diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 61760b8..fcd0358 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -17591,7 +17591,7 @@ index e100d88..991e1a5 100644
+')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..15c063c 100644
+index 8dbab4c..46d7f18 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -17612,15 +17612,16 @@ index 8dbab4c..15c063c 100644
role system_r types kernel_t;
sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
-@@ -58,6 +62,7 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
+@@ -58,6 +62,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
type debugfs_t;
files_mountpoint(debugfs_t)
fs_type(debugfs_t)
++dev_associate_sysfs(debugfs_t)
+
allow debugfs_t self:filesystem associate;
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
-@@ -95,9 +100,32 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
+@@ -95,9 +101,32 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
type proc_mdstat_t, proc_type;
genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
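Review bot: The added `dev_associate_sysfs(debugfs_t)` in the debugfs_t declaration block has no comment and no entry in the 3.13.1-126 changelog later in this commit, so the reason for the rule is not recorded anywhere. If the reason is that the debugfs mount point sits inside sysfs (inferred, not shown here), a one-line comment such as `# debugfs mount point is created inside sysfs` above the call would say so. A matching changelog line would let the rule be traced later. The kernel.te section continues outside this hunk.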
@@ -17653,7 +17654,7 @@ index 8dbab4c..15c063c 100644
type proc_xen_t, proc_type;
files_mountpoint(proc_xen_t)
genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
-@@ -133,14 +161,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
+@@ -133,14 +162,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
type sysctl_kernel_t, sysctl_type;
genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
@@ -17668,7 +17669,7 @@ index 8dbab4c..15c063c 100644
# /proc/sys/net directory and files
type sysctl_net_t, sysctl_type;
genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)
-@@ -153,6 +173,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
+@@ -153,6 +174,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
type sysctl_vm_t, sysctl_type;
genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
@@ -17679,7 +17680,7 @@ index 8dbab4c..15c063c 100644
# /proc/sys/dev directory and files
type sysctl_dev_t, sysctl_type;
genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
-@@ -165,6 +189,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
+@@ -165,6 +190,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
type unlabeled_t;
fs_associate(unlabeled_t)
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -17694,7 +17695,7 @@ index 8dbab4c..15c063c 100644
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -189,6 +221,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+@@ -189,6 +222,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
# kernel local policy
#
@@ -17702,7 +17703,7 @@ index 8dbab4c..15c063c 100644
allow kernel_t self:capability ~sys_module;
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow kernel_t self:shm create_shm_perms;
-@@ -233,7 +266,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+@@ -233,7 +267,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
corenet_in_generic_if(unlabeled_t)
corenet_in_generic_node(unlabeled_t)
@@ -17710,7 +17711,7 @@ index 8dbab4c..15c063c 100644
corenet_all_recvfrom_netlabel(kernel_t)
# Kernel-generated traffic e.g., ICMP replies:
corenet_raw_sendrecv_all_if(kernel_t)
-@@ -244,17 +276,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
+@@ -244,17 +277,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
corenet_tcp_sendrecv_all_nodes(kernel_t)
corenet_raw_send_generic_node(kernel_t)
corenet_send_all_packets(kernel_t)
@@ -17736,7 +17737,7 @@ index 8dbab4c..15c063c 100644
# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
-@@ -263,7 +299,8 @@ fs_unmount_all_fs(kernel_t)
+@@ -263,7 +300,8 @@ fs_unmount_all_fs(kernel_t)
selinux_load_policy(kernel_t)
@@ -17746,7 +17747,7 @@ index 8dbab4c..15c063c 100644
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -277,25 +314,53 @@ files_list_root(kernel_t)
+@@ -277,25 +315,53 @@ files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -17800,7 +17801,7 @@ index 8dbab4c..15c063c 100644
')
optional_policy(`
-@@ -305,6 +370,19 @@ optional_policy(`
+@@ -305,6 +371,19 @@ optional_policy(`
optional_policy(`
logging_send_syslog_msg(kernel_t)
@@ -17820,7 +17821,7 @@ index 8dbab4c..15c063c 100644
')
optional_policy(`
-@@ -312,6 +390,11 @@ optional_policy(`
+@@ -312,6 +391,11 @@ optional_policy(`
')
optional_policy(`
@@ -17832,7 +17833,7 @@ index 8dbab4c..15c063c 100644
# nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything.
allow kernel_t self:tcp_socket create_stream_socket_perms;
-@@ -332,9 +415,6 @@ optional_policy(`
+@@ -332,9 +416,6 @@ optional_policy(`
sysnet_read_config(kernel_t)
@@ -17842,7 +17843,7 @@ index 8dbab4c..15c063c 100644
rpc_udp_rw_nfs_sockets(kernel_t)
tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +423,7 @@ optional_policy(`
+@@ -343,9 +424,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@@ -17853,7 +17854,7 @@ index 8dbab4c..15c063c 100644
')
tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +432,7 @@ optional_policy(`
+@@ -354,7 +433,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@@ -17862,7 +17863,7 @@ index 8dbab4c..15c063c 100644
')
')
-@@ -367,6 +445,15 @@ optional_policy(`
+@@ -367,6 +446,15 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
@@ -17878,7 +17879,7 @@ index 8dbab4c..15c063c 100644
########################################
#
# Unlabeled process local policy
-@@ -399,14 +486,39 @@ if( ! secure_mode_insmod ) {
+@@ -399,14 +487,39 @@ if( ! secure_mode_insmod ) {
# Rules for unconfined acccess to this module
#
@@ -36486,7 +36487,7 @@ index 79048c4..c3a255a 100644
udev_read_pid_files(lvm_t)
')
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 9fe8e01..3d71062 100644
+index 9fe8e01..ce00ccb 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -9,11 +9,14 @@ ifdef(`distro_gentoo',`
@@ -36497,7 +36498,7 @@ index 9fe8e01..3d71062 100644
-/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+/etc/docker/certs\.d(/.*)? gen_context(system_u:object_r:cert_t,s0)
+/etc/httpd/alias(/.*)? gen_context(system_u:object_r:cert_t,s0)
-+/etc/localtime gen_context(system_u:object_r:locale_t,s0)
++/etc/localtime -l gen_context(system_u:object_r:locale_t,s0)
+/etc/locale.conf -- gen_context(system_u:object_r:locale_t,s0)
/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
/etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0)
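Review bot: Narrowing the `/etc/localtime` entry to `-l` means a regular-file `/etc/localtime` (a copied zoneinfo file rather than a symlink) is no longer matched here. The previous line had no file-type specifier and so covered every type, and this same patch removes the upstream `/etc/localtime --` entry. The changelog calls the old line a duplicate, so another specification presumably exists, but it is not visible in this hunk and should be confirmed. Without it, a regular file would fall back to the generic /etc label on relabel. If both forms should carry locale_t, keeping `/etc/localtime -- ...` next to `/etc/localtime -l ...` makes that explicit.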
@@ -42364,10 +42365,10 @@ index 0000000..d2a8fc7
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..f3a8fe7
+index 0000000..c19260b
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,713 @@
+@@ -0,0 +1,714 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -42626,6 +42627,7 @@ index 0000000..f3a8fe7
+
+kernel_dgram_send(systemd_networkd_t)
+kernel_request_load_module(systemd_networkd_t)
++kernel_rw_net_sysctls(systemd_networkd_t)
+
+dev_read_sysfs(systemd_networkd_t)
+
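Review bot: `kernel_rw_net_sysctls(systemd_networkd_t)` gives the daemon write access to the whole net sysctl tree labelled from `/proc/sys/net`, and neither a comment nor the 3.13.1-126 changelog says which setting it needs to change. A short comment above the call naming the sysctl that systemd-networkd writes would document the grant. If only reads turn out to be needed, `kernel_read_net_sysctls(systemd_networkd_t)` is the narrower call. The systemd_networkd_t rules begin and end outside this hunk.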
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 55d5d91..a9db964 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -5157,7 +5157,7 @@ index f6eb485..164501c 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 6649962..9c06038 100644
+index 6649962..d671bf8 100644
--- a/apache.te
+++ b/apache.te
@@ -5,280 +5,339 @@ policy_module(apache, 2.7.2)
@@ -6477,15 +6477,16 @@ index 6649962..9c06038 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -832,6 +1029,7 @@ optional_policy(`
+@@ -832,6 +1029,8 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
++ nagios_read_lib(httpd_t)
+ nagios_read_log(httpd_t)
')
optional_policy(`
-@@ -842,20 +1040,40 @@ optional_policy(`
+@@ -842,20 +1041,40 @@ optional_policy(`
')
optional_policy(`
@@ -6532,7 +6533,7 @@ index 6649962..9c06038 100644
')
optional_policy(`
-@@ -863,19 +1081,35 @@ optional_policy(`
+@@ -863,19 +1082,35 @@ optional_policy(`
')
optional_policy(`
@@ -6568,7 +6569,7 @@ index 6649962..9c06038 100644
udev_read_db(httpd_t)
')
-@@ -883,65 +1117,189 @@ optional_policy(`
+@@ -883,65 +1118,189 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6780,7 +6781,7 @@ index 6649962..9c06038 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -950,123 +1308,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1309,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6935,7 +6936,7 @@ index 6649962..9c06038 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1392,107 @@ optional_policy(`
+@@ -1083,172 +1393,107 @@ optional_policy(`
')
')
@@ -7173,7 +7174,7 @@ index 6649962..9c06038 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1500,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1501,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -7270,7 +7271,7 @@ index 6649962..9c06038 100644
########################################
#
-@@ -1321,8 +1575,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1576,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -7287,7 +7288,7 @@ index 6649962..9c06038 100644
')
########################################
-@@ -1330,49 +1591,38 @@ optional_policy(`
+@@ -1330,49 +1592,38 @@ optional_policy(`
# User content local policy
#
@@ -7352,7 +7353,7 @@ index 6649962..9c06038 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1632,101 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1633,101 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -24751,11 +24752,14 @@ index 37a3b7b..921056a 100644
+')
diff --git a/dnssec.fc b/dnssec.fc
new file mode 100644
-index 0000000..9e231a8
+index 0000000..1714fa6
--- /dev/null
+++ b/dnssec.fc
-@@ -0,0 +1,3 @@
+@@ -0,0 +1,6 @@
++/usr/lib/systemd/system/dnssec-triggerd.* -- gen_context(system_u:object_r:dnssec_trigger_unit_file_t,s0)
++
+/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
++/usr/libexec/dnssec-trigger-script -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
+
+/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
diff --git a/dnssec.if b/dnssec.if
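Review bot: The new unit-file pattern `/usr/lib/systemd/system/dnssec-triggerd.*` ends in an unescaped `.*`, so it labels every regular file in that directory whose name starts with `dnssec-triggerd`, not only `dnssec-triggerd.service`. The `mongod.*` and `mongos.*` entries added to mongodb.fc later in this commit have the same shape, while the init-script lines next to them escape their dots (`/etc/rc\.d/init\.d/mongod`). If only the service unit is meant, `dnssec-triggerd\.service` (and likewise for mongod and mongos) stops the unit-file type spreading to unrelated units. If related helper units are meant to match, a `#` comment above the entry saying so would make the breadth deliberate.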
@@ -24851,10 +24855,10 @@ index 0000000..457d4dd
+')
diff --git a/dnssec.te b/dnssec.te
new file mode 100644
-index 0000000..46f4d2c
+index 0000000..64f1a64
--- /dev/null
+++ b/dnssec.te
-@@ -0,0 +1,63 @@
+@@ -0,0 +1,68 @@
+policy_module(dnssec, 1.0.0)
+
+########################################
@@ -24866,6 +24870,9 @@ index 0000000..46f4d2c
+type dnssec_trigger_exec_t;
+init_daemon_domain(dnssec_trigger_t, dnssec_trigger_exec_t)
+
++type dnssec_trigger_unit_file_t;
++systemd_unit_file(dnssec_trigger_unit_file_t)
++
+type dnssec_trigger_var_run_t;
+files_pid_file(dnssec_trigger_var_run_t)
+
@@ -24917,6 +24924,8 @@ index 0000000..46f4d2c
+
+optional_policy(`
+ networkmanager_stream_connect(dnssec_trigger_t)
++ networkmanager_sigchld(dnssec_trigger_t)
++
+')
diff --git a/dnssectrigger.te b/dnssectrigger.te
index c7bb4e7..e6fe2f40 100644
@@ -46851,16 +46860,22 @@ index 0000000..e7220a5
+logging_send_syslog_msg(mon_procd_t)
+
diff --git a/mongodb.fc b/mongodb.fc
-index 6fcfc31..91adcaf 100644
+index 6fcfc31..e9e6bc5 100644
--- a/mongodb.fc
+++ b/mongodb.fc
-@@ -1,9 +1,13 @@
+@@ -1,9 +1,19 @@
/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/mongos -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
-/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
++/usr/lib/systemd/system/mongod.* -- gen_context(system_u:object_r:mongod_unit_file_t,s0)
++/usr/lib/systemd/system/mongos.* -- gen_context(system_u:object_r:mongod_unit_file_t,s0)
++
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/bin/mongos -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
++
++/usr/libexec/mongodb-scl-helper -- gen_context(system_u:object_r:mongod_exec_t,s0)
/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
@@ -46872,10 +46887,20 @@ index 6fcfc31..91adcaf 100644
+/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0)
+/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
diff --git a/mongodb.te b/mongodb.te
-index 169f236..571da1a 100644
+index 169f236..608c584 100644
--- a/mongodb.te
+++ b/mongodb.te
-@@ -21,19 +21,25 @@ files_type(mongod_var_lib_t)
+@@ -12,6 +12,9 @@ init_daemon_domain(mongod_t, mongod_exec_t)
+ type mongod_initrc_exec_t;
+ init_script_file(mongod_initrc_exec_t)
+
++type mongod_unit_file_t;
++systemd_unit_file(mongod_unit_file_t)
++
+ type mongod_log_t;
+ logging_log_file(mongod_log_t)
+
+@@ -21,19 +24,25 @@ files_type(mongod_var_lib_t)
type mongod_var_run_t;
files_pid_file(mongod_var_run_t)
@@ -46907,7 +46932,7 @@ index 169f236..571da1a 100644
manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
-@@ -41,21 +47,44 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
+@@ -41,21 +50,44 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
@@ -51970,10 +51995,10 @@ index b708708..dd6e04b 100644
+ apache_search_sys_content(munin_t)
+')
diff --git a/mysql.fc b/mysql.fc
-index 06f8666..d813d8a 100644
+index 06f8666..c2c13aa 100644
--- a/mysql.fc
+++ b/mysql.fc
-@@ -1,12 +1,26 @@
+@@ -1,27 +1,46 @@
-HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
-
-/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
@@ -52009,7 +52034,9 @@ index 06f8666..d813d8a 100644
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
-@@ -14,14 +28,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
+ /usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
++/usr/libexec/mysqld_safe-scl-helper -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
++
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
@@ -53678,7 +53705,7 @@ index d78dfc3..40e1c77 100644
-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
diff --git a/nagios.if b/nagios.if
-index 0641e97..cad402c 100644
+index 0641e97..ed3394e 100644
--- a/nagios.if
+++ b/nagios.if
@@ -1,12 +1,13 @@
@@ -53755,7 +53782,7 @@ index 0641e97..cad402c 100644
##
##
##
-@@ -73,15 +68,14 @@ interface(`nagios_read_config',`
+@@ -73,15 +68,33 @@ interface(`nagios_read_config',`
type nagios_etc_t;
')
@@ -53764,6 +53791,25 @@ index 0641e97..cad402c 100644
allow $1 nagios_etc_t:file read_file_perms;
- allow $1 nagios_etc_t:lnk_file read_lnk_file_perms;
+ files_search_etc($1)
++')
++######################################
++##
++## Read nagios lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nagios_read_lib',`
++ gen_require(`
++ type nagios_var_lib_t;
++ ')
++
++ files_search_var($1)
++ list_dirs_pattern($1, nagios_var_lib_t, nagios_var_lib_t)
++ read_files_pattern($1, nagios_var_lib_t, nagios_var_lib_t)
')
######################################
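Review bot: The new `nagios_read_lib` interface starts directly after the `')` that closes `nagios_read_config`, with no blank line before its `######` banner. The other interfaces in this file separate the two with a blank line, as the lines after `nagios_search_spool` do. It also calls `files_search_var($1)`; if nagios_var_lib_t content lives under /var/lib (not shown in this hunk), `files_search_var_lib($1)` is the helper that matches the directories a caller has to traverse. `nagios_read_config` begins outside the hunk.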
@@ -53773,7 +53819,7 @@ index 0641e97..cad402c 100644
##
##
##
-@@ -100,8 +94,7 @@ interface(`nagios_read_log',`
+@@ -100,8 +113,7 @@ interface(`nagios_read_log',`
########################################
##
@@ -53783,17 +53829,18 @@ index 0641e97..cad402c 100644
##
##
##
-@@ -132,13 +125,33 @@ interface(`nagios_search_spool',`
+@@ -132,13 +144,33 @@ interface(`nagios_search_spool',`
type nagios_spool_t;
')
- files_search_spool($1)
allow $1 nagios_spool_t:dir search_dir_perms;
+ files_search_spool($1)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read nagios temporary files.
+## Append nagios spool files.
+##
+##
@@ -53809,17 +53856,16 @@ index 0641e97..cad402c 100644
+
+ allow $1 nagios_spool_t:file append_file_perms;
+ files_search_spool($1)
- ')
-
- ########################################
- ##
--## Read nagios temporary files.
++')
++
++########################################
++##
+## Allow the specified domain to read
+## nagios temporary files.
##
##
##
-@@ -151,13 +164,34 @@ interface(`nagios_read_tmp_files',`
+@@ -151,13 +183,34 @@ interface(`nagios_read_tmp_files',`
type nagios_tmp_t;
')
@@ -53856,7 +53902,7 @@ index 0641e97..cad402c 100644
##
##
##
-@@ -170,14 +204,13 @@ interface(`nagios_domtrans_nrpe',`
+@@ -170,14 +223,13 @@ interface(`nagios_domtrans_nrpe',`
type nrpe_t, nrpe_exec_t;
')
@@ -53873,7 +53919,7 @@ index 0641e97..cad402c 100644
##
##
##
-@@ -186,44 +219,43 @@ interface(`nagios_domtrans_nrpe',`
+@@ -186,44 +238,43 @@ interface(`nagios_domtrans_nrpe',`
##
##
##
@@ -54558,7 +54604,7 @@ index 94b9734..448a7e8 100644
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
-index 86dc29d..219892b 100644
+index 86dc29d..0c72c4d 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -2,7 +2,7 @@
@@ -54789,12 +54835,11 @@ index 86dc29d..219892b 100644
#
-interface(`networkmanager_read_pid_files',`
+interface(`networkmanager_manage_pid_files',`
- gen_require(`
- type NetworkManager_var_run_t;
- ')
-
- files_search_pids($1)
-- allow $1 NetworkManager_var_run_t:file read_file_perms;
++ gen_require(`
++ type NetworkManager_var_run_t;
++ ')
++
++ files_search_pids($1)
+ manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
+')
+
@@ -54809,11 +54854,12 @@ index 86dc29d..219892b 100644
+##
+#
+interface(`networkmanager_manage_pid_sock_files',`
-+ gen_require(`
-+ type NetworkManager_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
+ gen_require(`
+ type NetworkManager_var_run_t;
+ ')
+
+ files_search_pids($1)
+- allow $1 NetworkManager_var_run_t:file read_file_perms;
+ manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
+')
+
@@ -54888,7 +54934,7 @@ index 86dc29d..219892b 100644
##
##
## Role allowed access.
-@@ -287,33 +425,132 @@ interface(`networkmanager_stream_connect',`
+@@ -287,33 +425,150 @@ interface(`networkmanager_stream_connect',`
##
##
#
@@ -54999,6 +55045,24 @@ index 86dc29d..219892b 100644
+
+########################################
+##
++## Send sigchld to networkmanager.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++#
++interface(`networkmanager_sigchld',`
++ gen_require(`
++ type networkmanager_t;
++ ')
++
++ allow $1 networkmanager_t:process sigchld;
++')
++########################################
++##
+## Transition to networkmanager named content
+##
+##
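Review bot: `networkmanager_sigchld` requires and allows on `networkmanager_t`, but the types this file uses elsewhere are capitalised (`NetworkManager_var_run_t`) and SELinux type names are case-sensitive, so the domain is most likely `NetworkManager_t`. The caller added to dnssec.te in this commit sits inside an `optional_policy` block. An unresolved type in `gen_require` would cause that whole block to be dropped, including the existing `networkmanager_stream_connect(dnssec_trigger_t)`, without a build error. Suggested lines: `type NetworkManager_t;` and `allow $1 NetworkManager_t:process sigchld;`. The header also has a doubled `#` line before `interface(` and no blank line between the closing `')` and the next banner.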
@@ -91721,7 +91785,7 @@ index 98c9e0a..562666e 100644
files_search_pids($1)
admin_pattern($1, sblim_var_run_t)
diff --git a/sblim.te b/sblim.te
-index 299756b..8ce51cb 100644
+index 299756b..7d15afd 100644
--- a/sblim.te
+++ b/sblim.te
@@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
@@ -91803,7 +91867,7 @@ index 299756b..8ce51cb 100644
-allow sblim_gatherd_t self:capability dac_override;
-allow sblim_gatherd_t self:process signal;
-+allow sblim_gatherd_t self:capability { dac_override sys_nice };
++allow sblim_gatherd_t self:capability { dac_override sys_nice sys_ptrace };
+allow sblim_gatherd_t self:process { setsched signal };
allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
allow sblim_gatherd_t self:unix_stream_socket { accept listen };
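Review bot: Adding `sys_ptrace` to `allow sblim_gatherd_t self:capability` is a broad answer to denials that the changelog attributes to `ps`. The capability lets the daemon pass ptrace-level access checks on other users' processes, which is more than a metrics gatherer normally needs. If gatherd still collects its data when the check is denied, `dontaudit sblim_gatherd_t self:capability sys_ptrace;` silences the AVC without granting anything. If the grant is really required, a comment on the line naming the `ps` invocation that needs it would help the next audit. The surrounding sblim.te rules begin and end outside this hunk.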
@@ -104221,7 +104285,7 @@ index a4f20bc..b3bd64f 100644
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index facdee8..c930866 100644
+index facdee8..814626a 100644
--- a/virt.if
+++ b/virt.if
@@ -1,318 +1,226 @@
@@ -104822,7 +104886,7 @@ index facdee8..c930866 100644
##
##
##
-@@ -495,53 +398,37 @@ interface(`virt_manage_virt_content',`
+@@ -495,53 +398,38 @@ interface(`virt_manage_virt_content',`
##
##
#
@@ -104876,6 +104940,7 @@ index facdee8..c930866 100644
- virt_home_filetrans($1, virt_content_t, $2, $3)
+ files_search_pids($1)
+ read_files_pattern($1, virt_var_run_t, virt_var_run_t)
++ read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t)
')
########################################
@@ -104886,7 +104951,7 @@ index facdee8..c930866 100644
##
##
##
-@@ -549,34 +436,21 @@ interface(`virt_home_filetrans_virt_content',`
+@@ -549,34 +437,21 @@ interface(`virt_home_filetrans_virt_content',`
##
##
#
@@ -104929,7 +104994,7 @@ index facdee8..c930866 100644
##
##
##
-@@ -584,32 +458,36 @@ interface(`virt_manage_svirt_home_content',`
+@@ -584,32 +459,36 @@ interface(`virt_manage_svirt_home_content',`
##
##
#
@@ -104978,7 +105043,7 @@ index facdee8..c930866 100644
##
##
##
-@@ -618,54 +496,36 @@ interface(`virt_relabel_svirt_home_content',`
+@@ -618,54 +497,36 @@ interface(`virt_relabel_svirt_home_content',`
##
##
#
@@ -105042,7 +105107,7 @@ index facdee8..c930866 100644
##
##
##
-@@ -673,107 +533,136 @@ interface(`virt_home_filetrans',`
+@@ -673,107 +534,136 @@ interface(`virt_home_filetrans',`
##
##
#
@@ -105223,7 +105288,7 @@ index facdee8..c930866 100644
##
##
##
-@@ -781,19 +670,18 @@ interface(`virt_home_filetrans_virt_home',`
+@@ -781,19 +671,18 @@ interface(`virt_home_filetrans_virt_home',`
##
##
#
@@ -105248,7 +105313,7 @@ index facdee8..c930866 100644
##
##
##
-@@ -801,18 +689,36 @@ interface(`virt_read_pid_files',`
+@@ -801,18 +690,36 @@ interface(`virt_read_pid_files',`
##
##
#
@@ -105290,7 +105355,7 @@ index facdee8..c930866 100644
##
##
##
-@@ -820,18 +726,17 @@ interface(`virt_manage_pid_files',`
+@@ -820,18 +727,17 @@ interface(`virt_manage_pid_files',`
##
##
#
@@ -105313,7 +105378,7 @@ index facdee8..c930866 100644
##
##
##
-@@ -839,20 +744,18 @@ interface(`virt_search_lib',`
+@@ -839,20 +745,18 @@ interface(`virt_search_lib',`
##
##
#
@@ -105338,7 +105403,7 @@ index facdee8..c930866 100644
##
##
##
-@@ -860,94 +763,267 @@ interface(`virt_read_lib_files',`
+@@ -860,94 +764,267 @@ interface(`virt_read_lib_files',`
##
##
#
@@ -105635,7 +105700,7 @@ index facdee8..c930866 100644
##
##
##
-@@ -955,20 +1031,17 @@ interface(`virt_append_log',`
+@@ -955,20 +1032,17 @@ interface(`virt_append_log',`
##
##
#
@@ -105660,7 +105725,7 @@ index facdee8..c930866 100644
##
##
##
-@@ -976,18 +1049,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +1050,17 @@ interface(`virt_manage_log',`
##
##
#
@@ -105683,7 +105748,7 @@ index facdee8..c930866 100644
##
##
##
-@@ -995,36 +1067,35 @@ interface(`virt_search_images',`
+@@ -995,36 +1068,35 @@ interface(`virt_search_images',`
##
##
#
@@ -105739,7 +105804,7 @@ index facdee8..c930866 100644
##
##
##
-@@ -1032,20 +1103,17 @@ interface(`virt_read_images',`
+@@ -1032,20 +1104,17 @@ interface(`virt_read_images',`
##
##
#
@@ -105764,7 +105829,7 @@ index facdee8..c930866 100644
##
##
##
-@@ -1053,15 +1121,57 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,15 +1122,57 @@ interface(`virt_rw_all_image_chr_files',`
##
##
#
@@ -105827,7 +105892,7 @@ index facdee8..c930866 100644
##
##
##
-@@ -1069,21 +1179,28 @@ interface(`virt_manage_svirt_cache',`
+@@ -1069,21 +1180,28 @@ interface(`virt_manage_svirt_cache',`
##
##
#
@@ -105864,7 +105929,7 @@ index facdee8..c930866 100644
##
##
##
-@@ -1091,36 +1208,188 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1209,188 @@ interface(`virt_manage_virt_cache',`
##
##
#
@@ -106071,7 +106136,7 @@ index facdee8..c930866 100644
##
##
##
-@@ -1136,50 +1405,53 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1406,53 @@ interface(`virt_manage_images',`
#
interface(`virt_admin',`
gen_require(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a1da1e0..3656ec8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 125%{?dist}
+Release: 126%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,24 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Apr 30 2015 Lukas Vrabec 3.13.1-126
+- allow httpd_t to read nagios lib_var_lib_t to allow rddtool generate graphs which will be shown by httpd .
+- Add nagios_read_lib() interface.
+- Additional fix for mongod_unit_file_t in mongodb.te.
+- Fix decl of mongod_unit_file to mongod_unit_file_t.
+- Fix mongodb unit file declaration.
+- Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type.
+- Fix labeling for /usr/libexec/mysqld_safe-scl-helper.
+- Add support for mysqld_safe-scl-helper which is needed for RHSCL daemons.
+- Allow sys_ptrace cap for sblim-gatherd caused by ps.
+- Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script.
+- Add support for mongod/mongos systemd unit files.
+- Allow dnssec-trigger to send sigchld to networkmanager
+- add interface networkmanager_sigchld
+- Add dnssec-trigger unit file Label dnssec-trigger script in libexec
+- Remove duplicate specification for /etc/localtime.
+- Add default labeling for /etc/localtime symlink.
+
* Mon Apr 20 2015 Lukas Vrabec 3.13.1-125
- Define ipa_var_run_t type
- Allow certmonger to manage renewal.lock. BZ(1213256)