diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 3795792..02bfac3 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 0813676..b5bc472 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -17882,7 +17882,7 @@ index d7c11a0..6b3331d 100644
/var/run/shm/.* <<none>>
-')
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..99002ca 100644
+index 8416beb..531dfef 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -18034,7 +18034,33 @@ index 8416beb..99002ca 100644
dev_search_sysfs($1)
')
-@@ -920,6 +990,24 @@ interface(`fs_getattr_cifs',`
+@@ -826,6 +896,25 @@ interface(`fs_mounton_cgroup', `
+
+ ########################################
+ ## <summary>
++## Read and write ceph files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_rw_cephfs_files',`
++ gen_require(`
++ type cephfs_t;
++
++ ')
++
++ rw_files_pattern($1, cephfs_t, cephfs_t)
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to read
+ ## dirs on a CIFS or SMB filesystem.
+ ## </summary>
+@@ -920,6 +1009,24 @@ interface(`fs_getattr_cifs',`
########################################
## <summary>
@@ -18059,7 +18085,7 @@ index 8416beb..99002ca 100644
## Search directories on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
-@@ -1107,6 +1195,24 @@ interface(`fs_read_noxattr_fs_files',`
+@@ -1107,6 +1214,24 @@ interface(`fs_read_noxattr_fs_files',`
########################################
## <summary>
@@ -18084,7 +18110,7 @@ index 8416beb..99002ca 100644
## Do not audit attempts to read all
## noxattrfs files.
## </summary>
-@@ -1245,7 +1351,7 @@ interface(`fs_append_cifs_files',`
+@@ -1245,7 +1370,7 @@ interface(`fs_append_cifs_files',`
########################################
## <summary>
@@ -18093,7 +18119,7 @@ index 8416beb..99002ca 100644
## on a CIFS filesystem.
## </summary>
## <param name="domain">
-@@ -1265,6 +1371,42 @@ interface(`fs_dontaudit_append_cifs_files',`
+@@ -1265,6 +1390,42 @@ interface(`fs_dontaudit_append_cifs_files',`
########################################
## <summary>
@@ -18136,7 +18162,7 @@ index 8416beb..99002ca 100644
## Do not audit attempts to read or
## write files on a CIFS or SMB filesystem.
## </summary>
-@@ -1279,7 +1421,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
+@@ -1279,7 +1440,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
type cifs_t;
')
@@ -18145,7 +18171,7 @@ index 8416beb..99002ca 100644
')
########################################
-@@ -1542,6 +1684,63 @@ interface(`fs_cifs_domtrans',`
+@@ -1542,6 +1703,63 @@ interface(`fs_cifs_domtrans',`
domain_auto_transition_pattern($1, cifs_t, $2)
')
@@ -18209,7 +18235,7 @@ index 8416beb..99002ca 100644
#######################################
## <summary>
## Create, read, write, and delete dirs
-@@ -1582,6 +1781,24 @@ interface(`fs_manage_configfs_files',`
+@@ -1582,6 +1800,24 @@ interface(`fs_manage_configfs_files',`
########################################
## <summary>
@@ -18234,7 +18260,7 @@ index 8416beb..99002ca 100644
## Mount a DOS filesystem, such as
## FAT32 or NTFS.
## </summary>
-@@ -1793,63 +2010,70 @@ interface(`fs_read_eventpollfs',`
+@@ -1793,63 +2029,70 @@ interface(`fs_read_eventpollfs',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -18330,7 +18356,7 @@ index 8416beb..99002ca 100644
## on a FUSEFS filesystem.
## </summary>
## <param name="domain">
-@@ -1859,18 +2083,19 @@ interface(`fs_mounton_fusefs',`
+@@ -1859,18 +2102,19 @@ interface(`fs_mounton_fusefs',`
## </param>
## <rolecap/>
#
@@ -18355,7 +18381,7 @@ index 8416beb..99002ca 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1878,135 +2103,740 @@ interface(`fs_search_fusefs',`
+@@ -1878,135 +2122,740 @@ interface(`fs_search_fusefs',`
## </summary>
## </param>
#
@@ -18452,6 +18478,15 @@ index 8416beb..99002ca 100644
+## Execute a file on a FUSE filesystem
+## in the specified domain.
## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-## <rolecap/>
+-#
+-interface(`fs_exec_fusefs_files',`
+- gen_require(`
+## <desc>
+## <p>
+## Execute a file on a FUSE filesystem
@@ -18471,17 +18506,11 @@ index 8416beb..99002ca 100644
+## in particular used by the ssh-agent policy.
+## </p>
+## </desc>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
++## <param name="domain">
++## <summary>
+## Domain allowed to transition.
- ## </summary>
- ## </param>
--## <rolecap/>
--#
--interface(`fs_exec_fusefs_files',`
-- gen_require(`
-- type fusefs_t;
++## </summary>
++## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
@@ -18840,9 +18869,10 @@ index 8416beb..99002ca 100644
+#
+interface(`fs_getattr_fusefs',`
+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
+ type fusefs_t;
+ ')
+
+- exec_files_pattern($1, fusefs_t, fusefs_t)
+ allow $1 fusefs_t:filesystem getattr;
+')
+
@@ -19076,9 +19106,8 @@ index 8416beb..99002ca 100644
+interface(`fs_hugetlbfs_filetrans',`
+ gen_require(`
+ type hugetlbfs_t;
- ')
-
-- exec_files_pattern($1, fusefs_t, fusefs_t)
++ ')
++
+ allow $2 hugetlbfs_t:filesystem associate;
+ filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
')
@@ -19143,7 +19172,7 @@ index 8416beb..99002ca 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2014,37 +2844,38 @@ interface(`fs_dontaudit_manage_fusefs_files',`
+@@ -2014,37 +2863,38 @@ interface(`fs_dontaudit_manage_fusefs_files',`
## </summary>
## </param>
#
@@ -19192,7 +19221,7 @@ index 8416beb..99002ca 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2052,17 +2883,19 @@ interface(`fs_getattr_hugetlbfs',`
+@@ -2052,17 +2902,19 @@ interface(`fs_getattr_hugetlbfs',`
## </summary>
## </param>
#
@@ -19216,7 +19245,7 @@ index 8416beb..99002ca 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2070,17 +2903,20 @@ interface(`fs_list_hugetlbfs',`
+@@ -2070,17 +2922,20 @@ interface(`fs_list_hugetlbfs',`
## </summary>
## </param>
#
@@ -19241,7 +19270,7 @@ index 8416beb..99002ca 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2088,35 +2924,35 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -2088,35 +2943,35 @@ interface(`fs_manage_hugetlbfs_dirs',`
## </summary>
## </param>
#
@@ -19287,7 +19316,7 @@ index 8416beb..99002ca 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2124,17 +2960,17 @@ interface(`fs_associate_hugetlbfs',`
+@@ -2124,17 +2979,17 @@ interface(`fs_associate_hugetlbfs',`
## </summary>
## </param>
#
@@ -19309,7 +19338,7 @@ index 8416beb..99002ca 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2142,71 +2978,136 @@ interface(`fs_search_inotifyfs',`
+@@ -2142,71 +2997,136 @@ interface(`fs_search_inotifyfs',`
## </summary>
## </param>
#
@@ -19469,7 +19498,7 @@ index 8416beb..99002ca 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2214,19 +3115,21 @@ interface(`fs_hugetlbfs_filetrans',`
+@@ -2214,19 +3134,21 @@ interface(`fs_hugetlbfs_filetrans',`
## </summary>
## </param>
#
@@ -19497,7 +19526,7 @@ index 8416beb..99002ca 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2234,18 +3137,19 @@ interface(`fs_mount_iso9660_fs',`
+@@ -2234,18 +3156,19 @@ interface(`fs_mount_iso9660_fs',`
## </summary>
## </param>
#
@@ -19522,7 +19551,7 @@ index 8416beb..99002ca 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2253,38 +3157,41 @@ interface(`fs_remount_iso9660_fs',`
+@@ -2253,38 +3176,41 @@ interface(`fs_remount_iso9660_fs',`
## </summary>
## </param>
#
@@ -19576,7 +19605,7 @@ index 8416beb..99002ca 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2292,19 +3199,21 @@ interface(`fs_getattr_iso9660_fs',`
+@@ -2292,19 +3218,21 @@ interface(`fs_getattr_iso9660_fs',`
## </summary>
## </param>
#
@@ -19604,7 +19633,7 @@ index 8416beb..99002ca 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2312,16 +3221,15 @@ interface(`fs_getattr_iso9660_files',`
+@@ -2312,16 +3240,15 @@ interface(`fs_getattr_iso9660_files',`
## </summary>
## </param>
#
@@ -19625,7 +19654,7 @@ index 8416beb..99002ca 100644
########################################
## <summary>
## Mount a NFS filesystem.
-@@ -2356,44 +3264,62 @@ interface(`fs_remount_nfs',`
+@@ -2356,44 +3283,62 @@ interface(`fs_remount_nfs',`
type nfs_t;
')
@@ -19696,7 +19725,7 @@ index 8416beb..99002ca 100644
')
########################################
-@@ -2485,6 +3411,7 @@ interface(`fs_read_nfs_files',`
+@@ -2485,6 +3430,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
@@ -19704,7 +19733,7 @@ index 8416beb..99002ca 100644
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2523,6 +3450,7 @@ interface(`fs_write_nfs_files',`
+@@ -2523,6 +3469,7 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
@@ -19712,7 +19741,7 @@ index 8416beb..99002ca 100644
allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2549,6 +3477,44 @@ interface(`fs_exec_nfs_files',`
+@@ -2549,6 +3496,44 @@ interface(`fs_exec_nfs_files',`
########################################
## <summary>
@@ -19757,7 +19786,7 @@ index 8416beb..99002ca 100644
## Append files
## on a NFS filesystem.
## </summary>
-@@ -2569,7 +3535,7 @@ interface(`fs_append_nfs_files',`
+@@ -2569,7 +3554,7 @@ interface(`fs_append_nfs_files',`
########################################
## <summary>
@@ -19766,7 +19795,7 @@ index 8416beb..99002ca 100644
## on a NFS filesystem.
## </summary>
## <param name="domain">
-@@ -2589,6 +3555,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2589,6 +3574,42 @@ interface(`fs_dontaudit_append_nfs_files',`
########################################
## <summary>
@@ -19809,7 +19838,7 @@ index 8416beb..99002ca 100644
## Do not audit attempts to read or
## write files on a NFS filesystem.
## </summary>
-@@ -2603,7 +3605,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2603,7 +3624,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
@@ -19818,7 +19847,7 @@ index 8416beb..99002ca 100644
')
########################################
-@@ -2627,7 +3629,7 @@ interface(`fs_read_nfs_symlinks',`
+@@ -2627,7 +3648,7 @@ interface(`fs_read_nfs_symlinks',`
########################################
## <summary>
@@ -19827,7 +19856,7 @@ index 8416beb..99002ca 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2719,6 +3721,65 @@ interface(`fs_search_rpc',`
+@@ -2719,6 +3740,65 @@ interface(`fs_search_rpc',`
########################################
## <summary>
@@ -19893,7 +19922,7 @@ index 8416beb..99002ca 100644
## Search removable storage directories.
## </summary>
## <param name="domain">
-@@ -2741,7 +3802,7 @@ interface(`fs_search_removable',`
+@@ -2741,7 +3821,7 @@ interface(`fs_search_removable',`
## </summary>
## <param name="domain">
## <summary>
@@ -19902,7 +19931,7 @@ index 8416beb..99002ca 100644
## </summary>
## </param>
#
-@@ -2777,7 +3838,7 @@ interface(`fs_read_removable_files',`
+@@ -2777,7 +3857,7 @@ interface(`fs_read_removable_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -19911,7 +19940,7 @@ index 8416beb..99002ca 100644
## </summary>
## </param>
#
-@@ -2970,6 +4031,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +4050,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@@ -19919,7 +19948,7 @@ index 8416beb..99002ca 100644
allow $1 nfs_t:dir manage_dir_perms;
')
-@@ -3010,6 +4072,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,6 +4091,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@@ -19927,7 +19956,7 @@ index 8416beb..99002ca 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3050,6 +4113,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3050,6 +4132,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@@ -19935,7 +19964,7 @@ index 8416beb..99002ca 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3137,6 +4201,24 @@ interface(`fs_nfs_domtrans',`
+@@ -3137,6 +4220,24 @@ interface(`fs_nfs_domtrans',`
########################################
## <summary>
@@ -19960,7 +19989,7 @@ index 8416beb..99002ca 100644
## Mount a NFS server pseudo filesystem.
## </summary>
## <param name="domain">
-@@ -3263,7 +4345,25 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3263,7 +4364,25 @@ interface(`fs_getattr_nfsd_files',`
getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
')
@@ -19987,7 +20016,7 @@ index 8416beb..99002ca 100644
## <summary>
## Read and write NFS server files.
## </summary>
-@@ -3283,6 +4383,59 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3283,6 +4402,59 @@ interface(`fs_rw_nfsd_fs',`
########################################
## <summary>
@@ -20047,7 +20076,7 @@ index 8416beb..99002ca 100644
## Allow the type to associate to ramfs filesystems.
## </summary>
## <param name="type">
-@@ -3392,7 +4545,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +4564,7 @@ interface(`fs_search_ramfs',`
########################################
## <summary>
@@ -20056,7 +20085,7 @@ index 8416beb..99002ca 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3429,7 +4582,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4601,7 @@ interface(`fs_manage_ramfs_dirs',`
########################################
## <summary>
@@ -20065,7 +20094,7 @@ index 8416beb..99002ca 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3447,7 +4600,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4619,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
########################################
## <summary>
@@ -20074,7 +20103,7 @@ index 8416beb..99002ca 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3779,6 +4932,24 @@ interface(`fs_mount_tmpfs',`
+@@ -3779,6 +4951,24 @@ interface(`fs_mount_tmpfs',`
########################################
## <summary>
@@ -20099,7 +20128,7 @@ index 8416beb..99002ca 100644
## Remount a tmpfs filesystem.
## </summary>
## <param name="domain">
-@@ -3815,6 +4986,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +5005,24 @@ interface(`fs_unmount_tmpfs',`
########################################
## <summary>
@@ -20124,7 +20153,7 @@ index 8416beb..99002ca 100644
## Get the attributes of a tmpfs
## filesystem.
## </summary>
-@@ -3839,39 +5028,76 @@ interface(`fs_getattr_tmpfs',`
+@@ -3839,39 +5047,76 @@ interface(`fs_getattr_tmpfs',`
## </summary>
## <param name="type">
## <summary>
@@ -20210,7 +20239,7 @@ index 8416beb..99002ca 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3879,36 +5105,35 @@ interface(`fs_relabelfrom_tmpfs',`
+@@ -3879,36 +5124,35 @@ interface(`fs_relabelfrom_tmpfs',`
## </summary>
## </param>
#
@@ -20254,7 +20283,7 @@ index 8416beb..99002ca 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3916,35 +5141,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,35 +5160,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
## </summary>
## </param>
#
@@ -20298,7 +20327,7 @@ index 8416beb..99002ca 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3952,17 +5178,17 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +5197,17 @@ interface(`fs_setattr_tmpfs_dirs',`
## </summary>
## </param>
#
@@ -20319,7 +20348,7 @@ index 8416beb..99002ca 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3970,31 +5196,30 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +5215,30 @@ interface(`fs_search_tmpfs',`
## </summary>
## </param>
#
@@ -20357,7 +20386,7 @@ index 8416beb..99002ca 100644
')
########################################
-@@ -4105,7 +5330,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4105,7 +5349,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
type tmpfs_t;
')
@@ -20366,7 +20395,7 @@ index 8416beb..99002ca 100644
')
########################################
-@@ -4165,6 +5390,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4165,6 +5409,24 @@ interface(`fs_rw_tmpfs_files',`
########################################
## <summary>
@@ -20391,7 +20420,7 @@ index 8416beb..99002ca 100644
## Read tmpfs link files.
## </summary>
## <param name="domain">
-@@ -4202,7 +5445,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4202,7 +5464,7 @@ interface(`fs_rw_tmpfs_chr_files',`
########################################
## <summary>
@@ -20400,7 +20429,7 @@ index 8416beb..99002ca 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4221,6 +5464,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4221,6 +5483,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
## <summary>
@@ -20461,7 +20490,7 @@ index 8416beb..99002ca 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4278,6 +5575,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4278,6 +5594,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
########################################
## <summary>
@@ -20506,7 +20535,7 @@ index 8416beb..99002ca 100644
## Read and write, create and delete generic
## files on tmpfs filesystems.
## </summary>
-@@ -4297,6 +5632,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4297,6 +5651,25 @@ interface(`fs_manage_tmpfs_files',`
########################################
## <summary>
@@ -20532,7 +20561,7 @@ index 8416beb..99002ca 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
## </summary>
-@@ -4407,6 +5761,25 @@ interface(`fs_search_xenfs',`
+@@ -4407,6 +5780,25 @@ interface(`fs_search_xenfs',`
allow $1 xenfs_t:dir search_dir_perms;
')
@@ -20558,7 +20587,7 @@ index 8416beb..99002ca 100644
########################################
## <summary>
## Create, read, write, and delete directories
-@@ -4503,6 +5876,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +5895,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -20567,7 +20596,7 @@ index 8416beb..99002ca 100644
')
########################################
-@@ -4549,7 +5924,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +5943,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
@@ -20576,7 +20605,7 @@ index 8416beb..99002ca 100644
## Example attributes:
## </p>
## <ul>
-@@ -4596,6 +5971,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +5990,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
########################################
## <summary>
@@ -20603,7 +20632,7 @@ index 8416beb..99002ca 100644
## Get the quotas of all filesystems.
## </summary>
## <param name="domain">
-@@ -4671,6 +6066,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +6085,25 @@ interface(`fs_getattr_all_dirs',`
########################################
## <summary>
@@ -20629,7 +20658,7 @@ index 8416beb..99002ca 100644
## Search all directories with a filesystem type.
## </summary>
## <param name="domain">
-@@ -4912,3 +6326,63 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6345,63 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -20694,7 +20723,7 @@ index 8416beb..99002ca 100644
+ read_files_pattern($1, efivarfs_t, efivarfs_t)
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index e7d1738..7e37941 100644
+index e7d1738..fc52817 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
@@ -20725,7 +20754,7 @@ index e7d1738..7e37941 100644
type bdev_t;
fs_type(bdev_t)
-@@ -63,16 +69,23 @@ fs_type(binfmt_misc_fs_t)
+@@ -63,16 +69,28 @@ fs_type(binfmt_misc_fs_t)
files_mountpoint(binfmt_misc_fs_t)
genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
@@ -20741,6 +20770,11 @@ index e7d1738..7e37941 100644
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
-type cgroup_t;
++type cephfs_t;
++fs_type(cephfs_t)
++files_mountpoint(cephfs_t)
++genfscon ceph / gen_context(system_u:object_r:cephfs_t,s0)
++
+type cgroup_t alias cgroupfs_t;
fs_type(cgroup_t)
files_mountpoint(cgroup_t)
@@ -20750,7 +20784,7 @@ index e7d1738..7e37941 100644
type configfs_t;
fs_type(configfs_t)
-@@ -88,6 +101,11 @@ fs_noxattr_type(ecryptfs_t)
+@@ -88,6 +106,11 @@ fs_noxattr_type(ecryptfs_t)
files_mountpoint(ecryptfs_t)
genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
@@ -20762,7 +20796,7 @@ index e7d1738..7e37941 100644
type futexfs_t;
fs_type(futexfs_t)
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
-@@ -96,6 +114,7 @@ type hugetlbfs_t;
+@@ -96,6 +119,7 @@ type hugetlbfs_t;
fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
@@ -20770,7 +20804,7 @@ index e7d1738..7e37941 100644
type ibmasmfs_t;
fs_type(ibmasmfs_t)
-@@ -111,6 +130,12 @@ type inotifyfs_t;
+@@ -111,6 +135,12 @@ type inotifyfs_t;
fs_type(inotifyfs_t)
genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
@@ -20783,7 +20817,7 @@ index e7d1738..7e37941 100644
type mvfs_t;
fs_noxattr_type(mvfs_t)
allow mvfs_t self:filesystem associate;
-@@ -118,13 +143,18 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+@@ -118,13 +148,18 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
type nfsd_fs_t;
fs_type(nfsd_fs_t)
@@ -20803,7 +20837,7 @@ index e7d1738..7e37941 100644
fs_type(pstore_t)
files_mountpoint(pstore_t)
dev_associate_sysfs(pstore_t)
-@@ -150,17 +180,16 @@ fs_type(spufs_t)
+@@ -150,17 +185,16 @@ fs_type(spufs_t)
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
@@ -20825,7 +20859,7 @@ index e7d1738..7e37941 100644
type vmblock_t;
fs_noxattr_type(vmblock_t)
files_mountpoint(vmblock_t)
-@@ -172,6 +201,8 @@ type vxfs_t;
+@@ -172,6 +206,8 @@ type vxfs_t;
fs_noxattr_type(vxfs_t)
files_mountpoint(vxfs_t)
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@@ -20834,7 +20868,7 @@ index e7d1738..7e37941 100644
#
# tmpfs_t is the type for tmpfs filesystems
-@@ -182,6 +213,8 @@ fs_type(tmpfs_t)
+@@ -182,6 +218,8 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
@@ -20843,7 +20877,7 @@ index e7d1738..7e37941 100644
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
-@@ -261,6 +294,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -261,6 +299,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@@ -20852,7 +20886,7 @@ index e7d1738..7e37941 100644
files_mountpoint(removable_t)
#
-@@ -280,6 +315,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -280,6 +320,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -20860,7 +20894,7 @@ index e7d1738..7e37941 100644
########################################
#
-@@ -301,9 +337,10 @@ fs_associate_noxattr(noxattrfs)
+@@ -301,9 +342,10 @@ fs_associate_noxattr(noxattrfs)
# Unconfined access to this module
#
@@ -36664,7 +36698,7 @@ index 79a45f6..e69fa39 100644
+ allow $1 init_var_lib_t:dir search_dir_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..09abd53 100644
+index 17eda24..f09c5ae 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -36962,7 +36996,7 @@ index 17eda24..09abd53 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +325,252 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +325,256 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -37016,17 +37050,20 @@ index 17eda24..09abd53 100644
+')
+
+optional_policy(`
++ ipa_delete_tmp(init_t)
++')
++
++optional_policy(`
+ iscsi_read_lib_files(init_t)
+ iscsi_manage_lock(init_t)
- ')
-
- optional_policy(`
-- auth_rw_login_records(init_t)
++')
++
++optional_policy(`
+ modutils_domtrans_insmod(init_t)
+ modutils_list_module_config(init_t)
- ')
-
- optional_policy(`
++')
++
++optional_policy(`
+ postfix_exec(init_t)
+ postfix_list_spool(init_t)
+ mta_read_config(init_t)
@@ -37183,13 +37220,14 @@ index 17eda24..09abd53 100644
+optional_policy(`
+ lvm_rw_pipes(init_t)
+ lvm_read_config(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- auth_rw_login_records(init_t)
+ consolekit_manage_log(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
@@ -37197,18 +37235,18 @@ index 17eda24..09abd53 100644
+ optional_policy(`
+ devicekit_dbus_chat_power(init_t)
+ ')
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_use(init_t)
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
+ # The master process of dovecot will manage this file.
+ dovecot_dontaudit_unlink_lib_files(initrc_t)
- ')
-
- optional_policy(`
-- nscd_use(init_t)
++')
++
++optional_policy(`
+ networkmanager_stream_connect(init_t)
+ networkmanager_stream_connect(initrc_t)
+')
@@ -37224,7 +37262,7 @@ index 17eda24..09abd53 100644
')
optional_policy(`
-@@ -216,7 +578,30 @@ optional_policy(`
+@@ -216,7 +582,30 @@ optional_policy(`
')
optional_policy(`
@@ -37256,7 +37294,7 @@ index 17eda24..09abd53 100644
')
########################################
-@@ -225,9 +610,9 @@ optional_policy(`
+@@ -225,9 +614,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -37268,7 +37306,7 @@ index 17eda24..09abd53 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +643,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +647,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -37285,7 +37323,7 @@ index 17eda24..09abd53 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +668,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +672,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -37328,7 +37366,7 @@ index 17eda24..09abd53 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +705,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +709,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -37340,7 +37378,7 @@ index 17eda24..09abd53 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +717,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +721,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -37351,7 +37389,7 @@ index 17eda24..09abd53 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +728,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +732,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -37361,7 +37399,7 @@ index 17eda24..09abd53 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +737,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +741,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -37369,7 +37407,7 @@ index 17eda24..09abd53 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +744,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +748,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -37377,7 +37415,7 @@ index 17eda24..09abd53 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +752,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +756,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -37395,7 +37433,7 @@ index 17eda24..09abd53 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +770,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +774,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -37409,7 +37447,7 @@ index 17eda24..09abd53 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +785,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +789,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -37423,7 +37461,7 @@ index 17eda24..09abd53 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,8 +798,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +802,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -37434,7 +37472,7 @@ index 17eda24..09abd53 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +811,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +815,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -37442,7 +37480,7 @@ index 17eda24..09abd53 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +830,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +834,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -37466,7 +37504,7 @@ index 17eda24..09abd53 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +863,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +867,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -37474,7 +37512,7 @@ index 17eda24..09abd53 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +897,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +901,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -37485,7 +37523,7 @@ index 17eda24..09abd53 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +921,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +925,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -37494,7 +37532,7 @@ index 17eda24..09abd53 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +936,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +940,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -37502,7 +37540,7 @@ index 17eda24..09abd53 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +957,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +961,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -37510,7 +37548,7 @@ index 17eda24..09abd53 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +967,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +971,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -37555,7 +37593,7 @@ index 17eda24..09abd53 100644
')
optional_policy(`
-@@ -559,14 +1012,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1016,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -37587,7 +37625,7 @@ index 17eda24..09abd53 100644
')
')
-@@ -577,6 +1047,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1051,39 @@ ifdef(`distro_suse',`
')
')
@@ -37627,7 +37665,7 @@ index 17eda24..09abd53 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1092,8 @@ optional_policy(`
+@@ -589,6 +1096,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -37636,7 +37674,7 @@ index 17eda24..09abd53 100644
')
optional_policy(`
-@@ -610,6 +1115,7 @@ optional_policy(`
+@@ -610,6 +1119,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -37644,7 +37682,7 @@ index 17eda24..09abd53 100644
')
optional_policy(`
-@@ -626,6 +1132,17 @@ optional_policy(`
+@@ -626,6 +1136,17 @@ optional_policy(`
')
optional_policy(`
@@ -37662,7 +37700,7 @@ index 17eda24..09abd53 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1159,13 @@ optional_policy(`
+@@ -642,9 +1163,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -37676,7 +37714,7 @@ index 17eda24..09abd53 100644
')
optional_policy(`
-@@ -657,15 +1178,11 @@ optional_policy(`
+@@ -657,15 +1182,11 @@ optional_policy(`
')
optional_policy(`
@@ -37694,7 +37732,7 @@ index 17eda24..09abd53 100644
')
optional_policy(`
-@@ -686,6 +1203,15 @@ optional_policy(`
+@@ -686,6 +1207,15 @@ optional_policy(`
')
optional_policy(`
@@ -37710,7 +37748,7 @@ index 17eda24..09abd53 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1252,7 @@ optional_policy(`
+@@ -726,6 +1256,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -37718,7 +37756,7 @@ index 17eda24..09abd53 100644
')
optional_policy(`
-@@ -743,7 +1270,13 @@ optional_policy(`
+@@ -743,7 +1274,13 @@ optional_policy(`
')
optional_policy(`
@@ -37733,7 +37771,7 @@ index 17eda24..09abd53 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1299,10 @@ optional_policy(`
+@@ -766,6 +1303,10 @@ optional_policy(`
')
optional_policy(`
@@ -37744,7 +37782,7 @@ index 17eda24..09abd53 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1312,20 @@ optional_policy(`
+@@ -775,10 +1316,20 @@ optional_policy(`
')
optional_policy(`
@@ -37765,7 +37803,7 @@ index 17eda24..09abd53 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1334,10 @@ optional_policy(`
+@@ -787,6 +1338,10 @@ optional_policy(`
')
optional_policy(`
@@ -37776,7 +37814,7 @@ index 17eda24..09abd53 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1359,6 @@ optional_policy(`
+@@ -808,8 +1363,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -37785,7 +37823,7 @@ index 17eda24..09abd53 100644
')
optional_policy(`
-@@ -818,6 +1367,10 @@ optional_policy(`
+@@ -818,6 +1371,10 @@ optional_policy(`
')
optional_policy(`
@@ -37796,7 +37834,7 @@ index 17eda24..09abd53 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1380,12 @@ optional_policy(`
+@@ -827,10 +1384,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -37809,7 +37847,7 @@ index 17eda24..09abd53 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1412,62 @@ optional_policy(`
+@@ -857,21 +1416,62 @@ optional_policy(`
')
optional_policy(`
@@ -37873,7 +37911,7 @@ index 17eda24..09abd53 100644
')
optional_policy(`
-@@ -887,6 +1483,10 @@ optional_policy(`
+@@ -887,6 +1487,10 @@ optional_policy(`
')
optional_policy(`
@@ -37884,7 +37922,7 @@ index 17eda24..09abd53 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1497,218 @@ optional_policy(`
+@@ -897,3 +1501,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -48133,10 +48171,10 @@ index 0000000..ebd6cc8
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..f799c5b
+index 0000000..0be65c0
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,929 @@
+@@ -0,0 +1,930 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -48809,6 +48847,7 @@ index 0000000..f799c5b
+
+kernel_dgram_send(systemd_hostnamed_t)
+kernel_read_xen_state(systemd_hostnamed_t)
++kernel_read_sysctl(systemd_hostnamed_t)
+
+dev_write_kmsg(systemd_hostnamed_t)
+dev_read_sysfs(systemd_hostnamed_t)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 8a3b713..596ccb2 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -12236,7 +12236,7 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index 550b287..943af3b 100644
+index 550b287..ea704c2 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -12273,7 +12273,7 @@ index 550b287..943af3b 100644
corenet_all_recvfrom_unlabeled(certmonger_t)
corenet_all_recvfrom_netlabel(certmonger_t)
-@@ -49,17 +55,25 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
+@@ -49,17 +55,26 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
corenet_sendrecv_certmaster_client_packets(certmonger_t)
corenet_tcp_connect_certmaster_port(certmonger_t)
@@ -12297,10 +12297,11 @@ index 550b287..943af3b 100644
-files_read_usr_files(certmonger_t)
files_list_tmp(certmonger_t)
+files_list_home(certmonger_t)
++files_dontaudit_write_etc_runtime_files(certmonger_t)
fs_search_cgroup_dirs(certmonger_t)
-@@ -68,18 +82,21 @@ auth_rw_cache(certmonger_t)
+@@ -68,18 +83,21 @@ auth_rw_cache(certmonger_t)
init_getattr_all_script_files(certmonger_t)
@@ -12325,7 +12326,7 @@ index 550b287..943af3b 100644
')
optional_policy(`
-@@ -92,11 +109,58 @@ optional_policy(`
+@@ -92,11 +110,58 @@ optional_policy(`
')
optional_policy(`
@@ -25086,10 +25087,10 @@ index 0000000..b214253
+')
diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644
-index 0000000..73d1b46
+index 0000000..aa290b1
--- /dev/null
+++ b/dirsrv.te
-@@ -0,0 +1,196 @@
+@@ -0,0 +1,200 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
@@ -25243,6 +25244,10 @@ index 0000000..73d1b46
+ uuidd_stream_connect_manager(dirsrv_t)
+')
+
++optional_policy(`
++ systemd_manage_passwd_run(dirsrv_t)
++')
++
+########################################
+#
+# dirsrv-snmp local policy
@@ -29623,7 +29628,7 @@ index 4498143..84a4858 100644
ftp_run_ftpdctl($1, $2)
')
diff --git a/ftp.te b/ftp.te
-index 36838c2..2812a63 100644
+index 36838c2..0a8b621 100644
--- a/ftp.te
+++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
@@ -29669,10 +29674,12 @@ index 36838c2..2812a63 100644
## <desc>
## <p>
-@@ -66,14 +73,6 @@ gen_tunable(ftpd_connect_all_unreserved, false)
+@@ -64,49 +71,6 @@ gen_tunable(ftpd_use_passive_mode, false)
+ ## </desc>
+ gen_tunable(ftpd_connect_all_unreserved, false)
- ## <desc>
- ## <p>
+-## <desc>
+-## <p>
-## Determine whether ftpd can read and write
-## files in user home directories.
-## </p>
@@ -29681,10 +29688,43 @@ index 36838c2..2812a63 100644
-
-## <desc>
-## <p>
- ## Determine whether sftpd can modify
- ## public files used for public file
- ## transfer services. Directories/Files must
-@@ -124,6 +123,9 @@ files_config_file(ftpd_etc_t)
+-## Determine whether sftpd can modify
+-## public files used for public file
+-## transfer services. Directories/Files must
+-## be labeled public_content_rw_t.
+-## </p>
+-## </desc>
+-gen_tunable(sftpd_anon_write, false)
+-
+-## <desc>
+-## <p>
+-## Determine whether sftpd-can read and write
+-## files in user home directories.
+-## </p>
+-## </desc>
+-gen_tunable(sftpd_enable_homedirs, false)
+-
+-## <desc>
+-## <p>
+-## Determine whether sftpd-can login to
+-## local users and read and write all
+-## files on the system, governed by DAC.
+-## </p>
+-## </desc>
+-gen_tunable(sftpd_full_access, false)
+-
+-## <desc>
+-## <p>
+-## Determine whether sftpd can read and write
+-## files in user ssh home directories.
+-## </p>
+-## </desc>
+-gen_tunable(sftpd_write_ssh_home, false)
+-
+ attribute_role ftpdctl_roles;
+
+ type anon_sftpd_t;
+@@ -124,6 +88,9 @@ files_config_file(ftpd_etc_t)
type ftpd_initrc_exec_t;
init_script_file(ftpd_initrc_exec_t)
@@ -29694,7 +29734,7 @@ index 36838c2..2812a63 100644
type ftpd_keytab_t;
files_type(ftpd_keytab_t)
-@@ -184,6 +186,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms;
+@@ -184,6 +151,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms;
allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
@@ -29704,7 +29744,7 @@ index 36838c2..2812a63 100644
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -198,22 +203,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
+@@ -198,22 +168,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
@@ -29731,7 +29771,7 @@ index 36838c2..2812a63 100644
corenet_all_recvfrom_netlabel(ftpd_t)
corenet_tcp_sendrecv_generic_if(ftpd_t)
corenet_udp_sendrecv_generic_if(ftpd_t)
-@@ -229,9 +231,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
+@@ -229,9 +196,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
corenet_sendrecv_ftp_data_server_packets(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
@@ -29745,7 +29785,7 @@ index 36838c2..2812a63 100644
files_read_etc_runtime_files(ftpd_t)
files_search_var_lib(ftpd_t)
-@@ -250,7 +255,6 @@ logging_send_audit_msgs(ftpd_t)
+@@ -250,7 +220,6 @@ logging_send_audit_msgs(ftpd_t)
logging_send_syslog_msg(ftpd_t)
logging_set_loginuid(ftpd_t)
@@ -29753,7 +29793,7 @@ index 36838c2..2812a63 100644
miscfiles_read_public_files(ftpd_t)
seutil_dontaudit_search_config(ftpd_t)
-@@ -259,32 +263,50 @@ sysnet_use_ldap(ftpd_t)
+@@ -259,32 +228,50 @@ sysnet_use_ldap(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
userdom_dontaudit_search_user_home_dirs(ftpd_t)
@@ -29811,7 +29851,7 @@ index 36838c2..2812a63 100644
')
tunable_policy(`ftpd_use_passive_mode',`
-@@ -304,44 +326,24 @@ tunable_policy(`ftpd_connect_db',`
+@@ -304,44 +291,24 @@ tunable_policy(`ftpd_connect_db',`
corenet_sendrecv_mssql_client_packets(ftpd_t)
corenet_tcp_connect_mssql_port(ftpd_t)
corenet_tcp_sendrecv_mssql_port(ftpd_t)
@@ -29861,7 +29901,7 @@ index 36838c2..2812a63 100644
corecmd_exec_shell(ftpd_t)
files_read_usr_files(ftpd_t)
-@@ -363,9 +365,8 @@ optional_policy(`
+@@ -363,9 +330,8 @@ optional_policy(`
optional_policy(`
selinux_validate_context(ftpd_t)
@@ -29872,7 +29912,7 @@ index 36838c2..2812a63 100644
kerberos_use(ftpd_t)
')
-@@ -416,21 +417,20 @@ optional_policy(`
+@@ -416,86 +382,39 @@ optional_policy(`
#
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -29893,10 +29933,15 @@ index 36838c2..2812a63 100644
#
-files_read_etc_files(anon_sftpd_t)
-
+-
miscfiles_read_public_files(anon_sftpd_t)
-@@ -443,23 +443,34 @@ tunable_policy(`sftpd_anon_write',`
+-tunable_policy(`sftpd_anon_write',`
+- miscfiles_manage_public_files(anon_sftpd_t)
+-')
+-
+ ########################################
+ #
# Sftpd local policy
#
@@ -29905,26 +29950,12 @@ index 36838c2..2812a63 100644
userdom_read_user_home_content_files(sftpd_t)
userdom_read_user_home_content_symlinks(sftpd_t)
+userdom_dontaudit_list_admin_dir(sftpd_t)
-+
-+tunable_policy(`sftpd_full_access',`
-+ allow sftpd_t self:capability { dac_override dac_read_search };
-+ fs_read_noxattr_fs_files(sftpd_t)
-+ files_manage_non_security_dirs(sftpd_t)
-+ files_manage_non_security_files(sftpd_t)
-+')
-+
-+optional_policy(`
-+ tunable_policy(`sftpd_write_ssh_home',`
-+ ssh_manage_home_files(sftpd_t)
-+ ')
-+')
-+
+
+-tunable_policy(`sftpd_enable_homedirs',`
+- allow sftpd_t self:capability { dac_override dac_read_search };
+userdom_filetrans_home_content(sftpd_t)
+userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
- tunable_policy(`sftpd_enable_homedirs',`
- allow sftpd_t self:capability { dac_override dac_read_search };
-
userdom_manage_user_home_content_dirs(sftpd_t)
userdom_manage_user_home_content_files(sftpd_t)
- userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
@@ -29934,22 +29965,35 @@ index 36838c2..2812a63 100644
-',`
- userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
- userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
- ')
+-')
+-
+-tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(sftpd_t)
+- fs_manage_nfs_files(sftpd_t)
+- fs_manage_nfs_symlinks(sftpd_t)
+-')
- tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -481,21 +492,8 @@ tunable_policy(`sftpd_anon_write',`
- tunable_policy(`sftpd_full_access',`
- allow sftpd_t self:capability { dac_override dac_read_search };
- fs_read_noxattr_fs_files(sftpd_t)
-- files_manage_non_auth_files(sftpd_t)
-+ files_manage_non_security_files(sftpd_t)
- ')
+-tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+- fs_manage_cifs_dirs(sftpd_t)
+- fs_manage_cifs_files(sftpd_t)
+- fs_manage_cifs_symlinks(sftpd_t)
+-')
++userdom_home_reader(sftpd_t)
+-tunable_policy(`sftpd_anon_write',`
+- miscfiles_manage_public_files(sftpd_t)
+-')
+-
+-tunable_policy(`sftpd_full_access',`
+- allow sftpd_t self:capability { dac_override dac_read_search };
+- fs_read_noxattr_fs_files(sftpd_t)
+- files_manage_non_auth_files(sftpd_t)
+-')
+-
-tunable_policy(`sftpd_write_ssh_home',`
- ssh_manage_home_files(sftpd_t)
-')
-+userdom_home_reader(sftpd_t)
-
+-
-tunable_policy(`use_samba_home_dirs',`
- fs_list_cifs(sftpd_t)
- fs_read_cifs_files(sftpd_t)
@@ -36215,10 +36259,10 @@ index 0000000..2277038
+')
diff --git a/gssproxy.te b/gssproxy.te
new file mode 100644
-index 0000000..bbd5979
+index 0000000..dc1385d
--- /dev/null
+++ b/gssproxy.te
-@@ -0,0 +1,68 @@
+@@ -0,0 +1,70 @@
+policy_module(gssproxy, 1.0.0)
+
+########################################
@@ -36266,6 +36310,8 @@ index 0000000..bbd5979
+
+files_read_etc_files(gssproxy_t)
+
++fs_getattr_all_fs(gssproxy_t)
++
+auth_use_nsswitch(gssproxy_t)
+
+dev_read_urand(gssproxy_t)
@@ -38026,10 +38072,10 @@ index 0000000..e1ddda0
+
diff --git a/ipa.if b/ipa.if
new file mode 100644
-index 0000000..904782d
+index 0000000..ee3a606
--- /dev/null
+++ b/ipa.if
-@@ -0,0 +1,178 @@
+@@ -0,0 +1,197 @@
+## <summary>Policy for IPA services.</summary>
+
+########################################
@@ -38208,12 +38254,31 @@ index 0000000..904782d
+
+ files_pid_filetrans($1, ipa_var_run_t, file, $2)
+')
++
++########################################
++## <summary>
++## Allow domain to manage ipa tmp files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ipa_delete_tmp',`
++ gen_require(`
++ type ipa_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ allow $1 ipa_tmp_t:file unlink;
++')
diff --git a/ipa.te b/ipa.te
new file mode 100644
-index 0000000..5fad85e
+index 0000000..3ca42f7
--- /dev/null
+++ b/ipa.te
-@@ -0,0 +1,195 @@
+@@ -0,0 +1,199 @@
+policy_module(ipa, 1.0.0)
+
+########################################
@@ -38393,6 +38458,10 @@ index 0000000..5fad85e
+sysnet_read_config(ipa_dnskey_t)
+
+optional_policy(`
++ apache_search_config(ipa_dnskey_t)
++')
++
++optional_policy(`
+ bind_domtrans_ndc(ipa_dnskey_t)
+ bind_read_dnssec_keys(ipa_dnskey_t)
+ bind_manage_zone(ipa_dnskey_t)
@@ -63471,10 +63540,10 @@ index 0000000..08d0e79
+/var/opendnssec(/.*)? gen_context(system_u:object_r:opendnssec_var_t,s0)
diff --git a/opendnssec.if b/opendnssec.if
new file mode 100644
-index 0000000..fb0141d
+index 0000000..eac3932
--- /dev/null
+++ b/opendnssec.if
-@@ -0,0 +1,206 @@
+@@ -0,0 +1,208 @@
+
+## <summary>policy for opendnssec</summary>
+
@@ -63533,6 +63602,7 @@ index 0000000..fb0141d
+ ')
+
+ files_search_etc($1)
++ allow $1 opendnssec_conf_t:dir list_dir_perms;
+ allow $1 opendnssec_conf_t:file read_file_perms;
+')
+
@@ -63553,6 +63623,7 @@ index 0000000..fb0141d
+ ')
+
+ files_search_etc($1)
++ allow $1 opendnssec_conf_t:dir manage_dir_perms;
+ allow $1 opendnssec_conf_t:file manage_file_perms;
+')
+
@@ -96494,7 +96565,7 @@ index cd6c213..372c7bb 100644
+ ')
')
diff --git a/sanlock.te b/sanlock.te
-index 0045465..7afb413 100644
+index 0045465..5080a66 100644
--- a/sanlock.te
+++ b/sanlock.te
@@ -6,25 +6,37 @@ policy_module(sanlock, 1.1.0)
@@ -96581,7 +96652,7 @@ index 0045465..7afb413 100644
logging_log_filetrans(sanlock_t, sanlock_log_t, file)
manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
-@@ -65,13 +84,16 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
+@@ -65,13 +84,18 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
kernel_read_system_state(sanlock_t)
kernel_read_kernel_sysctls(sanlock_t)
@@ -96592,6 +96663,8 @@ index 0045465..7afb413 100644
+files_read_mnt_symlinks(sanlock_t)
+
++fs_rw_cephfs_files(sanlock_t)
++
storage_raw_rw_fixed_disk(sanlock_t)
+dev_read_rand(sanlock_t)
@@ -96601,7 +96674,7 @@ index 0045465..7afb413 100644
auth_use_nsswitch(sanlock_t)
init_read_utmp(sanlock_t)
-@@ -79,20 +101,29 @@ init_dontaudit_write_utmp(sanlock_t)
+@@ -79,20 +103,29 @@ init_dontaudit_write_utmp(sanlock_t)
logging_send_syslog_msg(sanlock_t)
@@ -96640,7 +96713,7 @@ index 0045465..7afb413 100644
')
optional_policy(`
-@@ -100,7 +131,34 @@ optional_policy(`
+@@ -100,7 +133,34 @@ optional_policy(`
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ab37315..f12dbb0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 192%{?dist}
+Release: 193%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -647,6 +647,17 @@ exit 0
%endif
%changelog
+* Mon May 30 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-193
+- Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te
+- Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs
+- Allow gssproxy to get attributes on all filesystem object types. BZ(1333778)
+- Allow ipa_dnskey_t search httpd config files.
+- Dontaudit certmonger to write to etc_runtime_t
+- Update opendnssec_read_conf() interface to allow caller domain also read opendnssec_conf_t dirs.
+- Add interface ipa_delete_tmp()
+- Allow systemd_hostanmed_t to read /proc/sysinfo labeled as sysctl_t.
+- Allow systemd to remove ipa temp files during uinstalling ipa. BZ(1333106)
+
* Wed May 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-192
- Create new SELinux type for /usr/libexec/ipa/ipa-dnskeysyncd BZ(1333106)
- Add SELinux policy for opendnssec service. BZ(1333106)