diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index f7031bd..0f02a50 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -3466,7 +3466,7 @@ index 7590165..d81185e 100644
 +	fs_mounton_fusefs(seunshare_domain)
  ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 33e0f8d..d41bb39 100644
+index 33e0f8d..e16fba2 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -3728,13 +3728,12 @@ index 33e0f8d..d41bb39 100644
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -280,10 +343,15 @@ ifdef(`distro_gentoo',`
+@@ -280,10 +343,14 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/cluster/SAPDatabase	--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/cluster/SAPInstance	--	gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/cluster/fence_scsi_check\.pl	--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/cluster/checkquorum.*	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -3744,7 +3743,7 @@ index 33e0f8d..d41bb39 100644
  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -298,16 +366,22 @@ ifdef(`distro_gentoo',`
+@@ -298,16 +365,22 @@ ifdef(`distro_gentoo',`
  /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
@@ -3769,7 +3768,7 @@ index 33e0f8d..d41bb39 100644
  
  ifdef(`distro_debian',`
  /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -325,20 +399,27 @@ ifdef(`distro_redhat', `
+@@ -325,20 +398,27 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -3798,7 +3797,7 @@ index 33e0f8d..d41bb39 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -346,6 +427,7 @@ ifdef(`distro_redhat', `
+@@ -346,6 +426,7 @@ ifdef(`distro_redhat', `
  /usr/share/ssl/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -3806,7 +3805,7 @@ index 33e0f8d..d41bb39 100644
  /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
-@@ -387,17 +469,34 @@ ifdef(`distro_suse', `
+@@ -387,17 +468,34 @@ ifdef(`distro_suse', `
  #
  # /var
  #
@@ -10085,7 +10084,7 @@ index 6a1e4d1..26e5558 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..e8da15e 100644
+index cf04cb5..e9c1427 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -10238,7 +10237,7 @@ index cf04cb5..e8da15e 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +242,365 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +242,369 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -10379,6 +10378,10 @@ index cf04cb5..e8da15e 100644
 +')
 +
 +optional_policy(`
++    iptables_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
 +	kerberos_filetrans_named_content(named_filetrans_domain)
 +')
 +
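Review bot: The added `iptables_filetrans_named_content(named_filetrans_domain)` line is indented with four spaces, while the neighbouring call inside the next `optional_policy` block, `kerberos_filetrans_named_content(named_filetrans_domain)`, uses a tab. The same four-space indent appears on `iptables_filetrans_named_content(sysadm_t)` in the sysadm.te hunk and on `snmp_read_snmp_var_lib_files(openhpid_t)` in the openhpid.te hunk of policy-rawhide-contrib.patch. Re-indent all three with a single tab so the policy source stays consistent and later refreshes of this patch do not pick up whitespace-only changes.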
@@ -22428,7 +22431,7 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6..f2029b6 100644
+index 2522ca6..0371f63 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1)
@@ -22634,7 +22637,7 @@ index 2522ca6..f2029b6 100644
  	fstools_run(sysadm_t, sysadm_r)
  ')
  
-@@ -175,6 +249,13 @@ optional_policy(`
+@@ -175,10 +249,27 @@ optional_policy(`
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -22648,23 +22651,21 @@ index 2522ca6..f2029b6 100644
  ')
  
  optional_policy(`
-@@ -182,6 +263,15 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+	irc_role(sysadm_r, sysadm_t)
+ 	iptables_run(sysadm_t, sysadm_r)
++    iptables_filetrans_named_content(sysadm_t)
 +')
 +
 +optional_policy(`
-+	kerberos_exec_kadmind(sysadm_t)
-+	kerberos_filetrans_named_content(sysadm_t)
++	irc_role(sysadm_r, sysadm_t)
 +')
 +
 +optional_policy(`
- 	kudzu_run(sysadm_t, sysadm_r)
++	kerberos_exec_kadmind(sysadm_t)
++	kerberos_filetrans_named_content(sysadm_t)
  ')
  
-@@ -190,11 +280,12 @@ optional_policy(`
+ optional_policy(`
+@@ -190,11 +281,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22679,7 +22680,7 @@ index 2522ca6..f2029b6 100644
  ')
  
  optional_policy(`
-@@ -210,22 +301,20 @@ optional_policy(`
+@@ -210,22 +302,20 @@ optional_policy(`
  	modutils_run_depmod(sysadm_t, sysadm_r)
  	modutils_run_insmod(sysadm_t, sysadm_r)
  	modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -22708,7 +22709,7 @@ index 2522ca6..f2029b6 100644
  ')
  
  optional_policy(`
-@@ -237,14 +326,28 @@ optional_policy(`
+@@ -237,14 +327,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22737,7 +22738,7 @@ index 2522ca6..f2029b6 100644
  ')
  
  optional_policy(`
-@@ -252,10 +355,20 @@ optional_policy(`
+@@ -252,10 +356,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22758,7 +22759,7 @@ index 2522ca6..f2029b6 100644
  	portage_run(sysadm_t, sysadm_r)
  	portage_run_fetch(sysadm_t, sysadm_r)
  	portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -266,35 +379,41 @@ optional_policy(`
+@@ -266,35 +380,41 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22807,7 +22808,7 @@ index 2522ca6..f2029b6 100644
  ')
  
  optional_policy(`
-@@ -308,6 +427,7 @@ optional_policy(`
+@@ -308,6 +428,7 @@ optional_policy(`
  
  optional_policy(`
  	screen_role_template(sysadm, sysadm_r, sysadm_t)
@@ -22815,7 +22816,7 @@ index 2522ca6..f2029b6 100644
  ')
  
  optional_policy(`
-@@ -315,12 +435,20 @@ optional_policy(`
+@@ -315,12 +436,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22837,7 +22838,7 @@ index 2522ca6..f2029b6 100644
  ')
  
  optional_policy(`
-@@ -345,30 +473,37 @@ optional_policy(`
+@@ -345,30 +474,37 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22884,7 +22885,7 @@ index 2522ca6..f2029b6 100644
  ')
  
  optional_policy(`
-@@ -380,10 +515,6 @@ optional_policy(`
+@@ -380,10 +516,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22895,7 +22896,7 @@ index 2522ca6..f2029b6 100644
  	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
  	usermanage_run_groupadd(sysadm_t, sysadm_r)
  	usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -391,6 +522,9 @@ optional_policy(`
+@@ -391,6 +523,9 @@ optional_policy(`
  
  optional_policy(`
  	virt_stream_connect(sysadm_t)
@@ -22905,7 +22906,7 @@ index 2522ca6..f2029b6 100644
  ')
  
  optional_policy(`
-@@ -398,31 +532,34 @@ optional_policy(`
+@@ -398,31 +533,34 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22946,7 +22947,7 @@ index 2522ca6..f2029b6 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -435,10 +572,6 @@ ifndef(`distro_redhat',`
+@@ -435,10 +573,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -22957,7 +22958,7 @@ index 2522ca6..f2029b6 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  
  		optional_policy(`
-@@ -459,15 +592,79 @@ ifndef(`distro_redhat',`
+@@ -459,15 +593,79 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -35737,7 +35738,7 @@ index 73a1c4e..ec4c7c7 100644
 +
 +/var/run/xtables.*       --  gen_context(system_u:object_r:iptables_var_run_t,s0)
 diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
-index c42fbc3..277fe6c 100644
+index c42fbc3..bf211db 100644
 --- a/policy/modules/system/iptables.if
 +++ b/policy/modules/system/iptables.if
 @@ -17,10 +17,6 @@ interface(`iptables_domtrans',`
@@ -35782,6 +35783,28 @@ index c42fbc3..277fe6c 100644
  #####################################
  ## <summary>
  ##	Set the attributes of iptables config files.
+@@ -163,3 +183,21 @@ interface(`iptables_manage_config',`
+ 	files_search_etc($1)
+ 	manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
+ ')
++
++########################################
++## <summary>
++##	Transition to iptables named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`iptables_filetrans_named_content',`
++	gen_require(`
++		type iptables_var_run_t;
++	')
++
++	files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
++')
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
 index be8ed1e..3c2729f 100644
 --- a/policy/modules/system/iptables.te
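Review bot: The summary for `iptables_filetrans_named_content` reads only "Transition to iptables named content", which does not tell a caller that the rule covers exactly one name, `"xtables.lock"`, passed to `files_pid_filetrans`. The file-context entry visible earlier in this patch is the wider `/var/run/xtables.*`, so a differently named file matching that pattern would presumably still be created with the parent directory's type by these callers and need a relabel. I would reword the summary along the lines of `##	Create the xtables.lock pid file with the iptables_var_run_t type.` and describe the parameter as the domain that receives the file transition. The three trailing context lines of this hunk already belong to the following iptables.te section.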
@@ -44649,10 +44672,10 @@ index 0000000..cde0261
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..dff8d54
+index 0000000..8209291
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,723 @@
+@@ -0,0 +1,725 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -44780,6 +44803,8 @@ index 0000000..dff8d54
 +manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
 +manage_sock_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
 +
++systemd_start_power_services(systemd_logind_t)
++
 +dev_getattr_all_chr_files(systemd_logind_t)
 +dev_getattr_all_blk_files(systemd_logind_t)
 +dev_rw_sysfs(systemd_logind_t)
@@ -45674,7 +45699,7 @@ index 9a1650d..d7e8a01 100644
  
  ########################################
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 39f185f..125f7fe 100644
+index 39f185f..5658ab4 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
 @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -45712,17 +45737,18 @@ index 39f185f..125f7fe 100644
  allow udev_t self:process { execmem setfscreate };
  allow udev_t self:fd use;
  allow udev_t self:fifo_file rw_fifo_file_perms;
-@@ -53,7 +54,9 @@ allow udev_t self:unix_stream_socket { listen accept };
+@@ -53,7 +54,10 @@ allow udev_t self:unix_stream_socket { listen accept };
  allow udev_t self:unix_dgram_socket sendto;
  allow udev_t self:unix_stream_socket connectto;
  allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
 +allow udev_t self:netlink_generic_socket create_socket_perms;
  allow udev_t self:rawip_socket create_socket_perms;
 +allow udev_t self:netlink_socket create_socket_perms;
++allow udev_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
  
  allow udev_t udev_exec_t:file write;
  can_exec(udev_t, udev_exec_t)
-@@ -64,31 +67,39 @@ can_exec(udev_t, udev_helper_exec_t)
+@@ -64,31 +68,39 @@ can_exec(udev_t, udev_helper_exec_t)
  # read udev config
  allow udev_t udev_etc_t:file read_file_perms;
  
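Review bot: The added `allow udev_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };` grants `nlmsg_write`, the permission that lets a domain change routing and interface state rather than only read it, with no comment saying why. networkmanager.te in the contrib patch writes the same kind of grant as `create_netlink_socket_perms`; that macro appears to expand to the same set, so `allow udev_t self:netlink_route_socket create_netlink_socket_perms;` would match the existing style. udev.te already cites a Bugzilla URL above `kernel_rw_net_sysctls(udev_t)`, and a similar one-line reference to the denial that required write access would fit here. If only read access was seen in the AVC, `r_netlink_socket_perms` is the tighter grant.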
@@ -45769,7 +45795,7 @@ index 39f185f..125f7fe 100644
  
  #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
  kernel_rw_net_sysctls(udev_t)
-@@ -99,6 +110,7 @@ corecmd_exec_all_executables(udev_t)
+@@ -99,6 +111,7 @@ corecmd_exec_all_executables(udev_t)
  
  dev_rw_sysfs(udev_t)
  dev_manage_all_dev_nodes(udev_t)
@@ -45777,7 +45803,7 @@ index 39f185f..125f7fe 100644
  dev_rw_generic_files(udev_t)
  dev_delete_generic_files(udev_t)
  dev_search_usbfs(udev_t)
-@@ -107,23 +119,31 @@ dev_relabel_all_dev_nodes(udev_t)
+@@ -107,23 +120,31 @@ dev_relabel_all_dev_nodes(udev_t)
  # preserved, instead of short circuiting the relabel
  dev_relabel_generic_symlinks(udev_t)
  dev_manage_generic_symlinks(udev_t)
@@ -45813,7 +45839,7 @@ index 39f185f..125f7fe 100644
  
  mls_file_read_all_levels(udev_t)
  mls_file_write_all_levels(udev_t)
-@@ -145,17 +165,20 @@ auth_use_nsswitch(udev_t)
+@@ -145,17 +166,20 @@ auth_use_nsswitch(udev_t)
  init_read_utmp(udev_t)
  init_dontaudit_write_utmp(udev_t)
  init_getattr_initctl(udev_t)
@@ -45835,7 +45861,7 @@ index 39f185f..125f7fe 100644
  
  seutil_read_config(udev_t)
  seutil_read_default_contexts(udev_t)
-@@ -169,9 +192,13 @@ sysnet_read_dhcpc_pid(udev_t)
+@@ -169,9 +193,13 @@ sysnet_read_dhcpc_pid(udev_t)
  sysnet_delete_dhcpc_pid(udev_t)
  sysnet_signal_dhcpc(udev_t)
  sysnet_manage_config(udev_t)
@@ -45850,7 +45876,7 @@ index 39f185f..125f7fe 100644
  
  ifdef(`distro_debian',`
  	files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
-@@ -195,16 +222,9 @@ ifdef(`distro_gentoo',`
+@@ -195,16 +223,9 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -45869,7 +45895,7 @@ index 39f185f..125f7fe 100644
  
  	# for arping used for static IP addresses on PCMCIA ethernet
  	netutils_domtrans(udev_t)
-@@ -242,6 +262,7 @@ optional_policy(`
+@@ -242,6 +263,7 @@ optional_policy(`
  
  optional_policy(`
  	cups_domtrans_config(udev_t)
@@ -45877,7 +45903,7 @@ index 39f185f..125f7fe 100644
  ')
  
  optional_policy(`
-@@ -249,17 +270,31 @@ optional_policy(`
+@@ -249,17 +271,31 @@ optional_policy(`
  	dbus_use_system_bus_fds(udev_t)
  
  	optional_policy(`
@@ -45911,7 +45937,7 @@ index 39f185f..125f7fe 100644
  ')
  
  optional_policy(`
-@@ -289,6 +324,10 @@ optional_policy(`
+@@ -289,6 +325,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45922,7 +45948,7 @@ index 39f185f..125f7fe 100644
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -303,6 +342,15 @@ optional_policy(`
+@@ -303,6 +343,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45938,7 +45964,7 @@ index 39f185f..125f7fe 100644
  	unconfined_signal(udev_t)
  ')
  
-@@ -315,6 +363,7 @@ optional_policy(`
+@@ -315,6 +364,7 @@ optional_policy(`
  	kernel_read_xen_state(udev_t)
  	xen_manage_log(udev_t)
  	xen_read_image_files(udev_t)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index e6c90eb..56e5efb 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -9476,7 +9476,7 @@ index 531a8f2..0b86f2f 100644
 +	allow $1 named_unit_file_t:service all_service_perms;
  ')
 diff --git a/bind.te b/bind.te
-index 1241123..e196b89 100644
+index 1241123..cce7112 100644
 --- a/bind.te
 +++ b/bind.te
 @@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -9520,7 +9520,11 @@ index 1241123..e196b89 100644
  logging_log_filetrans(named_t, named_log_t, file)
  
  manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
-@@ -115,7 +117,6 @@ kernel_read_network_state(named_t)
+@@ -112,10 +114,10 @@ read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
+ kernel_read_kernel_sysctls(named_t)
+ kernel_read_system_state(named_t)
+ kernel_read_network_state(named_t)
++kernel_read_net_sysctls(named_t)
  
  corecmd_search_bin(named_t)
  
@@ -9528,7 +9532,7 @@ index 1241123..e196b89 100644
  corenet_all_recvfrom_netlabel(named_t)
  corenet_tcp_sendrecv_generic_if(named_t)
  corenet_udp_sendrecv_generic_if(named_t)
-@@ -144,6 +145,7 @@ corenet_tcp_sendrecv_all_ports(named_t)
+@@ -144,6 +146,7 @@ corenet_tcp_sendrecv_all_ports(named_t)
  dev_read_sysfs(named_t)
  dev_read_rand(named_t)
  dev_read_urand(named_t)
@@ -9536,7 +9540,7 @@ index 1241123..e196b89 100644
  
  domain_use_interactive_fds(named_t)
  
-@@ -175,6 +177,19 @@ tunable_policy(`named_write_master_zones',`
+@@ -175,6 +178,19 @@ tunable_policy(`named_write_master_zones',`
  ')
  
  optional_policy(`
@@ -9556,7 +9560,7 @@ index 1241123..e196b89 100644
  	dbus_system_domain(named_t, named_exec_t)
  
  	init_dbus_chat_script(named_t)
-@@ -187,7 +202,13 @@ optional_policy(`
+@@ -187,7 +203,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -9570,7 +9574,7 @@ index 1241123..e196b89 100644
  	kerberos_use(named_t)
  ')
  
-@@ -215,7 +236,8 @@ optional_policy(`
+@@ -215,7 +237,8 @@ optional_policy(`
  #
  
  allow ndc_t self:capability { dac_override net_admin };
@@ -9580,7 +9584,7 @@ index 1241123..e196b89 100644
  allow ndc_t self:fifo_file rw_fifo_file_perms;
  allow ndc_t self:unix_stream_socket { accept listen };
  
-@@ -229,10 +251,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+@@ -229,10 +252,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
  
  allow ndc_t named_zone_t:dir search_dir_perms;
  
@@ -9592,7 +9596,7 @@ index 1241123..e196b89 100644
  corenet_all_recvfrom_netlabel(ndc_t)
  corenet_tcp_sendrecv_generic_if(ndc_t)
  corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -242,6 +263,9 @@ corenet_tcp_bind_generic_node(ndc_t)
+@@ -242,6 +264,9 @@ corenet_tcp_bind_generic_node(ndc_t)
  corenet_tcp_connect_rndc_port(ndc_t)
  corenet_sendrecv_rndc_client_packets(ndc_t)
  
@@ -9602,7 +9606,7 @@ index 1241123..e196b89 100644
  domain_use_interactive_fds(ndc_t)
  
  files_search_pids(ndc_t)
-@@ -257,7 +281,7 @@ init_use_script_ptys(ndc_t)
+@@ -257,7 +282,7 @@ init_use_script_ptys(ndc_t)
  
  logging_send_syslog_msg(ndc_t)
  
@@ -12985,7 +12989,7 @@ index 0000000..5955ff0
 +	gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
 +')
 diff --git a/chronyd.fc b/chronyd.fc
-index 4e4143e..16d23e1 100644
+index 4e4143e..36ee9e1 100644
 --- a/chronyd.fc
 +++ b/chronyd.fc
 @@ -1,13 +1,17 @@
@@ -13003,8 +13007,9 @@ index 4e4143e..16d23e1 100644
  
  /var/log/chrony(/.*)?	gen_context(system_u:object_r:chronyd_var_log_t,s0)
  
- /var/run/chronyd(/.*)	gen_context(system_u:object_r:chronyd_var_run_t,s0)
-+/var/run/chrony-helper(/.*)	gen_context(system_u:object_r:chronyd_var_run_t,s0)
+-/var/run/chronyd(/.*)	gen_context(system_u:object_r:chronyd_var_run_t,s0)
++/var/run/chronyd(/.*)?	gen_context(system_u:object_r:chronyd_var_run_t,s0)
++/var/run/chrony-helper(/.*)?	gen_context(system_u:object_r:chronyd_var_run_t,s0)
  /var/run/chronyd\.pid	--	gen_context(system_u:object_r:chronyd_var_run_t,s0)
  /var/run/chronyd\.sock	-s	gen_context(system_u:object_r:chronyd_var_run_t,s0)
 diff --git a/chronyd.if b/chronyd.if
@@ -57241,7 +57246,7 @@ index 86dc29d..7380935 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..b84767b 100644
+index 55f2009..4a29f9c 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -9,15 +9,18 @@ type NetworkManager_t;
@@ -57266,7 +57271,7 @@ index 55f2009..b84767b 100644
  type NetworkManager_log_t;
  logging_log_file(NetworkManager_log_t)
  
-@@ -39,25 +42,55 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -39,25 +42,56 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
  # Local policy
  #
  
@@ -57298,6 +57303,7 @@ index 55f2009..b84767b 100644
 -allow NetworkManager_t self:unix_stream_socket { accept listen };
 +allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
 +allow NetworkManager_t self:unix_stream_socket{ create_stream_socket_perms connectto };
++allow NetworkManager_t self:netlink_generic_socket create_socket_perms;
  allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
 +allow NetworkManager_t self:netlink_xfrm_socket create_netlink_socket_perms;
  allow NetworkManager_t self:netlink_socket create_socket_perms;
@@ -57331,7 +57337,7 @@ index 55f2009..b84767b 100644
  manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
  manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
  filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
-@@ -68,6 +101,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
+@@ -68,6 +102,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
  setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
  logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
  
@@ -57339,7 +57345,7 @@ index 55f2009..b84767b 100644
  manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -81,17 +115,15 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
+@@ -81,17 +116,15 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
  manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
  files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
  
@@ -57359,7 +57365,7 @@ index 55f2009..b84767b 100644
  corenet_all_recvfrom_netlabel(NetworkManager_t)
  corenet_tcp_sendrecv_generic_if(NetworkManager_t)
  corenet_udp_sendrecv_generic_if(NetworkManager_t)
-@@ -102,36 +134,24 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
+@@ -102,36 +135,24 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
  corenet_tcp_sendrecv_all_ports(NetworkManager_t)
  corenet_udp_sendrecv_all_ports(NetworkManager_t)
  corenet_udp_bind_generic_node(NetworkManager_t)
@@ -57401,7 +57407,7 @@ index 55f2009..b84767b 100644
  fs_getattr_all_fs(NetworkManager_t)
  fs_search_auto_mountpoints(NetworkManager_t)
  fs_list_inotifyfs(NetworkManager_t)
-@@ -140,18 +160,36 @@ mls_file_read_all_levels(NetworkManager_t)
+@@ -140,18 +161,36 @@ mls_file_read_all_levels(NetworkManager_t)
  
  selinux_dontaudit_search_fs(NetworkManager_t)
  
@@ -57439,7 +57445,7 @@ index 55f2009..b84767b 100644
  
  seutil_read_config(NetworkManager_t)
  
-@@ -166,21 +204,34 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +205,34 @@ sysnet_kill_dhcpc(NetworkManager_t)
  sysnet_read_dhcpc_state(NetworkManager_t)
  sysnet_delete_dhcpc_state(NetworkManager_t)
  sysnet_search_dhcp_state(NetworkManager_t)
@@ -57478,7 +57484,7 @@ index 55f2009..b84767b 100644
  ')
  
  optional_policy(`
-@@ -196,10 +247,6 @@ optional_policy(`
+@@ -196,10 +248,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57489,7 +57495,7 @@ index 55f2009..b84767b 100644
  	consoletype_exec(NetworkManager_t)
  ')
  
-@@ -210,16 +257,11 @@ optional_policy(`
+@@ -210,16 +258,11 @@ optional_policy(`
  optional_policy(`
  	dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
  
@@ -57508,7 +57514,7 @@ index 55f2009..b84767b 100644
  	')
  ')
  
-@@ -231,10 +273,17 @@ optional_policy(`
+@@ -231,10 +274,17 @@ optional_policy(`
  	dnsmasq_kill(NetworkManager_t)
  	dnsmasq_signal(NetworkManager_t)
  	dnsmasq_signull(NetworkManager_t)
@@ -57527,7 +57533,7 @@ index 55f2009..b84767b 100644
  ')
  
  optional_policy(`
-@@ -246,10 +295,26 @@ optional_policy(`
+@@ -246,10 +296,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57554,7 +57560,7 @@ index 55f2009..b84767b 100644
  ')
  
  optional_policy(`
-@@ -257,15 +322,19 @@ optional_policy(`
+@@ -257,15 +323,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57576,7 +57582,7 @@ index 55f2009..b84767b 100644
  ')
  
  optional_policy(`
-@@ -274,10 +343,17 @@ optional_policy(`
+@@ -274,10 +344,17 @@ optional_policy(`
  	nscd_signull(NetworkManager_t)
  	nscd_kill(NetworkManager_t)
  	nscd_initrc_domtrans(NetworkManager_t)
@@ -57594,7 +57600,7 @@ index 55f2009..b84767b 100644
  ')
  
  optional_policy(`
-@@ -286,9 +362,12 @@ optional_policy(`
+@@ -286,9 +363,12 @@ optional_policy(`
  	openvpn_kill(NetworkManager_t)
  	openvpn_signal(NetworkManager_t)
  	openvpn_signull(NetworkManager_t)
@@ -57607,7 +57613,7 @@ index 55f2009..b84767b 100644
  	policykit_domtrans_auth(NetworkManager_t)
  	policykit_read_lib(NetworkManager_t)
  	policykit_read_reload(NetworkManager_t)
-@@ -296,7 +375,7 @@ optional_policy(`
+@@ -296,7 +376,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57616,7 +57622,7 @@ index 55f2009..b84767b 100644
  ')
  
  optional_policy(`
-@@ -307,6 +386,7 @@ optional_policy(`
+@@ -307,6 +387,7 @@ optional_policy(`
  	ppp_signal(NetworkManager_t)
  	ppp_signull(NetworkManager_t)
  	ppp_read_config(NetworkManager_t)
@@ -57624,7 +57630,7 @@ index 55f2009..b84767b 100644
  ')
  
  optional_policy(`
-@@ -320,14 +400,21 @@ optional_policy(`
+@@ -320,14 +401,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57651,7 +57657,7 @@ index 55f2009..b84767b 100644
  ')
  
  optional_policy(`
-@@ -357,6 +444,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -357,6 +445,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
  init_dontaudit_use_fds(wpa_cli_t)
  init_use_script_ptys(wpa_cli_t)
  
@@ -62320,10 +62326,10 @@ index 0000000..598789a
 +
 diff --git a/openhpid.te b/openhpid.te
 new file mode 100644
-index 0000000..ade6576
+index 0000000..2cb47c8
 --- /dev/null
 +++ b/openhpid.te
-@@ -0,0 +1,52 @@
+@@ -0,0 +1,59 @@
 +policy_module(openhpid, 1.0.0)
 +
 +########################################
@@ -62365,8 +62371,11 @@ index 0000000..ade6576
 +manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t)
 +files_pid_filetrans(openhpid_t, openhpid_var_run_t, { file })
 +
++kernel_read_system_state(openhpid_t)
++
 +corenet_tcp_bind_generic_node(openhpid_t)
 +corenet_tcp_bind_openhpid_port(openhpid_t)
++corenet_tcp_connect_http_port(openhpid_t)
 +
 +dev_read_urand(openhpid_t)
 +dev_rw_watchdog(openhpid_t)
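Review bot: `corenet_tcp_connect_http_port(openhpid_t)` gives the daemon unconditional outbound TCP access to every port labelled as an http port, and nothing in the hunk says which feature needs it. rhcs.te in this same patch declares a `fenced_can_network_connect` tunable for fenced; a similar boolean here, or at least a comment such as `# needed by <plugin>, see <bug reference>`, would let administrators who do not use that feature keep the domain off the network. The added `kernel_read_system_state(openhpid_t)` line is a read-only grant and raises no concern.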
@@ -62376,6 +62385,10 @@ index 0000000..ade6576
 +miscfiles_read_generic_certs(openhpid_t)
 +
 +sysnet_read_config(openhpid_t)
++
++optional_policy(`
++    snmp_read_snmp_var_lib_files(openhpid_t)
++')
 diff --git a/openshift-origin.fc b/openshift-origin.fc
 new file mode 100644
 index 0000000..30ca148
@@ -64677,7 +64690,7 @@ index 9b15730..cb00f20 100644
 +	')
  ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 44dbc99..eb8d420 100644
+index 44dbc99..ba23186 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
 @@ -9,11 +9,8 @@ type openvswitch_t;
@@ -64742,7 +64755,7 @@ index 44dbc99..eb8d420 100644
  manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
  logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
  
-@@ -65,33 +68,46 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
+@@ -65,33 +68,47 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
  manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
  files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
  
@@ -64787,6 +64800,7 @@ index 44dbc99..eb8d420 100644
 +modutils_exec_insmod(openvswitch_t)
 +modutils_list_module_config(openvswitch_t)
 +modutils_read_module_config(openvswitch_t)
++modutils_read_module_deps(openvswitch_t)
  
  sysnet_dns_name_resolve(openvswitch_t)
  
@@ -83435,7 +83449,7 @@ index c8a1e16..2d409bf 100644
  	xen_domtrans_xm(rgmanager_t)
  ')
 diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..9ecda11 100644
+index 47de2d6..dfb3396 100644
 --- a/rhcs.fc
 +++ b/rhcs.fc
 @@ -1,31 +1,95 @@
@@ -83528,7 +83542,7 @@ index 47de2d6..9ecda11 100644
 +
 +/usr/share/corosync/corosync    --  gen_context(system_u:object_r:cluster_exec_t,s0)
 +
-+/usr/share/cluster/fence_scsi_check.*   --  gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/share/cluster/fence_scsi_check\.pl   --  gen_context(system_u:object_r:fenced_exec_t,s0)
 +
 +/usr/lib/pcsd/pcsd          --  gen_context(system_u:object_r:cluster_exec_t,s0)
 +
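Review bot: Narrowing the `fenced_exec_t` entry from `/usr/share/cluster/fence_scsi_check.*` to `/usr/share/cluster/fence_scsi_check\.pl` means any other file in that directory whose name starts with `fence_scsi_check` no longer receives `fenced_exec_t`. Together with the removal of the competing `bin_t` entry from corecommands.fc in the base patch this settles the label of the `.pl` script, but the shipped packages should be checked for sibling scripts, for instance one without the `.pl` suffix, that relied on the wildcard. If one exists, add a second explicit entry for it rather than restoring `.*`.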
@@ -84405,7 +84419,7 @@ index c8bdea2..29df561 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
  ')
 diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..9d253c3 100644
+index 6cf79c4..2c7b543 100644
 --- a/rhcs.te
 +++ b/rhcs.te
 @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -84854,7 +84868,7 @@ index 6cf79c4..9d253c3 100644
  ')
  
  optional_policy(`
-@@ -203,6 +502,17 @@ optional_policy(`
+@@ -203,6 +502,21 @@ optional_policy(`
  	snmp_manage_var_lib_dirs(fenced_t)
  ')
  
@@ -84869,10 +84883,14 @@ index 6cf79c4..9d253c3 100644
 +	watchdog_unconfined_exec_read_lnk_files(fenced_t)
 +')
 +
++optional_policy(`
++	gnome_dontaudit_search_config(fenced_t)
++')
++
  #######################################
  #
  # foghorn local policy
-@@ -221,16 +531,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+@@ -221,16 +535,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
  corenet_tcp_connect_agentx_port(foghorn_t)
  corenet_tcp_sendrecv_agentx_port(foghorn_t)
  
@@ -84893,7 +84911,7 @@ index 6cf79c4..9d253c3 100644
  	snmp_stream_connect(foghorn_t)
  ')
  
-@@ -247,16 +559,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_
+@@ -247,16 +563,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_
  stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
  stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
  
@@ -84915,7 +84933,7 @@ index 6cf79c4..9d253c3 100644
  optional_policy(`
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +591,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +595,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
  
  dev_list_sysfs(groupd_t)
  
@@ -84975,7 +84993,7 @@ index 6cf79c4..9d253c3 100644
  ######################################
  #
  # qdiskd local policy
-@@ -292,7 +655,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+@@ -292,7 +659,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
  manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
  files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
  
@@ -84983,7 +85001,7 @@ index 6cf79c4..9d253c3 100644
  kernel_read_software_raid_state(qdiskd_t)
  kernel_getattr_core_if(qdiskd_t)
  
-@@ -321,6 +683,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +687,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
  
  auth_use_nsswitch(qdiskd_t)
  
@@ -93700,37 +93718,44 @@ index 0000000..7a8e744
 +userdom_dontaudit_open_user_ptys(sandbox_x_domain)
 +
 diff --git a/sanlock.fc b/sanlock.fc
-index 3df2a0f..4eb82b8 100644
+index 3df2a0f..7264d8a 100644
 --- a/sanlock.fc
 +++ b/sanlock.fc
-@@ -1,7 +1,12 @@
+@@ -1,7 +1,18 @@
 +
  /etc/rc\.d/init\.d/sanlock	--	gen_context(system_u:object_r:sanlock_initrc_exec_t,s0)
  
 -/usr/sbin/sanlock	--	gen_context(system_u:object_r:sanlock_exec_t,s0)
-+/etc/sanlock(/.*)?               gen_context(system_u:object_r:sanlock_conf_t,s0)
++/etc/sanlock(/.*)?			gen_context(system_u:object_r:sanlock_conf_t,s0)
 +
 +/var/run/sanlock(/.*)?			gen_context(system_u:object_r:sanlock_var_run_t,s0)
++ 
++/var/run/sanlk-resetd(/.*)?		gen_context(system_u:object_r:sanlock_var_run_t,s0)
 +
 +/var/log/sanlock\.log.*			gen_context(system_u:object_r:sanlock_log_t,s0)
++
++/usr/sbin/sanlock		--	gen_context(system_u:object_r:sanlock_exec_t,s0)
++
++/usr/sbin/sanlk-resetd		--	gen_context(system_u:object_r:sanlk_resetd_exec_t,s0)
  
 -/var/run/sanlock(/.*)?	gen_context(system_u:object_r:sanlock_var_run_t,s0)
-+/usr/sbin/sanlock		--	gen_context(system_u:object_r:sanlock_exec_t,s0)
++/usr/lib/systemd/system/sanlock\.service	--	gen_context(system_u:object_r:sanlock_unit_file_t,s0)
  
 -/var/log/sanlock\.log.*	--	gen_context(system_u:object_r:sanlock_log_t,s0)
-+/usr/lib/systemd/system/sanlock\.service -- gen_context(system_u:object_r:sanlock_unit_file_t,s0)
++/usr/lib/systemd/system/sanlk-resetd\.service	--	gen_context(system_u:object_r:sanlk_resetd_unit_file_t,s0)
 diff --git a/sanlock.if b/sanlock.if
-index cd6c213..82a5ff0 100644
+index cd6c213..372c7bb 100644
 --- a/sanlock.if
 +++ b/sanlock.if
-@@ -1,4 +1,5 @@
+@@ -1,4 +1,6 @@
 -## <summary>shared storage lock manager.</summary>
 +
-+## <summary>policy for sanlock</summary>
++## <summary>Sanlock - lock manager built on shared storage.</summary>
++
  
  ########################################
  ## <summary>
-@@ -15,18 +16,17 @@ interface(`sanlock_domtrans',`
+@@ -15,18 +17,17 @@ interface(`sanlock_domtrans',`
  		type sanlock_t, sanlock_exec_t;
  	')
  
@@ -93752,7 +93777,7 @@ index cd6c213..82a5ff0 100644
  ##	</summary>
  ## </param>
  #
-@@ -40,8 +40,7 @@ interface(`sanlock_initrc_domtrans',`
+@@ -40,8 +41,7 @@ interface(`sanlock_initrc_domtrans',`
  
  ######################################
  ## <summary>
@@ -93762,7 +93787,7 @@ index cd6c213..82a5ff0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -60,28 +59,51 @@ interface(`sanlock_manage_pid_files',`
+@@ -60,28 +60,51 @@ interface(`sanlock_manage_pid_files',`
  
  ########################################
  ## <summary>
@@ -93823,7 +93848,7 @@ index cd6c213..82a5ff0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -97,21 +119,23 @@ interface(`sanlock_stream_connect',`
+@@ -97,21 +120,125 @@ interface(`sanlock_stream_connect',`
  #
  interface(`sanlock_admin',`
  	gen_require(`
@@ -93846,20 +93871,120 @@ index cd6c213..82a5ff0 100644
  	role_transition $2 sanlock_initrc_exec_t system_r;
  	allow $2 system_r;
  
--	files_search_pids($1)
--	admin_pattern($1, sanlock_var_run_t)
--
--	logging_search_logs($1)
--	admin_pattern($1, sanlock_log_t)
 +	virt_systemctl($1)
 +	admin_pattern($1, sanlock_unit_file_t)
 +	allow $1 sanlock_unit_file_t:service all_service_perms;
++')
++
++########################################
++## <summary>
++##	Execute sanlk_resetd_exec_t in the sanlk_resetd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`sanlock_domtrans_sanlk_resetd',`
++	gen_require(`
++		type sanlk_resetd_t, sanlk_resetd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, sanlk_resetd_exec_t, sanlk_resetd_t)
++')
++
++######################################
++## <summary>
++##	Execute sanlk_resetd in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`sanlock_exec_sanlk_resetd',`
++	gen_require(`
++		type sanlk_resetd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	can_exec($1, sanlk_resetd_exec_t)
++')
++
++########################################
++## <summary>
++##	Execute sanlk_resetd server in the sanlk_resetd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`sanlock_systemctl_sanlk_resetd',`
++	gen_require(`
++		type sanlk_resetd_t;
++		type sanlk_resetd_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++        systemd_read_fifo_file_passwd_run($1)
++	allow $1 sanlk_resetd_unit_file_t:file read_file_perms;
++	allow $1 sanlk_resetd_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, sanlk_resetd_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an sanlk_resetd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`sanlock_admin_sanlk_resetd',`
++	gen_require(`
++		type sanlk_resetd_t;
++	type sanlk_resetd_unit_file_t;
++	type sanlk_resetd_unit_file_t;
++	')
++
++	allow $1 sanlk_resetd_t:process { signal_perms };
++	ps_process_pattern($1, sanlk_resetd_t)
++
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 sanlk_resetd_t:process ptrace;
++    ')
++
+ 	files_search_pids($1)
+-	admin_pattern($1, sanlock_var_run_t)
+ 
+-	logging_search_logs($1)
+-	admin_pattern($1, sanlock_log_t)
++	sanlk_resetd_systemctl($1)
++	admin_pattern($1, sanlk_resetd_unit_file_t)
++	allow $1 sanlk_resetd_unit_file_t:service all_service_perms;
++
++	sanlk_resetd_systemctl($1)
++	admin_pattern($1, sanlk_resetd_unit_file_t)
++	allow $1 sanlk_resetd_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
  ')
 diff --git a/sanlock.te b/sanlock.te
-index 0045465..2059657 100644
+index 0045465..7afb413 100644
 --- a/sanlock.te
 +++ b/sanlock.te
-@@ -6,25 +6,33 @@ policy_module(sanlock, 1.1.0)
+@@ -6,25 +6,37 @@ policy_module(sanlock, 1.1.0)
  #
  
  ## <desc>
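Review bot: In the new `sanlock_admin_sanlk_resetd` interface the call `sanlk_resetd_systemctl($1)` names an interface that this hunk does not define; the one added just above it is `sanlock_systemctl_sanlk_resetd`. Unless `sanlk_resetd_systemctl` exists elsewhere, the call should read `sanlock_systemctl_sanlk_resetd($1)`, otherwise the first caller of the admin interface would hit an unexpanded macro. The three-line group of that call, `admin_pattern($1, sanlk_resetd_unit_file_t)` and the `all_service_perms` allow rule appears twice in a row, and `type sanlk_resetd_unit_file_t;` is listed twice in the `gen_require`; one copy of each is enough. The summary of `sanlock_systemctl_sanlk_resetd` still reads "Execute sanlk_resetd server in the sanlk_resetd domain" with a "Domain allowed to transition" parameter, although the body grants systemctl control of the unit file, so a summary such as `Control the sanlk_resetd service through systemctl.` with `Domain allowed access.` would describe it correctly.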
@@ -93895,23 +94020,30 @@ index 0045465..2059657 100644
  type sanlock_exec_t;
  init_daemon_domain(sanlock_t, sanlock_exec_t)
  
++type sanlk_resetd_t;
++type sanlk_resetd_exec_t;
++init_daemon_domain(sanlk_resetd_t, sanlk_resetd_exec_t)
++
 +type sanlock_conf_t;
 +files_config_file(sanlock_conf_t)
 +
  type sanlock_var_run_t;
  files_pid_file(sanlock_var_run_t)
  
-@@ -34,6 +42,9 @@ logging_log_file(sanlock_log_t)
+@@ -34,6 +46,12 @@ logging_log_file(sanlock_log_t)
  type sanlock_initrc_exec_t;
  init_script_file(sanlock_initrc_exec_t)
  
 +type sanlock_unit_file_t;
 +systemd_unit_file(sanlock_unit_file_t)
 +
++type sanlk_resetd_unit_file_t;
++systemd_unit_file(sanlk_resetd_unit_file_t)
++
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -44,17 +55,18 @@ ifdef(`enable_mls',`
+@@ -44,17 +62,18 @@ ifdef(`enable_mls',`
  
  ########################################
  #
@@ -93925,18 +94057,18 @@ index 0045465..2059657 100644
  allow sanlock_t self:fifo_file rw_fifo_file_perms;
 -allow sanlock_t self:unix_stream_socket { accept listen };
 +allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_files_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t)
-+manage_dirs_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t)
  
 -append_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
 -create_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
 -setattr_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
++manage_files_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t)
++manage_dirs_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t)
++
 +manage_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
  logging_log_filetrans(sanlock_t, sanlock_log_t, file)
  
  manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
-@@ -65,13 +77,16 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
+@@ -65,13 +84,16 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
  kernel_read_system_state(sanlock_t)
  kernel_read_kernel_sysctls(sanlock_t)
  
@@ -93956,7 +94088,7 @@ index 0045465..2059657 100644
  auth_use_nsswitch(sanlock_t)
  
  init_read_utmp(sanlock_t)
-@@ -79,20 +94,29 @@ init_dontaudit_write_utmp(sanlock_t)
+@@ -79,20 +101,29 @@ init_dontaudit_write_utmp(sanlock_t)
  
  logging_send_syslog_msg(sanlock_t)
  
@@ -93995,7 +94127,7 @@ index 0045465..2059657 100644
  ')
  
  optional_policy(`
-@@ -100,7 +124,10 @@ optional_policy(`
+@@ -100,7 +131,34 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -94007,6 +94139,30 @@ index 0045465..2059657 100644
 -	virt_signal_all_virt_domains(sanlock_t)
 +	virt_signal_svirt(sanlock_t)
 +	virt_read_pid_files(sanlock_t)
++')
++
++########################################
++#
++# sanlk_resetd local policy
++#
++
++allow sanlk_resetd_t self:capability dac_override;
++allow sanlk_resetd_t self:fifo_file rw_fifo_file_perms;
++allow sanlk_resetd_t sanlock_t:unix_stream_socket connectto;
++
++manage_dirs_pattern(sanlk_resetd_t, sanlock_var_run_t, sanlock_var_run_t)
++manage_files_pattern(sanlk_resetd_t, sanlock_var_run_t, sanlock_var_run_t)
++manage_sock_files_pattern(sanlk_resetd_t, sanlock_var_run_t, sanlock_var_run_t)
++files_pid_filetrans(sanlk_resetd_t, sanlock_var_run_t, dir)
++
++kernel_dgram_send(sanlk_resetd_t)
++
++domain_use_interactive_fds(sanlk_resetd_t)
++
++logging_send_syslog_msg(sanlk_resetd_t)
++
++optional_policy(`
++        wdmd_stream_connect(sanlk_resetd_t)
  ')
 diff --git a/sasl.fc b/sasl.fc
 index 54f41c2..7e58679 100644
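Review bot: The sanlk_resetd local policy gives the new domain `dac_override` and full manage rights on `sanlock_var_run_t`, the type sanlock_t uses for its own pid files and sockets, so the reset daemon can create, replace or delete sanlock's runtime files. If sanlk-resetd only needs its own /var/run/sanlk-resetd directory and a connection to sanlock's socket (this hunk does not show which), a dedicated run type plus a `stream_connect_pattern` keeps the two domains separated. The /var/run/sanlk-resetd entry in the earlier sanlock.fc hunk would then need the new type too. The `dac_override` line should also carry a comment naming the path that requires it, so a later audit can tell whether it is still needed. The type name in the sketch is a proposal, not an existing type.

```selinux
# proposed type; needs a matching /var/run/sanlk-resetd(/.*)? entry in sanlock.fc
type sanlk_resetd_var_run_t;
files_pid_file(sanlk_resetd_var_run_t)

# … unchanged: capability and fifo_file rules …

# replaces the bare connectto rule and the manage rights on sanlock_var_run_t
stream_connect_pattern(sanlk_resetd_t, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)

manage_dirs_pattern(sanlk_resetd_t, sanlk_resetd_var_run_t, sanlk_resetd_var_run_t)
manage_files_pattern(sanlk_resetd_t, sanlk_resetd_var_run_t, sanlk_resetd_var_run_t)
manage_sock_files_pattern(sanlk_resetd_t, sanlk_resetd_var_run_t, sanlk_resetd_var_run_t)
files_pid_filetrans(sanlk_resetd_t, sanlk_resetd_var_run_t, dir)

# … unchanged: kernel_dgram_send, interactive fds, syslog, wdmd optional block …
```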
@@ -94579,7 +94735,7 @@ index e7c2cf7..435aaa6 100644
 +/var/run/screen(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
 +/var/run/tmux(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
 diff --git a/screen.if b/screen.if
-index be5cce2..a7a8a67 100644
+index be5cce2..b81f5df 100644
 --- a/screen.if
 +++ b/screen.if
 @@ -1,4 +1,4 @@
@@ -94600,7 +94756,7 @@ index be5cce2..a7a8a67 100644
  	')
  
  	########################################
-@@ -35,50 +34,52 @@ template(`screen_role_template',`
+@@ -35,50 +34,53 @@ template(`screen_role_template',`
  	#
  
  	type $1_screen_t, screen_domain;
@@ -94620,6 +94776,7 @@ index be5cce2..a7a8a67 100644
 -	#
 -	# Local policy
 -	#
++    userdom_list_user_home_dirs($1_screen_t)
 +	userdom_home_reader($1_screen_t)
  
  	domtrans_pattern($3, screen_exec_t, $1_screen_t)
@@ -94675,7 +94832,7 @@ index be5cce2..a7a8a67 100644
  
  	tunable_policy(`use_samba_home_dirs',`
  		fs_cifs_domtrans($1_screen_t, $3)
-@@ -88,3 +89,41 @@ template(`screen_role_template',`
+@@ -88,3 +90,41 @@ template(`screen_role_template',`
  		fs_nfs_domtrans($1_screen_t, $3)
  	')
  ')
@@ -112411,7 +112568,7 @@ index eecd0e0..8df2e8c 100644
  
  /var/run/watchdog\.pid	--	gen_context(system_u:object_r:watchdog_var_run_t,s0)
 diff --git a/watchdog.if b/watchdog.if
-index 6461a77..146852e 100644
+index 6461a77..8fda2dd 100644
 --- a/watchdog.if
 +++ b/watchdog.if
 @@ -37,3 +37,21 @@ interface(`watchdog_admin',`
@@ -112434,7 +112591,7 @@ index 6461a77..146852e 100644
 +		type watchdog_unconfined_exec_t;
 +	')
 +
-+	allow $1 watchdog_unconfined_exec_t:lnk_file read_lnk_file_perms;
++    read_lnk_files_pattern($1,watchdog_unconfined_exec_t, watchdog_unconfined_exec_t)
 +')
 diff --git a/watchdog.te b/watchdog.te
 index 3548317..fc3da17 100644
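Review bot: The replacement line in `watchdog_unconfined_exec_read_lnk_files` is indented with spaces and has no space after the first comma, while the surrounding lines use a single tab. Written as `read_lnk_files_pattern($1, watchdog_unconfined_exec_t, watchdog_unconfined_exec_t)` behind one tab it matches the rest of the file. The pattern also grants directory search on `watchdog_unconfined_exec_t`, as the changelog entry says. The interface summary starts outside this hunk and should mention that extra permission, so callers know the interface now allows more than reading the link.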
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d345fdb..fa117a0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 146%{?dist}
+Release: 147%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -651,6 +651,23 @@ exit 0
 %endif
 
 %changelog
+* Mon Sep 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-147
+- named wants to access /proc/sys/net/ipv4/ip_local_port_range to get ehphemeral range. BZ(#1260272)
+- Allow user screen domains to list directorires in HOMEDIR wit user_home_t labeling.
+- Dontaudit fenced search gnome config
+- Allow teamd running as NetworkManager_t to access netlink_generic_socket to allow multiple network interfaces to be teamed together. BZ(#1259180)
+- Fix for watchdog_unconfined_exec_read_lnk_files, Add also dir search perms in watchdog_unconfined_exec_t.
+- Sanlock policy update. #1255307   - New sub-domain for sanlk-reset daemon
+- Fix labeling for fence_scsi_check script
+- Allow openhpid to read system state Aloow openhpid to connect to tcp http port.
+- Allow openhpid to read snmp var lib files.
+- Allow openvswitch_t domains read kernel dependencies due to openvswitch run modprobe
+- Fix regexp in chronyd.fc file
+- systemd-logind needs to be able to act with /usr/lib/systemd/system/poweroff.target to allow shutdown system. BZ(#1260175)
+- Allow systemd-udevd to access netlink_route_socket to change names for network interfaces without unconfined.pp module. It affects also MLS.
+- Allow unconfined_t domains to create /var/run/xtables.lock with iptables_var_run_t
+- Remove bin_t label for /usr/share/cluster/fence_scsi_check\.pl
+
 * Tue Sep 01 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-146
 - Allow passenger to getattr filesystem xattr
 - Revert "Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc."