diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 1601045..619e58c 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1802,7 +1802,7 @@ index c6ca761..0c86bfd 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index c44c359..bb78970 100644
+index c44c359..e679c18 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
@@ -1857,11 +1857,15 @@ index c44c359..bb78970 100644
fs_getattr_xattr_fs(netutils_t)
-@@ -82,10 +86,9 @@ auth_use_nsswitch(netutils_t)
+@@ -80,12 +84,12 @@ init_use_script_ptys(netutils_t)
- logging_send_syslog_msg(netutils_t)
+ auth_use_nsswitch(netutils_t)
+
+-logging_send_syslog_msg(netutils_t)
++libs_use_ld_so(netutils_t)
-miscfiles_read_localization(netutils_t)
++logging_send_syslog_msg(netutils_t)
term_dontaudit_use_console(netutils_t)
-userdom_use_user_terminals(netutils_t)
@@ -1869,7 +1873,7 @@ index c44c359..bb78970 100644
userdom_use_all_users_fds(netutils_t)
optional_policy(`
-@@ -110,11 +113,10 @@ allow ping_t self:capability { setuid net_raw };
+@@ -110,11 +114,10 @@ allow ping_t self:capability { setuid net_raw };
allow ping_t self:process { getcap setcap };
dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms;
@@ -1883,7 +1887,7 @@ index c44c359..bb78970 100644
corenet_all_recvfrom_netlabel(ping_t)
corenet_tcp_sendrecv_generic_if(ping_t)
corenet_raw_sendrecv_generic_if(ping_t)
-@@ -124,6 +126,9 @@ corenet_raw_bind_generic_node(ping_t)
+@@ -124,6 +127,9 @@ corenet_raw_bind_generic_node(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)
fs_dontaudit_getattr_xattr_fs(ping_t)
@@ -1893,7 +1897,7 @@ index c44c359..bb78970 100644
domain_use_interactive_fds(ping_t)
-@@ -131,14 +136,13 @@ files_read_etc_files(ping_t)
+@@ -131,14 +137,13 @@ files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t)
kernel_read_system_state(ping_t)
@@ -1911,7 +1915,7 @@ index c44c359..bb78970 100644
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
-@@ -149,11 +153,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -149,11 +154,25 @@ ifdef(`hide_broken_symptoms',`
')
')
@@ -1937,7 +1941,7 @@ index c44c359..bb78970 100644
pcmcia_use_cardmgr_fds(ping_t)
')
-@@ -161,6 +179,15 @@ optional_policy(`
+@@ -161,6 +180,15 @@ optional_policy(`
hotplug_use_fds(ping_t)
')
@@ -1953,7 +1957,7 @@ index c44c359..bb78970 100644
########################################
#
# Traceroute local policy
-@@ -174,7 +201,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
+@@ -174,7 +202,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
@@ -1961,7 +1965,7 @@ index c44c359..bb78970 100644
corenet_all_recvfrom_netlabel(traceroute_t)
corenet_tcp_sendrecv_generic_if(traceroute_t)
corenet_udp_sendrecv_generic_if(traceroute_t)
-@@ -198,6 +224,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -198,6 +225,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
@@ -1969,7 +1973,7 @@ index c44c359..bb78970 100644
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
-@@ -206,11 +233,17 @@ auth_use_nsswitch(traceroute_t)
+@@ -206,11 +234,17 @@ auth_use_nsswitch(traceroute_t)
logging_send_syslog_msg(traceroute_t)
@@ -2752,7 +2756,7 @@ index 99e3903..fa68362 100644
##
##
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1d732f1..6a6da75 100644
+index 1d732f1..f6ff7aa 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t;
@@ -3127,10 +3131,10 @@ index 1d732f1..6a6da75 100644
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
-userdom_manage_user_home_dirs(useradd_t)
- userdom_home_filetrans_user_home_dir(useradd_t)
+-userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_manage_user_home_content_dirs(useradd_t)
-userdom_manage_user_home_content_files(useradd_t)
--userdom_home_filetrans_user_home_dir(useradd_t)
+ userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
+userdom_manage_home_role(system_r, useradd_t)
+userdom_delete_all_user_home_content(useradd_t)
@@ -3148,7 +3152,15 @@ index 1d732f1..6a6da75 100644
optional_policy(`
apache_manage_all_user_content(useradd_t)
')
-@@ -549,10 +593,19 @@ optional_policy(`
+@@ -545,14 +589,27 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ kerberos_manage_kdc_var_lib(useradd_t)
++')
++
++optional_policy(`
+ nscd_run(useradd_t, useradd_roles)
')
optional_policy(`
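Review bot: The new `kerberos_manage_kdc_var_lib(useradd_t)` block gives useradd_t create, write and delete access to the KDC's /var/lib content without saying why. A comment above the call naming the caller that needs it, e.g. `# <tool/reason placeholder>: useradd must write KDC data under /var/lib`, would let a later reviewer judge whether the full manage interface is still required or whether a read/search variant would do. The surrounding optional_policy list continues outside the hunk.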
@@ -3168,7 +3180,7 @@ index 1d732f1..6a6da75 100644
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)
')
-@@ -562,3 +615,12 @@ optional_policy(`
+@@ -562,3 +619,12 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
@@ -6035,7 +6047,7 @@ index 3f6e168..340e49f 100644
')
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..1f28afb 100644
+index b31c054..d500876 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@
@@ -6068,7 +6080,7 @@ index b31c054..1f28afb 100644
/dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
/dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
-@@ -61,7 +66,8 @@
+@@ -61,8 +66,10 @@
/dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
@@ -6076,9 +6088,11 @@ index b31c054..1f28afb 100644
+/dev/media.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/mei -c gen_context(system_u:object_r:mei_device_t,s0)
/dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
++/dev/memory_bandwidth -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -72,6 +78,7 @@
+ /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
+@@ -72,6 +79,7 @@
/dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0)
@@ -6086,7 +6100,7 @@ index b31c054..1f28afb 100644
/dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
/dev/net/vhost -c gen_context(system_u:object_r:vhost_device_t,s0)
-@@ -80,6 +87,8 @@
+@@ -80,6 +88,8 @@
/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0)
/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
/dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
@@ -6095,7 +6109,7 @@ index b31c054..1f28afb 100644
/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
/dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -90,6 +99,7 @@
+@@ -90,6 +100,7 @@
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
/dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0)
@@ -6103,7 +6117,7 @@ index b31c054..1f28afb 100644
/dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
-@@ -106,6 +116,7 @@
+@@ -106,6 +117,7 @@
/dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0)
/dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
@@ -6111,10 +6125,11 @@ index b31c054..1f28afb 100644
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
/dev/uinput -c gen_context(system_u:object_r:event_device_t,s0)
-@@ -118,6 +129,11 @@
+@@ -118,6 +130,12 @@
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
')
++/dev/vhci -c gen_context(system_u:object_r:vhost_device_t,s0)
+/dev/vchiq -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vc-mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/vfio/(vfio)?[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0)
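Review bot: `/dev/vhci` is labelled vhost_device_t, the same type this file uses for `/dev/vhost-net`. If this node is the Bluetooth virtual-HCI device (hci_vhci) rather than a vhost backend, every domain granted the vhost device interfaces (typically the virtualization domains) also gets read/write on a Bluetooth controller interface, which is broader than either side needs. A dedicated type, or at minimum a comment such as `# vhci: Bluetooth virtual HCI, deliberately shares vhost_device_t`, would make the intent explicit.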
@@ -6123,7 +6138,7 @@ index b31c054..1f28afb 100644
/dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -129,12 +145,14 @@ ifdef(`distro_suse', `
+@@ -129,12 +147,14 @@ ifdef(`distro_suse', `
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0)
@@ -6138,7 +6153,7 @@ index b31c054..1f28afb 100644
/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
-@@ -172,6 +190,8 @@ ifdef(`distro_suse', `
+@@ -172,6 +192,8 @@ ifdef(`distro_suse', `
/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -6147,7 +6162,7 @@ index b31c054..1f28afb 100644
/dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -198,12 +218,27 @@ ifdef(`distro_debian',`
+@@ -198,12 +220,27 @@ ifdef(`distro_debian',`
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
@@ -6178,7 +6193,7 @@ index b31c054..1f28afb 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..99f01e2 100644
+index 76f285e..450a2b7 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -7727,7 +7742,32 @@ index 76f285e..99f01e2 100644
## Read and write VMWare devices.
##
##
-@@ -4762,6 +5715,44 @@ interface(`dev_rw_xserver_misc',`
+@@ -4630,6 +5583,24 @@ interface(`dev_write_watchdog',`
+
+ ########################################
+ ##
++## RW to watchdog devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_watchdog',`
++ gen_require(`
++ type device_t, watchdog_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, watchdog_device_t)
++')
++
++########################################
++##
+ ## Read and write the the wireless device.
+ ##
+ ##
+@@ -4762,6 +5733,44 @@ interface(`dev_rw_xserver_misc',`
########################################
##
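Review bot: The summary of the new `dev_rw_watchdog` interface reads `## RW to watchdog devices.`, while the neighbouring interfaces use full verbs (`dev_write_watchdog` above it, `Read and write ...` below it), so `## Read and write watchdog devices.` keeps the generated interface documentation consistent. The body itself follows the rw_chr_files_pattern form used by the other device interfaces in this file.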
@@ -7772,7 +7812,7 @@ index 76f285e..99f01e2 100644
## Read and write to the zero device (/dev/zero).
##
##
-@@ -4851,3 +5842,966 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5860,966 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -9190,7 +9230,7 @@ index 6a1e4d1..26e5558 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..ed54d58 100644
+index cf04cb5..e8da15e 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -9343,7 +9383,7 @@ index cf04cb5..ed54d58 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +242,361 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +242,365 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -9363,6 +9403,10 @@ index cf04cb5..ed54d58 100644
+ kdump_filetrans_named_content(unconfined_domain_type)
+')
+
++optional_policy(`
++ fstools_filetrans_named_content_fsadm(named_filetrans_domain)
++')
++
+#optional_policy(`
+# docker_filetrans_named_content(named_filetrans_domain)
+#')
@@ -21446,7 +21490,7 @@ index ff92430..36740ea 100644
##
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6..85c5be2 100644
+index 2522ca6..f2029b6 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1)
@@ -21855,7 +21899,7 @@ index 2522ca6..85c5be2 100644
')
optional_policy(`
-@@ -345,7 +473,18 @@ optional_policy(`
+@@ -345,30 +473,37 @@ optional_policy(`
')
optional_policy(`
@@ -21868,35 +21912,41 @@ index 2522ca6..85c5be2 100644
+ systemd_login_reboot(sysadm_t)
+ systemd_login_halt(sysadm_t)
+ systemd_login_undefined(sysadm_t)
-+')
-+
-+optional_policy(`
-+ tftp_filetrans_named_content(sysadm_t)
')
optional_policy(`
-@@ -356,19 +495,11 @@ optional_policy(`
+- tripwire_run_siggen(sysadm_t, sysadm_r)
+- tripwire_run_tripwire(sysadm_t, sysadm_r)
+- tripwire_run_twadmin(sysadm_t, sysadm_r)
+- tripwire_run_twprint(sysadm_t, sysadm_r)
++ systemd_exec_sysctl(sysadm_t)
')
optional_policy(`
- tvtime_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
- tzdata_domtrans(sysadm_t)
++ tftp_filetrans_named_content(sysadm_t)
+ ')
+
+ optional_policy(`
+- tzdata_domtrans(sysadm_t)
++ tripwire_run_siggen(sysadm_t, sysadm_r)
++ tripwire_run_tripwire(sysadm_t, sysadm_r)
++ tripwire_run_twadmin(sysadm_t, sysadm_r)
++ tripwire_run_twprint(sysadm_t, sysadm_r)
')
optional_policy(`
- uml_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
++ tzdata_domtrans(sysadm_t)
+ ')
+
+ optional_policy(`
- unconfined_domtrans(sysadm_t)
+ udev_run(sysadm_t, sysadm_r)
')
optional_policy(`
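Review bot: `systemd_exec_sysctl(sysadm_t)` runs systemd-sysctl inside sysadm_t rather than through the `systemd_domtrans_sysctl` interface that this same patch adds to systemd.if, so any sysctl writes it performs are authorised by sysadm_t's own rules and audited under that domain. If that is intended (an administrator invoking it by hand), a one-line comment such as `# run systemd-sysctl in the admin domain; no transition wanted` above the call would stop a later reader swapping it for the domtrans. The optional_policy list continues past the end of the hunk.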
-@@ -380,10 +511,6 @@ optional_policy(`
+@@ -380,10 +515,6 @@ optional_policy(`
')
optional_policy(`
@@ -21907,7 +21957,7 @@ index 2522ca6..85c5be2 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -391,6 +518,9 @@ optional_policy(`
+@@ -391,6 +522,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -21917,7 +21967,7 @@ index 2522ca6..85c5be2 100644
')
optional_policy(`
-@@ -398,31 +528,34 @@ optional_policy(`
+@@ -398,31 +532,34 @@ optional_policy(`
')
optional_policy(`
@@ -21958,7 +22008,7 @@ index 2522ca6..85c5be2 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -435,10 +568,6 @@ ifndef(`distro_redhat',`
+@@ -435,10 +572,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21969,7 +22019,7 @@ index 2522ca6..85c5be2 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -459,15 +588,79 @@ ifndef(`distro_redhat',`
+@@ -459,15 +592,79 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -30557,10 +30607,10 @@ index 948ce2a..8cab8ae 100644
+
+/var/run/blkid(/.*)? gen_context(system_u:object_r:fsadm_var_run_t,s0)
diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
-index 016a770..1effeb4 100644
+index 016a770..3fce820 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
-@@ -154,3 +154,24 @@ interface(`fstools_getattr_swap_files',`
+@@ -154,3 +154,42 @@ interface(`fstools_getattr_swap_files',`
allow $1 swapfile_t:file getattr;
')
@@ -30583,10 +30633,28 @@ index 016a770..1effeb4 100644
+ files_search_pids($1)
+ manage_dirs_pattern($1, fsadm_var_run_t, fsadm_var_run_t)
+ manage_files_pattern($1, fsadm_var_run_t, fsadm_var_run_t)
++ fstools_filetrans_named_content_fsadm($1)
++')
++
++########################################
++##
++## Transition to systemd content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fstools_filetrans_named_content_fsadm',`
++ gen_require(`
++ type fsadm_var_run_t;
++ ')
++
+ files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
+')
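Review bot: The documentation block for the new `fstools_filetrans_named_content_fsadm` interface says `## Transition to systemd content`, which looks copied from a systemd interface; the body only creates the `blkid` directory under the pid directory as fsadm_var_run_t. Suggest `## Create the blkid directory under /var/run as fsadm_var_run_t (named file transition).` so the generated interface reference matches the rule. The interface it was split from, which now calls it at the top of the hunk, starts outside the hunk.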
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index 3f48d30..1fb0cde 100644
+index 3f48d30..cb4f966 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -13,9 +13,15 @@ role system_r types fsadm_t;
@@ -30672,7 +30740,7 @@ index 3f48d30..1fb0cde 100644
# Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t)
# for tune2fs
-@@ -133,21 +156,27 @@ storage_raw_write_fixed_disk(fsadm_t)
+@@ -133,21 +156,28 @@ storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
storage_raw_write_removable_device(fsadm_t)
storage_read_scsi_generic(fsadm_t)
@@ -30690,19 +30758,21 @@ index 3f48d30..1fb0cde 100644
+init_stream_connect(fsadm_t)
logging_send_syslog_msg(fsadm_t)
+-
+-miscfiles_read_localization(fsadm_t)
+logging_send_audit_msgs(fsadm_t)
+logging_stream_connect_syslog(fsadm_t)
--miscfiles_read_localization(fsadm_t)
-
seutil_read_config(fsadm_t)
-userdom_use_user_terminals(fsadm_t)
+term_use_all_inherited_terms(fsadm_t)
++
++userdom_rw_inherited_user_tmp_pipes(fsadm_t)
ifdef(`distro_redhat',`
optional_policy(`
-@@ -166,6 +195,11 @@ optional_policy(`
+@@ -166,6 +196,11 @@ optional_policy(`
')
optional_policy(`
@@ -30714,7 +30784,7 @@ index 3f48d30..1fb0cde 100644
hal_dontaudit_write_log(fsadm_t)
')
-@@ -179,6 +213,10 @@ optional_policy(`
+@@ -179,6 +214,10 @@ optional_policy(`
')
optional_policy(`
@@ -30725,7 +30795,7 @@ index 3f48d30..1fb0cde 100644
nis_use_ypbind(fsadm_t)
')
-@@ -192,6 +230,10 @@ optional_policy(`
+@@ -192,6 +231,10 @@ optional_policy(`
')
optional_policy(`
@@ -34723,7 +34793,7 @@ index c42fbc3..277fe6c 100644
##
## Set the attributes of iptables config files.
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index be8ed1e..750839c 100644
+index be8ed1e..e93440e 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -16,15 +16,18 @@ role iptables_roles types iptables_t;
@@ -34748,7 +34818,7 @@ index be8ed1e..750839c 100644
########################################
#
# Iptables local policy
-@@ -37,23 +40,28 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal };
+@@ -37,23 +40,29 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t self:netlink_socket create_socket_perms;
allow iptables_t self:rawip_socket create_socket_perms;
@@ -34763,6 +34833,7 @@ index be8ed1e..750839c 100644
+manage_dirs_pattern(iptables_t, iptables_var_lib_t, iptables_var_lib_t)
+manage_files_pattern(iptables_t, iptables_var_lib_t, iptables_var_lib_t)
+manage_lnk_files_pattern(iptables_t, iptables_var_lib_t, iptables_var_lib_t)
++files_var_lib_filetrans(iptables_t, iptables_var_lib_t, { file dir lnk_file })
+
can_exec(iptables_t, iptables_exec_t)
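Review bot: `files_var_lib_filetrans(iptables_t, iptables_var_lib_t, { file dir lnk_file })` is an unnamed transition, so every file, directory or symlink iptables_t creates directly in /var/lib becomes iptables_var_lib_t, not only its own state directory. If the content lives under a fixed name, the named form `files_var_lib_filetrans(iptables_t, iptables_var_lib_t, dir, "<dirname placeholder>")` limits the transition to that entry; otherwise a comment saying which paths iptables creates there would justify the broad form. The iptables_t rules continue outside the hunk.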
@@ -34780,7 +34851,7 @@ index be8ed1e..750839c 100644
kernel_use_fds(iptables_t)
# needed by ipvsadm
-@@ -64,6 +72,8 @@ corenet_relabelto_all_packets(iptables_t)
+@@ -64,6 +73,8 @@ corenet_relabelto_all_packets(iptables_t)
corenet_dontaudit_rw_tun_tap_dev(iptables_t)
dev_read_sysfs(iptables_t)
@@ -34789,7 +34860,7 @@ index be8ed1e..750839c 100644
fs_getattr_xattr_fs(iptables_t)
fs_search_auto_mountpoints(iptables_t)
-@@ -72,11 +82,12 @@ fs_list_inotifyfs(iptables_t)
+@@ -72,11 +83,12 @@ fs_list_inotifyfs(iptables_t)
mls_file_read_all_levels(iptables_t)
term_dontaudit_use_console(iptables_t)
@@ -34804,7 +34875,7 @@ index be8ed1e..750839c 100644
auth_use_nsswitch(iptables_t)
-@@ -85,15 +96,14 @@ init_use_script_ptys(iptables_t)
+@@ -85,15 +97,14 @@ init_use_script_ptys(iptables_t)
# to allow rules to be saved on reboot:
init_rw_script_tmp_files(iptables_t)
init_rw_script_stream_sockets(iptables_t)
@@ -34822,7 +34893,7 @@ index be8ed1e..750839c 100644
userdom_use_all_users_fds(iptables_t)
ifdef(`hide_broken_symptoms',`
-@@ -102,6 +112,9 @@ ifdef(`hide_broken_symptoms',`
+@@ -102,6 +113,9 @@ ifdef(`hide_broken_symptoms',`
optional_policy(`
fail2ban_append_log(iptables_t)
@@ -34832,7 +34903,7 @@ index be8ed1e..750839c 100644
')
optional_policy(`
-@@ -110,6 +123,11 @@ optional_policy(`
+@@ -110,6 +124,11 @@ optional_policy(`
')
optional_policy(`
@@ -34844,7 +34915,7 @@ index be8ed1e..750839c 100644
modutils_run_insmod(iptables_t, iptables_roles)
')
-@@ -124,6 +142,16 @@ optional_policy(`
+@@ -124,6 +143,16 @@ optional_policy(`
optional_policy(`
psad_rw_tmp_files(iptables_t)
@@ -34861,7 +34932,7 @@ index be8ed1e..750839c 100644
')
optional_policy(`
-@@ -135,9 +163,9 @@ optional_policy(`
+@@ -135,9 +164,9 @@ optional_policy(`
')
optional_policy(`
@@ -37060,7 +37131,7 @@ index 6b91740..5c1669a 100644
+/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
-index 58bc27f..4e1936d 100644
+index 58bc27f..6293110 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -1,5 +1,22 @@
@@ -37163,7 +37234,7 @@ index 58bc27f..4e1936d 100644
######################################
##
## Execute a domain transition to run clvmd.
-@@ -123,3 +203,154 @@ interface(`lvm_domtrans_clvmd',`
+@@ -123,3 +203,157 @@ interface(`lvm_domtrans_clvmd',`
corecmd_search_bin($1)
domtrans_pattern($1, clvmd_exec_t, clvmd_t)
')
@@ -37311,15 +37382,18 @@ index 58bc27f..4e1936d 100644
+ type lvm_lock_t;
+ ')
+
++ files_lock_filetrans($1, lvm_lock_t, dir, "lvm")
++
+ files_search_locks($1)
+ manage_files_pattern($1, lvm_lock_t, lvm_lock_t)
+ manage_dirs_pattern($1, lvm_lock_t, lvm_lock_t)
++
+')
+
+
+
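Review bot: The `files_lock_filetrans($1, lvm_lock_t, dir, "lvm")` call is inserted before `files_search_locks($1)`, and an extra blank line is added before the closing `')`, leaving a trailing empty line inside the interface. Other interfaces in this patch (the fstools pid one, for instance) put the search and manage rules first and the filetrans last; moving the call after the two manage_*_pattern lines and dropping the added blank keeps the same shape. The interface header is outside the hunk.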
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 79048c4..6cf8b94 100644
+index 79048c4..14497e9 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -37514,7 +37588,7 @@ index 79048c4..6cf8b94 100644
init_use_fds(lvm_t)
init_dontaudit_getattr_initctl(lvm_t)
-@@ -293,15 +323,22 @@ init_use_script_ptys(lvm_t)
+@@ -293,15 +323,23 @@ init_use_script_ptys(lvm_t)
init_read_script_state(lvm_t)
logging_send_syslog_msg(lvm_t)
@@ -37531,6 +37605,7 @@ index 79048c4..6cf8b94 100644
+userdom_use_inherited_user_terminals(lvm_t)
userdom_use_user_terminals(lvm_t)
++userdom_rw_inherited_user_tmp_pipes(lvm_t)
+userdom_rw_semaphores(lvm_t)
+userdom_search_user_home_dirs(lvm_t)
+
@@ -37538,7 +37613,7 @@ index 79048c4..6cf8b94 100644
ifdef(`distro_redhat',`
# this is from the initrd:
-@@ -313,6 +350,11 @@ ifdef(`distro_redhat',`
+@@ -313,6 +351,11 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -37550,7 +37625,7 @@ index 79048c4..6cf8b94 100644
bootloader_rw_tmp_files(lvm_t)
')
-@@ -320,6 +362,10 @@ optional_policy(`
+@@ -320,6 +363,10 @@ optional_policy(`
ccs_stream_connect(lvm_t)
')
@@ -37561,7 +37636,7 @@ index 79048c4..6cf8b94 100644
optional_policy(`
gpm_dontaudit_getattr_gpmctl(lvm_t)
')
-@@ -333,14 +379,30 @@ optional_policy(`
+@@ -333,14 +380,30 @@ optional_policy(`
')
optional_policy(`
@@ -38128,7 +38203,7 @@ index 7449974..23bbbf2 100644
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
+')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 7a363b8..ba534ac 100644
+index 7a363b8..3f02a36 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0)
@@ -38282,7 +38357,7 @@ index 7a363b8..ba534ac 100644
domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
-@@ -151,30 +169,38 @@ files_read_etc_runtime_files(insmod_t)
+@@ -151,31 +169,44 @@ files_read_etc_runtime_files(insmod_t)
files_read_etc_files(insmod_t)
files_read_usr_files(insmod_t)
files_exec_etc_files(insmod_t)
@@ -38323,9 +38398,15 @@ index 7a363b8..ba534ac 100644
-
+term_use_all_inherited_terms(insmod_t)
userdom_dontaudit_search_user_home_dirs(insmod_t)
++# needed by depmod in MLS
++userdom_manage_user_tmp_files(insmod_t)
++userdom_manage_user_tmp_pipes(insmod_t)
++userdom_manage_user_tmp_symlinks(insmod_t)
++userdom_manage_user_tmp_dirs(insmod_t)
kernel_domtrans_to(insmod_t, insmod_exec_t)
-@@ -184,28 +210,33 @@ optional_policy(`
+
+@@ -184,28 +215,33 @@ optional_policy(`
')
optional_policy(`
@@ -38366,7 +38447,7 @@ index 7a363b8..ba534ac 100644
')
optional_policy(`
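Review bot: The four new `userdom_manage_user_tmp_*` calls give insmod_t create, write and delete access to every user's tmp files, directories, pipes and symlinks, while the comment `# needed by depmod in MLS` says the need is MLS-specific. If that is accurate, wrapping them in ``ifdef(`enable_mls',` … `')`` keeps the non-MLS policy unchanged and confines the extra privilege to the configuration that needs it; if depmod needs it everywhere, the comment should say so instead. A kernel-module loading domain writing into user tmp is the kind of rule worth keeping as narrow as the real need allows.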
-@@ -225,6 +256,7 @@ optional_policy(`
+@@ -225,6 +261,7 @@ optional_policy(`
optional_policy(`
rpm_rw_pipes(insmod_t)
@@ -38374,7 +38455,7 @@ index 7a363b8..ba534ac 100644
')
optional_policy(`
-@@ -233,6 +265,10 @@ optional_policy(`
+@@ -233,6 +270,10 @@ optional_policy(`
')
optional_policy(`
@@ -38385,7 +38466,7 @@ index 7a363b8..ba534ac 100644
# cjp: why is this needed:
dev_rw_xserver_misc(insmod_t)
-@@ -291,11 +327,10 @@ init_use_script_ptys(update_modules_t)
+@@ -291,11 +332,10 @@ init_use_script_ptys(update_modules_t)
logging_send_syslog_msg(update_modules_t)
@@ -42065,10 +42146,10 @@ index 0000000..a03b5ee
+/var/run/initramfs(/.*)? <>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..d2a8fc7
+index 0000000..cde0261
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1460 @@
+@@ -0,0 +1,1497 @@
+## SELinux policy for systemd components
+
+######################################
@@ -42502,6 +42583,43 @@ index 0000000..d2a8fc7
+
+#######################################
+##
++## Execute a domain transition to run systemd-sysctl.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_domtrans_sysctl',`
++ gen_require(`
++ type systemd_sysctl_t, systemd_sysctl_exec_t;
++ ')
++
++ domtrans_pattern($1, systemd_sysctl_exec_t, systemd_sysctl_t)
++')
++
++#######################################
++##
++## Allow a domain to execute systemd-sysctl in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_exec_sysctl',`
++ gen_require(`
++ type systemd_sysctl_exec_t;
++ ')
++
++ can_exec($1,systemd_sysctl_exec_t)
++
++')
++
++#######################################
++##
+## Execute a domain transition to run systemd-tmpfiles.
+##
+##
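Review bot: `systemd_domtrans_sysctl` calls `domtrans_pattern` without the `corecmd_search_bin($1)` that the domtrans interfaces in this patch normally carry (compare `lvm_domtrans_clvmd` in lvm.if), so a caller that cannot already search bin directories will not reach the executable. Suggest adding `corecmd_search_bin($1)` before the `domtrans_pattern` line. In `systemd_exec_sysctl`, `can_exec($1,systemd_sysctl_exec_t)` is missing the space after the comma used everywhere else in the file, and the blank line before its `')` is stray.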
@@ -44554,7 +44672,7 @@ index 9a1650d..d7e8a01 100644
########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 39f185f..a253f3f 100644
+index 39f185f..703b804 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -44713,7 +44831,7 @@ index 39f185f..a253f3f 100644
seutil_read_config(udev_t)
seutil_read_default_contexts(udev_t)
-@@ -169,7 +191,10 @@ sysnet_read_dhcpc_pid(udev_t)
+@@ -169,9 +191,13 @@ sysnet_read_dhcpc_pid(udev_t)
sysnet_delete_dhcpc_pid(udev_t)
sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
@@ -44724,8 +44842,11 @@ index 39f185f..a253f3f 100644
+systemd_getattr_unit_files(udev_t)
userdom_dontaudit_search_user_home_content(udev_t)
++userdom_rw_inherited_user_tmp_pipes(udev_t)
-@@ -195,16 +220,9 @@ ifdef(`distro_gentoo',`
+ ifdef(`distro_debian',`
+ files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
+@@ -195,16 +221,9 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -44744,7 +44865,7 @@ index 39f185f..a253f3f 100644
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
-@@ -242,6 +260,7 @@ optional_policy(`
+@@ -242,6 +261,7 @@ optional_policy(`
optional_policy(`
cups_domtrans_config(udev_t)
@@ -44752,7 +44873,7 @@ index 39f185f..a253f3f 100644
')
optional_policy(`
-@@ -249,17 +268,31 @@ optional_policy(`
+@@ -249,17 +269,31 @@ optional_policy(`
dbus_use_system_bus_fds(udev_t)
optional_policy(`
@@ -44786,7 +44907,7 @@ index 39f185f..a253f3f 100644
')
optional_policy(`
-@@ -289,6 +322,10 @@ optional_policy(`
+@@ -289,6 +323,10 @@ optional_policy(`
')
optional_policy(`
@@ -44797,7 +44918,7 @@ index 39f185f..a253f3f 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -303,6 +340,15 @@ optional_policy(`
+@@ -303,6 +341,15 @@ optional_policy(`
')
optional_policy(`
@@ -44813,7 +44934,7 @@ index 39f185f..a253f3f 100644
unconfined_signal(udev_t)
')
-@@ -315,6 +361,7 @@ optional_policy(`
+@@ -315,6 +362,7 @@ optional_policy(`
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
xen_read_image_files(udev_t)
@@ -45659,7 +45780,7 @@ index db75976..c54480a 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..a24e48e 100644
+index 9dc60c6..7811266 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -47134,15 +47255,16 @@ index 9dc60c6..a24e48e 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1128,6 +1536,7 @@ template(`userdom_admin_user_template',`
+@@ -1128,6 +1536,8 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
+ kernel_signal($1_t)
++ kernel_stream_connect($1_t)
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1145,10 +1554,15 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1555,15 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -47158,7 +47280,7 @@ index 9dc60c6..a24e48e 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1159,29 +1573,40 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1574,40 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -47203,7 +47325,7 @@ index 9dc60c6..a24e48e 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1616,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1617,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -47212,7 +47334,7 @@ index 9dc60c6..a24e48e 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1625,21 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1626,21 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -47235,7 +47357,7 @@ index 9dc60c6..a24e48e 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1240,7 +1675,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1676,7 @@ template(`userdom_admin_user_template',`
##
##
#
@@ -47244,7 +47366,7 @@ index 9dc60c6..a24e48e 100644
allow $1 self:capability { dac_read_search dac_override };
corecmd_exec_shell($1)
-@@ -1250,6 +1685,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1686,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -47253,7 +47375,7 @@ index 9dc60c6..a24e48e 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1262,8 +1699,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1700,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -47265,7 +47387,7 @@ index 9dc60c6..a24e48e 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1274,29 +1713,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1714,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -47308,7 +47430,7 @@ index 9dc60c6..a24e48e 100644
')
optional_policy(`
-@@ -1357,14 +1798,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1799,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -47327,7 +47449,7 @@ index 9dc60c6..a24e48e 100644
')
########################################
-@@ -1397,12 +1841,51 @@ interface(`userdom_user_tmp_file',`
+@@ -1397,12 +1842,51 @@ interface(`userdom_user_tmp_file',`
##
#
interface(`userdom_user_tmpfs_file',`
@@ -47380,7 +47502,7 @@ index 9dc60c6..a24e48e 100644
## Allow domain to attach to TUN devices created by administrative users.
##
##
-@@ -1509,11 +1992,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +1993,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -47412,7 +47534,7 @@ index 9dc60c6..a24e48e 100644
## Do not audit attempts to search user home directories.
##
##
-@@ -1555,6 +2058,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2059,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -47427,7 +47549,7 @@ index 9dc60c6..a24e48e 100644
')
########################################
-@@ -1570,9 +2081,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2082,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -47439,7 +47561,7 @@ index 9dc60c6..a24e48e 100644
')
########################################
-@@ -1613,6 +2126,24 @@ interface(`userdom_manage_user_home_dirs',`
+@@ -1613,6 +2127,24 @@ interface(`userdom_manage_user_home_dirs',`
########################################
##
@@ -47464,7 +47586,7 @@ index 9dc60c6..a24e48e 100644
## Relabel to user home directories.
##
##
-@@ -1631,6 +2162,59 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1631,6 +2163,59 @@ interface(`userdom_relabelto_user_home_dirs',`
########################################
##
@@ -47524,7 +47646,7 @@ index 9dc60c6..a24e48e 100644
## Create directories in the home dir root with
## the user home directory type.
##
-@@ -1704,10 +2288,12 @@ interface(`userdom_user_home_domtrans',`
+@@ -1704,10 +2289,12 @@ interface(`userdom_user_home_domtrans',`
#
interface(`userdom_dontaudit_search_user_home_content',`
gen_require(`
@@ -47539,7 +47661,7 @@ index 9dc60c6..a24e48e 100644
')
########################################
-@@ -1741,10 +2327,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2328,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -47554,7 +47676,7 @@ index 9dc60c6..a24e48e 100644
')
########################################
-@@ -1769,7 +2357,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2358,7 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
##
@@ -47563,7 +47685,7 @@ index 9dc60c6..a24e48e 100644
##
##
##
-@@ -1777,19 +2365,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1777,19 +2366,17 @@ interface(`userdom_manage_user_home_content_dirs',`
##
##
#
@@ -47587,7 +47709,7 @@ index 9dc60c6..a24e48e 100644
##
##
##
-@@ -1797,55 +2383,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1797,55 +2384,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
##
##
#
@@ -47658,7 +47780,7 @@ index 9dc60c6..a24e48e 100644
##
##
##
-@@ -1853,18 +2439,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1853,18 +2440,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
##
##
#
@@ -47686,7 +47808,7 @@ index 9dc60c6..a24e48e 100644
##
##
##
-@@ -1872,17 +2459,151 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1872,17 +2460,151 @@ interface(`userdom_mmap_user_home_content_files',`
##
##
#
@@ -47842,7 +47964,7 @@ index 9dc60c6..a24e48e 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1893,11 +2614,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1893,11 +2615,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -47860,7 +47982,7 @@ index 9dc60c6..a24e48e 100644
')
########################################
-@@ -1938,7 +2662,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2663,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
##
@@ -47869,7 +47991,7 @@ index 9dc60c6..a24e48e 100644
##
##
##
-@@ -1946,10 +2670,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2671,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
##
##
#
@@ -47882,7 +48004,7 @@ index 9dc60c6..a24e48e 100644
')
userdom_search_user_home_content($1)
-@@ -1958,7 +2681,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2682,7 @@ interface(`userdom_delete_all_user_home_content_files',`
########################################
##
@@ -47891,7 +48013,7 @@ index 9dc60c6..a24e48e 100644
##
##
##
-@@ -1966,12 +2689,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2690,66 @@ interface(`userdom_delete_all_user_home_content_files',`
##
##
#
@@ -47960,7 +48082,7 @@ index 9dc60c6..a24e48e 100644
')
########################################
-@@ -2007,8 +2784,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2785,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -47970,7 +48092,7 @@ index 9dc60c6..a24e48e 100644
')
########################################
-@@ -2024,20 +2800,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2801,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -47995,7 +48117,7 @@ index 9dc60c6..a24e48e 100644
########################################
##
-@@ -2120,7 +2890,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2891,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
##
@@ -48004,7 +48126,7 @@ index 9dc60c6..a24e48e 100644
##
##
##
-@@ -2128,19 +2898,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2899,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
##
##
#
@@ -48028,7 +48150,7 @@ index 9dc60c6..a24e48e 100644
##
##
##
-@@ -2148,12 +2916,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2917,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
##
##
#
@@ -48044,7 +48166,7 @@ index 9dc60c6..a24e48e 100644
')
########################################
-@@ -2388,18 +3156,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3157,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
##
##
#
@@ -48102,7 +48224,7 @@ index 9dc60c6..a24e48e 100644
## Do not audit attempts to read users
## temporary files.
##
-@@ -2414,7 +3218,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3219,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -48111,7 +48233,7 @@ index 9dc60c6..a24e48e 100644
')
########################################
-@@ -2455,6 +3259,25 @@ interface(`userdom_rw_user_tmp_files',`
+@@ -2455,6 +3260,25 @@ interface(`userdom_rw_user_tmp_files',`
rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
@@ -48137,7 +48259,7 @@ index 9dc60c6..a24e48e 100644
########################################
##
-@@ -2538,7 +3361,7 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,7 +3362,7 @@ interface(`userdom_manage_user_tmp_files',`
########################################
##
## Create, read, write, and delete user
@@ -48146,7 +48268,7 @@ index 9dc60c6..a24e48e 100644
##
##
##
-@@ -2546,19 +3369,19 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2546,19 +3370,19 @@ interface(`userdom_manage_user_tmp_files',`
##
##
#
@@ -48169,7 +48291,7 @@ index 9dc60c6..a24e48e 100644
##
##
##
-@@ -2566,19 +3389,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
+@@ -2566,19 +3390,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
##
##
#
@@ -48192,7 +48314,7 @@ index 9dc60c6..a24e48e 100644
##
##
##
-@@ -2586,19 +3409,60 @@ interface(`userdom_manage_user_tmp_pipes',`
+@@ -2586,19 +3410,60 @@ interface(`userdom_manage_user_tmp_pipes',`
##
##
#
@@ -48257,7 +48379,7 @@ index 9dc60c6..a24e48e 100644
## a specified private type.
##
##
-@@ -2661,6 +3525,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2661,6 +3526,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -48279,7 +48401,7 @@ index 9dc60c6..a24e48e 100644
########################################
##
## Read user tmpfs files.
-@@ -2672,18 +3551,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2672,18 +3552,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
##
#
interface(`userdom_read_user_tmpfs_files',`
@@ -48301,7 +48423,7 @@ index 9dc60c6..a24e48e 100644
##
##
##
-@@ -2692,19 +3566,13 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3567,13 @@ interface(`userdom_read_user_tmpfs_files',`
##
#
interface(`userdom_rw_user_tmpfs_files',`
@@ -48324,7 +48446,7 @@ index 9dc60c6..a24e48e 100644
##
##
##
-@@ -2713,13 +3581,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2713,13 +3582,56 @@ interface(`userdom_rw_user_tmpfs_files',`
##
#
interface(`userdom_manage_user_tmpfs_files',`
@@ -48385,7 +48507,7 @@ index 9dc60c6..a24e48e 100644
')
########################################
-@@ -2814,6 +3725,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3726,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -48410,7 +48532,7 @@ index 9dc60c6..a24e48e 100644
## Read and write a user domain pty.
##
##
-@@ -2832,22 +3761,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3762,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -48453,7 +48575,7 @@ index 9dc60c6..a24e48e 100644
##
##
##
-@@ -2856,14 +3797,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3798,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -48491,7 +48613,7 @@ index 9dc60c6..a24e48e 100644
')
########################################
-@@ -2882,8 +3842,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3843,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -48521,7 +48643,7 @@ index 9dc60c6..a24e48e 100644
')
########################################
-@@ -2955,69 +3934,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,69 +3935,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -48622,7 +48744,7 @@ index 9dc60c6..a24e48e 100644
##
##
##
-@@ -3025,12 +4003,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,12 +4004,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
##
##
#
@@ -48637,7 +48759,7 @@ index 9dc60c6..a24e48e 100644
')
########################################
-@@ -3094,7 +4072,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4073,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -48646,7 +48768,7 @@ index 9dc60c6..a24e48e 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3110,29 +4088,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4089,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -48680,7 +48802,7 @@ index 9dc60c6..a24e48e 100644
')
########################################
-@@ -3214,7 +4176,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4177,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -48707,7 +48829,7 @@ index 9dc60c6..a24e48e 100644
')
########################################
-@@ -3269,12 +4249,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4250,13 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -48723,7 +48845,7 @@ index 9dc60c6..a24e48e 100644
##
##
##
-@@ -3282,46 +4263,122 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,46 +4264,122 @@ interface(`userdom_write_user_tmp_files',`
##
##
#
@@ -48859,7 +48981,7 @@ index 9dc60c6..a24e48e 100644
')
allow $1 userdomain:process getattr;
-@@ -3382,6 +4439,42 @@ interface(`userdom_signal_all_users',`
+@@ -3382,6 +4440,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -48902,7 +49024,7 @@ index 9dc60c6..a24e48e 100644
########################################
##
## Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4495,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4496,60 @@ interface(`userdom_sigchld_all_users',`
########################################
##
@@ -48963,7 +49085,7 @@ index 9dc60c6..a24e48e 100644
## Create keys for all user domains.
##
##
-@@ -3435,4 +4582,1691 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4583,1691 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index d819bb5..1fd3df8 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -7703,7 +7703,7 @@ index f3c0aba..f6e25ed 100644
+ files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
')
diff --git a/apcupsd.te b/apcupsd.te
-index 080bc4d..12d701e 100644
+index 080bc4d..5db6cde 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t)
@@ -7741,7 +7741,7 @@ index 080bc4d..12d701e 100644
corenet_all_recvfrom_netlabel(apcupsd_t)
corenet_tcp_sendrecv_generic_if(apcupsd_t)
corenet_tcp_sendrecv_generic_node(apcupsd_t)
-@@ -67,26 +73,36 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
+@@ -67,26 +73,38 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
corenet_tcp_connect_apcupsd_port(apcupsd_t)
@@ -7754,6 +7754,8 @@ index 080bc4d..12d701e 100644
+fs_getattr_xattr_fs(apcupsd_t)
+
++dev_read_sysfs(apcupsd_t)
++
dev_rw_generic_usb_dev(apcupsd_t)
-files_read_etc_files(apcupsd_t)
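Review bot: `dev_read_sysfs(apcupsd_t)` is added with no comment, and it grants read access to the whole sysfs tree rather than a specific attribute. Since `dev_rw_generic_usb_dev(apcupsd_t)` follows it, the likely reason is enumerating the USB-attached UPS, but that is an inference from the neighbouring rule, not something the hunk states. A line such as `# sysfs: enumerate USB UPS devices (confirm against the original denial)` above the new rule would make the grant reviewable later.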
@@ -7770,10 +7772,10 @@ index 080bc4d..12d701e 100644
+#apcupsd runs shutdown, probably need a shutdown domain
+init_rw_utmp(apcupsd_t)
+init_telinit(apcupsd_t)
++
++auth_use_nsswitch(apcupsd_t)
-miscfiles_read_localization(apcupsd_t)
-+auth_use_nsswitch(apcupsd_t)
-+
+logging_send_syslog_msg(apcupsd_t)
sysnet_dns_name_resolve(apcupsd_t)
@@ -7783,7 +7785,7 @@ index 080bc4d..12d701e 100644
optional_policy(`
hostname_exec(apcupsd_t)
-@@ -101,6 +117,11 @@ optional_policy(`
+@@ -101,6 +119,11 @@ optional_policy(`
shutdown_domtrans(apcupsd_t)
')
@@ -7795,7 +7797,7 @@ index 080bc4d..12d701e 100644
########################################
#
# CGI local policy
-@@ -108,20 +129,20 @@ optional_policy(`
+@@ -108,20 +131,20 @@ optional_policy(`
optional_policy(`
apache_content_template(apcupsd_cgi)
@@ -12738,10 +12740,10 @@ index 0000000..5955ff0
+ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
+')
diff --git a/chronyd.fc b/chronyd.fc
-index 4e4143e..d5e0260 100644
+index 4e4143e..e20f1b4 100644
--- a/chronyd.fc
+++ b/chronyd.fc
-@@ -1,7 +1,9 @@
+@@ -1,8 +1,11 @@
-/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
+/etc/chrony\.keys.* -- gen_context(system_u:object_r:chronyd_keys_t,s0)
@@ -12750,8 +12752,10 @@ index 4e4143e..d5e0260 100644
+/usr/lib/systemd/system/chrony.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
+
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
++/usr/libexec/chrony-helper -- gen_context(system_u:object_r:chronyd_exec_t,s0)
/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
+
diff --git a/chronyd.if b/chronyd.if
index 32e8265..74fd151 100644
--- a/chronyd.if
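Review bot: `/usr/libexec/chrony-helper` is labelled `chronyd_exec_t`, which makes it an entrypoint into chronyd_t rather than an ordinary bin_t helper, so any caller that already holds a domain transition on chronyd_exec_t will enter chronyd_t when it runs this script. If the helper is only meant to be run by chronyd_t itself (this commit also adds `corecmd_exec_bin(chronyd_t)` in chronyd.te), confirm that transitions from other callers are intended and not incidental. A short comment next to the entry stating which domains are expected to invoke the helper would record that decision.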
@@ -12923,7 +12927,7 @@ index 32e8265..74fd151 100644
+ allow $1 chronyd_unit_file_t:service all_service_perms;
')
diff --git a/chronyd.te b/chronyd.te
-index e5b621c..e8b9178 100644
+index e5b621c..08ecb52 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@@ -12954,7 +12958,7 @@ index e5b621c..e8b9178 100644
allow chronyd_t chronyd_keys_t:file read_file_perms;
manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
-@@ -76,18 +83,30 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+@@ -76,18 +83,34 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
corenet_udp_bind_chronyd_port(chronyd_t)
corenet_udp_sendrecv_chronyd_port(chronyd_t)
@@ -12968,10 +12972,14 @@ index e5b621c..e8b9178 100644
auth_use_nsswitch(chronyd_t)
++corecmd_exec_bin(chronyd_t)
++
logging_send_syslog_msg(chronyd_t)
-miscfiles_read_localization(chronyd_t)
+mta_send_mail(chronyd_t)
++
++sysnet_read_dhcpc_state(chronyd_t)
optional_policy(`
gpsd_rw_shm(chronyd_t)
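Review bot: `corecmd_exec_bin(chronyd_t)` lets the daemon execute every bin_t program, and the hunk gives no hint which one it actually needs. If it exists so that `/usr/libexec/chrony-helper` (labelled `chronyd_exec_t` in chronyd.fc in this commit) can run under a shell, a comment such as `# chrony-helper is a shell script; needs /bin/sh and chronyc` would make the breadth of the grant reviewable and let a later maintainer narrow it. The new `sysnet_read_dhcpc_state(chronyd_t)` would similarly benefit from one line naming the dhclient state it reads.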
@@ -22180,7 +22188,7 @@ index 62d22cb..f8ab4af 100644
+ files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus")
')
diff --git a/dbus.te b/dbus.te
-index c9998c8..011faba 100644
+index c9998c8..44c6283 100644
--- a/dbus.te
+++ b/dbus.te
@@ -4,17 +4,15 @@ gen_require(`
@@ -22304,7 +22312,7 @@ index c9998c8..011faba 100644
mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +122,166 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +122,170 @@ term_dontaudit_use_console(system_dbusd_t)
auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)
@@ -22357,10 +22365,9 @@ index c9998c8..011faba 100644
+
+optional_policy(`
+ getty_start_services(system_dbusd_t)
- ')
-
- optional_policy(`
-- seutil_sigchld_newrole(system_dbusd_t)
++')
++
++optional_policy(`
+ gnome_exec_gconf(system_dbusd_t)
+ gnome_read_inherited_home_icc_data_files(system_dbusd_t)
+')
@@ -22381,10 +22388,15 @@ index c9998c8..011faba 100644
+')
+
+optional_policy(`
-+ sysnet_domtrans_dhcpc(system_dbusd_t)
++ snapper_read_inherited_pipe(system_dbusd_t)
+')
+
+optional_policy(`
++ sysnet_domtrans_dhcpc(system_dbusd_t)
+ ')
+
+ optional_policy(`
+- seutil_sigchld_newrole(system_dbusd_t)
+ systemd_use_fds_logind(system_dbusd_t)
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+ systemd_write_inhibit_pipes(system_dbusd_t)
@@ -22444,11 +22456,11 @@ index c9998c8..011faba 100644
+optional_policy(`
+ unconfined_dbus_send(system_bus_type)
+')
-
++
+ifdef(`hide_broken_symptoms',`
+ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
+')
-+
+
+########################################
+#
+# session_bus_type rules
@@ -22485,7 +22497,7 @@ index c9998c8..011faba 100644
kernel_read_kernel_sysctls(session_bus_type)
corecmd_list_bin(session_bus_type)
-@@ -191,23 +290,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +294,18 @@ corecmd_read_bin_files(session_bus_type)
corecmd_read_bin_pipes(session_bus_type)
corecmd_read_bin_sockets(session_bus_type)
@@ -22510,7 +22522,7 @@ index c9998c8..011faba 100644
files_dontaudit_search_var(session_bus_type)
fs_getattr_romfs(session_bus_type)
-@@ -215,7 +309,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +313,6 @@ fs_getattr_xattr_fs(session_bus_type)
fs_list_inotifyfs(session_bus_type)
fs_dontaudit_list_nfs(session_bus_type)
@@ -22518,7 +22530,7 @@ index c9998c8..011faba 100644
selinux_validate_context(session_bus_type)
selinux_compute_access_vector(session_bus_type)
selinux_compute_create_context(session_bus_type)
-@@ -225,18 +318,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +322,36 @@ selinux_compute_user_contexts(session_bus_type)
auth_read_pam_console_data(session_bus_type)
logging_send_audit_msgs(session_bus_type)
@@ -22560,7 +22572,7 @@ index c9998c8..011faba 100644
')
########################################
-@@ -244,5 +355,9 @@ optional_policy(`
+@@ -244,5 +359,9 @@ optional_policy(`
# Unconfined access to this module
#
@@ -39410,10 +39422,10 @@ index 0000000..20adcb3
+ ')
+')
diff --git a/kerberos.fc b/kerberos.fc
-index 4fe75fd..b9f07ae 100644
+index 4fe75fd..f01d946 100644
--- a/kerberos.fc
+++ b/kerberos.fc
-@@ -1,52 +1,52 @@
+@@ -1,52 +1,54 @@
-HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
-/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
@@ -39451,25 +39463,33 @@ index 4fe75fd..b9f07ae 100644
-/usr/local/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/local/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
--
++/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
++/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+
-/usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
--
++/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
++/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
++/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
++/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
++/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+
-/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
--
++/var/lib/kdcproxy(/.*)? gen_context(system_u:object_r:krb5kdc_var_lib_t,s0)
+
-/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-+/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
- /usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+-/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
++/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0)
++/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0)
-/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
--
++/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+
-/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-+/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
- /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+-/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
-+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
- /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+-/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-/var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-
-/var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0)
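Review bot: `/var/lib/kdcproxy(/.*)?` receives `krb5kdc_var_lib_t`, a KDC-private type, yet the only consumers of that type visible in this commit are krb5kdc_t (kerberos.te) and the new `kerberos_manage_kdc_var_lib` interface. If kdcproxy is served by a different domain than the KDC, that domain has no grant on the type here and will be denied once the label is applied; this is an inference from the path name, so confirm it against whichever process owns that directory. A comment above the entry naming the owning domain would make the intent explicit.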
@@ -39484,13 +39504,6 @@ index 4fe75fd..b9f07ae 100644
-/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-+/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-+
-+/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0)
-+/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0)
-+
-+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-+
+/var/run/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_var_run_t,s0)
+
+/var/tmp/DNS_25 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
@@ -39505,7 +39518,7 @@ index 4fe75fd..b9f07ae 100644
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/kerberos.if b/kerberos.if
-index f6c00d8..7b777ab 100644
+index f6c00d8..e3cb4f1 100644
--- a/kerberos.if
+++ b/kerberos.if
@@ -1,27 +1,29 @@
@@ -39823,7 +39836,7 @@ index f6c00d8..7b777ab 100644
##
##
##
-@@ -278,254 +290,255 @@ interface(`kerberos_read_keytab',`
+@@ -278,49 +290,122 @@ interface(`kerberos_read_keytab',`
##
##
#
@@ -39893,31 +39906,23 @@ index f6c00d8..7b777ab 100644
##
##
-##
--##
--## Class of the object being created.
--##
--##
--##
+##
##
--## The name of the object being created.
+-## Class of the object being created.
+## The role to be allowed to manage the kerberos domain.
- ##
- ##
++##
++##
+##
- #
--interface(`kerberos_etc_filetrans_keytab',`
++#
+interface(`kerberos_admin',`
- gen_require(`
-- type krb5_keytab_t;
++ gen_require(`
+ type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
+ type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
+ type krb5kdc_var_run_t, krb5_host_rcache_t;
- ')
-
-- files_etc_filetrans($1, krb5_keytab_t, $2, $3)
++ ')
++
+ allow $1 kadmind_t:process signal_perms;
+ ps_process_pattern($1, kadmind_t)
+ tunable_policy(`deny_ptrace',`',`
@@ -39957,6 +39962,33 @@ index f6c00d8..7b777ab 100644
+ admin_pattern($1, krb5kdc_tmp_t)
+
+ admin_pattern($1, krb5kdc_var_run_t)
++')
++
++########################################
++##
++## Type transition files created in /tmp
++## to the krb5_host_rcache type.
++##
++##
++##
++## Domain allowed access.
+ ##
+ ##
+ ##
+@@ -329,60 +414,63 @@ interface(`kerberos_manage_keytab_files',`
+ ##
+ ##
+ #
+-interface(`kerberos_etc_filetrans_keytab',`
++interface(`kerberos_tmp_filetrans_host_rcache',`
+ gen_require(`
+- type krb5_keytab_t;
++ type krb5_host_rcache_t;
+ ')
+
+- files_etc_filetrans($1, krb5_keytab_t, $2, $3)
++ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
++ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
')
########################################
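Review bot: `kerberos_tmp_filetrans_host_rcache` pairs a named file transition with `manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)`, so every caller can create, write and unlink any krb5_host_rcache_t file in /tmp, not only the `$2` name it transitions; the same pattern is in `kerberos_tmp_filetrans_kadmin` in the next hunk. If callers only need their own rcache file, the grant could be narrower, and otherwise the header should state that the interface confers full management over the type. The header shown documents only the `$1` domain, so also confirm the `$2` name parameter is documented.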
@@ -39964,7 +39996,7 @@ index f6c00d8..7b777ab 100644
-## Create a derived type for kerberos
-## keytab files.
+## Type transition files created in /tmp
-+## to the krb5_host_rcache type.
++## to the kadmind_tmp type.
##
-##
+##
@@ -39985,20 +40017,19 @@ index f6c00d8..7b777ab 100644
- refpolicywarn(`$0($*) has been deprecated.')
- kerberos_read_keytab($2)
- kerberos_use($2)
-+interface(`kerberos_tmp_filetrans_host_rcache',`
++interface(`kerberos_tmp_filetrans_kadmin',`
+ gen_require(`
-+ type krb5_host_rcache_t;
++ type kadmind_tmp_t;
+ ')
+
-+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
-+ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
++ manage_files_pattern($1, kadmind_tmp_t, kadmind_tmp_t)
++ files_tmp_filetrans($1, kadmind_tmp_t, file, $2)
')
########################################
##
-## Read kerberos kdc configuration files.
-+## Type transition files created in /tmp
-+## to the kadmind_tmp type.
++## read kerberos homedir content (.k5login)
##
##
##
@@ -40006,43 +40037,38 @@ index f6c00d8..7b777ab 100644
##
##
-##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
#
-interface(`kerberos_read_kdc_config',`
-+interface(`kerberos_tmp_filetrans_kadmin',`
++interface(`kerberos_read_home_content',`
gen_require(`
- type krb5kdc_conf_t;
-+ type kadmind_tmp_t;
++ type krb5_home_t;
')
- files_search_etc($1)
- read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
-+ manage_files_pattern($1, kadmind_tmp_t, kadmind_tmp_t)
-+ files_tmp_filetrans($1, kadmind_tmp_t, file, $2)
++ userdom_search_user_home_dirs($1)
++ read_files_pattern($1, krb5_home_t, krb5_home_t)
')
########################################
##
-## Create, read, write, and delete
-## kerberos host rcache files.
-+## read kerberos homedir content (.k5login)
++## Manage the kerberos kdc /var/lib files
++## and directories.
##
##
##
- ## Domain allowed access.
- ##
+@@ -391,141 +479,88 @@ interface(`kerberos_read_kdc_config',`
##
--##
+ ##
#
-interface(`kerberos_manage_host_rcache',`
-+interface(`kerberos_read_home_content',`
++interface(`kerberos_manage_kdc_var_lib',`
gen_require(`
- type krb5_host_rcache_t;
-+ type krb5_home_t;
++ type krb5kdc_var_lib_t;
')
- domain_obj_id_change_exemption($1)
@@ -40057,8 +40083,9 @@ index f6c00d8..7b777ab 100644
- files_search_tmp($1)
- allow $1 krb5_host_rcache_t:file manage_file_perms;
- ')
-+ userdom_search_user_home_dirs($1)
-+ read_files_pattern($1, krb5_home_t, krb5_home_t)
++ files_search_etc($1)
++ manage_files_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
++ manage_dirs_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
')
########################################
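Review bot: `kerberos_manage_kdc_var_lib` grants `files_search_etc($1)`, but the type it manages, `krb5kdc_var_lib_t`, is assigned to `/var/lib/kdcproxy(/.*)?` in kerberos.fc in this commit, so callers may still be denied traversing /var/lib. The line should be `files_search_var_lib($1)` unless callers are known to already hold that. The interface's doc header starts in the previous hunk.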
@@ -40139,14 +40166,14 @@ index f6c00d8..7b777ab 100644
##
##
-## Domain allowed access.
--##
--##
--##
--##
--## Role allowed access.
+## Domain allowed access.
##
##
+-##
+-##
+-## Role allowed access.
+-##
+-##
-##
#
-interface(`kerberos_admin',`
@@ -40215,7 +40242,7 @@ index f6c00d8..7b777ab 100644
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
')
diff --git a/kerberos.te b/kerberos.te
-index 8833d59..462e466 100644
+index 8833d59..1d0599a 100644
--- a/kerberos.te
+++ b/kerberos.te
@@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0)
@@ -40234,7 +40261,7 @@ index 8833d59..462e466 100644
type kadmind_t;
type kadmind_exec_t;
-@@ -35,23 +35,27 @@ init_daemon_domain(kpropd_t, kpropd_exec_t)
+@@ -35,23 +35,29 @@ init_daemon_domain(kpropd_t, kpropd_exec_t)
domain_obj_id_change_exemption(kpropd_t)
type krb5_conf_t;
@@ -40261,12 +40288,14 @@ index 8833d59..462e466 100644
-files_type(krb5kdc_lock_t)
+files_lock_file(krb5kdc_lock_t)
++type krb5kdc_var_lib_t;
++files_type(krb5kdc_var_lib_t)
+
+# types for KDC principal file(s)
type krb5kdc_principal_t;
files_type(krb5kdc_principal_t)
-@@ -74,28 +78,33 @@ files_pid_file(krb5kdc_var_run_t)
+@@ -74,28 +80,33 @@ files_pid_file(krb5kdc_var_run_t)
# kadmind local policy
#
@@ -40306,7 +40335,7 @@ index 8833d59..462e466 100644
manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
-@@ -103,13 +112,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
+@@ -103,13 +114,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t)
files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
@@ -40325,7 +40354,7 @@ index 8833d59..462e466 100644
corenet_all_recvfrom_netlabel(kadmind_t)
corenet_tcp_sendrecv_generic_if(kadmind_t)
corenet_udp_sendrecv_generic_if(kadmind_t)
-@@ -119,31 +130,44 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
+@@ -119,31 +132,44 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
corenet_udp_sendrecv_all_ports(kadmind_t)
corenet_tcp_bind_generic_node(kadmind_t)
corenet_udp_bind_generic_node(kadmind_t)
@@ -40373,7 +40402,7 @@ index 8833d59..462e466 100644
sysnet_use_ldap(kadmind_t)
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
-@@ -154,11 +178,16 @@ optional_policy(`
+@@ -154,11 +180,16 @@ optional_policy(`
')
optional_policy(`
@@ -40390,7 +40419,7 @@ index 8833d59..462e466 100644
')
optional_policy(`
-@@ -174,24 +203,27 @@ optional_policy(`
+@@ -174,24 +205,27 @@ optional_policy(`
# Krb5kdc local policy
#
@@ -40422,17 +40451,19 @@ index 8833d59..462e466 100644
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
-@@ -201,71 +233,76 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+@@ -201,71 +235,79 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
-files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)
--
--can_exec(krb5kdc_t, krb5kdc_exec_t)
+manage_sock_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
+manage_dirs_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
+files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, { dir file sock_file })
+-can_exec(krb5kdc_t, krb5kdc_exec_t)
++manage_files_pattern(krb5kdc_t, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
++manage_dirs_pattern(krb5kdc_t, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
+
kernel_read_system_state(krb5kdc_t)
kernel_read_kernel_sysctls(krb5kdc_t)
+kernel_list_proc(krb5kdc_t)
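Review bot: The two `++manage_*_pattern(krb5kdc_t, krb5kdc_var_lib_t, krb5kdc_var_lib_t)` lines grant create/delete/rename over the new type without any accompanying `files_var_lib_filetrans`, so if krb5kdc_t itself creates the directory under /var/lib the result would carry the parent's var_lib_t label instead of krb5kdc_var_lib_t; whether the daemon or a package scriptlet creates it is not visible here. If the daemon only reads and updates existing content, `rw_files_pattern` together with `list_dirs_pattern` would be the narrower grant. The Krb5kdc local policy section continues outside this hunk.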
@@ -40514,7 +40545,7 @@ index 8833d59..462e466 100644
')
optional_policy(`
-@@ -273,6 +310,10 @@ optional_policy(`
+@@ -273,6 +315,10 @@ optional_policy(`
')
optional_policy(`
@@ -40525,7 +40556,7 @@ index 8833d59..462e466 100644
udev_read_db(krb5kdc_t)
')
-@@ -281,10 +322,12 @@ optional_policy(`
+@@ -281,10 +327,12 @@ optional_policy(`
# kpropd local policy
#
@@ -40541,7 +40572,7 @@ index 8833d59..462e466 100644
allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
-@@ -301,27 +344,25 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+@@ -301,27 +349,26 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
@@ -40558,6 +40589,7 @@ index 8833d59..462e466 100644
-corenet_sendrecv_kprop_server_packets(kpropd_t)
corenet_tcp_bind_kprop_port(kpropd_t)
-corenet_tcp_sendrecv_kprop_port(kpropd_t)
++corenet_tcp_connect_kprop_port(kpropd_t)
dev_read_urand(kpropd_t)
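Review bot: `++corenet_tcp_connect_kprop_port(kpropd_t)` turns the kpropd domain into both a listener (`corenet_tcp_bind_kprop_port` two lines above) and an outbound client on the same port, which widens the domain's network surface with no reason recorded in the policy file. A one-line comment above the rule naming the operation that needs the client side would let a later reviewer judge whether it can be dropped; the only explanation is the spec changelog entry, which reads "connect to kropd tcp port" and appears to contain a typo. The kpropd local policy continues past this hunk.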
@@ -43365,7 +43397,7 @@ index dd8e01a..9cd6b0b 100644
##
##
diff --git a/logrotate.te b/logrotate.te
-index be0ab84..ce57aac 100644
+index be0ab84..08c168f 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0)
@@ -43487,7 +43519,7 @@ index be0ab84..ce57aac 100644
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
-@@ -95,6 +123,8 @@ mls_process_write_to_clearance(logrotate_t)
+@@ -95,32 +123,51 @@ mls_process_write_to_clearance(logrotate_t)
selinux_get_fs_mount(logrotate_t)
selinux_get_enforce_mode(logrotate_t)
@@ -43496,7 +43528,9 @@ index be0ab84..ce57aac 100644
auth_manage_login_records(logrotate_t)
auth_use_nsswitch(logrotate_t)
-@@ -103,24 +133,40 @@ init_all_labeled_script_domtrans(logrotate_t)
+ init_all_labeled_script_domtrans(logrotate_t)
++init_reload_services(logrotate_t)
+
logging_manage_all_logs(logrotate_t)
logging_send_syslog_msg(logrotate_t)
logging_send_audit_msgs(logrotate_t)
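Review bot: `++init_reload_services(logrotate_t)` is a broad grant: judging by the interface name it lets logrotate reload any service, not only those whose logs it rotates, so a compromised logrotate_t could bounce arbitrary daemons. If this exists for specific postrotate scripts, a comment such as `# postrotate scripts reload <SERVICE-PLACEHOLDER> via systemctl` would record the scope, and if only a few services are involved the per-service interfaces (where the policy provides them) would be narrower — which services are affected is not visible from this chunk. The logrotate local policy block continues outside this hunk.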
@@ -43543,7 +43577,7 @@ index be0ab84..ce57aac 100644
')
optional_policy(`
-@@ -135,16 +181,17 @@ optional_policy(`
+@@ -135,16 +182,17 @@ optional_policy(`
optional_policy(`
apache_read_config(logrotate_t)
@@ -43563,7 +43597,7 @@ index be0ab84..ce57aac 100644
')
optional_policy(`
-@@ -170,6 +217,11 @@ optional_policy(`
+@@ -170,6 +218,11 @@ optional_policy(`
')
optional_policy(`
@@ -43575,7 +43609,7 @@ index be0ab84..ce57aac 100644
fail2ban_stream_connect(logrotate_t)
')
-@@ -178,7 +230,7 @@ optional_policy(`
+@@ -178,7 +231,7 @@ optional_policy(`
')
optional_policy(`
@@ -43584,7 +43618,7 @@ index be0ab84..ce57aac 100644
')
optional_policy(`
-@@ -198,17 +250,18 @@ optional_policy(`
+@@ -198,17 +251,18 @@ optional_policy(`
')
optional_policy(`
@@ -43606,7 +43640,7 @@ index be0ab84..ce57aac 100644
')
optional_policy(`
-@@ -216,6 +269,14 @@ optional_policy(`
+@@ -216,6 +270,14 @@ optional_policy(`
')
optional_policy(`
@@ -43621,7 +43655,7 @@ index be0ab84..ce57aac 100644
samba_exec_log(logrotate_t)
')
-@@ -228,26 +289,43 @@ optional_policy(`
+@@ -228,26 +290,43 @@ optional_policy(`
')
optional_policy(`
@@ -44249,7 +44283,7 @@ index d314333..27ede09 100644
+ ')
')
diff --git a/lsm.te b/lsm.te
-index 4ec0eea..022172c 100644
+index 4ec0eea..996fdc8 100644
--- a/lsm.te
+++ b/lsm.te
@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
@@ -44266,7 +44300,7 @@ index 4ec0eea..022172c 100644
type lsmd_t;
type lsmd_exec_t;
-@@ -12,6 +19,17 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
+@@ -12,12 +19,23 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
type lsmd_var_run_t;
files_pid_file(lsmd_var_run_t)
@@ -44284,6 +44318,13 @@ index 4ec0eea..022172c 100644
########################################
#
# Local policy
+ #
+
+-allow lsmd_t self:capability setgid;
++allow lsmd_t self:capability { setuid setgid };
+ allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
+
+ manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
@@ -26,4 +44,67 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
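Review bot: `++allow lsmd_t self:capability { setuid setgid };` adds CAP_SETUID without a comment, and the only justification lives in the spec changelog ("Some commands need to executed under root privs. Other commands are executed under unprivileged user."). Put that rationale beside the rule, e.g. `# lsmd runs some helpers as root and switches to an unprivileged user for the rest`, so the elevated capability is not carried forward silently. Since setuid lets the daemon assume any uid, it is worth confirming that dropping privilege, not gaining it, is the intended direction; the rest of the lsmd local policy is outside this hunk.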
@@ -61205,10 +61246,10 @@ index 0000000..598789a
+
diff --git a/openhpid.te b/openhpid.te
new file mode 100644
-index 0000000..51acfae
+index 0000000..ade6576
--- /dev/null
+++ b/openhpid.te
-@@ -0,0 +1,47 @@
+@@ -0,0 +1,52 @@
+policy_module(openhpid, 1.0.0)
+
+########################################
@@ -61254,8 +61295,13 @@ index 0000000..51acfae
+corenet_tcp_bind_openhpid_port(openhpid_t)
+
+dev_read_urand(openhpid_t)
++dev_rw_watchdog(openhpid_t)
+
+logging_send_syslog_msg(openhpid_t)
++
++miscfiles_read_generic_certs(openhpid_t)
++
++sysnet_read_config(openhpid_t)
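Review bot: `++dev_rw_watchdog(openhpid_t)` gives write access to the watchdog device, so openhpid (or any plugin loaded into it) can arm or stop kicking the hardware watchdog and thereby force a reboot; the rule should carry a scoping comment such as `# libwatchdog plugin` as the changelog does. The `dev_rw_watchdog` interface is said by the changelog to be added elsewhere in this commit, but its definition is not in this chunk, so this module will fail to build if that hunk is applied separately. `++miscfiles_read_generic_certs` and `++sysnet_read_config` match the soap-plugin entries in the changelog and look proportionate.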
diff --git a/openshift-origin.fc b/openshift-origin.fc
new file mode 100644
index 0000000..30ca148
@@ -79848,10 +79894,10 @@ index 951db7f..04b6dde 100644
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
')
diff --git a/raid.te b/raid.te
-index c99753f..0d4e845 100644
+index c99753f..f6bd1c6 100644
--- a/raid.te
+++ b/raid.te
-@@ -15,54 +15,92 @@ role mdadm_roles types mdadm_t;
+@@ -15,54 +15,100 @@ role mdadm_roles types mdadm_t;
type mdadm_initrc_exec_t;
init_script_file(mdadm_initrc_exec_t)
@@ -79862,7 +79908,10 @@ index c99753f..0d4e845 100644
+systemd_unit_file(mdadm_unit_file_t)
+
+type mdadm_tmp_t;
-+files_tmpfs_file(mdadm_tmp_t)
++files_tmp_file(mdadm_tmp_t)
++
++type mdadm_tmpfs_t;
++files_tmpfs_file(mdadm_tmpfs_t)
+
type mdadm_var_run_t alias mdadm_map_t;
files_pid_file(mdadm_var_run_t)
@@ -79891,6 +79940,10 @@ index c99753f..0d4e845 100644
+manage_files_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
+manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
+files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file)
++
++manage_files_pattern(mdadm_t, mdadm_tmpfs_t, mdadm_tmpfs_t)
++manage_dirs_pattern(mdadm_t, mdadm_tmpfs_t, mdadm_tmpfs_t)
++fs_tmpfs_filetrans(mdadm_t, mdadm_tmpfs_t, { dir file })
manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
@@ -79935,6 +79988,7 @@ index c99753f..0d4e845 100644
+dev_read_generic_files(mdadm_t)
+dev_read_generic_usb_dev(mdadm_t)
+dev_read_urand(mdadm_t)
++dev_read_rand(mdadm_t)
+
+domain_read_all_domains_state(mdadm_t)
domain_use_interactive_fds(mdadm_t)
@@ -79953,7 +80007,7 @@ index c99753f..0d4e845 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
-@@ -71,15 +109,22 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -71,15 +117,22 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
@@ -79977,7 +80031,7 @@ index c99753f..0d4e845 100644
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -90,17 +135,38 @@ optional_policy(`
+@@ -90,17 +143,38 @@ optional_policy(`
')
optional_policy(`
@@ -92507,14 +92561,16 @@ index 0000000..a3319b0
+userdom_dontaudit_open_user_ptys(sandbox_x_domain)
+
diff --git a/sanlock.fc b/sanlock.fc
-index 3df2a0f..9059165 100644
+index 3df2a0f..4eb82b8 100644
--- a/sanlock.fc
+++ b/sanlock.fc
-@@ -1,7 +1,10 @@
+@@ -1,7 +1,12 @@
+
/etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0)
-/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
++/etc/sanlock(/.*)? gen_context(system_u:object_r:sanlock_conf_t,s0)
++
+/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
+
+/var/log/sanlock\.log.* gen_context(system_u:object_r:sanlock_log_t,s0)
@@ -92661,10 +92717,10 @@ index cd6c213..82a5ff0 100644
+ allow $1 sanlock_unit_file_t:service all_service_perms;
')
diff --git a/sanlock.te b/sanlock.te
-index 0045465..61da47f 100644
+index 0045465..2059657 100644
--- a/sanlock.te
+++ b/sanlock.te
-@@ -6,21 +6,26 @@ policy_module(sanlock, 1.1.0)
+@@ -6,25 +6,33 @@ policy_module(sanlock, 1.1.0)
#
##
@@ -92699,7 +92755,14 @@ index 0045465..61da47f 100644
type sanlock_t;
type sanlock_exec_t;
init_daemon_domain(sanlock_t, sanlock_exec_t)
-@@ -34,6 +39,9 @@ logging_log_file(sanlock_log_t)
+
++type sanlock_conf_t;
++files_config_file(sanlock_conf_t)
++
+ type sanlock_var_run_t;
+ files_pid_file(sanlock_var_run_t)
+
+@@ -34,6 +42,9 @@ logging_log_file(sanlock_log_t)
type sanlock_initrc_exec_t;
init_script_file(sanlock_initrc_exec_t)
@@ -92709,7 +92772,7 @@ index 0045465..61da47f 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)
')
-@@ -44,17 +52,15 @@ ifdef(`enable_mls',`
+@@ -44,17 +55,18 @@ ifdef(`enable_mls',`
########################################
#
@@ -92723,6 +92786,9 @@ index 0045465..61da47f 100644
allow sanlock_t self:fifo_file rw_fifo_file_perms;
-allow sanlock_t self:unix_stream_socket { accept listen };
+allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t)
++manage_dirs_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t)
-append_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
-create_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
@@ -92731,7 +92797,7 @@ index 0045465..61da47f 100644
logging_log_filetrans(sanlock_t, sanlock_log_t, file)
manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
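Review bot: `++manage_files_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t)` and its dirs counterpart let the daemon create, delete and rewrite its own configuration under /etc/sanlock, so a compromised sanlock_t could persist changes to its own startup configuration; if the daemon only updates existing files, `rw_files_pattern` plus `list_dirs_pattern` would bound it to that. A comment stating why the daemon writes /etc/sanlock (the changelog only says it is "writable by sanlock daemon") would help the next reviewer decide whether the full manage set is still needed. The sanlock local policy continues past the end of this hunk.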
-@@ -65,13 +71,16 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
+@@ -65,13 +77,16 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
kernel_read_system_state(sanlock_t)
kernel_read_kernel_sysctls(sanlock_t)
@@ -92751,7 +92817,7 @@ index 0045465..61da47f 100644
auth_use_nsswitch(sanlock_t)
init_read_utmp(sanlock_t)
-@@ -79,20 +88,29 @@ init_dontaudit_write_utmp(sanlock_t)
+@@ -79,20 +94,29 @@ init_dontaudit_write_utmp(sanlock_t)
logging_send_syslog_msg(sanlock_t)
@@ -92790,7 +92856,7 @@ index 0045465..61da47f 100644
')
optional_policy(`
-@@ -100,7 +118,10 @@ optional_policy(`
+@@ -100,7 +124,10 @@ optional_policy(`
')
optional_policy(`
@@ -96334,10 +96400,10 @@ index 0000000..4f4bdb3
+/home/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
diff --git a/snapper.if b/snapper.if
new file mode 100644
-index 0000000..5a3cb30
+index 0000000..ed76979
--- /dev/null
+++ b/snapper.if
-@@ -0,0 +1,62 @@
+@@ -0,0 +1,80 @@
+
+## policy for snapperd
+
@@ -96381,6 +96447,24 @@ index 0000000..5a3cb30
+ allow snapperd_t $1:dbus send_msg;
+')
+
++########################################
++##
++## Allow a domain to read inherited snapper pipe.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`snapper_read_inherited_pipe',`
++ gen_require(`
++ type snapperd_t;
++ ')
++
++ allow $1 snapperd_t:fifo_file read_inherited_file_perms;
++')
++
+#######################################
+##
+## Allow domain to create .smapshot
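Review bot: The documentation block of the new `snapper_read_inherited_pipe` interface shows bare `##` lines around the summary and the "Domain allowed access." parameter text, with none of the summary/param markup the policy documentation tooling expects; this may be an artefact of how the page was rendered, but if the file really lacks the tags the interface will not appear correctly in generated docs. The rule itself, `allow $1 snapperd_t:fifo_file read_inherited_file_perms;`, is appropriately narrow for the one-way pipe described in the changelog. The surrounding interface file continues outside this hunk.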
@@ -101164,7 +101248,7 @@ index 0000000..a6e216c
+
diff --git a/targetd.te b/targetd.te
new file mode 100644
-index 0000000..a2cb50c
+index 0000000..6768bda
--- /dev/null
+++ b/targetd.te
@@ -0,0 +1,62 @@
@@ -101214,8 +101298,8 @@ index 0000000..a2cb50c
+
+libs_exec_ldconfig(targetd_t)
+
-+storage_getattr_fixed_disk_dev(targetd_t)
-+storage_getattr_removable_dev(targetd_t)
++storage_raw_read_fixed_disk(targetd_t)
++storage_raw_read_removable_device(targetd_t)
+
+sysnet_read_config(targetd_t)
+
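Review bot: Replacing `storage_getattr_fixed_disk_dev` with `++storage_raw_read_fixed_disk(targetd_t)` (and likewise for removable devices) is a large widening — from stat() on block devices to reading every byte of every fixed and removable disk on the host, whatever filesystem or secret lives on them — and the lines carry no comment saying which targetd operation needs it. Add a short rationale, e.g. `# raw read of block devices needed by <TARGETD-OPERATION-PLACEHOLDER>`, and consider whether the read can be confined to the devices targetd actually manages rather than all of them. The targetd local policy begins before this hunk.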
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d1c3aac..b88f90a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 140%{?dist}
+Release: 141%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -647,6 +647,37 @@ exit 0
%endif
%changelog
+* Mon Aug 10 2015 Lukas Vrabec 3.13.1-141
+- Allow chronyd to execute mkdir command.
+- Allow chronyd_t to read dhcpc state.
+- Label /usr/libexec/chrony-helper as chronyd_exec_t
+- Allow openhpid liboa_soap plugin to read resolv.conf file.
+- Allow openhpid liboa_soap plugin to read generic certs.
+- Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device)
+- Allow logrotate to reload services.
+- Allow apcupsd_t to read /sys/devices
+- Allow kpropd to connect to kropd tcp port.
+- Allow lsmd also setuid capability. Some commands need to executed under root privs. Other commands are executed under unprivileged user.
+- Allow snapperd to pass data (one way only) via pipe negotiated over dbus.
+- Add snapper_read_inherited_pipe() interface.
+- Add missing ";" in kerberos.te
+- Add support for /var/lib/kdcproxy and label it as krb5kdc_var_lib_t. It needs to be accessible by useradd_t.
+- Add support for /etc/sanlock which is writable by sanlock daemon.
+- Allow mdadm to access /dev/random and add support to create own files/dirs as mdadm_tmpfs_t.
+- Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde
+- Add interface to read/write watchdog device.
+- Add transition rule for iptables_var_lib_t
+- Allow useradd add homedir located in /var/lib/kdcproxy in ipa-server RPM scriplet.
+- Revert "Allow grubby to manage and create /run/blkid with correct labeling"
+- Allow grubby to manage and create /run/blkid with correct labeling
+- Add fstools_filetrans_named_content_fsadm() and call it for named_filetrans_domain domains. We need to be sure that /run/blkid is created with correct labeling.
+- arping running as netutils_t needs to access /etc/ld.so.cache in MLS.
+- Allow sysadm to execute systemd-sysctl in the sysadm_t domain. It is needed for ifup command in MLS mode.
+- Add systemd_exec_sysctl() and systemd_domtrans_sysctl() interfaces.
+- Allow udev, lvm and fsadm to access systemd-cat in /var/tmp/dracut if 'dracut -fv' is executed in MLS.
+- Allow admin SELinu users to communicate with kernel_t. It is needed to access /run/systemd/journal/stdout if 'dracut -vf' is executed. We allow it for other SELinux users.
+- depmod runs as insmod_t and it needs to manage user tmp files which was allowed for depmod_t. It is needed by dracut command for SELinux restrictive policy (confined users, MLS).
+
* Wed Aug 05 2015 Miroslav Grepl 3.13.1-140
- firewalld needs to relabel own config files. BZ(#1250537)
- Allow rhsmcertd to send signull to unconfined_service