diff --git a/container-selinux.tgz b/container-selinux.tgz
index bad12d0..cbeb3df 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 42b44f0..9a64a86 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -11381,7 +11381,7 @@ index b876c48ad..2e591a538 100644
 +
 +/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?           gen_context(system_u:object_r:root_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76ad..c1b46d8f3 100644
+index f962f76ad..de87579ff 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -13978,7 +13978,32 @@ index f962f76ad..c1b46d8f3 100644
  ')
  
  ########################################
-@@ -5112,6 +6425,24 @@ interface(`files_create_kernel_symbol_table',`
+@@ -4814,6 +6127,24 @@ interface(`files_delete_usr_files',`
+ 
+ ########################################
+ ## <summary>
++##	Map files in /usr in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_mmap_usr_files',`
++	gen_require(`
++		type usr_t;
++	')
++
++	allow $1 usr_t:file map;
++')
++
++########################################
++## <summary>
+ ##	Get the attributes of files in /usr.
+ ## </summary>
+ ## <param name="domain">
+@@ -5112,6 +6443,24 @@ interface(`files_create_kernel_symbol_table',`
  
  ########################################
  ## <summary>
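Review bot: The doc block added for `files_mmap_usr_files` does not say that the interface grants only `map` on `usr_t:file`, with no open or read, so a caller cannot tell from the summary that it has to be paired with a read interface. I would extend the summary to something like `##	Map files in /usr (map permission only; combine with files_read_usr_files() for open/read).` Because access through an existing mapping is not revalidated on each read or write the way file-descriptor access is, a second comment line asking callers to grant this per domain rather than through a broad attribute would help later policy review. The rule also covers only the generic `usr_t` type, so content under /usr that carries another label is unaffected, which the interface name does not make obvious.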
@@ -14003,7 +14028,7 @@ index f962f76ad..c1b46d8f3 100644
  ##	Read system.map in the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -5241,6 +6572,24 @@ interface(`files_list_var',`
+@@ -5241,6 +6590,24 @@ interface(`files_list_var',`
  
  ########################################
  ## <summary>
@@ -14028,7 +14053,7 @@ index f962f76ad..c1b46d8f3 100644
  ##	Create, read, write, and delete directories
  ##	in the /var directory.
  ## </summary>
-@@ -5328,7 +6677,7 @@ interface(`files_dontaudit_rw_var_files',`
+@@ -5328,7 +6695,7 @@ interface(`files_dontaudit_rw_var_files',`
  		type var_t;
  	')
  
@@ -14037,7 +14062,7 @@ index f962f76ad..c1b46d8f3 100644
  ')
  
  ########################################
-@@ -5419,6 +6768,24 @@ interface(`files_var_filetrans',`
+@@ -5419,6 +6786,24 @@ interface(`files_var_filetrans',`
  	filetrans_pattern($1, var_t, $2, $3, $4)
  ')
  
@@ -14062,7 +14087,7 @@ index f962f76ad..c1b46d8f3 100644
  ########################################
  ## <summary>
  ##	Get the attributes of the /var/lib directory.
-@@ -5527,6 +6894,25 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5527,6 +6912,25 @@ interface(`files_rw_var_lib_dirs',`
  
  ########################################
  ## <summary>
@@ -14088,7 +14113,7 @@ index f962f76ad..c1b46d8f3 100644
  ##	Create objects in the /var/lib directory
  ## </summary>
  ## <param name="domain">
-@@ -5596,6 +6982,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5596,6 +7000,25 @@ interface(`files_read_var_lib_symlinks',`
  	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
  ')
  
@@ -14114,7 +14139,7 @@ index f962f76ad..c1b46d8f3 100644
  # cjp: the next two interfaces really need to be fixed
  # in some way.  They really neeed their own types.
  
-@@ -5619,6 +7024,42 @@ interface(`files_manage_urandom_seed',`
+@@ -5619,6 +7042,42 @@ interface(`files_manage_urandom_seed',`
  	manage_files_pattern($1, var_lib_t, var_lib_t)
  ')
  
@@ -14157,7 +14182,7 @@ index f962f76ad..c1b46d8f3 100644
  ########################################
  ## <summary>
  ##	Allow domain to manage mount tables
-@@ -5641,7 +7082,7 @@ interface(`files_manage_mounttab',`
+@@ -5641,7 +7100,7 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -14166,7 +14191,7 @@ index f962f76ad..c1b46d8f3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5649,12 +7090,13 @@ interface(`files_manage_mounttab',`
+@@ -5649,12 +7108,13 @@ interface(`files_manage_mounttab',`
  ##	</summary>
  ## </param>
  #
@@ -14182,7 +14207,7 @@ index f962f76ad..c1b46d8f3 100644
  ')
  
  ########################################
-@@ -5672,6 +7114,7 @@ interface(`files_search_locks',`
+@@ -5672,6 +7132,7 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -14190,7 +14215,7 @@ index f962f76ad..c1b46d8f3 100644
  	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
-@@ -5698,7 +7141,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5698,7 +7159,26 @@ interface(`files_dontaudit_search_locks',`
  
  ########################################
  ## <summary>
@@ -14218,7 +14243,7 @@ index f962f76ad..c1b46d8f3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5706,13 +7168,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,13 +7186,12 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -14235,7 +14260,7 @@ index f962f76ad..c1b46d8f3 100644
  ')
  
  ########################################
-@@ -5731,7 +7192,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5731,7 +7210,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -14244,7 +14269,7 @@ index f962f76ad..c1b46d8f3 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5764,7 +7225,6 @@ interface(`files_create_lock_dirs',`
+@@ -5764,7 +7243,6 @@ interface(`files_create_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -14252,7 +14277,7 @@ index f962f76ad..c1b46d8f3 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5779,7 +7239,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5779,7 +7257,7 @@ interface(`files_relabel_all_lock_dirs',`
  
  ########################################
  ## <summary>
@@ -14261,7 +14286,7 @@ index f962f76ad..c1b46d8f3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5787,13 +7247,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,13 +7265,33 @@ interface(`files_relabel_all_lock_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -14296,7 +14321,7 @@ index f962f76ad..c1b46d8f3 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5809,13 +7289,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5809,13 +7307,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -14314,7 +14339,7 @@ index f962f76ad..c1b46d8f3 100644
  ')
  
  ########################################
-@@ -5834,9 +7313,7 @@ interface(`files_manage_generic_locks',`
+@@ -5834,9 +7331,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -14325,7 +14350,7 @@ index f962f76ad..c1b46d8f3 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5878,8 +7355,7 @@ interface(`files_read_all_locks',`
+@@ -5878,8 +7373,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -14335,7 +14360,7 @@ index f962f76ad..c1b46d8f3 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7377,7 @@ interface(`files_manage_all_locks',`
+@@ -5901,8 +7395,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -14345,7 +14370,7 @@ index f962f76ad..c1b46d8f3 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7414,7 @@ interface(`files_lock_filetrans',`
+@@ -5939,8 +7432,7 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -14355,7 +14380,7 @@ index f962f76ad..c1b46d8f3 100644
  	filetrans_pattern($1, var_lock_t, $2, $3, $4)
  ')
  
-@@ -5979,7 +7453,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5979,7 +7471,7 @@ interface(`files_setattr_pid_dirs',`
  		type var_run_t;
  	')
  
@@ -14364,7 +14389,7 @@ index f962f76ad..c1b46d8f3 100644
  	allow $1 var_run_t:dir setattr;
  ')
  
-@@ -5999,10 +7473,48 @@ interface(`files_search_pids',`
+@@ -5999,10 +7491,48 @@ interface(`files_search_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -14413,133 +14438,615 @@ index f962f76ad..c1b46d8f3 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -6025,6 +7537,43 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,47 +7555,45 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
+-##	List the contents of the runtime process
+-##	ID directories (/var/run).
 +##	Do not audit attempts to search
 +##	the all /var/run directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_pids',`
++interface(`files_dontaudit_search_all_pids',`
+ 	gen_require(`
+-		type var_t, var_run_t;
++		attribute pidfile;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
++	dontaudit $1 pidfile:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic process ID files.
++##	Allow search the all /var/run directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_pids',`
++interface(`files_search_all_pids',`
+ 	gen_require(`
+-		type var_t, var_run_t;
++		attribute pidfile;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
+-	read_files_pattern($1, var_run_t, var_run_t)
++	allow $1 pidfile:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Write named generic process ID pipes
++##	List the contents of the runtime process
++##	ID directories (/var/run).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6073,12 +7601,51 @@ interface(`files_read_generic_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_write_generic_pid_pipes',`
++interface(`files_list_pids',`
++	gen_require(`
++		type var_t, var_run_t;
++	')
++
++	files_search_pids($1)
++	list_dirs_pattern($1, var_t, var_run_t)
++')
++
++########################################
++## <summary>
++##	Read generic process ID files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_dontaudit_search_all_pids',`
++interface(`files_read_generic_pids',`
 +	gen_require(`
-+		attribute pidfile;
++		type var_t, var_run_t;
 +	')
 +
-+	dontaudit $1 pidfile:dir search_dir_perms;
++	files_search_pids($1)
++	list_dirs_pattern($1, var_t, var_run_t)
++	read_files_pattern($1, var_run_t, var_run_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Allow search the all /var/run directory.
++##	Write named generic process ID pipes
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_search_all_pids',`
++interface(`files_write_generic_pid_pipes',`
+ 	gen_require(`
+ 		type var_run_t;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++	files_search_pids($1)
+ 	allow $1 var_run_t:fifo_file write;
+ ')
+ 
+@@ -6140,7 +7707,6 @@ interface(`files_pid_filetrans',`
+ 	')
+ 
+ 	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ 	filetrans_pattern($1, var_run_t, $2, $3, $4)
+ ')
+ 
+@@ -6169,6 +7735,24 @@ interface(`files_pid_filetrans_lock_dir',`
+ 
+ ########################################
+ ## <summary>
++##	rw generic pid files inherited from another process
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_rw_inherited_generic_pid_files',`
 +	gen_require(`
-+		attribute pidfile;
++		type var_run_t;
 +	')
 +
-+	allow $1 pidfile:dir search_dir_perms;
++	allow $1 var_run_t:file rw_inherited_file_perms;
 +')
 +
 +########################################
 +## <summary>
- ##	List the contents of the runtime process
- ##	ID directories (/var/run).
+ ##	Read and write generic process ID files.
  ## </summary>
-@@ -6039,7 +7588,7 @@ interface(`files_list_pids',`
+ ## <param name="domain">
+@@ -6182,7 +7766,7 @@ interface(`files_rw_generic_pids',`
  		type var_t, var_run_t;
  	')
  
 -	allow $1 var_run_t:lnk_file read_lnk_file_perms;
 +	files_search_pids($1)
  	list_dirs_pattern($1, var_t, var_run_t)
+ 	rw_files_pattern($1, var_run_t, var_run_t)
  ')
+@@ -6249,55 +7833,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
-@@ -6058,7 +7607,7 @@ interface(`files_read_generic_pids',`
- 		type var_t, var_run_t;
+ ########################################
+ ## <summary>
+-##	Read all process ID files.
++##	Relable all pid directories
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_read_all_pids',`
++interface(`files_relabel_all_pid_dirs',`
+ 	gen_require(`
+ 		attribute pidfile;
+-		type var_t, var_run_t;
  	')
  
 -	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+	files_search_pids($1)
- 	list_dirs_pattern($1, var_t, var_run_t)
- 	read_files_pattern($1, var_run_t, var_run_t)
+-	list_dirs_pattern($1, var_t, pidfile)
+-	read_files_pattern($1, pidfile, pidfile)
++	relabel_dirs_pattern($1, pidfile, pidfile)
  ')
-@@ -6078,7 +7627,7 @@ interface(`files_write_generic_pid_pipes',`
- 		type var_run_t;
+ 
+ ########################################
+ ## <summary>
+-##	Delete all process IDs.
++##	Delete all pid sockets
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_delete_all_pids',`
++interface(`files_delete_all_pid_sockets',`
+ 	gen_require(`
+ 		attribute pidfile;
+-		type var_t, var_run_t;
  	')
  
+-	allow $1 var_t:dir search_dir_perms;
 -	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+	files_search_pids($1)
- 	allow $1 var_run_t:fifo_file write;
+-	allow $1 var_run_t:dir rmdir;
+-	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+-	delete_files_pattern($1, pidfile, pidfile)
+-	delete_fifo_files_pattern($1, pidfile, pidfile)
+-	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++	allow $1 pidfile:sock_file delete_sock_file_perms;
  ')
  
-@@ -6140,7 +7689,6 @@ interface(`files_pid_filetrans',`
+ ########################################
+ ## <summary>
+-##	Delete all process ID directories.
++##	Create all pid sockets
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6305,42 +7877,35 @@ interface(`files_delete_all_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_all_pid_dirs',`
++interface(`files_create_all_pid_sockets',`
+ 	gen_require(`
+ 		attribute pidfile;
+-		type var_t, var_run_t;
  	')
  
- 	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_t:dir search_dir_perms;
 -	allow $1 var_run_t:lnk_file read_lnk_file_perms;
- 	filetrans_pattern($1, var_run_t, $2, $3, $4)
+-	delete_dirs_pattern($1, pidfile, pidfile)
++	allow $1 pidfile:sock_file create_sock_file_perms;
  ')
  
-@@ -6169,7 +7717,7 @@ interface(`files_pid_filetrans_lock_dir',`
+ ########################################
+ ## <summary>
+-##	Create, read, write and delete all
+-##	var_run (pid) content
++##	Create all pid named pipes
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain alloed access.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_all_pids',`
++interface(`files_create_all_pid_pipes',`
+ 	gen_require(`
+ 		attribute pidfile;
+ 	')
+ 
+-	manage_dirs_pattern($1, pidfile, pidfile)
+-	manage_files_pattern($1, pidfile, pidfile)
+-	manage_lnk_files_pattern($1, pidfile, pidfile)
++	allow $1 pidfile:fifo_file create_fifo_file_perms;
+ ')
  
  ########################################
  ## <summary>
--##	Read and write generic process ID files.
-+##	rw generic pid files inherited from another process
+-##	Mount filesystems on all polyinstantiation
+-##	member directories.
++##	Delete all pid named pipes
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6177,12 +7725,30 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6348,18 +7913,18 @@ interface(`files_manage_all_pids',`
  ##	</summary>
  ## </param>
  #
--interface(`files_rw_generic_pids',`
-+interface(`files_rw_inherited_generic_pid_files',`
+-interface(`files_mounton_all_poly_members',`
++interface(`files_delete_all_pid_pipes',`
  	gen_require(`
--		type var_t, var_run_t;
+-		attribute polymember;
++		attribute pidfile;
+ 	')
+ 
+-	allow $1 polymember:dir mounton;
++	allow $1 pidfile:fifo_file delete_fifo_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the contents of generic spool
+-##	directories (/var/spool).
++##	manage all pidfile directories
++##	in the /var/run directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6367,37 +7932,40 @@ interface(`files_mounton_all_poly_members',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_spool',`
++interface(`files_manage_all_pid_dirs',`
+ 	gen_require(`
+-		type var_t, var_spool_t;
++		attribute pidfile;
+ 	')
+ 
+-	search_dirs_pattern($1, var_t, var_spool_t)
++	manage_dirs_pattern($1,pidfile,pidfile)
+ ')
+ 
++
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search generic
+-##	spool directories.
++##	Read all process ID files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_dontaudit_search_spool',`
++interface(`files_read_all_pids',`
+ 	gen_require(`
+-		type var_spool_t;
++		attribute pidfile;
++		type var_t;
+ 	')
+ 
+-	dontaudit $1 var_spool_t:dir search_dir_perms;
++	list_dirs_pattern($1, var_t, pidfile)
++	read_files_pattern($1, pidfile, pidfile)
++	read_lnk_files_pattern($1, pidfile, pidfile)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of generic spool
+-##	(/var/spool) directories.
++##	Relable all pid files
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6405,18 +7973,17 @@ interface(`files_dontaudit_search_spool',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_spool',`
++interface(`files_relabel_all_pid_files',`
+ 	gen_require(`
+-		type var_t, var_spool_t;
++		attribute pidfile;
+ 	')
+ 
+-	list_dirs_pattern($1, var_t, var_spool_t)
++	relabel_files_pattern($1, pidfile, pidfile)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete generic
+-##	spool directories (/var/spool).
++##	Execute generic programs in /var/run in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6424,18 +7991,18 @@ interface(`files_list_spool',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_spool_dirs',`
++interface(`files_exec_generic_pid_files',`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		type var_run_t;
  	')
  
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+	allow $1 var_run_t:file rw_inherited_file_perms;
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_dirs_pattern($1, var_spool_t, var_spool_t)
++	exec_files_pattern($1, var_run_t, var_run_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic spool files.
++##	Write all sockets
++##	in the /var/run directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6443,19 +8010,18 @@ interface(`files_manage_generic_spool_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_spool',`
++interface(`files_write_all_pid_sockets',`
+ 	gen_require(`
+-		type var_t, var_spool_t;
++		attribute pidfile;
+ 	')
+ 
+-	list_dirs_pattern($1, var_t, var_spool_t)
+-	read_files_pattern($1, var_spool_t, var_spool_t)
++	allow $1 pidfile:sock_file write_sock_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete generic
+-##	spool files.
++##	manage all pidfiles 
++##	in the /var/run directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6463,55 +8029,62 @@ interface(`files_read_generic_spool',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_spool',`
++interface(`files_manage_all_pids',`
+ 	gen_require(`
+-		type var_t, var_spool_t;
++		attribute pidfile;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_files_pattern($1, var_spool_t, var_spool_t)
++	manage_files_pattern($1,pidfile,pidfile)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in the spool directory
+-##	with a private type with a type transition.
++##	Mount filesystems on all polyinstantiation
++##	member directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="file">
+-##	<summary>
+-##	Type to which the created node will be transitioned.
+-##	</summary>
+-## </param>
+-## <param name="class">
+-##	<summary>
+-##	Object class(es) (single or set including {}) for which this
+-##	the transition will occur.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
++#
++interface(`files_mounton_all_poly_members',`
++	gen_require(`
++		attribute polymember;
++	')
++
++	allow $1 polymember:dir mounton;
 +')
 +
 +########################################
 +## <summary>
-+##	Read and write generic process ID files.
++##	Delete all process IDs.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	The name of the object being created.
 +##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_spool_filetrans',`
++interface(`files_delete_all_pids',`
+ 	gen_require(`
+-		type var_t, var_spool_t;
++		attribute pidfile;
++		type var_t, var_run_t;
+ 	')
+ 
++	files_search_pids($1)
+ 	allow $1 var_t:dir search_dir_perms;
+-	filetrans_pattern($1, var_spool_t, $2, $3, $4)
++	allow $1 var_run_t:dir rmdir;
++	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++	delete_files_pattern($1, pidfile, pidfile)
++	delete_fifo_files_pattern($1, pidfile, pidfile)
++	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow access to manage all polyinstantiated
+-##	directories on the system.
++##	Delete all process ID directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6519,53 +8092,332 @@ interface(`files_spool_filetrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_polyinstantiate_all',`
++interface(`files_delete_all_pid_dirs',`
+ 	gen_require(`
+-		attribute polydir, polymember, polyparent;
+-		type poly_t;
++		attribute pidfile;
++		type var_t, var_run_t;
+ 	')
+ 
+-	# Need to give access to /selinux/member
+-	selinux_compute_member($1)
+-
+-	# Need sys_admin capability for mounting
+-	allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+-	# Need to give access to the directories to be polyinstantiated
+-	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+-	# Need to give access to the polyinstantiated subdirectories
+-	allow $1 polymember:dir search_dir_perms;
+-
+-	# Need to give access to parent directories where original
+-	# is remounted for polyinstantiation aware programs (like gdm)
+-	allow $1 polyparent:dir { getattr mounton };
+-
+-	# Need to give permission to create directories where applicable
+-	allow $1 self:process setfscreate;
+-	allow $1 polymember: dir { create setattr relabelto };
+-	allow $1 polydir: dir { write add_name open };
+-	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+-
+-	# Default type for mountpoints
+-	allow $1 poly_t:dir { create mounton };
+-	fs_unmount_xattr_fs($1)
+-
+-	fs_mount_tmpfs($1)
+-	fs_unmount_tmpfs($1)
++	files_search_pids($1)
++	allow $1 var_t:dir search_dir_perms;
++	delete_dirs_pattern($1, pidfile, pidfile)
++')
+ 
+-	ifdef(`distro_redhat',`
+-		# namespace.init
+-		files_search_tmp($1)
+-		files_search_home($1)
+-		corecmd_exec_bin($1)
+-		seutil_domtrans_setfiles($1)
++########################################
++## <summary>
++##	Make the specified type a file
++##	used for spool files.
++## </summary>
++## <desc>
++##	<p>
++##	Make the specified type usable for spool files.
++##	This will also make the type usable for files, making
++##	calls to files_type() redundant.  Failure to use this interface
++##	for a spool file may result in problems with
++##	purging spool files.
++##	</p>
++##	<p>
++##	Related interfaces:
++##	</p>
++##	<ul>
++##		<li>files_spool_filetrans()</li>
++##	</ul>
++##	<p>
++##	Example usage with a domain that can create and
++##	write its spool file in the system spool file
++##	directories (/var/spool):
++##	</p>
++##	<p>
++##	type myspoolfile_t;
++##	files_spool_file(myfile_spool_t)
++##	allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
++##	files_spool_filetrans(mydomain_t, myfile_spool_t, file)
++##	</p>
++## </desc>
++## <param name="file_type">
++##	<summary>
++##	Type of the file to be used as a
++##	spool file.
 +##	</summary>
 +## </param>
++## <infoflow type="none"/>
 +#
-+interface(`files_rw_generic_pids',`
++interface(`files_spool_file',`
 +	gen_require(`
-+		type var_t, var_run_t;
-+	')
++		attribute spoolfile;
+ 	')
 +
-+	files_search_pids($1)
- 	list_dirs_pattern($1, var_t, var_run_t)
- 	rw_files_pattern($1, var_run_t, var_run_t)
++	files_type($1)
++	typeattribute $1 spoolfile;
  ')
-@@ -6249,6 +7815,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
-+##	Relable all pid directories
+-##	Unconfined access to files.
++##	Create all spool sockets
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -14547,17 +15054,17 @@ index f962f76ad..c1b46d8f3 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_relabel_all_pid_dirs',`
++interface(`files_create_all_spool_sockets',`
 +	gen_require(`
-+		attribute pidfile;
++		attribute spoolfile;
 +	')
 +
-+	relabel_dirs_pattern($1, pidfile, pidfile)
++	allow $1 spoolfile:sock_file create_sock_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Delete all pid sockets
++##	Delete all spool sockets
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -14565,35 +15072,39 @@ index f962f76ad..c1b46d8f3 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_delete_all_pid_sockets',`
++interface(`files_delete_all_spool_sockets',`
 +	gen_require(`
-+		attribute pidfile;
++		attribute spoolfile;
 +	')
 +
-+	allow $1 pidfile:sock_file delete_sock_file_perms;
++	allow $1 spoolfile:sock_file delete_sock_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Create all pid sockets
++##	Relabel to and from all spool
++##	directory types.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <rolecap/>
 +#
-+interface(`files_create_all_pid_sockets',`
++interface(`files_relabel_all_spool_dirs',`
 +	gen_require(`
-+		attribute pidfile;
++		attribute spoolfile;
++		type var_t;
 +	')
 +
-+	allow $1 pidfile:sock_file create_sock_file_perms;
++	relabel_dirs_pattern($1, spoolfile, spoolfile)
 +')
 +
 +########################################
 +## <summary>
-+##	Create all pid named pipes
++##	Search the contents of generic spool
++##	directories (/var/spool).
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -14601,36 +15112,37 @@ index f962f76ad..c1b46d8f3 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_create_all_pid_pipes',`
++interface(`files_search_spool',`
 +	gen_require(`
-+		attribute pidfile;
++		type var_t, var_spool_t;
 +	')
 +
-+	allow $1 pidfile:fifo_file create_fifo_file_perms;
++	search_dirs_pattern($1, var_t, var_spool_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Delete all pid named pipes
++##	Do not audit attempts to search generic
++##	spool directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_delete_all_pid_pipes',`
++interface(`files_dontaudit_search_spool',`
 +	gen_require(`
-+		attribute pidfile;
++		type var_spool_t;
 +	')
 +
-+	allow $1 pidfile:fifo_file delete_fifo_file_perms;
++	dontaudit $1 var_spool_t:dir search_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	manage all pidfile directories
-+##	in the /var/run directory.
++##	List the contents of generic spool
++##	(/var/spool) directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -14638,37 +15150,18 @@ index f962f76ad..c1b46d8f3 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_manage_all_pid_dirs',`
++interface(`files_list_spool',`
 +	gen_require(`
-+		attribute pidfile;
++		type var_t, var_spool_t;
 +	')
 +
-+	manage_dirs_pattern($1,pidfile,pidfile)
-+')
-+
-+
-+########################################
-+## <summary>
- ##	Read all process ID files.
- ## </summary>
- ## <param name="domain">
-@@ -6261,12 +7937,105 @@ interface(`files_dontaudit_ioctl_all_pids',`
- interface(`files_read_all_pids',`
- 	gen_require(`
- 		attribute pidfile;
--		type var_t, var_run_t;
-+		type var_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
- 	list_dirs_pattern($1, var_t, pidfile)
- 	read_files_pattern($1, pidfile, pidfile)
-+	read_lnk_files_pattern($1, pidfile, pidfile)
++	list_dirs_pattern($1, var_t, var_spool_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Relable all pid files
++##	Create, read, write, and delete generic
++##	spool directories (/var/spool).
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -14676,17 +15169,18 @@ index f962f76ad..c1b46d8f3 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_relabel_all_pid_files',`
++interface(`files_manage_generic_spool_dirs',`
 +	gen_require(`
-+		attribute pidfile;
++		type var_t, var_spool_t;
 +	')
 +
-+	relabel_files_pattern($1, pidfile, pidfile)
++	allow $1 var_t:dir search_dir_perms;
++	manage_dirs_pattern($1, var_spool_t, var_spool_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Execute generic programs in /var/run in the caller domain.
++##	Read generic spool files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -14694,18 +15188,19 @@ index f962f76ad..c1b46d8f3 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_exec_generic_pid_files',`
++interface(`files_read_generic_spool',`
 +	gen_require(`
-+		type var_run_t;
++		type var_t, var_spool_t;
 +	')
 +
-+	exec_files_pattern($1, var_run_t, var_run_t)
++	list_dirs_pattern($1, var_t, var_spool_t)
++	read_files_pattern($1, var_spool_t, var_spool_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Write all sockets
-+##	in the /var/run directory.
++##	Create, read, write, and delete generic
++##	spool files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -14713,37 +15208,55 @@ index f962f76ad..c1b46d8f3 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_write_all_pid_sockets',`
++interface(`files_manage_generic_spool',`
 +	gen_require(`
-+		attribute pidfile;
++		type var_t, var_spool_t;
 +	')
 +
-+	allow $1 pidfile:sock_file write_sock_file_perms;
++	allow $1 var_t:dir search_dir_perms;
++	manage_files_pattern($1, var_spool_t, var_spool_t)
 +')
 +
 +########################################
 +## <summary>
-+##	manage all pidfiles 
-+##	in the /var/run directory.
++##	Create objects in the spool directory
++##	with a private type with a type transition.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <param name="file">
++##	<summary>
++##	Type to which the created node will be transitioned.
++##	</summary>
++## </param>
++## <param name="class">
++##	<summary>
++##	Object class(es) (single or set including {}) for which this
++##	the transition will occur.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
 +#
-+interface(`files_manage_all_pids',`
++interface(`files_spool_filetrans',`
 +	gen_require(`
-+		attribute pidfile;
++		type var_t, var_spool_t;
 +	')
 +
-+	manage_files_pattern($1,pidfile,pidfile)
++	allow $1 var_t:dir search_dir_perms;
++	filetrans_pattern($1, var_spool_t, $2, $3, $4)
 +')
 +
 +########################################
 +## <summary>
-+##	Mount filesystems on all polyinstantiation
-+##	member directories.
++##	Allow access to manage all polyinstantiated
++##	directories on the system.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -14751,155 +15264,57 @@ index f962f76ad..c1b46d8f3 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_mounton_all_poly_members',`
++interface(`files_polyinstantiate_all',`
 +	gen_require(`
-+		attribute polymember;
++		attribute polydir, polymember, polyparent;
++		type poly_t;
 +	')
 +
-+	allow $1 polymember:dir mounton;
- ')
- 
- ########################################
-@@ -6286,8 +8055,8 @@ interface(`files_delete_all_pids',`
- 		type var_t, var_run_t;
- 	')
- 
-+	files_search_pids($1)
- 	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
- 	allow $1 var_run_t:dir rmdir;
- 	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
- 	delete_files_pattern($1, pidfile, pidfile)
-@@ -6311,36 +8080,80 @@ interface(`files_delete_all_pid_dirs',`
- 		type var_t, var_run_t;
- 	')
- 
-+	files_search_pids($1)
- 	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
- 	delete_dirs_pattern($1, pidfile, pidfile)
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write and delete all
--##	var_run (pid) content
-+##	Make the specified type a file
-+##	used for spool files.
-+## </summary>
-+## <desc>
-+##	<p>
-+##	Make the specified type usable for spool files.
-+##	This will also make the type usable for files, making
-+##	calls to files_type() redundant.  Failure to use this interface
-+##	for a spool file may result in problems with
-+##	purging spool files.
-+##	</p>
-+##	<p>
-+##	Related interfaces:
-+##	</p>
-+##	<ul>
-+##		<li>files_spool_filetrans()</li>
-+##	</ul>
-+##	<p>
-+##	Example usage with a domain that can create and
-+##	write its spool file in the system spool file
-+##	directories (/var/spool):
-+##	</p>
-+##	<p>
-+##	type myspoolfile_t;
-+##	files_spool_file(myfile_spool_t)
-+##	allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
-+##	files_spool_filetrans(mydomain_t, myfile_spool_t, file)
-+##	</p>
-+## </desc>
-+## <param name="file_type">
-+##	<summary>
-+##	Type of the file to be used as a
-+##	spool file.
-+##	</summary>
-+## </param>
-+## <infoflow type="none"/>
-+#
-+interface(`files_spool_file',`
-+	gen_require(`
-+		attribute spoolfile;
-+	')
++	# Need to give access to /selinux/member
++	selinux_compute_member($1)
 +
-+	files_type($1)
-+	typeattribute $1 spoolfile;
++	# Need sys_admin capability for mounting
++	allow $1 self:capability { chown fsetid sys_admin fowner };
++
++	# Need to give access to the directories to be polyinstantiated
++	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
++
++	# Need to give access to the polyinstantiated subdirectories
++	allow $1 polymember:dir search_dir_perms;
++
++	# Need to give access to parent directories where original
++	# is remounted for polyinstantiation aware programs (like gdm)
++	allow $1 polyparent:dir { getattr mounton };
++
++	# Need to give permission to create directories where applicable
++	allow $1 self:process setfscreate;
++	allow $1 polymember: dir { create setattr relabelto };
++	allow $1 polydir: dir { write add_name open };
++	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
++
++	# Default type for mountpoints
++	allow $1 poly_t:dir { create mounton };
++	fs_unmount_xattr_fs($1)
++
++	fs_mount_tmpfs($1)
++	fs_unmount_tmpfs($1)
++
++	ifdef(`distro_redhat',`
++		# namespace.init
++		files_search_tmp($1)
++		files_search_home($1)
++		corecmd_exec_bin($1)
++		seutil_domtrans_setfiles($1)
++	')
 +')
 +
 +########################################
 +## <summary>
-+##	Create all spool sockets
++##	Unconfined access to files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain alloed access.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`files_manage_all_pids',`
-+interface(`files_create_all_spool_sockets',`
- 	gen_require(`
--		attribute pidfile;
-+		attribute spoolfile;
- 	')
- 
--	manage_dirs_pattern($1, pidfile, pidfile)
--	manage_files_pattern($1, pidfile, pidfile)
--	manage_lnk_files_pattern($1, pidfile, pidfile)
-+	allow $1 spoolfile:sock_file create_sock_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Mount filesystems on all polyinstantiation
--##	member directories.
-+##	Delete all spool sockets
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6348,12 +8161,33 @@ interface(`files_manage_all_pids',`
- ##	</summary>
- ## </param>
- #
--interface(`files_mounton_all_poly_members',`
-+interface(`files_delete_all_spool_sockets',`
- 	gen_require(`
--		attribute polymember;
-+		attribute spoolfile;
- 	')
- 
--	allow $1 polymember:dir mounton;
-+	allow $1 spoolfile:sock_file delete_sock_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Relabel to and from all spool
-+##	directory types.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`files_relabel_all_spool_dirs',`
-+	gen_require(`
-+		attribute spoolfile;
-+		type var_t;
-+	')
-+
-+	relabel_dirs_pattern($1, spoolfile, spoolfile)
- ')
- 
- ########################################
-@@ -6580,3 +8414,623 @@ interface(`files_unconfined',`
+@@ -6580,3 +8432,623 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -15770,7 +16185,7 @@ index d7c11a0b3..f521a50f8 100644
  /var/run/shm/.*			<<none>>
 -')
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb43..b5b7a0ae8 100644
+index 8416beb43..2aa8d9ff4 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -577,6 +577,24 @@ interface(`fs_mount_cgroup', `
@@ -16654,7 +17069,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1839,174 +2234,988 @@ interface(`fs_unmount_fusefs',`
+@@ -1839,174 +2234,989 @@ interface(`fs_unmount_fusefs',`
  ##	</summary>
  ## </param>
  #
@@ -17199,6 +17614,7 @@ index 8416beb43..b5b7a0ae8 100644
 +		type hugetlbfs_t;
 +	')
 +
++    allow $1 hugetlbfs_t:file map;
 +	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
 +')
 +
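Review bot: The added `allow $1 hugetlbfs_t:file map;` is indented with four spaces while the neighbouring `rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)` and the `gen_require` block use a tab, and it widens a read/write interface to include `map` without saying so. I would write it with a leading tab and extend the interface's `<summary>` to mention that mapping is granted, so anyone auditing what the interface hands out does not have to read the body. The interface header is outside this hunk, so its name and current summary cannot be checked here.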
@@ -17694,7 +18110,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2014,19 +3223,20 @@ interface(`fs_dontaudit_manage_fusefs_files',`
+@@ -2014,19 +3224,20 @@ interface(`fs_dontaudit_manage_fusefs_files',`
  ##	</summary>
  ## </param>
  #
@@ -17721,7 +18137,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2034,17 +3244,18 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -2034,17 +3245,18 @@ interface(`fs_read_fusefs_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -17744,7 +18160,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2052,17 +3263,38 @@ interface(`fs_getattr_hugetlbfs',`
+@@ -2052,17 +3264,38 @@ interface(`fs_getattr_hugetlbfs',`
  ##	</summary>
  ## </param>
  #
@@ -17787,7 +18203,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2070,17 +3302,19 @@ interface(`fs_list_hugetlbfs',`
+@@ -2070,17 +3303,19 @@ interface(`fs_list_hugetlbfs',`
  ##	</summary>
  ## </param>
  #
@@ -17811,7 +18227,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2088,35 +3322,41 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -2088,35 +3323,41 @@ interface(`fs_manage_hugetlbfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -17864,7 +18280,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2124,17 +3364,19 @@ interface(`fs_associate_hugetlbfs',`
+@@ -2124,17 +3365,19 @@ interface(`fs_associate_hugetlbfs',`
  ##	</summary>
  ## </param>
  #
@@ -17888,7 +18304,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2142,17 +3384,23 @@ interface(`fs_search_inotifyfs',`
+@@ -2142,17 +3385,23 @@ interface(`fs_search_inotifyfs',`
  ##	</summary>
  ## </param>
  #
@@ -17916,7 +18332,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2160,53 +3408,39 @@ interface(`fs_list_inotifyfs',`
+@@ -2160,53 +3409,39 @@ interface(`fs_list_inotifyfs',`
  ##	</summary>
  ## </param>
  #
@@ -17982,7 +18398,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2214,19 +3448,18 @@ interface(`fs_hugetlbfs_filetrans',`
+@@ -2214,19 +3449,18 @@ interface(`fs_hugetlbfs_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -18007,7 +18423,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2234,18 +3467,18 @@ interface(`fs_mount_iso9660_fs',`
+@@ -2234,18 +3468,18 @@ interface(`fs_mount_iso9660_fs',`
  ##	</summary>
  ## </param>
  #
@@ -18031,7 +18447,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2253,58 +3486,54 @@ interface(`fs_remount_iso9660_fs',`
+@@ -2253,58 +3487,54 @@ interface(`fs_remount_iso9660_fs',`
  ##	</summary>
  ## </param>
  #
@@ -18103,7 +18519,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2312,19 +3541,17 @@ interface(`fs_getattr_iso9660_files',`
+@@ -2312,19 +3542,17 @@ interface(`fs_getattr_iso9660_files',`
  ##	</summary>
  ## </param>
  #
@@ -18127,7 +18543,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2332,18 +3559,17 @@ interface(`fs_read_iso9660_files',`
+@@ -2332,18 +3560,17 @@ interface(`fs_read_iso9660_files',`
  ##	</summary>
  ## </param>
  #
@@ -18149,7 +18565,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2351,240 +3577,243 @@ interface(`fs_mount_nfs',`
+@@ -2351,240 +3578,243 @@ interface(`fs_mount_nfs',`
  ##	</summary>
  ## </param>
  #
@@ -18449,7 +18865,7 @@ index 8416beb43..b5b7a0ae8 100644
  ')
  
  ########################################
-@@ -2603,7 +3832,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2603,7 +3833,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -18458,7 +18874,7 @@ index 8416beb43..b5b7a0ae8 100644
  ')
  
  ########################################
-@@ -2627,7 +3856,7 @@ interface(`fs_read_nfs_symlinks',`
+@@ -2627,7 +3857,7 @@ interface(`fs_read_nfs_symlinks',`
  
  ########################################
  ## <summary>
@@ -18467,7 +18883,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2719,6 +3948,65 @@ interface(`fs_search_rpc',`
+@@ -2719,6 +3949,65 @@ interface(`fs_search_rpc',`
  
  ########################################
  ## <summary>
@@ -18533,7 +18949,7 @@ index 8416beb43..b5b7a0ae8 100644
  ##	Search removable storage directories.
  ## </summary>
  ## <param name="domain">
-@@ -2741,7 +4029,7 @@ interface(`fs_search_removable',`
+@@ -2741,7 +4030,7 @@ interface(`fs_search_removable',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -18542,7 +18958,7 @@ index 8416beb43..b5b7a0ae8 100644
  ##	</summary>
  ## </param>
  #
-@@ -2777,7 +4065,7 @@ interface(`fs_read_removable_files',`
+@@ -2777,7 +4066,7 @@ interface(`fs_read_removable_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -18551,7 +18967,7 @@ index 8416beb43..b5b7a0ae8 100644
  ##	</summary>
  ## </param>
  #
-@@ -2970,6 +4258,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +4259,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -18559,7 +18975,7 @@ index 8416beb43..b5b7a0ae8 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -3010,6 +4299,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,6 +4300,7 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -18567,7 +18983,7 @@ index 8416beb43..b5b7a0ae8 100644
  	manage_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3050,6 +4340,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3050,6 +4341,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -18575,7 +18991,7 @@ index 8416beb43..b5b7a0ae8 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3137,6 +4428,24 @@ interface(`fs_nfs_domtrans',`
+@@ -3137,6 +4429,24 @@ interface(`fs_nfs_domtrans',`
  
  ########################################
  ## <summary>
@@ -18600,7 +19016,7 @@ index 8416beb43..b5b7a0ae8 100644
  ##	Mount a NFS server pseudo filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3239,15 +4548,198 @@ interface(`fs_search_nfsd_fs',`
+@@ -3239,15 +4549,198 @@ interface(`fs_search_nfsd_fs',`
  #
  interface(`fs_list_nfsd_fs',`
  	gen_require(`
@@ -18802,7 +19218,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3255,35 +4747,35 @@ interface(`fs_list_nfsd_fs',`
+@@ -3255,35 +4748,35 @@ interface(`fs_list_nfsd_fs',`
  ##	</summary>
  ## </param>
  #
@@ -18847,7 +19263,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="type">
  ##	<summary>
-@@ -3291,12 +4783,12 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3291,12 +4784,12 @@ interface(`fs_rw_nfsd_fs',`
  ##	</summary>
  ## </param>
  #
@@ -18863,7 +19279,7 @@ index 8416beb43..b5b7a0ae8 100644
  ')
  
  ########################################
-@@ -3392,7 +4884,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +4885,7 @@ interface(`fs_search_ramfs',`
  
  ########################################
  ## <summary>
@@ -18872,7 +19288,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3429,7 +4921,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4922,7 @@ interface(`fs_manage_ramfs_dirs',`
  
  ########################################
  ## <summary>
@@ -18881,7 +19297,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3447,7 +4939,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4940,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
  
  ########################################
  ## <summary>
@@ -18890,7 +19306,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3779,6 +5271,24 @@ interface(`fs_mount_tmpfs',`
+@@ -3779,6 +5272,24 @@ interface(`fs_mount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -18915,7 +19331,7 @@ index 8416beb43..b5b7a0ae8 100644
  ##	Remount a tmpfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3815,6 +5325,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +5326,24 @@ interface(`fs_unmount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -18940,7 +19356,7 @@ index 8416beb43..b5b7a0ae8 100644
  ##	Get the attributes of a tmpfs
  ##	filesystem.
  ## </summary>
-@@ -3908,7 +5436,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3908,7 +5437,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
  
  ########################################
  ## <summary>
@@ -18949,7 +19365,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3916,17 +5444,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,17 +5445,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -18970,7 +19386,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3934,17 +5462,17 @@ interface(`fs_mounton_tmpfs',`
+@@ -3934,17 +5463,17 @@ interface(`fs_mounton_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -18991,7 +19407,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3952,17 +5480,36 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +5481,36 @@ interface(`fs_setattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -19031,7 +19447,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3970,31 +5517,48 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +5518,48 @@ interface(`fs_search_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -19087,7 +19503,7 @@ index 8416beb43..b5b7a0ae8 100644
  ')
  
  ########################################
-@@ -4057,23 +5621,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
+@@ -4057,23 +5622,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
  ## </param>
  ## <param name="name" optional="true">
  ##	<summary>
@@ -19264,7 +19680,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4081,18 +5792,18 @@ interface(`fs_tmpfs_filetrans',`
+@@ -4081,18 +5793,18 @@ interface(`fs_tmpfs_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -19287,7 +19703,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4100,54 +5811,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
+@@ -4100,54 +5812,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -19354,7 +19770,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4155,17 +5865,18 @@ interface(`fs_read_tmpfs_files',`
+@@ -4155,17 +5866,18 @@ interface(`fs_read_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -19376,7 +19792,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4173,17 +5884,18 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4173,17 +5885,18 @@ interface(`fs_rw_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -19398,7 +19814,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4191,37 +5903,36 @@ interface(`fs_read_tmpfs_symlinks',`
+@@ -4191,37 +5904,36 @@ interface(`fs_read_tmpfs_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -19444,7 +19860,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4229,18 +5940,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4229,18 +5941,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  ##	</summary>
  ## </param>
  #
@@ -19466,7 +19882,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4248,18 +5959,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
+@@ -4248,18 +5960,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
  ##	</summary>
  ## </param>
  #
@@ -19490,7 +19906,7 @@ index 8416beb43..b5b7a0ae8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4267,32 +5979,31 @@ interface(`fs_rw_tmpfs_blk_files',`
+@@ -4267,32 +5980,31 @@ interface(`fs_rw_tmpfs_blk_files',`
  ##	</summary>
  ## </param>
  #
@@ -19529,7 +19945,7 @@ index 8416beb43..b5b7a0ae8 100644
  ')
  
  ########################################
-@@ -4407,6 +6118,25 @@ interface(`fs_search_xenfs',`
+@@ -4407,6 +6119,25 @@ interface(`fs_search_xenfs',`
  	allow $1 xenfs_t:dir search_dir_perms;
  ')
  
@@ -19555,7 +19971,7 @@ index 8416beb43..b5b7a0ae8 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete directories
-@@ -4503,6 +6233,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +6234,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -19564,7 +19980,7 @@ index 8416beb43..b5b7a0ae8 100644
  ')
  
  ########################################
-@@ -4549,7 +6281,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +6282,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -19573,7 +19989,7 @@ index 8416beb43..b5b7a0ae8 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4596,6 +6328,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +6329,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
  
  ########################################
  ## <summary>
@@ -19600,7 +20016,7 @@ index 8416beb43..b5b7a0ae8 100644
  ##	Get the quotas of all filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4671,6 +6423,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +6424,25 @@ interface(`fs_getattr_all_dirs',`
  
  ########################################
  ## <summary>
@@ -19626,7 +20042,7 @@ index 8416beb43..b5b7a0ae8 100644
  ##	Search all directories with a filesystem type.
  ## </summary>
  ## <param name="domain">
-@@ -4912,3 +6683,176 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6684,176 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -27098,7 +27514,7 @@ index 9d2f31168..2d782e051 100644
 +	postgresql_filetrans_named_content($1)
  ')
 diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 03061349c..bb5f3dd51 100644
+index 03061349c..e30703d3c 100644
 --- a/policy/modules/services/postgresql.te
 +++ b/policy/modules/services/postgresql.te
 @@ -19,25 +19,32 @@ gen_require(`
@@ -27182,7 +27598,15 @@ index 03061349c..bb5f3dd51 100644
  manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
  logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })
  
-@@ -299,12 +311,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run
+@@ -291,6 +303,7 @@ manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
+ manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
+ manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
+ files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
++allow postgresql_t postgresql_tmp_t:file map;
+ fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
+ 
+ manage_dirs_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
+@@ -299,12 +312,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run
  files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file })
  
  kernel_read_kernel_sysctls(postgresql_t)
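Review bot: `allow postgresql_t postgresql_tmp_t:file map;` lands between `files_tmp_filetrans(...)` and `fs_tmpfs_filetrans(...)`, which splits the two type-transition rules for `postgresql_tmp_t`. Moving it directly under the `manage_*_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)` lines keeps the access rules in one group and the transitions in another. Since both transitions create `postgresql_tmp_t`, the rule covers files under the tmp directory and on tmpfs alike. A one-line comment naming the denial that prompted it would help a later reviewer decide whether both are intended.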
@@ -27196,7 +27620,7 @@ index 03061349c..bb5f3dd51 100644
  corenet_all_recvfrom_netlabel(postgresql_t)
  corenet_tcp_sendrecv_generic_if(postgresql_t)
  corenet_udp_sendrecv_generic_if(postgresql_t)
-@@ -342,8 +354,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
+@@ -342,8 +355,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
  domain_use_interactive_fds(postgresql_t)
  
  files_dontaudit_search_home(postgresql_t)
@@ -27206,7 +27630,7 @@ index 03061349c..bb5f3dd51 100644
  files_read_etc_runtime_files(postgresql_t)
  files_read_usr_files(postgresql_t)
  
-@@ -354,20 +365,28 @@ init_read_utmp(postgresql_t)
+@@ -354,20 +366,28 @@ init_read_utmp(postgresql_t)
  logging_send_syslog_msg(postgresql_t)
  logging_send_audit_msgs(postgresql_t)
  
@@ -27238,7 +27662,7 @@ index 03061349c..bb5f3dd51 100644
  	allow postgresql_t self:process execmem;
  ')
  
-@@ -485,10 +504,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
+@@ -485,10 +505,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
  # It is always allowed to operate temporary objects for any database client.
  allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
  
@@ -27295,7 +27719,7 @@ index 03061349c..bb5f3dd51 100644
  	allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
  ')
  
-@@ -536,7 +597,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
+@@ -536,7 +598,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
  
  kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
  
@@ -27304,7 +27728,7 @@ index 03061349c..bb5f3dd51 100644
  	allow sepgsql_admin_type sepgsql_database_type:db_database *;
  
  	allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
-@@ -589,3 +650,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
+@@ -589,3 +651,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
  allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
  
  kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
@@ -41373,7 +41797,7 @@ index 6b917403e..772411608 100644
 +
 +/var/run/storaged(/.*)?   gen_context(system_u:object_r:lvm_var_run_t,s0)
 diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
-index 58bc27f22..842ce28c4 100644
+index 58bc27f22..90f567300 100644
 --- a/policy/modules/system/lvm.if
 +++ b/policy/modules/system/lvm.if
 @@ -1,5 +1,41 @@
@@ -41609,7 +42033,7 @@ index 58bc27f22..842ce28c4 100644
 +		type lvm_var_run_t;
 +	')
 +
-+	allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
++	allow $1 lvm_var_run_t:fifo_file rw_fifo_file_perms;
 +')
 +
 +########################################
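Review bot: Replacing `rw_inherited_fifo_file_perms` with `rw_fifo_file_perms` adds `open` on `lvm_var_run_t` FIFOs for every caller of this interface, so callers are no longer limited to descriptors they inherited. The changelog entry for this release ("Allow couple map rules") does not mention this widening. The interface's name and summary are outside the hunk, so it cannot be checked here whether they still describe inherited-only access. If only one domain needs to open the FIFO, I would leave this interface as it was and add a separate one for the open case; otherwise update the summary and record the reason in the changelog.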
@@ -43812,7 +44236,7 @@ index d43f3b194..c5053dbbd 100644
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 38220721d..0395f4810 100644
+index 38220721d..abac74231 100644
 --- a/policy/modules/system/selinuxutil.if
 +++ b/policy/modules/system/selinuxutil.if
 @@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',`
@@ -44364,7 +44788,7 @@ index 38220721d..0395f4810 100644
  ##	Execute semanage in the semanage domain, and
  ##	allow the specified role the semanage domain,
  ##	and use the caller's terminal.
-@@ -1017,11 +1407,105 @@ interface(`seutil_domtrans_semanage',`
+@@ -1017,11 +1407,125 @@ interface(`seutil_domtrans_semanage',`
  #
  interface(`seutil_run_semanage',`
  	gen_require(`
@@ -44453,6 +44877,26 @@ index 38220721d..0395f4810 100644
 +	read_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
 +')
 +
++########################################
++## <summary>
++##	Dontaudit read selinux module store
++##	module store.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`seutil_dontaudit_read_module_store',`
++	gen_require(`
++		type semanage_store_t;
++	')
++
++dontaudit $1 semanage_store_t:dir list_dir_perms;
++dontaudit $1 semanage_store_t:file read_file_perms;
++')
++
 +#######################################
 +## <summary>
 +##	Dontaudit access check on module store
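Review bot: The new `seutil_dontaudit_read_module_store` interface has three small defects. The summary repeats itself ("read selinux module store / module store."), the parameter text says `Domain allowed access.` although the interface only silences denials, and the two `dontaudit` lines are not indented like the `gen_require` block above them. I would use `##	Do not audit attempts to read the SELinux module store.` for the summary and `##	Domain to not audit.` for the parameter, and tab-indent both rules. Because dontaudit rules keep the denial out of the audit log, the header should be accurate for anyone later working out why no AVC appears for `semanage_store_t`.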
@@ -44472,7 +44916,7 @@ index 38220721d..0395f4810 100644
  ')
  
  ########################################
-@@ -1041,9 +1525,15 @@ interface(`seutil_manage_module_store',`
+@@ -1041,9 +1545,15 @@ interface(`seutil_manage_module_store',`
  	')
  
  	files_search_etc($1)
@@ -44488,7 +44932,7 @@ index 38220721d..0395f4810 100644
  ')
  
  #######################################
-@@ -1067,6 +1557,24 @@ interface(`seutil_get_semanage_read_lock',`
+@@ -1067,6 +1577,24 @@ interface(`seutil_get_semanage_read_lock',`
  
  #######################################
  ## <summary>
@@ -44513,7 +44957,7 @@ index 38220721d..0395f4810 100644
  ##	Get trans lock on module store
  ## </summary>
  ## <param name="domain">
-@@ -1137,3 +1645,121 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1137,3 +1665,121 @@ interface(`seutil_dontaudit_libselinux_linked',`
  	selinux_dontaudit_get_fs_mount($1)
  	seutil_dontaudit_read_config($1)
  ')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 6295178..b27035a 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -108616,10 +108616,10 @@ index 000000000..a6e216c73
 +
 diff --git a/targetd.te b/targetd.te
 new file mode 100644
-index 000000000..4cc8557fc
+index 000000000..681ec9f67
 --- /dev/null
 +++ b/targetd.te
-@@ -0,0 +1,91 @@
+@@ -0,0 +1,101 @@
 +policy_module(targetd, 1.0.0)
 +
 +########################################
@@ -108646,7 +108646,7 @@ index 000000000..4cc8557fc
 +allow targetd_t self:fifo_file rw_fifo_file_perms;
 +allow targetd_t self:unix_stream_socket create_stream_socket_perms;
 +allow targetd_t self:unix_dgram_socket create_socket_perms;
-+allow targetd_t self:tcp_socket listen;
++allow targetd_t self:tcp_socket { accept listen };
 +allow targetd_t self:netlink_route_socket r_netlink_socket_perms;
 +allow targetd_t self:process { setfscreate setsched };
 +
@@ -108654,6 +108654,8 @@ index 000000000..4cc8557fc
 +manage_files_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t)
 +files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file })
 +
++files_rw_isid_type_dirs(targetd_t)
++
 +fs_getattr_xattr_fs(targetd_t)
 +fs_manage_configfs_files(targetd_t)
 +fs_manage_configfs_lnk_files(targetd_t)
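Review bot: `files_rw_isid_type_dirs(targetd_t)` is added without a comment. Judging by its name it gives targetd_t read/write on directories that carry an initial-SID (unlabeled) type; confirm this against the interface definition, which is not in this hunk. targetd_t already has `kernel_load_module` and `storage_raw_read_fixed_disk` in this file, so further access to unlabeled content deserves a stated reason. If the denial came from a directory that simply lacks a file context, labelling that path is the narrower fix. Otherwise add a comment above the call such as `# <path> is created unlabeled by <component>`, with the placeholders filled in from the AVC.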
@@ -108665,6 +108667,8 @@ index 000000000..4cc8557fc
 +kernel_read_system_state(targetd_t)
 +kernel_read_network_state(targetd_t)
 +kernel_load_module(targetd_t)
++kernel_request_load_module(targetd_t)
++kernel_dgram_send(targetd_t)
 +
 +rpc_read_exports(targetd_t)
 +
@@ -108685,6 +108689,8 @@ index 000000000..4cc8557fc
 +
 +libs_exec_ldconfig(targetd_t)
 +
++seutil_dontaudit_read_module_store(targetd_t)
++
 +storage_raw_read_fixed_disk(targetd_t)
 +storage_raw_read_removable_device(targetd_t)
 +
@@ -108708,6 +108714,10 @@ index 000000000..4cc8557fc
 +')
 +
 +optional_policy(`
++    rpm_dontaudit_read_db(targetd_t)
++')
++
++optional_policy(`
 +   udev_read_pid_files(targetd_t)
 +')
 +
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8445df7..56debab 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 275%{?dist}
+Release: 276%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -681,6 +681,9 @@ exit 0
 %endif
 
 %changelog
+* Sat Aug 26 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-276
+- Allow couple map rules
+
 * Wed Aug 23 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-275
 - Make confined users working
 - Allow ipmievd_t domain to load kernel modules