-##
@@ -12785,105 +12900,6 @@ index 64ff4d7..90999af 100644
##
-##
+#
-+interface(`files_search_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ search_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search generic
-+## spool directories.
-+##
-+##
- ##
--## The type of the object to be created.
-+## Domain to not audit.
- ##
- ##
--##
-+#
-+interface(`files_dontaudit_search_spool',`
-+ gen_require(`
-+ type var_spool_t;
-+ ')
-+
-+ dontaudit $1 var_spool_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## List the contents of generic spool
-+## (/var/spool) directories.
-+##
-+##
- ##
--## The object class of the object being created.
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_list_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ list_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete generic
-+## spool directories (/var/spool).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_generic_spool_dirs',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Read generic spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_generic_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ list_dirs_pattern($1, var_t, var_spool_t)
-+ read_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete generic
-+## spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+interface(`files_manage_generic_spool',`
+ gen_require(`
+ type var_t, var_spool_t;
@@ -12899,12 +12915,15 @@ index 64ff4d7..90999af 100644
+## with a private type with a type transition.
+##
+##
-+##
+ ##
+-## The type of the object to be created.
+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+-##
+##
-+##
+ ##
+-## The object class of the object being created.
+## Type to which the created node will be transitioned.
+##
+##
@@ -13099,7 +13118,7 @@ index 64ff4d7..90999af 100644
##
##
##
-@@ -6159,20 +7813,18 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6159,20 +7831,18 @@ interface(`files_pid_filetrans_lock_dir',`
##
##
#
@@ -13125,7 +13144,7 @@ index 64ff4d7..90999af 100644
##
##
##
-@@ -6180,19 +7832,17 @@ interface(`files_rw_generic_pids',`
+@@ -6180,19 +7850,17 @@ interface(`files_rw_generic_pids',`
##
##
#
@@ -13149,7 +13168,7 @@ index 64ff4d7..90999af 100644
##
##
##
-@@ -6200,18 +7850,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+@@ -6200,18 +7868,17 @@ interface(`files_dontaudit_getattr_all_pids',`
##
##
#
@@ -13172,7 +13191,7 @@ index 64ff4d7..90999af 100644
##
##
##
-@@ -6219,41 +7868,43 @@ interface(`files_dontaudit_write_all_pids',`
+@@ -6219,41 +7886,43 @@ interface(`files_dontaudit_write_all_pids',`
##
##
#
@@ -13230,7 +13249,7 @@ index 64ff4d7..90999af 100644
##
##
##
-@@ -6262,67 +7913,55 @@ interface(`files_read_all_pids',`
+@@ -6262,67 +7931,55 @@ interface(`files_read_all_pids',`
##
##
#
@@ -13315,7 +13334,7 @@ index 64ff4d7..90999af 100644
##
##
##
-@@ -6330,37 +7969,37 @@ interface(`files_manage_all_pids',`
+@@ -6330,37 +7987,37 @@ interface(`files_manage_all_pids',`
##
##
#
@@ -13364,7 +13383,7 @@ index 64ff4d7..90999af 100644
##
##
##
-@@ -6368,186 +8007,169 @@ interface(`files_search_spool',`
+@@ -6368,186 +8025,169 @@ interface(`files_search_spool',`
##
##
#
@@ -13631,7 +13650,7 @@ index 64ff4d7..90999af 100644
##
##
##
-@@ -6555,10 +8177,11 @@ interface(`files_polyinstantiate_all',`
+@@ -6555,10 +8195,11 @@ interface(`files_polyinstantiate_all',`
##
##
#
@@ -31807,7 +31826,7 @@ index e8c59a5..ea56d23 100644
')
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 9fe8e01..06fa481 100644
+index 9fe8e01..fa82aac 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -9,11 +9,13 @@ ifdef(`distro_gentoo',`
@@ -31826,7 +31845,7 @@ index 9fe8e01..06fa481 100644
ifdef(`distro_redhat',`
/etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0)
-@@ -37,11 +39,6 @@ ifdef(`distro_redhat',`
+@@ -37,14 +39,10 @@ ifdef(`distro_redhat',`
/usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)
@@ -31838,7 +31857,19 @@ index 9fe8e01..06fa481 100644
/usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
-@@ -77,7 +74,7 @@ ifdef(`distro_redhat',`
++/usr/share/pki/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
+ /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+ /usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+ /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+@@ -53,6 +51,7 @@ ifdef(`distro_redhat',`
+ /usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
+ /usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)
+
++/usr/share/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
+ /usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0)
+ /usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0)
+
+@@ -77,7 +76,7 @@ ifdef(`distro_redhat',`
/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
@@ -31847,7 +31878,7 @@ index 9fe8e01..06fa481 100644
/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
-@@ -90,6 +87,7 @@ ifdef(`distro_debian',`
+@@ -90,6 +89,7 @@ ifdef(`distro_debian',`
')
ifdef(`distro_redhat',`
@@ -34692,10 +34723,10 @@ index 1447687..d5e6fb9 100644
seutil_read_config(setrans_t)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 346a7cc..2fa1253 100644
+index 346a7cc..b44bb0c 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
-@@ -17,14 +17,15 @@ ifdef(`distro_debian',`
+@@ -17,16 +17,17 @@ ifdef(`distro_debian',`
/etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
@@ -34712,8 +34743,11 @@ index 346a7cc..2fa1253 100644
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/ntp\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
+-/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
++/etc/dhcp3?(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
+
+ ifdef(`distro_redhat',`
@@ -55,6 +56,20 @@ ifdef(`distro_redhat',`
#
# /usr
@@ -35417,12 +35451,29 @@ index 0000000..4e12420
+/var/run/initramfs(/.*)? <>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..fc080a1
+index 0000000..ab20e2f
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1064 @@
+@@ -0,0 +1,1081 @@
+## SELinux policy for systemd components
+
++######################################
++##
++## Create a domain for processes which are started
++## exuting systemctl.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_stub_unit_file',`
++ gen_require(`
++ type systemd_unit_file_t;
++ ')
++')
++
+#######################################
+##
+## Create a domain for processes which are started
@@ -36487,7 +36538,7 @@ index 0000000..fc080a1
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..60e3e89
+index 0000000..4d56107
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,641 @@
@@ -36970,7 +37021,7 @@ index 0000000..60e3e89
+
+userdom_dbus_send_all_users(systemd_localed_t)
+
-+xserver_read_config(systemd_localed_t)
++xserver_manage_config(systemd_localed_t)
+
+optional_policy(`
+ dbus_connect_system_bus(systemd_localed_t)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index ff0cb24..fe16da6 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -516,7 +516,7 @@ index 058d908..702b716 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index cc43d25..304203f 100644
+index cc43d25..0842350 100644
--- a/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
@@ -935,7 +935,7 @@ index cc43d25..304203f 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,30 +406,37 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,30 +406,38 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -947,6 +947,7 @@ index cc43d25..304203f 100644
+optional_policy(`
+ mock_domtrans(abrt_retrace_worker_t)
++ mock_manage_lib_files(abrt_t)
+')
+
########################################
@@ -976,7 +977,7 @@ index cc43d25..304203f 100644
kernel_read_kernel_sysctls(abrt_dump_oops_t)
kernel_read_ring_buffer(abrt_dump_oops_t)
-@@ -384,14 +445,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
+@@ -384,14 +446,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
fs_list_inotifyfs(abrt_dump_oops_t)
logging_read_generic_logs(abrt_dump_oops_t)
@@ -994,7 +995,7 @@ index cc43d25..304203f 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -400,16 +462,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +463,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@@ -9740,10 +9741,10 @@ index 2354e21..bec6c06 100644
+ ')
+')
diff --git a/certwatch.te b/certwatch.te
-index 403af41..7c0b1be 100644
+index 403af41..68a5e26 100644
--- a/certwatch.te
+++ b/certwatch.te
-@@ -21,25 +21,26 @@ role certwatch_roles types certwatch_t;
+@@ -21,27 +21,29 @@ role certwatch_roles types certwatch_t;
allow certwatch_t self:capability sys_nice;
allow certwatch_t self:process { setsched getsched };
@@ -9774,7 +9775,10 @@ index 403af41..7c0b1be 100644
+userdom_dontaudit_list_admin_dir(certwatch_t)
optional_policy(`
++ apache_exec(certwatch_t)
apache_exec_modules(certwatch_t)
+ apache_read_config(certwatch_t)
+ ')
diff --git a/cfengine.if b/cfengine.if
index a731122..5279d4e 100644
--- a/cfengine.if
@@ -9933,7 +9937,7 @@ index 85ca63f..1d1c99c 100644
admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
files_list_etc($1)
diff --git a/cgroup.te b/cgroup.te
-index fdee107..eb7a3ac 100644
+index fdee107..7a38b63 100644
--- a/cgroup.te
+++ b/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@@ -9979,10 +9983,10 @@ index fdee107..eb7a3ac 100644
#
# cgred local policy
#
++allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
++allow cgred_t self:process signal_perms;
-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
-+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
-+
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
@@ -16021,7 +16025,7 @@ index 06da9a0..ca832e1 100644
+ ps_process_pattern($1, cupsd_t)
')
diff --git a/cups.te b/cups.te
-index 9f34c2e..45fe9a0 100644
+index 9f34c2e..3b03f21 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@@ -16243,7 +16247,7 @@ index 9f34c2e..45fe9a0 100644
files_exec_usr_files(cupsd_t)
# for /var/lib/defoma
files_read_var_lib_files(cupsd_t)
-@@ -215,16 +246,16 @@ files_read_world_readable_files(cupsd_t)
+@@ -215,16 +246,17 @@ files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
files_read_var_files(cupsd_t)
files_read_var_symlinks(cupsd_t)
@@ -16259,10 +16263,11 @@ index 9f34c2e..45fe9a0 100644
fs_search_fusefs(cupsd_t)
fs_read_anon_inodefs_files(cupsd_t)
+fs_rw_anon_inodefs_files(cupsd_t)
++fs_rw_inherited_tmpfs_files(cupsd_t)
mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
-@@ -235,6 +266,8 @@ mls_socket_write_all_levels(cupsd_t)
+@@ -235,6 +267,8 @@ mls_socket_write_all_levels(cupsd_t)
term_search_ptys(cupsd_t)
term_use_unallocated_ttys(cupsd_t)
@@ -16271,7 +16276,7 @@ index 9f34c2e..45fe9a0 100644
selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t)
-@@ -247,21 +280,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -247,21 +281,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
@@ -16297,7 +16302,7 @@ index 9f34c2e..45fe9a0 100644
userdom_dontaudit_search_user_home_content(cupsd_t)
optional_policy(`
-@@ -275,6 +307,8 @@ optional_policy(`
+@@ -275,6 +308,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
@@ -16306,7 +16311,7 @@ index 9f34c2e..45fe9a0 100644
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
-@@ -285,8 +319,10 @@ optional_policy(`
+@@ -285,8 +320,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
@@ -16317,7 +16322,7 @@ index 9f34c2e..45fe9a0 100644
')
')
-@@ -299,8 +335,8 @@ optional_policy(`
+@@ -299,8 +336,8 @@ optional_policy(`
')
optional_policy(`
@@ -16327,7 +16332,7 @@ index 9f34c2e..45fe9a0 100644
')
optional_policy(`
-@@ -309,7 +345,6 @@ optional_policy(`
+@@ -309,7 +346,6 @@ optional_policy(`
optional_policy(`
lpd_exec_lpr(cupsd_t)
@@ -16335,7 +16340,7 @@ index 9f34c2e..45fe9a0 100644
lpd_read_config(cupsd_t)
lpd_relabel_spool(cupsd_t)
')
-@@ -337,7 +372,7 @@ optional_policy(`
+@@ -337,7 +373,7 @@ optional_policy(`
')
optional_policy(`
@@ -16344,7 +16349,7 @@ index 9f34c2e..45fe9a0 100644
')
########################################
-@@ -345,11 +380,9 @@ optional_policy(`
+@@ -345,11 +381,9 @@ optional_policy(`
# Configuration daemon local policy
#
@@ -16358,7 +16363,7 @@ index 9f34c2e..45fe9a0 100644
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -375,18 +408,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -375,18 +409,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
@@ -16378,7 +16383,7 @@ index 9f34c2e..45fe9a0 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -395,20 +425,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -395,20 +426,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
@@ -16399,7 +16404,7 @@ index 9f34c2e..45fe9a0 100644
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
-@@ -420,11 +442,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -420,11 +443,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@@ -16411,7 +16416,7 @@ index 9f34c2e..45fe9a0 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
-@@ -452,9 +469,12 @@ optional_policy(`
+@@ -452,9 +470,12 @@ optional_policy(`
')
optional_policy(`
@@ -16425,7 +16430,7 @@ index 9f34c2e..45fe9a0 100644
')
optional_policy(`
-@@ -490,10 +510,6 @@ optional_policy(`
+@@ -490,10 +511,6 @@ optional_policy(`
# Lpd local policy
#
@@ -16436,7 +16441,7 @@ index 9f34c2e..45fe9a0 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -511,31 +527,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -511,31 +528,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
@@ -16469,7 +16474,7 @@ index 9f34c2e..45fe9a0 100644
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
-@@ -546,7 +553,6 @@ optional_policy(`
+@@ -546,7 +554,6 @@ optional_policy(`
#
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -16477,7 +16482,7 @@ index 9f34c2e..45fe9a0 100644
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -562,17 +568,8 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -562,17 +569,8 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@@ -16495,7 +16500,7 @@ index 9f34c2e..45fe9a0 100644
userdom_manage_user_home_content_dirs(cups_pdf_t)
userdom_manage_user_home_content_files(cups_pdf_t)
userdom_home_filetrans_user_home_dir(cups_pdf_t)
-@@ -582,128 +579,12 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -582,128 +580,12 @@ tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(cups_pdf_t)
')
@@ -16626,7 +16631,7 @@ index 9f34c2e..45fe9a0 100644
########################################
#
-@@ -731,7 +612,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -731,7 +613,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -16634,7 +16639,7 @@ index 9f34c2e..45fe9a0 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -741,13 +621,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -741,13 +622,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
@@ -16648,7 +16653,7 @@ index 9f34c2e..45fe9a0 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
-@@ -755,8 +633,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -755,8 +634,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@@ -19296,7 +19301,7 @@ index 0000000..332a1c9
+')
diff --git a/dirsrv-admin.te b/dirsrv-admin.te
new file mode 100644
-index 0000000..a3d076f
+index 0000000..ab083cf
--- /dev/null
+++ b/dirsrv-admin.te
@@ -0,0 +1,144 @@
@@ -19334,7 +19339,7 @@ index 0000000..a3d076f
+#
+allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };
-+allow dirsrvadmin_t self:process setrlimit;
++allow dirsrvadmin_t self:process { setrlimit signal_perms };
+
+manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
@@ -23081,7 +23086,7 @@ index d062080..e098a40 100644
ftp_run_ftpdctl($1, $2)
')
diff --git a/ftp.te b/ftp.te
-index e50f33c..2f7de33 100644
+index e50f33c..5e6cdb8 100644
--- a/ftp.te
+++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1)
@@ -23102,16 +23107,23 @@ index e50f33c..2f7de33 100644
##
##
-@@ -30,7 +30,7 @@ gen_tunable(allow_ftpd_full_access, false)
+@@ -30,7 +30,14 @@ gen_tunable(allow_ftpd_full_access, false)
## used for public file transfer services.
##
##
-gen_tunable(allow_ftpd_use_cifs, false)
+gen_tunable(ftpd_use_cifs, false)
++
++##
++##
++## Allow samba to export ntfs/fusefs volumes.
++##
++##
++gen_tunable(ftpd_use_fusefs, false)
##
##
-@@ -38,7 +38,7 @@ gen_tunable(allow_ftpd_use_cifs, false)
+@@ -38,7 +45,7 @@ gen_tunable(allow_ftpd_use_cifs, false)
## used for public file transfer services.
##
##
@@ -23120,7 +23132,7 @@ index e50f33c..2f7de33 100644
##
##
-@@ -124,6 +124,9 @@ files_config_file(ftpd_etc_t)
+@@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t)
type ftpd_initrc_exec_t;
init_script_file(ftpd_initrc_exec_t)
@@ -23130,7 +23142,7 @@ index e50f33c..2f7de33 100644
type ftpd_lock_t;
files_lock_file(ftpd_lock_t)
-@@ -179,6 +182,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms;
+@@ -179,6 +189,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms;
allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
@@ -23140,7 +23152,7 @@ index e50f33c..2f7de33 100644
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -201,14 +207,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
+@@ -201,14 +214,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
kernel_read_kernel_sysctls(ftpd_t)
kernel_read_system_state(ftpd_t)
@@ -23156,7 +23168,7 @@ index e50f33c..2f7de33 100644
corenet_all_recvfrom_netlabel(ftpd_t)
corenet_tcp_sendrecv_generic_if(ftpd_t)
corenet_udp_sendrecv_generic_if(ftpd_t)
-@@ -224,9 +229,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
+@@ -224,9 +236,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
corenet_sendrecv_ftp_data_server_packets(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
@@ -23170,7 +23182,7 @@ index e50f33c..2f7de33 100644
files_read_etc_runtime_files(ftpd_t)
files_search_var_lib(ftpd_t)
-@@ -245,7 +253,6 @@ logging_send_audit_msgs(ftpd_t)
+@@ -245,7 +260,6 @@ logging_send_audit_msgs(ftpd_t)
logging_send_syslog_msg(ftpd_t)
logging_set_loginuid(ftpd_t)
@@ -23178,7 +23190,7 @@ index e50f33c..2f7de33 100644
miscfiles_read_public_files(ftpd_t)
seutil_dontaudit_search_config(ftpd_t)
-@@ -254,32 +261,42 @@ sysnet_use_ldap(ftpd_t)
+@@ -254,32 +268,49 @@ sysnet_use_ldap(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
userdom_dontaudit_search_user_home_dirs(ftpd_t)
@@ -23201,6 +23213,13 @@ index e50f33c..2f7de33 100644
')
-tunable_policy(`allow_ftpd_use_nfs',`
++tunable_policy(`ftpd_use_fusefs',`
++ fs_manage_fusefs_dirs(ftpd_t)
++ fs_manage_fusefs_files(ftpd_t)
++',`
++ fs_search_fusefs(ftpd_t)
++')
++
+tunable_policy(`ftpd_use_nfs',`
fs_read_nfs_files(ftpd_t)
fs_read_nfs_symlinks(ftpd_t)
@@ -23228,7 +23247,7 @@ index e50f33c..2f7de33 100644
')
tunable_policy(`ftpd_use_passive_mode',`
-@@ -299,9 +316,9 @@ tunable_policy(`ftpd_connect_db',`
+@@ -299,9 +330,9 @@ tunable_policy(`ftpd_connect_db',`
corenet_sendrecv_mssql_client_packets(ftpd_t)
corenet_tcp_connect_mssql_port(ftpd_t)
corenet_tcp_sendrecv_mssql_port(ftpd_t)
@@ -23241,7 +23260,7 @@ index e50f33c..2f7de33 100644
')
tunable_policy(`ftp_home_dir',`
-@@ -309,12 +326,9 @@ tunable_policy(`ftp_home_dir',`
+@@ -309,12 +340,9 @@ tunable_policy(`ftp_home_dir',`
userdom_manage_user_home_content_dirs(ftpd_t)
userdom_manage_user_home_content_files(ftpd_t)
@@ -23254,7 +23273,7 @@ index e50f33c..2f7de33 100644
userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
')
-@@ -360,7 +374,7 @@ optional_policy(`
+@@ -360,7 +388,7 @@ optional_policy(`
selinux_validate_context(ftpd_t)
kerberos_keytab_template(ftpd, ftpd_t)
@@ -23263,7 +23282,7 @@ index e50f33c..2f7de33 100644
')
optional_policy(`
-@@ -410,21 +424,20 @@ optional_policy(`
+@@ -410,21 +438,20 @@ optional_policy(`
#
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -23287,7 +23306,7 @@ index e50f33c..2f7de33 100644
miscfiles_read_public_files(anon_sftpd_t)
-@@ -437,23 +450,34 @@ tunable_policy(`sftpd_anon_write',`
+@@ -437,23 +464,34 @@ tunable_policy(`sftpd_anon_write',`
# Sftpd local policy
#
@@ -23328,7 +23347,7 @@ index e50f33c..2f7de33 100644
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -475,21 +499,11 @@ tunable_policy(`sftpd_anon_write',`
+@@ -475,21 +513,11 @@ tunable_policy(`sftpd_anon_write',`
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
@@ -36788,7 +36807,7 @@ index 6194b80..648d041 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..4c1c064 100644
+index 6a306ee..8faac8d 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -37047,10 +37066,10 @@ index 6a306ee..4c1c064 100644
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
--
--userdom_write_user_tmp_sockets(mozilla_t)
+userdom_use_inherited_user_ptys(mozilla_t)
+-userdom_write_user_tmp_sockets(mozilla_t)
+-
-mozilla_run_plugin(mozilla_t, mozilla_roles)
-mozilla_run_plugin_config(mozilla_t, mozilla_roles)
+#mozilla_run_plugin(mozilla_t, mozilla_roles)
@@ -37213,7 +37232,7 @@ index 6a306ee..4c1c064 100644
')
optional_policy(`
-@@ -300,221 +308,171 @@ optional_policy(`
+@@ -300,221 +308,173 @@ optional_policy(`
########################################
#
@@ -37468,7 +37487,8 @@ index 6a306ee..4c1c064 100644
-userdom_manage_user_home_content_dirs(mozilla_plugin_t)
-userdom_manage_user_home_content_files(mozilla_plugin_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
--
++systemd_read_logind_sessions_files(mozilla_plugin_t)
+
-userdom_write_user_tmp_sockets(mozilla_plugin_t)
+term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
@@ -37528,7 +37548,7 @@ index 6a306ee..4c1c064 100644
')
optional_policy(`
-@@ -523,36 +481,47 @@ optional_policy(`
+@@ -523,36 +483,47 @@ optional_policy(`
')
optional_policy(`
@@ -37589,7 +37609,7 @@ index 6a306ee..4c1c064 100644
')
optional_policy(`
-@@ -560,7 +529,7 @@ optional_policy(`
+@@ -560,7 +531,7 @@ optional_policy(`
')
optional_policy(`
@@ -37598,7 +37618,7 @@ index 6a306ee..4c1c064 100644
')
optional_policy(`
-@@ -568,108 +537,108 @@ optional_policy(`
+@@ -568,108 +539,108 @@ optional_policy(`
')
optional_policy(`
@@ -43275,7 +43295,7 @@ index 46e55c3..346242e 100644
+ allow $1 nis_unit_file_t:service all_service_perms;
')
diff --git a/nis.te b/nis.te
-index 3e4a31c..0d16edc 100644
+index 3e4a31c..bd8e3ff 100644
--- a/nis.te
+++ b/nis.te
@@ -1,12 +1,10 @@
@@ -43465,7 +43485,7 @@ index 3e4a31c..0d16edc 100644
sysnet_read_config(yppasswdd_t)
-@@ -219,6 +215,10 @@ optional_policy(`
+@@ -219,6 +215,14 @@ optional_policy(`
')
optional_policy(`
@@ -43473,10 +43493,14 @@ index 3e4a31c..0d16edc 100644
+')
+
+optional_policy(`
++ nis_use_ypbind(yppasswdd_t)
++')
++
++optional_policy(`
seutil_sigchld_newrole(yppasswdd_t)
')
-@@ -234,7 +234,8 @@ optional_policy(`
+@@ -234,7 +238,8 @@ optional_policy(`
dontaudit ypserv_t self:capability sys_tty_config;
allow ypserv_t self:fifo_file rw_fifo_file_perms;
allow ypserv_t self:process signal_perms;
@@ -43486,7 +43510,7 @@ index 3e4a31c..0d16edc 100644
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
allow ypserv_t self:tcp_socket connected_stream_socket_perms;
allow ypserv_t self:udp_socket create_socket_perms;
-@@ -254,7 +255,6 @@ kernel_read_kernel_sysctls(ypserv_t)
+@@ -254,7 +259,6 @@ kernel_read_kernel_sysctls(ypserv_t)
kernel_list_proc(ypserv_t)
kernel_read_proc_symlinks(ypserv_t)
@@ -43494,7 +43518,7 @@ index 3e4a31c..0d16edc 100644
corenet_all_recvfrom_netlabel(ypserv_t)
corenet_tcp_sendrecv_generic_if(ypserv_t)
corenet_udp_sendrecv_generic_if(ypserv_t)
-@@ -264,31 +264,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t)
+@@ -264,31 +268,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t)
corenet_udp_sendrecv_all_ports(ypserv_t)
corenet_tcp_bind_generic_node(ypserv_t)
corenet_udp_bind_generic_node(ypserv_t)
@@ -43532,7 +43556,7 @@ index 3e4a31c..0d16edc 100644
nis_domtrans_ypxfr(ypserv_t)
-@@ -310,8 +306,8 @@ optional_policy(`
+@@ -310,8 +310,8 @@ optional_policy(`
# ypxfr local policy
#
@@ -43543,7 +43567,7 @@ index 3e4a31c..0d16edc 100644
allow ypxfr_t self:tcp_socket create_stream_socket_perms;
allow ypxfr_t self:udp_socket create_socket_perms;
allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -326,7 +322,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
+@@ -326,7 +326,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
@@ -43551,7 +43575,7 @@ index 3e4a31c..0d16edc 100644
corenet_all_recvfrom_netlabel(ypxfr_t)
corenet_tcp_sendrecv_generic_if(ypxfr_t)
corenet_udp_sendrecv_generic_if(ypxfr_t)
-@@ -336,23 +331,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t)
+@@ -336,23 +335,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t)
corenet_udp_sendrecv_all_ports(ypxfr_t)
corenet_tcp_bind_generic_node(ypxfr_t)
corenet_udp_bind_generic_node(ypxfr_t)
@@ -48201,10 +48225,10 @@ index 0000000..407386d
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..45e60e5
+index 0000000..894ce1c
--- /dev/null
+++ b/openshift.te
-@@ -0,0 +1,526 @@
+@@ -0,0 +1,530 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -48728,6 +48752,10 @@ index 0000000..45e60e5
+')
+
+optional_policy(`
++ quota_read_db(openshift_cron_t)
++')
++
++optional_policy(`
+ ssh_exec_keygen(openshift_cron_t)
+ ssh_dontaudit_read_server_keys(openshift_cron_t)
+')
@@ -81326,10 +81354,10 @@ index 0000000..bfcd2c7
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..aaf768a
+index 0000000..49cd645
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,137 @@
+@@ -0,0 +1,138 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -81424,6 +81452,7 @@ index 0000000..aaf768a
+userdom_dontaudit_setattr_user_tmp(thumb_t)
+userdom_read_user_tmp_files(thumb_t)
+userdom_read_user_home_content_files(thumb_t)
++userdom_exec_user_home_content_files(thumb_t)
+userdom_write_user_tmp_files(thumb_t)
+userdom_read_home_audio_files(thumb_t)
+userdom_home_reader(thumb_t)
@@ -82357,7 +82386,7 @@ index e29db63..061fb98 100644
domain_system_change_exemption($1)
role_transition $2 tuned_initrc_exec_t system_r;
diff --git a/tuned.te b/tuned.te
-index 7116181..0bd0be9 100644
+index 7116181..7a80e6d 100644
--- a/tuned.te
+++ b/tuned.te
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -82370,9 +82399,12 @@ index 7116181..0bd0be9 100644
type tuned_var_run_t;
files_pid_file(tuned_var_run_t)
-@@ -31,8 +34,10 @@ files_pid_file(tuned_var_run_t)
+@@ -29,10 +32,12 @@ files_pid_file(tuned_var_run_t)
+ # Local policy
+ #
- allow tuned_t self:capability { sys_admin sys_nice };
+-allow tuned_t self:capability { sys_admin sys_nice };
++allow tuned_t self:capability { sys_admin sys_nice sys_rawio };
dontaudit tuned_t self:capability { dac_override sys_tty_config };
-allow tuned_t self:process { setsched signal };
+allow tuned_t self:process { setsched signal };
@@ -85655,7 +85687,7 @@ index 9dec06c..b991ec7 100644
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..e780b1b 100644
+index 1f22fba..64e638c 100644
--- a/virt.te
+++ b/virt.te
@@ -1,94 +1,98 @@
@@ -86524,7 +86556,7 @@ index 1f22fba..e780b1b 100644
+# virtual domains common policy
+#
+allow virt_domain self:capability2 compromise_kernel;
-+allow virt_domain self:process { setrlimit signal_perms getsched };
++allow virt_domain self:process { setrlimit signal_perms getsched setsched };
+allow virt_domain self:fifo_file rw_fifo_file_perms;
+allow virt_domain self:shm create_shm_perms;
+allow virt_domain self:unix_stream_socket create_stream_socket_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b22aa16..2989464 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 23%{?dist}
+Release: 24%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -526,6 +526,28 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Mar 26 2013 Miroslav Grepl 3.12.1-24
+- Add labeling for /usr/share/pki
+- Allow programs that read var_run_t symlinks also read var_t symlinks
+- Add additional ports as mongod_port_t for 27018, 27019, 28017, 28018 and 28019 ports
+- Fix labeling for /etc/dhcp directory
+- add missing systemd_stub_unit_file() interface
+- Add files_stub_var() interface
+- Add lables for cert_t directories
+- Make localectl set-x11-keymap working at all
+- Allow abrt to manage mock build environments to catch build problems.
+- Allow virt_domains to setsched for running gdb on itself
+- Allow thumb_t to execute user home content
+- Allow pulseaudio running as mozilla_plugin_t to read /run/systemd/users/1000
+- Allow certwatch to execut /usr/bin/httpd
+- Allow cgred to send signal perms to itself, needs back port to RHEL6
+- Allow openshift_cron_t to look at quota
+- Allow cups_t to read inhered tmpfs_t from the kernel
+- Allow yppasswdd to use NIS
+- Tuned wants sys_rawio capability
+- Add ftpd_use_fusefs boolean
+- Allow dirsrvadmin_t to signal itself
+
* Wed Mar 20 2013 Miroslav Grepl 3.12.1-23
- Allow localectl to read /etc/X11/xorg.conf.d directory
- Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors""