diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index f05841c..699d224 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5074,7 +5074,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..f678b45 100644
+index 4edc40d..fba95c8 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5250,7 +5250,7 @@ index 4edc40d..f678b45 100644
 -network_port(milter) # no defined portcon
 +network_port(milter, tcp, 8891, s0) # no defined portcon
  network_port(mmcc, tcp,5050,s0, udp,5050,s0)
-+network_port(mongod, tcp,27017,s0)
++network_port(mongod, tcp,27017-27019,s0, tcp, 28017-28019,s0)
  network_port(monopd, tcp,1234,s0)
  network_port(mountd, tcp,20048,s0, udp,20048,s0)
  network_port(movaz_ssc, tcp,5252,s0, udp,5252,s0)
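Review bot: The added `mongod` line labels six TCP ports in two ranges with no comment saying what each range serves, and its spacing (`tcp, 28017-28019`) differs from the first range and from the neighbouring entries. A port label applies to the whole range, so any domain the policy allows to bind or connect to the mongod port type gains all six ports; the second range in particular needs a stated reason (presumably the HTTP status listener 1000 above each service port, to be confirmed). I would write it as `network_port(mongod, tcp,27017-27019,s0, tcp,28017-28019,s0) # 2701x: service ports, 2801x: HTTP status`, with the comment adjusted to what the ranges really carry.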
@@ -8320,10 +8320,10 @@ index c2c6e05..96aeeef 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..90999af 100644
+index 64ff4d7..87c124c 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
-@@ -19,6 +19,119 @@
+@@ -19,6 +19,136 @@
  ##	Comains the file initial SID.
  ## </required>
  
@@ -8425,6 +8425,23 @@ index 64ff4d7..90999af 100644
 +
 +#####################################
 +## <summary>
++##  files stub var_run_t interface.  No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++##  <summary>
++##  Domain allowed access
++##  </summary>
++## </param>
++#
++interface(`files_stub_var',`
++    gen_require(`
++        type var_t;
++    ')
++')
++
++
++#####################################
++## <summary>
 +##  files stub tmp_t interface.  No access allowed.
 +## </summary>
 +## <param name="domain" unused="true">
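Review bot: The summary of the new `files_stub_var` interface says `var_run_t`, but the interface is named for and requires `var_t`, so the generated interface documentation describes the wrong type. The line should read `##  files stub var_t interface.  No access allowed.`. The parameter text `Domain allowed access` also sits oddly next to "No access allowed" on a parameter marked `unused="true"`. It looks copied from the neighbouring tmp_t stub, whose body continues outside this hunk.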
@@ -8443,7 +8460,7 @@ index 64ff4d7..90999af 100644
  ########################################
  ## <summary>
  ##	Make the specified type usable for files
-@@ -55,6 +168,7 @@
+@@ -55,6 +185,7 @@
  ##		<li>files_pid_file()</li>
  ##		<li>files_security_file()</li>
  ##		<li>files_security_mountpoint()</li>
@@ -8451,7 +8468,7 @@ index 64ff4d7..90999af 100644
  ##		<li>files_tmp_file()</li>
  ##		<li>files_tmpfs_file()</li>
  ##		<li>logging_log_file()</li>
-@@ -125,30 +239,31 @@ interface(`files_security_file',`
+@@ -125,30 +256,31 @@ interface(`files_security_file',`
  	typeattribute $1 file_type, security_file_type, non_auth_file_type;
  ')
  
@@ -8489,7 +8506,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="type">
  ##	<summary>
-@@ -156,33 +271,33 @@ interface(`files_lock_file',`
+@@ -156,33 +288,33 @@ interface(`files_lock_file',`
  ##	</summary>
  ## </param>
  #
@@ -8531,7 +8548,7 @@ index 64ff4d7..90999af 100644
  ')
  
  ########################################
-@@ -521,7 +636,7 @@ interface(`files_mounton_non_security',`
+@@ -521,7 +653,7 @@ interface(`files_mounton_non_security',`
  		attribute non_security_file_type;
  	')
  
@@ -8540,7 +8557,7 @@ index 64ff4d7..90999af 100644
  	allow $1 non_security_file_type:file mounton;
  ')
  
-@@ -620,6 +735,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
+@@ -620,6 +752,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
  
  ########################################
  ## <summary>
@@ -8604,7 +8621,7 @@ index 64ff4d7..90999af 100644
  ##	Read all files.
  ## </summary>
  ## <param name="domain">
-@@ -683,12 +855,82 @@ interface(`files_read_non_security_files',`
+@@ -683,12 +872,82 @@ interface(`files_read_non_security_files',`
  		attribute non_security_file_type;
  	')
  
@@ -8687,7 +8704,7 @@ index 64ff4d7..90999af 100644
  ##	Read all directories on the filesystem, except
  ##	the listed exceptions.
  ## </summary>
-@@ -953,6 +1195,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
+@@ -953,6 +1212,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
  
  ########################################
  ## <summary>
@@ -8713,7 +8730,7 @@ index 64ff4d7..90999af 100644
  ##	Get the attributes of all named sockets.
  ## </summary>
  ## <param name="domain">
-@@ -991,6 +1252,25 @@ interface(`files_dontaudit_getattr_all_sockets',`
+@@ -991,6 +1269,25 @@ interface(`files_dontaudit_getattr_all_sockets',`
  
  ########################################
  ## <summary>
@@ -8739,7 +8756,7 @@ index 64ff4d7..90999af 100644
  ##	Do not audit attempts to get the attributes
  ##	of non security named sockets.
  ## </summary>
-@@ -1073,10 +1353,8 @@ interface(`files_relabel_all_files',`
+@@ -1073,10 +1370,8 @@ interface(`files_relabel_all_files',`
  	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -8752,7 +8769,7 @@ index 64ff4d7..90999af 100644
  
  	# satisfy the assertions:
  	seutil_relabelto_bin_policy($1)
-@@ -1182,24 +1460,6 @@ interface(`files_list_all',`
+@@ -1182,24 +1477,6 @@ interface(`files_list_all',`
  
  ########################################
  ## <summary>
@@ -8777,7 +8794,7 @@ index 64ff4d7..90999af 100644
  ##	Do not audit attempts to search the
  ##	contents of any directories on extended
  ##	attribute filesystems.
-@@ -1443,9 +1703,6 @@ interface(`files_relabel_non_auth_files',`
+@@ -1443,9 +1720,6 @@ interface(`files_relabel_non_auth_files',`
  	# device nodes with file types.
  	relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
  	relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
@@ -8787,7 +8804,7 @@ index 64ff4d7..90999af 100644
  ')
  
  #############################################
-@@ -1583,6 +1840,24 @@ interface(`files_getattr_all_mountpoints',`
+@@ -1583,6 +1857,24 @@ interface(`files_getattr_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -8812,58 +8829,55 @@ index 64ff4d7..90999af 100644
  ##	Set the attributes of all mount points.
  ## </summary>
  ## <param name="domain">
-@@ -1673,6 +1948,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1673,25 +1965,61 @@ interface(`files_dontaudit_list_all_mountpoints',`
  
  ########################################
  ## <summary>
+-##	Do not audit attempts to write to mount points.
 +##	Write all mount points.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_write_all_mountpoints',`
+-	gen_require(`
+-		attribute mountpoint;
+-	')
 +interface(`files_write_all_mountpoints',`
 +    gen_require(`
 +        attribute mountpoint;
 +    ')
-+
+ 
+-	dontaudit $1 mountpoint:dir write;
 +	allow $1 mountpoint:dir write;
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts to write to mount points.
- ## </summary>
- ## <param name="domain">
-@@ -1691,7 +1984,7 @@ interface(`files_dontaudit_write_all_mountpoints',`
+ ')
  
  ########################################
  ## <summary>
 -##	List the contents of the root directory.
-+##	Write all file type directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1699,12 +1992,30 @@ interface(`files_dontaudit_write_all_mountpoints',`
- ##	</summary>
- ## </param>
- #
--interface(`files_list_root',`
-+interface(`files_write_all_dirs',`
- 	gen_require(`
--		type root_t;
-+		attribute file_type;
- 	')
- 
--	allow $1 root_t:dir list_dir_perms;
-+	allow $1 file_type:dir write;
++##	Do not audit attempts to write to mount points.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_write_all_mountpoints',`
++	gen_require(`
++		attribute mountpoint;
++	')
++
++	dontaudit $1 mountpoint:dir write;
 +')
 +
 +########################################
 +## <summary>
-+##	List the contents of the root directory.
++##	Write all file type directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -8871,16 +8885,21 @@ index 64ff4d7..90999af 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_list_root',`
++interface(`files_write_all_dirs',`
 +	gen_require(`
-+		type root_t;
++		attribute file_type;
 +	')
 +
-+	allow $1 root_t:dir list_dir_perms;
- 	allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
- ')
- 
-@@ -1874,25 +2185,25 @@ interface(`files_delete_root_dir_entry',`
++	allow $1 file_type:dir write;
++')
++
++########################################
++## <summary>
++##	List the contents of the root directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1874,25 +2202,25 @@ interface(`files_delete_root_dir_entry',`
  
  ########################################
  ## <summary>
@@ -8912,7 +8931,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1905,7 +2216,7 @@ interface(`files_relabel_rootfs',`
+@@ -1905,7 +2233,7 @@ interface(`files_relabel_rootfs',`
  		type root_t;
  	')
  
@@ -8921,7 +8940,7 @@ index 64ff4d7..90999af 100644
  ')
  
  ########################################
-@@ -1928,6 +2239,24 @@ interface(`files_unmount_rootfs',`
+@@ -1928,6 +2256,24 @@ interface(`files_unmount_rootfs',`
  
  ########################################
  ## <summary>
@@ -8946,7 +8965,7 @@ index 64ff4d7..90999af 100644
  ##	Get attributes of the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -2627,6 +2956,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2627,6 +2973,24 @@ interface(`files_rw_etc_dirs',`
  	allow $1 etc_t:dir rw_dir_perms;
  ')
  
@@ -8971,7 +8990,7 @@ index 64ff4d7..90999af 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
-@@ -2698,6 +3045,7 @@ interface(`files_read_etc_files',`
+@@ -2698,6 +3062,7 @@ interface(`files_read_etc_files',`
  	allow $1 etc_t:dir list_dir_perms;
  	read_files_pattern($1, etc_t, etc_t)
  	read_lnk_files_pattern($1, etc_t, etc_t)
@@ -8979,7 +8998,7 @@ index 64ff4d7..90999af 100644
  ')
  
  ########################################
-@@ -2706,7 +3054,7 @@ interface(`files_read_etc_files',`
+@@ -2706,7 +3071,7 @@ interface(`files_read_etc_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -8988,7 +9007,7 @@ index 64ff4d7..90999af 100644
  ##	</summary>
  ## </param>
  #
-@@ -2762,6 +3110,25 @@ interface(`files_manage_etc_files',`
+@@ -2762,6 +3127,25 @@ interface(`files_manage_etc_files',`
  
  ########################################
  ## <summary>
@@ -9014,7 +9033,7 @@ index 64ff4d7..90999af 100644
  ##	Delete system configuration files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2780,6 +3147,24 @@ interface(`files_delete_etc_files',`
+@@ -2780,6 +3164,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
@@ -9039,7 +9058,7 @@ index 64ff4d7..90999af 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2945,24 +3330,6 @@ interface(`files_delete_boot_flag',`
+@@ -2945,24 +3347,6 @@ interface(`files_delete_boot_flag',`
  
  ########################################
  ## <summary>
@@ -9064,7 +9083,7 @@ index 64ff4d7..90999af 100644
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -3003,9 +3370,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3003,9 +3387,7 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -9075,7 +9094,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3013,18 +3378,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3013,18 +3395,17 @@ interface(`files_read_etc_runtime_files',`
  ##	</summary>
  ## </param>
  #
@@ -9097,7 +9116,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3042,6 +3406,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3042,6 +3423,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -9124,7 +9143,7 @@ index 64ff4d7..90999af 100644
  ##	Read and write files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -3059,6 +3443,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3059,6 +3460,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -9132,7 +9151,7 @@ index 64ff4d7..90999af 100644
  ')
  
  ########################################
-@@ -3080,6 +3465,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3080,6 +3482,7 @@ interface(`files_manage_etc_runtime_files',`
  	')
  
  	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -9140,7 +9159,7 @@ index 64ff4d7..90999af 100644
  ')
  
  ########################################
-@@ -3132,6 +3518,25 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3132,6 +3535,25 @@ interface(`files_getattr_isid_type_dirs',`
  
  ########################################
  ## <summary>
@@ -9166,7 +9185,7 @@ index 64ff4d7..90999af 100644
  ##	Do not audit attempts to search directories on new filesystems
  ##	that have not yet been labeled.
  ## </summary>
-@@ -3208,6 +3613,25 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3208,6 +3630,25 @@ interface(`files_delete_isid_type_dirs',`
  
  ########################################
  ## <summary>
@@ -9192,7 +9211,7 @@ index 64ff4d7..90999af 100644
  ##	Create, read, write, and delete directories
  ##	on new filesystems that have not yet been labeled.
  ## </summary>
-@@ -3455,6 +3879,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3455,6 +3896,25 @@ interface(`files_rw_isid_type_blk_files',`
  
  ########################################
  ## <summary>
@@ -9218,7 +9237,7 @@ index 64ff4d7..90999af 100644
  ##	Create, read, write, and delete block device nodes
  ##	on new filesystems that have not yet been labeled.
  ## </summary>
-@@ -3796,20 +4239,38 @@ interface(`files_list_mnt',`
+@@ -3796,20 +4256,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -9262,7 +9281,7 @@ index 64ff4d7..90999af 100644
  ')
  
  ########################################
-@@ -4199,156 +4660,176 @@ interface(`files_read_world_readable_sockets',`
+@@ -4199,156 +4677,176 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -9515,7 +9534,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4356,53 +4837,56 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4356,53 +4854,56 @@ interface(`files_delete_tmp_dir_entry',`
  ##	</summary>
  ## </param>
  #
@@ -9584,7 +9603,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4410,35 +4894,36 @@ interface(`files_manage_generic_tmp_files',`
+@@ -4410,35 +4911,36 @@ interface(`files_manage_generic_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -9627,7 +9646,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4446,77 +4931,74 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4446,77 +4948,74 @@ interface(`files_rw_generic_tmp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -9732,7 +9751,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4524,58 +5006,61 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+@@ -4524,58 +5023,61 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -9811,7 +9830,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4583,51 +5068,35 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',`
+@@ -4583,51 +5085,35 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -9870,7 +9889,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4635,22 +5104,17 @@ interface(`files_tmp_filetrans',`
+@@ -4635,22 +5121,17 @@ interface(`files_tmp_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -9897,7 +9916,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4658,17 +5122,17 @@ interface(`files_purge_tmp',`
+@@ -4658,17 +5139,17 @@ interface(`files_purge_tmp',`
  ##	</summary>
  ## </param>
  #
@@ -9919,7 +9938,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4676,18 +5140,17 @@ interface(`files_setattr_usr_dirs',`
+@@ -4676,18 +5157,17 @@ interface(`files_setattr_usr_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -9942,7 +9961,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4695,35 +5158,35 @@ interface(`files_search_usr',`
+@@ -4695,35 +5175,35 @@ interface(`files_search_usr',`
  ##	</summary>
  ## </param>
  #
@@ -9987,7 +10006,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4731,36 +5194,35 @@ interface(`files_dontaudit_write_usr_dirs',`
+@@ -4731,36 +5211,35 @@ interface(`files_dontaudit_write_usr_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -10033,7 +10052,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4768,111 +5230,100 @@ interface(`files_dontaudit_rw_usr_dirs',`
+@@ -4768,111 +5247,100 @@ interface(`files_dontaudit_rw_usr_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -10177,7 +10196,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4880,35 +5331,17 @@ interface(`files_exec_usr_files',`
+@@ -4880,35 +5348,17 @@ interface(`files_exec_usr_files',`
  ##	</summary>
  ## </param>
  #
@@ -10217,7 +10236,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4916,67 +5349,70 @@ interface(`files_manage_usr_files',`
+@@ -4916,67 +5366,70 @@ interface(`files_manage_usr_files',`
  ##	</summary>
  ## </param>
  #
@@ -10306,7 +10325,7 @@ index 64ff4d7..90999af 100644
  ##	</summary>
  ## </param>
  ## <param name="name" optional="true">
-@@ -4985,35 +5421,50 @@ interface(`files_read_usr_symlinks',`
+@@ -4985,35 +5438,50 @@ interface(`files_read_usr_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -10366,7 +10385,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5021,20 +5472,17 @@ interface(`files_dontaudit_search_src',`
+@@ -5021,20 +5489,17 @@ interface(`files_dontaudit_search_src',`
  ##	</summary>
  ## </param>
  #
@@ -10391,7 +10410,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5042,20 +5490,18 @@ interface(`files_getattr_usr_src_files',`
+@@ -5042,20 +5507,18 @@ interface(`files_getattr_usr_src_files',`
  ##	</summary>
  ## </param>
  #
@@ -10416,7 +10435,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5063,38 +5509,35 @@ interface(`files_read_usr_src_files',`
+@@ -5063,38 +5526,35 @@ interface(`files_read_usr_src_files',`
  ##	</summary>
  ## </param>
  #
@@ -10464,7 +10483,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5102,37 +5545,36 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5102,37 +5562,36 @@ interface(`files_create_kernel_symbol_table',`
  ##	</summary>
  ## </param>
  #
@@ -10512,7 +10531,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5140,35 +5582,35 @@ interface(`files_delete_kernel_symbol_table',`
+@@ -5140,35 +5599,35 @@ interface(`files_delete_kernel_symbol_table',`
  ##	</summary>
  ## </param>
  #
@@ -10557,7 +10576,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5176,36 +5618,55 @@ interface(`files_dontaudit_write_var_dirs',`
+@@ -5176,36 +5635,55 @@ interface(`files_dontaudit_write_var_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -10623,7 +10642,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5213,36 +5674,37 @@ interface(`files_dontaudit_search_var',`
+@@ -5213,36 +5691,37 @@ interface(`files_dontaudit_search_var',`
  ##	</summary>
  ## </param>
  #
@@ -10671,7 +10690,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5250,17 +5712,17 @@ interface(`files_manage_var_dirs',`
+@@ -5250,17 +5729,17 @@ interface(`files_manage_var_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -10693,7 +10712,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5268,17 +5730,17 @@ interface(`files_read_var_files',`
+@@ -5268,17 +5747,17 @@ interface(`files_read_var_files',`
  ##	</summary>
  ## </param>
  #
@@ -10715,7 +10734,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5286,73 +5748,86 @@ interface(`files_append_var_files',`
+@@ -5286,73 +5765,86 @@ interface(`files_append_var_files',`
  ##	</summary>
  ## </param>
  #
@@ -10822,7 +10841,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5360,50 +5835,41 @@ interface(`files_read_var_symlinks',`
+@@ -5360,50 +5852,41 @@ interface(`files_read_var_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -10887,7 +10906,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5411,69 +5877,57 @@ interface(`files_var_filetrans',`
+@@ -5411,69 +5894,57 @@ interface(`files_var_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -10974,7 +10993,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5481,17 +5935,18 @@ interface(`files_dontaudit_search_var_lib',`
+@@ -5481,17 +5952,18 @@ interface(`files_dontaudit_search_var_lib',`
  ##	</summary>
  ## </param>
  #
@@ -10998,7 +11017,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5499,51 +5954,35 @@ interface(`files_list_var_lib',`
+@@ -5499,51 +5971,35 @@ interface(`files_list_var_lib',`
  ##	</summary>
  ## </param>
  #
@@ -11059,7 +11078,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5551,40 +5990,36 @@ interface(`files_var_lib_filetrans',`
+@@ -5551,40 +6007,36 @@ interface(`files_var_lib_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -11110,7 +11129,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5592,38 +6027,36 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5592,38 +6044,36 @@ interface(`files_read_var_lib_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -11159,7 +11178,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5631,17 +6064,17 @@ interface(`files_manage_mounttab',`
+@@ -5631,17 +6081,17 @@ interface(`files_manage_mounttab',`
  ##	</summary>
  ## </param>
  #
@@ -11181,7 +11200,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5649,38 +6082,35 @@ interface(`files_setattr_lock_dirs',`
+@@ -5649,38 +6099,35 @@ interface(`files_setattr_lock_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -11229,7 +11248,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5688,80 +6118,73 @@ interface(`files_dontaudit_search_locks',`
+@@ -5688,80 +6135,73 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -11331,7 +11350,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5769,41 +6192,50 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5769,41 +6209,50 @@ interface(`files_relabel_all_lock_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -11396,7 +11415,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5811,65 +6243,69 @@ interface(`files_delete_generic_locks',`
+@@ -5811,65 +6260,69 @@ interface(`files_delete_generic_locks',`
  ##	</summary>
  ## </param>
  #
@@ -11491,7 +11510,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5877,37 +6313,49 @@ interface(`files_read_all_locks',`
+@@ -5877,37 +6330,49 @@ interface(`files_read_all_locks',`
  ##	</summary>
  ## </param>
  #
@@ -11555,7 +11574,7 @@ index 64ff4d7..90999af 100644
  ##	</summary>
  ## </param>
  ## <param name="name" optional="true">
-@@ -5916,39 +6364,37 @@ interface(`files_manage_all_locks',`
+@@ -5916,39 +6381,37 @@ interface(`files_manage_all_locks',`
  ##	</summary>
  ## </param>
  #
@@ -11605,7 +11624,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5956,19 +6402,18 @@ interface(`files_dontaudit_getattr_pid_dirs',`
+@@ -5956,19 +6419,18 @@ interface(`files_dontaudit_getattr_pid_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -11630,7 +11649,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5976,39 +6421,41 @@ interface(`files_setattr_pid_dirs',`
+@@ -5976,19 +6438,1114 @@ interface(`files_setattr_pid_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -11655,41 +11674,33 @@ index 64ff4d7..90999af 100644
 -##	the /var/run directory.
 +##	Create, read, write, and delete the
 +##	pseudorandom number generator seed.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`files_dontaudit_search_pids',`
++##	</summary>
++## </param>
++#
 +interface(`files_manage_urandom_seed',`
- 	gen_require(`
--		type var_run_t;
++	gen_require(`
 +		type var_t, var_lib_t;
- 	')
- 
--	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
--	dontaudit $1 var_run_t:dir search_dir_perms;
++	')
++
 +	allow $1 var_t:dir search_dir_perms;
 +	manage_files_pattern($1, var_lib_t, var_lib_t)
- ')
- 
- ########################################
- ## <summary>
--##	List the contents of the runtime process
--##	ID directories (/var/run).
++')
++
++########################################
++## <summary>
 +##	Allow domain to manage mount tables
 +##	necessary for rpcd, nfsd, etc.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6016,18 +6463,1012 @@ interface(`files_dontaudit_search_pids',`
- ##	</summary>
- ## </param>
- #
--interface(`files_list_pids',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_manage_mounttab',`
 +	gen_require(`
 +		type var_t, var_lib_t;
@@ -12051,7 +12062,7 @@ index 64ff4d7..90999af 100644
 +		type var_run_t;
 +	')
 +
-+	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++	files_search_pids($1)
 +	allow $1 var_run_t:dir setattr;
 +')
 +
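Review bot: Calling `files_search_pids($1)` here grants more than the `allow $1 var_run_t:lnk_file read_lnk_file_perms;` line it replaces. Going by the files_search_pids hunk that follows, the callee also allows reading `var_t` symlinks and runs `search_dirs_pattern($1, var_t, var_run_t)`, so this setattr interface now hands out directory search as well. The same substitution is made in the list, read, fifo-write and rw hunks further down, and none of their summaries mention the wider grant. A one-line comment above each call would record the intent, for example `# symlink traversal and search of /var/run are delegated to files_search_pids()`. The enclosing interface starts outside this hunk, so its name and summary are not visible here.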
@@ -12071,6 +12082,7 @@ index 64ff4d7..90999af 100644
 +		type var_t, var_run_t;
 +	')
 +
++	allow $1 var_t:lnk_file read_lnk_file_perms;
 +	allow $1 var_run_t:lnk_file read_lnk_file_perms;
 +	search_dirs_pattern($1, var_t, var_run_t)
 +')
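Review bot: The added `allow $1 var_t:lnk_file read_lnk_file_perms;` lets every caller of this interface (presumably files_search_pids, whose header lies outside the hunk) read any symlink labelled `var_t`, not only one leading to the runtime directory, and nothing in the hunk says why. This commit also routes several other interfaces through it, so the grant spreads to all their callers. Please state the reason next to the rule, for example `# a var_t-labelled symlink may sit on the path to /var/run` if that is the case, and mention symlink access in the interface summary. It is also worth checking whether the matching dontaudit interface needs the same `var_t:lnk_file` rule to stay symmetric.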
@@ -12167,7 +12179,7 @@ index 64ff4d7..90999af 100644
 +		type var_t, var_run_t;
 +	')
 +
-+	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++	files_search_pids($1)
 +	list_dirs_pattern($1, var_t, var_run_t)
 +')
 +
@@ -12186,7 +12198,7 @@ index 64ff4d7..90999af 100644
 +		type var_t, var_run_t;
 +	')
 +
-+	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++	files_search_pids($1)
 +	list_dirs_pattern($1, var_t, var_run_t)
 +	read_files_pattern($1, var_run_t, var_run_t)
 +')
@@ -12206,7 +12218,7 @@ index 64ff4d7..90999af 100644
 +		type var_run_t;
 +	')
 +
-+	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++	files_search_pids($1)
 +	allow $1 var_run_t:fifo_file write;
 +')
 +
@@ -12309,7 +12321,7 @@ index 64ff4d7..90999af 100644
 +		type var_t, var_run_t;
 +	')
 +
-+	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++	files_search_pids($1)
 +	list_dirs_pattern($1, var_t, var_run_t)
 +	rw_files_pattern($1, var_run_t, var_run_t)
 +')
@@ -12597,8 +12609,8 @@ index 64ff4d7..90999af 100644
 +		type var_t, var_run_t;
 +	')
 +
++	files_search_pids($1)
 +	allow $1 var_t:dir search_dir_perms;
-+	allow $1 var_run_t:lnk_file read_lnk_file_perms;
 +	allow $1 var_run_t:dir rmdir;
 +	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
 +	delete_files_pattern($1, pidfile, pidfile)
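Review bot: The retained `allow $1 var_t:dir search_dir_perms;` looks redundant now that `files_search_pids($1)` is called just above it, because that interface ends in `search_dirs_pattern($1, var_t, var_run_t)`, which I expect already covers search on `var_t` directories. The same pair appears in the next hunk, before `delete_dirs_pattern($1, pidfile, pidfile)`. Either drop the explicit rule in both places or keep it with a comment such as `# kept explicitly; also granted via files_search_pids()`, so a later reader does not take it for an additional permission. Both interfaces begin outside their hunks.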
@@ -12622,8 +12634,8 @@ index 64ff4d7..90999af 100644
 +		type var_t, var_run_t;
 +	')
 +
++	files_search_pids($1)
 +	allow $1 var_t:dir search_dir_perms;
-+	allow $1 var_run_t:lnk_file read_lnk_file_perms;
 +	delete_dirs_pattern($1, pidfile, pidfile)
 +')
 +
@@ -12686,71 +12698,174 @@ index 64ff4d7..90999af 100644
 +## </param>
 +#
 +interface(`files_create_all_spool_sockets',`
++	gen_require(`
++		attribute spoolfile;
++	')
++
++	allow $1 spoolfile:sock_file create_sock_file_perms;
++')
++
++########################################
++## <summary>
++##	Delete all spool sockets
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_all_spool_sockets',`
++	gen_require(`
++		attribute spoolfile;
++	')
++
++	allow $1 spoolfile:sock_file delete_sock_file_perms;
++')
++
++########################################
++## <summary>
++##	Relabel to and from all spool
++##	directory types.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_relabel_all_spool_dirs',`
++	gen_require(`
++		attribute spoolfile;
++		type var_t;
++	')
++
++	relabel_dirs_pattern($1, spoolfile, spoolfile)
++')
++
++########################################
++## <summary>
++##	Search the contents of generic spool
++##	directories (/var/spool).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_search_spool',`
++	gen_require(`
++		type var_t, var_spool_t;
++	')
++
++	search_dirs_pattern($1, var_t, var_spool_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to search generic
++##	spool directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5996,19 +7553,18 @@ interface(`files_search_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_pids',`
++interface(`files_dontaudit_search_spool',`
+ 	gen_require(`
+-		type var_run_t;
++		type var_spool_t;
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 var_run_t:dir search_dir_perms;
++	dontaudit $1 var_spool_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of the runtime process
+-##	ID directories (/var/run).
++##	List the contents of generic spool
++##	(/var/spool) directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6016,18 +7572,18 @@ interface(`files_dontaudit_search_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_pids',`
++interface(`files_list_spool',`
  	gen_require(`
 -		type var_t, var_run_t;
-+		attribute spoolfile;
++		type var_t, var_spool_t;
  	')
  
 -	allow $1 var_run_t:lnk_file read_lnk_file_perms;
 -	list_dirs_pattern($1, var_t, var_run_t)
-+	allow $1 spoolfile:sock_file create_sock_file_perms;
++	list_dirs_pattern($1, var_t, var_spool_t)
  ')
  
  ########################################
  ## <summary>
 -##	Read generic process ID files.
-+##	Delete all spool sockets
++##	Create, read, write, and delete generic
++##	spool directories (/var/spool).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6035,123 +7476,336 @@ interface(`files_list_pids',`
+@@ -6035,19 +7591,18 @@ interface(`files_list_pids',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_read_generic_pids',`
-+interface(`files_delete_all_spool_sockets',`
++interface(`files_manage_generic_spool_dirs',`
  	gen_require(`
 -		type var_t, var_run_t;
-+		attribute spoolfile;
++		type var_t, var_spool_t;
  	')
  
 -	allow $1 var_run_t:lnk_file read_lnk_file_perms;
 -	list_dirs_pattern($1, var_t, var_run_t)
 -	read_files_pattern($1, var_run_t, var_run_t)
-+	allow $1 spoolfile:sock_file delete_sock_file_perms;
++	allow $1 var_t:dir search_dir_perms;
++	manage_dirs_pattern($1, var_spool_t, var_spool_t)
  ')
  
  ########################################
  ## <summary>
 -##	Write named generic process ID pipes
-+##	Relabel to and from all spool
-+##	directory types.
++##	Read generic spool files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+@@ -6055,103 +7610,220 @@ interface(`files_read_generic_pids',`
  ##	</summary>
  ## </param>
-+## <rolecap/>
  #
 -interface(`files_write_generic_pid_pipes',`
-+interface(`files_relabel_all_spool_dirs',`
++interface(`files_read_generic_spool',`
  	gen_require(`
 -		type var_run_t;
-+		attribute spoolfile;
-+		type var_t;
++		type var_t, var_spool_t;
  	')
  
 -	allow $1 var_run_t:lnk_file read_lnk_file_perms;
 -	allow $1 var_run_t:fifo_file write;
-+	relabel_dirs_pattern($1, spoolfile, spoolfile)
++	list_dirs_pattern($1, var_t, var_spool_t)
++	read_files_pattern($1, var_spool_t, var_spool_t)
  ')
  
  ########################################
  ## <summary>
 -##	Create an object in the process ID directory, with a private type.
-+##	Search the contents of generic spool
-+##	directories (/var/spool).
++##	Create, read, write, and delete generic
++##	spool files.
  ## </summary>
 -## <desc>
 -##	<p>
@@ -12785,105 +12900,6 @@ index 64ff4d7..90999af 100644
  ## </param>
 -## <param name="private type">
 +#
-+interface(`files_search_spool',`
-+	gen_require(`
-+		type var_t, var_spool_t;
-+	')
-+
-+	search_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to search generic
-+##	spool directories.
-+## </summary>
-+## <param name="domain">
- ##	<summary>
--##	The type of the object to be created.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
--## <param name="object">
-+#
-+interface(`files_dontaudit_search_spool',`
-+	gen_require(`
-+		type var_spool_t;
-+	')
-+
-+	dontaudit $1 var_spool_t:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	List the contents of generic spool
-+##	(/var/spool) directories.
-+## </summary>
-+## <param name="domain">
- ##	<summary>
--##	The object class of the object being created.
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_list_spool',`
-+	gen_require(`
-+		type var_t, var_spool_t;
-+	')
-+
-+	list_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Create, read, write, and delete generic
-+##	spool directories (/var/spool).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_manage_generic_spool_dirs',`
-+	gen_require(`
-+		type var_t, var_spool_t;
-+	')
-+
-+	allow $1 var_t:dir search_dir_perms;
-+	manage_dirs_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Read generic spool files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_read_generic_spool',`
-+	gen_require(`
-+		type var_t, var_spool_t;
-+	')
-+
-+	list_dirs_pattern($1, var_t, var_spool_t)
-+	read_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Create, read, write, and delete generic
-+##	spool files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
 +interface(`files_manage_generic_spool',`
 +	gen_require(`
 +		type var_t, var_spool_t;
@@ -12899,12 +12915,15 @@ index 64ff4d7..90999af 100644
 +##	with a private type with a type transition.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	The type of the object to be created.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="object">
 +## <param name="file">
-+##	<summary>
+ ##	<summary>
+-##	The object class of the object being created.
 +##	Type to which the created node will be transitioned.
 +##	</summary>
 +## </param>
@@ -13099,7 +13118,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6159,20 +7813,18 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6159,20 +7831,18 @@ interface(`files_pid_filetrans_lock_dir',`
  ##	</summary>
  ## </param>
  #
@@ -13125,7 +13144,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6180,19 +7832,17 @@ interface(`files_rw_generic_pids',`
+@@ -6180,19 +7850,17 @@ interface(`files_rw_generic_pids',`
  ##	</summary>
  ## </param>
  #
@@ -13149,7 +13168,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6200,18 +7850,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+@@ -6200,18 +7868,17 @@ interface(`files_dontaudit_getattr_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -13172,7 +13191,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6219,41 +7868,43 @@ interface(`files_dontaudit_write_all_pids',`
+@@ -6219,41 +7886,43 @@ interface(`files_dontaudit_write_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -13230,7 +13249,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6262,67 +7913,55 @@ interface(`files_read_all_pids',`
+@@ -6262,67 +7931,55 @@ interface(`files_read_all_pids',`
  ## </param>
  ## <rolecap/>
  #
@@ -13315,7 +13334,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6330,37 +7969,37 @@ interface(`files_manage_all_pids',`
+@@ -6330,37 +7987,37 @@ interface(`files_manage_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -13364,7 +13383,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6368,186 +8007,169 @@ interface(`files_search_spool',`
+@@ -6368,186 +8025,169 @@ interface(`files_search_spool',`
  ##	</summary>
  ## </param>
  #
@@ -13631,7 +13650,7 @@ index 64ff4d7..90999af 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6555,10 +8177,11 @@ interface(`files_polyinstantiate_all',`
+@@ -6555,10 +8195,11 @@ interface(`files_polyinstantiate_all',`
  ##	</summary>
  ## </param>
  #
@@ -31807,7 +31826,7 @@ index e8c59a5..ea56d23 100644
  ')
  
 diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 9fe8e01..06fa481 100644
+index 9fe8e01..fa82aac 100644
 --- a/policy/modules/system/miscfiles.fc
 +++ b/policy/modules/system/miscfiles.fc
 @@ -9,11 +9,13 @@ ifdef(`distro_gentoo',`
@@ -31826,7 +31845,7 @@ index 9fe8e01..06fa481 100644
  
  ifdef(`distro_redhat',`
  /etc/sysconfig/clock	--	gen_context(system_u:object_r:locale_t,s0)
-@@ -37,11 +39,6 @@ ifdef(`distro_redhat',`
+@@ -37,14 +39,10 @@ ifdef(`distro_redhat',`
  
  /usr/lib/perl5/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
  
@@ -31838,7 +31857,19 @@ index 9fe8e01..06fa481 100644
  /usr/man(/.*)?			gen_context(system_u:object_r:man_t,s0)
  
  /usr/share/ca-certificates(/.*)?	gen_context(system_u:object_r:cert_t,s0)
-@@ -77,7 +74,7 @@ ifdef(`distro_redhat',`
++/usr/share/pki/ca-certificates(/.*)?	gen_context(system_u:object_r:cert_t,s0)
+ /usr/share/fonts(/.*)?		gen_context(system_u:object_r:fonts_t,s0)
+ /usr/share/X11/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
+ /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+@@ -53,6 +51,7 @@ ifdef(`distro_redhat',`
+ /usr/share/X11/locale(/.*)?	gen_context(system_u:object_r:locale_t,s0)
+ /usr/share/zoneinfo(/.*)?	gen_context(system_u:object_r:locale_t,s0)
+ 
++/usr/share/pki(/.*)?      	gen_context(system_u:object_r:cert_t,s0)
+ /usr/share/ssl/certs(/.*)?	gen_context(system_u:object_r:cert_t,s0)
+ /usr/share/ssl/private(/.*)?	gen_context(system_u:object_r:cert_t,s0)
+ 
+@@ -77,7 +76,7 @@ ifdef(`distro_redhat',`
  
  /var/cache/fontconfig(/.*)?	gen_context(system_u:object_r:fonts_cache_t,s0)
  /var/cache/fonts(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
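Review bot: The new `/usr/share/pki/ca-certificates(/.*)?` entry is already covered by the `/usr/share/pki(/.*)?` entry added a few lines further down, since both assign `cert_t`; one of the two can be dropped. If only the CA bundle needs the label, keep the narrower pattern and remove `/usr/share/pki(/.*)?`, so that files a package later installs elsewhere under `/usr/share/pki` do not silently become `cert_t`. The broader line also separates the path from `gen_context` with spaces plus a tab, where the neighbouring entries use tabs only.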
@@ -31847,7 +31878,7 @@ index 9fe8e01..06fa481 100644
  
  /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
  
-@@ -90,6 +87,7 @@ ifdef(`distro_debian',`
+@@ -90,6 +89,7 @@ ifdef(`distro_debian',`
  ')
  
  ifdef(`distro_redhat',`
@@ -34692,10 +34723,10 @@ index 1447687..d5e6fb9 100644
  seutil_read_config(setrans_t)
  
 diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 346a7cc..2fa1253 100644
+index 346a7cc..b44bb0c 100644
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
-@@ -17,14 +17,15 @@ ifdef(`distro_debian',`
+@@ -17,16 +17,17 @@ ifdef(`distro_debian',`
  /etc/dhclient.*conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
  /etc/dhclient-script	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
  /etc/dhcpc.*			gen_context(system_u:object_r:dhcp_etc_t,s0)
@@ -34712,8 +34743,11 @@ index 346a7cc..2fa1253 100644
  /etc/yp\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)
 +/etc/ntp\.conf		--	gen_context(system_u:object_r:net_conf_t,s0)
  
- /etc/dhcp3(/.*)?		gen_context(system_u:object_r:dhcp_etc_t,s0)
+-/etc/dhcp3(/.*)?		gen_context(system_u:object_r:dhcp_etc_t,s0)
++/etc/dhcp3?(/.*)?		gen_context(system_u:object_r:dhcp_etc_t,s0)
  /etc/dhcp3?/dhclient.*		gen_context(system_u:object_r:dhcp_etc_t,s0)
+ 
+ ifdef(`distro_redhat',`
 @@ -55,6 +56,20 @@ ifdef(`distro_redhat',`
  #
  # /usr
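Review bot: Widening `/etc/dhcp3(/.*)?` to `/etc/dhcp3?(/.*)?` makes the next entry, `/etc/dhcp3?/dhclient.*`, redundant, because it assigns the same `dhcp_etc_t` context to paths the widened pattern already matches. Either drop that entry or give it a comment saying why it is kept. The change also labels the whole `/etc/dhcp` tree, so it is worth confirming that no other module's file-context file expects a different type for anything under that directory.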
@@ -35417,12 +35451,29 @@ index 0000000..4e12420
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..fc080a1
+index 0000000..ab20e2f
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1064 @@
+@@ -0,0 +1,1081 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
++######################################
++## <summary>
++##      Create a domain for processes which are started 
++##      exuting systemctl.
++## </summary>
++## <param name="domain_prefix">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`systemd_stub_unit_file',`
++        gen_require(`
++                type systemd_unit_file_t;
++        ')
++')
++
 +#######################################
 +## <summary>
 +##      Create a domain for processes which are started 
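Review bot: The doc block on the new `systemd_stub_unit_file` interface does not describe it: the summary ("Create a domain for processes which are started exuting systemctl.") and the `domain_prefix` parameter appear to be copied from the interface that follows, and "exuting" is a typo for "executing". The body only requires `systemd_unit_file_t` and grants nothing, so the summary should say that, e.g. `##      systemd unit file stub interface.  No access allowed.`, with the parameter declared as `## <param name="domain" unused="true">`. Accurate stub documentation matters here because a reader scanning the generated interface docs would otherwise assume this call creates a domain.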
@@ -36487,7 +36538,7 @@ index 0000000..fc080a1
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..60e3e89
+index 0000000..4d56107
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
 @@ -0,0 +1,641 @@
@@ -36970,7 +37021,7 @@ index 0000000..60e3e89
 +
 +userdom_dbus_send_all_users(systemd_localed_t)
 +
-+xserver_read_config(systemd_localed_t)
++xserver_manage_config(systemd_localed_t)
 +
 +optional_policy(`
 +	dbus_connect_system_bus(systemd_localed_t)
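Review bot: Replacing `xserver_read_config(systemd_localed_t)` with `xserver_manage_config(systemd_localed_t)` moves localed from read-only to create/write/delete on the X server configuration type, and nothing in the hunk records which file it needs to write. If this is only for the keyboard-layout file that localed maintains (an assumption; the hunk does not show it), a comment such as `# localed rewrites the X11 keyboard layout configuration` above the call would document the reason. A grant limited to that file would be preferable if the policy has, or can get, a dedicated type for it. The systemd_localed_t rule set starts and ends outside this hunk.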
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index ff0cb24..fe16da6 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -516,7 +516,7 @@ index 058d908..702b716 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index cc43d25..304203f 100644
+index cc43d25..0842350 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -1,4 +1,4 @@
@@ -935,7 +935,7 @@ index cc43d25..304203f 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,30 +406,37 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,30 +406,38 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -947,6 +947,7 @@ index cc43d25..304203f 100644
  
 +optional_policy(`
 +	mock_domtrans(abrt_retrace_worker_t)
++	mock_manage_lib_files(abrt_t)
 +')
 +
  ########################################
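Review bot: `mock_manage_lib_files(abrt_t)` is added inside the optional block of the abrt_retrace_worker_t section, next to `mock_domtrans(abrt_retrace_worker_t)`, but it grants access to a different domain, `abrt_t`. If the retrace worker is the process that touches mock's lib files, the argument should be `abrt_retrace_worker_t`. If `abrt_t` is really intended, the rule belongs in an `optional_policy` block in abrt_t's own section, so the grant is found where that domain's permissions are audited. As written, the main abrt daemon domain gains manage access to mock's lib files with no stated reason.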
@@ -976,7 +977,7 @@ index cc43d25..304203f 100644
  kernel_read_kernel_sysctls(abrt_dump_oops_t)
  kernel_read_ring_buffer(abrt_dump_oops_t)
  
-@@ -384,14 +445,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
+@@ -384,14 +446,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
  fs_list_inotifyfs(abrt_dump_oops_t)
  
  logging_read_generic_logs(abrt_dump_oops_t)
@@ -994,7 +995,7 @@ index cc43d25..304203f 100644
  
  read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
  
-@@ -400,16 +462,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +463,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
  corecmd_exec_bin(abrt_watch_log_t)
  
  logging_read_all_logs(abrt_watch_log_t)
@@ -9740,10 +9741,10 @@ index 2354e21..bec6c06 100644
 +	')
 +')
 diff --git a/certwatch.te b/certwatch.te
-index 403af41..7c0b1be 100644
+index 403af41..68a5e26 100644
 --- a/certwatch.te
 +++ b/certwatch.te
-@@ -21,25 +21,26 @@ role certwatch_roles types certwatch_t;
+@@ -21,27 +21,29 @@ role certwatch_roles types certwatch_t;
  allow certwatch_t self:capability sys_nice;
  allow certwatch_t self:process { setsched getsched };
  
@@ -9774,7 +9775,10 @@ index 403af41..7c0b1be 100644
 +userdom_dontaudit_list_admin_dir(certwatch_t)
  
  optional_policy(`
++	apache_exec(certwatch_t)
  	apache_exec_modules(certwatch_t)
+ 	apache_read_config(certwatch_t)
+ ')
 diff --git a/cfengine.if b/cfengine.if
 index a731122..5279d4e 100644
 --- a/cfengine.if
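Review bot: `apache_exec(certwatch_t)` is added without a comment, and by its name it lets certwatch run the httpd binary inside certwatch_t rather than through a domain transition, so whatever httpd does at start-up then runs with certwatch's permissions. A one-line reason above the call would help, e.g. `# certwatch runs httpd to enumerate the configured certificates` (presumed purpose; confirm against the AVC that prompted this). If that is the only use, check that the existing `apache_read_config` and `apache_exec_modules` grants are enough for it, so the exec does not pull in further allow rules later.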
@@ -9933,7 +9937,7 @@ index 85ca63f..1d1c99c 100644
  	admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
  	files_list_etc($1)
 diff --git a/cgroup.te b/cgroup.te
-index fdee107..eb7a3ac 100644
+index fdee107..7a38b63 100644
 --- a/cgroup.te
 +++ b/cgroup.te
 @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@@ -9979,10 +9983,10 @@ index fdee107..eb7a3ac 100644
  #
  # cgred local policy
  #
++allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
++allow cgred_t self:process signal_perms;
  
 -allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
-+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
-+
  allow cgred_t self:netlink_socket { write bind create read };
  allow cgred_t self:unix_dgram_socket { write create connect };
  
@@ -16021,7 +16025,7 @@ index 06da9a0..ca832e1 100644
 +	ps_process_pattern($1, cupsd_t)
  ')
 diff --git a/cups.te b/cups.te
-index 9f34c2e..45fe9a0 100644
+index 9f34c2e..3b03f21 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@@ -16243,7 +16247,7 @@ index 9f34c2e..45fe9a0 100644
  files_exec_usr_files(cupsd_t)
  # for /var/lib/defoma
  files_read_var_lib_files(cupsd_t)
-@@ -215,16 +246,16 @@ files_read_world_readable_files(cupsd_t)
+@@ -215,16 +246,17 @@ files_read_world_readable_files(cupsd_t)
  files_read_world_readable_symlinks(cupsd_t)
  files_read_var_files(cupsd_t)
  files_read_var_symlinks(cupsd_t)
@@ -16259,10 +16263,11 @@ index 9f34c2e..45fe9a0 100644
  fs_search_fusefs(cupsd_t)
  fs_read_anon_inodefs_files(cupsd_t)
 +fs_rw_anon_inodefs_files(cupsd_t)
++fs_rw_inherited_tmpfs_files(cupsd_t)
  
  mls_fd_use_all_levels(cupsd_t)
  mls_file_downgrade(cupsd_t)
-@@ -235,6 +266,8 @@ mls_socket_write_all_levels(cupsd_t)
+@@ -235,6 +267,8 @@ mls_socket_write_all_levels(cupsd_t)
  
  term_search_ptys(cupsd_t)
  term_use_unallocated_ttys(cupsd_t)
@@ -16271,7 +16276,7 @@ index 9f34c2e..45fe9a0 100644
  
  selinux_compute_access_vector(cupsd_t)
  selinux_validate_context(cupsd_t)
-@@ -247,21 +280,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -247,21 +281,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
  auth_rw_faillog(cupsd_t)
  auth_use_nsswitch(cupsd_t)
  
@@ -16297,7 +16302,7 @@ index 9f34c2e..45fe9a0 100644
  userdom_dontaudit_search_user_home_content(cupsd_t)
  
  optional_policy(`
-@@ -275,6 +307,8 @@ optional_policy(`
+@@ -275,6 +308,8 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(cupsd_t)
  
@@ -16306,7 +16311,7 @@ index 9f34c2e..45fe9a0 100644
  	userdom_dbus_send_all_users(cupsd_t)
  
  	optional_policy(`
-@@ -285,8 +319,10 @@ optional_policy(`
+@@ -285,8 +320,10 @@ optional_policy(`
  		hal_dbus_chat(cupsd_t)
  	')
  
@@ -16317,7 +16322,7 @@ index 9f34c2e..45fe9a0 100644
  	')
  ')
  
-@@ -299,8 +335,8 @@ optional_policy(`
+@@ -299,8 +336,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16327,7 +16332,7 @@ index 9f34c2e..45fe9a0 100644
  ')
  
  optional_policy(`
-@@ -309,7 +345,6 @@ optional_policy(`
+@@ -309,7 +346,6 @@ optional_policy(`
  
  optional_policy(`
  	lpd_exec_lpr(cupsd_t)
@@ -16335,7 +16340,7 @@ index 9f34c2e..45fe9a0 100644
  	lpd_read_config(cupsd_t)
  	lpd_relabel_spool(cupsd_t)
  ')
-@@ -337,7 +372,7 @@ optional_policy(`
+@@ -337,7 +373,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16344,7 +16349,7 @@ index 9f34c2e..45fe9a0 100644
  ')
  
  ########################################
-@@ -345,11 +380,9 @@ optional_policy(`
+@@ -345,11 +381,9 @@ optional_policy(`
  # Configuration daemon local policy
  #
  
@@ -16358,7 +16363,7 @@ index 9f34c2e..45fe9a0 100644
  
  allow cupsd_config_t cupsd_t:process signal;
  ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -375,18 +408,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -375,18 +409,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
  manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
  files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
  
@@ -16378,7 +16383,7 @@ index 9f34c2e..45fe9a0 100644
  corenet_all_recvfrom_netlabel(cupsd_config_t)
  corenet_tcp_sendrecv_generic_if(cupsd_config_t)
  corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -395,20 +425,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -395,20 +426,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
  corenet_sendrecv_all_client_packets(cupsd_config_t)
  corenet_tcp_connect_all_ports(cupsd_config_t)
  
@@ -16399,7 +16404,7 @@ index 9f34c2e..45fe9a0 100644
  fs_search_auto_mountpoints(cupsd_config_t)
  
  domain_use_interactive_fds(cupsd_config_t)
-@@ -420,11 +442,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -420,11 +443,6 @@ auth_use_nsswitch(cupsd_config_t)
  
  logging_send_syslog_msg(cupsd_config_t)
  
@@ -16411,7 +16416,7 @@ index 9f34c2e..45fe9a0 100644
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
  userdom_read_all_users_state(cupsd_config_t)
-@@ -452,9 +469,12 @@ optional_policy(`
+@@ -452,9 +470,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16425,7 +16430,7 @@ index 9f34c2e..45fe9a0 100644
  ')
  
  optional_policy(`
-@@ -490,10 +510,6 @@ optional_policy(`
+@@ -490,10 +511,6 @@ optional_policy(`
  # Lpd local policy
  #
  
@@ -16436,7 +16441,7 @@ index 9f34c2e..45fe9a0 100644
  allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
  
  allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -511,31 +527,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -511,31 +528,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
  
  kernel_read_kernel_sysctls(cupsd_lpd_t)
  kernel_read_system_state(cupsd_lpd_t)
@@ -16469,7 +16474,7 @@ index 9f34c2e..45fe9a0 100644
  optional_policy(`
  	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
  ')
-@@ -546,7 +553,6 @@ optional_policy(`
+@@ -546,7 +554,6 @@ optional_policy(`
  #
  
  allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -16477,7 +16482,7 @@ index 9f34c2e..45fe9a0 100644
  allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
  
  append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -562,17 +568,8 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -562,17 +569,8 @@ fs_search_auto_mountpoints(cups_pdf_t)
  
  kernel_read_system_state(cups_pdf_t)
  
@@ -16495,7 +16500,7 @@ index 9f34c2e..45fe9a0 100644
  userdom_manage_user_home_content_dirs(cups_pdf_t)
  userdom_manage_user_home_content_files(cups_pdf_t)
  userdom_home_filetrans_user_home_dir(cups_pdf_t)
-@@ -582,128 +579,12 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -582,128 +580,12 @@ tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_files(cups_pdf_t)
  ')
  
@@ -16626,7 +16631,7 @@ index 9f34c2e..45fe9a0 100644
  
  ########################################
  #
-@@ -731,7 +612,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -731,7 +613,6 @@ kernel_read_kernel_sysctls(ptal_t)
  kernel_list_proc(ptal_t)
  kernel_read_proc_symlinks(ptal_t)
  
@@ -16634,7 +16639,7 @@ index 9f34c2e..45fe9a0 100644
  corenet_all_recvfrom_netlabel(ptal_t)
  corenet_tcp_sendrecv_generic_if(ptal_t)
  corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -741,13 +621,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -741,13 +622,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
  corenet_tcp_bind_ptal_port(ptal_t)
  corenet_tcp_sendrecv_ptal_port(ptal_t)
  
@@ -16648,7 +16653,7 @@ index 9f34c2e..45fe9a0 100644
  files_read_etc_runtime_files(ptal_t)
  
  fs_getattr_all_fs(ptal_t)
-@@ -755,8 +633,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -755,8 +634,6 @@ fs_search_auto_mountpoints(ptal_t)
  
  logging_send_syslog_msg(ptal_t)
  
@@ -19296,7 +19301,7 @@ index 0000000..332a1c9
 +')
 diff --git a/dirsrv-admin.te b/dirsrv-admin.te
 new file mode 100644
-index 0000000..a3d076f
+index 0000000..ab083cf
 --- /dev/null
 +++ b/dirsrv-admin.te
 @@ -0,0 +1,144 @@
@@ -19334,7 +19339,7 @@ index 0000000..a3d076f
 +#
 +allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
 +allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };
-+allow dirsrvadmin_t self:process setrlimit;
++allow dirsrvadmin_t self:process { setrlimit signal_perms };
 +
 +manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
 +manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
@@ -23081,7 +23086,7 @@ index d062080..e098a40 100644
  	ftp_run_ftpdctl($1, $2)
  ')
 diff --git a/ftp.te b/ftp.te
-index e50f33c..2f7de33 100644
+index e50f33c..5e6cdb8 100644
 --- a/ftp.te
 +++ b/ftp.te
 @@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1)
@@ -23102,16 +23107,23 @@ index e50f33c..2f7de33 100644
  
  ## <desc>
  ##	<p>
-@@ -30,7 +30,7 @@ gen_tunable(allow_ftpd_full_access, false)
+@@ -30,7 +30,14 @@ gen_tunable(allow_ftpd_full_access, false)
  ##	used for public file transfer services.
  ##	</p>
  ## </desc>
 -gen_tunable(allow_ftpd_use_cifs, false)
 +gen_tunable(ftpd_use_cifs, false)
++
++## <desc>
++## <p>
++## Allow samba to export ntfs/fusefs volumes.
++## </p>
++## </desc>
++gen_tunable(ftpd_use_fusefs, false)
  
  ## <desc>
  ##	<p>
-@@ -38,7 +38,7 @@ gen_tunable(allow_ftpd_use_cifs, false)
+@@ -38,7 +45,7 @@ gen_tunable(allow_ftpd_use_cifs, false)
  ##	used for public file transfer services.
  ##	</p>
  ## </desc>
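Review bot: The description of the new `ftpd_use_fusefs` tunable reads "Allow samba to export ntfs/fusefs volumes.", which describes a Samba boolean rather than this one; it will show up verbatim in the boolean's help text and mislead an administrator deciding whether to enable it. Something like `## Allow ftp servers to use ntfs/fusefs volumes for public file transfer services.` would match the neighbouring `ftpd_use_cifs` and `ftpd_use_nfs` descriptions. The new `<desc>` block also uses `## <p>` with a space, where the surrounding blocks use `##` followed by a tab.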
@@ -23120,7 +23132,7 @@ index e50f33c..2f7de33 100644
  
  ## <desc>
  ##	<p>
-@@ -124,6 +124,9 @@ files_config_file(ftpd_etc_t)
+@@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t)
  type ftpd_initrc_exec_t;
  init_script_file(ftpd_initrc_exec_t)
  
@@ -23130,7 +23142,7 @@ index e50f33c..2f7de33 100644
  type ftpd_lock_t;
  files_lock_file(ftpd_lock_t)
  
-@@ -179,6 +182,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms;
+@@ -179,6 +189,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms;
  allow ftpd_t ftpd_lock_t:file manage_file_perms;
  files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
  
@@ -23140,7 +23152,7 @@ index e50f33c..2f7de33 100644
  manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
  manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
  manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -201,14 +207,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
+@@ -201,14 +214,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
  
  kernel_read_kernel_sysctls(ftpd_t)
  kernel_read_system_state(ftpd_t)
@@ -23156,7 +23168,7 @@ index e50f33c..2f7de33 100644
  corenet_all_recvfrom_netlabel(ftpd_t)
  corenet_tcp_sendrecv_generic_if(ftpd_t)
  corenet_udp_sendrecv_generic_if(ftpd_t)
-@@ -224,9 +229,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
+@@ -224,9 +236,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
  corenet_sendrecv_ftp_data_server_packets(ftpd_t)
  corenet_tcp_bind_ftp_data_port(ftpd_t)
  
@@ -23170,7 +23182,7 @@ index e50f33c..2f7de33 100644
  files_read_etc_runtime_files(ftpd_t)
  files_search_var_lib(ftpd_t)
  
-@@ -245,7 +253,6 @@ logging_send_audit_msgs(ftpd_t)
+@@ -245,7 +260,6 @@ logging_send_audit_msgs(ftpd_t)
  logging_send_syslog_msg(ftpd_t)
  logging_set_loginuid(ftpd_t)
  
@@ -23178,7 +23190,7 @@ index e50f33c..2f7de33 100644
  miscfiles_read_public_files(ftpd_t)
  
  seutil_dontaudit_search_config(ftpd_t)
-@@ -254,32 +261,42 @@ sysnet_use_ldap(ftpd_t)
+@@ -254,32 +268,49 @@ sysnet_use_ldap(ftpd_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
  userdom_dontaudit_search_user_home_dirs(ftpd_t)
@@ -23201,6 +23213,13 @@ index e50f33c..2f7de33 100644
  ')
  
 -tunable_policy(`allow_ftpd_use_nfs',`
++tunable_policy(`ftpd_use_fusefs',`
++        fs_manage_fusefs_dirs(ftpd_t)
++        fs_manage_fusefs_files(ftpd_t)
++',`
++        fs_search_fusefs(ftpd_t)
++')
++
 +tunable_policy(`ftpd_use_nfs',`
  	fs_read_nfs_files(ftpd_t)
  	fs_read_nfs_symlinks(ftpd_t)
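Review bot: With `ftpd_use_fusefs` enabled, ftpd_t receives `fs_manage_fusefs_dirs` and `fs_manage_fusefs_files`, i.e. create, write and delete, whereas the `ftpd_use_nfs` block directly below starts from `fs_read_nfs_files` and `fs_read_nfs_symlinks`. Unless write access is meant to follow from the boolean alone, the parallel form would be `fs_read_fusefs_files(ftpd_t)` and `fs_read_fusefs_symlinks(ftpd_t)` here, with the manage rules placed under whichever tunable gates writes for the other filesystems. The rest of the `ftpd_use_nfs` block is outside the hunk, so check how it handles writes before settling on this. The new block is also indented with spaces where the file uses tabs.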
@@ -23228,7 +23247,7 @@ index e50f33c..2f7de33 100644
  ')
  
  tunable_policy(`ftpd_use_passive_mode',`
-@@ -299,9 +316,9 @@ tunable_policy(`ftpd_connect_db',`
+@@ -299,9 +330,9 @@ tunable_policy(`ftpd_connect_db',`
  	corenet_sendrecv_mssql_client_packets(ftpd_t)
  	corenet_tcp_connect_mssql_port(ftpd_t)
  	corenet_tcp_sendrecv_mssql_port(ftpd_t)
@@ -23241,7 +23260,7 @@ index e50f33c..2f7de33 100644
  ')
  
  tunable_policy(`ftp_home_dir',`
-@@ -309,12 +326,9 @@ tunable_policy(`ftp_home_dir',`
+@@ -309,12 +340,9 @@ tunable_policy(`ftp_home_dir',`
  
  	userdom_manage_user_home_content_dirs(ftpd_t)
  	userdom_manage_user_home_content_files(ftpd_t)
@@ -23254,7 +23273,7 @@ index e50f33c..2f7de33 100644
  	userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
  ')
  
-@@ -360,7 +374,7 @@ optional_policy(`
+@@ -360,7 +388,7 @@ optional_policy(`
  	selinux_validate_context(ftpd_t)
  
  	kerberos_keytab_template(ftpd, ftpd_t)
@@ -23263,7 +23282,7 @@ index e50f33c..2f7de33 100644
  ')
  
  optional_policy(`
-@@ -410,21 +424,20 @@ optional_policy(`
+@@ -410,21 +438,20 @@ optional_policy(`
  #
  
  stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -23287,7 +23306,7 @@ index e50f33c..2f7de33 100644
  
  miscfiles_read_public_files(anon_sftpd_t)
  
-@@ -437,23 +450,34 @@ tunable_policy(`sftpd_anon_write',`
+@@ -437,23 +464,34 @@ tunable_policy(`sftpd_anon_write',`
  # Sftpd local policy
  #
  
@@ -23328,7 +23347,7 @@ index e50f33c..2f7de33 100644
  ')
  
  tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -475,21 +499,11 @@ tunable_policy(`sftpd_anon_write',`
+@@ -475,21 +513,11 @@ tunable_policy(`sftpd_anon_write',`
  tunable_policy(`sftpd_full_access',`
  	allow sftpd_t self:capability { dac_override dac_read_search };
  	fs_read_noxattr_fs_files(sftpd_t)
@@ -36788,7 +36807,7 @@ index 6194b80..648d041 100644
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..4c1c064 100644
+index 6a306ee..8faac8d 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -1,4 +1,4 @@
@@ -37047,10 +37066,10 @@ index 6a306ee..4c1c064 100644
 -userdom_manage_user_home_content_dirs(mozilla_t)
 -userdom_manage_user_home_content_files(mozilla_t)
 -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
--
--userdom_write_user_tmp_sockets(mozilla_t)
 +userdom_use_inherited_user_ptys(mozilla_t)
  
+-userdom_write_user_tmp_sockets(mozilla_t)
+-
 -mozilla_run_plugin(mozilla_t, mozilla_roles)
 -mozilla_run_plugin_config(mozilla_t, mozilla_roles)
 +#mozilla_run_plugin(mozilla_t, mozilla_roles)
@@ -37213,7 +37232,7 @@ index 6a306ee..4c1c064 100644
  ')
  
  optional_policy(`
-@@ -300,221 +308,171 @@ optional_policy(`
+@@ -300,221 +308,173 @@ optional_policy(`
  
  ########################################
  #
@@ -37468,7 +37487,8 @@ index 6a306ee..4c1c064 100644
 -userdom_manage_user_home_content_dirs(mozilla_plugin_t)
 -userdom_manage_user_home_content_files(mozilla_plugin_t)
 -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
--
++systemd_read_logind_sessions_files(mozilla_plugin_t)
+ 
 -userdom_write_user_tmp_sockets(mozilla_plugin_t)
 +term_getattr_all_ttys(mozilla_plugin_t)
 +term_getattr_all_ptys(mozilla_plugin_t)
@@ -37528,7 +37548,7 @@ index 6a306ee..4c1c064 100644
  ')
  
  optional_policy(`
-@@ -523,36 +481,47 @@ optional_policy(`
+@@ -523,36 +483,47 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -37589,7 +37609,7 @@ index 6a306ee..4c1c064 100644
  ')
  
  optional_policy(`
-@@ -560,7 +529,7 @@ optional_policy(`
+@@ -560,7 +531,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -37598,7 +37618,7 @@ index 6a306ee..4c1c064 100644
  ')
  
  optional_policy(`
-@@ -568,108 +537,108 @@ optional_policy(`
+@@ -568,108 +539,108 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43275,7 +43295,7 @@ index 46e55c3..346242e 100644
 +	allow $1 nis_unit_file_t:service all_service_perms;
  ')
 diff --git a/nis.te b/nis.te
-index 3e4a31c..0d16edc 100644
+index 3e4a31c..bd8e3ff 100644
 --- a/nis.te
 +++ b/nis.te
 @@ -1,12 +1,10 @@
@@ -43465,7 +43485,7 @@ index 3e4a31c..0d16edc 100644
  
  sysnet_read_config(yppasswdd_t)
  
-@@ -219,6 +215,10 @@ optional_policy(`
+@@ -219,6 +215,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43473,10 +43493,14 @@ index 3e4a31c..0d16edc 100644
 +')
 +
 +optional_policy(`
++	nis_use_ypbind(yppasswdd_t)
++')
++
++optional_policy(`
  	seutil_sigchld_newrole(yppasswdd_t)
  ')
  
-@@ -234,7 +234,8 @@ optional_policy(`
+@@ -234,7 +238,8 @@ optional_policy(`
  dontaudit ypserv_t self:capability sys_tty_config;
  allow ypserv_t self:fifo_file rw_fifo_file_perms;
  allow ypserv_t self:process signal_perms;
@@ -43486,7 +43510,7 @@ index 3e4a31c..0d16edc 100644
  allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
  allow ypserv_t self:tcp_socket connected_stream_socket_perms;
  allow ypserv_t self:udp_socket create_socket_perms;
-@@ -254,7 +255,6 @@ kernel_read_kernel_sysctls(ypserv_t)
+@@ -254,7 +259,6 @@ kernel_read_kernel_sysctls(ypserv_t)
  kernel_list_proc(ypserv_t)
  kernel_read_proc_symlinks(ypserv_t)
  
@@ -43494,7 +43518,7 @@ index 3e4a31c..0d16edc 100644
  corenet_all_recvfrom_netlabel(ypserv_t)
  corenet_tcp_sendrecv_generic_if(ypserv_t)
  corenet_udp_sendrecv_generic_if(ypserv_t)
-@@ -264,31 +264,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t)
+@@ -264,31 +268,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t)
  corenet_udp_sendrecv_all_ports(ypserv_t)
  corenet_tcp_bind_generic_node(ypserv_t)
  corenet_udp_bind_generic_node(ypserv_t)
@@ -43532,7 +43556,7 @@ index 3e4a31c..0d16edc 100644
  
  nis_domtrans_ypxfr(ypserv_t)
  
-@@ -310,8 +306,8 @@ optional_policy(`
+@@ -310,8 +310,8 @@ optional_policy(`
  # ypxfr local policy
  #
  
@@ -43543,7 +43567,7 @@ index 3e4a31c..0d16edc 100644
  allow ypxfr_t self:tcp_socket create_stream_socket_perms;
  allow ypxfr_t self:udp_socket create_socket_perms;
  allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -326,7 +322,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
+@@ -326,7 +326,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
  manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
  files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
  
@@ -43551,7 +43575,7 @@ index 3e4a31c..0d16edc 100644
  corenet_all_recvfrom_netlabel(ypxfr_t)
  corenet_tcp_sendrecv_generic_if(ypxfr_t)
  corenet_udp_sendrecv_generic_if(ypxfr_t)
-@@ -336,23 +331,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t)
+@@ -336,23 +335,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t)
  corenet_udp_sendrecv_all_ports(ypxfr_t)
  corenet_tcp_bind_generic_node(ypxfr_t)
  corenet_udp_bind_generic_node(ypxfr_t)
@@ -48201,10 +48225,10 @@ index 0000000..407386d
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..45e60e5
+index 0000000..894ce1c
 --- /dev/null
 +++ b/openshift.te
-@@ -0,0 +1,526 @@
+@@ -0,0 +1,530 @@
 +policy_module(openshift,1.0.0)
 +
 +gen_require(`
@@ -48728,6 +48752,10 @@ index 0000000..45e60e5
 +')
 +
 +optional_policy(`
++	quota_read_db(openshift_cron_t)
++')
++
++optional_policy(`
 +	ssh_exec_keygen(openshift_cron_t)
 +	ssh_dontaudit_read_server_keys(openshift_cron_t)
 +')
@@ -81326,10 +81354,10 @@ index 0000000..bfcd2c7
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..aaf768a
+index 0000000..49cd645
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,137 @@
+@@ -0,0 +1,138 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -81424,6 +81452,7 @@ index 0000000..aaf768a
 +userdom_dontaudit_setattr_user_tmp(thumb_t)
 +userdom_read_user_tmp_files(thumb_t)
 +userdom_read_user_home_content_files(thumb_t)
++userdom_exec_user_home_content_files(thumb_t)
 +userdom_write_user_tmp_files(thumb_t)
 +userdom_read_home_audio_files(thumb_t)
 +userdom_home_reader(thumb_t)
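Review bot: `userdom_exec_user_home_content_files(thumb_t)` lets the thumbnailer domain execute files from the user's home directory, which weakens the confinement: thumb_t exists to contain code that parses untrusted media, and user home content is writable by anything running as the user. The hunk gives no reason for the grant, so at minimum add a comment naming the thumbnailer that needs it, e.g. `# <thumbnailer name> is launched from the user home directory`. If the need is a specific helper or plugin, labelling that path with a dedicated executable type and allowing only that would keep the rest of the home directory non-executable for this domain. The thumb_t rule list continues outside the hunk.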
@@ -82357,7 +82386,7 @@ index e29db63..061fb98 100644
  	domain_system_change_exemption($1)
  	role_transition $2 tuned_initrc_exec_t system_r;
 diff --git a/tuned.te b/tuned.te
-index 7116181..0bd0be9 100644
+index 7116181..7a80e6d 100644
 --- a/tuned.te
 +++ b/tuned.te
 @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -82370,9 +82399,12 @@ index 7116181..0bd0be9 100644
  type tuned_var_run_t;
  files_pid_file(tuned_var_run_t)
  
-@@ -31,8 +34,10 @@ files_pid_file(tuned_var_run_t)
+@@ -29,10 +32,12 @@ files_pid_file(tuned_var_run_t)
+ # Local policy
+ #
  
- allow tuned_t self:capability { sys_admin sys_nice };
+-allow tuned_t self:capability { sys_admin sys_nice };
++allow tuned_t self:capability { sys_admin sys_nice sys_rawio };
  dontaudit tuned_t self:capability { dac_override sys_tty_config };
 -allow tuned_t self:process { setsched signal };
 +allow tuned_t self:process {  setsched signal };
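Review bot: `sys_rawio` is added to `allow tuned_t self:capability` with no record of which tuned operation needs it; the changelog says only that tuned wants the capability. Combined with the existing `sys_admin`, this is a broad grant for a long-running daemon, so the denial that prompted it should be traceable from the policy. I suggest a comment above the rule, e.g. `# sys_rawio: <operation denied in the AVC> (<bug id>)`, so a later audit can decide whether the capability is still required.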
@@ -85655,7 +85687,7 @@ index 9dec06c..b991ec7 100644
 +	allow svirt_lxc_domain $1:process sigchld;
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..e780b1b 100644
+index 1f22fba..64e638c 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,94 +1,98 @@
@@ -86524,7 +86556,7 @@ index 1f22fba..e780b1b 100644
 +# virtual domains common policy
 +#
 +allow virt_domain self:capability2 compromise_kernel;
-+allow virt_domain self:process { setrlimit signal_perms getsched };
++allow virt_domain self:process { setrlimit signal_perms getsched setsched };
 +allow virt_domain self:fifo_file rw_fifo_file_perms;
 +allow virt_domain self:shm create_shm_perms;
 +allow virt_domain self:unix_stream_socket create_stream_socket_perms;
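Review bot: Adding `setsched` to `allow virt_domain self:process` applies to every type carrying the virt_domain attribute, while the changelog gives the reason as running gdb on itself, which reads as a debugging case. If that is the only consumer, the permission would sit better in its own rule, `allow virt_domain self:process setsched;`, under a conditional the policy already uses for debugging. Failing that, it should at least carry `# setsched: needed when gdb runs inside the domain (<bug id>)`. The common-policy block this line belongs to starts and ends outside the hunk.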
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b22aa16..2989464 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 23%{?dist}
+Release: 24%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -526,6 +526,28 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Mar 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-24
+- Add labeling for /usr/share/pki
+- Allow programs that read var_run_t symlinks also read var_t symlinks
+- Add additional ports as mongod_port_t for  27018, 27019, 28017, 28018 and 28019 ports
+- Fix labeling for /etc/dhcp directory
+- add missing systemd_stub_unit_file() interface
+- Add files_stub_var() interface
+- Add lables for cert_t directories
+- Make localectl set-x11-keymap working at all
+- Allow abrt to manage mock build environments to catch build problems.
+- Allow virt_domains to setsched for running gdb on itself
+- Allow thumb_t to execute user home content
+- Allow pulseaudio running as mozilla_plugin_t to read /run/systemd/users/1000
+- Allow certwatch to execut /usr/bin/httpd
+- Allow cgred to send signal perms to itself, needs back port to RHEL6
+- Allow openshift_cron_t to look at quota
+- Allow cups_t to read inhered tmpfs_t from the kernel
+- Allow yppasswdd to use NIS
+- Tuned wants sys_rawio capability
+- Add ftpd_use_fusefs boolean
+- Allow dirsrvadmin_t to signal itself
+
 * Wed Mar 20 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-23
 - Allow localectl to read /etc/X11/xorg.conf.d directory
 - Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors""