diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 1868e25..9763ea9 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index ac108ca..f6f8c8e 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5718,7 +5718,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..e66e77a 100644
+index b191055..5ee0a46 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5874,7 +5874,7 @@ index b191055..e66e77a 100644
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +179,55 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +179,57 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5915,7 +5915,9 @@ index b191055..e66e77a 100644
+network_port(kerberos_password, tcp,464,s0, udp,464,s0)
+network_port(keystone, tcp, 35357,s0, udp, 35357,s0)
+network_port(kubernetes, tcp, 10250,s0, tcp, 4001,s0, tcp, 4194,s0)
++network_port(lltng, tcp, 5345, s0)
+network_port(rabbitmq, tcp,25672,s0)
++network_port(rkt, tcp,18112,s0)
+network_port(rlogin, tcp,543,s0, tcp,2105,s0)
+network_port(rtsclient, tcp,2501,s0)
network_port(kprop, tcp,754,s0)
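Review bot: The port name in `network_port(lltng, tcp, 5345, s0)` transposes two letters of LTTng, and every generated identifier inherits the misspelling; lttng-tools.te, added later in this same commit, already calls `corenet_tcp_bind_lltng_port`. Renaming it now is cheaper than after other modules start to depend on the misspelt port type: `network_port(lttng, tcp,5345,s0)` here and `corenet_tcp_bind_lttng_port(lttng_sessiond_t)` in the caller. The surrounding list of network_port() declarations continues outside this hunk.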
@@ -5945,7 +5947,7 @@ index b191055..e66e77a 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,101 +235,126 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,101 +237,126 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@@ -6090,7 +6092,7 @@ index b191055..e66e77a 100644
network_port(xserver, tcp,6000-6020,s0)
network_port(zarafa, tcp,236,s0, tcp,237,s0)
network_port(zabbix, tcp,10051,s0)
-@@ -288,19 +362,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +364,23 @@ network_port(zabbix_agent, tcp,10050,s0)
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
@@ -6117,7 +6119,7 @@ index b191055..e66e77a 100644
########################################
#
-@@ -333,6 +411,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +413,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@@ -6126,7 +6128,7 @@ index b191055..e66e77a 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
-@@ -345,9 +425,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +427,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -36340,7 +36342,7 @@ index c42fbc3..bf211db 100644
+ files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
+')
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index be8ed1e..bce6063 100644
+index be8ed1e..e336bc1 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -16,15 +16,18 @@ role iptables_roles types iptables_t;
@@ -36455,20 +36457,21 @@ index be8ed1e..bce6063 100644
')
optional_policy(`
-@@ -110,6 +126,12 @@ optional_policy(`
+@@ -110,6 +126,13 @@ optional_policy(`
')
optional_policy(`
+ firewalld_read_config(iptables_t)
+ firewalld_read_pid_files(iptables_t)
+ firewalld_dontaudit_write_tmp_files(iptables_t)
++ firewalld_dontaudit_leaks(iptables_t)
+')
+
+optional_policy(`
modutils_run_insmod(iptables_t, iptables_roles)
')
-@@ -124,6 +146,16 @@ optional_policy(`
+@@ -124,6 +147,16 @@ optional_policy(`
optional_policy(`
psad_rw_tmp_files(iptables_t)
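Review bot: `firewalld_dontaudit_leaks(iptables_t)` is added without a comment saying which inherited descriptors it silences, and the interface body is not part of this hunk. A dontaudit rule removes the AVC record rather than the leak, so any later use of those descriptors by iptables_t would leave no audit trail. I would add a comment above the call such as `# firewalld passes open descriptors to iptables on exec; silenced until firewalld marks them close-on-exec` (wording to be confirmed against the actual denial). Reviewers who need to see the denials again can rebuild temporarily with dontaudit rules disabled (`semodule -DB`).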
@@ -36485,7 +36488,7 @@ index be8ed1e..bce6063 100644
')
optional_policy(`
-@@ -135,9 +167,9 @@ optional_policy(`
+@@ -135,9 +168,9 @@ optional_policy(`
')
optional_policy(`
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index c6d4153..d3c8d76 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -589,7 +589,7 @@ index 058d908..ee0c559 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index eb50f07..11582eb 100644
+index eb50f07..22f5977 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -1044,7 +1044,7 @@ index eb50f07..11582eb 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +468,76 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +468,78 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -1094,6 +1094,8 @@ index eb50f07..11582eb 100644
+
+auth_read_passwd(abrt_dump_oops_t)
+
++corecmd_getattr_all_executables(abrt_dump_oops_t)
++
+dev_read_urand(abrt_dump_oops_t)
+dev_read_rand(abrt_dump_oops_t)
@@ -1102,10 +1104,10 @@ index eb50f07..11582eb 100644
+domain_ptrace_all_domains(abrt_dump_oops_t)
+domain_read_all_domains_state(abrt_dump_oops_t)
+domain_getattr_all_domains(abrt_dump_oops_t)
-
++
+files_manage_non_security_dirs(abrt_dump_oops_t)
+files_manage_non_security_files(abrt_dump_oops_t)
-+
+
+fs_getattr_all_fs(abrt_dump_oops_t)
fs_list_inotifyfs(abrt_dump_oops_t)
+fs_list_pstorefs(abrt_dump_oops_t)
@@ -1125,7 +1127,7 @@ index eb50f07..11582eb 100644
#######################################
#
-@@ -404,25 +545,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +547,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1188,7 +1190,7 @@ index eb50f07..11582eb 100644
')
#######################################
-@@ -430,10 +606,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +608,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
@@ -3449,10 +3451,10 @@ index 0000000..d8b04b5
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index 7caefc3..b25689b 100644
+index 7caefc3..4313ba3 100644
--- a/apache.fc
+++ b/apache.fc
-@@ -1,162 +1,211 @@
+@@ -1,162 +1,212 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3710,6 +3712,7 @@ index 7caefc3..b25689b 100644
+/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/graphite-web(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -15295,7 +15298,7 @@ index 954309e..6780142 100644
')
+
diff --git a/collectd.te b/collectd.te
-index 6471fa8..3baa00b 100644
+index 6471fa8..3f5989f 100644
--- a/collectd.te
+++ b/collectd.te
@@ -26,43 +26,59 @@ files_type(collectd_var_lib_t)
@@ -15317,7 +15320,7 @@ index 6471fa8..3baa00b 100644
#
-allow collectd_t self:capability { ipc_lock sys_nice };
-+allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_override };
++allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_override setuid setgid };
allow collectd_t self:process { getsched setsched signal };
allow collectd_t self:fifo_file rw_fifo_file_perms;
allow collectd_t self:packet_socket create_socket_perms;
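Review bot: The new capability set for collectd_t adds both `setuid` and `setgid`, but the changelog entry in this commit only says "Allow collectd setgid capability". The domain already holds `sys_ptrace`, `dac_override`, `net_admin` and `net_raw`, so each extra identity-changing capability deserves a stated reason. If the reported denial was for setgid only, the line should read `allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_override setgid };`. If collectd really drops privileges with both calls, the changelog entry should name `setuid` as well.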
@@ -20550,7 +20553,7 @@ index 3023be7..0317731 100644
+ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
')
diff --git a/cups.te b/cups.te
-index c91813c..3d89006 100644
+index c91813c..65e9a4d 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
@@ -20914,6 +20917,15 @@ index c91813c..3d89006 100644
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
samba_stream_connect_nmbd(cupsd_t)
+@@ -326,7 +387,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- snmp_read_snmp_var_lib_files(cupsd_t)
++ snmp_manage_var_lib_files(cupsd_t)
+ ')
+
+ optional_policy(`
@@ -334,7 +395,11 @@ optional_policy(`
')
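Review bot: Replacing `snmp_read_snmp_var_lib_files(cupsd_t)` with `snmp_manage_var_lib_files(cupsd_t)` takes cupsd_t from read-only to what the interface name suggests is full create/write/delete on the SNMP var-lib type. The stated need in the changelog is only that the hplip driver writes its MIB index files under /var/lib/net-snmp/mib_indexes. The interface body is not visible here, so the exact permission set should be confirmed. If it covers all of the snmpd state directory, a narrower grant would fit the need better, for example a dedicated type for the mib_indexes directory. At minimum the call should carry a comment such as `# hplip backend updates /var/lib/net-snmp/mib_indexes (rhbz#1291033)`.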
@@ -40567,10 +40579,10 @@ index 3a00b3a..92f125f 100644
+')
+
diff --git a/kdump.te b/kdump.te
-index 715fc21..8bcd248 100644
+index 715fc21..e8792ed 100644
--- a/kdump.te
+++ b/kdump.te
-@@ -12,35 +12,57 @@ init_system_domain(kdump_t, kdump_exec_t)
+@@ -12,35 +12,58 @@ init_system_domain(kdump_t, kdump_exec_t)
type kdump_etc_t;
files_config_file(kdump_etc_t)
@@ -40620,6 +40632,7 @@ index 715fc21..8bcd248 100644
-files_read_etc_files(kdump_t)
files_read_etc_runtime_files(kdump_t)
+files_read_kernel_symbol_table(kdump_t)
++files_read_kernel_modules(kdump_t)
files_read_kernel_img(kdump_t)
+kernel_read_system_state(kdump_t)
@@ -40633,7 +40646,7 @@ index 715fc21..8bcd248 100644
dev_read_framebuffer(kdump_t)
dev_read_sysfs(kdump_t)
-@@ -48,22 +70,35 @@ term_use_console(kdump_t)
+@@ -48,22 +71,35 @@ term_use_console(kdump_t)
#######################################
#
@@ -40673,7 +40686,7 @@ index 715fc21..8bcd248 100644
kernel_read_system_state(kdumpctl_t)
-@@ -71,46 +106,56 @@ corecmd_exec_bin(kdumpctl_t)
+@@ -71,46 +107,56 @@ corecmd_exec_bin(kdumpctl_t)
corecmd_exec_shell(kdumpctl_t)
dev_read_sysfs(kdumpctl_t)
@@ -46094,6 +46107,187 @@ index 4ec0eea..03738f2 100644
+storage_raw_rw_fixed_disk(lsmd_plugin_t)
+storage_read_scsi_generic(lsmd_plugin_t)
+storage_write_scsi_generic(lsmd_plugin_t)
+diff --git a/lttng-tools.fc b/lttng-tools.fc
+new file mode 100644
+index 0000000..bdd17ca
+--- /dev/null
++++ b/lttng-tools.fc
+@@ -0,0 +1,5 @@
++/usr/bin/lttng-sessiond -- gen_context(system_u:object_r:lttng_sessiond_exec_t,s0)
++
++/usr/lib/systemd/system/lttng-sessiond.service -- gen_context(system_u:object_r:lttng_sessiond_unit_file_t,s0)
++
++/var/run/lttng(/.*)? gen_context(system_u:object_r:lttng_sessiond_var_run_t,s0)
+diff --git a/lttng-tools.if b/lttng-tools.if
+new file mode 100644
+index 0000000..6b0da33
+--- /dev/null
++++ b/lttng-tools.if
+@@ -0,0 +1,98 @@
++
++## LTTng 2.x central tracing registry session daemon.
++
++########################################
++##
++## Execute lttng_sessiond_exec_t in the lttng_sessiond domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`lttng_sessiond_domtrans',`
++ gen_require(`
++ type lttng_sessiond_t, lttng_sessiond_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, lttng_sessiond_exec_t, lttng_sessiond_t)
++')
++
++######################################
++##
++## Execute lttng_sessiond in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`lttng_sessiond_exec',`
++ gen_require(`
++ type lttng_sessiond_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, lttng_sessiond_exec_t)
++')
++
++########################################
++##
++## Execute lttng_sessiond server in the lttng_sessiond domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`lttng_sessiond_systemctl',`
++ gen_require(`
++ type lttng_sessiond_t;
++ type lttng_sessiond_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 lttng_sessiond_unit_file_t:file read_file_perms;
++ allow $1 lttng_sessiond_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, lttng_sessiond_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an lttng_sessiond environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`lttng_sessiond_admin',`
++ gen_require(`
++ type lttng_sessiond_t;
++ type lttng_sessiond_unit_file_t;
++ ')
++
++ allow $1 lttng_sessiond_t:process { signal_perms };
++ ps_process_pattern($1, lttng_sessiond_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 lttng_sessiond_t:process ptrace;
++ ')
++
++ lttng_sessiond_systemctl($1)
++ admin_pattern($1, lttng_sessiond_unit_file_t)
++ allow $1 lttng_sessiond_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/lttng-tools.te b/lttng-tools.te
+new file mode 100644
+index 0000000..0b9ade5
+--- /dev/null
++++ b/lttng-tools.te
+@@ -0,0 +1,60 @@
++policy_module(lttng-tools, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type lttng_sessiond_t;
++type lttng_sessiond_exec_t;
++init_daemon_domain(lttng_sessiond_t, lttng_sessiond_exec_t)
++
++type lttng_sessiond_tmpfs_t;
++files_tmpfs_file(lttng_sessiond_tmpfs_t)
++
++type lttng_sessiond_var_run_t;
++files_pid_file(lttng_sessiond_var_run_t)
++
++type lttng_sessiond_unit_file_t;
++systemd_unit_file(lttng_sessiond_unit_file_t)
++
++########################################
++#
++# lttng_sessiond local policy
++#
++
++allow lttng_sessiond_t self:capability { chown setgid setuid fsetid net_admin sys_resource };
++
++allow lttng_sessiond_t self:process { setrlimit signal_perms };
++allow lttng_sessiond_t self:fifo_file rw_fifo_file_perms;
++allow lttng_sessiond_t self:tcp_socket listen;
++allow lttng_sessiond_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t)
++manage_files_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t)
++manage_lnk_files_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t)
++manage_sock_files_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t)
++files_pid_filetrans(lttng_sessiond_t, lttng_sessiond_var_run_t, { dir })
++
++manage_dirs_pattern(lttng_sessiond_t, lttng_sessiond_tmpfs_t, lttng_sessiond_tmpfs_t)
++manage_files_pattern(lttng_sessiond_t, lttng_sessiond_tmpfs_t, lttng_sessiond_tmpfs_t)
++fs_tmpfs_filetrans(lttng_sessiond_t, lttng_sessiond_tmpfs_t, { dir file })
++
++kernel_read_system_state(lttng_sessiond_t)
++kernel_read_net_sysctls(lttng_sessiond_t)
++kernel_read_fs_sysctls(lttng_sessiond_t)
++
++corecmd_exec_shell(lttng_sessiond_t)
++
++corenet_tcp_bind_generic_node(lttng_sessiond_t)
++corenet_tcp_bind_lltng_port(lttng_sessiond_t)
++
++dev_read_sysfs(lttng_sessiond_t)
++
++fs_getattr_tmpfs(lttng_sessiond_t)
++
++auth_use_nsswitch(lttng_sessiond_t)
++
++modutils_exec_insmod(lttng_sessiond_t)
++modutils_read_module_config(lttng_sessiond_t)
++files_read_kernel_modules(lttng_sessiond_t)
diff --git a/mailman.fc b/mailman.fc
index 995d0a5..3d40d59 100644
--- a/mailman.fc
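Review bot: `modutils_exec_insmod(lttng_sessiond_t)` near the end of lttng-tools.te runs the module loader inside lttng_sessiond_t itself, yet the capability line for that domain grants no `sys_module`, so loading the LTTng kernel modules would presumably still be denied. Adding `sys_module` would instead put module loading next to `setuid`, `chown` and `corecmd_exec_shell` in a single network-listening daemon domain. If module loading is intended, `modutils_domtrans_insmod(lttng_sessiond_t)` keeps that privilege in the loader's own domain. Separately, `allow lttng_sessiond_t self:tcp_socket listen;` grants no `accept`; the mongodb policy elsewhere in this patch uses `{ accept listen }`, which is probably what is wanted here too. In lttng-tools.if the summary of `lttng_sessiond_systemctl` still reads "Execute lttng_sessiond server in the lttng_sessiond domain" although the body grants systemctl execution and unit-file management, and `lttng_sessiond_admin` does not cover lttng_sessiond_var_run_t or lttng_sessiond_tmpfs_t.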
@@ -49489,7 +49683,7 @@ index 6fcfc31..e9e6bc5 100644
+/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0)
+/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
diff --git a/mongodb.te b/mongodb.te
-index 169f236..608c584 100644
+index 169f236..f19680b 100644
--- a/mongodb.te
+++ b/mongodb.te
@@ -12,6 +12,9 @@ init_daemon_domain(mongod_t, mongod_exec_t)
@@ -49502,7 +49696,7 @@ index 169f236..608c584 100644
type mongod_log_t;
logging_log_file(mongod_log_t)
-@@ -21,19 +24,25 @@ files_type(mongod_var_lib_t)
+@@ -21,19 +24,26 @@ files_type(mongod_var_lib_t)
type mongod_var_run_t;
files_pid_file(mongod_var_run_t)
@@ -49526,6 +49720,7 @@ index 169f236..608c584 100644
-logging_log_filetrans(mongod_t, mongod_log_t, dir)
+allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
+allow mongod_t self:unix_stream_socket create_stream_socket_perms;
++allow mongod_t self:unix_dgram_socket create_socket_perms;
+allow mongod_t self:udp_socket create_socket_perms;
+allow mongod_t self:tcp_socket { accept listen };
+
@@ -49534,7 +49729,7 @@ index 169f236..608c584 100644
manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
-@@ -41,21 +50,44 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
+@@ -41,21 +51,44 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
@@ -54602,7 +54797,7 @@ index b708708..f4c0e61 100644
+ apache_search_sys_content(munin_t)
+')
diff --git a/mysql.fc b/mysql.fc
-index 06f8666..4599ab5 100644
+index 06f8666..2accd90 100644
--- a/mysql.fc
+++ b/mysql.fc
@@ -1,27 +1,46 @@
@@ -54656,7 +54851,7 @@ index 06f8666..4599ab5 100644
+#
+# /var
+#
-+/var/lib/mysql(-files)?(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
++/var/lib/mysql(-files|-keyring)?(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
+/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
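Review bot: The widened pattern `/var/lib/mysql(-files|-keyring)?(/.*)?` labels the keyring directory `mysqld_db_t`, the same type as ordinary database files. Any domain already allowed to read `mysqld_db_t` (which domains those are is not visible in this hunk) can therefore also read the tablespace-encryption key material. Giving the keyring its own entry and type would keep key access separate from data access, for example `/var/lib/mysql-keyring(/.*)? gen_context(system_u:object_r:<new_keyring_type>,s0)`, where the placeholder stands for a type that would have to be declared in mysql.te and made manageable by mysqld_t only. The rest of mysql.fc lies outside this hunk.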
@@ -102307,7 +102502,7 @@ index a240455..04419ae 100644
- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
-index 2d8db1f..edad970 100644
+index 2d8db1f..a696686 100644
--- a/sssd.te
+++ b/sssd.te
@@ -28,17 +28,25 @@ logging_log_file(sssd_var_log_t)
@@ -102350,7 +102545,7 @@ index 2d8db1f..edad970 100644
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
-@@ -62,17 +68,12 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+@@ -62,17 +68,13 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
kernel_read_network_state(sssd_t)
kernel_read_system_state(sssd_t)
@@ -102368,10 +102563,11 @@ index 2d8db1f..edad970 100644
corenet_dontaudit_udp_bind_all_ports(sssd_t)
+corenet_tcp_connect_kerberos_password_port(sssd_t)
+corenet_tcp_connect_smbd_port(sssd_t)
++corenet_tcp_connect_http_port(sssd_t)
corecmd_exec_bin(sssd_t)
-@@ -83,28 +84,35 @@ domain_read_all_domains_state(sssd_t)
+@@ -83,28 +85,35 @@ domain_read_all_domains_state(sssd_t)
domain_obj_id_change_exemption(sssd_t)
files_list_tmp(sssd_t)
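Review bot: `corenet_tcp_connect_http_port(sssd_t)` lets sssd_t open outbound connections to every port labelled as an HTTP port, and none of the 3.13.1-172 changelog entries in this commit explains why. sssd_t handles credentials and, with this same commit, gains write access to the Kerberos keytab, so a new outbound channel should be traceable to a concrete need. I would add a comment above the call, `# <sssd component> contacts <service> over HTTP(S) - rhbz#<bug id>` (placeholders to be filled in), together with a matching changelog line. If only some deployments need it, wrapping the call in a tunable would keep the default closed.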
@@ -102411,7 +102607,7 @@ index 2d8db1f..edad970 100644
init_read_utmp(sssd_t)
-@@ -112,18 +120,63 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +121,64 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_generic_certs(sssd_t)
@@ -102438,6 +102634,7 @@ index 2d8db1f..edad970 100644
+ kerberos_tmp_filetrans_host_rcache(sssd_t, "host_0")
+ kerberos_read_home_content(sssd_t)
+ kerberos_rw_config(sssd_t)
++ kerberos_rw_keytab(sssd_t)
+')
+
+optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d550adf..799d32d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 171%{?dist}
+Release: 172%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -673,6 +673,22 @@ exit 0
%endif
%changelog
+* Thu Feb 25 2016 Lukas Vrabec 3.13.1-172
+- Fix macro name from snmp_manage_snmp_var_lib_files to snmp_manage_var_lib_files in cupsd policy.
+- Allow hplip driver to write to its MIB index files stored in the /var/lib/net-snmp/mib_indexes. Resolves: rhbz#1291033
+- Allow collectd setgid capability Resolves:#1310896
+- Allow adcli running as sssd_t to write krb5.keytab file.
+- Allow abrt-hook-ccpp to getattr on all executables. BZ(1284304)
+- Allow kexec to read kernel module files in /usr/lib/modules.
+- Add httpd_log_t for /var/log/graphite-web rhbz#1306981
+- Remove redudant rules and fix _admin interface.
+- Add SELinux policy for LTTng 2.x central tracing registry session daemon.
+- Allow create mongodb unix dgram sockets. rhbz#1306819
+- Support for InnoDB Tablespace Encryption.
+- Dontaudit leaded file descriptors from firewalld
+- Add port for rkt services
+- Add support for the default lttng-sessiond port - tcp/5345. This port is used by LTTng 2.x central tracing registry session daemon.
+
* Thu Feb 11 2016 Lukas Vrabec 3.13.1-171
- Allow setroubleshoot_fixit_t to use temporary files