diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 3a4a272..5224658 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 23edb1d..0af94e9 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -25199,7 +25199,7 @@ index ff92430..36740ea 100644
##
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6..f7ff2c7 100644
+index 2522ca6..d2f55a2 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1)
@@ -25464,7 +25464,7 @@ index 2522ca6..f7ff2c7 100644
')
optional_policy(`
-@@ -210,22 +308,20 @@ optional_policy(`
+@@ -210,22 +308,21 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -25490,10 +25490,11 @@ index 2522ca6..f7ff2c7 100644
+ # this is defined in userdom_common_user_template
+ #mta_filetrans_home_content(sysadm_t)
+ mta_filetrans_admin_home_content(sysadm_t)
++ mta_rw_aliases(sysadm_t)
')
optional_policy(`
-@@ -237,14 +333,28 @@ optional_policy(`
+@@ -237,14 +334,28 @@ optional_policy(`
')
optional_policy(`
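Review bot: `mta_rw_aliases(sysadm_t)` grants read/write on an existing etc_aliases_t file, but newaliases (the command the changelog cites) typically rebuilds the aliases database by creating a new `aliases.db` and renaming it into place rather than writing into an existing file; if that is what happens here, this rule will still leave create/rename denials and an interface that grants manage permissions on etc_aliases_t (or a filetrans rule) is the one needed — confirm against the AVC that motivated the change. Because alias entries can pipe mail into arbitrary commands, a comment naming the consumer, e.g. `# newaliases rebuilds /etc/aliases.db`, would keep this grant from being widened later. The enclosing optional_policy block starts and ends outside this hunk.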
@@ -25522,7 +25523,7 @@ index 2522ca6..f7ff2c7 100644
')
optional_policy(`
-@@ -252,10 +362,20 @@ optional_policy(`
+@@ -252,10 +363,20 @@ optional_policy(`
')
optional_policy(`
@@ -25543,7 +25544,7 @@ index 2522ca6..f7ff2c7 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -266,35 +386,41 @@ optional_policy(`
+@@ -266,35 +387,41 @@ optional_policy(`
')
optional_policy(`
@@ -25592,7 +25593,7 @@ index 2522ca6..f7ff2c7 100644
')
optional_policy(`
-@@ -308,6 +434,7 @@ optional_policy(`
+@@ -308,6 +435,7 @@ optional_policy(`
optional_policy(`
screen_role_template(sysadm, sysadm_r, sysadm_t)
@@ -25600,7 +25601,7 @@ index 2522ca6..f7ff2c7 100644
')
optional_policy(`
-@@ -315,12 +442,20 @@ optional_policy(`
+@@ -315,12 +443,20 @@ optional_policy(`
')
optional_policy(`
@@ -25622,7 +25623,7 @@ index 2522ca6..f7ff2c7 100644
')
optional_policy(`
-@@ -345,30 +480,37 @@ optional_policy(`
+@@ -345,30 +481,37 @@ optional_policy(`
')
optional_policy(`
@@ -25669,7 +25670,7 @@ index 2522ca6..f7ff2c7 100644
')
optional_policy(`
-@@ -380,10 +522,6 @@ optional_policy(`
+@@ -380,10 +523,6 @@ optional_policy(`
')
optional_policy(`
@@ -25680,7 +25681,7 @@ index 2522ca6..f7ff2c7 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -391,6 +529,9 @@ optional_policy(`
+@@ -391,6 +530,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -25690,7 +25691,7 @@ index 2522ca6..f7ff2c7 100644
')
optional_policy(`
-@@ -398,31 +539,34 @@ optional_policy(`
+@@ -398,31 +540,34 @@ optional_policy(`
')
optional_policy(`
@@ -25731,7 +25732,7 @@ index 2522ca6..f7ff2c7 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -435,10 +579,6 @@ ifndef(`distro_redhat',`
+@@ -435,10 +580,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -25742,7 +25743,7 @@ index 2522ca6..f7ff2c7 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -459,15 +599,79 @@ ifndef(`distro_redhat',`
+@@ -459,15 +600,79 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -46030,7 +46031,7 @@ index 2cea692..8edb742 100644
+ files_etc_filetrans($1, net_conf_t, file)
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index a392fc4..155d5ce 100644
+index a392fc4..79fadfc 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@@ -46264,7 +46265,7 @@ index a392fc4..155d5ce 100644
vmware_append_log(dhcpc_t)
')
-@@ -264,12 +313,26 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -264,29 +313,66 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -46291,7 +46292,11 @@ index a392fc4..155d5ce 100644
kernel_use_fds(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
-@@ -279,14 +342,32 @@ kernel_rw_net_sysctls(ifconfig_t)
+ kernel_request_load_module(ifconfig_t)
+ kernel_search_network_sysctl(ifconfig_t)
+ kernel_rw_net_sysctls(ifconfig_t)
++kernel_getattr_proc(ifconfig_t)
++kernel_unmount_proc(ifconfig_t)
corenet_rw_tun_tap_dev(ifconfig_t)
@@ -46306,6 +46311,7 @@ index a392fc4..155d5ce 100644
+dev_mounton_sysfs(ifconfig_t)
+dev_mount_sysfs_fs(ifconfig_t)
+dev_unmount_sysfs_fs(ifconfig_t)
++dev_getattr_sysfs_fs(ifconfig_t)
domain_use_interactive_fds(ifconfig_t)
+domain_read_all_domains_state(ifconfig_t)
@@ -46317,6 +46323,8 @@ index a392fc4..155d5ce 100644
+files_dontaudit_read_root_files(ifconfig_t)
+files_rw_inherited_tmp_file(ifconfig_t)
+files_dontaudit_rw_var_files(ifconfig_t)
++
++files_mounton_rootfs(ifconfig_t)
files_read_etc_files(ifconfig_t)
files_read_etc_runtime_files(ifconfig_t)
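Review bot: `files_mounton_rootfs(ifconfig_t)` gives every ifconfig_t process — every invocation of ip/ifconfig, not only `ip netns exec` — permission to mount on the root directory, and the preceding hunk adds `kernel_unmount_proc(ifconfig_t)` beside it; together that is considerably more than an address/route configuration domain needs. If the motivation is `ip netns exec` building a private mount namespace, record it next to the rules, e.g. `# ip netns exec makes / rslave and remounts proc/sys in a private mount ns`, and consider whether the netns path can live in its own domain or behind a boolean instead. Mount operations also require CAP_SYS_ADMIN; whether ifconfig_t already carries `self:capability sys_admin` is not visible in this hunk. The ifconfig_t rule list continues outside the hunk.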
@@ -46324,7 +46332,7 @@ index a392fc4..155d5ce 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -299,33 +380,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -299,33 +385,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@@ -46382,7 +46390,7 @@ index a392fc4..155d5ce 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -336,7 +435,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -336,7 +440,11 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -46395,7 +46403,7 @@ index a392fc4..155d5ce 100644
')
optional_policy(`
-@@ -350,7 +453,16 @@ optional_policy(`
+@@ -350,7 +458,16 @@ optional_policy(`
')
optional_policy(`
@@ -46413,7 +46421,7 @@ index a392fc4..155d5ce 100644
')
optional_policy(`
-@@ -371,3 +483,13 @@ optional_policy(`
+@@ -371,3 +488,13 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index ff0837a..e5b5dff 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -8167,7 +8167,7 @@ index 1a7a97e..2c7252a 100644
domain_system_change_exemption($1)
role_transition $2 apmd_initrc_exec_t system_r;
diff --git a/apm.te b/apm.te
-index 7fd431b..708ae24 100644
+index 7fd431b..a1b6c41 100644
--- a/apm.te
+++ b/apm.te
@@ -35,12 +35,15 @@ files_type(apmd_var_lib_t)
@@ -8229,16 +8229,17 @@ index 7fd431b..708ae24 100644
corecmd_exec_all_executables(apmd_t)
-@@ -129,6 +133,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
+@@ -129,6 +133,9 @@ domain_dontaudit_list_all_domains_state(apmd_t)
auth_use_nsswitch(apmd_t)
init_domtrans_script(apmd_t)
+init_read_utmp(apmd_t)
+init_telinit(apmd_t)
++init_dbus_chat(apmd_t)
libs_exec_ld_so(apmd_t)
libs_exec_lib_files(apmd_t)
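Review bot: `init_dbus_chat(apmd_t)` is bidirectional — it allows apmd_t to send D-Bus messages to init_t as well as receive them — which on a systemd host exposes the manager's D-Bus API (unit control, power operations) to apmd, noticeably broader than the `init_telinit` rule just above it. If the denial that prompted this was only a reply or signal from init_t, the single direction may suffice; otherwise a comment stating what apmd does over the bus, e.g. `# apmd drives suspend/shutdown through systemd's D-Bus API`, would justify the grant. The apmd_t rule list continues outside this hunk.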
-@@ -136,17 +142,16 @@ libs_exec_lib_files(apmd_t)
+@@ -136,17 +143,16 @@ libs_exec_lib_files(apmd_t)
logging_send_audit_msgs(apmd_t)
logging_send_syslog_msg(apmd_t)
@@ -8258,7 +8259,7 @@ index 7fd431b..708ae24 100644
optional_policy(`
automount_domtrans(apmd_t)
-@@ -206,11 +211,20 @@ optional_policy(`
+@@ -206,11 +212,20 @@ optional_policy(`
')
optional_policy(`
@@ -15448,7 +15449,7 @@ index 954309e..6780142 100644
')
+
diff --git a/collectd.te b/collectd.te
-index 6471fa8..3f5989f 100644
+index 6471fa8..de0fd11 100644
--- a/collectd.te
+++ b/collectd.te
@@ -26,43 +26,59 @@ files_type(collectd_var_lib_t)
@@ -15492,12 +15493,12 @@ index 6471fa8..3f5989f 100644
+kernel_read_all_sysctls(collectd_t)
+kernel_read_all_proc(collectd_t)
+kernel_list_all_proc(collectd_t)
++
++auth_use_nsswitch(collectd_t)
-kernel_read_network_state(collectd_t)
-kernel_read_net_sysctls(collectd_t)
-kernel_read_system_state(collectd_t)
-+auth_use_nsswitch(collectd_t)
-+
+corenet_udp_bind_generic_node(collectd_t)
+corenet_udp_bind_collectd_port(collectd_t)
@@ -15520,7 +15521,7 @@ index 6471fa8..3f5989f 100644
logging_send_syslog_msg(collectd_t)
-@@ -74,17 +90,41 @@ tunable_policy(`collectd_tcp_network_connect',`
+@@ -74,17 +90,45 @@ tunable_policy(`collectd_tcp_network_connect',`
corenet_tcp_sendrecv_all_ports(collectd_t)
')
@@ -15538,6 +15539,10 @@ index 6471fa8..3f5989f 100644
+')
+
+optional_policy(`
++ postgresql_stream_connect(collectd_t)
++')
++
++optional_policy(`
+ snmp_read_snmp_var_lib_dirs(collectd_t)
+')
+
@@ -16588,10 +16593,10 @@ index 0000000..1cc5fa4
+')
diff --git a/conman.te b/conman.te
new file mode 100644
-index 0000000..722f400
+index 0000000..bce21bf
--- /dev/null
+++ b/conman.te
-@@ -0,0 +1,93 @@
+@@ -0,0 +1,96 @@
+policy_module(conman, 1.0.0)
+
+########################################
@@ -16626,6 +16631,7 @@ index 0000000..722f400
+type conman_unconfined_script_t;
+type conman_unconfined_script_exec_t;
+application_domain(conman_unconfined_script_t, conman_unconfined_script_exec_t)
++init_system_domain(conman_unconfined_script_t, conman_unconfined_script_exec_t)
+
+########################################
+#
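Review bot: `init_system_domain()` in refpolicy already invokes `application_domain()` for the type it is given, so the `application_domain(conman_unconfined_script_t, ...)` line directly above the new call becomes redundant; if Fedora's init.if does the same, keep only `init_system_domain(conman_unconfined_script_t, conman_unconfined_script_exec_t)`. The new call also makes init_t able to transition straight into a type named as an unconfined script domain, which deserves a comment explaining why systemd must start these scripts directly rather than only conman_t. The type declarations continue outside this hunk.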
@@ -16639,6 +16645,8 @@ index 0000000..722f400
+allow conman_t self:unix_stream_socket create_stream_socket_perms;
+allow conman_t self:tcp_socket { accept listen create_socket_perms };
+
++allow conman_t conman_unconfined_script_t:process sigkill;
++
+manage_dirs_pattern(conman_t, conman_log_t, conman_log_t)
+manage_files_pattern(conman_t, conman_log_t, conman_log_t)
+logging_log_filetrans(conman_t, conman_log_t, { dir })
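Review bot: `allow conman_t conman_unconfined_script_t:process sigkill;` covers SIGKILL only; daemons that reap helper scripts commonly send SIGTERM or SIGHUP first and escalate to SIGKILL, in which case `sigterm`/`signal` will be the next denial. If conman genuinely only hard-kills, a comment such as `# conman hard-kills timed-out console scripts` explains the single permission; otherwise `allow conman_t conman_unconfined_script_t:process { signal sigkill };` is the safer rule. The conman_t rule block continues outside this hunk.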
@@ -32623,7 +32631,7 @@ index e39de43..5edcb83 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index ab09d61..980f1f6 100644
+index ab09d61..cfd00e3 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,52 +1,76 @@
@@ -32747,7 +32755,7 @@ index ab09d61..980f1f6 100644
########################################
#
# Gkeyringd policy
-@@ -89,37 +110,85 @@ template(`gnome_role_template',`
+@@ -89,37 +110,92 @@ template(`gnome_role_template',`
domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
@@ -32806,10 +32814,17 @@ index ab09d61..980f1f6 100644
- gnome_dbus_chat_gkeyringd($1, $3)
+ telepathy_mission_control_read_state($1_gkeyringd_t)
+ telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t)
++ ')
++ ')
++
++ optional_policy(`
++ gen_require(`
++ type xguest_gkeyringd_t;
')
- ')
- ')
-
++ dbus_dontaudit_stream_connect_session_bus(xguest_gkeyringd_t)
++ ')
++')
++
+#######################################
+##
+## Allow domain to run gkeyring in the $1_gkeyringd_t domain.
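Review bot: the new `optional_policy` block sits inside `gnome_role_template` yet names the concrete type `xguest_gkeyringd_t` instead of `$1_gkeyringd_t`, so every role that instantiates the template (user, staff, sysadm, …) re-emits a rule about xguest and the template is no longer generic. Either use `dbus_dontaudit_stream_connect_session_bus($1_gkeyringd_t)` here or move the xguest-specific rule into the xguest module. Separately, the interface targets the session bus while the changelog says the denial was a stream connect to system_dbusd_t — one of the two looks wrong, so please confirm which bus the AVC names. The nesting of the closing `')` lines cannot be verified from this hunk because leading whitespace is not preserved.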
@@ -32834,11 +32849,11 @@ index ab09d61..980f1f6 100644
+ gen_require(`
+ type $1_gkeyringd_t;
+ type gkeyringd_exec_t;
-+ ')
+ ')
+ role $2 types $1_gkeyringd_t;
+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
-+')
-+
+ ')
+
########################################
##
-## Execute gconf in the caller domain.
@@ -32846,7 +32861,7 @@ index ab09d61..980f1f6 100644
##
##
##
-@@ -127,18 +196,18 @@ template(`gnome_role_template',`
+@@ -127,18 +203,18 @@ template(`gnome_role_template',`
##
##
#
@@ -32870,7 +32885,7 @@ index ab09d61..980f1f6 100644
##
##
##
-@@ -146,119 +215,114 @@ interface(`gnome_exec_gconf',`
+@@ -146,119 +222,114 @@ interface(`gnome_exec_gconf',`
##
##
#
@@ -33027,7 +33042,7 @@ index ab09d61..980f1f6 100644
##
##
##
-@@ -266,15 +330,21 @@ interface(`gnome_create_generic_home_dirs',`
+@@ -266,15 +337,21 @@ interface(`gnome_create_generic_home_dirs',`
##
##
#
@@ -33054,7 +33069,7 @@ index ab09d61..980f1f6 100644
##
##
##
-@@ -282,57 +352,89 @@ interface(`gnome_setattr_config_dirs',`
+@@ -282,57 +359,89 @@ interface(`gnome_setattr_config_dirs',`
##
##
#
@@ -33162,7 +33177,7 @@ index ab09d61..980f1f6 100644
##
##
##
-@@ -340,15 +442,18 @@ interface(`gnome_read_generic_home_content',`
+@@ -340,15 +449,18 @@ interface(`gnome_read_generic_home_content',`
##
##
#
@@ -33186,7 +33201,7 @@ index ab09d61..980f1f6 100644
##
##
##
-@@ -356,22 +461,18 @@ interface(`gnome_manage_config',`
+@@ -356,22 +468,18 @@ interface(`gnome_manage_config',`
##
##
#
@@ -33214,7 +33229,7 @@ index ab09d61..980f1f6 100644
##
##
##
-@@ -379,53 +480,37 @@ interface(`gnome_manage_generic_home_content',`
+@@ -379,53 +487,37 @@ interface(`gnome_manage_generic_home_content',`
##
##
#
@@ -33276,7 +33291,7 @@ index ab09d61..980f1f6 100644
##
##
##
-@@ -433,17 +518,18 @@ interface(`gnome_home_filetrans',`
+@@ -433,17 +525,18 @@ interface(`gnome_home_filetrans',`
##
##
#
@@ -33299,7 +33314,7 @@ index ab09d61..980f1f6 100644
##
##
##
-@@ -451,23 +537,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
+@@ -451,23 +544,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
##
##
#
@@ -33327,7 +33342,7 @@ index ab09d61..980f1f6 100644
##
##
##
-@@ -475,22 +556,18 @@ interface(`gnome_read_generic_gconf_home_content',`
+@@ -475,22 +563,18 @@ interface(`gnome_read_generic_gconf_home_content',`
##
##
#
@@ -33354,7 +33369,7 @@ index ab09d61..980f1f6 100644
##
##
##
-@@ -498,79 +575,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
+@@ -498,79 +582,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
##
##
#
@@ -33452,7 +33467,7 @@ index ab09d61..980f1f6 100644
##
##
##
-@@ -579,12 +636,12 @@ interface(`gnome_home_filetrans_gnome_home',`
+@@ -579,12 +643,12 @@ interface(`gnome_home_filetrans_gnome_home',`
##
##
##
@@ -33467,7 +33482,7 @@ index ab09d61..980f1f6 100644
##
##
##
-@@ -593,18 +650,18 @@ interface(`gnome_home_filetrans_gnome_home',`
+@@ -593,18 +657,18 @@ interface(`gnome_home_filetrans_gnome_home',`
##
##
#
@@ -33492,7 +33507,7 @@ index ab09d61..980f1f6 100644
##
##
##
-@@ -612,46 +669,80 @@ interface(`gnome_gconf_home_filetrans',`
+@@ -612,46 +676,58 @@ interface(`gnome_gconf_home_filetrans',`
##
##
#
@@ -33517,11 +33532,15 @@ index ab09d61..980f1f6 100644
+## Read generic data home dirs.
##
-##
+-##
+-## The prefix of the user domain (e.g., user
+-## is the prefix for user_t).
+-##
+##
+##
+## Domain allowed access.
+##
-+##
+ ##
+#
+interface(`gnome_read_generic_data_home_dirs',`
+ gen_require(`
@@ -33535,30 +33554,6 @@ index ab09d61..980f1f6 100644
+##
+## Manage gconf data home files
+##
-+##
- ##
--## The prefix of the user domain (e.g., user
--## is the prefix for user_t).
-+## Domain allowed access.
- ##
- ##
-+#
-+interface(`gnome_manage_data',`
-+ gen_require(`
-+ type data_home_t;
-+ type gconf_home_t;
-+ ')
-+
-+ allow $1 gconf_home_t:dir search_dir_perms;
-+ manage_dirs_pattern($1, data_home_t, data_home_t)
-+ manage_files_pattern($1, data_home_t, data_home_t)
-+ manage_lnk_files_pattern($1, data_home_t, data_home_t)
-+')
-+
-+########################################
-+##
-+## Read icc data home content.
-+##
##
##
## Domain allowed access.
@@ -33566,122 +33561,146 @@ index ab09d61..980f1f6 100644
##
#
-interface(`gnome_dbus_chat_gkeyringd',`
-+interface(`gnome_read_home_icc_data_content',`
++interface(`gnome_manage_data',`
gen_require(`
- type $1_gkeyringd_t;
- class dbus send_msg;
-+ type icc_data_home_t, gconf_home_t, data_home_t;
++ type data_home_t;
++ type gconf_home_t;
')
- allow $2 $1_gkeyringd_t:dbus send_msg;
- allow $1_gkeyringd_t $2:dbus send_msg;
-+ userdom_search_user_home_dirs($1)
-+ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
-+ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
-+ read_files_pattern($1, icc_data_home_t, icc_data_home_t)
-+ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
++ allow $1 gconf_home_t:dir search_dir_perms;
++ manage_dirs_pattern($1, data_home_t, data_home_t)
++ manage_files_pattern($1, data_home_t, data_home_t)
++ manage_lnk_files_pattern($1, data_home_t, data_home_t)
')
########################################
##
-## Send and receive messages from all
-## gnome keyring daemon over dbus.
-+## Read inherited icc data home files.
++## Read icc data home content.
##
##
##
-@@ -659,46 +750,64 @@ interface(`gnome_dbus_chat_gkeyringd',`
+@@ -659,59 +735,1090 @@ interface(`gnome_dbus_chat_gkeyringd',`
##
##
#
-interface(`gnome_dbus_chat_all_gkeyringd',`
-+interface(`gnome_read_inherited_home_icc_data_files',`
++interface(`gnome_read_home_icc_data_content',`
gen_require(`
- attribute gkeyringd_domain;
- class dbus send_msg;
-+ type icc_data_home_t;
++ type icc_data_home_t, gconf_home_t, data_home_t;
')
- allow $1 gkeyringd_domain:dbus send_msg;
- allow gkeyringd_domain $1:dbus send_msg;
-+ allow $1 icc_data_home_t:file read_inherited_file_perms;
++ userdom_search_user_home_dirs($1)
++ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
++ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
++ read_files_pattern($1, icc_data_home_t, icc_data_home_t)
++ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
')
########################################
##
-## Connect to gnome keyring daemon
-## with a unix stream socket.
-+## Create gconf_home_t objects in the /root directory
++## Read inherited icc data home files.
##
-##
+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-+## The class of the object to be created.
++## Domain allowed access.
##
##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
+#
-+interface(`gnome_admin_home_gconf_filetrans',`
++interface(`gnome_read_inherited_home_icc_data_files',`
+ gen_require(`
-+ type gconf_home_t;
++ type icc_data_home_t;
+ ')
+
-+ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
++ allow $1 icc_data_home_t:file read_inherited_file_perms;
+')
+
+########################################
+##
-+## Do not audit attempts to read
-+## inherited gconf config files.
++## Create gconf_home_t objects in the /root directory
+##
##
##
--## Domain allowed access.
-+## Domain to not audit.
+ ## Domain allowed access.
##
##
++##
++##
++## The class of the object to be created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
#
-interface(`gnome_stream_connect_gkeyringd',`
-+interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
++interface(`gnome_admin_home_gconf_filetrans',`
gen_require(`
- type $1_gkeyringd_t, gnome_keyring_tmp_t;
-+ type gconf_etc_t;
++ type gconf_home_t;
')
- files_search_tmp($2)
- stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
-+ dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
++ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
')
########################################
##
-## Connect to all gnome keyring daemon
-## with a unix stream socket.
-+## read gconf config files
++## Do not audit attempts to read
++## inherited gconf config files.
##
##
##
-@@ -706,12 +815,1003 @@ interface(`gnome_stream_connect_gkeyringd',`
+-## Domain allowed access.
++## Domain to not audit.
##
##
#
-interface(`gnome_stream_connect_all_gkeyringd',`
-+interface(`gnome_read_gconf_config',`
++interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
gen_require(`
- attribute gkeyringd_domain;
- type gnome_keyring_tmp_t;
+ type gconf_etc_t;
+ ')
+
+- files_search_tmp($1)
+- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
++ dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
++')
++
++########################################
++##
++## read gconf config files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_read_gconf_config',`
++ gen_require(`
++ type gconf_etc_t;
+ ')
+
+ allow $1 gconf_etc_t:dir list_dir_perms;
@@ -33824,10 +33843,9 @@ index ab09d61..980f1f6 100644
+interface(`gnome_list_gkeyringd_tmp_dirs',`
+ gen_require(`
+ type gkeyringd_tmp_t;
- ')
-
- files_search_tmp($1)
-- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
++ ')
++
++ files_search_tmp($1)
+ allow $1 gkeyringd_tmp_t:dir list_dir_perms;
+')
+
@@ -56069,7 +56087,7 @@ index 687af38..5381f1b 100644
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
-index 7584bbe..dbbdb99 100644
+index 7584bbe..31069d2 100644
--- a/mysql.te
+++ b/mysql.te
@@ -6,20 +6,22 @@ policy_module(mysql, 1.14.1)
@@ -56251,7 +56269,7 @@ index 7584bbe..dbbdb99 100644
seutil_sigchld_newrole(mysqld_t)
')
-@@ -155,21 +178,18 @@ optional_policy(`
+@@ -155,21 +178,20 @@ optional_policy(`
#######################################
#
@@ -56266,7 +56284,8 @@ index 7584bbe..dbbdb99 100644
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
-allow mysqld_safe_t mysqld_t:process signull;
--
++allow mysqld_safe_t mysqld_t:process { rlimitinh };
+
read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
+delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
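Review bot: `allow mysqld_safe_t mysqld_t:process { rlimitinh };` has the right direction — rlimitinh is checked with the parent domain as source and the new domain as target, so it lets mysqld_t keep mysqld_safe's limits across the domtrans — but the changelog entry states the opposite ("mysqld_safe to inherit rlimit information from mysqld") and will mislead the next reader. A comment on the rule, `# let mysqld_t keep the rlimits (open files, core size) set by mysqld_safe`, plus a corrected changelog line would settle it. The braces around a single permission are also unnecessary: `allow mysqld_safe_t mysqld_t:process rlimitinh;`. The mysqld_safe_t rule block continues outside this hunk.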
@@ -56278,7 +56297,7 @@ index 7584bbe..dbbdb99 100644
list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
-@@ -177,9 +197,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+@@ -177,9 +199,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
@@ -56289,7 +56308,7 @@ index 7584bbe..dbbdb99 100644
kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -187,21 +205,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -187,21 +207,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
corecmd_exec_bin(mysqld_safe_t)
corecmd_exec_shell(mysqld_safe_t)
@@ -56305,9 +56324,9 @@ index 7584bbe..dbbdb99 100644
+files_dontaudit_access_check_root(mysqld_safe_t)
files_dontaudit_search_all_mountpoints(mysqld_safe_t)
+files_dontaudit_getattr_all_dirs(mysqld_safe_t)
-+
-+files_write_root_dirs(mysqld_safe_t)
++files_write_root_dirs(mysqld_safe_t)
++
+logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
logging_send_syslog_msg(mysqld_safe_t)
@@ -56325,7 +56344,7 @@ index 7584bbe..dbbdb99 100644
optional_policy(`
hostname_exec(mysqld_safe_t)
-@@ -209,7 +235,7 @@ optional_policy(`
+@@ -209,7 +237,7 @@ optional_policy(`
########################################
#
@@ -56334,7 +56353,7 @@ index 7584bbe..dbbdb99 100644
#
allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -218,11 +244,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -218,11 +246,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
@@ -56352,7 +56371,7 @@ index 7584bbe..dbbdb99 100644
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
-@@ -230,31 +257,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -230,31 +259,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
@@ -90628,10 +90647,10 @@ index 54de77c..0ee4cc1 100644
ifdef(`distro_debian',`
term_dontaudit_use_unallocated_ttys(rpcbind_t)
diff --git a/rpm.fc b/rpm.fc
-index ebe91fc..913587c 100644
+index ebe91fc..6ba4338 100644
--- a/rpm.fc
+++ b/rpm.fc
-@@ -1,61 +1,78 @@
+@@ -1,61 +1,80 @@
-/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
@@ -90666,6 +90685,11 @@ index ebe91fc..913587c 100644
+/usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
++
++/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/sbin/yum-cron -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -90684,14 +90708,11 @@ index ebe91fc..913587c 100644
-/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
-/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-+/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/sbin/yum-cron -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+
+/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
++/usr/share/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
++
+ifdef(`distro_redhat', `
+/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/package-cleanup -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 945fe28..481b4b6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 196%{?dist}
+Release: 197%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -647,6 +647,17 @@ exit 0
%endif
%changelog
+* Thu Jun 16 2016 Lukas Vrabec 3.13.1-197
+- Allow conman to kill conman_unconfined_script.
+- Make conman_unconfined_script_t as init_system_domain.
+- Allow init dbus chat with apmd.
+- Patch /var/lib/rpm is symlink to /usr/share/rpm on Atomic, due to this change we need to label also /usr/share/rpm as rpm_var_lib_t.
+- Dontaudit xguest_gkeyringd_t stream connect to system_dbusd_t
+- Allow collectd_t to stream connect to postgresql.
+- Allow mysqld_safe to inherit rlimit information from mysqld
+- Allow ip netns to mounton root fs and unmount proc_t fs.
+- Allow sysadm_t to run newaliases command.
+
* Mon Jun 13 2016 Lukas Vrabec 3.13.1-196
- Allow svirt_sandbox_domains to r/w onload sockets
- Add filetrans rule that NetworkManager_t can create net_conf_t files in /etc.