diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 18e1490..ec8f187 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 2a9b586..fa76122 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -24184,7 +24184,7 @@ index 0ea25b6..37069ae 100644
 +
 +/usr/lib/udev/devices/pts -d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
 diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index cbb729b..f118b2a 100644
+index cbb729b..ce0291e 100644
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
 @@ -124,7 +124,7 @@ interface(`term_user_tty',`
@@ -24340,7 +24340,31 @@ index cbb729b..f118b2a 100644
  ##	Do not audit attempts to read the
  ##	/dev/pts directory.
  ## </summary>
-@@ -620,7 +716,7 @@ interface(`term_use_generic_ptys',`
+@@ -519,6 +615,23 @@ interface(`term_dontaudit_manage_pty_dirs',`
+ 
+ ########################################
+ ## <summary>
++##	Get the attributes of generic pty devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to allow
++##	</summary>
++## </param>
++#
++interface(`term_getattr_generic_ptys',`
++	gen_require(`
++		type devpts_t;
++	')
++
++	allow $1 devpts_t:chr_file getattr;
++')
++########################################
++## <summary>
+ ##	Do not audit attempts to get the attributes
+ ##	of generic pty devices.
+ ## </summary>
+@@ -620,7 +733,7 @@ interface(`term_use_generic_ptys',`
  
  ########################################
  ## <summary>
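Review bot: The new `term_getattr_generic_ptys` interface ends with `')` and runs straight into the next `########################################` banner; a blank line between them would match the other interfaces visible in this patch. The parameter summary `Domain to allow` is incomplete next to refpolicy's usual `Domain allowed access.` wording. The rule grants only `getattr` on `devpts_t:chr_file`, which is suitably narrow; whether callers also need search access to /dev/pts to reach the nodes cannot be told from this hunk. The rest of terminal.if lies outside the hunk.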
@@ -24349,7 +24373,7 @@ index cbb729b..f118b2a 100644
  ##	write the generic pty type.  This is
  ##	generally only used in the targeted policy.
  ## </summary>
-@@ -635,6 +731,7 @@ interface(`term_dontaudit_use_generic_ptys',`
+@@ -635,6 +748,7 @@ interface(`term_dontaudit_use_generic_ptys',`
  		type devpts_t;
  	')
  
@@ -24357,7 +24381,7 @@ index cbb729b..f118b2a 100644
  	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
  ')
  
-@@ -879,6 +976,26 @@ interface(`term_use_all_ptys',`
+@@ -879,6 +993,26 @@ interface(`term_use_all_ptys',`
  
  ########################################
  ## <summary>
@@ -24384,7 +24408,7 @@ index cbb729b..f118b2a 100644
  ##	Do not audit attempts to read or write any ptys.
  ## </summary>
  ## <param name="domain">
-@@ -892,7 +1009,7 @@ interface(`term_dontaudit_use_all_ptys',`
+@@ -892,7 +1026,7 @@ interface(`term_dontaudit_use_all_ptys',`
  		attribute ptynode;
  	')
  
@@ -24393,7 +24417,7 @@ index cbb729b..f118b2a 100644
  ')
  
  ########################################
-@@ -912,7 +1029,7 @@ interface(`term_relabel_all_ptys',`
+@@ -912,7 +1046,7 @@ interface(`term_relabel_all_ptys',`
  	')
  
  	dev_list_all_dev_nodes($1)
@@ -24402,7 +24426,7 @@ index cbb729b..f118b2a 100644
  ')
  
  ########################################
-@@ -940,7 +1057,7 @@ interface(`term_getattr_all_user_ptys',`
+@@ -940,7 +1074,7 @@ interface(`term_getattr_all_user_ptys',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -24411,7 +24435,7 @@ index cbb729b..f118b2a 100644
  ##	</summary>
  ## </param>
  #
-@@ -1067,6 +1184,28 @@ interface(`term_getattr_unallocated_ttys',`
+@@ -1067,6 +1201,28 @@ interface(`term_getattr_unallocated_ttys',`
  
  ########################################
  ## <summary>
@@ -24440,7 +24464,7 @@ index cbb729b..f118b2a 100644
  ##	Do not audit attempts to get the attributes
  ##	of all unallocated tty device nodes.
  ## </summary>
-@@ -1165,6 +1304,25 @@ interface(`term_relabel_unallocated_ttys',`
+@@ -1165,6 +1321,25 @@ interface(`term_relabel_unallocated_ttys',`
  
  ########################################
  ## <summary>
@@ -24466,7 +24490,7 @@ index cbb729b..f118b2a 100644
  ##	Relabel from all user tty types to
  ##	the unallocated tty type.
  ## </summary>
-@@ -1259,7 +1417,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1259,7 +1434,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
  		type tty_device_t;
  	')
  
@@ -24515,7 +24539,7 @@ index cbb729b..f118b2a 100644
  ')
  
  ########################################
-@@ -1275,11 +1473,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1275,11 +1490,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
  #
  interface(`term_getattr_all_ttys',`
  	gen_require(`
@@ -24529,7 +24553,7 @@ index cbb729b..f118b2a 100644
  ')
  
  ########################################
-@@ -1296,10 +1496,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1296,10 +1513,12 @@ interface(`term_getattr_all_ttys',`
  interface(`term_dontaudit_getattr_all_ttys',`
  	gen_require(`
  		attribute ttynode;
@@ -24542,7 +24566,7 @@ index cbb729b..f118b2a 100644
  ')
  
  ########################################
-@@ -1377,7 +1579,27 @@ interface(`term_use_all_ttys',`
+@@ -1377,7 +1596,27 @@ interface(`term_use_all_ttys',`
  	')
  
  	dev_list_all_dev_nodes($1)
@@ -24571,7 +24595,7 @@ index cbb729b..f118b2a 100644
  ')
  
  ########################################
-@@ -1396,7 +1618,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1396,7 +1635,7 @@ interface(`term_dontaudit_use_all_ttys',`
  		attribute ttynode;
  	')
  
@@ -24580,7 +24604,7 @@ index cbb729b..f118b2a 100644
  ')
  
  ########################################
-@@ -1504,7 +1726,7 @@ interface(`term_use_all_user_ttys',`
+@@ -1504,7 +1743,7 @@ interface(`term_use_all_user_ttys',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -24589,7 +24613,7 @@ index cbb729b..f118b2a 100644
  ##	</summary>
  ## </param>
  #
-@@ -1513,21 +1735,435 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1513,21 +1752,435 @@ interface(`term_dontaudit_use_all_user_ttys',`
  	term_dontaudit_use_all_ttys($1)
  ')
  
@@ -28261,7 +28285,7 @@ index 76d9f66..7528851 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..60003bc 100644
+index fe0c682..0ac21a6 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,11 @@
@@ -28383,16 +28407,15 @@ index fe0c682..60003bc 100644
  	type $1_t, ssh_server;
  	auth_login_pgm_domain($1_t)
  
-@@ -181,20 +205,23 @@ template(`ssh_server_template', `
+@@ -181,20 +205,22 @@ template(`ssh_server_template', `
  	type $1_var_run_t;
  	files_pid_file($1_var_run_t)
  
 -	allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
-+	allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
++	allow $1_t self:capability { setpcap kill sys_admin sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
  	allow $1_t self:fifo_file rw_fifo_file_perms;
 -	allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
-+	allow $1_t self:process { getcap signal getsched setsched setrlimit setexec };
-+	allow $1_t self:process { signal getcap getsched setsched setrlimit setexec };
++	allow $1_t self:process { setcap getcap signal getsched setsched setrlimit setexec };
  	allow $1_t self:tcp_socket create_stream_socket_perms;
  	allow $1_t self:udp_socket create_socket_perms;
 +	allow $1_t self:tun_socket { create_socket_perms relabelfrom relabelto };
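Review bot: The added `setpcap` in `self:capability` and `setcap` in `self:process` sit inside `ssh_server_template`, so every domain instantiated from the template can change its own capability sets, not only `sshd_t`, and nothing in the policy text records why. The spec changelog only says the grant is needed due to the latest changes in sshd, so a comment above the two rules such as `# setpcap/setcap: added for sshd in selinux-policy 3.13.1-206; TODO reference the AVC or bug` would let a later audit decide whether it can be withdrawn. If other users of the template do not need it, both permissions would be better placed in the sshd-specific policy than in the template. Collapsing the duplicated `self:process` rule into one line is a good cleanup. The template body starts and ends outside this hunk.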
@@ -28412,7 +28435,7 @@ index fe0c682..60003bc 100644
  
  	allow $1_t $1_var_run_t:file manage_file_perms;
  	files_pid_filetrans($1_t, $1_var_run_t, file)
-@@ -206,6 +233,7 @@ template(`ssh_server_template', `
+@@ -206,6 +232,7 @@ template(`ssh_server_template', `
  
  	kernel_read_kernel_sysctls($1_t)
  	kernel_read_network_state($1_t)
@@ -28420,7 +28443,7 @@ index fe0c682..60003bc 100644
  
  	corenet_all_recvfrom_unlabeled($1_t)
  	corenet_all_recvfrom_netlabel($1_t)
-@@ -220,10 +248,13 @@ template(`ssh_server_template', `
+@@ -220,10 +247,13 @@ template(`ssh_server_template', `
  	corenet_tcp_bind_generic_node($1_t)
  	corenet_udp_bind_generic_node($1_t)
  	corenet_tcp_bind_ssh_port($1_t)
@@ -28436,7 +28459,7 @@ index fe0c682..60003bc 100644
  
  	auth_rw_login_records($1_t)
  	auth_rw_faillog($1_t)
-@@ -234,6 +265,7 @@ template(`ssh_server_template', `
+@@ -234,6 +264,7 @@ template(`ssh_server_template', `
  	corecmd_getattr_bin_files($1_t)
  
  	domain_interactive_fd($1_t)
@@ -28444,7 +28467,7 @@ index fe0c682..60003bc 100644
  
  	files_read_etc_files($1_t)
  	files_read_etc_runtime_files($1_t)
-@@ -241,35 +273,33 @@ template(`ssh_server_template', `
+@@ -241,35 +272,33 @@ template(`ssh_server_template', `
  
  	logging_search_logs($1_t)
  
@@ -28491,7 +28514,7 @@ index fe0c682..60003bc 100644
  ')
  
  ########################################
-@@ -292,14 +322,15 @@ template(`ssh_server_template', `
+@@ -292,14 +321,15 @@ template(`ssh_server_template', `
  ##	User domain for the role
  ##	</summary>
  ## </param>
@@ -28508,7 +28531,7 @@ index fe0c682..60003bc 100644
  	')
  
  	##############################
-@@ -328,103 +359,56 @@ template(`ssh_role_template',`
+@@ -328,103 +358,56 @@ template(`ssh_role_template',`
  
  	# allow ps to show ssh
  	ps_process_pattern($3, ssh_t)
@@ -28622,7 +28645,7 @@ index fe0c682..60003bc 100644
  ')
  
  ########################################
-@@ -496,8 +480,27 @@ interface(`ssh_read_pipes',`
+@@ -496,8 +479,27 @@ interface(`ssh_read_pipes',`
  		type sshd_t;
  	')
  
@@ -28651,7 +28674,7 @@ index fe0c682..60003bc 100644
  ########################################
  ## <summary>
  ##	Read and write a ssh server unnamed pipe.
-@@ -513,7 +516,7 @@ interface(`ssh_rw_pipes',`
+@@ -513,7 +515,7 @@ interface(`ssh_rw_pipes',`
  		type sshd_t;
  	')
  
@@ -28660,7 +28683,7 @@ index fe0c682..60003bc 100644
  ')
  
  ########################################
-@@ -605,6 +608,24 @@ interface(`ssh_domtrans',`
+@@ -605,6 +607,24 @@ interface(`ssh_domtrans',`
  
  ########################################
  ## <summary>
@@ -28685,7 +28708,7 @@ index fe0c682..60003bc 100644
  ##	Execute the ssh client in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -637,7 +658,7 @@ interface(`ssh_setattr_key_files',`
+@@ -637,7 +657,7 @@ interface(`ssh_setattr_key_files',`
  		type sshd_key_t;
  	')
  
@@ -28694,7 +28717,7 @@ index fe0c682..60003bc 100644
  	files_search_pids($1)
  ')
  
-@@ -662,6 +683,42 @@ interface(`ssh_agent_exec',`
+@@ -662,6 +682,42 @@ interface(`ssh_agent_exec',`
  
  ########################################
  ## <summary>
@@ -28737,7 +28760,7 @@ index fe0c682..60003bc 100644
  ##	Read ssh home directory content
  ## </summary>
  ## <param name="domain">
-@@ -701,6 +758,68 @@ interface(`ssh_domtrans_keygen',`
+@@ -701,6 +757,68 @@ interface(`ssh_domtrans_keygen',`
  
  ########################################
  ## <summary>
@@ -28806,7 +28829,7 @@ index fe0c682..60003bc 100644
  ##	Read ssh server keys
  ## </summary>
  ## <param name="domain">
-@@ -714,7 +833,26 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -714,7 +832,26 @@ interface(`ssh_dontaudit_read_server_keys',`
  		type sshd_key_t;
  	')
  
@@ -28834,7 +28857,7 @@ index fe0c682..60003bc 100644
  ')
  
  ######################################
-@@ -754,3 +892,151 @@ interface(`ssh_delete_tmp',`
+@@ -754,3 +891,151 @@ interface(`ssh_delete_tmp',`
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')
@@ -28987,7 +29010,7 @@ index fe0c682..60003bc 100644
 +	ps_process_pattern($1, sshd_t)
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index cc877c7..4d56aea 100644
+index cc877c7..b8e6e98 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2)
@@ -29074,7 +29097,7 @@ index cc877c7..4d56aea 100644
  
  type ssh_t;
  type ssh_exec_t;
-@@ -67,25 +93,28 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t)
+@@ -67,15 +93,17 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t)
  type ssh_tmpfs_t;
  typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
  typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
@@ -29095,11 +29118,7 @@ index cc877c7..4d56aea 100644
  
  ##############################
  #
- # SSH client local policy
- #
- 
--allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
-+allow ssh_t self:capability { setpcap setuid setgid dac_override dac_read_search };
+@@ -86,6 +114,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
  allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow ssh_t self:fd use;
  allow ssh_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 769aeec..7869f93 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -10560,28 +10560,31 @@ index 851769e..3dc3f36 100644
  
  term_dontaudit_use_all_ttys(bluetooth_helper_t)
 diff --git a/boinc.fc b/boinc.fc
-index 6d3ccad..bda740a 100644
+index 6d3ccad..9c69f28 100644
 --- a/boinc.fc
 +++ b/boinc.fc
-@@ -1,9 +1,12 @@
+@@ -1,9 +1,15 @@
 -/etc/rc\.d/init\.d/boinc-client	--	gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
++/etc/boinc-client/global_prefs_override.xml -- gen_context(system_u:object_r:boinc_var_lib_t,s0)
++/etc/rc\.d/init\.d/boinc-client	-- 		gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
  
 -/usr/bin/boinc_client	--	gen_context(system_u:object_r:boinc_exec_t,s0)
-+/etc/rc\.d/init\.d/boinc-client	-- 		gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
++/usr/bin/boinc		--	gen_context(system_u:object_r:boinc_exec_t,s0)
++/usr/bin/boinc_client			--		gen_context(system_u:object_r:boinc_exec_t,s0)
  
 -/var/lib/boinc(/.*)?	gen_context(system_u:object_r:boinc_var_lib_t,s0)
 -/var/lib/boinc/projects(/.*)?	gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
 -/var/lib/boinc/slots(/.*)?	gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
-+/usr/bin/boinc_client			--		gen_context(system_u:object_r:boinc_exec_t,s0)
++/usr/lib/systemd/system/boinc-client\.service        --  gen_context(system_u:object_r:boinc_unit_file_t,s0)
  
 -/var/log/boinc\.log.*	--	gen_context(system_u:object_r:boinc_log_t,s0)
-+/usr/lib/systemd/system/boinc-client\.service        --  gen_context(system_u:object_r:boinc_unit_file_t,s0)
-+
 +/var/lib/boinc(/.*)?					gen_context(system_u:object_r:boinc_var_lib_t,s0)
++/var/lib/boinc-client(/.*)?	gen_context(system_u:object_r:boinc_var_lib_t,s0)
 +/var/lib/boinc/projects(/.*)?			gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
 +/var/lib/boinc/slots(/.*)?				gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
 +
 +/var/log/boinc\.log.*				--		gen_context(system_u:object_r:boinc_log_t,s0)
++/var/log/boincerr\.log.*	--	gen_context(system_u:object_r:boinc_log_t,s0)
 diff --git a/boinc.if b/boinc.if
 index 02fefaa..308616e 100644
 --- a/boinc.if
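Review bot: The new entry `/etc/boinc-client/global_prefs_override.xml` leaves the `.` unescaped, so the regex matches any character in that position, whereas the neighbouring entries escape it (`boinc-client\.service`, `boinc\.log.*`); write it as `global_prefs_override\.xml`. The same line labels a file under /etc as `boinc_var_lib_t`, which presumably gives the daemon the same manage access to it as to its state directory. If that is intended so the client can rewrite its own preferences, a short comment above the entry saying so would help the next reader. The hunk covers the whole boinc.fc section and ends at the boinc.if header.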
@@ -10803,9 +10806,15 @@ index 02fefaa..308616e 100644
 +	')
  ')
 diff --git a/boinc.te b/boinc.te
-index 687d4c4..f668033 100644
+index 687d4c4..bce6267 100644
 --- a/boinc.te
 +++ b/boinc.te
+@@ -1,4 +1,4 @@
+-policy_module(boinc, 1.1.1)
++policy_module(boinc, 1.3.1)
+ 
+ ########################################
+ #
 @@ -12,7 +12,9 @@ policy_module(boinc, 1.1.1)
  ## </desc>
  gen_tunable(boinc_execmem, true)
@@ -10817,7 +10826,7 @@ index 687d4c4..f668033 100644
  type boinc_exec_t;
  init_daemon_domain(boinc_t, boinc_exec_t)
  
-@@ -28,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t)
+@@ -28,31 +30,71 @@ files_tmpfs_file(boinc_tmpfs_t)
  type boinc_var_lib_t;
  files_type(boinc_var_lib_t)
  
@@ -10893,10 +10902,12 @@ index 687d4c4..f668033 100644
  allow boinc_t self:shm create_shm_perms;
 -allow boinc_t self:fifo_file rw_fifo_file_perms;
 -allow boinc_t self:sem create_sem_perms;
++
++can_exec(boinc_t, boinc_exec_t)
  
  manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
  manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
-@@ -61,74 +101,49 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+@@ -61,84 +103,62 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
  manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
  fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
  
@@ -10918,11 +10929,11 @@ index 687d4c4..f668033 100644
 -create_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
 -setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
 -logging_log_filetrans(boinc_t, boinc_log_t, file)
--
--can_exec(boinc_t, boinc_var_lib_t)
 +manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 +manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
  
+-can_exec(boinc_t, boinc_var_lib_t)
+-
 -domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
 +manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
 +logging_log_filetrans(boinc_t, boinc_log_t, { file })
@@ -10994,8 +11005,11 @@ index 687d4c4..f668033 100644
  
  term_getattr_all_ptys(boinc_t)
  term_getattr_unallocated_ttys(boinc_t)
-@@ -137,8 +152,9 @@ init_read_utmp(boinc_t)
  
+ init_read_utmp(boinc_t)
+ 
++libs_exec_lib_files(boinc_t)
++
  logging_send_syslog_msg(boinc_t)
  
 -miscfiles_read_fonts(boinc_t)
@@ -11006,7 +11020,7 @@ index 687d4c4..f668033 100644
  
  tunable_policy(`boinc_execmem',`
  	allow boinc_t self:process { execstack execmem };
-@@ -148,48 +164,61 @@ optional_policy(`
+@@ -148,48 +168,69 @@ optional_policy(`
  	mta_send_mail(boinc_t)
  ')
  
@@ -11067,9 +11081,17 @@ index 687d4c4..f668033 100644
 -corenet_sendrecv_boinc_client_packets(boinc_project_t)
  corenet_tcp_connect_boinc_port(boinc_project_t)
 -corenet_tcp_sendrecv_boinc_port(boinc_project_t)
++
++dev_getattr_input_dev(boinc_t)
++dev_getattr_mouse_dev(boinc_t)
  
  files_dontaudit_search_home(boinc_project_t)
  
++term_getattr_ptmx(boinc_t)
++term_getattr_generic_ptys(boinc_t)
++
++userdom_getattr_user_ttys(boinc_t)
++
 +# needed by java
 +fs_read_hugetlbfs_files(boinc_project_t)
 +
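Review bot: The five added rules (`dev_getattr_input_dev`, `dev_getattr_mouse_dev`, `term_getattr_ptmx`, `term_getattr_generic_ptys`, `userdom_getattr_user_ttys`) all take `boinc_t`, but they are inserted between rules for `boinc_project_t` (`corenet_tcp_connect_boinc_port(boinc_project_t)`, `files_dontaudit_search_home(boinc_project_t)`, `fs_read_hugetlbfs_files(boinc_project_t)`). Moving them into the `boinc_t` local policy next to `term_getattr_all_ptys(boinc_t)` would keep each domain's grants in one place. As placed, a reader auditing the project domain could mistake them for project permissions, or overlook them when reviewing the daemon domain. The surrounding boinc.te section continues outside this hunk.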
@@ -12256,10 +12278,10 @@ index 008f8ef..144c074 100644
  	admin_pattern($1, certmonger_var_run_t)
  ')
 diff --git a/certmonger.te b/certmonger.te
-index 550b287..f37b9b0 100644
+index 550b287..b824421 100644
 --- a/certmonger.te
 +++ b/certmonger.te
-@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
+@@ -18,18 +18,23 @@ files_type(certmonger_var_lib_t)
  type certmonger_var_run_t;
  files_pid_file(certmonger_var_run_t)
  
@@ -12269,8 +12291,10 @@ index 550b287..f37b9b0 100644
  ########################################
  #
  # Local policy
-@@ -26,10 +29,12 @@ files_pid_file(certmonger_var_run_t)
- allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
+ #
+ 
+-allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
++allow certmonger_t self:capability { chown dac_override dac_read_search setgid setuid kill sys_nice };
  dontaudit certmonger_t self:capability sys_tty_config;
  allow certmonger_t self:capability2 block_suspend;
 +
@@ -15268,10 +15292,10 @@ index 0000000..77cdd5e
 +	unconfined_domtrans(cockpit_session_t)
 +')
 diff --git a/collectd.fc b/collectd.fc
-index 79a3abe..3237fb0 100644
+index 79a3abe..3ee73d1 100644
 --- a/collectd.fc
 +++ b/collectd.fc
-@@ -1,9 +1,12 @@
+@@ -1,9 +1,13 @@
  /etc/rc\.d/init\.d/collectd	--	gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
  
 +/usr/lib/systemd/system/collectd.*  -- gen_context(system_u:object_r:collectd_unit_file_t,s0)
@@ -15281,6 +15305,7 @@ index 79a3abe..3237fb0 100644
  /var/lib/collectd(/.*)?	gen_context(system_u:object_r:collectd_var_lib_t,s0)
  
  /var/run/collectd\.pid	--	gen_context(system_u:object_r:collectd_var_run_t,s0)
++/var/run/collectd(/.*)?		gen_context(system_u:object_r:collectd_var_run_t,s0)
 +/var/run/collectd-unixsock  -s  gen_context(system_u:object_r:collectd_var_run_t,s0)
  
 -/usr/share/collectd/collection3/bin/.*\.cgi	--	gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
@@ -15469,10 +15494,10 @@ index 954309e..6780142 100644
  ')
 +
 diff --git a/collectd.te b/collectd.te
-index 6471fa8..de0fd11 100644
+index 6471fa8..b82bae6 100644
 --- a/collectd.te
 +++ b/collectd.te
-@@ -26,43 +26,59 @@ files_type(collectd_var_lib_t)
+@@ -26,43 +26,61 @@ files_type(collectd_var_lib_t)
  type collectd_var_run_t;
  files_pid_file(collectd_var_run_t)
  
@@ -15495,6 +15520,7 @@ index 6471fa8..de0fd11 100644
  allow collectd_t self:process { getsched setsched signal };
  allow collectd_t self:fifo_file rw_fifo_file_perms;
  allow collectd_t self:packet_socket create_socket_perms;
++allow collectd_t self:rawip_socket create_socket_perms;
  allow collectd_t self:unix_stream_socket { accept listen };
 +allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
 +allow collectd_t self:udp_socket create_socket_perms;
@@ -15506,8 +15532,9 @@ index 6471fa8..de0fd11 100644
  
  manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
 -files_pid_filetrans(collectd_t, collectd_var_run_t, file)
++manage_dirs_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
 +manage_sock_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
-+files_pid_filetrans(collectd_t, collectd_var_run_t, { file sock_file })
++files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file sock_file})
  
 -domain_use_interactive_fds(collectd_t)
 +kernel_read_all_sysctls(collectd_t)
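Review bot: In the rewritten `files_pid_filetrans` call the class set is written `{ dir file sock_file}` with no space before the closing brace; `{ dir file sock_file }` matches the spacing of the other class sets visible in this patch. With `dir` now in the transition, directories collectd creates under the pid directory are labelled `collectd_var_run_t`, which lines up with the `/var/run/collectd(/.*)?` context added in collectd.fc, so the two changes should stay together if either is reverted.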
@@ -15541,7 +15568,7 @@ index 6471fa8..de0fd11 100644
  
  logging_send_syslog_msg(collectd_t)
  
-@@ -74,17 +90,45 @@ tunable_policy(`collectd_tcp_network_connect',`
+@@ -74,17 +92,45 @@ tunable_policy(`collectd_tcp_network_connect',`
  	corenet_tcp_sendrecv_all_ports(collectd_t)
  ')
  
@@ -79180,7 +79207,7 @@ index 7cb8b1f..bef7217 100644
 +    allow $1 puppet_var_run_t:dir search_dir_perms;
  ')
 diff --git a/puppet.te b/puppet.te
-index 618dcfe..67d166c 100644
+index 618dcfe..8e08251 100644
 --- a/puppet.te
 +++ b/puppet.te
 @@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0)
@@ -79242,7 +79269,7 @@ index 618dcfe..67d166c 100644
  
  type puppetmaster_t;
  type puppetmaster_exec_t;
-@@ -56,161 +62,166 @@ files_tmp_file(puppetmaster_tmp_t)
+@@ -56,161 +62,170 @@ files_tmp_file(puppetmaster_tmp_t)
  
  ########################################
  #
@@ -79441,71 +79468,75 @@ index 618dcfe..67d166c 100644
 +
 +optional_policy(`
 +    mysql_stream_connect(puppetagent_t)
-+')
-+
-+optional_policy(`
-+    postgresql_stream_connect(puppetagent_t)
-+')
-+
-+optional_policy(`
-+	cfengine_read_lib_files(puppetagent_t)
  ')
  
  optional_policy(`
 -	cfengine_read_lib_files(puppet_t)
-+	consoletype_exec(puppetagent_t)
++    postgresql_stream_connect(puppetagent_t)
  ')
  
  optional_policy(`
 -	consoletype_exec(puppet_t)
-+	hostname_exec(puppetagent_t)
++	cfengine_read_lib_files(puppetagent_t)
  ')
  
  optional_policy(`
 -	hostname_exec(puppet_t)
-+	mount_domtrans(puppetagent_t)
++	consoletype_exec(puppetagent_t)
  ')
  
  optional_policy(`
 -	mount_domtrans(puppet_t)
-+	mta_send_mail(puppetagent_t)
++	hostname_exec(puppetagent_t)
  ')
  
  optional_policy(`
 -	mta_send_mail(puppet_t)
-+        firewalld_dbus_chat(puppetagent_t)
++	mount_domtrans(puppetagent_t)
  ')
  
  optional_policy(`
 -	portage_domtrans(puppet_t)
 -	portage_domtrans_fetch(puppet_t)
 -	portage_domtrans_gcc_config(puppet_t)
-+	portage_domtrans(puppetagent_t)
-+	portage_domtrans_fetch(puppetagent_t)
-+	portage_domtrans_gcc_config(puppetagent_t)
++	mta_send_mail(puppetagent_t)
  ')
  
  optional_policy(`
 -	files_rw_var_files(puppet_t)
-+	files_rw_var_files(puppetagent_t)
++        firewalld_dbus_chat(puppetagent_t)
++')
  
 -	rpm_domtrans(puppet_t)
 -	rpm_manage_db(puppet_t)
 -	rpm_manage_log(puppet_t)
-+	rpm_domtrans(puppetagent_t)
-+	rpm_manage_db(puppetagent_t)
-+	rpm_manage_log(puppetagent_t)
++optional_policy(`
++	portage_domtrans(puppetagent_t)
++	portage_domtrans_fetch(puppetagent_t)
++	portage_domtrans_gcc_config(puppetagent_t)
  ')
  
  optional_policy(`
 -	unconfined_domain(puppet_t)
-+        shorewall_domtrans(puppetagent_t)
++	files_rw_var_files(puppetagent_t)
++
++	rpm_domtrans(puppetagent_t)
++	rpm_manage_db(puppetagent_t)
++	rpm_manage_log(puppetagent_t)
  ')
  
  optional_policy(`
 -	usermanage_domtrans_groupadd(puppet_t)
 -	usermanage_domtrans_useradd(puppet_t)
++        shorewall_domtrans(puppetagent_t)
++')
++
++optional_policy(`
 +    unconfined_domain_noaudit(puppetagent_t)
++')
++
++optional_policy(`
++        shorewall_domtrans(puppet_t)
  ')
  
  ########################################
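Review bot: The newly added block `shorewall_domtrans(puppet_t)` names `puppet_t`, while every other rule on the new side of this hunk uses `puppetagent_t`, including an existing `shorewall_domtrans(puppetagent_t)` two blocks above it. If `puppet_t` is kept as an alias of `puppetagent_t` (not visible here), the new block duplicates that rule and can be dropped; if it is not declared, the optional block would presumably never be enabled and the changelog entry has no effect. Either way `shorewall_domtrans(puppetagent_t)` looks like the intended spelling. The block also follows `unconfined_domain_noaudit(puppetagent_t)`, so it is worth confirming the transition is still needed where that optional policy is active.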
@@ -79525,7 +79556,7 @@ index 618dcfe..67d166c 100644
  
  allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
  manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
-@@ -221,6 +232,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
+@@ -221,6 +236,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
  allow puppetca_t puppet_var_run_t:dir search_dir_perms;
  
  kernel_read_system_state(puppetca_t)
@@ -79533,7 +79564,7 @@ index 618dcfe..67d166c 100644
  kernel_read_kernel_sysctls(puppetca_t)
  
  corecmd_exec_bin(puppetca_t)
-@@ -229,15 +241,12 @@ corecmd_exec_shell(puppetca_t)
+@@ -229,15 +245,12 @@ corecmd_exec_shell(puppetca_t)
  dev_read_urand(puppetca_t)
  dev_search_sysfs(puppetca_t)
  
@@ -79549,7 +79580,7 @@ index 618dcfe..67d166c 100644
  miscfiles_read_generic_certs(puppetca_t)
  
  seutil_read_file_contexts(puppetca_t)
-@@ -246,38 +255,48 @@ optional_policy(`
+@@ -246,38 +259,48 @@ optional_policy(`
  	hostname_exec(puppetca_t)
  ')
  
@@ -79614,7 +79645,7 @@ index 618dcfe..67d166c 100644
  
  kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
  kernel_read_network_state(puppetmaster_t)
-@@ -289,23 +308,24 @@ corecmd_exec_bin(puppetmaster_t)
+@@ -289,23 +312,24 @@ corecmd_exec_bin(puppetmaster_t)
  corecmd_exec_shell(puppetmaster_t)
  
  corenet_all_recvfrom_netlabel(puppetmaster_t)
@@ -79645,7 +79676,7 @@ index 618dcfe..67d166c 100644
  
  selinux_validate_context(puppetmaster_t)
  
-@@ -314,26 +334,31 @@ auth_use_nsswitch(puppetmaster_t)
+@@ -314,26 +338,31 @@ auth_use_nsswitch(puppetmaster_t)
  logging_send_syslog_msg(puppetmaster_t)
  
  miscfiles_read_generic_certs(puppetmaster_t)
@@ -79682,7 +79713,7 @@ index 618dcfe..67d166c 100644
  ')
  
  optional_policy(`
-@@ -342,3 +367,9 @@ optional_policy(`
+@@ -342,3 +371,9 @@ optional_policy(`
  	rpm_exec(puppetmaster_t)
  	rpm_read_db(puppetmaster_t)
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 927fb06..ee1ea02 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 205%{?dist}
+Release: 206%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -648,6 +648,16 @@ exit 0
 %endif
 
 %changelog
+* Tue Aug 02 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-206
+- collectd: update policy for 5.5
+- Allow puppet_t transtition to shorewall_t
+- Grant certmonger "chown" capability
+- Boinc updates from Russell Coker.
+- Allow sshd setcap capability. This is needed due to latest changes in sshd.
+- Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd"
+- Revert "Fix typo in ssh policy"
+- Get attributes of generic ptys, from Russell Coker.
+
 * Fri Jul 29 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-205
 - Dontaudit mock_build_t can list all ptys.
 - Allow ftpd_t to mamange userhome data without any boolean.