diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 5f3e71b..5a49e8c 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -9408,7 +9408,7 @@ index b876c48..27f60c6 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..5c44da2 100644
+index f962f76..68d8f79 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -10418,10 +10418,19 @@ index f962f76..5c44da2 100644
')
########################################
-@@ -3150,6 +3686,25 @@ interface(`files_getattr_isid_type_dirs',`
-
- ########################################
- ## <summary>
+@@ -3142,10 +3678,29 @@ interface(`files_etc_filetrans_etc_runtime',`
+ #
+ interface(`files_getattr_isid_type_dirs',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:dir getattr;
++')
++
++########################################
++## <summary>
+## Setattr of directories on new filesystems
+## that have not yet been labeled.
+## </summary>
@@ -10433,21 +10442,63 @@ index f962f76..5c44da2 100644
+#
+interface(`files_setattr_isid_type_dirs',`
+ gen_require(`
-+ type file_t;
++ type unlabeled_t;
+ ')
+
+- allow $1 file_t:dir getattr;
++ allow $1 unlabeled_t:dir setattr;
+ ')
+
+ ########################################
+@@ -3161,10 +3716,10 @@ interface(`files_getattr_isid_type_dirs',`
+ #
+ interface(`files_dontaudit_search_isid_type_dirs',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- dontaudit $1 file_t:dir search_dir_perms;
++ dontaudit $1 unlabeled_t:dir search_dir_perms;
+ ')
+
+ ########################################
+@@ -3180,10 +3735,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
+ #
+ interface(`files_list_isid_type_dirs',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- allow $1 file_t:dir list_dir_perms;
++ allow $1 unlabeled_t:dir list_dir_perms;
+ ')
+
+ ########################################
+@@ -3199,10 +3754,10 @@ interface(`files_list_isid_type_dirs',`
+ #
+ interface(`files_rw_isid_type_dirs',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- allow $1 file_t:dir rw_dir_perms;
++ allow $1 unlabeled_t:dir rw_dir_perms;
+ ')
+
+ ########################################
+@@ -3218,10 +3773,66 @@ interface(`files_rw_isid_type_dirs',`
+ #
+ interface(`files_delete_isid_type_dirs',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
-+ allow $1 file_t:dir setattr;
++ delete_dirs_pattern($1, unlabeled_t, unlabeled_t)
+')
-+
-+########################################
-+## <summary>
- ## Do not audit attempts to search directories on new filesystems
- ## that have not yet been labeled.
- ## </summary>
-@@ -3223,6 +3778,62 @@ interface(`files_delete_isid_type_dirs',`
-
- delete_dirs_pattern($1, file_t, file_t)
- ')
+########################################
+## <summary>
+## Execute files on new filesystems
@@ -10461,10 +10512,10 @@ index f962f76..5c44da2 100644
+#
+interface(`files_exec_isid_files',`
+ gen_require(`
-+ type file_t;
++ type unlabeled_t;
+ ')
+
-+ can_exec($1, file_t)
++ can_exec($1, unlabeled_t)
+')
+
+########################################
@@ -10480,10 +10531,10 @@ index f962f76..5c44da2 100644
+#
+interface(`files_mounton_isid',`
+ gen_require(`
-+ type file_t;
++ type unlabeled_t;
+ ')
+
-+ allow $1 file_t:dir mounton;
++ allow $1 unlabeled_t:dir mounton;
+')
+
+########################################
@@ -10499,18 +10550,183 @@ index f962f76..5c44da2 100644
+#
+interface(`files_relabelfrom_isid_type',`
+ gen_require(`
-+ type file_t;
-+ ')
-+
-+ dontaudit $1 file_t:dir_file_class_set relabelfrom;
-+')
++ type unlabeled_t;
+ ')
+
+- delete_dirs_pattern($1, file_t, file_t)
++ dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom;
+ ')
########################################
- ## <summary>
-@@ -3473,6 +4084,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3237,10 +3848,10 @@ interface(`files_delete_isid_type_dirs',`
+ #
+ interface(`files_manage_isid_type_dirs',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- allow $1 file_t:dir manage_dir_perms;
++ allow $1 unlabeled_t:dir manage_dir_perms;
+ ')
########################################
- ## <summary>
+@@ -3256,10 +3867,10 @@ interface(`files_manage_isid_type_dirs',`
+ #
+ interface(`files_mounton_isid_type_dirs',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- allow $1 file_t:dir { search_dir_perms mounton };
++ allow $1 unlabeled_t:dir { search_dir_perms mounton };
+ ')
+
+ ########################################
+@@ -3275,10 +3886,10 @@ interface(`files_mounton_isid_type_dirs',`
+ #
+ interface(`files_read_isid_type_files',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- allow $1 file_t:file read_file_perms;
++ allow $1 unlabeled_t:file read_file_perms;
+ ')
+
+ ########################################
+@@ -3294,10 +3905,10 @@ interface(`files_read_isid_type_files',`
+ #
+ interface(`files_delete_isid_type_files',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- delete_files_pattern($1, file_t, file_t)
++ delete_files_pattern($1, unlabeled_t, unlabeled_t)
+ ')
+
+ ########################################
+@@ -3313,10 +3924,10 @@ interface(`files_delete_isid_type_files',`
+ #
+ interface(`files_delete_isid_type_symlinks',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- delete_lnk_files_pattern($1, file_t, file_t)
++ delete_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
+ ')
+
+ ########################################
+@@ -3332,10 +3943,10 @@ interface(`files_delete_isid_type_symlinks',`
+ #
+ interface(`files_delete_isid_type_fifo_files',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- delete_fifo_files_pattern($1, file_t, file_t)
++ delete_fifo_files_pattern($1, unlabeled_t, unlabeled_t)
+ ')
+
+ ########################################
+@@ -3351,10 +3962,10 @@ interface(`files_delete_isid_type_fifo_files',`
+ #
+ interface(`files_delete_isid_type_sock_files',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- delete_sock_files_pattern($1, file_t, file_t)
++ delete_sock_files_pattern($1, unlabeled_t, unlabeled_t)
+ ')
+
+ ########################################
+@@ -3370,10 +3981,10 @@ interface(`files_delete_isid_type_sock_files',`
+ #
+ interface(`files_delete_isid_type_blk_files',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- delete_blk_files_pattern($1, file_t, file_t)
++ delete_blk_files_pattern($1, unlabeled_t, unlabeled_t)
+ ')
+
+ ########################################
+@@ -3389,10 +4000,10 @@ interface(`files_delete_isid_type_blk_files',`
+ #
+ interface(`files_dontaudit_write_isid_chr_files',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- dontaudit $1 file_t:chr_file write;
++ dontaudit $1 unlabeled_t:chr_file write;
+ ')
+
+ ########################################
+@@ -3408,10 +4019,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
+ #
+ interface(`files_delete_isid_type_chr_files',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- delete_chr_files_pattern($1, file_t, file_t)
++ delete_chr_files_pattern($1, unlabeled_t, unlabeled_t)
+ ')
+
+ ########################################
+@@ -3427,10 +4038,10 @@ interface(`files_delete_isid_type_chr_files',`
+ #
+ interface(`files_manage_isid_type_files',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- allow $1 file_t:file manage_file_perms;
++ allow $1 unlabeled_t:file manage_file_perms;
+ ')
+
+ ########################################
+@@ -3446,10 +4057,10 @@ interface(`files_manage_isid_type_files',`
+ #
+ interface(`files_manage_isid_type_symlinks',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- allow $1 file_t:lnk_file manage_lnk_file_perms;
++ allow $1 unlabeled_t:lnk_file manage_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -3465,10 +4076,29 @@ interface(`files_manage_isid_type_symlinks',`
+ #
+ interface(`files_rw_isid_type_blk_files',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:blk_file rw_blk_file_perms;
++')
++
++########################################
++## <summary>
+## rw any files inherited from another process
+## on new filesystems that have not yet been labeled.
+## </summary>
@@ -10522,17 +10738,40 @@ index f962f76..5c44da2 100644
+#
+interface(`files_rw_inherited_isid_type_files',`
+ gen_require(`
-+ type file_t;
-+ ')
-+
-+ allow $1 file_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ## Create, read, write, and delete block device nodes
- ## on new filesystems that have not yet been labeled.
- ## </summary>
++ type unlabeled_t;
+ ')
+
+- allow $1 file_t:blk_file rw_blk_file_perms;
++ allow $1 unlabeled_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -3484,10 +4114,10 @@ interface(`files_rw_isid_type_blk_files',`
+ #
+ interface(`files_manage_isid_type_blk_files',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- allow $1 file_t:blk_file manage_blk_file_perms;
++ allow $1 unlabeled_t:blk_file manage_blk_file_perms;
+ ')
+
+ ########################################
+@@ -3503,10 +4133,10 @@ interface(`files_manage_isid_type_blk_files',`
+ #
+ interface(`files_manage_isid_type_chr_files',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- allow $1 file_t:chr_file manage_chr_file_perms;
++ allow $1 unlabeled_t:chr_file manage_chr_file_perms;
+ ')
+
+ ########################################
@@ -3814,20 +4444,38 @@ interface(`files_list_mnt',`
######################################
@@ -10939,7 +11178,7 @@ index f962f76..5c44da2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4482,44 +5384,134 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4482,59 +5384,149 @@ interface(`files_setattr_all_tmp_dirs',`
## </summary>
## </param>
#
@@ -10989,19 +11228,23 @@ index f962f76..5c44da2 100644
## <summary>
-## Domain not to audit.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_all_tmp_files',`
+interface(`files_read_inherited_tmp_files',`
-+ gen_require(`
-+ attribute tmpfile;
-+ ')
-+
+ gen_require(`
+ attribute tmpfile;
+ ')
+
+- dontaudit $1 tmpfile:file getattr;
+ allow $1 tmpfile:file { append read_inherited_file_perms };
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Allow attempts to get the attributes
+-## of all tmp files.
+## Allow caller to append inherited tmp files.
+## </summary>
+## <param name="domain">
@@ -11084,9 +11327,24 @@ index f962f76..5c44da2 100644
+## <param name="domain">
+## <summary>
+## Domain to not audit.
- ## </summary>
- ## </param>
- #
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_getattr_all_tmp_files',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ dontaudit $1 tmpfile:file getattr;
++')
++
++########################################
++## <summary>
++## Allow attempts to get the attributes
++## of all tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
@@ -4579,7 +5571,7 @@ interface(`files_relabel_all_tmp_files',`
## </summary>
## <param name="domain">
@@ -11491,7 +11749,7 @@ index f962f76..5c44da2 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -6025,27 +7192,46 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,21 +7192,40 @@ interface(`files_dontaudit_search_pids',`
########################################
## <summary>
@@ -11515,13 +11773,11 @@ index f962f76..5c44da2 100644
')
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
+ dontaudit $1 pidfile:dir search_dir_perms;
- ')
-
- ########################################
- ## <summary>
--## Read generic process ID files.
++')
++
++########################################
++## <summary>
+## List the contents of the runtime process
+## ID directories (/var/run).
+## </summary>
@@ -11537,15 +11793,9 @@ index f962f76..5c44da2 100644
+ ')
+
+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
-+')
-+
-+########################################
-+## <summary>
-+## Read generic process ID files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
+ list_dirs_pattern($1, var_t, var_run_t)
+ ')
+
@@ -6058,7 +7244,7 @@ interface(`files_read_generic_pids',`
type var_t, var_run_t;
')
@@ -12829,7 +13079,7 @@ index f962f76..5c44da2 100644
+ allow $1 etc_t:service status;
')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 1a03abd..0335af9 100644
+index 1a03abd..dfcd2ad 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -5,12 +5,16 @@ policy_module(files, 1.18.1)
@@ -12849,7 +13099,7 @@ index 1a03abd..0335af9 100644
# For labeling types that are to be polyinstantiated
attribute polydir;
-@@ -48,28 +52,45 @@ attribute usercanread;
+@@ -48,47 +52,55 @@ attribute usercanread;
#
type boot_t;
files_mountpoint(boot_t)
@@ -12897,15 +13147,19 @@ index 1a03abd..0335af9 100644
files_type(etc_runtime_t)
#Temporarily in policy until FC5 dissappears
typealias etc_runtime_t alias firstboot_rw_t;
-@@ -81,6 +102,7 @@ typealias etc_runtime_t alias firstboot_rw_t;
- #
- type file_t;
- files_mountpoint(file_t)
-+files_base_file(file_t)
- kernel_rootfs_mountpoint(file_t)
- sid file gen_context(system_u:object_r:file_t,s0)
-@@ -89,6 +111,7 @@ sid file gen_context(system_u:object_r:file_t,s0)
+ #
+-# file_t is the default type of a file that has not yet been
+-# assigned an extended attribute (EA) value (when using a filesystem
+-# that supports EAs).
+-#
+-type file_t;
+-files_mountpoint(file_t)
+-kernel_rootfs_mountpoint(file_t)
+-sid file gen_context(system_u:object_r:file_t,s0)
+-
+-#
+ # home_root_t is the type for the directory where user home directories
# are created
#
type home_root_t;
@@ -12913,7 +13167,7 @@ index 1a03abd..0335af9 100644
files_mountpoint(home_root_t)
files_poly_parent(home_root_t)
-@@ -96,12 +119,13 @@ files_poly_parent(home_root_t)
+@@ -96,12 +108,13 @@ files_poly_parent(home_root_t)
# lost_found_t is the type for the lost+found directories.
#
type lost_found_t;
@@ -12928,7 +13182,7 @@ index 1a03abd..0335af9 100644
files_mountpoint(mnt_t)
#
-@@ -123,6 +147,7 @@ files_type(readable_t)
+@@ -123,6 +136,7 @@ files_type(readable_t)
# root_t is the type for rootfs and the root directory.
#
type root_t;
@@ -12936,7 +13190,7 @@ index 1a03abd..0335af9 100644
files_mountpoint(root_t)
files_poly_parent(root_t)
kernel_rootfs_mountpoint(root_t)
-@@ -133,45 +158,54 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
+@@ -133,45 +147,54 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
#
type src_t;
files_mountpoint(src_t)
@@ -12991,7 +13245,7 @@ index 1a03abd..0335af9 100644
files_lock_file(var_lock_t)
files_mountpoint(var_lock_t)
-@@ -180,6 +214,7 @@ files_mountpoint(var_lock_t)
+@@ -180,6 +203,7 @@ files_mountpoint(var_lock_t)
# used for pid and other runtime files.
#
type var_run_t;
@@ -12999,7 +13253,7 @@ index 1a03abd..0335af9 100644
files_pid_file(var_run_t)
files_mountpoint(var_run_t)
-@@ -187,7 +222,9 @@ files_mountpoint(var_run_t)
+@@ -187,7 +211,9 @@ files_mountpoint(var_run_t)
# var_spool_t is the type of /var/spool
#
type var_spool_t;
@@ -13009,7 +13263,7 @@ index 1a03abd..0335af9 100644
########################################
#
-@@ -224,12 +261,13 @@ fs_associate_tmpfs(tmpfsfile)
+@@ -224,12 +250,13 @@ fs_associate_tmpfs(tmpfsfile)
#
# Create/access any file in a labeled filesystem;
@@ -15284,7 +15538,7 @@ index e100d88..2b0a5b3 100644
+ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..88cbe95 100644
+index 8dbab4c..b33d885 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -15335,15 +15589,22 @@ index 8dbab4c..88cbe95 100644
# /proc/sys/dev directory and files
type sysctl_dev_t, sysctl_type;
genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
-@@ -165,6 +178,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
+@@ -165,6 +178,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
type unlabeled_t;
fs_associate(unlabeled_t)
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+allow unlabeled_t self:filesystem associate;
++
++# Need the following because we are type alias of file_t.
++files_mountpoint(unlabeled_t)
++files_base_file(unlabeled_t)
++kernel_rootfs_mountpoint(unlabeled_t)
++sid file gen_context(system_u:object_r:unlabeled_t,s0)
++typealias unlabeled_t alias file_t;
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -189,6 +203,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+@@ -189,6 +210,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
# kernel local policy
#
@@ -15351,7 +15612,7 @@ index 8dbab4c..88cbe95 100644
allow kernel_t self:capability ~sys_module;
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow kernel_t self:shm create_shm_perms;
-@@ -233,7 +248,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+@@ -233,7 +255,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
corenet_in_generic_if(unlabeled_t)
corenet_in_generic_node(unlabeled_t)
@@ -15359,7 +15620,7 @@ index 8dbab4c..88cbe95 100644
corenet_all_recvfrom_netlabel(kernel_t)
# Kernel-generated traffic e.g., ICMP replies:
corenet_raw_sendrecv_all_if(kernel_t)
-@@ -244,17 +258,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
+@@ -244,17 +265,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
corenet_tcp_sendrecv_all_nodes(kernel_t)
corenet_raw_send_generic_node(kernel_t)
corenet_send_all_packets(kernel_t)
@@ -15385,7 +15646,7 @@ index 8dbab4c..88cbe95 100644
# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
-@@ -263,7 +281,8 @@ fs_unmount_all_fs(kernel_t)
+@@ -263,7 +288,8 @@ fs_unmount_all_fs(kernel_t)
selinux_load_policy(kernel_t)
@@ -15395,7 +15656,7 @@ index 8dbab4c..88cbe95 100644
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -277,25 +296,49 @@ files_list_root(kernel_t)
+@@ -277,25 +303,49 @@ files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -15445,7 +15706,7 @@ index 8dbab4c..88cbe95 100644
')
optional_policy(`
-@@ -305,6 +348,19 @@ optional_policy(`
+@@ -305,6 +355,19 @@ optional_policy(`
optional_policy(`
logging_send_syslog_msg(kernel_t)
@@ -15465,7 +15726,7 @@ index 8dbab4c..88cbe95 100644
')
optional_policy(`
-@@ -312,6 +368,10 @@ optional_policy(`
+@@ -312,6 +375,10 @@ optional_policy(`
')
optional_policy(`
@@ -15476,7 +15737,7 @@ index 8dbab4c..88cbe95 100644
# nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything.
allow kernel_t self:tcp_socket create_stream_socket_perms;
-@@ -332,9 +392,6 @@ optional_policy(`
+@@ -332,9 +399,6 @@ optional_policy(`
sysnet_read_config(kernel_t)
@@ -15486,7 +15747,7 @@ index 8dbab4c..88cbe95 100644
rpc_udp_rw_nfs_sockets(kernel_t)
tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +400,7 @@ optional_policy(`
+@@ -343,9 +407,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@@ -15497,7 +15758,7 @@ index 8dbab4c..88cbe95 100644
')
tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +409,7 @@ optional_policy(`
+@@ -354,7 +416,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@@ -15506,7 +15767,7 @@ index 8dbab4c..88cbe95 100644
')
')
-@@ -367,6 +422,15 @@ optional_policy(`
+@@ -367,6 +429,15 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
@@ -15522,7 +15783,7 @@ index 8dbab4c..88cbe95 100644
########################################
#
# Unlabeled process local policy
-@@ -409,4 +473,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+@@ -409,4 +480,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index cf9c3c2..107f50a 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -71040,7 +71040,7 @@ index 951db7f..c0cabe8 100644
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
')
diff --git a/raid.te b/raid.te
-index c99753f..5e27523 100644
+index c99753f..2eb5455 100644
--- a/raid.te
+++ b/raid.te
@@ -15,6 +15,15 @@ role mdadm_roles types mdadm_t;
@@ -71059,7 +71059,7 @@ index c99753f..5e27523 100644
type mdadm_var_run_t alias mdadm_map_t;
files_pid_file(mdadm_var_run_t)
dev_associate(mdadm_var_run_t)
-@@ -25,23 +34,34 @@ dev_associate(mdadm_var_run_t)
+@@ -25,44 +34,64 @@ dev_associate(mdadm_var_run_t)
#
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
@@ -71098,10 +71098,12 @@ index c99753f..5e27523 100644
corecmd_exec_bin(mdadm_t)
corecmd_exec_shell(mdadm_t)
-@@ -49,20 +69,29 @@ corecmd_exec_shell(mdadm_t)
+
dev_rw_sysfs(mdadm_t)
- dev_dontaudit_getattr_all_blk_files(mdadm_t)
- dev_dontaudit_getattr_all_chr_files(mdadm_t)
+-dev_dontaudit_getattr_all_blk_files(mdadm_t)
+-dev_dontaudit_getattr_all_chr_files(mdadm_t)
++dev_dontaudit_read_all_blk_files(mdadm_t)
++dev_dontaudit_read_all_chr_files(mdadm_t)
+dev_read_crash(mdadm_t)
+dev_read_framebuffer(mdadm_t)
dev_read_realtime_clock(mdadm_t)
@@ -76722,7 +76724,7 @@ index 0bf13c2..d59aef7 100644
type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
diff --git a/rpc.te b/rpc.te
-index 2da9fca..11e7bfe 100644
+index 2da9fca..2497a03 100644
--- a/rpc.te
+++ b/rpc.te
@@ -6,22 +6,20 @@ policy_module(rpc, 1.15.1)
@@ -77028,7 +77030,7 @@ index 2da9fca..11e7bfe 100644
miscfiles_read_generic_certs(gssd_t)
userdom_signal_all_users(gssd_t)
-+userdom_read_all_users_keys(gssd_t)
++userdom_manage_all_users_keys(gssd_t)
-tunable_policy(`allow_gssd_read_tmp',`
+tunable_policy(`gssd_read_tmp',`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index bc8d8e5..bc5e146 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 12%{?dist}
+Release: 13%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -576,7 +576,10 @@ SELinux Reference policy mls base module.
%endif
%changelog
-* Mon Jan 9 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-12
+* Mon Jan 13 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-13
+- Remove file_t from the system and realias it with unlabeled_t
+
+* Thu Jan 9 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-12
- Add gluster fixes
- Remove ability to transition to unconfined_t from confined domains
- Additional allow rules to get libvirt-lxc containers working with docker