diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 5bf5064..013c2b7 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index b4a8532..ec2e279 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -19566,7 +19566,7 @@ index e100d88..65a3b6d 100644
 +')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..a85c5d7 100644
+index 8dbab4c..7c405f5 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -19722,7 +19722,7 @@ index 8dbab4c..a85c5d7 100644
  
  corecmd_exec_shell(kernel_t)
  corecmd_list_bin(kernel_t)
-@@ -277,25 +315,54 @@ files_list_root(kernel_t)
+@@ -277,13 +315,23 @@ files_list_root(kernel_t)
  files_list_etc(kernel_t)
  files_list_home(kernel_t)
  files_read_usr_files(kernel_t)
@@ -19746,11 +19746,10 @@ index 8dbab4c..a85c5d7 100644
  
  ifdef(`distro_redhat',`
  	# Bugzilla 222337
- 	fs_rw_tmpfs_chr_files(kernel_t)
+@@ -291,11 +339,29 @@ ifdef(`distro_redhat',`
  ')
  
-+
-+optional_policy(`
+ optional_policy(`
 +    abrt_filetrans_named_content(kernel_t)
 +    abrt_dump_oops_domtrans(kernel_t)
 +')
@@ -19767,7 +19766,7 @@ index 8dbab4c..a85c5d7 100644
 +	kerberos_filetrans_home_content(kernel_t)
 +')
 +
- optional_policy(`
++optional_policy(`
  	hotplug_search_config(kernel_t)
  ')
  
@@ -19777,7 +19776,7 @@ index 8dbab4c..a85c5d7 100644
  ')
  
  optional_policy(`
-@@ -305,6 +372,19 @@ optional_policy(`
+@@ -305,6 +371,19 @@ optional_policy(`
  
  optional_policy(`
  	logging_send_syslog_msg(kernel_t)
@@ -19797,7 +19796,7 @@ index 8dbab4c..a85c5d7 100644
  ')
  
  optional_policy(`
-@@ -312,6 +392,11 @@ optional_policy(`
+@@ -312,6 +391,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19809,7 +19808,7 @@ index 8dbab4c..a85c5d7 100644
  	# nfs kernel server needs kernel UDP access. It is less risky and painful
  	# to just give it everything.
  	allow kernel_t self:tcp_socket create_stream_socket_perms;
-@@ -332,9 +417,6 @@ optional_policy(`
+@@ -332,9 +416,6 @@ optional_policy(`
  
  	sysnet_read_config(kernel_t)
  
@@ -19819,7 +19818,7 @@ index 8dbab4c..a85c5d7 100644
  	rpc_udp_rw_nfs_sockets(kernel_t)
  
  	tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +425,7 @@ optional_policy(`
+@@ -343,9 +424,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -19830,7 +19829,7 @@ index 8dbab4c..a85c5d7 100644
  	')
  
  	tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +434,7 @@ optional_policy(`
+@@ -354,7 +433,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -19839,7 +19838,14 @@ index 8dbab4c..a85c5d7 100644
  	')
  ')
  
-@@ -367,6 +447,15 @@ optional_policy(`
+@@ -364,9 +443,22 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	systemd_coredump_domtrans(kernel_t)
++')
++
++optional_policy(`
  	unconfined_domain_noaudit(kernel_t)
  ')
  
@@ -19855,7 +19861,7 @@ index 8dbab4c..a85c5d7 100644
  ########################################
  #
  # Unlabeled process local policy
-@@ -399,14 +488,39 @@ if( ! secure_mode_insmod ) {
+@@ -399,14 +491,39 @@ if( ! secure_mode_insmod ) {
  # Rules for unconfined acccess to this module
  #
  
@@ -37265,10 +37271,10 @@ index 446fa99..22f539c 100644
 +	plymouthd_exec_plymouth(sulogin_t)
  ')
 diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index b50c5fe..13da95a 100644
+index b50c5fe..5c39fe5 100644
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
-@@ -1,11 +1,14 @@
+@@ -1,11 +1,15 @@
 -/dev/log		-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 +/dev/log		-l	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
  
@@ -37280,11 +37286,12 @@ index b50c5fe..13da95a 100644
  /etc/rc\.d/init\.d/rsyslog --	gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
  
 +/usr/lib/systemd/system/auditd.*	--	gen_context(system_u:object_r:auditd_unit_file_t,s0)
++/usr/lib/systemd/system/syslogd.*	--	gen_context(system_u:object_r:syslogd_unit_file_t,s0)
 +
  /sbin/audispd		--	gen_context(system_u:object_r:audisp_exec_t,s0)
  /sbin/audisp-remote	--	gen_context(system_u:object_r:audisp_remote_exec_t,s0)
  /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
-@@ -17,12 +20,25 @@
+@@ -17,12 +21,25 @@
  /sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
  /sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
  
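Review bot: The added file-context pattern `/usr/lib/systemd/system/syslogd.*` only matches unit files whose names begin with `syslogd`, while the daemons this file labels elsewhere are rsyslog (`/etc/rc\.d/init\.d/rsyslog`) and syslog-ng (`/sbin/syslog-ng`). If their units are installed as `rsyslog.service` or `syslog-ng.service` (not visible here, so worth checking against the packages), they will not receive `syslogd_unit_file_t`, and the `logging_systemctl_syslogd` interface added in logging.if will not cover them. Additional entries in the style of `/usr/lib/systemd/system/rsyslog.*` with the same context would close that gap.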
@@ -37311,7 +37318,7 @@ index b50c5fe..13da95a 100644
  
  /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
  /var/lib/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
-@@ -38,21 +54,22 @@ ifdef(`distro_suse', `
+@@ -38,21 +55,22 @@ ifdef(`distro_suse', `
  
  /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
  /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
@@ -37337,7 +37344,7 @@ index b50c5fe..13da95a 100644
  ')
  
  /var/run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
-@@ -65,11 +82,16 @@ ifdef(`distro_redhat',`
+@@ -65,11 +83,16 @@ ifdef(`distro_redhat',`
  /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
  /var/run/syslog-ng.ctl	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
  /var/run/syslog-ng(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,s0)
@@ -37356,7 +37363,7 @@ index b50c5fe..13da95a 100644
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 +
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e94884..3c33045 100644
+index 4e94884..41a18bc 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
 @@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -37470,21 +37477,14 @@ index 4e94884..3c33045 100644
 +interface(`logging_create_devlog_dev',`
 +	gen_require(`
 +		type devlog_t;
- 	')
- 
--	allow $1 devlog_t:lnk_file read_lnk_file_perms;
--	allow $1 devlog_t:sock_file write_sock_file_perms;
++	')
++
 +	allow $1 devlog_t:lnk_file manage_lnk_file_perms;
 +	dev_filetrans($1, devlog_t, lnk_file, "log")
 +	init_pid_filetrans($1, devlog_t, sock_file, "syslog")
 +    logging_syslogd_pid_filetrans($1, devlog_t, sock_file, "dev-log")
 +')
- 
--	# the type of socket depends on the syslog daemon
--	allow $1 syslogd_t:unix_dgram_socket sendto;
--	allow $1 syslogd_t:unix_stream_socket connectto;
--	allow $1 self:unix_dgram_socket create_socket_perms;
--	allow $1 self:unix_stream_socket create_socket_perms;
++
 +########################################
 +## <summary>
 +##	Relabel the devlog sock_file.
@@ -37498,16 +37498,19 @@ index 4e94884..3c33045 100644
 +interface(`logging_relabel_devlog_dev',`
 +	gen_require(`
 +		type devlog_t;
-+	')
+ 	')
  
--	# If syslog is down, the glibc syslog() function
--	# will write to the console.
--	term_write_console($1)
--	term_dontaudit_read_console($1)
+-	allow $1 devlog_t:lnk_file read_lnk_file_perms;
+-	allow $1 devlog_t:sock_file write_sock_file_perms;
 +	allow $1 devlog_t:sock_file relabel_sock_file_perms;
 +	allow $1 devlog_t:lnk_file relabelto_lnk_file_perms;
 +')
-+
+ 
+-	# the type of socket depends on the syslog daemon
+-	allow $1 syslogd_t:unix_dgram_socket sendto;
+-	allow $1 syslogd_t:unix_stream_socket connectto;
+-	allow $1 self:unix_dgram_socket create_socket_perms;
+-	allow $1 self:unix_stream_socket create_socket_perms;
 +########################################
 +## <summary>
 +##	Allow domain to read the syslog pid files.
@@ -37522,7 +37525,11 @@ index 4e94884..3c33045 100644
 +	gen_require(`
 +		type syslogd_var_run_t;
 +	')
-+
+ 
+-	# If syslog is down, the glibc syslog() function
+-	# will write to the console.
+-	term_write_console($1)
+-	term_dontaudit_read_console($1)
 +    read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 +    list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 +')
@@ -37767,7 +37774,7 @@ index 4e94884..3c33045 100644
  	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
  	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
  
-@@ -1004,6 +1286,33 @@ interface(`logging_admin_audit',`
+@@ -1004,6 +1286,55 @@ interface(`logging_admin_audit',`
  	domain_system_change_exemption($1)
  	role_transition $2 auditd_initrc_exec_t system_r;
  	allow $2 system_r;
@@ -37798,10 +37805,32 @@ index 4e94884..3c33045 100644
 +	allow $1 auditd_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, auditd_t)
++')
++########################################
++## <summary>
++##	Execute auditd server in the auditd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`logging_systemctl_syslogd',`
++	gen_require(`
++		type syslogd_t;
++		type syslogd_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 syslogd_unit_file_t:file read_file_perms;
++	allow $1 syslog_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, syslogd_t)
  ')
  
  ########################################
-@@ -1032,10 +1341,15 @@ interface(`logging_admin_syslog',`
+@@ -1032,10 +1363,15 @@ interface(`logging_admin_syslog',`
  		type syslogd_initrc_exec_t;
  	')
  
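Review bot: In the added `logging_systemctl_syslogd` interface the service rule names `syslog_unit_file_t`, while `gen_require` and the file rule above it use `syslogd_unit_file_t`; the undeclared name looks like a typo and the line should read `allow $1 syslogd_unit_file_t:service manage_service_perms;`. As written the interface would presumably fail policy compilation, or at least not grant service permissions on the intended type, and the logrotate.te hunk in policy-rawhide-contrib.patch calls it for `logrotate_t`. The summary above it still reads `Execute auditd server in the auditd domain.`, carried over from the auditd interface; something like `Execute systemctl to manage the syslogd service.` would match the rules. A blank line before the `####` banner would also separate it from the preceding interface.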
@@ -37819,7 +37848,7 @@ index 4e94884..3c33045 100644
  
  	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
  	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
-@@ -1057,6 +1371,8 @@ interface(`logging_admin_syslog',`
+@@ -1057,6 +1393,8 @@ interface(`logging_admin_syslog',`
  	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
  
  	logging_manage_all_logs($1)
@@ -37828,7 +37857,7 @@ index 4e94884..3c33045 100644
  
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -1085,3 +1401,90 @@ interface(`logging_admin',`
+@@ -1085,3 +1423,90 @@ interface(`logging_admin',`
  	logging_admin_audit($1, $2)
  	logging_admin_syslog($1, $2)
  ')
@@ -37920,7 +37949,7 @@ index 4e94884..3c33045 100644
 +	filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4)
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..e1ec2e8 100644
+index 59b04c1..6810e0b 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1)
@@ -37979,7 +38008,7 @@ index 59b04c1..e1ec2e8 100644
  
  type syslogd_initrc_exec_t;
  init_script_file(syslogd_initrc_exec_t)
-@@ -71,11 +99,15 @@ init_script_file(syslogd_initrc_exec_t)
+@@ -71,16 +99,23 @@ init_script_file(syslogd_initrc_exec_t)
  type syslogd_tmp_t;
  files_tmp_file(syslogd_tmp_t)
  
@@ -37995,7 +38024,15 @@ index 59b04c1..e1ec2e8 100644
  
  type var_log_t;
  logging_log_file(var_log_t)
-@@ -94,6 +126,8 @@ ifdef(`enable_mls',`
+ files_mountpoint(var_log_t)
+ 
++type syslogd_unit_file_t;
++systemd_unit_file(syslogd_unit_file_t)
++
+ ifdef(`enable_mls',`
+ 	init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
+ 	init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
+@@ -94,6 +129,8 @@ ifdef(`enable_mls',`
  allow auditctl_t self:capability { fsetid dac_read_search dac_override };
  allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
  
@@ -38004,7 +38041,7 @@ index 59b04c1..e1ec2e8 100644
  read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
  allow auditctl_t auditd_etc_t:dir list_dir_perms;
  
-@@ -111,7 +145,9 @@ domain_use_interactive_fds(auditctl_t)
+@@ -111,7 +148,9 @@ domain_use_interactive_fds(auditctl_t)
  
  mls_file_read_all_levels(auditctl_t)
  
@@ -38015,7 +38052,7 @@ index 59b04c1..e1ec2e8 100644
  
  init_dontaudit_use_fds(auditctl_t)
  
-@@ -136,9 +172,10 @@ allow auditd_t self:tcp_socket create_stream_socket_perms;
+@@ -136,9 +175,10 @@ allow auditd_t self:tcp_socket create_stream_socket_perms;
  allow auditd_t auditd_etc_t:dir list_dir_perms;
  allow auditd_t auditd_etc_t:file read_file_perms;
  
@@ -38027,7 +38064,7 @@ index 59b04c1..e1ec2e8 100644
  
  manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
  manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
-@@ -148,6 +185,7 @@ kernel_read_kernel_sysctls(auditd_t)
+@@ -148,6 +188,7 @@ kernel_read_kernel_sysctls(auditd_t)
  # Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
  # Probably want a transition, and a new auditd_helper app
  kernel_read_system_state(auditd_t)
@@ -38035,7 +38072,7 @@ index 59b04c1..e1ec2e8 100644
  
  dev_read_sysfs(auditd_t)
  
-@@ -155,9 +193,6 @@ fs_getattr_all_fs(auditd_t)
+@@ -155,9 +196,6 @@ fs_getattr_all_fs(auditd_t)
  fs_search_auto_mountpoints(auditd_t)
  fs_rw_anon_inodefs_files(auditd_t)
  
@@ -38045,7 +38082,7 @@ index 59b04c1..e1ec2e8 100644
  corenet_all_recvfrom_netlabel(auditd_t)
  corenet_tcp_sendrecv_generic_if(auditd_t)
  corenet_tcp_sendrecv_generic_node(auditd_t)
-@@ -183,16 +218,17 @@ logging_send_syslog_msg(auditd_t)
+@@ -183,16 +221,17 @@ logging_send_syslog_msg(auditd_t)
  logging_domtrans_dispatcher(auditd_t)
  logging_signal_dispatcher(auditd_t)
  
@@ -38067,7 +38104,7 @@ index 59b04c1..e1ec2e8 100644
  userdom_dontaudit_use_unpriv_user_fds(auditd_t)
  userdom_dontaudit_search_user_home_dirs(auditd_t)
  
-@@ -237,19 +273,29 @@ corecmd_exec_shell(audisp_t)
+@@ -237,19 +276,29 @@ corecmd_exec_shell(audisp_t)
  
  domain_use_interactive_fds(audisp_t)
  
@@ -38099,7 +38136,7 @@ index 59b04c1..e1ec2e8 100644
  ')
  
  ########################################
-@@ -266,9 +312,10 @@ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+@@ -266,9 +315,10 @@ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
  manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
  files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
  
@@ -38111,7 +38148,7 @@ index 59b04c1..e1ec2e8 100644
  corenet_all_recvfrom_netlabel(audisp_remote_t)
  corenet_tcp_sendrecv_generic_if(audisp_remote_t)
  corenet_tcp_sendrecv_generic_node(audisp_remote_t)
-@@ -280,13 +327,26 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -280,13 +330,26 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
  
  files_read_etc_files(audisp_remote_t)
  
@@ -38139,7 +38176,7 @@ index 59b04c1..e1ec2e8 100644
  ########################################
  #
  # klogd local policy
-@@ -326,7 +386,6 @@ files_read_etc_files(klogd_t)
+@@ -326,7 +389,6 @@ files_read_etc_files(klogd_t)
  
  logging_send_syslog_msg(klogd_t)
  
@@ -38147,7 +38184,7 @@ index 59b04c1..e1ec2e8 100644
  
  mls_file_read_all_levels(klogd_t)
  
-@@ -355,13 +414,12 @@ optional_policy(`
+@@ -355,13 +417,12 @@ optional_policy(`
  # sys_admin for the integrated klog of syslog-ng and metalog
  # sys_nice for rsyslog
  # cjp: why net_admin!
@@ -38164,7 +38201,7 @@ index 59b04c1..e1ec2e8 100644
  # receive messages to be logged
  allow syslogd_t self:unix_dgram_socket create_socket_perms;
  allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -369,11 +427,15 @@ allow syslogd_t self:unix_dgram_socket sendto;
+@@ -369,11 +430,15 @@ allow syslogd_t self:unix_dgram_socket sendto;
  allow syslogd_t self:fifo_file rw_fifo_file_perms;
  allow syslogd_t self:udp_socket create_socket_perms;
  allow syslogd_t self:tcp_socket create_stream_socket_perms;
@@ -38181,7 +38218,7 @@ index 59b04c1..e1ec2e8 100644
  files_pid_filetrans(syslogd_t, devlog_t, sock_file)
  
  # create/append log files.
-@@ -389,30 +451,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -389,30 +454,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
  
@@ -38232,7 +38269,7 @@ index 59b04c1..e1ec2e8 100644
  # syslog-ng can listen and connect on tcp port 514 (rsh)
  corenet_tcp_sendrecv_generic_if(syslogd_t)
  corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -422,6 +501,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -422,6 +504,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
  corenet_tcp_connect_rsh_port(syslogd_t)
  # Allow users to define additional syslog ports to connect to
  corenet_tcp_bind_syslogd_port(syslogd_t)
@@ -38241,7 +38278,7 @@ index 59b04c1..e1ec2e8 100644
  corenet_tcp_connect_syslogd_port(syslogd_t)
  corenet_tcp_connect_postgresql_port(syslogd_t)
  corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -432,9 +513,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -432,9 +516,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
  corenet_sendrecv_postgresql_client_packets(syslogd_t)
  corenet_sendrecv_mysqld_client_packets(syslogd_t)
  
@@ -38275,7 +38312,7 @@ index 59b04c1..e1ec2e8 100644
  domain_use_interactive_fds(syslogd_t)
  
  files_read_etc_files(syslogd_t)
-@@ -448,13 +552,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+@@ -448,13 +555,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
  
  fs_getattr_all_fs(syslogd_t)
  fs_search_auto_mountpoints(syslogd_t)
@@ -38293,7 +38330,7 @@ index 59b04c1..e1ec2e8 100644
  # for sending messages to logged in users
  init_read_utmp(syslogd_t)
  init_dontaudit_write_utmp(syslogd_t)
-@@ -466,11 +574,12 @@ init_use_fds(syslogd_t)
+@@ -466,11 +577,12 @@ init_use_fds(syslogd_t)
  
  # cjp: this doesnt make sense
  logging_send_syslog_msg(syslogd_t)
@@ -38309,7 +38346,7 @@ index 59b04c1..e1ec2e8 100644
  
  ifdef(`distro_gentoo',`
  	# default gentoo syslog-ng config appends kernel
-@@ -497,6 +606,7 @@ optional_policy(`
+@@ -497,6 +609,7 @@ optional_policy(`
  optional_policy(`
  	cron_manage_log_files(syslogd_t)
  	cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
@@ -38317,7 +38354,7 @@ index 59b04c1..e1ec2e8 100644
  ')
  
  optional_policy(`
-@@ -507,15 +617,40 @@ optional_policy(`
+@@ -507,15 +620,44 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38354,11 +38391,15 @@ index 59b04c1..e1ec2e8 100644
 +')
 +
 +optional_policy(`
++	systemd_rw_coredump_tmpfs_files(syslogd_t)
++')
++
++optional_policy(`
 +    daemontools_search_svc_dir(syslogd_t)
  ')
  
  optional_policy(`
-@@ -526,3 +661,26 @@ optional_policy(`
+@@ -526,3 +668,26 @@ optional_policy(`
  	# log to the xconsole
  	xserver_rw_console(syslogd_t)
  ')
@@ -43551,10 +43592,10 @@ index a392fc4..78fa512 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..884ac5c
+index 0000000..b53de2b
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,59 @@
+@@ -0,0 +1,61 @@
 +HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_home_t,s0)
 +/root/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_home_t,s0)
 +
@@ -43565,6 +43606,7 @@ index 0000000..884ac5c
 +/bin/systemctl					--	gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
 +/bin/systemd-tty-ask-password-agent		--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
 +/bin/systemd-tmpfiles				--		gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
++/bin/systemd-coredump		--	gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
 +
 +/usr/bin/systemctl				--	gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
 +/usr/bin/systemd-gnome-ask-password-agent	--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
@@ -43596,6 +43638,7 @@ index 0000000..884ac5c
 +/usr/lib/systemd/systemd-logger	--	gen_context(system_u:object_r:systemd_logger_exec_t,s0)
 +/usr/lib/systemd/systemd-networkd   --  gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
 +/usr/lib/systemd/systemd-tmpfiles --	gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
++/usr/lib/systemd/systemd-coredump	--	gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
 +
 +/var/lib/machines(/.*)?			gen_context(system_u:object_r:systemd_machined_var_lib_t,s0)
 +/var/lib/systemd/rfkill(/.*)?         gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
@@ -43616,10 +43659,10 @@ index 0000000..884ac5c
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..c253b33
+index 0000000..300bf59
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1640 @@
+@@ -0,0 +1,1676 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@@ -45260,12 +45303,48 @@ index 0000000..c253b33
 +	allow systemd_machined_t $1:dbus send_msg;
 +	ps_process_pattern(systemd_machined_t, $1)
 +')
++
++#######################################
++## <summary>
++##  Execute a domain transition to run systemd-coredump.
++## </summary>
++## <param name="domain">
++## <summary>
++##  Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_coredump_domtrans',`
++    gen_require(`
++        type systemd_coredump_t, systemd_coredump_exec_t;
++    ')
++
++    domtrans_pattern($1, systemd_coredump_exec_t, systemd_coredump_t)
++')
++
++########################################
++## <summary>
++##	Read and write to systemd-coredump temporary file system.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_rw_coredump_tmpfs_files',`
++	gen_require(`
++		type systemd_coredump_tmpfs_t;
++	')
++
++	allow $1 systemd_coredump_tmpfs_t:file rw_file_perms;
++')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..b4a073f
+index 0000000..eb1b3c3
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,825 @@
+@@ -0,0 +1,842 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -45301,6 +45380,11 @@ index 0000000..b4a073f
 +files_security_file(random_seed_t)
 +files_mountpoint(random_seed_t)
 +
++systemd_domain_template(systemd_coredump)
++
++type systemd_coredump_tmpfs_t;
++files_tmpfs_file(systemd_coredump_tmpfs_t)
++
 +systemd_domain_template(systemd_networkd)
 +
 +type systemd_networkd_unit_file_t;
@@ -46052,6 +46136,18 @@ index 0000000..b4a073f
 +
 +logging_send_syslog_msg(systemd_sysctl_t)
 +
++#######################################
++#
++# systemd_coredump domains
++#
++
++manage_files_pattern(systemd_coredump_t, systemd_coredump_tmpfs_t, systemd_coredump_tmpfs_t)
++fs_tmpfs_filetrans(systemd_coredump_t, systemd_coredump_tmpfs_t, file )
++
++optional_policy(`
++	unconfined_domain(systemd_coredump_t)
++')
++
 +########################################
 +#
 +# Common rules for systemd domains
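Review bot: The new `systemd_coredump_t` section grants `unconfined_domain(systemd_coredump_t)` as its only policy besides the tmpfs rules, so whenever the unconfined module is present the type provides labeling but no confinement. The kernel.te hunk in this same patch adds `systemd_coredump_domtrans(kernel_t)`, and a core-dump handler reads memory images of arbitrary crashed processes, so this is a domain where explicit allow rules are worth the effort. If the unconfined grant is a stopgap, a comment above it would make that visible, e.g. `# FIXME: unconfined until the accesses systemd-coredump needs are collected; replace with explicit rules`.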
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 90745cc..c84486c 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -13298,7 +13298,7 @@ index 32e8265..c5a2913 100644
 +	allow $1 chronyd_unit_file_t:service all_service_perms;
  ')
 diff --git a/chronyd.te b/chronyd.te
-index e5b621c..135100a 100644
+index e5b621c..74e168f 100644
 --- a/chronyd.te
 +++ b/chronyd.te
 @@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@@ -13329,7 +13329,7 @@ index e5b621c..135100a 100644
  allow chronyd_t chronyd_keys_t:file read_file_perms;
  
  manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
-@@ -76,18 +83,38 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+@@ -76,18 +83,41 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
  corenet_udp_bind_chronyd_port(chronyd_t)
  corenet_udp_sendrecv_chronyd_port(chronyd_t)
  
@@ -13355,6 +13355,9 @@ index e5b621c..135100a 100644
 +systemd_exec_systemctl(chronyd_t)
 +
 +userdom_dgram_send(chronyd_t)
++
++optional_policy(`
++	dbus_system_bus_client(chronyd_t)
  
  optional_policy(`
  	gpsd_rw_shm(chronyd_t)
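Review bot: The added optional_policy block around `dbus_system_bus_client(chronyd_t)` is never closed: the call is followed by a blank context line and then the existing optional_policy block for `gpsd_rw_shm(chronyd_t)`. Unless a matching `')` exists outside what this hunk shows, the m4 quoting in chronyd.te is unbalanced and the gpsd block ends up nested inside the dbus one. Add a `')` line directly after `dbus_system_bus_client(chronyd_t)`, and update the inner hunk's line count to match.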
@@ -16066,7 +16069,7 @@ index 881d92f..a2d588a 100644
 +	')
  ')
 diff --git a/condor.te b/condor.te
-index ce9f040..32ebb0c 100644
+index ce9f040..dc29445 100644
 --- a/condor.te
 +++ b/condor.te
 @@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t)
@@ -16144,7 +16147,7 @@ index ce9f040..32ebb0c 100644
  #
  
 -allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
-+allow condor_master_t self:capability { setuid setgid sys_ptrace };
++allow condor_master_t self:capability { chown setuid setgid sys_ptrace };
  
  allow condor_master_t condor_domain:process { sigkill signal };
  
@@ -19829,10 +19832,10 @@ index 8401fe6..d58f3e7 100644
  
  /var/spool/ctdb(/.*)?	gen_context(system_u:object_r:ctdbd_spool_t,s0)
 diff --git a/ctdb.if b/ctdb.if
-index b25b01d..6b7d687 100644
+index b25b01d..06895f3 100644
 --- a/ctdb.if
 +++ b/ctdb.if
-@@ -1,9 +1,161 @@
+@@ -1,9 +1,178 @@
 -## <summary>Clustered Database based on Samba Trivial Database.</summary>
 +
 +## <summary>policy for ctdbd</summary>
@@ -19891,6 +19894,23 @@ index b25b01d..6b7d687 100644
 +        allow $1 ctdbd_t:process signal;
 +')
 +
++#######################################
++## <summary>
++##  Allow domain to sigchld ctdbd.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`ctdbd_sigchld',`
++    gen_require(`
++        type ctdbd_t;
++    ')
++        allow $1 ctdbd_t:process sigchld;
++')
++
 +########################################
 +## <summary>
 +##	Read ctdbd's log files.
@@ -19997,7 +20017,7 @@ index b25b01d..6b7d687 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -17,13 +169,12 @@ interface(`ctdbd_manage_lib_files',`
+@@ -17,13 +186,12 @@ interface(`ctdbd_manage_lib_files',`
  	')
  
  	files_search_var_lib($1)
@@ -20014,7 +20034,7 @@ index b25b01d..6b7d687 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -31,19 +182,58 @@ interface(`ctdbd_manage_lib_files',`
+@@ -31,19 +199,58 @@ interface(`ctdbd_manage_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -20078,7 +20098,7 @@ index b25b01d..6b7d687 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -57,16 +247,19 @@ interface(`ctdbd_stream_connect',`
+@@ -57,16 +264,19 @@ interface(`ctdbd_stream_connect',`
  ## </param>
  ## <rolecap/>
  #
@@ -20102,7 +20122,7 @@ index b25b01d..6b7d687 100644
  	domain_system_change_exemption($1)
  	role_transition $2 ctdbd_initrc_exec_t system_r;
  	allow $2 system_r;
-@@ -74,12 +267,10 @@ interface(`ctdb_admin',`
+@@ -74,12 +284,10 @@ interface(`ctdb_admin',`
  	logging_search_logs($1)
  	admin_pattern($1, ctdbd_log_t)
  
@@ -37248,10 +37268,10 @@ index 0000000..61f2003
 +userdom_use_user_terminals(iotop_t)
 diff --git a/ipa.fc b/ipa.fc
 new file mode 100644
-index 0000000..749756a
+index 0000000..3a71430
 --- /dev/null
 +++ b/ipa.fc
-@@ -0,0 +1,11 @@
+@@ -0,0 +1,13 @@
 +/usr/lib/systemd/system/ipa-otpd.*		--	gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
 +
 +/usr/libexec/ipa-otpd		--	gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
@@ -37261,6 +37281,8 @@ index 0000000..749756a
 +
 +/var/lib/ipa(/.*)?              gen_context(system_u:object_r:ipa_var_lib_t,s0)
 +
++/var/log/ipareplica-conncheck.log	--	gen_context(system_u:object_r:ipa_log_t,s0)
++
 +/var/run/ipa(/.*)?              gen_context(system_u:object_r:ipa_var_run_t,s0)
 +
 diff --git a/ipa.if b/ipa.if
@@ -37449,10 +37471,10 @@ index 0000000..904782d
 +')
 diff --git a/ipa.te b/ipa.te
 new file mode 100644
-index 0000000..694c092
+index 0000000..af46439
 --- /dev/null
 +++ b/ipa.te
-@@ -0,0 +1,122 @@
+@@ -0,0 +1,130 @@
 +policy_module(ipa, 1.0.0)
 +
 +########################################
@@ -37472,6 +37494,9 @@ index 0000000..694c092
 +type ipa_otpd_unit_file_t;
 +systemd_unit_file(ipa_otpd_unit_file_t)
 +
++type ipa_log_t;
++logging_log_file(ipa_log_t)
++
 +type ipa_var_lib_t;
 +files_type(ipa_var_lib_t)
 +
@@ -37529,10 +37554,15 @@ index 0000000..694c092
 +allow ipa_helper_t self:fifo_file rw_fifo_file_perms;
 +allow ipa_helper_t self:netlink_route_socket r_netlink_socket_perms;
 +
++manage_files_pattern(ipa_helper_t, ipa_log_t, ipa_log_t)
++logging_log_filetrans(ipa_helper_t, ipa_log_t, file)
++
 +kernel_read_system_state(ipa_helper_t)
 +
 +corenet_tcp_connect_ldap_port(ipa_helper_t)
 +corenet_tcp_connect_smbd_port(ipa_helper_t)
++corenet_tcp_connect_http_port(ipa_helper_t)
++corenet_tcp_connect_kerberos_password_port(ipa_helper_t)
 +
 +corecmd_exec_bin(ipa_helper_t)
 +corecmd_exec_shell(ipa_helper_t)
@@ -40563,10 +40593,10 @@ index 0000000..bd7e7fa
 +')
 diff --git a/keepalived.te b/keepalived.te
 new file mode 100644
-index 0000000..20adcb3
+index 0000000..8ab40b5
 --- /dev/null
 +++ b/keepalived.te
-@@ -0,0 +1,90 @@
+@@ -0,0 +1,91 @@
 +policy_module(keepalived, 1.0.0)
 +
 +########################################
@@ -40613,6 +40643,7 @@ index 0000000..20adcb3
 +
 +corenet_tcp_connect_connlcli_port(keepalived_t)
 +corenet_tcp_connect_http_port(keepalived_t)
++corenet_tcp_connect_mysqld_port(keepalived_t)
 +corenet_tcp_connect_smtp_port(keepalived_t)
 +corenet_tcp_connect_snmp_port(keepalived_t)
 +corenet_tcp_connect_agentx_port(keepalived_t)
@@ -44665,7 +44696,7 @@ index dd8e01a..9cd6b0b 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index be0ab84..08c168f 100644
+index be0ab84..24e669e 100644
 --- a/logrotate.te
 +++ b/logrotate.te
 @@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0)
@@ -44787,7 +44818,7 @@ index be0ab84..08c168f 100644
  files_manage_generic_spool(logrotate_t)
  files_manage_generic_spool_dirs(logrotate_t)
  files_getattr_generic_locks(logrotate_t)
-@@ -95,32 +123,51 @@ mls_process_write_to_clearance(logrotate_t)
+@@ -95,32 +123,52 @@ mls_process_write_to_clearance(logrotate_t)
  selinux_get_fs_mount(logrotate_t)
  selinux_get_enforce_mode(logrotate_t)
  
@@ -44804,6 +44835,7 @@ index be0ab84..08c168f 100644
  logging_send_audit_msgs(logrotate_t)
 +# cjp: why is this needed?
  logging_exec_all_logs(logrotate_t)
++logging_systemctl_syslogd(logrotate_t)
  
 -miscfiles_read_localization(logrotate_t)
 +systemd_exec_systemctl(logrotate_t)
@@ -44845,7 +44877,7 @@ index be0ab84..08c168f 100644
  ')
  
  optional_policy(`
-@@ -135,16 +182,17 @@ optional_policy(`
+@@ -135,16 +183,17 @@ optional_policy(`
  
  optional_policy(`
  	apache_read_config(logrotate_t)
@@ -44865,7 +44897,7 @@ index be0ab84..08c168f 100644
  ')
  
  optional_policy(`
-@@ -170,6 +218,11 @@ optional_policy(`
+@@ -170,6 +219,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44877,7 +44909,7 @@ index be0ab84..08c168f 100644
  	fail2ban_stream_connect(logrotate_t)
  ')
  
-@@ -178,7 +231,7 @@ optional_policy(`
+@@ -178,7 +232,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44886,7 +44918,7 @@ index be0ab84..08c168f 100644
  ')
  
  optional_policy(`
-@@ -198,17 +251,18 @@ optional_policy(`
+@@ -198,17 +252,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44908,7 +44940,7 @@ index be0ab84..08c168f 100644
  ')
  
  optional_policy(`
-@@ -216,6 +270,14 @@ optional_policy(`
+@@ -216,6 +271,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44923,7 +44955,7 @@ index be0ab84..08c168f 100644
  	samba_exec_log(logrotate_t)
  ')
  
-@@ -228,26 +290,43 @@ optional_policy(`
+@@ -228,26 +291,43 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59456,10 +59488,10 @@ index bcd7d0a..0188086 100644
 +	unconfined_dontaudit_rw_packet_sockets(nscd_t)
 +')
 diff --git a/nsd.fc b/nsd.fc
-index 4f2b1b6..5348e92 100644
+index 4f2b1b6..adea830 100644
 --- a/nsd.fc
 +++ b/nsd.fc
-@@ -1,16 +1,13 @@
+@@ -1,16 +1,17 @@
 -/etc/rc\.d/init\.d/nsd	--	gen_context(system_u:object_r:nsd_initrc_exec_t,s0)
  
 -/etc/nsd(/.*)?	gen_context(system_u:object_r:nsd_conf_t,s0)
@@ -59480,6 +59512,10 @@ index 4f2b1b6..5348e92 100644
 -/var/lib/nsd(/.*)?	gen_context(system_u:object_r:nsd_zone_t,s0)
 -/var/lib/nsd/nsd\.db	--	gen_context(system_u:object_r:nsd_db_t,s0)
 +/usr/sbin/zonec		--	gen_context(system_u:object_r:nsd_exec_t,s0)
++/usr/sbin/nsd-checkconf		--	gen_context(system_u:object_r:nsd_exec_t,s0)
++/usr/sbin/nsd-checkzone		--	gen_context(system_u:object_r:nsd_exec_t,s0)
++/usr/sbin/nsd-control		--	gen_context(system_u:object_r:nsd_exec_t,s0)
++/usr/sbin/nsd-control-setup		--	gen_context(system_u:object_r:nsd_exec_t,s0)
  
 +/var/lib/nsd(/.*)?		gen_context(system_u:object_r:nsd_zone_t,s0)
  /var/run/nsd\.pid	--	gen_context(system_u:object_r:nsd_var_run_t,s0)
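Review bot: The four added entries give `nsd-checkconf`, `nsd-checkzone`, `nsd-control` and `nsd-control-setup` the same `nsd_exec_t` label as the daemon, so every domain that transitions on that type will run these admin tools in the daemon's domain. nsd.te also declares `domain_entry_file(nsd_crond_t, nsd_exec_t)`, so the effect on existing callers should be confirmed. If `nsd-control-setup` writes key material under /etc/nsd, as its name suggests, `nsd_t` would need write access to `nsd_conf_t`, which nothing in this commit shows. A separate exec type for the control helpers would keep the daemon domain narrower. If the shared label is intended, a comment such as `# control/check helpers intentionally run in nsd_t` above the group would record that.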
@@ -59573,7 +59609,7 @@ index a9c60ff..ad4f14a 100644
 +	refpolicywarn(`$0($*) has been deprecated.')
  ')
 diff --git a/nsd.te b/nsd.te
-index 47bb1d2..a97c60f 100644
+index 47bb1d2..3316c17 100644
 --- a/nsd.te
 +++ b/nsd.te
 @@ -9,9 +9,7 @@ type nsd_t;
@@ -59587,7 +59623,7 @@ index 47bb1d2..a97c60f 100644
  type nsd_conf_t;
  files_type(nsd_conf_t)
  
-@@ -20,32 +18,28 @@ domain_type(nsd_crond_t)
+@@ -20,32 +18,31 @@ domain_type(nsd_crond_t)
  domain_entry_file(nsd_crond_t, nsd_exec_t)
  role system_r types nsd_crond_t;
  
@@ -59602,13 +59638,17 @@ index 47bb1d2..a97c60f 100644
 +type nsd_zone_t alias nsd_db_t;
  files_type(nsd_zone_t)
  
++type nsd_tmp_t;
++files_tmp_file(nsd_tmp_t)
++
  ########################################
  #
 -# Local policy
 +# NSD Local policy
  #
  
- allow nsd_t self:capability { chown dac_override kill setgid setuid };
+-allow nsd_t self:capability { chown dac_override kill setgid setuid };
++allow nsd_t self:capability { chown dac_override kill setgid setuid net_admin };
  dontaudit nsd_t self:capability sys_tty_config;
  allow nsd_t self:process signal_perms;
 +allow nsd_t self:tcp_socket create_stream_socket_perms;
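Review bot: `net_admin` is added to the `nsd_t` capability set without a comment naming the operation that needs it, and it is one of the broadest capabilities (interface, routing and firewall configuration). The changelog cites BZ (1293146), but the denial itself is not shown. If it comes from a privileged socket-option call such as forcing buffer sizes, a common source of this AVC, then `dontaudit nsd_t self:capability net_admin;` would silence it without granting the capability. If the grant stays, add `# net_admin: <operation that needs it>, BZ(1293146)` above the allow rule.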
@@ -59627,7 +59667,18 @@ index 47bb1d2..a97c60f 100644
  
  manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t)
  files_pid_filetrans(nsd_t, nsd_var_run_t, file)
-@@ -62,7 +56,6 @@ kernel_read_kernel_sysctls(nsd_t)
+@@ -55,6 +52,10 @@ manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
+ manage_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
+ files_var_lib_filetrans(nsd_t, nsd_zone_t, dir)
+ 
++manage_dirs_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t)
++manage_files_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t)
++files_tmp_filetrans(nsd_t, nsd_tmp_t, { file dir })
++
+ can_exec(nsd_t, nsd_exec_t)
+ 
+ kernel_read_system_state(nsd_t)
+@@ -62,7 +63,6 @@ kernel_read_kernel_sysctls(nsd_t)
  
  corecmd_exec_bin(nsd_t)
  
@@ -59635,7 +59686,7 @@ index 47bb1d2..a97c60f 100644
  corenet_all_recvfrom_netlabel(nsd_t)
  corenet_tcp_sendrecv_generic_if(nsd_t)
  corenet_udp_sendrecv_generic_if(nsd_t)
-@@ -72,16 +65,17 @@ corenet_tcp_sendrecv_all_ports(nsd_t)
+@@ -72,16 +72,17 @@ corenet_tcp_sendrecv_all_ports(nsd_t)
  corenet_udp_sendrecv_all_ports(nsd_t)
  corenet_tcp_bind_generic_node(nsd_t)
  corenet_udp_bind_generic_node(nsd_t)
@@ -59655,7 +59706,7 @@ index 47bb1d2..a97c60f 100644
  
  fs_getattr_all_fs(nsd_t)
  fs_search_auto_mountpoints(nsd_t)
-@@ -90,8 +84,6 @@ auth_use_nsswitch(nsd_t)
+@@ -90,8 +91,6 @@ auth_use_nsswitch(nsd_t)
  
  logging_send_syslog_msg(nsd_t)
  
@@ -59664,7 +59715,7 @@ index 47bb1d2..a97c60f 100644
  userdom_dontaudit_use_unpriv_user_fds(nsd_t)
  userdom_dontaudit_search_user_home_dirs(nsd_t)
  
-@@ -105,23 +97,24 @@ optional_policy(`
+@@ -105,23 +104,24 @@ optional_policy(`
  
  ########################################
  #
@@ -59697,7 +59748,7 @@ index 47bb1d2..a97c60f 100644
  
  manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t)
  filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
-@@ -133,27 +126,27 @@ kernel_read_system_state(nsd_crond_t)
+@@ -133,27 +133,27 @@ kernel_read_system_state(nsd_crond_t)
  corecmd_exec_bin(nsd_crond_t)
  corecmd_exec_shell(nsd_crond_t)
  
@@ -65138,7 +65189,7 @@ index 9b15730..cb00f20 100644
 +	')
  ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 44dbc99..a17af8b 100644
+index 44dbc99..fce33b0 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
 @@ -9,11 +9,8 @@ type openvswitch_t;
@@ -65204,7 +65255,7 @@ index 44dbc99..a17af8b 100644
  manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
  logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
  
-@@ -65,33 +69,47 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
+@@ -65,33 +69,48 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
  manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
  files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
  
@@ -65240,9 +65291,10 @@ index 44dbc99..a17af8b 100644
  
  fs_getattr_all_fs(openvswitch_t)
  fs_search_cgroup_dirs(openvswitch_t)
- 
-+auth_use_nsswitch(openvswitch_t)
++fs_rw_hugetlbfs_files(openvswitch_t)
 +
++auth_use_nsswitch(openvswitch_t)
+ 
  logging_send_syslog_msg(openvswitch_t)
  
 -miscfiles_read_localization(openvswitch_t)
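Review bot: `fs_rw_hugetlbfs_files(openvswitch_t)` is granted unconditionally and without a comment, and the spec changelog shows the same rule being added, reverted and added again with no bug reference. hugetlbfs access is presumably only needed when Open vSwitch runs with a hugepage-backed datapath, so a comment such as `# hugepage-backed datapath needs rw on hugetlbfs files` would record the reason. Wrapping the call in a tunable would limit it to hosts that use that setup. The blank-line shuffle around `auth_use_nsswitch` in the same hunk is harmless.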
@@ -92007,7 +92059,7 @@ index 50d07fb..e9569d2 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 2b7c441..0232e85 100644
+index 2b7c441..ca83568 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@@ -92835,7 +92887,7 @@ index 2b7c441..0232e85 100644
  
  samba_read_config(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -627,16 +716,13 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,39 +716,38 @@ domain_use_interactive_fds(smbcontrol_t)
  
  dev_read_urand(smbcontrol_t)
  
@@ -92854,7 +92906,8 @@ index 2b7c441..0232e85 100644
  
  optional_policy(`
  	ctdbd_stream_connect(smbcontrol_t)
-@@ -644,22 +730,23 @@ optional_policy(`
++	ctdbd_sigchld(smbcontrol_t)
+ ')
  
  ########################################
  #
@@ -92886,7 +92939,7 @@ index 2b7c441..0232e85 100644
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
  
-@@ -668,26 +755,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +756,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
  
@@ -92922,7 +92975,7 @@ index 2b7c441..0232e85 100644
  
  fs_getattr_cifs(smbmount_t)
  fs_mount_cifs(smbmount_t)
-@@ -699,58 +782,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +783,77 @@ fs_read_cifs_files(smbmount_t)
  storage_raw_read_fixed_disk(smbmount_t)
  storage_raw_write_fixed_disk(smbmount_t)
  
@@ -93014,7 +93067,7 @@ index 2b7c441..0232e85 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +861,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +862,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
  manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
  files_pid_filetrans(swat_t, swat_var_run_t, file)
  
@@ -93038,7 +93091,7 @@ index 2b7c441..0232e85 100644
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -777,36 +875,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +876,25 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -93081,7 +93134,7 @@ index 2b7c441..0232e85 100644
  
  auth_domtrans_chk_passwd(swat_t)
  auth_use_nsswitch(swat_t)
-@@ -818,10 +905,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +906,11 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -93095,7 +93148,7 @@ index 2b7c441..0232e85 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -840,17 +928,20 @@ optional_policy(`
+@@ -840,17 +929,20 @@ optional_policy(`
  # Winbind local policy
  #
  
@@ -93121,7 +93174,7 @@ index 2b7c441..0232e85 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +951,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +952,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
  filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
  
  manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -93132,7 +93185,7 @@ index 2b7c441..0232e85 100644
  manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
  
  manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,38 +962,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,38 +963,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
  
  rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  
@@ -93186,7 +93239,7 @@ index 2b7c441..0232e85 100644
  corenet_tcp_connect_smbd_port(winbind_t)
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,38 +1005,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,38 +1006,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
  dev_read_sysfs(winbind_t)
  dev_read_urand(winbind_t)
  
@@ -93245,7 +93298,7 @@ index 2b7c441..0232e85 100644
  ')
  
  optional_policy(`
-@@ -959,31 +1066,36 @@ optional_policy(`
+@@ -959,31 +1067,36 @@ optional_policy(`
  # Winbind helper local policy
  #
  
@@ -93289,7 +93342,7 @@ index 2b7c441..0232e85 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -997,25 +1109,38 @@ optional_policy(`
+@@ -997,25 +1110,38 @@ optional_policy(`
  
  ########################################
  #
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 57fbaa3..6b7292c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 165%{?dist}
+Release: 166%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -664,6 +664,25 @@ exit 0
 %endif
 
 %changelog
+* Wed Jan 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-166
+- Allow logrotate to systemctl rsyslog service. BZ(1284173)
+- Allow condor_master_t domain capability chown. BZ(1297048)
+- Allow chronyd to be dbus bus client. BZ(1297129)
+- Allow openvswitch read/write hugetlb filesystem.
+- Revert "Allow openvswitch read/write hugetlb filesystem."
+- Allow smbcontrol domain to send sigchld to ctdbd domain.
+- Allow openvswitch read/write hugetlb filesystem.
+- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
+- Label /var/log/ipareplica-conncheck.log file as ipa_log_t Allow ipa_helper_t domain to manage logs labeledas ipa_log_t Allow ipa_helper_t to connect on http and kerberos_passwd ports. BZ(1289930)
+- Allow keepalived to connect to 3306/tcp port - mysqld_port_t.
+- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
+- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
+- Merge pull request #86 from rhatdan/rawhide-contrib
+- Label some new nsd binaries as nsd_exec_t Allow nsd domain net_admin cap. Create label nsd_tmp_t for nsd tmp files/dirs BZ (1293146)
+- Added interface logging_systemctl_syslogd
+- Label rsyslog unit file
+- Added policy for systemd-coredump service. Added domain transition from kernel_t to systemd_coredump_t. Allow syslogd_t domain to read/write tmpfs systemd-coredump files. Make new domain uconfined for now.
+
 * Wed Jan 06 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-165
 - Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
 - Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."