diff --git a/container-selinux.tgz b/container-selinux.tgz
index f1a0fe3..4927c34 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index b1dd7bd..0b8dd19 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -3854,6 +3854,13 @@ index 759016583..1b9a61d18 100644
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_mounton_fusefs(seunshare_domain)
')
+diff --git a/policy/modules/contrib b/policy/modules/contrib
+index 298b88741..b35f071ea 160000
+--- a/policy/modules/contrib
++++ b/policy/modules/contrib
+@@ -1 +1 @@
+-Subproject commit 298b887411b663a7da40a7a465915a7352bac80d
++Subproject commit b35f071eace9e06117f78cdda3dd6692388dff6f
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 33e0f8dad..6fd767031 100644
--- a/policy/modules/kernel/corecommands.fc
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index de01743..72de4e2 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -31970,294 +31970,6 @@ index e5b15fb7e..220622e84 100644
allow games_t self:process execmem;
')
-diff --git a/ganesha.fc b/ganesha.fc
-new file mode 100644
-index 000000000..c723bfb97
---- /dev/null
-+++ b/ganesha.fc
-@@ -0,0 +1,12 @@
-+/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:ganesha_exec_t,s0)
-+
-+/usr/lib/systemd/system/nfs-ganesha-config.* -- gen_context(system_u:object_r:ganesha_unit_file_t,s0)
-+
-+/usr/lib/systemd/system/nfs-ganesha-lock.* -- gen_context(system_u:object_r:ganesha_unit_file_t,s0)
-+
-+/usr/lib/systemd/system/nfs-ganesha.*e -- gen_context(system_u:object_r:ganesha_unit_file_t,s0)
-+
-+/var/log/ganesha.log.* -- gen_context(system_u:object_r:ganesha_var_log_t,s0)
-+/var/log/ganesha-gfapi.log.* -- gen_context(system_u:object_r:ganesha_var_log_t,s0)
-+
-+/var/run/ganesha(/.*)? gen_context(system_u:object_r:ganesha_var_run_t,s0)
-diff --git a/ganesha.if b/ganesha.if
-new file mode 100644
-index 000000000..d9ba5fa27
---- /dev/null
-+++ b/ganesha.if
-@@ -0,0 +1,147 @@
-+
-+## <summary>policy for ganesha</summary>
-+
-+########################################
-+## <summary>
-+## Execute ganesha_exec_t in the ganesha domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`ganesha_domtrans',`
-+ gen_require(`
-+ type ganesha_t, ganesha_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, ganesha_exec_t, ganesha_t)
-+')
-+
-+######################################
-+## <summary>
-+## Execute ganesha in the caller domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`ganesha_exec',`
-+ gen_require(`
-+ type ganesha_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ can_exec($1, ganesha_exec_t)
-+')
-+########################################
-+## <summary>
-+## Read ganesha PID files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`ganesha_read_pid_files',`
-+ gen_require(`
-+ type ganesha_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, ganesha_var_run_t, ganesha_var_run_t)
-+')
-+
-+########################################
-+## <summary>
-+## Execute ganesha server in the ganesha domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`ganesha_systemctl',`
-+ gen_require(`
-+ type ganesha_t;
-+ type ganesha_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 ganesha_unit_file_t:file read_file_perms;
-+ allow $1 ganesha_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, ganesha_t)
-+')
-+
-+
-+########################################
-+## <summary>
-+## Send and receive messages from
-+## ganesha over dbus.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`ganesha_dbus_chat',`
-+ gen_require(`
-+ type ganesha_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 ganesha_t:dbus send_msg;
-+ allow ganesha_t $1:dbus send_msg;
-+')
-+
-+########################################
-+## <summary>
-+## All of the rules required to administrate
-+## an ganesha environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`ganesha_admin',`
-+ gen_require(`
-+ type ganesha_t;
-+ type ganesha_var_run_t;
-+ type ganesha_unit_file_t;
-+ ')
-+
-+ allow $1 ganesha_t:process { signal_perms };
-+ ps_process_pattern($1, ganesha_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 ganesha_t:process ptrace;
-+ ')
-+
-+ files_search_pids($1)
-+ admin_pattern($1, ganesha_var_run_t)
-+
-+ ganesha_systemctl($1)
-+ admin_pattern($1, ganesha_unit_file_t)
-+ allow $1 ganesha_unit_file_t:service all_service_perms;
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/ganesha.te b/ganesha.te
-new file mode 100644
-index 000000000..f25a3f34d
---- /dev/null
-+++ b/ganesha.te
-@@ -0,0 +1,111 @@
-+policy_module(ganesha, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+## <desc>
-+## <p>
-+## Allow ganesha to read/write fuse files
-+## </p>
-+## </desc>
-+gen_tunable(ganesha_use_fusefs, false)
-+
-+type ganesha_t;
-+type ganesha_exec_t;
-+init_daemon_domain(ganesha_t, ganesha_exec_t)
-+
-+type ganesha_var_log_t;
-+logging_log_file(ganesha_var_log_t)
-+
-+type ganesha_var_run_t;
-+files_pid_file(ganesha_var_run_t)
-+
-+type ganesha_tmp_t;
-+files_tmp_file(ganesha_tmp_t)
-+
-+type ganesha_unit_file_t;
-+systemd_unit_file(ganesha_unit_file_t)
-+
-+########################################
-+#
-+# ganesha local policy
-+#
-+dontaudit ganesha_t self:capability net_admin;
-+
-+allow ganesha_t self:capability { dac_read_search dac_override };
-+allow ganesha_t self:capability2 block_suspend;
-+allow ganesha_t self:process { setcap setrlimit };
-+allow ganesha_t self:fifo_file rw_fifo_file_perms;
-+allow ganesha_t self:unix_stream_socket create_stream_socket_perms;
-+allow ganesha_t self:tcp_socket { accept listen };
-+
-+manage_dirs_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
-+manage_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
-+manage_lnk_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
-+files_pid_filetrans(ganesha_t, ganesha_var_run_t, { dir file lnk_file })
-+
-+manage_dirs_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t)
-+manage_files_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t)
-+logging_log_filetrans(ganesha_t, ganesha_var_log_t, { file dir })
-+
-+manage_dirs_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t)
-+manage_files_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t)
-+files_tmp_filetrans(ganesha_t, ganesha_tmp_t, { file dir })
-+
-+kernel_read_system_state(ganesha_t)
-+kernel_search_network_sysctl(ganesha_t)
-+kernel_read_net_sysctls(ganesha_t)
-+
-+auth_use_nsswitch(ganesha_t)
-+
-+corenet_tcp_bind_nfs_port(ganesha_t)
-+corenet_tcp_connect_generic_port(ganesha_t)
-+corenet_tcp_connect_gluster_port(ganesha_t)
-+corenet_udp_bind_dey_keyneg_port(ganesha_t)
-+corenet_tcp_bind_dey_keyneg_port(ganesha_t)
-+corenet_udp_bind_nfs_port(ganesha_t)
-+corenet_udp_bind_all_rpc_ports(ganesha_t)
-+corenet_tcp_bind_all_rpc_ports(ganesha_t)
-+corenet_tcp_bind_mountd_port(ganesha_t)
-+corenet_udp_bind_mountd_port(ganesha_t)
-+corenet_tcp_connect_virt_migration_port(ganesha_t)
-+corenet_tcp_connect_all_rpc_ports(ganesha_t)
-+
-+dev_rw_infiniband_dev(ganesha_t)
-+dev_read_gpfs(ganesha_t)
-+dev_read_rand(ganesha_t)
-+
-+logging_send_syslog_msg(ganesha_t)
-+
-+sysnet_dns_name_resolve(ganesha_t)
-+
-+optional_policy(`
-+ dbus_system_bus_client(ganesha_t)
-+ dbus_connect_system_bus(ganesha_t)
-+ unconfined_dbus_chat(ganesha_t)
-+')
-+
-+optional_policy(`
-+ glusterd_read_conf(ganesha_t)
-+ glusterd_read_lib_files(ganesha_t)
-+ glusterd_manage_pid(ganesha_t)
-+')
-+
-+optional_policy(`
-+ kerberos_read_keytab(ganesha_t)
-+')
-+
-+optional_policy(`
-+ rpc_manage_nfs_state_data_dir(ganesha_t)
-+ rpc_read_nfs_state_data(ganesha_t)
-+ rpcbind_stream_connect(ganesha_t)
-+')
-+
-+tunable_policy(`ganesha_use_fusefs',`
-+ fs_manage_fusefs_dirs(ganesha_t)
-+ fs_manage_fusefs_files(ganesha_t)
-+ fs_read_fusefs_symlinks(ganesha_t)
-+ fs_getattr_fusefs(ganesha_t)
-+')
diff --git a/gatekeeper.te b/gatekeeper.te
index 28203689c..88c98f481 100644
--- a/gatekeeper.te
@@ -33565,10 +33277,10 @@ index 5cd09096a..bd3c3d21b 100644
+corenet_tcp_connect_glance_registry_port(glance_scrubber_t)
diff --git a/glusterd.fc b/glusterd.fc
new file mode 100644
-index 000000000..9806f50ae
+index 000000000..e42e81f5f
--- /dev/null
+++ b/glusterd.fc
-@@ -0,0 +1,25 @@
+@@ -0,0 +1,30 @@
+/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+
+/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
@@ -33594,12 +33306,17 @@ index 000000000..9806f50ae
+/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0)
++
++/var/log/ganesha(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
++/var/log/ganesha.log -- gen_context(system_u:object_r:glusterd_log_t,s0)
++/var/log/ganesha-gfapi.log -- gen_context(system_u:object_r:glusterd_log_t,s0)
++
diff --git a/glusterd.if b/glusterd.if
new file mode 100644
-index 000000000..450146018
+index 000000000..291191f17
--- /dev/null
+++ b/glusterd.if
-@@ -0,0 +1,302 @@
+@@ -0,0 +1,301 @@
+
+## <summary>policy for glusterd</summary>
+
@@ -33901,13 +33618,12 @@ index 000000000..450146018
+ admin_pattern($1, glusterd_conf_t)
+
+')
-+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 000000000..7eeb7b0c0
+index 000000000..ffa5ab9b3
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,331 @@
+@@ -0,0 +1,328 @@
+policy_module(glusterd, 1.1.3)
+
+## <desc>
@@ -33974,6 +33690,8 @@ index 000000000..7eeb7b0c0
+type glusterd_brick_t;
+files_type(glusterd_brick_t)
+
++typealias glusterd_log_t alias ganesha_var_log_t;
++
+########################################
+#
+# Local policy
@@ -34177,11 +33895,6 @@ index 000000000..7eeb7b0c0
+')
+
+optional_policy(`
-+ ganesha_systemctl(glusterd_t)
-+ ganesha_dbus_chat(glusterd_t)
-+')
-+
-+optional_policy(`
+ hostname_exec(glusterd_t)
+')
+
@@ -34221,8 +33934,8 @@ index 000000000..7eeb7b0c0
+optional_policy(`
+ rpc_systemctl_nfsd(glusterd_t)
+ rpc_systemctl_rpcd(glusterd_t)
-+
+ rpc_domtrans_nfsd(glusterd_t)
++ rpc_dbus_chat_nfsd(glusterd_t)
+ rpc_domtrans_rpcd(glusterd_t)
+ rpc_manage_nfs_state_data(glusterd_t)
+ rpc_manage_nfs_state_data_dir(glusterd_t)
@@ -90565,7 +90278,7 @@ index c8bdea28d..96da15f8a 100644
+ logging_log_named_filetrans($1, var_log_t, dir, "bundles")
')
diff --git a/rhcs.te b/rhcs.te
-index 6cf79c449..5c0bfd05d 100644
+index 6cf79c449..63c113978 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -90804,7 +90517,7 @@ index 6cf79c449..5c0bfd05d 100644
+')
+
+optional_policy(`
-+ ganesha_dbus_chat(cluster_t)
++ rpc_dbus_chat_nfsd(cluster_t)
+')
+
+optional_policy(`
@@ -93361,11 +93074,18 @@ index ccb5991ed..fa10c5a2d 100644
optional_policy(`
diff --git a/rpc.fc b/rpc.fc
-index a6fb30cb3..97ef313df 100644
+index a6fb30cb3..e11f3a0f3 100644
--- a/rpc.fc
+++ b/rpc.fc
-@@ -1,12 +1,25 @@
+@@ -1,12 +1,31 @@
-/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
+
+-/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+
+-/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+-/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+#
+# /etc
+#
@@ -93374,16 +93094,15 @@ index a6fb30cb3..97ef313df 100644
+/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
--/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
--/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
--/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+/usr/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
+/usr/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0)
-
--/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
--/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
++
++/usr/lib/systemd/system/nfs-ganesha-config.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
++/usr/lib/systemd/system/nfs-ganesha-lock.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
++/usr/lib/systemd/system/nfs-ganesha.*e -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
++
+/usr/lib/systemd/system-generators/nfs.* -- gen_context(system_u:object_r:nfsd_exec_t,s0)
-
++
+#
+# /sbin
+#
@@ -93396,24 +93115,27 @@ index a6fb30cb3..97ef313df 100644
/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
-@@ -16,7 +29,13 @@
+@@ -16,7 +35,16 @@
/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
/usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
-/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0)
++/usr/bin/ganesha\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
++
+#
+# /var
+#
+/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0)
+/var/run/sm-notify.* gen_context(system_u:object_r:rpcd_var_run_t,s0)
++/var/run/ganesha.* gen_context(system_u:object_r:rpcd_var_run_t,s0)
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
-/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+/var/run/rpc\.statd\.lock -- gen_context(system_u:object_r:rpcd_lock_t,s0)
+
diff --git a/rpc.if b/rpc.if
-index 0bf13c220..79a2a9c48 100644
+index 0bf13c220..2ee527f2a 100644
--- a/rpc.if
+++ b/rpc.if
@@ -1,4 +1,4 @@
@@ -93750,11 +93472,10 @@ index 0bf13c220..79a2a9c48 100644
+
+ files_search_var_lib($1)
+ allow $1 var_lib_nfs_t:dir list_dir_perms;
- ')
-
- ########################################
- ## <summary>
--## Read nfs lib files.
++')
++
++########################################
++## <summary>
+## Manage NFS state data in /var/lib/nfs.
+## </summary>
+## <param name="domain">
@@ -93770,10 +93491,11 @@ index 0bf13c220..79a2a9c48 100644
+
+ files_search_var_lib($1)
+ allow $1 var_lib_nfs_t:dir manage_dir_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Read nfs lib files.
+## Read NFS state data in /var/lib/nfs.
## </summary>
## <param name="domain">
@@ -93868,7 +93590,7 @@ index 0bf13c220..79a2a9c48 100644
')
allow $1 rpc_domain:process { ptrace signal_perms };
-@@ -411,10 +505,28 @@ interface(`rpc_admin',`
+@@ -411,10 +505,49 @@ interface(`rpc_admin',`
admin_pattern($1, rpcd_var_run_t)
files_list_all($1)
@@ -93898,8 +93620,29 @@ index 0bf13c220..79a2a9c48 100644
+
+ allow $1 gssd_t:process { noatsecure rlimitinh };
+')
++
++########################################
++## <summary>
++## Send and receive messages from
++## ganesha over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rpc_dbus_chat_nfsd',`
++ gen_require(`
++ type nfsd_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 nfsd_t:dbus send_msg;
++ allow nfsd_t $1:dbus send_msg;
++')
diff --git a/rpc.te b/rpc.te
-index 2da9fca2f..c8afd1e50 100644
+index 2da9fca2f..f06eb2732 100644
--- a/rpc.te
+++ b/rpc.te
@@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
@@ -93942,7 +93685,7 @@ index 2da9fca2f..c8afd1e50 100644
attribute rpc_domain;
-@@ -39,21 +44,26 @@ files_tmp_file(gssd_tmp_t)
+@@ -39,25 +44,36 @@ files_tmp_file(gssd_tmp_t)
type rpcd_var_run_t;
files_pid_file(rpcd_var_run_t)
@@ -93974,7 +93717,17 @@ index 2da9fca2f..c8afd1e50 100644
type var_lib_nfs_t;
files_mountpoint(var_lib_nfs_t)
-@@ -71,7 +81,6 @@ allow rpc_domain self:tcp_socket { accept listen };
+
++type nfsd_tmp_t;
++files_tmp_file(nfsd_tmp_t)
++
++typealias nfsd_exec_t alias ganesha_exec_t;
++typealias nfsd_unit_file_t alias ganesha_unit_file_t;
++
+ ########################################
+ #
+ # Common rpc domain local policy
+@@ -71,7 +87,6 @@ allow rpc_domain self:tcp_socket { accept listen };
manage_dirs_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
manage_files_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
@@ -93982,7 +93735,7 @@ index 2da9fca2f..c8afd1e50 100644
kernel_read_kernel_sysctls(rpc_domain)
kernel_rw_rpc_sysctls(rpc_domain)
-@@ -79,8 +88,6 @@ dev_read_sysfs(rpc_domain)
+@@ -79,8 +94,6 @@ dev_read_sysfs(rpc_domain)
dev_read_urand(rpc_domain)
dev_read_rand(rpc_domain)
@@ -93991,7 +93744,7 @@ index 2da9fca2f..c8afd1e50 100644
corenet_tcp_sendrecv_generic_if(rpc_domain)
corenet_udp_sendrecv_generic_if(rpc_domain)
corenet_tcp_sendrecv_generic_node(rpc_domain)
-@@ -108,41 +115,48 @@ files_read_etc_runtime_files(rpc_domain)
+@@ -108,41 +121,48 @@ files_read_etc_runtime_files(rpc_domain)
files_read_usr_files(rpc_domain)
files_list_home(rpc_domain)
@@ -94049,7 +93802,7 @@ index 2da9fca2f..c8afd1e50 100644
kernel_read_sysctl(rpcd_t)
kernel_rw_fs_sysctls(rpcd_t)
kernel_dontaudit_getattr_core_if(rpcd_t)
-@@ -163,13 +177,21 @@ fs_getattr_all_fs(rpcd_t)
+@@ -163,13 +183,21 @@ fs_getattr_all_fs(rpcd_t)
storage_getattr_fixed_disk_dev(rpcd_t)
@@ -94073,7 +93826,7 @@ index 2da9fca2f..c8afd1e50 100644
ifdef(`distro_debian',`
term_dontaudit_use_unallocated_ttys(rpcd_t)
-@@ -181,19 +203,27 @@ optional_policy(`
+@@ -181,19 +209,27 @@ optional_policy(`
')
optional_policy(`
@@ -94104,17 +93857,26 @@ index 2da9fca2f..c8afd1e50 100644
')
########################################
-@@ -201,42 +231,66 @@ optional_policy(`
+@@ -201,42 +237,75 @@ optional_policy(`
# NFSD local policy
#
-allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
-+allow nfsd_t self:capability { dac_read_search sys_admin sys_resource };
++allow nfsd_t self:capability { dac_read_search dac_override sys_admin sys_resource };
+dontaudit nfsd_t self:capability sys_rawio;
++
++allow nfsd_t self:process { setcap };
allow nfsd_t exports_t:file read_file_perms;
-allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
++manage_dirs_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t)
++manage_files_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t)
++files_tmp_filetrans(nfsd_t, nfsd_tmp_t, { file dir })
++
++manage_files_pattern(nfsd_t, rpcd_var_run_t, rpcd_var_run_t)
++files_pid_filetrans(nfsd_t, rpcd_var_run_t, { file })
++
+# for /proc/fs/nfs/exports - should we have a new type?
+kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)
@@ -94126,10 +93888,10 @@ index 2da9fca2f..c8afd1e50 100644
+kernel_mounton_proc(nfsd_t)
+kernel_rw_rpc_sysctls_dirs(nfsd_t)
+kernel_create_rpc_sysctls(nfsd_t)
++
++corecmd_exec_shell(nfsd_t)
-corenet_sendrecv_nfs_server_packets(nfsd_t)
-+corecmd_exec_shell(nfsd_t)
-+
+corenet_tcp_bind_all_rpc_ports(nfsd_t)
+corenet_udp_bind_all_rpc_ports(nfsd_t)
corenet_tcp_bind_nfs_port(nfsd_t)
@@ -94182,7 +93944,7 @@ index 2da9fca2f..c8afd1e50 100644
miscfiles_manage_public_files(nfsd_t)
')
-@@ -245,7 +299,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -245,7 +314,6 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
@@ -94190,13 +93952,22 @@ index 2da9fca2f..c8afd1e50 100644
')
tunable_policy(`nfs_export_all_ro',`
-@@ -257,12 +310,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -257,12 +325,21 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
- files_list_non_auth_dirs(nfsd_t)
- files_read_non_auth_files(nfsd_t)
+ files_read_non_security_files(nfsd_t)
++')
++
++optional_policy(`
++ glusterd_manage_log(nfsd_t)
++ glusterd_manage_pid(nfsd_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(nfsd_t)
')
optional_policy(`
@@ -94205,7 +93976,7 @@ index 2da9fca2f..c8afd1e50 100644
')
########################################
-@@ -270,7 +323,7 @@ optional_policy(`
+@@ -270,7 +347,7 @@ optional_policy(`
# GSSD local policy
#
@@ -94214,7 +93985,7 @@ index 2da9fca2f..c8afd1e50 100644
allow gssd_t self:process { getsched setsched };
allow gssd_t self:fifo_file rw_fifo_file_perms;
-@@ -280,6 +333,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -280,6 +357,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@@ -94222,7 +93993,7 @@ index 2da9fca2f..c8afd1e50 100644
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_request_load_module(gssd_t)
-@@ -288,25 +342,31 @@ kernel_signal(gssd_t)
+@@ -288,25 +366,31 @@ kernel_signal(gssd_t)
corecmd_exec_bin(gssd_t)
@@ -94257,7 +94028,7 @@ index 2da9fca2f..c8afd1e50 100644
')
optional_policy(`
-@@ -314,9 +374,12 @@ optional_policy(`
+@@ -314,9 +398,12 @@ optional_policy(`
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b26ba55..0fbaeed 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 304%{?dist}
+Release: 305%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -717,6 +717,9 @@ exit 0
%endif
%changelog
+* Fri Nov 24 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-305
+- Make ganesha nfs server
+
* Tue Nov 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-304
- Add interface raid_relabel_mdadm_var_run_content()
- Fix iscsi SELinux module