diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 18e996e..88466e4 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5410,7 +5410,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..136b78e 100644
+index b191055..11bfc30 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5515,11 +5515,12 @@ index b191055..136b78e 100644
network_port(commplex_main, tcp,5000,s0, udp,5000,s0)
network_port(comsat, udp,512,s0)
network_port(condor, tcp,9618,s0, udp,9618,s0)
-+network_port(conman, tcp,7890,s0, udp,7890,s0)
-+network_port(connlcli, tcp,1358,s0, udp,1358,s0)
- network_port(couchdb, tcp,5984,s0, udp,5984,s0)
+-network_port(couchdb, tcp,5984,s0, udp,5984,s0)
-network_port(cslistener, tcp,9000,s0, udp,9000,s0)
-network_port(ctdb, tcp,4379,s0, udp,4397,s0)
++network_port(conman, tcp,7890,s0, udp,7890,s0)
++network_port(connlcli, tcp,1358,s0, udp,1358,s0)
++network_port(couchdb, tcp,5984,s0, udp,5984,s0, tcp,6984,s0, udp,6984,s0)
+network_port(ctdb, tcp,4379,s0, udp,4379,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
@@ -13159,7 +13160,7 @@ index f962f76..ae94e80 100644
+ allow $1 etc_t:service status;
+')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 1a03abd..dfcd2ad 100644
+index 1a03abd..32a40f8 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -5,12 +5,16 @@ policy_module(files, 1.18.1)
@@ -13179,7 +13180,7 @@ index 1a03abd..dfcd2ad 100644
# For labeling types that are to be polyinstantiated
attribute polydir;
-@@ -48,47 +52,55 @@ attribute usercanread;
+@@ -48,47 +52,53 @@ attribute usercanread;
#
type boot_t;
files_mountpoint(boot_t)
@@ -13223,12 +13224,11 @@ index 1a03abd..dfcd2ad 100644
# generated during initialization.
#
-type etc_runtime_t;
-+type etc_runtime_t, configfile;
- files_type(etc_runtime_t)
- #Temporarily in policy until FC5 dissappears
- typealias etc_runtime_t alias firstboot_rw_t;
-
- #
+-files_type(etc_runtime_t)
+-#Temporarily in policy until FC5 dissappears
+-typealias etc_runtime_t alias firstboot_rw_t;
+-
+-#
-# file_t is the default type of a file that has not yet been
-# assigned an extended attribute (EA) value (when using a filesystem
-# that supports EAs).
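Review bot: Nothing in this hunk or the next restores the alias that the new `-typealias etc_runtime_t alias firstboot_rw_t;` line drops, and the re-declaration that follows (`type etc_runtime_t, configfile;` / `files_ro_base_file(etc_runtime_t)`) does not carry it either, so any file context or gen_require that still names firstboot_rw_t would fail at policy build or relabel time. If the alias is gone on purpose, say so in the commit message; otherwise keep `typealias etc_runtime_t alias firstboot_rw_t;` next to the new declaration. The move from `files_type(etc_runtime_t)` to `files_ro_base_file(etc_runtime_t)` presumably attaches a base read-only attribute to the type; a one-line comment above it stating why etc_runtime_t now needs that would help the next reader. The surrounding block of files.te continues on both sides of this hunk.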
@@ -13237,8 +13237,10 @@ index 1a03abd..dfcd2ad 100644
-files_mountpoint(file_t)
-kernel_rootfs_mountpoint(file_t)
-sid file gen_context(system_u:object_r:file_t,s0)
--
--#
++type etc_runtime_t, configfile;
++files_ro_base_file(etc_runtime_t)
+
+ #
# home_root_t is the type for the directory where user home directories
# are created
#
@@ -13247,7 +13249,7 @@ index 1a03abd..dfcd2ad 100644
files_mountpoint(home_root_t)
files_poly_parent(home_root_t)
-@@ -96,12 +108,13 @@ files_poly_parent(home_root_t)
+@@ -96,12 +106,13 @@ files_poly_parent(home_root_t)
# lost_found_t is the type for the lost+found directories.
#
type lost_found_t;
@@ -13262,7 +13264,7 @@ index 1a03abd..dfcd2ad 100644
files_mountpoint(mnt_t)
#
-@@ -123,6 +136,7 @@ files_type(readable_t)
+@@ -123,6 +134,7 @@ files_type(readable_t)
# root_t is the type for rootfs and the root directory.
#
type root_t;
@@ -13270,7 +13272,7 @@ index 1a03abd..dfcd2ad 100644
files_mountpoint(root_t)
files_poly_parent(root_t)
kernel_rootfs_mountpoint(root_t)
-@@ -133,45 +147,54 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
+@@ -133,45 +145,54 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
#
type src_t;
files_mountpoint(src_t)
@@ -13325,7 +13327,7 @@ index 1a03abd..dfcd2ad 100644
files_lock_file(var_lock_t)
files_mountpoint(var_lock_t)
-@@ -180,6 +203,7 @@ files_mountpoint(var_lock_t)
+@@ -180,6 +201,7 @@ files_mountpoint(var_lock_t)
# used for pid and other runtime files.
#
type var_run_t;
@@ -13333,7 +13335,7 @@ index 1a03abd..dfcd2ad 100644
files_pid_file(var_run_t)
files_mountpoint(var_run_t)
-@@ -187,7 +211,9 @@ files_mountpoint(var_run_t)
+@@ -187,7 +209,9 @@ files_mountpoint(var_run_t)
# var_spool_t is the type of /var/spool
#
type var_spool_t;
@@ -13343,7 +13345,7 @@ index 1a03abd..dfcd2ad 100644
########################################
#
-@@ -224,12 +250,13 @@ fs_associate_tmpfs(tmpfsfile)
+@@ -224,12 +248,13 @@ fs_associate_tmpfs(tmpfsfile)
#
# Create/access any file in a labeled filesystem;
@@ -24413,7 +24415,7 @@ index 6bf0ecc..bf98136 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..c52fbe6 100644
+index 8b40377..95dde04 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@@ -24621,7 +24623,7 @@ index 8b40377..c52fbe6 100644
userdom_user_tmpfs_file(xserver_tmpfs_t)
type xsession_exec_t;
-@@ -226,21 +288,33 @@ optional_policy(`
+@@ -226,21 +288,35 @@ optional_policy(`
#
allow iceauth_t iceauth_home_t:file manage_file_perms;
@@ -24642,6 +24644,10 @@ index 8b40377..c52fbe6 100644
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_files(iceauth_t)
-')
++xserver_filetrans_home_content(iceauth_t)
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_files(iceauth_t)
+ifdef(`hide_broken_symptoms',`
+ dev_dontaudit_read_urand(iceauth_t)
+ dev_dontaudit_rw_dri(iceauth_t)
@@ -24649,9 +24655,7 @@ index 8b40377..c52fbe6 100644
+ fs_dontaudit_list_inotifyfs(iceauth_t)
+ fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
+ term_dontaudit_use_unallocated_ttys(iceauth_t)
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_files(iceauth_t)
++
+ userdom_dontaudit_read_user_home_content_files(iceauth_t)
+ userdom_dontaudit_write_user_home_content_files(iceauth_t)
+ userdom_dontaudit_write_user_tmp_files(iceauth_t)
@@ -24662,7 +24666,7 @@ index 8b40377..c52fbe6 100644
')
########################################
-@@ -248,48 +322,89 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -248,48 +324,90 @@ tunable_policy(`use_samba_home_dirs',`
# Xauth local policy
#
@@ -24725,6 +24729,7 @@ index 8b40377..c52fbe6 100644
+userdom_use_inherited_user_terminals(xauth_t)
userdom_read_user_tmp_files(xauth_t)
+userdom_read_all_users_state(xauth_t)
++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority")
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-l")
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-c")
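Review bot: The new unnamed `userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)` labels every file xauth_t creates directly in a user home directory as xauth_home_t, so the three named `.Xauthority*` rules below it now only restate the same result and could be dropped. If the intent was instead to keep the relabel limited to the .Xauthority names, the catch-all line is the one to remove, since it widens which files end up carrying the xauth_home_t label. A short comment stating which of the two is intended would settle it for future readers; the xauth_t block continues outside the hunk.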
@@ -24763,7 +24768,7 @@ index 8b40377..c52fbe6 100644
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -300,64 +415,109 @@ optional_policy(`
+@@ -300,64 +418,109 @@ optional_policy(`
# XDM Local policy
#
@@ -24791,10 +24796,10 @@ index 8b40377..c52fbe6 100644
allow xdm_t self:appletalk_socket create_socket_perms;
allow xdm_t self:key { search link write };
+allow xdm_t self:dbus { send_msg acquire_svc };
-+
-+allow xdm_t xauth_home_t:file manage_file_perms;
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
++allow xdm_t xauth_home_t:file manage_file_perms;
++
+allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
@@ -24883,7 +24888,7 @@ index 8b40377..c52fbe6 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -366,20 +526,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -366,20 +529,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -24916,7 +24921,7 @@ index 8b40377..c52fbe6 100644
corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -389,38 +559,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -389,38 +562,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -24970,7 +24975,7 @@ index 8b40377..c52fbe6 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -431,9 +612,28 @@ files_list_mnt(xdm_t)
+@@ -431,9 +615,28 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -24999,7 +25004,7 @@ index 8b40377..c52fbe6 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,28 +642,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +645,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -25048,7 +25053,7 @@ index 8b40377..c52fbe6 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +689,149 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +692,149 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -25204,7 +25209,7 @@ index 8b40377..c52fbe6 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -503,11 +845,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -503,11 +848,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -25231,7 +25236,7 @@ index 8b40377..c52fbe6 100644
')
optional_policy(`
-@@ -517,9 +874,34 @@ optional_policy(`
+@@ -517,9 +877,34 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(xdm_t)
dbus_connect_system_bus(xdm_t)
@@ -25239,17 +25244,17 @@ index 8b40377..c52fbe6 100644
+ optional_policy(`
+ accountsd_dbus_chat(xdm_t)
+ ')
-+
-+ optional_policy(`
+
+ optional_policy(`
+- accountsd_dbus_chat(xdm_t)
+ bluetooth_dbus_chat(xdm_t)
+ ')
+
+ optional_policy(`
+ cpufreqselector_dbus_chat(xdm_t)
+ ')
-
- optional_policy(`
-- accountsd_dbus_chat(xdm_t)
++
++ optional_policy(`
+ devicekit_dbus_chat_disk(xdm_t)
+ devicekit_dbus_chat_power(xdm_t)
+ ')
@@ -25267,7 +25272,7 @@ index 8b40377..c52fbe6 100644
')
')
-@@ -530,6 +912,20 @@ optional_policy(`
+@@ -530,6 +915,20 @@ optional_policy(`
')
optional_policy(`
@@ -25288,7 +25293,7 @@ index 8b40377..c52fbe6 100644
hostname_exec(xdm_t)
')
-@@ -547,28 +943,78 @@ optional_policy(`
+@@ -547,28 +946,78 @@ optional_policy(`
')
optional_policy(`
@@ -25376,7 +25381,7 @@ index 8b40377..c52fbe6 100644
')
optional_policy(`
-@@ -580,6 +1026,14 @@ optional_policy(`
+@@ -580,6 +1029,14 @@ optional_policy(`
')
optional_policy(`
@@ -25391,7 +25396,7 @@ index 8b40377..c52fbe6 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,7 +1048,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1051,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -25400,7 +25405,7 @@ index 8b40377..c52fbe6 100644
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1058,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1061,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -25413,7 +25418,7 @@ index 8b40377..c52fbe6 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1075,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1078,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -25429,7 +25434,7 @@ index 8b40377..c52fbe6 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1091,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1094,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -25440,7 +25445,7 @@ index 8b40377..c52fbe6 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1106,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1109,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -25477,7 +25482,7 @@ index 8b40377..c52fbe6 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1152,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1155,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -25509,7 +25514,7 @@ index 8b40377..c52fbe6 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -705,6 +1185,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1188,14 @@ fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -25524,7 +25529,7 @@ index 8b40377..c52fbe6 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -718,20 +1206,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1209,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -25548,7 +25553,7 @@ index 8b40377..c52fbe6 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1225,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1228,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -25557,7 +25562,7 @@ index 8b40377..c52fbe6 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1269,44 @@ optional_policy(`
+@@ -785,17 +1272,44 @@ optional_policy(`
')
optional_policy(`
@@ -25604,7 +25609,7 @@ index 8b40377..c52fbe6 100644
')
optional_policy(`
-@@ -803,6 +1314,10 @@ optional_policy(`
+@@ -803,6 +1317,10 @@ optional_policy(`
')
optional_policy(`
@@ -25615,7 +25620,7 @@ index 8b40377..c52fbe6 100644
xfs_stream_connect(xserver_t)
')
-@@ -818,10 +1333,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,10 +1336,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -25629,7 +25634,7 @@ index 8b40377..c52fbe6 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -829,7 +1344,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -829,7 +1347,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -25638,7 +25643,7 @@ index 8b40377..c52fbe6 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -842,26 +1357,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1360,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -25673,7 +25678,7 @@ index 8b40377..c52fbe6 100644
')
optional_policy(`
-@@ -912,7 +1422,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1425,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -25682,7 +25687,7 @@ index 8b40377..c52fbe6 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -966,11 +1476,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1479,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -25714,7 +25719,7 @@ index 8b40377..c52fbe6 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -992,18 +1522,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1525,150 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -34949,7 +34954,7 @@ index a38605e..f035d9f 100644
+/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
+/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 4584457..fb1c881 100644
+index 4584457..c2ae1ea 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -16,6 +16,13 @@ interface(`mount_domtrans',`
@@ -34974,7 +34979,7 @@ index 4584457..fb1c881 100644
')
mount_domtrans($1)
-@@ -47,6 +55,92 @@ interface(`mount_run',`
+@@ -47,6 +55,110 @@ interface(`mount_run',`
########################################
##
@@ -35043,6 +35048,24 @@ index 4584457..fb1c881 100644
+ files_search_pids($1)
+')
+
++#######################################
++##
++## Do not audit attemps to write mount PID files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`mount_dontaudit_write_mount_pid',`
++ gen_require(`
++ type mount_var_run_t;
++ ')
++
++ dontaudit $1 mount_var_run_t:file write;
++')
++
+########################################
+##
+## Manage mount PID files.
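Review bot: `attemps` in the summary of the new `mount_dontaudit_write_mount_pid` interface should read `attempts`. The rule itself only silences `write` on mount_var_run_t files; if the calling domain is also expected to open the file for append or to lock it, those denials will still be audited, so either note in the summary that the scope is deliberately just `write` or widen the permission set to what is actually observed.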
@@ -35067,7 +35090,7 @@ index 4584457..fb1c881 100644
## Execute mount in the caller domain.
##
##
-@@ -91,7 +185,7 @@ interface(`mount_signal',`
+@@ -91,7 +203,7 @@ interface(`mount_signal',`
##
##
##
@@ -35076,7 +35099,7 @@ index 4584457..fb1c881 100644
##
##
#
-@@ -131,45 +225,184 @@ interface(`mount_send_nfs_client_request',`
+@@ -131,45 +243,184 @@ interface(`mount_send_nfs_client_request',`
########################################
##
@@ -35142,15 +35165,12 @@ index 4584457..fb1c881 100644
#
-interface(`mount_run_unconfined',`
+interface(`mount_exec_fusermount',`
- gen_require(`
-- type unconfined_mount_t;
++ gen_require(`
+ type fusermount_exec_t;
- ')
-
-- mount_domtrans_unconfined($1)
-- role $2 types unconfined_mount_t;
++ ')
++
+ can_exec($1, fusermount_exec_t)
- ')
++')
+
+########################################
+##
@@ -35163,12 +35183,15 @@ index 4584457..fb1c881 100644
+##
+#
+interface(`mount_dontaudit_exec_fusermount',`
-+ gen_require(`
+ gen_require(`
+- type unconfined_mount_t;
+ type fusermount_exec_t;
-+ ')
-+
+ ')
+
+- mount_domtrans_unconfined($1)
+- role $2 types unconfined_mount_t;
+ dontaudit $1 fusermount_exec_t:file exec_file_perms;
-+')
+ ')
+
+######################################
+##
@@ -39676,10 +39699,10 @@ index 0000000..8bca1d7
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..188a153
+index 0000000..ca13b14
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,677 @@
+@@ -0,0 +1,680 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -39776,6 +39799,9 @@ index 0000000..188a153
+mls_file_read_all_levels(systemd_logind_t)
+mls_file_write_all_levels(systemd_logind_t)
+
++fs_mount_tmpfs(systemd_logind_t)
++fs_unmount_tmpfs(systemd_logind_t)
++
+manage_dirs_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
+manage_files_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
+init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir, "linger")
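Review bot: `fs_mount_tmpfs(systemd_logind_t)` and `fs_unmount_tmpfs(systemd_logind_t)` let logind mount and unmount any tmpfs, a notable widening for a long-running system daemon, and the two lines carry no explanation. Presumably this is for the per-user runtime directories (this commit also labels `/var/run/user(/.*)?` in userdomain.fc), but that is an inference. Add a comment above them such as `# per-user runtime dirs under /run/user are tmpfs mounts` so the reason survives; the systemd_logind_t block continues on both sides of the hunk.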
@@ -39861,8 +39887,8 @@ index 0000000..188a153
+
+userdom_read_all_users_state(systemd_logind_t)
+userdom_use_user_ttys(systemd_logind_t)
-+userdom_manage_all_user_tmp_content(systemd_logind_t)
-+userdom_manage_all_user_tmpfs_content(systemd_logind_t)
++userdom_manage_tmp_role(system_r, systemd_logind_t)
++userdom_manage_tmpfs_role(system_r, systemd_logind_t)
+
+xserver_dbus_chat(systemd_logind_t)
+
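Review bot: The replacement calls `userdom_manage_tmp_role(system_r, systemd_logind_t)` and `userdom_manage_tmpfs_role(system_r, systemd_logind_t)` are not defined in any of the userdomain.if hunks of this commit as far as I can see, so unless they already exist in the base patch the systemd module will fail to build on an undefined macro. Worth a grep before merging. Their argument order (role first, then domain) also differs from the surrounding `userdom_*` calls, which take the domain alone, so a comment on what the role argument is used for would help the next reader.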
@@ -41487,10 +41513,10 @@ index 5ca20a9..e749152 100644
+ corecmd_bin_domtrans($1, unconfined_service_t)
')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 5fe902d..9382e97 100644
+index 5fe902d..fcc9efe 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
-@@ -1,207 +1,16 @@
+@@ -1,207 +1,20 @@
-policy_module(unconfined, 3.5.1)
+policy_module(unconfined, 3.5.0)
@@ -41700,12 +41726,13 @@ index 5fe902d..9382e97 100644
-
-allow unconfined_execmem_t self:process { execstack execmem };
-unconfined_domain_noaudit(unconfined_execmem_t)
--
--optional_policy(`
-- unconfined_dbus_chat(unconfined_execmem_t)
--')
+corecmd_bin_entry_type(unconfined_service_t)
+corecmd_shell_entry_type(unconfined_service_t)
+
+ optional_policy(`
+- unconfined_dbus_chat(unconfined_execmem_t)
++ rpm_transition_script(unconfined_service_t, system_r)
+ ')
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index db75976..e4eb903 100644
--- a/policy/modules/system/userdomain.fc
@@ -41737,7 +41764,7 @@ index db75976..e4eb903 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..428fe58 100644
+index 9dc60c6..858bd7a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -42230,7 +42257,7 @@ index 9dc60c6..428fe58 100644
+ type user_tmpfs_t;
+ ')
+
-+ allow $1 user_tmpfs_t:file manage_file_perms;
++ manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+')
+
+#######################################
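Review bot: Replacing `allow $1 user_tmpfs_t:file manage_file_perms;` with `manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)` does more than restyle the line: the pattern also grants `$1` rw_dir_perms on user_tmpfs_t directories, which the bare allow did not. If the directory access is the actual fix, a comment saying so would stop the next reader from reverting it as a no-op; if only the file permissions were wanted, the original allow was the tighter rule. The enclosing interface starts before this hunk.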
@@ -42286,11 +42313,11 @@ index 9dc60c6..428fe58 100644
- gen_require(`
- type $1_t;
- ')
-+interface(`userdom_basic_networking',`
-
+-
- allow $1_t self:tcp_socket create_stream_socket_perms;
- allow $1_t self:udp_socket create_socket_perms;
--
++interface(`userdom_basic_networking',`
+
- corenet_all_recvfrom_unlabeled($1_t)
- corenet_all_recvfrom_netlabel($1_t)
- corenet_tcp_sendrecv_generic_if($1_t)
@@ -42382,27 +42409,27 @@ index 9dc60c6..428fe58 100644
+ kernel_get_sysvipc_info($1_usertype)
# Find CDROM devices:
- kernel_read_device_sysctls($1_t)
--
-- corecmd_exec_bin($1_t)
+ kernel_read_device_sysctls($1_usertype)
+ kernel_request_load_module($1_usertype)
-- corenet_udp_bind_generic_node($1_t)
-- corenet_udp_bind_generic_port($1_t)
+- corecmd_exec_bin($1_t)
+ corenet_udp_bind_generic_node($1_usertype)
+ corenet_udp_bind_generic_port($1_usertype)
-- dev_read_rand($1_t)
-- dev_write_sound($1_t)
-- dev_read_sound($1_t)
-- dev_read_sound_mixer($1_t)
-- dev_write_sound_mixer($1_t)
+- corenet_udp_bind_generic_node($1_t)
+- corenet_udp_bind_generic_port($1_t)
+ dev_read_rand($1_usertype)
+ dev_write_sound($1_usertype)
+ dev_read_sound($1_usertype)
+ dev_read_sound_mixer($1_usertype)
+ dev_write_sound_mixer($1_usertype)
+- dev_read_rand($1_t)
+- dev_write_sound($1_t)
+- dev_read_sound($1_t)
+- dev_read_sound_mixer($1_t)
+- dev_write_sound_mixer($1_t)
+-
- files_exec_etc_files($1_t)
- files_search_locks($1_t)
+ files_exec_etc_files($1_usertype)
@@ -42426,12 +42453,12 @@ index 9dc60c6..428fe58 100644
+ fs_read_noxattr_fs_files($1_usertype)
+ fs_read_noxattr_fs_symlinks($1_usertype)
+ fs_rw_cgroup_files($1_usertype)
-
-- fs_rw_cgroup_files($1_t)
++
+ application_getattr_socket($1_usertype)
+
+ logging_send_syslog_msg($1_t)
-+
+
+- fs_rw_cgroup_files($1_t)
+ selinux_get_enforce_mode($1_t)
# cjp: some of this probably can be removed
@@ -42538,67 +42565,67 @@ index 9dc60c6..428fe58 100644
+ optional_policy(`
+ geoclue_dbus_chat($1_usertype)
+ ')
++
++ optional_policy(`
++ gnome_dbus_chat_gconfdefault($1_usertype)
++ ')
optional_policy(`
- bluetooth_dbus_chat($1_t)
-+ gnome_dbus_chat_gconfdefault($1_usertype)
++ hal_dbus_chat($1_usertype)
')
optional_policy(`
- consolekit_dbus_chat($1_t)
-+ hal_dbus_chat($1_usertype)
++ kde_dbus_chat_backlighthelper($1_usertype)
')
optional_policy(`
- cups_dbus_chat_config($1_t)
-+ kde_dbus_chat_backlighthelper($1_usertype)
++ modemmanager_dbus_chat($1_usertype)
')
optional_policy(`
- hal_dbus_chat($1_t)
-+ modemmanager_dbus_chat($1_usertype)
++ networkmanager_dbus_chat($1_usertype)
++ networkmanager_read_lib_files($1_usertype)
')
optional_policy(`
- networkmanager_dbus_chat($1_t)
-+ networkmanager_dbus_chat($1_usertype)
-+ networkmanager_read_lib_files($1_usertype)
++ policykit_dbus_chat($1_usertype)
')
optional_policy(`
- policykit_dbus_chat($1_t)
-+ policykit_dbus_chat($1_usertype)
- ')
-+
-+ optional_policy(`
+ vpn_dbus_chat($1_usertype)
-+ ')
-+ ')
-+
-+ optional_policy(`
-+ git_role($1_r, $1_t)
+ ')
')
optional_policy(`
- inetd_use_fds($1_t)
- inetd_rw_tcp_sockets($1_t)
-+ inetd_use_fds($1_usertype)
-+ inetd_rw_tcp_sockets($1_usertype)
++ git_role($1_r, $1_t)
')
optional_policy(`
- inn_read_config($1_t)
- inn_read_news_lib($1_t)
- inn_read_news_spool($1_t)
-+ inn_read_config($1_usertype)
-+ inn_read_news_lib($1_usertype)
-+ inn_read_news_spool($1_usertype)
++ inetd_use_fds($1_usertype)
++ inetd_rw_tcp_sockets($1_usertype)
')
optional_policy(`
- kerberos_manage_krb5_home_files($1_t)
- kerberos_relabel_krb5_home_files($1_t)
- kerberos_home_filetrans_krb5_home($1_t, file, ".k5login")
++ inn_read_config($1_usertype)
++ inn_read_news_lib($1_usertype)
++ inn_read_news_spool($1_usertype)
++ ')
++
++ optional_policy(`
+ lircd_stream_connect($1_usertype)
')
@@ -42660,35 +42687,27 @@ index 9dc60c6..428fe58 100644
optional_policy(`
- resmgr_stream_connect($1_t)
+ resmgr_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ rpc_dontaudit_getattr_exports($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ rpcbind_stream_connect($1_usertype)
')
optional_policy(`
- rpc_dontaudit_getattr_exports($1_t)
- rpc_manage_nfs_rw_content($1_t)
-+ samba_stream_connect_winbind($1_usertype)
++ rpc_dontaudit_getattr_exports($1_usertype)
')
optional_policy(`
- samba_stream_connect_winbind($1_t)
-+ sandbox_transition($1_usertype, $1_r)
++ rpcbind_stream_connect($1_usertype)
')
optional_policy(`
- slrnpull_search_spool($1_t)
-+ seunshare_role_template($1, $1_r, $1_t)
++ samba_stream_connect_winbind($1_usertype)
')
optional_policy(`
- usernetctl_run($1_t, $1_r)
-+ slrnpull_search_spool($1_usertype)
++ sandbox_transition($1_usertype, $1_r)
')
optional_policy(`
@@ -42697,6 +42716,14 @@ index 9dc60c6..428fe58 100644
- virt_home_filetrans_virt_content($1_t, dir, "isos")
- virt_home_filetrans_svirt_home($1_t, dir, "qemu")
- virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines")
++ seunshare_role_template($1, $1_r, $1_t)
++ ')
++
++ optional_policy(`
++ slrnpull_search_spool($1_usertype)
++ ')
++
++ optional_policy(`
+ thumb_role($1_r, $1_usertype)
')
')
@@ -42721,7 +42748,9 @@ index 9dc60c6..428fe58 100644
+
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable($1_exec_content, true)
-+
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
+ tunable_policy(`$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -42729,9 +42758,7 @@ index 9dc60c6..428fe58 100644
+ tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
-
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
++
+ tunable_policy(`$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
@@ -43138,16 +43165,16 @@ index 9dc60c6..428fe58 100644
+
+ optional_policy(`
+ gpm_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
++ mount_run_fusermount($1_t, $1_r)
++ mount_read_pid_files($1_t)
')
optional_policy(`
- netutils_run_ping_cond($1_t, $1_r)
- netutils_run_traceroute_cond($1_t, $1_r)
-+ mount_run_fusermount($1_t, $1_r)
-+ mount_read_pid_files($1_t)
-+ ')
-+
-+ optional_policy(`
+ wine_role_template($1, $1_r, $1_t)
+ ')
+
@@ -44391,7 +44418,7 @@ index 9dc60c6..428fe58 100644
')
########################################
-@@ -3214,31 +3977,49 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,30 +3977,48 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -44424,7 +44451,6 @@ index 9dc60c6..428fe58 100644
########################################
##
-## Do not audit attempts to relabel files from
--## user pty types.
+## Relabel files to unprivileged user pty types.
+##
+##
@@ -44444,10 +44470,9 @@ index 9dc60c6..428fe58 100644
+########################################
+##
+## Do not audit attempts to relabel files from
-+## user pty types.
+ ## user pty types.
##
##
- ##
@@ -3269,7 +4050,83 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -46300,7 +46325,7 @@ index 9dc60c6..428fe58 100644
+')
+
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index f4ac38d..711759c 100644
+index f4ac38d..7283238 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
@@ -46389,7 +46414,7 @@ index f4ac38d..711759c 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -70,26 +83,384 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,386 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -46456,6 +46481,8 @@ index f4ac38d..711759c 100644
+dontaudit unpriv_userdomain self:dir setattr;
+allow unpriv_userdomain self:key manage_key_perms;
+
++mount_dontaudit_write_mount_pid(unpriv_userdomain)
++
+optional_policy(`
+ alsa_read_rw_config(unpriv_userdomain)
+ alsa_manage_home_files(unpriv_userdomain)
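Review bot: `mount_dontaudit_write_mount_pid(unpriv_userdomain)` suppresses audit records for every unprivileged user domain that tries to write mount's pid file, not just the one that produced the noise, and dontaudit rules remove exactly the evidence an analyst would otherwise see. If this is tied to the fusermount handling in userdomain.if, consider applying it to that narrower domain instead, or add a comment naming the triggering case so the breadth is visibly deliberate. The unpriv_userdomain block continues past the hunk.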
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index b5ed9ef..5449d47 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -11316,10 +11316,10 @@ index 0000000..57866f6
+HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
diff --git a/chrome.if b/chrome.if
new file mode 100644
-index 0000000..8ea5b7c
+index 0000000..a0fdbcb
--- /dev/null
+++ b/chrome.if
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,136 @@
+
+## policy for chrome
+
@@ -11343,6 +11343,9 @@ index 0000000..8ea5b7c
+
+ allow $1 chrome_sandbox_t:fd use;
+
++ dontaudit chrome_sandbox_t $1:socket_class_set getattr;
++ allow chrome_sandbox_t $1:unix_stream_socket rw_socket_perms;
++
+ ifdef(`hide_broken_symptoms',`
+ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
+ ')
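Review bot: `allow chrome_sandbox_t $1:unix_stream_socket rw_socket_perms;` gives the sandbox domain more than read/write on the caller's stream sockets — in refpolicy rw_socket_perms also covers ioctl, setattr, getopt/setopt, bind, connect and shutdown. If the sandbox only needs to talk over a socket inherited from the browser domain (the `allow $1 chrome_sandbox_t:fd use;` above suggests an inherited descriptor), `allow chrome_sandbox_t $1:unix_stream_socket { read write };` is the tighter grant. The preceding `dontaudit chrome_sandbox_t $1:socket_class_set getattr;` would also benefit from a comment on what probes it; the enclosing interface starts outside the hunk.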
@@ -13273,7 +13276,7 @@ index 954309e..f4db2ca 100644
')
+
diff --git a/collectd.te b/collectd.te
-index 6471fa8..26584f2 100644
+index 6471fa8..36c3464 100644
--- a/collectd.te
+++ b/collectd.te
@@ -26,18 +26,28 @@ files_type(collectd_var_lib_t)
@@ -13342,7 +13345,7 @@ index 6471fa8..26584f2 100644
logging_send_syslog_msg(collectd_t)
-@@ -75,16 +90,30 @@ tunable_policy(`collectd_tcp_network_connect',`
+@@ -75,16 +90,31 @@ tunable_policy(`collectd_tcp_network_connect',`
')
optional_policy(`
@@ -13355,6 +13358,7 @@ index 6471fa8..26584f2 100644
+
+optional_policy(`
virt_read_config(collectd_t)
++ virt_stream_connect(collectd_t)
')
########################################
@@ -16650,7 +16654,7 @@ index 1303b30..72481a7 100644
+ logging_log_filetrans($1, cron_log_t, $2, $3)
')
diff --git a/cron.te b/cron.te
-index 7de3859..23baf47 100644
+index 7de3859..24f2712 100644
--- a/cron.te
+++ b/cron.te
@@ -11,46 +11,46 @@ gen_require(`
@@ -16724,7 +16728,7 @@ index 7de3859..23baf47 100644
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
files_poly_parent(crond_tmp_t)
-@@ -92,15 +95,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
+@@ -92,15 +95,17 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
@@ -16739,12 +16743,13 @@ index 7de3859..23baf47 100644
init_daemon_domain(system_cronjob_t, anacron_exec_t)
corecmd_shell_entry_type(system_cronjob_t)
-domain_entry_file(system_cronjob_t, system_cron_spool_t)
++corecmd_bin_entry_type(system_cronjob_t)
+role system_r types system_cronjob_t;
+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
type system_cronjob_lock_t alias system_crond_lock_t;
files_lock_file(system_cronjob_lock_t)
-@@ -108,94 +112,34 @@ files_lock_file(system_cronjob_lock_t)
+@@ -108,94 +113,34 @@ files_lock_file(system_cronjob_lock_t)
type system_cronjob_tmp_t alias system_crond_tmp_t;
files_tmp_file(system_cronjob_tmp_t)
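Review bot: `corecmd_bin_entry_type(system_cronjob_t)` makes every bin_t executable a valid entrypoint for system_cronjob_t, whereas the patch already drops `domain_entry_file(system_cronjob_t, system_cron_spool_t)`, so the entry surface of a domain crond transitions into moves from the spool to the whole bin_t set, and nothing in the hunk says why the existing `domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)` and the shell entry type are no longer enough. If the driver is cron jobs that are plain binaries or scripts under bin_t executed directly by crond, state that above the new call, e.g. `# crond runs system jobs that are bin_t executables directly; allow them as entrypoints`, so the widening is deliberate rather than accidental for the next reader. The surrounding type declarations continue outside the hunk.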
@@ -16851,7 +16856,7 @@ index 7de3859..23baf47 100644
selinux_get_fs_mount(admin_crontab_t)
selinux_validate_context(admin_crontab_t)
selinux_compute_access_vector(admin_crontab_t)
-@@ -204,22 +148,26 @@ selinux_compute_relabel_context(admin_crontab_t)
+@@ -204,22 +149,26 @@ selinux_compute_relabel_context(admin_crontab_t)
selinux_compute_user_contexts(admin_crontab_t)
tunable_policy(`fcron_crond',`
@@ -16881,7 +16886,7 @@ index 7de3859..23baf47 100644
allow crond_t self:shm create_shm_perms;
allow crond_t self:sem create_sem_perms;
allow crond_t self:msgq create_msgq_perms;
-@@ -227,7 +175,7 @@ allow crond_t self:msg { send receive };
+@@ -227,7 +176,7 @@ allow crond_t self:msg { send receive };
allow crond_t self:key { search write link };
dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
@@ -16890,7 +16895,7 @@ index 7de3859..23baf47 100644
logging_log_filetrans(crond_t, cron_log_t, file)
manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
-@@ -237,73 +185,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
+@@ -237,73 +186,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
@@ -16994,7 +16999,7 @@ index 7de3859..23baf47 100644
auth_use_nsswitch(crond_t)
logging_send_audit_msgs(crond_t)
-@@ -312,41 +255,46 @@ logging_set_loginuid(crond_t)
+@@ -312,41 +256,46 @@ logging_set_loginuid(crond_t)
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
@@ -17057,7 +17062,7 @@ index 7de3859..23baf47 100644
')
optional_policy(`
-@@ -354,103 +302,135 @@ optional_policy(`
+@@ -354,103 +303,135 @@ optional_policy(`
')
optional_policy(`
@@ -17224,7 +17229,7 @@ index 7de3859..23baf47 100644
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms;
-@@ -461,11 +441,11 @@ kernel_read_network_state(system_cronjob_t)
+@@ -461,11 +442,11 @@ kernel_read_network_state(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
kernel_read_software_raid_state(system_cronjob_t)
@@ -17237,7 +17242,7 @@ index 7de3859..23baf47 100644
corenet_all_recvfrom_netlabel(system_cronjob_t)
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
corenet_udp_sendrecv_generic_if(system_cronjob_t)
-@@ -485,6 +465,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
+@@ -485,6 +466,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
fs_getattr_all_pipes(system_cronjob_t)
fs_getattr_all_sockets(system_cronjob_t)
@@ -17245,7 +17250,7 @@ index 7de3859..23baf47 100644
domain_dontaudit_read_all_domains_state(system_cronjob_t)
files_exec_etc_files(system_cronjob_t)
-@@ -495,17 +476,22 @@ files_getattr_all_files(system_cronjob_t)
+@@ -495,17 +477,22 @@ files_getattr_all_files(system_cronjob_t)
files_getattr_all_symlinks(system_cronjob_t)
files_getattr_all_pipes(system_cronjob_t)
files_getattr_all_sockets(system_cronjob_t)
@@ -17270,7 +17275,7 @@ index 7de3859..23baf47 100644
auth_use_nsswitch(system_cronjob_t)
-@@ -516,20 +502,26 @@ logging_read_generic_logs(system_cronjob_t)
+@@ -516,20 +503,26 @@ logging_read_generic_logs(system_cronjob_t)
logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
@@ -17300,7 +17305,7 @@ index 7de3859..23baf47 100644
selinux_validate_context(system_cronjob_t)
selinux_compute_access_vector(system_cronjob_t)
selinux_compute_create_context(system_cronjob_t)
-@@ -539,10 +531,18 @@ tunable_policy(`cron_can_relabel',`
+@@ -539,10 +532,18 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
@@ -17319,7 +17324,7 @@ index 7de3859..23baf47 100644
')
optional_policy(`
-@@ -551,10 +551,6 @@ optional_policy(`
+@@ -551,10 +552,6 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(system_cronjob_t)
@@ -17330,7 +17335,7 @@ index 7de3859..23baf47 100644
')
optional_policy(`
-@@ -591,6 +587,7 @@ optional_policy(`
+@@ -591,6 +588,7 @@ optional_policy(`
optional_policy(`
mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t)
@@ -17338,7 +17343,7 @@ index 7de3859..23baf47 100644
')
optional_policy(`
-@@ -598,7 +595,23 @@ optional_policy(`
+@@ -598,7 +596,23 @@ optional_policy(`
')
optional_policy(`
@@ -17362,7 +17367,7 @@ index 7de3859..23baf47 100644
')
optional_policy(`
-@@ -608,6 +621,7 @@ optional_policy(`
+@@ -608,6 +622,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -17370,7 +17375,7 @@ index 7de3859..23baf47 100644
')
optional_policy(`
-@@ -615,12 +629,24 @@ optional_policy(`
+@@ -615,12 +630,24 @@ optional_policy(`
')
optional_policy(`
@@ -17397,7 +17402,7 @@ index 7de3859..23baf47 100644
#
allow cronjob_t self:process { signal_perms setsched };
-@@ -628,12 +654,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -628,12 +655,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
@@ -17431,7 +17436,7 @@ index 7de3859..23baf47 100644
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -641,66 +687,138 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -641,66 +688,138 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -18130,7 +18135,7 @@ index 949011e..afe482b 100644
+/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --git a/cups.if b/cups.if
-index 3023be7..20e370b 100644
+index 3023be7..303af85 100644
--- a/cups.if
+++ b/cups.if
@@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',`
@@ -18207,7 +18212,7 @@ index 3023be7..20e370b 100644
init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -368,13 +399,44 @@ interface(`cups_admin',`
+@@ -368,13 +399,45 @@ interface(`cups_admin',`
logging_list_logs($1)
admin_pattern($1, cupsd_log_t)
@@ -18256,6 +18261,7 @@ index 3023be7..20e370b 100644
+ files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+ files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
++ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
')
diff --git a/cups.te b/cups.te
index c91813c..2230476 100644
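Review bot: `files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")` fires for a directory named `cups` created in any directory carrying the generic var type, not only /var/cache as the changelog describes (assuming /var/cache is labelled var_t here), so a `cups` directory created anywhere else under that label also becomes cupsd_rw_etc_t, which cupsd can write. If /var/cache is the only intended location, either a more specific filetrans interface for that path should be used if the policy has one, or a comment above the line should say the transition is deliberately broad, e.g. `# any "cups" dir created under var_t becomes cupsd_rw_etc_t (needed for /var/cache/cups)`. This is inside cups_admin, whose body starts outside the hunk.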
@@ -23932,7 +23938,7 @@ index c880070..4448055 100644
-/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
+/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
diff --git a/dovecot.if b/dovecot.if
-index d5badb7..f439164 100644
+index d5badb7..c2431fc 100644
--- a/dovecot.if
+++ b/dovecot.if
@@ -1,29 +1,49 @@
@@ -24059,7 +24065,7 @@ index d5badb7..f439164 100644
##
##
##
-@@ -120,10 +136,29 @@ interface(`dovecot_write_inherited_tmp_files',`
+@@ -120,10 +136,30 @@ interface(`dovecot_write_inherited_tmp_files',`
allow $1 dovecot_tmp_t:file write;
')
@@ -24079,6 +24085,7 @@ index d5badb7..f439164 100644
+ ')
+
+ files_search_etc($1)
++ list_dirs_pattern($1, dovecot_etc_t, dovecot_etc_t)
+ read_files_pattern($1, dovecot_etc_t, dovecot_etc_t)
+')
+
@@ -24091,7 +24098,7 @@ index d5badb7..f439164 100644
##
##
##
-@@ -132,7 +167,7 @@ interface(`dovecot_write_inherited_tmp_files',`
+@@ -132,7 +168,7 @@ interface(`dovecot_write_inherited_tmp_files',`
##
##
##
@@ -24100,7 +24107,7 @@ index d5badb7..f439164 100644
##
##
##
-@@ -146,9 +181,13 @@ interface(`dovecot_admin',`
+@@ -146,9 +182,13 @@ interface(`dovecot_admin',`
type dovecot_keytab_t;
')
@@ -24115,7 +24122,7 @@ index d5badb7..f439164 100644
init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dovecot_initrc_exec_t system_r;
-@@ -157,20 +196,25 @@ interface(`dovecot_admin',`
+@@ -157,20 +197,25 @@ interface(`dovecot_admin',`
files_list_etc($1)
admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
@@ -30767,7 +30774,7 @@ index ab09d61..d0bfef0 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
')
diff --git a/gnome.te b/gnome.te
-index 63893eb..e9adc23 100644
+index 63893eb..8720f49 100644
--- a/gnome.te
+++ b/gnome.te
@@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0)
@@ -30806,7 +30813,7 @@ index 63893eb..e9adc23 100644
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -31,105 +50,225 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
+@@ -31,105 +50,226 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
userdom_user_application_domain(gconfd_t, gconfd_exec_t)
role gconfd_roles types gconfd_t;
@@ -31034,6 +31041,7 @@ index 63893eb..e9adc23 100644
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
+manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
+files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
++fs_tmpfs_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
+userdom_user_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, { sock_file dir })
-kernel_read_system_state(gkeyringd_domain)
@@ -43487,10 +43495,10 @@ index 0000000..b694afc
+')
+
diff --git a/mozilla.fc b/mozilla.fc
-index 6ffaba2..7128926 100644
+index 6ffaba2..549fb8c 100644
--- a/mozilla.fc
+++ b/mozilla.fc
-@@ -1,38 +1,71 @@
+@@ -1,38 +1,72 @@
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
@@ -43514,6 +43522,7 @@ index 6ffaba2..7128926 100644
+HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.cache/icedtea-web(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/POkemon.*(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -43597,7 +43606,7 @@ index 6ffaba2..7128926 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index 6194b80..03c6414 100644
+index 6194b80..cafb2b0 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@@ -44308,7 +44317,7 @@ index 6194b80..03c6414 100644
##
##
##
-@@ -530,45 +519,56 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +519,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
##
##
#
@@ -44386,6 +44395,7 @@ index 6194b80..03c6414 100644
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".webex")
+ optional_policy(`
+ gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")
++ gnome_cache_filetrans($1, mozilla_home_t, dir, "icedtea-web")
+ ')
')
+
@@ -84729,10 +84739,10 @@ index 0000000..3258f45
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
-index 0000000..01ff0ea
+index 0000000..956922c
--- /dev/null
+++ b/sandboxX.te
-@@ -0,0 +1,496 @@
+@@ -0,0 +1,500 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
@@ -84947,6 +84957,10 @@ index 0000000..01ff0ea
+storage_dontaudit_rw_fuse(sandbox_x_domain)
+
+optional_policy(`
++ bluetooth_dbus_chat(sandbox_x_domain)
++')
++
++optional_policy(`
+ consolekit_dbus_chat(sandbox_x_domain)
+')
+
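Review bot: `bluetooth_dbus_chat(sandbox_x_domain)` lets every sandboxed X domain exchange D-Bus messages with bluetoothd, which reaches out of the sandbox to a system service that (as far as I know) controls host radios and pairing, and neither the hunk nor the 3.13.1-37 changelog entry in this commit names the application that needs it. Sandbox domains are where a policy should be most conservative, so this at least deserves a comment naming the driver, e.g. `# <application placeholder> queries bluetoothd over the system bus from inside sandbox_x`, and ideally a tunable so administrators who do not want sandboxed apps talking to bluetoothd can switch it off.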
@@ -89257,7 +89271,7 @@ index 7d86b34..5f58180 100644
+ files_list_pids($1)
')
diff --git a/snort.te b/snort.te
-index 1af72df..f63015b 100644
+index 1af72df..7e55b50 100644
--- a/snort.te
+++ b/snort.te
@@ -32,10 +32,13 @@ files_pid_file(snort_var_run_t)
@@ -89275,7 +89289,18 @@ index 1af72df..f63015b 100644
allow snort_t self:netlink_firewall_socket create_socket_perms;
allow snort_t snort_etc_t:dir list_dir_perms;
-@@ -63,7 +66,6 @@ kernel_request_load_module(snort_t)
+@@ -43,9 +46,7 @@ allow snort_t snort_etc_t:file read_file_perms;
+ allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
+
+ manage_dirs_pattern(snort_t, snort_log_t, snort_log_t)
+-append_files_pattern(snort_t, snort_log_t, snort_log_t)
+-create_files_pattern(snort_t, snort_log_t, snort_log_t)
+-setattr_files_pattern(snort_t, snort_log_t, snort_log_t)
++manage_files_pattern(snort_t, snort_log_t, snort_log_t)
+ logging_log_filetrans(snort_t, snort_log_t, { file dir })
+
+ manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t)
+@@ -63,7 +64,6 @@ kernel_request_load_module(snort_t)
kernel_dontaudit_read_system_state(snort_t)
kernel_read_network_state(snort_t)
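Review bot: Replacing `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` on snort_log_t with `manage_files_pattern(snort_t, snort_log_t, snort_log_t)` gives the IDS domain write, unlink and rename on its own alert logs, so the append-only property the old three rules preserved — a compromised sensor could add to its logs but not rewrite or remove them — is lost. If the actual need is rotation or cleanup of stale log files, adding `delete_files_pattern(snort_t, snort_log_t, snort_log_t)` next to the existing three keeps live logs append-only; if full write really is required, a comment above the new line recording which snort feature needs it would stop the next reviewer from re-tightening it.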
@@ -89283,7 +89308,7 @@ index 1af72df..f63015b 100644
corenet_all_recvfrom_netlabel(snort_t)
corenet_tcp_sendrecv_generic_if(snort_t)
corenet_udp_sendrecv_generic_if(snort_t)
-@@ -86,18 +88,17 @@ dev_rw_generic_usb_dev(snort_t)
+@@ -86,18 +86,17 @@ dev_rw_generic_usb_dev(snort_t)
domain_use_interactive_fds(snort_t)
@@ -101913,10 +101938,10 @@ index 0000000..7933d80
+')
diff --git a/vmtools.te b/vmtools.te
new file mode 100644
-index 0000000..5ce7d9c
+index 0000000..d59b917
--- /dev/null
+++ b/vmtools.te
-@@ -0,0 +1,89 @@
+@@ -0,0 +1,94 @@
+policy_module(vmtools, 1.0.0)
+
+########################################
@@ -102006,6 +102031,11 @@ index 0000000..5ce7d9c
+corecmd_exec_bin(vmtools_helper_t)
+
+userdom_stream_connect(vmtools_helper_t)
++
++optional_policy(`
++ unconfined_domain(vmtools_helper_t)
++')
++
diff --git a/vmware.if b/vmware.if
index 20a1fb2..470ea95 100644
--- a/vmware.if
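Review bot: `unconfined_domain(vmtools_helper_t)` makes the helper effectively unconfined whenever the unconfined module is present, which on this distribution it normally is, so the `corecmd_exec_bin(vmtools_helper_t)` and `userdom_stream_connect(vmtools_helper_t)` rules just above (and presumably the rest of vmtools.te, which starts outside the hunk) stop being the domain's real boundary. Since the helper presumably runs scripts on request of the hypervisor side, this also means that path now executes without confinement in the guest; a comment near the call such as `# NOTE: helper runs unconfined when the unconfined module is loaded; the rules above only matter without it` documents the tradeoff, and a boolean would let administrators opt back into confinement. The hunk also leaves a trailing blank line at the end of the new file.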
@@ -102295,7 +102325,7 @@ index 7a7f342..afedcba 100644
##
##
diff --git a/vpn.te b/vpn.te
-index 95b26d1..28e0030 100644
+index 95b26d1..3d74e70 100644
--- a/vpn.te
+++ b/vpn.te
@@ -6,6 +6,7 @@ policy_module(vpn, 1.16.0)
@@ -102407,7 +102437,7 @@ index 95b26d1..28e0030 100644
-
-optional_policy(`
- seutil_use_newrole_fds(vpnc_t)
-+ networkmanager_delete_pid_files(vpnc_t)
++ networkmanager_manage_pid_files(vpnc_t)
')
diff --git a/w3c.fc b/w3c.fc
index 463c799..227feaf 100644
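Review bot: Moving from `networkmanager_delete_pid_files(vpnc_t)` to `networkmanager_manage_pid_files(vpnc_t)` lets vpnc create and overwrite files carrying NetworkManager's pid-file type, so a vpnc fault or compromise can now clobber NetworkManager's own runtime state rather than only remove it. If vpnc is creating its own files in that directory, as the changelog says, a file transition to vpnc's own pid-file type (if the module defines one) keeps the two separated and lets this call go back to delete-only; otherwise a short comment above the line stating which NetworkManager file vpnc must write would justify the wider rule. The surrounding optional_policy block starts outside the hunk.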
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 840b31c..29241e9 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 36%{?dist}
+Release: 37%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -580,6 +580,26 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Mar 17 2014 Miroslav Grepl 3.13.1-37
+- Allow collectd to talk to libvirt
+- Allow chrome_sandbox to use leaked unix_stream_sockets
+- Dontaudit leaks of sockets into chrome_sandbox_t
+- If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t
+- Run vmtools as unconfined domains
+- Allow snort to manage its log files
+- Allow systemd_cronjob_t to be entered via bin_t
+- Allow procman to list doveconf_etc_t
+- allow keyring daemon to create content in tmpfs directories
+- Add proper labelling for icedtea-web
+- vpnc is creating content in networkmanager var run directory
+- unconfined_service should be allowed to transition to rpm_script_t
+- Allow couchdb to listen on port 6984
+- Dontaudit attempts by unpriv user domain to write to /run/mount directory, caused by running mount command
+- Allow systemd-logind to setup user tmpfs directories
+- Add additional fixes for systemd_networkd_t
+- Allow systemd-logind to manage user_tmpfs_t
+- Allow systemd-logind to mount /run/user/1000 to get gdm working
+
* Fri Mar 14 2014 Miroslav Grepl 3.13.1-36
- Add additional fixes for systemd_networkd_t
- Allow systemd-logind to manage user_tmpfs_t