diff --git a/container-selinux.tgz b/container-selinux.tgz
index 3861472..f1a0fe3 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index ecefc64..b1dd7bd 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -17432,7 +17432,7 @@ index d7c11a0b3..f521a50f8 100644
  /var/run/shm/.*			<<none>>
 -')
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb43..2aa8d9ff4 100644
+index 8416beb43..0444eacf4 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -577,6 +577,24 @@ interface(`fs_mount_cgroup', `
@@ -18316,7 +18316,7 @@ index 8416beb43..2aa8d9ff4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1839,174 +2234,989 @@ interface(`fs_unmount_fusefs',`
+@@ -1839,115 +2234,875 @@ interface(`fs_unmount_fusefs',`
  ##	</summary>
  ## </param>
  #
@@ -18413,55 +18413,66 @@ index 8416beb43..2aa8d9ff4 100644
  #
 -interface(`fs_dontaudit_list_fusefs',`
 +interface(`fs_ecryptfs_domtrans',`
-+	gen_require(`
+ 	gen_require(`
+-		type fusefs_t;
 +		type ecryptfs_t;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 fusefs_t:dir list_dir_perms;
 +	allow $1 ecryptfs_t:dir search_dir_perms;
 +	domain_auto_transition_pattern($1, ecryptfs_t, $2)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete directories
+-##	on a FUSEFS filesystem.
 +##	Mount a FUSE filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`fs_manage_fusefs_dirs',`
 +interface(`fs_mount_fusefs',`
  	gen_require(`
  		type fusefs_t;
  	')
  
--	dontaudit $1 fusefs_t:dir list_dir_perms;
+-	allow $1 fusefs_t:dir manage_dir_perms;
 +	allow $1 fusefs_t:filesystem mount;
  ')
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete directories
+-##	Do not audit attempts to create, read,
+-##	write, and delete directories
 -##	on a FUSEFS filesystem.
 +##	Unmount a FUSE filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_dontaudit_manage_fusefs_dirs',`
 +interface(`fs_unmount_fusefs',`
-+	gen_require(`
-+		type fusefs_t;
-+	')
-+
+ 	gen_require(`
+ 		type fusefs_t;
+ 	')
+ 
+-	dontaudit $1 fusefs_t:dir manage_dir_perms;
 +	allow $1 fusefs_t:filesystem unmount;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read, a FUSEFS filesystem.
 +##	Mounton a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
@@ -18597,6 +18608,25 @@ index 8416beb43..2aa8d9ff4 100644
 +
 +########################################
 +## <summary>
++##	mmap files on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_mmap_fusefs_files',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	allow $1 fusefs_t:file map;
++')
++
++########################################
++## <summary>
 +##	Make general progams in FUSEFS an entrypoint for
 +##	the specified domain.
 +## </summary>
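Review bot: The new `fs_mmap_fusefs_files` interface grants only `allow $1 fusefs_t:file map;`, but its summary "mmap files on a FUSEFS filesystem." does not say that no open or read access comes with it; the same applies to `fs_mmap_nfs_files` (`allow $1 nfs_t:file map;`) added in the later `fs_manage_nfs_files` hunk. A caller presumably still needs a separate interface such as `fs_read_fusefs_files` or `fs_read_nfs_files` for the mapping to be usable, so I would word the summaries as `##	Memory map files on a FUSEFS filesystem (map permission only).` and the NFS one likewise. That also gives them the capitalised opening the neighbouring summaries use ("Mount a FUSE filesystem."). Since the contents of files on these filesystems come from a FUSE daemon or an NFS server rather than local disk, it may be worth a line in the description telling policy authors to call these only from domains that really need to map such files.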
@@ -19167,98 +19197,6 @@ index 8416beb43..2aa8d9ff4 100644
 +## <summary>
 +##	Unmount an iso9660 filesystem, which
 +##	is usually used on CDs.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_unmount_iso9660_fs',`
-+	gen_require(`
-+		type iso9660_t;
-+	')
-+
-+	allow $1 iso9660_t:filesystem unmount;
-+')
-+
-+########################################
-+## <summary>
-+##	Get the attributes of an iso9660
-+##	filesystem, which is usually used on CDs.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`fs_getattr_iso9660_fs',`
-+	gen_require(`
-+		type iso9660_t;
-+	')
-+
-+	allow $1 iso9660_t:filesystem getattr;
-+')
-+
-+########################################
-+## <summary>
-+##	Read files on an iso9660 filesystem, which
-+##	is usually used on CDs.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`fs_manage_fusefs_dirs',`
-+interface(`fs_getattr_iso9660_files',`
- 	gen_require(`
--		type fusefs_t;
-+		type iso9660_t;
- 	')
- 
--	allow $1 fusefs_t:dir manage_dir_perms;
-+	allow $1 iso9660_t:dir list_dir_perms;
-+	allow $1 iso9660_t:file getattr;
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to create, read,
--##	write, and delete directories
--##	on a FUSEFS filesystem.
-+##	Read files on an iso9660 filesystem, which
-+##	is usually used on CDs.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`fs_dontaudit_manage_fusefs_dirs',`
-+interface(`fs_read_iso9660_files',`
- 	gen_require(`
--		type fusefs_t;
-+		type iso9660_t;
- 	')
- 
--	dontaudit $1 fusefs_t:dir manage_dir_perms;
-+	allow $1 iso9660_t:dir list_dir_perms;
-+	read_files_pattern($1, iso9660_t, iso9660_t)
-+	read_lnk_files_pattern($1, iso9660_t, iso9660_t)
- ')
- 
-+
- ########################################
- ## <summary>
--##	Read, a FUSEFS filesystem.
-+##	Mount kdbus filesystems.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -19268,44 +19206,45 @@ index 8416beb43..2aa8d9ff4 100644
 -## <rolecap/>
  #
 -interface(`fs_read_fusefs_files',`
-+interface(`fs_mount_kdbus', `
++interface(`fs_unmount_iso9660_fs',`
  	gen_require(`
 -		type fusefs_t;
-+		type kdbusfs_t;
++		type iso9660_t;
  	')
  
 -	read_files_pattern($1, fusefs_t, fusefs_t)
-+	allow $1 kdbusfs_t:filesystem mount;
++	allow $1 iso9660_t:filesystem unmount;
  ')
  
  ########################################
  ## <summary>
 -##	Execute files on a FUSEFS filesystem.
-+##	Remount kdbus filesystems.
++##	Get the attributes of an iso9660
++##	filesystem, which is usually used on CDs.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
+@@ -1956,57 +3111,59 @@ interface(`fs_read_fusefs_files',`
  ## </param>
--## <rolecap/>
+ ## <rolecap/>
  #
 -interface(`fs_exec_fusefs_files',`
-+interface(`fs_remount_kdbus', `
++interface(`fs_getattr_iso9660_fs',`
  	gen_require(`
 -		type fusefs_t;
-+		type kdbusfs_t;
++		type iso9660_t;
  	')
  
 -	exec_files_pattern($1, fusefs_t, fusefs_t)
-+	allow $1 kdbusfs_t:filesystem remount;
++	allow $1 iso9660_t:filesystem getattr;
  ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete files
 -##	on a FUSEFS filesystem.
-+##	Unmount kdbus filesystems.
++##	Read files on an iso9660 filesystem, which
++##	is usually used on CDs.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -19315,14 +19254,15 @@ index 8416beb43..2aa8d9ff4 100644
 -## <rolecap/>
  #
 -interface(`fs_manage_fusefs_files',`
-+interface(`fs_unmount_kdbus', `
++interface(`fs_getattr_iso9660_files',`
  	gen_require(`
 -		type fusefs_t;
-+		type kdbusfs_t;
++		type iso9660_t;
  	')
  
 -	manage_files_pattern($1, fusefs_t, fusefs_t)
-+	allow $1 kdbusfs_t:filesystem unmount;
++	allow $1 iso9660_t:dir list_dir_perms;
++	allow $1 iso9660_t:file getattr;
  ')
  
  ########################################
@@ -19330,7 +19270,8 @@ index 8416beb43..2aa8d9ff4 100644
 -##	Do not audit attempts to create,
 -##	read, write, and delete files
 -##	on a FUSEFS filesystem.
-+##	Get attributes of kdbus filesystems.
++##	Read files on an iso9660 filesystem, which
++##	is usually used on CDs.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -19340,154 +19281,130 @@ index 8416beb43..2aa8d9ff4 100644
  ## </param>
  #
 -interface(`fs_dontaudit_manage_fusefs_files',`
-+interface(`fs_getattr_kdbus',`
++interface(`fs_read_iso9660_files',`
  	gen_require(`
 -		type fusefs_t;
-+		type kdbusfs_t;
++		type iso9660_t;
  	')
  
 -	dontaudit $1 fusefs_t:file manage_file_perms;
-+	allow $1 kdbusfs_t:filesystem getattr;
++	allow $1 iso9660_t:dir list_dir_perms;
++	read_files_pattern($1, iso9660_t, iso9660_t)
++	read_lnk_files_pattern($1, iso9660_t, iso9660_t)
  ')
  
++
  ########################################
  ## <summary>
 -##	Read symbolic links on a FUSEFS filesystem.
-+##	Search kdbusfs directories.
++##	Mount kdbus filesystems.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2014,19 +3224,20 @@ interface(`fs_dontaudit_manage_fusefs_files',`
+@@ -2014,19 +3171,17 @@ interface(`fs_dontaudit_manage_fusefs_files',`
  ##	</summary>
  ## </param>
  #
 -interface(`fs_read_fusefs_symlinks',`
-+interface(`fs_search_kdbus_dirs',`
++interface(`fs_mount_kdbus', `
  	gen_require(`
 -		type fusefs_t;
 +		type kdbusfs_t;
-+
  	')
  
 -	allow $1 fusefs_t:dir list_dir_perms;
 -	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
-+	search_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
-+	fs_search_tmpfs($1)
-+	dev_search_sysfs($1)
++	allow $1 kdbusfs_t:filesystem mount;
  ')
  
  ########################################
  ## <summary>
 -##	Get the attributes of an hugetlbfs
 -##	filesystem.
-+##	Relabel kdbusfs directories.
++##	Remount kdbus filesystems.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2034,17 +3245,18 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -2034,17 +3189,17 @@ interface(`fs_read_fusefs_symlinks',`
  ##	</summary>
  ## </param>
  #
 -interface(`fs_getattr_hugetlbfs',`
-+interface(`fs_relabel_kdbus_dirs',`
++interface(`fs_remount_kdbus', `
  	gen_require(`
 -		type hugetlbfs_t;
 +		type kdbusfs_t;
-+
  	')
  
 -	allow $1 hugetlbfs_t:filesystem getattr;
-+	relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
++	allow $1 kdbusfs_t:filesystem remount;
  ')
  
  ########################################
  ## <summary>
 -##	List hugetlbfs.
-+##	List kdbusfs directories.
++##	Unmount kdbus filesystems.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2052,17 +3264,38 @@ interface(`fs_getattr_hugetlbfs',`
+@@ -2052,17 +3207,17 @@ interface(`fs_getattr_hugetlbfs',`
  ##	</summary>
  ## </param>
  #
 -interface(`fs_list_hugetlbfs',`
-+interface(`fs_list_kdbus_dirs',`
++interface(`fs_unmount_kdbus', `
  	gen_require(`
 -		type hugetlbfs_t;
 +		type kdbusfs_t;
  	')
  
 -	allow $1 hugetlbfs_t:dir list_dir_perms;
-+	list_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
-+	fs_search_tmpfs($1)
-+	dev_search_sysfs($1)
-+')
-+
-+#######################################
-+## <summary>
-+##  Do not audit attempts to search kdbusfs directories.
-+## </summary>
-+## <param name="domain">
-+##  <summary>
-+##	Domain to not audit.
-+##  </summary>
-+## </param>
-+#
-+interface(`fs_dontaudit_search_kdbus_dirs', `
-+    gen_require(`
-+        type kdbusfs_t;
-+    ')
-+
-+	dontaudit $1 kdbusfs_t:dir search_dir_perms;
-+	dev_dontaudit_search_sysfs($1)
++	allow $1 kdbusfs_t:filesystem unmount;
  ')
  
  ########################################
  ## <summary>
 -##	Manage hugetlbfs dirs.
-+##	Delete kdbusfs directories.
++##	Get attributes of kdbus filesystems.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2070,17 +3303,19 @@ interface(`fs_list_hugetlbfs',`
+@@ -2070,17 +3225,17 @@ interface(`fs_list_hugetlbfs',`
  ##	</summary>
  ## </param>
  #
 -interface(`fs_manage_hugetlbfs_dirs',`
-+interface(`fs_delete_kdbus_dirs', `
++interface(`fs_getattr_kdbus',`
  	gen_require(`
 -		type hugetlbfs_t;
 +		type kdbusfs_t;
  	')
  
 -	manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+	delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
-+	fs_search_tmpfs($1)
-+	dev_search_sysfs($1)
++	allow $1 kdbusfs_t:filesystem getattr;
  ')
  
  ########################################
  ## <summary>
 -##	Read and write hugetlbfs files.
-+##	Manage kdbusfs directories.
++##	Search kdbusfs directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2088,35 +3323,41 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -2088,35 +3243,39 @@ interface(`fs_manage_hugetlbfs_dirs',`
  ##	</summary>
  ## </param>
  #
 -interface(`fs_rw_hugetlbfs_files',`
-+interface(`fs_manage_kdbus_dirs',`
++interface(`fs_search_kdbus_dirs',`
  	gen_require(`
 -		type hugetlbfs_t;
--	')
 +		type kdbusfs_t;
++
+ 	')
  
 -	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+	')
-+	manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
++	search_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
 +	fs_search_tmpfs($1)
 +	dev_search_sysfs($1)
  ')
@@ -19495,7 +19412,7 @@ index 8416beb43..2aa8d9ff4 100644
  ########################################
  ## <summary>
 -##	Allow the type to associate to hugetlbfs filesystems.
-+##	Read kdbusfs files.
++##	Relabel kdbusfs directories.
  ## </summary>
 -## <param name="type">
 +## <param name="domain">
@@ -19506,7 +19423,7 @@ index 8416beb43..2aa8d9ff4 100644
  ## </param>
  #
 -interface(`fs_associate_hugetlbfs',`
-+interface(`fs_read_kdbus_files',`
++interface(`fs_relabel_kdbus_dirs',`
  	gen_require(`
 -		type hugetlbfs_t;
 +		type kdbusfs_t;
@@ -19514,91 +19431,92 @@ index 8416beb43..2aa8d9ff4 100644
  	')
  
 -	allow $1 hugetlbfs_t:filesystem associate;
-+	read_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+	read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+	fs_search_tmpfs($1)
-+	dev_search_sysfs($1)
++	relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
  ')
  
  ########################################
  ## <summary>
 -##	Search inotifyfs filesystem.
-+##	Write kdbusfs files.
++##	List kdbusfs directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2124,17 +3365,19 @@ interface(`fs_associate_hugetlbfs',`
+@@ -2124,89 +3283,78 @@ interface(`fs_associate_hugetlbfs',`
  ##	</summary>
  ## </param>
  #
 -interface(`fs_search_inotifyfs',`
-+interface(`fs_write_kdbus_files', `
++interface(`fs_list_kdbus_dirs',`
  	gen_require(`
 -		type inotifyfs_t;
 +		type kdbusfs_t;
  	')
  
 -	allow $1 inotifyfs_t:dir search_dir_perms;
-+	write_files_pattern($1, kdbusfs_t, kdbusfs_t)
++	list_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
 +	fs_search_tmpfs($1)
 +	dev_search_sysfs($1)
  ')
  
- ########################################
+-########################################
++#######################################
  ## <summary>
 -##	List inotifyfs filesystem.
-+##	Read and write kdbusfs files.
++##  Do not audit attempts to search kdbusfs directories.
  ## </summary>
  ## <param name="domain">
- ##	<summary>
-@@ -2142,17 +3385,23 @@ interface(`fs_search_inotifyfs',`
- ##	</summary>
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
++##  <summary>
++##	Domain to not audit.
++##  </summary>
  ## </param>
  #
 -interface(`fs_list_inotifyfs',`
-+interface(`fs_rw_kdbus_files',`
- 	gen_require(`
+-	gen_require(`
 -		type inotifyfs_t;
-+		type kdbusfs_t;
-+
- 	')
+-	')
++interface(`fs_dontaudit_search_kdbus_dirs', `
++    gen_require(`
++        type kdbusfs_t;
++    ')
  
 -	allow $1 inotifyfs_t:dir list_dir_perms;
-+	read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+	rw_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+	fs_search_tmpfs($1)
-+	dev_search_sysfs($1)
++	dontaudit $1 kdbusfs_t:dir search_dir_perms;
++	dev_dontaudit_search_sysfs($1)
  ')
  
  ########################################
  ## <summary>
 -##	Dontaudit List inotifyfs filesystem.
-+##	Do not audit attempts to open,
-+##	get attributes, read and write
-+##	cgroup files.
++##	Delete kdbusfs directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2160,53 +3409,39 @@ interface(`fs_list_inotifyfs',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
 -interface(`fs_dontaudit_list_inotifyfs',`
-+interface(`fs_dontaudit_rw_kdbus_files',`
++interface(`fs_delete_kdbus_dirs', `
  	gen_require(`
 -		type inotifyfs_t;
 +		type kdbusfs_t;
  	')
  
 -	dontaudit $1 inotifyfs_t:dir list_dir_perms;
-+	dontaudit $1 kdbusfs_t:file rw_file_perms;
++	delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
++	fs_search_tmpfs($1)
++	dev_search_sysfs($1)
  ')
  
  ########################################
  ## <summary>
 -##	Create an object in a hugetlbfs filesystem, with a private
 -##	type using a type transition.
-+##	Manage kdbusfs files.
++##	Manage kdbusfs directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -19622,17 +19540,16 @@ index 8416beb43..2aa8d9ff4 100644
 -## </param>
  #
 -interface(`fs_hugetlbfs_filetrans',`
-+interface(`fs_manage_kdbus_files',`
++interface(`fs_manage_kdbus_dirs',`
  	gen_require(`
 -		type hugetlbfs_t;
+-	')
 +		type kdbusfs_t;
-+
- 	')
  
 -	allow $2 hugetlbfs_t:filesystem associate;
 -	filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
-+	manage_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+	manage_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
++	')
++	manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
 +	fs_search_tmpfs($1)
 +	dev_search_sysfs($1)
  ')
@@ -19641,394 +19558,284 @@ index 8416beb43..2aa8d9ff4 100644
  ## <summary>
 -##	Mount an iso9660 filesystem, which
 -##	is usually used on CDs.
-+##	Mount on kdbusfs directories.
++##	Read kdbusfs files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2214,19 +3449,18 @@ interface(`fs_hugetlbfs_filetrans',`
+@@ -2214,19 +3362,21 @@ interface(`fs_hugetlbfs_filetrans',`
  ##	</summary>
  ## </param>
  #
 -interface(`fs_mount_iso9660_fs',`
-+interface(`fs_mounton_kdbus', `
++interface(`fs_read_kdbus_files',`
  	gen_require(`
 -		type iso9660_t;
 +		type kdbusfs_t;
++
  	')
  
 -	allow $1 iso9660_t:filesystem mount;
-+	allow $1 kdbusfs_t:dir mounton;
++	read_files_pattern($1, kdbusfs_t, kdbusfs_t)
++	read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
++	fs_search_tmpfs($1)
++	dev_search_sysfs($1)
  ')
  
-+
  ########################################
  ## <summary>
 -##	Remount an iso9660 filesystem, which
 -##	is usually used on CDs.  This allows
 -##	some mount options to be changed.
-+##	Mount a NFS filesystem.
++##	Write kdbusfs files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2234,18 +3468,18 @@ interface(`fs_mount_iso9660_fs',`
+@@ -2234,18 +3384,19 @@ interface(`fs_mount_iso9660_fs',`
  ##	</summary>
  ## </param>
  #
 -interface(`fs_remount_iso9660_fs',`
-+interface(`fs_mount_nfs',`
++interface(`fs_write_kdbus_files', `
  	gen_require(`
 -		type iso9660_t;
-+		type nfs_t;
++		type kdbusfs_t;
  	')
  
 -	allow $1 iso9660_t:filesystem remount;
-+	allow $1 nfs_t:filesystem mount;
++	write_files_pattern($1, kdbusfs_t, kdbusfs_t)
++	fs_search_tmpfs($1)
++	dev_search_sysfs($1)
  ')
  
  ########################################
  ## <summary>
 -##	Unmount an iso9660 filesystem, which
 -##	is usually used on CDs.
-+##	Remount a NFS filesystem.  This allows
-+##	some mount options to be changed.
++##	Read and write kdbusfs files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2253,58 +3487,54 @@ interface(`fs_remount_iso9660_fs',`
+@@ -2253,38 +3404,41 @@ interface(`fs_remount_iso9660_fs',`
  ##	</summary>
  ## </param>
  #
 -interface(`fs_unmount_iso9660_fs',`
-+interface(`fs_remount_nfs',`
++interface(`fs_rw_kdbus_files',`
  	gen_require(`
 -		type iso9660_t;
-+		type nfs_t;
++		type kdbusfs_t;
++
  	')
  
 -	allow $1 iso9660_t:filesystem unmount;
-+	allow $1 nfs_t:filesystem remount;
++	read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
++	rw_files_pattern($1, kdbusfs_t, kdbusfs_t)
++	fs_search_tmpfs($1)
++	dev_search_sysfs($1)
  ')
  
  ########################################
  ## <summary>
 -##	Get the attributes of an iso9660
 -##	filesystem, which is usually used on CDs.
-+##	Unmount a NFS filesystem.
++##	Do not audit attempts to open,
++##	get attributes, read and write
++##	cgroup files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
 -## <rolecap/>
  #
 -interface(`fs_getattr_iso9660_fs',`
-+interface(`fs_unmount_nfs',`
++interface(`fs_dontaudit_rw_kdbus_files',`
  	gen_require(`
 -		type iso9660_t;
-+		type nfs_t;
++		type kdbusfs_t;
  	')
  
 -	allow $1 iso9660_t:filesystem getattr;
-+	allow $1 nfs_t:filesystem unmount;
++	dontaudit $1 kdbusfs_t:file rw_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Read files on an iso9660 filesystem, which
 -##	is usually used on CDs.
-+##	Get the attributes of a NFS filesystem.
++##	Manage kdbusfs files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+@@ -2292,19 +3446,21 @@ interface(`fs_getattr_iso9660_fs',`
  ##	</summary>
  ## </param>
-+## <rolecap/>
  #
 -interface(`fs_getattr_iso9660_files',`
-+interface(`fs_getattr_nfs',`
++interface(`fs_manage_kdbus_files',`
  	gen_require(`
 -		type iso9660_t;
-+		type nfs_t;
++		type kdbusfs_t;
++
  	')
  
 -	allow $1 iso9660_t:dir list_dir_perms;
 -	allow $1 iso9660_t:file getattr;
-+	allow $1 nfs_t:filesystem getattr;
++	manage_files_pattern($1, kdbusfs_t, kdbusfs_t)
++	manage_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
++	fs_search_tmpfs($1)
++	dev_search_sysfs($1)
  ')
  
  ########################################
  ## <summary>
 -##	Read files on an iso9660 filesystem, which
 -##	is usually used on CDs.
-+##	Set the attributes of nfs directories.
++##	Mount on kdbusfs directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2312,19 +3542,17 @@ interface(`fs_getattr_iso9660_files',`
+@@ -2312,16 +3468,15 @@ interface(`fs_getattr_iso9660_files',`
  ##	</summary>
  ## </param>
  #
 -interface(`fs_read_iso9660_files',`
-+interface(`fs_setattr_nfs_dirs',`
++interface(`fs_mounton_kdbus', `
  	gen_require(`
 -		type iso9660_t;
-+		type nfs_t;
++		type kdbusfs_t;
  	')
  
 -	allow $1 iso9660_t:dir list_dir_perms;
 -	read_files_pattern($1, iso9660_t, iso9660_t)
 -	read_lnk_files_pattern($1, iso9660_t, iso9660_t)
-+	allow $1 nfs_t:dir setattr;
- ')
- 
- ########################################
- ## <summary>
--##	Mount a NFS filesystem.
-+##	Search directories on a NFS filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2332,18 +3560,17 @@ interface(`fs_read_iso9660_files',`
- ##	</summary>
- ## </param>
- #
--interface(`fs_mount_nfs',`
-+interface(`fs_search_nfs',`
- 	gen_require(`
- 		type nfs_t;
- 	')
- 
--	allow $1 nfs_t:filesystem mount;
-+	allow $1 nfs_t:dir search_dir_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Remount a NFS filesystem.  This allows
--##	some mount options to be changed.
-+##	List NFS filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2351,240 +3578,243 @@ interface(`fs_mount_nfs',`
- ##	</summary>
- ## </param>
- #
--interface(`fs_remount_nfs',`
-+interface(`fs_list_nfs',`
- 	gen_require(`
- 		type nfs_t;
- 	')
- 
--	allow $1 nfs_t:filesystem remount;
-+	allow $1 nfs_t:dir list_dir_perms;
++	allow $1 kdbusfs_t:dir mounton;
  ')
  
++
  ########################################
  ## <summary>
--##	Unmount a NFS filesystem.
-+##	Do not audit attempts to list the contents
-+##	of directories on a NFS filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
--interface(`fs_unmount_nfs',`
-+interface(`fs_dontaudit_list_nfs',`
- 	gen_require(`
- 		type nfs_t;
- 	')
- 
--	allow $1 nfs_t:filesystem unmount;
-+	dontaudit $1 nfs_t:dir list_dir_perms;
- ')
+ ##	Mount a NFS filesystem.
+@@ -2398,6 +3553,24 @@ interface(`fs_getattr_nfs',`
  
  ########################################
  ## <summary>
--##	Get the attributes of a NFS filesystem.
-+##	Mounton a NFS filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`fs_getattr_nfs',`
-+interface(`fs_mounton_nfs',`
- 	gen_require(`
- 		type nfs_t;
- 	')
- 
--	allow $1 nfs_t:filesystem getattr;
-+	allow $1 nfs_t:dir mounton;
- ')
- 
- ########################################
- ## <summary>
--##	Search directories on a NFS filesystem.
-+##	Read files on a NFS filesystem.
++##	Set the attributes of nfs directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_setattr_nfs_dirs',`
++	gen_require(`
++		type nfs_t;
++	')
++
++	allow $1 nfs_t:dir setattr;
++')
++
++########################################
++## <summary>
+ ##	Search directories on a NFS filesystem.
  ## </summary>
  ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
-+## <rolecap/>
- #
--interface(`fs_search_nfs',`
-+interface(`fs_read_nfs_files',`
- 	gen_require(`
+@@ -2485,6 +3658,7 @@ interface(`fs_read_nfs_files',`
  		type nfs_t;
  	')
  
--	allow $1 nfs_t:dir search_dir_perms;
 +	fs_search_auto_mountpoints($1)
-+	allow $1 nfs_t:dir list_dir_perms;
-+	read_files_pattern($1, nfs_t, nfs_t)
+ 	allow $1 nfs_t:dir list_dir_perms;
+ 	read_files_pattern($1, nfs_t, nfs_t)
  ')
- 
- ########################################
- ## <summary>
--##	List NFS filesystem.
-+##	Do not audit attempts to read
-+##	files on a NFS filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
+@@ -2518,73 +3692,148 @@ interface(`fs_dontaudit_read_nfs_files',`
  ##	</summary>
  ## </param>
  #
--interface(`fs_list_nfs',`
-+interface(`fs_dontaudit_read_nfs_files',`
- 	gen_require(`
- 		type nfs_t;
- 	')
- 
--	allow $1 nfs_t:dir list_dir_perms;
-+	dontaudit $1 nfs_t:file read_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to list the contents
--##	of directories on a NFS filesystem.
-+##	Read files on a NFS filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`fs_dontaudit_list_nfs',`
+-interface(`fs_write_nfs_files',`
 +interface(`fs_write_nfs_files',`
- 	gen_require(`
- 		type nfs_t;
- 	')
- 
--	dontaudit $1 nfs_t:dir list_dir_perms;
++	gen_require(`
++		type nfs_t;
++	')
++
 +	fs_search_auto_mountpoints($1)
 +	allow $1 nfs_t:dir list_dir_perms;
 +	write_files_pattern($1, nfs_t, nfs_t)
- ')
- 
- ########################################
- ## <summary>
--##	Mounton a NFS filesystem.
++')
++
++########################################
++## <summary>
 +##	Execute files on a NFS filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +## <rolecap/>
- #
--interface(`fs_mounton_nfs',`
++#
 +interface(`fs_exec_nfs_files',`
- 	gen_require(`
- 		type nfs_t;
- 	')
- 
--	allow $1 nfs_t:dir mounton;
++	gen_require(`
++		type nfs_t;
++	')
++
 +	allow $1 nfs_t:dir list_dir_perms;
 +	exec_files_pattern($1, nfs_t, nfs_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read files on a NFS filesystem.
++')
++
++########################################
++## <summary>
 +##	Make general progams in nfs an entrypoint for
 +##	the specified domain.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	The domain for which nfs_t is an entrypoint.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`fs_read_nfs_files',`
++##	</summary>
++## </param>
++#
 +interface(`fs_nfs_entry_type',`
- 	gen_require(`
- 		type nfs_t;
- 	')
- 
--	allow $1 nfs_t:dir list_dir_perms;
--	read_files_pattern($1, nfs_t, nfs_t)
++	gen_require(`
++		type nfs_t;
++	')
++
 +	domain_entry_file($1, nfs_t)
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to read
--##	files on a NFS filesystem.
++')
++
++########################################
++## <summary>
 +##	Make general progams in NFS an entrypoint for
 +##	the specified domain.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	The domain for which nfs_t is an entrypoint.
- ##	</summary>
- ## </param>
- #
--interface(`fs_dontaudit_read_nfs_files',`
++##	</summary>
++## </param>
++#
 +interface(`fs_nfs_entrypoint',`
- 	gen_require(`
- 		type nfs_t;
- 	')
- 
--	dontaudit $1 nfs_t:file read_file_perms;
++	gen_require(`
++		type nfs_t;
++	')
++
 +    allow $1 nfs_t:file entrypoint;
- ')
- 
- ########################################
- ## <summary>
--##	Read files on a NFS filesystem.
++')
++
++########################################
++## <summary>
 +##	Append files
 +##	on a NFS filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +## <rolecap/>
- #
--interface(`fs_write_nfs_files',`
++#
 +interface(`fs_append_nfs_files',`
  	gen_require(`
  		type nfs_t;
@@ -20112,7 +19919,7 @@ index 8416beb43..2aa8d9ff4 100644
  ')
  
  ########################################
-@@ -2603,7 +3833,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2603,7 +3852,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -20121,7 +19928,7 @@ index 8416beb43..2aa8d9ff4 100644
  ')
  
  ########################################
-@@ -2627,7 +3857,7 @@ interface(`fs_read_nfs_symlinks',`
+@@ -2627,7 +3876,7 @@ interface(`fs_read_nfs_symlinks',`
  
  ########################################
  ## <summary>
@@ -20130,7 +19937,7 @@ index 8416beb43..2aa8d9ff4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2719,6 +3949,65 @@ interface(`fs_search_rpc',`
+@@ -2719,6 +3968,65 @@ interface(`fs_search_rpc',`
  
  ########################################
  ## <summary>
@@ -20196,7 +20003,7 @@ index 8416beb43..2aa8d9ff4 100644
  ##	Search removable storage directories.
  ## </summary>
  ## <param name="domain">
-@@ -2741,7 +4030,7 @@ interface(`fs_search_removable',`
+@@ -2741,7 +4049,7 @@ interface(`fs_search_removable',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -20205,7 +20012,7 @@ index 8416beb43..2aa8d9ff4 100644
  ##	</summary>
  ## </param>
  #
-@@ -2777,7 +4066,7 @@ interface(`fs_read_removable_files',`
+@@ -2777,7 +4085,7 @@ interface(`fs_read_removable_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -20214,7 +20021,7 @@ index 8416beb43..2aa8d9ff4 100644
  ##	</summary>
  ## </param>
  #
-@@ -2970,6 +4259,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +4278,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -20222,7 +20029,7 @@ index 8416beb43..2aa8d9ff4 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -3010,6 +4300,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,11 +4319,31 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -20230,7 +20037,31 @@ index 8416beb43..2aa8d9ff4 100644
  	manage_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3050,6 +4341,7 @@ interface(`fs_manage_nfs_symlinks',`
+ ########################################
+ ## <summary>
++##	mmap files on a NFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_mmap_nfs_files',`
++	gen_require(`
++		type nfs_t;
++	')
++
++	allow $1 nfs_t:file map;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to create,
+ ##	read, write, and delete files
+ ##	on a NFS filesystem.
+@@ -3050,6 +4379,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -20238,7 +20069,7 @@ index 8416beb43..2aa8d9ff4 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3137,6 +4429,24 @@ interface(`fs_nfs_domtrans',`
+@@ -3137,6 +4467,24 @@ interface(`fs_nfs_domtrans',`
  
  ########################################
  ## <summary>
@@ -20263,7 +20094,7 @@ index 8416beb43..2aa8d9ff4 100644
  ##	Mount a NFS server pseudo filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3239,15 +4549,198 @@ interface(`fs_search_nfsd_fs',`
+@@ -3239,15 +4587,198 @@ interface(`fs_search_nfsd_fs',`
  #
  interface(`fs_list_nfsd_fs',`
  	gen_require(`
@@ -20465,7 +20296,7 @@ index 8416beb43..2aa8d9ff4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3255,35 +4748,35 @@ interface(`fs_list_nfsd_fs',`
+@@ -3255,35 +4786,35 @@ interface(`fs_list_nfsd_fs',`
  ##	</summary>
  ## </param>
  #
@@ -20510,7 +20341,7 @@ index 8416beb43..2aa8d9ff4 100644
  ## </summary>
  ## <param name="type">
  ##	<summary>
-@@ -3291,12 +4784,12 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3291,12 +4822,12 @@ interface(`fs_rw_nfsd_fs',`
  ##	</summary>
  ## </param>
  #
@@ -20526,7 +20357,7 @@ index 8416beb43..2aa8d9ff4 100644
  ')
  
  ########################################
-@@ -3392,7 +4885,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +4923,7 @@ interface(`fs_search_ramfs',`
  
  ########################################
  ## <summary>
@@ -20535,7 +20366,7 @@ index 8416beb43..2aa8d9ff4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3429,7 +4922,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4960,7 @@ interface(`fs_manage_ramfs_dirs',`
  
  ########################################
  ## <summary>
@@ -20544,7 +20375,7 @@ index 8416beb43..2aa8d9ff4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3447,7 +4940,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4978,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
  
  ########################################
  ## <summary>
@@ -20553,7 +20384,7 @@ index 8416beb43..2aa8d9ff4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3779,6 +5272,24 @@ interface(`fs_mount_tmpfs',`
+@@ -3779,6 +5310,24 @@ interface(`fs_mount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -20578,7 +20409,7 @@ index 8416beb43..2aa8d9ff4 100644
  ##	Remount a tmpfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3815,6 +5326,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +5364,24 @@ interface(`fs_unmount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -20603,7 +20434,7 @@ index 8416beb43..2aa8d9ff4 100644
  ##	Get the attributes of a tmpfs
  ##	filesystem.
  ## </summary>
-@@ -3908,7 +5437,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3908,7 +5475,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
  
  ########################################
  ## <summary>
@@ -20612,7 +20443,7 @@ index 8416beb43..2aa8d9ff4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3916,17 +5445,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,17 +5483,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -20633,7 +20464,7 @@ index 8416beb43..2aa8d9ff4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3934,17 +5463,17 @@ interface(`fs_mounton_tmpfs',`
+@@ -3934,17 +5501,17 @@ interface(`fs_mounton_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -20654,7 +20485,7 @@ index 8416beb43..2aa8d9ff4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3952,17 +5481,36 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +5519,36 @@ interface(`fs_setattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -20694,7 +20525,7 @@ index 8416beb43..2aa8d9ff4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3970,31 +5518,48 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +5556,48 @@ interface(`fs_search_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -20750,7 +20581,7 @@ index 8416beb43..2aa8d9ff4 100644
  ')
  
  ########################################
-@@ -4057,23 +5622,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
+@@ -4057,23 +5660,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
  ## </param>
  ## <param name="name" optional="true">
  ##	<summary>
@@ -20927,7 +20758,7 @@ index 8416beb43..2aa8d9ff4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4081,18 +5793,18 @@ interface(`fs_tmpfs_filetrans',`
+@@ -4081,18 +5831,18 @@ interface(`fs_tmpfs_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -20950,7 +20781,7 @@ index 8416beb43..2aa8d9ff4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4100,54 +5812,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
+@@ -4100,54 +5850,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -21017,7 +20848,7 @@ index 8416beb43..2aa8d9ff4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4155,17 +5866,18 @@ interface(`fs_read_tmpfs_files',`
+@@ -4155,17 +5904,18 @@ interface(`fs_read_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -21039,7 +20870,7 @@ index 8416beb43..2aa8d9ff4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4173,17 +5885,18 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4173,17 +5923,18 @@ interface(`fs_rw_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -21061,7 +20892,7 @@ index 8416beb43..2aa8d9ff4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4191,37 +5904,36 @@ interface(`fs_read_tmpfs_symlinks',`
+@@ -4191,37 +5942,36 @@ interface(`fs_read_tmpfs_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -21107,7 +20938,7 @@ index 8416beb43..2aa8d9ff4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4229,18 +5941,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4229,18 +5979,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  ##	</summary>
  ## </param>
  #
@@ -21129,7 +20960,7 @@ index 8416beb43..2aa8d9ff4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4248,18 +5960,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
+@@ -4248,18 +5998,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
  ##	</summary>
  ## </param>
  #
@@ -21153,7 +20984,7 @@ index 8416beb43..2aa8d9ff4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4267,32 +5980,31 @@ interface(`fs_rw_tmpfs_blk_files',`
+@@ -4267,32 +6018,31 @@ interface(`fs_rw_tmpfs_blk_files',`
  ##	</summary>
  ## </param>
  #
@@ -21192,7 +21023,7 @@ index 8416beb43..2aa8d9ff4 100644
  ')
  
  ########################################
-@@ -4407,6 +6119,25 @@ interface(`fs_search_xenfs',`
+@@ -4407,6 +6157,25 @@ interface(`fs_search_xenfs',`
  	allow $1 xenfs_t:dir search_dir_perms;
  ')
  
@@ -21218,7 +21049,7 @@ index 8416beb43..2aa8d9ff4 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete directories
-@@ -4503,6 +6234,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +6272,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -21227,7 +21058,7 @@ index 8416beb43..2aa8d9ff4 100644
  ')
  
  ########################################
-@@ -4549,7 +6282,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +6320,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -21236,7 +21067,7 @@ index 8416beb43..2aa8d9ff4 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4596,6 +6329,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +6367,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
  
  ########################################
  ## <summary>
@@ -21263,7 +21094,7 @@ index 8416beb43..2aa8d9ff4 100644
  ##	Get the quotas of all filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4671,6 +6424,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +6462,25 @@ interface(`fs_getattr_all_dirs',`
  
  ########################################
  ## <summary>
@@ -21289,7 +21120,7 @@ index 8416beb43..2aa8d9ff4 100644
  ##	Search all directories with a filesystem type.
  ## </summary>
  ## <param name="domain">
-@@ -4912,3 +6684,176 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6722,176 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -36205,7 +36036,7 @@ index e4376aa98..2c98c5647 100644
 +	allow $1 getty_unit_file_t:service start;
 +')
 diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index f6743ea19..8c64a7e19 100644
+index f6743ea19..743d661ec 100644
 --- a/policy/modules/system/getty.te
 +++ b/policy/modules/system/getty.te
 @@ -27,13 +27,24 @@ files_tmp_file(getty_tmp_t)
@@ -36246,8 +36077,8 @@ index f6743ea19..8c64a7e19 100644
  term_setattr_all_ttys(getty_t)
  term_setattr_unallocated_ttys(getty_t)
  term_setattr_console(getty_t)
-+term_setattr_usb_ttys(getty_t)
 +term_use_console(getty_t)
++term_use_usb_ttys(getty_t)
  
  auth_rw_login_records(getty_t)
 +auth_use_nsswitch(getty_t)
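Review bot: `term_use_usb_ttys(getty_t)` replaces `term_setattr_usb_ttys(getty_t)` instead of being added next to it, so the explicit setattr grant on USB ttys is dropped while read/write use is introduced. Whether `term_setattr_all_ttys(getty_t)` in the context lines above still covers the USB tty type depends on how that type is declared, which this hunk does not show. If getty still changes the owner or mode of a USB serial line, keep both calls: `term_setattr_usb_ttys(getty_t)` followed by `term_use_usb_ttys(getty_t)`.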
@@ -38371,7 +38202,7 @@ index 79a45f62e..0244681f0 100644
 +')
 +
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda2480..09d9144cb 100644
+index 17eda2480..fecc37500 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -38583,7 +38414,7 @@ index 17eda2480..09d9144cb 100644
  
  domain_getpgid_all_domains(init_t)
  domain_kill_all_domains(init_t)
-@@ -139,45 +243,103 @@ domain_signal_all_domains(init_t)
+@@ -139,45 +243,105 @@ domain_signal_all_domains(init_t)
  domain_signull_all_domains(init_t)
  domain_sigstop_all_domains(init_t)
  domain_sigchld_all_domains(init_t)
@@ -38613,6 +38444,8 @@ index 17eda2480..09d9144cb 100644
  files_dontaudit_rw_root_files(init_t)
  files_dontaudit_rw_root_chr_files(init_t)
 +files_dontaudit_mounton_modules_object(init_t)
++files_manage_mnt_dirs(init_t)
++files_manage_mnt_files(init_t)
  
  fs_list_inotifyfs(init_t)
  # cjp: this may be related to /dev/log
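Review bot: `files_manage_mnt_dirs(init_t)` and `files_manage_mnt_files(init_t)` are added without a comment naming the unit or boot step that needs them. By their names they give init_t full management of mnt-labelled directories and files, although the interface bodies are not visible here. The same applies to the `raid_relabel_mdadm_var_run_content(init_t)` and `mount_rw_pid_files(init_t)` blocks added in later hunks of this file. Because init_t is the domain of PID 1, each new grant should carry a one-line reason above it, e.g. `# <unit or AVC denial that required this>`. If only directory creation under the mount point is needed, a narrower interface than the manage pair would be preferable.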
@@ -38680,12 +38513,12 @@ index 17eda2480..09d9144cb 100644
 +miscfiles_filetrans_named_content(init_t)
 +
 +udev_manage_rules_files(init_t)
- 
--miscfiles_read_localization(init_t)
++
 +userdom_use_user_ttys(init_t)
 +userdom_manage_tmp_dirs(init_t)
 +userdom_manage_tmp_sockets(init_t)
-+
+ 
+-miscfiles_read_localization(init_t)
 +userdom_transition_login_userdomain(init_t)
 +userdom_noatsecure_login_userdomain(init_t)
 +userdom_sigchld_login_userdomain(init_t)
@@ -38694,7 +38527,7 @@ index 17eda2480..09d9144cb 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +348,295 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +350,303 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -38788,9 +38621,14 @@ index 17eda2480..09d9144cb 100644
 +	postfix_list_spool(init_t)
 +	mta_read_config(init_t)
 +	mta_manage_aliases(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	auth_rw_login_records(init_t)
++	raid_relabel_mdadm_var_run_content(init_t)
+ ')
+ 
+ optional_policy(`
 +    systemd_allow_mount_dir(init_t)
 +')
 +
@@ -38953,14 +38791,13 @@ index 17eda2480..09d9144cb 100644
 +optional_policy(`
 +	lvm_rw_pipes(init_t)
 +	lvm_read_config(init_t)
- ')
- 
- optional_policy(`
--	auth_rw_login_records(init_t)
++')
++
++optional_policy(`
 +    lldpad_relabel_tmpfs(init_t)
- ')
- 
- optional_policy(`
++')
++
++optional_policy(`
 +	consolekit_manage_log(init_t)
 +')
 +
@@ -38983,23 +38820,27 @@ index 17eda2480..09d9144cb 100644
 +')
 +
 +optional_policy(`
-+	networkmanager_stream_connect(init_t)
-+	networkmanager_stream_connect(initrc_t)
++    mount_rw_pid_files(init_t)
 +')
 +
 +optional_policy(`
-+	plymouthd_stream_connect(init_t)
-+	plymouthd_exec_plymouth(init_t)
-+	plymouthd_filetrans_named_content(init_t)
++	networkmanager_stream_connect(init_t)
++	networkmanager_stream_connect(initrc_t)
  ')
  
  optional_policy(`
 -	nscd_use(init_t)
++	plymouthd_stream_connect(init_t)
++	plymouthd_exec_plymouth(init_t)
++	plymouthd_filetrans_named_content(init_t)
++')
++
++optional_policy(`
 +	ssh_getattr_server_keys(init_t)
  ')
  
  optional_policy(`
-@@ -216,7 +644,35 @@ optional_policy(`
+@@ -216,7 +654,35 @@ optional_policy(`
  ')
  
  optional_policy(`
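Review bot: The added `mount_rw_pid_files(init_t)` line is indented with four spaces, while the `networkmanager_stream_connect` and `plymouthd_*` lines in the same hunk use a tab. Indent it with a tab like its neighbours, `	mount_rw_pid_files(init_t)`, so the optional_policy blocks in this part of init.te stay uniform and later patch refreshes do not produce whitespace-only churn.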
@@ -39036,7 +38877,7 @@ index 17eda2480..09d9144cb 100644
  ')
  
  ########################################
-@@ -225,9 +681,9 @@ optional_policy(`
+@@ -225,9 +691,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -39048,7 +38889,7 @@ index 17eda2480..09d9144cb 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -258,12 +714,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +724,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -39065,7 +38906,7 @@ index 17eda2480..09d9144cb 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +739,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +749,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -39108,7 +38949,7 @@ index 17eda2480..09d9144cb 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +776,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +786,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -39120,7 +38961,7 @@ index 17eda2480..09d9144cb 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -313,8 +788,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +798,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -39131,7 +38972,7 @@ index 17eda2480..09d9144cb 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -322,8 +799,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +809,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -39141,7 +38982,7 @@ index 17eda2480..09d9144cb 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -332,7 +808,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +818,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -39149,7 +38990,7 @@ index 17eda2480..09d9144cb 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -340,6 +815,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +825,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -39157,7 +38998,7 @@ index 17eda2480..09d9144cb 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -347,14 +823,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +833,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -39175,7 +39016,7 @@ index 17eda2480..09d9144cb 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -364,8 +841,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +851,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -39189,7 +39030,7 @@ index 17eda2480..09d9144cb 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -375,10 +856,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +866,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -39203,7 +39044,7 @@ index 17eda2480..09d9144cb 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -387,8 +869,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +879,10 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -39214,7 +39055,7 @@ index 17eda2480..09d9144cb 100644
  
  storage_getattr_fixed_disk_dev(initrc_t)
  storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +882,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +892,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -39222,7 +39063,7 @@ index 17eda2480..09d9144cb 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -416,20 +901,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +911,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -39246,7 +39087,7 @@ index 17eda2480..09d9144cb 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +934,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +944,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -39254,7 +39095,7 @@ index 17eda2480..09d9144cb 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +968,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +978,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -39265,7 +39106,7 @@ index 17eda2480..09d9144cb 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -506,7 +992,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +1002,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -39274,7 +39115,7 @@ index 17eda2480..09d9144cb 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -521,6 +1007,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +1017,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -39282,7 +39123,7 @@ index 17eda2480..09d9144cb 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +1028,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +1038,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -39290,7 +39131,7 @@ index 17eda2480..09d9144cb 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +1038,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +1048,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -39335,7 +39176,7 @@ index 17eda2480..09d9144cb 100644
  	')
  
  	optional_policy(`
-@@ -559,14 +1083,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1093,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -39367,7 +39208,7 @@ index 17eda2480..09d9144cb 100644
  	')
  ')
  
-@@ -577,6 +1118,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1128,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -39407,7 +39248,7 @@ index 17eda2480..09d9144cb 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1163,8 @@ optional_policy(`
+@@ -589,6 +1173,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -39416,7 +39257,7 @@ index 17eda2480..09d9144cb 100644
  ')
  
  optional_policy(`
-@@ -610,6 +1186,7 @@ optional_policy(`
+@@ -610,6 +1196,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -39424,7 +39265,7 @@ index 17eda2480..09d9144cb 100644
  ')
  
  optional_policy(`
-@@ -626,6 +1203,17 @@ optional_policy(`
+@@ -626,6 +1213,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39442,7 +39283,7 @@ index 17eda2480..09d9144cb 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -642,9 +1230,13 @@ optional_policy(`
+@@ -642,9 +1240,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -39456,7 +39297,7 @@ index 17eda2480..09d9144cb 100644
  	')
  
  	optional_policy(`
-@@ -657,15 +1249,11 @@ optional_policy(`
+@@ -657,15 +1259,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39474,7 +39315,7 @@ index 17eda2480..09d9144cb 100644
  ')
  
  optional_policy(`
-@@ -686,6 +1274,15 @@ optional_policy(`
+@@ -686,6 +1284,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39490,7 +39331,7 @@ index 17eda2480..09d9144cb 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -726,6 +1323,7 @@ optional_policy(`
+@@ -726,6 +1333,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -39498,7 +39339,7 @@ index 17eda2480..09d9144cb 100644
  ')
  
  optional_policy(`
-@@ -743,7 +1341,13 @@ optional_policy(`
+@@ -743,7 +1351,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39513,7 +39354,7 @@ index 17eda2480..09d9144cb 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -766,6 +1370,10 @@ optional_policy(`
+@@ -766,6 +1380,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39524,7 +39365,7 @@ index 17eda2480..09d9144cb 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -775,10 +1383,20 @@ optional_policy(`
+@@ -775,10 +1393,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39545,7 +39386,7 @@ index 17eda2480..09d9144cb 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -787,6 +1405,10 @@ optional_policy(`
+@@ -787,6 +1415,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39556,7 +39397,7 @@ index 17eda2480..09d9144cb 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -808,8 +1430,6 @@ optional_policy(`
+@@ -808,8 +1440,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -39565,7 +39406,7 @@ index 17eda2480..09d9144cb 100644
  ')
  
  optional_policy(`
-@@ -818,6 +1438,10 @@ optional_policy(`
+@@ -818,6 +1448,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39576,7 +39417,7 @@ index 17eda2480..09d9144cb 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -827,10 +1451,12 @@ optional_policy(`
+@@ -827,10 +1461,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -39589,7 +39430,7 @@ index 17eda2480..09d9144cb 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1483,62 @@ optional_policy(`
+@@ -857,21 +1493,62 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39653,7 +39494,7 @@ index 17eda2480..09d9144cb 100644
  ')
  
  optional_policy(`
-@@ -887,6 +1554,10 @@ optional_policy(`
+@@ -887,6 +1564,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39664,7 +39505,7 @@ index 17eda2480..09d9144cb 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -897,3 +1568,218 @@ optional_policy(`
+@@ -897,3 +1578,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -40188,7 +40029,7 @@ index 0d4c8d35e..537aa4274 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 312cd0417..27a5d0650 100644
+index 312cd0417..07a92cc93 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -40201,7 +40042,7 @@ index 312cd0417..27a5d0650 100644
  type ipsec_mgmt_lock_t;
  files_lock_file(ipsec_mgmt_lock_t)
  
-@@ -67,29 +70,43 @@ type setkey_exec_t;
+@@ -67,29 +70,44 @@ type setkey_exec_t;
  init_system_domain(setkey_t, setkey_exec_t)
  role system_r types setkey_t;
  
@@ -40244,13 +40085,14 @@ index 312cd0417..27a5d0650 100644
 -manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
  read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
 +manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
++allow ipsec_t ipsec_key_file_t:file map;
 +
 +manage_files_pattern(ipsec_t, ipsec_log_t, ipsec_log_t)
 +logging_log_filetrans(ipsec_t, ipsec_log_t, file, "pluto.log")
  
  manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
  manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
-@@ -101,6 +118,7 @@ manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
+@@ -101,6 +119,7 @@ manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
  files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file })
  
  can_exec(ipsec_t, ipsec_mgmt_exec_t)
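Review bot: `allow ipsec_t ipsec_key_file_t:file map;` is added with no comment saying which code path maps these files, and it applies to the type that holds the IPsec key material. The logging.te hunk adds the same undocumented rule form, `allow syslogd_t syslogd_var_lib_t:file map;`. I would put a one-line reason above each rule, e.g. `# <component> mmap()s files of this type (AVC: <denial reference>)`, so a later audit can tell a required mapping from a rule added only to silence a denial. The ipsec_t rule block continues outside this hunk on both sides.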
@@ -40258,7 +40100,7 @@ index 312cd0417..27a5d0650 100644
  
  # pluto runs an updown script (by calling popen()!) as this is by default
  # a shell script, we need to find a way to make things work without
-@@ -110,10 +128,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
+@@ -110,10 +129,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
  allow ipsec_mgmt_t ipsec_t:fd use;
  allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
  allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
@@ -40271,7 +40113,7 @@ index 312cd0417..27a5d0650 100644
  kernel_list_proc(ipsec_t)
  kernel_read_proc_symlinks(ipsec_t)
  # allow pluto to access /proc/net/ipsec_eroute;
-@@ -128,20 +146,24 @@ corecmd_exec_shell(ipsec_t)
+@@ -128,20 +147,24 @@ corecmd_exec_shell(ipsec_t)
  corecmd_exec_bin(ipsec_t)
  
  # Pluto needs network access
@@ -40303,7 +40145,7 @@ index 312cd0417..27a5d0650 100644
  
  dev_read_sysfs(ipsec_t)
  dev_read_rand(ipsec_t)
-@@ -157,22 +179,32 @@ files_dontaudit_search_home(ipsec_t)
+@@ -157,22 +180,32 @@ files_dontaudit_search_home(ipsec_t)
  fs_getattr_all_fs(ipsec_t)
  fs_search_auto_mountpoints(ipsec_t)
  
@@ -40338,7 +40180,7 @@ index 312cd0417..27a5d0650 100644
  
  optional_policy(`
  	seutil_sigchld_newrole(ipsec_t)
-@@ -182,19 +214,30 @@ optional_policy(`
+@@ -182,19 +215,30 @@ optional_policy(`
  	udev_read_db(ipsec_t)
  ')
  
@@ -40373,7 +40215,7 @@ index 312cd0417..27a5d0650 100644
  
  allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
  files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
-@@ -208,12 +251,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+@@ -208,12 +252,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
  
  allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
  files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@@ -40389,7 +40231,7 @@ index 312cd0417..27a5d0650 100644
  
  # _realsetup needs to be able to cat /var/run/pluto.pid,
  # run ps on that pid, and delete the file
-@@ -246,6 +291,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +292,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
  kernel_getattr_core_if(ipsec_mgmt_t)
  kernel_getattr_message_if(ipsec_mgmt_t)
  
@@ -40406,7 +40248,7 @@ index 312cd0417..27a5d0650 100644
  files_read_kernel_symbol_table(ipsec_mgmt_t)
  files_getattr_kernel_modules(ipsec_mgmt_t)
  
-@@ -255,6 +310,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +311,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
  corecmd_exec_bin(ipsec_mgmt_t)
  corecmd_exec_shell(ipsec_mgmt_t)
  
@@ -40415,7 +40257,7 @@ index 312cd0417..27a5d0650 100644
  dev_read_rand(ipsec_mgmt_t)
  dev_read_urand(ipsec_mgmt_t)
  
-@@ -269,6 +326,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+@@ -269,6 +327,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
  files_read_etc_files(ipsec_mgmt_t)
  files_exec_etc_files(ipsec_mgmt_t)
  files_read_etc_runtime_files(ipsec_mgmt_t)
@@ -40423,7 +40265,7 @@ index 312cd0417..27a5d0650 100644
  files_read_usr_files(ipsec_mgmt_t)
  files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
  files_dontaudit_getattr_default_files(ipsec_mgmt_t)
-@@ -278,9 +336,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +337,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
  fs_list_tmpfs(ipsec_mgmt_t)
  
  term_use_console(ipsec_mgmt_t)
@@ -40435,7 +40277,7 @@ index 312cd0417..27a5d0650 100644
  
  init_read_utmp(ipsec_mgmt_t)
  init_use_script_ptys(ipsec_mgmt_t)
-@@ -288,17 +347,28 @@ init_exec_script_files(ipsec_mgmt_t)
+@@ -288,17 +348,28 @@ init_exec_script_files(ipsec_mgmt_t)
  init_use_fds(ipsec_mgmt_t)
  init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
  
@@ -40469,7 +40311,7 @@ index 312cd0417..27a5d0650 100644
  
  optional_policy(`
  	consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +392,10 @@ optional_policy(`
+@@ -322,6 +393,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40480,7 +40322,7 @@ index 312cd0417..27a5d0650 100644
  	modutils_domtrans_insmod(ipsec_mgmt_t)
  ')
  
-@@ -335,7 +409,7 @@ optional_policy(`
+@@ -335,7 +410,7 @@ optional_policy(`
  #
  
  allow racoon_t self:capability { net_admin net_bind_service };
@@ -40489,7 +40331,7 @@ index 312cd0417..27a5d0650 100644
  allow racoon_t self:unix_dgram_socket { connect create ioctl write };
  allow racoon_t self:netlink_selinux_socket { bind create read };
  allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +444,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +445,12 @@ kernel_request_load_module(racoon_t)
  corecmd_exec_shell(racoon_t)
  corecmd_exec_bin(racoon_t)
  
@@ -40509,7 +40351,7 @@ index 312cd0417..27a5d0650 100644
  corenet_udp_bind_isakmp_port(racoon_t)
  corenet_udp_bind_ipsecnat_port(racoon_t)
  
-@@ -401,10 +474,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +475,10 @@ locallogin_use_fds(racoon_t)
  logging_send_syslog_msg(racoon_t)
  logging_send_audit_msgs(racoon_t)
  
@@ -40522,7 +40364,7 @@ index 312cd0417..27a5d0650 100644
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +511,8 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +512,8 @@ corenet_setcontext_all_spds(setkey_t)
  
  locallogin_use_fds(setkey_t)
  
@@ -42680,7 +42522,7 @@ index 4e9488463..2db173f77 100644
 +')
 +
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1a2..6ae1e2663 100644
+index 59b04c1a2..e9545b961 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1)
@@ -42974,7 +42816,7 @@ index 59b04c1a2..6ae1e2663 100644
  rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
  files_search_spool(syslogd_t)
  
-@@ -389,30 +457,48 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -389,30 +457,49 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
  
@@ -42984,6 +42826,7 @@ index 59b04c1a2..6ae1e2663 100644
 +
 +manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
  manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
++allow syslogd_t syslogd_var_lib_t:file map;
  files_search_var_lib(syslogd_t)
  
 -# manage pid file
@@ -43026,7 +42869,7 @@ index 59b04c1a2..6ae1e2663 100644
  # syslog-ng can listen and connect on tcp port 514 (rsh)
  corenet_tcp_sendrecv_generic_if(syslogd_t)
  corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -422,6 +508,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -422,6 +509,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
  corenet_tcp_connect_rsh_port(syslogd_t)
  # Allow users to define additional syslog ports to connect to
  corenet_tcp_bind_syslogd_port(syslogd_t)
@@ -43035,7 +42878,7 @@ index 59b04c1a2..6ae1e2663 100644
  corenet_tcp_connect_syslogd_port(syslogd_t)
  corenet_tcp_connect_postgresql_port(syslogd_t)
  corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -432,9 +520,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -432,9 +521,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
  corenet_sendrecv_postgresql_client_packets(syslogd_t)
  corenet_sendrecv_mysqld_client_packets(syslogd_t)
  
@@ -43069,7 +42912,7 @@ index 59b04c1a2..6ae1e2663 100644
  domain_use_interactive_fds(syslogd_t)
  
  files_read_etc_files(syslogd_t)
-@@ -448,13 +559,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+@@ -448,13 +560,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
  
  fs_getattr_all_fs(syslogd_t)
  fs_search_auto_mountpoints(syslogd_t)
@@ -43087,7 +42930,7 @@ index 59b04c1a2..6ae1e2663 100644
  # for sending messages to logged in users
  init_read_utmp(syslogd_t)
  init_dontaudit_write_utmp(syslogd_t)
-@@ -466,11 +581,12 @@ init_use_fds(syslogd_t)
+@@ -466,11 +582,12 @@ init_use_fds(syslogd_t)
  
  # cjp: this doesnt make sense
  logging_send_syslog_msg(syslogd_t)
@@ -43103,7 +42946,7 @@ index 59b04c1a2..6ae1e2663 100644
  
  ifdef(`distro_gentoo',`
  	# default gentoo syslog-ng config appends kernel
-@@ -497,6 +613,7 @@ optional_policy(`
+@@ -497,6 +614,7 @@ optional_policy(`
  optional_policy(`
  	cron_manage_log_files(syslogd_t)
  	cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
@@ -43111,7 +42954,7 @@ index 59b04c1a2..6ae1e2663 100644
  ')
  
  optional_policy(`
-@@ -507,15 +624,44 @@ optional_policy(`
+@@ -507,15 +625,44 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43156,7 +42999,7 @@ index 59b04c1a2..6ae1e2663 100644
  ')
  
  optional_policy(`
-@@ -526,3 +672,29 @@ optional_policy(`
+@@ -526,3 +673,29 @@ optional_policy(`
  	# log to the xconsole
  	xserver_rw_console(syslogd_t)
  ')
@@ -48771,10 +48614,10 @@ index 000000000..121b42208
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 000000000..5871e072d
+index 000000000..dc06d3b3f
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1880 @@
+@@ -0,0 +1,1898 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@@ -49377,6 +49220,24 @@ index 000000000..5871e072d
 +
 +########################################
 +## <summary>
++##	Execute a domain transition to run systemd_rfkill.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_rfkill_domtrans',`
++	gen_require(`
++		type systemd_rfkill_t, systemd_rfkill_exec_t;
++	')
++
++	domtrans_pattern($1, systemd_rfkill_exec_t, systemd_rfkill_t)
++')
++
++########################################
++## <summary>
 +##	Execute a domain transition to run systemd_notify.
 +## </summary>
 +## <param name="domain">
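Review bot: The doc header of the new `systemd_rfkill_domtrans` interface departs from the layout used by interface headers elsewhere in this patch (mta.if, for example). The `<summary>` lines inside `<param>` are not tab-indented, and the parameter is described as "Domain allowed access." although the interface grants a domain transition. I would write the param block as `##	<summary>` / `##	Domain allowed to transition.` / `##	</summary>`. The interface body itself is complete within the hunk.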
@@ -50657,10 +50518,10 @@ index 000000000..5871e072d
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 000000000..bb880db4a
+index 000000000..598ce3fca
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,1040 @@
+@@ -0,0 +1,1041 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -50708,6 +50569,7 @@ index 000000000..bb880db4a
 +systemd_unit_file(systemd_hwdb_unit_file_t)
 +
 +systemd_domain_template(systemd_networkd)
++init_nnp_daemon_domain(systemd_networkd_t)
 +
 +type systemd_networkd_unit_file_t;
 +systemd_unit_file(systemd_networkd_unit_file_t)
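Review bot: `init_nnp_daemon_domain(systemd_networkd_t)` is added without a comment explaining why the domain must be reachable when the service runs with no_new_privs. The same one-line addition is made for `antivirus_t` in antivirus.te and `memcached_t` in memcached.te. The interface definition is not visible here, but by its name it presumably lets init transition into the domain under NoNewPrivileges, which relaxes a hardening boundary and deserves a stated reason per domain. Suggested comment above each call: `# unit sets NoNewPrivileges=yes; allow the transition from init under nnp (TODO: confirm against the unit file)`.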
@@ -58290,7 +58152,7 @@ index 9dc60c6c0..562afbe9a 100644
 +	')
  ')
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index f4ac38dc7..e4733e828 100644
+index f4ac38dc7..f3819687f 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
@@ -58379,7 +58241,7 @@ index f4ac38dc7..e4733e828 100644
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
  files_type(user_home_dir_t)
-@@ -70,26 +83,396 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,397 @@ ubac_constrained(user_home_dir_t)
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -58521,6 +58383,7 @@ index f4ac38dc7..e4733e828 100644
 +    fs_manage_nfs_dirs(userdom_home_manager_type)
 +    fs_manage_nfs_files(userdom_home_manager_type)
 +    fs_manage_nfs_symlinks(userdom_home_manager_type)
++    fs_mmap_nfs_files(userdom_home_manager_type)
 +')
 +
 +tunable_policy(`use_samba_home_dirs',`
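Review bot: `fs_mmap_nfs_files(userdom_home_manager_type)` is added only to the NFS branch; the `use_samba_home_dirs` block that opens on the last line of the hunk is not touched by this commit. If home managers need `map` on NFS-hosted home content they will presumably need it on CIFS-hosted content too, so either add the CIFS counterpart there or note why NFS is special. The opening of the NFS `tunable_policy` block and the body of the samba block are outside the hunk, so this may already be handled there.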
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index b4a2b26..de01743 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -589,7 +589,7 @@ index 058d908e4..ee0c55969 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f070f..4a8367de4 100644
+index eb50f070f..c23bb4b86 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -806,7 +806,7 @@ index eb50f070f..4a8367de4 100644
  
  domain_getattr_all_domains(abrt_t)
  domain_read_all_domains_state(abrt_t)
-@@ -176,29 +199,44 @@ files_getattr_all_files(abrt_t)
+@@ -176,29 +199,46 @@ files_getattr_all_files(abrt_t)
  files_read_config_files(abrt_t)
  files_read_etc_runtime_files(abrt_t)
  files_read_var_symlinks(abrt_t)
@@ -826,6 +826,7 @@ index eb50f070f..4a8367de4 100644
  fs_getattr_all_dirs(abrt_t)
 -fs_list_inotifyfs(abrt_t)
  fs_read_fusefs_files(abrt_t)
++fs_mmap_fusefs_files(abrt_t)
  fs_read_noxattr_fs_files(abrt_t)
  fs_read_nfs_files(abrt_t)
  fs_read_nfs_symlinks(abrt_t)
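Review bot: `fs_mmap_fusefs_files(abrt_t)` gives abrt `map` on FUSE files only, while the neighbouring lines also let it read files on NFS and on filesystems without xattr support (`fs_read_nfs_files`, `fs_read_noxattr_fs_files`). If the mapping is needed whenever abrt reads such files, the same access will presumably still be denied on those filesystems. If it is needed for FUSE only, a short comment such as `# abrt mmaps files it reads from FUSE mounts (TODO: cite the denial)` would record that. The rest of the abrt_t rules lie outside the hunk.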
@@ -836,6 +837,7 @@ index eb50f070f..4a8367de4 100644
 +storage_dontaudit_read_fixed_disk(abrt_t)
  
  logging_read_generic_logs(abrt_t)
++logging_mmap_journal(abrt_t)
 +logging_send_syslog_msg(abrt_t)
 +logging_stream_connect_syslog(abrt_t)
 +logging_read_syslog_pid(abrt_t)
@@ -854,7 +856,7 @@ index eb50f070f..4a8367de4 100644
  
  tunable_policy(`abrt_anon_write',`
  	miscfiles_manage_public_files(abrt_t)
-@@ -206,15 +244,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -206,15 +246,11 @@ tunable_policy(`abrt_anon_write',`
  
  optional_policy(`
  	apache_list_modules(abrt_t)
@@ -871,7 +873,7 @@ index eb50f070f..4a8367de4 100644
  ')
  
  optional_policy(`
-@@ -222,6 +256,37 @@ optional_policy(`
+@@ -222,6 +258,37 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -909,7 +911,7 @@ index eb50f070f..4a8367de4 100644
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
  	policykit_read_reload(abrt_t)
-@@ -234,18 +299,25 @@ optional_policy(`
+@@ -234,18 +301,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -938,7 +940,7 @@ index eb50f070f..4a8367de4 100644
  
  optional_policy(`
  	sosreport_domtrans(abrt_t)
-@@ -253,9 +325,21 @@ optional_policy(`
+@@ -253,9 +327,21 @@ optional_policy(`
  	sosreport_delete_tmp_files(abrt_t)
  ')
  
@@ -961,7 +963,7 @@ index eb50f070f..4a8367de4 100644
  #
  
  allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +350,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +352,13 @@ tunable_policy(`abrt_handle_event',`
  	can_exec(abrt_t, abrt_handle_event_exec_t)
  ')
  
@@ -976,7 +978,7 @@ index eb50f070f..4a8367de4 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +369,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +371,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -984,7 +986,7 @@ index eb50f070f..4a8367de4 100644
  
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +378,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +380,20 @@ corecmd_read_all_executables(abrt_helper_t)
  
  domain_read_all_domains_state(abrt_helper_t)
  
@@ -1005,7 +1007,7 @@ index eb50f070f..4a8367de4 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +399,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +401,25 @@ ifdef(`hide_broken_symptoms',`
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -1032,7 +1034,7 @@ index eb50f070f..4a8367de4 100644
  #
  
  allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +435,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +437,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
  
  dev_read_urand(abrt_retrace_coredump_t)
  
@@ -1046,7 +1048,7 @@ index eb50f070f..4a8367de4 100644
  optional_policy(`
  	rpm_exec(abrt_retrace_coredump_t)
  	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +453,11 @@ optional_policy(`
+@@ -343,10 +455,11 @@ optional_policy(`
  
  #######################################
  #
@@ -1060,7 +1062,7 @@ index eb50f070f..4a8367de4 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +476,90 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +478,90 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -1155,7 +1157,7 @@ index eb50f070f..4a8367de4 100644
  
  #######################################
  #
-@@ -404,25 +567,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +569,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
  #
  
  allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1218,7 +1220,7 @@ index eb50f070f..4a8367de4 100644
  ')
  
  #######################################
-@@ -430,10 +628,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +630,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
  # Global local policy
  #
  
@@ -3300,10 +3302,10 @@ index 000000000..36251b926
 +')
 diff --git a/antivirus.te b/antivirus.te
 new file mode 100644
-index 000000000..28cdddda9
+index 000000000..547ee89dd
 --- /dev/null
 +++ b/antivirus.te
-@@ -0,0 +1,274 @@
+@@ -0,0 +1,275 @@
 +policy_module(antivirus, 1.0.0)
 +
 +########################################
@@ -3333,6 +3335,7 @@ index 000000000..28cdddda9
 +typealias antivirus_t alias { amavis_t clamd_t clamscan_t freshclam_t } ;
 +typealias antivirus_exec_t alias { amavis_exec_t clamd_exec_t clamscan_exec_t freshclam_exec_t };
 +init_daemon_domain(antivirus_t, antivirus_exec_t)
++init_nnp_daemon_domain(antivirus_t)
 +
 +type antivirus_initrc_exec_t;
 +typealias antivirus_initrc_exec_t alias { clamd_initrc_exec_t amavis_initrc_exec_t };
@@ -5631,7 +5634,7 @@ index f6eb4851f..3628a384f 100644
 +    allow $1 httpd_t:process { noatsecure };
  ')
 diff --git a/apache.te b/apache.te
-index 6649962b6..0a7b49bbb 100644
+index 6649962b6..b7ac74501 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@@ -7890,7 +7893,7 @@ index 6649962b6..0a7b49bbb 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1681,109 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1681,110 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -7989,6 +7992,7 @@ index 6649962b6..0a7b49bbb 100644
 +')
 +
 +read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
++allow httpd_t httpd_content_type:file map;
 +
 +tunable_policy(`httpd_builtin_scripting',`
 +	allow httpd_t httpd_content_type:dir search_dir_perms;
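Review bot: `allow httpd_t httpd_content_type:file map;` grants `map` unconditionally on every type carrying the `httpd_content_type` attribute, with no comment on why the whole attribute is needed. Whether that attribute also covers content httpd may write is not visible in this hunk. If it does, the rule permits shared writable mappings of that content, so it is worth confirming that the read-only content types would not be enough. At minimum, state the reason above the rule, e.g. `# httpd maps content files it serves (TODO: cite the denial)`.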
@@ -21744,7 +21748,7 @@ index 3023be7f6..5afde8039 100644
 +	files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
  ')
 diff --git a/cups.te b/cups.te
-index c91813ccb..0ea3e3d6a 100644
+index c91813ccb..dd52ab6ad 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
@@ -22021,7 +22025,7 @@ index c91813ccb..0ea3e3d6a 100644
  
  selinux_compute_access_vector(cupsd_t)
  selinux_validate_context(cupsd_t)
-@@ -244,23 +289,31 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -244,23 +289,33 @@ auth_dontaudit_read_pam_pid(cupsd_t)
  auth_rw_faillog(cupsd_t)
  auth_use_nsswitch(cupsd_t)
  
@@ -22038,7 +22042,8 @@ index c91813ccb..0ea3e3d6a 100644
 -miscfiles_read_localization(cupsd_t)
 -miscfiles_read_fonts(cupsd_t)
 -miscfiles_setattr_fonts_cache_dirs(cupsd_t)
--
++miscfiles_legacy_read_localization(cupsd_t)
+ 
  seutil_read_config(cupsd_t)
  
  sysnet_exec_ifconfig(cupsd_t)
@@ -22058,7 +22063,7 @@ index c91813ccb..0ea3e3d6a 100644
  optional_policy(`
  	apm_domtrans_client(cupsd_t)
  ')
-@@ -272,6 +325,8 @@ optional_policy(`
+@@ -272,6 +327,8 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(cupsd_t)
  
@@ -22067,7 +22072,7 @@ index c91813ccb..0ea3e3d6a 100644
  	userdom_dbus_send_all_users(cupsd_t)
  
  	optional_policy(`
-@@ -279,11 +334,17 @@ optional_policy(`
+@@ -279,11 +336,17 @@ optional_policy(`
  	')
  
  	optional_policy(`
@@ -22085,7 +22090,7 @@ index c91813ccb..0ea3e3d6a 100644
  	')
  ')
  
-@@ -296,8 +357,8 @@ optional_policy(`
+@@ -296,8 +359,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22095,7 +22100,7 @@ index c91813ccb..0ea3e3d6a 100644
  ')
  
  optional_policy(`
-@@ -306,7 +367,6 @@ optional_policy(`
+@@ -306,7 +369,6 @@ optional_policy(`
  
  optional_policy(`
  	lpd_exec_lpr(cupsd_t)
@@ -22103,7 +22108,7 @@ index c91813ccb..0ea3e3d6a 100644
  	lpd_read_config(cupsd_t)
  	lpd_relabel_spool(cupsd_t)
  ')
-@@ -316,6 +376,10 @@ optional_policy(`
+@@ -316,6 +378,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22114,7 +22119,7 @@ index c91813ccb..0ea3e3d6a 100644
  	samba_read_config(cupsd_t)
  	samba_rw_var_files(cupsd_t)
  	samba_stream_connect_nmbd(cupsd_t)
-@@ -326,7 +390,7 @@ optional_policy(`
+@@ -326,7 +392,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22123,7 +22128,7 @@ index c91813ccb..0ea3e3d6a 100644
  ')
  
  optional_policy(`
-@@ -334,7 +398,11 @@ optional_policy(`
+@@ -334,7 +400,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22136,7 +22141,7 @@ index c91813ccb..0ea3e3d6a 100644
  ')
  
  ########################################
-@@ -342,12 +410,11 @@ optional_policy(`
+@@ -342,12 +412,11 @@ optional_policy(`
  # Configuration daemon local policy
  #
  
@@ -22152,7 +22157,7 @@ index c91813ccb..0ea3e3d6a 100644
  allow cupsd_config_t cupsd_t:process signal;
  ps_process_pattern(cupsd_config_t, cupsd_t)
  
-@@ -367,23 +434,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
+@@ -367,23 +436,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
  files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
  
  allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
@@ -22180,7 +22185,7 @@ index c91813ccb..0ea3e3d6a 100644
  corenet_all_recvfrom_netlabel(cupsd_config_t)
  corenet_tcp_sendrecv_generic_if(cupsd_config_t)
  corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -392,20 +459,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -392,20 +461,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
  corenet_sendrecv_all_client_packets(cupsd_config_t)
  corenet_tcp_connect_all_ports(cupsd_config_t)
  
@@ -22201,7 +22206,7 @@ index c91813ccb..0ea3e3d6a 100644
  fs_search_auto_mountpoints(cupsd_config_t)
  
  domain_use_interactive_fds(cupsd_config_t)
-@@ -417,17 +476,16 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -417,17 +478,16 @@ auth_use_nsswitch(cupsd_config_t)
  
  logging_send_syslog_msg(cupsd_config_t)
  
@@ -22223,7 +22228,7 @@ index c91813ccb..0ea3e3d6a 100644
  optional_policy(`
  	term_use_generic_ptys(cupsd_config_t)
  ')
-@@ -449,9 +507,12 @@ optional_policy(`
+@@ -449,9 +509,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22237,7 +22242,7 @@ index c91813ccb..0ea3e3d6a 100644
  ')
  
  optional_policy(`
-@@ -467,6 +528,10 @@ optional_policy(`
+@@ -467,6 +530,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22248,7 +22253,7 @@ index c91813ccb..0ea3e3d6a 100644
  	rpm_read_db(cupsd_config_t)
  ')
  
-@@ -487,10 +552,6 @@ optional_policy(`
+@@ -487,10 +554,6 @@ optional_policy(`
  # Lpd local policy
  #
  
@@ -22259,7 +22264,7 @@ index c91813ccb..0ea3e3d6a 100644
  allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
  
  allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -508,15 +569,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -508,15 +571,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
  
  kernel_read_kernel_sysctls(cupsd_lpd_t)
  kernel_read_system_state(cupsd_lpd_t)
@@ -22277,7 +22282,7 @@ index c91813ccb..0ea3e3d6a 100644
  corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
  
  corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
-@@ -537,9 +598,6 @@ auth_use_nsswitch(cupsd_lpd_t)
+@@ -537,9 +600,6 @@ auth_use_nsswitch(cupsd_lpd_t)
  
  logging_send_syslog_msg(cupsd_lpd_t)
  
@@ -22287,7 +22292,7 @@ index c91813ccb..0ea3e3d6a 100644
  optional_policy(`
  	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
  ')
-@@ -549,9 +607,9 @@ optional_policy(`
+@@ -549,9 +609,9 @@ optional_policy(`
  # Pdf local policy
  #
  
@@ -22299,7 +22304,7 @@ index c91813ccb..0ea3e3d6a 100644
  
  append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
  create_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -566,148 +624,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -566,148 +626,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
  
  kernel_read_system_state(cups_pdf_t)
  
@@ -22328,11 +22333,13 @@ index c91813ccb..0ea3e3d6a 100644
 -	fs_manage_cifs_dirs(cups_pdf_t)
 -	fs_manage_cifs_files(cups_pdf_t)
 -')
--
--optional_policy(`
++userdom_home_manager(cups_pdf_t)
+ 
+ optional_policy(`
 -	lpd_manage_spool(cups_pdf_t)
--')
--
++	gnome_read_config(cups_pdf_t)
+ ')
+ 
 -########################################
 -#
 -# HPLIP local policy
@@ -22434,13 +22441,11 @@ index c91813ccb..0ea3e3d6a 100644
 -	lpd_read_config(hplip_t)
 -	lpd_manage_spool(hplip_t)
 -')
-+userdom_home_manager(cups_pdf_t)
- 
- optional_policy(`
+-
+-optional_policy(`
 -	seutil_sigchld_newrole(hplip_t)
-+	gnome_read_config(cups_pdf_t)
- ')
- 
+-')
+-
 -optional_policy(`
 -	snmp_read_snmp_var_lib_files(hplip_t)
 -')
@@ -22451,7 +22456,7 @@ index c91813ccb..0ea3e3d6a 100644
  
  ########################################
  #
-@@ -735,7 +668,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -735,7 +670,6 @@ kernel_read_kernel_sysctls(ptal_t)
  kernel_list_proc(ptal_t)
  kernel_read_proc_symlinks(ptal_t)
  
@@ -22459,7 +22464,7 @@ index c91813ccb..0ea3e3d6a 100644
  corenet_all_recvfrom_netlabel(ptal_t)
  corenet_tcp_sendrecv_generic_if(ptal_t)
  corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -745,13 +677,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -745,13 +679,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
  corenet_tcp_bind_ptal_port(ptal_t)
  corenet_tcp_sendrecv_ptal_port(ptal_t)
  
@@ -22473,7 +22478,7 @@ index c91813ccb..0ea3e3d6a 100644
  files_read_etc_runtime_files(ptal_t)
  
  fs_getattr_all_fs(ptal_t)
-@@ -759,8 +689,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -759,8 +691,6 @@ fs_search_auto_mountpoints(ptal_t)
  
  logging_send_syslog_msg(ptal_t)
  
@@ -22482,7 +22487,7 @@ index c91813ccb..0ea3e3d6a 100644
  sysnet_read_config(ptal_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -773,3 +701,4 @@ optional_policy(`
+@@ -773,3 +703,4 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ptal_t)
  ')
@@ -27568,7 +27573,7 @@ index d5badb755..c2431fc73 100644
 +	admin_pattern($1, dovecot_passwd_t)
  ')
 diff --git a/dovecot.te b/dovecot.te
-index 0aabc7e66..958d6c8df 100644
+index 0aabc7e66..6786b1a40 100644
 --- a/dovecot.te
 +++ b/dovecot.te
 @@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1)
@@ -27760,7 +27765,7 @@ index 0aabc7e66..958d6c8df 100644
  
  init_getattr_utmp(dovecot_t)
  
-@@ -171,45 +170,44 @@ auth_use_nsswitch(dovecot_t)
+@@ -171,45 +170,45 @@ auth_use_nsswitch(dovecot_t)
  
  miscfiles_read_generic_certs(dovecot_t)
  
@@ -27788,6 +27793,7 @@ index 0aabc7e66..958d6c8df 100644
 -	fs_manage_cifs_symlinks(dovecot_t)
 +optional_policy(`
 +	mta_manage_home_rw(dovecot_t)
++    mta_mmap_home_rw(dovecot_t)
 +	mta_manage_spool(dovecot_t)
  ')
  
@@ -27824,7 +27830,7 @@ index 0aabc7e66..958d6c8df 100644
  	sendmail_domtrans(dovecot_t)
  ')
  
-@@ -227,49 +225,73 @@ optional_policy(`
+@@ -227,49 +226,73 @@ optional_policy(`
  
  ########################################
  #
@@ -27908,7 +27914,7 @@ index 0aabc7e66..958d6c8df 100644
  ')
  
  optional_policy(`
-@@ -277,53 +299,79 @@ optional_policy(`
+@@ -277,53 +300,79 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28007,7 +28013,7 @@ index 0aabc7e66..958d6c8df 100644
  	mta_read_queue(dovecot_deliver_t)
  ')
  
-@@ -332,5 +380,6 @@ optional_policy(`
+@@ -332,5 +381,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41535,7 +41541,7 @@ index 1a354203e..8101022be 100644
  	logging_search_logs($1)
  	admin_pattern($1, iscsi_log_t)
 diff --git a/iscsi.te b/iscsi.te
-index ca020faa9..58233a218 100644
+index ca020faa9..4afdcc8f9 100644
 --- a/iscsi.te
 +++ b/iscsi.te
 @@ -5,12 +5,15 @@ policy_module(iscsi, 1.9.0)
@@ -41572,7 +41578,7 @@ index ca020faa9..58233a218 100644
  allow iscsid_t self:netlink_socket create_socket_perms;
  allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
  allow iscsid_t self:netlink_route_socket nlmsg_write;
-@@ -55,20 +58,22 @@ manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
+@@ -55,20 +58,23 @@ manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
  manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
  fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file })
  
@@ -41595,12 +41601,13 @@ index ca020faa9..58233a218 100644
  kernel_read_system_state(iscsid_t)
 -kernel_setsched(iscsid_t)
 +kernel_dontaudit_setsched(iscsid_t)
++kernel_request_load_module(iscsid_t)
  
 -corenet_all_recvfrom_unlabeled(iscsid_t)
  corenet_all_recvfrom_netlabel(iscsid_t)
  corenet_tcp_sendrecv_generic_if(iscsid_t)
  corenet_tcp_sendrecv_generic_node(iscsid_t)
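Review bot: `kernel_request_load_module(iscsid_t)` lets iscsid ask the kernel to load modules on demand, and it is added unconditionally with no comment naming the module or operation that needs it. Module autoloading widens what a misbehaving or compromised daemon can bring into the kernel, so the reason should be recorded beside the call, e.g. `# iscsid triggers autoload of its transport modules (TODO: cite the AVC)`. The rest of the iscsid_t rules are outside the hunk.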
-@@ -85,22 +90,40 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
+@@ -85,22 +91,40 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
  corenet_tcp_connect_isns_port(iscsid_t)
  corenet_tcp_sendrecv_isns_port(iscsid_t)
  
@@ -50510,10 +50517,10 @@ index 327f3f726..d6ae4eab6 100644
 +	')
  ')
 diff --git a/mandb.te b/mandb.te
-index e6136fd37..56fa2cfc1 100644
+index e6136fd37..afaa79b11 100644
 --- a/mandb.te
 +++ b/mandb.te
-@@ -10,19 +10,40 @@ roleattribute system_r mandb_roles;
+@@ -10,22 +10,46 @@ roleattribute system_r mandb_roles;
  
  type mandb_t;
  type mandb_exec_t;
@@ -50546,6 +50553,7 @@ index e6136fd37..56fa2cfc1 100644
 +manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
 +files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file })
 +can_exec(mandb_t, mandb_exec_t)
++allow mandb_t mandb_cache_t:file map;
 +
 +userdom_search_user_home_dirs(mandb_t)
 +allow mandb_t mandb_home_t:file read_file_perms;
@@ -50556,7 +50564,12 @@ index e6136fd37..56fa2cfc1 100644
  kernel_read_kernel_sysctls(mandb_t)
  kernel_read_system_state(mandb_t)
  
-@@ -33,11 +54,14 @@ dev_search_sysfs(mandb_t)
++auth_read_passwd(mandb_t)
++
+ corecmd_exec_bin(mandb_t)
+ corecmd_exec_shell(mandb_t)
+ 
+@@ -33,11 +57,14 @@ dev_search_sysfs(mandb_t)
  
  domain_use_interactive_fds(mandb_t)
  
@@ -51050,10 +51063,18 @@ index 1d4eb19b8..650014e0f 100644
  	admin_pattern($1, memcached_var_run_t)
  ')
 diff --git a/memcached.te b/memcached.te
-index 29b752160..68ec663c2 100644
+index 29b752160..8c41e59db 100644
 --- a/memcached.te
 +++ b/memcached.te
-@@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t)
+@@ -8,6 +8,7 @@ policy_module(memcached, 1.3.1)
+ type memcached_t;
+ type memcached_exec_t;
+ init_daemon_domain(memcached_t, memcached_exec_t)
++init_nnp_daemon_domain(memcached_t)
+ 
+ type memcached_initrc_exec_t;
+ init_script_file(memcached_initrc_exec_t)
+@@ -20,7 +21,7 @@ files_pid_file(memcached_var_run_t)
  # Local policy
  #
  
@@ -51062,7 +51083,7 @@ index 29b752160..68ec663c2 100644
  dontaudit memcached_t self:capability sys_tty_config;
  allow memcached_t self:process { setrlimit signal_perms };
  allow memcached_t self:tcp_socket { accept listen };
-@@ -59,4 +59,3 @@ term_dontaudit_use_console(memcached_t)
+@@ -59,4 +60,3 @@ term_dontaudit_use_console(memcached_t)
  
  auth_use_nsswitch(memcached_t)
  
@@ -55833,7 +55854,7 @@ index f42896cbf..fce39c1ce 100644
 +/var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 +/var/spool/smtpd(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/mta.if b/mta.if
-index ed81cac5a..cd52baf59 100644
+index ed81cac5a..4ea31b5e2 100644
 --- a/mta.if
 +++ b/mta.if
 @@ -1,4 +1,4 @@
@@ -55985,13 +56006,11 @@ index ed81cac5a..cd52baf59 100644
  ')
  
 -#######################################
-+######################################
- ## <summary>
+-## <summary>
 -##	Read mta mail home files.
-+##  Dontaudit read and write an leaked file descriptors
- ## </summary>
- ## <param name="domain">
- ##	<summary>
+-## </summary>
+-## <param name="domain">
+-##	<summary>
 -##	Domain allowed access.
 -##	</summary>
 -## </param>
@@ -56026,13 +56045,15 @@ index ed81cac5a..cd52baf59 100644
 -')
 -
 -########################################
--## <summary>
++######################################
+ ## <summary>
 -##	Create specified objects in user home
 -##	directories with the generic mail
 -##	home type.
--## </summary>
--## <param name="domain">
--##	<summary>
++##  Dontaudit read and write an leaked file descriptors
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 -##	Domain allowed access.
 -##	</summary>
 -## </param>
@@ -56789,7 +56810,7 @@ index ed81cac5a..cd52baf59 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1081,3 +1067,209 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -1081,3 +1067,228 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -56866,6 +56887,24 @@ index ed81cac5a..cd52baf59 100644
 +
 +####################################
 +## <summary>
++##      ALlow domain to mmap mail content in the homedir
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`mta_mmap_home_rw',`
++        gen_require(`
++                type mail_home_rw_t;
++        ')
++
++		allow $1 mail_home_rw_t:file map;
++')
++
++####################################
++## <summary>
 +##      ALlow domain to read mail content in the homedir
 +## </summary>
 +## <param name="domain">
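Review bot: The new `mta_mmap_home_rw` interface copies the "ALlow" typo into its summary and mixes indentation: `gen_require` is indented with eight spaces and the `allow` line with two tabs. I would write the summary as `##      Allow domain to mmap mail content in the homedir` and indent the rule like the `gen_require` line, `        allow $1 mail_home_rw_t:file map;`. The interface is complete within the hunk. It grants only `map`, so callers still need a read or manage interface on `mail_home_rw_t`; the dovecot.te caller pairs it with `mta_manage_home_rw`.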
@@ -56881,6 +56920,7 @@ index ed81cac5a..cd52baf59 100644
 +
 +        userdom_search_user_home_dirs($1)
 +        read_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
++        list_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
 +		read_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
 +
 +        ifdef(`distro_redhat',`
@@ -76570,7 +76610,7 @@ index c0e878537..3070aa066 100644
 +/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
 +/var/spool/postfix/flush(/.*)?	gen_context(system_u:object_r:postfix_spool_t,s0)
 diff --git a/postfix.if b/postfix.if
-index ded95ec3a..210018ce4 100644
+index ded95ec3a..30d57cf13 100644
 --- a/postfix.if
 +++ b/postfix.if
 @@ -1,4 +1,4 @@
@@ -76738,11 +76778,12 @@ index ded95ec3a..210018ce4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -143,16 +132,15 @@ interface(`postfix_read_config',`
+@@ -143,16 +132,16 @@ interface(`postfix_read_config',`
  		type postfix_etc_t;
  	')
  
 +	read_files_pattern($1, postfix_etc_t, postfix_etc_t)
++	list_dirs_pattern($1, postfix_etc_t, postfix_etc_t)
 +	read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)
  	files_search_etc($1)
 -	allow $1 postfix_etc_t:dir list_dir_perms;
@@ -76759,7 +76800,7 @@ index ded95ec3a..210018ce4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -180,6 +168,7 @@ interface(`postfix_config_filetrans',`
+@@ -180,6 +169,7 @@ interface(`postfix_config_filetrans',`
  		type postfix_etc_t;
  	')
  
@@ -76767,7 +76808,7 @@ index ded95ec3a..210018ce4 100644
  	filetrans_pattern($1, postfix_etc_t, $2, $3, $4)
  ')
  
-@@ -205,7 +194,8 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',`
+@@ -205,7 +195,8 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',`
  
  ########################################
  ## <summary>
@@ -76777,7 +76818,7 @@ index ded95ec3a..210018ce4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -221,30 +211,28 @@ interface(`postfix_rw_local_pipes',`
+@@ -221,30 +212,28 @@ interface(`postfix_rw_local_pipes',`
  	allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;
  ')
  
@@ -76820,7 +76861,7 @@ index ded95ec3a..210018ce4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -252,18 +240,18 @@ interface(`postfix_read_local_state',`
+@@ -252,18 +241,18 @@ interface(`postfix_read_local_state',`
  ##	</summary>
  ## </param>
  #
@@ -76844,7 +76885,7 @@ index ded95ec3a..210018ce4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -277,14 +265,13 @@ interface(`postfix_read_master_state',`
+@@ -277,14 +266,13 @@ interface(`postfix_read_master_state',`
  	')
  
  	kernel_search_proc($1)
@@ -76862,7 +76903,7 @@ index ded95ec3a..210018ce4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -335,15 +322,13 @@ interface(`postfix_domtrans_map',`
+@@ -335,15 +323,13 @@ interface(`postfix_domtrans_map',`
  		type postfix_map_t, postfix_map_exec_t;
  	')
  
@@ -76880,7 +76921,7 @@ index ded95ec3a..210018ce4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -359,17 +344,17 @@ interface(`postfix_domtrans_map',`
+@@ -359,17 +345,17 @@ interface(`postfix_domtrans_map',`
  #
  interface(`postfix_run_map',`
  	gen_require(`
@@ -76902,7 +76943,7 @@ index ded95ec3a..210018ce4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -380,16 +365,35 @@ interface(`postfix_run_map',`
+@@ -380,16 +366,35 @@ interface(`postfix_run_map',`
  interface(`postfix_domtrans_master',`
  	gen_require(`
  		type postfix_master_t, postfix_master_exec_t;
@@ -76941,7 +76982,7 @@ index ded95ec3a..210018ce4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -402,21 +406,18 @@ interface(`postfix_exec_master',`
+@@ -402,21 +407,18 @@ interface(`postfix_exec_master',`
  		type postfix_master_exec_t;
  	')
  
@@ -76964,7 +77005,7 @@ index ded95ec3a..210018ce4 100644
  #
  interface(`postfix_stream_connect_master',`
  	gen_require(`
-@@ -428,8 +429,7 @@ interface(`postfix_stream_connect_master',`
+@@ -428,8 +430,7 @@ interface(`postfix_stream_connect_master',`
  
  ########################################
  ## <summary>
@@ -76974,7 +77015,7 @@ index ded95ec3a..210018ce4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -437,15 +437,18 @@ interface(`postfix_stream_connect_master',`
+@@ -437,15 +438,18 @@ interface(`postfix_stream_connect_master',`
  ##	</summary>
  ## </param>
  #
@@ -76997,7 +77038,7 @@ index ded95ec3a..210018ce4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -458,14 +461,13 @@ interface(`postfix_domtrans_postdrop',`
+@@ -458,14 +462,13 @@ interface(`postfix_domtrans_postdrop',`
  		type postfix_postdrop_t, postfix_postdrop_exec_t;
  	')
  
@@ -77013,7 +77054,7 @@ index ded95ec3a..210018ce4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -478,30 +480,85 @@ interface(`postfix_domtrans_postqueue',`
+@@ -478,30 +481,85 @@ interface(`postfix_domtrans_postqueue',`
  		type postfix_postqueue_t, postfix_postqueue_exec_t;
  	')
  
@@ -77109,7 +77150,7 @@ index ded95ec3a..210018ce4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -514,13 +571,12 @@ interface(`postfix_exec_postqueue',`
+@@ -514,13 +572,12 @@ interface(`postfix_exec_postqueue',`
  		type postfix_postqueue_exec_t;
  	')
  
@@ -77124,7 +77165,7 @@ index ded95ec3a..210018ce4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -533,13 +589,13 @@ interface(`postfix_create_private_sockets',`
+@@ -533,13 +590,13 @@ interface(`postfix_create_private_sockets',`
  		type postfix_private_t;
  	')
  
@@ -77140,7 +77181,7 @@ index ded95ec3a..210018ce4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -552,13 +608,14 @@ interface(`postfix_manage_private_sockets',`
+@@ -552,13 +609,14 @@ interface(`postfix_manage_private_sockets',`
  		type postfix_private_t;
  	')
  
@@ -77157,7 +77198,7 @@ index ded95ec3a..210018ce4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -571,14 +628,12 @@ interface(`postfix_domtrans_smtp',`
+@@ -571,14 +629,12 @@ interface(`postfix_domtrans_smtp',`
  		type postfix_smtp_t, postfix_smtp_exec_t;
  	')
  
@@ -77173,7 +77214,7 @@ index ded95ec3a..210018ce4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -586,7 +641,7 @@ interface(`postfix_domtrans_smtp',`
+@@ -586,7 +642,7 @@ interface(`postfix_domtrans_smtp',`
  ##	</summary>
  ## </param>
  #
@@ -77182,7 +77223,7 @@ index ded95ec3a..210018ce4 100644
  	gen_require(`
  		attribute postfix_spool_type;
  	')
-@@ -607,11 +662,11 @@ interface(`postfix_getattr_all_spool_files',`
+@@ -607,11 +663,11 @@ interface(`postfix_getattr_all_spool_files',`
  #
  interface(`postfix_search_spool',`
  	gen_require(`
@@ -77196,7 +77237,7 @@ index ded95ec3a..210018ce4 100644
  ')
  
  ########################################
-@@ -626,11 +681,11 @@ interface(`postfix_search_spool',`
+@@ -626,11 +682,11 @@ interface(`postfix_search_spool',`
  #
  interface(`postfix_list_spool',`
  	gen_require(`
@@ -77210,7 +77251,7 @@ index ded95ec3a..210018ce4 100644
  ')
  
  ########################################
-@@ -645,17 +700,16 @@ interface(`postfix_list_spool',`
+@@ -645,17 +701,16 @@ interface(`postfix_list_spool',`
  #
  interface(`postfix_read_spool_files',`
  	gen_require(`
@@ -77231,7 +77272,7 @@ index ded95ec3a..210018ce4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -665,11 +719,50 @@ interface(`postfix_read_spool_files',`
+@@ -665,11 +720,50 @@ interface(`postfix_read_spool_files',`
  #
  interface(`postfix_manage_spool_files',`
  	gen_require(`
@@ -77284,7 +77325,7 @@ index ded95ec3a..210018ce4 100644
  ')
  
  ########################################
-@@ -693,8 +786,8 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -693,8 +787,8 @@ interface(`postfix_domtrans_user_mail_handler',`
  
  ########################################
  ## <summary>
@@ -77295,7 +77336,7 @@ index ded95ec3a..210018ce4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -710,38 +803,137 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -710,38 +804,137 @@ interface(`postfix_domtrans_user_mail_handler',`
  #
  interface(`postfix_admin',`
  	gen_require(`
@@ -86725,7 +86766,7 @@ index 5806046b1..2a4769ff4 100644
 +
  /var/run/mdadm(/.*)?	gen_context(system_u:object_r:mdadm_var_run_t,s0)
 diff --git a/raid.if b/raid.if
-index 951db7f1b..00e699da4 100644
+index 951db7f1b..65666b765 100644
 --- a/raid.if
 +++ b/raid.if
 @@ -1,9 +1,8 @@
@@ -86807,27 +86848,22 @@ index 951db7f1b..00e699da4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -57,47 +79,113 @@ interface(`raid_run_mdadm',`
+@@ -57,47 +79,131 @@ interface(`raid_run_mdadm',`
  ##	</summary>
  ## </param>
  #
--interface(`raid_manage_mdadm_pid',`
 +interface(`raid_read_mdadm_pid',`
- 	gen_require(`
- 		type mdadm_var_run_t;
- 	')
- 
--	files_search_pids($1)
--	allow $1 mdadm_var_run_t:file manage_file_perms;
++	gen_require(`
++		type mdadm_var_run_t;
++	')
++
 +	read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)
- ')
- 
- ########################################
- ## <summary>
--##	All of the rules required to
--##	administrate an mdadm environment.
++')
++
++########################################
++## <summary>
 +##	Create, read, write, and delete the mdadm pid files.
- ## </summary>
++## </summary>
 +## <desc>
 +##	<p>
 +##	Create, read, write, and delete the mdadm pid files.
@@ -86836,24 +86872,24 @@ index 951db7f1b..00e699da4 100644
 +##	Added for use in the init module.
 +##	</p>
 +## </desc>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <param name="role">
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +#
-+interface(`raid_manage_mdadm_pid',`
-+	gen_require(`
-+		type mdadm_var_run_t;
-+	')
-+
+ interface(`raid_manage_mdadm_pid',`
+ 	gen_require(`
+ 		type mdadm_var_run_t;
+ 	')
+ 
+-	files_search_pids($1)
 +	# FIXME: maybe should have a type_transition.  not
 +	# clear what this is doing, from the original
 +	# mdadm policy
-+	allow $1 mdadm_var_run_t:file manage_file_perms;
-+')
-+
+ 	allow $1 mdadm_var_run_t:file manage_file_perms;
+ ')
+ 
 +#######################################
 +## <summary>
 +##      Check access to the mdadm executable.
@@ -86873,9 +86909,31 @@ index 951db7f1b..00e699da4 100644
 +	allow $1 mdadm_exec_t:file { getattr_file_perms execute };
 +')
 +
+ ########################################
+ ## <summary>
+-##	All of the rules required to
+-##	administrate an mdadm environment.
++##	Read mdadm config files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##      Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="role">
++#
++interface(`raid_read_conf_files',`
++	gen_require(`
++		type mdadm_conf_t;
++	')
++
++    read_files_pattern($1, mdadm_conf_t, mdadm_conf_t)
++')
++
 +########################################
 +## <summary>
-+##	Read mdadm config files.
++##	Manage mdadm config files.
 +## </summary>
 +## <param name="domain">
  ##	<summary>
@@ -86886,7 +86944,7 @@ index 951db7f1b..00e699da4 100644
 -## <rolecap/>
  #
 -interface(`raid_admin_mdadm',`
-+interface(`raid_read_conf_files',`
++interface(`raid_manage_conf_files',`
  	gen_require(`
 -		type mdadm_t, mdadm_initrc_exec_t, mdadm_var_run_t;
 +		type mdadm_conf_t;
@@ -86894,12 +86952,12 @@ index 951db7f1b..00e699da4 100644
  
 -	allow $1 mdadm_t:process { ptrace signal_perms };
 -	ps_process_pattern($1, mdadm_t)
-+    read_files_pattern($1, mdadm_conf_t, mdadm_conf_t)
++    manage_files_pattern($1, mdadm_conf_t, mdadm_conf_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Manage mdadm config files.
++##	Transition to mdadm named content
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -86907,7 +86965,7 @@ index 951db7f1b..00e699da4 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`raid_manage_conf_files',`
++interface(`raid_filetrans_named_content',`
 +	gen_require(`
 +		type mdadm_conf_t;
 +	')
@@ -86916,29 +86974,29 @@ index 951db7f1b..00e699da4 100644
 -	domain_system_change_exemption($1)
 -	role_transition $2 mdadm_initrc_exec_t system_r;
 -	allow $2 system_r;
-+    manage_files_pattern($1, mdadm_conf_t, mdadm_conf_t)
++    files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
++    files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak")
 +')
  
 -	files_search_pids($1)
 -	admin_pattern($1, mdadm_var_run_t)
 +########################################
 +## <summary>
-+##	Transition to mdadm named content
++##	Relabel from mdadm_var_run_t sock file.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##      Domain allowed access.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`raid_filetrans_named_content',`
++interface(`raid_relabel_mdadm_var_run_content',`
 +	gen_require(`
-+		type mdadm_conf_t;
++		type mdadm_var_run_t;
 +	')
  
 -	raid_run_mdadm($2, $1)
-+    files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
-+    files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak")
++	allow $1 mdadm_var_run_t:sock_file relabel_sock_file_perms;
  ')
 diff --git a/raid.te b/raid.te
 index c99753f2c..082d5f686 100644
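Review bot: The summary of the new `raid_relabel_mdadm_var_run_content` interface says "Relabel from mdadm_var_run_t sock file", but its rule grants `relabel_sock_file_perms`, which in the reference policy's permission sets covers relabelto as well as relabelfrom. Either state the real grant in the summary, e.g. `##	Relabel mdadm_var_run_t sock files (relabelfrom and relabelto).`, or narrow the rule to `allow $1 mdadm_var_run_t:sock_file relabelfrom_sock_file_perms;` if callers only need to relabel away from the type. The `_content` suffix also suggests every object class under mdadm_var_run_t, while only sock_file is covered, so a name such as `raid_relabel_mdadm_var_run_sock_files` would tell callers what they get.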
@@ -106130,7 +106188,7 @@ index 1499b0bbf..e695a62f3 100644
 -	spamassassin_role($2, $1)
  ')
 diff --git a/spamassassin.te b/spamassassin.te
-index cc58e3578..ece033330 100644
+index cc58e3578..0c421b171 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
 @@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1)
@@ -106566,7 +106624,7 @@ index cc58e3578..ece033330 100644
  
  optional_policy(`
  	abrt_stream_connect(spamc_t)
-@@ -243,19 +352,31 @@ optional_policy(`
+@@ -243,19 +352,32 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -106596,10 +106654,11 @@ index cc58e3578..ece033330 100644
 -	sendmail_rw_pipes(spamc_t)
  	sendmail_stub(spamc_t)
 +	sendmail_rw_pipes(spamc_t)
++    mta_read_home_rw(spamc_t)
  ')
  
  optional_policy(`
-@@ -267,48 +388,54 @@ optional_policy(`
+@@ -267,48 +389,54 @@ optional_policy(`
  
  ########################################
  #
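Review bot: The added `mta_read_home_rw(spamc_t)` sits in the same `optional_policy` block as the `sendmail_stub` and `sendmail_rw_pipes` calls, so the read access presumably disappears whenever the sendmail module is absent, since an optional block is dropped as a whole. The block's opening is outside this hunk, so confirm that the coupling is intended, or place the call in a block that depends only on the mta module. The line is also indented with four spaces where its neighbours use a tab, and the `systemd_rfkill_domtrans(tlp_t)` line added in the tlp.te hunk has the same mix. A why-comment above the call would help the next reader, e.g. `# spamc reads mail content in user home directories, BZ(1414366)`.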
@@ -106674,7 +106733,7 @@ index cc58e3578..ece033330 100644
  manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
  manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
  
-@@ -317,12 +444,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -317,12 +445,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
  manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
  files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
  
@@ -106691,7 +106750,7 @@ index cc58e3578..ece033330 100644
  corenet_all_recvfrom_netlabel(spamd_t)
  corenet_tcp_sendrecv_generic_if(spamd_t)
  corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +460,60 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +461,60 @@ corenet_udp_sendrecv_generic_node(spamd_t)
  corenet_tcp_sendrecv_all_ports(spamd_t)
  corenet_udp_sendrecv_all_ports(spamd_t)
  corenet_tcp_bind_generic_node(spamd_t)
@@ -106796,7 +106855,7 @@ index cc58e3578..ece033330 100644
  ')
  
  optional_policy(`
-@@ -421,21 +532,13 @@ optional_policy(`
+@@ -421,21 +533,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -106820,7 +106879,7 @@ index cc58e3578..ece033330 100644
  ')
  
  optional_policy(`
-@@ -443,8 +546,8 @@ optional_policy(`
+@@ -443,8 +547,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -106830,7 +106889,7 @@ index cc58e3578..ece033330 100644
  ')
  
  optional_policy(`
-@@ -455,7 +558,17 @@ optional_policy(`
+@@ -455,7 +559,17 @@ optional_policy(`
  optional_policy(`
  	razor_domtrans(spamd_t)
  	razor_read_lib_files(spamd_t)
@@ -106849,7 +106908,7 @@ index cc58e3578..ece033330 100644
  ')
  
  optional_policy(`
-@@ -463,9 +576,10 @@ optional_policy(`
+@@ -463,9 +577,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -106861,7 +106920,7 @@ index cc58e3578..ece033330 100644
  ')
  
  optional_policy(`
-@@ -474,32 +588,31 @@ optional_policy(`
+@@ -474,32 +589,31 @@ optional_policy(`
  
  ########################################
  #
@@ -106903,7 +106962,7 @@ index cc58e3578..ece033330 100644
  
  corecmd_exec_bin(spamd_update_t)
  corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +621,26 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +622,26 @@ dev_read_urand(spamd_update_t)
  
  domain_use_interactive_fds(spamd_update_t)
  
@@ -112488,10 +112547,10 @@ index 000000000..368e18842
 +')
 diff --git a/tlp.te b/tlp.te
 new file mode 100644
-index 000000000..f124882af
+index 000000000..80e71067a
 --- /dev/null
 +++ b/tlp.te
-@@ -0,0 +1,91 @@
+@@ -0,0 +1,95 @@
 +policy_module(tlp, 1.0.0)
 +
 +########################################
@@ -112581,6 +112640,10 @@ index 000000000..f124882af
 +')
 +
 +optional_policy(`
++    systemd_rfkill_domtrans(tlp_t)
++')
++
++optional_policy(`
 +	udev_domtrans(tlp_t)
 +')
 diff --git a/tmpreaper.te b/tmpreaper.te
@@ -117985,7 +118048,7 @@ index facdee8b3..2a619ba9e 100644
 +	dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf567..3fde9b1cd 100644
+index f03dcf567..6467b8676 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,451 +1,424 @@
@@ -118950,7 +119013,7 @@ index f03dcf567..3fde9b1cd 100644
  ')
  
  optional_policy(`
-@@ -691,99 +653,449 @@ optional_policy(`
+@@ -691,99 +653,450 @@ optional_policy(`
  	dnsmasq_kill(virtd_t)
  	dnsmasq_signull(virtd_t)
  	dnsmasq_create_pid_dirs(virtd_t)
@@ -119160,6 +119223,7 @@ index f03dcf567..3fde9b1cd 100644
 +manage_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t)
 +manage_lnk_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t)
 +fs_tmpfs_filetrans(virt_domain, svirt_tmpfs_t, { dir file lnk_file })
++allow virt_domain svirt_tmpfs_t:file map;
 +
 +manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
 +manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
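Review bot: `allow virt_domain svirt_tmpfs_t:file map;` grants map to every type carrying the virt_domain attribute, while the changelog entry for this change (BZ(1515304)) names only svirt_t. This matches the neighbouring `manage_files_pattern` and `fs_tmpfs_filetrans` rules, which are also written against virt_domain, but the wider scope should be recorded next to the rule, e.g. `# every virt_domain type may mmap its svirt_tmpfs_t files, BZ(1515304)`. If only svirt_t needs the permission, `allow svirt_t svirt_tmpfs_t:file map;` is the narrower form. The surrounding run of virt_domain rules starts and ends outside this hunk.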
@@ -119451,7 +119515,7 @@ index f03dcf567..3fde9b1cd 100644
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1106,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1107,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -119478,7 +119542,7 @@ index f03dcf567..3fde9b1cd 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1126,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1127,25 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -119512,7 +119576,7 @@ index f03dcf567..3fde9b1cd 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1163,20 @@ optional_policy(`
+@@ -856,14 +1164,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -119534,7 +119598,7 @@ index f03dcf567..3fde9b1cd 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -888,49 +1201,66 @@ optional_policy(`
+@@ -888,49 +1202,66 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -119619,7 +119683,7 @@ index f03dcf567..3fde9b1cd 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1272,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1273,16 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -119639,7 +119703,7 @@ index f03dcf567..3fde9b1cd 100644
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,15 +1293,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,15 +1294,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -119658,7 +119722,7 @@ index f03dcf567..3fde9b1cd 100644
  
  term_use_generic_ptys(virtd_lxc_t)
  term_use_ptmx(virtd_lxc_t)
-@@ -982,186 +1307,307 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -982,186 +1308,307 @@ auth_use_nsswitch(virtd_lxc_t)
  
  logging_send_syslog_msg(virtd_lxc_t)
  
@@ -120095,7 +120159,7 @@ index f03dcf567..3fde9b1cd 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1174,12 +1620,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1621,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -120110,7 +120174,7 @@ index f03dcf567..3fde9b1cd 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1192,7 +1638,7 @@ optional_policy(`
+@@ -1192,7 +1639,7 @@ optional_policy(`
  
  ########################################
  #
@@ -120119,7 +120183,7 @@ index f03dcf567..3fde9b1cd 100644
  #
  
  allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1647,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1648,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
  allow virt_bridgehelper_t self:tun_socket create_socket_perms;
  allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 413882a..b26ba55 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 303%{?dist}
+Release: 304%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -717,6 +717,35 @@ exit 0
 %endif
 
 %changelog
+* Tue Nov 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-304
+- Add interface raid_relabel_mdadm_var_run_content()
+- Fix iscsi SELinux module
+- Allow spamc_t domain to read home mail content BZ(1414366)
+- Allow sendmail_t to list postfix config dirs BZ(1514868)
+- Allow dovecot_t domain to mmap mail content in homedirs BZ(1513153)
+- Allow iscsid_t domain to requesting loading kernel modules BZ(1448877)
+- Allow svirt_t domain to mmap svirt_tmpfs_t files BZ(1515304)
+- Allow cupsd_t domain to localization BZ(1514350)
+- Allow antivirus_t nnp domain transition because of systemd security features. BZ(1514451)
+- Allow tlp_t domain transition to systemd_rfkill_t domain BZ(1416301)
+- Allow abrt_t domain to mmap fusefs_t files BZ(1515169)
+- Allow memcached_t domain nnp_transition becuase of systemd security features BZ(1514867)
+- Allow httpd_t domain to mmap all httpd content type BZ(1514866)
+- Allow mandb_t to read /etc/passwd BZ(1514903)
+- Allow mandb_t domain to mmap files with label mandb_cache_t BZ(1514093)
+- Allow abrt_t domain to mmap files with label syslogd_var_run_t BZ(1514975)
+- Allow nnp transition for systemd-networkd daemon to run in proper SELinux domain BZ(1507263)
+- Allow systemd to read/write to mount_var_run_t files BZ(1515373)
+- Allow systemd to relabel mdadm_var_run_t sock files BZ(1515373)
+- Allow home managers to mmap nfs_t files BZ(1514372)
+- Add interface fs_mmap_nfs_files()
+- Allow systemd-mount to create new directory for mountpoint BZ(1514880)
+- Allow getty to use usbttys
+- Add interface systemd_rfkill_domtrans()
+- Allow syslogd_t to mmap files with label syslogd_var_lib_t BZ(1513403)
+- Add interface fs_mmap_fusefs_files()
+- Allow ipsec_t domain to mmap files with label ipsec_key_file_t BZ(1514251)
+
 * Thu Nov 16 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-303
 - Allow pcp_pmlogger to send logs to journal BZ(1512367)
 - Merge pull request #40 from lslebodn/kcm_kerberos