diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index fcd3ecd..4bd124c 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -2744,7 +2744,7 @@ index 99e3903..fa68362 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1d732f1..0dbda7d 100644
+index 1d732f1..6a6da75 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -26,6 +26,7 @@ type chfn_exec_t;
@@ -2973,13 +2973,16 @@ index 1d732f1..0dbda7d 100644
  userdom_use_unpriv_users_fds(passwd_t)
  # make sure that getcon succeeds
  userdom_getattr_all_users(passwd_t)
-@@ -352,6 +383,15 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -352,6 +383,18 @@ userdom_read_user_tmp_files(passwd_t)
  # user generally runs this from their home directory, so do not audit a search
  # on user home dir
  userdom_dontaudit_search_user_home_content(passwd_t)
 +userdom_stream_connect(passwd_t)
 +userdom_rw_stream(passwd_t)
 +
++# needed by gnome-keyring
++userdom_manage_user_tmp_files(passwd_t)
++
 +optional_policy(`
 +	gnome_exec_keyringd(passwd_t)
 +	gnome_manage_cache_home_dir(passwd_t)
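Review bot: `userdom_manage_user_tmp_files(passwd_t)` is granted unconditionally, although its comment says only gnome-keyring needs it and the gnome calls sit in the optional block right below it. passwd_t already has `userdom_read_user_tmp_files` (visible in the hunk header context), so this widens the password-changing domain from reading to creating, writing and deleting any user's tmp files on every system, with or without the gnome module. Consider moving the call inside the gnome optional_policy block and extending the comment to name the object involved, e.g. `# gnome-keyring: <socket or file under /tmp> (AVC: <reference>)`. The optional_policy block continues past the end of this hunk.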
@@ -2989,7 +2992,7 @@ index 1d732f1..0dbda7d 100644
  
  optional_policy(`
  	nscd_run(passwd_t, passwd_roles)
-@@ -401,9 +441,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -401,9 +444,10 @@ dev_read_urand(sysadm_passwd_t)
  fs_getattr_xattr_fs(sysadm_passwd_t)
  fs_search_auto_mountpoints(sysadm_passwd_t)
  
@@ -3002,7 +3005,7 @@ index 1d732f1..0dbda7d 100644
  auth_manage_shadow(sysadm_passwd_t)
  auth_relabel_shadow(sysadm_passwd_t)
  auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -416,7 +457,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -416,7 +460,6 @@ files_read_usr_files(sysadm_passwd_t)
  
  domain_use_interactive_fds(sysadm_passwd_t)
  
@@ -3010,7 +3013,7 @@ index 1d732f1..0dbda7d 100644
  files_relabel_etc_files(sysadm_passwd_t)
  files_read_etc_runtime_files(sysadm_passwd_t)
  # for nscd lookups
-@@ -426,12 +466,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+@@ -426,12 +469,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
  # correctly without it.  Do not audit write denials to utmp.
  init_dontaudit_rw_utmp(sysadm_passwd_t)
  
@@ -3023,7 +3026,7 @@ index 1d732f1..0dbda7d 100644
  userdom_use_unpriv_users_fds(sysadm_passwd_t)
  # user generally runs this from their home directory, so do not audit a search
  # on user home dir
-@@ -446,7 +483,8 @@ optional_policy(`
+@@ -446,7 +486,8 @@ optional_policy(`
  # Useradd local policy
  #
  
@@ -3033,7 +3036,7 @@ index 1d732f1..0dbda7d 100644
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow useradd_t self:process setfscreate;
-@@ -461,6 +499,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -461,6 +502,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
  allow useradd_t self:unix_dgram_socket sendto;
  allow useradd_t self:unix_stream_socket connectto;
  
@@ -3044,7 +3047,7 @@ index 1d732f1..0dbda7d 100644
  # for getting the number of groups
  kernel_read_kernel_sysctls(useradd_t)
  
-@@ -468,29 +510,28 @@ corecmd_exec_shell(useradd_t)
+@@ -468,29 +513,28 @@ corecmd_exec_shell(useradd_t)
  # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
  corecmd_exec_bin(useradd_t)
  
@@ -3084,7 +3087,7 @@ index 1d732f1..0dbda7d 100644
  
  auth_run_chk_passwd(useradd_t, useradd_roles)
  auth_rw_lastlog(useradd_t)
-@@ -498,6 +539,7 @@ auth_rw_faillog(useradd_t)
+@@ -498,6 +542,7 @@ auth_rw_faillog(useradd_t)
  auth_use_nsswitch(useradd_t)
  # these may be unnecessary due to the above
  # domtrans_chk_passwd() call.
@@ -3092,7 +3095,7 @@ index 1d732f1..0dbda7d 100644
  auth_manage_shadow(useradd_t)
  auth_relabel_shadow(useradd_t)
  auth_etc_filetrans_shadow(useradd_t)
-@@ -508,33 +550,32 @@ init_rw_utmp(useradd_t)
+@@ -508,33 +553,32 @@ init_rw_utmp(useradd_t)
  logging_send_audit_msgs(useradd_t)
  logging_send_syslog_msg(useradd_t)
  
@@ -3137,7 +3140,7 @@ index 1d732f1..0dbda7d 100644
  optional_policy(`
  	apache_manage_all_user_content(useradd_t)
  ')
-@@ -549,10 +590,19 @@ optional_policy(`
+@@ -549,10 +593,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3157,7 +3160,7 @@ index 1d732f1..0dbda7d 100644
  	tunable_policy(`samba_domain_controller',`
  		samba_append_log(useradd_t)
  	')
-@@ -562,3 +612,12 @@ optional_policy(`
+@@ -562,3 +615,12 @@ optional_policy(`
  	rpm_use_fds(useradd_t)
  	rpm_rw_pipes(useradd_t)
  ')
@@ -3343,7 +3346,7 @@ index 7590165..d81185e 100644
 +	fs_mounton_fusefs(seunshare_domain)
  ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 33e0f8d..c5c1122 100644
+index 33e0f8d..d41bb39 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -3683,7 +3686,7 @@ index 33e0f8d..c5c1122 100644
  /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
-@@ -387,17 +469,33 @@ ifdef(`distro_suse', `
+@@ -387,17 +469,34 @@ ifdef(`distro_suse', `
  #
  # /var
  #
@@ -3705,6 +3708,7 @@ index 33e0f8d..c5c1122 100644
  /var/qmail/rc			--	gen_context(system_u:object_r:bin_t,s0)
  
 +/var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
++/var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
 +
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
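Review bot: The added `.py` entry, like the `.sh` one above it, labels scripts under `/var/lib/glusterd/hooks/` as `bin_t`, which puts generically executable content in a state directory that the glusterd interfaces in this same commit treat as daemon-managed data. Because `.` in a file-context regex also matches `/`, `.*/.*\.py` applies at any depth below `hooks/`. A comment saying who is expected to install hook scripts would help, for example `# hook scripts are shipped by the package, not written by glusterd (confirm)`. It is also worth confirming that files glusterd creates there at runtime do not end up as `bin_t` after a relabel.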
@@ -23857,7 +23861,7 @@ index fe0c682..3ad1b1f 100644
 +	ps_process_pattern($1, sshd_t)
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index cc877c7..66bf790 100644
+index cc877c7..b8e6e98 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2)
@@ -24193,7 +24197,7 @@ index cc877c7..66bf790 100644
  ')
  
  optional_policy(`
-@@ -266,6 +327,15 @@ optional_policy(`
+@@ -266,6 +327,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24206,10 +24210,14 @@ index cc877c7..66bf790 100644
 +')
 +
 +optional_policy(`
++    gnome_exec_keyringd(sshd_t)
++')
++
++optional_policy(`
  	inetd_tcp_service_domain(sshd_t, sshd_exec_t)
  ')
  
-@@ -275,10 +345,26 @@ optional_policy(`
+@@ -275,10 +349,26 @@ optional_policy(`
  ')
  
  optional_policy(`
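Review bot: The new block gives sshd_t `gnome_exec_keyringd` with no comment saying which login path needs it. The interface definition is not in this hunk, but if it is an execute-without-transition grant, the keyring daemon would run inside sshd_t with all of sshd's permissions instead of in its own domain. A domain-transition interface would keep it confined. Please add a why-comment such as `# pam_gnome_keyring starts the daemon at session setup (confirm)`. The call should also be indented with a tab like the neighbouring `inetd_tcp_service_domain` line.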
@@ -24236,7 +24244,7 @@ index cc877c7..66bf790 100644
  	rpm_use_script_fds(sshd_t)
  ')
  
-@@ -289,13 +375,93 @@ optional_policy(`
+@@ -289,13 +379,93 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24330,7 +24338,7 @@ index cc877c7..66bf790 100644
  ########################################
  #
  # ssh_keygen local policy
-@@ -304,19 +470,33 @@ optional_policy(`
+@@ -304,19 +474,33 @@ optional_policy(`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -24365,7 +24373,7 @@ index cc877c7..66bf790 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -332,7 +512,9 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -332,7 +516,9 @@ auth_use_nsswitch(ssh_keygen_t)
  
  logging_send_syslog_msg(ssh_keygen_t)
  
@@ -24375,7 +24383,7 @@ index cc877c7..66bf790 100644
  
  optional_policy(`
  	seutil_sigchld_newrole(ssh_keygen_t)
-@@ -341,3 +523,148 @@ optional_policy(`
+@@ -341,3 +527,148 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -42591,10 +42599,10 @@ index 0000000..d2a8fc7
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..3c4ffa35
+index 0000000..0401ad8
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,720 @@
+@@ -0,0 +1,721 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -42768,6 +42776,7 @@ index 0000000..3c4ffa35
 +init_halt(systemd_logind_t)
 +init_undefined(systemd_logind_t)
 +init_signal_script(systemd_logind_t)
++init_getattr_script_status_files(systemd_logind_t)
 +
 +getty_systemctl(systemd_logind_t)
 +
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 4113220..5734f67 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -546,7 +546,7 @@ index 058d908..158acba 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..fb0af36 100644
+index eb50f07..a0f044b 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -694,7 +694,7 @@ index eb50f07..fb0af36 100644
  manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
  logging_log_filetrans(abrt_t, abrt_var_log_t, file)
  
-@@ -125,48 +135,55 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+@@ -125,48 +135,56 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -720,6 +720,7 @@ index eb50f07..fb0af36 100644
 +manage_dirs_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
 +manage_lnk_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
  
++kernel_read_all_proc(abrt_t)
  kernel_read_ring_buffer(abrt_t)
 -kernel_read_system_state(abrt_t)
 +kernel_read_network_state(abrt_t)
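Review bot: `kernel_read_all_proc(abrt_t)` is added at the top of the kernel block with no comment. Judging by its name, it overlaps the narrower `kernel_read_network_state` call two lines below. abrt_t already reads the state of all domains (`domain_read_all_domains_state` appears in the next hunk's context), so read access to every /proc type further enlarges what a compromised abrt_t could disclose. Either name the specific proc entry in a comment, e.g. `# <proc path> read during crash collection (AVC: <reference>)`, or replace the call with the narrow interface for that one type.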
@@ -757,7 +758,7 @@ index eb50f07..fb0af36 100644
  
  domain_getattr_all_domains(abrt_t)
  domain_read_all_domains_state(abrt_t)
-@@ -176,29 +193,43 @@ files_getattr_all_files(abrt_t)
+@@ -176,29 +194,43 @@ files_getattr_all_files(abrt_t)
  files_read_config_files(abrt_t)
  files_read_etc_runtime_files(abrt_t)
  files_read_var_symlinks(abrt_t)
@@ -804,7 +805,7 @@ index eb50f07..fb0af36 100644
  
  tunable_policy(`abrt_anon_write',`
  	miscfiles_manage_public_files(abrt_t)
-@@ -206,15 +237,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -206,15 +238,11 @@ tunable_policy(`abrt_anon_write',`
  
  optional_policy(`
  	apache_list_modules(abrt_t)
@@ -821,7 +822,7 @@ index eb50f07..fb0af36 100644
  ')
  
  optional_policy(`
-@@ -222,6 +249,24 @@ optional_policy(`
+@@ -222,6 +250,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -846,7 +847,7 @@ index eb50f07..fb0af36 100644
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
  	policykit_read_reload(abrt_t)
-@@ -234,6 +279,11 @@ optional_policy(`
+@@ -234,6 +280,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -858,7 +859,7 @@ index eb50f07..fb0af36 100644
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
  	rpm_manage_cache(abrt_t)
-@@ -243,6 +293,7 @@ optional_policy(`
+@@ -243,6 +294,7 @@ optional_policy(`
  	rpm_signull(abrt_t)
  ')
  
@@ -866,7 +867,7 @@ index eb50f07..fb0af36 100644
  optional_policy(`
  	sendmail_domtrans(abrt_t)
  ')
-@@ -253,9 +304,21 @@ optional_policy(`
+@@ -253,9 +305,21 @@ optional_policy(`
  	sosreport_delete_tmp_files(abrt_t)
  ')
  
@@ -889,7 +890,7 @@ index eb50f07..fb0af36 100644
  #
  
  allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +329,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +330,13 @@ tunable_policy(`abrt_handle_event',`
  	can_exec(abrt_t, abrt_handle_event_exec_t)
  ')
  
@@ -904,7 +905,7 @@ index eb50f07..fb0af36 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +348,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +349,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -912,7 +913,7 @@ index eb50f07..fb0af36 100644
  
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +357,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +358,20 @@ corecmd_read_all_executables(abrt_helper_t)
  
  domain_read_all_domains_state(abrt_helper_t)
  
@@ -933,7 +934,7 @@ index eb50f07..fb0af36 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +378,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +379,25 @@ ifdef(`hide_broken_symptoms',`
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -960,7 +961,7 @@ index eb50f07..fb0af36 100644
  #
  
  allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +414,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +415,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
  
  dev_read_urand(abrt_retrace_coredump_t)
  
@@ -974,7 +975,7 @@ index eb50f07..fb0af36 100644
  optional_policy(`
  	rpm_exec(abrt_retrace_coredump_t)
  	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +432,11 @@ optional_policy(`
+@@ -343,10 +433,11 @@ optional_policy(`
  
  #######################################
  #
@@ -988,7 +989,7 @@ index eb50f07..fb0af36 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +455,60 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +456,60 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -1053,7 +1054,7 @@ index eb50f07..fb0af36 100644
  
  #######################################
  #
-@@ -404,25 +516,58 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +517,58 @@ logging_read_generic_logs(abrt_dump_oops_t)
  #
  
  allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1114,7 +1115,7 @@ index eb50f07..fb0af36 100644
  ')
  
  #######################################
-@@ -430,10 +575,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +576,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
  # Global local policy
  #
  
@@ -13774,10 +13775,10 @@ index 0000000..a06f04b
 +')
 diff --git a/cloudform.te b/cloudform.te
 new file mode 100644
-index 0000000..ec3a39a
+index 0000000..af630a4
 --- /dev/null
 +++ b/cloudform.te
-@@ -0,0 +1,244 @@
+@@ -0,0 +1,247 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@@ -13939,6 +13940,9 @@ index 0000000..ec3a39a
 +
 +optional_policy(`
 +    rpm_run(cloud_init_t, system_r)
++')
++
++optional_policy(`
 +    unconfined_domain(cloud_init_t)
 +')
 +
@@ -19639,7 +19643,7 @@ index b25b01d..6b7d687 100644
  ')
 +
 diff --git a/ctdb.te b/ctdb.te
-index 001b502..57be129 100644
+index 001b502..61a9e2d 100644
 --- a/ctdb.te
 +++ b/ctdb.te
 @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
@@ -19721,7 +19725,7 @@ index 001b502..57be129 100644
 -miscfiles_read_localization(ctdbd_t)
  miscfiles_read_public_files(ctdbd_t)
  
-+userdom_home_reader(ctdbd_t)
++userdom_home_manager(ctdbd_t)
 +
  optional_policy(`
  	consoletype_exec(ctdbd_t)
@@ -25113,10 +25117,10 @@ index 0000000..457d4dd
 +')
 diff --git a/dnssec.te b/dnssec.te
 new file mode 100644
-index 0000000..b045889
+index 0000000..dd2545b
 --- /dev/null
 +++ b/dnssec.te
-@@ -0,0 +1,72 @@
+@@ -0,0 +1,73 @@
 +policy_module(dnssec, 1.0.0)
 +
 +########################################
@@ -25187,7 +25191,8 @@ index 0000000..b045889
 +optional_policy(`
 +    networkmanager_stream_connect(dnssec_trigger_t)
 +    networkmanager_sigchld(dnssec_trigger_t)
-+
++    networkmanager_sigkill(dnssec_trigger_t)
++    networkmanager_signull(dnssec_trigger_t)
 +')
 diff --git a/dnssectrigger.te b/dnssectrigger.te
 index c7bb4e7..e6fe2f40 100644
@@ -30416,10 +30421,10 @@ index 0000000..8c8c6c9
 +/var/run/glusterd.*	-s	gen_context(system_u:object_r:glusterd_var_run_t,s0)
 diff --git a/glusterd.if b/glusterd.if
 new file mode 100644
-index 0000000..5e3410a
+index 0000000..fc9bf19
 --- /dev/null
 +++ b/glusterd.if
-@@ -0,0 +1,224 @@
+@@ -0,0 +1,243 @@
 +
 +## <summary>policy for glusterd</summary>
 +
@@ -30597,7 +30602,26 @@ index 0000000..5e3410a
 +    rw_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
 +')
 +
-+########################################
++######################################
++## <summary>
++## Read and write /var/lib/glusterd files.
++## </summary>
++## <param name="domain">
++##     <summary>
++##     Domain allowed access.
++##     </summary>
++## </param>
++#
++interface(`glusterd_manage_lib_files',`
++       gen_require(`
++               type glusterd_var_lib_t;
++       ')
++
++    files_search_var_lib($1)
++    manage_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
++')
++
++######################################
 +## <summary>
 +##	All of the rules required to administrate
 +##	an glusterd environment
@@ -30646,10 +30670,10 @@ index 0000000..5e3410a
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..e4830ba
+index 0000000..e8706c0
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,232 @@
+@@ -0,0 +1,271 @@
 +policy_module(glusterfs, 1.1.2)
 +
 +## <desc>
@@ -30683,6 +30707,7 @@ index 0000000..e4830ba
 +type glusterd_t;
 +type glusterd_exec_t;
 +init_daemon_domain(glusterd_t, glusterd_exec_t)
++domain_obj_id_change_exemption(glusterd_t)
 +
 +type glusterd_conf_t;
 +files_type(glusterd_conf_t)
@@ -30710,13 +30735,16 @@ index 0000000..e4830ba
 +# Local policy
 +#
 +
-+allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod };
++allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw };
 +
 +allow glusterd_t self:capability2 block_suspend;
-+allow glusterd_t self:process { getcap setcap setrlimit signal_perms };
++allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched };
++allow glusterd_t self:sem create_sem_perms;
 +allow glusterd_t self:fifo_file rw_fifo_file_perms;
 +allow glusterd_t self:tcp_socket { accept listen };
 +allow glusterd_t self:unix_stream_socket { accept listen connectto };
++allow glusterd_t self:rawip_socket create_socket_perms;
++allow glusterd_t self:unix_stream_socket create_stream_socket_perms;
 +
 +manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
 +manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
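Review bot: The added `allow glusterd_t self:unix_stream_socket create_stream_socket_perms;` overlaps the existing rule two lines above it, because `create_stream_socket_perms` already contains `accept` and `listen`. A single rule, `allow glusterd_t self:unix_stream_socket { create_stream_socket_perms connectto };`, expresses the same thing. Separately, `net_raw` together with `rawip_socket create_socket_perms` (and `corenet_raw_bind_generic_node` in the next hunk) gives the daemon raw packet access with no stated reason. A comment naming the helper that opens the raw socket would make that grant reviewable.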
@@ -30777,6 +30805,7 @@ index 0000000..e4830ba
 +corenet_udp_sendrecv_all_ports(glusterd_t)
 +corenet_tcp_bind_generic_node(glusterd_t)
 +corenet_udp_bind_generic_node(glusterd_t)
++corenet_raw_bind_generic_node(glusterd_t)
 +
 +corenet_tcp_connect_gluster_port(glusterd_t)
 +corenet_tcp_bind_gluster_port(glusterd_t)
@@ -30813,12 +30842,26 @@ index 0000000..e4830ba
 +files_mounton_non_security(glusterd_t)
 +
 +storage_rw_fuse(glusterd_t)
++#needed by /usr/sbin/xfs_db
++storage_raw_read_fixed_disk(glusterd_t)
++storage_raw_write_fixed_disk(glusterd_t)
 +
 +auth_use_nsswitch(glusterd_t)
 +
 +fs_getattr_all_fs(glusterd_t)
 +
++init_domtrans_script(glusterd_t)
++init_initrc_domain(glusterd_t)
++init_read_script_state(glusterd_t)
++init_rw_script_tmp_files(glusterd_t)
++init_manage_script_status_files(glusterd_t)
++
++systemd_config_systemd_services(glusterd_t)
++systemd_signal_passwd_agent(glusterd_t)
++
 +logging_send_syslog_msg(glusterd_t)
++logging_dontaudit_search_audit_logs(glusterd_t)
++
 +libs_exec_ldconfig(glusterd_t)
 +
 +miscfiles_read_localization(glusterd_t)
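Review bot: `storage_raw_write_fixed_disk(glusterd_t)` lets the daemon write block devices directly, which bypasses every file-level label on those disks, and the only justification is the one-line comment about /usr/sbin/xfs_db. If xfs_db is only used to inspect filesystems, `storage_raw_read_fixed_disk` alone may be enough (confirm against the denials). Otherwise, running the tool in its own domain through a transition would keep raw-write out of glusterd_t. This hunk also adds `init_initrc_domain(glusterd_t)` and `init_domtrans_script(glusterd_t)`, and the next hunk adds `userdom_kill_all_users(glusterd_t)`, all without comments; each should get a line naming the denial it resolves.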
@@ -30826,6 +30869,10 @@ index 0000000..e4830ba
 +
 +userdom_manage_user_home_dirs(glusterd_t)
 +userdom_filetrans_home_content(glusterd_t)
++userdom_read_user_tmp_files(glusterd_t)
++userdom_delete_user_tmpfs_files(glusterd_t)
++userdom_rw_user_tmpfs_files(glusterd_t)
++userdom_kill_all_users(glusterd_t)
 +
 +mount_domtrans(glusterd_t)
 +
@@ -30854,6 +30901,11 @@ index 0000000..e4830ba
 +
 +optional_policy(`
 +    dbus_system_bus_client(glusterd_t)
++    dbus_connect_system_bus(glusterd_t)
++
++    optional_policy(`
++        policykit_dbus_chat(glusterd_t)
++    ')
 +')
 +
 +optional_policy(`
@@ -30867,10 +30919,15 @@ index 0000000..e4830ba
 +optional_policy(`
 +    samba_domtrans_smbd(glusterd_t)
 +    samba_systemctl(glusterd_t)
++    samba_signal_smbd(glusterd_t)
 +    samba_manage_config(glusterd_t)
 +')
 +
 +optional_policy(`
++    ssh_exec_keygen(glusterd_t)
++')
++
++optional_policy(`
 +    rpc_domtrans_rpcd(glusterd_t)
 +    rpc_kill_rpcd(glusterd_t)
 +')
@@ -30880,6 +30937,12 @@ index 0000000..e4830ba
 +')
 +
 +optional_policy(`
++    rhcs_dbus_chat_cluster(glusterd_t)
++    rhcs_domtrans_cluster(glusterd_t)
++    rhcs_systemctl_cluster(glusterd_t)
++')
++
++optional_policy(`
 +	ssh_exec(glusterd_t)
 +')
 diff --git a/glusterfs.fc b/glusterfs.fc
@@ -42863,19 +42926,17 @@ index 61db5a0..9d5d255 100644
 +userdom_use_inherited_user_terminals(lockdev_t)
 +
 diff --git a/logrotate.fc b/logrotate.fc
-index a11d5be..4cf59d3 100644
+index a11d5be..5fc9001 100644
 --- a/logrotate.fc
 +++ b/logrotate.fc
-@@ -1,6 +1,9 @@
+@@ -1,6 +1,7 @@
 -/etc/cron\.(daily|weekly)/sysklogd	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
 +/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
  
  /usr/sbin/logrotate	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
  
-+ifdef(`distro_debian', `
  /var/lib/logrotate(/.*)?	gen_context(system_u:object_r:logrotate_var_lib_t,s0)
 -/var/lib/logrotate\.status	--	gen_context(system_u:object_r:logrotate_var_lib_t,s0)
-+', `
 +/var/lib/logrotate\.status.* --	gen_context(system_u:object_r:logrotate_var_lib_t,s0)
 +')
 diff --git a/logrotate.if b/logrotate.if
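Review bot: The trailing `+')` line is still added to logrotate.fc even though this change removes both the ifdef distro_debian opener and its else separator, and the inner hunk header was adjusted to `+1,7` so that the line is still counted. No ifdef remains in the seven resulting lines, so the file would end with an unmatched m4 close-quote and parenthesis. That could break file-context generation or leave a literal `')` entry, depending on how m4 handles it. Drop the `+')` line and set the inner header to `@@ -1,6 +1,6 @@`.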
@@ -54397,7 +54458,7 @@ index 0641e97..ed3394e 100644
 +	admin_pattern($1, nrpe_etc_t)
  ')
 diff --git a/nagios.te b/nagios.te
-index 7b3e682..1729d5d 100644
+index 7b3e682..40e93b4 100644
 --- a/nagios.te
 +++ b/nagios.te
 @@ -5,6 +5,25 @@ policy_module(nagios, 1.13.0)
@@ -54501,7 +54562,7 @@ index 7b3e682..1729d5d 100644
  
  manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
  manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
-@@ -110,7 +137,9 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
+@@ -110,11 +137,14 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
  files_pid_filetrans(nagios_t, nagios_var_run_t, file)
  
  manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
@@ -54512,7 +54573,13 @@ index 7b3e682..1729d5d 100644
  
  manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
  manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
-@@ -123,7 +152,6 @@ kernel_read_software_raid_state(nagios_t)
+-files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { file fifo_file })
++manage_dirs_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
++files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { dir file fifo_file })
+ 
+ kernel_read_system_state(nagios_t)
+ kernel_read_kernel_sysctls(nagios_t)
+@@ -123,7 +153,6 @@ kernel_read_software_raid_state(nagios_t)
  corecmd_exec_bin(nagios_t)
  corecmd_exec_shell(nagios_t)
  
@@ -54520,7 +54587,7 @@ index 7b3e682..1729d5d 100644
  corenet_all_recvfrom_netlabel(nagios_t)
  corenet_tcp_sendrecv_generic_if(nagios_t)
  corenet_tcp_sendrecv_generic_node(nagios_t)
-@@ -143,7 +171,6 @@ domain_read_all_domains_state(nagios_t)
+@@ -143,7 +172,6 @@ domain_read_all_domains_state(nagios_t)
  
  files_read_etc_runtime_files(nagios_t)
  files_read_kernel_symbol_table(nagios_t)
@@ -54528,7 +54595,7 @@ index 7b3e682..1729d5d 100644
  files_search_spool(nagios_t)
  
  fs_getattr_all_fs(nagios_t)
-@@ -153,8 +180,6 @@ auth_use_nsswitch(nagios_t)
+@@ -153,8 +181,6 @@ auth_use_nsswitch(nagios_t)
  
  logging_send_syslog_msg(nagios_t)
  
@@ -54537,7 +54604,7 @@ index 7b3e682..1729d5d 100644
  userdom_dontaudit_use_unpriv_user_fds(nagios_t)
  userdom_dontaudit_search_user_home_dirs(nagios_t)
  
-@@ -162,6 +187,35 @@ mta_send_mail(nagios_t)
+@@ -162,6 +188,35 @@ mta_send_mail(nagios_t)
  mta_signal_system_mail(nagios_t)
  mta_kill_system_mail(nagios_t)
  
@@ -54573,7 +54640,7 @@ index 7b3e682..1729d5d 100644
  optional_policy(`
  	netutils_kill_ping(nagios_t)
  ')
-@@ -178,35 +232,37 @@ optional_policy(`
+@@ -178,35 +233,37 @@ optional_policy(`
  #
  # CGI local policy
  #
@@ -54629,7 +54696,7 @@ index 7b3e682..1729d5d 100644
  ')
  
  ########################################
-@@ -229,9 +285,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
+@@ -229,9 +286,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
  
  domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
  
@@ -54640,7 +54707,7 @@ index 7b3e682..1729d5d 100644
  
  corecmd_exec_bin(nrpe_t)
  corecmd_exec_shell(nrpe_t)
-@@ -252,8 +308,8 @@ dev_read_urand(nrpe_t)
+@@ -252,8 +309,8 @@ dev_read_urand(nrpe_t)
  domain_use_interactive_fds(nrpe_t)
  domain_read_all_domains_state(nrpe_t)
  
@@ -54650,7 +54717,7 @@ index 7b3e682..1729d5d 100644
  
  fs_getattr_all_fs(nrpe_t)
  fs_search_auto_mountpoints(nrpe_t)
-@@ -262,10 +318,34 @@ auth_use_nsswitch(nrpe_t)
+@@ -262,10 +319,34 @@ auth_use_nsswitch(nrpe_t)
  
  logging_send_syslog_msg(nrpe_t)
  
@@ -54687,7 +54754,7 @@ index 7b3e682..1729d5d 100644
  optional_policy(`
  	inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
  ')
-@@ -310,15 +390,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+@@ -310,15 +391,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
  #
  
  allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@@ -54706,7 +54773,7 @@ index 7b3e682..1729d5d 100644
  logging_send_syslog_msg(nagios_mail_plugin_t)
  
  sysnet_dns_name_resolve(nagios_mail_plugin_t)
-@@ -345,6 +425,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
+@@ -345,6 +426,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
  
  kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
  
@@ -54716,7 +54783,7 @@ index 7b3e682..1729d5d 100644
  files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
  files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
  
-@@ -357,9 +440,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -357,9 +441,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
  # Services local policy
  #
  
@@ -54730,7 +54797,7 @@ index 7b3e682..1729d5d 100644
  
  corecmd_exec_bin(nagios_services_plugin_t)
  
-@@ -391,6 +476,11 @@ optional_policy(`
+@@ -391,6 +477,11 @@ optional_policy(`
  
  optional_policy(`
  	mysql_stream_connect(nagios_services_plugin_t)
@@ -54742,7 +54809,7 @@ index 7b3e682..1729d5d 100644
  ')
  
  optional_policy(`
-@@ -406,28 +496,36 @@ allow nagios_system_plugin_t self:capability dac_override;
+@@ -406,28 +497,36 @@ allow nagios_system_plugin_t self:capability dac_override;
  dontaudit nagios_system_plugin_t self:capability { setuid setgid };
  
  read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)
@@ -54781,7 +54848,7 @@ index 7b3e682..1729d5d 100644
  #######################################
  #
  # Event local policy
-@@ -442,9 +540,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
+@@ -442,9 +541,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
  
  init_domtrans_script(nagios_eventhandler_plugin_t)
  
@@ -55109,7 +55176,7 @@ index 94b9734..448a7e8 100644
 +/var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --git a/networkmanager.if b/networkmanager.if
-index 86dc29d..970bf8a 100644
+index 86dc29d..68f7cb1 100644
 --- a/networkmanager.if
 +++ b/networkmanager.if
 @@ -2,7 +2,7 @@
@@ -55340,11 +55407,12 @@ index 86dc29d..970bf8a 100644
  #
 -interface(`networkmanager_read_pid_files',`
 +interface(`networkmanager_manage_pid_files',`
-+	gen_require(`
-+		type NetworkManager_var_run_t;
-+	')
-+
-+	files_search_pids($1)
+ 	gen_require(`
+ 		type NetworkManager_var_run_t;
+ 	')
+ 
+ 	files_search_pids($1)
+-	allow $1 NetworkManager_var_run_t:file read_file_perms;
 +	manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
 +')
 +
@@ -55359,12 +55427,11 @@ index 86dc29d..970bf8a 100644
 +## </param>
 +#
 +interface(`networkmanager_manage_pid_sock_files',`
- 	gen_require(`
- 		type NetworkManager_var_run_t;
- 	')
- 
- 	files_search_pids($1)
--	allow $1 NetworkManager_var_run_t:file read_file_perms;
++	gen_require(`
++		type NetworkManager_var_run_t;
++	')
++
++	files_search_pids($1)
 +	manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
 +')
 +
@@ -55439,7 +55506,7 @@ index 86dc29d..970bf8a 100644
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -287,33 +425,150 @@ interface(`networkmanager_stream_connect',`
+@@ -287,33 +425,189 @@ interface(`networkmanager_stream_connect',`
  ## </param>
  ## <rolecap/>
  #
@@ -55566,6 +55633,45 @@ index 86dc29d..970bf8a 100644
 +
 +    allow $1 NetworkManager_t:process sigchld;
 +')
++
++########################################
++## <summary>
++##	Send signull to networkmanager.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++#
++interface(`networkmanager_signull',`
++	gen_require(`
++		type NetworkManager_t;
++	')
++
++    allow $1 NetworkManager_t:process signull;
++')
++
++########################################
++## <summary>
++##	Send sigkill to networkmanager.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++#
++interface(`networkmanager_sigkill',`
++	gen_require(`
++		type NetworkManager_t;
++	')
++
++    allow $1 NetworkManager_t:process sigkill;
++')
++
 +########################################
 +## <summary>
 +##	Transition to networkmanager named content
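Review bot: Both new interfaces end their doc block with two `#` lines where the interfaces in the earlier hunks of this file use one. They also indent the `allow` rule with spaces while `gen_require` uses tabs. Dropping the extra `#` and using a tab on the `allow` lines would keep the generated interface documentation and the file formatting consistent. The only caller added in this commit is dnssec_trigger_t in dnssec.te; a short comment there on why it needs `networkmanager_sigkill` in addition to `signull` would help, since sigkill lets that domain terminate NetworkManager.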
@@ -59025,10 +59131,15 @@ index 0000000..7d839fe
 +	pulseaudio_setattr_home_dir(nsplugin_t)
 +')
 diff --git a/ntop.te b/ntop.te
-index 8ec7859..719cffd 100644
+index 8ec7859..6c23623 100644
 --- a/ntop.te
 +++ b/ntop.te
-@@ -33,6 +33,7 @@ allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
+@@ -29,10 +29,11 @@ files_pid_file(ntop_var_run_t)
+ # Local Policy
+ #
+ 
+-allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
++allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin dac_override };
  dontaudit ntop_t self:capability sys_tty_config;
  allow ntop_t self:process signal_perms;
  allow ntop_t self:fifo_file rw_fifo_file_perms;
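Review bot: Adding `dac_override` to ntop_t lets the daemon ignore Unix file permissions altogether, and a denial on this capability usually points at a file or directory with the wrong owner or mode, not at a real need. Check which path triggered the AVC and fix its ownership in the package; if only reads or directory searches are blocked, `dac_read_search` is the narrower capability. If the grant has to stay, add a comment such as `# dac_override: <path> is owned by <user> (AVC: <reference>)`. The radvd.te hunk further down makes the same addition for radvd_t, and the same applies there.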
@@ -59057,6 +59168,17 @@ index 8ec7859..719cffd 100644
  
  fs_getattr_all_fs(ntop_t)
  fs_search_auto_mountpoints(ntop_t)
+@@ -101,6 +102,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    snmp_read_snmp_var_lib_files(ntop_t)
++')
++
++optional_policy(`
+ 	seutil_sigchld_newrole(ntop_t)
+ ')
+ 
 diff --git a/ntp.fc b/ntp.fc
 index af3c91e..3e5f9cf 100644
 --- a/ntp.fc
@@ -64617,10 +64739,10 @@ index 0000000..9b8cb6b
 +/var/run/pmcd\.socket    --  gen_context(system_u:object_r:pcp_var_run_t,s0)
 diff --git a/pcp.if b/pcp.if
 new file mode 100644
-index 0000000..b33d6ca
+index 0000000..80246e6
 --- /dev/null
 +++ b/pcp.if
-@@ -0,0 +1,141 @@
+@@ -0,0 +1,144 @@
 +## <summary>The  pcp  command summarizes the status of a Performance Co-Pilot (PCP) installation</summary>
 +
 +######################################
@@ -64642,12 +64764,15 @@ index 0000000..b33d6ca
 +    type pcp_$1_t, pcp_domain;
 +    type pcp_$1_exec_t;
 +    init_daemon_domain(pcp_$1_t, pcp_$1_exec_t)
-+    cron_system_entry(pcp_$1_t, pcp_$1_exec_t)
 +    
 +    type pcp_$1_initrc_exec_t;
 +    init_script_file(pcp_$1_initrc_exec_t)
 +
 +    auth_use_nsswitch(pcp_$1_t)
++
++    optional_policy(`
++        cron_system_entry(pcp_$1_t, pcp_$1_exec_t)
++    ')
 +')
 +
 +######################################
@@ -78960,9 +79085,18 @@ index ac7058d..48739ac 100644
  	init_labeled_script_domtrans($1, radvd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/radvd.te b/radvd.te
-index 6d162e4..889c0ed 100644
+index 6d162e4..9027807 100644
 --- a/radvd.te
 +++ b/radvd.te
+@@ -22,7 +22,7 @@ files_pid_file(radvd_var_run_t)
+ # Local policy
+ #
+ 
+-allow radvd_t self:capability { kill setgid setuid net_raw net_admin };
++allow radvd_t self:capability { kill setgid setuid net_raw net_admin dac_override };
+ dontaudit radvd_t self:capability sys_tty_config;
+ allow radvd_t self:process signal_perms;
+ allow radvd_t self:fifo_file rw_fifo_file_perms;
 @@ -65,8 +65,6 @@ auth_use_nsswitch(radvd_t)
  
  logging_send_syslog_msg(radvd_t)
@@ -81762,7 +81896,7 @@ index 47de2d6..eb08783 100644
 +/var/log/pacemaker\.log.*           --  gen_context(system_u:object_r:cluster_var_log_t,s0) 
 +/var/log/pcsd(/.*)?     gen_context(system_u:object_r:cluster_var_log_t,s0)
 diff --git a/rhcs.if b/rhcs.if
-index c8bdea2..bf60580 100644
+index c8bdea2..29df561 100644
 --- a/rhcs.if
 +++ b/rhcs.if
 @@ -1,19 +1,19 @@
@@ -82194,7 +82328,7 @@ index c8bdea2..bf60580 100644
  ')
  
  ######################################
-@@ -446,52 +556,362 @@ interface(`rhcs_domtrans_qdiskd',`
+@@ -446,52 +556,385 @@ interface(`rhcs_domtrans_qdiskd',`
  
  ########################################
  ## <summary>
@@ -82226,30 +82360,18 @@ index c8bdea2..bf60580 100644
  ##	<summary>
 -##	Role allowed access.
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`rhcs_admin',`
++##	</summary>
++## </param>
++#
 +interface(`rhcs_read_cluster_lib_files',`
- 	gen_require(`
--		attribute cluster_domain, cluster_pid, cluster_tmpfs;
--		attribute cluster_log;
--		type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t;
--		type fenced_tmp_t, qdiskd_var_lib_t;
++	gen_require(`
 +		type cluster_var_lib_t;
- 	')
- 
--	allow $1 cluster_domain:process { ptrace signal_perms };
--	ps_process_pattern($1, cluster_domain)
++	')
++
 +	files_search_var_lib($1)
 +	read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +')
- 
--	init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
--	domain_system_change_exemption($1)
--	role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
--	allow $2 system_r;
++
 +#####################################
 +## <summary>
 +##  Allow domain to manage cluster lib files
@@ -82264,15 +82386,11 @@ index c8bdea2..bf60580 100644
 +    gen_require(`
 +        type cluster_var_lib_t;
 +    ')
- 
--	files_search_pids($1)
--	admin_pattern($1, cluster_pid)
++
 +    files_search_var_lib($1)
 +    manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +')
- 
--	files_search_locks($1)
--	admin_pattern($1, fenced_lock_t)
++
 +####################################
 +## <summary>
 +##  Allow domain to relabel cluster lib files
@@ -82292,9 +82410,7 @@ index c8bdea2..bf60580 100644
 +    relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +	relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +')
- 
--	files_search_tmp($1)
--	admin_pattern($1, fenced_tmp_t)
++
 +######################################
 +## <summary>
 +##  Execute a domain transition to run cluster administrative domain.
@@ -82309,15 +82425,11 @@ index c8bdea2..bf60580 100644
 +    gen_require(`
 +        type cluster_t, cluster_exec_t;
 +    ')
- 
--	files_search_var_lib($1)
--	admin_pattern($1, qdiskd_var_lib_t)
++
 +    corecmd_search_bin($1)
 +    domtrans_pattern($1, cluster_exec_t, cluster_t)
 +')
- 
--	fs_search_tmpfs($1)
--	admin_pattern($1, cluster_tmpfs)
++
 +#######################################
 +## <summary>
 +##  Execute cluster init scripts in
@@ -82532,6 +82644,45 @@ index c8bdea2..bf60580 100644
 +    ps_process_pattern($1, cluster_t)
 +')
 +
++########################################
++## <summary>
++##	Send and receive messages from
++##	a cluster service over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`rhcs_admin',`
++interface(`rhcs_dbus_chat_cluster',`
+ 	gen_require(`
+-		attribute cluster_domain, cluster_pid, cluster_tmpfs;
+-		attribute cluster_log;
+-		type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t;
+-		type fenced_tmp_t, qdiskd_var_lib_t;
++		type cluster_t;
++		class dbus send_msg;
+ 	')
+ 
+-	allow $1 cluster_domain:process { ptrace signal_perms };
+-	ps_process_pattern($1, cluster_domain)
++	allow $1 cluster_t:dbus send_msg;
++	allow cluster_t $1:dbus send_msg;
++')
+ 
+-	init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
+-	domain_system_change_exemption($1)
+-	role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
+-	allow $2 system_r;
+ 
+-	files_search_pids($1)
+-	admin_pattern($1, cluster_pid)
+ 
+-	files_search_locks($1)
+-	admin_pattern($1, fenced_lock_t)
 +#####################################
 +## <summary>
 +##  All of the rules required to administrate
@@ -82555,14 +82706,20 @@ index c8bdea2..bf60580 100644
 +        type cluster_tmpfs_t, cluster_var_log_t, cluster_var_run_t;
 +		type cluster_unit_file_t;
 +    ')
-+
+ 
+-	files_search_tmp($1)
+-	admin_pattern($1, fenced_tmp_t)
 +    allow $1 cluster_t:process signal_perms;
 +    ps_process_pattern($1, cluster_t)
-+
+ 
+-	files_search_var_lib($1)
+-	admin_pattern($1, qdiskd_var_lib_t)
 +    tunable_policy(`deny_ptrace',`',`
 +        allow $1 cluster_t:process ptrace;
 +    ')
-+
+ 
+-	fs_search_tmpfs($1)
+-	admin_pattern($1, cluster_tmpfs)
 +    init_labeled_script_domtrans($1, cluster_initrc_exec_t)
 +    domain_system_change_exemption($1)
 +    role_transition $2 cluster_initrc_exec_t system_r;
@@ -86152,7 +86309,7 @@ index ebe91fc..913587c 100644
 +/sbin/cpio			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  ')
 diff --git a/rpm.if b/rpm.if
-index ef3b225..d481e0a 100644
+index ef3b225..8f213aa 100644
 --- a/rpm.if
 +++ b/rpm.if
 @@ -1,8 +1,8 @@
@@ -86218,7 +86375,7 @@ index ef3b225..d481e0a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -74,23 +74,28 @@ interface(`rpm_domtrans_script',`
+@@ -74,23 +74,30 @@ interface(`rpm_domtrans_script',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -86242,6 +86399,8 @@ index ef3b225..d481e0a 100644
 +	domain_system_change_exemption($1)
 +	role_transition $2 rpm_exec_t system_r;
 +	allow $2 system_r;
++
++    rpm_transition_script($1, $2)
  ')
  
  ########################################
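Review bot: Adding `rpm_transition_script($1, $2)` at the end of `rpm_run` widens every existing caller of `rpm_run`, not only the cloud-init case the changelog mentions, and nothing in the interface says so. What the call grants is not visible here, since the definition of `rpm_transition_script` and the start of `rpm_run` are both outside the hunk. Callers of `rpm_run` presumably now pick up a transition into the rpm script domain, so they should be reviewed with that in mind. I would also put a comment above the call, for example `# callers that run rpm also run its scriptlets, BZ(1227484)`, and extend the `rpm_run` summary to mention the script domain.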
@@ -86251,7 +86410,7 @@ index ef3b225..d481e0a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -109,7 +114,7 @@ interface(`rpm_exec',`
+@@ -109,7 +116,7 @@ interface(`rpm_exec',`
  
  ########################################
  ## <summary>
@@ -86260,7 +86419,7 @@ index ef3b225..d481e0a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -127,7 +132,7 @@ interface(`rpm_signull',`
+@@ -127,7 +134,7 @@ interface(`rpm_signull',`
  
  ########################################
  ## <summary>
@@ -86269,7 +86428,7 @@ index ef3b225..d481e0a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -145,7 +150,7 @@ interface(`rpm_use_fds',`
+@@ -145,7 +152,7 @@ interface(`rpm_use_fds',`
  
  ########################################
  ## <summary>
@@ -86278,7 +86437,7 @@ index ef3b225..d481e0a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -163,7 +168,7 @@ interface(`rpm_read_pipes',`
+@@ -163,7 +170,7 @@ interface(`rpm_read_pipes',`
  
  ########################################
  ## <summary>
@@ -86287,7 +86446,7 @@ index ef3b225..d481e0a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -181,6 +186,60 @@ interface(`rpm_rw_pipes',`
+@@ -181,6 +188,60 @@ interface(`rpm_rw_pipes',`
  
  ########################################
  ## <summary>
@@ -86348,7 +86507,7 @@ index ef3b225..d481e0a 100644
  ##	Send and receive messages from
  ##	rpm over dbus.
  ## </summary>
-@@ -224,7 +283,7 @@ interface(`rpm_dontaudit_dbus_chat',`
+@@ -224,7 +285,7 @@ interface(`rpm_dontaudit_dbus_chat',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -86357,7 +86516,7 @@ index ef3b225..d481e0a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -244,7 +303,7 @@ interface(`rpm_script_dbus_chat',`
+@@ -244,7 +305,7 @@ interface(`rpm_script_dbus_chat',`
  
  ########################################
  ## <summary>
@@ -86366,7 +86525,7 @@ index ef3b225..d481e0a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -263,7 +322,8 @@ interface(`rpm_search_log',`
+@@ -263,7 +324,8 @@ interface(`rpm_search_log',`
  
  #####################################
  ## <summary>
@@ -86376,17 +86535,19 @@ index ef3b225..d481e0a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -276,14 +336,30 @@ interface(`rpm_append_log',`
+@@ -276,14 +338,30 @@ interface(`rpm_append_log',`
  		type rpm_log_t;
  	')
  
 -	logging_search_logs($1)
 -	append_files_pattern($1, rpm_log_t, rpm_log_t)
 +	allow $1 rpm_log_t:file append_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	rpm log files.
 +##	Create, read, write, and delete the RPM log.
 +## </summary>
 +## <param name="domain">
@@ -86401,17 +86562,15 @@ index ef3b225..d481e0a 100644
 +	')
 +
 +    read_files_pattern($1, rpm_log_t, rpm_log_t)
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete
--##	rpm log files.
++')
++
++########################################
++## <summary>
 +##	Create, read, write, and delete the RPM log.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -302,7 +378,32 @@ interface(`rpm_manage_log',`
+@@ -302,7 +380,32 @@ interface(`rpm_manage_log',`
  
  ########################################
  ## <summary>
@@ -86445,7 +86604,7 @@ index ef3b225..d481e0a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -320,8 +421,8 @@ interface(`rpm_use_script_fds',`
+@@ -320,8 +423,8 @@ interface(`rpm_use_script_fds',`
  
  ########################################
  ## <summary>
@@ -86456,7 +86615,7 @@ index ef3b225..d481e0a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -335,12 +436,15 @@ interface(`rpm_manage_script_tmp_files',`
+@@ -335,12 +438,15 @@ interface(`rpm_manage_script_tmp_files',`
  	')
  
  	files_search_tmp($1)
@@ -86473,7 +86632,7 @@ index ef3b225..d481e0a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -353,14 +457,13 @@ interface(`rpm_append_tmp_files',`
+@@ -353,14 +459,13 @@ interface(`rpm_append_tmp_files',`
  		type rpm_tmp_t;
  	')
  
@@ -86491,7 +86650,7 @@ index ef3b225..d481e0a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -374,12 +477,14 @@ interface(`rpm_manage_tmp_files',`
+@@ -374,12 +479,14 @@ interface(`rpm_manage_tmp_files',`
  	')
  
  	files_search_tmp($1)
@@ -86507,7 +86666,7 @@ index ef3b225..d481e0a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -399,7 +504,7 @@ interface(`rpm_read_script_tmp_files',`
+@@ -399,7 +506,7 @@ interface(`rpm_read_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -86516,7 +86675,7 @@ index ef3b225..d481e0a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -420,8 +525,7 @@ interface(`rpm_read_cache',`
+@@ -420,8 +527,7 @@ interface(`rpm_read_cache',`
  
  ########################################
  ## <summary>
@@ -86526,7 +86685,7 @@ index ef3b225..d481e0a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -442,7 +546,7 @@ interface(`rpm_manage_cache',`
+@@ -442,7 +548,7 @@ interface(`rpm_manage_cache',`
  
  ########################################
  ## <summary>
@@ -86535,7 +86694,7 @@ index ef3b225..d481e0a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -459,11 +563,12 @@ interface(`rpm_read_db',`
+@@ -459,11 +565,12 @@ interface(`rpm_read_db',`
  	allow $1 rpm_var_lib_t:dir list_dir_perms;
  	read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
  	read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -86549,7 +86708,7 @@ index ef3b225..d481e0a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -482,8 +587,7 @@ interface(`rpm_delete_db',`
+@@ -482,8 +589,7 @@ interface(`rpm_delete_db',`
  
  ########################################
  ## <summary>
@@ -86559,7 +86718,7 @@ index ef3b225..d481e0a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -503,8 +607,28 @@ interface(`rpm_manage_db',`
+@@ -503,8 +609,28 @@ interface(`rpm_manage_db',`
  
  ########################################
  ## <summary>
@@ -86589,7 +86748,7 @@ index ef3b225..d481e0a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -517,7 +641,7 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -517,7 +643,7 @@ interface(`rpm_dontaudit_manage_db',`
  		type rpm_var_lib_t;
  	')
  
@@ -86598,7 +86757,7 @@ index ef3b225..d481e0a 100644
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
-@@ -543,8 +667,7 @@ interface(`rpm_read_pid_files',`
+@@ -543,8 +669,7 @@ interface(`rpm_read_pid_files',`
  
  #####################################
  ## <summary>
@@ -86608,7 +86767,7 @@ index ef3b225..d481e0a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -563,8 +686,7 @@ interface(`rpm_manage_pid_files',`
+@@ -563,8 +688,7 @@ interface(`rpm_manage_pid_files',`
  
  ######################################
  ## <summary>
@@ -86618,7 +86777,7 @@ index ef3b225..d481e0a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -573,43 +695,54 @@ interface(`rpm_manage_pid_files',`
+@@ -573,43 +697,54 @@ interface(`rpm_manage_pid_files',`
  ## </param>
  #
  interface(`rpm_pid_filetrans',`
@@ -86690,7 +86849,7 @@ index ef3b225..d481e0a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -617,22 +750,56 @@ interface(`rpm_pid_filetrans_rpm_pid',`
+@@ -617,22 +752,56 @@ interface(`rpm_pid_filetrans_rpm_pid',`
  ##	</summary>
  ## </param>
  ## <param name="role">
@@ -86758,7 +86917,7 @@ index ef3b225..d481e0a 100644
  
  	init_labeled_script_domtrans($1, rpm_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -641,9 +808,6 @@ interface(`rpm_admin',`
+@@ -641,9 +810,6 @@ interface(`rpm_admin',`
  
  	admin_pattern($1, rpm_file_t)
  
@@ -89274,7 +89433,7 @@ index 50d07fb..59296a2 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 2b7c441..9f3c662 100644
+index 2b7c441..9303cc1 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@@ -89540,7 +89699,7 @@ index 2b7c441..9f3c662 100644
  
  dev_read_urand(samba_net_t)
  
-@@ -233,15 +236,16 @@ auth_manage_cache(samba_net_t)
+@@ -233,15 +236,22 @@ auth_manage_cache(samba_net_t)
  
  logging_send_syslog_msg(samba_net_t)
  
@@ -89556,12 +89715,18 @@ index 2b7c441..9f3c662 100644
  
  optional_policy(`
 -	ldap_stream_connect(samba_net_t)
++	ctdbd_stream_connect(samba_net_t)
++    ctdbd_manage_lib_dirs(samba_net_t)
++    ctdbd_manage_lib_files(samba_net_t)
++')
++
++optional_policy(`
 +    ldap_stream_connect(samba_net_t)
 +    dirsrv_stream_connect(samba_net_t)
  ')
  
  optional_policy(`
-@@ -249,46 +253,58 @@ optional_policy(`
+@@ -249,46 +259,58 @@ optional_policy(`
  ')
  
  optional_policy(`
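Review bot: The new `optional_policy` block gives samba_net_t both `ctdbd_manage_lib_dirs` and `ctdbd_manage_lib_files`, which by the usual manage_* convention means create, write and delete, while the changelog only speaks of access to /var/lib/ctdbd. If samba_net_t only reads or updates existing ctdbd state, a narrower interface would limit what a compromised samba_net_t process can do to that state. The hunk does not show which operations were actually denied. A comment on the block naming the operation that needs the grant, in the form `# needed for <operation> on /var/lib/ctdbd`, would make it reviewable later.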
@@ -89581,7 +89746,8 @@ index 2b7c441..9f3c662 100644
 +# smbd Local policy
  #
  
- allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
+-allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
++allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search net_admin };
  dontaudit smbd_t self:capability sys_tty_config;
 -allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
 +allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
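Review bot: `net_admin` is added to the `allow smbd_t self:capability` set unconditionally, although the changelog ties it to one case (making CIFS mounts work) and the capability covers interface, routing and firewall configuration for the whole domain. If only some deployments need it, the grant would be better placed in a `tunable_policy` block alongside the existing samba tunables, which are outside this hunk. If it is always needed, a comment on the rule should say which operation requires it. Note too that the changelog entry names samba_t while the rule changes smbd_t.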
@@ -89632,7 +89798,7 @@ index 2b7c441..9f3c662 100644
  manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
  allow smbd_t samba_share_t:filesystem { getattr quotaget };
  
-@@ -298,65 +314,72 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
+@@ -298,65 +320,72 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
  manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
  
@@ -89729,7 +89895,7 @@ index 2b7c441..9f3c662 100644
  
  fs_getattr_all_fs(smbd_t)
  fs_getattr_all_dirs(smbd_t)
-@@ -366,44 +389,53 @@ fs_getattr_rpc_dirs(smbd_t)
+@@ -366,44 +395,53 @@ fs_getattr_rpc_dirs(smbd_t)
  fs_list_inotifyfs(smbd_t)
  fs_get_all_fs_quotas(smbd_t)
  
@@ -89795,7 +89961,7 @@ index 2b7c441..9f3c662 100644
  ')
  
  tunable_policy(`samba_domain_controller',`
-@@ -419,20 +451,10 @@ tunable_policy(`samba_domain_controller',`
+@@ -419,20 +457,10 @@ tunable_policy(`samba_domain_controller',`
  ')
  
  tunable_policy(`samba_enable_home_dirs',`
@@ -89818,7 +89984,7 @@ index 2b7c441..9f3c662 100644
  tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_dirs(smbd_t)
  	fs_manage_nfs_files(smbd_t)
-@@ -441,6 +463,7 @@ tunable_policy(`samba_share_nfs',`
+@@ -441,6 +469,7 @@ tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_named_sockets(smbd_t)
  ')
  
@@ -89826,7 +89992,7 @@ index 2b7c441..9f3c662 100644
  tunable_policy(`samba_share_fusefs',`
  	fs_manage_fusefs_dirs(smbd_t)
  	fs_manage_fusefs_files(smbd_t)
-@@ -448,15 +471,10 @@ tunable_policy(`samba_share_fusefs',`
+@@ -448,15 +477,10 @@ tunable_policy(`samba_share_fusefs',`
  	fs_search_fusefs(smbd_t)
  ')
  
@@ -89846,7 +90012,7 @@ index 2b7c441..9f3c662 100644
  ')
  
  optional_policy(`
-@@ -466,6 +484,7 @@ optional_policy(`
+@@ -466,6 +490,7 @@ optional_policy(`
  optional_policy(`
  	ctdbd_stream_connect(smbd_t)
  	ctdbd_manage_lib_files(smbd_t)
@@ -89854,7 +90020,7 @@ index 2b7c441..9f3c662 100644
  ')
  
  optional_policy(`
-@@ -474,11 +493,30 @@ optional_policy(`
+@@ -474,11 +499,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -89885,7 +90051,7 @@ index 2b7c441..9f3c662 100644
  	lpd_exec_lpr(smbd_t)
  ')
  
-@@ -488,6 +526,10 @@ optional_policy(`
+@@ -488,6 +532,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -89896,7 +90062,7 @@ index 2b7c441..9f3c662 100644
  	rpc_search_nfs_state_data(smbd_t)
  ')
  
-@@ -499,9 +541,48 @@ optional_policy(`
+@@ -499,9 +547,48 @@ optional_policy(`
  	udev_read_db(smbd_t)
  ')
  
@@ -89946,7 +90112,7 @@ index 2b7c441..9f3c662 100644
  #
  
  dontaudit nmbd_t self:capability sys_tty_config;
-@@ -512,9 +593,11 @@ allow nmbd_t self:msg { send receive };
+@@ -512,9 +599,11 @@ allow nmbd_t self:msg { send receive };
  allow nmbd_t self:msgq create_msgq_perms;
  allow nmbd_t self:sem create_sem_perms;
  allow nmbd_t self:shm create_shm_perms;
@@ -89961,7 +90127,7 @@ index 2b7c441..9f3c662 100644
  
  manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
  manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +609,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +615,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  
  manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -89985,7 +90151,7 @@ index 2b7c441..9f3c662 100644
  
  kernel_getattr_core_if(nmbd_t)
  kernel_getattr_message_if(nmbd_t)
-@@ -547,53 +625,44 @@ kernel_read_kernel_sysctls(nmbd_t)
+@@ -547,53 +631,44 @@ kernel_read_kernel_sysctls(nmbd_t)
  kernel_read_network_state(nmbd_t)
  kernel_read_software_raid_state(nmbd_t)
  kernel_read_system_state(nmbd_t)
@@ -90036,14 +90202,14 @@ index 2b7c441..9f3c662 100644
 -
  userdom_use_unpriv_users_fds(nmbd_t)
 -userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
--
++userdom_dontaudit_search_user_home_dirs(nmbd_t)
+ 
 -tunable_policy(`samba_export_all_ro',`
 -	fs_read_noxattr_fs_files(nmbd_t)
 -	files_list_non_auth_dirs(nmbd_t)
 -	files_read_non_auth_files(nmbd_t)
 -')
-+userdom_dontaudit_search_user_home_dirs(nmbd_t)
- 
+-
 -tunable_policy(`samba_export_all_rw',`
 -	fs_read_noxattr_fs_files(nmbd_t)
 -	files_manage_non_auth_files(nmbd_t)
@@ -90054,7 +90220,7 @@ index 2b7c441..9f3c662 100644
  ')
  
  optional_policy(`
-@@ -606,16 +675,22 @@ optional_policy(`
+@@ -606,16 +681,22 @@ optional_policy(`
  
  ########################################
  #
@@ -90081,7 +90247,7 @@ index 2b7c441..9f3c662 100644
  
  manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
  
-@@ -627,16 +702,13 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,16 +708,13 @@ domain_use_interactive_fds(smbcontrol_t)
  
  dev_read_urand(smbcontrol_t)
  
@@ -90100,7 +90266,7 @@ index 2b7c441..9f3c662 100644
  
  optional_policy(`
  	ctdbd_stream_connect(smbcontrol_t)
-@@ -644,22 +716,23 @@ optional_policy(`
+@@ -644,22 +722,23 @@ optional_policy(`
  
  ########################################
  #
@@ -90132,7 +90298,7 @@ index 2b7c441..9f3c662 100644
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
  
-@@ -668,26 +741,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +747,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
  
@@ -90168,7 +90334,7 @@ index 2b7c441..9f3c662 100644
  
  fs_getattr_cifs(smbmount_t)
  fs_mount_cifs(smbmount_t)
-@@ -699,58 +768,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +774,77 @@ fs_read_cifs_files(smbmount_t)
  storage_raw_read_fixed_disk(smbmount_t)
  storage_raw_write_fixed_disk(smbmount_t)
  
@@ -90260,7 +90426,7 @@ index 2b7c441..9f3c662 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +847,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +853,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
  manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
  files_pid_filetrans(swat_t, swat_var_run_t, file)
  
@@ -90284,7 +90450,7 @@ index 2b7c441..9f3c662 100644
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -777,36 +861,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +867,25 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -90327,7 +90493,7 @@ index 2b7c441..9f3c662 100644
  
  auth_domtrans_chk_passwd(swat_t)
  auth_use_nsswitch(swat_t)
-@@ -818,10 +891,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +897,11 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -90341,7 +90507,7 @@ index 2b7c441..9f3c662 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -840,17 +914,20 @@ optional_policy(`
+@@ -840,17 +920,20 @@ optional_policy(`
  # Winbind local policy
  #
  
@@ -90367,7 +90533,7 @@ index 2b7c441..9f3c662 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +937,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +943,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
  filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
  
  manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -90378,7 +90544,7 @@ index 2b7c441..9f3c662 100644
  manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
  
  manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,38 +948,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,38 +954,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
  
  rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  
@@ -90431,7 +90597,7 @@ index 2b7c441..9f3c662 100644
  corenet_tcp_connect_smbd_port(winbind_t)
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,38 +990,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,38 +996,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
  dev_read_sysfs(winbind_t)
  dev_read_urand(winbind_t)
  
@@ -90490,7 +90656,7 @@ index 2b7c441..9f3c662 100644
  ')
  
  optional_policy(`
-@@ -959,31 +1051,35 @@ optional_policy(`
+@@ -959,31 +1057,35 @@ optional_policy(`
  # Winbind helper local policy
  #
  
@@ -90533,7 +90699,7 @@ index 2b7c441..9f3c662 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -997,25 +1093,38 @@ optional_policy(`
+@@ -997,25 +1099,38 @@ optional_policy(`
  
  ########################################
  #
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e0963a0..d096f2b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 129%{?dist}
+Release: 130%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,34 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Jun 18 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-130
+- Allow glusterd to interact with gluster tools running in a user domain
+- rpm_transition_script() is called from rpm_run. Update cloud-init rules.
+- Call rpm_transition_script() from rpm_run() interface.
+- Allow radvd has setuid and it requires dac_override. BZ(1224403)
+- Add glusterd_manage_lib_files() interface.
+- Allow samba_t net_admin capability to make CIFS mount working.
+- S30samba-start gluster hooks wants to search audit logs. Dontaudit it.
+- Reflect logrotate change which moves /var/lib/logrotate.status to /var/lib/logrotate/logrotate.status. BZ(1228531)
+- ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid. BZ(1058822)
+- Allow cloud-init to run rpm scriptlets to install packages. BZ(1227484)
+- Allow nagios to generate charts.
+- Allow glusterd to send generic signals to systemd_passwd_agent processes.
+- Allow glusterd to run init scripts.
+- Allow glusterd to execute /usr/sbin/xfs_dbin glusterd_t domain.
+- Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block.
+- Allow samba-net to access /var/lib/ctdbd dirs/files.
+- Allow glusterd to send a signal to smbd.
+- Make ctdbd as home manager to access also FUSE.
+- Allow glusterd to use geo-replication gluster tool.
+- Allow glusterd to execute ssh-keygen.
+- Allow glusterd to interact with cluster services.
+- Add rhcs_dbus_chat_cluster()
+- systemd-logind accesses /dev/shm. BZ(1230443)
+- Label gluster python hooks also as bin_t.
+- Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so.
+- Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password.
+
 * Tue Jun 09 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-129
 - We need to restore contexts on /etc/passwd*,/etc/group*,/etc/*shadow* during install phase to get proper labeling for these files until selinux-policy pkgs are installed. BZ(1228489)