##
## Allow the specified domain to
@@ -18622,7 +18941,7 @@ index 8416beb..19d5bea 100644
## Example attributes:
##
##
-@@ -4596,6 +6253,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +6290,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
########################################
##
@@ -18649,7 +18968,7 @@ index 8416beb..19d5bea 100644
## Get the quotas of all filesystems.
##
##
-@@ -4671,6 +6348,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +6385,25 @@ interface(`fs_getattr_all_dirs',`
########################################
##
@@ -18675,7 +18994,7 @@ index 8416beb..19d5bea 100644
## Search all directories with a filesystem type.
##
##
-@@ -4912,3 +6608,176 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6645,176 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -18714,7 +19033,7 @@ index 8416beb..19d5bea 100644
+interface(`fs_tmpfs_filetrans_named_content',`
+ gen_require(`
+ type cgroup_t;
-+ type devlog_t;
++ type devlog_t;
+ ')
+
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpu")
@@ -18847,13 +19166,13 @@ index 8416beb..19d5bea 100644
+#
+interface(`fs_unmount_tracefs', `
+ gen_require(`
-+ type cgroup_t;
++ type tracefs_t;
+ ')
+
+ allow $1 tracefs_t:filesystem unmount;
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index e7d1738..b3e6523 100644
+index e7d1738..b10afaf 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -26,14 +26,20 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
@@ -18877,7 +19196,15 @@ index e7d1738..b3e6523 100644
# Use the allocating task SID to label inodes in the following filesystem
# types, and label the filesystem itself with the specified context.
-@@ -53,6 +59,7 @@ type anon_inodefs_t;
+@@ -43,6 +49,7 @@ fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_task eventpollfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0);
++fs_use_task nsfs gen_context(system_u:object_r:fs_t,s0);
+
+ ##############################
+ #
+@@ -53,6 +60,7 @@ type anon_inodefs_t;
fs_type(anon_inodefs_t)
files_mountpoint(anon_inodefs_t)
genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
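Review bot: The added `fs_use_task nsfs gen_context(system_u:object_r:fs_t,s0);` line has no comment explaining why nsfs is labeled per allocating task instead of getting its own type through `genfscon`, the way the other pseudo filesystems visible in this file's context (anon_inodefs, binfmt_misc, ecryptfs, hugetlbfs) are handled. With fs_use_task the inodes carry the SID of the task that created them, so access to namespace handles is governed by each domain's own rules rather than by a dedicated filesystem type; that is a deliberate choice worth recording next to the rule, since the only rationale on this page is the changelog line about neutron_t. Suggested comment above it: `# nsfs (/proc/<pid>/ns handles): inodes take the opening task's label; the fs itself is fs_t`.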
@@ -18885,7 +19212,7 @@ index e7d1738..b3e6523 100644
type bdev_t;
fs_type(bdev_t)
-@@ -63,16 +70,28 @@ fs_type(binfmt_misc_fs_t)
+@@ -63,16 +71,28 @@ fs_type(binfmt_misc_fs_t)
files_mountpoint(binfmt_misc_fs_t)
genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
@@ -18915,7 +19242,7 @@ index e7d1738..b3e6523 100644
type configfs_t;
fs_type(configfs_t)
-@@ -88,6 +107,11 @@ fs_noxattr_type(ecryptfs_t)
+@@ -88,6 +108,11 @@ fs_noxattr_type(ecryptfs_t)
files_mountpoint(ecryptfs_t)
genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
@@ -18927,7 +19254,7 @@ index e7d1738..b3e6523 100644
type futexfs_t;
fs_type(futexfs_t)
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
-@@ -96,6 +120,7 @@ type hugetlbfs_t;
+@@ -96,6 +121,7 @@ type hugetlbfs_t;
fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
@@ -18935,7 +19262,7 @@ index e7d1738..b3e6523 100644
type ibmasmfs_t;
fs_type(ibmasmfs_t)
-@@ -111,6 +136,12 @@ type inotifyfs_t;
+@@ -111,6 +137,12 @@ type inotifyfs_t;
fs_type(inotifyfs_t)
genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
@@ -18948,7 +19275,7 @@ index e7d1738..b3e6523 100644
type mvfs_t;
fs_noxattr_type(mvfs_t)
allow mvfs_t self:filesystem associate;
-@@ -118,13 +149,23 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+@@ -118,13 +150,23 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
type nfsd_fs_t;
fs_type(nfsd_fs_t)
@@ -18973,7 +19300,7 @@ index e7d1738..b3e6523 100644
fs_type(pstore_t)
files_mountpoint(pstore_t)
dev_associate_sysfs(pstore_t)
-@@ -150,17 +191,16 @@ fs_type(spufs_t)
+@@ -150,17 +192,16 @@ fs_type(spufs_t)
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
@@ -18995,7 +19322,7 @@ index e7d1738..b3e6523 100644
type vmblock_t;
fs_noxattr_type(vmblock_t)
files_mountpoint(vmblock_t)
-@@ -172,6 +212,8 @@ type vxfs_t;
+@@ -172,6 +213,8 @@ type vxfs_t;
fs_noxattr_type(vxfs_t)
files_mountpoint(vxfs_t)
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@@ -19004,7 +19331,7 @@ index e7d1738..b3e6523 100644
#
# tmpfs_t is the type for tmpfs filesystems
-@@ -182,6 +224,8 @@ fs_type(tmpfs_t)
+@@ -182,6 +225,8 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
@@ -19013,7 +19340,7 @@ index e7d1738..b3e6523 100644
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
-@@ -261,6 +305,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -261,6 +306,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@@ -19022,7 +19349,7 @@ index e7d1738..b3e6523 100644
files_mountpoint(removable_t)
#
-@@ -280,6 +326,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -280,6 +327,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -19030,7 +19357,7 @@ index e7d1738..b3e6523 100644
########################################
#
-@@ -301,9 +348,10 @@ fs_associate_noxattr(noxattrfs)
+@@ -301,9 +349,10 @@ fs_associate_noxattr(noxattrfs)
# Unconfined access to this module
#
@@ -40804,7 +41131,7 @@ index 9fe8e01..c62c761 100644
/var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
')
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index fc28bc3..8828b8a 100644
+index fc28bc3..3be6892 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -67,6 +67,27 @@ interface(`miscfiles_read_all_certs',`
@@ -40998,7 +41325,7 @@ index fc28bc3..8828b8a 100644
- files_etc_filetrans($1, locale_t, file)
-
-+ files_etc_filetrans($1, locale_t, lnk_file)
++ files_etc_filetrans($1, locale_t, { file lnk_file })
+ files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" )
+ files_etc_filetrans($1, locale_t, file, "locale.conf" )
+ files_etc_filetrans($1, locale_t, file, "timezone" )
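Review bot: `files_etc_filetrans($1, locale_t, { file lnk_file })` is an unnamed transition, so every file or symlink the caller creates in an etc_t directory becomes locale_t, not only the `localtime`, `locale.conf` and `timezone` entries named on the next three lines; changing it from `lnk_file` to `{ file lnk_file }` widens that catch-all to regular files. Name-based transitions take precedence, so if the intent is the three named files (the changelog entry speaks of systemd_localed_t/systemd_timedated_t creating files in /etc) the named rules already cover them and the unnamed line should be dropped; if the catch-all is intended, a comment saying so would keep the next reader from removing it. The enclosing interface begins outside the hunk.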
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 9f9f119..5c3fa78 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -12384,7 +12384,7 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index 550b287..b4565e3 100644
+index 550b287..80de6d3 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,18 +18,26 @@ files_type(certmonger_var_lib_t)
@@ -12475,7 +12475,8 @@ index 550b287..b4565e3 100644
optional_policy(`
- apache_initrc_domtrans(certmonger_t)
- apache_search_config(certmonger_t)
+- apache_search_config(certmonger_t)
++ apache_read_config(certmonger_t)
apache_signal(certmonger_t)
apache_signull(certmonger_t)
+ apache_systemctl(certmonger_t)
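Review bot: Replacing `apache_search_config(certmonger_t)` with `apache_read_config(certmonger_t)` moves certmonger from searching httpd configuration directories to reading every httpd_config_t file, which may include credential-bearing directives, and the hunk records no reason for the wider grant. A short comment would make it auditable, e.g. `# read httpd config to locate the certificate/key paths certmonger tracks — TODO confirm which directives are needed`. The enclosing optional_policy block starts before the hunk.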
@@ -24429,7 +24430,7 @@ index 8ce99ff..1bc5d3a 100644
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
')
diff --git a/devicekit.te b/devicekit.te
-index 77a5003..360db40 100644
+index 77a5003..86a7ed2 100644
--- a/devicekit.te
+++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1)
@@ -24462,20 +24463,22 @@ index 77a5003..360db40 100644
########################################
#
# Local policy
-@@ -45,11 +49,8 @@ kernel_read_system_state(devicekit_t)
+@@ -44,12 +48,10 @@ kernel_read_system_state(devicekit_t)
+
dev_read_sysfs(devicekit_t)
dev_read_urand(devicekit_t)
-
+-
-files_read_etc_files(devicekit_t)
-
-miscfiles_read_localization(devicekit_t)
--
++dev_getattr_all(devicekit_t)
+
optional_policy(`
+ dbus_system_domain(devicekit_t, devicekit_exec_t)
dbus_system_bus_client(devicekit_t)
allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg;
-@@ -64,7 +65,8 @@ optional_policy(`
+@@ -64,7 +66,8 @@ optional_policy(`
# Disk local policy
#
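Review bot: `dev_getattr_all(devicekit_t)` is a broader grant than the `dev_getattr_all_chr_files(devicekit_disk_t)` the disk sub-domain uses further down this file (visible as context under the `@@ -99,6 +103,8 @@` hunk), and nothing in the hunk says which device nodes the parent devicekit_t actually needs to stat. If it only enumerates character devices, using the same narrower interface keeps the two domains consistent; otherwise a comment naming the device class it walks would justify the wider rule, e.g. `# devicekit_t stats all device nodes when enumerating hardware — TODO confirm blk/chr need`. The devicekit_t rule block continues outside the hunk.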
@@ -24485,7 +24488,7 @@ index 77a5003..360db40 100644
allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -81,17 +83,18 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
+@@ -81,17 +84,18 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
@@ -24506,7 +24509,7 @@ index 77a5003..360db40 100644
corecmd_exec_bin(devicekit_disk_t)
corecmd_exec_shell(devicekit_disk_t)
-@@ -99,6 +102,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
+@@ -99,6 +103,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
dev_getattr_all_chr_files(devicekit_disk_t)
dev_getattr_mtrr_dev(devicekit_disk_t)
@@ -24515,7 +24518,7 @@ index 77a5003..360db40 100644
dev_getattr_usbfs_dirs(devicekit_disk_t)
dev_manage_generic_files(devicekit_disk_t)
dev_read_urand(devicekit_disk_t)
-@@ -117,8 +122,8 @@ files_getattr_all_pipes(devicekit_disk_t)
+@@ -117,8 +123,8 @@ files_getattr_all_pipes(devicekit_disk_t)
files_manage_boot_dirs(devicekit_disk_t)
files_manage_isid_type_dirs(devicekit_disk_t)
files_manage_mnt_dirs(devicekit_disk_t)
@@ -24525,7 +24528,7 @@ index 77a5003..360db40 100644
fs_getattr_all_fs(devicekit_disk_t)
fs_list_inotifyfs(devicekit_disk_t)
-@@ -135,18 +140,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
+@@ -135,18 +141,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
storage_raw_read_removable_device(devicekit_disk_t)
storage_raw_write_removable_device(devicekit_disk_t)
@@ -24547,7 +24550,7 @@ index 77a5003..360db40 100644
dbus_system_bus_client(devicekit_disk_t)
allow devicekit_disk_t devicekit_t:dbus send_msg;
-@@ -170,6 +175,7 @@ optional_policy(`
+@@ -170,6 +176,7 @@ optional_policy(`
optional_policy(`
mount_domtrans(devicekit_disk_t)
@@ -24555,7 +24558,7 @@ index 77a5003..360db40 100644
')
optional_policy(`
-@@ -183,6 +189,11 @@ optional_policy(`
+@@ -183,6 +190,11 @@ optional_policy(`
')
optional_policy(`
@@ -24567,7 +24570,7 @@ index 77a5003..360db40 100644
udev_domtrans(devicekit_disk_t)
udev_read_db(devicekit_disk_t)
udev_read_pid_files(devicekit_disk_t)
-@@ -192,12 +203,19 @@ optional_policy(`
+@@ -192,12 +204,19 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
@@ -24588,7 +24591,7 @@ index 77a5003..360db40 100644
allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
-@@ -212,9 +230,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+@@ -212,9 +231,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
@@ -24599,7 +24602,7 @@ index 77a5003..360db40 100644
logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
-@@ -224,12 +240,12 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file })
+@@ -224,12 +241,12 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file })
kernel_read_fs_sysctls(devicekit_power_t)
kernel_read_network_state(devicekit_power_t)
kernel_read_system_state(devicekit_power_t)
@@ -24614,7 +24617,7 @@ index 77a5003..360db40 100644
corecmd_exec_bin(devicekit_power_t)
corecmd_exec_shell(devicekit_power_t)
-@@ -248,21 +264,18 @@ domain_read_all_domains_state(devicekit_power_t)
+@@ -248,21 +265,18 @@ domain_read_all_domains_state(devicekit_power_t)
files_read_kernel_img(devicekit_power_t)
files_read_etc_runtime_files(devicekit_power_t)
@@ -24637,7 +24640,7 @@ index 77a5003..360db40 100644
sysnet_domtrans_ifconfig(devicekit_power_t)
sysnet_domtrans_dhcpc(devicekit_power_t)
-@@ -277,6 +290,12 @@ optional_policy(`
+@@ -277,6 +291,12 @@ optional_policy(`
')
optional_policy(`
@@ -24650,7 +24653,7 @@ index 77a5003..360db40 100644
dbus_system_bus_client(devicekit_power_t)
allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -307,8 +326,11 @@ optional_policy(`
+@@ -307,8 +327,11 @@ optional_policy(`
')
optional_policy(`
@@ -24663,7 +24666,7 @@ index 77a5003..360db40 100644
hal_manage_pid_dirs(devicekit_power_t)
hal_manage_pid_files(devicekit_power_t)
')
-@@ -347,3 +369,9 @@ optional_policy(`
+@@ -347,3 +370,9 @@ optional_policy(`
optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
@@ -42850,10 +42853,10 @@ index 0000000..bd7e7fa
+')
diff --git a/keepalived.te b/keepalived.te
new file mode 100644
-index 0000000..82772f2
+index 0000000..c07a3fe
--- /dev/null
+++ b/keepalived.te
-@@ -0,0 +1,93 @@
+@@ -0,0 +1,94 @@
+policy_module(keepalived, 1.0.0)
+
+########################################
@@ -42883,6 +42886,7 @@ index 0000000..82772f2
+allow keepalived_t self:process { signal_perms };
+allow keepalived_t self:netlink_socket create_socket_perms;
+allow keepalived_t self:netlink_generic_socket create_socket_perms;
++allow keepalived_t self:netlink_netfilter_socket create_socket_perms;
+allow keepalived_t self:netlink_route_socket nlmsg_write;
+allow keepalived_t self:packet_socket create_socket_perms;
+allow keepalived_t self:rawip_socket create_socket_perms;
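Review bot: The new `allow keepalived_t self:netlink_netfilter_socket create_socket_perms;` lets the daemon talk to netfilter directly, yet it sits among the socket rules with no comment on which feature needs it, and the changelog entry for this release only restates the permission. Recording the reason inline, e.g. `# netfilter netlink: presumably for keepalived's iptables/ipset handling of VRRP addresses — confirm`, lets a later audit decide whether the rule can be narrowed or dropped. The keepalived_t local-policy block continues outside the hunk.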
@@ -72389,10 +72393,10 @@ index 0000000..47cd0f8
+/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
diff --git a/pki.if b/pki.if
new file mode 100644
-index 0000000..efe3ad3
+index 0000000..d8226f9
--- /dev/null
+++ b/pki.if
-@@ -0,0 +1,442 @@
+@@ -0,0 +1,461 @@
+
+## policy for pki
+
@@ -72818,6 +72822,25 @@ index 0000000..efe3ad3
+
+########################################
+##
++## Allow read pki_common_t files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_manage_common_files',`
++ gen_require(`
++ type pki_common_t;
++ ')
++
++ manage_files_pattern($1, pki_common_t, pki_common_t)
++ manage_dirs_pattern($1, pki_common_t, pki_common_t)
++')
++
++########################################
++##
+## Connect to pki over an unix
+## stream socket.
+##
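Review bot: The summary of the new `pki_manage_common_files` interface reads `## Allow read pki_common_t files`, but the body grants `manage_files_pattern` and `manage_dirs_pattern` on pki_common_t, so the documentation understates the access (it looks copied from a read interface). Change the summary to `## Create, read, write, and delete pki_common_t files and directories` so callers such as the tomcat change later in this diff see the real contract. Consider also putting the dirs pattern before the files pattern, matching the order used elsewhere in these patches (e.g. the sssd_t manage_dirs/manage_files pair).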
@@ -75907,7 +75930,7 @@ index ded95ec..3cf7146 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
-index 5cfb83e..9cfa754 100644
+index 5cfb83e..4273d32 100644
--- a/postfix.te
+++ b/postfix.te
@@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
@@ -76000,7 +76023,7 @@ index 5cfb83e..9cfa754 100644
type postfix_data_t;
files_type(postfix_data_t)
-@@ -105,109 +106,22 @@ mta_mailserver_delivery(postfix_virtual_t)
+@@ -105,109 +106,23 @@ mta_mailserver_delivery(postfix_virtual_t)
########################################
#
@@ -76085,8 +76108,9 @@ index 5cfb83e..9cfa754 100644
-########################################
-#
-# Common postfix user domain local policy
--#
--
++# Postfix master process local policy
+ #
+
-allow postfix_user_domains self:capability dac_override;
-
-domain_use_interactive_fds(postfix_user_domains)
@@ -76094,10 +76118,10 @@ index 5cfb83e..9cfa754 100644
-########################################
-#
-# Master local policy
-+# Postfix master process local policy
- #
-
+-#
+-
-allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
++dontaudit postfix_master_t self:capability { net_admin };
+# chown is to set the correct ownership of queue dirs
+allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
allow postfix_master_t self:capability2 block_suspend;
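Review bot: `dontaudit postfix_master_t self:capability { net_admin };` silences a denial without recording what triggers it, and it is inserted directly above the `# chown is to set the correct ownership of queue dirs` comment that documents the following allow, so the two rules now read as one annotated pair. Move the dontaudit below that allow or give it its own comment, e.g. `# net_admin is probed but not required; silence the denial — TODO note the triggering call`, so each rule keeps its own rationale. The same unexplained dontaudit is added for postfix_qmgr_t in the later hunk `@@ -655,69 +590,80 @@`. The master-process block continues outside the hunk.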
@@ -76117,7 +76141,7 @@ index 5cfb83e..9cfa754 100644
allow postfix_master_t postfix_data_t:dir manage_dir_perms;
allow postfix_master_t postfix_data_t:file manage_file_perms;
-@@ -216,34 +130,32 @@ allow postfix_master_t postfix_keytab_t:file read_file_perms;
+@@ -216,34 +131,32 @@ allow postfix_master_t postfix_keytab_t:file read_file_perms;
allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
@@ -76165,7 +76189,7 @@ index 5cfb83e..9cfa754 100644
create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-@@ -253,16 +165,8 @@ filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, d
+@@ -253,16 +166,8 @@ filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, d
filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "deferred")
filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
@@ -76183,7 +76207,7 @@ index 5cfb83e..9cfa754 100644
corenet_all_recvfrom_netlabel(postfix_master_t)
corenet_tcp_sendrecv_generic_if(postfix_master_t)
corenet_udp_sendrecv_generic_if(postfix_master_t)
-@@ -270,50 +174,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+@@ -270,50 +175,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -76252,7 +76276,7 @@ index 5cfb83e..9cfa754 100644
optional_policy(`
cyrus_stream_connect(postfix_master_t)
')
-@@ -324,14 +222,6 @@ optional_policy(`
+@@ -324,14 +223,6 @@ optional_policy(`
')
optional_policy(`
@@ -76267,7 +76291,7 @@ index 5cfb83e..9cfa754 100644
postgrey_search_spool(postfix_master_t)
')
-@@ -341,12 +231,14 @@ optional_policy(`
+@@ -341,12 +232,14 @@ optional_policy(`
########################################
#
@@ -76284,7 +76308,7 @@ index 5cfb83e..9cfa754 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
-@@ -363,37 +255,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+@@ -363,37 +256,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
########################################
#
@@ -76331,7 +76355,7 @@ index 5cfb83e..9cfa754 100644
optional_policy(`
mailman_read_data_files(postfix_cleanup_t)
-@@ -401,36 +290,50 @@ optional_policy(`
+@@ -401,36 +291,50 @@ optional_policy(`
########################################
#
@@ -76391,7 +76415,7 @@ index 5cfb83e..9cfa754 100644
')
optional_policy(`
-@@ -442,16 +345,25 @@ optional_policy(`
+@@ -442,16 +346,25 @@ optional_policy(`
')
optional_policy(`
@@ -76417,7 +76441,7 @@ index 5cfb83e..9cfa754 100644
procmail_domtrans(postfix_local_t)
')
-@@ -466,15 +378,17 @@ optional_policy(`
+@@ -466,15 +379,17 @@ optional_policy(`
########################################
#
@@ -76441,7 +76465,7 @@ index 5cfb83e..9cfa754 100644
manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-@@ -484,14 +398,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -484,14 +399,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
@@ -76461,7 +76485,7 @@ index 5cfb83e..9cfa754 100644
corecmd_list_bin(postfix_map_t)
corecmd_read_bin_symlinks(postfix_map_t)
-@@ -500,7 +415,6 @@ corecmd_read_bin_pipes(postfix_map_t)
+@@ -500,7 +416,6 @@ corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)
files_list_home(postfix_map_t)
@@ -76469,7 +76493,7 @@ index 5cfb83e..9cfa754 100644
files_read_etc_runtime_files(postfix_map_t)
files_dontaudit_search_var(postfix_map_t)
-@@ -508,21 +422,24 @@ auth_use_nsswitch(postfix_map_t)
+@@ -508,21 +423,24 @@ auth_use_nsswitch(postfix_map_t)
logging_send_syslog_msg(postfix_map_t)
@@ -76497,7 +76521,7 @@ index 5cfb83e..9cfa754 100644
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-@@ -532,21 +449,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+@@ -532,21 +450,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
@@ -76523,7 +76547,7 @@ index 5cfb83e..9cfa754 100644
write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
-@@ -557,6 +474,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+@@ -557,6 +475,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
corecmd_exec_bin(postfix_pipe_t)
optional_policy(`
@@ -76534,7 +76558,7 @@ index 5cfb83e..9cfa754 100644
dovecot_domtrans_deliver(postfix_pipe_t)
')
-@@ -584,19 +505,28 @@ optional_policy(`
+@@ -584,19 +506,28 @@ optional_policy(`
########################################
#
@@ -76568,7 +76592,7 @@ index 5cfb83e..9cfa754 100644
term_dontaudit_use_all_ptys(postfix_postdrop_t)
term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -611,10 +541,7 @@ optional_policy(`
+@@ -611,10 +542,7 @@ optional_policy(`
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
@@ -76580,7 +76604,7 @@ index 5cfb83e..9cfa754 100644
optional_policy(`
fstools_read_pipes(postfix_postdrop_t)
')
-@@ -629,17 +556,24 @@ optional_policy(`
+@@ -629,17 +557,24 @@ optional_policy(`
#######################################
#
@@ -76608,7 +76632,7 @@ index 5cfb83e..9cfa754 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -655,69 +589,78 @@ optional_policy(`
+@@ -655,69 +590,80 @@ optional_policy(`
########################################
#
@@ -76619,7 +76643,8 @@ index 5cfb83e..9cfa754 100644
-allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
-allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
-allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
--
++dontaudit postfix_qmgr_t self:capability { net_admin };
+
stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
@@ -76705,7 +76730,7 @@ index 5cfb83e..9cfa754 100644
')
optional_policy(`
-@@ -730,28 +673,32 @@ optional_policy(`
+@@ -730,28 +676,32 @@ optional_policy(`
########################################
#
@@ -76746,7 +76771,7 @@ index 5cfb83e..9cfa754 100644
optional_policy(`
dovecot_stream_connect_auth(postfix_smtpd_t)
-@@ -764,6 +711,7 @@ optional_policy(`
+@@ -764,6 +714,7 @@ optional_policy(`
optional_policy(`
milter_stream_connect_all(postfix_smtpd_t)
@@ -76754,7 +76779,7 @@ index 5cfb83e..9cfa754 100644
')
optional_policy(`
-@@ -774,31 +722,101 @@ optional_policy(`
+@@ -774,31 +725,101 @@ optional_policy(`
sasl_connect(postfix_smtpd_t)
')
@@ -91214,7 +91239,7 @@ index 13f788f..10e2033 100644
+ allow $1 rngd_unit_file_t:service all_service_perms;
')
diff --git a/rngd.te b/rngd.te
-index a7b7717..861aa31 100644
+index a7b7717..41bca3b 100644
--- a/rngd.te
+++ b/rngd.te
@@ -12,6 +12,9 @@ init_daemon_domain(rngd_t, rngd_exec_t)
@@ -91227,12 +91252,14 @@ index a7b7717..861aa31 100644
type rngd_var_run_t;
files_pid_file(rngd_var_run_t)
-@@ -35,8 +38,5 @@ dev_read_urand(rngd_t)
+@@ -34,9 +37,7 @@ dev_read_rand(rngd_t)
+ dev_read_urand(rngd_t)
dev_rw_tpm(rngd_t)
dev_write_rand(rngd_t)
-
--files_read_etc_files(rngd_t)
-
+-files_read_etc_files(rngd_t)
++dev_read_sysfs(rngd_t)
+
logging_send_syslog_msg(rngd_t)
-miscfiles_read_localization(rngd_t)
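Review bot: `dev_read_sysfs(rngd_t)` grants read on sysfs_t as a whole, and the hunk gives no hint of which sysfs entries rngd consults; the changelog line only restates the permission. A one-line comment such as `# read sysfs to discover available hardware RNG sources — TODO confirm the path` would let a later reviewer swap it for a narrower interface if one fits. The rngd_t rule block continues outside the hunk.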
@@ -105702,7 +105729,7 @@ index 0000000..821e158
+')
+
diff --git a/sssd.fc b/sssd.fc
-index dbb005a..47b49ea 100644
+index dbb005a..2655c75 100644
--- a/sssd.fc
+++ b/sssd.fc
@@ -1,15 +1,30 @@
@@ -105740,8 +105767,8 @@ index dbb005a..47b49ea 100644
-/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
+/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
-+/var/run/secrets.socket gen_context(system_u:object_r:sssd_var_run_t,s0)
-+/var/run/.heim_org.h5l.kcm-socket -- gen_context(system_u:object_r:sssd_var_run_t,s0)
++/var/run/secrets\.socket -s gen_context(system_u:object_r:sssd_var_run_t,s0)
++/var/run/\.heim_org\.h5l\.kcm-socket -s gen_context(system_u:object_r:sssd_var_run_t,s0)
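Review bot: The two rewritten entries now escape their dots and use `-s`, but the `/var/run/sssd.pid -- ...` line kept as context just above them still has an unescaped `.`, even though the upstream line it replaces (`/var/run/sssd\.pid`) escaped it. In file-context regexes an unescaped `.` matches any character, so the looser pattern also labels names it was not meant to; apply the same stricter form there: `/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)`.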
diff --git a/sssd.if b/sssd.if
index a240455..aac2584 100644
--- a/sssd.if
@@ -106240,7 +106267,7 @@ index a240455..aac2584 100644
- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
-index 2d8db1f..f0f3862 100644
+index 2d8db1f..07606ba 100644
--- a/sssd.te
+++ b/sssd.te
@@ -28,19 +28,31 @@ logging_log_file(sssd_var_log_t)
@@ -106295,8 +106322,9 @@ index 2d8db1f..f0f3862 100644
manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+-files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+manage_sock_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
- files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
++files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir sock_file })
kernel_read_network_state(sssd_t)
kernel_read_system_state(sssd_t)
@@ -111022,10 +111050,10 @@ index 0000000..e5cec8f
+')
diff --git a/tomcat.te b/tomcat.te
new file mode 100644
-index 0000000..cc0c5fe
+index 0000000..cf2b1a7
--- /dev/null
+++ b/tomcat.te
-@@ -0,0 +1,89 @@
+@@ -0,0 +1,99 @@
+policy_module(tomcat, 1.0.0)
+
+########################################
@@ -111054,7 +111082,7 @@ index 0000000..cc0c5fe
+ pki_manage_tomcat_etc_rw(tomcat_t)
+ pki_search_log_dirs(tomcat_t)
+ pki_manage_tomcat_log(tomcat_t)
-+ pki_read_common_files(tomcat_t)
++ pki_manage_common_files(tomcat_t)
+ pki_stream_connect(tomcat_t)
+')
+
@@ -111100,6 +111128,7 @@ index 0000000..cc0c5fe
+corenet_tcp_connect_http_cache_port(tomcat_domain)
+corenet_tcp_connect_postgresql_port(tomcat_domain)
+corenet_tcp_connect_amqp_port(tomcat_domain)
++corenet_tcp_connect_oracle_port(tomcat_domain)
+
+dev_read_rand(tomcat_domain)
+dev_read_urand(tomcat_domain)
@@ -111113,8 +111142,17 @@ index 0000000..cc0c5fe
+sysnet_dns_name_resolve(tomcat_domain)
+
+optional_policy(`
++ cobbler_read_lib_files(tomcat_domain)
++')
++
++optional_policy(`
+ tomcat_search_lib(tomcat_domain)
+')
++
++optional_policy(`
++ rpm_exec(tomcat_domain)
++ rpm_read_db(tomcat_domain)
++')
diff --git a/tor.fc b/tor.fc
index dce42ec..b6b67bf 100644
--- a/tor.fc
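Review bot: `rpm_exec(tomcat_domain)` together with `rpm_read_db(tomcat_domain)` lets every tomcat domain run the rpm binary in its own domain against the package database, and the three new optional_policy blocks carry no comment saying what this supports; the changelog entry only restates the permissions. A comment over the block, e.g. `# rpm queries only: the db is read-only here and there is no transition to rpm_t`, documents that package installs are not intended and that the read-only grant is deliberate. `cobbler_read_lib_files` is likewise applied to the whole tomcat_domain attribute rather than a single domain; confirm that scope is wanted.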
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f591cb1..69d7900 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 254%{?dist}
+Release: 255%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -689,6 +689,28 @@ exit 0
%endif
%changelog
+* Thu May 18 2017 Lukas Vrabec - 3.13.1-255
+- Dontaudit net_admin capability for domains postfix_master_t and postfix_qmgr_t
+- Add interface pki_manage_common_files()
+- Allow rngd domain read sysfs_t
+- Allow tomcat_t domain to manage pki_common_t files and dirs
+- Merge pull request #3 from rhatdan/devicekit
+- Merge pull request #12 from lslebodn/sssd_sockets_fc
+- Allow certmonger reads httpd_config_t files
+- Allow keepalived_t domain creating netlink_netfilter_socket.
+- Use stricter fc rules for sssd sockets in /var/run
+- Allow tomcat domain read rpm_var_lib_t files Allow tomcat domain exec rpm_exec_t files Allow tomcat domain name connect on oracle_port_t Allow tomcat domain read cobbler_var_lib_t files.
+- Allow sssd_t domain creating sock files labeled as sssd_var_run_t in /var/run/
+- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit
+- ejabberd small fixes
+- Update targetd policy to accommodate changes in the service
+- Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls
+- Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit
+- Dontaudit net_admin capability for useradd_t domain
+- Allow systemd_localed_t and systemd_timedated_t create files in /etc with label locate_t BZ(1443723)
+- Make able deply overcloud via neutron_t to label nsfs as fs_t
+- Add fs_manage_configfs_lnk_files() interface
+
* Mon May 15 2017 Lukas Vrabec - 3.13.1-254
- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit
- ejabberd small fixes