diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 107f454..a53f917 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index d34fe0d..a5c7403 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -15451,7 +15451,7 @@ index d7c11a0..6b3331d 100644
  /var/run/shm/.*			<<none>>
 -')
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..cdeecad 100644
+index 8416beb..843f849 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -15899,7 +15899,7 @@ index 8416beb..cdeecad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1878,135 +2085,151 @@ interface(`fs_search_fusefs',`
+@@ -1878,117 +2085,346 @@ interface(`fs_search_fusefs',`
  ##	</summary>
  ## </param>
  #
@@ -16069,628 +16069,227 @@ index 8416beb..cdeecad 100644
 -##	read, write, and delete files
 -##	on a FUSEFS filesystem.
 +##	Unmount a FUSE filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`fs_dontaudit_manage_fusefs_files',`
-+interface(`fs_unmount_fusefs',`
- 	gen_require(`
- 		type fusefs_t;
- 	')
- 
--	dontaudit $1 fusefs_t:file manage_file_perms;
-+	allow $1 fusefs_t:filesystem unmount;
- ')
- 
- ########################################
- ## <summary>
--##	Read symbolic links on a FUSEFS filesystem.
-+##	Mounton a FUSEFS filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2014,145 +2237,194 @@ interface(`fs_dontaudit_manage_fusefs_files',`
- ##	</summary>
- ## </param>
- #
--interface(`fs_read_fusefs_symlinks',`
-+interface(`fs_mounton_fusefs',`
- 	gen_require(`
- 		type fusefs_t;
- 	')
- 
--	allow $1 fusefs_t:dir list_dir_perms;
--	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
-+	allow $1 fusefs_t:dir mounton;
- ')
- 
- ########################################
- ## <summary>
--##	Get the attributes of an hugetlbfs
--##	filesystem.
-+##	Search directories
-+##	on a FUSEFS filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
-+## <rolecap/>
- #
--interface(`fs_getattr_hugetlbfs',`
-+interface(`fs_search_fusefs',`
- 	gen_require(`
--		type hugetlbfs_t;
-+		type fusefs_t;
- 	')
- 
--	allow $1 hugetlbfs_t:filesystem getattr;
-+	allow $1 fusefs_t:dir search_dir_perms;
- ')
- 
- ########################################
- ## <summary>
--##	List hugetlbfs.
-+##	Do not audit attempts to list the contents
-+##	of directories on a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_dontaudit_list_fusefs',`
++interface(`fs_unmount_fusefs',`
 +	gen_require(`
 +		type fusefs_t;
 +	')
 +
-+	dontaudit $1 fusefs_t:dir list_dir_perms;
++	allow $1 fusefs_t:filesystem unmount;
 +')
 +
 +########################################
 +## <summary>
-+##	Create, read, write, and delete directories
-+##	on a FUSEFS filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
-+## <rolecap/>
- #
--interface(`fs_list_hugetlbfs',`
-+interface(`fs_manage_fusefs_dirs',`
- 	gen_require(`
--		type hugetlbfs_t;
-+		type fusefs_t;
- 	')
- 
--	allow $1 hugetlbfs_t:dir list_dir_perms;
-+	allow $1 fusefs_t:dir manage_dir_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Manage hugetlbfs dirs.
-+##	Do not audit attempts to create, read,
-+##	write, and delete directories
-+##	on a FUSEFS filesystem.
++##	Mounton a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_dontaudit_manage_fusefs_dirs',`
++interface(`fs_mounton_fusefs',`
 +	gen_require(`
 +		type fusefs_t;
 +	')
 +
-+	dontaudit $1 fusefs_t:dir manage_dir_perms;
++	allow $1 fusefs_t:dir mounton;
 +')
 +
 +########################################
 +## <summary>
-+##	Read, a FUSEFS filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
-+## <rolecap/>
- #
--interface(`fs_manage_hugetlbfs_dirs',`
-+interface(`fs_read_fusefs_files',`
- 	gen_require(`
--		type hugetlbfs_t;
-+		type fusefs_t;
- 	')
- 
--	manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+	read_files_pattern($1, fusefs_t, fusefs_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read and write hugetlbfs files.
-+##	Execute files on a FUSEFS filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
-+## <rolecap/>
- #
--interface(`fs_rw_hugetlbfs_files',`
-+interface(`fs_exec_fusefs_files',`
- 	gen_require(`
--		type hugetlbfs_t;
-+		type fusefs_t;
- 	')
- 
--	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+	exec_files_pattern($1, fusefs_t, fusefs_t)
- ')
- 
- ########################################
- ## <summary>
--##	Allow the type to associate to hugetlbfs filesystems.
-+##	Make general progams in FUSEFS an entrypoint for
-+##	the specified domain.
- ## </summary>
--## <param name="type">
-+## <param name="domain">
- ##	<summary>
--##	The type of the object to be associated.
-+##	The domain for which fusefs_t is an entrypoint.
- ##	</summary>
- ## </param>
- #
--interface(`fs_associate_hugetlbfs',`
-+interface(`fs_fusefs_entry_type',`
- 	gen_require(`
--		type hugetlbfs_t;
-+		type fusefs_t;
- 	')
- 
--	allow $1 hugetlbfs_t:filesystem associate;
-+	domain_entry_file($1, fusefs_t)
- ')
- 
- ########################################
- ## <summary>
--##	Search inotifyfs filesystem.
-+##	Make general progams in FUSEFS an entrypoint for
-+##	the specified domain.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	The domain for which fusefs_t is an entrypoint.
- ##	</summary>
- ## </param>
- #
--interface(`fs_search_inotifyfs',`
-+interface(`fs_fusefs_entrypoint',`
- 	gen_require(`
--		type inotifyfs_t;
-+		type fusefs_t;
- 	')
- 
--	allow $1 inotifyfs_t:dir search_dir_perms;
-+    allow $1 fusefs_t:file entrypoint;
- ')
- 
- ########################################
- ## <summary>
--##	List inotifyfs filesystem.
-+##	Create, read, write, and delete files
-+##	on a FUSEFS filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
-+## <rolecap/>
- #
--interface(`fs_list_inotifyfs',`
-+interface(`fs_manage_fusefs_files',`
- 	gen_require(`
--		type inotifyfs_t;
-+		type fusefs_t;
- 	')
- 
--	allow $1 inotifyfs_t:dir list_dir_perms;
-+	manage_files_pattern($1, fusefs_t, fusefs_t)
- ')
- 
- ########################################
- ## <summary>
--##	Dontaudit List inotifyfs filesystem.
-+##	Do not audit attempts to create,
-+##	read, write, and delete files
++##	Search directories
 +##	on a FUSEFS filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2160,53 +2432,136 @@ interface(`fs_list_inotifyfs',`
- ##	</summary>
- ## </param>
- #
--interface(`fs_dontaudit_list_inotifyfs',`
-+interface(`fs_dontaudit_manage_fusefs_files',`
- 	gen_require(`
--		type inotifyfs_t;
-+		type fusefs_t;
- 	')
- 
--	dontaudit $1 inotifyfs_t:dir list_dir_perms;
-+	dontaudit $1 fusefs_t:file manage_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Create an object in a hugetlbfs filesystem, with a private
--##	type using a type transition.
-+##	Read symbolic links on a FUSEFS filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <param name="private type">
-+#
-+interface(`fs_read_fusefs_symlinks',`
-+	gen_require(`
-+		type fusefs_t;
-+	')
-+
-+	allow $1 fusefs_t:dir list_dir_perms;
-+	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Manage symbolic links on a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
- ##	<summary>
--##	The type of the object to be created.
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <param name="object">
++##	</summary>
++## </param>
++## <rolecap/>
 +#
-+interface(`fs_manage_fusefs_symlinks',`
-+	gen_require(`
-+		type fusefs_t;
-+	')
-+
-+	manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Execute a file on a FUSE filesystem
-+##	in the specified domain.
-+## </summary>
-+## <desc>
-+##	<p>
-+##	Execute a file on a FUSE filesystem
-+##	in the specified domain.  This allows
-+##	the specified domain to execute any file
-+##	on these filesystems in the specified
-+##	domain.  This is not suggested.
-+##	</p>
-+##	<p>
-+##	No interprocess communication (signals, pipes,
-+##	etc.) is provided by this interface since
-+##	the domains are not owned by this module.
-+##	</p>
-+##	<p>
-+##	This interface was added to handle
-+##	home directories on FUSE filesystems,
-+##	in particular used by the ssh-agent policy.
-+##	</p>
-+## </desc>
-+## <param name="domain">
- ##	<summary>
--##	The object class of the object being created.
-+##	Domain allowed to transition.
- ##	</summary>
- ## </param>
--## <param name="name" optional="true">
-+## <param name="target_domain">
- ##	<summary>
--##	The name of the object being created.
-+##	The type of the new process.
- ##	</summary>
- ## </param>
- #
--interface(`fs_hugetlbfs_filetrans',`
-+interface(`fs_fusefs_domtrans',`
++interface(`fs_search_fusefs',`
 +	gen_require(`
 +		type fusefs_t;
 +	')
 +
 +	allow $1 fusefs_t:dir search_dir_perms;
-+	domain_auto_transition_pattern($1, fusefs_t, $2)
 +')
 +
 +########################################
 +## <summary>
-+##	Get the attributes of a FUSEFS filesystem.
++##	Do not audit attempts to list the contents
++##	of directories on a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
-+interface(`fs_getattr_fusefs',`
++interface(`fs_dontaudit_list_fusefs',`
 +	gen_require(`
 +		type fusefs_t;
 +	')
 +
-+	allow $1 fusefs_t:filesystem getattr;
++	dontaudit $1 fusefs_t:dir list_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Get the attributes of an hugetlbfs
-+##	filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_getattr_hugetlbfs',`
- 	gen_require(`
- 		type hugetlbfs_t;
- 	')
- 
--	allow $2 hugetlbfs_t:filesystem associate;
--	filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
-+	allow $1 hugetlbfs_t:filesystem getattr;
- ')
- 
- ########################################
- ## <summary>
--##	Mount an iso9660 filesystem, which
--##	is usually used on CDs.
-+##	List hugetlbfs.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2214,19 +2569,17 @@ interface(`fs_hugetlbfs_filetrans',`
- ##	</summary>
- ## </param>
- #
--interface(`fs_mount_iso9660_fs',`
-+interface(`fs_list_hugetlbfs',`
- 	gen_require(`
--		type iso9660_t;
-+		type hugetlbfs_t;
- 	')
- 
--	allow $1 iso9660_t:filesystem mount;
-+	allow $1 hugetlbfs_t:dir list_dir_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Remount an iso9660 filesystem, which
--##	is usually used on CDs.  This allows
--##	some mount options to be changed.
-+##	Manage hugetlbfs dirs.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2234,18 +2587,17 @@ interface(`fs_mount_iso9660_fs',`
- ##	</summary>
- ## </param>
- #
--interface(`fs_remount_iso9660_fs',`
-+interface(`fs_manage_hugetlbfs_dirs',`
- 	gen_require(`
--		type iso9660_t;
-+		type hugetlbfs_t;
- 	')
- 
--	allow $1 iso9660_t:filesystem remount;
-+	manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
- ')
- 
- ########################################
- ## <summary>
--##	Unmount an iso9660 filesystem, which
--##	is usually used on CDs.
-+##	Read hugetlbfs files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2253,38 +2605,557 @@ interface(`fs_remount_iso9660_fs',`
- ##	</summary>
- ## </param>
- #
--interface(`fs_unmount_iso9660_fs',`
-+interface(`fs_read_hugetlbfs_files',`
- 	gen_require(`
--		type iso9660_t;
-+		type hugetlbfs_t;
- 	')
- 
--	allow $1 iso9660_t:filesystem unmount;
-+	read_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
- ')
- 
- ########################################
- ## <summary>
--##	Get the attributes of an iso9660
--##	filesystem, which is usually used on CDs.
-+##	Read and write hugetlbfs files.
++##	Create, read, write, and delete directories
++##	on a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <rolecap/>
 +#
-+interface(`fs_rw_hugetlbfs_files',`
++interface(`fs_manage_fusefs_dirs',`
 +	gen_require(`
-+		type hugetlbfs_t;
++		type fusefs_t;
 +	')
 +
-+	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
++	allow $1 fusefs_t:dir manage_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Execute hugetlbfs files.
++##	Do not audit attempts to create, read,
++##	write, and delete directories
++##	on a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_exec_hugetlbfs_files',`
++interface(`fs_dontaudit_manage_fusefs_dirs',`
 +	gen_require(`
-+		type hugetlbfs_t;
++		type fusefs_t;
 +	')
 +
-+    allow $1 hugetlbfs_t:dir list_dir_perms;
-+	exec_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
++	dontaudit $1 fusefs_t:dir manage_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Allow the type to associate to hugetlbfs filesystems.
++##	Read, a FUSEFS filesystem.
 +## </summary>
-+## <param name="type">
++## <param name="domain">
 +##	<summary>
-+##	The type of the object to be associated.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <rolecap/>
 +#
-+interface(`fs_associate_hugetlbfs',`
++interface(`fs_read_fusefs_files',`
 +	gen_require(`
-+		type hugetlbfs_t;
++		type fusefs_t;
 +	')
 +
-+	allow $1 hugetlbfs_t:filesystem associate;
++	read_files_pattern($1, fusefs_t, fusefs_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Search inotifyfs filesystem.
++##	Execute files on a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <rolecap/>
 +#
-+interface(`fs_search_inotifyfs',`
++interface(`fs_exec_fusefs_files',`
 +	gen_require(`
-+		type inotifyfs_t;
++		type fusefs_t;
 +	')
 +
-+	allow $1 inotifyfs_t:dir search_dir_perms;
++	exec_files_pattern($1, fusefs_t, fusefs_t)
 +')
 +
 +########################################
 +## <summary>
-+##	List inotifyfs filesystem.
++##	Make general progams in FUSEFS an entrypoint for
++##	the specified domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	The domain for which fusefs_t is an entrypoint.
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_list_inotifyfs',`
++interface(`fs_fusefs_entry_type',`
 +	gen_require(`
-+		type inotifyfs_t;
++		type fusefs_t;
 +	')
 +
-+	allow $1 inotifyfs_t:dir list_dir_perms;
-+	fs_read_anon_inodefs_files($1)
++	domain_entry_file($1, fusefs_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to list inotifyfs filesystem.
++##	Make general progams in FUSEFS an entrypoint for
++##	the specified domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	The domain for which fusefs_t is an entrypoint.
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_dontaudit_list_inotifyfs',`
++interface(`fs_fusefs_entrypoint',`
 +	gen_require(`
-+		type inotifyfs_t;
++		type fusefs_t;
 +	')
 +
-+	dontaudit $1 inotifyfs_t:dir list_dir_perms;
++    allow $1 fusefs_t:file entrypoint;
 +')
 +
 +########################################
 +## <summary>
-+##	Create an object in a hugetlbfs filesystem, with a private
-+##	type using a type transition.
++##	Create, read, write, and delete files
++##	on a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="private type">
-+##	<summary>
-+##	The type of the object to be created.
-+##	</summary>
-+## </param>
-+## <param name="object">
-+##	<summary>
-+##	The object class of the object being created.
-+##	</summary>
-+## </param>
-+## <param name="name" optional="true">
-+##	<summary>
-+##	The name of the object being created.
-+##	</summary>
-+## </param>
++## <rolecap/>
 +#
-+interface(`fs_hugetlbfs_filetrans',`
++interface(`fs_manage_fusefs_files',`
 +	gen_require(`
-+		type hugetlbfs_t;
++		type fusefs_t;
 +	')
 +
-+	allow $2 hugetlbfs_t:filesystem associate;
-+	filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
++	manage_files_pattern($1, fusefs_t, fusefs_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Mount an iso9660 filesystem, which
-+##	is usually used on CDs.
++##	Do not audit attempts to create,
++##	read, write, and delete files
++##	on a FUSEFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2025,6 +2461,87 @@ interface(`fs_read_fusefs_symlinks',`
+ 
+ ########################################
+ ## <summary>
++##	Manage symbolic links on a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
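Review bot: The summaries carried into `fs_fusefs_entry_type` and `fs_fusefs_entrypoint` are word-for-word identical (including the typo "progams"), yet the first calls `domain_entry_file($1, fusefs_t)` and the second is a bare `allow $1 fusefs_t:file entrypoint;`, so a policy author cannot tell from the docs which one to use. I would reword the second to something like `##	Allow the specified domain to be entered through files labeled fusefs_t (entrypoint permission only).` and fix the spelling in both. The summary of `fs_read_fusefs_files` reads `Read, a FUSEFS filesystem.`; `##	Read files on a FUSEFS filesystem.` matches what `read_files_pattern` grants. The `allow` line in `fs_fusefs_entrypoint` is also indented with spaces where the neighbouring interfaces use a tab.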
@@ -16698,77 +16297,106 @@ index 8416beb..cdeecad 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_mount_iso9660_fs',`
++interface(`fs_manage_fusefs_symlinks',`
 +	gen_require(`
-+		type iso9660_t;
++		type fusefs_t;
 +	')
 +
-+	allow $1 iso9660_t:filesystem mount;
++	manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Remount an iso9660 filesystem, which
-+##	is usually used on CDs.  This allows
-+##	some mount options to be changed.
++##	Execute a file on a FUSE filesystem
++##	in the specified domain.
 +## </summary>
++## <desc>
++##	<p>
++##	Execute a file on a FUSE filesystem
++##	in the specified domain.  This allows
++##	the specified domain to execute any file
++##	on these filesystems in the specified
++##	domain.  This is not suggested.
++##	</p>
++##	<p>
++##	No interprocess communication (signals, pipes,
++##	etc.) is provided by this interface since
++##	the domains are not owned by this module.
++##	</p>
++##	<p>
++##	This interface was added to handle
++##	home directories on FUSE filesystems,
++##	in particular used by the ssh-agent policy.
++##	</p>
++## </desc>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++## <param name="target_domain">
++##	<summary>
++##	The type of the new process.
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_remount_iso9660_fs',`
++interface(`fs_fusefs_domtrans',`
 +	gen_require(`
-+		type iso9660_t;
++		type fusefs_t;
 +	')
 +
-+	allow $1 iso9660_t:filesystem remount;
++	allow $1 fusefs_t:dir search_dir_perms;
++	domain_auto_transition_pattern($1, fusefs_t, $2)
 +')
 +
 +########################################
 +## <summary>
-+##	Unmount an iso9660 filesystem, which
-+##	is usually used on CDs.
++##	Get the attributes of a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <rolecap/>
 +#
-+interface(`fs_unmount_iso9660_fs',`
++interface(`fs_getattr_fusefs',`
 +	gen_require(`
-+		type iso9660_t;
++		type fusefs_t;
 +	')
 +
-+	allow $1 iso9660_t:filesystem unmount;
++	allow $1 fusefs_t:filesystem getattr;
 +')
 +
 +########################################
 +## <summary>
-+##	Get the attributes of an iso9660
-+##	filesystem, which is usually used on CDs.
+ ##	Get the attributes of an hugetlbfs
+ ##	filesystem.
+ ## </summary>
+@@ -2062,7 +2579,43 @@ interface(`fs_list_hugetlbfs',`
+ 
+ ########################################
+ ## <summary>
+-##	Manage hugetlbfs dirs.
++##	Manage hugetlbfs dirs.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
-+interface(`fs_getattr_iso9660_fs',`
++interface(`fs_manage_hugetlbfs_dirs',`
 +	gen_require(`
-+		type iso9660_t;
++		type hugetlbfs_t;
 +	')
 +
-+	allow $1 iso9660_t:filesystem getattr;
++	manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Read files on an iso9660 filesystem, which
-+##	is usually used on CDs.
++##	Read hugetlbfs files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
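Review bot: The `<desc>` of `fs_fusefs_domtrans` says "This is not suggested" but never says why, which is the part a caller needs before using it. `domain_auto_transition_pattern($1, fusefs_t, $2)` keys the transition on the `fusefs_t` label alone, and the contents of a FUSE mount are supplied by the userspace daemon serving it, so the entry point into `$2` is whatever that daemon presents as executable. I would add a sentence to the description such as `##	Files on a FUSE mount share the fusefs_t label, so the target domain can be entered through content chosen by whoever serves the mount.` Whether existing callers gate this behind a boolean is not visible in this hunk.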
@@ -16776,11 +16404,77 @@ index 8416beb..cdeecad 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_getattr_iso9660_files',`
++interface(`fs_read_hugetlbfs_files',`
 +	gen_require(`
-+		type iso9660_t;
++		type hugetlbfs_t;
 +	')
 +
++	read_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
++')
++
++########################################
++## <summary>
++##	Read and write hugetlbfs files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2070,17 +2623,17 @@ interface(`fs_list_hugetlbfs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_manage_hugetlbfs_dirs',`
++interface(`fs_rw_hugetlbfs_files',`
+ 	gen_require(`
+ 		type hugetlbfs_t;
+ 	')
+ 
+-	manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
++	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write hugetlbfs files.
++##	Execute hugetlbfs files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2088,12 +2641,13 @@ interface(`fs_manage_hugetlbfs_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_rw_hugetlbfs_files',`
++interface(`fs_exec_hugetlbfs_files',`
+ 	gen_require(`
+ 		type hugetlbfs_t;
+ 	')
+ 
+-	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
++    allow $1 hugetlbfs_t:dir list_dir_perms;
++	exec_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+ ')
+ 
+ ########################################
+@@ -2148,11 +2702,12 @@ interface(`fs_list_inotifyfs',`
+ 	')
+ 
+ 	allow $1 inotifyfs_t:dir list_dir_perms;
++	fs_read_anon_inodefs_files($1)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Dontaudit List inotifyfs filesystem.
++##	Do not audit attempts to list inotifyfs filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2297,14 +2852,332 @@ interface(`fs_getattr_iso9660_files',`
+ 		type iso9660_t;
+ 	')
+ 
+-	allow $1 iso9660_t:dir list_dir_perms;
+-	allow $1 iso9660_t:file getattr;
 +	allow $1 iso9660_t:dir list_dir_perms;
 +	allow $1 iso9660_t:file getattr;
 +')
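Review bot: Adding `fs_read_anon_inodefs_files($1)` to `fs_list_inotifyfs` widens every existing caller of an interface whose name only promises directory listing on inotifyfs. The interface's summary lies outside this inner hunk, so I cannot see whether it mentions the new grant; if it does not, a comment above the call, e.g. `# inotify descriptors are backed by anon_inodefs`, or a matching line in the summary would make the extra permission auditable (assuming that is the reason, which the patch does not state). In the same hunk, `fs_exec_hugetlbfs_files` indents `allow $1 hugetlbfs_t:dir list_dir_perms;` with four spaces while the next line uses a tab.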
@@ -17067,48 +16761,37 @@ index 8416beb..cdeecad 100644
 +##	Do not audit attempts to open,
 +##	get attributes, read and write
 +##	cgroup files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain to not audit.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`fs_getattr_iso9660_fs',`
++##	</summary>
++## </param>
++#
 +interface(`fs_dontaudit_rw_kdbus_files',`
- 	gen_require(`
--		type iso9660_t;
++	gen_require(`
 +		type kdbusfs_t;
- 	')
- 
--	allow $1 iso9660_t:filesystem getattr;
++	')
++
 +	dontaudit $1 kdbusfs_t:file rw_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Read files on an iso9660 filesystem, which
--##	is usually used on CDs.
++')
++
++########################################
++## <summary>
 +##	Manage kdbusfs files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2292,19 +3163,21 @@ interface(`fs_getattr_iso9660_fs',`
- ##	</summary>
- ## </param>
- #
--interface(`fs_getattr_iso9660_files',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`fs_manage_kdbus_files',`
- 	gen_require(`
--		type iso9660_t;
++	gen_require(`
 +		type kdbusfs_t;
 +
- 	')
- 
--	allow $1 iso9660_t:dir list_dir_perms;
--	allow $1 iso9660_t:file getattr;
++	')
++
 +	manage_files_pattern($1, kdbusfs_t, kdbusfs_t)
 +	manage_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
 +	fs_search_tmpfs($1)
@@ -17433,10 +17116,11 @@ index 8416beb..cdeecad 100644
  ##	Mount a NFS server pseudo filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3263,6 +4309,24 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3263,7 +4309,25 @@ interface(`fs_getattr_nfsd_files',`
  	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
  ')
  
+-########################################
 +#######################################
 +## <summary>
 +##  read files on an nfsd filesystem
@@ -17455,13 +17139,34 @@ index 8416beb..cdeecad 100644
 +    read_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
 +')
 +
- ########################################
++#######################################
  ## <summary>
  ##	Read and write NFS server files.
-@@ -3283,6 +4347,24 @@ interface(`fs_rw_nfsd_fs',`
+ ## </summary>
+@@ -3281,6 +4345,42 @@ interface(`fs_rw_nfsd_fs',`
+ 	rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+ ')
  
- ########################################
- ## <summary>
++#######################################
++## <summary>
++##  Read nsfs inodes (e.g. /proc/pid/ns/uts)
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`fs_read_nsfs_files',`
++	gen_require(`
++    	type nsfs_t;
++    ')
++
++    allow $1 nsfs_t:file read_file_perms;
++')
++
++########################################
++## <summary>
 +##	Manage NFS server files.
 +## </summary>
 +## <param name="domain">
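Review bot: The new `fs_read_nsfs_files` block does not follow the formatting of the interfaces around it. The `gen_require` body mixes spaces and a tab, the `allow` line is space-indented, the doc lines use two spaces after `##` where the file uses a tab, and its separator is 39 `#` characters. The rediff also swaps the upstream 40-character separator ahead of "Read and write NFS server files" for a 39-character one (the `-####…` line added in the preceding hunk and the `+####…` line here), an incidental delta against upstream that can cause avoidable conflicts on the next rebase. Keeping the upstream separator and tab-indenting the body, `		type nsfs_t;` and `	allow $1 nsfs_t:file read_file_perms;`, avoids both.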
@@ -17478,12 +17183,10 @@ index 8416beb..cdeecad 100644
 +	manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
 +')
 +
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
  ##	Allow the type to associate to ramfs filesystems.
- ## </summary>
- ## <param name="type">
-@@ -3392,7 +4474,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +4492,7 @@ interface(`fs_search_ramfs',`
  
  ########################################
  ## <summary>
@@ -17492,7 +17195,7 @@ index 8416beb..cdeecad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3429,7 +4511,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4529,7 @@ interface(`fs_manage_ramfs_dirs',`
  
  ########################################
  ## <summary>
@@ -17501,7 +17204,7 @@ index 8416beb..cdeecad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3447,7 +4529,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4547,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
  
  ########################################
  ## <summary>
@@ -17510,7 +17213,7 @@ index 8416beb..cdeecad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3779,6 +4861,24 @@ interface(`fs_mount_tmpfs',`
+@@ -3779,6 +4879,24 @@ interface(`fs_mount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -17535,7 +17238,7 @@ index 8416beb..cdeecad 100644
  ##	Remount a tmpfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3815,6 +4915,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +4933,24 @@ interface(`fs_unmount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -17560,7 +17263,7 @@ index 8416beb..cdeecad 100644
  ##	Get the attributes of a tmpfs
  ##	filesystem.
  ## </summary>
-@@ -3839,39 +4957,76 @@ interface(`fs_getattr_tmpfs',`
+@@ -3839,39 +4975,76 @@ interface(`fs_getattr_tmpfs',`
  ## </summary>
  ## <param name="type">
  ##	<summary>
@@ -17646,7 +17349,7 @@ index 8416beb..cdeecad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3879,36 +5034,35 @@ interface(`fs_relabelfrom_tmpfs',`
+@@ -3879,36 +5052,35 @@ interface(`fs_relabelfrom_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -17690,7 +17393,7 @@ index 8416beb..cdeecad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3916,35 +5070,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,35 +5088,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -17734,7 +17437,7 @@ index 8416beb..cdeecad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3952,17 +5107,17 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +5125,17 @@ interface(`fs_setattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -17755,7 +17458,7 @@ index 8416beb..cdeecad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3970,31 +5125,30 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +5143,30 @@ interface(`fs_search_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -17793,7 +17496,7 @@ index 8416beb..cdeecad 100644
  ')
  
  ########################################
-@@ -4105,7 +5259,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4105,7 +5277,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
  		type tmpfs_t;
  	')
  
@@ -17802,7 +17505,7 @@ index 8416beb..cdeecad 100644
  ')
  
  ########################################
-@@ -4165,6 +5319,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4165,6 +5337,24 @@ interface(`fs_rw_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -17827,7 +17530,7 @@ index 8416beb..cdeecad 100644
  ##	Read tmpfs link files.
  ## </summary>
  ## <param name="domain">
-@@ -4202,7 +5374,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4202,7 +5392,7 @@ interface(`fs_rw_tmpfs_chr_files',`
  
  ########################################
  ## <summary>
@@ -17836,7 +17539,7 @@ index 8416beb..cdeecad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4221,6 +5393,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4221,6 +5411,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -17897,7 +17600,7 @@ index 8416beb..cdeecad 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4278,6 +5504,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4278,6 +5522,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
  
  ########################################
  ## <summary>
@@ -17942,7 +17645,7 @@ index 8416beb..cdeecad 100644
  ##	Read and write, create and delete generic
  ##	files on tmpfs filesystems.
  ## </summary>
-@@ -4297,6 +5561,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4297,6 +5579,25 @@ interface(`fs_manage_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -17968,7 +17671,7 @@ index 8416beb..cdeecad 100644
  ##	Read and write, create and delete symbolic
  ##	links on tmpfs filesystems.
  ## </summary>
-@@ -4407,6 +5690,25 @@ interface(`fs_search_xenfs',`
+@@ -4407,6 +5708,25 @@ interface(`fs_search_xenfs',`
  	allow $1 xenfs_t:dir search_dir_perms;
  ')
  
@@ -17994,7 +17697,7 @@ index 8416beb..cdeecad 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete directories
-@@ -4503,6 +5805,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +5823,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -18003,7 +17706,7 @@ index 8416beb..cdeecad 100644
  ')
  
  ########################################
-@@ -4549,7 +5853,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +5871,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -18012,7 +17715,7 @@ index 8416beb..cdeecad 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4596,6 +5900,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +5918,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
  
  ########################################
  ## <summary>
@@ -18039,7 +17742,7 @@ index 8416beb..cdeecad 100644
  ##	Get the quotas of all filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4671,6 +5995,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +6013,25 @@ interface(`fs_getattr_all_dirs',`
  
  ########################################
  ## <summary>
@@ -18065,7 +17768,7 @@ index 8416beb..cdeecad 100644
  ##	Search all directories with a filesystem type.
  ## </summary>
  ## <param name="domain">
-@@ -4912,3 +6255,63 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6273,63 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -18130,7 +17833,7 @@ index 8416beb..cdeecad 100644
 +        read_files_pattern($1, efivarfs_t, efivarfs_t)
 +')
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index e7d1738..3e3ed4e 100644
+index e7d1738..235b730 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
 @@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
@@ -18214,13 +17917,17 @@ index e7d1738..3e3ed4e 100644
  type mvfs_t;
  fs_noxattr_type(mvfs_t)
  allow mvfs_t self:filesystem associate;
-@@ -118,13 +142,14 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+@@ -118,13 +142,18 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
  
  type nfsd_fs_t;
  fs_type(nfsd_fs_t)
 +files_mountpoint(nfsd_fs_t)
  genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
  
++type nsfs_t;
++fs_type(nsfs_t)
++genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
++
  type oprofilefs_t;
  fs_type(oprofilefs_t)
  genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
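Review bot: The new `nsfs_t` block in filesystem.te has no comment saying what the filesystem is, and the `# for network namespaces` remark next to `fs_read_nsfs_files(init_t)` in the init.te hunk is the only hint in this change. nsfs backs the namespace handle inodes that `/proc/<pid>/ns/*` point to, so access to this type is part of what lets a domain open another process's namespace. A one-line comment above `type nsfs_t;`, such as `# nsfs_t labels namespace handle inodes (targets of /proc/<pid>/ns/*)`, would make that clear to anyone who later grants access to the type.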
@@ -18230,7 +17937,7 @@ index e7d1738..3e3ed4e 100644
  fs_type(pstore_t)
  files_mountpoint(pstore_t)
  dev_associate_sysfs(pstore_t)
-@@ -150,11 +175,6 @@ fs_type(spufs_t)
+@@ -150,11 +179,6 @@ fs_type(spufs_t)
  genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
  files_mountpoint(spufs_t)
  
@@ -18242,7 +17949,7 @@ index e7d1738..3e3ed4e 100644
  type sysv_t;
  fs_noxattr_type(sysv_t)
  files_mountpoint(sysv_t)
-@@ -172,6 +192,8 @@ type vxfs_t;
+@@ -172,6 +196,8 @@ type vxfs_t;
  fs_noxattr_type(vxfs_t)
  files_mountpoint(vxfs_t)
  genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@@ -18251,7 +17958,7 @@ index e7d1738..3e3ed4e 100644
  
  #
  # tmpfs_t is the type for tmpfs filesystems
-@@ -182,6 +204,8 @@ fs_type(tmpfs_t)
+@@ -182,6 +208,8 @@ fs_type(tmpfs_t)
  files_type(tmpfs_t)
  files_mountpoint(tmpfs_t)
  files_poly_parent(tmpfs_t)
@@ -18260,7 +17967,7 @@ index e7d1738..3e3ed4e 100644
  
  # Use a transition SID based on the allocating task SID and the
  # filesystem SID to label inodes in the following filesystem types,
-@@ -261,6 +285,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -261,6 +289,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
  type removable_t;
  allow removable_t noxattrfs:filesystem associate;
  fs_noxattr_type(removable_t)
@@ -18269,7 +17976,7 @@ index e7d1738..3e3ed4e 100644
  files_mountpoint(removable_t)
  
  #
-@@ -280,6 +306,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -280,6 +310,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -18277,7 +17984,7 @@ index e7d1738..3e3ed4e 100644
  
  ########################################
  #
-@@ -301,9 +328,10 @@ fs_associate_noxattr(noxattrfs)
+@@ -301,9 +332,10 @@ fs_associate_noxattr(noxattrfs)
  # Unconfined access to this module
  #
  
@@ -33978,7 +33685,7 @@ index 79a45f6..e69fa39 100644
 +    allow $1 init_var_lib_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..91eaead 100644
+index 17eda24..4eb70c7 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -34273,7 +33980,7 @@ index 17eda24..91eaead 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +323,240 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +323,243 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -34347,6 +34054,7 @@ index 17eda24..91eaead 100644
 +allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +allow init_t self:netlink_kobject_uevent_socket create_socket_perms; 
 +allow init_t self:netlink_selinux_socket create_socket_perms;
++allow init_t self:unix_dgram_socket lock;
 +# Until systemd is fixed
 +allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
 +allow init_t self:udp_socket create_socket_perms;
@@ -34420,6 +34128,8 @@ index 17eda24..91eaead 100644
 +fs_rw_tmpfs_files(init_t)	
 +fs_relabel_cgroup_dirs(init_t)
 +fs_search_cgroup_dirs(init_t)
++# for network namespaces
++fs_read_nsfs_files(init_t)
 +
 +storage_getattr_removable_dev(init_t)
 +
@@ -34523,7 +34233,7 @@ index 17eda24..91eaead 100644
  ')
  
  optional_policy(`
-@@ -216,7 +564,30 @@ optional_policy(`
+@@ -216,7 +567,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34555,7 +34265,7 @@ index 17eda24..91eaead 100644
  ')
  
  ########################################
-@@ -225,9 +596,9 @@ optional_policy(`
+@@ -225,9 +599,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -34567,7 +34277,7 @@ index 17eda24..91eaead 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -258,12 +629,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +632,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -34584,7 +34294,7 @@ index 17eda24..91eaead 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +654,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +657,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -34627,7 +34337,7 @@ index 17eda24..91eaead 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +691,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +694,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -34639,7 +34349,7 @@ index 17eda24..91eaead 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -313,8 +703,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +706,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -34650,7 +34360,7 @@ index 17eda24..91eaead 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -322,8 +714,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +717,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -34660,7 +34370,7 @@ index 17eda24..91eaead 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -332,7 +723,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +726,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -34668,7 +34378,7 @@ index 17eda24..91eaead 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -340,6 +730,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +733,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -34676,7 +34386,7 @@ index 17eda24..91eaead 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -347,14 +738,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +741,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -34694,7 +34404,7 @@ index 17eda24..91eaead 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -364,8 +756,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +759,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -34708,7 +34418,7 @@ index 17eda24..91eaead 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -375,10 +771,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +774,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -34722,7 +34432,7 @@ index 17eda24..91eaead 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -387,8 +784,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +787,10 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -34733,7 +34443,7 @@ index 17eda24..91eaead 100644
  
  storage_getattr_fixed_disk_dev(initrc_t)
  storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +797,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +800,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -34741,7 +34451,7 @@ index 17eda24..91eaead 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -416,20 +816,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +819,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -34765,7 +34475,7 @@ index 17eda24..91eaead 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +849,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +852,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -34773,7 +34483,7 @@ index 17eda24..91eaead 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +883,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +886,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -34784,7 +34494,7 @@ index 17eda24..91eaead 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -506,7 +907,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +910,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -34793,7 +34503,7 @@ index 17eda24..91eaead 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -521,6 +922,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +925,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -34801,7 +34511,7 @@ index 17eda24..91eaead 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +943,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +946,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -34809,7 +34519,7 @@ index 17eda24..91eaead 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +953,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +956,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -34854,7 +34564,7 @@ index 17eda24..91eaead 100644
  	')
  
  	optional_policy(`
-@@ -559,14 +998,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1001,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -34886,7 +34596,7 @@ index 17eda24..91eaead 100644
  	')
  ')
  
-@@ -577,6 +1033,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1036,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -34926,7 +34636,7 @@ index 17eda24..91eaead 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1078,8 @@ optional_policy(`
+@@ -589,6 +1081,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -34935,7 +34645,7 @@ index 17eda24..91eaead 100644
  ')
  
  optional_policy(`
-@@ -610,6 +1101,7 @@ optional_policy(`
+@@ -610,6 +1104,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -34943,7 +34653,7 @@ index 17eda24..91eaead 100644
  ')
  
  optional_policy(`
-@@ -626,6 +1118,17 @@ optional_policy(`
+@@ -626,6 +1121,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34961,7 +34671,7 @@ index 17eda24..91eaead 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -642,9 +1145,13 @@ optional_policy(`
+@@ -642,9 +1148,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -34975,7 +34685,7 @@ index 17eda24..91eaead 100644
  	')
  
  	optional_policy(`
-@@ -657,15 +1164,11 @@ optional_policy(`
+@@ -657,15 +1167,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34993,7 +34703,7 @@ index 17eda24..91eaead 100644
  ')
  
  optional_policy(`
-@@ -686,6 +1189,15 @@ optional_policy(`
+@@ -686,6 +1192,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35009,7 +34719,7 @@ index 17eda24..91eaead 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -726,6 +1238,7 @@ optional_policy(`
+@@ -726,6 +1241,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -35017,7 +34727,7 @@ index 17eda24..91eaead 100644
  ')
  
  optional_policy(`
-@@ -743,7 +1256,13 @@ optional_policy(`
+@@ -743,7 +1259,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35032,7 +34742,7 @@ index 17eda24..91eaead 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -766,6 +1285,10 @@ optional_policy(`
+@@ -766,6 +1288,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35043,7 +34753,7 @@ index 17eda24..91eaead 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -775,10 +1298,20 @@ optional_policy(`
+@@ -775,10 +1301,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35064,7 +34774,7 @@ index 17eda24..91eaead 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -787,6 +1320,10 @@ optional_policy(`
+@@ -787,6 +1323,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35075,7 +34785,7 @@ index 17eda24..91eaead 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -808,8 +1345,6 @@ optional_policy(`
+@@ -808,8 +1348,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -35084,7 +34794,7 @@ index 17eda24..91eaead 100644
  ')
  
  optional_policy(`
-@@ -818,6 +1353,10 @@ optional_policy(`
+@@ -818,6 +1356,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35095,7 +34805,7 @@ index 17eda24..91eaead 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -827,10 +1366,12 @@ optional_policy(`
+@@ -827,10 +1369,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -35108,7 +34818,7 @@ index 17eda24..91eaead 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1398,60 @@ optional_policy(`
+@@ -857,21 +1401,60 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35170,7 +34880,7 @@ index 17eda24..91eaead 100644
  ')
  
  optional_policy(`
-@@ -887,6 +1467,10 @@ optional_policy(`
+@@ -887,6 +1470,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35181,7 +34891,7 @@ index 17eda24..91eaead 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -897,3 +1481,218 @@ optional_policy(`
+@@ -897,3 +1484,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -37271,7 +36981,7 @@ index 446fa99..22f539c 100644
 +	plymouthd_exec_plymouth(sulogin_t)
  ')
 diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index b50c5fe..5c39fe5 100644
+index b50c5fe..9eacd9b 100644
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
 @@ -1,11 +1,15 @@
@@ -37286,7 +36996,7 @@ index b50c5fe..5c39fe5 100644
  /etc/rc\.d/init\.d/rsyslog --	gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
  
 +/usr/lib/systemd/system/auditd.*	--	gen_context(system_u:object_r:auditd_unit_file_t,s0)
-+/usr/lib/systemd/system/syslogd.*	--	gen_context(system_u:object_r:syslogd_unit_file_t,s0)
++/usr/lib/systemd/system/rsyslog.*	--	gen_context(system_u:object_r:syslogd_unit_file_t,s0)
 +
  /sbin/audispd		--	gen_context(system_u:object_r:audisp_exec_t,s0)
  /sbin/audisp-remote	--	gen_context(system_u:object_r:audisp_remote_exec_t,s0)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 854fb99..d8d0f0f 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -29627,6 +29627,340 @@ index 36838c2..8bfc879 100644
 -	fs_read_nfs_files(sftpd_t)
 -	fs_read_nfs_symlinks(ftpd_t)
 -')
+diff --git a/fwupd.fc b/fwupd.fc
+new file mode 100644
+index 0000000..1f13f70
+--- /dev/null
++++ b/fwupd.fc
+@@ -0,0 +1,8 @@
++/usr/lib/systemd/system/fwupd-offline-update.*		--	gen_context(system_u:object_r:fwupd_unit_file_t,s0)
++/usr/lib/systemd/system/fwupd.*		--	gen_context(system_u:object_r:fwupd_unit_file_t,s0)
++
++/usr/libexec/fwupd/fwupd		--	gen_context(system_u:object_r:fwupd_exec_t,s0)
++
++/var/cache/app-info(/.*)?		gen_context(system_u:object_r:fwupd_cache_t,s0)
++
++/var/lib/fwupd(/.*)?		gen_context(system_u:object_r:fwupd_var_lib_t,s0)
+diff --git a/fwupd.if b/fwupd.if
+new file mode 100644
+index 0000000..c4d2c2d
+--- /dev/null
++++ b/fwupd.if
+@@ -0,0 +1,260 @@
++
++## <summary>fwupd is a daemon to allow session software to update device firmware</summary>
++
++########################################
++## <summary>
++##	Execute fwupd_exec_t in the fwupd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`fwupd_domtrans',`
++	gen_require(`
++		type fwupd_t, fwupd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, fwupd_exec_t, fwupd_t)
++')
++
++######################################
++## <summary>
++##	Execute fwupd in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fwupd_exec',`
++	gen_require(`
++		type fwupd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	can_exec($1, fwupd_exec_t)
++')
++
++########################################
++## <summary>
++##	Search fwupd cache directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fwupd_search_cache',`
++	gen_require(`
++		type fwupd_cache_t;
++	')
++
++	allow $1 fwupd_cache_t:dir search_dir_perms;
++	files_search_var($1)
++')
++
++########################################
++## <summary>
++##	Read fwupd cache files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fwupd_read_cache_files',`
++	gen_require(`
++		type fwupd_cache_t;
++	')
++
++	files_search_var($1)
++	read_files_pattern($1, fwupd_cache_t, fwupd_cache_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	fwupd cache files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fwupd_manage_cache_files',`
++	gen_require(`
++		type fwupd_cache_t;
++	')
++
++	files_search_var($1)
++	manage_files_pattern($1, fwupd_cache_t, fwupd_cache_t)
++')
++
++########################################
++## <summary>
++##	Manage fwupd cache dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fwupd_manage_cache_dirs',`
++	gen_require(`
++		type fwupd_cache_t;
++	')
++
++	files_search_var($1)
++	manage_dirs_pattern($1, fwupd_cache_t, fwupd_cache_t)
++')
++
++
++########################################
++## <summary>
++##	Search fwupd lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fwupd_search_lib',`
++	gen_require(`
++		type fwupd_var_lib_t;
++	')
++
++	allow $1 fwupd_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read fwupd lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fwupd_read_lib_files',`
++	gen_require(`
++		type fwupd_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, fwupd_var_lib_t, fwupd_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage fwupd lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fwupd_manage_lib_files',`
++	gen_require(`
++		type fwupd_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, fwupd_var_lib_t, fwupd_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage fwupd lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fwupd_manage_lib_dirs',`
++	gen_require(`
++		type fwupd_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, fwupd_var_lib_t, fwupd_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Execute fwupd server in the fwupd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`fwupd_systemctl',`
++	gen_require(`
++		type fwupd_t;
++		type fwupd_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++        systemd_read_fifo_file_passwd_run($1)
++	allow $1 fwupd_unit_file_t:file read_file_perms;
++	allow $1 fwupd_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, fwupd_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an fwupd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fwupd_admin',`
++	gen_require(`
++		type fwupd_t;
++		type fwupd_cache_t;
++		type fwupd_var_lib_t;
++	type fwupd_unit_file_t;
++	')
++
++	allow $1 fwupd_t:process { signal_perms };
++	ps_process_pattern($1, fwupd_t)
++
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 fwupd_t:process ptrace;
++    ')
++
++	files_search_var($1)
++	admin_pattern($1, fwupd_cache_t)
++
++	files_search_var_lib($1)
++	admin_pattern($1, fwupd_var_lib_t)
++
++	fwupd_systemctl($1)
++	admin_pattern($1, fwupd_unit_file_t)
++	allow $1 fwupd_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/fwupd.te b/fwupd.te
+new file mode 100644
+index 0000000..8937282
+--- /dev/null
++++ b/fwupd.te
+@@ -0,0 +1,48 @@
++policy_module(fwupd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type fwupd_t;
++type fwupd_exec_t;
++init_daemon_domain(fwupd_t, fwupd_exec_t)
++
++type fwupd_cache_t;
++files_type(fwupd_cache_t)
++
++type fwupd_var_lib_t;
++files_type(fwupd_var_lib_t)
++
++type fwupd_unit_file_t;
++systemd_unit_file(fwupd_unit_file_t)
++
++########################################
++#
++# fwupd local policy
++#
++allow fwupd_t self:fifo_file rw_fifo_file_perms;
++allow fwupd_t self:unix_stream_socket create_stream_socket_perms;
++allow fwupd_t self:netlink_kobject_uevent_socket create_socket_perms;;
++
++manage_dirs_pattern(fwupd_t, fwupd_cache_t, fwupd_cache_t)
++manage_files_pattern(fwupd_t, fwupd_cache_t, fwupd_cache_t)
++manage_lnk_files_pattern(fwupd_t, fwupd_cache_t, fwupd_cache_t)
++files_var_filetrans(fwupd_t, fwupd_cache_t, { dir })
++
++manage_dirs_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t)
++manage_files_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t)
++manage_lnk_files_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t)
++files_var_lib_filetrans(fwupd_t, fwupd_var_lib_t, { dir })
++
++auth_read_passwd(fwupd_t)
++
++dev_rw_sysfs(fwupd_t)
++dev_rw_generic_usb_dev(fwupd_t)
++
++udev_read_pid_files(fwupd_t)
++
++optional_policy(`
++	dbus_system_domain(fwupd_t,fwupd_exec_t)
++')
 diff --git a/games.if b/games.if
 index e2a3e0d..50ebd40 100644
 --- a/games.if
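Review bot: The doc block on `fwupd_systemctl` in fwupd.if reads "Execute fwupd server in the fwupd domain" with the parameter described as "Domain allowed to transition", but the body performs no domain transition. It lets the caller run systemctl, read `fwupd_unit_file_t` files and hold `manage_service_perms` on the fwupd service, and policy authors pick interfaces by these summaries, so a wrong one leads to unintended grants. I would reword it to `##	Execute systemctl to manage the fwupd service units.` and change the parameter text to `Domain allowed access.`. Separately, the `netlink_kobject_uevent_socket` rule in fwupd.te ends in `;;`; the second semicolon looks like a typo and should be dropped.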
@@ -37269,16 +37603,17 @@ index 0000000..61f2003
 +userdom_use_user_terminals(iotop_t)
 diff --git a/ipa.fc b/ipa.fc
 new file mode 100644
-index 0000000..3a71430
+index 0000000..ce135f3
 --- /dev/null
 +++ b/ipa.fc
-@@ -0,0 +1,13 @@
+@@ -0,0 +1,14 @@
 +/usr/lib/systemd/system/ipa-otpd.*		--	gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
 +
 +/usr/libexec/ipa-otpd		--	gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
 +
 +/usr/libexec/ipa/com\.redhat\.idm\.trust-fetch-domains --   gen_context(system_u:object_r:ipa_helper_exec_t,s0)
 +/usr/libexec/ipa/oddjob/com\.redhat\.idm\.trust-fetch-domains  --  gen_context(system_u:object_r:ipa_helper_exec_t,s0)
++/usr/libexec/ipa/oddjob/org\.freeipa\.server\.conncheck  --  gen_context(system_u:object_r:ipa_helper_exec_t,s0)
 +
 +/var/lib/ipa(/.*)?              gen_context(system_u:object_r:ipa_var_lib_t,s0)
 +
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6b7292c..6ff9647 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 166%{?dist}
+Release: 167%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -664,6 +664,13 @@ exit 0
 %endif
 
 %changelog
+* Mon Jan 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-167
+- Add fwupd policy for daemon to allow session software to update device firmware
+- Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930)
+- Allow systemd services to use PrivateNetwork feature
+- Add a type and genfscon for nsfs.
+- Fix SELinux context for rsyslog unit file. BZ(1284173)
+
 * Wed Jan 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-166
 - Allow logrotate to systemctl rsyslog service. BZ(1284173)
 - Allow condor_master_t domain capability chown. BZ(1297048)