diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index b8c55f3..3cca223 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5637,7 +5637,7 @@ index b31c054..17e11e0 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..e26dfc3 100644
+index 76f285e..0fc6f53 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -6384,7 +6384,32 @@ index 76f285e..e26dfc3 100644
  ##	Do not audit attempts to get the attributes
  ##	of the BIOS non-volatile RAM device.
  ## </summary>
-@@ -3254,7 +3565,25 @@ interface(`dev_rw_printer',`
+@@ -3163,6 +3474,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
+ 
+ ########################################
+ ## <summary>
++##	Read BIOS non-volatile RAM.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_read_nvram',`
++	gen_require(`
++		type nvram_device_t;
++	')
++
++	read_chr_files_pattern($1, device_t, nvram_device_t)
++')
++
++########################################
++## <summary>
+ ##	Read and write BIOS non-volatile RAM.
+ ## </summary>
+ ## <param name="domain">
+@@ -3254,7 +3583,25 @@ interface(`dev_rw_printer',`
  
  ########################################
  ## <summary>
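Review bot: The new `dev_read_nvram` interface names `device_t` in `read_chr_files_pattern($1, device_t, nvram_device_t)`, but its `gen_require` block declares only `nvram_device_t`. Other interfaces in this patch that use the same pattern, such as `dev_rw_tpm`, require both types, so a module whose only reference to `device_t` comes through this interface would presumably fail to resolve it. Change the require line to `type device_t, nvram_device_t;`. Since /dev/nvram holds firmware settings, a `<desc>` paragraph saying what callers are expected to read from it would also help policy authors judge whether read access is warranted.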
@@ -6411,7 +6436,7 @@ index 76f285e..e26dfc3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3262,12 +3591,13 @@ interface(`dev_rw_printer',`
+@@ -3262,12 +3609,13 @@ interface(`dev_rw_printer',`
  ##	</summary>
  ## </param>
  #
@@ -6428,356 +6453,29 @@ index 76f285e..e26dfc3 100644
  ')
  
  ########################################
-@@ -3855,7 +4185,7 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,6 +4203,96 @@ interface(`dev_getattr_sysfs_dirs',`
  
  ########################################
  ## <summary>
--##	Search the sysfs directories.
 +##	Set the attributes of sysfs directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -3863,53 +4193,53 @@ interface(`dev_getattr_sysfs_dirs',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_search_sysfs',`
-+interface(`dev_setattr_sysfs_dirs',`
- 	gen_require(`
- 		type sysfs_t;
- 	')
- 
--	search_dirs_pattern($1, sysfs_t, sysfs_t)
-+	allow $1 sysfs_t:dir setattr_dir_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to search sysfs.
-+##	Get attributes of sysfs filesystems.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`dev_dontaudit_search_sysfs',`
-+interface(`dev_getattr_sysfs_fs',`
- 	gen_require(`
- 		type sysfs_t;
- 	')
- 
--	dontaudit $1 sysfs_t:dir search_dir_perms;
-+	allow $1 sysfs_t:filesystem getattr;
- ')
- 
- ########################################
- ## <summary>
--##	List the contents of the sysfs directories.
-+##	Mount a filesystem on /sys
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain allow access.
- ##	</summary>
- ## </param>
- #
--interface(`dev_list_sysfs',`
-+interface(`dev_mounton_sysfs',`
- 	gen_require(`
- 		type sysfs_t;
- 	')
- 
--	list_dirs_pattern($1, sysfs_t, sysfs_t)
-+	allow $1 sysfs_t:dir mounton;
- ')
- 
- ########################################
- ## <summary>
--##	Write in a sysfs directories.
-+##	Mount sysfs filesystems.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -3917,37 +4247,35 @@ interface(`dev_list_sysfs',`
- ##	</summary>
- ## </param>
- #
--# cjp: added for cpuspeed
--interface(`dev_write_sysfs_dirs',`
-+interface(`dev_mount_sysfs_fs',`
- 	gen_require(`
- 		type sysfs_t;
- 	')
- 
--	allow $1 sysfs_t:dir write;
-+	allow $1 sysfs_t:filesystem mount;
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to write in a sysfs directory.
-+##	Unmount sysfs filesystems.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`dev_dontaudit_write_sysfs_dirs',`
-+interface(`dev_unmount_sysfs_fs',`
- 	gen_require(`
- 		type sysfs_t;
- 	')
- 
--	dontaudit $1 sysfs_t:dir write;
-+	allow $1 sysfs_t:filesystem unmount;
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete sysfs
--##	directories.
-+##	Search the sysfs directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -3955,47 +4283,35 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_manage_sysfs_dirs',`
-+interface(`dev_search_sysfs',`
- 	gen_require(`
- 		type sysfs_t;
- 	')
- 
--	manage_dirs_pattern($1, sysfs_t, sysfs_t)
-+	search_dirs_pattern($1, sysfs_t, sysfs_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read hardware state information.
-+##	Do not audit attempts to search sysfs.
- ## </summary>
--## <desc>
--##	<p>
--##	Allow the specified domain to read the contents of
--##	the sysfs filesystem.  This filesystem contains
--##	information, parameters, and other settings on the
--##	hardware installed on the system.
--##	</p>
--## </desc>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
--## <infoflow type="read" weight="10"/>
- #
--interface(`dev_read_sysfs',`
-+interface(`dev_dontaudit_search_sysfs',`
- 	gen_require(`
- 		type sysfs_t;
- 	')
- 
--	read_files_pattern($1, sysfs_t, sysfs_t)
--	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
--
--	list_dirs_pattern($1, sysfs_t, sysfs_t)
-+	dontaudit $1 sysfs_t:dir search_dir_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Allow caller to modify hardware state information.
-+##	List the contents of the sysfs directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4003,20 +4319,18 @@ interface(`dev_read_sysfs',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_rw_sysfs',`
-+interface(`dev_list_sysfs',`
- 	gen_require(`
- 		type sysfs_t;
- 	')
- 
--	rw_files_pattern($1, sysfs_t, sysfs_t)
- 	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
--
- 	list_dirs_pattern($1, sysfs_t, sysfs_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read and write the TPM device.
-+##	Write in a sysfs directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4024,78 +4338,60 @@ interface(`dev_rw_sysfs',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_rw_tpm',`
-+# cjp: added for cpuspeed
-+interface(`dev_write_sysfs_dirs',`
- 	gen_require(`
--		type device_t, tpm_device_t;
-+		type sysfs_t;
- 	')
- 
--	rw_chr_files_pattern($1, device_t, tpm_device_t)
-+	allow $1 sysfs_t:dir write;
- ')
- 
- ########################################
- ## <summary>
--##	Read from pseudo random number generator devices (e.g., /dev/urandom).
-+##	Do not audit attempts to write in a sysfs directory.
- ## </summary>
--## <desc>
--##	<p>
--##	Allow the specified domain to read from pseudo random number
--##	generator devices (e.g., /dev/urandom).  Typically this is
--##	used in situations when a cryptographically secure random
--##	number is not necessarily needed.  One example is the Stack
--##	Smashing Protector (SSP, formerly known as ProPolice) support
--##	that may be compiled into programs.
--##	</p>
--##	<p>
--##	Related interface:
--##	</p>
--##	<ul>
--##		<li>dev_read_rand()</li>
--##	</ul>
--##	<p>
--##	Related tunable:
--##	</p>
--##	<ul>
--##		<li>global_ssp</li>
--##	</ul>
--## </desc>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
--## <infoflow type="read" weight="10"/>
- #
--interface(`dev_read_urand',`
-+interface(`dev_dontaudit_write_sysfs_dirs',`
- 	gen_require(`
--		type device_t, urandom_device_t;
-+		type sysfs_t;
- 	')
- 
--	read_chr_files_pattern($1, device_t, urandom_device_t)
-+	dontaudit $1 sysfs_t:dir write;
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to read from pseudo
--##	random devices (e.g., /dev/urandom)
-+##	Read cpu online hardware state information.
- ## </summary>
-+## <desc>
-+##	<p>
-+##	Allow the specified domain to read /sys/devices/system/cpu/online file.
-+##	</p>
-+## </desc>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`dev_dontaudit_read_urand',`
-+interface(`dev_read_cpu_online',`
- 	gen_require(`
--		type urandom_device_t;
-+		type cpu_online_t;
- 	')
- 
--	dontaudit $1 urandom_device_t:chr_file { getattr read };
-+	dev_search_sysfs($1)
-+	read_files_pattern($1, cpu_online_t, cpu_online_t)
- ')
- 
- ########################################
- ## <summary>
--##	Write to the pseudo random device (e.g., /dev/urandom). This
--##	sets the random number generator seed.
-+##	Relabel cpu online hardware state information.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4103,19 +4399,245 @@ interface(`dev_dontaudit_read_urand',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_write_urand',`
-+interface(`dev_relabel_cpu_online',`
- 	gen_require(`
--		type device_t, urandom_device_t;
-+		type cpu_online_t;
-+		type sysfs_t;
- 	')
- 
--	write_chr_files_pattern($1, device_t, urandom_device_t)
-+	dev_search_sysfs($1)
-+	allow $1 cpu_online_t:file relabel_file_perms;
- ')
- 
-+
- ########################################
- ## <summary>
--##	Getattr generic the USB devices.
-+##	Read hardware state information.
- ## </summary>
--## <param name="domain">
-+## <desc>
-+##	<p>
-+##	Allow the specified domain to read the contents of
-+##	the sysfs filesystem.  This filesystem contains
-+##	information, parameters, and other settings on the
-+##	hardware installed on the system.
-+##	</p>
-+## </desc>
++## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <infoflow type="read" weight="10"/>
 +#
-+interface(`dev_read_sysfs',`
++interface(`dev_setattr_sysfs_dirs',`
 +	gen_require(`
 +		type sysfs_t;
 +	')
 +
-+	read_files_pattern($1, sysfs_t, sysfs_t)
-+	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
-+
-+	list_dirs_pattern($1, sysfs_t, sysfs_t)
++	allow $1 sysfs_t:dir setattr_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Allow caller to modify hardware state information.
++##	Get attributes of sysfs filesystems.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -6785,38 +6483,35 @@ index 76f285e..e26dfc3 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_rw_sysfs',`
++interface(`dev_getattr_sysfs_fs',`
 +	gen_require(`
 +		type sysfs_t;
 +	')
 +
-+	rw_files_pattern($1, sysfs_t, sysfs_t)
-+	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
-+
-+	list_dirs_pattern($1, sysfs_t, sysfs_t)
++	allow $1 sysfs_t:filesystem getattr;
 +')
 +
 +########################################
 +## <summary>
-+##	Relabel hardware state directories.
++##	Mount a filesystem on /sys
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain allow access.
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_relabel_sysfs_dirs',`
++interface(`dev_mounton_sysfs',`
 +	gen_require(`
 +		type sysfs_t;
 +	')
 +
-+	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++	allow $1 sysfs_t:dir mounton;
 +')
 +
 +########################################
 +## <summary>
-+##	Relabel hardware state files
++##	Mount sysfs filesystems.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -6824,19 +6519,17 @@ index 76f285e..e26dfc3 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_relabel_all_sysfs',`
++interface(`dev_mount_sysfs_fs',`
 +	gen_require(`
 +		type sysfs_t;
 +	')
 +
-+	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
-+	relabel_files_pattern($1, sysfs_t, sysfs_t)
-+	relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
++	allow $1 sysfs_t:filesystem mount;
 +')
 +
 +########################################
 +## <summary>
-+##	Allow caller to modify hardware state information.
++##	Unmount sysfs filesystems.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -6844,17 +6537,59 @@ index 76f285e..e26dfc3 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_manage_sysfs_dirs',`
++interface(`dev_unmount_sysfs_fs',`
 +	gen_require(`
 +		type sysfs_t;
 +	')
 +
-+	manage_dirs_pattern($1, sysfs_t, sysfs_t)
++	allow $1 sysfs_t:filesystem unmount;
 +')
 +
 +########################################
 +## <summary>
-+##	Read and write the TPM device.
+ ##	Search the sysfs directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -3904,6 +4342,7 @@ interface(`dev_list_sysfs',`
+ 		type sysfs_t;
+ 	')
+ 
++	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+ 	list_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+ 
+@@ -3946,23 +4385,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete sysfs
+-##	directories.
++##	Read cpu online hardware state information.
+ ## </summary>
++## <desc>
++##	<p>
++##	Allow the specified domain to read /sys/devices/system/cpu/online file.
++##	</p>
++## </desc>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_manage_sysfs_dirs',`
++interface(`dev_read_cpu_online',`
++	gen_require(`
++		type cpu_online_t;
++	')
++
++	dev_search_sysfs($1)
++	read_files_pattern($1, cpu_online_t, cpu_online_t)
++')
++
++########################################
++## <summary>
++##	Relabel cpu online hardware state information.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -6862,78 +6597,85 @@ index 76f285e..e26dfc3 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_rw_tpm',`
-+	gen_require(`
-+		type device_t, tpm_device_t;
++interface(`dev_relabel_cpu_online',`
+ 	gen_require(`
++		type cpu_online_t;
+ 		type sysfs_t;
+ 	')
+ 
+-	manage_dirs_pattern($1, sysfs_t, sysfs_t)
++	dev_search_sysfs($1)
++	allow $1 cpu_online_t:file relabel_file_perms;
+ ')
+ 
++
+ ########################################
+ ## <summary>
+ ##	Read hardware state information.
+@@ -4016,7 +4481,7 @@ interface(`dev_rw_sysfs',`
+ 
+ ########################################
+ ## <summary>
+-##	Read and write the TPM device.
++##	Relabel hardware state directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4024,9 +4489,65 @@ interface(`dev_rw_sysfs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_rw_tpm',`
++interface(`dev_relabel_sysfs_dirs',`
+ 	gen_require(`
+-		type device_t, tpm_device_t;
++		type sysfs_t;
 +	')
 +
-+	rw_chr_files_pattern($1, device_t, tpm_device_t)
++	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Read from pseudo random number generator devices (e.g., /dev/urandom).
++##	Relabel hardware state files
 +## </summary>
-+## <desc>
-+##	<p>
-+##	Allow the specified domain to read from pseudo random number
-+##	generator devices (e.g., /dev/urandom).  Typically this is
-+##	used in situations when a cryptographically secure random
-+##	number is not necessarily needed.  One example is the Stack
-+##	Smashing Protector (SSP, formerly known as ProPolice) support
-+##	that may be compiled into programs.
-+##	</p>
-+##	<p>
-+##	Related interface:
-+##	</p>
-+##	<ul>
-+##		<li>dev_read_rand()</li>
-+##	</ul>
-+##	<p>
-+##	Related tunable:
-+##	</p>
-+##	<ul>
-+##		<li>global_ssp</li>
-+##	</ul>
-+## </desc>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <infoflow type="read" weight="10"/>
 +#
-+interface(`dev_read_urand',`
++interface(`dev_relabel_all_sysfs',`
 +	gen_require(`
-+		type device_t, urandom_device_t;
++		type sysfs_t;
 +	')
 +
-+	read_chr_files_pattern($1, device_t, urandom_device_t)
++	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++	relabel_files_pattern($1, sysfs_t, sysfs_t)
++	relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to read from pseudo
-+##	random devices (e.g., /dev/urandom)
++##	Allow caller to modify hardware state information.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_dontaudit_read_urand',`
++interface(`dev_manage_sysfs_dirs',`
 +	gen_require(`
-+		type urandom_device_t;
++		type sysfs_t;
 +	')
 +
-+	dontaudit $1 urandom_device_t:chr_file { getattr read };
++	manage_dirs_pattern($1, sysfs_t, sysfs_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Write to the pseudo random device (e.g., /dev/urandom). This
-+##	sets the random number generator seed.
++##	Read and write the TPM device.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
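Review bot: `dev_manage_sysfs_dirs` ends up documented as `Allow caller to modify hardware state information.`, which does not describe what `manage_dirs_pattern($1, sysfs_t, sysfs_t)` grants. The same wording sits above `dev_rw_sysfs` elsewhere in this patch. The inner patch drops the upstream text `Create, read, write, and delete sysfs directories.` where it inserts `dev_read_cpu_online`, and the re-added interface never gets it back. Interface summaries are what policy authors read when picking the narrowest grant, so restore the upstream summary on the re-added block. The `type sysfs_t;` line in `dev_relabel_cpu_online`'s `gen_require` also looks unused, since the body only names `cpu_online_t` and calls `dev_search_sysfs($1)`.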
@@ -6941,16 +6683,16 @@ index 76f285e..e26dfc3 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_write_urand',`
++interface(`dev_rw_tpm',`
 +	gen_require(`
-+		type device_t, urandom_device_t;
-+	')
-+
-+	write_chr_files_pattern($1, device_t, urandom_device_t)
-+')
-+
-+########################################
-+## <summary>
++		type device_t, tpm_device_t;
+ 	')
+ 
+ 	rw_chr_files_pattern($1, device_t, tpm_device_t)
+@@ -4113,6 +4634,25 @@ interface(`dev_write_urand',`
+ 
+ ########################################
+ ## <summary>
 +##	Do not audit attempts to write to pseudo
 +##	random devices (e.g., /dev/urandom)
 +## </summary>
@@ -6970,13 +6712,10 @@ index 76f285e..e26dfc3 100644
 +
 +########################################
 +## <summary>
-+##	Getattr generic the USB devices.
-+## </summary>
-+## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
-@@ -4409,9 +4931,9 @@ interface(`dev_rw_usbfs',`
+ ##	Getattr generic the USB devices.
+ ## </summary>
+ ## <param name="domain">
+@@ -4409,9 +4949,9 @@ interface(`dev_rw_usbfs',`
  	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
  ')
  
@@ -6988,7 +6727,7 @@ index 76f285e..e26dfc3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4419,17 +4941,17 @@ interface(`dev_rw_usbfs',`
+@@ -4419,17 +4959,17 @@ interface(`dev_rw_usbfs',`
  ##	</summary>
  ## </param>
  #
@@ -7011,7 +6750,7 @@ index 76f285e..e26dfc3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4437,12 +4959,12 @@ interface(`dev_getattr_video_dev',`
+@@ -4437,12 +4977,12 @@ interface(`dev_getattr_video_dev',`
  ##	</summary>
  ## </param>
  #
@@ -7027,7 +6766,7 @@ index 76f285e..e26dfc3 100644
  ')
  
  ########################################
-@@ -4539,6 +5061,134 @@ interface(`dev_write_video_dev',`
+@@ -4539,6 +5079,134 @@ interface(`dev_write_video_dev',`
  
  ########################################
  ## <summary>
@@ -7162,7 +6901,7 @@ index 76f285e..e26dfc3 100644
  ##	Allow read/write the vhost net device
  ## </summary>
  ## <param name="domain">
-@@ -4557,6 +5207,24 @@ interface(`dev_rw_vhost',`
+@@ -4557,6 +5225,24 @@ interface(`dev_rw_vhost',`
  
  ########################################
  ## <summary>
@@ -7187,7 +6926,7 @@ index 76f285e..e26dfc3 100644
  ##	Read and write VMWare devices.
  ## </summary>
  ## <param name="domain">
-@@ -4762,6 +5430,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5448,26 @@ interface(`dev_rw_xserver_misc',`
  
  ########################################
  ## <summary>
@@ -7214,7 +6953,7 @@ index 76f285e..e26dfc3 100644
  ##	Read and write to the zero device (/dev/zero).
  ## </summary>
  ## <param name="domain">
-@@ -4851,3 +5539,943 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5557,943 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -15146,7 +14885,7 @@ index 522ab32..cb9c3a2 100644
  	')
  }
 diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
-index 54f1827..409df4f 100644
+index 54f1827..cc2de1a 100644
 --- a/policy/modules/kernel/storage.fc
 +++ b/policy/modules/kernel/storage.fc
 @@ -23,12 +23,15 @@
@@ -15166,16 +14905,17 @@ index 54f1827..409df4f 100644
  /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/mtd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-@@ -51,7 +54,7 @@ ifdef(`distro_redhat', `
+@@ -51,7 +54,8 @@ ifdef(`distro_redhat', `
  /dev/sjcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/sonycd		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/tape.*		-c	gen_context(system_u:object_r:tape_device_t,s0)
 -/dev/tw[a-z][^/]+	-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/dev/tgt        -c  gen_context(system_u:object_r:scsi_generic_device_t,s0)
 +/dev/tw[a-z][^/]*	-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/ub[a-z][^/]+	-b	gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
  /dev/ubd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/vd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-@@ -81,3 +84,6 @@ ifdef(`distro_redhat', `
+@@ -81,3 +85,6 @@ ifdef(`distro_redhat', `
  
  /lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /lib/udev/devices/fuse	-c	gen_context(system_u:object_r:fuse_device_t,s0)
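Review bot: Labelling `/dev/tgt` as `scsi_generic_device_t` opens the tgt control node to every domain that already holds the SCSI-generic interfaces, not just tgtd. For example, `mdadm_t` calls both `storage_read_scsi_generic` and `storage_write_scsi_generic` in raid.te. Whether that breadth is intended is not visible from this hunk, so either a dedicated type for the node or a comment above the entry explaining the reuse would make the decision reviewable. The entry is also separated with spaces where the neighbouring lines use tabs; it should read `/dev/tgt		-c	gen_context(system_u:object_r:scsi_generic_device_t,s0)`.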
@@ -31487,7 +31227,7 @@ index 7449974..6375786 100644
 +	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
 +')
 diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 7a49e28..3e5393b 100644
+index 7a49e28..1d374a0 100644
 --- a/policy/modules/system/modutils.te
 +++ b/policy/modules/system/modutils.te
 @@ -5,7 +5,7 @@ policy_module(modutils, 1.13.3)
@@ -31668,7 +31408,7 @@ index 7a49e28..3e5393b 100644
  userdom_dontaudit_search_user_home_dirs(insmod_t)
  
  kernel_domtrans_to(insmod_t, insmod_exec_t)
-@@ -184,28 +202,32 @@ optional_policy(`
+@@ -184,28 +202,33 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31685,6 +31425,7 @@ index 7a49e28..3e5393b 100644
  
  optional_policy(`
 -	hotplug_search_config(insmod_t)
++    firewalld_dontaudit_write_tmp_files(insmod_t)
 +	firewallgui_dontaudit_rw_pipes(insmod_t)
  ')
  
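Review bot: The added `firewalld_dontaudit_write_tmp_files(insmod_t)` call shares one `optional_policy` block with `firewallgui_dontaudit_rw_pipes(insmod_t)`, and an optional block is dropped as a whole when any interface in it cannot be resolved. If firewalld and firewallgui are separate modules, removing either one would silently disable the other rule too; giving the new call its own `optional_policy` block avoids that coupling. The line is indented with four spaces where the rest of the block uses a tab. A dontaudit rule also hides genuine write attempts by `insmod_t` on firewalld's temporary files from the audit log, so a short comment such as `# leaked fd inherited from firewalld, see changelog 3.12.1-52` would record why the suppression is acceptable.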
@@ -31708,7 +31449,7 @@ index 7a49e28..3e5393b 100644
  ')
  
  optional_policy(`
-@@ -225,6 +247,7 @@ optional_policy(`
+@@ -225,6 +248,7 @@ optional_policy(`
  
  optional_policy(`
  	rpm_rw_pipes(insmod_t)
@@ -31716,7 +31457,7 @@ index 7a49e28..3e5393b 100644
  ')
  
  optional_policy(`
-@@ -233,6 +256,10 @@ optional_policy(`
+@@ -233,6 +257,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31727,7 +31468,7 @@ index 7a49e28..3e5393b 100644
  	# cjp: why is this needed:
  	dev_rw_xserver_misc(insmod_t)
  
-@@ -291,11 +318,10 @@ init_use_script_ptys(update_modules_t)
+@@ -291,11 +319,10 @@ init_use_script_ptys(update_modules_t)
  
  logging_send_syslog_msg(update_modules_t)
  
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 68c500f..dd55837 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -64407,7 +64407,7 @@ index 951db7f..6d6ec1d 100644
 +	allow $1 mdadm_exec_t:file { getattr_file_perms execute };
  ')
 diff --git a/raid.te b/raid.te
-index 2c1730b..259b790 100644
+index 2c1730b..e67ea1b 100644
 --- a/raid.te
 +++ b/raid.te
 @@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t;
@@ -64453,10 +64453,11 @@ index 2c1730b..259b790 100644
  
  corecmd_exec_bin(mdadm_t)
  corecmd_exec_shell(mdadm_t)
-@@ -51,17 +59,19 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t)
+@@ -51,17 +59,20 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t)
  dev_dontaudit_getattr_all_chr_files(mdadm_t)
  dev_read_realtime_clock(mdadm_t)
  dev_read_raw_memory(mdadm_t)
++dev_read_nvram(mdadm_t)
 +dev_read_generic_files(mdadm_t)
  
 +domain_read_all_domains_state(mdadm_t)
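Review bot: `dev_read_nvram(mdadm_t)` is added with no comment saying which mdadm code path opens /dev/nvram, in a block that already grants `dev_read_raw_memory(mdadm_t)`. Both are unusually sensitive reads for a storage tool, and without a recorded reason the grant is hard to revisit or narrow later. A one-line comment above the call, e.g. `# mdadm reads /dev/nvram: <reason or bug reference>`, would cover it. The surrounding mdadm_t rules continue outside this hunk.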
@@ -64475,7 +64476,7 @@ index 2c1730b..259b790 100644
  
  mls_file_read_all_levels(mdadm_t)
  mls_file_write_all_levels(mdadm_t)
-@@ -70,16 +80,18 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -70,16 +81,18 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
  storage_manage_fixed_disk(mdadm_t)
  storage_read_scsi_generic(mdadm_t)
  storage_write_scsi_generic(mdadm_t)
@@ -70529,7 +70530,7 @@ index 0628d50..84f2fd7 100644
 +	allow rpm_script_t $1:process sigchld;
  ')
 diff --git a/rpm.te b/rpm.te
-index 5cbe81c..f79d5f4 100644
+index 5cbe81c..ff2b58e 100644
 --- a/rpm.te
 +++ b/rpm.te
 @@ -1,15 +1,13 @@
@@ -70785,7 +70786,7 @@ index 5cbe81c..f79d5f4 100644
  ')
  
  ########################################
-@@ -239,19 +252,20 @@ optional_policy(`
+@@ -239,18 +252,20 @@ optional_policy(`
  #
  
  allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
@@ -70803,13 +70804,13 @@ index 5cbe81c..f79d5f4 100644
  allow rpm_script_t self:msgq create_msgq_perms;
  allow rpm_script_t self:msg { send receive };
  allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms;
- 
--allow rpm_script_t rpm_t:netlink_route_socket { read write };
 -
+-allow rpm_script_t rpm_t:netlink_route_socket { read write };
++allow rpm_script_t self:netlink_audit_socket create_socket_perms;
+ 
  allow rpm_script_t rpm_tmp_t:file read_file_perms;
  
- allow rpm_script_t rpm_script_tmp_t:dir mounton;
-@@ -267,8 +281,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+@@ -267,8 +282,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
  manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
  manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
  fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
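Review bot: The new rule `allow rpm_script_t self:netlink_audit_socket create_socket_perms;` covers creating and using the socket but not the `nlmsg_relay` permission, and the `self:capability` set shown a few lines earlier in this patch does not list `audit_write`. If the changelog's goal (runuser running as rpm_script_t) is for those audit records to actually be emitted, the usual way to grant the full set is `logging_send_audit_msgs(rpm_script_t)`. If the goal is only to stop the socket-creation denial, a comment saying so would keep a later reader from assuming auditing works from this domain. This is inferred from the visible lines only; other rpm_script_t rules lie outside the hunk.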
@@ -70820,7 +70821,7 @@ index 5cbe81c..f79d5f4 100644
  
  kernel_read_crypto_sysctls(rpm_script_t)
  kernel_read_kernel_sysctls(rpm_script_t)
-@@ -277,45 +292,27 @@ kernel_read_network_state(rpm_script_t)
+@@ -277,45 +293,27 @@ kernel_read_network_state(rpm_script_t)
  kernel_list_all_proc(rpm_script_t)
  kernel_read_software_raid_state(rpm_script_t)
  
@@ -70870,7 +70871,7 @@ index 5cbe81c..f79d5f4 100644
  mls_file_read_all_levels(rpm_script_t)
  mls_file_write_all_levels(rpm_script_t)
  
-@@ -331,30 +328,48 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -331,30 +329,48 @@ storage_raw_write_fixed_disk(rpm_script_t)
  
  term_getattr_unallocated_ttys(rpm_script_t)
  term_list_ptys(rpm_script_t)
@@ -70928,7 +70929,7 @@ index 5cbe81c..f79d5f4 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -363,40 +378,54 @@ ifdef(`distro_redhat',`
+@@ -363,40 +379,54 @@ ifdef(`distro_redhat',`
  	')
  ')
  
@@ -70993,7 +70994,7 @@ index 5cbe81c..f79d5f4 100644
  	unconfined_domtrans(rpm_script_t)
  
  	optional_policy(`
-@@ -409,6 +438,6 @@ optional_policy(`
+@@ -409,6 +439,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83440,6 +83441,18 @@ index 38389e6..4847b43 100644
 +/usr/sbin/tgtd			--	gen_context(system_u:object_r:tgtd_exec_t,s0)
 +/var/lib/tgtd(/.*)?			gen_context(system_u:object_r:tgtd_var_lib_t,s0)
 +/var/run/tgtd.*			-s	gen_context(system_u:object_r:tgtd_var_run_t,s0)
+diff --git a/tgtd.if b/tgtd.if
+index 5406b6e..dc5b46e 100644
+--- a/tgtd.if
++++ b/tgtd.if
+@@ -97,6 +97,6 @@ interface(`tgtd_admin',`
+ 	files_search_tmp($1)
+ 	admin_pattern($1, tgtd_tmp_t)
+ 
+-	files_search_tmpfs($1)
++	fs_search_tmpfs($1)
+ 	admin_pattern($1, tgtd_tmpfs_t)
+ ')
 diff --git a/tgtd.te b/tgtd.te
 index c93c973..08aef1e 100644
 --- a/tgtd.te
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 36979ff..fd27e30 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 51%{?dist}
+Release: 52%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -530,6 +530,12 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Jun 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-52
+- Add labeling for /dev/tgt
+- Dontaudit leak fd from firewalld for modprobe
+- Allow runuser running as rpm_script_t to create netlink_audit socket
+- Allow mdadm to read BIOS non-volatile RAM
+
 * Thu Jun 13 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-51
 - accountservice watches when accounts come and go in wtmp
 - /usr/java/jre1.7.0_21/bin/java needs to create netlink socket