diff --git a/container-selinux.tgz b/container-selinux.tgz
index ecd2a47..a948e55 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index c4bf466..e9995ed 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -27411,10 +27411,10 @@ index 000000000..bb9082586
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 000000000..bdfe41b61
+index 000000000..93d7f8839
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,363 @@
+@@ -0,0 +1,367 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -27735,6 +27735,10 @@ index 000000000..bdfe41b61
 +')
 +
 +optional_policy(`
++	chronyd_run_chronyc(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
 +	oddjob_run_mkhomedir(unconfined_t, unconfined_r)
 +	oddjob_run(unconfined_t, unconfined_r)
 +')
@@ -43463,7 +43467,7 @@ index 79048c410..d404d6528 100644
  	udev_read_pid_files(lvm_t)
  ')
 diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 9fe8e01e3..c62c76136 100644
+index 9fe8e01e3..6aa1ea05a 100644
 --- a/policy/modules/system/miscfiles.fc
 +++ b/policy/modules/system/miscfiles.fc
 @@ -9,11 +9,16 @@ ifdef(`distro_gentoo',`
@@ -43524,16 +43528,19 @@ index 9fe8e01e3..c62c76136 100644
  
  /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
  
-@@ -90,6 +91,7 @@ ifdef(`distro_debian',`
+@@ -89,7 +90,10 @@ ifdef(`distro_debian',`
+ /var/lib/usbutils(/.*)?		gen_context(system_u:object_r:hwdata_t,s0)
  ')
  
++/var/lib/letsencrypt(/.*)?			gen_context(system_u:object_r:cert_t,s0)
++
  ifdef(`distro_redhat',`
 +/var/named/chroot/etc/localtime	--	gen_context(system_u:object_r:locale_t,s0)
  /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
  /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
  ')
 diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index fc28bc31b..7ed7664fb 100644
+index fc28bc31b..1701f0861 100644
 --- a/policy/modules/system/miscfiles.if
 +++ b/policy/modules/system/miscfiles.if
 @@ -67,6 +67,27 @@ interface(`miscfiles_read_all_certs',`
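Review bot: The new `/var/lib/letsencrypt(/.*)?` entry labels the whole tree `cert_t`, so everything under it becomes readable by any domain that is allowed to read generic certificates. This hunk does not show what the directory holds. If it can contain anything other than public certificate material (backups, account data or key files), a narrower type would be safer than reusing `cert_t`. At minimum I would add a comment above the entry stating the intent, e.g. `# Let's Encrypt client state; labelled cert_t so that certificate consumers can read it`.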
@@ -43777,7 +43784,7 @@ index fc28bc31b..7ed7664fb 100644
  ')
  
  ########################################
-@@ -809,3 +944,61 @@ interface(`miscfiles_manage_localization',`
+@@ -809,3 +944,81 @@ interface(`miscfiles_manage_localization',`
  	manage_lnk_files_pattern($1, locale_t, locale_t)
  ')
  
@@ -43831,6 +43838,7 @@ index fc28bc31b..7ed7664fb 100644
 +	files_var_filetrans($1, man_t, dir, "man")
 +	files_etc_filetrans($1, cert_t, dir, "pki")
 +	files_usr_filetrans($1, cert_t, dir, "certs")
++	files_var_lib_filetrans($1, cert_t, dir, "letsencrypt")
 +	files_usr_filetrans($1, fonts_t, dir, "fonts")
 +	files_usr_filetrans($1, hwdata_t, dir, "hwdata")
 +	files_var_filetrans($1, fonts_cache_t, dir, "fontconfig")
@@ -43839,6 +43847,25 @@ index fc28bc31b..7ed7664fb 100644
 +	files_var_lib_filetrans($1, tetex_data_t, dir, "texmf")
 +	files_var_filetrans($1, public_content_t, dir, "ftp")
 +')
++
++
++########################################
++## <summary>
++##	Transition to miscfiles named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`miscfiles_filetrans_named_content_letsencrypt',`
++	gen_require(`
++		type cert_t;
++	')
++
++	files_var_lib_filetrans($1, cert_t, dir, "letsencrypt")
++')
 diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
 index 1361961d0..be6b7fc80 100644
 --- a/policy/modules/system/miscfiles.te
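Review bot: The summary of the new `miscfiles_filetrans_named_content_letsencrypt` interface is copied from the generic one ("Transition to miscfiles named content") and does not say what it actually does. I would change it to `##	Create the letsencrypt directory in /var/lib with the cert_t type.` and indent the param summary with a tab like the rest of the file. The same `files_var_lib_filetrans($1, cert_t, dir, "letsencrypt")` rule is also added to the generic named-content interface in the previous hunk, so it is worth stating in the description which callers should use this narrower interface.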
@@ -52359,10 +52386,10 @@ index 5ca20a97d..43bb011b3 100644
 +    allow $1 unconfined_service_t:process { noatsecure };
  ')
 diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 5fe902db3..0a7c3bb00 100644
+index 5fe902db3..52a051d8a 100644
 --- a/policy/modules/system/unconfined.te
 +++ b/policy/modules/system/unconfined.te
-@@ -1,207 +1,33 @@
+@@ -1,207 +1,38 @@
 -policy_module(unconfined, 3.5.1)
 +policy_module(unconfined, 3.5.0)
  
@@ -52382,6 +52409,7 @@ index 5fe902db3..0a7c3bb00 100644
 +type unconfined_service_t;
 +domain_type(unconfined_service_t)
 +role system_r types unconfined_service_t;
++init_nnp_daemon_domain(unconfined_service_t)
  
 -type unconfined_exec_t;
 -init_system_domain(unconfined_t, unconfined_exec_t)
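Review bot: `init_nnp_daemon_domain(unconfined_service_t)` is added without a comment saying why this domain needs it, and an exemption tied to no_new_privs deserves one. The interface definition is not in this diff; judging by its name, it lets init enter the domain even when a unit sets NoNewPrivileges. I would add a line above it such as `# allow units with NoNewPrivileges=yes to still transition to unconfined_service_t`. The amavis.te hunk in policy-rawhide-contrib.patch adds the same call for `amavis_t` and would benefit from the same one-line justification.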
@@ -52434,24 +52462,30 @@ index 5fe902db3..0a7c3bb00 100644
 -	apache_run_helper(unconfined_t, unconfined_r)
 -	apache_role(unconfined_r, unconfined_t)
 -')
--
++role unconfined_r types unconfined_service_t;
+ 
 -optional_policy(`
 -	bind_run_ndc(unconfined_t, unconfined_r)
 -')
--
--optional_policy(`
++corecmd_bin_entry_type(unconfined_service_t)
++corecmd_shell_entry_type(unconfined_service_t)
+ 
+ optional_policy(`
 -	bootloader_run(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
++	rpm_transition_script(unconfined_service_t, system_r)
+ ')
+ 
+ optional_policy(`
 -	cron_unconfined_role(unconfined_r, unconfined_t)
--')
--
--optional_policy(`
++    chronyd_run_chronyc(unconfined_service_t, system_r)
+ ')
+ 
+ optional_policy(`
 -	firstboot_run(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
++	dbus_chat_system_bus(unconfined_service_t)
+ ')
+ 
+ optional_policy(`
 -	ftp_run_ftpdctl(unconfined_t, unconfined_r)
 -')
 -
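Review bot: The added `chronyd_run_chronyc(unconfined_service_t, system_r)` line is indented with four spaces, while the neighbouring `rpm_transition_script` and `dbus_chat_system_bus` calls in the same optional blocks use a tab; it should use a tab for consistency. Going by the `_run_` naming convention (the interface body is not shown here), chronyc started from an unconfined service will now run in the chronyc domain rather than stay unconfined. A short comment such as `# run chronyc in its own domain when started from unconfined services` would make that intent explicit.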
@@ -52523,8 +52557,7 @@ index 5fe902db3..0a7c3bb00 100644
 -optional_policy(`
 -	rpm_run(unconfined_t, unconfined_r)
 -')
-+role unconfined_r types unconfined_service_t;
- 
+-
 -optional_policy(`
 -	samba_run_net(unconfined_t, unconfined_r)
 -	samba_run_winbind_helper(unconfined_t, unconfined_r)
@@ -52546,20 +52579,16 @@ index 5fe902db3..0a7c3bb00 100644
 -optional_policy(`
 -	unconfined_dbus_chat(unconfined_t)
 -')
-+corecmd_bin_entry_type(unconfined_service_t)
-+corecmd_shell_entry_type(unconfined_service_t)
- 
- optional_policy(`
+-
+-optional_policy(`
 -	usermanage_run_admin_passwd(unconfined_t, unconfined_r)
-+	rpm_transition_script(unconfined_service_t, system_r)
- ')
- 
- optional_policy(`
+-')
+-
+-optional_policy(`
 -	vpn_run(unconfined_t, unconfined_r)
-+	dbus_chat_system_bus(unconfined_service_t)
- ')
- 
- optional_policy(`
+-')
+-
+-optional_policy(`
 -	webalizer_run(unconfined_t, unconfined_r)
 -')
 -
@@ -52628,7 +52657,7 @@ index db7597682..c54480a1d 100644
 +/var/tmp/hsperfdata_root    gen_context(system_u:object_r:user_tmp_t,s0)
 +
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6c0..1d1213e00 100644
+index 9dc60c6c0..562afbe9a 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -53653,7 +53682,7 @@ index 9dc60c6c0..1d1213e00 100644
  
  	userdom_change_password_template($1)
  
-@@ -761,86 +1031,117 @@ template(`userdom_login_user_template', `
+@@ -761,86 +1031,121 @@ template(`userdom_login_user_template', `
  	#
  	# User domain Local policy
  	#
@@ -53797,6 +53826,10 @@ index 9dc60c6c0..1d1213e00 100644
 +	')
 +
 +    optional_policy(`
++        chronyd_run_chronyc($1_t, $1_r)
++    ')
++
++    optional_policy(`
 +        ipa_run_helper($1_t, $1_r)
 +    ')
 +
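Review bot: The new `chronyd_run_chronyc($1_t, $1_r)` block sits in a template body that, going by the neighbouring hunk headers, is `userdom_login_user_template`, so every role built from that template gains access to the chronyc domain, not only administrative ones. If the intent is to let ordinary login users query chronyd, a comment should say so, e.g. `# let login users run chronyc for status queries`. If only administrators need it, the call fits better in `userdom_admin_user_template`. The template starts and ends outside this hunk, so the exact scope should be confirmed against the full file.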
@@ -53809,7 +53842,7 @@ index 9dc60c6c0..1d1213e00 100644
  ## <summary>
  ##	The template for creating a unprivileged login user.
  ## </summary>
-@@ -868,6 +1169,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1173,12 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -53822,7 +53855,7 @@ index 9dc60c6c0..1d1213e00 100644
  	##############################
  	#
  	# Local policy
-@@ -907,53 +1214,143 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,53 +1218,143 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  	# Local policy
  	#
@@ -53901,13 +53934,15 @@ index 9dc60c6c0..1d1213e00 100644
 +		dbus_role_template($1, $1_r, $1_usertype)
 +		dbus_system_bus_client($1_usertype)
 +		allow $1_usertype $1_usertype:dbus send_msg;
-+
-+		optional_policy(`
+ 
+ 		optional_policy(`
+-			consolekit_dbus_chat($1_t)
 +			abrt_dbus_chat($1_usertype)
 +			abrt_run_helper($1_usertype, $1_r)
-+		')
-+
-+		optional_policy(`
+ 		')
+ 
+ 		optional_policy(`
+-			cups_dbus_chat($1_t)
 +			accountsd_dbus_chat($1_usertype)
 +		')
 +
@@ -53915,15 +53950,13 @@ index 9dc60c6c0..1d1213e00 100644
 +			consolekit_dontaudit_read_log($1_usertype)
 +			consolekit_dbus_chat($1_usertype)
 +		')
- 
- 		optional_policy(`
--			consolekit_dbus_chat($1_t)
++
++		optional_policy(`
 +			cups_dbus_chat($1_usertype)
 +			cups_dbus_chat_config($1_usertype)
- 		')
- 
- 		optional_policy(`
--			cups_dbus_chat($1_t)
++		')
++
++		optional_policy(`
 +			devicekit_dbus_chat($1_usertype)
 +			devicekit_dbus_chat_disk($1_usertype)
 +			devicekit_dbus_chat_power($1_usertype)
@@ -53978,7 +54011,7 @@ index 9dc60c6c0..1d1213e00 100644
  ')
  
  #######################################
-@@ -987,27 +1384,36 @@ template(`userdom_unpriv_user_template', `
+@@ -987,27 +1388,36 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -54019,7 +54052,7 @@ index 9dc60c6c0..1d1213e00 100644
  			fs_manage_noxattr_fs_files($1_t)
  			fs_manage_noxattr_fs_dirs($1_t)
  			# Write floppies
-@@ -1018,23 +1424,64 @@ template(`userdom_unpriv_user_template', `
+@@ -1018,23 +1428,64 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -54080,21 +54113,21 @@ index 9dc60c6c0..1d1213e00 100644
 +	optional_policy(`
 +		mount_run_fusermount($1_t, $1_r)
 +		mount_read_pid_files($1_t)
-+	')
-+
-+	optional_policy(`
-+		wine_role_template($1, $1_r, $1_t)
  	')
  
  	optional_policy(`
 -		netutils_run_ping_cond($1_t, $1_r)
 -		netutils_run_traceroute_cond($1_t, $1_r)
++		wine_role_template($1, $1_r, $1_t)
++	')
++
++	optional_policy(`
 +		postfix_run_postdrop($1_t, $1_r)
 +		postfix_search_spool($1_t)
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1043,7 +1490,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1043,7 +1494,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -54105,7 +54138,7 @@ index 9dc60c6c0..1d1213e00 100644
  	')
  ')
  
-@@ -1079,7 +1528,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1079,7 +1532,9 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -54116,7 +54149,7 @@ index 9dc60c6c0..1d1213e00 100644
  	')
  
  	##############################
-@@ -1095,6 +1546,7 @@ template(`userdom_admin_user_template',`
+@@ -1095,6 +1550,7 @@ template(`userdom_admin_user_template',`
  	role system_r types $1_t;
  
  	typeattribute $1_t admindomain;
@@ -54124,7 +54157,7 @@ index 9dc60c6c0..1d1213e00 100644
  
  	ifdef(`direct_sysadm_daemon',`
  		domain_system_change_exemption($1_t)
-@@ -1105,14 +1557,8 @@ template(`userdom_admin_user_template',`
+@@ -1105,14 +1561,8 @@ template(`userdom_admin_user_template',`
  	# $1_t local policy
  	#
  
@@ -54141,7 +54174,7 @@ index 9dc60c6c0..1d1213e00 100644
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1128,6 +1574,8 @@ template(`userdom_admin_user_template',`
+@@ -1128,6 +1578,8 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -54150,7 +54183,7 @@ index 9dc60c6c0..1d1213e00 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1145,10 +1593,15 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1597,15 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -54166,7 +54199,7 @@ index 9dc60c6c0..1d1213e00 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1159,29 +1612,40 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1616,40 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -54211,7 +54244,7 @@ index 9dc60c6c0..1d1213e00 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1655,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1659,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -54220,7 +54253,7 @@ index 9dc60c6c0..1d1213e00 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1664,21 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1668,21 @@ template(`userdom_admin_user_template',`
  	userdom_manage_user_home_content_sockets($1_t)
  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
  
@@ -54243,7 +54276,7 @@ index 9dc60c6c0..1d1213e00 100644
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1240,8 +1714,8 @@ template(`userdom_admin_user_template',`
+@@ -1240,8 +1718,8 @@ template(`userdom_admin_user_template',`
  ##	</summary>
  ## </param>
  #
@@ -54254,7 +54287,7 @@ index 9dc60c6c0..1d1213e00 100644
  
  	corecmd_exec_shell($1)
  
-@@ -1250,6 +1724,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1728,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -54263,7 +54296,7 @@ index 9dc60c6c0..1d1213e00 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1262,8 +1738,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1742,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -54275,7 +54308,7 @@ index 9dc60c6c0..1d1213e00 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1274,29 +1752,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1756,31 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -54318,7 +54351,7 @@ index 9dc60c6c0..1d1213e00 100644
  	')
  
  	optional_policy(`
-@@ -1357,14 +1837,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1841,17 @@ interface(`userdom_user_home_content',`
  	gen_require(`
  		attribute user_home_content_type;
  		type user_home_t;
@@ -54337,7 +54370,7 @@ index 9dc60c6c0..1d1213e00 100644
  ')
  
  ########################################
-@@ -1397,12 +1880,52 @@ interface(`userdom_user_tmp_file',`
+@@ -1397,12 +1884,52 @@ interface(`userdom_user_tmp_file',`
  ## </param>
  #
  interface(`userdom_user_tmpfs_file',`
@@ -54391,7 +54424,7 @@ index 9dc60c6c0..1d1213e00 100644
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
  ## <param name="domain">
-@@ -1509,11 +2032,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +2036,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -54423,7 +54456,7 @@ index 9dc60c6c0..1d1213e00 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1555,6 +2098,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2102,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -54438,7 +54471,7 @@ index 9dc60c6c0..1d1213e00 100644
  ')
  
  ########################################
-@@ -1570,9 +2121,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2125,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -54450,7 +54483,7 @@ index 9dc60c6c0..1d1213e00 100644
  ')
  
  ########################################
-@@ -1613,6 +2166,24 @@ interface(`userdom_manage_user_home_dirs',`
+@@ -1613,6 +2170,24 @@ interface(`userdom_manage_user_home_dirs',`
  
  ########################################
  ## <summary>
@@ -54475,7 +54508,7 @@ index 9dc60c6c0..1d1213e00 100644
  ##	Relabel to user home directories.
  ## </summary>
  ## <param name="domain">
-@@ -1631,6 +2202,59 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1631,6 +2206,59 @@ interface(`userdom_relabelto_user_home_dirs',`
  
  ########################################
  ## <summary>
@@ -54535,7 +54568,7 @@ index 9dc60c6c0..1d1213e00 100644
  ##	Create directories in the home dir root with
  ##	the user home directory type.
  ## </summary>
-@@ -1704,10 +2328,12 @@ interface(`userdom_user_home_domtrans',`
+@@ -1704,10 +2332,12 @@ interface(`userdom_user_home_domtrans',`
  #
  interface(`userdom_dontaudit_search_user_home_content',`
  	gen_require(`
@@ -54550,7 +54583,7 @@ index 9dc60c6c0..1d1213e00 100644
  ')
  
  ########################################
-@@ -1741,10 +2367,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2371,12 @@ interface(`userdom_list_all_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -54565,7 +54598,7 @@ index 9dc60c6c0..1d1213e00 100644
  ')
  
  ########################################
-@@ -1769,7 +2397,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2401,7 @@ interface(`userdom_manage_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -54574,7 +54607,7 @@ index 9dc60c6c0..1d1213e00 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1777,19 +2405,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1777,19 +2409,17 @@ interface(`userdom_manage_user_home_content_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -54598,7 +54631,7 @@ index 9dc60c6c0..1d1213e00 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1797,47 +2423,157 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1797,45 +2427,155 @@ interface(`userdom_delete_all_user_home_content_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -54653,8 +54686,7 @@ index 9dc60c6c0..1d1213e00 100644
  #
 -interface(`userdom_dontaudit_setattr_user_home_content_files',`
 +interface(`userdom_setattr_user_tmp_files',`
- 	gen_require(`
--		type user_home_t;
++	gen_require(`
 +		type user_tmp_t;
 +	')
 +
@@ -54764,12 +54796,10 @@ index 9dc60c6c0..1d1213e00 100644
 +## </param>
 +#
 +interface(`userdom_dontaudit_setattr_user_home_content_files',`
-+	gen_require(`
-+		type user_home_t;
+ 	gen_require(`
+ 		type user_home_t;
  	')
- 
- 	dontaudit $1 user_home_t:file setattr_file_perms;
-@@ -1845,6 +2581,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1845,6 +2585,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -54795,7 +54825,7 @@ index 9dc60c6c0..1d1213e00 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1875,14 +2630,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1875,14 +2634,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -54833,7 +54863,7 @@ index 9dc60c6c0..1d1213e00 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1893,11 +2670,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1893,11 +2674,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -54851,7 +54881,7 @@ index 9dc60c6c0..1d1213e00 100644
  ')
  
  ########################################
-@@ -1938,7 +2718,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2722,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -54860,7 +54890,7 @@ index 9dc60c6c0..1d1213e00 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1946,10 +2726,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2730,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -54873,7 +54903,7 @@ index 9dc60c6c0..1d1213e00 100644
  	')
  
  	userdom_search_user_home_content($1)
-@@ -1958,7 +2737,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2741,7 @@ interface(`userdom_delete_all_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -54882,7 +54912,7 @@ index 9dc60c6c0..1d1213e00 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1966,12 +2745,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2749,66 @@ interface(`userdom_delete_all_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -54951,7 +54981,7 @@ index 9dc60c6c0..1d1213e00 100644
  ')
  
  ########################################
-@@ -2007,8 +2840,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2844,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -54961,7 +54991,7 @@ index 9dc60c6c0..1d1213e00 100644
  ')
  
  ########################################
-@@ -2024,20 +2856,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2860,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -54986,7 +55016,7 @@ index 9dc60c6c0..1d1213e00 100644
  
  ########################################
  ## <summary>
-@@ -2120,7 +2946,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2950,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -54995,7 +55025,7 @@ index 9dc60c6c0..1d1213e00 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2128,19 +2954,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2958,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -55019,7 +55049,7 @@ index 9dc60c6c0..1d1213e00 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2148,12 +2972,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2976,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -55035,7 +55065,7 @@ index 9dc60c6c0..1d1213e00 100644
  ')
  
  ########################################
-@@ -2388,18 +3212,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3216,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -55093,7 +55123,7 @@ index 9dc60c6c0..1d1213e00 100644
  ##	Do not audit attempts to read users
  ##	temporary files.
  ## </summary>
-@@ -2414,7 +3274,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3278,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -55102,7 +55132,7 @@ index 9dc60c6c0..1d1213e00 100644
  ')
  
  ########################################
-@@ -2455,6 +3315,25 @@ interface(`userdom_rw_user_tmp_files',`
+@@ -2455,6 +3319,25 @@ interface(`userdom_rw_user_tmp_files',`
  	rw_files_pattern($1, user_tmp_t, user_tmp_t)
  	files_search_tmp($1)
  ')
@@ -55128,7 +55158,7 @@ index 9dc60c6c0..1d1213e00 100644
  
  ########################################
  ## <summary>
-@@ -2538,7 +3417,7 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,7 +3421,7 @@ interface(`userdom_manage_user_tmp_files',`
  ########################################
  ## <summary>
  ##	Create, read, write, and delete user
@@ -55137,7 +55167,7 @@ index 9dc60c6c0..1d1213e00 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2546,19 +3425,19 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2546,19 +3429,19 @@ interface(`userdom_manage_user_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -55160,7 +55190,7 @@ index 9dc60c6c0..1d1213e00 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2566,19 +3445,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
+@@ -2566,19 +3449,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -55183,7 +55213,7 @@ index 9dc60c6c0..1d1213e00 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2586,19 +3465,60 @@ interface(`userdom_manage_user_tmp_pipes',`
+@@ -2586,20 +3469,61 @@ interface(`userdom_manage_user_tmp_pipes',`
  ##	</summary>
  ## </param>
  #
@@ -55203,6 +55233,7 @@ index 9dc60c6c0..1d1213e00 100644
  ## <summary>
 -##	Create objects in a user temporary directory
 -##	with an automatic type transition to
+-##	a specified private type.
 +##	Create, read, write, and delete user
 +##	temporary named pipes.
 +## </summary>
@@ -55245,10 +55276,11 @@ index 9dc60c6c0..1d1213e00 100644
 +## <summary>
 +##	Create objects in a user temporary directory
 +##	with an automatic type transition to
- ##	a specified private type.
++##	a specified private type.
  ## </summary>
  ## <param name="domain">
-@@ -2661,6 +3581,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+ ##	<summary>
+@@ -2661,6 +3585,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -55270,7 +55302,7 @@ index 9dc60c6c0..1d1213e00 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2672,18 +3607,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2672,18 +3611,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  ## </param>
  #
  interface(`userdom_read_user_tmpfs_files',`
@@ -55292,7 +55324,7 @@ index 9dc60c6c0..1d1213e00 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2692,19 +3622,13 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3626,13 @@ interface(`userdom_read_user_tmpfs_files',`
  ## </param>
  #
  interface(`userdom_rw_user_tmpfs_files',`
@@ -55315,7 +55347,7 @@ index 9dc60c6c0..1d1213e00 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2713,13 +3637,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2713,13 +3641,56 @@ interface(`userdom_rw_user_tmpfs_files',`
  ## </param>
  #
  interface(`userdom_manage_user_tmpfs_files',`
@@ -55376,7 +55408,7 @@ index 9dc60c6c0..1d1213e00 100644
  ')
  
  ########################################
-@@ -2814,6 +3781,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3785,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -55401,7 +55433,7 @@ index 9dc60c6c0..1d1213e00 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2832,22 +3817,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3821,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -55444,7 +55476,7 @@ index 9dc60c6c0..1d1213e00 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2856,14 +3853,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3857,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -55482,7 +55514,7 @@ index 9dc60c6c0..1d1213e00 100644
  ')
  
  ########################################
-@@ -2882,8 +3898,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3902,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -55512,7 +55544,7 @@ index 9dc60c6c0..1d1213e00 100644
  ')
  
  ########################################
-@@ -2955,6 +3990,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,6 +3994,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -55555,7 +55587,7 @@ index 9dc60c6c0..1d1213e00 100644
  ########################################
  ## <summary>
  ##	Execute an Xserver session in all unprivileged user domains.  This
-@@ -2978,24 +4049,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2978,24 +4053,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -55580,7 +55612,7 @@ index 9dc60c6c0..1d1213e00 100644
  ########################################
  ## <summary>
  ##	Manage unpriviledged user SysV sempaphores.
-@@ -3014,9 +4067,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3014,9 +4071,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  	allow $1 unpriv_userdomain:sem create_sem_perms;
  ')
  
@@ -55592,7 +55624,7 @@ index 9dc60c6c0..1d1213e00 100644
  ##	memory segments.
  ## </summary>
  ## <param name="domain">
-@@ -3025,17 +4078,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,17 +4082,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -55613,7 +55645,7 @@ index 9dc60c6c0..1d1213e00 100644
  ##	memory segments.
  ## </summary>
  ## <param name="domain">
-@@ -3044,12 +4097,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
+@@ -3044,12 +4101,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
  ##	</summary>
  ## </param>
  #
@@ -55628,7 +55660,7 @@ index 9dc60c6c0..1d1213e00 100644
  ')
  
  ########################################
-@@ -3094,7 +4147,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4151,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -55637,7 +55669,7 @@ index 9dc60c6c0..1d1213e00 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3110,29 +4163,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4167,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -55671,7 +55703,7 @@ index 9dc60c6c0..1d1213e00 100644
  ')
  
  ########################################
-@@ -3214,7 +4251,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4255,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -55698,7 +55730,7 @@ index 9dc60c6c0..1d1213e00 100644
  ')
  
  ########################################
-@@ -3269,12 +4324,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4328,13 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -55714,7 +55746,7 @@ index 9dc60c6c0..1d1213e00 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3282,49 +4338,125 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,46 +4342,122 @@ interface(`userdom_write_user_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -55772,9 +55804,8 @@ index 9dc60c6c0..1d1213e00 100644
  	gen_require(`
 -		attribute userdomain;
 +		type user_tmp_t;
- 	')
- 
--	allow $1 userdomain:process getattr;
++	')
++
 +	dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 +
@@ -55848,13 +55879,10 @@ index 9dc60c6c0..1d1213e00 100644
 +interface(`userdom_getattr_all_users',`
 +	gen_require(`
 +		attribute userdomain;
-+	')
-+
-+	allow $1 userdomain:process getattr;
- ')
+ 	')
  
- ########################################
-@@ -3382,6 +4514,42 @@ interface(`userdom_signal_all_users',`
+ 	allow $1 userdomain:process getattr;
+@@ -3382,6 +4518,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -55897,7 +55925,7 @@ index 9dc60c6c0..1d1213e00 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4570,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4574,60 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -55958,7 +55986,7 @@ index 9dc60c6c0..1d1213e00 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3435,4 +4657,1835 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4661,1835 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index c022c34..2d99539 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -2531,10 +2531,18 @@ index 60d4f8c90..18ef0772c 100644
   	domain_system_change_exemption($1)
   	role_transition $2 amavis_initrc_exec_t system_r;
 diff --git a/amavis.te b/amavis.te
-index 91fa72ae1..2e9b8246a 100644
+index 91fa72ae1..11a55da57 100644
 --- a/amavis.te
 +++ b/amavis.te
-@@ -39,14 +39,14 @@ type amavis_quarantine_t;
+@@ -16,6 +16,7 @@ gen_tunable(amavis_use_jit, false)
+ type amavis_t;
+ type amavis_exec_t;
+ init_daemon_domain(amavis_t, amavis_exec_t)
++init_nnp_daemon_domain(amavis_t)
+ 
+ type amavis_etc_t;
+ files_config_file(amavis_etc_t)
+@@ -39,14 +40,14 @@ type amavis_quarantine_t;
  files_type(amavis_quarantine_t)
  
  type amavis_spool_t;
@@ -2551,7 +2559,7 @@ index 91fa72ae1..2e9b8246a 100644
  dontaudit amavis_t self:capability sys_tty_config;
  allow amavis_t self:process signal_perms;
  allow amavis_t self:fifo_file rw_fifo_file_perms;
-@@ -67,9 +67,12 @@ manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+@@ -67,9 +68,12 @@ manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
  manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
  filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
  
@@ -2565,7 +2573,7 @@ index 91fa72ae1..2e9b8246a 100644
  
  manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
  manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
-@@ -95,7 +98,6 @@ kernel_dontaudit_read_proc_symlinks(amavis_t)
+@@ -95,7 +99,6 @@ kernel_dontaudit_read_proc_symlinks(amavis_t)
  corecmd_exec_bin(amavis_t)
  corecmd_exec_shell(amavis_t)
  
@@ -2573,7 +2581,7 @@ index 91fa72ae1..2e9b8246a 100644
  corenet_all_recvfrom_netlabel(amavis_t)
  corenet_tcp_sendrecv_generic_if(amavis_t)
  corenet_udp_sendrecv_generic_if(amavis_t)
-@@ -118,6 +120,7 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t)
+@@ -118,6 +121,7 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t)
  
  corenet_sendrecv_razor_client_packets(amavis_t)
  corenet_tcp_connect_razor_port(amavis_t)
@@ -2581,7 +2589,7 @@ index 91fa72ae1..2e9b8246a 100644
  
  dev_read_rand(amavis_t)
  dev_read_sysfs(amavis_t)
-@@ -127,7 +130,6 @@ domain_use_interactive_fds(amavis_t)
+@@ -127,7 +131,6 @@ domain_use_interactive_fds(amavis_t)
  domain_dontaudit_read_all_domains_state(amavis_t)
  
  files_read_etc_runtime_files(amavis_t)
@@ -2589,7 +2597,7 @@ index 91fa72ae1..2e9b8246a 100644
  files_search_spool(amavis_t)
  
  fs_getattr_xattr_fs(amavis_t)
-@@ -141,14 +143,20 @@ init_stream_connect_script(amavis_t)
+@@ -141,14 +144,20 @@ init_stream_connect_script(amavis_t)
  
  logging_send_syslog_msg(amavis_t)
  
@@ -2613,7 +2621,7 @@ index 91fa72ae1..2e9b8246a 100644
  ')
  
  optional_policy(`
-@@ -173,6 +181,10 @@ optional_policy(`
+@@ -173,6 +182,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5615,7 +5623,7 @@ index f6eb4851f..3628a384f 100644
 +    allow $1 httpd_t:process { noatsecure };
  ')
 diff --git a/apache.te b/apache.te
-index 6649962b6..f6ac61e03 100644
+index 6649962b6..cb95398ea 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@@ -7796,7 +7804,7 @@ index 6649962b6..f6ac61e03 100644
  ')
  
  ########################################
-@@ -1330,49 +1633,42 @@ optional_policy(`
+@@ -1330,49 +1633,43 @@ optional_policy(`
  # User content local policy
  #
  
@@ -7836,6 +7844,7 @@ index 6649962b6..f6ac61e03 100644
 -	fs_exec_nfs_files(httpd_user_script_t)
 +	read_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
 +	read_lnk_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
++	list_dirs_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
 +    allow httpd_t httpd_user_content_type:file map;
  ')
  
@@ -7864,7 +7873,7 @@ index 6649962b6..f6ac61e03 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1678,109 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1679,109 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -10562,10 +10571,10 @@ index 3a5032e06..3facb7156 100644
 +	xserver_read_state_xdm(blueman_t)
 +')
 diff --git a/bluetooth.fc b/bluetooth.fc
-index 2b9c7f329..0086b95d1 100644
+index 2b9c7f329..6ae8a62c9 100644
 --- a/bluetooth.fc
 +++ b/bluetooth.fc
-@@ -5,10 +5,14 @@
+@@ -5,10 +5,15 @@
  /etc/rc\.d/init\.d/dund	--	gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/pand	--	gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
  
@@ -10577,6 +10586,7 @@ index 2b9c7f329..0086b95d1 100644
  /usr/bin/rfcomm	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 +/usr/bin/pand	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 +/usr/libexec/bluetooth/bluetoothd 	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
++/usr/libexec/bluetooth/obexd 	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
  
  /usr/sbin/bluetoothd	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
  /usr/sbin/hciattach	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
@@ -13642,10 +13652,10 @@ index 000000000..ca526f823
 +	gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
 +')
 diff --git a/chronyd.fc b/chronyd.fc
-index 4e4143ed8..f03dba037 100644
+index 4e4143ed8..9c06350c2 100644
 --- a/chronyd.fc
 +++ b/chronyd.fc
-@@ -1,13 +1,18 @@
+@@ -1,13 +1,20 @@
 -/etc/chrony\.keys	--	gen_context(system_u:object_r:chronyd_keys_t,s0)
 +/etc/chrony\.keys.*	--	gen_context(system_u:object_r:chronyd_keys_t,s0)
  
@@ -13655,6 +13665,8 @@ index 4e4143ed8..f03dba037 100644
 +
  /usr/sbin/chronyd	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
 +/usr/libexec/chrony-helper	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
++
++/usr/bin/chronyc	--	gen_context(system_u:object_r:chronyc_exec_t,s0)
  
  /var/lib/chrony(/.*)?	gen_context(system_u:object_r:chronyd_var_lib_t,s0)
  
@@ -13667,7 +13679,7 @@ index 4e4143ed8..f03dba037 100644
  /var/run/chronyd\.pid	--	gen_context(system_u:object_r:chronyd_var_run_t,s0)
  /var/run/chronyd\.sock	-s	gen_context(system_u:object_r:chronyd_var_run_t,s0)
 diff --git a/chronyd.if b/chronyd.if
-index 32e8265c2..ac74503d1 100644
+index 32e8265c2..508f3b84f 100644
 --- a/chronyd.if
 +++ b/chronyd.if
 @@ -57,6 +57,24 @@ interface(`chronyd_exec',`
@@ -13801,7 +13813,7 @@ index 32e8265c2..ac74503d1 100644
  ')
  
  ####################################
-@@ -176,28 +255,38 @@ interface(`chronyd_read_key_files',`
+@@ -176,28 +255,81 @@ interface(`chronyd_read_key_files',`
  #
  interface(`chronyd_admin',`
  	gen_require(`
@@ -13848,12 +13860,65 @@ index 32e8265c2..ac74503d1 100644
 +	admin_pattern($1, chronyd_unit_file_t)
 +	chronyd_systemctl($1)
 +	allow $1 chronyd_unit_file_t:service all_service_perms;
++')
++
++########################################
++## <summary>
++##	Execute chronyc in the chronyc domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`chronyd_domtrans_chronyc',`
++	gen_require(`
++		type chronyc_t, chronyc_exec_t;
++	')
++
++	domtrans_pattern($1, chronyc_exec_t, chronyc_t)
++')
++
++########################################
++## <summary>
++##	Execute chronyc in the chronyc domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++#
++interface(`chronyd_run_chronyc',`
++	gen_require(`
++		type chronyc_t;
++        attribute_role chronyc_roles;
++	')
++
++    chronyd_domtrans_chronyc($1)
++    roleattribute $2 chronyc_roles;
  ')
 diff --git a/chronyd.te b/chronyd.te
-index e5b621c29..cfc64f1b0 100644
+index e5b621c29..89ecee1f7 100644
 --- a/chronyd.te
 +++ b/chronyd.te
-@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
+@@ -5,6 +5,9 @@ policy_module(chronyd, 1.2.0)
+ # Declarations
+ #
+ 
++attribute_role chronyc_roles;
++roleattribute system_r chronyc_roles;
++
+ type chronyd_t;
+ type chronyd_exec_t;
+ init_daemon_domain(chronyd_t, chronyd_exec_t)
+@@ -18,6 +21,9 @@ files_type(chronyd_keys_t)
  type chronyd_tmpfs_t;
  files_tmpfs_file(chronyd_tmpfs_t)
  
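Review bot: The doc block for `chronyd_run_chronyc` repeats the summary of `chronyd_domtrans_chronyc` word for word, so the generated interface documentation does not say that the second interface also adds the caller's role to `chronyc_roles`. A summary such as `Execute chronyc in the chronyc domain, and allow the specified role the chronyc domain.` would tell them apart. Its `gen_require` also lists `type chronyc_t;`, which the body never references directly. The body is indented with spaces, while `chronyd_domtrans_chronyc` just above it uses tabs.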
@@ -13863,13 +13928,25 @@ index e5b621c29..cfc64f1b0 100644
  type chronyd_var_lib_t;
  files_type(chronyd_var_lib_t)
  
-@@ -32,11 +35,15 @@ files_pid_file(chronyd_var_run_t)
+@@ -27,18 +33,33 @@ logging_log_file(chronyd_var_log_t)
+ type chronyd_var_run_t;
+ files_pid_file(chronyd_var_run_t)
+ 
++type chronyc_t;
++type chronyc_exec_t;
++domain_type(chronyc_t, chronyc_exec_t)
++init_system_domain(chronyc_t, chronyc_exec_t)
++role chronyc_roles types chronyc_t;
++
+ ########################################
+ #
  # Local policy
  #
  
 -allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
 -allow chronyd_t self:process { getcap setcap setrlimit signal };
 +allow chronyd_t self:capability { dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time chown net_admin };
++allow chronyd_t self:capability2 block_suspend;
 +allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal };
  allow chronyd_t self:shm create_shm_perms;
 +allow chronyd_t self:udp_socket create_socket_perms;
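Review bot: `domain_type(chronyc_t, chronyc_exec_t)` passes an entry-point type to an interface that, in the reference policy, takes only the domain, so the second argument is silently ignored. The line reads as if it sets up the entry point, but the following `init_system_domain(chronyc_t, chronyc_exec_t)` is what does that. I would drop the `domain_type` line. If the init transition that `init_system_domain` brings is not actually wanted for a command-line client, `application_domain(chronyc_t, chronyc_exec_t)` states the narrower intent. The declarations sit above the `# Local policy` banner, but the rest of chronyd.te continues outside this hunk.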
@@ -13880,17 +13957,24 @@ index e5b621c29..cfc64f1b0 100644
 +allow chronyd_t chronyd_keys_t:file setattr_file_perms;
  allow chronyd_t chronyd_keys_t:file read_file_perms;
  
++allow chronyd_t chronyc_t:unix_dgram_socket sendto;
++
++allow chronyd_t chronyc_exec_t:file mmap_file_perms;
++
  manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
-@@ -62,6 +69,8 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
+ manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
+ fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file })
+@@ -61,6 +82,9 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
+ 
  kernel_read_system_state(chronyd_t)
  kernel_read_network_state(chronyd_t)
- 
-+clock_read_adjtime(chronyd_t)
++kernel_request_load_module(chronyd_t)
 +
++clock_read_adjtime(chronyd_t)
+ 
  corenet_all_recvfrom_unlabeled(chronyd_t)
  corenet_all_recvfrom_netlabel(chronyd_t)
- corenet_udp_sendrecv_generic_if(chronyd_t)
-@@ -76,18 +85,42 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+@@ -76,18 +100,62 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
  corenet_udp_bind_chronyd_port(chronyd_t)
  corenet_udp_sendrecv_chronyd_port(chronyd_t)
  
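Review bot: `allow chronyd_t chronyc_exec_t:file mmap_file_perms;` has no comment, and nothing in the visible hunks shows why the daemon domain needs to map the client binary. As the permission set is defined in the reference policy it includes `execute` but not `execute_no_trans`, so it does not let `chronyd_t` run chronyc by itself. If the intent is for a helper running in `chronyd_t` to invoke chronyc (an assumption, to be confirmed against the AVC that prompted this), `domtrans_pattern(chronyd_t, chronyc_exec_t, chronyc_t)` would state that directly. Otherwise a one-line why-comment above the rule would let a later reviewer decide whether it can be removed.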
@@ -13935,6 +14019,26 @@ index e5b621c29..cfc64f1b0 100644
 +optional_policy(`
 +    ptp4l_rw_shm(chronyd_t)
  ')
++
++########################################
++#
++# Local policy
++#
++
++allow chronyc_t self:capability { dac_read_search dac_override };
++allow chronyc_t self:udp_socket create_socket_perms;
++allow chronyc_t self:unix_dgram_socket create_socket_perms;
++allow chronyc_t self:netlink_route_socket create_netlink_socket_perms;
++
++allow chronyc_t chronyd_t:unix_dgram_socket sendto;
++
++manage_dirs_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
++manage_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
++manage_sock_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
++
++corecmd_exec_bin(chronyc_t)
++
++sysnet_read_config(chronyc_t)
 diff --git a/cinder.fc b/cinder.fc
 new file mode 100644
 index 000000000..4b318b783
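Review bot: `chronyc_t` is granted `dac_override` plus `manage_dirs_pattern` and `manage_files_pattern` on `chronyd_var_run_t`, which looks wider than a client that talks to the daemon over a datagram socket needs. For creating and removing its own socket, `manage_sock_files_pattern` already carries the directory write access, so the other two patterns and `dac_override` should be confirmed against audit logs or dropped. The domain is entered from `system_cronjob_t` and `inetd_child_t` in later hunks and from `unconfined_t` in the base patch, so whatever it holds is reachable from those callers. The second `# Local policy` banner would also be clearer as `# chronyc local policy`.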
@@ -17134,10 +17238,10 @@ index 000000000..1cc5fa464
 +')
 diff --git a/conman.te b/conman.te
 new file mode 100644
-index 000000000..25cbb9aff
+index 000000000..246420052
 --- /dev/null
 +++ b/conman.te
-@@ -0,0 +1,99 @@
+@@ -0,0 +1,114 @@
 +policy_module(conman, 1.0.0)
 +
 +########################################
@@ -17153,6 +17257,13 @@ index 000000000..25cbb9aff
 +## </desc>
 +gen_tunable(conman_can_network, false)
 +
++## <desc>
++## <p>
++## Allow conman to manage nfs files
++## </p>
++## </desc>
++gen_tunable(conman_use_nfs, false)
++
 +type conman_t;
 +type conman_exec_t;
 +init_daemon_domain(conman_t, conman_exec_t)
@@ -17209,6 +17320,8 @@ index 000000000..25cbb9aff
 +
 +corecmd_exec_bin(conman_t)
 +
++dev_read_urand(conman_t)
++
 +logging_send_syslog_msg(conman_t)
 +
 +sysnet_dns_name_resolve(conman_t)
@@ -17216,6 +17329,7 @@ index 000000000..25cbb9aff
 +userdom_use_user_ptys(conman_t)
 +
 +term_use_usb_ttys(conman_t)
++term_use_ptmx(conman_t)
 +
 +tunable_policy(`conman_can_network',`
 +	corenet_sendrecv_all_client_packets(conman_t)
@@ -17223,6 +17337,11 @@ index 000000000..25cbb9aff
 +	corenet_tcp_sendrecv_all_ports(conman_t)
 +')
 +
++tunable_policy(`conman_use_nfs',`
++	fs_manage_nfs_files(conman_t)
++	fs_read_nfs_symlinks(conman_t)
++')
++
 +optional_policy(`
 +    freeipmi_stream_connect(conman_t)
 +')
@@ -19865,7 +19984,7 @@ index 1303b3036..f5bd4aee8 100644
 +    logging_log_filetrans($1, var_log_t, file, "redhat-access-insights.log")
  ')
 diff --git a/cron.te b/cron.te
-index 7de385956..f91dd2fe5 100644
+index 7de385956..46400791a 100644
 --- a/cron.te
 +++ b/cron.te
 @@ -11,46 +11,54 @@ gen_require(`
@@ -20504,12 +20623,13 @@ index 7de385956..f91dd2fe5 100644
  
  auth_use_nsswitch(system_cronjob_t)
  
-@@ -516,20 +520,26 @@ logging_read_generic_logs(system_cronjob_t)
+@@ -516,20 +520,28 @@ logging_read_generic_logs(system_cronjob_t)
  logging_send_audit_msgs(system_cronjob_t)
  logging_send_syslog_msg(system_cronjob_t)
  
 -miscfiles_read_localization(system_cronjob_t)
--
++miscfiles_filetrans_named_content_letsencrypt(system_cronjob_t)
+ 
  seutil_read_config(system_cronjob_t)
  
 +userdom_manage_tmpfs_files(system_cronjob_t, file)
@@ -20534,7 +20654,7 @@ index 7de385956..f91dd2fe5 100644
  	selinux_validate_context(system_cronjob_t)
  	selinux_compute_access_vector(system_cronjob_t)
  	selinux_compute_create_context(system_cronjob_t)
-@@ -539,10 +549,22 @@ tunable_policy(`cron_can_relabel',`
+@@ -539,10 +551,26 @@ tunable_policy(`cron_can_relabel',`
  ')
  
  optional_policy(`
@@ -20554,10 +20674,14 @@ index 7de385956..f91dd2fe5 100644
 +
 +optional_policy(`
 +    cron_generic_log_filetrans_log_insights(system_cronjob_t)
++')
++
++optional_policy(`
++    chronyd_run_chronyc(system_cronjob_t,system_r)
  ')
  
  optional_policy(`
-@@ -551,10 +573,6 @@ optional_policy(`
+@@ -551,10 +579,6 @@ optional_policy(`
  
  optional_policy(`
  	dbus_system_bus_client(system_cronjob_t)
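Review bot: `chronyd_run_chronyc(system_cronjob_t,system_r)` passes a role that chronyd.te in this same commit already adds with `roleattribute system_r chronyc_roles;`, so the role half of the call is a no-op. `chronyd_domtrans_chronyc(system_cronjob_t)` grants the same access and states it more plainly. The inetd.te hunk makes the identical call for `inetd_child_t`. There it would also help to add a comment naming the inetd-launched service that needs chronyc, since that domain handles network connections.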
@@ -20568,7 +20692,7 @@ index 7de385956..f91dd2fe5 100644
  ')
  
  optional_policy(`
-@@ -567,6 +585,10 @@ optional_policy(`
+@@ -567,6 +591,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20579,7 +20703,7 @@ index 7de385956..f91dd2fe5 100644
  	ftp_read_log(system_cronjob_t)
  ')
  
-@@ -591,6 +613,8 @@ optional_policy(`
+@@ -591,6 +619,8 @@ optional_policy(`
  optional_policy(`
  	mta_read_config(system_cronjob_t)
  	mta_send_mail(system_cronjob_t)
@@ -20588,7 +20712,7 @@ index 7de385956..f91dd2fe5 100644
  ')
  
  optional_policy(`
-@@ -598,7 +622,31 @@ optional_policy(`
+@@ -598,7 +628,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20620,7 +20744,7 @@ index 7de385956..f91dd2fe5 100644
  ')
  
  optional_policy(`
-@@ -607,7 +655,12 @@ optional_policy(`
+@@ -607,7 +661,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20633,7 +20757,7 @@ index 7de385956..f91dd2fe5 100644
  ')
  
  optional_policy(`
-@@ -615,12 +668,27 @@ optional_policy(`
+@@ -615,12 +674,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20663,7 +20787,7 @@ index 7de385956..f91dd2fe5 100644
  #
  
  allow cronjob_t self:process { signal_perms setsched };
-@@ -628,12 +696,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -628,12 +702,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
  allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
  allow cronjob_t self:unix_dgram_socket create_socket_perms;
  
@@ -20697,7 +20821,7 @@ index 7de385956..f91dd2fe5 100644
  corenet_all_recvfrom_netlabel(cronjob_t)
  corenet_tcp_sendrecv_generic_if(cronjob_t)
  corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -641,66 +729,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -641,66 +735,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
  corenet_udp_sendrecv_generic_node(cronjob_t)
  corenet_tcp_sendrecv_all_ports(cronjob_t)
  corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -27002,10 +27126,10 @@ index 000000000..d22ed691a
 +')
 diff --git a/dnssec.te b/dnssec.te
 new file mode 100644
-index 000000000..238787661
+index 000000000..b93540692
 --- /dev/null
 +++ b/dnssec.te
-@@ -0,0 +1,91 @@
+@@ -0,0 +1,93 @@
 +policy_module(dnssec, 1.0.0)
 +
 +########################################
@@ -27049,6 +27173,8 @@ index 000000000..238787661
 +
 +kernel_read_system_state(dnssec_trigger_t)
 +
++can_exec(dnssec_trigger_t, dnssec_trigger_exec_t)
++
 +corecmd_exec_bin(dnssec_trigger_t)
 +corecmd_exec_shell(dnssec_trigger_t)
 +corecmd_read_all_executables(dnssec_trigger_t)
@@ -31797,7 +31923,7 @@ index e5b15fb7e..220622e84 100644
  
 diff --git a/ganesha.fc b/ganesha.fc
 new file mode 100644
-index 000000000..855f58e55
+index 000000000..c723bfb97
 --- /dev/null
 +++ b/ganesha.fc
 @@ -0,0 +1,12 @@
@@ -31809,8 +31935,8 @@ index 000000000..855f58e55
 +
 +/usr/lib/systemd/system/nfs-ganesha.*e		--	gen_context(system_u:object_r:ganesha_unit_file_t,s0)
 +
-+/var/log/ganesha.log	--	gen_context(system_u:object_r:ganesha_var_log_t,s0)
-+/var/log/ganesha-gfapi.log	--	gen_context(system_u:object_r:ganesha_var_log_t,s0)
++/var/log/ganesha.log.*	--	gen_context(system_u:object_r:ganesha_var_log_t,s0)
++/var/log/ganesha-gfapi.log.*	--	gen_context(system_u:object_r:ganesha_var_log_t,s0)
 +
 +/var/run/ganesha(/.*)?		gen_context(system_u:object_r:ganesha_var_run_t,s0)
 diff --git a/ganesha.if b/ganesha.if
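Review bot: The two new patterns leave their dots unescaped, so `/var/log/ganesha.log.*` accepts any character in those positions as well as any suffix. That can label more regular files `ganesha_var_log_t` than the rotated logs this change is aimed at. `nsd.fc` in this same commit writes `/var/log/nsd\.log.*`; the matching form here is `/var/log/ganesha\.log.*` and `/var/log/ganesha-gfapi\.log.*`. The ipa.fc hunk (`/var/log/ipareplica-conncheck.log.*`) has the same unescaped dot.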
@@ -39473,7 +39599,7 @@ index fbb54e7d8..05c377768 100644
  
  ########################################
 diff --git a/inetd.te b/inetd.te
-index c6450df8a..ed6af7994 100644
+index c6450df8a..94760a2ec 100644
 --- a/inetd.te
 +++ b/inetd.te
 @@ -21,6 +21,7 @@ files_pid_file(inetd_var_run_t)
@@ -39571,7 +39697,7 @@ index c6450df8a..ed6af7994 100644
  dev_read_urand(inetd_child_t)
  
  fs_getattr_xattr_fs(inetd_child_t)
-@@ -230,7 +244,15 @@ auth_use_nsswitch(inetd_child_t)
+@@ -230,7 +244,19 @@ auth_use_nsswitch(inetd_child_t)
  
  logging_send_syslog_msg(inetd_child_t)
  
@@ -39579,6 +39705,10 @@ index c6450df8a..ed6af7994 100644
 +sysnet_read_config(inetd_child_t)
 +
 +optional_policy(`
++    chronyd_run_chronyc(inetd_child_t,system_r)
++')
++
++optional_policy(`
 +	kerberos_use(inetd_child_t)
 +')
 +
@@ -40028,7 +40158,7 @@ index 000000000..61f2003c8
 +userdom_use_user_terminals(iotop_t)
 diff --git a/ipa.fc b/ipa.fc
 new file mode 100644
-index 000000000..74206edcb
+index 000000000..61fd84f00
 --- /dev/null
 +++ b/ipa.fc
 @@ -0,0 +1,29 @@
@@ -40057,7 +40187,7 @@ index 000000000..74206edcb
 +
 +/var/log/ipa(/.*)?              gen_context(system_u:object_r:ipa_log_t,s0)
 +
-+/var/log/ipareplica-conncheck.log	--	gen_context(system_u:object_r:ipa_log_t,s0)
++/var/log/ipareplica-conncheck.log.*	--	gen_context(system_u:object_r:ipa_log_t,s0)
 +
 +/var/run/ipa(/.*)?              gen_context(system_u:object_r:ipa_var_run_t,s0)
 +
@@ -43698,10 +43828,10 @@ index 000000000..bd7e7fa17
 +')
 diff --git a/keepalived.te b/keepalived.te
 new file mode 100644
-index 000000000..e5b8b3bbf
+index 000000000..f84877209
 --- /dev/null
 +++ b/keepalived.te
-@@ -0,0 +1,100 @@
+@@ -0,0 +1,101 @@
 +policy_module(keepalived, 1.0.0)
 +
 +########################################
@@ -43743,6 +43873,7 @@ index 000000000..e5b8b3bbf
 +kernel_read_network_state(keepalived_t)
 +kernel_request_load_module(keepalived_t)
 +kernel_rw_usermodehelper_state(keepalived_t)
++kernel_search_network_sysctl(keepalived_t)
 +
 +auth_use_nsswitch(keepalived_t)
 +
@@ -46465,7 +46596,7 @@ index 73e2803ee..34ca3aa22 100644
  	role_transition $2 l2tpd_initrc_exec_t system_r;
  	allow $2 system_r;
 diff --git a/l2tp.te b/l2tp.te
-index bb06a7fee..01e784bf5 100644
+index bb06a7fee..3339bd85c 100644
 --- a/l2tp.te
 +++ b/l2tp.te
 @@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t)
@@ -46492,7 +46623,7 @@ index bb06a7fee..01e784bf5 100644
  corenet_all_recvfrom_unlabeled(l2tpd_t)
  corenet_all_recvfrom_netlabel(l2tpd_t)
  corenet_raw_sendrecv_generic_if(l2tpd_t)
-@@ -75,19 +77,37 @@ corecmd_exec_bin(l2tpd_t)
+@@ -75,19 +77,38 @@ corecmd_exec_bin(l2tpd_t)
  
  dev_read_urand(l2tpd_t)
  
@@ -46524,6 +46655,7 @@ index bb06a7fee..01e784bf5 100644
 +    ipsec_mgmt_read_pid(l2tpd_t)
 +    ipsec_filetrans_key_file(l2tpd_t)
 +    ipsec_manage_key_file(l2tpd_t)
++    ipsec_kill_mgmt(l2tpd_t)
 +')
 +
 +optional_policy(`
@@ -46812,7 +46944,7 @@ index 3602712d0..af83a5b6b 100644
 +	allow $1 slapd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ldap.te b/ldap.te
-index 4c2b1110e..7b306e4bb 100644
+index 4c2b1110e..f01469806 100644
 --- a/ldap.te
 +++ b/ldap.te
 @@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
@@ -46837,7 +46969,15 @@ index 4c2b1110e..7b306e4bb 100644
  allow slapd_t self:fifo_file rw_fifo_file_perms;
  allow slapd_t self:tcp_socket { accept listen };
  
-@@ -69,9 +72,7 @@ allow slapd_t slapd_lock_t:file manage_file_perms;
+@@ -60,6 +63,7 @@ read_lnk_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
+ manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t)
+ manage_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
+ manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
++allow slapd_t slapd_db_t:file map;
+ 
+ allow slapd_t slapd_etc_t:file read_file_perms;
+ 
+@@ -69,9 +73,7 @@ allow slapd_t slapd_lock_t:file manage_file_perms;
  files_lock_filetrans(slapd_t, slapd_lock_t, file)
  
  manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t)
@@ -46848,7 +46988,7 @@ index 4c2b1110e..7b306e4bb 100644
  logging_log_filetrans(slapd_t, slapd_log_t, { file dir })
  
  manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
-@@ -93,7 +94,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
+@@ -93,7 +95,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
  kernel_read_system_state(slapd_t)
  kernel_read_kernel_sysctls(slapd_t)
  
@@ -46856,7 +46996,7 @@ index 4c2b1110e..7b306e4bb 100644
  corenet_all_recvfrom_netlabel(slapd_t)
  corenet_tcp_sendrecv_generic_if(slapd_t)
  corenet_tcp_sendrecv_generic_node(slapd_t)
-@@ -115,25 +115,26 @@ fs_getattr_all_fs(slapd_t)
+@@ -115,25 +116,26 @@ fs_getattr_all_fs(slapd_t)
  fs_search_auto_mountpoints(slapd_t)
  
  files_read_etc_runtime_files(slapd_t)
@@ -63258,7 +63398,7 @@ index bcd7d0a7d..9b397fdd7 100644
 +	unconfined_dontaudit_rw_packet_sockets(nscd_t)
 +')
 diff --git a/nsd.fc b/nsd.fc
-index 4f2b1b663..6b300d54f 100644
+index 4f2b1b663..0e24b49a9 100644
 --- a/nsd.fc
 +++ b/nsd.fc
 @@ -1,16 +1,19 @@
@@ -63290,7 +63430,7 @@ index 4f2b1b663..6b300d54f 100644
 +/var/lib/nsd(/.*)?		gen_context(system_u:object_r:nsd_zone_t,s0)
  /var/run/nsd\.pid	--	gen_context(system_u:object_r:nsd_var_run_t,s0)
 +
-+/var/log/nsd\.log	--	gen_context(system_u:object_r:nsd_log_t,s0)
++/var/log/nsd\.log.*	--	gen_context(system_u:object_r:nsd_log_t,s0)
 diff --git a/nsd.if b/nsd.if
 index a9c60ff87..ad4f14ad6 100644
 --- a/nsd.if
@@ -69407,7 +69547,7 @@ index 9b157305b..cb00f200a 100644
 +	')
  ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 44dbc99ab..7bcb16c59 100644
+index 44dbc99ab..6221f5b9a 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
 @@ -9,11 +9,8 @@ type openvswitch_t;
@@ -69439,7 +69579,7 @@ index 44dbc99ab..7bcb16c59 100644
  
 -allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock };
 -allow openvswitch_t self:process { setrlimit setsched signal };
-+allow openvswitch_t self:capability { dac_override net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid };
++allow openvswitch_t self:capability { dac_override dac_read_search net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid kill };
 +allow openvswitch_t self:capability2 block_suspend;
 +allow openvswitch_t self:process { fork setsched setrlimit signal setcap };
  allow openvswitch_t self:fifo_file rw_fifo_file_perms;
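Review bot: The `openvswitch_t` capability rule gains `kill` with no comment on which operation required it, in a set that already holds `sys_module`, `sys_rawio`, `setuid` and `dac_override`. `kill` removes the uid check when the daemon signals other processes, so a why-comment above the rule, for example `# kill: <reason / bug reference>`, would let a later reviewer judge whether it can be dropped again. `dac_read_search` adds nothing beyond what `dac_override` already allows, so it needs no comment.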
@@ -82044,7 +82184,7 @@ index 7cb8b1f9c..bef72173b 100644
 +    allow $1 puppet_var_run_t:dir search_dir_perms;
  ')
 diff --git a/puppet.te b/puppet.te
-index 618dcfeed..5bd88a99d 100644
+index 618dcfeed..56b9252c6 100644
 --- a/puppet.te
 +++ b/puppet.te
 @@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0)
@@ -82106,7 +82246,7 @@ index 618dcfeed..5bd88a99d 100644
  
  type puppetmaster_t;
  type puppetmaster_exec_t;
-@@ -56,161 +62,174 @@ files_tmp_file(puppetmaster_tmp_t)
+@@ -56,161 +62,178 @@ files_tmp_file(puppetmaster_tmp_t)
  
  ########################################
  #
@@ -82305,53 +82445,49 @@ index 618dcfeed..5bd88a99d 100644
 +
 +optional_policy(`
 +    mysql_stream_connect(puppetagent_t)
++')
++
++optional_policy(`
++    postgresql_stream_connect(puppetagent_t)
++')
++
++optional_policy(`
++	cfengine_read_lib_files(puppetagent_t)
++')
++
++optional_policy(`
++	consoletype_exec(puppetagent_t)
  ')
  
  optional_policy(`
 -	cfengine_read_lib_files(puppet_t)
-+    postgresql_stream_connect(puppetagent_t)
++	hostname_exec(puppetagent_t)
  ')
  
  optional_policy(`
 -	consoletype_exec(puppet_t)
-+	cfengine_read_lib_files(puppetagent_t)
++	mount_domtrans(puppetagent_t)
  ')
  
  optional_policy(`
 -	hostname_exec(puppet_t)
-+	consoletype_exec(puppetagent_t)
++	mta_send_mail(puppetagent_t)
  ')
  
  optional_policy(`
 -	mount_domtrans(puppet_t)
-+	hostname_exec(puppetagent_t)
++	networkmanager_dbus_chat(puppetagent_t)
  ')
  
  optional_policy(`
 -	mta_send_mail(puppet_t)
-+	mount_domtrans(puppetagent_t)
++        firewalld_dbus_chat(puppetagent_t)
  ')
  
  optional_policy(`
 -	portage_domtrans(puppet_t)
 -	portage_domtrans_fetch(puppet_t)
 -	portage_domtrans_gcc_config(puppet_t)
-+	mta_send_mail(puppetagent_t)
- ')
- 
- optional_policy(`
--	files_rw_var_files(puppet_t)
-+	networkmanager_dbus_chat(puppetagent_t)
-+')
-+
-+optional_policy(`
-+        firewalld_dbus_chat(puppetagent_t)
-+')
- 
--	rpm_domtrans(puppet_t)
--	rpm_manage_db(puppet_t)
--	rpm_manage_log(puppet_t)
-+optional_policy(`
 +	portage_domtrans(puppetagent_t)
 +	portage_domtrans_fetch(puppetagent_t)
 +	portage_domtrans_gcc_config(puppetagent_t)
@@ -82363,21 +82499,29 @@ index 618dcfeed..5bd88a99d 100644
 +	rpm_domtrans(puppetagent_t)
 +	rpm_manage_db(puppetagent_t)
 +	rpm_manage_log(puppetagent_t)
+ ')
+ 
+ optional_policy(`
+-	files_rw_var_files(puppet_t)
++        shorewall_domtrans(puppetagent_t)
 +')
-+
+ 
+-	rpm_domtrans(puppet_t)
+-	rpm_manage_db(puppet_t)
+-	rpm_manage_log(puppet_t)
 +optional_policy(`
-+        shorewall_domtrans(puppetagent_t)
++    unconfined_domain_noaudit(puppetagent_t)
  ')
  
  optional_policy(`
 -	unconfined_domain(puppet_t)
-+    unconfined_domain_noaudit(puppetagent_t)
++        shorewall_domtrans(puppet_t)
  ')
  
  optional_policy(`
 -	usermanage_domtrans_groupadd(puppet_t)
 -	usermanage_domtrans_useradd(puppet_t)
-+        shorewall_domtrans(puppet_t)
++    rhsmcertd_dbus_chat(puppetagent_t)
  ')
  
  ########################################
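Review bot: The new side ends up with two shorewall blocks: `shorewall_domtrans(puppetagent_t)` and, two blocks later, `shorewall_domtrans(puppet_t)` under the old type name. Whether `puppet_t` still exists as an alias is not visible in this hunk. If it does, the second block duplicates the first and can be removed; if it does not, the name is stale and should be corrected or the block dropped. The added `rhsmcertd_dbus_chat(puppetagent_t)` block is indented with four spaces, while neighbouring blocks use a tab or eight spaces, so one indent style across these `optional_policy` blocks would make later diffs of this section smaller.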
@@ -82398,7 +82542,7 @@ index 618dcfeed..5bd88a99d 100644
  
  allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
  manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
-@@ -221,6 +240,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
+@@ -221,6 +244,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
  allow puppetca_t puppet_var_run_t:dir search_dir_perms;
  
  kernel_read_system_state(puppetca_t)
@@ -82406,7 +82550,7 @@ index 618dcfeed..5bd88a99d 100644
  kernel_read_kernel_sysctls(puppetca_t)
  
  corecmd_exec_bin(puppetca_t)
-@@ -229,15 +249,12 @@ corecmd_exec_shell(puppetca_t)
+@@ -229,15 +253,12 @@ corecmd_exec_shell(puppetca_t)
  dev_read_urand(puppetca_t)
  dev_search_sysfs(puppetca_t)
  
@@ -82422,7 +82566,7 @@ index 618dcfeed..5bd88a99d 100644
  miscfiles_read_generic_certs(puppetca_t)
  
  seutil_read_file_contexts(puppetca_t)
-@@ -246,38 +263,48 @@ optional_policy(`
+@@ -246,38 +267,48 @@ optional_policy(`
  	hostname_exec(puppetca_t)
  ')
  
@@ -82488,7 +82632,7 @@ index 618dcfeed..5bd88a99d 100644
  
  kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
  kernel_read_network_state(puppetmaster_t)
-@@ -289,23 +316,24 @@ corecmd_exec_bin(puppetmaster_t)
+@@ -289,23 +320,24 @@ corecmd_exec_bin(puppetmaster_t)
  corecmd_exec_shell(puppetmaster_t)
  
  corenet_all_recvfrom_netlabel(puppetmaster_t)
@@ -82519,7 +82663,7 @@ index 618dcfeed..5bd88a99d 100644
  
  selinux_validate_context(puppetmaster_t)
  
-@@ -314,26 +342,32 @@ auth_use_nsswitch(puppetmaster_t)
+@@ -314,26 +346,32 @@ auth_use_nsswitch(puppetmaster_t)
  logging_send_syslog_msg(puppetmaster_t)
  
  miscfiles_read_generic_certs(puppetmaster_t)
@@ -82557,7 +82701,7 @@ index 618dcfeed..5bd88a99d 100644
  ')
  
  optional_policy(`
-@@ -342,3 +376,9 @@ optional_policy(`
+@@ -342,3 +380,9 @@ optional_policy(`
  	rpm_exec(puppetmaster_t)
  	rpm_read_db(puppetmaster_t)
  ')
@@ -108436,10 +108580,10 @@ index 27a8480bc..fc3fca520 100644
 +
  allow stunnel_t stunnel_port_t:tcp_socket name_bind;
 diff --git a/svnserve.fc b/svnserve.fc
-index effffd028..12ca090e1 100644
+index effffd028..0d5c275de 100644
 --- a/svnserve.fc
 +++ b/svnserve.fc
-@@ -1,8 +1,13 @@
+@@ -1,8 +1,15 @@
 -/etc/rc\.d/init\.d/svnserve	--	gen_context(system_u:object_r:svnserve_initrc_exec_t,s0)
 +/etc/rc.d/init.d/svnserve	--	gen_context(system_u:object_r:svnserve_initrc_exec_t,s0)
  
@@ -108458,6 +108602,8 @@ index effffd028..12ca090e1 100644
 +/var/svn(/.*)?                  gen_context(system_u:object_r:svnserve_content_t,s0)
 +/var/subversion/repo(/.*)?		gen_context(system_u:object_r:svnserve_content_t,s0)	
 +/var/lib/subversion/repo(/.*)?		gen_context(system_u:object_r:svnserve_content_t,s0)	
++
++/var/log/svnserve(/.*)?					gen_context(system_u:object_r:svnserve_log_t,s0)
 diff --git a/svnserve.if b/svnserve.if
 index 2ac91b6e0..a97033d2b 100644
 --- a/svnserve.if
@@ -108596,10 +108742,10 @@ index 2ac91b6e0..a97033d2b 100644
  ')
 +
 diff --git a/svnserve.te b/svnserve.te
-index 49d688d66..451a64768 100644
+index 49d688d66..f7e23fe71 100644
 --- a/svnserve.te
 +++ b/svnserve.te
-@@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t)
+@@ -12,12 +12,21 @@ init_daemon_domain(svnserve_t, svnserve_exec_t)
  type svnserve_initrc_exec_t;
  init_script_file(svnserve_initrc_exec_t)
  
@@ -108615,10 +108761,13 @@ index 49d688d66..451a64768 100644
 +type svnserve_tmp_t;
 +files_tmp_file(svnserve_tmp_t)
 +
++type svnserve_log_t;
++logging_log_file(svnserve_log_t)
++
  ########################################
  #
  # Local policy
-@@ -27,6 +33,11 @@ allow svnserve_t self:fifo_file rw_fifo_file_perms;
+@@ -27,6 +36,11 @@ allow svnserve_t self:fifo_file rw_fifo_file_perms;
  allow svnserve_t self:tcp_socket create_stream_socket_perms;
  allow svnserve_t self:unix_stream_socket { listen accept };
  
@@ -108630,17 +108779,19 @@ index 49d688d66..451a64768 100644
  manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
  manage_files_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
  
-@@ -34,9 +45,6 @@ manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
+@@ -34,8 +48,9 @@ manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
  manage_files_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
  files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file })
  
 -files_read_etc_files(svnserve_t)
 -files_read_usr_files(svnserve_t)
--
++manage_files_pattern(svnserve_t, svnserve_log_t, svnserve_log_t)
++manage_dirs_pattern(svnserve_t, svnserve_log_t, svnserve_log_t)
++logging_log_filetrans(svnserve_t, svnserve_log_t, { dir file })
+ 
  corenet_all_recvfrom_unlabeled(svnserve_t)
  corenet_all_recvfrom_netlabel(svnserve_t)
- corenet_tcp_sendrecv_generic_if(svnserve_t)
-@@ -52,8 +60,9 @@ corenet_tcp_sendrecv_svn_port(svnserve_t)
+@@ -52,8 +67,13 @@ corenet_tcp_sendrecv_svn_port(svnserve_t)
  corenet_udp_bind_svn_port(svnserve_t)
  corenet_udp_sendrecv_svn_port(svnserve_t)
  
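Review bot: `manage_files_pattern(svnserve_t, svnserve_log_t, svnserve_log_t)` in the svnserve.te local policy lets the daemon unlink, rename and overwrite its own logs. That is more than a network-facing service needs in order to write them, and it weakens the log as an audit trail if the daemon is compromised. If svnserve only creates and appends to files under /var/log/svnserve, the narrower form is `append_files_pattern(svnserve_t, svnserve_log_t, svnserve_log_t)`, `create_files_pattern(svnserve_t, svnserve_log_t, svnserve_log_t)` and `setattr_files_pattern(svnserve_t, svnserve_log_t, svnserve_log_t)`. Whether svnserve rotates or truncates its own logs is not visible here, so check this against the daemon's behaviour; the rest of the local policy section lies outside the hunk.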
@@ -108652,6 +108803,10 @@ index 49d688d66..451a64768 100644
 +logging_send_syslog_msg(svnserve_t)
  
  sysnet_dns_name_resolve(svnserve_t)
++
++optional_policy(`
++	kerberos_use(svnserve_t)
++')
 diff --git a/swift.fc b/swift.fc
 new file mode 100644
 index 000000000..6d897bc25
@@ -111616,10 +111771,10 @@ index 000000000..9524b50aa
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 000000000..2b15dca23
+index 000000000..d6affa561
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,172 @@
+@@ -0,0 +1,173 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -111670,6 +111825,7 @@ index 000000000..2b15dca23
 +manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
 +userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails")
 +userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log")
++userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file)
 +userdom_dontaudit_access_check_user_content(thumb_t)
 +userdom_rw_inherited_user_tmp_files(thumb_t)
 +userdom_manage_home_texlive(thumb_t)
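Review bot: The added `userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file)` has no name argument, so every regular file thumb_t creates directly in a user home directory is labelled thumb_home_t, a type the domain can already manage per the `manage_files_pattern` line above it. That makes the named `"missfont.log"` rule redundant and widens where the thumbnailer domain, which presumably processes untrusted media, can place files: from two fixed names to any file name in the home directory. If the bug report behind this change concerns specific files, a named transition keeps the confinement tighter, e.g. `userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "<FILE_NAME_FROM_BUG_REPORT>")`. Otherwise a comment above the line should record why the unnamed form is required. The thumb.te policy continues outside this hunk.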
@@ -112173,10 +112329,10 @@ index 000000000..5185a9e8e
 +    sssd_stream_connect(tlp_t)
 +')
 diff --git a/tmpreaper.te b/tmpreaper.te
-index 585a77f95..9858c8b8d 100644
+index 585a77f95..71981be9d 100644
 --- a/tmpreaper.te
 +++ b/tmpreaper.te
-@@ -5,20 +5,46 @@ policy_module(tmpreaper, 1.7.1)
+@@ -5,20 +5,47 @@ policy_module(tmpreaper, 1.7.1)
  # Declarations
  #
  
@@ -112208,6 +112364,7 @@ index 585a77f95..9858c8b8d 100644
  type tmpreaper_exec_t;
  init_system_domain(tmpreaper_t, tmpreaper_exec_t)
 +application_domain(tmpreaper_t, tmpreaper_exec_t)
++init_nnp_daemon_domain(tmpreaper_t)
  
  ########################################
  #
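Review bot: `init_nnp_daemon_domain(tmpreaper_t)` is added without a comment, although it is a deliberate exception to no-new-privileges: as far as the interface name and the changelog indicate, it permits the transition from init into tmpreaper_t even when the service runs with NoNewPrivileges set. tmpreaper_t is a broad domain in this same file (`fs_list_all`, `mls_file_read_all_levels`, `mls_file_write_all_levels`), so the reason should be recorded next to the line, for example `# started from a systemd unit with NoNewPrivileges=yes; allow the init_t -> tmpreaper_t transition under nnp`. Which unit requires this is not visible in the hunk, so confirm the wording against the unit file. The declarations section starts outside the hunk.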
@@ -112224,7 +112381,7 @@ index 585a77f95..9858c8b8d 100644
  
  dev_read_urand(tmpreaper_t)
  
-@@ -27,15 +53,16 @@ corecmd_exec_shell(tmpreaper_t)
+@@ -27,15 +54,16 @@ corecmd_exec_shell(tmpreaper_t)
  
  fs_getattr_xattr_fs(tmpreaper_t)
  fs_list_all(tmpreaper_t)
@@ -112246,7 +112403,7 @@ index 585a77f95..9858c8b8d 100644
  mls_file_read_all_levels(tmpreaper_t)
  mls_file_write_all_levels(tmpreaper_t)
  
-@@ -45,7 +72,6 @@ init_use_inherited_script_ptys(tmpreaper_t)
+@@ -45,7 +73,6 @@ init_use_inherited_script_ptys(tmpreaper_t)
  
  logging_send_syslog_msg(tmpreaper_t)
  
@@ -112254,7 +112411,7 @@ index 585a77f95..9858c8b8d 100644
  miscfiles_delete_man_pages(tmpreaper_t)
  
  ifdef(`distro_debian',`
-@@ -53,10 +79,33 @@ ifdef(`distro_debian',`
+@@ -53,10 +80,33 @@ ifdef(`distro_debian',`
  ')
  
  ifdef(`distro_redhat',`
@@ -112289,7 +112446,7 @@ index 585a77f95..9858c8b8d 100644
  ')
  
  optional_policy(`
-@@ -64,6 +113,7 @@ optional_policy(`
+@@ -64,6 +114,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -112297,7 +112454,7 @@ index 585a77f95..9858c8b8d 100644
  	apache_list_cache(tmpreaper_t)
  	apache_delete_cache_dirs(tmpreaper_t)
  	apache_delete_cache_files(tmpreaper_t)
-@@ -79,7 +129,19 @@ optional_policy(`
+@@ -79,7 +130,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -112318,7 +112475,7 @@ index 585a77f95..9858c8b8d 100644
  ')
  
  optional_policy(`
-@@ -89,3 +151,8 @@ optional_policy(`
+@@ -89,3 +152,8 @@ optional_policy(`
  optional_policy(`
  	rpm_manage_cache(tmpreaper_t)
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3286d6b..01b8a40 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 298%{?dist}
+Release: 299%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -719,6 +719,32 @@ exit 0
 %endif
 
 %changelog
+* Tue Oct 24 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-299
+- Label /usr/libexec/bluetooth/obexd as bluetoothd_exec_t to run process as bluetooth_t
+- Allow chronyd_t do request kernel module and block_suspend capability
+- Allow system_cronjob_t to create /var/lib/letsencrypt dir with right label
+- Allow slapd_t domain to mmap files labeled as slpad_db_t BZ(1505414)
+- Allow dnssec_trigger_t domain to execute binaries with dnssec_trigeer_exec_t BZ(1487912)
+- Allow l2tpd_t domain to send SIGKILL to ipsec_mgmt_t domains BZ(1505220)
+- Allow thumb_t creating thumb_home_t files in user_home_dir_t direcotry BZ(1474110)
+- Allow httpd_t also read httpd_user_content_type dirs when httpd_enable_homedirs is enables
+- Allow svnserve to use kerberos
+- Allow conman to use ptmx. Add conman_use_nfs boolean
+- Allow nnp transition for amavis and tmpreaper SELinux domains
+- Allow chronyd_t to mmap chronyc_exec_t binary files
+- Add dac_read_search capability to openvswitch_t domain
+- Allow svnserve to manage own svnserve_log_t files/dirs
+- Allow keepalived_t to search network sysctls
+- Allow puppetagent_t domain dbus chat with rhsmcertd_t domain
+- Add kill capability to openvswitch_t domain
+- Label also compressed logs in /var/log for different services
+- Allow inetd_child_t and system_cronjob_t to run chronyc.
+- Allow chrony to create netlink route sockets
+- Add SELinux support for chronyc
+- Add support for running certbot(letsencrypt) in crontab
+- Allow nnp trasintion for unconfined_service_t
+- Allow unpriv user domains and unconfined_service_t to use chronyc
+
 * Sun Oct 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-298
 - Drop *.lst files from file list
 - Ship file_contexts.homedirs in store