diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index d114f36..6debbcb 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -2376,7 +2376,7 @@ index 99e3903..7270808 100644
  
  ########################################
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index d555767..34e1e8c 100644
+index d555767..9365051 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1)
@@ -2658,7 +2658,7 @@ index d555767..34e1e8c 100644
  userdom_use_unpriv_users_fds(passwd_t)
  # make sure that getcon succeeds
  userdom_getattr_all_users(passwd_t)
-@@ -349,9 +389,15 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -349,9 +389,16 @@ userdom_read_user_tmp_files(passwd_t)
  # user generally runs this from their home directory, so do not audit a search
  # on user home dir
  userdom_dontaudit_search_user_home_content(passwd_t)
@@ -2667,6 +2667,7 @@ index d555767..34e1e8c 100644
  optional_policy(`
 -	nscd_run(passwd_t, passwd_roles)
 +	gnome_exec_keyringd(passwd_t)
++    gnome_manage_cache_home_dir(passwd_t)
 +')
 +
 +optional_policy(`
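Review bot: The added `gnome_manage_cache_home_dir(passwd_t)` line is indented with four spaces, while `gnome_exec_keyringd(passwd_t)` directly above it in the same optional_policy block uses a tab; it should use a tab to match. The same space indentation recurs in the other lines this commit adds: `apcupsd_filetrans_named_content(unconfined_domain_type)`, both `ssh_filetrans_keys(...)` calls, and the `files_etc_filetrans` lines of the new interface in ssh.if. Nothing in the hunk says why passwd_t needs manage access to the GNOME cache directory rather than something narrower. A one-line comment above the call naming the denial it fixes would make the grant reviewable, for example `# <reason / bug reference for the cache dir access>`.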
@@ -2675,7 +2676,7 @@ index d555767..34e1e8c 100644
  ')
  
  ########################################
-@@ -398,9 +444,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -398,9 +445,10 @@ dev_read_urand(sysadm_passwd_t)
  fs_getattr_xattr_fs(sysadm_passwd_t)
  fs_search_auto_mountpoints(sysadm_passwd_t)
  
@@ -2688,7 +2689,7 @@ index d555767..34e1e8c 100644
  auth_manage_shadow(sysadm_passwd_t)
  auth_relabel_shadow(sysadm_passwd_t)
  auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -413,7 +460,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -413,7 +461,6 @@ files_read_usr_files(sysadm_passwd_t)
  
  domain_use_interactive_fds(sysadm_passwd_t)
  
@@ -2696,7 +2697,7 @@ index d555767..34e1e8c 100644
  files_relabel_etc_files(sysadm_passwd_t)
  files_read_etc_runtime_files(sysadm_passwd_t)
  # for nscd lookups
-@@ -423,19 +469,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+@@ -423,19 +470,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
  # correctly without it.  Do not audit write denials to utmp.
  init_dontaudit_rw_utmp(sysadm_passwd_t)
  
@@ -2718,7 +2719,7 @@ index d555767..34e1e8c 100644
  ')
  
  ########################################
-@@ -443,7 +487,8 @@ optional_policy(`
+@@ -443,7 +488,8 @@ optional_policy(`
  # Useradd local policy
  #
  
@@ -2728,7 +2729,7 @@ index d555767..34e1e8c 100644
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow useradd_t self:process setfscreate;
-@@ -458,6 +503,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -458,6 +504,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
  allow useradd_t self:unix_dgram_socket sendto;
  allow useradd_t self:unix_stream_socket connectto;
  
@@ -2739,7 +2740,7 @@ index d555767..34e1e8c 100644
  # for getting the number of groups
  kernel_read_kernel_sysctls(useradd_t)
  
-@@ -465,36 +514,36 @@ corecmd_exec_shell(useradd_t)
+@@ -465,36 +515,36 @@ corecmd_exec_shell(useradd_t)
  # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
  corecmd_exec_bin(useradd_t)
  
@@ -2788,7 +2789,7 @@ index d555767..34e1e8c 100644
  auth_manage_shadow(useradd_t)
  auth_relabel_shadow(useradd_t)
  auth_etc_filetrans_shadow(useradd_t)
-@@ -505,33 +554,36 @@ init_rw_utmp(useradd_t)
+@@ -505,33 +555,36 @@ init_rw_utmp(useradd_t)
  logging_send_audit_msgs(useradd_t)
  logging_send_syslog_msg(useradd_t)
  
@@ -2839,7 +2840,7 @@ index d555767..34e1e8c 100644
  optional_policy(`
  	apache_manage_all_user_content(useradd_t)
  ')
-@@ -542,7 +594,12 @@ optional_policy(`
+@@ -542,7 +595,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -2853,7 +2854,7 @@ index d555767..34e1e8c 100644
  ')
  
  optional_policy(`
-@@ -550,6 +607,11 @@ optional_policy(`
+@@ -550,6 +608,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -2865,7 +2866,7 @@ index d555767..34e1e8c 100644
  	tunable_policy(`samba_domain_controller',`
  		samba_append_log(useradd_t)
  	')
-@@ -559,3 +621,12 @@ optional_policy(`
+@@ -559,3 +622,12 @@ optional_policy(`
  	rpm_use_fds(useradd_t)
  	rpm_rw_pipes(useradd_t)
  ')
@@ -5170,7 +5171,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..b48abbe 100644
+index 4edc40d..8fd1cbb 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5272,7 +5273,7 @@ index 4edc40d..b48abbe 100644
  network_port(ctdb, tcp,4379,s0, udp,4397,s0)
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
-@@ -119,18 +141,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
+@@ -119,19 +141,25 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
  network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
  network_port(dict, tcp,2628,s0)
  network_port(distccd, tcp,3632,s0)
@@ -5296,9 +5297,11 @@ index 4edc40d..b48abbe 100644
  network_port(git, tcp,9418,s0, udp,9418,s0)
 +network_port(glance, tcp,9292,s0, udp,9292,s0)
  network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
++network_port(gluster, tcp,24007,s0, tcp, 38465-38469,s0)
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
-@@ -139,45 +166,51 @@ network_port(hadoop_namenode, tcp,8020,s0)
+ network_port(hadoop_datanode, tcp,50010,s0)
+@@ -139,45 +167,51 @@ network_port(hadoop_namenode, tcp,8020,s0)
  network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5364,7 +5367,7 @@ index 4edc40d..b48abbe 100644
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
  network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -185,24 +218,32 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -185,24 +219,32 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
  network_port(mxi, tcp,8005,s0, udp,8005,s0)
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
  network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5400,7 +5403,7 @@ index 4edc40d..b48abbe 100644
  network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
  network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
  network_port(portmap, udp,111,s0, tcp,111,s0)
-@@ -214,38 +255,43 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,38 +256,43 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
@@ -5425,7 +5428,8 @@ index 4edc40d..b48abbe 100644
  network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
  network_port(rsh, tcp,514,s0)
  network_port(rsync, tcp,873,s0, udp,873,s0)
- network_port(rtsp, tcp,554,s0, udp,554,s0)
+-network_port(rtsp, tcp,554,s0, udp,554,s0)
++network_port(rtsp, tcp,554,s0, udp,554,s0, tcp,8554,s0, udp,8554,s0)
  network_port(rwho, udp,513,s0)
  network_port(sap, tcp,9875,s0, udp,9875,s0)
 +network_port(saphostctrl, tcp,1128,s0, tcp,1129,s0)
@@ -5450,7 +5454,7 @@ index 4edc40d..b48abbe 100644
  network_port(ssh, tcp,22,s0)
  network_port(stunnel) # no defined portcon
  network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -257,8 +303,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -257,8 +304,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
@@ -5461,7 +5465,7 @@ index 4edc40d..b48abbe 100644
  network_port(transproxy, tcp,8081,s0)
  network_port(trisoap, tcp,10200,s0, udp,10200,s0)
  network_port(ups, tcp,3493,s0)
-@@ -268,10 +315,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -268,10 +316,10 @@ network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -5474,7 +5478,7 @@ index 4edc40d..b48abbe 100644
  network_port(winshadow, tcp,3161,s0, udp,3261,s0)
  network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
  network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -292,12 +339,16 @@ network_port(zope, tcp,8021,s0)
+@@ -292,12 +340,16 @@ network_port(zope, tcp,8021,s0)
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
  # these entries just cover any remaining reserved ports not otherwise declared.
  
@@ -5493,7 +5497,7 @@ index 4edc40d..b48abbe 100644
  
  ########################################
  #
-@@ -330,6 +381,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -330,6 +382,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
  
  build_option(`enable_mls',`
  network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5502,7 +5506,7 @@ index 4edc40d..b48abbe 100644
  ',`
  typealias netif_t alias { lo_netif_t netif_lo_t };
  ')
-@@ -342,9 +395,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -342,9 +396,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -8404,7 +8408,7 @@ index 6a1e4d1..c691385 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..19c3e01 100644
+index cf04cb5..d02fa9e 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8532,7 +8536,7 @@ index cf04cb5..19c3e01 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +229,287 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +229,292 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -8602,6 +8606,10 @@ index cf04cb5..19c3e01 100644
 +')
 +
 +optional_policy(`
++    apcupsd_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
 +	bootloader_filetrans_config(unconfined_domain_type)
 +')
 +
@@ -8707,6 +8715,7 @@ index cf04cb5..19c3e01 100644
 +
 +optional_policy(`
 +	ssh_filetrans_admin_home_content(unconfined_domain_type)
++    ssh_filetrans_keys(unconfined_domain_type)
 +')
 +
 +optional_policy(`
@@ -14406,7 +14415,7 @@ index 649e458..d47750f 100644
 +	list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
  ')
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 6fac350..1470f08 100644
+index 6fac350..5a087a7 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -14598,15 +14607,17 @@ index 6fac350..1470f08 100644
  	# nfs kernel server needs kernel UDP access. It is less risky and painful
  	# to just give it everything.
  	allow kernel_t self:tcp_socket create_stream_socket_perms;
-@@ -334,7 +394,6 @@ optional_policy(`
+@@ -332,9 +392,6 @@ optional_policy(`
+ 
+ 	sysnet_read_config(kernel_t)
  
- 	rpc_manage_nfs_ro_content(kernel_t)
- 	rpc_manage_nfs_rw_content(kernel_t)
+-	rpc_manage_nfs_ro_content(kernel_t)
+-	rpc_manage_nfs_rw_content(kernel_t)
 -	rpc_tcp_rw_nfs_sockets(kernel_t)
  	rpc_udp_rw_nfs_sockets(kernel_t)
  
  	tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +402,7 @@ optional_policy(`
+@@ -343,9 +400,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -14617,7 +14628,7 @@ index 6fac350..1470f08 100644
  	')
  
  	tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +411,7 @@ optional_policy(`
+@@ -354,7 +409,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -14626,7 +14637,7 @@ index 6fac350..1470f08 100644
  	')
  ')
  
-@@ -367,6 +424,15 @@ optional_policy(`
+@@ -367,6 +422,15 @@ optional_policy(`
  	unconfined_domain_noaudit(kernel_t)
  ')
  
@@ -14642,7 +14653,7 @@ index 6fac350..1470f08 100644
  ########################################
  #
  # Unlabeled process local policy
-@@ -409,4 +475,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+@@ -409,4 +473,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
  allow kern_unconfined unlabeled_t:filesystem *;
  allow kern_unconfined unlabeled_t:association *;
  allow kern_unconfined unlabeled_t:packet *;
@@ -17047,10 +17058,10 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..c3275cb 100644
+index 88d0028..e7c0869 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,81 @@ policy_module(sysadm, 2.5.1)
+@@ -5,39 +5,82 @@ policy_module(sysadm, 2.5.1)
  # Declarations
  #
  
@@ -17139,11 +17150,12 @@ index 88d0028..c3275cb 100644
 +
 +optional_policy(`
 +	ssh_filetrans_admin_home_content(sysadm_t)
++    ssh_filetrans_keys(sysadm_t)
 +')
  
  ifdef(`direct_sysadm_daemon',`
  	optional_policy(`
-@@ -55,13 +97,7 @@ ifdef(`distro_gentoo',`
+@@ -55,13 +98,7 @@ ifdef(`distro_gentoo',`
  	init_exec_rc(sysadm_t)
  ')
  
@@ -17158,7 +17170,7 @@ index 88d0028..c3275cb 100644
  	domain_ptrace_all_domains(sysadm_t)
  ')
  
-@@ -71,9 +107,9 @@ optional_policy(`
+@@ -71,9 +108,9 @@ optional_policy(`
  
  optional_policy(`
  	apache_run_helper(sysadm_t, sysadm_r)
@@ -17169,7 +17181,7 @@ index 88d0028..c3275cb 100644
  ')
  
  optional_policy(`
-@@ -87,6 +123,7 @@ optional_policy(`
+@@ -87,6 +124,7 @@ optional_policy(`
  
  optional_policy(`
  	asterisk_stream_connect(sysadm_t)
@@ -17177,7 +17189,7 @@ index 88d0028..c3275cb 100644
  ')
  
  optional_policy(`
-@@ -110,11 +147,17 @@ optional_policy(`
+@@ -110,11 +148,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17195,7 +17207,7 @@ index 88d0028..c3275cb 100644
  ')
  
  optional_policy(`
-@@ -122,11 +165,19 @@ optional_policy(`
+@@ -122,11 +166,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17217,7 +17229,7 @@ index 88d0028..c3275cb 100644
  ')
  
  optional_policy(`
-@@ -140,6 +191,10 @@ optional_policy(`
+@@ -140,6 +192,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17228,7 +17240,7 @@ index 88d0028..c3275cb 100644
  	dmesg_exec(sysadm_t)
  ')
  
-@@ -156,11 +211,11 @@ optional_policy(`
+@@ -156,11 +212,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17242,7 +17254,7 @@ index 88d0028..c3275cb 100644
  ')
  
  optional_policy(`
-@@ -179,6 +234,13 @@ optional_policy(`
+@@ -179,6 +235,13 @@ optional_policy(`
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -17256,7 +17268,7 @@ index 88d0028..c3275cb 100644
  ')
  
  optional_policy(`
-@@ -186,15 +248,20 @@ optional_policy(`
+@@ -186,15 +249,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17280,7 +17292,7 @@ index 88d0028..c3275cb 100644
  ')
  
  optional_policy(`
-@@ -214,22 +281,20 @@ optional_policy(`
+@@ -214,22 +282,20 @@ optional_policy(`
  	modutils_run_depmod(sysadm_t, sysadm_r)
  	modutils_run_insmod(sysadm_t, sysadm_r)
  	modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -17309,7 +17321,7 @@ index 88d0028..c3275cb 100644
  ')
  
  optional_policy(`
-@@ -241,14 +306,27 @@ optional_policy(`
+@@ -241,14 +307,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17337,7 +17349,7 @@ index 88d0028..c3275cb 100644
  ')
  
  optional_policy(`
-@@ -256,10 +334,20 @@ optional_policy(`
+@@ -256,10 +335,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17358,7 +17370,7 @@ index 88d0028..c3275cb 100644
  	portage_run(sysadm_t, sysadm_r)
  	portage_run_fetch(sysadm_t, sysadm_r)
  	portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +358,36 @@ optional_policy(`
+@@ -270,31 +359,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17402,7 +17414,7 @@ index 88d0028..c3275cb 100644
  ')
  
  optional_policy(`
-@@ -319,12 +412,18 @@ optional_policy(`
+@@ -319,12 +413,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17422,7 +17434,7 @@ index 88d0028..c3275cb 100644
  ')
  
  optional_policy(`
-@@ -349,7 +448,18 @@ optional_policy(`
+@@ -349,7 +449,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17442,7 +17454,7 @@ index 88d0028..c3275cb 100644
  ')
  
  optional_policy(`
-@@ -360,19 +470,15 @@ optional_policy(`
+@@ -360,19 +471,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17464,7 +17476,7 @@ index 88d0028..c3275cb 100644
  ')
  
  optional_policy(`
-@@ -384,10 +490,6 @@ optional_policy(`
+@@ -384,10 +491,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17475,7 +17487,7 @@ index 88d0028..c3275cb 100644
  	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
  	usermanage_run_groupadd(sysadm_t, sysadm_r)
  	usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +497,9 @@ optional_policy(`
+@@ -395,6 +498,9 @@ optional_policy(`
  
  optional_policy(`
  	virt_stream_connect(sysadm_t)
@@ -17485,7 +17497,7 @@ index 88d0028..c3275cb 100644
  ')
  
  optional_policy(`
-@@ -402,31 +507,34 @@ optional_policy(`
+@@ -402,31 +508,34 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17526,7 +17538,7 @@ index 88d0028..c3275cb 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -439,10 +547,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +548,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -17537,7 +17549,7 @@ index 88d0028..c3275cb 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  
  		optional_policy(`
-@@ -463,15 +567,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +568,75 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -19378,13 +19390,15 @@ index 346d011..3e23acb 100644
 +	')
 +')
 diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 76d9f66..21c96cf 100644
+index 76d9f66..02d4ea6 100644
 --- a/policy/modules/services/ssh.fc
 +++ b/policy/modules/services/ssh.fc
-@@ -1,4 +1,16 @@
+@@ -1,16 +1,36 @@
  HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +HOME_DIR/\.shosts			gen_context(system_u:object_r:ssh_home_t,s0)
-+
+ 
+-/etc/ssh/primes			--	gen_context(system_u:object_r:sshd_key_t,s0)
+-/etc/ssh/ssh_host.*_key		--	gen_context(system_u:object_r:sshd_key_t,s0)
 +/var/lib/amanda/\.ssh(/.*)?		gen_context(system_u:object_r:ssh_home_t,s0)
 +/var/lib/gitolite/\.ssh(/.*)?	gen_context(system_u:object_r:ssh_home_t,s0)
 +/var/lib/gitolite3/\.ssh(/.*)?	gen_context(system_u:object_r:ssh_home_t,s0)
@@ -19395,10 +19409,13 @@ index 76d9f66..21c96cf 100644
 +/var/lib/pgsql/\.ssh(/.*)?		gen_context(system_u:object_r:ssh_home_t,s0)
 +
 +/etc/rc\.d/init\.d/sshd        --  gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
++
++/etc/ssh/primes			        --	gen_context(system_u:object_r:sshd_key_t,s0)
++/etc/ssh/ssh_host.*_key		    --	gen_context(system_u:object_r:sshd_key_t,s0)
++/etc/ssh/ssh_host.*_key\.pub    --	gen_context(system_u:object_r:sshd_key_t,s0)
  
- /etc/ssh/primes			--	gen_context(system_u:object_r:sshd_key_t,s0)
- /etc/ssh/ssh_host.*_key		--	gen_context(system_u:object_r:sshd_key_t,s0)
-@@ -8,9 +20,16 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
+ /usr/bin/ssh			--	gen_context(system_u:object_r:ssh_exec_t,s0)
+ /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
  /usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
  
  /usr/lib/openssh/ssh-keysign	 --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
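Review bot: The new `/etc/ssh/ssh_host.*_key\.pub` entry gives the public host keys the same `sshd_key_t` type as the private keys matched by `/etc/ssh/ssh_host.*_key` on the line above it. Any domain later granted read on `sshd_key_t` because it needs a public host key would also be able to read the private keys, so the type stops separating the two. Consider leaving the `.pub` files on their previous label or giving them a type of their own. If sharing the type is deliberate, a comment above the entry should say so.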
@@ -19416,7 +19433,7 @@ index 76d9f66..21c96cf 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..95ae197 100644
+index fe0c682..225aaa7 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,11 @@
@@ -19964,7 +19981,7 @@ index fe0c682..95ae197 100644
  ')
  
  ######################################
-@@ -754,3 +873,124 @@ interface(`ssh_delete_tmp',`
+@@ -754,3 +873,149 @@ interface(`ssh_delete_tmp',`
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')
@@ -20032,6 +20049,31 @@ index fe0c682..95ae197 100644
 +
 +########################################
 +## <summary>
++##	Create .ssh directory in the user home directory
++##	with an correct label.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`ssh_filetrans_keys',`
++	
++	gen_require(`
++		type sshd_key_t;
++	')
++
++    files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_key")
++    files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_dsa_key")
++    files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_rsa_key")
++    files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_key.pub")
++    files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_dsa_key.pub")
++    files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_rsa_key.pub")
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to read and
 +##	write the sshd pty type.  
 +## </summary>
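Review bot: The names passed to `files_etc_filetrans` in `ssh_filetrans_keys` all start with a dot (`".ssh_host_key"`, `".ssh_host_rsa_key.pub"`, …), but ssh.fc labels `/etc/ssh/ssh_host.*_key` without one; a named transition matches the exact file name, so these six rules would likely never apply to real host keys. Drop the leading dot on all six lines, e.g. `files_etc_filetrans($1, sshd_key_t, file, "ssh_host_rsa_key")`, and confirm that /etc/ssh carries the directory type `files_etc_filetrans` acts on, which is not visible here. The `<summary>` was copied from another interface and still reads "Create .ssh directory in the user home directory"; something like `## Create SSH host key files in /etc with the sshd_key_t label.` describes what the body does. Host key names outside the six listed (an ECDSA key, for instance) would still depend on restorecon. The callers added for `unconfined_domain_type` in domain.te and `sysadm_t` in sysadm.te inherit the same problem.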
@@ -28412,29 +28454,33 @@ index dd3be8d..8cda2bb 100644
 +    allow direct_run_init direct_init_entry:file { getattr open read execute };
 +')
 diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..93aad6f 100644
+index 662e79b..ef9370d 100644
 --- a/policy/modules/system/ipsec.fc
 +++ b/policy/modules/system/ipsec.fc
-@@ -1,13 +1,17 @@
+@@ -1,14 +1,19 @@
  /etc/rc\.d/init\.d/ipsec	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/racoon	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/strongswan	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
  
 -/etc/ipsec\.secrets		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
+-/etc/ipsec\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
 +/usr/lib/systemd/system/strongswan.*         --  gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
 +
-+/etc/ipsec\.secrets.*		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
- /etc/ipsec\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
++/etc/(strongswan)?/ipsec\.secrets.*		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
++/etc/(strongswan)?/ipsec\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
  /etc/racoon/psk\.txt		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
  
  /etc/racoon(/.*)?			gen_context(system_u:object_r:ipsec_conf_file_t,s0)
  /etc/racoon/certs(/.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
  
+-/etc/ipsec\.d(/.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
 +/etc/strongswan(/.*)?		gen_context(system_u:object_r:ipsec_conf_file_t,s0)
 +
- /etc/ipsec\.d(/.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
++/etc/(strongswan)?/ipsec\.d(/.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
  
  /sbin/setkey			--	gen_context(system_u:object_r:setkey_exec_t,s0)
-@@ -26,10 +30,12 @@
+ 
+@@ -26,12 +31,15 @@
  /usr/libexec/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
  /usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
  /usr/libexec/nm-openswan-service -- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
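Review bot: The three new patterns written as `/etc/(strongswan)?/ipsec\...` no longer match the non-strongswan paths: with the optional group empty they expand to `/etc//ipsec.secrets`, `/etc//ipsec.conf` and `/etc//ipsec.d`, which never occur as real paths. They replace the former `/etc/ipsec\.secrets.*`, `/etc/ipsec\.conf` and `/etc/ipsec\.d(/.*)?` entries, so `/etc/ipsec.secrets` and `/etc/ipsec.d` would lose `ipsec_key_file_t` on the next relabel and fall back to the default label for /etc content. Move the slash inside the group: `/etc/(strongswan/)?ipsec\.secrets.*`, `/etc/(strongswan/)?ipsec\.conf`, `/etc/(strongswan/)?ipsec\.d(/.*)?`.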
@@ -28446,8 +28492,11 @@ index 662e79b..93aad6f 100644
 +/usr/sbin/strongswan	--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
  
  /var/lock/subsys/ipsec		--	gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
++/var/lock/subsys/strongswan		--	gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
  
-@@ -39,3 +45,5 @@
+ /var/log/pluto\.log		--	gen_context(system_u:object_r:ipsec_log_t,s0)
+ 
+@@ -39,3 +47,5 @@
  
  /var/run/pluto(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
  /var/run/racoon\.pid		--	gen_context(system_u:object_r:ipsec_var_run_t,s0)
@@ -31302,7 +31351,7 @@ index e8c59a5..d2df072 100644
  ')
  
 diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 9fe8e01..5985e0f 100644
+index 9fe8e01..a70c055 100644
 --- a/policy/modules/system/miscfiles.fc
 +++ b/policy/modules/system/miscfiles.fc
 @@ -9,11 +9,13 @@ ifdef(`distro_gentoo',`
@@ -31345,12 +31394,8 @@ index 9fe8e01..5985e0f 100644
  /usr/share/ssl/certs(/.*)?	gen_context(system_u:object_r:cert_t,s0)
  /usr/share/ssl/private(/.*)?	gen_context(system_u:object_r:cert_t,s0)
  
-@@ -75,9 +74,11 @@ ifdef(`distro_redhat',`
- 
- /var/lib/texmf(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
+@@ -77,7 +76,7 @@ ifdef(`distro_redhat',`
  
-+/var/lib/ipa/pki-ca/publish(/.*)?        gen_context(system_u:object_r:cert_t,s0)
-+
  /var/cache/fontconfig(/.*)?	gen_context(system_u:object_r:fonts_cache_t,s0)
  /var/cache/fonts(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
 -/var/cache/man(/.*)?		gen_context(system_u:object_r:man_cache_t,s0)
@@ -31358,7 +31403,7 @@ index 9fe8e01..5985e0f 100644
  
  /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
  
-@@ -90,6 +91,7 @@ ifdef(`distro_debian',`
+@@ -90,6 +89,7 @@ ifdef(`distro_debian',`
  ')
  
  ifdef(`distro_redhat',`
@@ -38327,7 +38372,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..4129aa6 100644
+index 3c5dba7..33a39dc 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -39174,7 +39219,7 @@ index 3c5dba7..4129aa6 100644
  		')
  	')
  
-@@ -693,32 +859,36 @@ template(`userdom_common_user_template',`
+@@ -693,32 +859,35 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -39184,7 +39229,6 @@ index 3c5dba7..4129aa6 100644
 +
 +	optional_policy(`
 +		rpc_dontaudit_getattr_exports($1_usertype)
-+		rpc_manage_nfs_rw_content($1_usertype)
 +	')
 +
 +	optional_policy(`
@@ -39222,7 +39266,7 @@ index 3c5dba7..4129aa6 100644
  	')
  ')
  
-@@ -743,17 +913,33 @@ template(`userdom_common_user_template',`
+@@ -743,17 +912,33 @@ template(`userdom_common_user_template',`
  template(`userdom_login_user_template', `
  	gen_require(`
  		class context contains;
@@ -39260,7 +39304,7 @@ index 3c5dba7..4129aa6 100644
  
  	userdom_change_password_template($1)
  
-@@ -761,82 +947,99 @@ template(`userdom_login_user_template', `
+@@ -761,82 +946,99 @@ template(`userdom_login_user_template', `
  	#
  	# User domain Local policy
  	#
@@ -39396,7 +39440,7 @@ index 3c5dba7..4129aa6 100644
  	')
  ')
  
-@@ -868,6 +1071,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1070,12 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -39409,7 +39453,7 @@ index 3c5dba7..4129aa6 100644
  	##############################
  	#
  	# Local policy
-@@ -908,41 +1117,97 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -908,41 +1116,97 @@ template(`userdom_restricted_xwindows_user_template',`
  	# Local policy
  	#
  
@@ -39520,7 +39564,7 @@ index 3c5dba7..4129aa6 100644
  		')
  
  		optional_policy(`
-@@ -951,12 +1216,29 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -951,12 +1215,29 @@ template(`userdom_restricted_xwindows_user_template',`
  	')
  
  	optional_policy(`
@@ -39551,7 +39595,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  #######################################
-@@ -990,27 +1272,33 @@ template(`userdom_unpriv_user_template', `
+@@ -990,27 +1271,33 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -39589,7 +39633,7 @@ index 3c5dba7..4129aa6 100644
  			fs_manage_noxattr_fs_files($1_t)
  			fs_manage_noxattr_fs_dirs($1_t)
  			# Write floppies
-@@ -1021,23 +1309,60 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,23 +1308,60 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -39660,7 +39704,7 @@ index 3c5dba7..4129aa6 100644
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1046,7 +1371,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1046,7 +1370,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -39671,7 +39715,7 @@ index 3c5dba7..4129aa6 100644
  	')
  ')
  
-@@ -1082,7 +1409,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1082,7 +1408,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -39680,7 +39724,7 @@ index 3c5dba7..4129aa6 100644
  	')
  
  	##############################
-@@ -1109,6 +1436,7 @@ template(`userdom_admin_user_template',`
+@@ -1109,6 +1435,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -39688,7 +39732,7 @@ index 3c5dba7..4129aa6 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1117,6 +1445,9 @@ template(`userdom_admin_user_template',`
+@@ -1117,6 +1444,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -39698,7 +39742,7 @@ index 3c5dba7..4129aa6 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1131,6 +1462,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1461,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -39706,7 +39750,7 @@ index 3c5dba7..4129aa6 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1148,10 +1480,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1479,14 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -39721,7 +39765,7 @@ index 3c5dba7..4129aa6 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1162,29 +1498,38 @@ template(`userdom_admin_user_template',`
+@@ -1162,29 +1497,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -39764,7 +39808,7 @@ index 3c5dba7..4129aa6 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1194,6 +1539,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1538,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -39773,7 +39817,7 @@ index 3c5dba7..4129aa6 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1548,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1547,17 @@ template(`userdom_admin_user_template',`
  	userdom_manage_user_home_content_sockets($1_t)
  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
  
@@ -39792,7 +39836,7 @@ index 3c5dba7..4129aa6 100644
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1253,6 +1604,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1603,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -39801,7 +39845,7 @@ index 3c5dba7..4129aa6 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1265,8 +1618,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1617,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -39813,7 +39857,7 @@ index 3c5dba7..4129aa6 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1277,29 +1632,31 @@ template(`userdom_security_admin_template',`
+@@ -1277,29 +1631,31 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -39856,7 +39900,7 @@ index 3c5dba7..4129aa6 100644
  	')
  
  	optional_policy(`
-@@ -1360,14 +1717,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1716,17 @@ interface(`userdom_user_home_content',`
  	gen_require(`
  		attribute user_home_content_type;
  		type user_home_t;
@@ -39875,7 +39919,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -1408,6 +1768,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1767,51 @@ interface(`userdom_user_tmpfs_file',`
  ## <summary>
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
@@ -39927,7 +39971,7 @@ index 3c5dba7..4129aa6 100644
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
-@@ -1512,11 +1917,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1916,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -39959,7 +40003,7 @@ index 3c5dba7..4129aa6 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1558,6 +1983,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +1982,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -39974,7 +40018,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -1573,9 +2006,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +2005,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -39986,7 +40030,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -1632,6 +2067,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2066,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -40029,7 +40073,7 @@ index 3c5dba7..4129aa6 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1711,6 +2182,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2181,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -40038,7 +40082,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -1744,10 +2217,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2216,12 @@ interface(`userdom_list_all_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -40053,7 +40097,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -1772,7 +2247,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2246,7 @@ interface(`userdom_manage_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -40062,7 +40106,7 @@ index 3c5dba7..4129aa6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1780,19 +2255,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1780,19 +2254,17 @@ interface(`userdom_manage_user_home_content_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -40086,7 +40130,7 @@ index 3c5dba7..4129aa6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1800,31 +2273,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1800,31 +2272,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -40126,7 +40170,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -1848,6 +2321,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2320,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -40152,7 +40196,7 @@ index 3c5dba7..4129aa6 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1878,14 +2370,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2369,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -40190,7 +40234,7 @@ index 3c5dba7..4129aa6 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1896,11 +2410,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2409,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -40208,7 +40252,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -1941,7 +2458,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1941,7 +2457,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -40235,7 +40279,7 @@ index 3c5dba7..4129aa6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1951,17 +2486,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1951,17 +2485,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  #
  interface(`userdom_delete_all_user_home_content_files',`
  	gen_require(`
@@ -40256,7 +40300,7 @@ index 3c5dba7..4129aa6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1969,12 +2502,48 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1969,12 +2501,48 @@ interface(`userdom_delete_all_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -40307,7 +40351,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -2010,8 +2579,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2010,8 +2578,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -40317,7 +40361,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -2027,20 +2595,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2027,20 +2594,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -40342,7 +40386,7 @@ index 3c5dba7..4129aa6 100644
  
  ########################################
  ## <summary>
-@@ -2123,7 +2685,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2123,7 +2684,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -40351,7 +40395,7 @@ index 3c5dba7..4129aa6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2131,19 +2693,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2692,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -40375,7 +40419,7 @@ index 3c5dba7..4129aa6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2151,12 +2711,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2710,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -40391,7 +40435,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -2393,11 +2953,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +2952,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -40406,7 +40450,7 @@ index 3c5dba7..4129aa6 100644
  	files_search_tmp($1)
  ')
  
-@@ -2417,7 +2977,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +2976,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -40415,7 +40459,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -2664,6 +3224,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3223,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -40441,7 +40485,7 @@ index 3c5dba7..4129aa6 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2680,13 +3259,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3258,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -40457,7 +40501,7 @@ index 3c5dba7..4129aa6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2707,7 +3287,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3286,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -40466,7 +40510,7 @@ index 3c5dba7..4129aa6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2715,19 +3295,17 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,19 +3294,17 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -40489,7 +40533,7 @@ index 3c5dba7..4129aa6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2735,25 +3313,43 @@ interface(`userdom_manage_user_tmpfs_files',`
+@@ -2735,25 +3312,43 @@ interface(`userdom_manage_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -40539,7 +40583,7 @@ index 3c5dba7..4129aa6 100644
  	gen_require(`
  		type user_tty_device_t;
  	')
-@@ -2817,6 +3413,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2817,6 +3412,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -40564,7 +40608,7 @@ index 3c5dba7..4129aa6 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2835,22 +3449,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3448,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -40607,7 +40651,7 @@ index 3c5dba7..4129aa6 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2859,14 +3485,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3484,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -40645,7 +40689,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -2885,8 +3530,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3529,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -40675,7 +40719,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -2958,69 +3622,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3621,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -40776,7 +40820,7 @@ index 3c5dba7..4129aa6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3028,12 +3691,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3690,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -40791,7 +40835,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -3097,7 +3760,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3759,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -40800,7 +40844,7 @@ index 3c5dba7..4129aa6 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3113,29 +3776,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3775,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -40834,7 +40878,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -3217,7 +3864,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3863,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -40861,7 +40905,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -3272,7 +3937,64 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +3936,64 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -40927,7 +40971,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -3290,7 +4012,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3290,7 +4011,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -40936,7 +40980,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -3309,6 +4031,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3309,6 +4030,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -40944,7 +40988,7 @@ index 3c5dba7..4129aa6 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3385,6 +4108,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,6 +4107,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -40987,7 +41031,7 @@ index 3c5dba7..4129aa6 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4164,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4163,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -41012,7 +41056,7 @@ index 3c5dba7..4129aa6 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3438,4 +4215,1455 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3438,4 +4214,1455 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index d9abd45..5d30ac9 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -6756,10 +6756,10 @@ index 1a82e29..ffff859 100644
 +    corenet_tcp_connect_osapi_compute_port(httpd_t)
  ')
 diff --git a/apcupsd.fc b/apcupsd.fc
-index 5ec0e13..2da2368 100644
+index 5ec0e13..1c37fe1 100644
 --- a/apcupsd.fc
 +++ b/apcupsd.fc
-@@ -1,5 +1,7 @@
+@@ -1,10 +1,13 @@
  /etc/rc\.d/init\.d/apcupsd	--	gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
  
 +/usr/lib/systemd/system/apcupsd.*  -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
@@ -6767,11 +6767,17 @@ index 5ec0e13..2da2368 100644
  /sbin/apcupsd	--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
  
  /usr/sbin/apcupsd	--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
+ 
+ /var/lock/subsys/apcupsd	--	gen_context(system_u:object_r:apcupsd_lock_t,s0)
++/var/lock/LCK..			--	gen_context(system_u:object_r:apcupsd_lock_t,s0)
+ 
+ /var/log/apcupsd\.events.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
+ /var/log/apcupsd\.status.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
 diff --git a/apcupsd.if b/apcupsd.if
-index f3c0aba..5189407 100644
+index f3c0aba..b6afc90 100644
 --- a/apcupsd.if
 +++ b/apcupsd.if
-@@ -125,6 +125,29 @@ interface(`apcupsd_cgi_script_domtrans',`
+@@ -125,6 +125,49 @@ interface(`apcupsd_cgi_script_domtrans',`
  
  ########################################
  ## <summary>
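Review bot: The new `/var/lock/LCK..` entry in apcupsd.fc leaves both dots unescaped, so as a file-context regular expression it matches `LCK` followed by any two characters rather than the literal file name. Other entries in the same file escape their dots (`apcupsd\.events.*`), and the named transition added for this file in apcupsd.if uses the literal string "LCK..". I would write it as `/var/lock/LCK\.\.	--	gen_context(system_u:object_r:apcupsd_lock_t,s0)` so that relabelling applies apcupsd_lock_t to that one lock file only.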
@@ -6798,10 +6804,30 @@ index f3c0aba..5189407 100644
 +
 +########################################
 +## <summary>
++##	Create configuration files in /var/lock 
++##	with a named file type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`apcupsd_filetrans_named_content',`
++	gen_require(`
++		type apcupsd_lock_t;
++	')
++
++	files_lock_filetrans($1, apcupsd_lock_t, file, "apcupsd")
++	files_lock_filetrans($1, apcupsd_lock_t, file, "LCK..")
++')
++
++########################################
++## <summary>
  ##	All of the rules required to
  ##	administrate an apcupsd environment.
  ## </summary>
-@@ -144,11 +167,16 @@ interface(`apcupsd_admin',`
+@@ -144,11 +187,16 @@ interface(`apcupsd_admin',`
  	gen_require(`
  		type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
  		type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t;
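Review bot: The summary of the new `apcupsd_filetrans_named_content` interface says it creates configuration files, but both `files_lock_filetrans` calls label lock files as apcupsd_lock_t. I would change the first summary line to `##	Create apcupsd lock files in /var/lock`, which also drops the trailing space after `/var/lock`. The name "LCK.." is generic for a transition that every caller of this interface receives, so a one-line comment naming the program that creates that file would help the next reviewer judge which domains should call it.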
@@ -6819,7 +6845,7 @@ index f3c0aba..5189407 100644
  	apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 apcupsd_initrc_exec_t system_r;
-@@ -165,4 +193,8 @@ interface(`apcupsd_admin',`
+@@ -165,4 +213,8 @@ interface(`apcupsd_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, apcupsd_var_run_t)
@@ -6829,7 +6855,7 @@ index f3c0aba..5189407 100644
 +	allow $1 apcupsd_unit_file_t:service all_service_perms;
  ')
 diff --git a/apcupsd.te b/apcupsd.te
-index b236327..f194ee1 100644
+index b236327..ea24c5d 100644
 --- a/apcupsd.te
 +++ b/apcupsd.te
 @@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
@@ -6869,7 +6895,7 @@ index b236327..f194ee1 100644
  
  corenet_udp_bind_snmp_port(apcupsd_t)
  corenet_sendrecv_snmp_server_packets(apcupsd_t)
-@@ -74,19 +75,23 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
+@@ -74,19 +75,25 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
  
  dev_rw_generic_usb_dev(apcupsd_t)
  
@@ -6893,11 +6919,13 @@ index b236327..f194ee1 100644
  sysnet_dns_name_resolve(apcupsd_t)
  
 -userdom_use_user_ttys(apcupsd_t)
++systemd_start_power_services(apcupsd_t)
++
 +userdom_use_inherited_user_ttys(apcupsd_t)
  
  optional_policy(`
  	hostname_exec(apcupsd_t)
-@@ -112,7 +117,6 @@ optional_policy(`
+@@ -112,7 +119,6 @@ optional_policy(`
  	allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
  	allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
  
@@ -8960,7 +8988,7 @@ index 02fefaa..fbcef10 100644
 +	')
  ')
 diff --git a/boinc.te b/boinc.te
-index 7c92aa1..1a30d34 100644
+index 7c92aa1..f177ca5 100644
 --- a/boinc.te
 +++ b/boinc.te
 @@ -1,11 +1,13 @@
@@ -9055,7 +9083,7 @@ index 7c92aa1..1a30d34 100644
  
  manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
  manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
-@@ -54,74 +91,47 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+@@ -54,74 +91,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
  manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
  fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
  
@@ -9088,6 +9116,7 @@ index 7c92aa1..1a30d34 100644
  
 +# needs read /proc/interrupts
  kernel_read_system_state(boinc_t)
++kernel_read_network_state(boinc_t)
  kernel_search_vm_sysctl(boinc_t)
  
 -corenet_all_recvfrom_unlabeled(boinc_t)
@@ -9151,7 +9180,7 @@ index 7c92aa1..1a30d34 100644
  
  term_getattr_all_ptys(boinc_t)
  term_getattr_unallocated_ttys(boinc_t)
-@@ -130,55 +140,65 @@ init_read_utmp(boinc_t)
+@@ -130,55 +141,65 @@ init_read_utmp(boinc_t)
  
  logging_send_syslog_msg(boinc_t)
  
@@ -11477,10 +11506,10 @@ index 29782b8..685edff 100644
  ')
 diff --git a/cloudform.fc b/cloudform.fc
 new file mode 100644
-index 0000000..cc740da
+index 0000000..3a0de96
 --- /dev/null
 +++ b/cloudform.fc
-@@ -0,0 +1,29 @@
+@@ -0,0 +1,27 @@
 +/etc/rc\.d/init\.d/iwhd --      gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/mongod	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
 +
@@ -11498,16 +11527,14 @@ index 0000000..cc740da
 +/var/lib/cloud(/.*)?            gen_context(system_u:object_r:cloud_var_lib_t,s0)
 +/var/log/cloud-init\.log    --  gen_context(system_u:object_r:cloud_log_t,s0)
 +/var/lib/iwhd(/.*)?             gen_context(system_u:object_r:iwhd_var_lib_t,s0)
-+/var/lib/mongodb(/.*)?          gen_context(system_u:object_r:mongod_var_lib_t,s0)
++/var/lib/mongo.*		gen_context(system_u:object_r:mongod_var_lib_t,s0)
 +
 +/var/log/deltacloud-core(/.*)?	gen_context(system_u:object_r:deltacloudd_log_t,s0)
 +/var/log/iwhd\.log.*		--		gen_context(system_u:object_r:iwhd_log_t,s0)
-+/var/log/mongodb(/.*)?		gen_context(system_u:object_r:mongod_log_t,s0)
-+/var/log/mongo(/.*)?      gen_context(system_u:object_r:mongod_log_t,s0)
-+/var/log/mongo/mongod\.log.*	--	gen_context(system_u:object_r:mongod_log_t,s0)	
++/var/log/mongo.*		gen_context(system_u:object_r:mongod_log_t,s0)
 +/var/log/aeolus-conductor/dbomatic\.log.*	--	gen_context(system_u:object_r:mongod_log_t,s0)
 +
-+/var/run/mongodb(/.*)?		gen_context(system_u:object_r:mongod_var_run_t,s0)
++/var/run/mongo.*		gen_context(system_u:object_r:mongod_var_run_t,s0)
 +/var/run/aeolus/dbomatic\.pid   --  gen_context(system_u:object_r:mongod_var_run_t,s0)
 +/var/run/iwhd\.pid               --      gen_context(system_u:object_r:iwhd_var_run_t,s0)
 diff --git a/cloudform.if b/cloudform.if
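Review bot: The three replacement entries in cloudform.fc (`/var/lib/mongo.*`, `/var/log/mongo.*`, `/var/run/mongo.*`) match every path whose name begins with `mongo`, not only the mongo and mongodb directories that the removed entries named. Any unrelated file or directory with that prefix under /var/lib, /var/log or /var/run would be labelled with a mongod type, and so would fall under whatever access the policy grants on those types. A pattern that keeps the directory boundary, such as `/var/lib/mongo(db)?(/.*)?` and the same shape for /var/log and /var/run, covers both names without the open prefix match.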
@@ -13308,7 +13335,7 @@ index 5b830ec..0647a3b 100644
 +	ps_process_pattern($1, consolekit_t)
 +')
 diff --git a/consolekit.te b/consolekit.te
-index 5f0c793..ecd0397 100644
+index 5f0c793..d11e25b 100644
 --- a/consolekit.te
 +++ b/consolekit.te
 @@ -19,12 +19,16 @@ type consolekit_var_run_t;
@@ -13328,7 +13355,7 @@ index 5f0c793..ecd0397 100644
  allow consolekit_t self:process { getsched signal };
  allow consolekit_t self:fifo_file rw_fifo_file_perms;
  allow consolekit_t self:unix_stream_socket { accept listen };
-@@ -54,37 +58,35 @@ dev_read_sysfs(consolekit_t)
+@@ -54,37 +58,36 @@ dev_read_sysfs(consolekit_t)
  
  domain_read_all_domains_state(consolekit_t)
  domain_use_interactive_fds(consolekit_t)
@@ -13356,6 +13383,7 @@ index 5f0c793..ecd0397 100644
  
 -miscfiles_read_localization(consolekit_t)
 +systemd_exec_systemctl(consolekit_t)
++systemd_start_power_services(consolekit_t)
  
 +userdom_read_all_users_state(consolekit_t)
  userdom_dontaudit_read_user_home_content_files(consolekit_t)
@@ -13374,7 +13402,7 @@ index 5f0c793..ecd0397 100644
  ')
  
  ifdef(`distro_debian',`
-@@ -112,13 +114,6 @@ optional_policy(`
+@@ -112,13 +115,6 @@ optional_policy(`
  	')
  ')
  
@@ -13604,13 +13632,32 @@ index c086302..4f33119 100644
  
  /etc/rc\.d/init\.d/couchdb	--	gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
 diff --git a/couchdb.if b/couchdb.if
-index 83d6744..6afc08d 100644
+index 83d6744..b934cb7 100644
 --- a/couchdb.if
 +++ b/couchdb.if
-@@ -2,6 +2,25 @@
+@@ -2,6 +2,44 @@
  
  ########################################
  ## <summary>
++##	Allow to read couchdb log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`couchdb_read_log_files',`
++	gen_require(`
++		type couchdb_log_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, couchdb_log_t, couchdb_log_t)
++')
++
++########################################
++## <summary>
 +##	Allow to read couchdb lib files.
 +## </summary>
 +## <param name="domain">
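Review bot: The new `couchdb_read_log_files` interface calls `files_search_var_lib($1)` before `read_files_pattern($1, couchdb_log_t, couchdb_log_t)`, which looks copied from the lib-files interface that follows it. If couchdb_log_t files live under /var/log, as the type name suggests, the caller needs search access to the log directory instead, i.e. `logging_search_logs($1)`. With the current line the caller gets a /var/lib search it does not need and may still be denied on the way to the logs. The couchdb.fc entries are outside this hunk, so the actual log location should be confirmed there.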
@@ -13633,7 +13680,7 @@ index 83d6744..6afc08d 100644
  ##	All of the rules required to
  ##	administrate an couchdb environment.
  ## </summary>
-@@ -10,6 +29,108 @@
+@@ -10,6 +48,108 @@
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -13742,7 +13789,7 @@ index 83d6744..6afc08d 100644
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -19,14 +140,19 @@
+@@ -19,14 +159,19 @@
  #
  interface(`couchdb_admin',`
  	gen_require(`
@@ -13763,7 +13810,7 @@ index 83d6744..6afc08d 100644
  	init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 couchdb_initrc_exec_t system_r;
-@@ -46,4 +172,13 @@ interface(`couchdb_admin',`
+@@ -46,4 +191,13 @@ interface(`couchdb_admin',`
  
  	files_search_pids($1)
  	admin_pattern($1, couchdb_var_run_t)
@@ -20235,7 +20282,7 @@ index 0000000..021c5ae
 +
 diff --git a/dirsrv.fc b/dirsrv.fc
 new file mode 100644
-index 0000000..0ea1ebb
+index 0000000..5d30dab
 --- /dev/null
 +++ b/dirsrv.fc
 @@ -0,0 +1,23 @@
@@ -20253,7 +20300,7 @@ index 0000000..0ea1ebb
 +/var/run/ldap-agent\.pid	gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
 +
 +# BZ:
-+/var/run/slapd.*    -s  gen_context(system_u:object_r:slapd_var_run_t,s0)
++/var/run/slapd.*    -s  gen_context(system_u:object_r:dirsrv_var_run_t,s0)
 +
 +/var/lib/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
 +
@@ -21577,7 +21624,7 @@ index dbcac59..66d42bb 100644
 +	admin_pattern($1, dovecot_passwd_t)
  ')
 diff --git a/dovecot.te b/dovecot.te
-index a7bfaf0..457c894 100644
+index a7bfaf0..fe94a6c 100644
 --- a/dovecot.te
 +++ b/dovecot.te
 @@ -1,4 +1,4 @@
@@ -21710,16 +21757,19 @@ index a7bfaf0..457c894 100644
  logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
  
  manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
-@@ -122,43 +126,33 @@ manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+@@ -120,45 +124,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+ manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+ manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
  manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
- files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
- 
+-files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
+-
 -can_exec(dovecot_t, dovecot_exec_t)
 -
 -allow dovecot_t dovecot_auth_t:process signal;
 -
 -domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
--
++files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file sock_file })
+ 
 -corenet_all_recvfrom_unlabeled(dovecot_t)
  corenet_all_recvfrom_netlabel(dovecot_t)
  corenet_tcp_sendrecv_generic_if(dovecot_t)
@@ -21876,10 +21926,10 @@ index a7bfaf0..457c894 100644
 +files_read_usr_symlinks(dovecot_auth_t)
 +files_read_var_lib_files(dovecot_auth_t)
 +files_search_tmp(dovecot_auth_t)
++
++fs_getattr_xattr_fs(dovecot_auth_t)
  
 -seutil_dontaudit_search_config(dovecot_auth_t)
-+fs_getattr_xattr_fs(dovecot_auth_t)
-+
 +init_rw_utmp(dovecot_auth_t)
  
  sysnet_use_ldap(dovecot_auth_t)
@@ -21898,9 +21948,18 @@ index a7bfaf0..457c894 100644
  	mysql_stream_connect(dovecot_auth_t)
  	mysql_read_config(dovecot_auth_t)
  	mysql_tcp_connect(dovecot_auth_t)
-@@ -272,14 +279,21 @@ optional_policy(`
+@@ -271,15 +278,30 @@ optional_policy(`
+ ')
  
  optional_policy(`
++	dbus_system_bus_client(dovecot_auth_t)
++	optional_policy(`
++		oddjob_dbus_chat(dovecot_auth_t)
++		oddjob_domtrans_mkhomedir(dovecot_auth_t)
++	')
++')
++
++optional_policy(`
  	postfix_manage_private_sockets(dovecot_auth_t)
 +	postfix_rw_inherited_master_pipes(dovecot_deliver_t)
  	postfix_search_spool(dovecot_auth_t)
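Review bot: The new `optional_policy` block for dovecot_auth_t has no comment explaining why an authentication helper needs `oddjob_domtrans_mkhomedir`, which is a domain transition and therefore worth justifying in the policy text. A line above the block such as `# allow the auth process to have oddjob create a missing home directory at login` would record the reason; that wording is my reading of the intent and should be confirmed. The nested `optional_policy` is fine as written, since the oddjob calls only make sense when the dbus client access is present.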
@@ -21921,7 +21980,7 @@ index a7bfaf0..457c894 100644
  allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
  
  append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
-@@ -289,35 +303,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
+@@ -289,35 +311,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
  files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
  
  allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
@@ -21981,7 +22040,7 @@ index a7bfaf0..457c894 100644
  	mta_read_queue(dovecot_deliver_t)
  ')
  
-@@ -326,5 +347,6 @@ optional_policy(`
+@@ -326,5 +355,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24944,10 +25003,10 @@ index 0000000..1ed97fe
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..ab1fd22
+index 0000000..6ceb963
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,146 @@
+@@ -0,0 +1,160 @@
 +policy_module(glusterfs, 1.0.1)
 +
 +## <desc>
@@ -25005,8 +25064,8 @@ index 0000000..ab1fd22
 +# Local policy
 +#
 +
-+allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner };
-+allow glusterd_t self:process { setrlimit signal };
++allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner setuid };
++allow glusterd_t self:process { getcap setcap setrlimit signal };
 +allow glusterd_t self:fifo_file rw_fifo_file_perms;
 +allow glusterd_t self:tcp_socket { accept listen };
 +allow glusterd_t self:unix_stream_socket { accept listen connectto };
@@ -25052,10 +25111,18 @@ index 0000000..ab1fd22
 +corenet_tcp_bind_generic_node(glusterd_t)
 +corenet_udp_bind_generic_node(glusterd_t)
 +
-+# Too coarse?
++corenet_tcp_connect_gluster_port(glusterd_t)
++corenet_tcp_bind_gluster_port(glusterd_t)
++
++# replacement for rpc.mountd
 +corenet_sendrecv_all_server_packets(glusterd_t)
 +corenet_tcp_bind_all_reserved_ports(glusterd_t)
 +corenet_udp_bind_all_rpc_ports(glusterd_t)
++corenet_tcp_bind_all_rpc_ports(glusterd_t)
++corenet_tcp_bind_nfs_port(glusterd_t)
++corenet_udp_bind_nfs_port(glusterd_t)
++corenet_udp_bind_mountd_port(glusterd_t)
++corenet_tcp_bind_mountd_port(glusterd_t)
 +corenet_udp_bind_ipp_port(glusterd_t)
 +
 +corenet_sendrecv_all_client_packets(glusterd_t)
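Review bot: The `# Too coarse?` question above `corenet_sendrecv_all_server_packets` and `corenet_tcp_bind_all_reserved_ports` is replaced by `# replacement for rpc.mountd`, yet both broad grants stay and the specific gluster, rpc, nfs and mountd port binds are added on top of them. If the specific interfaces now cover what glusterd binds, the `corenet_tcp_bind_all_reserved_ports(glusterd_t)` line can be dropped. If they do not, I would keep the open question next to the new comment, for example `# TODO: too coarse, narrow once the full port list is known`, so the least-privilege concern is not lost.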
@@ -25068,6 +25135,8 @@ index 0000000..ab1fd22
 +
 +fs_getattr_all_fs(glusterd_t)
 +
++storage_rw_fuse(glusterd_t)
++
 +auth_use_nsswitch(glusterd_t)
 +
 +fs_getattr_all_fs(glusterd_t)
@@ -25094,6 +25163,10 @@ index 0000000..ab1fd22
 +	files_manage_non_security_dirs(glusterd_t)
 +	files_manage_non_security_files(glusterd_t)
 +')
++
++optional_policy(`
++    rpc_domtrans_rpcd(glusterd_t)
++')
 diff --git a/glusterfs.fc b/glusterfs.fc
 deleted file mode 100644
 index 4bd6ade..0000000
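Review bot: `rpc_domtrans_rpcd(glusterd_t)` in the new `optional_policy` block is indented with four spaces, while the block just above it in glusterd.te indents `files_manage_non_security_dirs(glusterd_t)` with a tab. Using a tab keeps the file consistent. The block also gives no reason for letting glusterd transition into the rpcd domain; a short comment stating which helper glusterd launches would make the grant reviewable.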
@@ -27272,7 +27345,7 @@ index d03fd43..26023f7 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
  ')
 diff --git a/gnome.te b/gnome.te
-index 20f726b..8e905be 100644
+index 20f726b..c6ff2a1 100644
 --- a/gnome.te
 +++ b/gnome.te
 @@ -1,18 +1,36 @@
@@ -27316,7 +27389,7 @@ index 20f726b..8e905be 100644
  typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
  typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
  typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -29,107 +47,227 @@ type gconfd_exec_t;
+@@ -29,107 +47,226 @@ type gconfd_exec_t;
  typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
  typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
  userdom_user_application_domain(gconfd_t, gconfd_exec_t)
@@ -27370,41 +27443,41 @@ index 20f726b..8e905be 100644
 +manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
 +manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
 +userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
-+
+ 
+-domain_use_interactive_fds(gnomedomain)
 +manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
 +manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
 +userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
-+
+ 
+-files_read_etc_files(gnomedomain)
 +allow gconfd_t gconf_etc_t:dir list_dir_perms;
 +read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
 +
 +dev_read_urand(gconfd_t)
  
--domain_use_interactive_fds(gnomedomain)
- 
--files_read_etc_files(gnomedomain)
- 
 -miscfiles_read_localization(gnomedomain)
-+logging_send_syslog_msg(gconfd_t)
  
 -logging_send_syslog_msg(gnomedomain)
+ 
+-userdom_use_user_terminals(gnomedomain)
++logging_send_syslog_msg(gconfd_t)
++
 +userdom_manage_user_tmp_sockets(gconfd_t)
 +userdom_manage_user_tmp_dirs(gconfd_t)
 +userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
  
--userdom_use_user_terminals(gnomedomain)
-+optional_policy(`
-+	nscd_dontaudit_search_pid(gconfd_t)
-+')
- 
  optional_policy(`
 -	xserver_rw_xdm_pipes(gnomedomain)
 -	xserver_use_xdm_fds(gnomedomain)
-+	xserver_use_xdm_fds(gconfd_t)
-+	xserver_rw_xdm_pipes(gconfd_t)
++	nscd_dontaudit_search_pid(gconfd_t)
  ')
  
 -##############################
++optional_policy(`
++	xserver_use_xdm_fds(gconfd_t)
++	xserver_rw_xdm_pipes(gconfd_t)
++')
++
 +#######################################
  #
 -# Conf daemon local Policy
@@ -27425,10 +27498,10 @@ index 20f726b..8e905be 100644
 -manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
 -manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
 -userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
++auth_read_passwd(gconfdefaultsm_t)
  
 -userdom_manage_user_tmp_dirs(gconfd_t)
 -userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
-+
 +gnome_manage_gconf_home_files(gconfdefaultsm_t)
 +gnome_manage_gconf_config(gconfdefaultsm_t)
 +
@@ -27461,8 +27534,7 @@ index 20f726b..8e905be 100644
 +userdom_home_manager(gconfdefaultsm_t)
 +
 +#######################################
- #
--# Keyring-daemon local policy
++#
 +# gnome-system-monitor-mechanisms local policy
 +#
 +
@@ -27481,7 +27553,6 @@ index 20f726b..8e905be 100644
 +domain_signal_all_domains(gnomesystemmm_t)
 +domain_sigstop_all_domains(gnomesystemmm_t)
 +
-+
 +fs_getattr_xattr_fs(gnomesystemmm_t)
 +
 +auth_read_passwd(gnomesystemmm_t)
@@ -27515,7 +27586,8 @@ index 20f726b..8e905be 100644
 +')
 +
 +######################################
-+#
+ #
+-# Keyring-daemon local policy
 +# gnome-keyring-daemon local policy
  #
  
@@ -35903,15 +35975,16 @@ index e08c55d..9e634bd 100644
 +
 +')
 diff --git a/mandb.fc b/mandb.fc
-index 2de0f64..50f34fd 100644
+index 2de0f64..3c24286 100644
 --- a/mandb.fc
 +++ b/mandb.fc
-@@ -1 +1,9 @@
+@@ -1 +1,10 @@
  /etc/cron.daily/man-db\.cron	--	gen_context(system_u:object_r:mandb_exec_t,s0)
 +
 +/usr/bin/mandb		--	gen_context(system_u:object_r:mandb_exec_t,s0)
 +
 +/var/cache/man(/.*)?		gen_context(system_u:object_r:mandb_cache_t,s0)
++/opt/local/share/man(/.*)?        gen_context(system_u:object_r:mandb_cache_t,s0)
 +
 +/var/lock/man-db\.lock	--	gen_context(system_u:object_r:mandb_lock_t,s0)
 +
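Review bot: The added `/opt/local/share/man(/.*)?` entry labels a whole manual-page tree with `mandb_cache_t`, the type the line above uses for `/var/cache/man`, so whatever mandb may do to its cache would also apply to the page sources under that path. If only the index or cat files that mandb writes there need the cache type, a narrower regex would keep the pages themselves on their default label. What mandb actually creates under this path is not visible here, so this needs confirming. The entry is also aligned with spaces where the surrounding lines use tabs.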
@@ -37042,10 +37115,10 @@ index 0000000..8d0e473
 +/var/cache/mock(/.*)?		gen_context(system_u:object_r:mock_cache_t,s0)
 diff --git a/mock.if b/mock.if
 new file mode 100644
-index 0000000..1446e6a
+index 0000000..895f325
 --- /dev/null
 +++ b/mock.if
-@@ -0,0 +1,303 @@
+@@ -0,0 +1,305 @@
 +## <summary>policy for mock</summary>
 +
 +########################################
@@ -37261,6 +37334,8 @@ index 0000000..1446e6a
 +	mock_domtrans($1)
 +	role $2 types mock_t;
 +	role $2 types mock_build_t;
++
++	mount_run(mock_t, $2)
 +')
 +
 +########################################
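Review bot: The added `mount_run(mock_t, $2)` widens what this interface hands out: every role passed as `$2` is now also authorised for the mount domain, not only for `mock_t` and `mock_build_t`. The interface's doc block and `gen_require` lie outside this hunk, so it cannot be checked here whether the summary mentions this or whether `mock_t` is required. The summary should state it explicitly, e.g. `##	Execute mock in the mock domain, and allow the specified role the mock, mock_build and mount domains.`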
@@ -37351,10 +37426,10 @@ index 0000000..1446e6a
 +')
 diff --git a/mock.te b/mock.te
 new file mode 100644
-index 0000000..67b8b3d
+index 0000000..7245033
 --- /dev/null
 +++ b/mock.te
-@@ -0,0 +1,264 @@
+@@ -0,0 +1,273 @@
 +policy_module(mock,1.0.0)
 +
 +## <desc>
@@ -37390,6 +37465,9 @@ index 0000000..67b8b3d
 +type mock_var_lib_t;
 +files_type(mock_var_lib_t)
 +
++type mock_var_run_t;
++files_pid_file(mock_var_run_t)
++
 +type mock_etc_t;
 +files_config_file(mock_etc_t)
 +
@@ -37432,6 +37510,12 @@ index 0000000..67b8b3d
 +allow mock_t mock_var_lib_t:dir relabel_dir_perms;
 +allow mock_t mock_var_lib_t:file relabel_file_perms;
 +
++manage_files_pattern(mock_t, mock_var_run_t, mock_var_run_t)
++manage_dirs_pattern(mock_t, mock_var_run_t, mock_var_run_t)
++manage_sock_files_pattern(mock_t, mock_var_run_t, mock_var_run_t)
++manage_lnk_files_pattern(mock_t, mock_var_run_t, mock_var_run_t)
++files_pid_filetrans(mock_t, mock_var_run_t, { file dir sock_file })
++
 +kernel_read_irq_sysctls(mock_t)
 +kernel_read_system_state(mock_t)
 +kernel_read_network_state(mock_t)
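Review bot: `mock_var_run_t` gets manage rules and a `files_pid_filetrans` here, but no file-context entry for it is visible in this part of the patch (the mock.fc lines shown only cover `/var/cache/mock`), so a relabel would put mock's runtime files back on the generic pid type. If mock.fc is not updated elsewhere, add an entry such as `/var/run/<mock-runtime-path>(/.*)?	gen_context(system_u:object_r:mock_var_run_t,s0)`, where `<mock-runtime-path>` is a placeholder for the path mock actually uses. The transition list `{ file dir sock_file }` also omits `lnk_file` although `manage_lnk_files_pattern` is granted. That is fine if links are only created inside an already-labelled directory, but it is worth a one-line comment.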
@@ -37798,14 +37882,14 @@ index 7e534cf..3652584 100644
 +	')
 +')
 diff --git a/mongodb.te b/mongodb.te
-index 4de8949..d705316 100644
+index 4de8949..7bd7e35 100644
 --- a/mongodb.te
 +++ b/mongodb.te
 @@ -49,13 +49,11 @@ corenet_all_recvfrom_unlabeled(mongod_t)
  corenet_all_recvfrom_netlabel(mongod_t)
  corenet_tcp_sendrecv_generic_if(mongod_t)
  corenet_tcp_sendrecv_generic_node(mongod_t)
-+corenet_tcp_connect_mongodb_port(mongod_t)
++corenet_tcp_connect_mongod_port(mongod_t)
  corenet_tcp_bind_generic_node(mongod_t)
  
  dev_read_sysfs(mongod_t)
@@ -42066,7 +42150,7 @@ index b744fe3..4c1b6a8 100644
  	init_labeled_script_domtrans($1, munin_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/munin.te b/munin.te
-index 97370e4..27d3100 100644
+index 97370e4..92138ca 100644
 --- a/munin.te
 +++ b/munin.te
 @@ -40,12 +40,15 @@ munin_plugin_template(services)
@@ -42166,7 +42250,13 @@ index 97370e4..27d3100 100644
  ')
  
  optional_policy(`
-@@ -246,17 +232,17 @@ corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t)
+@@ -242,21 +228,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+ 
+ rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+ 
++kernel_read_fs_sysctls(disk_munin_plugin_t)
++
+ corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t)
  corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
  corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t)
  
@@ -42178,7 +42268,7 @@ index 97370e4..27d3100 100644
  dev_read_urand(disk_munin_plugin_t)
 -
 -files_read_etc_runtime_files(disk_munin_plugin_t)
-+dev_read_all_blk_files(munin_disk_plugin_t)
++dev_read_all_blk_files(disk_munin_plugin_t)
  
  fs_getattr_all_fs(disk_munin_plugin_t)
  fs_getattr_all_dirs(disk_munin_plugin_t)
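Review bot: With the type name corrected, `dev_read_all_blk_files(disk_munin_plugin_t)` now refers to the disk plugin domain used throughout this block, and by its name it covers read access to every block device node rather than only the disks the plugin reports on. The rule has no comment saying which plugin needs raw device reads. Add one, e.g. `# disk plugins open the block devices directly to query them`, or narrow the grant if attribute access is enough. The rationale in that sample comment is an assumption and should be checked against the denials that motivated the rule.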
@@ -42188,7 +42278,18 @@ index 97370e4..27d3100 100644
  
  sysnet_read_config(disk_munin_plugin_t)
  
-@@ -275,27 +261,36 @@ optional_policy(`
+@@ -268,6 +256,10 @@ optional_policy(`
+ 	fstools_exec(disk_munin_plugin_t)
+ ')
+ 
++optional_policy(`
++    rpc_search_nfs_state_data(disk_munin_plugin_t)
++')
++
+ ####################################
+ #
+ # Mail local policy
+@@ -275,27 +267,36 @@ optional_policy(`
  
  allow mail_munin_plugin_t self:capability dac_override;
  
@@ -42229,7 +42330,16 @@ index 97370e4..27d3100 100644
  ')
  
  optional_policy(`
-@@ -353,7 +348,11 @@ optional_policy(`
+@@ -331,7 +332,7 @@ dev_read_rand(services_munin_plugin_t)
+ sysnet_read_config(services_munin_plugin_t)
+ 
+ optional_policy(`
+-	bind_read_config(munin_services_plugin_t)
++	bind_read_config(services_munin_plugin_t)
+ ')
+ 
+ optional_policy(`
+@@ -353,7 +354,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42242,7 +42352,7 @@ index 97370e4..27d3100 100644
  ')
  
  optional_policy(`
-@@ -385,6 +384,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+@@ -385,6 +390,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
  
  kernel_read_network_state(system_munin_plugin_t)
  kernel_read_all_sysctls(system_munin_plugin_t)
@@ -42250,7 +42360,7 @@ index 97370e4..27d3100 100644
  
  dev_read_sysfs(system_munin_plugin_t)
  dev_read_urand(system_munin_plugin_t)
-@@ -413,3 +413,31 @@ optional_policy(`
+@@ -413,3 +419,31 @@ optional_policy(`
  optional_policy(`
  	unconfined_domain(unconfined_munin_plugin_t)
  ')
@@ -48521,7 +48631,7 @@ index 57c0161..54bd4d7 100644
 +    ps_process_pattern($1, swift_t)
  ')
 diff --git a/nut.te b/nut.te
-index 0c9deb7..ebfaeb8 100644
+index 0c9deb7..76988d6 100644
 --- a/nut.te
 +++ b/nut.te
 @@ -1,4 +1,4 @@
@@ -48530,7 +48640,7 @@ index 0c9deb7..ebfaeb8 100644
  
  ########################################
  #
-@@ -22,100 +22,94 @@ type nut_upsdrvctl_t, nut_domain;
+@@ -22,116 +22,126 @@ type nut_upsdrvctl_t, nut_domain;
  type nut_upsdrvctl_exec_t;
  init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
  
@@ -48674,11 +48784,13 @@ index 0c9deb7..ebfaeb8 100644
 +
  auth_use_nsswitch(nut_upsmon_t)
  
-+
  mta_send_mail(nut_upsmon_t)
  
++systemd_start_power_services(nut_upsmon_t)
++
  optional_policy(`
-@@ -124,14 +118,29 @@ optional_policy(`
+ 	shutdown_domtrans(nut_upsmon_t)
+ ')
  
  ########################################
  #
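Review bot: `systemd_start_power_services(nut_upsmon_t)` is added unconditionally and without a comment, next to an existing `shutdown_domtrans(nut_upsmon_t)` that sits in an `optional_policy` block; the same interface is granted to `ricci_t` in the ricci.te hunk of this patch. Judging by its name, the interface lets the domain start the system's power-related units, which is a sensitive permission, so each grant should carry its reason, e.g. `# upsmon shuts the host down through systemd when the UPS battery is low`. That wording is inferred from the domain's purpose. The ricci.te grant deserves the same explicit note.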
@@ -48710,7 +48822,7 @@ index 0c9deb7..ebfaeb8 100644
  corecmd_exec_bin(nut_upsdrvctl_t)
  
  dev_read_sysfs(nut_upsdrvctl_t)
-@@ -139,22 +148,34 @@ dev_read_urand(nut_upsdrvctl_t)
+@@ -139,22 +149,34 @@ dev_read_urand(nut_upsdrvctl_t)
  dev_rw_generic_usb_dev(nut_upsdrvctl_t)
  
  term_use_unallocated_ttys(nut_upsdrvctl_t)
@@ -53830,10 +53942,10 @@ index 0000000..f788d35
 +logging_send_syslog_msg(pkcsslotd_t)
 diff --git a/pki.fc b/pki.fc
 new file mode 100644
-index 0000000..0c167b7
+index 0000000..726d992
 --- /dev/null
 +++ b/pki.fc
-@@ -0,0 +1,55 @@
+@@ -0,0 +1,56 @@
 +/etc/pki/pki-tomcat(/.*)?		gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
 +/var/lib/pki/pki-tomcat(/.*)?       	gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
 +/var/run/pki/tomcat(/.*)?		gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
@@ -53869,6 +53981,7 @@ index 0000000..0c167b7
 +/var/run/pki-ca.pid                     gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
 +/var/log/pki-ca(/.*)?                   gen_context(system_u:object_r:pki_tomcat_log_t,s0)
 +/var/lib/pki-ca/alias(/.*)?             gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
++/var/lib/ipa/pki-ca/publish(/.*)?       gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
 +/etc/pki-kra(/.*)?                      gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
 +/var/lib/pki-kra(/.*)?                  gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
 +/var/run/pki-kra.pid                    gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
@@ -53891,10 +54004,10 @@ index 0000000..0c167b7
 +/usr/lib/systemd/system/pki-tomcat.*	gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
 diff --git a/pki.if b/pki.if
 new file mode 100644
-index 0000000..898a5e8
+index 0000000..b975b85
 --- /dev/null
 +++ b/pki.if
-@@ -0,0 +1,292 @@
+@@ -0,0 +1,294 @@
 +
 +## <summary>policy for pki</summary>
 +
@@ -53916,6 +54029,7 @@ index 0000000..898a5e8
 +
 +		allow $1 pki_tomcat_etc_rw_t:dir search_dir_perms;
 +        rw_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
++        create_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
 +')
 +
 +########################################
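Review bot: The added `create_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)` lets every caller of this interface create symbolic links inside the certificate directories, which is a different level of trust from the `rw_files_pattern` on the line above, because a link placed there determines which file a reader of `pki_tomcat_cert_t` ends up opening. The interface name and summary are outside the hunk. The summary should mention link creation, and a comment should say which caller needs it. Create alone also gives callers no way to read or remove the links they make, so confirm that asymmetry is intended.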
@@ -53934,6 +54048,7 @@ index 0000000..898a5e8
 +        ')
 +
 +        read_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
++        read_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
 +')
 +
 +########################################
@@ -54189,10 +54304,10 @@ index 0000000..898a5e8
 +')
 diff --git a/pki.te b/pki.te
 new file mode 100644
-index 0000000..10eaddc
+index 0000000..17f5d18
 --- /dev/null
 +++ b/pki.te
-@@ -0,0 +1,283 @@
+@@ -0,0 +1,284 @@
 +policy_module(pki,10.0.11)
 +
 +########################################
@@ -54281,6 +54396,7 @@ index 0000000..10eaddc
 +
 +manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
 +manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
++manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
 +
 +manage_dirs_pattern(pki_tomcat_t,  pki_tomcat_lock_t,  pki_tomcat_lock_t)
 +manage_files_pattern(pki_tomcat_t,  pki_tomcat_lock_t,  pki_tomcat_lock_t)
@@ -54950,10 +55066,10 @@ index a14b3bc..b196183 100644
  
  userdom_signal_unpriv_users(podsleuth_t)
 diff --git a/policykit.fc b/policykit.fc
-index 1d76c72..eeb33d9 100644
+index 1d76c72..93d09d9 100644
 --- a/policykit.fc
 +++ b/policykit.fc
-@@ -1,23 +1,21 @@
+@@ -1,23 +1,22 @@
 -/usr/lib/polkit-1/polkitd	--	gen_context(system_u:object_r:policykit_exec_t,s0)
 -/usr/lib/polkit-1/polkit-agent-helper-1	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 -
@@ -54980,6 +55096,7 @@ index 1d76c72..eeb33d9 100644
 +/usr/libexec/polkitd.*			--	gen_context(system_u:object_r:policykit_exec_t,s0)
 +/usr/libexec/polkit-1/polkit-agent-helper-1 --	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 +/usr/lib/polkit-1/polkit-agent-helper-1  --	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
++/usr/libexec/kde4/polkit-kde-authentication-agent-1 --  gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 +/usr/libexec/polkit-1/polkitd.*		--	gen_context(system_u:object_r:policykit_exec_t,s0)
  
 -/var/lib/misc/PolicyKit.reload	gen_context(system_u:object_r:policykit_reload_t,s0)
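Review bot: The new entry gives `/usr/libexec/kde4/polkit-kde-authentication-agent-1` the type `policykit_auth_exec_t`, the same entry-point label used here for `polkit-agent-helper-1`, so the desktop agent would run in the helper's domain wherever a transition on that type exists. A graphical session agent and the authentication helper normally need quite different permissions, so this either over-privileges the agent or requires the auth domain to grow GUI access. Which of the two applies cannot be seen from this hunk. A `#` comment above the line stating why the agent shares the helper's label would make the intent reviewable.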
@@ -57177,7 +57294,7 @@ index 2e23946..589bbf2 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
  ')
 diff --git a/postfix.te b/postfix.te
-index 191a66f..93a04c2 100644
+index 191a66f..5acf87c 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -1,4 +1,4 @@
@@ -57554,7 +57671,7 @@ index 191a66f..93a04c2 100644
  
  manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
  manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
-@@ -355,35 +252,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+@@ -355,37 +252,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
  
  ########################################
  #
@@ -57594,12 +57711,14 @@ index 191a66f..93a04c2 100644
 -corenet_sendrecv_kismet_client_packets(postfix_cleanup_t)
 -corenet_tcp_connect_kismet_port(postfix_cleanup_t)
 -corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t)
+-
+-mta_read_aliases(postfix_cleanup_t)
 +# allow postfix to connect to sqlgrey
 +corenet_tcp_connect_rtsclient_port(postfix_cleanup_t)
  
- mta_read_aliases(postfix_cleanup_t)
- 
-@@ -393,36 +289,53 @@ optional_policy(`
+ optional_policy(`
+ 	mailman_read_data_files(postfix_cleanup_t)
+@@ -393,36 +287,50 @@ optional_policy(`
  
  ########################################
  #
@@ -57629,11 +57748,9 @@ index 191a66f..93a04c2 100644
  
  logging_dontaudit_search_logs(postfix_local_t)
  
--mta_delete_spool(postfix_local_t)
- mta_read_aliases(postfix_local_t)
-+mta_delete_spool(postfix_local_t)
-+# For reading spamassasin
- mta_read_config(postfix_local_t)
+ mta_delete_spool(postfix_local_t)
+-mta_read_aliases(postfix_local_t)
+-mta_read_config(postfix_local_t)
 +# Handle vacation script
  mta_send_mail(postfix_local_t)
  
@@ -57661,7 +57778,7 @@ index 191a66f..93a04c2 100644
  ')
  
  optional_policy(`
-@@ -434,6 +347,7 @@ optional_policy(`
+@@ -434,6 +342,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57669,7 +57786,7 @@ index 191a66f..93a04c2 100644
  	mailman_manage_data_files(postfix_local_t)
  	mailman_append_log(postfix_local_t)
  	mailman_read_log(postfix_local_t)
-@@ -444,6 +358,10 @@ optional_policy(`
+@@ -444,6 +353,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57680,7 +57797,7 @@ index 191a66f..93a04c2 100644
  	procmail_domtrans(postfix_local_t)
  ')
  
-@@ -458,15 +376,17 @@ optional_policy(`
+@@ -458,15 +371,17 @@ optional_policy(`
  
  ########################################
  #
@@ -57704,7 +57821,7 @@ index 191a66f..93a04c2 100644
  
  manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
  manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-@@ -476,14 +396,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -476,14 +391,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
  kernel_dontaudit_list_proc(postfix_map_t)
  kernel_dontaudit_read_system_state(postfix_map_t)
  
@@ -57724,7 +57841,7 @@ index 191a66f..93a04c2 100644
  
  corecmd_list_bin(postfix_map_t)
  corecmd_read_bin_symlinks(postfix_map_t)
-@@ -492,7 +413,6 @@ corecmd_read_bin_pipes(postfix_map_t)
+@@ -492,7 +408,6 @@ corecmd_read_bin_pipes(postfix_map_t)
  corecmd_read_bin_sockets(postfix_map_t)
  
  files_list_home(postfix_map_t)
@@ -57732,7 +57849,7 @@ index 191a66f..93a04c2 100644
  files_read_etc_runtime_files(postfix_map_t)
  files_dontaudit_search_var(postfix_map_t)
  
-@@ -500,21 +420,22 @@ auth_use_nsswitch(postfix_map_t)
+@@ -500,21 +415,22 @@ auth_use_nsswitch(postfix_map_t)
  
  logging_send_syslog_msg(postfix_map_t)
  
@@ -57758,7 +57875,7 @@ index 191a66f..93a04c2 100644
  stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
  
  rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-@@ -524,16 +445,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+@@ -524,16 +440,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
  read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
  delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
  
@@ -57778,7 +57895,7 @@ index 191a66f..93a04c2 100644
  #
  
  allow postfix_pipe_t self:process setrlimit;
-@@ -576,19 +496,26 @@ optional_policy(`
+@@ -576,19 +491,26 @@ optional_policy(`
  
  ########################################
  #
@@ -57810,7 +57927,7 @@ index 191a66f..93a04c2 100644
  
  term_dontaudit_use_all_ptys(postfix_postdrop_t)
  term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -603,10 +530,7 @@ optional_policy(`
+@@ -603,10 +525,7 @@ optional_policy(`
  	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
  ')
  
@@ -57822,7 +57939,7 @@ index 191a66f..93a04c2 100644
  optional_policy(`
  	fstools_read_pipes(postfix_postdrop_t)
  ')
-@@ -621,17 +545,24 @@ optional_policy(`
+@@ -621,17 +540,24 @@ optional_policy(`
  
  #######################################
  #
@@ -57850,7 +57967,7 @@ index 191a66f..93a04c2 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -647,67 +578,77 @@ optional_policy(`
+@@ -647,67 +573,77 @@ optional_policy(`
  
  ########################################
  #
@@ -57946,7 +58063,7 @@ index 191a66f..93a04c2 100644
  ')
  
  optional_policy(`
-@@ -720,24 +661,27 @@ optional_policy(`
+@@ -720,29 +656,30 @@ optional_policy(`
  
  ########################################
  #
@@ -57980,7 +58097,12 @@ index 191a66f..93a04c2 100644
  fs_getattr_all_dirs(postfix_smtpd_t)
  fs_getattr_all_fs(postfix_smtpd_t)
  
-@@ -754,6 +698,7 @@ optional_policy(`
+-mta_read_aliases(postfix_smtpd_t)
+-
+ optional_policy(`
+ 	dovecot_stream_connect_auth(postfix_smtpd_t)
+ 	dovecot_stream_connect(postfix_smtpd_t)
+@@ -754,6 +691,7 @@ optional_policy(`
  
  optional_policy(`
  	milter_stream_connect_all(postfix_smtpd_t)
@@ -57988,7 +58110,7 @@ index 191a66f..93a04c2 100644
  ')
  
  optional_policy(`
-@@ -764,31 +709,99 @@ optional_policy(`
+@@ -764,31 +702,99 @@ optional_policy(`
  	sasl_connect(postfix_smtpd_t)
  ')
  
@@ -58015,11 +58137,9 @@ index 191a66f..93a04c2 100644
 +corecmd_exec_shell(postfix_virtual_t)
  corecmd_exec_bin(postfix_virtual_t)
  
-+
- mta_read_aliases(postfix_virtual_t)
+-mta_read_aliases(postfix_virtual_t)
  mta_delete_spool(postfix_virtual_t)
-+# For reading spamassasin
- mta_read_config(postfix_virtual_t)
+-mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
  
  userdom_manage_user_home_dirs(postfix_virtual_t)
@@ -58084,6 +58204,10 @@ index 191a66f..93a04c2 100644
 +init_sigchld(postfix_domain)
 +init_dontaudit_rw_stream_socket(postfix_domain)
 +
++# For reading spamassasin
++mta_read_config(postfix_domain)
++mta_read_aliases(postfix_domain)
++
 +miscfiles_read_generic_certs(postfix_domain)
 +
 +userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
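Review bot: Moving `mta_read_config` and `mta_read_aliases` onto `postfix_domain` grants them to every postfix domain, whereas the per-domain lines removed elsewhere in this patch covered only `postfix_cleanup_t`, `postfix_local_t`, `postfix_smtpd_t` and `postfix_virtual_t`. If that widening is intended, say so in the comment, which currently reads `# For reading spamassasin` (misspelled, and it explains only the first rule), e.g. `# All postfix domains read the MTA config (spamassassin) and aliases`. Otherwise keep the two rules on the domains that need them.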
@@ -65212,7 +65336,7 @@ index c5ad6de..c67dbef 100644
  
  /var/run/rabbitmq(/.*)?	gen_context(system_u:object_r:rabbitmq_var_run_t,s0)
 diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..7b56492 100644
+index 3698b51..b0e67e8 100644
 --- a/rabbitmq.te
 +++ b/rabbitmq.te
 @@ -45,6 +45,8 @@ setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
@@ -65233,7 +65357,7 @@ index 3698b51..7b56492 100644
  corenet_all_recvfrom_unlabeled(rabbitmq_beam_t)
  corenet_all_recvfrom_netlabel(rabbitmq_beam_t)
  corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t)
-@@ -68,20 +72,28 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
+@@ -68,20 +72,35 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
  corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
  
@@ -65241,12 +65365,18 @@ index 3698b51..7b56492 100644
 +corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t)
 +corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)
 +
++domain_read_all_domains_state(rabbitmq_beam_t)
++
 +auth_read_passwd(rabbitmq_beam_t)
  
 -files_read_etc_files(rabbitmq_beam_t)
-+fs_getattr_all_fs(rabbitmq_beam_t)
++files_getattr_all_mountpoints(rabbitmq_beam_t)
  
 -miscfiles_read_localization(rabbitmq_beam_t)
++fs_getattr_all_fs(rabbitmq_beam_t)
++fs_getattr_all_dirs(rabbitmq_beam_t)
++fs_getattr_cgroup(rabbitmq_beam_t)
++
 +dev_read_sysfs(rabbitmq_beam_t)
 +dev_read_urand(rabbitmq_beam_t)
  
@@ -65254,7 +65384,8 @@ index 3698b51..7b56492 100644
  
 +optional_policy(`
 +    couchdb_read_conf_files(rabbitmq_beam_t)
-+    couchdb_read_lib_files(rabbitmq_beam_t)
++    couchdb_read_log_files(rabbitmq_beam_t)
++    couchdb_manage_lib_files(rabbitmq_beam_t)
 +')
 +
  ########################################
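Review bot: `couchdb_read_lib_files` is replaced by `couchdb_manage_lib_files`, which by the usual interface naming moves `rabbitmq_beam_t` from read-only to create, write and delete on CouchDB's library files, and `couchdb_read_log_files` is added alongside. Nothing in the hunk explains why the broker needs to modify another service's data. Add a comment naming the use case, or fall back to the read interface if the denials were only for reads. The same applies to the `domain_read_all_domains_state(rabbitmq_beam_t)` line added in the previous hunk, which by its name opens the process state of every domain to the beam process.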
@@ -65266,7 +65397,7 @@ index 3698b51..7b56492 100644
  allow rabbitmq_epmd_t self:process signal;
  allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
  allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -99,8 +111,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -99,8 +118,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
  corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
  
@@ -67536,7 +67667,7 @@ index 47de2d6..347ddf7 100644
 +/var/log/cluster/corosync\.log.*    --  gen_context(system_u:object_r:cluster_var_log_t,s0)
 +/var/log/cluster/rgmanager\.log.*       --  gen_context(system_u:object_r:cluster_var_log_t,s0)
 diff --git a/rhcs.if b/rhcs.if
-index 56bc01f..895e16e 100644
+index 56bc01f..4699b1b 100644
 --- a/rhcs.if
 +++ b/rhcs.if
 @@ -1,19 +1,19 @@
@@ -67561,7 +67692,7 @@ index 56bc01f..895e16e 100644
  	gen_require(`
 -		attribute cluster_domain, cluster_pid, cluster_tmpfs;
 -		attribute cluster_log;
-+		attribute cluster_domain, cluster_tmpfs, cluster_pid;
++		attribute cluster_domain, cluster_tmpfs, cluster_pid, cluster_log;
  	')
  
  	##############################
@@ -68242,7 +68373,7 @@ index 56bc01f..895e16e 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
  ')
 diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..1eaca34 100644
+index 2c2de9a..1e8d8dc 100644
 --- a/rhcs.te
 +++ b/rhcs.te
 @@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@@ -68302,7 +68433,7 @@ index 2c2de9a..1eaca34 100644
 +typealias cluster_var_run_t alias { aisexec_var_run_t corosync_var_run_t pacemaker_var_run_t rgmanager_var_run_t };
 +
 +type cluster_initrc_exec_t;
-+typealias cluster_initrc_exec_t alias { aisexec_initrc_exec_t corosync_initrc_exec_t pacemaker rgmanager_initrc_exec_t };
++typealias cluster_initrc_exec_t alias { aisexec_initrc_exec_t corosync_initrc_exec_t pacemaker_initrc_exec_t rgmanager_initrc_exec_t };
 +init_script_file(cluster_initrc_exec_t)
 +
 +type cluster_tmp_t;
@@ -68631,6 +68762,15 @@ index 2c2de9a..1eaca34 100644
  
  tunable_policy(`fenced_can_network_connect',`
  	corenet_sendrecv_all_client_packets(fenced_t)
+@@ -182,7 +461,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	corosync_exec(fenced_t)
++    rhcs_exec_cluster(fenced_t)
+ ')
+ 
+ optional_policy(`
 @@ -190,10 +469,6 @@ optional_policy(`
  ')
  
@@ -69735,7 +69875,7 @@ index 2ab3ed1..23d579c 100644
  	role_transition $2 ricci_initrc_exec_t system_r;
  	allow $2 system_r;
 diff --git a/ricci.te b/ricci.te
-index 9702ed2..eeb9e48 100644
+index 9702ed2..a265af9 100644
 --- a/ricci.te
 +++ b/ricci.te
 @@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t)
@@ -69754,16 +69894,16 @@ index 9702ed2..eeb9e48 100644
  files_read_etc_runtime_files(ricci_t)
  files_create_boot_flag(ricci_t)
  
-@@ -149,8 +147,6 @@ locallogin_dontaudit_use_fds(ricci_t)
+@@ -149,7 +147,7 @@ locallogin_dontaudit_use_fds(ricci_t)
  
  logging_send_syslog_msg(ricci_t)
  
 -miscfiles_read_localization(ricci_t)
--
++systemd_start_power_services(ricci_t)
+ 
  sysnet_dns_name_resolve(ricci_t)
  
- optional_policy(`
-@@ -235,13 +231,8 @@ init_domtrans_script(ricci_modcluster_t)
+@@ -235,13 +233,8 @@ init_domtrans_script(ricci_modcluster_t)
  
  logging_send_syslog_msg(ricci_modcluster_t)
  
@@ -69778,7 +69918,7 @@ index 9702ed2..eeb9e48 100644
  ')
  
  optional_policy(`
-@@ -271,7 +262,7 @@ optional_policy(`
+@@ -271,7 +264,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69787,7 +69927,7 @@ index 9702ed2..eeb9e48 100644
  ')
  
  ########################################
-@@ -336,23 +327,16 @@ locallogin_dontaudit_use_fds(ricci_modclusterd_t)
+@@ -336,23 +329,16 @@ locallogin_dontaudit_use_fds(ricci_modclusterd_t)
  
  logging_send_syslog_msg(ricci_modclusterd_t)
  
@@ -69812,7 +69952,7 @@ index 9702ed2..eeb9e48 100644
  ')
  
  optional_policy(`
-@@ -374,12 +358,10 @@ corecmd_exec_bin(ricci_modlog_t)
+@@ -374,12 +360,10 @@ corecmd_exec_bin(ricci_modlog_t)
  
  domain_read_all_domains_state(ricci_modlog_t)
  
@@ -69825,7 +69965,7 @@ index 9702ed2..eeb9e48 100644
  
  optional_policy(`
  	nscd_dontaudit_search_pid(ricci_modlog_t)
-@@ -401,9 +383,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t)
+@@ -401,9 +385,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t)
  corecmd_exec_bin(ricci_modrpm_t)
  
  files_search_usr(ricci_modrpm_t)
@@ -69836,7 +69976,7 @@ index 9702ed2..eeb9e48 100644
  
  optional_policy(`
  	oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
-@@ -428,14 +409,13 @@ kernel_read_system_state(ricci_modservice_t)
+@@ -428,14 +411,13 @@ kernel_read_system_state(ricci_modservice_t)
  corecmd_exec_bin(ricci_modservice_t)
  corecmd_exec_shell(ricci_modservice_t)
  
@@ -69852,7 +69992,7 @@ index 9702ed2..eeb9e48 100644
  
  optional_policy(`
  	ccs_read_config(ricci_modservice_t)
-@@ -460,7 +440,6 @@ optional_policy(`
+@@ -460,7 +442,6 @@ optional_policy(`
  
  allow ricci_modstorage_t self:capability { mknod sys_nice };
  allow ricci_modstorage_t self:process { setsched signal };
@@ -69860,7 +70000,7 @@ index 9702ed2..eeb9e48 100644
  allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
  
  kernel_read_kernel_sysctls(ricci_modstorage_t)
-@@ -480,21 +459,21 @@ domain_read_all_domains_state(ricci_modstorage_t)
+@@ -480,21 +461,21 @@ domain_read_all_domains_state(ricci_modstorage_t)
  
  files_manage_etc_files(ricci_modstorage_t)
  files_read_etc_runtime_files(ricci_modstorage_t)
@@ -70184,7 +70324,7 @@ index a6fb30c..b0c22f7 100644
 +/var/run/rpc\.statd\.pid --	gen_context(system_u:object_r:rpcd_var_run_t,s0)
 +
 diff --git a/rpc.if b/rpc.if
-index 3bd6446..a61764b 100644
+index 3bd6446..8bde316 100644
 --- a/rpc.if
 +++ b/rpc.if
 @@ -1,4 +1,4 @@
@@ -70375,161 +70515,179 @@ index 3bd6446..a61764b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -159,7 +231,30 @@ interface(`rpc_initrc_domtrans_nfsd',`
+@@ -159,7 +231,7 @@ interface(`rpc_initrc_domtrans_nfsd',`
  
  ########################################
  ## <summary>
 -##	Execute rpcd in the rpcd domain.
 +##	Execute nfsd server in the nfsd domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed to transition.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -167,120 +239,108 @@ interface(`rpc_initrc_domtrans_nfsd',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`rpc_domtrans_rpcd',`
 +interface(`rpc_systemctl_nfsd',`
-+	gen_require(`
+ 	gen_require(`
+-		type rpcd_t, rpcd_exec_t;
 +		type nfsd_unit_file_t;
 +		type nfsd_t;
-+	')
-+
+ 	')
+ 
+-	corecmd_search_bin($1)
+-	domtrans_pattern($1, rpcd_exec_t, rpcd_t)
+-')
 +	systemd_exec_systemctl($1)
 +	allow $1 nfsd_unit_file_t:file read_file_perms;
 +	allow $1 nfsd_unit_file_t:service manage_service_perms;
-+
+ 
+-#######################################
+-## <summary>
+-##	Execute rpcd init scripts in
+-##	the initrc domain.
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed to transition.
+-##	</summary>
+-## </param>
+-#
+-interface(`rpc_initrc_domtrans_rpcd',`
+-	gen_require(`
+-		type rpcd_initrc_exec_t;
+-	')
+-
+-	init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
 +	ps_process_pattern($1, nfsd_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read nfs exported content.
 +##	Execute domain in rpcd domain.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -172,14 +267,39 @@ interface(`rpc_domtrans_rpcd',`
- 		type rpcd_t, rpcd_exec_t;
+-##	Domain allowed access.
++##	Domain allowed to transition.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`rpc_read_nfs_content',`
++interface(`rpc_domtrans_rpcd',`
+ 	gen_require(`
+-		type nfsd_ro_t, nfsd_rw_t;
++		type rpcd_t, rpcd_exec_t;
  	')
  
--	corecmd_search_bin($1)
- 	domtrans_pattern($1, rpcd_exec_t, rpcd_t)
+-	allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
+-	allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
+-	allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms;
++	domtrans_pattern($1, rpcd_exec_t, rpcd_t)
 +	allow rpcd_t $1:process signal;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	nfs exported read write content.
 +##	Execute rpcd in the rcpd domain, and
 +##	allow the specified role the rpcd domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain allowed to transition.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
 +## <param name="role">
 +##      <summary>
 +##      Role allowed access.
 +##      </summary>
 +## </param>
-+## <rolecap/>
-+#
+ ## <rolecap/>
+ #
+-interface(`rpc_manage_nfs_rw_content',`
 +interface(`rpc_run_rpcd',`
-+	gen_require(`
+ 	gen_require(`
+-		type nfsd_rw_t;
 +		type rpcd_t;
-+	')
-+
+ 	')
+ 
+-	manage_dirs_pattern($1, nfsd_rw_t, nfsd_rw_t)
+-	manage_files_pattern($1, nfsd_rw_t, nfsd_rw_t)
+-	manage_lnk_files_pattern($1, nfsd_rw_t, nfsd_rw_t)
 +	rpc_domtrans_rpcd($1)
 +	role $2 types rpcd_t;
  ')
  
- #######################################
+-########################################
++#######################################
  ## <summary>
--##	Execute rpcd init scripts in
--##	the initrc domain.
+-##	Create, read, write, and delete
+-##	nfs exported read only content.
 +##	Execute domain in rpcd domain.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -197,7 +317,30 @@ interface(`rpc_initrc_domtrans_rpcd',`
+-##	Domain allowed access.
++##	Domain allowed to transition.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`rpc_manage_nfs_ro_content',`
++interface(`rpc_initrc_domtrans_rpcd',`
+ 	gen_require(`
+-		type nfsd_ro_t;
++		type rpcd_initrc_exec_t;
+ 	')
+ 
+-	manage_dirs_pattern($1, nfsd_ro_t, nfsd_ro_t)
+-	manage_files_pattern($1, nfsd_ro_t, nfsd_ro_t)
+-	manage_lnk_files_pattern($1, nfsd_ro_t, nfsd_ro_t)
++	init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
+ ')
  
  ########################################
  ## <summary>
--##	Read nfs exported content.
+-##	Read and write to nfsd tcp sockets.
 +##	Execute rpcd server in the rpcd domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain allowed to transition.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`rpc_tcp_rw_nfs_sockets',`
 +interface(`rpc_systemctl_rpcd',`
-+	gen_require(`
+ 	gen_require(`
+-		type nfsd_t;
 +		type rpcd_unit_file_t;
 +		type rpcd_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 nfsd_t:tcp_socket rw_socket_perms;
 +	systemd_exec_systemctl($1)
 +	allow $1 rpcd_unit_file_t:file read_file_perms;
 +	allow $1 rpcd_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, rpcd_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Read NFS exported content.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -218,8 +361,7 @@ interface(`rpc_read_nfs_content',`
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete
--##	nfs exported read write content.
-+##	Allow domain to create read and write NFS directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -240,8 +382,7 @@ interface(`rpc_manage_nfs_rw_content',`
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete
--##	nfs exported read only content.
-+##	Allow domain to create read and write NFS directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -262,25 +403,7 @@ interface(`rpc_manage_nfs_ro_content',`
+ ')
  
  ########################################
  ## <summary>
--##	Read and write to nfsd tcp sockets.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
--interface(`rpc_tcp_rw_nfs_sockets',`
--	gen_require(`
--		type nfsd_t;
--	')
--
--	allow $1 nfsd_t:tcp_socket rw_socket_perms;
--')
--
--########################################
--## <summary>
 -##	Read and write to nfsd udp sockets.
 +##	Allow domain to read and write to an NFS UDP socket.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -312,7 +435,7 @@ interface(`rpc_udp_send_nfs',`
+@@ -312,7 +372,7 @@ interface(`rpc_udp_send_nfs',`
  
  ########################################
  ## <summary>
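Review bot: The regenerated rpc.if section now deletes `rpc_read_nfs_content`, `rpc_manage_nfs_rw_content` and `rpc_manage_nfs_ro_content` in addition to `rpc_tcp_rw_nfs_sockets`, where the previous version of the patch kept the first three and only reworded their summaries. Any module that still calls those interfaces will fail to build unless they are re-added in a part of the patch not shown here, so the callers need checking in the same change. Separately, the summary of `rpc_run_rpcd` reads `Execute rpcd in the rcpd domain` and `rpc_initrc_domtrans_rpcd` is described as `Execute domain in rpcd domain.`. The first should say `rpcd`, and the second should keep the removed wording about executing rpcd init scripts in the initrc domain.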
@@ -70538,7 +70696,7 @@ index 3bd6446..a61764b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -326,12 +449,12 @@ interface(`rpc_search_nfs_state_data',`
+@@ -326,12 +386,12 @@ interface(`rpc_search_nfs_state_data',`
  	')
  
  	files_search_var_lib($1)
@@ -70553,7 +70711,7 @@ index 3bd6446..a61764b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -339,19 +462,18 @@ interface(`rpc_search_nfs_state_data',`
+@@ -339,19 +399,18 @@ interface(`rpc_search_nfs_state_data',`
  ##	</summary>
  ## </param>
  #
@@ -70576,7 +70734,7 @@ index 3bd6446..a61764b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -359,62 +481,31 @@ interface(`rpc_read_nfs_state_data',`
+@@ -359,62 +418,31 @@ interface(`rpc_read_nfs_state_data',`
  ##	</summary>
  ## </param>
  #
@@ -70648,7 +70806,7 @@ index 3bd6446..a61764b 100644
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
  ')
 diff --git a/rpc.te b/rpc.te
-index e5212e6..4fb05d7 100644
+index e5212e6..97bb4a0 100644
 --- a/rpc.te
 +++ b/rpc.te
 @@ -1,4 +1,4 @@
@@ -70692,7 +70850,7 @@ index e5212e6..4fb05d7 100644
  
  type exports_t;
  files_config_file(exports_t)
-@@ -36,16 +32,24 @@ files_tmp_file(gssd_tmp_t)
+@@ -36,110 +32,49 @@ files_tmp_file(gssd_tmp_t)
  type rpcd_var_run_t;
  files_pid_file(rpcd_var_run_t)
  
@@ -70711,13 +70869,16 @@ index e5212e6..4fb05d7 100644
  type nfsd_initrc_exec_t;
  init_script_file(nfsd_initrc_exec_t)
  
+-type nfsd_rw_t;
+-files_type(nfsd_rw_t)
+-
+-type nfsd_ro_t;
+-files_type(nfsd_ro_t)
 +type nfsd_unit_file_t;
 +systemd_unit_file(nfsd_unit_file_t)
-+
- type nfsd_rw_t;
- files_type(nfsd_rw_t)
  
-@@ -57,89 +61,26 @@ files_mountpoint(var_lib_nfs_t)
+ type var_lib_nfs_t;
+ files_mountpoint(var_lib_nfs_t)
  
  ########################################
  #
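Review bot: The `type nfsd_rw_t;` and `type nfsd_ro_t;` declarations are dropped from rpc.te in this hunk, and the visible lines leave no alias behind. Files or local `semanage fcontext` rules that still carry either label would then refer to a type the loaded policy no longer defines. The later rpc.te hunk that removes `allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;` follows from the same decision. If the types are retired on purpose, keeping the names resolvable avoids invalid contexts on upgrade, for example `typealias <surviving_type> alias { nfsd_rw_t nfsd_ro_t };` with the target type (a placeholder here) chosen by the maintainer. An alias may already exist outside this hunk, since the rest of the rpc.te declarations are not shown.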
@@ -70813,7 +70974,7 @@ index e5212e6..4fb05d7 100644
  kernel_read_sysctl(rpcd_t)
  kernel_rw_fs_sysctls(rpcd_t)
  kernel_dontaudit_getattr_core_if(rpcd_t)
-@@ -160,13 +101,14 @@ fs_getattr_all_fs(rpcd_t)
+@@ -160,13 +95,14 @@ fs_getattr_all_fs(rpcd_t)
  
  storage_getattr_fixed_disk_dev(rpcd_t)
  
@@ -70831,7 +70992,7 @@ index e5212e6..4fb05d7 100644
  
  optional_policy(`
  	automount_signal(rpcd_t)
-@@ -174,19 +116,23 @@ optional_policy(`
+@@ -174,19 +110,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -70859,14 +71020,14 @@ index e5212e6..4fb05d7 100644
  ')
  
  ########################################
-@@ -195,41 +141,57 @@ optional_policy(`
+@@ -195,41 +135,56 @@ optional_policy(`
  #
  
  allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
 +dontaudit nfsd_t self:capability sys_rawio;
  
  allow nfsd_t exports_t:file read_file_perms;
- allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+-allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
  
 +# for /proc/fs/nfs/exports - should we have a new type?
 +kernel_read_system_state(nfsd_t)
@@ -70924,7 +71085,7 @@ index e5212e6..4fb05d7 100644
  	miscfiles_manage_public_files(nfsd_t)
  ')
  
-@@ -238,7 +200,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -238,7 +193,6 @@ tunable_policy(`nfs_export_all_rw',`
  	dev_getattr_all_chr_files(nfsd_t)
  
  	fs_read_noxattr_fs_files(nfsd_t)
@@ -70932,7 +71093,7 @@ index e5212e6..4fb05d7 100644
  ')
  
  tunable_policy(`nfs_export_all_ro',`
-@@ -250,12 +211,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -250,12 +204,12 @@ tunable_policy(`nfs_export_all_ro',`
  
  	fs_read_noxattr_fs_files(nfsd_t)
  
@@ -70947,7 +71108,7 @@ index e5212e6..4fb05d7 100644
  ')
  
  ########################################
-@@ -271,6 +232,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -271,6 +225,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
  
@@ -70955,7 +71116,7 @@ index e5212e6..4fb05d7 100644
  kernel_read_network_state(gssd_t)
  kernel_read_network_state_symlinks(gssd_t)
  kernel_request_load_module(gssd_t)
-@@ -279,25 +241,29 @@ kernel_signal(gssd_t)
+@@ -279,25 +234,29 @@ kernel_signal(gssd_t)
  
  corecmd_exec_bin(gssd_t)
  
@@ -70988,7 +71149,7 @@ index e5212e6..4fb05d7 100644
  ')
  
  optional_policy(`
-@@ -306,8 +272,11 @@ optional_policy(`
+@@ -306,8 +265,11 @@ optional_policy(`
  
  optional_policy(`
  	kerberos_keytab_template(gssd, gssd_t)
@@ -71859,7 +72020,7 @@ index 0628d50..84f2fd7 100644
 +	allow rpm_script_t $1:process sigchld;
  ')
 diff --git a/rpm.te b/rpm.te
-index 5cbe81c..94b945c 100644
+index 5cbe81c..90177fd 100644
 --- a/rpm.te
 +++ b/rpm.te
 @@ -1,15 +1,13 @@
@@ -72135,7 +72296,7 @@ index 5cbe81c..94b945c 100644
  allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms;
 -
 -allow rpm_script_t rpm_t:netlink_route_socket { read write };
-+allow rpm_script_t self:netlink_audit_socket create_socket_perms;
++allow rpm_script_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
  
  allow rpm_script_t rpm_tmp_t:file read_file_perms;
  
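Review bot: `nlmsg_relay` is added to `rpm_script_t`'s own `netlink_audit_socket` as a raw permission, which lets every package scriptlet submit user-space audit records. Sending such records normally also needs the `audit_write` capability, and this hunk does not show whether `rpm_script_t` holds it. Granting the access through the existing interface, `logging_send_audit_msgs(rpm_script_t)`, would keep the socket permission and the capability together and make the intent easy to find. A one-line comment naming the scriptlet or bug that needs it, such as `# <package> scriptlets emit audit records (bug <id>)`, would help later review.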
@@ -84951,7 +85112,7 @@ index 5406b6e..dc5b46e 100644
  	admin_pattern($1, tgtd_tmpfs_t)
  ')
 diff --git a/tgtd.te b/tgtd.te
-index c93c973..08aef1e 100644
+index c93c973..b04d201 100644
 --- a/tgtd.te
 +++ b/tgtd.te
 @@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t)
@@ -84959,7 +85120,7 @@ index c93c973..08aef1e 100644
  #
  
 -allow tgtd_t self:capability sys_resource;
-+allow tgtd_t self:capability { dac_override sys_resource };
++allow tgtd_t self:capability { dac_override sys_resource sys_rawio sys_admin };
  allow tgtd_t self:capability2 block_suspend;
  allow tgtd_t self:process { setrlimit signal };
  allow tgtd_t self:fifo_file rw_fifo_file_perms;
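Review bot: `sys_rawio` and `sys_admin` are added to `tgtd_t` unconditionally on the `self:capability` line. The later tgtd.te hunk adds `storage_read_scsi_generic(tgtd_t)` and `storage_write_scsi_generic(tgtd_t)`, so together they give the network-facing target daemon raw SCSI command access and a very broad capability on every install. The changelog ties this to the passthrough device case, which suggests hosts exporting only file- or block-backed LUNs do not need it. Wrapping the two capabilities and the two SCSI-generic calls in a `tunable_policy` block that defaults to off would keep the default domain narrow. At minimum the reason should be recorded next to the rule, e.g. `# sys_rawio, sys_admin: SCSI passthrough backing stores only`.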
@@ -84971,7 +85132,7 @@ index c93c973..08aef1e 100644
  corenet_tcp_sendrecv_generic_if(tgtd_t)
  corenet_tcp_sendrecv_generic_node(tgtd_t)
  corenet_tcp_bind_generic_node(tgtd_t)
-@@ -69,7 +68,7 @@ corenet_tcp_sendrecv_iscsi_port(tgtd_t)
+@@ -69,16 +68,16 @@ corenet_tcp_sendrecv_iscsi_port(tgtd_t)
  
  dev_read_sysfs(tgtd_t)
  
@@ -84980,7 +85141,9 @@ index c93c973..08aef1e 100644
  
  fs_read_anon_inodefs_files(tgtd_t)
  
-@@ -77,8 +76,6 @@ storage_manage_fixed_disk(tgtd_t)
+ storage_manage_fixed_disk(tgtd_t)
++storage_read_scsi_generic(tgtd_t)
++storage_write_scsi_generic(tgtd_t)
  
  logging_send_syslog_msg(tgtd_t)
  
@@ -84991,10 +85154,10 @@ index c93c973..08aef1e 100644
  ')
 diff --git a/thin.fc b/thin.fc
 new file mode 100644
-index 0000000..7f4bce8
+index 0000000..1f8a908
 --- /dev/null
 +++ b/thin.fc
-@@ -0,0 +1,11 @@
+@@ -0,0 +1,12 @@
 +/usr/bin/thin		--	gen_context(system_u:object_r:thin_exec_t,s0)
 +
 +/usr/bin/aeolus-configserver-thinwrapper	--	gen_context(system_u:object_r:thin_aeolus_configserver_exec_t,s0)
@@ -85006,12 +85169,13 @@ index 0000000..7f4bce8
 +
 +/var/run/aeolus-configserver(/.*)?	gen_context(system_u:object_r:thin_aeolus_configserver_var_run_t,s0)
 +/var/run/aeolus/thin\.pid	--	gen_context(system_u:object_r:thin_var_run_t,s0)
++/var/run/thin(/.*)?		     gen_context(system_u:object_r:thin_var_run_t,s0)
 diff --git a/thin.if b/thin.if
 new file mode 100644
-index 0000000..b9f811d
+index 0000000..5e3637e
 --- /dev/null
 +++ b/thin.if
-@@ -0,0 +1,66 @@
+@@ -0,0 +1,64 @@
 +## <summary>thin policy</summary>
 +
 +#######################################
@@ -85076,14 +85240,12 @@ index 0000000..b9f811d
 +	files_search_pids($1)
 +	stream_connect_pattern($1, thin_var_run_t, thin_var_run_t, thin_t)
 +')
-+
-+
 diff --git a/thin.te b/thin.te
 new file mode 100644
-index 0000000..dda7934
+index 0000000..ff282dc
 --- /dev/null
 +++ b/thin.te
-@@ -0,0 +1,113 @@
+@@ -0,0 +1,114 @@
 +policy_module(thin, 1.0)
 +
 +########################################
@@ -85169,14 +85331,15 @@ index 0000000..dda7934
 +manage_dirs_pattern(thin_t, thin_log_t, thin_log_t)
 +logging_log_filetrans(thin_t, thin_log_t, { file dir })
 +
++manage_dirs_pattern(thin_t, thin_var_run_t, thin_var_run_t)
 +manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
++manage_lnk_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
 +manage_sock_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
-+files_pid_filetrans(thin_t, thin_var_run_t, { file })
++files_pid_filetrans(thin_t, thin_var_run_t, { dir file sock_file })
 +
 +corenet_tcp_bind_ntop_port(thin_t)
 +corenet_tcp_connect_postgresql_port(thin_t)
 +
-+
 +#######################################
 +#
 +# thin aeolus configserver local policy
@@ -89832,10 +89995,10 @@ index 9dec06c..378880d 100644
 +	allow $1 svirt_image_t:chr_file rw_file_perms;
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..99dd3a5 100644
+index 1f22fba..a8d17af 100644
 --- a/virt.te
 +++ b/virt.te
-@@ -1,94 +1,98 @@
+@@ -1,94 +1,97 @@
 -policy_module(virt, 1.6.10)
 +policy_module(virt, 1.5.0)
  
@@ -89843,7 +90006,6 @@ index 1f22fba..99dd3a5 100644
  #
  # Declarations
  #
- 
 +attribute virsh_transition_domain;
 +attribute virt_ptynode;
 +attribute virt_domain;
@@ -89860,7 +90022,7 @@ index 1f22fba..99dd3a5 100644
 +files_type(svirt_image_t)
 +dev_node(svirt_image_t)
 +dev_associate_sysfs(svirt_image_t)
-+
+ 
  ## <desc>
 -##	<p>
 -##	Determine whether confined virtual guests
@@ -89986,7 +90148,7 @@ index 1f22fba..99dd3a5 100644
  
  type virt_cache_t alias svirt_cache_t;
  files_type(virt_cache_t)
-@@ -105,27 +109,25 @@ userdom_user_home_content(virt_home_t)
+@@ -105,27 +108,25 @@ userdom_user_home_content(virt_home_t)
  type svirt_home_t;
  userdom_user_home_content(svirt_home_t)
  
@@ -90020,7 +90182,7 @@ index 1f22fba..99dd3a5 100644
  
  type virt_var_run_t;
  files_pid_file(virt_var_run_t)
-@@ -139,9 +141,17 @@ init_daemon_domain(virtd_t, virtd_exec_t)
+@@ -139,9 +140,17 @@ init_daemon_domain(virtd_t, virtd_exec_t)
  domain_obj_id_change_exemption(virtd_t)
  domain_subj_id_change_exemption(virtd_t)
  
@@ -90038,7 +90200,7 @@ index 1f22fba..99dd3a5 100644
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -155,290 +165,134 @@ type virt_qmf_exec_t;
+@@ -155,290 +164,134 @@ type virt_qmf_exec_t;
  init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
  
  type virt_bridgehelper_t;
@@ -90302,7 +90464,9 @@ index 1f22fba..99dd3a5 100644
 -
 -dontaudit svirt_t virt_content_t:file write_file_perms;
 -dontaudit svirt_t virt_content_t:dir rw_dir_perms;
--
++allow svirt_tcg_t self:process { execmem execstack };
++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
+ 
 -append_files_pattern(svirt_t, virt_home_t, virt_home_t)
 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
 -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
@@ -90331,9 +90495,7 @@ index 1f22fba..99dd3a5 100644
 -corenet_sendrecv_all_server_packets(svirt_t)
 -corenet_udp_bind_all_ports(svirt_t)
 -corenet_tcp_bind_all_ports(svirt_t)
-+allow svirt_tcg_t self:process { execmem execstack };
-+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
- 
+-
 -corenet_sendrecv_all_client_packets(svirt_t)
 -corenet_tcp_connect_all_ports(svirt_t)
 +corenet_udp_sendrecv_generic_if(svirt_tcg_t)
@@ -90409,7 +90571,7 @@ index 1f22fba..99dd3a5 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -448,42 +302,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -448,42 +301,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
@@ -90455,7 +90617,7 @@ index 1f22fba..99dd3a5 100644
  logging_log_filetrans(virtd_t, virt_log_t, { file dir })
  
  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +336,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +335,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -90476,7 +90638,7 @@ index 1f22fba..99dd3a5 100644
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
-@@ -513,6 +348,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -513,6 +347,7 @@ kernel_read_kernel_sysctls(virtd_t)
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  kernel_setsched(virtd_t)
@@ -90484,7 +90646,7 @@ index 1f22fba..99dd3a5 100644
  
  corecmd_exec_bin(virtd_t)
  corecmd_exec_shell(virtd_t)
-@@ -520,24 +356,16 @@ corecmd_exec_shell(virtd_t)
+@@ -520,24 +355,16 @@ corecmd_exec_shell(virtd_t)
  corenet_all_recvfrom_netlabel(virtd_t)
  corenet_tcp_sendrecv_generic_if(virtd_t)
  corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -90512,7 +90674,7 @@ index 1f22fba..99dd3a5 100644
  dev_rw_sysfs(virtd_t)
  dev_read_urand(virtd_t)
  dev_read_rand(virtd_t)
-@@ -548,22 +376,23 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +375,23 @@ dev_rw_vhost(virtd_t)
  dev_setattr_generic_usb_dev(virtd_t)
  dev_relabel_generic_usb_dev(virtd_t)
  
@@ -90541,7 +90703,7 @@ index 1f22fba..99dd3a5 100644
  fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +423,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +422,18 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -90561,20 +90723,20 @@ index 1f22fba..99dd3a5 100644
  
  selinux_validate_context(virtd_t)
  
-@@ -613,18 +445,24 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +444,24 @@ seutil_read_file_contexts(virtd_t)
  sysnet_signull_ifconfig(virtd_t)
  sysnet_signal_ifconfig(virtd_t)
  sysnet_domtrans_ifconfig(virtd_t)
 +sysnet_read_config(virtd_t)
  
 -userdom_read_all_users_state(virtd_t)
--
--ifdef(`hide_broken_symptoms',`
--	dontaudit virtd_t self:capability { sys_module sys_ptrace };
--')
 +systemd_dbus_chat_logind(virtd_t)
 +systemd_write_inhibit_pipes(virtd_t)
  
+-ifdef(`hide_broken_symptoms',`
+-	dontaudit virtd_t self:capability { sys_module sys_ptrace };
+-')
+-
 -tunable_policy(`virt_use_fusefs',`
 -	fs_manage_fusefs_dirs(virtd_t)
 -	fs_manage_fusefs_files(virtd_t)
@@ -90596,7 +90758,7 @@ index 1f22fba..99dd3a5 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +471,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +470,7 @@ tunable_policy(`virt_use_nfs',`
  ')
  
  tunable_policy(`virt_use_samba',`
@@ -90605,7 +90767,7 @@ index 1f22fba..99dd3a5 100644
  	fs_manage_cifs_files(virtd_t)
  	fs_read_cifs_symlinks(virtd_t)
  ')
-@@ -658,95 +496,325 @@ optional_policy(`
+@@ -658,95 +495,325 @@ optional_policy(`
  	')
  
  	optional_policy(`
@@ -90977,7 +91139,7 @@ index 1f22fba..99dd3a5 100644
  
  manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +826,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +825,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -91008,7 +91170,7 @@ index 1f22fba..99dd3a5 100644
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +846,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +845,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -91035,7 +91197,7 @@ index 1f22fba..99dd3a5 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +866,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +865,22 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -91067,7 +91229,7 @@ index 1f22fba..99dd3a5 100644
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
  	fs_manage_nfs_files(virsh_t)
-@@ -847,14 +899,20 @@ optional_policy(`
+@@ -847,14 +898,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -91089,7 +91251,7 @@ index 1f22fba..99dd3a5 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -879,34 +937,45 @@ optional_policy(`
+@@ -879,34 +936,45 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -91144,7 +91306,7 @@ index 1f22fba..99dd3a5 100644
  
  manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +985,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +984,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
  allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
@@ -91162,7 +91324,7 @@ index 1f22fba..99dd3a5 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +1007,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +1006,8 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -91173,7 +91335,7 @@ index 1f22fba..99dd3a5 100644
  files_relabel_rootfs(virtd_lxc_t)
  files_mounton_non_security(virtd_lxc_t)
  files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +1016,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+@@ -944,6 +1015,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
  files_list_isid_type_dirs(virtd_lxc_t)
  files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
  
@@ -91181,7 +91343,7 @@ index 1f22fba..99dd3a5 100644
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,15 +1028,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,15 +1027,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -91200,7 +91362,7 @@ index 1f22fba..99dd3a5 100644
  
  term_use_generic_ptys(virtd_lxc_t)
  term_use_ptmx(virtd_lxc_t)
-@@ -973,21 +1042,40 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,21 +1041,40 @@ auth_use_nsswitch(virtd_lxc_t)
  
  logging_send_syslog_msg(virtd_lxc_t)
  
@@ -91249,7 +91411,7 @@ index 1f22fba..99dd3a5 100644
  allow svirt_lxc_domain self:fifo_file manage_file_perms;
  allow svirt_lxc_domain self:sem create_sem_perms;
  allow svirt_lxc_domain self:shm create_shm_perms;
-@@ -995,18 +1083,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,18 +1082,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
  allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
  allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
  
@@ -91276,7 +91438,7 @@ index 1f22fba..99dd3a5 100644
  
  manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1101,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1100,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -91289,13 +91451,14 @@ index 1f22fba..99dd3a5 100644
 -
  kernel_getattr_proc(svirt_lxc_domain)
  kernel_list_all_proc(svirt_lxc_domain)
- kernel_read_kernel_sysctls(svirt_lxc_domain)
+-kernel_read_kernel_sysctls(svirt_lxc_domain)
++kernel_read_all_sysctls(svirt_lxc_domain)
  kernel_rw_net_sysctls(svirt_lxc_domain)
 -kernel_read_system_state(svirt_lxc_domain)
  kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
  
  corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1120,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1119,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
  files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
  files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
  files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
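Review bot: Replacing `kernel_read_kernel_sysctls(svirt_lxc_domain)` with `kernel_read_all_sysctls(svirt_lxc_domain)` widens read access for every confined container from the kernel sysctl type to all sysctl types. Nothing in the hunk or the visible changelog entries says which sysctl subtree was being denied. If only one or two subtrees are needed, the narrower per-type read interfaces would keep the container domain tighter. Otherwise a comment such as `# containers need read access to <subtree> sysctls (bug <id>)` should state why the broad grant is required. The `kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)` line kept two lines below appears redundant once all sysctl directories are readable and could be dropped in the same change. The surrounding svirt_lxc_domain rules continue outside this hunk.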
@@ -91322,7 +91485,7 @@ index 1f22fba..99dd3a5 100644
  auth_dontaudit_read_login_records(svirt_lxc_domain)
  auth_dontaudit_write_login_records(svirt_lxc_domain)
  auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1145,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,96 +1144,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
  
  libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
  
@@ -91461,7 +91624,7 @@ index 1f22fba..99dd3a5 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1165,12 +1243,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1242,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -91476,7 +91639,7 @@ index 1f22fba..99dd3a5 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1183,9 +1261,8 @@ optional_policy(`
+@@ -1183,9 +1260,8 @@ optional_policy(`
  
  ########################################
  #
@@ -91487,7 +91650,7 @@ index 1f22fba..99dd3a5 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1275,114 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1274,115 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
@@ -91542,6 +91705,7 @@ index 1f22fba..99dd3a5 100644
 +sysnet_dns_name_resolve(virt_qemu_ga_t)
 +
 +systemd_exec_systemctl(virt_qemu_ga_t)
++systemd_start_power_services(virt_qemu_ga_t)
 +
 +userdom_use_user_ptys(virt_qemu_ga_t)
 +
@@ -91636,7 +91800,7 @@ index 20a1fb2..470ea95 100644
  	allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms };
  	allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms };
 diff --git a/vmware.te b/vmware.te
-index 3a56513..5721057 100644
+index 3a56513..d7ec42b 100644
 --- a/vmware.te
 +++ b/vmware.te
 @@ -65,7 +65,8 @@ ifdef(`enable_mcs',`
@@ -91675,7 +91839,7 @@ index 3a56513..5721057 100644
  
  fs_getattr_all_fs(vmware_host_t)
  fs_search_auto_mountpoints(vmware_host_t)
-@@ -138,8 +138,6 @@ libs_exec_ld_so(vmware_host_t)
+@@ -138,23 +138,27 @@ libs_exec_ld_so(vmware_host_t)
  
  logging_send_syslog_msg(vmware_host_t)
  
@@ -91684,7 +91848,11 @@ index 3a56513..5721057 100644
  sysnet_dns_name_resolve(vmware_host_t)
  sysnet_domtrans_ifconfig(vmware_host_t)
  
-@@ -149,12 +147,16 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t)
++systemd_start_power_services(vmware_host_t)
++
+ userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
+ userdom_dontaudit_search_user_home_dirs(vmware_host_t)
+ 
  netutils_domtrans_ping(vmware_host_t)
  
  optional_policy(`
@@ -91703,7 +91871,7 @@ index 3a56513..5721057 100644
  
  optional_policy(`
  	samba_read_config(vmware_host_t)
-@@ -244,9 +246,7 @@ dev_search_sysfs(vmware_t)
+@@ -244,9 +248,7 @@ dev_search_sysfs(vmware_t)
  
  domain_use_interactive_fds(vmware_t)
  
@@ -91713,7 +91881,7 @@ index 3a56513..5721057 100644
  files_list_home(vmware_t)
  
  fs_getattr_all_fs(vmware_t)
-@@ -258,9 +258,8 @@ storage_raw_write_removable_device(vmware_t)
+@@ -258,9 +260,8 @@ storage_raw_write_removable_device(vmware_t)
  libs_exec_ld_so(vmware_t)
  libs_read_lib_files(vmware_t)
  
@@ -94280,7 +94448,7 @@ index dd63de0..38ce620 100644
 -	admin_pattern($1, zabbix_tmpfs_t)
  ')
 diff --git a/zabbix.te b/zabbix.te
-index 46e4cd3..29d4996 100644
+index 46e4cd3..4dec288 100644
 --- a/zabbix.te
 +++ b/zabbix.te
 @@ -6,7 +6,7 @@ policy_module(zabbix, 1.5.3)
@@ -94328,6 +94496,15 @@ index 46e4cd3..29d4996 100644
  ')
  
  ########################################
+@@ -133,7 +129,7 @@ optional_policy(`
+ #
+ 
+ allow zabbix_agent_t self:capability { setuid setgid };
+-allow zabbix_agent_t self:process { setsched getsched signal };
++allow zabbix_agent_t self:process { setpgid setsched getsched signal };
+ allow zabbix_agent_t self:fifo_file rw_fifo_file_perms;
+ allow zabbix_agent_t self:sem create_sem_perms;
+ allow zabbix_agent_t self:shm create_shm_perms;
 @@ -182,7 +178,6 @@ domain_search_all_domains_state(zabbix_agent_t)
  files_getattr_all_dirs(zabbix_agent_t)
  files_getattr_all_files(zabbix_agent_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1d8f15b..6364a4a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 63%{?dist}
+Release: 65%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,30 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Jul 17 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-65
+- Label /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t
+- Add labeling for /usr/libexec/kde4/polkit-kde-authentication-agent-1
+- Allow all domains that can domtrans to shutdown, to start the power services script to shutdown
+- consolekit needs to be able to shut down system
+- Move around interfaces
+- Remove nfsd_rw_t and nfsd_ro_t, they don't do anything
+- Add additional fixes for rabbitmq_beam to allow getattr on mountpoints
+- Allow gconf-defaults-m to read /etc/passwd
+- Fix pki_rw_tomcat_cert() interface to support lnk_files
+
+* Fri Jul 12 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-64
+- Add support for gluster ports
+- Make sure that all keys located in /etc/ssh/ are labeled correctly
+- Make sure apcuspd lock files get created with the correct label
+- Use getcap in gluster.te
+- Fix gluster policy
+- add additional fixes to allow beam.smp to interact with couchdb files
+- Additional fix for #974149
+- Allow gluster to user gluster ports
+- Allow glusterd to transition to rpcd_t and add additional fixes for #980683
+- Allow tgtd working when accessing to the passthrough device
+- Fix labeling for mdadm unit files
+
 * Thu Jul 11 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-63
 - Add mdadm fixes