+ ## Create DHCP state data.
+@@ -711,8 +917,6 @@ interface(`sysnet_dns_name_resolve',`
allow $1 self:udp_socket create_socket_perms;
allow $1 self:netlink_route_socket r_netlink_socket_perms;
@@ -37786,7 +37822,7 @@ index 2cea692..77f307f 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -720,8 +904,11 @@ interface(`sysnet_dns_name_resolve',`
+@@ -720,8 +924,11 @@ interface(`sysnet_dns_name_resolve',`
corenet_tcp_sendrecv_dns_port($1)
corenet_udp_sendrecv_dns_port($1)
corenet_tcp_connect_dns_port($1)
@@ -37798,7 +37834,7 @@ index 2cea692..77f307f 100644
sysnet_read_config($1)
optional_policy(`
-@@ -750,8 +937,6 @@ interface(`sysnet_use_ldap',`
+@@ -750,8 +957,6 @@ interface(`sysnet_use_ldap',`
allow $1 self:tcp_socket create_socket_perms;
@@ -37807,7 +37843,7 @@ index 2cea692..77f307f 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_ldap_port($1)
-@@ -763,6 +948,9 @@ interface(`sysnet_use_ldap',`
+@@ -763,6 +968,9 @@ interface(`sysnet_use_ldap',`
dev_read_urand($1)
sysnet_read_config($1)
@@ -37817,7 +37853,7 @@ index 2cea692..77f307f 100644
')
########################################
-@@ -784,7 +972,6 @@ interface(`sysnet_use_portmap',`
+@@ -784,7 +992,6 @@ interface(`sysnet_use_portmap',`
allow $1 self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled($1)
@@ -37825,7 +37861,7 @@ index 2cea692..77f307f 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -796,3 +983,115 @@ interface(`sysnet_use_portmap',`
+@@ -796,3 +1003,115 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index aab44a5..a3ec877 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1519,7 +1519,7 @@ index 3b5dcb9..fbe187f 100644
domain_system_change_exemption($1)
role_transition $2 aiccu_initrc_exec_t system_r;
diff --git a/aiccu.te b/aiccu.te
-index 5d2b90e..f1cf098 100644
+index 5d2b90e..bb8adeb 100644
--- a/aiccu.te
+++ b/aiccu.te
@@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t)
@@ -1530,7 +1530,7 @@ index 5d2b90e..f1cf098 100644
corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
corenet_tcp_connect_sixxsconfig_port(aiccu_t)
corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
-@@ -60,11 +59,10 @@ domain_use_interactive_fds(aiccu_t)
+@@ -60,17 +59,20 @@ domain_use_interactive_fds(aiccu_t)
dev_read_rand(aiccu_t)
dev_read_urand(aiccu_t)
@@ -1544,6 +1544,16 @@ index 5d2b90e..f1cf098 100644
optional_policy(`
modutils_domtrans_insmod(aiccu_t)
+ ')
+
+ optional_policy(`
++ pcscd_stream_connect(aiccu_t)
++')
++
++optional_policy(`
+ sysnet_dns_name_resolve(aiccu_t)
+ sysnet_domtrans_ifconfig(aiccu_t)
+ ')
diff --git a/aide.if b/aide.if
index 01cbb67..94a4a24 100644
--- a/aide.if
@@ -2313,10 +2323,10 @@ index 16d0d66..60abfd0 100644
optional_policy(`
nscd_dontaudit_search_pid(amtu_t)
diff --git a/anaconda.fc b/anaconda.fc
-index b098089..258407b 100644
+index b098089..358c9f9 100644
--- a/anaconda.fc
+++ b/anaconda.fc
-@@ -1 +1,7 @@
+@@ -1 +1,11 @@
# No file context specifications.
+
+/usr/libexec/anaconda/anaconda-yum -- gen_context(system_u:object_r:install_exec_t,s0)
@@ -2324,11 +2334,15 @@ index b098089..258407b 100644
+
+/usr/bin/ostree -- gen_context(system_u:object_r:install_exec_t,s0)
+/usr/bin/rpm-ostree -- gen_context(system_u:object_r:install_exec_t,s0)
++
++/usr/bin/preupg.* -- gen_context(system_u:object_r:preupgrade_exec_t,s0)
++/var/lib/preupgrade(/.*)? gen_context(system_u:object_r:preupgrade_data_t,s0)
++/var/log/preupgrade(/.*)? gen_context(system_u:object_r:preupgrade_data_t,s0)
diff --git a/anaconda.if b/anaconda.if
-index 14a61b7..21bbf36 100644
+index 14a61b7..76d9329 100644
--- a/anaconda.if
+++ b/anaconda.if
-@@ -1 +1,54 @@
+@@ -1 +1,132 @@
## Anaconda installer.
+
+########################################
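Review bot: The new anaconda.fc entry `/usr/bin/preupg.*` is a prefix match, so any regular file under /usr/bin whose name starts with "preupg" is labelled preupgrade_exec_t and becomes an entry point for preupgrade_t. The anaconda.te part of this same commit makes that domain unconfined, so the set of entry points should be as narrow as possible. I would list the shipped binaries explicitly, for example `/usr/bin/preupg -- gen_context(system_u:object_r:preupgrade_exec_t,s0)` plus one line per additional helper (names to be confirmed against the package). A short comment should also say why /var/log/preupgrade shares preupgrade_data_t with /var/lib/preupgrade rather than getting a log type.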
@@ -2383,8 +2397,86 @@ index 14a61b7..21bbf36 100644
+ ')
+')
+
++########################################
++##
++## Execute preupgrade in the caller domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`anaconda_exec_preupgrade',`
++ gen_require(`
++ type preupgrade_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, preupgrade_exec_t)
++')
++
++########################################
++##
++## Execute a domain transition to run preupgrade.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`anaconda_domtrans_preupgrade',`
++ gen_require(`
++ type preupgrade_t, preupgrade_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, preupgrade_exec_t, preupgrade_t)
++')
++
++########################################
++##
++## Read preupgrade lib files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`anaconda_read_lib_files_preupgrade',`
++ gen_require(`
++ type preupgrade_data_t;
++ ')
++
++ read_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
++ read_lnk_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Manage preupgrade lib files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`anaconda_manage_lib_files_preupgrade',`
++ gen_require(`
++ type preupgrade_data_t;
++ ')
++
++ manage_dirs_pattern($1, preupgrade_data_t, preupgrade_data_t)
++ manage_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
++ manage_lnk_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
++ files_search_var_lib($1)
++')
diff --git a/anaconda.te b/anaconda.te
-index aa44abf..ae0e58f 100644
+index aa44abf..84c95ed 100644
--- a/anaconda.te
+++ b/anaconda.te
@@ -4,6 +4,10 @@ gen_require(`
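Review bot: The header of `anaconda_exec_preupgrade` describes its parameter as "Domain allowed to transition.", but the interface only does `can_exec($1, preupgrade_exec_t)` and no transition; it should read "Domain allowed access." as the two lib-file interfaces do. The summaries "Read preupgrade lib files" and "Manage preupgrade lib files" also understate the grant. anaconda.fc in this commit labels /var/log/preupgrade with preupgrade_data_t as well, so both interfaces cover the log tree too. If log access is intended, say so in the summaries and add `logging_search_logs($1)` next to `files_search_var_lib($1)`; if it is not, the log directory needs its own type.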
@@ -2398,7 +2490,7 @@ index aa44abf..ae0e58f 100644
########################################
#
# Declarations
-@@ -16,6 +20,14 @@ domain_entry_file(anaconda_t, anaconda_exec_t)
+@@ -16,6 +20,22 @@ domain_entry_file(anaconda_t, anaconda_exec_t)
domain_obj_id_change_exemption(anaconda_t)
role system_r types anaconda_t;
@@ -2410,10 +2502,18 @@ index aa44abf..ae0e58f 100644
+application_domain(install_t, install_exec_t)
+role install_roles types install_t;
+
++type preupgrade_t;
++type preupgrade_exec_t;
++application_domain(preupgrade_t, preupgrade_exec_t)
++role system_r types preupgrade_t;
++
++type preupgrade_data_t;
++files_type(preupgrade_data_t)
++
########################################
#
# Local policy
-@@ -34,8 +46,9 @@ modutils_domtrans_insmod(anaconda_t)
+@@ -34,8 +54,9 @@ modutils_domtrans_insmod(anaconda_t)
modutils_domtrans_depmod(anaconda_t)
seutil_domtrans_semanage(anaconda_t)
@@ -2424,7 +2524,7 @@ index aa44abf..ae0e58f 100644
optional_policy(`
rpm_domtrans(anaconda_t)
-@@ -53,3 +66,34 @@ optional_policy(`
+@@ -53,3 +74,46 @@ optional_policy(`
optional_policy(`
unconfined_domain_noaudit(anaconda_t)
')
@@ -2459,6 +2559,18 @@ index aa44abf..ae0e58f 100644
+')
+
+
++########################################
++#
++# Local policy
++#
++
++manage_files_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
++manage_dirs_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
++manage_lnk_files_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
++
++optional_policy(`
++ unconfined_domain_noaudit(preupgrade_t)
++')
diff --git a/antivirus.fc b/antivirus.fc
new file mode 100644
index 0000000..219f32d
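Review bot: The new local-policy section ends with `unconfined_domain_noaudit(preupgrade_t)`, which leaves preupgrade_t unconfined whenever the unconfined module is present and makes the three `manage_*_pattern` rules above it redundant in that case. The consequence is that every caller of `anaconda_domtrans_preupgrade` gets a transition out of its own confinement, and this commit hands that interface to httpd_t behind a boolean. The section has no comment saying this is deliberate. I would add one above the optional block, such as `# preupgrade_t is intentionally unconfined for now; review every anaconda_domtrans_preupgrade() caller`, and track replacing it with explicit rules.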
@@ -2839,10 +2951,10 @@ index 0000000..df5b3be
+')
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
-index 0000000..8ba9c95
+index 0000000..83590aa
--- /dev/null
+++ b/antivirus.te
-@@ -0,0 +1,274 @@
+@@ -0,0 +1,273 @@
+policy_module(antivirus, 1.0.0)
+
+########################################
@@ -2882,7 +2994,7 @@ index 0000000..8ba9c95
+systemd_unit_file(antivirus_unit_file_t)
+
+type antivirus_conf_t;
-+typealias antivirus_conf_t alias { clamd_etc_t };
++typealias antivirus_conf_t alias { clamd_etc_t amavis_etc_t };
+files_config_file(antivirus_conf_t)
+
+type antivirus_var_run_t;
@@ -3011,6 +3123,7 @@ index 0000000..8ba9c95
+
+domain_dontaudit_read_all_domains_state(antivirus_domain)
+
++files_dontaudit_read_security_files(antivirus_domain)
+files_read_etc_runtime_files(antivirus_domain)
+files_search_spool(antivirus_domain)
+
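Review bot: `files_dontaudit_read_security_files(antivirus_domain)` is now granted unconditionally, where it used to sit inside the `antivirus_can_scan_system` block (removed in the next hunk). Read denials on security-labelled files from any antivirus domain are therefore silenced even on systems where full-system scanning is disabled. That removes the audit trail an operator would rely on to notice a scanner process reaching for those files. If the goal is only to quiet noise from a known access pattern, I would record it next to the rule, for example `# scanners stat/read everything they walk; suppress noise for security files (reference the bug here)`, or keep the dontaudit under the tunable.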
@@ -3035,8 +3148,6 @@ index 0000000..8ba9c95
+
+tunable_policy(`antivirus_can_scan_system',`
+ files_read_non_security_files(antivirus_domain)
-+ #files_dontaudit_read_all_non_security_files(antivirus_domain)
-+ files_dontaudit_read_security_files(antivirus_domain)
+ files_getattr_all_pipes(antivirus_domain)
+ files_getattr_all_sockets(antivirus_domain)
+ dev_getattr_all_blk_files(antivirus_domain)
@@ -3118,10 +3229,10 @@ index 0000000..8ba9c95
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index 7caefc3..8434d2f 100644
+index 7caefc3..0d9db0a 100644
--- a/apache.fc
+++ b/apache.fc
-@@ -1,162 +1,201 @@
+@@ -1,162 +1,202 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3177,6 +3288,7 @@ index 7caefc3..8434d2f 100644
+/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/systemd/system/httpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
++/usr/lib/systemd/system/thttpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/jetty.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/nginx.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
@@ -4921,10 +5033,10 @@ index f6eb485..51b128e 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 6649962..6ae8921 100644
+index 6649962..a25874f 100644
--- a/apache.te
+++ b/apache.te
-@@ -5,280 +5,331 @@ policy_module(apache, 2.7.2)
+@@ -5,280 +5,339 @@ policy_module(apache, 2.7.2)
# Declarations
#
@@ -5065,55 +5177,73 @@ index 6649962..6ae8921 100644
+##
+## Allow httpd to connect to memcache server
+##
- ##
--gen_tunable(httpd_can_network_relay, false)
++##
+gen_tunable(httpd_can_network_memcache, false)
++
++##
++##
++## Allow httpd to act as a relay
++##
+ ##
+ gen_tunable(httpd_can_network_relay, false)
##
-##
-## Determine whether httpd daemon can
-## connect to zabbix over the network.
-##
-+##
-+## Allow httpd to act as a relay
-+##
++##
++## Allow http daemon to connect to zabbix
++##
##
-gen_tunable(httpd_can_network_connect_zabbix, false)
-+gen_tunable(httpd_can_network_relay, false)
++gen_tunable(httpd_can_connect_zabbix, false)
##
-##
-## Determine whether httpd can send mail.
-##
+##
-+## Allow http daemon to connect to zabbix
++## Allow http daemon to connect to mythtv
+##
++##
++gen_tunable(httpd_can_connect_mythtv, false)
++
++##
++##
++## Allow http daemon to check spam
++##
++##
++gen_tunable(httpd_can_check_spam, false)
++
++##
++##
++## Allow http daemon to send mail
++##
##
--gen_tunable(httpd_can_sendmail, false)
-+gen_tunable(httpd_can_connect_zabbix, false)
+ gen_tunable(httpd_can_sendmail, false)
##
-##
-## Determine whether httpd can communicate
-## with avahi service via dbus.
-##
-+##
-+## Allow http daemon to connect to mythtv
-+##
++##
++## Allow Apache to communicate with avahi service via dbus
++##
##
--gen_tunable(httpd_dbus_avahi, false)
-+gen_tunable(httpd_can_connect_mythtv, false)
+ gen_tunable(httpd_dbus_avahi, false)
##
-##
-## Determine wether httpd can use support.
-##
+##
-+## Allow http daemon to check spam
++## Allow Apache to communicate with sssd service via dbus
+##
##
-gen_tunable(httpd_enable_cgi, false)
-+gen_tunable(httpd_can_check_spam, false)
++gen_tunable(httpd_dbus_sssd, false)
##
-##
@@ -5121,11 +5251,11 @@ index 6649962..6ae8921 100644
-## FTP server by listening on the ftp port.
-##
+##
-+## Allow http daemon to send mail
++## Allow httpd cgi support
+##
##
-gen_tunable(httpd_enable_ftp_server, false)
-+gen_tunable(httpd_can_sendmail, false)
++gen_tunable(httpd_enable_cgi, false)
##
-##
@@ -5133,11 +5263,12 @@ index 6649962..6ae8921 100644
-## user home directories.
-##
+##
-+## Allow Apache to communicate with avahi service via dbus
++## Allow httpd to act as a FTP server by
++## listening on the ftp port.
+##
##
-gen_tunable(httpd_enable_homedirs, false)
-+gen_tunable(httpd_dbus_avahi, false)
++gen_tunable(httpd_enable_ftp_server, false)
##
-##
@@ -5147,23 +5278,24 @@ index 6649962..6ae8921 100644
-## be labeled public_content_rw_t.
-##
+##
-+## Allow Apache to communicate with sssd service via dbus
++## Allow httpd to act as a FTP client
++## connecting to the ftp port and ephemeral ports
+##
##
-gen_tunable(httpd_gpg_anon_write, false)
-+gen_tunable(httpd_dbus_sssd, false)
++gen_tunable(httpd_can_connect_ftp, false)
##
-##
-## Determine whether httpd can execute
-## its temporary content.
-##
-+##
-+## Allow httpd cgi support
-+##
++##
++## Allow httpd to connect to the ldap port
++##
##
-gen_tunable(httpd_tmp_exec, false)
-+gen_tunable(httpd_enable_cgi, false)
++gen_tunable(httpd_can_connect_ldap, false)
##
-##
@@ -5171,12 +5303,11 @@ index 6649962..6ae8921 100644
-## modules can use execmem and execstack.
-##
+##
-+## Allow httpd to act as a FTP server by
-+## listening on the ftp port.
++## Allow httpd to read home directories
+##
##
-gen_tunable(httpd_execmem, false)
-+gen_tunable(httpd_enable_ftp_server, false)
++gen_tunable(httpd_enable_homedirs, false)
##
-##
@@ -5184,35 +5315,35 @@ index 6649962..6ae8921 100644
-## to port 80 for graceful shutdown.
-##
+##
-+## Allow httpd to act as a FTP client
-+## connecting to the ftp port and ephemeral ports
++## Allow httpd to read user content
+##
##
-gen_tunable(httpd_graceful_shutdown, false)
-+gen_tunable(httpd_can_connect_ftp, false)
++gen_tunable(httpd_read_user_content, false)
##
-##
-## Determine whether httpd can
-## manage IPA content files.
-##
-+##
-+## Allow httpd to connect to the ldap port
-+##
++##
++## Allow Apache to run in stickshift mode, not transition to passenger
++##
##
-gen_tunable(httpd_manage_ipa, false)
-+gen_tunable(httpd_can_connect_ldap, false)
++gen_tunable(httpd_run_stickshift, false)
++
##
-##
-## Determine whether httpd can use mod_auth_ntlm_winbind.
-##
+##
-+## Allow httpd to read home directories
++## Allow Apache to run preupgrade
+##
##
-gen_tunable(httpd_mod_auth_ntlm_winbind, false)
-+gen_tunable(httpd_enable_homedirs, false)
++gen_tunable(httpd_run_preupgrade, false)
##
-##
@@ -5220,10 +5351,11 @@ index 6649962..6ae8921 100644
-## generic user home content files.
-##
+##
-+## Allow httpd to read user content
++## Allow Apache to query NS records
+##
##
- gen_tunable(httpd_read_user_content, false)
+-gen_tunable(httpd_read_user_content, false)
++gen_tunable(httpd_verify_dns, false)
##
-##
@@ -5231,20 +5363,6 @@ index 6649962..6ae8921 100644
-## its resource limits.
-##
+##
-+## Allow Apache to run in stickshift mode, not transition to passenger
-+##
-+##
-+gen_tunable(httpd_run_stickshift, false)
-+
-+##
-+##
-+## Allow Apache to query NS records
-+##
-+##
-+gen_tunable(httpd_verify_dns, false)
-+
-+##
-+##
+## Allow httpd daemon to change its resource limits
+##
##
@@ -5404,7 +5522,7 @@ index 6649962..6ae8921 100644
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
-@@ -286,15 +337,35 @@ init_script_file(httpd_initrc_exec_t)
+@@ -286,15 +345,35 @@ init_script_file(httpd_initrc_exec_t)
type httpd_keytab_t;
files_type(httpd_keytab_t)
@@ -5440,7 +5558,7 @@ index 6649962..6ae8921 100644
type httpd_rotatelogs_t;
type httpd_rotatelogs_exec_t;
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
-@@ -302,10 +373,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+@@ -302,10 +381,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t)
@@ -5453,7 +5571,7 @@ index 6649962..6ae8921 100644
type httpd_suexec_exec_t;
domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
-@@ -314,9 +383,19 @@ role system_r types httpd_suexec_t;
+@@ -314,9 +391,19 @@ role system_r types httpd_suexec_t;
type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)
@@ -5476,7 +5594,7 @@ index 6649962..6ae8921 100644
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -324,14 +403,21 @@ files_tmp_file(httpd_tmp_t)
+@@ -324,14 +411,21 @@ files_tmp_file(httpd_tmp_t)
type httpd_tmpfs_t;
files_tmpfs_file(httpd_tmpfs_t)
@@ -5499,7 +5617,7 @@ index 6649962..6ae8921 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -346,33 +432,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
+@@ -346,33 +440,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
@@ -5544,13 +5662,14 @@ index 6649962..6ae8921 100644
+# Apache server local policy
#
- allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
+-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
-dontaudit httpd_t self:capability net_admin;
++allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot };
+dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
-@@ -381,30 +474,38 @@ allow httpd_t self:shm create_shm_perms;
+@@ -381,30 +482,39 @@ allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive };
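Review bot: The rewritten capability line adds `sys_chroot` to httpd_t unconditionally, so every Apache process may call chroot() whether or not the deployment uses a chroot feature. Nothing in the hunk says which module or configuration needs it. I would either move it behind a dedicated boolean that defaults to off, or at least precede the rule with a comment naming the consumer, such as `# sys_chroot: required by <module/feature>, see <bug reference>`. Separately, `sys_tty_config` appears in both the allow set and the dontaudit set on the following line; the dontaudit entry has no effect there and could be dropped.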
@@ -5587,6 +5706,7 @@ index 6649962..6ae8921 100644
create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
++setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+# cjp: need to refine create interfaces to
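Review bot: The added `setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)` widens what was a create/append/read-only grant on the web server's own logs. With setattr, httpd_t can change mode, ownership and timestamps on httpd_log_t files, which weakens the append-only intent of the surrounding rules from a forensic point of view. The rule needs a comment stating what requires it, such as `# setattr: <component> chmods its log after creation (reference the bug here)`. If only a helper such as a log rotator needs this, the permission belongs on that helper's domain instead.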
@@ -5594,7 +5714,7 @@ index 6649962..6ae8921 100644
logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms;
-@@ -412,14 +513,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+@@ -412,14 +522,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@@ -5616,7 +5736,7 @@ index 6649962..6ae8921 100644
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -450,140 +558,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -450,140 +567,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -5854,7 +5974,7 @@ index 6649962..6ae8921 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -594,28 +734,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -594,28 +743,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -5914,7 +6034,7 @@ index 6649962..6ae8921 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +786,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +795,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -6005,7 +6125,7 @@ index 6649962..6ae8921 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -695,49 +833,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,49 +842,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -6026,17 +6146,17 @@ index 6649962..6ae8921 100644
- userdom_use_user_terminals(httpd_t)
-',`
- userdom_dontaudit_use_user_terminals(httpd_t)
-+ userdom_use_inherited_user_terminals(httpd_t)
-+ userdom_use_inherited_user_terminals(httpd_suexec_t)
- ')
-
+-')
+-
-tunable_policy(`httpd_use_cifs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_cifs_dirs(httpd_t)
- fs_manage_cifs_files(httpd_t)
- fs_manage_cifs_symlinks(httpd_t)
--')
--
++ userdom_use_inherited_user_terminals(httpd_t)
++ userdom_use_inherited_user_terminals(httpd_suexec_t)
+ ')
+
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_t)
-')
@@ -6086,7 +6206,7 @@ index 6649962..6ae8921 100644
')
optional_policy(`
-@@ -749,24 +886,32 @@ optional_policy(`
+@@ -749,24 +895,32 @@ optional_policy(`
')
optional_policy(`
@@ -6125,7 +6245,7 @@ index 6649962..6ae8921 100644
')
optional_policy(`
-@@ -775,6 +920,10 @@ optional_policy(`
+@@ -775,6 +929,10 @@ optional_policy(`
tunable_policy(`httpd_dbus_avahi',`
avahi_dbus_chat(httpd_t)
')
@@ -6136,7 +6256,7 @@ index 6649962..6ae8921 100644
')
optional_policy(`
-@@ -786,35 +935,55 @@ optional_policy(`
+@@ -786,35 +944,55 @@ optional_policy(`
')
optional_policy(`
@@ -6205,7 +6325,7 @@ index 6649962..6ae8921 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -822,8 +991,18 @@ optional_policy(`
+@@ -822,8 +1000,18 @@ optional_policy(`
')
optional_policy(`
@@ -6224,7 +6344,7 @@ index 6649962..6ae8921 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -832,6 +1011,7 @@ optional_policy(`
+@@ -832,6 +1020,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -6232,7 +6352,7 @@ index 6649962..6ae8921 100644
')
optional_policy(`
-@@ -842,20 +1022,39 @@ optional_policy(`
+@@ -842,20 +1031,39 @@ optional_policy(`
')
optional_policy(`
@@ -6278,7 +6398,7 @@ index 6649962..6ae8921 100644
')
optional_policy(`
-@@ -863,19 +1062,35 @@ optional_policy(`
+@@ -863,19 +1071,35 @@ optional_policy(`
')
optional_policy(`
@@ -6314,7 +6434,7 @@ index 6649962..6ae8921 100644
udev_read_db(httpd_t)
')
-@@ -883,65 +1098,173 @@ optional_policy(`
+@@ -883,65 +1107,183 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6382,16 +6502,25 @@ index 6649962..6ae8921 100644
+ ')
+')
+
++optional_policy(`
++ tunable_policy(`httpd_run_preupgrade', `
++ anaconda_manage_lib_files_preupgrade(httpd_t)
++ anaconda_domtrans_preupgrade(httpd_t)
++ ',`
++ anaconda_read_lib_files_preupgrade(httpd_t)
++ anaconda_exec_preupgrade(httpd_t)
++ ')
++')
++
tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_helper_t)
-',`
- userdom_dontaudit_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
- ')
-
- ########################################
- #
--# Suexec local policy
++')
++
++########################################
++#
+# Apache PHP script local policy
+#
+
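Review bot: The else branch of the new `httpd_run_preupgrade` block still grants `anaconda_read_lib_files_preupgrade(httpd_t)` and `anaconda_exec_preupgrade(httpd_t)` when the boolean is off. The boolean therefore does not gate whether Apache may run preupgrade, only whether it runs inside httpd_t or transitions. With the boolean on, httpd_t gets `anaconda_domtrans_preupgrade(httpd_t)` into preupgrade_t, which the anaconda.te part of this commit marks unconfined, plus manage access to preupgrade_data_t. I would drop the else branch so the default grants nothing. A comment above the block should also state the impact, such as `# httpd_run_preupgrade lets httpd_t enter preupgrade_t (currently unconfined); leave off unless httpd must launch preupgrade`.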
@@ -6450,10 +6579,11 @@ index 6649962..6ae8921 100644
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t)
+ ')
-+')
-+
-+########################################
-+#
+ ')
+
+ ########################################
+ #
+-# Suexec local policy
+# Apache suexec local policy
#
@@ -6510,7 +6640,7 @@ index 6649962..6ae8921 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -950,123 +1273,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1292,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6665,7 +6795,7 @@ index 6649962..6ae8921 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1357,106 @@ optional_policy(`
+@@ -1083,172 +1376,106 @@ optional_policy(`
')
')
@@ -6690,11 +6820,11 @@ index 6649962..6ae8921 100644
-
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
--
--kernel_dontaudit_search_sysctl(httpd_script_domains)
--kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
+allow httpd_sys_script_t self:process getsched;
+-kernel_dontaudit_search_sysctl(httpd_script_domains)
+-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
+-
-corenet_all_recvfrom_unlabeled(httpd_script_domains)
-corenet_all_recvfrom_netlabel(httpd_script_domains)
-corenet_tcp_sendrecv_generic_if(httpd_script_domains)
@@ -6783,6 +6913,15 @@ index 6649962..6ae8921 100644
- corenet_sendrecv_oracledb_client_packets(httpd_script_domains)
- corenet_tcp_connect_oracledb_port(httpd_script_domains)
- corenet_tcp_sendrecv_oracledb_port(httpd_script_domains)
+-')
+-
+-optional_policy(`
+- mysql_read_config(httpd_script_domains)
+- mysql_stream_connect(httpd_script_domains)
+-
+- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+- mysql_tcp_connect(httpd_script_domains)
+- ')
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_gds_db_port(httpd_sys_script_t)
+ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
@@ -6792,21 +6931,12 @@ index 6649962..6ae8921 100644
')
-optional_policy(`
-- mysql_read_config(httpd_script_domains)
-- mysql_stream_connect(httpd_script_domains)
--
-- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-- mysql_tcp_connect(httpd_script_domains)
-- ')
--')
+- postgresql_stream_connect(httpd_script_domains)
+fs_cifs_entry_type(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+fs_nfs_entry_type(httpd_sys_script_t)
+fs_rw_anon_inodefs_files(httpd_sys_script_t)
--optional_policy(`
-- postgresql_stream_connect(httpd_script_domains)
--
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_script_domains)
- ')
@@ -6843,8 +6973,7 @@ index 6649962..6ae8921 100644
-allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
-allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms;
-allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-
+-
-kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -6856,7 +6985,8 @@ index 6649962..6ae8921 100644
-apache_domtrans_rotatelogs(httpd_sys_script_t)
-
-auth_use_nsswitch(httpd_sys_script_t)
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+
-tunable_policy(`httpd_can_sendmail',`
- corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_smtp_port(httpd_sys_script_t)
@@ -6902,7 +7032,7 @@ index 6649962..6ae8921 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1464,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1483,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6999,7 +7129,7 @@ index 6649962..6ae8921 100644
########################################
#
-@@ -1321,8 +1539,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1558,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -7016,7 +7146,7 @@ index 6649962..6ae8921 100644
')
########################################
-@@ -1330,49 +1555,38 @@ optional_policy(`
+@@ -1330,49 +1574,38 @@ optional_policy(`
# User content local policy
#
@@ -7081,7 +7211,7 @@ index 6649962..6ae8921 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1596,100 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1615,101 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -7142,7 +7272,7 @@ index 6649962..6ae8921 100644
-allow httpd_gpg_t httpd_t:process sigchld;
+allow httpd_t httpd_script_exec_type:file read_file_perms;
+allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
-+allow httpd_t httpd_script_type:process { signal sigkill sigstop };
++allow httpd_t httpd_script_type:process { signal sigkill sigstop signull };
+allow httpd_t httpd_script_exec_type:dir list_dir_perms;
-dev_read_rand(httpd_gpg_t)
@@ -7158,6 +7288,7 @@ index 6649962..6ae8921 100644
-miscfiles_read_localization(httpd_gpg_t)
+dontaudit httpd_script_type httpd_t:tcp_socket { read write };
++dontaudit httpd_script_type httpd_t:unix_stream_socket { read write };
-tunable_policy(`httpd_gpg_anon_write',`
- miscfiles_manage_public_files(httpd_gpg_t)
@@ -8176,7 +8307,7 @@ index f24e369..9bce868 100644
+ allow $1 automount_unit_file_t:service all_service_perms;
')
diff --git a/automount.te b/automount.te
-index 27d2f40..5eec4ff 100644
+index 27d2f40..daed3ef 100644
--- a/automount.te
+++ b/automount.te
@@ -22,6 +22,9 @@ type automount_tmp_t;
@@ -8207,7 +8338,15 @@ index 27d2f40..5eec4ff 100644
corenet_all_recvfrom_netlabel(automount_t)
corenet_tcp_sendrecv_generic_if(automount_t)
corenet_udp_sendrecv_generic_if(automount_t)
-@@ -101,7 +104,6 @@ files_mount_all_file_type_fs(automount_t)
+@@ -91,6 +94,7 @@ corenet_udp_bind_all_rpc_ports(automount_t)
+
+ files_dontaudit_write_var_dirs(automount_t)
+ files_getattr_all_dirs(automount_t)
++files_getattr_all_files(automount_t)
+ files_getattr_default_dirs(automount_t)
+ files_getattr_home_dir(automount_t)
+ files_getattr_isid_type_dirs(automount_t)
+@@ -101,7 +105,6 @@ files_mount_all_file_type_fs(automount_t)
files_mounton_all_mountpoints(automount_t)
files_mounton_mnt(automount_t)
files_read_etc_runtime_files(automount_t)
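Review bot: `files_getattr_all_files(automount_t)` is added with no comment, and by its name it extends automount's stat access from all directories to every file type on the system. The neighbouring rules are scoped to directories and mount points, so this line stands out. It deserves a one-line justification such as `# automount stats map targets that may be regular files (reference the bug here)`. If the denials that motivated it involve only a few types, a narrower interface for those types would fit better.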
@@ -8215,7 +8354,7 @@ index 27d2f40..5eec4ff 100644
files_search_boot(automount_t)
files_search_all(automount_t)
files_unmount_all_file_type_fs(automount_t)
-@@ -113,6 +115,7 @@ fs_manage_autofs_symlinks(automount_t)
+@@ -113,6 +116,7 @@ fs_manage_autofs_symlinks(automount_t)
fs_mount_all_fs(automount_t)
fs_mount_autofs(automount_t)
fs_read_nfs_files(automount_t)
@@ -8223,7 +8362,7 @@ index 27d2f40..5eec4ff 100644
fs_search_all(automount_t)
fs_search_auto_mountpoints(automount_t)
fs_unmount_all_fs(automount_t)
-@@ -135,15 +138,18 @@ auth_use_nsswitch(automount_t)
+@@ -135,15 +139,18 @@ auth_use_nsswitch(automount_t)
logging_send_syslog_msg(automount_t)
logging_search_logs(automount_t)
@@ -8246,7 +8385,7 @@ index 27d2f40..5eec4ff 100644
fstools_domtrans(automount_t)
')
-@@ -166,3 +172,8 @@ optional_policy(`
+@@ -166,3 +173,8 @@ optional_policy(`
optional_policy(`
udev_read_db(automount_t)
')
@@ -11932,7 +12071,7 @@ index 32e8265..0de4af3 100644
+ allow $1 chronyd_unit_file_t:service all_service_perms;
')
diff --git a/chronyd.te b/chronyd.te
-index e5b621c..2ec82ae 100644
+index e5b621c..e7c249d 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@@ -11963,7 +12102,7 @@ index e5b621c..2ec82ae 100644
allow chronyd_t chronyd_keys_t:file read_file_perms;
manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
-@@ -76,18 +83,19 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+@@ -76,18 +83,20 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
corenet_udp_bind_chronyd_port(chronyd_t)
corenet_udp_sendrecv_chronyd_port(chronyd_t)
@@ -11971,6 +12110,7 @@ index e5b621c..2ec82ae 100644
+
+dev_read_rand(chronyd_t)
+dev_read_urand(chronyd_t)
++dev_read_sysfs(chronyd_t)
+
dev_rw_realtime_clock(chronyd_t)
@@ -24690,6 +24830,19 @@ index 0aabc7e..71459e8 100644
+ # Handle sieve scripts
sendmail_domtrans(dovecot_deliver_t)
')
+diff --git a/drbd.fc b/drbd.fc
+index 671a3fb..c781675 100644
+--- a/drbd.fc
++++ b/drbd.fc
+@@ -3,7 +3,7 @@
+ /sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
+ /sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
+
+-/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)
++/usr/lib/ocf/resource\.d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)
+
+ /usr/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
+ /usr/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
diff --git a/drbd.if b/drbd.if
index 9a21639..26c5986 100644
--- a/drbd.if
@@ -26838,10 +26991,10 @@ index 0000000..dc94853
+
diff --git a/freeipmi.te b/freeipmi.te
new file mode 100644
-index 0000000..43a12cb
+index 0000000..431dda0
--- /dev/null
+++ b/freeipmi.te
-@@ -0,0 +1,70 @@
+@@ -0,0 +1,73 @@
+policy_module(freeipmi, 1.0.0)
+
+########################################
@@ -26881,6 +27034,10 @@ index 0000000..43a12cb
+manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
+files_var_lib_filetrans(freeipmi_domain, freeipmi_var_lib_t, { dir })
+
++dev_read_rand(freeipmi_domain)
++dev_read_urand(freeipmi_domain)
++dev_rw_ipmi_dev(freeipmi_domain)
++
+sysnet_dns_name_resolve(freeipmi_domain)
+
+#######################################
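Review bot: `dev_rw_ipmi_dev(freeipmi_domain)` gives read/write on the IPMI device to every type carrying the `freeipmi_domain` attribute, whereas the previous revision granted it only to `freeipmi_bmc_watchdog_t` (that line is dropped in the next hunk). If only some of the freeipmi daemons actually open the device, one line per denied type, e.g. `dev_rw_ipmi_dev(freeipmi_bmc_watchdog_t)`, keeps the attribute block limited to what all members need. The attribute's member types are declared outside this hunk, so the set of domains that gain the access should be checked against those declarations before widening.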
@@ -26891,7 +27048,6 @@ index 0000000..43a12cb
+files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid")
+
+dev_read_raw_memory(freeipmi_bmc_watchdog_t)
-+dev_rw_ipmi_dev(freeipmi_bmc_watchdog_t)
+
+#######################################
+#
@@ -28531,7 +28687,7 @@ index 9eacb2c..229782f 100644
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
domain_system_change_exemption($1)
diff --git a/glance.te b/glance.te
-index 5cd0909..337e872 100644
+index 5cd0909..a304d35 100644
--- a/glance.te
+++ b/glance.te
@@ -7,8 +7,7 @@ policy_module(glance, 1.1.0)
@@ -28565,7 +28721,7 @@ index 5cd0909..337e872 100644
allow glance_domain self:fifo_file rw_fifo_file_perms;
allow glance_domain self:unix_stream_socket create_stream_socket_perms;
allow glance_domain self:tcp_socket { accept listen };
-@@ -56,27 +58,23 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+@@ -56,29 +58,29 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
@@ -28596,8 +28752,14 @@ index 5cd0909..337e872 100644
-
sysnet_dns_name_resolve(glance_domain)
++optional_policy(`
++ mysql_read_db_lnk_files(glance_domain)
++')
++
########################################
-@@ -88,8 +86,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
+ #
+ # Registry local policy
+@@ -88,8 +90,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
@@ -28612,7 +28774,7 @@ index 5cd0909..337e872 100644
logging_send_syslog_msg(glance_registry_t)
-@@ -108,13 +112,22 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+@@ -108,13 +116,24 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
can_exec(glance_api_t, glance_tmp_t)
@@ -28631,6 +28793,8 @@ index 5cd0909..337e872 100644
+corenet_tcp_connect_http_port(glance_api_t)
+
+corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
++corenet_tcp_connect_commplex_main_port(glance_api_t)
++corenet_tcp_connect_http_cache_port(glance_api_t)
+
+corenet_sendrecv_hplip_server_packets(glance_api_t)
+corenet_tcp_bind_hplip_port(glance_api_t)
@@ -31330,7 +31494,7 @@ index ab09d61..5f39122 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
')
diff --git a/gnome.te b/gnome.te
-index 63893eb..8720f49 100644
+index 63893eb..d759604 100644
--- a/gnome.te
+++ b/gnome.te
@@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0)
@@ -31369,7 +31533,7 @@ index 63893eb..8720f49 100644
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -31,105 +50,226 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
+@@ -31,105 +50,225 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
userdom_user_application_domain(gconfd_t, gconfd_exec_t)
role gconfd_roles types gconfd_t;
@@ -31589,7 +31753,6 @@ index 63893eb..8720f49 100644
+filetrans_pattern(gkeyringd_domain, gconf_home_t, data_home_t, dir, "share")
+filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
+filetrans_pattern(gkeyringd_domain, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
-+filetrans_pattern(gkeyringd_domain, gnome_home_t, data_home_t, dir, "keyrings")
-manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
-manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
@@ -34331,7 +34494,7 @@ index 08b7560..417e630 100644
+/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service -- gen_context(system_u:object_r:iscsi_unit_file_t,s0)
+/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket -- gen_context(system_u:object_r:iscsi_unit_file_t,s0)
diff --git a/iscsi.if b/iscsi.if
-index 1a35420..2ea1241 100644
+index 1a35420..a7e1562 100644
--- a/iscsi.if
+++ b/iscsi.if
@@ -22,6 +22,27 @@ interface(`iscsid_domtrans',`
@@ -34362,7 +34525,7 @@ index 1a35420..2ea1241 100644
## iscsid sempaphores.
##
##