diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 9bb7547..123e1ed 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -31994,10 +31994,10 @@ index 0000000..595f756
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..a4b0917
+index 0000000..8b02900
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1041 @@
+@@ -0,0 +1,1043 @@
+## <summary>SELinux policy for systemd components</summary>
+
+#######################################
@@ -33016,12 +33016,13 @@ index 0000000..a4b0917
+
+ allow $1 systemd_timedated_t:dbus send_msg;
+ allow systemd_timedated_t $1:dbus send_msg;
++ ps_process_pattern(systemd_hostnamed_t, $1)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
-+## systemd hostnamed over dbus.
++## systemd timedated over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -33037,14 +33038,15 @@ index 0000000..a4b0917
+
+ allow $1 systemd_hostnamed_t:dbus send_msg;
+ allow systemd_hostnamed_t $1:dbus send_msg;
++ ps_process_pattern(systemd_hostnamed_t, $1)
+')
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..6c712b8
+index 0000000..913fc52
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,618 @@
+@@ -0,0 +1,620 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -33521,6 +33523,8 @@ index 0000000..6c712b8
+seutil_read_config(systemd_localed_t)
+seutil_read_file_contexts(systemd_localed_t)
+
++logging_stream_connect_syslog(systemd_localed_t)
++
+miscfiles_manage_localization(systemd_localed_t)
+miscfiles_etc_filetrans_localization(systemd_localed_t)
+
@@ -35034,7 +35038,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..4efa151 100644
+index 3c5dba7..c270e54 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -35050,7 +35054,7 @@ index 3c5dba7..4efa151 100644
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
domain_user_exemption_target($1_t)
-@@ -44,79 +46,132 @@ template(`userdom_base_user_template',`
+@@ -44,79 +46,133 @@ template(`userdom_base_user_template',`
term_user_pty($1_t, user_devpts_t)
term_user_tty($1_t, user_tty_device_t)
@@ -35202,6 +35206,7 @@ index 3c5dba7..4efa151 100644
+ miscfiles_read_public_files($1_usertype)
- tunable_policy(`allow_execmem',`
++ systemd_dbus_chat_hostnamed($1_usertype)
+ systemd_dbus_chat_logind($1_usertype)
+ systemd_read_logind_sessions_files($1_usertype)
+ systemd_write_inhibit_pipes($1_usertype)
@@ -35235,7 +35240,7 @@ index 3c5dba7..4efa151 100644
')
#######################################
-@@ -150,6 +205,8 @@ interface(`userdom_ro_home_role',`
+@@ -150,6 +206,8 @@ interface(`userdom_ro_home_role',`
type user_home_t, user_home_dir_t;
')
@@ -35244,7 +35249,7 @@ index 3c5dba7..4efa151 100644
##############################
#
# Domain access to home dir
-@@ -167,27 +224,6 @@ interface(`userdom_ro_home_role',`
+@@ -167,27 +225,6 @@ interface(`userdom_ro_home_role',`
read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
files_list_home($2)
@@ -35272,7 +35277,7 @@ index 3c5dba7..4efa151 100644
')
#######################################
-@@ -219,8 +255,11 @@ interface(`userdom_ro_home_role',`
+@@ -219,8 +256,11 @@ interface(`userdom_ro_home_role',`
interface(`userdom_manage_home_role',`
gen_require(`
type user_home_t, user_home_dir_t;
@@ -35284,7 +35289,7 @@ index 3c5dba7..4efa151 100644
##############################
#
# Domain access to home dir
-@@ -229,43 +268,47 @@ interface(`userdom_manage_home_role',`
+@@ -229,43 +269,47 @@ interface(`userdom_manage_home_role',`
type_member $2 user_home_dir_t:dir user_home_dir_t;
# full control of the home directory
@@ -35348,7 +35353,7 @@ index 3c5dba7..4efa151 100644
')
')
-@@ -273,6 +316,25 @@ interface(`userdom_manage_home_role',`
+@@ -273,6 +317,25 @@ interface(`userdom_manage_home_role',`
## <summary>
## Manage user temporary files
## </summary>
@@ -35374,7 +35379,7 @@ index 3c5dba7..4efa151 100644
## <param name="role">
## <summary>
## Role allowed access.
-@@ -287,17 +349,64 @@ interface(`userdom_manage_home_role',`
+@@ -287,17 +350,64 @@ interface(`userdom_manage_home_role',`
#
interface(`userdom_manage_tmp_role',`
gen_require(`
@@ -35444,7 +35449,7 @@ index 3c5dba7..4efa151 100644
')
#######################################
-@@ -317,11 +426,31 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -317,11 +427,31 @@ interface(`userdom_exec_user_tmp_files',`
')
exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -35476,7 +35481,7 @@ index 3c5dba7..4efa151 100644
## Role access for the user tmpfs type
## that the user has full access.
## </summary>
-@@ -348,59 +477,60 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -348,59 +478,60 @@ interface(`userdom_exec_user_tmp_files',`
#
interface(`userdom_manage_tmpfs_role',`
gen_require(`
@@ -35567,7 +35572,7 @@ index 3c5dba7..4efa151 100644
')
#######################################
-@@ -431,6 +561,7 @@ template(`userdom_xwindows_client_template',`
+@@ -431,6 +562,7 @@ template(`userdom_xwindows_client_template',`
dev_dontaudit_rw_dri($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
@@ -35575,7 +35580,7 @@ index 3c5dba7..4efa151 100644
xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
xserver_xsession_entry_type($1_t)
-@@ -463,8 +594,8 @@ template(`userdom_change_password_template',`
+@@ -463,8 +595,8 @@ template(`userdom_change_password_template',`
')
optional_policy(`
@@ -35586,7 +35591,7 @@ index 3c5dba7..4efa151 100644
')
')
-@@ -491,7 +622,8 @@ template(`userdom_common_user_template',`
+@@ -491,7 +623,8 @@ template(`userdom_common_user_template',`
attribute unpriv_userdomain;
')
@@ -35596,7 +35601,7 @@ index 3c5dba7..4efa151 100644
##############################
#
-@@ -501,41 +633,51 @@ template(`userdom_common_user_template',`
+@@ -501,41 +634,51 @@ template(`userdom_common_user_template',`
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -35671,7 +35676,7 @@ index 3c5dba7..4efa151 100644
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
-@@ -546,93 +688,121 @@ template(`userdom_common_user_template',`
+@@ -546,93 +689,121 @@ template(`userdom_common_user_template',`
selinux_compute_user_contexts($1_t)
# for eject
@@ -35831,7 +35836,7 @@ index 3c5dba7..4efa151 100644
')
optional_policy(`
-@@ -646,19 +816,17 @@ template(`userdom_common_user_template',`
+@@ -646,19 +817,17 @@ template(`userdom_common_user_template',`
# for running depmod as part of the kernel packaging process
optional_policy(`
@@ -35856,7 +35861,7 @@ index 3c5dba7..4efa151 100644
mysql_stream_connect($1_t)
')
')
-@@ -671,7 +839,7 @@ template(`userdom_common_user_template',`
+@@ -671,7 +840,7 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -35865,7 +35870,7 @@ index 3c5dba7..4efa151 100644
')
optional_policy(`
-@@ -680,9 +848,9 @@ template(`userdom_common_user_template',`
+@@ -680,9 +849,9 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -35878,7 +35883,7 @@ index 3c5dba7..4efa151 100644
')
')
-@@ -693,32 +861,36 @@ template(`userdom_common_user_template',`
+@@ -693,32 +862,36 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -35926,7 +35931,7 @@ index 3c5dba7..4efa151 100644
')
')
-@@ -743,17 +915,33 @@ template(`userdom_common_user_template',`
+@@ -743,17 +916,33 @@ template(`userdom_common_user_template',`
template(`userdom_login_user_template', `
gen_require(`
class context contains;
@@ -35965,7 +35970,7 @@ index 3c5dba7..4efa151 100644
userdom_change_password_template($1)
-@@ -761,82 +949,100 @@ template(`userdom_login_user_template', `
+@@ -761,82 +950,100 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@@ -36102,7 +36107,7 @@ index 3c5dba7..4efa151 100644
')
')
-@@ -868,6 +1074,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1075,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -36115,7 +36120,7 @@ index 3c5dba7..4efa151 100644
##############################
#
# Local policy
-@@ -908,41 +1120,97 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -908,41 +1121,97 @@ template(`userdom_restricted_xwindows_user_template',`
# Local policy
#
@@ -36226,7 +36231,7 @@ index 3c5dba7..4efa151 100644
')
optional_policy(`
-@@ -951,12 +1219,30 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -951,12 +1220,30 @@ template(`userdom_restricted_xwindows_user_template',`
')
optional_policy(`
@@ -36258,7 +36263,7 @@ index 3c5dba7..4efa151 100644
')
#######################################
-@@ -990,27 +1276,33 @@ template(`userdom_unpriv_user_template', `
+@@ -990,27 +1277,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -36296,7 +36301,7 @@ index 3c5dba7..4efa151 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -1021,23 +1313,57 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,23 +1314,57 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -36364,7 +36369,7 @@ index 3c5dba7..4efa151 100644
')
# Run pppd in pppd_t by default for user
-@@ -1046,7 +1372,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1046,7 +1373,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -36375,7 +36380,7 @@ index 3c5dba7..4efa151 100644
')
')
-@@ -1082,7 +1410,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1082,7 +1411,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -36384,7 +36389,7 @@ index 3c5dba7..4efa151 100644
')
##############################
-@@ -1109,6 +1437,7 @@ template(`userdom_admin_user_template',`
+@@ -1109,6 +1438,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -36392,7 +36397,7 @@ index 3c5dba7..4efa151 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1117,6 +1446,9 @@ template(`userdom_admin_user_template',`
+@@ -1117,6 +1447,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -36402,7 +36407,7 @@ index 3c5dba7..4efa151 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1131,6 +1463,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1464,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -36410,7 +36415,7 @@ index 3c5dba7..4efa151 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1148,10 +1481,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1482,14 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -36425,7 +36430,7 @@ index 3c5dba7..4efa151 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1162,30 +1499,39 @@ template(`userdom_admin_user_template',`
+@@ -1162,30 +1500,39 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -36470,7 +36475,7 @@ index 3c5dba7..4efa151 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
# cannot directly manipulate policy files with arbitrary programs.
-@@ -1194,6 +1540,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1541,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -36479,7 +36484,7 @@ index 3c5dba7..4efa151 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1549,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1550,17 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -36498,7 +36503,7 @@ index 3c5dba7..4efa151 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1253,6 +1605,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1606,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -36507,7 +36512,7 @@ index 3c5dba7..4efa151 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1265,8 +1619,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1620,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -36519,7 +36524,7 @@ index 3c5dba7..4efa151 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1277,29 +1633,31 @@ template(`userdom_security_admin_template',`
+@@ -1277,29 +1634,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -36562,7 +36567,7 @@ index 3c5dba7..4efa151 100644
')
optional_policy(`
-@@ -1360,14 +1718,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1719,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -36581,7 +36586,7 @@ index 3c5dba7..4efa151 100644
')
########################################
-@@ -1408,6 +1769,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1770,51 @@ interface(`userdom_user_tmpfs_file',`
## <summary>
## Allow domain to attach to TUN devices created by administrative users.
## </summary>
@@ -36633,7 +36638,7 @@ index 3c5dba7..4efa151 100644
## <param name="domain">
## <summary>
## Domain allowed access.
-@@ -1512,11 +1918,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1919,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -36665,7 +36670,7 @@ index 3c5dba7..4efa151 100644
## Do not audit attempts to search user home directories.
## </summary>
## <desc>
-@@ -1558,6 +1984,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +1985,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -36680,7 +36685,7 @@ index 3c5dba7..4efa151 100644
')
########################################
-@@ -1573,9 +2007,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +2008,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -36692,7 +36697,7 @@ index 3c5dba7..4efa151 100644
')
########################################
-@@ -1632,6 +2068,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2069,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -36735,7 +36740,7 @@ index 3c5dba7..4efa151 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1711,6 +2183,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2184,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -36744,7 +36749,7 @@ index 3c5dba7..4efa151 100644
')
########################################
-@@ -1744,10 +2218,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2219,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -36759,7 +36764,7 @@ index 3c5dba7..4efa151 100644
')
########################################
-@@ -1772,7 +2248,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2249,7 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
## <summary>
@@ -36768,7 +36773,7 @@ index 3c5dba7..4efa151 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1780,19 +2256,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1780,19 +2257,17 @@ interface(`userdom_manage_user_home_content_dirs',`
## </summary>
## </param>
#
@@ -36792,7 +36797,7 @@ index 3c5dba7..4efa151 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1800,31 +2274,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1800,31 +2275,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
## </summary>
## </param>
#
@@ -36832,7 +36837,7 @@ index 3c5dba7..4efa151 100644
')
########################################
-@@ -1848,6 +2322,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2323,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@@ -36858,7 +36863,7 @@ index 3c5dba7..4efa151 100644
## Mmap user home files.
## </summary>
## <param name="domain">
-@@ -1878,14 +2371,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2372,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -36896,7 +36901,7 @@ index 3c5dba7..4efa151 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1896,11 +2411,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2412,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -36914,7 +36919,7 @@ index 3c5dba7..4efa151 100644
')
########################################
-@@ -1941,7 +2459,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1941,7 +2460,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
## <summary>
@@ -36941,7 +36946,7 @@ index 3c5dba7..4efa151 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1951,17 +2487,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1951,17 +2488,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
#
interface(`userdom_delete_all_user_home_content_files',`
gen_require(`
@@ -36962,7 +36967,7 @@ index 3c5dba7..4efa151 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1969,12 +2503,48 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1969,12 +2504,48 @@ interface(`userdom_delete_all_user_home_content_files',`
## </summary>
## </param>
#
@@ -37013,7 +37018,7 @@ index 3c5dba7..4efa151 100644
')
########################################
-@@ -2010,8 +2580,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2010,8 +2581,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -37023,7 +37028,7 @@ index 3c5dba7..4efa151 100644
')
########################################
-@@ -2027,20 +2596,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2027,20 +2597,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -37048,7 +37053,7 @@ index 3c5dba7..4efa151 100644
########################################
## <summary>
-@@ -2123,7 +2686,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2123,7 +2687,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
## <summary>
@@ -37057,7 +37062,7 @@ index 3c5dba7..4efa151 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2131,19 +2694,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2695,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
## </summary>
## </param>
#
@@ -37081,7 +37086,7 @@ index 3c5dba7..4efa151 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2151,12 +2712,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2713,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
## </summary>
## </param>
#
@@ -37097,7 +37102,7 @@ index 3c5dba7..4efa151 100644
')
########################################
-@@ -2393,11 +2954,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +2955,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -37112,7 +37117,7 @@ index 3c5dba7..4efa151 100644
files_search_tmp($1)
')
-@@ -2417,7 +2978,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +2979,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -37121,7 +37126,7 @@ index 3c5dba7..4efa151 100644
')
########################################
-@@ -2664,6 +3225,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3226,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -37147,7 +37152,7 @@ index 3c5dba7..4efa151 100644
########################################
## <summary>
## Read user tmpfs files.
-@@ -2680,13 +3260,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3261,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -37163,7 +37168,7 @@ index 3c5dba7..4efa151 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2707,7 +3288,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3289,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -37172,7 +37177,7 @@ index 3c5dba7..4efa151 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2715,19 +3296,17 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,19 +3297,17 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -37195,7 +37200,7 @@ index 3c5dba7..4efa151 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2735,21 +3314,39 @@ interface(`userdom_manage_user_tmpfs_files',`
+@@ -2735,21 +3315,39 @@ interface(`userdom_manage_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -37240,7 +37245,7 @@ index 3c5dba7..4efa151 100644
## </summary>
## </param>
#
-@@ -2817,6 +3414,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2817,6 +3415,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -37265,7 +37270,7 @@ index 3c5dba7..4efa151 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
-@@ -2835,22 +3450,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3451,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@@ -37308,7 +37313,7 @@ index 3c5dba7..4efa151 100644
## </desc>
## <param name="domain">
## <summary>
-@@ -2859,14 +3486,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3487,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@@ -37346,7 +37351,7 @@ index 3c5dba7..4efa151 100644
')
########################################
-@@ -2885,8 +3531,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3532,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -37376,7 +37381,7 @@ index 3c5dba7..4efa151 100644
')
########################################
-@@ -2958,69 +3623,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3624,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -37477,7 +37482,7 @@ index 3c5dba7..4efa151 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3028,12 +3692,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3693,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@@ -37492,7 +37497,7 @@ index 3c5dba7..4efa151 100644
')
########################################
-@@ -3097,7 +3761,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3762,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -37501,7 +37506,7 @@ index 3c5dba7..4efa151 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3113,29 +3777,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3778,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -37535,7 +37540,7 @@ index 3c5dba7..4efa151 100644
')
########################################
-@@ -3217,7 +3865,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3866,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -37544,7 +37549,7 @@ index 3c5dba7..4efa151 100644
')
########################################
-@@ -3272,7 +3920,64 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +3921,64 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -37610,7 +37615,7 @@ index 3c5dba7..4efa151 100644
')
########################################
-@@ -3290,7 +3995,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3290,7 +3996,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -37619,7 +37624,7 @@ index 3c5dba7..4efa151 100644
')
########################################
-@@ -3309,6 +4014,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3309,6 +4015,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -37627,7 +37632,7 @@ index 3c5dba7..4efa151 100644
kernel_search_proc($1)
')
-@@ -3385,6 +4091,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,6 +4092,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -37670,7 +37675,7 @@ index 3c5dba7..4efa151 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4147,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4148,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -37695,7 +37700,7 @@ index 3c5dba7..4efa151 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3439,3 +4199,1365 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3439,3 +4200,1365 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index c71d3e6..cb0c0a9 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -64,7 +64,7 @@ index e4f84de..94697ea 100644
+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/abrt.if b/abrt.if
-index 058d908..cce58bb 100644
+index 058d908..b7620e3 100644
--- a/abrt.if
+++ b/abrt.if
@@ -1,4 +1,26 @@
@@ -314,7 +314,7 @@ index 058d908..cce58bb 100644
+ ')
+
+ systemd_exec_systemctl($1)
-+ allow $1 abrt_unit_file_t:file read_file_perms;
++ allow $1 abrt_unit_file_t:file manage_file_perms;
+ allow $1 abrt_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, abrt_t)
@@ -16924,7 +16924,7 @@ index dda905b..31f269b 100644
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
-index afcf3a2..90299b3 100644
+index afcf3a2..0730306 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
@@ -17409,7 +17409,7 @@ index afcf3a2..90299b3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -543,33 +387,57 @@ interface(`dbus_system_bus_unconfined',`
+@@ -543,33 +387,24 @@ interface(`dbus_system_bus_unconfined',`
#
interface(`dbus_system_domain',`
gen_require(`
@@ -17425,122 +17425,114 @@ index afcf3a2..90299b3 100644
- role system_r types $1;
-
domtrans_pattern(system_dbusd_t, $2, $1)
-+')
- dbus_system_bus_client($1)
- dbus_connect_system_bus($1)
-
- ps_process_pattern(system_dbusd_t, $1)
-+########################################
-+## <summary>
-+## Use and inherit system DBUS file descriptors.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dbus_use_system_bus_fds',`
-+ gen_require(`
-+ type system_dbusd_t;
-+ ')
-
+-
- userdom_read_all_users_state($1)
-+ allow $1 system_dbusd_t:fd use;
-+')
++ ps_process_pattern($1, system_dbusd_t)
- ifdef(`hide_broken_symptoms', `
- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
-+########################################
-+## <summary>
-+## Allow unconfined access to the system DBUS.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dbus_unconfined',`
-+ gen_require(`
-+ attribute dbusd_unconfined;
- ')
-+
-+ typeattribute $1 dbusd_unconfined;
+- ')
')
########################################
## <summary>
-## Use and inherit DBUS system bus
-## file descriptors.
-+## Delete all dbus pid files
++## Use and inherit system DBUS file descriptors.
## </summary>
## <param name="domain">
## <summary>
-@@ -577,18 +445,20 @@ interface(`dbus_system_domain',`
- ## </summary>
- ## </param>
- #
--interface(`dbus_use_system_bus_fds',`
-+interface(`dbus_delete_pid_files',`
- gen_require(`
-- type system_dbusd_t;
-+ type system_dbusd_var_run_t;
- ')
-
-- allow $1 system_dbusd_t:fd use;
-+ files_search_pids($1)
-+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
- ')
+@@ -587,26 +422,25 @@ interface(`dbus_use_system_bus_fds',`
########################################
## <summary>
-## Do not audit attempts to read and
-## write DBUS system bus TCP sockets.
-+## Do not audit attempts to connect to
-+## session bus types with a unix
-+## stream socket.
++## Allow unconfined access to the system DBUS.
## </summary>
## <param name="domain">
## <summary>
-@@ -596,28 +466,51 @@ interface(`dbus_use_system_bus_fds',`
+-## Domain to not audit.
++## Domain allowed access.
## </summary>
## </param>
#
-interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
-+interface(`dbus_dontaudit_stream_connect_session_bus',`
++interface(`dbus_unconfined',`
gen_require(`
- type system_dbusd_t;
-+ attribute session_bus_type;
++ attribute dbusd_unconfined;
')
- dontaudit $1 system_dbusd_t:tcp_socket { read write };
-+ dontaudit $1 session_bus_type:unix_stream_socket connectto;
++ typeattribute $1 dbusd_unconfined;
')
########################################
## <summary>
-## Unconfined access to DBUS.
-+## Do not audit attempts to send dbus
-+## messages to session bus types.
++## Delete all dbus pid files
## </summary>
## <param name="domain">
## <summary>
--## Domain allowed access.
-+## Domain to not audit.
+@@ -614,10 +448,72 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
## </summary>
## </param>
#
-interface(`dbus_unconfined',`
-+interface(`dbus_dontaudit_chat_session_bus',`
++interface(`dbus_delete_pid_files',`
gen_require(`
- attribute dbusd_unconfined;
-+ attribute session_bus_type;
-+ class dbus send_msg;
++ type system_dbusd_var_run_t;
')
- typeattribute $1 dbusd_unconfined;
++ files_search_pids($1)
++ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
++')
++
++########################################
++## <summary>
++## Do not audit attempts to connect to
++## session bus types with a unix
++## stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`dbus_dontaudit_stream_connect_session_bus',`
++ gen_require(`
++ attribute session_bus_type;
++ ')
++
++ dontaudit $1 session_bus_type:unix_stream_socket connectto;
++')
++
++########################################
++## <summary>
++## Do not audit attempts to send dbus
++## messages to session bus types.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`dbus_dontaudit_chat_session_bus',`
++ gen_require(`
++ attribute session_bus_type;
++ class dbus send_msg;
++ ')
++
+ dontaudit $1 session_bus_type:dbus send_msg;
+')
+
@@ -23707,12 +23699,35 @@ index 0000000..1ed97fe
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..6704414
+index 0000000..9cfc035
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,104 @@
+@@ -0,0 +1,145 @@
+policy_module(glusterfs, 1.0.1)
+
++## <desc>
++## <p>
++## Allow glusterfsd to modify public files used for public file
++## transfer services. Files/Directories must be labeled
++## public_content_rw_t.
++## </p>
++## </desc>
++gen_tunable(gluster_anon_write, false)
++
++## <desc>
++## <p>
++## Allow glusterfsd to share any file/directory read only.
++## </p>
++## </desc>
++gen_tunable(gluster_export_all_ro, false)
++
++## <desc>
++## <p>
++## Allow glusterfsd to share any file/directory read/write.
++## </p>
++## </desc>
++gen_tunable(gluster_export_all_rw, false)
++
+########################################
+#
+# Declarations
@@ -23806,6 +23821,8 @@ index 0000000..6704414
+
+domain_use_interactive_fds(glusterd_t)
+
++fs_getattr_all_fs(glusterd_t)
++
+auth_use_nsswitch(glusterd_t)
+
+fs_getattr_all_fs(glusterd_t)
@@ -23813,8 +23830,24 @@ index 0000000..6704414
+logging_send_syslog_msg(glusterd_t)
+
+miscfiles_read_localization(glusterd_t)
++miscfiles_read_public_files(glusterd_t)
+
+userdom_manage_user_home_dirs(glusterd_t)
++
++tunable_policy(`gluster_anon_write',`
++ miscfiles_manage_public_files(glusterd_t)
++')
++
++tunable_policy(`gluster_export_all_ro',`
++ fs_read_noxattr_fs_files(glusterd_t)
++ files_read_non_security_files(glusterd_t)
++')
++
++tunable_policy(`gluster_export_all_rw',`
++ fs_manage_noxattr_fs_files(glusterd_t)
++ files_manage_non_security_files(glusterd_t)
++')
++
diff --git a/glusterfs.fc b/glusterfs.fc
deleted file mode 100644
index 4bd6ade..0000000
@@ -28136,10 +28169,84 @@ index c5a8112..947efe0 100644
userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
userdom_dontaudit_search_user_home_dirs(irqbalance_t)
+diff --git a/iscsi.fc b/iscsi.fc
+index 08b7560..9d1930b 100644
+--- a/iscsi.fc
++++ b/iscsi.fc
+@@ -1,19 +1,17 @@
+-/etc/rc\.d/init\.d/((iscsi)|(iscsid)) -- gen_context(system_u:object_r:iscsi_initrc_exec_t,s0)
+-
+ /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+-/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+ /sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+
+ /usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+-/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+ /usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+
+ /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
+
+ /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
+
+-/var/log/brcm-iscsi\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0)
+ /var/log/iscsiuio\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0)
+
+ /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
+ /var/run/iscsiuio\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
++
++/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service -- gen_context(system_u:object_r:iscsi_unit_file_t,s0)
++/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket -- gen_context(system_u:object_r:iscsi_unit_file_t,s0)
+diff --git a/iscsi.if b/iscsi.if
+index 1a35420..1d27695 100644
+--- a/iscsi.if
++++ b/iscsi.if
+@@ -88,27 +88,21 @@ interface(`iscsi_read_lib_files',`
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+ ## <rolecap/>
+ #
+ interface(`iscsi_admin',`
+ gen_require(`
+ type iscsid_t, iscsi_lock_t, iscsi_log_t;
+ type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t;
+- type iscsi_initrc_exec_t;
++ type iscsi_unit_file_t;
+ ')
+
+ allow $1 iscsid_t:process { ptrace signal_perms };
+ ps_process_pattern($1, iscsid_t)
+
+- init_labeled_script_domtrans($1, iscsi_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 iscsi_initrc_exec_t system_r;
+- allow $2 system_r;
++ systemd_exec_systemctl($1)
++ allow $1 iscsi_unit_file_t:file manage_file_perms;
++ allow $1 iscsi_unit_file_t:service manage_service_perms;
+
+ logging_search_logs($1)
+ admin_pattern($1, iscsi_log_t)
diff --git a/iscsi.te b/iscsi.te
-index 57304e4..3dba77f 100644
+index 57304e4..74153ec 100644
--- a/iscsi.te
+++ b/iscsi.te
+@@ -9,8 +9,8 @@ type iscsid_t;
+ type iscsid_exec_t;
+ init_daemon_domain(iscsid_t, iscsid_exec_t)
+
+-type iscsi_initrc_exec_t;
+-init_script_file(iscsi_initrc_exec_t)
++type iscsi_unit_file_t;
++systemd_unit_file(iscsi_unit_file_t)
+
+ type iscsi_lock_t;
+ files_lock_file(iscsi_lock_t)
@@ -33,7 +33,6 @@ files_pid_file(iscsi_var_run_t)
#
@@ -28148,7 +28255,12 @@ index 57304e4..3dba77f 100644
allow iscsid_t self:process { setrlimit setsched signal };
allow iscsid_t self:fifo_file rw_fifo_file_perms;
allow iscsid_t self:unix_stream_socket { accept connectto listen };
-@@ -68,7 +67,6 @@ kernel_read_network_state(iscsid_t)
+@@ -64,11 +63,11 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
+
+ can_exec(iscsid_t, iscsid_exec_t)
+
++kernel_request_load_module(iscsid_t)
+ kernel_read_network_state(iscsid_t)
kernel_read_system_state(iscsid_t)
kernel_setsched(iscsid_t)
@@ -28156,18 +28268,22 @@ index 57304e4..3dba77f 100644
corenet_all_recvfrom_netlabel(iscsid_t)
corenet_tcp_sendrecv_generic_if(iscsid_t)
corenet_tcp_sendrecv_generic_node(iscsid_t)
-@@ -85,6 +83,10 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
+@@ -85,10 +84,12 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
corenet_tcp_connect_isns_port(iscsid_t)
corenet_tcp_sendrecv_isns_port(iscsid_t)
+-dev_read_raw_memory(iscsid_t)
+corenet_sendrecv_winshadow_client_packets(iscsid_t)
+corenet_tcp_connect_winshadow_port(iscsid_t)
+corenet_tcp_sendrecv_winshadow_port(iscsid_t)
+
- dev_read_raw_memory(iscsid_t)
dev_rw_sysfs(iscsid_t)
dev_rw_userio_dev(iscsid_t)
-@@ -99,8 +101,6 @@ init_stream_connect_script(iscsid_t)
+-dev_write_raw_memory(iscsid_t)
+
+ domain_use_interactive_fds(iscsid_t)
+ domain_dontaudit_read_all_domains_state(iscsid_t)
+@@ -99,8 +100,6 @@ init_stream_connect_script(iscsid_t)
logging_send_syslog_msg(iscsid_t)
@@ -42489,7 +42605,7 @@ index 8aa1bfa..cd0e015 100644
+/usr/lib/systemd/system/yppasswdd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
+/usr/lib/systemd/system/ypxfrd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
diff --git a/nis.if b/nis.if
-index 46e55c3..1112fae 100644
+index 46e55c3..346242e 100644
--- a/nis.if
+++ b/nis.if
@@ -1,4 +1,4 @@
@@ -42518,14 +42634,12 @@ index 46e55c3..1112fae 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -49,14 +44,13 @@ interface(`nis_use_ypbind_uncond',`
+@@ -49,14 +44,11 @@ interface(`nis_use_ypbind_uncond',`
corenet_udp_bind_generic_node($1)
corenet_tcp_bind_generic_port($1)
corenet_udp_bind_generic_port($1)
- corenet_dontaudit_tcp_bind_all_reserved_ports($1)
- corenet_dontaudit_udp_bind_all_reserved_ports($1)
-+ corenet_tcp_bind_all_rpc_ports($1)
-+ corenet_udp_bind_all_rpc_ports($1)
corenet_dontaudit_tcp_bind_all_ports($1)
corenet_dontaudit_udp_bind_all_ports($1)
corenet_tcp_connect_portmap_port($1)
@@ -42536,7 +42650,7 @@ index 46e55c3..1112fae 100644
corenet_sendrecv_portmap_client_packets($1)
corenet_sendrecv_generic_client_packets($1)
corenet_sendrecv_generic_server_packets($1)
-@@ -88,14 +82,14 @@ interface(`nis_use_ypbind_uncond',`
+@@ -88,14 +80,14 @@ interface(`nis_use_ypbind_uncond',`
## <rolecap/>
#
interface(`nis_use_ypbind',`
@@ -42553,7 +42667,7 @@ index 46e55c3..1112fae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -105,7 +99,7 @@ interface(`nis_use_ypbind',`
+@@ -105,7 +97,7 @@ interface(`nis_use_ypbind',`
## <rolecap/>
#
interface(`nis_authenticate',`
@@ -42562,7 +42676,7 @@ index 46e55c3..1112fae 100644
nis_use_ypbind_uncond($1)
corenet_tcp_bind_all_rpc_ports($1)
corenet_udp_bind_all_rpc_ports($1)
-@@ -133,20 +127,19 @@ interface(`nis_domtrans_ypbind',`
+@@ -133,20 +125,19 @@ interface(`nis_domtrans_ypbind',`
#######################################
## <summary>
@@ -42590,7 +42704,7 @@ index 46e55c3..1112fae 100644
can_exec($1, ypbind_exec_t)
')
-@@ -169,11 +162,11 @@ interface(`nis_exec_ypbind',`
+@@ -169,11 +160,11 @@ interface(`nis_exec_ypbind',`
#
interface(`nis_run_ypbind',`
gen_require(`
@@ -42604,7 +42718,7 @@ index 46e55c3..1112fae 100644
')
########################################
-@@ -196,7 +189,7 @@ interface(`nis_signal_ypbind',`
+@@ -196,7 +187,7 @@ interface(`nis_signal_ypbind',`
########################################
## <summary>
@@ -42613,7 +42727,7 @@ index 46e55c3..1112fae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -272,10 +265,11 @@ interface(`nis_read_ypbind_pid',`
+@@ -272,10 +263,11 @@ interface(`nis_read_ypbind_pid',`
#
interface(`nis_delete_ypbind_pid',`
gen_require(`
@@ -42627,7 +42741,7 @@ index 46e55c3..1112fae 100644
')
########################################
-@@ -355,8 +349,57 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -355,8 +347,57 @@ interface(`nis_initrc_domtrans_ypbind',`
########################################
## <summary>
@@ -42687,7 +42801,7 @@ index 46e55c3..1112fae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -372,32 +415,56 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -372,32 +413,56 @@ interface(`nis_initrc_domtrans_ypbind',`
#
interface(`nis_admin',`
gen_require(`
@@ -51986,7 +52100,7 @@ index 032a84d..be00a65 100644
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policykit.te b/policykit.te
-index 49694e8..0372dfd 100644
+index 49694e8..e426304 100644
--- a/policykit.te
+++ b/policykit.te
@@ -1,4 +1,4 @@
@@ -52018,7 +52132,7 @@ index 49694e8..0372dfd 100644
type policykit_resolve_t, policykit_domain;
type policykit_resolve_exec_t;
-@@ -42,48 +37,43 @@ files_pid_file(policykit_var_run_t)
+@@ -42,63 +37,64 @@ files_pid_file(policykit_var_run_t)
#######################################
#
@@ -52081,7 +52195,10 @@ index 49694e8..0372dfd 100644
domain_read_all_domains_state(policykit_t)
-@@ -93,12 +83,17 @@ fs_list_inotifyfs(policykit_t)
+ files_dontaudit_search_all_mountpoints(policykit_t)
+
++fs_getattr_all_fs(policykit_t)
+ fs_list_inotifyfs(policykit_t)
auth_use_nsswitch(policykit_t)
@@ -52099,7 +52216,7 @@ index 49694e8..0372dfd 100644
optional_policy(`
consolekit_dbus_chat(policykit_t)
')
-@@ -109,29 +104,43 @@ optional_policy(`
+@@ -109,29 +105,43 @@ optional_policy(`
')
optional_policy(`
@@ -52151,7 +52268,7 @@ index 49694e8..0372dfd 100644
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
-@@ -145,9 +154,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+@@ -145,9 +155,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
@@ -52161,7 +52278,7 @@ index 49694e8..0372dfd 100644
kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
dev_read_video_dev(policykit_auth_t)
-@@ -162,48 +168,58 @@ auth_rw_var_auth(policykit_auth_t)
+@@ -162,48 +169,58 @@ auth_rw_var_auth(policykit_auth_t)
auth_use_nsswitch(policykit_auth_t)
auth_domtrans_chk_passwd(policykit_auth_t)
@@ -52230,7 +52347,7 @@ index 49694e8..0372dfd 100644
rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
-@@ -211,23 +227,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
+@@ -211,23 +228,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
@@ -52257,7 +52374,7 @@ index 49694e8..0372dfd 100644
optional_policy(`
consolekit_dbus_chat(policykit_grant_t)
')
-@@ -235,26 +248,28 @@ optional_policy(`
+@@ -235,26 +249,28 @@ optional_policy(`
########################################
#
@@ -52292,7 +52409,7 @@ index 49694e8..0372dfd 100644
userdom_read_all_users_state(policykit_resolve_t)
optional_policy(`
-@@ -266,6 +281,7 @@ optional_policy(`
+@@ -266,6 +282,7 @@ optional_policy(`
')
optional_policy(`
@@ -69204,7 +69321,7 @@ index aee75af..a6bab06 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 57c034b..4d983f7 100644
+index 57c034b..055c3c5 100644
--- a/samba.te
+++ b/samba.te
@@ -1,4 +1,4 @@
@@ -69758,9 +69875,9 @@ index 57c034b..4d983f7 100644
+
+tunable_policy(`samba_export_all_rw',`
+ allow nmbd_t self:capability { dac_read_search dac_override };
-+ fs_read_noxattr_fs_files(smbd_t)
++ fs_manage_noxattr_fs_files(smbd_t)
+ files_manage_non_security_files(smbd_t)
-+ fs_read_noxattr_fs_files(nmbd_t)
++ fs_manage_noxattr_fs_files(nmbd_t)
+ files_manage_non_security_files(nmbd_t)
+')
+
@@ -79818,10 +79935,10 @@ index 0000000..601aea3
+/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0)
diff --git a/thumb.if b/thumb.if
new file mode 100644
-index 0000000..72c42ad
+index 0000000..eb30b4c
--- /dev/null
+++ b/thumb.if
-@@ -0,0 +1,126 @@
+@@ -0,0 +1,125 @@
+
+## <summary>policy for thumb</summary>
+
@@ -79901,8 +80018,7 @@ index 0000000..72c42ad
+ ps_process_pattern($2, thumb_t)
+ allow thumb_t $2:unix_stream_socket connectto;
+
-+ allow $2 thumb_t:dbus send_msg;
-+ allow thumb_t $2:dbus send_msg;
++ thumb_dbus_chat($2)
+ thumb_filetrans_home_content($2)
+')
+