diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 5224658..b57ae16 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 0af94e9..5c190b1 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -2922,7 +2922,7 @@ index 99e3903..fa68362 100644
##
##
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1d732f1..f6ff7aa 100644
+index 1d732f1..47af4c3 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t;
@@ -3151,7 +3151,7 @@ index 1d732f1..f6ff7aa 100644
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
-@@ -352,6 +383,18 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -352,6 +383,19 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -3160,6 +3160,7 @@ index 1d732f1..f6ff7aa 100644
+
+# needed by gnome-keyring
+userdom_manage_user_tmp_files(passwd_t)
++userdom_manage_user_tmp_dirs(passwd_t)
+
+optional_policy(`
+ gnome_exec_keyringd(passwd_t)
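Review bot: The added `++userdom_manage_user_tmp_dirs(passwd_t)` lets the passwd_t domain create, delete and rename any user_tmp_t directory, and the only rationale carried over is the pre-existing `# needed by gnome-keyring` comment, which was written for the files rule above it. If the keyring needs a single directory created, a named file transition to a private type would bound the grant to that directory rather than to every user_tmp_t dir; otherwise extend the comment to name the directory gnome-keyring creates so the width of the grant can be judged later. The passwd_t rule block continues outside the hunk.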
@@ -3170,7 +3171,7 @@ index 1d732f1..f6ff7aa 100644
optional_policy(`
nscd_run(passwd_t, passwd_roles)
-@@ -401,9 +444,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -401,9 +445,10 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
@@ -3183,7 +3184,7 @@ index 1d732f1..f6ff7aa 100644
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -416,7 +460,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -416,7 +461,6 @@ files_read_usr_files(sysadm_passwd_t)
domain_use_interactive_fds(sysadm_passwd_t)
@@ -3191,7 +3192,7 @@ index 1d732f1..f6ff7aa 100644
files_relabel_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t)
# for nscd lookups
-@@ -426,12 +469,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+@@ -426,12 +470,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(sysadm_passwd_t)
@@ -3204,7 +3205,7 @@ index 1d732f1..f6ff7aa 100644
userdom_use_unpriv_users_fds(sysadm_passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
-@@ -446,7 +486,8 @@ optional_policy(`
+@@ -446,7 +487,8 @@ optional_policy(`
# Useradd local policy
#
@@ -3214,7 +3215,7 @@ index 1d732f1..f6ff7aa 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -461,6 +502,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -461,6 +503,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
@@ -3225,7 +3226,7 @@ index 1d732f1..f6ff7aa 100644
# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)
-@@ -468,29 +513,28 @@ corecmd_exec_shell(useradd_t)
+@@ -468,29 +514,28 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -3265,7 +3266,7 @@ index 1d732f1..f6ff7aa 100644
auth_run_chk_passwd(useradd_t, useradd_roles)
auth_rw_lastlog(useradd_t)
-@@ -498,6 +542,7 @@ auth_rw_faillog(useradd_t)
+@@ -498,6 +543,7 @@ auth_rw_faillog(useradd_t)
auth_use_nsswitch(useradd_t)
# these may be unnecessary due to the above
# domtrans_chk_passwd() call.
@@ -3273,7 +3274,7 @@ index 1d732f1..f6ff7aa 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
-@@ -508,33 +553,32 @@ init_rw_utmp(useradd_t)
+@@ -508,33 +554,32 @@ init_rw_utmp(useradd_t)
logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t)
@@ -3318,7 +3319,7 @@ index 1d732f1..f6ff7aa 100644
optional_policy(`
apache_manage_all_user_content(useradd_t)
')
-@@ -545,14 +589,27 @@ optional_policy(`
+@@ -545,14 +590,27 @@ optional_policy(`
')
optional_policy(`
@@ -3346,7 +3347,7 @@ index 1d732f1..f6ff7aa 100644
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)
')
-@@ -562,3 +619,12 @@ optional_policy(`
+@@ -562,3 +620,12 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
@@ -5812,7 +5813,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..90ffe79 100644
+index b191055..72bc5d0 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5886,7 +5887,7 @@ index b191055..90ffe79 100644
# reserved_port_t is the type of INET port numbers below 1024.
#
type reserved_port_t, port_type, reserved_port_type;
-@@ -76,63 +99,79 @@ type server_packet_t, packet_type, server_packet_type;
+@@ -76,63 +99,80 @@ type server_packet_t, packet_type, server_packet_type;
network_port(afs_bos, udp,7007,s0)
network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
network_port(afs_ka, udp,7004,s0)
@@ -5956,6 +5957,7 @@ index b191055..90ffe79 100644
network_port(embrace_dp_c, tcp,3198,s0, udp,3198,s0)
network_port(epmap, tcp,135,s0, udp,135,s0)
network_port(epmd, tcp,4369,s0, udp,4369,s0)
++network_port(fac_restore, tcp,5582,s0, udp,5582,s0)
network_port(fingerd, tcp,79,s0)
-network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
+network_port(fmpro_internal, tcp,5003,s0, udp,5003,s0)
@@ -5976,7 +5978,7 @@ index b191055..90ffe79 100644
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +179,60 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +180,60 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -6052,7 +6054,7 @@ index b191055..90ffe79 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,101 +240,129 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,101 +241,129 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@@ -6117,8 +6119,9 @@ index b191055..90ffe79 100644
+network_port(radius, udp,1645,s0, tcp,1645,s0, tcp,1812,s0, udp,1812,s0, tcp,18120-18121,s0, udp,18120-18121, s0)
network_port(radsec, tcp,2083,s0)
network_port(razor, tcp,2703,s0)
+-network_port(redis, tcp,6379,s0)
+network_port(time, tcp,37,s0, udp,37,s0)
- network_port(redis, tcp,6379,s0)
++network_port(redis, tcp,6379,s0, tcp,26379,s0, tcp,16379,s0)
network_port(repository, tcp, 6363, s0)
network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
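Review bot: `++network_port(redis, tcp,6379,s0, tcp,26379,s0, tcp,16379,s0)` folds two more ports (presumably the Sentinel and cluster-bus defaults) into the existing redis_port_t type, so every domain already allowed to bind to or connect to redis_port_t silently gains those ports as well. If the intent is only to let the redis daemon itself bind them, that widening deserves a one-line comment above the declaration; if sentinel or cluster traffic should be grantable separately from client traffic, a distinct port type would keep the two apart. The rest of the port list is outside this hunk, so I cannot see which domains currently reference redis_port_t.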
@@ -6200,7 +6203,7 @@ index b191055..90ffe79 100644
network_port(xserver, tcp,6000-6020,s0)
network_port(zarafa, tcp,236,s0, tcp,237,s0)
network_port(zabbix, tcp,10051,s0)
-@@ -288,19 +370,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +371,23 @@ network_port(zabbix_agent, tcp,10050,s0)
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
@@ -6227,7 +6230,7 @@ index b191055..90ffe79 100644
########################################
#
-@@ -333,6 +419,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +420,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@@ -6236,7 +6239,7 @@ index b191055..90ffe79 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
-@@ -345,9 +433,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +434,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -11030,7 +11033,7 @@ index b876c48..03f9342 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..917b5b2 100644
+index f962f76..41b68a6 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -15076,7 +15079,7 @@ index f962f76..917b5b2 100644
##
##
##
-@@ -5808,165 +6675,156 @@ interface(`files_getattr_generic_locks',`
+@@ -5808,63 +6675,68 @@ interface(`files_getattr_generic_locks',`
##
##
#
@@ -15134,10 +15137,11 @@ index f962f76..917b5b2 100644
+ filetrans_pattern($1, var_t, $2, $3, $4)
')
++
########################################
##
-## Delete all lock files.
-+## Get the attributes of the /var/lib directory.
++## Relabel dirs in the /var directory.
##
##
##
@@ -15147,46 +15151,32 @@ index f962f76..917b5b2 100644
-##
#
-interface(`files_delete_all_locks',`
-+interface(`files_getattr_var_lib_dirs',`
++interface(`files_relabel_var_dirs',`
gen_require(`
- attribute lockfile;
- type var_t, var_lock_t;
-+ type var_t, var_lib_t;
++ type var_t;
')
-
+-
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- delete_files_pattern($1, lockfile, lockfile)
-+ getattr_dirs_pattern($1, var_t, var_lib_t)
++ allow $1 var_t:dir relabel_dir_perms;
')
########################################
##
-## Read all lock files.
-+## Search the /var/lib directory.
++## Get the attributes of the /var/lib directory.
##
-+##
-+##
-+## Search the /var/lib directory. This is
-+## necessary to access files or directories under
-+## /var/lib that have a private type. For example, a
-+## domain accessing a private library file in the
-+## /var/lib directory:
-+##
-+##
-+## allow mydomain_t mylibfile_t:file read_file_perms;
-+## files_search_var_lib(mydomain_t)
-+##
-+##
##
##
- ## Domain allowed access.
+@@ -5872,101 +6744,87 @@ interface(`files_delete_all_locks',`
##
##
-+##
#
-interface(`files_read_all_locks',`
-+interface(`files_search_var_lib',`
++interface(`files_getattr_var_lib_dirs',`
gen_require(`
- attribute lockfile;
- type var_t, var_lock_t;
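Review bot: `++ allow $1 var_t:dir relabel_dir_perms;` in the new `files_relabel_var_dirs` grants relabel_dir_perms (relabelfrom and relabelto) on every directory carrying the generic var_t label, /var itself included, but no search permission on the parent directory, so a caller can only reach those dirs if it already holds var_t search from elsewhere. The sibling var_lib interfaces in this file either go through the `*_dirs_pattern` macros or, as `files_manage_urandom_seed` does, add `allow $1 var_t:dir search_dir_perms;` explicitly; the same omission applies to `files_relabelto_var_lib_dirs` and `files_relabel_var_lib_dirs` in the later hunk starting at `@@ -15408,69 +15411,127 @@`. If leaving search to the caller is intended, say so in the summary, e.g. `## Relabel generic (var_t) directories under /var, including /var itself; callers need separate search access to reach them.`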
@@ -15198,29 +15188,40 @@ index f962f76..917b5b2 100644
- allow $1 lockfile:dir list_dir_perms;
- read_files_pattern($1, lockfile, lockfile)
- read_lnk_files_pattern($1, lockfile, lockfile)
-+ search_dirs_pattern($1, var_t, var_lib_t)
++ getattr_dirs_pattern($1, var_t, var_lib_t)
')
########################################
##
-## manage all lock files.
-+## Do not audit attempts to search the
-+## contents of /var/lib.
++## Search the /var/lib directory.
##
++##
++##
++## Search the /var/lib directory. This is
++## necessary to access files or directories under
++## /var/lib that have a private type. For example, a
++## domain accessing a private library file in the
++## /var/lib directory:
++##
++##
++## allow mydomain_t mylibfile_t:file read_file_perms;
++## files_search_var_lib(mydomain_t)
++##
++##
##
##
--## Domain allowed access.
-+## Domain to not audit.
+ ## Domain allowed access.
##
##
+##
#
-interface(`files_manage_all_locks',`
-+interface(`files_dontaudit_search_var_lib',`
++interface(`files_search_var_lib',`
gen_require(`
- attribute lockfile;
- type var_t, var_lock_t;
-+ type var_lib_t;
++ type var_t, var_lib_t;
')
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
@@ -15228,20 +15229,21 @@ index f962f76..917b5b2 100644
- manage_dirs_pattern($1, lockfile, lockfile)
- manage_files_pattern($1, lockfile, lockfile)
- manage_lnk_files_pattern($1, lockfile, lockfile)
-+ dontaudit $1 var_lib_t:dir search_dir_perms;
++ search_dirs_pattern($1, var_t, var_lib_t)
')
########################################
##
-## Create an object in the locks directory, with a private
-## type using a type transition.
-+## List the contents of the /var/lib directory.
++## Do not audit attempts to search the
++## contents of /var/lib.
##
##
##
- ## Domain allowed access.
- ##
- ##
+-## Domain allowed access.
+-##
+-##
-##
-##
-## The type of the object to be created.
@@ -15255,28 +15257,29 @@ index f962f76..917b5b2 100644
-##
-##
-## The name of the object being created.
--##
--##
++## Domain to not audit.
+ ##
+ ##
++##
#
-interface(`files_lock_filetrans',`
-+interface(`files_list_var_lib',`
++interface(`files_dontaudit_search_var_lib',`
gen_require(`
- type var_t, var_lock_t;
-+ type var_t, var_lib_t;
++ type var_lib_t;
')
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- filetrans_pattern($1, var_lock_t, $2, $3, $4)
-+ list_dirs_pattern($1, var_t, var_lib_t)
++ dontaudit $1 var_lib_t:dir search_dir_perms;
')
--########################################
-+###########################################
+ ########################################
##
-## Do not audit attempts to get the attributes
-## of the /var/run directory.
-+## Read-write /var/lib directories
++## List the contents of the /var/lib directory.
##
##
##
@@ -15286,30 +15289,31 @@ index f962f76..917b5b2 100644
##
#
-interface(`files_dontaudit_getattr_pid_dirs',`
-+interface(`files_rw_var_lib_dirs',`
++interface(`files_list_var_lib',`
gen_require(`
- type var_run_t;
-+ type var_lib_t;
++ type var_t, var_lib_t;
')
- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
- dontaudit $1 var_run_t:dir getattr;
-+ rw_dirs_pattern($1, var_lib_t, var_lib_t)
++ list_dirs_pattern($1, var_t, var_lib_t)
')
- ########################################
+-########################################
++###########################################
##
-## Set the attributes of the /var/run directory.
-+## Create directories in /var/lib
++## Read-write /var/lib directories
##
##
##
-@@ -5974,59 +6832,71 @@ interface(`files_dontaudit_getattr_pid_dirs',`
+@@ -5974,19 +6832,17 @@ interface(`files_dontaudit_getattr_pid_dirs',`
##
##
#
-interface(`files_setattr_pid_dirs',`
-+interface(`files_create_var_lib_dirs',`
++interface(`files_rw_var_lib_dirs',`
gen_require(`
- type var_run_t;
+ type var_lib_t;
@@ -15317,65 +15321,64 @@ index f962f76..917b5b2 100644
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- allow $1 var_run_t:dir setattr;
-+ allow $1 var_lib_t:dir { create rw_dir_perms };
++ rw_dirs_pattern($1, var_lib_t, var_lib_t)
')
-+
########################################
##
-## Search the contents of runtime process
-## ID directories (/var/run).
-+## Create objects in the /var/lib directory
++## Create directories in /var/lib
##
##
##
- ## Domain allowed access.
+@@ -5994,39 +6850,52 @@ interface(`files_setattr_pid_dirs',`
##
##
-+##
-+##
-+## The type of the object to be created
-+##
-+##
-+##
-+##
-+## The object class.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
#
-interface(`files_search_pids',`
-+interface(`files_var_lib_filetrans',`
++interface(`files_create_var_lib_dirs',`
gen_require(`
- type var_t, var_run_t;
-+ type var_t, var_lib_t;
++ type var_lib_t;
')
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- search_dirs_pattern($1, var_t, var_run_t)
-+ allow $1 var_t:dir search_dir_perms;
-+ filetrans_pattern($1, var_lib_t, $2, $3, $4)
++ allow $1 var_lib_t:dir { create rw_dir_perms };
')
++
########################################
##
-## Do not audit attempts to search
-## the /var/run directory.
-+## Read generic files in /var/lib.
++## Create objects in the /var/lib directory
##
##
##
-## Domain to not audit.
+## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to be created
++##
++##
++##
++##
++## The object class.
++##
++##
++##
++##
++## The name of the object being created.
##
##
#
-interface(`files_dontaudit_search_pids',`
-+interface(`files_read_var_lib_files',`
++interface(`files_var_lib_filetrans',`
gen_require(`
- type var_run_t;
+ type var_t, var_lib_t;
@@ -15383,24 +15386,24 @@ index f962f76..917b5b2 100644
- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
- dontaudit $1 var_run_t:dir search_dir_perms;
-+ allow $1 var_lib_t:dir list_dir_perms;
-+ read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
++ allow $1 var_t:dir search_dir_perms;
++ filetrans_pattern($1, var_lib_t, $2, $3, $4)
')
########################################
##
-## List the contents of the runtime process
-## ID directories (/var/run).
-+## Read generic symbolic links in /var/lib
++## Read generic files in /var/lib.
##
##
##
-@@ -6034,18 +6904,18 @@ interface(`files_dontaudit_search_pids',`
+@@ -6034,18 +6903,18 @@ interface(`files_dontaudit_search_pids',`
##
##
#
-interface(`files_list_pids',`
-+interface(`files_read_var_lib_symlinks',`
++interface(`files_read_var_lib_files',`
gen_require(`
- type var_t, var_run_t;
+ type var_t, var_lib_t;
@@ -15408,69 +15411,127 @@ index f962f76..917b5b2 100644
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- list_dirs_pattern($1, var_t, var_run_t)
-+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
++ allow $1 var_lib_t:dir list_dir_perms;
++ read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
########################################
##
-## Read generic process ID files.
-+## manage generic symbolic links
-+## in the /var/lib directory.
++## Read generic symbolic links in /var/lib
##
##
##
-@@ -6053,19 +6923,21 @@ interface(`files_list_pids',`
+@@ -6053,19 +6922,18 @@ interface(`files_list_pids',`
##
##
#
-interface(`files_read_generic_pids',`
-+interface(`files_manage_var_lib_symlinks',`
++interface(`files_read_var_lib_symlinks',`
gen_require(`
- type var_t, var_run_t;
-+ type var_lib_t;
++ type var_t, var_lib_t;
')
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- list_dirs_pattern($1, var_t, var_run_t)
- read_files_pattern($1, var_run_t, var_run_t)
-+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
++ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
-+# cjp: the next two interfaces really need to be fixed
-+# in some way. They really neeed their own types.
-+
########################################
##
-## Write named generic process ID pipes
-+## Create, read, write, and delete the
-+## pseudorandom number generator seed.
++## manage generic symbolic links
++## in the /var/lib directory.
##
##
##
-@@ -6073,43 +6945,1377 @@ interface(`files_read_generic_pids',`
+@@ -6073,23 +6941,652 @@ interface(`files_read_generic_pids',`
##
##
#
-interface(`files_write_generic_pid_pipes',`
-+interface(`files_manage_urandom_seed',`
++interface(`files_manage_var_lib_symlinks',`
gen_require(`
- type var_run_t;
-+ type var_t, var_lib_t;
++ type var_lib_t;
')
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- allow $1 var_run_t:fifo_file write;
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_lib_t, var_lib_t)
++ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
')
++# cjp: the next two interfaces really need to be fixed
++# in some way. They really neeed their own types.
++
########################################
##
-## Create an object in the process ID directory, with a private type.
-+## Allow domain to manage mount tables
-+## necessary for rpcd, nfsd, etc.
++## Create, read, write, and delete the
++## pseudorandom number generator seed.
##
-##
+-##
+-## Create an object in the process ID directory (e.g., /var/run)
+-## with a private type. Typically this is used for creating
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_urandom_seed',`
++ gen_require(`
++ type var_t, var_lib_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ manage_files_pattern($1, var_lib_t, var_lib_t)
++')
++
++
++########################################
++##
++## Relabel to dirs in the /var/lib directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabelto_var_lib_dirs',`
++ gen_require(`
++ type var_lib_t;
++ ')
++ allow $1 var_lib_t:dir relabelto;
++')
++
++
++########################################
++##
++## Relabel dirs in the /var/lib directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabel_var_lib_dirs',`
++ gen_require(`
++ type var_lib_t;
++ ')
++ allow $1 var_lib_t:dir relabel_dir_perms;
++')
++
++########################################
++##
++## Allow domain to manage mount tables
++## necessary for rpcd, nfsd, etc.
++##
+##
+##
+## Domain allowed access.
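Review bot: The new `files_relabelto_var_lib_dirs` and `files_relabel_var_lib_dirs` are each preceded by two blank `++` lines before their `########` header, while the rest of the file separates interfaces with a single blank line; dropping the extra line in both places keeps the block consistent. Inside both interfaces the `++ ')` closing `gen_require` runs straight into the `++ allow $1 var_lib_t:dir ...` rule, whereas `files_manage_urandom_seed` directly above leaves the customary blank line after `gen_require`; the same single blank line should follow in the two new interfaces.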
@@ -16045,14 +16106,14 @@ index f962f76..917b5b2 100644
+##
+## Create an object in the process ID directory (e.g., /var/run)
+## with a private type. Typically this is used for creating
-+## private PID files in /var/run with the private type instead
-+## of the general PID file type. To accomplish this goal,
-+## either the program must be SELinux-aware, or use this interface.
-+##
-+##
-+## Related interfaces:
-+##
-+##
+ ## private PID files in /var/run with the private type instead
+ ## of the general PID file type. To accomplish this goal,
+ ## either the program must be SELinux-aware, or use this interface.
+@@ -6098,18 +7595,781 @@ interface(`files_write_generic_pid_pipes',`
+ ## Related interfaces:
+ ##
+ ##
+-## - files_pid_file()
+## - files_pid_file()
+##
+##
@@ -16497,23 +16558,17 @@ index f962f76..917b5b2 100644
+## used for spool files.
+##
+##
- ##
--## Create an object in the process ID directory (e.g., /var/run)
--## with a private type. Typically this is used for creating
--## private PID files in /var/run with the private type instead
--## of the general PID file type. To accomplish this goal,
--## either the program must be SELinux-aware, or use this interface.
++##
+## Make the specified type usable for spool files.
+## This will also make the type usable for files, making
+## calls to files_type() redundant. Failure to use this interface
+## for a spool file may result in problems with
+## purging spool files.
- ##
- ##
- ## Related interfaces:
- ##
- ##
--## - files_pid_file()
++##
++##
++## Related interfaces:
++##
++##
+## - files_spool_filetrans()
##
##
@@ -16843,7 +16898,7 @@ index f962f76..917b5b2 100644
##
##
##
-@@ -6117,80 +8323,157 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6117,80 +8377,157 @@ interface(`files_write_generic_pid_pipes',`
## Domain allowed access.
##
##
@@ -17030,7 +17085,7 @@ index f962f76..917b5b2 100644
##
##
##
-@@ -6198,19 +8481,17 @@ interface(`files_rw_generic_pids',`
+@@ -6198,19 +8535,17 @@ interface(`files_rw_generic_pids',`
##
##
#
@@ -17054,7 +17109,7 @@ index f962f76..917b5b2 100644
##
##
##
-@@ -6218,18 +8499,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+@@ -6218,18 +8553,17 @@ interface(`files_dontaudit_getattr_all_pids',`
##
##
#
@@ -17077,7 +17132,7 @@ index f962f76..917b5b2 100644
##
##
##
-@@ -6237,129 +8517,119 @@ interface(`files_dontaudit_write_all_pids',`
+@@ -6237,129 +8571,119 @@ interface(`files_dontaudit_write_all_pids',`
##
##
#
@@ -17247,7 +17302,7 @@ index f962f76..917b5b2 100644
##
##
##
-@@ -6367,18 +8637,19 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,18 +8691,19 @@ interface(`files_mounton_all_poly_members',`
##
##
#
@@ -17272,7 +17327,7 @@ index f962f76..917b5b2 100644
##
##
##
-@@ -6386,132 +8657,227 @@ interface(`files_search_spool',`
+@@ -6386,132 +8711,227 @@ interface(`files_search_spool',`
##
##
#
@@ -17546,7 +17601,7 @@ index f962f76..917b5b2 100644
##
##
##
-@@ -6519,53 +8885,17 @@ interface(`files_spool_filetrans',`
+@@ -6519,53 +8939,17 @@ interface(`files_spool_filetrans',`
##
##
#
@@ -17604,7 +17659,7 @@ index f962f76..917b5b2 100644
##
##
##
-@@ -6573,10 +8903,10 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +8957,10 @@ interface(`files_polyinstantiate_all',`
##
##
#
@@ -25199,7 +25254,7 @@ index ff92430..36740ea 100644
##
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6..d2f55a2 100644
+index 2522ca6..fe03d6d 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1)
@@ -25359,18 +25414,18 @@ index 2522ca6..d2f55a2 100644
optional_policy(`
- consoletype_run(sysadm_t, sysadm_r)
+ cron_admin_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+- cvs_exec(sysadm_t)
++ consoletype_exec(sysadm_t)
+')
+
+optional_policy(`
-+ consoletype_exec(sysadm_t)
++ daemonstools_run_start(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
-+ daemonstools_run_start(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-- cvs_exec(sysadm_t)
+ dbus_role_template(sysadm, sysadm_r, sysadm_t)
+
+ dontaudit sysadm_dbusd_t self:capability net_admin;
@@ -25494,7 +25549,7 @@ index 2522ca6..d2f55a2 100644
')
optional_policy(`
-@@ -237,14 +334,28 @@ optional_policy(`
+@@ -237,14 +334,32 @@ optional_policy(`
')
optional_policy(`
@@ -25520,10 +25575,14 @@ index 2522ca6..d2f55a2 100644
+
+optional_policy(`
+ nx_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
++ oddjob_dbus_chat(sysadm_t)
')
optional_policy(`
-@@ -252,10 +363,20 @@ optional_policy(`
+@@ -252,10 +367,20 @@ optional_policy(`
')
optional_policy(`
@@ -25544,7 +25603,7 @@ index 2522ca6..d2f55a2 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -266,35 +387,41 @@ optional_policy(`
+@@ -266,35 +391,46 @@ optional_policy(`
')
optional_policy(`
@@ -25555,30 +25614,35 @@ index 2522ca6..d2f55a2 100644
optional_policy(`
- quota_run(sysadm_t, sysadm_r)
+ postgresql_admin(sysadm_t, sysadm_r)
++ postgresql_run(sysadm_t, sysadm_r)
')
optional_policy(`
- raid_run_mdadm(sysadm_r, sysadm_t)
-+ prelink_run(sysadm_t, sysadm_r)
++ journalctl_role(sysadm_r, sysadm_t)
')
optional_policy(`
- razor_role(sysadm_r, sysadm_t)
-+ puppet_run_puppetca(sysadm_t, sysadm_r)
++ prelink_run(sysadm_t, sysadm_r)
')
optional_policy(`
- rpc_domtrans_nfsd(sysadm_t)
-+ quota_filetrans_named_content(sysadm_t)
++ puppet_run_puppetca(sysadm_t, sysadm_r)
')
optional_policy(`
- rpm_run(sysadm_t, sysadm_r)
-+ raid_domtrans_mdadm(sysadm_t)
++ quota_filetrans_named_content(sysadm_t)
')
optional_policy(`
- rssh_role(sysadm_r, sysadm_t)
++ raid_domtrans_mdadm(sysadm_t)
++')
++
++optional_policy(`
+ rpc_domtrans_nfsd(sysadm_t)
+')
+
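Review bot: `++ journalctl_role(sysadm_r, sysadm_t)` is inserted between the postgresql and prelink blocks, which breaks the alphabetical order the surrounding optional_policy blocks keep (postgresql, prelink, puppet, quota, raid, rpc); moving it to its alphabetical place keeps later merges clean. The added `++ postgresql_run(sysadm_t, sysadm_r)` sits next to the existing `postgresql_admin(sysadm_t, sysadm_r)`, and `postgresql_run` is itself introduced by this commit in postgresql.if as a domain transition into postgresql_t plus the role grant; if `postgresql_admin` already provides that transition, which I cannot tell from here, the new call is redundant and should be dropped or its purpose commented.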
@@ -25593,7 +25657,7 @@ index 2522ca6..d2f55a2 100644
')
optional_policy(`
-@@ -308,6 +435,7 @@ optional_policy(`
+@@ -308,6 +444,7 @@ optional_policy(`
optional_policy(`
screen_role_template(sysadm, sysadm_r, sysadm_t)
@@ -25601,7 +25665,7 @@ index 2522ca6..d2f55a2 100644
')
optional_policy(`
-@@ -315,12 +443,20 @@ optional_policy(`
+@@ -315,12 +452,20 @@ optional_policy(`
')
optional_policy(`
@@ -25623,7 +25687,7 @@ index 2522ca6..d2f55a2 100644
')
optional_policy(`
-@@ -345,30 +481,37 @@ optional_policy(`
+@@ -345,30 +490,37 @@ optional_policy(`
')
optional_policy(`
@@ -25670,7 +25734,7 @@ index 2522ca6..d2f55a2 100644
')
optional_policy(`
-@@ -380,10 +523,6 @@ optional_policy(`
+@@ -380,10 +532,6 @@ optional_policy(`
')
optional_policy(`
@@ -25681,7 +25745,7 @@ index 2522ca6..d2f55a2 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -391,6 +530,9 @@ optional_policy(`
+@@ -391,6 +539,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -25691,7 +25755,7 @@ index 2522ca6..d2f55a2 100644
')
optional_policy(`
-@@ -398,31 +540,34 @@ optional_policy(`
+@@ -398,31 +549,34 @@ optional_policy(`
')
optional_policy(`
@@ -25732,7 +25796,7 @@ index 2522ca6..d2f55a2 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -435,10 +580,6 @@ ifndef(`distro_redhat',`
+@@ -435,10 +589,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -25743,7 +25807,7 @@ index 2522ca6..d2f55a2 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -459,15 +600,79 @@ ifndef(`distro_redhat',`
+@@ -459,15 +609,79 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -27188,10 +27252,10 @@ index a26f84f..f4a44eb 100644
-/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
+#/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
-index 9d2f311..9e87525 100644
+index 9d2f311..2d782e0 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
-@@ -10,90 +10,21 @@
+@@ -10,90 +10,46 @@
##
##
##
@@ -27237,7 +27301,8 @@ index 9d2f311..9e87525 100644
typeattribute $2 sepgsql_client_type;
role $1 types sepgsql_trusted_proc_t;
role $1 types sepgsql_ranged_proc_t;
--
++')
+
- ##############################
- #
- # Client local policy
@@ -27251,8 +27316,27 @@ index 9d2f311..9e87525 100644
- allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
- allow $2 user_sepgsql_view_t:db_view { create drop setattr };
- allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
-- ')
--
++########################################
++##
++## Execute the postgresql program in the postgresql domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## The role to allow the postgresql domain.
++##
++##
++##
++#
++interface(`postgresql_run',`
++ gen_require(`
++ type postgresql_t;
+ ')
+
- allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
- type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t;
- type_transition $2 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
@@ -27283,10 +27367,12 @@ index 9d2f311..9e87525 100644
-
- allow $2 sepgsql_trusted_proc_t:process transition;
- type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
++ postgresql_domtrans($1)
++ role $2 types postgresql_t;
')
########################################
-@@ -312,7 +243,7 @@ interface(`postgresql_search_db',`
+@@ -312,7 +268,7 @@ interface(`postgresql_search_db',`
type postgresql_db_t;
')
@@ -27295,7 +27381,7 @@ index 9d2f311..9e87525 100644
')
########################################
-@@ -324,14 +255,16 @@ interface(`postgresql_search_db',`
+@@ -324,14 +280,16 @@ interface(`postgresql_search_db',`
## Domain allowed access.
##
##
@@ -27315,7 +27401,7 @@ index 9d2f311..9e87525 100644
')
########################################
-@@ -354,6 +287,24 @@ interface(`postgresql_domtrans',`
+@@ -354,6 +312,24 @@ interface(`postgresql_domtrans',`
######################################
##
@@ -27340,7 +27426,7 @@ index 9d2f311..9e87525 100644
## Allow domain to signal postgresql
##
##
-@@ -421,7 +372,6 @@ interface(`postgresql_tcp_connect',`
+@@ -421,7 +397,6 @@ interface(`postgresql_tcp_connect',`
## Domain allowed access.
##
##
@@ -27348,7 +27434,7 @@ index 9d2f311..9e87525 100644
#
interface(`postgresql_stream_connect',`
gen_require(`
-@@ -432,6 +382,7 @@ interface(`postgresql_stream_connect',`
+@@ -432,6 +407,7 @@ interface(`postgresql_stream_connect',`
files_search_pids($1)
files_search_tmp($1)
@@ -27356,7 +27442,7 @@ index 9d2f311..9e87525 100644
')
########################################
-@@ -447,83 +398,10 @@ interface(`postgresql_stream_connect',`
+@@ -447,83 +423,10 @@ interface(`postgresql_stream_connect',`
#
interface(`postgresql_unpriv_client',`
gen_require(`
@@ -27440,7 +27526,7 @@ index 9d2f311..9e87525 100644
')
########################################
-@@ -547,6 +425,29 @@ interface(`postgresql_unconfined',`
+@@ -547,6 +450,29 @@ interface(`postgresql_unconfined',`
########################################
##
@@ -27470,7 +27556,7 @@ index 9d2f311..9e87525 100644
## All of the rules required to administrate an postgresql environment
##
##
-@@ -563,35 +464,41 @@ interface(`postgresql_unconfined',`
+@@ -563,35 +489,41 @@ interface(`postgresql_unconfined',`
#
interface(`postgresql_admin',`
gen_require(`
@@ -35033,7 +35119,7 @@ index bc0ffc8..37b8ea5 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..cf6add7 100644
+index 79a45f6..e176b9f 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@@ -35598,12 +35684,36 @@ index 79a45f6..cf6add7 100644
files_search_etc($1)
')
-@@ -1012,26 +1260,27 @@ interface(`init_read_state',`
+@@ -992,7 +1240,7 @@ interface(`init_run_daemon',`
+
+ ########################################
+ ##
+-## Read the process state (/proc/pid) of init.
++## Allow execute all init daemon executables type without transition.
+ ##
+ ##
+ ##
+@@ -1000,38 +1248,37 @@ interface(`init_run_daemon',`
+ ##
+ ##
+ #
+-interface(`init_read_state',`
++interface(`init_exec_notrans_direct_init_entry',`
+ gen_require(`
+- type init_t;
++ attribute direct_init_entry;
+ ')
+
+- allow $1 init_t:dir search_dir_perms;
+- allow $1 init_t:file read_file_perms;
+- allow $1 init_t:lnk_file read_lnk_file_perms;
++ allow $1 direct_init_entry:file execute_no_trans;
+ ')
########################################
##
-## Ptrace init
-+## Dontaudit read the process state (/proc/pid) of init.
++## Read the process state (/proc/pid) of init.
##
##
##
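Review bot: The new `init_exec_notrans_direct_init_entry` interface grants `execute_no_trans` on every file carrying the `direct_init_entry` attribute, and its summary line `## Allow execute all init daemon executables type without transition.` neither reads well nor says what that attribute covers or why no domain transition is wanted. Because execute_no_trans keeps the program in the caller's domain, anything given this attribute runs with the caller's privileges unless a type_transition for it fires first; the attribute's definition is not in this hunk, so that cannot be checked here. I would reword the summary to `## Execute files with the direct_init_entry attribute in the caller domain (no domain transition).` and add `## Only assign direct_init_entry to executables that are acceptable to run with the caller's privileges.` beneath it. The init.te hunk that adds `init_exec_notrans_direct_init_entry(init_t)` raises the same question and would benefit from a one-line comment naming the systemd behaviour that needs it.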
@@ -35613,52 +35723,54 @@ index 79a45f6..cf6add7 100644
-##
#
-interface(`init_ptrace',`
-+interface(`init_dontaudit_read_state',`
++interface(`init_read_state',`
gen_require(`
type init_t;
')
- allow $1 init_t:process ptrace;
-+ dontaudit $1 init_t:dir search_dir_perms;
-+ dontaudit $1 init_t:file read_file_perms;
-+ dontaudit $1 init_t:lnk_file read_lnk_file_perms;
++ allow $1 init_t:dir search_dir_perms;
++ allow $1 init_t:file read_file_perms;
++ allow $1 init_t:lnk_file read_lnk_file_perms;
')
########################################
##
-## Write an init script unnamed pipe.
-+## Read the process keyring of init.
++## Dontaudit read the process state (/proc/pid) of init.
##
##
##
-@@ -1039,17 +1288,17 @@ interface(`init_ptrace',`
+@@ -1039,17 +1286,19 @@ interface(`init_ptrace',`
##
##
#
-interface(`init_write_script_pipes',`
-+interface(`init_read_key',`
++interface(`init_dontaudit_read_state',`
gen_require(`
- type initrc_t;
+ type init_t;
')
- allow $1 initrc_t:fifo_file write;
-+ allow $1 init_t:key read;
++ dontaudit $1 init_t:dir search_dir_perms;
++ dontaudit $1 init_t:file read_file_perms;
++ dontaudit $1 init_t:lnk_file read_lnk_file_perms;
')
########################################
##
-## Get the attribute of init script entrypoint files.
-+## Write the process keyring of init.
++## Read the process keyring of init.
##
##
##
-@@ -1057,37 +1306,38 @@ interface(`init_write_script_pipes',`
+@@ -1057,18 +1306,17 @@ interface(`init_write_script_pipes',`
##
##
#
-interface(`init_getattr_script_files',`
-+interface(`init_write_key',`
++interface(`init_read_key',`
gen_require(`
- type initrc_exec_t;
+ type init_t;
@@ -35672,17 +35784,16 @@ index 79a45f6..cf6add7 100644
########################################
##
-## Read init scripts.
-+## Ptrace init
++## Write the process keyring of init.
##
##
##
- ## Domain allowed access.
+@@ -1076,37 +1324,38 @@ interface(`init_getattr_script_files',`
##
##
-+##
#
-interface(`init_read_script_files',`
-+interface(`init_ptrace',`
++interface(`init_write_key',`
gen_require(`
- type initrc_exec_t;
+ type init_t;
@@ -35690,69 +35801,84 @@ index 79a45f6..cf6add7 100644
- files_search_etc($1)
- allow $1 initrc_exec_t:file read_file_perms;
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 init_t:process ptrace;
-+ ')
++ allow $1 init_t:key read;
')
########################################
##
-## Execute init scripts in the caller domain.
-+## Write an init script unnamed pipe.
++## Ptrace init
##
##
##
-@@ -1095,18 +1345,17 @@ interface(`init_read_script_files',`
+ ## Domain allowed access.
##
##
++##
#
-interface(`init_exec_script_files',`
-+interface(`init_write_script_pipes',`
++interface(`init_ptrace',`
gen_require(`
- type initrc_exec_t;
-+ type initrc_t;
++ type init_t;
')
- files_list_etc($1)
- can_exec($1, initrc_exec_t)
-+ allow $1 initrc_t:fifo_file write;
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 init_t:process ptrace;
++ ')
')
########################################
##
-## Get the attribute of all init script entrypoint files.
-+## Get the attribute of init script entrypoint files.
++## Write an init script unnamed pipe.
##
##
##
-@@ -1114,18 +1363,18 @@ interface(`init_exec_script_files',`
+@@ -1114,7 +1363,82 @@ interface(`init_exec_script_files',`
##
##
#
-interface(`init_getattr_all_script_files',`
++interface(`init_write_script_pipes',`
++ gen_require(`
++ type initrc_t;
++ ')
++
++ allow $1 initrc_t:fifo_file write;
++')
++
++########################################
++##
++## Get the attribute of init script entrypoint files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`init_getattr_script_files',`
- gen_require(`
-- attribute init_script_file_type;
++ gen_require(`
+ type initrc_exec_t;
- ')
-
- files_list_etc($1)
-- allow $1 init_script_file_type:file getattr;
++ ')
++
++ files_list_etc($1)
+ allow $1 initrc_exec_t:file getattr;
- ')
-
- ########################################
- ##
--## Read all init script files.
++')
++
++########################################
++##
+## Read init scripts.
- ##
- ##
- ##
-@@ -1133,7 +1382,102 @@ interface(`init_getattr_all_script_files',`
- ##
- ##
- #
--interface(`init_read_all_script_files',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`init_read_script_files',`
+ gen_require(`
+ type initrc_exec_t;
@@ -35792,16 +35918,13 @@ index 79a45f6..cf6add7 100644
+##
+#
+interface(`init_getattr_all_script_files',`
-+ gen_require(`
-+ attribute init_script_file_type;
-+ ')
-+
-+ files_list_etc($1)
-+ allow $1 init_script_file_type:file getattr;
-+')
-+
-+########################################
-+##
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+@@ -1125,6 +1449,44 @@ interface(`init_getattr_all_script_files',`
+
+ ########################################
+ ##
+## Allow the specified domain to modify the systemd configuration of
+## all init scripts.
+##
@@ -35840,19 +35963,10 @@ index 79a45f6..cf6add7 100644
+
+########################################
+##
-+## Read all init script files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_read_all_script_files',`
- gen_require(`
- attribute init_script_file_type;
- ')
-@@ -1144,6 +1488,24 @@ interface(`init_read_all_script_files',`
+ ## Read all init script files.
+ ##
+ ##
+@@ -1144,6 +1506,24 @@ interface(`init_read_all_script_files',`
#######################################
##
@@ -35877,7 +35991,7 @@ index 79a45f6..cf6add7 100644
## Dontaudit read all init script files.
##
##
-@@ -1195,12 +1557,7 @@ interface(`init_read_script_state',`
+@@ -1195,12 +1575,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -35891,7 +36005,7 @@ index 79a45f6..cf6add7 100644
')
########################################
-@@ -1314,6 +1671,24 @@ interface(`init_signal_script',`
+@@ -1314,6 +1689,24 @@ interface(`init_signal_script',`
########################################
##
@@ -35916,7 +36030,7 @@ index 79a45f6..cf6add7 100644
## Send null signals to init scripts.
##
##
-@@ -1440,6 +1815,27 @@ interface(`init_dbus_send_script',`
+@@ -1440,6 +1833,27 @@ interface(`init_dbus_send_script',`
########################################
##
## Send and receive messages from
@@ -35944,7 +36058,7 @@ index 79a45f6..cf6add7 100644
## init scripts over dbus.
##
##
-@@ -1547,6 +1943,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1547,6 +1961,25 @@ interface(`init_getattr_script_status_files',`
########################################
##
@@ -35970,7 +36084,7 @@ index 79a45f6..cf6add7 100644
## Do not audit attempts to read init script
## status files.
##
-@@ -1605,6 +2020,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1605,6 +2038,24 @@ interface(`init_rw_script_tmp_files',`
########################################
##
@@ -35995,7 +36109,7 @@ index 79a45f6..cf6add7 100644
## Create files in a init script
## temporary data directory.
##
-@@ -1677,6 +2110,43 @@ interface(`init_read_utmp',`
+@@ -1677,6 +2128,43 @@ interface(`init_read_utmp',`
########################################
##
@@ -36039,7 +36153,7 @@ index 79a45f6..cf6add7 100644
## Do not audit attempts to write utmp.
##
##
-@@ -1765,7 +2235,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1765,7 +2253,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -36048,7 +36162,7 @@ index 79a45f6..cf6add7 100644
')
########################################
-@@ -1806,37 +2276,672 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1806,37 +2294,672 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
')
@@ -36057,23 +36171,33 @@ index 79a45f6..cf6add7 100644
##
-## Allow the specified domain to connect to daemon with a tcp socket
+## Allow search directory in the /run/systemd directory.
-+##
-+##
+ ##
+ ##
+-##
+-## Domain allowed access.
+-##
+##
+## Domain allowed access.
+##
-+##
-+#
+ ##
+ #
+-interface(`init_tcp_recvfrom_all_daemons',`
+- gen_require(`
+- attribute daemon;
+- ')
+interface(`init_search_pid_dirs',`
+ gen_require(`
+ type init_var_run_t;
+ ')
-+
+
+- corenet_tcp_recvfrom_labeled($1, daemon)
+ allow $1 init_var_run_t:dir search_dir_perms;
-+')
-+
+ ')
+
+-########################################
+######################################
-+##
+ ##
+-## Allow the specified domain to connect to daemon with a udp socket
+## Allow listing of the /run/systemd directory.
+##
+##
@@ -36137,7 +36261,7 @@ index 79a45f6..cf6add7 100644
##
##
#
--interface(`init_tcp_recvfrom_all_daemons',`
+-interface(`init_udp_recvfrom_all_daemons',`
- gen_require(`
- attribute daemon;
- ')
@@ -36145,25 +36269,22 @@ index 79a45f6..cf6add7 100644
+ gen_require(`
+ type init_var_run_t;
+ ')
-
-- corenet_tcp_recvfrom_labeled($1, daemon)
++
+ files_search_pids($1)
+ filetrans_pattern($1, init_var_run_t, $2, $3, $4)
- ')
-
--########################################
++')
++
+#######################################
- ##
--## Allow the specified domain to connect to daemon with a udp socket
++##
+## Create objects in /run/systemd directory
+## with an automatic type transition to
+## a specified private type.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
+##
+## The type of the object to create.
@@ -36179,14 +36300,11 @@ index 79a45f6..cf6add7 100644
+## The name of the object being created.
+##
+##
- #
--interface(`init_udp_recvfrom_all_daemons',`
++#
+interface(`init_named_pid_filetrans',`
- gen_require(`
-- attribute daemon;
++ gen_require(`
+ type init_var_run_t;
- ')
-- corenet_udp_recvfrom_labeled($1, daemon)
++ ')
+
+ files_search_pids($1)
+ filetrans_pattern($1, init_var_run_t, $2, $3, $4)
@@ -36224,8 +36342,8 @@ index 79a45f6..cf6add7 100644
+ gen_require(`
+ attribute daemon;
+ ')
-+ corenet_udp_recvfrom_labeled($1, daemon)
-+')
+ corenet_udp_recvfrom_labeled($1, daemon)
+ ')
+
+########################################
+##
@@ -36733,9 +36851,9 @@ index 79a45f6..cf6add7 100644
+
+ files_search_var_lib($1)
+ allow $1 init_var_lib_t:dir search_dir_perms;
- ')
++')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..f09c5ae 100644
+index 17eda24..0a4a187 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -36960,7 +37078,7 @@ index 17eda24..f09c5ae 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -155,29 +256,67 @@ fs_list_inotifyfs(init_t)
+@@ -155,29 +256,68 @@ fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
@@ -37003,6 +37121,7 @@ index 17eda24..f09c5ae 100644
# Run init scripts.
init_domtrans_script(init_t)
++init_exec_notrans_direct_init_entry(init_t)
libs_rw_ld_so_cache(init_t)
@@ -37033,7 +37152,7 @@ index 17eda24..f09c5ae 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +325,256 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +326,258 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -37168,6 +37287,8 @@ index 17eda24..f09c5ae 100644
+files_list_home(init_t)
+files_create_lock_dirs(init_t)
+files_relabel_all_lock_dirs(init_t)
++files_relabel_var_dirs(init_t)
++files_relabel_var_lib_dirs(init_t)
+files_read_kernel_modules(init_t)
+fs_getattr_all_fs(init_t)
+fs_manage_cgroup_dirs(init_t)
@@ -37299,7 +37420,7 @@ index 17eda24..f09c5ae 100644
')
optional_policy(`
-@@ -216,7 +582,30 @@ optional_policy(`
+@@ -216,7 +585,30 @@ optional_policy(`
')
optional_policy(`
@@ -37331,7 +37452,7 @@ index 17eda24..f09c5ae 100644
')
########################################
-@@ -225,9 +614,9 @@ optional_policy(`
+@@ -225,9 +617,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -37343,7 +37464,7 @@ index 17eda24..f09c5ae 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +647,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +650,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -37360,7 +37481,7 @@ index 17eda24..f09c5ae 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +672,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +675,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -37403,7 +37524,7 @@ index 17eda24..f09c5ae 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +709,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +712,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -37415,7 +37536,7 @@ index 17eda24..f09c5ae 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +721,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +724,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -37426,7 +37547,7 @@ index 17eda24..f09c5ae 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +732,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +735,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -37436,7 +37557,7 @@ index 17eda24..f09c5ae 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +741,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +744,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -37444,7 +37565,7 @@ index 17eda24..f09c5ae 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +748,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +751,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -37452,7 +37573,7 @@ index 17eda24..f09c5ae 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +756,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +759,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -37470,7 +37591,7 @@ index 17eda24..f09c5ae 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +774,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +777,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -37484,7 +37605,7 @@ index 17eda24..f09c5ae 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +789,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +792,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -37498,7 +37619,7 @@ index 17eda24..f09c5ae 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,8 +802,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +805,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -37509,7 +37630,7 @@ index 17eda24..f09c5ae 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +815,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +818,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -37517,7 +37638,7 @@ index 17eda24..f09c5ae 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +834,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +837,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -37541,7 +37662,7 @@ index 17eda24..f09c5ae 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +867,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +870,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -37549,7 +37670,7 @@ index 17eda24..f09c5ae 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +901,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +904,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -37560,7 +37681,7 @@ index 17eda24..f09c5ae 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +925,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +928,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -37569,7 +37690,7 @@ index 17eda24..f09c5ae 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +940,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +943,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -37577,7 +37698,7 @@ index 17eda24..f09c5ae 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +961,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +964,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -37585,7 +37706,7 @@ index 17eda24..f09c5ae 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +971,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +974,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -37630,7 +37751,7 @@ index 17eda24..f09c5ae 100644
')
optional_policy(`
-@@ -559,14 +1016,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1019,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -37662,7 +37783,7 @@ index 17eda24..f09c5ae 100644
')
')
-@@ -577,6 +1051,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1054,39 @@ ifdef(`distro_suse',`
')
')
@@ -37702,7 +37823,7 @@ index 17eda24..f09c5ae 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1096,8 @@ optional_policy(`
+@@ -589,6 +1099,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -37711,7 +37832,7 @@ index 17eda24..f09c5ae 100644
')
optional_policy(`
-@@ -610,6 +1119,7 @@ optional_policy(`
+@@ -610,6 +1122,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -37719,7 +37840,7 @@ index 17eda24..f09c5ae 100644
')
optional_policy(`
-@@ -626,6 +1136,17 @@ optional_policy(`
+@@ -626,6 +1139,17 @@ optional_policy(`
')
optional_policy(`
@@ -37737,7 +37858,7 @@ index 17eda24..f09c5ae 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1163,13 @@ optional_policy(`
+@@ -642,9 +1166,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -37751,7 +37872,7 @@ index 17eda24..f09c5ae 100644
')
optional_policy(`
-@@ -657,15 +1182,11 @@ optional_policy(`
+@@ -657,15 +1185,11 @@ optional_policy(`
')
optional_policy(`
@@ -37769,7 +37890,7 @@ index 17eda24..f09c5ae 100644
')
optional_policy(`
-@@ -686,6 +1207,15 @@ optional_policy(`
+@@ -686,6 +1210,15 @@ optional_policy(`
')
optional_policy(`
@@ -37785,7 +37906,7 @@ index 17eda24..f09c5ae 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1256,7 @@ optional_policy(`
+@@ -726,6 +1259,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -37793,7 +37914,7 @@ index 17eda24..f09c5ae 100644
')
optional_policy(`
-@@ -743,7 +1274,13 @@ optional_policy(`
+@@ -743,7 +1277,13 @@ optional_policy(`
')
optional_policy(`
@@ -37808,7 +37929,7 @@ index 17eda24..f09c5ae 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1303,10 @@ optional_policy(`
+@@ -766,6 +1306,10 @@ optional_policy(`
')
optional_policy(`
@@ -37819,7 +37940,7 @@ index 17eda24..f09c5ae 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1316,20 @@ optional_policy(`
+@@ -775,10 +1319,20 @@ optional_policy(`
')
optional_policy(`
@@ -37840,7 +37961,7 @@ index 17eda24..f09c5ae 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1338,10 @@ optional_policy(`
+@@ -787,6 +1341,10 @@ optional_policy(`
')
optional_policy(`
@@ -37851,7 +37972,7 @@ index 17eda24..f09c5ae 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1363,6 @@ optional_policy(`
+@@ -808,8 +1366,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -37860,7 +37981,7 @@ index 17eda24..f09c5ae 100644
')
optional_policy(`
-@@ -818,6 +1371,10 @@ optional_policy(`
+@@ -818,6 +1374,10 @@ optional_policy(`
')
optional_policy(`
@@ -37871,7 +37992,7 @@ index 17eda24..f09c5ae 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1384,12 @@ optional_policy(`
+@@ -827,10 +1387,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -37884,7 +38005,7 @@ index 17eda24..f09c5ae 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1416,62 @@ optional_policy(`
+@@ -857,21 +1419,62 @@ optional_policy(`
')
optional_policy(`
@@ -37948,7 +38069,7 @@ index 17eda24..f09c5ae 100644
')
optional_policy(`
-@@ -887,6 +1487,10 @@ optional_policy(`
+@@ -887,6 +1490,10 @@ optional_policy(`
')
optional_policy(`
@@ -37959,7 +38080,7 @@ index 17eda24..f09c5ae 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1501,218 @@ optional_policy(`
+@@ -897,3 +1504,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -48234,10 +48355,10 @@ index 0000000..ebd6cc8
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..8c07053
+index 0000000..7717a2b
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,931 @@
+@@ -0,0 +1,932 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -49120,6 +49241,7 @@ index 0000000..8c07053
+
+corenet_tcp_bind_llmnr_port(systemd_resolved_t)
+corenet_udp_bind_llmnr_port(systemd_resolved_t)
++corenet_tcp_connect_llmnr_port(systemd_resolved_t)
+
+dev_write_kmsg(systemd_resolved_t)
+dev_read_sysfs(systemd_resolved_t)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index e5b5dff..6657026 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -16593,10 +16593,10 @@ index 0000000..1cc5fa4
+')
diff --git a/conman.te b/conman.te
new file mode 100644
-index 0000000..bce21bf
+index 0000000..2357f3b
--- /dev/null
+++ b/conman.te
-@@ -0,0 +1,96 @@
+@@ -0,0 +1,97 @@
+policy_module(conman, 1.0.0)
+
+########################################
@@ -16646,6 +16646,7 @@ index 0000000..bce21bf
+allow conman_t self:tcp_socket { accept listen create_socket_perms };
+
+allow conman_t conman_unconfined_script_t:process sigkill;
++allow conman_t conman_unconfined_script_exec_t:dir list_dir_perms;
+
+manage_dirs_pattern(conman_t, conman_log_t, conman_log_t)
+manage_files_pattern(conman_t, conman_log_t, conman_log_t)
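Review bot: The added `allow conman_t conman_unconfined_script_exec_t:dir list_dir_perms;` uses a type named as an executable file type on the dir class, which is unusual and reads as if a whole directory is labelled with the entrypoint type. If the scripts' directory really carries `conman_unconfined_script_exec_t`, a comment such as `# script directory is labelled with the exec type; listing needed to find scripts` would stop the next reader from treating it as a mislabel; if it does not, the rule is a no-op and a dedicated content type for the directory would be cleaner. The .fc for conman is not in this hunk, so which case applies cannot be checked here.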
@@ -28762,7 +28763,7 @@ index c62c567..a74f123 100644
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
-index 98072a3..d5d852e 100644
+index 98072a3..18a2ef2 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
@@ -28806,7 +28807,7 @@ index 98072a3..d5d852e 100644
kernel_read_network_state(firewalld_t)
kernel_read_system_state(firewalld_t)
-@@ -63,20 +77,19 @@ dev_search_sysfs(firewalld_t)
+@@ -63,20 +77,20 @@ dev_search_sysfs(firewalld_t)
domain_use_interactive_fds(firewalld_t)
@@ -28830,10 +28831,11 @@ index 98072a3..d5d852e 100644
-sysnet_read_config(firewalld_t)
+sysnet_dns_name_resolve(firewalld_t)
++sysnet_manage_config_dirs(firewalld_t)
optional_policy(`
dbus_system_domain(firewalld_t, firewalld_exec_t)
-@@ -95,6 +108,10 @@ optional_policy(`
+@@ -95,6 +109,10 @@ optional_policy(`
')
optional_policy(`
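Review bot: The added `sysnet_manage_config_dirs(firewalld_t)` is a write grant on network configuration directories, placed directly after the read-only `sysnet_dns_name_resolve(firewalld_t)` with nothing explaining why a firewall daemon needs to create or remove entries there. Manage on that type is broader than the create/write of one specific path, so the reason matters for anyone later auditing what firewalld_t can alter. I would add `# NOTE(review): which path under the sysnet config dirs does firewalld create? — confirm and narrow if a filetrans would do` above the line. The enclosing rule block starts and ends outside the hunk.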
@@ -29529,7 +29531,7 @@ index 0000000..0d09fbd
+
+userdom_use_inherited_user_terminals(freqset_t)
diff --git a/ftp.fc b/ftp.fc
-index ddb75c1..44f74e6 100644
+index ddb75c1..f38075f 100644
--- a/ftp.fc
+++ b/ftp.fc
@@ -1,5 +1,8 @@
@@ -29541,6 +29543,14 @@ index ddb75c1..44f74e6 100644
/etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
+@@ -23,6 +26,7 @@
+
+ /var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0)
+ /var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
++/var/log/proftpd\.log -- gen_context(system_u:object_r:xferlog_t,s0)
+ /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
+ /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
+ /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
diff --git a/ftp.if b/ftp.if
index 4498143..84a4858 100644
--- a/ftp.if
@@ -36646,10 +36656,10 @@ index 0000000..d0016da
+')
diff --git a/hostapd.te b/hostapd.te
new file mode 100644
-index 0000000..54deae3
+index 0000000..438573d
--- /dev/null
+++ b/hostapd.te
-@@ -0,0 +1,52 @@
+@@ -0,0 +1,53 @@
+policy_module(hostapd, 1.0.0)
+
+########################################
@@ -36675,6 +36685,7 @@ index 0000000..54deae3
+allow hostapd_t self:fifo_file rw_fifo_file_perms;
+allow hostapd_t self:unix_stream_socket create_stream_socket_perms;
+allow hostapd_t self:netlink_socket create_socket_perms;
++allow hostapd_t self:netlink_generic_socket create_socket_perms;
+allow hostapd_t self:netlink_route_socket create_netlink_socket_perms;
+allow hostapd_t self:packet_socket create_socket_perms;
+
@@ -40775,10 +40786,10 @@ index 0000000..17126b6
+')
diff --git a/journalctl.te b/journalctl.te
new file mode 100644
-index 0000000..896cde4
+index 0000000..68dd2b7
--- /dev/null
+++ b/journalctl.te
-@@ -0,0 +1,46 @@
+@@ -0,0 +1,47 @@
+policy_module(journalctl, 1.0.0)
+
+########################################
@@ -40819,6 +40830,7 @@ index 0000000..896cde4
+miscfiles_read_localization(journalctl_t)
+
+logging_read_generic_logs(journalctl_t)
++logging_read_syslog_pid(journalctl_t)
+
+userdom_list_user_home_dirs(journalctl_t)
+userdom_read_user_home_content_files(journalctl_t)
@@ -49038,11 +49050,11 @@ index 0000000..0f290e9
+
diff --git a/mirrormanager.fc b/mirrormanager.fc
new file mode 100644
-index 0000000..c713b27
+index 0000000..abd53a4
--- /dev/null
+++ b/mirrormanager.fc
@@ -0,0 +1,7 @@
-+/usr/share/mirrormanager/server/mirrormanager -- gen_context(system_u:object_r:mirrormanager_exec_t,s0)
++/usr/share/mirrormanager/server/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_exec_t,s0)
+
+/var/lib/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_lib_t,s0)
+
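Review bot: Changing the mirrormanager pattern from `/usr/share/mirrormanager/server/mirrormanager --` to `/usr/share/mirrormanager/server/mirrormanager(/.*)?` drops the file-only qualifier and labels the directory and everything beneath it as `mirrormanager_exec_t`. Exec types are what domain transitions key on, so any data, config or library file under that tree becomes a potential entrypoint rather than ordinary content. If only the launcher scripts need the exec label, keeping a file-scoped pattern for them and giving the rest a content type would be the narrower labelling; whether the path is now a directory cannot be told from this hunk.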
@@ -53170,10 +53182,10 @@ index 65a246a..fa86320 100644
netutils_domtrans_ping(mrtg_t)
diff --git a/mta.fc b/mta.fc
-index f42896c..2cf0c23 100644
+index f42896c..fce39c1 100644
--- a/mta.fc
+++ b/mta.fc
-@@ -1,34 +1,41 @@
+@@ -1,34 +1,39 @@
-HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
@@ -53195,6 +53207,8 @@ index f42896c..2cf0c23 100644
-/etc/postfix/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0)
-
-/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+-/usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+-
+/etc/mail/.*\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
+ifdef(`distro_redhat',`
+/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
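Review bot: The reworked mta.fc hunk now removes the `/usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)` entry outright (the `+-` lines here and the context lines dropped in the following hunk), so mail and mailx fall back to whatever pattern otherwise covers /usr/bin and invoking them no longer yields the sendmail_exec_t entrypoint. If that is intended, a note in the commit message or a comment in the patch saying where those binaries are labelled instead would spare the next reader a search; if it is not, the line should stay. The destination of the labelling cannot be determined from the hunks shown.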
@@ -53207,8 +53221,6 @@ index f42896c..2cf0c23 100644
+/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+
+/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
/usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -59325,10 +59337,10 @@ index 0000000..409de8c
+')
diff --git a/ninfod.te b/ninfod.te
new file mode 100644
-index 0000000..d75c408
+index 0000000..b3aa3ce
--- /dev/null
+++ b/ninfod.te
-@@ -0,0 +1,35 @@
+@@ -0,0 +1,36 @@
+policy_module(ninfod, 1.0.0)
+
+########################################
@@ -59355,6 +59367,7 @@ index 0000000..d75c408
+allow ninfod_t self:fifo_file rw_fifo_file_perms;
+allow ninfod_t self:rawip_socket { create setopt };
+allow ninfod_t self:unix_stream_socket create_stream_socket_perms;
++allow ninfod_t self:rawip_socket read;
+
+manage_files_pattern(ninfod_t, ninfod_run_t, ninfod_run_t)
+files_pid_filetrans(ninfod_t,ninfod_run_t, { file })
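Review bot: The added `allow ninfod_t self:rawip_socket read;` duplicates the source, target and class of the rule two lines above, `allow ninfod_t self:rawip_socket { create setopt };`, so the permissions should be merged into one rule: `allow ninfod_t self:rawip_socket { create read setopt };`. Keeping raw-socket permissions in one place also makes it easier to see at a glance that the daemon can both create and read raw IP sockets.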
@@ -69117,7 +69130,7 @@ index d2fc677..86dce34 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 608f454..6a92354 100644
+index 608f454..bc31081 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@@ -69477,7 +69490,7 @@ index 608f454..6a92354 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +368,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,25 +368,26 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -69508,7 +69521,11 @@ index 608f454..6a92354 100644
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +394,21 @@ kernel_read_net_sysctls(pegasus_t)
++kernel_read_sysctl(pegasus_t)
+ kernel_read_fs_sysctls(pegasus_t)
+ kernel_read_system_state(pegasus_t)
+ kernel_search_vm_sysctl(pegasus_t)
+@@ -80,27 +395,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
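Review bot: `kernel_read_sysctl(pegasus_t)` is added without a comment, and nothing nearby says why the domain needs it; the changelog entry in this same commit ties it to reading /proc/sysinfo. A one-line comment such as `# read /proc/sysinfo` above the rule would keep that rationale next to the grant. pegasus_t already has `kernel_read_kernel_sysctls` on the adjacent context line, so it is worth confirming that `kernel_read_sysctl` is the interface that covers that file's label rather than a broader grant than intended.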
@@ -69541,7 +69558,7 @@ index 608f454..6a92354 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
-@@ -114,9 +422,11 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,9 +423,11 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -69553,7 +69570,7 @@ index 608f454..6a92354 100644
files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t)
-@@ -128,18 +438,29 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +439,29 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@@ -69575,21 +69592,21 @@ index 608f454..6a92354 100644
+optional_policy(`
+ dbus_system_bus_client(pegasus_t)
+ dbus_connect_system_bus(pegasus_t)
-+
-+ optional_policy(`
-+ networkmanager_dbus_chat(pegasus_t)
-+ ')
-+')
- optional_policy(`
- networkmanager_dbus_chat(pegasus_t)
- ')
++ optional_policy(`
++ networkmanager_dbus_chat(pegasus_t)
++ ')
++')
++
+optional_policy(`
+ rhcs_stream_connect_cluster(pegasus_t)
')
optional_policy(`
-@@ -151,16 +472,24 @@ optional_policy(`
+@@ -151,16 +473,24 @@ optional_policy(`
')
optional_policy(`
@@ -69618,7 +69635,7 @@ index 608f454..6a92354 100644
')
optional_policy(`
-@@ -168,7 +497,7 @@ optional_policy(`
+@@ -168,7 +498,7 @@ optional_policy(`
')
optional_policy(`
@@ -69627,7 +69644,7 @@ index 608f454..6a92354 100644
')
optional_policy(`
-@@ -180,6 +509,7 @@ optional_policy(`
+@@ -180,12 +510,17 @@ optional_policy(`
')
optional_policy(`
@@ -69635,6 +69652,16 @@ index 608f454..6a92354 100644
virt_domtrans(pegasus_t)
virt_stream_connect(pegasus_t)
virt_manage_config(pegasus_t)
+ ')
+
+ optional_policy(`
++ qemu_getattr_exec(pegasus_t)
++')
++
++optional_policy(`
+ xen_stream_connect(pegasus_t)
+ xen_stream_connect_xenstore(pegasus_t)
+ ')
diff --git a/pesign.fc b/pesign.fc
new file mode 100644
index 0000000..7b54c39
@@ -77508,10 +77535,10 @@ index 0000000..8231f4f
+')
diff --git a/prosody.te b/prosody.te
new file mode 100644
-index 0000000..3ef4a99
+index 0000000..71f9abb
--- /dev/null
+++ b/prosody.te
-@@ -0,0 +1,97 @@
+@@ -0,0 +1,98 @@
+policy_module(prosody, 1.0.0)
+
+########################################
@@ -77588,6 +77615,7 @@ index 0000000..3ef4a99
+corenet_tcp_bind_jabber_interserver_port(prosody_t)
+corenet_tcp_bind_jabber_router_port(prosody_t)
+corenet_tcp_bind_commplex_main_port(prosody_t)
++corenet_tcp_bind_fac_restore_port(prosody_t)
+
+tunable_policy(`prosody_bind_http_port',`
+ corenet_tcp_bind_http_port(prosody_t)
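Review bot: `corenet_tcp_bind_fac_restore_port(prosody_t)` is added unconditionally beside the jabber ports with no comment on what prosody serves there; the changelog only records that tcp/udp 5582 gains the fac_restore label in this release. A comment such as `# prosody also listens on fac_restore_port_t (tcp 5582)` would document the link between the two changes. If that listener is an optional prosody component, it may belong under a tunable like the `prosody_bind_http_port` block that follows, rather than being granted to every installation; that depends on prosody's configuration and is worth confirming.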
@@ -78923,7 +78951,7 @@ index 7cb8b1f..bef7217 100644
+ allow $1 puppet_var_run_t:dir search_dir_perms;
')
diff --git a/puppet.te b/puppet.te
-index 618dcfe..1cd6fca 100644
+index 618dcfe..67d166c 100644
--- a/puppet.te
+++ b/puppet.te
@@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0)
@@ -78985,7 +79013,7 @@ index 618dcfe..1cd6fca 100644
type puppetmaster_t;
type puppetmaster_exec_t;
-@@ -56,161 +62,162 @@ files_tmp_file(puppetmaster_tmp_t)
+@@ -56,161 +62,166 @@ files_tmp_file(puppetmaster_tmp_t)
########################################
#
@@ -79184,61 +79212,65 @@ index 618dcfe..1cd6fca 100644
+
+optional_policy(`
+ mysql_stream_connect(puppetagent_t)
++')
++
++optional_policy(`
++ postgresql_stream_connect(puppetagent_t)
++')
++
++optional_policy(`
++ cfengine_read_lib_files(puppetagent_t)
')
optional_policy(`
- cfengine_read_lib_files(puppet_t)
-+ postgresql_stream_connect(puppetagent_t)
++ consoletype_exec(puppetagent_t)
')
optional_policy(`
- consoletype_exec(puppet_t)
-+ cfengine_read_lib_files(puppetagent_t)
++ hostname_exec(puppetagent_t)
')
optional_policy(`
- hostname_exec(puppet_t)
-+ consoletype_exec(puppetagent_t)
++ mount_domtrans(puppetagent_t)
')
optional_policy(`
- mount_domtrans(puppet_t)
-+ hostname_exec(puppetagent_t)
++ mta_send_mail(puppetagent_t)
')
optional_policy(`
- mta_send_mail(puppet_t)
-+ mount_domtrans(puppetagent_t)
++ firewalld_dbus_chat(puppetagent_t)
')
optional_policy(`
- portage_domtrans(puppet_t)
- portage_domtrans_fetch(puppet_t)
- portage_domtrans_gcc_config(puppet_t)
-+ mta_send_mail(puppetagent_t)
++ portage_domtrans(puppetagent_t)
++ portage_domtrans_fetch(puppetagent_t)
++ portage_domtrans_gcc_config(puppetagent_t)
')
optional_policy(`
- files_rw_var_files(puppet_t)
-+ firewalld_dbus_chat(puppetagent_t)
-+')
++ files_rw_var_files(puppetagent_t)
- rpm_domtrans(puppet_t)
- rpm_manage_db(puppet_t)
- rpm_manage_log(puppet_t)
-+optional_policy(`
-+ portage_domtrans(puppetagent_t)
-+ portage_domtrans_fetch(puppetagent_t)
-+ portage_domtrans_gcc_config(puppetagent_t)
++ rpm_domtrans(puppetagent_t)
++ rpm_manage_db(puppetagent_t)
++ rpm_manage_log(puppetagent_t)
')
optional_policy(`
- unconfined_domain(puppet_t)
-+ files_rw_var_files(puppetagent_t)
-+
-+ rpm_domtrans(puppetagent_t)
-+ rpm_manage_db(puppetagent_t)
-+ rpm_manage_log(puppetagent_t)
++ shorewall_domtrans(puppetagent_t)
')
optional_policy(`
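Review bot: The new optional_policy block holding `shorewall_domtrans(puppetagent_t)` carries no comment on its use case, while the rest of this hunk is a reorder of existing blocks. A domain transition lets the agent run the shorewall domain with that domain's firewall-management privileges, so a short rationale, `# puppet agent may run shorewall to apply firewall configuration (PR #133)`, makes the grant easier to audit later. As far as the visible lines show, the reorder of the mysql/postgresql/cfengine blocks and the merge of the files_rw_var_files/rpm block leave the resulting policy unchanged.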
@@ -79264,7 +79296,7 @@ index 618dcfe..1cd6fca 100644
allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
-@@ -221,6 +228,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
+@@ -221,6 +232,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
allow puppetca_t puppet_var_run_t:dir search_dir_perms;
kernel_read_system_state(puppetca_t)
@@ -79272,7 +79304,7 @@ index 618dcfe..1cd6fca 100644
kernel_read_kernel_sysctls(puppetca_t)
corecmd_exec_bin(puppetca_t)
-@@ -229,15 +237,12 @@ corecmd_exec_shell(puppetca_t)
+@@ -229,15 +241,12 @@ corecmd_exec_shell(puppetca_t)
dev_read_urand(puppetca_t)
dev_search_sysfs(puppetca_t)
@@ -79288,7 +79320,7 @@ index 618dcfe..1cd6fca 100644
miscfiles_read_generic_certs(puppetca_t)
seutil_read_file_contexts(puppetca_t)
-@@ -246,38 +251,48 @@ optional_policy(`
+@@ -246,38 +255,48 @@ optional_policy(`
hostname_exec(puppetca_t)
')
@@ -79353,7 +79385,7 @@ index 618dcfe..1cd6fca 100644
kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
kernel_read_network_state(puppetmaster_t)
-@@ -289,23 +304,24 @@ corecmd_exec_bin(puppetmaster_t)
+@@ -289,23 +308,24 @@ corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
corenet_all_recvfrom_netlabel(puppetmaster_t)
@@ -79384,7 +79416,7 @@ index 618dcfe..1cd6fca 100644
selinux_validate_context(puppetmaster_t)
-@@ -314,26 +330,31 @@ auth_use_nsswitch(puppetmaster_t)
+@@ -314,26 +334,31 @@ auth_use_nsswitch(puppetmaster_t)
logging_send_syslog_msg(puppetmaster_t)
miscfiles_read_generic_certs(puppetmaster_t)
@@ -79421,7 +79453,7 @@ index 618dcfe..1cd6fca 100644
')
optional_policy(`
-@@ -342,3 +363,9 @@ optional_policy(`
+@@ -342,3 +367,9 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
@@ -80193,7 +80225,7 @@ index 86ea53c..a2dcf7b 100644
/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --git a/qemu.if b/qemu.if
-index eaf56b8..aa90671 100644
+index eaf56b8..8894726 100644
--- a/qemu.if
+++ b/qemu.if
@@ -1,19 +1,21 @@
@@ -80419,7 +80451,7 @@ index eaf56b8..aa90671 100644
##
##
##
-@@ -264,48 +239,68 @@ interface(`qemu_kill',`
+@@ -264,28 +239,68 @@ interface(`qemu_kill',`
########################################
##
@@ -80457,9 +80489,6 @@ index eaf56b8..aa90671 100644
- type unconfined_qemu_t, qemu_exec_t;
+ type qemu_exec_t;
')
--
-- corecmd_search_bin($1)
-- domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t)
+
+ read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t)
+ domain_transition_pattern($1, qemu_exec_t, $2)
@@ -80469,63 +80498,66 @@ index eaf56b8..aa90671 100644
+ allow $2 $1:fd use;
+ allow $2 $1:fifo_file rw_fifo_file_perms;
+ allow $2 $1:process sigchld;
++')
+
+- corecmd_search_bin($1)
+- domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t)
++########################################
++##
++## Execute qemu unconfined programs in the role.
++##
++##
++##
++## The role to allow the qemu unconfined domain.
++##
++##
++#
++interface(`qemu_unconfined_role',`
++ gen_require(`
++ type unconfined_qemu_t;
++ type qemu_t;
++ ')
++ role $1 types unconfined_qemu_t;
++ role $1 types qemu_t;
')
########################################
##
-## Create, read, write, and delete
-## qemu temporary directories.
-+## Execute qemu unconfined programs in the role.
++## Manage qemu temporary dirs.
##
--##
-+##
+ ##
##
--## Domain allowed access.
-+## The role to allow the qemu unconfined domain.
- ##
- ##
- #
--interface(`qemu_manage_tmp_dirs',`
-+interface(`qemu_unconfined_role',`
- gen_require(`
-- type qemu_tmp_t;
-+ type unconfined_qemu_t;
-+ type qemu_t;
+@@ -298,14 +313,12 @@ interface(`qemu_manage_tmp_dirs',`
+ type qemu_tmp_t;
')
--
+
- files_search_tmp($1)
-- manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
-+ role $1 types unconfined_qemu_t;
-+ role $1 types qemu_t;
+ manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
')
########################################
##
-## Create, read, write, and delete
-## qemu temporary files.
-+## Manage qemu temporary dirs.
++## Manage qemu temporary files.
##
##
##
-@@ -313,58 +308,41 @@ interface(`qemu_manage_tmp_dirs',`
- ##
- ##
- #
--interface(`qemu_manage_tmp_files',`
-+interface(`qemu_manage_tmp_dirs',`
- gen_require(`
+@@ -318,59 +331,42 @@ interface(`qemu_manage_tmp_files',`
type qemu_tmp_t;
')
- files_search_tmp($1)
-- manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
-+ manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
+ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
')
########################################
##
-## Execute qemu in a specified domain.
-+## Manage qemu temporary files.
++## Make qemu_exec_t an entrypoint for
++## the specified domain.
##
-##
-##
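Review bot: The summary for `qemu_unconfined_role` says "Execute qemu unconfined programs in the role", but the body grants the role both `unconfined_qemu_t` and `qemu_t`, so the confined qemu domain is covered as well. Rewording the summary, e.g. `## Allow the role to run the qemu and unconfined qemu domains.`, keeps the generated interface documentation accurate about what the role receives. The interface body is fully inside this hunk; only the surrounding doc blocks are split between this hunk and the next.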
@@ -80543,43 +80575,54 @@ index eaf56b8..aa90671 100644
-##
-##
-##
-+##
- ##
+-##
-## Domain to transition to.
-+## Domain allowed access.
- ##
+-##
++##
++##
++## The domain for which qemu_exec_t is an entrypoint.
++##
##
#
-interface(`qemu_spec_domtrans',`
-+interface(`qemu_manage_tmp_files',`
++interface(`qemu_entry_type',`
gen_require(`
-- type qemu_exec_t;
-+ type qemu_tmp_t;
+ type qemu_exec_t;
')
- corecmd_search_bin($1)
- domain_auto_trans($1, qemu_exec_t, $2)
-+ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
++ domain_entry_file($1, qemu_exec_t)
')
-######################################
-+########################################
++#######################################
##
-## Make qemu executable files an
-## entrypoint for the specified domain.
-+## Make qemu_exec_t an entrypoint for
-+## the specified domain.
++## Getattr on qemu executable.
##
##
-##
-## The domain for which qemu_exec_t is an entrypoint.
-##
-+##
-+## The domain for which qemu_exec_t is an entrypoint.
-+##
++##
++## Domain allowed to transition.
++##
##
#
- interface(`qemu_entry_type',`
+-interface(`qemu_entry_type',`
+- gen_require(`
+- type qemu_exec_t;
+- ')
++interface(`qemu_getattr_exec',`
++ gen_require(`
++ type qemu_exec_t;
++ ')
+
+- domain_entry_file($1, qemu_exec_t)
++ allow $1 qemu_exec_t:file getattr;
+ ')
diff --git a/qemu.te b/qemu.te
index 4f90743..958c0ef 100644
--- a/qemu.te
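Review bot: The parameter description of the new `qemu_getattr_exec` interface reads `## Domain allowed to transition.`, but the body only grants `allow $1 qemu_exec_t:file getattr;`, so no transition is involved; it should read `## Domain allowed access.` like the other interfaces in this file. The separator line added above the interface's doc block also appears to be one `#` shorter than the separators used elsewhere in the file. The interface is called from pegasus.te in this same commit, so the description is what callers will read.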
@@ -88301,7 +88344,7 @@ index 6dbc905..4b17c93 100644
- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a2..2e80d44 100644
+index d32e1a2..cb5f49c 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
@@ -88340,7 +88383,7 @@ index d32e1a2..2e80d44 100644
manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
-@@ -50,25 +56,87 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+@@ -50,25 +56,89 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
kernel_read_network_state(rhsmcertd_t)
@@ -88351,6 +88394,8 @@ index d32e1a2..2e80d44 100644
+corenet_tcp_connect_http_port(rhsmcertd_t)
+corenet_tcp_connect_http_cache_port(rhsmcertd_t)
+corenet_tcp_connect_squid_port(rhsmcertd_t)
++corenet_tcp_connect_netport_port(rhsmcertd_t)
++corenet_tcp_connect_websm_port(rhsmcertd_t)
corecmd_exec_bin(rhsmcertd_t)
+corecmd_exec_shell(rhsmcertd_t)
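Review bot: The added `corenet_tcp_connect_netport_port(rhsmcertd_t)` and `corenet_tcp_connect_websm_port(rhsmcertd_t)` widen the daemon's outbound reach with no comment, and the http/http_cache/squid entries above them are likewise unannotated. The changelog ties the two lines to tcp 9090 (presumably the websm port type) and to `netport_port_t`, but that mapping is lost once the changelog scrolls away. A trailing comment on each line naming the service rhsmcertd contacts on that port would make the growing list of connect permissions auditable in place.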
@@ -101382,10 +101427,10 @@ index 0919e0c..56a984b 100644
userdom_dontaudit_use_unpriv_user_fds(soundd_t)
diff --git a/spamassassin.fc b/spamassassin.fc
-index e9bd097..e059e27 100644
+index e9bd097..5724bcf 100644
--- a/spamassassin.fc
+++ b/spamassassin.fc
-@@ -1,20 +1,26 @@
+@@ -1,20 +1,27 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
-HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
+HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
@@ -101417,10 +101462,11 @@ index e9bd097..e059e27 100644
/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0)
-/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
++/usr/libexec/mimedefang-wrapper -- gen_context(system_u:object_r:spamd_exec_t,s0)
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
/var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0)
-@@ -25,7 +31,22 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
+@@ -25,7 +32,22 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
@@ -101901,10 +101947,10 @@ index 1499b0b..6950cab 100644
- spamassassin_role($2, $1)
')
diff --git a/spamassassin.te b/spamassassin.te
-index cc58e35..d20d0ed 100644
+index cc58e35..7e5c719 100644
--- a/spamassassin.te
+++ b/spamassassin.te
-@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1)
+@@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1)
##
##
@@ -101925,6 +101971,13 @@ index cc58e35..d20d0ed 100644
-gen_tunable(spamd_enable_home_dirs, false)
+gen_tunable(spamd_enable_home_dirs, true)
+
++##
++##
++## Allow spamd_update to connect to all ports.
++##
++##
++gen_tunable(spamd_update_can_network, false)
++
type spamd_update_t;
type spamd_update_exec_t;
@@ -101961,7 +102014,7 @@ index cc58e35..d20d0ed 100644
type spamd_t;
type spamd_exec_t;
-@@ -59,12 +32,6 @@ init_daemon_domain(spamd_t, spamd_exec_t)
+@@ -59,12 +39,6 @@ init_daemon_domain(spamd_t, spamd_exec_t)
type spamd_compiled_t;
files_type(spamd_compiled_t)
@@ -101974,7 +102027,7 @@ index cc58e35..d20d0ed 100644
type spamd_initrc_exec_t;
init_script_file(spamd_initrc_exec_t)
-@@ -72,87 +39,199 @@ type spamd_log_t;
+@@ -72,87 +46,199 @@ type spamd_log_t;
logging_log_file(spamd_log_t)
type spamd_spool_t;
@@ -102196,7 +102249,7 @@ index cc58e35..d20d0ed 100644
nis_use_ypbind_uncond(spamassassin_t)
')
')
-@@ -160,6 +239,8 @@ optional_policy(`
+@@ -160,6 +246,8 @@ optional_policy(`
optional_policy(`
mta_read_config(spamassassin_t)
sendmail_stub(spamassassin_t)
@@ -102205,7 +102258,7 @@ index cc58e35..d20d0ed 100644
')
########################################
-@@ -167,72 +248,95 @@ optional_policy(`
+@@ -167,72 +255,95 @@ optional_policy(`
# Client local policy
#
@@ -102309,20 +102362,20 @@ index cc58e35..d20d0ed 100644
-auth_use_nsswitch(spamc_t)
+fs_search_auto_mountpoints(spamc_t)
-+
-+libs_exec_ldconfig(spamc_t)
- logging_send_syslog_msg(spamc_t)
+-logging_send_syslog_msg(spamc_t)
++libs_exec_ldconfig(spamc_t)
-miscfiles_read_localization(spamc_t)
-+auth_use_nsswitch(spamc_t)
++logging_send_syslog_msg(spamc_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(spamc_t)
- fs_manage_nfs_files(spamc_t)
- fs_manage_nfs_symlinks(spamc_t)
-')
--
++auth_use_nsswitch(spamc_t)
+
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(spamc_t)
- fs_manage_cifs_files(spamc_t)
@@ -102332,7 +102385,7 @@ index cc58e35..d20d0ed 100644
optional_policy(`
abrt_stream_connect(spamc_t)
-@@ -243,6 +347,7 @@ optional_policy(`
+@@ -243,6 +354,7 @@ optional_policy(`
')
optional_policy(`
@@ -102340,7 +102393,7 @@ index cc58e35..d20d0ed 100644
evolution_stream_connect(spamc_t)
')
-@@ -251,11 +356,18 @@ optional_policy(`
+@@ -251,11 +363,18 @@ optional_policy(`
')
optional_policy(`
@@ -102360,7 +102413,7 @@ index cc58e35..d20d0ed 100644
')
optional_policy(`
-@@ -267,36 +379,40 @@ optional_policy(`
+@@ -267,36 +386,40 @@ optional_policy(`
########################################
#
@@ -102387,17 +102440,17 @@ index cc58e35..d20d0ed 100644
allow spamd_t self:unix_dgram_socket sendto;
-allow spamd_t self:unix_stream_socket { accept connectto listen };
-allow spamd_t self:tcp_socket { accept listen };
--
++allow spamd_t self:unix_stream_socket connectto;
++allow spamd_t self:tcp_socket create_stream_socket_perms;
++allow spamd_t self:udp_socket create_socket_perms;
+
-manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd")
-+allow spamd_t self:unix_stream_socket connectto;
-+allow spamd_t self:tcp_socket create_stream_socket_perms;
-+allow spamd_t self:udp_socket create_socket_perms;
-
+-
-manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
-manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
-manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
@@ -102418,7 +102471,7 @@ index cc58e35..d20d0ed 100644
logging_log_filetrans(spamd_t, spamd_log_t, file)
manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
-@@ -308,7 +424,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+@@ -308,7 +431,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
@@ -102428,7 +102481,7 @@ index cc58e35..d20d0ed 100644
manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
-@@ -317,12 +434,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -317,12 +441,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
@@ -102445,7 +102498,7 @@ index cc58e35..d20d0ed 100644
corenet_all_recvfrom_netlabel(spamd_t)
corenet_tcp_sendrecv_generic_if(spamd_t)
corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +450,60 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +457,60 @@ corenet_udp_sendrecv_generic_node(spamd_t)
corenet_tcp_sendrecv_all_ports(spamd_t)
corenet_udp_sendrecv_all_ports(spamd_t)
corenet_tcp_bind_generic_node(spamd_t)
@@ -102550,7 +102603,7 @@ index cc58e35..d20d0ed 100644
')
optional_policy(`
-@@ -421,21 +522,13 @@ optional_policy(`
+@@ -421,21 +529,13 @@ optional_policy(`
')
optional_policy(`
@@ -102574,7 +102627,7 @@ index cc58e35..d20d0ed 100644
')
optional_policy(`
-@@ -443,8 +536,8 @@ optional_policy(`
+@@ -443,8 +543,8 @@ optional_policy(`
')
optional_policy(`
@@ -102584,7 +102637,7 @@ index cc58e35..d20d0ed 100644
')
optional_policy(`
-@@ -455,7 +548,17 @@ optional_policy(`
+@@ -455,7 +555,17 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
razor_read_lib_files(spamd_t)
@@ -102603,7 +102656,7 @@ index cc58e35..d20d0ed 100644
')
optional_policy(`
-@@ -463,9 +566,9 @@ optional_policy(`
+@@ -463,9 +573,9 @@ optional_policy(`
')
optional_policy(`
@@ -102614,7 +102667,7 @@ index cc58e35..d20d0ed 100644
')
optional_policy(`
-@@ -474,32 +577,32 @@ optional_policy(`
+@@ -474,32 +584,32 @@ optional_policy(`
########################################
#
@@ -102640,24 +102693,24 @@ index cc58e35..d20d0ed 100644
-kernel_read_system_state(spamd_update_t)
+allow spamd_update_t spamc_home_t:dir search_dir_perms;
+allow spamd_update_t spamd_tmp_t:file read_file_perms;
++
++allow spamd_update_t spamc_home_t:dir search_dir_perms;
-corenet_all_recvfrom_unlabeled(spamd_update_t)
-corenet_all_recvfrom_netlabel(spamd_update_t)
-corenet_tcp_sendrecv_generic_if(spamd_update_t)
-corenet_tcp_sendrecv_generic_node(spamd_update_t)
-corenet_tcp_sendrecv_all_ports(spamd_update_t)
-+allow spamd_update_t spamc_home_t:dir search_dir_perms;
++kernel_read_system_state(spamd_update_t)
-corenet_sendrecv_http_client_packets(spamd_update_t)
-+kernel_read_system_state(spamd_update_t)
-+
+# for updating rules
corenet_tcp_connect_http_port(spamd_update_t)
-corenet_tcp_sendrecv_http_port(spamd_update_t)
corecmd_exec_bin(spamd_update_t)
corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +611,21 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +618,26 @@ dev_read_urand(spamd_update_t)
domain_use_interactive_fds(spamd_update_t)
@@ -102687,8 +102740,13 @@ index cc58e35..d20d0ed 100644
- mta_read_config(spamd_update_t)
+ gpg_domtrans(spamd_update_t)
+ gpg_manage_home_content(spamd_update_t)
- ')
++')
+
++tunable_policy(`spamd_update_can_network',`
++ corenet_sendrecv_all_client_packets(spamd_update_t)
++ corenet_tcp_connect_all_ports(spamd_update_t)
++ corenet_tcp_sendrecv_all_ports(spamd_update_t)
+ ')
diff --git a/speech-dispatcher.fc b/speech-dispatcher.fc
new file mode 100644
index 0000000..545f682
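Review bot: The new tunable_policy block for `spamd_update_can_network` grants `corenet_tcp_connect_all_ports(spamd_update_t)` with no comment on the use case, unlike the `# for updating rules` comment that explains the unconditional http connect rule earlier in this file. Because the boolean lets spamd_update_t reach every TCP port when enabled, a comment stating the intended scenario (presumably update channels served on non-standard ports; worth confirming with the reporter) helps administrators decide whether to turn it on. The declaration hunk earlier in the diff defaults the boolean to false, which is the right default for a grant this wide. The block is complete within this hunk.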
@@ -108753,7 +108811,7 @@ index e29db63..061fb98 100644
domain_system_change_exemption($1)
role_transition $2 tuned_initrc_exec_t system_r;
diff --git a/tuned.te b/tuned.te
-index 393a330..6893547 100644
+index 393a330..0691d4a 100644
--- a/tuned.te
+++ b/tuned.te
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -108818,7 +108876,7 @@ index 393a330..6893547 100644
corecmd_exec_bin(tuned_t)
corecmd_exec_shell(tuned_t)
-@@ -64,31 +78,60 @@ corecmd_exec_shell(tuned_t)
+@@ -64,35 +78,72 @@ corecmd_exec_shell(tuned_t)
dev_getattr_all_blk_files(tuned_t)
dev_getattr_all_chr_files(tuned_t)
dev_read_urand(tuned_t)
@@ -108879,11 +108937,15 @@ index 393a330..6893547 100644
mount_domtrans(tuned_t)
')
-+# to allow network interface tuning
optional_policy(`
++ policykit_dbus_chat(tuned_t)
++')
++
++# to allow network interface tuning
++optional_policy(`
sysnet_domtrans_ifconfig(tuned_t)
')
-@@ -96,3 +139,7 @@ optional_policy(`
+
optional_policy(`
unconfined_dbus_send(tuned_t)
')
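Review bot: `policykit_dbus_chat(tuned_t)` is added in its own optional_policy block without a comment, while the adjacent ifconfig block keeps its `# to allow network interface tuning` comment. The changelog states the change is required by cockpit; a line `# required by cockpit` above the new block records that next to the bidirectional D-Bus grant. The block is complete within this hunk.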
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3e5dd9d..b3718bc 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 197%{?dist}
+Release: 198%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -647,6 +647,42 @@ exit 0
%endif
%changelog
+* Wed Jun 22 2016 Lukas Vrabec 3.13.1-198
+- Allow firewalld_t to create entries in net_conf_t dirs.
+- Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals
+- Allow rhsmcertd connect to port tcp 9090
+- Label for /bin/mail(x) was removed but /usr/bin/mail(x) not. This path is also needed to remove.
+- Label /usr/libexec/mimedefang-wrapper as spamd_exec_t.
+- Add new boolean spamd_update_can_network.
+- Add proper label for /var/log/proftpd.log
+- Allow rhsmcertd connect to tcp netport_port_t
+- Fix SELinux context for /usr/share/mirrormanager/server/mirrormanager to Label all binaries under dir as mirrormanager_exec_t.
+- Allow prosody to bind to fac_restore tcp port.
+- Fix SELinux context for usr/share/mirrormanager/server/mirrormanager
+- Allow ninfod to read raw packets
+- Fix broken hostapd policy
+- Allow hostapd to create netlink_generic sockets. BZ(1343683)
+- Merge pull request #133 from vinzent/allow_puppet_transition_to_shorewall
+- Allow pegasus get attributes from qemu binary files.
+- Allow tuned to use policykit. This change is required by cockpit.
+- Allow conman_t to read dir with conman_unconfined_script_t binary files.
+- Allow pegasus to read /proc/sysinfo.
+- Allow puppet_t transtition to shorewall_t
+- Allow conman to kill conman_unconfined_script.
+- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals.
+- Merge remote-tracking branch 'refs/remotes/origin/rawhide-base' into rawhide-base
+- Allow systemd to execute all init daemon executables.
+- Add init_exec_notrans_direct_init_entry() interface.
+- Label tcp ports:16379, 26379 as redis_port_t
+- Allow systemd to relabel /var and /var/lib directories during boot.
+- Add files_relabel_var_dirs() and files_relabel_var_dirs() interfaces.
+- Add files_relabelto_var_lib_dirs() interface.
+- Label tcp and udp port 5582 as fac_restore_port_t
+- Allow sysadm_t user to run postgresql-setup.
+- Allow sysadm_t user to dbus chat with oddjob_t. This allows confined admin run oddjob mkhomedirfor script.
+- Allow systemd-resolved to connect to llmnr tcp port. BZ(1344849)
+- Allow passwd_t also manage user_tmp_t dirs, this change is needed by gnome-keyringd
+
* Thu Jun 16 2016 Lukas Vrabec 3.13.1-197
- Allow conman to kill conman_unconfined_script.
- Make conman_unconfined_script_t as init_system_domain.