diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index d2b48ca..45b20e7 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -2667,7 +2667,7 @@ index 99e3903..fa68362 100644
##
##
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1d732f1..1a53101 100644
+index 1d732f1..4aef39e 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t;
@@ -2896,11 +2896,12 @@ index 1d732f1..1a53101 100644
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
-@@ -352,6 +383,14 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -352,6 +383,15 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
+userdom_stream_connect(passwd_t)
++userdom_rw_stream(passwd_t)
+
+optional_policy(`
+ gnome_exec_keyringd(passwd_t)
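Review bot: `userdom_rw_stream(passwd_t)` on the added line grants the setuid passwd domain read/write on unix stream sockets owned by every user domain, and nothing records which caller hands such a socket in; the existing `userdom_stream_connect(passwd_t)` two lines up already covers sockets passwd opens itself, so the new rule is presumably for a socket inherited as stdio. Add a why-comment above it, e.g. `# passwd may be spawned with a user-owned stream socket as its stdio — TODO confirm against the AVC that motivated this`. The passwd_t policy section starts and ends outside this hunk.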
@@ -2911,7 +2912,7 @@ index 1d732f1..1a53101 100644
optional_policy(`
nscd_run(passwd_t, passwd_roles)
-@@ -401,9 +440,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -401,9 +441,10 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
@@ -2924,7 +2925,7 @@ index 1d732f1..1a53101 100644
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -416,7 +456,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -416,7 +457,6 @@ files_read_usr_files(sysadm_passwd_t)
domain_use_interactive_fds(sysadm_passwd_t)
@@ -2932,7 +2933,7 @@ index 1d732f1..1a53101 100644
files_relabel_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t)
# for nscd lookups
-@@ -426,12 +465,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+@@ -426,12 +466,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(sysadm_passwd_t)
@@ -2945,7 +2946,7 @@ index 1d732f1..1a53101 100644
userdom_use_unpriv_users_fds(sysadm_passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
-@@ -446,7 +482,8 @@ optional_policy(`
+@@ -446,7 +483,8 @@ optional_policy(`
# Useradd local policy
#
@@ -2955,7 +2956,7 @@ index 1d732f1..1a53101 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -461,6 +498,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -461,6 +499,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
@@ -2966,7 +2967,7 @@ index 1d732f1..1a53101 100644
# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)
-@@ -468,29 +509,28 @@ corecmd_exec_shell(useradd_t)
+@@ -468,29 +510,28 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -3006,7 +3007,7 @@ index 1d732f1..1a53101 100644
auth_run_chk_passwd(useradd_t, useradd_roles)
auth_rw_lastlog(useradd_t)
-@@ -498,6 +538,7 @@ auth_rw_faillog(useradd_t)
+@@ -498,6 +539,7 @@ auth_rw_faillog(useradd_t)
auth_use_nsswitch(useradd_t)
# these may be unnecessary due to the above
# domtrans_chk_passwd() call.
@@ -3014,7 +3015,7 @@ index 1d732f1..1a53101 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
-@@ -508,33 +549,32 @@ init_rw_utmp(useradd_t)
+@@ -508,33 +550,32 @@ init_rw_utmp(useradd_t)
logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t)
@@ -3059,7 +3060,7 @@ index 1d732f1..1a53101 100644
optional_policy(`
apache_manage_all_user_content(useradd_t)
')
-@@ -549,10 +589,19 @@ optional_policy(`
+@@ -549,10 +590,19 @@ optional_policy(`
')
optional_policy(`
@@ -3079,7 +3080,7 @@ index 1d732f1..1a53101 100644
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)
')
-@@ -562,3 +611,12 @@ optional_policy(`
+@@ -562,3 +612,12 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
@@ -5460,7 +5461,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..a19d634 100644
+index b191055..9ae3918 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5534,7 +5535,7 @@ index b191055..a19d634 100644
# reserved_port_t is the type of INET port numbers below 1024.
#
type reserved_port_t, port_type, reserved_port_type;
-@@ -84,55 +107,69 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
+@@ -84,55 +107,68 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
@@ -5553,7 +5554,6 @@ index b191055..a19d634 100644
network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
network_port(biff) # no defined portcon
network_port(certmaster, tcp,51235,s0)
-+network_port(cockpit, udp,1001,s0)
+network_port(collectd, udp,25826,s0)
network_port(chronyd, udp,323,s0)
network_port(clamd, tcp,3310,s0)
@@ -5612,7 +5612,7 @@ index b191055..a19d634 100644
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +177,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +176,53 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5651,6 +5651,7 @@ index b191055..a19d634 100644
+network_port(kerberos_admin, tcp,749,s0)
+network_port(kerberos_password, tcp,464,s0, udp,464,s0)
+network_port(keystone, tcp, 35357,s0, udp, 35357,s0)
++network_port(kubernetes, tcp, 10250,s0, tcp, 4001,s0, tcp, 4194,s0)
+network_port(rlogin, tcp,543,s0, tcp,2105,s0)
+network_port(rtsclient, tcp,2501,s0)
network_port(kprop, tcp,754,s0)
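Review bot: The added `network_port(kubernetes, tcp, 10250,s0, tcp, 4001,s0, tcp, 4194,s0)` appears to fold three listeners into one port type, and since `kube_domain_template` in the contrib patch grants `corenet_tcp_connect_kubernetes_port` to every kube domain, each of them can reach all three ports. If 4001 is the etcd client port (kube_etcd_t binds the kubernetes port later in this series), a separate etcd port type would keep the datastore reachable only by the domains that need it. The spaces after `tcp,` also differ from the surrounding `network_port` lines; `tcp,10250,s0` is the file's form.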
@@ -17457,7 +17458,7 @@ index 7be4ddf..71e675a 100644
+/sys/class/net/ib.* -- gen_context(system_u:object_r:sysctl_net_t,s0)
+/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..fb8a1f1 100644
+index e100d88..5a45858 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@@ -17621,7 +17622,32 @@ index e100d88..fb8a1f1 100644
## Allow caller to get the attributes of kernel message
## interface (/proc/kmsg).
##
-@@ -1477,6 +1565,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1458,6 +1546,24 @@ interface(`kernel_list_all_proc',`
+
+ ########################################
+ ##
++## Allow attempts to mounton all proc directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_mounton_all_proc',`
++ gen_require(`
++ attribute proc_type;
++ ')
++
++ allow $1 proc_type:dir mounton;
++')
++
++########################################
++##
+ ## Do not audit attempts to list all proc directories.
+ ##
+ ##
+@@ -1477,6 +1583,24 @@ interface(`kernel_dontaudit_list_all_proc',`
########################################
##
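Review bot: The new `kernel_mounton_all_proc` interface grants `mounton` over every `proc_type` directory, which lets the caller overlay any proc directory, yet its summary reads like a routine accessor; it should say this is a broad permission intended for domains that set up namespaces (the only caller in this series is docker_t). Suggest `## Allow mounting over all proc directories. Broad: the caller can overlay any proc directory; intended for namespace/container setup.` The same applies to `kernel_mounton_all_sysctls` added in the hunk at `@@ -17744,16 +17770,37 @@`.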
@@ -17646,7 +17672,7 @@ index e100d88..fb8a1f1 100644
## Do not audit attempts by caller to search
## the base directory of sysctls.
##
-@@ -1672,7 +1778,7 @@ interface(`kernel_read_net_sysctls',`
+@@ -1672,7 +1796,7 @@ interface(`kernel_read_net_sysctls',`
')
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@@ -17655,7 +17681,7 @@ index e100d88..fb8a1f1 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
-@@ -1693,7 +1799,7 @@ interface(`kernel_rw_net_sysctls',`
+@@ -1693,7 +1817,7 @@ interface(`kernel_rw_net_sysctls',`
')
rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@@ -17664,7 +17690,7 @@ index e100d88..fb8a1f1 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
-@@ -1715,7 +1821,6 @@ interface(`kernel_read_unix_sysctls',`
+@@ -1715,7 +1839,6 @@ interface(`kernel_read_unix_sysctls',`
')
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
@@ -17672,7 +17698,7 @@ index e100d88..fb8a1f1 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
-@@ -1750,16 +1855,9 @@ interface(`kernel_rw_unix_sysctls',`
+@@ -1750,16 +1873,9 @@ interface(`kernel_rw_unix_sysctls',`
## Domain allowed access.
##
##
@@ -17690,7 +17716,7 @@ index e100d88..fb8a1f1 100644
')
########################################
-@@ -1771,16 +1869,9 @@ interface(`kernel_read_hotplug_sysctls',`
+@@ -1771,16 +1887,9 @@ interface(`kernel_read_hotplug_sysctls',`
## Domain allowed access.
##
##
@@ -17708,7 +17734,7 @@ index e100d88..fb8a1f1 100644
')
########################################
-@@ -1792,16 +1883,9 @@ interface(`kernel_rw_hotplug_sysctls',`
+@@ -1792,16 +1901,9 @@ interface(`kernel_rw_hotplug_sysctls',`
## Domain allowed access.
##
##
@@ -17726,7 +17752,7 @@ index e100d88..fb8a1f1 100644
')
########################################
-@@ -1813,16 +1897,9 @@ interface(`kernel_read_modprobe_sysctls',`
+@@ -1813,16 +1915,9 @@ interface(`kernel_read_modprobe_sysctls',`
## Domain allowed access.
##
##
@@ -17744,16 +17770,37 @@ index e100d88..fb8a1f1 100644
')
########################################
-@@ -2085,7 +2162,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,9 +2180,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
- dontaudit $1 sysctl_type:file getattr;
+ dontaudit $1 sysctl_type:file read_file_perms;
++')
++
++########################################
++##
++## Allow attempts to mounton all sysctl directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_mounton_all_sysctls',`
++ gen_require(`
++ attribute sysctl_type;
++ ')
++
++ allow $1 sysctl_type:dir mounton;
')
++
########################################
-@@ -2282,6 +2359,25 @@ interface(`kernel_list_unlabeled',`
+ ##
+ ## Allow caller to read all sysctls.
+@@ -2282,6 +2396,25 @@ interface(`kernel_list_unlabeled',`
########################################
##
@@ -17779,7 +17826,7 @@ index e100d88..fb8a1f1 100644
## Read the process state (/proc/pid) of all unlabeled_t.
##
##
-@@ -2306,7 +2402,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2439,7 @@ interface(`kernel_read_unlabeled_state',`
##
##
##
@@ -17788,7 +17835,7 @@ index e100d88..fb8a1f1 100644
##
##
#
-@@ -2488,6 +2584,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2621,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
##
@@ -17813,7 +17860,7 @@ index e100d88..fb8a1f1 100644
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
##
-@@ -2525,6 +2639,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2676,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
########################################
##
@@ -17838,7 +17885,7 @@ index e100d88..fb8a1f1 100644
## Allow caller to relabel unlabeled files.
##
##
-@@ -2667,6 +2799,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2667,6 +2836,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
##
@@ -17863,7 +17910,7 @@ index e100d88..fb8a1f1 100644
## Receive TCP packets from an unlabeled connection.
##
##
-@@ -2694,6 +2844,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2694,6 +2881,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
##
@@ -17889,7 +17936,7 @@ index e100d88..fb8a1f1 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
##
-@@ -2803,6 +2972,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2803,6 +3009,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@@ -17923,10 +17970,11 @@ index e100d88..fb8a1f1 100644
########################################
##
-@@ -2958,6 +3154,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2958,7 +3191,25 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
##
+-## Unconfined access to kernel module resources.
+## Relabel to unlabeled context .
+##
+##
@@ -17945,10 +17993,11 @@ index e100d88..fb8a1f1 100644
+
+########################################
+##
- ## Unconfined access to kernel module resources.
++## Unconfined access to kernel module resources.
##
##
-@@ -2972,5 +3186,565 @@ interface(`kernel_unconfined',`
+ ##
+@@ -2972,5 +3223,565 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -34282,10 +34331,10 @@ index 312cd04..3c62b4c 100644
+userdom_use_inherited_user_terminals(setkey_t)
+userdom_read_user_tmp_files(setkey_t)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 73a1c4e..ef41ebe 100644
+index 73a1c4e..af8050d 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
-@@ -1,22 +1,35 @@
+@@ -1,22 +1,39 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
@@ -34293,13 +34342,17 @@ index 73a1c4e..ef41ebe 100644
+/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/lib/systemd/system/arptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+/usr/lib/systemd/system/iptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+/usr/lib/systemd/system/ip6tables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+/usr/lib/systemd/system/ipset.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
++
+/usr/libexec/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
+/sbin/arptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/arptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/arptables-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
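Review bot: The hunk inserts a second consecutive blank line (the lone `++` line after the ipset unit entry) into iptables.fc; a single separator is the file's pattern, so drop it. The arptables-restore and arptables-save entries otherwise follow the existing ebtables-restore entry's form.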
@@ -36767,7 +36820,7 @@ index 58bc27f..f5ae583 100644
+')
+
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 79048c4..f505f63 100644
+index 79048c4..a7040f1 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -36851,7 +36904,7 @@ index 79048c4..f505f63 100644
ccs_stream_connect(clvmd_t)
')
-@@ -170,6 +181,7 @@ dontaudit lvm_t self:capability sys_tty_config;
+@@ -170,15 +181,22 @@ dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
# LVM will complain a lot if it cannot set its priority.
allow lvm_t self:process setsched;
@@ -36859,7 +36912,10 @@ index 79048c4..f505f63 100644
allow lvm_t self:file rw_file_perms;
allow lvm_t self:fifo_file manage_fifo_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms;
-@@ -179,6 +191,11 @@ allow lvm_t self:sem create_sem_perms;
++allow lvm_t self:socket create_socket_perms;
+ allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow lvm_t self:sem create_sem_perms;
+
allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
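Review bot: `allow lvm_t self:socket create_socket_perms;` uses the generic `socket` class, which is the fallback for address families without a dedicated object class, so the rule says nothing about which socket lvm actually needs and will also cover any future family that lands in the generic class. Record the family the denial came from, e.g. `# generic socket class: <family from AVC> — TODO confirm`, and switch to the specific class if one exists. The lvm_t self-access rules continue outside this hunk.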
@@ -36871,7 +36927,7 @@ index 79048c4..f505f63 100644
manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir })
-@@ -191,10 +208,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
+@@ -191,10 +209,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
can_exec(lvm_t, lvm_exec_t)
# Creating lock files
@@ -36884,7 +36940,7 @@ index 79048c4..f505f63 100644
manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
-@@ -202,8 +221,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
+@@ -202,8 +222,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
@@ -36896,7 +36952,7 @@ index 79048c4..f505f63 100644
read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
-@@ -220,6 +241,7 @@ kernel_read_kernel_sysctls(lvm_t)
+@@ -220,6 +242,7 @@ kernel_read_kernel_sysctls(lvm_t)
# it has no reason to need this
kernel_dontaudit_getattr_core_if(lvm_t)
kernel_use_fds(lvm_t)
@@ -36904,7 +36960,7 @@ index 79048c4..f505f63 100644
kernel_search_debugfs(lvm_t)
corecmd_exec_bin(lvm_t)
-@@ -230,11 +252,13 @@ dev_delete_generic_dirs(lvm_t)
+@@ -230,11 +253,13 @@ dev_delete_generic_dirs(lvm_t)
dev_read_rand(lvm_t)
dev_read_urand(lvm_t)
dev_rw_lvm_control(lvm_t)
@@ -36919,7 +36975,7 @@ index 79048c4..f505f63 100644
# cjp: this has no effect since LVM does not
# have lnk_file relabelto for anything else.
# perhaps this should be blk_files?
-@@ -246,6 +270,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
+@@ -246,6 +271,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
dev_dontaudit_getattr_generic_blk_files(lvm_t)
dev_dontaudit_getattr_generic_pipes(lvm_t)
dev_create_generic_dirs(lvm_t)
@@ -36927,7 +36983,7 @@ index 79048c4..f505f63 100644
domain_use_interactive_fds(lvm_t)
domain_read_all_domains_state(lvm_t)
-@@ -255,17 +280,21 @@ files_read_etc_files(lvm_t)
+@@ -255,17 +281,21 @@ files_read_etc_files(lvm_t)
files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(lvm_t)
@@ -36950,7 +37006,7 @@ index 79048c4..f505f63 100644
selinux_get_fs_mount(lvm_t)
selinux_validate_context(lvm_t)
-@@ -285,7 +314,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
+@@ -285,7 +315,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
@@ -36959,7 +37015,7 @@ index 79048c4..f505f63 100644
init_use_fds(lvm_t)
init_dontaudit_getattr_initctl(lvm_t)
-@@ -293,15 +322,22 @@ init_use_script_ptys(lvm_t)
+@@ -293,15 +323,22 @@ init_use_script_ptys(lvm_t)
init_read_script_state(lvm_t)
logging_send_syslog_msg(lvm_t)
@@ -36983,7 +37039,7 @@ index 79048c4..f505f63 100644
ifdef(`distro_redhat',`
# this is from the initrd:
-@@ -313,6 +349,11 @@ ifdef(`distro_redhat',`
+@@ -313,6 +350,11 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -36995,7 +37051,7 @@ index 79048c4..f505f63 100644
bootloader_rw_tmp_files(lvm_t)
')
-@@ -333,14 +374,34 @@ optional_policy(`
+@@ -333,14 +375,34 @@ optional_policy(`
')
optional_policy(`
@@ -42685,10 +42741,10 @@ index 0000000..d2a8fc7
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..e2c527a
+index 0000000..08a4e91
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,685 @@
+@@ -0,0 +1,686 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -42787,6 +42843,7 @@ index 0000000..e2c527a
+
+fs_mount_tmpfs(systemd_logind_t)
+fs_unmount_tmpfs(systemd_logind_t)
++fs_list_tmpfs(systemd_logind_t)
+fs_manage_fusefs_dirs(systemd_logind_t)
+fs_manage_fusefs_files(systemd_logind_t)
+
@@ -44765,7 +44822,7 @@ index db75976..8f5380f 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..d193211 100644
+index 9dc60c6..72d01d2 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -48054,7 +48111,7 @@ index 9dc60c6..d193211 100644
## Create keys for all user domains.
##
##
-@@ -3435,4 +4477,1666 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4477,1684 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@@ -48586,7 +48643,7 @@ index 9dc60c6..d193211 100644
+########################################
+##
+## Do not audit attempts to read and write
-+## unserdomain stream.
++## userdomain stream.
+##
+##
+##
@@ -48604,6 +48661,24 @@ index 9dc60c6..d193211 100644
+
+########################################
+##
++## Read and write userdomain stream.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_rw_stream',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:unix_stream_socket rw_socket_perms;
++')
++
++########################################
++##
+## Do not audit attempts to read and write
+## unserdomain datagram socket.
+##
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 5e8f985..610c051 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -3618,7 +3618,7 @@ index 7caefc3..7e70f67 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
-index f6eb485..9eba5f5 100644
+index f6eb485..499800e 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
@@ -4085,7 +4085,13 @@ index f6eb485..9eba5f5 100644
##
##
##
-@@ -372,8 +413,8 @@ interface(`apache_dontaudit_rw_stream_sockets',`
+@@ -367,13 +408,13 @@ interface(`apache_dontaudit_rw_stream_sockets',`
+ type httpd_t;
+ ')
+
+- dontaudit $1 httpd_t:unix_stream_socket { read write };
++ dontaudit $1 httpd_t:unix_stream_socket { getattr read write };
+ ')
########################################
##
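Review bot: Adding `getattr` to the dontaudit set in `apache_dontaudit_rw_stream_sockets` silences one more denial without the interface summary saying so, and summaries of dontaudit interfaces are what a reader relies on to know which AVCs are being hidden. Either extend the summary (`## Do not audit attempts to get attributes of, read, or write apache stream sockets.`) or note it in a comment on the line. The same `{ getattr read write }` change recurs in the hunks at `@@ -4679,6 +4685,15 @@` and `@@ -4972,7 +4987,7 @@`.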
@@ -4241,11 +4247,10 @@ index f6eb485..9eba5f5 100644
apache_domtrans_helper($1)
- roleattribute $2 httpd_helper_roles;
+ role $2 types httpd_helper_t;
- ')
-
- ########################################
- ##
--## Read httpd log files.
++')
++
++########################################
++##
+## dontaudit attempts to read
+## apache log files.
+##
@@ -4263,10 +4268,11 @@ index f6eb485..9eba5f5 100644
+
+ dontaudit $1 httpd_log_t:file read_file_perms;
+ dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read httpd log files.
+## Allow the specified domain to read
+## apache log files.
##
@@ -4547,11 +4553,31 @@ index f6eb485..9eba5f5 100644
-########################################
+######################################
++##
++## Allow the specified domain to read
++## apache system content rw files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`apache_read_sys_content_rw_files',`
++ gen_require(`
++ type httpd_sys_rw_content_t;
++ ')
++
++ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++')
++
++######################################
##
-## Create, read, write, and delete
-## httpd system rw content.
+## Allow the specified domain to read
-+## apache system content rw files.
++## apache system content rw dirs.
##
##
##
@@ -4561,32 +4587,12 @@ index f6eb485..9eba5f5 100644
+##
#
-interface(`apache_manage_sys_rw_content',`
-+interface(`apache_read_sys_content_rw_files',`
++interface(`apache_read_sys_content_rw_dirs',`
gen_require(`
type httpd_sys_rw_content_t;
')
- apache_search_sys_content($1)
-+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+')
-+
-+######################################
-+##
-+## Allow the specified domain to read
-+## apache system content rw dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`apache_read_sys_content_rw_dirs',`
-+ gen_require(`
-+ type httpd_sys_rw_content_t;
-+ ')
-+
+ list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
@@ -4679,6 +4685,15 @@ index f6eb485..9eba5f5 100644
##
##
##
+@@ -916,7 +1122,7 @@ interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
+ type httpd_sys_script_t;
+ ')
+
+- dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
++ dontaudit $1 httpd_sys_script_t:unix_stream_socket { getattr read write };
+ ')
+
+ ########################################
@@ -941,7 +1147,7 @@ interface(`apache_domtrans_all_scripts',`
########################################
##
@@ -4972,7 +4987,7 @@ index f6eb485..9eba5f5 100644
+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit $1 httpd_t:tcp_socket { read write };
+ dontaudit $1 httpd_t:unix_dgram_socket { read write };
-+ dontaudit $1 httpd_t:unix_stream_socket { read write };
++ dontaudit $1 httpd_t:unix_stream_socket { getattr read write };
+ dontaudit $1 httpd_tmp_t:file { read write };
+')
+
@@ -13804,10 +13819,10 @@ index 0000000..573dcae
+')
diff --git a/cockpit.te b/cockpit.te
new file mode 100644
-index 0000000..cc6201d
+index 0000000..4c9b3b1
--- /dev/null
+++ b/cockpit.te
-@@ -0,0 +1,89 @@
+@@ -0,0 +1,85 @@
+policy_module(cockpit, 1.0.0)
+
+########################################
@@ -13845,11 +13860,7 @@ index 0000000..cc6201d
+dev_read_urand(cockpit_ws_t) # for authkey
+dev_read_rand(cockpit_ws_t) # for libssh
+
-+# cockpit-ws can read from the cockpit port
-+# TODO: disable this until we have it in our f20 selinux-policy-targeted
-+# corenet_tcp_bind_cockpit_port(cockpit_ws_t)
-+#allow cockpit_ws_t init_t:tcp_socket accept;
-+corenet_tcp_bind_all_reserved_ports(cockpit_ws_t)
++corenet_tcp_bind_websm_port(cockpit_ws_t)
+
+# cockpit-ws can connect to other hosts via ssh
+corenet_tcp_connect_ssh_port(cockpit_ws_t)
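Review bot: Replacing `corenet_tcp_bind_all_reserved_ports` with `corenet_tcp_bind_websm_port` narrows cockpit-ws to one port type, but the removed TODO was the only explanation of the bind, the new line has none, and `websm_port` is a port type named for a different service. Add a comment such as `# cockpit-ws listens on the websm port type (shared with websm); the dedicated cockpit port definition was dropped from base` so the next reader knows the sharing is deliberate and matches the removal of `network_port(cockpit, ...)` in the base patch.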
@@ -24559,10 +24570,10 @@ index 0000000..76eb32e
+')
diff --git a/docker.te b/docker.te
new file mode 100644
-index 0000000..dfb6b04
+index 0000000..ef1b924
--- /dev/null
+++ b/docker.te
-@@ -0,0 +1,278 @@
+@@ -0,0 +1,280 @@
+policy_module(docker, 1.0.0)
+
+########################################
@@ -24672,7 +24683,7 @@ index 0000000..dfb6b04
+manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
+files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file })
+
-+allow docker_t docker_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
++allow docker_t docker_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
+term_create_pty(docker_t, docker_devpts_t)
+
+kernel_read_system_state(docker_t)
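Review bot: `relabelfrom` is added for docker_t on docker_devpts_t chr_file with no comment, and no matching `relabelto` target appears in the hunk, so a reader cannot tell which label the container pty is moved to or why. Add e.g. `# docker relabels container ptys away from docker_devpts_t — TODO name the relabelto target` above the line. The docker_t policy continues outside this hunk.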
@@ -24755,6 +24766,8 @@ index 0000000..dfb6b04
+kernel_get_sysvipc_info(docker_t)
+kernel_request_load_module(docker_t)
+kernel_mounton_messages(docker_t)
++kernel_mounton_all_proc(docker_t)
++kernel_mounton_all_sysctls(docker_t)
+
+dev_getattr_all(docker_t)
+dev_getattr_sysfs_fs(docker_t)
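Review bot: `kernel_mounton_all_proc(docker_t)` and `kernel_mounton_all_sysctls(docker_t)` let the daemon overlay any proc or sysctl directory, and the lines carry no justification; presumably this is for masking proc and sys paths inside container namespaces. A why-comment, e.g. `# container setup mounts over proc and sysctl paths to mask them inside the namespace — TODO confirm`, ties the broad grant to its purpose. The docker_t block continues outside this hunk.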
@@ -39659,6 +39672,152 @@ index c5548c5..1356fcb 100644
-miscfiles_read_localization(ktalkd_t)
+userdom_use_user_ptys(ktalkd_t)
+userdom_use_user_ttys(ktalkd_t)
+diff --git a/kubernetes.fc b/kubernetes.fc
+new file mode 100644
+index 0000000..9d05b4a
+--- /dev/null
++++ b/kubernetes.fc
+@@ -0,0 +1,15 @@
++/usr/lib/systemd/system/kubelet.* -- gen_context(system_u:object_r:kube_kubelet_unit_file_t,s0)
++/usr/lib/systemd/system/kube-apiserver.* -- gen_context(system_u:object_r:kube_apiserver_unit_file_t,s0)
++/usr/lib/systemd/system/kube-controller-manager.* -- gen_context(system_u:object_r:kube_controller_unit_file_t,s0)
++/usr/lib/systemd/system/kube-proxy.* -- gen_context(system_u:object_r:kube_proxy_unit_file_t,s0)
++/usr/lib/systemd/system/etcd.* -- gen_context(system_u:object_r:kube_etcd_unit_file_t,s0)
++
++/usr/bin/kubelet -- gen_context(system_u:object_r:kube_kubelet_exec_t,s0)
++/usr/bin/kube-apiserver -- gen_context(system_u:object_r:kube_apiserver_exec_t,s0)
++/usr/bin/kube-controller-manager -- gen_context(system_u:object_r:kube_controller_exec_t,s0)
++/usr/bin/kube-proxy -- gen_context(system_u:object_r:kube_proxy_exec_t,s0)
++/usr/bin/kubecfg -- gen_context(system_u:object_r:kube_kubecfg_exec_t,s0)
++/usr/bin/etcd -- gen_context(system_u:object_r:kube_etcd_exec_t,s0)
++
++/var/lib/etcd(/.*)? gen_context(system_u:object_r:kube_etcd_var_lib_t,s0)
++
+diff --git a/kubernetes.if b/kubernetes.if
+new file mode 100644
+index 0000000..e9d90b0
+--- /dev/null
++++ b/kubernetes.if
+@@ -0,0 +1,43 @@
++## kube
++
++######################################
++##
++## Creates types and rules for a basic
++## kube init daemon domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`kube_domain_template',`
++ gen_require(`
++ attribute kube_domain;
++ ')
++
++ ##############################
++ #
++ # $1_t declarations
++ #
++
++ type kube_$1_t, kube_domain;
++ type kube_$1_exec_t;
++ init_daemon_domain(kube_$1_t, kube_$1_exec_t)
++
++ type kube_$1_unit_file_t;
++ systemd_unit_file(kube_$1_unit_file_t)
++
++ ##############################
++ #
++ # kube_domain domain policy
++
++ kernel_read_unix_sysctls(kube_domain)
++ kernel_read_net_sysctls(kube_domain)
++
++ auth_read_passwd(kube_domain)
++
++ corenet_tcp_bind_generic_node(kube_domain)
++ corenet_tcp_connect_http_cache_port(kube_domain)
++ corenet_tcp_connect_kubernetes_port(kube_domain)
++')
+diff --git a/kubernetes.te b/kubernetes.te
+new file mode 100644
+index 0000000..7bfbbff
+--- /dev/null
++++ b/kubernetes.te
+@@ -0,0 +1,70 @@
++policy_module(kubernetes, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute kube_domain;
++
++kube_domain_template(kubelet)
++kube_domain_template(apiserver)
++kube_domain_template(controller)
++kube_domain_template(proxy)
++kube_domain_template(kubecfg)
++kube_domain_template(etcd)
++
++type kube_etcd_var_lib_t;
++files_type(kube_etcd_var_lib_t)
++
++########################################
++#
++# kubelet local policy
++#
++
++allow kube_kubelet_t self:capability net_admin;
++allow kube_kubelet_t self:tcp_socket { accept listen create_socket_perms };
++
++corenet_tcp_bind_kubernetes_port(kube_kubelet_t)
++
++########################################
++#
++# kube_controller local policy
++#
++
++allow kube_controller_t self:tcp_socket create_socket_perms;
++
++########################################
++#
++# kube_apiserver local policy
++#
++
++allow kube_apiserver_t self:tcp_socket { accept listen create_socket_perms };
++
++corenet_tcp_bind_http_cache_port(kube_apiserver_t)
++
++########################################
++#
++# kube_proxy local policy
++#
++
++allow kube_proxy_t self:capability net_admin;
++allow kube_proxy_t self:tcp_socket create_socket_perms;
++
++########################################
++#
++# kube_ectd local policy
++#
++
++allow kube_etcd_t self:tcp_socket { accept listen create_socket_perms };
++allow kube_etcd_t self:unix_dgram_socket create_socket_perms;
++
++fs_getattr_xattr_fs(kube_etcd_t)
++
++manage_files_pattern(kube_etcd_t, kube_etcd_var_lib_t, kube_etcd_var_lib_t)
++files_var_lib_filetrans(kube_etcd_t, kube_etcd_var_lib_t, file )
++
++corenet_tcp_bind_kubernetes_port(kube_etcd_t)
++corenet_tcp_bind_afs3_callback_port(kube_etcd_t)
++
++logging_send_syslog_msg(kube_etcd_t)
diff --git a/kudzu.if b/kudzu.if
index 5297064..6ba8108 100644
--- a/kudzu.if
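Review bot: `kube_domain_template` in the new kubernetes.if places attribute-wide rules (`kernel_read_unix_sysctls(kube_domain)` through `corenet_tcp_connect_kubernetes_port(kube_domain)`) inside the template, so they are re-emitted for each of the six instantiations in kubernetes.te; they apply to the attribute rather than to `$1` and belong once in kubernetes.te after `attribute kube_domain;`. In kubernetes.te, kube_etcd_t gets `manage_files_pattern` on kube_etcd_var_lib_t and a `file`-only `files_var_lib_filetrans`, while the fc entry `/var/lib/etcd(/.*)?` labels a whole tree; if etcd creates subdirectories there, add `manage_dirs_pattern(kube_etcd_t, kube_etcd_var_lib_t, kube_etcd_var_lib_t)` and use `{ dir file }` in the filetrans. The `net_admin` capability granted to kube_kubelet_t and kube_proxy_t and the `corenet_tcp_bind_afs3_callback_port(kube_etcd_t)` line (etcd sharing a port type named for AFS) each deserve a one-line why-comment, and the header `# kube_ectd local policy` should read `kube_etcd`.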
@@ -49187,7 +49346,7 @@ index ed81cac..837a43a 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
-index ff1d68c..45bdd6f 100644
+index ff1d68c..58ba0ce 100644
--- a/mta.te
+++ b/mta.te
@@ -14,8 +14,6 @@ attribute mailserver_sender;
@@ -49414,7 +49573,7 @@ index ff1d68c..45bdd6f 100644
')
optional_policy(`
-@@ -258,10 +282,16 @@ optional_policy(`
+@@ -258,10 +282,17 @@ optional_policy(`
')
optional_policy(`
@@ -49428,10 +49587,11 @@ index ff1d68c..45bdd6f 100644
+')
+
+optional_policy(`
++ nagios_append_spool(system_mail_t)
nagios_read_tmp_files(system_mail_t)
')
-@@ -272,6 +302,19 @@ optional_policy(`
+@@ -272,6 +303,19 @@ optional_policy(`
manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
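Review bot: The new `nagios_append_spool(system_mail_t)` call grants append on every file labeled nagios_spool_t, whereas the changelog entry for it describes only dead.letter in the nagios spool; any other file carrying that label becomes appendable by sendmail as well. The call sits inside an optional_policy block whose opening and closing quotes are visible, so it is correctly conditional on the nagios module being loaded. A one-line why-comment above the call would make the grant reviewable later, e.g. `# sendmail appends undeliverable mail to dead.letter under the nagios spool`.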
@@ -49451,7 +49611,7 @@ index ff1d68c..45bdd6f 100644
')
optional_policy(`
-@@ -287,42 +330,36 @@ optional_policy(`
+@@ -287,42 +331,36 @@ optional_policy(`
')
optional_policy(`
@@ -49504,7 +49664,7 @@ index ff1d68c..45bdd6f 100644
allow mailserver_delivery mail_spool_t:dir list_dir_perms;
create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-@@ -331,44 +368,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -331,44 +369,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -49574,7 +49734,7 @@ index ff1d68c..45bdd6f 100644
')
optional_policy(`
-@@ -381,24 +422,49 @@ optional_policy(`
+@@ -381,24 +423,49 @@ optional_policy(`
########################################
#
@@ -51910,7 +52070,7 @@ index d78dfc3..02f18ac 100644
-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
diff --git a/nagios.if b/nagios.if
-index 0641e97..d7d9a79 100644
+index 0641e97..cad402c 100644
--- a/nagios.if
+++ b/nagios.if
@@ -1,12 +1,13 @@
@@ -52015,13 +52175,32 @@ index 0641e97..d7d9a79 100644
##
##
##
-@@ -132,13 +125,14 @@ interface(`nagios_search_spool',`
+@@ -132,13 +125,33 @@ interface(`nagios_search_spool',`
type nagios_spool_t;
')
- files_search_spool($1)
allow $1 nagios_spool_t:dir search_dir_perms;
+ files_search_spool($1)
++')
++
++########################################
++##
++## Append nagios spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nagios_append_spool',`
++ gen_require(`
++ type nagios_spool_t;
++ ')
++
++ allow $1 nagios_spool_t:file append_file_perms;
++ files_search_spool($1)
')
########################################
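Review bot: The new `nagios_append_spool` interface allows `append_file_perms` on nagios_spool_t files and calls `files_search_spool($1)`, but grants no search on a nagios_spool_t directory itself, so a caller still cannot traverse a spool directory carrying that label to reach the file (compare `nagios_search_spool` just above, which adds `allow $1 nagios_spool_t:dir search_dir_perms;`). The refpolicy idiom covers both in one line: replace the allow rule with `append_files_pattern($1, nagios_spool_t, nagios_spool_t)`. Whether the spool directory is in fact labeled nagios_spool_t is not settled by this view (the nagios.fc line shown earlier appears on a removed line), so confirm against the file contexts before relying on the narrower rule.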
@@ -52032,17 +52211,18 @@ index 0641e97..d7d9a79 100644
##
##
##
-@@ -151,13 +145,34 @@ interface(`nagios_read_tmp_files',`
+@@ -151,13 +164,34 @@ interface(`nagios_read_tmp_files',`
type nagios_tmp_t;
')
- files_search_tmp($1)
allow $1 nagios_tmp_t:file read_file_perms;
+ files_search_tmp($1)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Execute nrpe with a domain transition.
+## Allow the specified domain to read
+## nagios temporary files.
+##
@@ -52059,17 +52239,16 @@ index 0641e97..d7d9a79 100644
+
+ allow $1 nagios_tmp_t:file rw_inherited_file_perms;
+ files_search_tmp($1)
- ')
-
- ########################################
- ##
--## Execute nrpe with a domain transition.
++')
++
++########################################
++##
+## Execute the nagios NRPE with
+## a domain transition.
##
##
##
-@@ -170,14 +185,13 @@ interface(`nagios_domtrans_nrpe',`
+@@ -170,14 +204,13 @@ interface(`nagios_domtrans_nrpe',`
type nrpe_t, nrpe_exec_t;
')
@@ -52086,7 +52265,7 @@ index 0641e97..d7d9a79 100644
##
##
##
-@@ -186,44 +200,43 @@ interface(`nagios_domtrans_nrpe',`
+@@ -186,44 +219,43 @@ interface(`nagios_domtrans_nrpe',`
##
##
##
@@ -54376,10 +54555,10 @@ index 0000000..d6de5b6
+/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0)
diff --git a/nova.if b/nova.if
new file mode 100644
-index 0000000..28936b4
+index 0000000..ce897e2
--- /dev/null
+++ b/nova.if
-@@ -0,0 +1,57 @@
+@@ -0,0 +1,59 @@
+## openstack-nova
+
+######################################
@@ -54429,7 +54608,9 @@ index 0000000..28936b4
+
+ manage_dirs_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
+ manage_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
-+ files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { file dir })
++ manage_lnk_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
++ files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir })
++ fs_tmpfs_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir })
+ can_exec(nova_$1_t, nova_$1_tmp_t)
+
+ kernel_read_system_state(nova_$1_t)
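Review bot: The added `fs_tmpfs_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir })` labels content the domain creates on tmpfs as nova_$1_tmp_t, and the unchanged `can_exec(nova_$1_t, nova_$1_tmp_t)` on the next line then lets the domain execute whatever it writes there, in addition to /tmp; every domain stamped out of this template gets a writable-and-executable scratch area on both filesystems. If execution from tmp is needed by only some nova services, consider moving `can_exec` out of the template into the specific .te rules or behind a tunable. A short comment naming the component that needs it would make the grant reviewable, e.g. `# nova_$1_t executes helpers it unpacks into its tmp dir (TODO: name the component)`. The enclosing template begins above this hunk, so the declaration of nova_$1_tmp_t is not visible here.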
@@ -61732,7 +61913,7 @@ index bf59ef7..2d8335f 100644
+')
+
diff --git a/passenger.te b/passenger.te
-index 08ec33b..24ce7e8 100644
+index 08ec33b..e478148 100644
--- a/passenger.te
+++ b/passenger.te
@@ -14,6 +14,9 @@ role system_r types passenger_t;
@@ -61745,7 +61926,7 @@ index 08ec33b..24ce7e8 100644
type passenger_var_lib_t;
files_type(passenger_var_lib_t)
-@@ -22,22 +25,24 @@ files_pid_file(passenger_var_run_t)
+@@ -22,22 +25,25 @@ files_pid_file(passenger_var_run_t)
########################################
#
@@ -61755,7 +61936,8 @@ index 08ec33b..24ce7e8 100644
allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
-allow passenger_t self:process { setpgid setsched sigkill signal };
-+allow passenger_t self:process { setpgid setsched sigkill signal signull };
++allow passenger_t self:capability2 block_suspend;
++allow passenger_t self:process { setpgid setsched getsession signal_perms };
allow passenger_t self:fifo_file rw_fifo_file_perms;
-allow passenger_t self:unix_stream_socket { accept connectto listen };
+allow passenger_t self:tcp_socket listen;
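Review bot: The new `allow passenger_t self:capability2 block_suspend;` carries no explanation, and the changelog line for it ("Additional access required for passenger_t") does not say which operation needs it; capability grants are the lines a policy reviewer asks about first. A comment naming the trigger, e.g. `# block_suspend: from AVC denials in passenger's event loop (TODO: cite the bug)`, would let a later maintainer judge whether it can be dropped. Replacing the explicit list with `signal_perms` also adds sigchld and sigstop beyond the previous `{ sigkill signal signull }`; since the target is self, that is low risk but worth noting in the commit message. The inner passenger.te hunk these lines belong to continues beyond this view.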
@@ -61777,7 +61959,7 @@ index 08ec33b..24ce7e8 100644
manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
-@@ -45,7 +50,11 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+@@ -45,7 +51,11 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
@@ -61790,7 +61972,7 @@ index 08ec33b..24ce7e8 100644
kernel_read_system_state(passenger_t)
kernel_read_kernel_sysctls(passenger_t)
-@@ -53,13 +62,10 @@ kernel_read_network_state(passenger_t)
+@@ -53,13 +63,10 @@ kernel_read_network_state(passenger_t)
kernel_read_net_sysctls(passenger_t)
corenet_all_recvfrom_netlabel(passenger_t)
@@ -61805,7 +61987,7 @@ index 08ec33b..24ce7e8 100644
corecmd_exec_bin(passenger_t)
corecmd_exec_shell(passenger_t)
-@@ -68,8 +74,6 @@ dev_read_urand(passenger_t)
+@@ -68,8 +75,6 @@ dev_read_urand(passenger_t)
domain_read_all_domains_state(passenger_t)
@@ -61814,7 +61996,7 @@ index 08ec33b..24ce7e8 100644
auth_use_nsswitch(passenger_t)
logging_send_syslog_msg(passenger_t)
-@@ -94,14 +98,21 @@ optional_policy(`
+@@ -94,14 +99,21 @@ optional_policy(`
')
optional_policy(`
@@ -74611,7 +74793,7 @@ index fe2adf8..f7e9c70 100644
+ admin_pattern($1, qpidd_var_run_t)
')
diff --git a/qpid.te b/qpid.te
-index 83eb09e..b48c931 100644
+index 83eb09e..fc17eee 100644
--- a/qpid.te
+++ b/qpid.te
@@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
@@ -74624,7 +74806,7 @@ index 83eb09e..b48c931 100644
type qpidd_tmpfs_t;
files_tmpfs_file(qpidd_tmpfs_t)
-@@ -33,41 +36,52 @@ allow qpidd_t self:shm create_shm_perms;
+@@ -33,41 +36,54 @@ allow qpidd_t self:shm create_shm_perms;
allow qpidd_t self:tcp_socket { accept listen };
allow qpidd_t self:unix_stream_socket { accept listen };
@@ -74651,6 +74833,8 @@ index 83eb09e..b48c931 100644
kernel_read_system_state(qpidd_t)
-corenet_all_recvfrom_unlabeled(qpidd_t)
++auth_read_passwd(qpidd_t)
++
corenet_all_recvfrom_netlabel(qpidd_t)
+corenet_tcp_bind_generic_node(qpidd_t)
corenet_tcp_sendrecv_generic_if(qpidd_t)
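Review bot: The inserted `auth_read_passwd(qpidd_t)` sits between `kernel_read_system_state` and the `corenet_*` calls, which breaks the refpolicy convention of grouping interface calls by module (kernel, corecmd, corenet, dev, ... with auth further down); move it next to the other auth_ calls in this domain. Whether it is needed at all depends on whether qpidd_t already calls `auth_use_nsswitch`, which in some policy versions already covers passwd_file_t — that is not visible in this hunk, so check before keeping both. A trailing comment tying it to the bug recorded in the spec changelog, `# BZ #1130086`, would preserve the rationale in the policy itself. The enclosing inner qpid.te hunk extends beyond this view.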
@@ -87896,10 +88080,10 @@ index 0000000..03bdcef
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
-index 0000000..499e739
+index 0000000..a3319b0
--- /dev/null
+++ b/sandboxX.te
-@@ -0,0 +1,500 @@
+@@ -0,0 +1,501 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
@@ -88054,6 +88238,7 @@ index 0000000..499e739
+manage_fifo_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+dontaudit sandbox_x_domain sandbox_file_t:dir mounton;
++allow sandbox_x_domain sandbox_file_t:file execmod;
+
+kernel_getattr_proc(sandbox_x_domain)
+kernel_read_network_state(sandbox_x_domain)
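Review bot: `allow sandbox_x_domain sandbox_file_t:file execmod;` is granted on a type the same attribute can create and write (the manage_*_pattern lines directly above), so a sandboxed process can now write a file and then map it with text relocations — the memory-protection check that execmod exists to enforce no longer applies to the sandbox's own content. If only a few packaged libraries need it, a tunable keeps the default tight (the user domains use a `selinuxuser_execmod` boolean for the same purpose, if that boolean is defined in this policy version). At minimum a comment should record the motivation, e.g. `# some libraries loaded inside the sandbox need text relocations (execmod)`. The sandbox_x_domain block continues outside this hunk.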
@@ -101276,7 +101461,7 @@ index a4f20bc..9ccc90c 100644
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index facdee8..d179539 100644
+index facdee8..c43ef2e 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -102325,7 +102510,7 @@ index facdee8..d179539 100644
##
##
##
-@@ -860,74 +695,265 @@ interface(`virt_read_lib_files',`
+@@ -860,74 +695,266 @@ interface(`virt_read_lib_files',`
##
##
#
@@ -102474,6 +102659,7 @@ index facdee8..d179539 100644
+ manage_fifo_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
+ manage_chr_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
+ manage_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
++ allow $1 svirt_sandbox_file_t:dir_file_class_set { relabelfrom relabelto };
+')
+
+#######################################
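Review bot: `allow $1 svirt_sandbox_file_t:dir_file_class_set { relabelfrom relabelto };` is added to an interface that otherwise only grants manage_*_pattern access, so every existing caller of that manage interface silently gains relabel rights, including on the chr_file, blk_file and sock_file objects that dir_file_class_set covers. Refpolicy convention keeps relabel access in its own interface so callers opt in explicitly; moving this line into a dedicated relabel interface and calling it only from the domains that need it preserves that. The interface's name and gen_require block are above this hunk and not visible here.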
@@ -102613,7 +102799,7 @@ index facdee8..d179539 100644
##
##
##
-@@ -935,19 +961,17 @@ interface(`virt_read_log',`
+@@ -935,19 +962,17 @@ interface(`virt_read_log',`
##
##
#
@@ -102637,7 +102823,7 @@ index facdee8..d179539 100644
##
##
##
-@@ -955,20 +979,17 @@ interface(`virt_append_log',`
+@@ -955,20 +980,17 @@ interface(`virt_append_log',`
##
##
#
@@ -102662,7 +102848,7 @@ index facdee8..d179539 100644
##
##
##
-@@ -976,18 +997,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +998,17 @@ interface(`virt_manage_log',`
##
##
#
@@ -102685,7 +102871,7 @@ index facdee8..d179539 100644
##
##
##
-@@ -995,36 +1015,57 @@ interface(`virt_search_images',`
+@@ -995,36 +1016,57 @@ interface(`virt_search_images',`
##
##
#
@@ -102762,7 +102948,7 @@ index facdee8..d179539 100644
##
##
##
-@@ -1032,20 +1073,28 @@ interface(`virt_read_images',`
+@@ -1032,20 +1074,28 @@ interface(`virt_read_images',`
##
##
#
@@ -102798,7 +102984,7 @@ index facdee8..d179539 100644
##
##
##
-@@ -1053,37 +1102,133 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,37 +1103,133 @@ interface(`virt_rw_all_image_chr_files',`
##
##
#
@@ -102946,7 +103132,7 @@ index facdee8..d179539 100644
##
##
##
-@@ -1091,36 +1236,54 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1237,54 @@ interface(`virt_manage_virt_cache',`
##
##
#
@@ -103020,7 +103206,7 @@ index facdee8..d179539 100644
##
##
##
-@@ -1136,50 +1299,53 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1300,53 @@ interface(`virt_manage_images',`
#
interface(`virt_admin',`
gen_require(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a7014b4..60ab40d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 72%{?dist}
+Release: 73%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -602,7 +602,23 @@ SELinux Reference policy mls base module.
%endif
%changelog
-* Tue Aug 12 2014 Lukas Vrabec 3.12.1-72
+* Mon Aug 18 2014 Lukas Vrabec 3.13.1-73
+- Allow ssytemd_logind_t to list tmpfs directories
+- Allow lvm_t to create undefined sockets
+- Allow passwd_t to read/write stream sockets
+- Allow docker lots more access.
+- Fix label for ports
+- Add support for arptables-{restore,save} and also labeling for /usr/lib/systemd/system/arptables.service.
+- Label tcp port 4194 as kubernetes port.
+- Additional access required for passenger_t
+- sandbox domains should be allowed to use libraries which require execmod
+- Allow qpid to read passwd files BZ (#1130086)
+- Remove cockpit port, it is now going to use websm port
+- Add getattr to the list of access to dontaudit on unix_stream_sockets
+- Allow sendmail to append dead.letter located in var/spool/nagios/dead.letter.
+
+
+* Tue Aug 12 2014 Lukas Vrabec 3.13.1-72
- docker needs to be able to look at everything in /dev
- Allow all processes to send themselves signals
- Allow sysadm_t to create netlink_tcpdiag socket