diff --git a/container-selinux.tgz b/container-selinux.tgz
index 5803b56..be53f4f 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 08e0d0d..5182051 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -6003,7 +6003,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..4d57db3 100644
+index b191055..61c55fd 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -6077,7 +6077,7 @@ index b191055..4d57db3 100644
# reserved_port_t is the type of INET port numbers below 1024.
#
type reserved_port_t, port_type, reserved_port_type;
-@@ -76,63 +99,80 @@ type server_packet_t, packet_type, server_packet_type;
+@@ -76,63 +99,82 @@ type server_packet_t, packet_type, server_packet_type;
network_port(afs_bos, udp,7007,s0)
network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
network_port(afs_ka, udp,7004,s0)
@@ -6101,6 +6101,7 @@ index b191055..4d57db3 100644
network_port(audit, tcp,60,s0)
network_port(auth, tcp,113,s0)
+network_port(bacula, tcp,9103,s0, udp,9103,s0)
++network_port(bctp, tcp,8999,s0, udp,8999,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
network_port(boinc, tcp,31416,s0)
network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
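Review bot: The new `network_port(bctp, tcp,8999,s0, udp,8999,s0)` line gives no indication of which service owns the port, whereas the convention visible elsewhere in this patch is a trailing comment such as `# 8118 is for privoxy`; the `dey_keyneg` and `ibm_dt_2` additions in the following hunks have the same gap. A trailing comment naming the service, e.g. `network_port(bctp, tcp,8999,s0, udp,8999,s0) # <service that listens on 8999>`, makes later audits of the port map much cheaper. It is also worth confirming that none of 8999, 8750 or 1792 is already claimed by another `network_port` declaration, since the rest of corenetwork.te.in is outside these hunks.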
@@ -6133,6 +6134,7 @@ index b191055..4d57db3 100644
network_port(dbskkd, tcp,1178,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dccm, tcp,5679,s0, udp,5679,s0)
++network_port(dey_keyneg, tcp,8750,s0, udp,8750,s0)
+network_port(dey_sapi, tcp,4330,s0)
network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, tcp,5546,s0)
network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
@@ -6168,7 +6170,7 @@ index b191055..4d57db3 100644
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +180,60 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +182,61 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -6176,6 +6178,7 @@ index b191055..4d57db3 100644
-network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
+network_port(http, tcp,80,s0, tcp,81,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0,tcp,9000, s0) #8443 is mod_nss default port
+network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy
++network_port(ibm_dt_2, tcp,1792,s0, udp,1792,s0)
+network_port(intermapper, tcp,8181,s0)
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
@@ -6245,7 +6248,7 @@ index b191055..4d57db3 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,101 +241,130 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,101 +244,130 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@@ -6396,7 +6399,7 @@ index b191055..4d57db3 100644
network_port(xserver, tcp,6000-6020,s0)
network_port(zarafa, tcp,236,s0, tcp,237,s0)
network_port(zabbix, tcp,10051,s0)
-@@ -288,19 +372,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +375,23 @@ network_port(zabbix_agent, tcp,10050,s0)
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
@@ -6423,7 +6426,7 @@ index b191055..4d57db3 100644
########################################
#
-@@ -333,6 +421,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +424,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@@ -6432,7 +6435,7 @@ index b191055..4d57db3 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
-@@ -345,9 +435,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +438,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -10276,7 +10279,7 @@ index 6a1e4d1..4b87be8 100644
+ allow $1 domain:process rlimitinh;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..ac8eab0 100644
+index cf04cb5..5831355 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,49 @@ policy_module(domain, 1.11.0)
@@ -10444,7 +10447,7 @@ index cf04cb5..ac8eab0 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -160,11 +249,392 @@ allow unconfined_domain_type domain:msg { send receive };
+@@ -160,11 +249,393 @@ allow unconfined_domain_type domain:msg { send receive };
# For /proc/pid
allow unconfined_domain_type domain:dir list_dir_perms;
@@ -10757,6 +10760,7 @@ index cf04cb5..ac8eab0 100644
+')
+
+ifdef(`hide_broken_symptoms',`
++ dontaudit domain self:capability { net_admin };
+ dontaudit domain self:udp_socket listen;
+ allow domain domain:key { link search };
+ dontaudit domain domain:socket_class_set { read write };
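Review bot: The added `dontaudit domain self:capability { net_admin };` silences CAP_NET_ADMIN denials for every domain in the policy, so an AVC record showing that a confined process tried to acquire network-administration capability will no longer be emitted while hide_broken_symptoms is enabled. Nothing in the hunk says which application's denial this is meant to hide; a comment on the line, e.g. `# <TODO: name the program/denial this hides>`, would let the rule be narrowed to that domain later instead of staying policy-wide. Consider placing the rule in the offending module's own .te rather than in domain.te, where it removes the audit signal for all domains at once. The enclosing ifdef(hide_broken_symptoms) block continues outside the hunk.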
@@ -15499,7 +15503,7 @@ index d7c11a0..f521a50 100644
/var/run/shm/.* <>
-')
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..5a4a6f0 100644
+index 8416beb..b5b7a0a 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -577,6 +577,24 @@ interface(`fs_mount_cgroup', `
@@ -15839,52 +15843,345 @@ index 8416beb..5a4a6f0 100644
')
########################################
-@@ -1542,6 +1740,63 @@ interface(`fs_cifs_domtrans',`
+@@ -1542,48 +1740,48 @@ interface(`fs_cifs_domtrans',`
domain_auto_transition_pattern($1, cifs_t, $2)
')
+-#######################################
+########################################
-+##
+ ##
+-## Create, read, write, and delete dirs
+-## on a configfs filesystem.
+## Make general progams in cifs an entrypoint for
+## the specified domain.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## The domain for which cifs_t is an entrypoint.
+ ##
+ ##
+ #
+-interface(`fs_manage_configfs_dirs',`
++interface(`fs_cifs_entry_type',`
+ gen_require(`
+- type configfs_t;
++ type cifs_t;
+ ')
+
+- manage_dirs_pattern($1, configfs_t, configfs_t)
++ domain_entry_file($1, cifs_t)
+ ')
+
+-#######################################
++########################################
+ ##
+-## Create, read, write, and delete files
+-## on a configfs filesystem.
++## Make general progams in CIFS an entrypoint for
++## the specified domain.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## The domain for which cifs_t is an entrypoint.
+ ##
+ ##
+ #
+-interface(`fs_manage_configfs_files',`
++interface(`fs_cifs_entrypoint',`
+ gen_require(`
+- type configfs_t;
++ type cifs_t;
+ ')
+
+- manage_files_pattern($1, configfs_t, configfs_t)
++ allow $1 cifs_t:file entrypoint;
+ ')
+
+-########################################
++#######################################
+ ##
+-## Mount a DOS filesystem, such as
+-## FAT32 or NTFS.
++## dontaudit write dirs
++## on a configfs filesystem.
+ ##
+ ##
+ ##
+@@ -1591,19 +1789,18 @@ interface(`fs_manage_configfs_files',`
+ ##
+ ##
+ #
+-interface(`fs_mount_dos_fs',`
++interface(`fs_dontaudit_write_configfs_dirs',`
+ gen_require(`
+- type dosfs_t;
++ type configfs_t;
+ ')
+
+- allow $1 dosfs_t:filesystem mount;
++ dontaudit $1 configfs_t:dir write;
+ ')
+
+-########################################
++#######################################
+ ##
+-## Remount a DOS filesystem, such as
+-## FAT32 or NTFS. This allows
+-## some mount options to be changed.
++## Read dirs
++## on a configfs filesystem.
+ ##
+ ##
+ ##
+@@ -1611,18 +1808,18 @@ interface(`fs_mount_dos_fs',`
+ ##
+ ##
+ #
+-interface(`fs_remount_dos_fs',`
++interface(`fs_read_configfs_dirs',`
+ gen_require(`
+- type dosfs_t;
++ type configfs_t;
+ ')
+
+- allow $1 dosfs_t:filesystem remount;
++ list_dirs_pattern($1, configfs_t, configfs_t)
+ ')
+
+-########################################
++#######################################
+ ##
+-## Unmount a DOS filesystem, such as
+-## FAT32 or NTFS.
++## Create, read, write, and delete dirs
++## on a configfs filesystem.
+ ##
+ ##
+ ##
+@@ -1630,38 +1827,37 @@ interface(`fs_remount_dos_fs',`
+ ##
+ ##
+ #
+-interface(`fs_unmount_dos_fs',`
++interface(`fs_manage_configfs_dirs',`
+ gen_require(`
+- type dosfs_t;
++ type configfs_t;
+ ')
+
+- allow $1 dosfs_t:filesystem unmount;
++ manage_dirs_pattern($1, configfs_t, configfs_t)
+ ')
+
+-########################################
++#######################################
+ ##
+-## Get the attributes of a DOS
+-## filesystem, such as FAT32 or NTFS.
++## Read files
++## on a configfs filesystem.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`fs_getattr_dos_fs',`
++interface(`fs_read_configfs_files',`
+ gen_require(`
+- type dosfs_t;
++ type configfs_t;
+ ')
+
+- allow $1 dosfs_t:filesystem getattr;
++ read_files_pattern($1, configfs_t, configfs_t)
+ ')
+
+-########################################
++#######################################
+ ##
+-## Allow changing of the label of a
+-## DOS filesystem using the context= mount option.
++## Create, read, write, and delete files
++## on a configfs filesystem.
+ ##
+ ##
+ ##
+@@ -1669,17 +1865,18 @@ interface(`fs_getattr_dos_fs',`
+ ##
+ ##
+ #
+-interface(`fs_relabelfrom_dos_fs',`
++interface(`fs_manage_configfs_files',`
+ gen_require(`
+- type dosfs_t;
++ type configfs_t;
+ ')
+
+- allow $1 dosfs_t:filesystem relabelfrom;
++ manage_files_pattern($1, configfs_t, configfs_t)
+ ')
+
+-########################################
++#######################################
+ ##
+-## Search dosfs filesystem.
++## Create, read, write, and delete files
++## on a configfs filesystem.
+ ##
+ ##
+ ##
+@@ -1687,17 +1884,17 @@ interface(`fs_relabelfrom_dos_fs',`
+ ##
+ ##
+ #
+-interface(`fs_search_dos',`
++interface(`fs_manage_configfs_lnk_files',`
+ gen_require(`
+- type dosfs_t;
++ type configfs_t;
+ ')
+
+- allow $1 dosfs_t:dir search_dir_perms;
++ manage_lnk_files_pattern($1, configfs_t, configfs_t)
+ ')
+
+ ########################################
+ ##
+-## List dirs DOS filesystem.
++## Unmount a configfs filesystem
+ ##
+ ##
+ ##
+@@ -1705,18 +1902,18 @@ interface(`fs_search_dos',`
+ ##
+ ##
+ #
+-interface(`fs_list_dos',`
++interface(`fs_unmount_configfs',`
+ gen_require(`
+- type dosfs_t;
++ type configfs_t;
+ ')
+
+- list_dirs_pattern($1, dosfs_t, dosfs_t)
++ allow $1 configfs_t:filesystem unmount;
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete dirs
+-## on a DOS filesystem.
++## Mount a DOS filesystem, such as
++## FAT32 or NTFS.
+ ##
+ ##
+ ##
+@@ -1724,17 +1921,19 @@ interface(`fs_list_dos',`
+ ##
+ ##
+ #
+-interface(`fs_manage_dos_dirs',`
++interface(`fs_mount_dos_fs',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+- manage_dirs_pattern($1, dosfs_t, dosfs_t)
++ allow $1 dosfs_t:filesystem mount;
+ ')
+
+ ########################################
+ ##
+-## Read files on a DOS filesystem.
++## Remount a DOS filesystem, such as
++## FAT32 or NTFS. This allows
++## some mount options to be changed.
+ ##
+ ##
+ ##
+@@ -1742,18 +1941,18 @@ interface(`fs_manage_dos_dirs',`
+ ##
+ ##
+ #
+-interface(`fs_read_dos_files',`
++interface(`fs_remount_dos_fs',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+- read_files_pattern($1, dosfs_t, dosfs_t)
++ allow $1 dosfs_t:filesystem remount;
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete files
+-## on a DOS filesystem.
++## Unmount a DOS filesystem, such as
++## FAT32 or NTFS.
+ ##
+ ##
+ ##
+@@ -1761,7 +1960,138 @@ interface(`fs_read_dos_files',`
+ ##
+ ##
+ #
+-interface(`fs_manage_dos_files',`
++interface(`fs_unmount_dos_fs',`
++ gen_require(`
++ type dosfs_t;
++ ')
++
++ allow $1 dosfs_t:filesystem unmount;
++')
++
++########################################
++##
++## Get the attributes of a DOS
++## filesystem, such as FAT32 or NTFS.
+##
+##
+##
-+## The domain for which cifs_t is an entrypoint.
++## Domain allowed access.
+##
+##
++##
+#
-+interface(`fs_cifs_entry_type',`
++interface(`fs_getattr_dos_fs',`
+ gen_require(`
-+ type cifs_t;
++ type dosfs_t;
+ ')
+
-+ domain_entry_file($1, cifs_t)
++ allow $1 dosfs_t:filesystem getattr;
+')
+
+########################################
+##
-+## Make general progams in CIFS an entrypoint for
-+## the specified domain.
++## Allow changing of the label of a
++## DOS filesystem using the context= mount option.
+##
+##
+##
-+## The domain for which cifs_t is an entrypoint.
++## Domain allowed access.
+##
+##
+#
-+interface(`fs_cifs_entrypoint',`
++interface(`fs_relabelfrom_dos_fs',`
+ gen_require(`
-+ type cifs_t;
++ type dosfs_t;
+ ')
+
-+ allow $1 cifs_t:file entrypoint;
++ allow $1 dosfs_t:filesystem relabelfrom;
+')
+
-+#######################################
++########################################
+##
-+## dontaudit write dirs
-+## on a configfs filesystem.
++## Search dosfs filesystem.
+##
+##
+##
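Review bot: The description for `fs_manage_configfs_lnk_files` reads `## Create, read, write, and delete files` / `## on a configfs filesystem.`, which is the text of `fs_manage_configfs_files` directly above it; the body calls `manage_lnk_files_pattern`, so the first line should read `## Create, read, write, and delete symbolic links`. The `fs_cifs_entry_type` and `fs_cifs_entrypoint` summaries both misspell `progams` (`programs`). While there, the `fs_cifs_entrypoint` description could state that `allow $1 cifs_t:file entrypoint;` applies to every file carrying the cifs_t label rather than to one specific binary, which is the point a policy author needs when deciding whether to grant it.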
@@ -15892,25 +16189,17 @@ index 8416beb..5a4a6f0 100644
+##
+##
+#
-+interface(`fs_dontaudit_write_configfs_dirs',`
++interface(`fs_search_dos',`
+ gen_require(`
-+ type configfs_t;
++ type dosfs_t;
+ ')
+
-+ dontaudit $1 configfs_t:dir write;
++ allow $1 dosfs_t:dir search_dir_perms;
+')
+
- #######################################
- ##
- ## Create, read, write, and delete dirs
-@@ -1580,6 +1835,43 @@ interface(`fs_manage_configfs_files',`
- manage_files_pattern($1, configfs_t, configfs_t)
- ')
-
-+#######################################
++########################################
+##
-+## Create, read, write, and delete files
-+## on a configfs filesystem.
++## List dirs DOS filesystem.
+##
+##
+##
@@ -15918,17 +16207,18 @@ index 8416beb..5a4a6f0 100644
+##
+##
+#
-+interface(`fs_manage_configfs_lnk_files',`
++interface(`fs_list_dos',`
+ gen_require(`
-+ type configfs_t;
++ type dosfs_t;
+ ')
+
-+ manage_lnk_files_pattern($1, configfs_t, configfs_t)
++ list_dirs_pattern($1, dosfs_t, dosfs_t)
+')
+
+########################################
+##
-+## Unmount a configfs filesystem
++## Create, read, write, and delete dirs
++## on a DOS filesystem.
+##
+##
+##
@@ -15936,54 +16226,74 @@ index 8416beb..5a4a6f0 100644
+##
+##
+#
-+interface(`fs_unmount_configfs',`
++interface(`fs_manage_dos_dirs',`
+ gen_require(`
-+ type configfs_t;
++ type dosfs_t;
+ ')
+
-+ allow $1 configfs_t:filesystem unmount;
++ manage_dirs_pattern($1, dosfs_t, dosfs_t)
+')
+
- ########################################
- ##
- ## Mount a DOS filesystem, such as
-@@ -1793,58 +2085,257 @@ interface(`fs_read_eventpollfs',`
++########################################
++##
++## Read files on a DOS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_dos_files',`
++ gen_require(`
++ type dosfs_t;
++ ')
++
++ read_files_pattern($1, dosfs_t, dosfs_t)
++')
++
++########################################
++##
++## Create, read, write, and delete files
++## on a DOS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_manage_dos_files',`
+ gen_require(`
+ type dosfs_t;
+ ')
+@@ -1793,45 +2123,110 @@ interface(`fs_read_eventpollfs',`
refpolicywarn(`$0($*) has been deprecated.')
')
--########################################
+
+#######################################
- ##
--## Mount a FUSE filesystem.
++##
+## Search directories
+## on a ecrypt filesystem.
- ##
- ##
--##
--## Domain allowed access.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`fs_mount_fusefs',`
-- gen_require(`
-- type fusefs_t;
-- ')
++##
++#
+interface(`fs_search_ecryptfs',`
+ gen_require(`
+ type ecryptfs_t;
+ ')
-
-- allow $1 fusefs_t:filesystem mount;
++
+ allow $1 ecryptfs_t:dir search_dir_perms;
- ')
-
++')
++
########################################
##
--## Unmount a FUSE filesystem.
+-## Mount a FUSE filesystem.
+## Create, read, write, and delete directories
+## on a FUSEFS filesystem.
##
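Review bot: Several ecryptfs interfaces in the rewritten inner hunk keep FUSEFS wording in their descriptions: `fs_manage_ecryptfs_dirs` is documented as `## Create, read, write, and delete directories` / `## on a FUSEFS filesystem.`, and the same mismatch recurs for `fs_read_ecryptfs_files` and `fs_manage_ecryptfs_files` in the next hunk, `fs_read_ecryptfs_symlinks` and `fs_manage_ecryptfs_symlinks` in the two after that, and `fs_ecryptfs_domtrans` (`## Execute a file on a FUSE filesystem`) further on. Each should name the filesystem the rule actually targets, e.g. `## on an ecryptfs filesystem.`; the `fs_search_ecryptfs` summary `## on a ecrypt filesystem.` has the same problem plus a grammar slip. These descriptions are what policy authors read when choosing what to grant, so a FUSEFS label on an ecryptfs rule invites granting the wrong one.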
@@ -15994,70 +16304,65 @@ index 8416beb..5a4a6f0 100644
##
+##
#
--interface(`fs_unmount_fusefs',`
+-interface(`fs_mount_fusefs',`
+interface(`fs_manage_ecryptfs_dirs',`
gen_require(`
- type fusefs_t;
+ type ecryptfs_t;
')
-- allow $1 fusefs_t:filesystem unmount;
+- allow $1 fusefs_t:filesystem mount;
+ manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)
+ allow $1 ecryptfs_t:dir manage_dir_perms;
- ')
-
--########################################
++')
++
+#######################################
- ##
--## Mounton a FUSEFS filesystem.
++##
+## Create, read, write, and delete files
+## on a FUSEFS filesystem.
- ##
- ##
--##
--## Domain allowed access.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
++##
+##
- #
--interface(`fs_mounton_fusefs',`
-- gen_require(`
-- type fusefs_t;
-- ')
++#
+interface(`fs_read_ecryptfs_files',`
+ gen_require(`
+ type ecryptfs_t;
+ ')
-
-- allow $1 fusefs_t:dir mounton;
-+ read_files_pattern($1, ecryptfs_t, ecryptfs_t)
-+')
+
-+########################################
-+##
++ read_files_pattern($1, ecryptfs_t, ecryptfs_t)
+ ')
+
+ ########################################
+ ##
+-## Unmount a FUSE filesystem.
+## Create, read, write, and delete files
+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
-+#
+ #
+-interface(`fs_unmount_fusefs',`
+interface(`fs_manage_ecryptfs_files',`
-+ gen_require(`
+ gen_require(`
+- type fusefs_t;
+ type ecryptfs_t;
-+ ')
-+
+ ')
+
+- allow $1 fusefs_t:filesystem unmount;
+ manage_files_pattern($1, ecryptfs_t, ecryptfs_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Mounton a FUSEFS filesystem.
+## Do not audit attempts to create,
+## read, write, and delete files
+## on a FUSEFS filesystem.
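Review bot: `fs_read_ecryptfs_files` is described as `## Create, read, write, and delete files` although its body is only `read_files_pattern($1, ecryptfs_t, ecryptfs_t)`; the summary should be `## Read files` so that a reader does not assume it grants write access. Separately, `fs_manage_ecryptfs_dirs` carries both `manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)` and `allow $1 ecryptfs_t:dir manage_dir_perms;`; if manage_dirs_pattern already expands to that allow rule, as it does in refpolicy's support macros, the explicit line is redundant and can be dropped.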
@@ -16079,18 +16384,21 @@ index 8416beb..5a4a6f0 100644
+########################################
+##
+## Read symbolic links on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -1839,174 +2234,988 @@ interface(`fs_unmount_fusefs',`
+ ##
+ ##
+ #
+-interface(`fs_mounton_fusefs',`
+interface(`fs_read_ecryptfs_symlinks',`
-+ gen_require(`
+ gen_require(`
+- type fusefs_t;
+ type ecryptfs_t;
-+ ')
-+
+ ')
+
+- allow $1 fusefs_t:dir mounton;
+ allow $1 ecryptfs_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
+')
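Review bot: `fs_read_ecryptfs_symlinks` grants `allow $1 ecryptfs_t:dir list_dir_perms;` in addition to `read_lnk_files_pattern`, so it hands out directory listing that its name does not advertise. Either the description should say so, e.g. `## Read symbolic links and list directories on an ecryptfs filesystem.`, or the dir rule should move to a separate list interface so callers that only need symlink reads are not given more than they asked for.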
@@ -16110,31 +16418,39 @@ index 8416beb..5a4a6f0 100644
+ type ecryptfs_t;
+ ')
+ dontaudit $1 ecryptfs_t:file append;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Search directories
+-## on a FUSEFS filesystem.
+## Manage symbolic links on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`fs_search_fusefs',`
+interface(`fs_manage_ecryptfs_symlinks',`
-+ gen_require(`
+ gen_require(`
+- type fusefs_t;
+ type ecryptfs_t;
-+ ')
-+
+ ')
+
+- allow $1 fusefs_t:dir search_dir_perms;
+ manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to list the contents
+-## of directories on a FUSEFS filesystem.
+## Execute a file on a FUSE filesystem
+## in the specified domain.
-+##
+ ##
+##
+##
+## Execute a file on a FUSE filesystem
@@ -16154,17 +16470,19 @@ index 8416beb..5a4a6f0 100644
+## in particular used by the ssh-agent policy.
+##
+##
-+##
-+##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed to transition.
+##
+##
+##
+##
+## The type of the new process.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_list_fusefs',`
+interface(`fs_ecryptfs_domtrans',`
+ gen_require(`
+ type ecryptfs_t;
@@ -16185,16 +16503,37 @@ index 8416beb..5a4a6f0 100644
+##
+#
+interface(`fs_mount_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+- dontaudit $1 fusefs_t:dir list_dir_perms;
++ allow $1 fusefs_t:filesystem mount;
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete directories
+-## on a FUSEFS filesystem.
++## Unmount a FUSE filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_unmount_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
-+ allow $1 fusefs_t:filesystem mount;
++ allow $1 fusefs_t:filesystem unmount;
+')
+
+########################################
+##
-+## Unmount a FUSE filesystem.
++## Mounton a FUSEFS filesystem.
+##
+##
+##
@@ -16202,38 +16541,63 @@ index 8416beb..5a4a6f0 100644
+##
+##
+#
-+interface(`fs_unmount_fusefs',`
++interface(`fs_mounton_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
-+ allow $1 fusefs_t:filesystem unmount;
++ allow $1 fusefs_t:dir mounton;
+')
+
+########################################
+##
-+## Mounton a FUSEFS filesystem.
++## Search directories
++## on a FUSEFS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
++##
+#
-+interface(`fs_mounton_fusefs',`
++interface(`fs_search_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
-+ allow $1 fusefs_t:dir mounton;
- ')
-
- ########################################
-@@ -1896,117 +2387,797 @@ interface(`fs_dontaudit_list_fusefs',`
- ## Domain allowed access.
- ##
- ##
--##
++ allow $1 fusefs_t:dir search_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to list the contents
++## of directories on a FUSEFS filesystem.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_list_fusefs',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ dontaudit $1 fusefs_t:dir list_dir_perms;
++')
++
++########################################
++##
++## Create, read, write, and delete directories
++## on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
+#
+interface(`fs_manage_fusefs_dirs',`
@@ -16912,12 +17276,13 @@ index 8416beb..5a4a6f0 100644
+##
+## Read files on an iso9660 filesystem, which
+## is usually used on CDs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
#
-interface(`fs_manage_fusefs_dirs',`
+interface(`fs_getattr_iso9660_files',`
@@ -17062,7 +17427,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2014,19 +3185,20 @@ interface(`fs_dontaudit_manage_fusefs_files',`
+@@ -2014,19 +3223,20 @@ interface(`fs_dontaudit_manage_fusefs_files',`
##
##
#
@@ -17089,7 +17454,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2034,17 +3206,18 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -2034,17 +3244,18 @@ interface(`fs_read_fusefs_symlinks',`
##
##
#
@@ -17112,7 +17477,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2052,17 +3225,38 @@ interface(`fs_getattr_hugetlbfs',`
+@@ -2052,17 +3263,38 @@ interface(`fs_getattr_hugetlbfs',`
##
##
#
@@ -17155,7 +17520,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2070,17 +3264,19 @@ interface(`fs_list_hugetlbfs',`
+@@ -2070,17 +3302,19 @@ interface(`fs_list_hugetlbfs',`
##
##
#
@@ -17179,7 +17544,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2088,35 +3284,41 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -2088,35 +3322,41 @@ interface(`fs_manage_hugetlbfs_dirs',`
##
##
#
@@ -17232,7 +17597,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2124,17 +3326,19 @@ interface(`fs_associate_hugetlbfs',`
+@@ -2124,17 +3364,19 @@ interface(`fs_associate_hugetlbfs',`
##
##
#
@@ -17256,7 +17621,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2142,17 +3346,23 @@ interface(`fs_search_inotifyfs',`
+@@ -2142,17 +3384,23 @@ interface(`fs_search_inotifyfs',`
##
##
#
@@ -17284,7 +17649,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2160,53 +3370,39 @@ interface(`fs_list_inotifyfs',`
+@@ -2160,53 +3408,39 @@ interface(`fs_list_inotifyfs',`
##
##
#
@@ -17350,7 +17715,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2214,19 +3410,18 @@ interface(`fs_hugetlbfs_filetrans',`
+@@ -2214,19 +3448,18 @@ interface(`fs_hugetlbfs_filetrans',`
##
##
#
@@ -17375,7 +17740,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2234,18 +3429,18 @@ interface(`fs_mount_iso9660_fs',`
+@@ -2234,18 +3467,18 @@ interface(`fs_mount_iso9660_fs',`
##
##
#
@@ -17399,7 +17764,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2253,58 +3448,54 @@ interface(`fs_remount_iso9660_fs',`
+@@ -2253,58 +3486,54 @@ interface(`fs_remount_iso9660_fs',`
##
##
#
@@ -17471,7 +17836,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2312,19 +3503,17 @@ interface(`fs_getattr_iso9660_files',`
+@@ -2312,19 +3541,17 @@ interface(`fs_getattr_iso9660_files',`
##
##
#
@@ -17495,7 +17860,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2332,18 +3521,17 @@ interface(`fs_read_iso9660_files',`
+@@ -2332,18 +3559,17 @@ interface(`fs_read_iso9660_files',`
##
##
#
@@ -17517,7 +17882,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2351,240 +3539,243 @@ interface(`fs_mount_nfs',`
+@@ -2351,240 +3577,243 @@ interface(`fs_mount_nfs',`
##
##
#
@@ -17817,7 +18182,7 @@ index 8416beb..5a4a6f0 100644
')
########################################
-@@ -2603,7 +3794,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2603,7 +3832,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
@@ -17826,7 +18191,7 @@ index 8416beb..5a4a6f0 100644
')
########################################
-@@ -2627,7 +3818,7 @@ interface(`fs_read_nfs_symlinks',`
+@@ -2627,7 +3856,7 @@ interface(`fs_read_nfs_symlinks',`
########################################
##
@@ -17835,7 +18200,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2719,6 +3910,65 @@ interface(`fs_search_rpc',`
+@@ -2719,6 +3948,65 @@ interface(`fs_search_rpc',`
########################################
##
@@ -17901,7 +18266,7 @@ index 8416beb..5a4a6f0 100644
## Search removable storage directories.
##
##
-@@ -2741,7 +3991,7 @@ interface(`fs_search_removable',`
+@@ -2741,7 +4029,7 @@ interface(`fs_search_removable',`
##
##
##
@@ -17910,7 +18275,7 @@ index 8416beb..5a4a6f0 100644
##
##
#
-@@ -2777,7 +4027,7 @@ interface(`fs_read_removable_files',`
+@@ -2777,7 +4065,7 @@ interface(`fs_read_removable_files',`
##
##
##
@@ -17919,7 +18284,7 @@ index 8416beb..5a4a6f0 100644
##
##
#
-@@ -2970,6 +4220,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +4258,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@@ -17927,7 +18292,7 @@ index 8416beb..5a4a6f0 100644
allow $1 nfs_t:dir manage_dir_perms;
')
-@@ -3010,6 +4261,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,6 +4299,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@@ -17935,7 +18300,7 @@ index 8416beb..5a4a6f0 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3050,6 +4302,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3050,6 +4340,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@@ -17943,7 +18308,7 @@ index 8416beb..5a4a6f0 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3137,6 +4390,24 @@ interface(`fs_nfs_domtrans',`
+@@ -3137,6 +4428,24 @@ interface(`fs_nfs_domtrans',`
########################################
##
@@ -17968,7 +18333,7 @@ index 8416beb..5a4a6f0 100644
## Mount a NFS server pseudo filesystem.
##
##
-@@ -3239,15 +4510,198 @@ interface(`fs_search_nfsd_fs',`
+@@ -3239,15 +4548,198 @@ interface(`fs_search_nfsd_fs',`
#
interface(`fs_list_nfsd_fs',`
gen_require(`
@@ -18170,7 +18535,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -3255,35 +4709,35 @@ interface(`fs_list_nfsd_fs',`
+@@ -3255,35 +4747,35 @@ interface(`fs_list_nfsd_fs',`
##
##
#
@@ -18215,7 +18580,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -3291,12 +4745,12 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3291,12 +4783,12 @@ interface(`fs_rw_nfsd_fs',`
##
##
#
@@ -18231,7 +18596,7 @@ index 8416beb..5a4a6f0 100644
')
########################################
-@@ -3392,7 +4846,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +4884,7 @@ interface(`fs_search_ramfs',`
########################################
##
@@ -18240,7 +18605,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -3429,7 +4883,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4921,7 @@ interface(`fs_manage_ramfs_dirs',`
########################################
##
@@ -18249,7 +18614,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -3447,7 +4901,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4939,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
########################################
##
@@ -18258,7 +18623,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -3779,6 +5233,24 @@ interface(`fs_mount_tmpfs',`
+@@ -3779,6 +5271,24 @@ interface(`fs_mount_tmpfs',`
########################################
##
@@ -18283,7 +18648,7 @@ index 8416beb..5a4a6f0 100644
## Remount a tmpfs filesystem.
##
##
-@@ -3815,6 +5287,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +5325,24 @@ interface(`fs_unmount_tmpfs',`
########################################
##
@@ -18308,7 +18673,7 @@ index 8416beb..5a4a6f0 100644
## Get the attributes of a tmpfs
## filesystem.
##
-@@ -3908,7 +5398,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3908,7 +5436,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
########################################
##
@@ -18317,7 +18682,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -3916,17 +5406,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,17 +5444,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
##
##
#
@@ -18338,7 +18703,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -3934,17 +5424,17 @@ interface(`fs_mounton_tmpfs',`
+@@ -3934,17 +5462,17 @@ interface(`fs_mounton_tmpfs',`
##
##
#
@@ -18359,7 +18724,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -3952,17 +5442,36 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +5480,36 @@ interface(`fs_setattr_tmpfs_dirs',`
##
##
#
@@ -18399,7 +18764,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -3970,31 +5479,48 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +5517,48 @@ interface(`fs_search_tmpfs',`
##
##
#
@@ -18455,7 +18820,7 @@ index 8416beb..5a4a6f0 100644
')
########################################
-@@ -4057,23 +5583,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
+@@ -4057,23 +5621,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
##
##
##
@@ -18632,7 +18997,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -4081,18 +5754,18 @@ interface(`fs_tmpfs_filetrans',`
+@@ -4081,18 +5792,18 @@ interface(`fs_tmpfs_filetrans',`
##
##
#
@@ -18655,7 +19020,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -4100,54 +5773,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
+@@ -4100,54 +5811,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
##
##
#
@@ -18722,7 +19087,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -4155,17 +5827,18 @@ interface(`fs_read_tmpfs_files',`
+@@ -4155,17 +5865,18 @@ interface(`fs_read_tmpfs_files',`
##
##
#
@@ -18744,7 +19109,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -4173,17 +5846,18 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4173,17 +5884,18 @@ interface(`fs_rw_tmpfs_files',`
##
##
#
@@ -18766,7 +19131,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -4191,37 +5865,36 @@ interface(`fs_read_tmpfs_symlinks',`
+@@ -4191,37 +5903,36 @@ interface(`fs_read_tmpfs_symlinks',`
##
##
#
@@ -18812,7 +19177,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -4229,18 +5902,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4229,18 +5940,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
##
##
#
@@ -18834,7 +19199,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -4248,18 +5921,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
+@@ -4248,18 +5959,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
##
##
#
@@ -18858,7 +19223,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -4267,32 +5941,31 @@ interface(`fs_rw_tmpfs_blk_files',`
+@@ -4267,32 +5979,31 @@ interface(`fs_rw_tmpfs_blk_files',`
##
##
#
@@ -18897,7 +19262,7 @@ index 8416beb..5a4a6f0 100644
')
########################################
-@@ -4407,6 +6080,25 @@ interface(`fs_search_xenfs',`
+@@ -4407,6 +6118,25 @@ interface(`fs_search_xenfs',`
allow $1 xenfs_t:dir search_dir_perms;
')
@@ -18923,7 +19288,7 @@ index 8416beb..5a4a6f0 100644
########################################
##
## Create, read, write, and delete directories
-@@ -4503,6 +6195,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +6233,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -18932,7 +19297,7 @@ index 8416beb..5a4a6f0 100644
')
########################################
-@@ -4549,7 +6243,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +6281,7 @@ interface(`fs_unmount_all_fs',`
##
##
## Allow the specified domain to
@@ -18941,7 +19306,7 @@ index 8416beb..5a4a6f0 100644
## Example attributes:
##
##
-@@ -4596,6 +6290,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +6328,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
########################################
##
@@ -18968,7 +19333,7 @@ index 8416beb..5a4a6f0 100644
## Get the quotas of all filesystems.
##
##
-@@ -4671,6 +6385,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +6423,25 @@ interface(`fs_getattr_all_dirs',`
########################################
##
@@ -18994,7 +19359,7 @@ index 8416beb..5a4a6f0 100644
## Search all directories with a filesystem type.
##
##
-@@ -4912,3 +6645,176 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6683,176 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -27424,7 +27789,7 @@ index fe0c682..20f3ba4 100644
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index cc877c7..b8e6e98 100644
+index cc877c7..92de2d7 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2)
@@ -27946,7 +28311,7 @@ index cc877c7..b8e6e98 100644
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
-@@ -341,3 +527,148 @@ optional_policy(`
+@@ -341,3 +527,150 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@@ -27987,6 +28352,8 @@ index cc877c7..b8e6e98 100644
+
+allow sshd_net_t self:process setrlimit;
+
++dev_rw_crypto(sshd_net_t)
++
+init_ioctl_stream_sockets(sshd_net_t)
+init_rw_tcp_sockets(sshd_net_t)
+
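Review bot: `dev_rw_crypto(sshd_net_t)` is added with no comment explaining why the privilege-separated network child needs read/write access to the crypto device type, and the grant is unconditional. The enclosing sshd_net_t block of ssh.te begins and ends outside this hunk, so nothing nearby records the motivation either. A one-line comment above it, such as `# sshd_net_t opens the crypto device for <use case placeholder>, see <BUG-ID placeholder>`, would let a later auditor distinguish an intended hardware-offload use from a denial that was silenced by over-granting.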
@@ -30025,7 +30392,7 @@ index 6bf0ecc..e6be63a 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..da86a8e 100644
+index 8b40377..4758042 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@@ -30529,7 +30896,7 @@ index 8b40377..da86a8e 100644
kernel_read_network_state(xdm_t)
+kernel_request_load_module(xdm_t)
+kernel_stream_connect(xdm_t)
-+kernel_dontaudit_view_key(xdm_t)
++kernel_view_key(xdm_t)
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
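Review bot: Replacing `kernel_dontaudit_view_key(xdm_t)` with `kernel_view_key(xdm_t)` turns a silenced denial into a grant of key viewing on the kernel keyring for xdm_t, and the hunk carries no justification for the escalation. If `kernel_view_key` is not already defined in the kernel.if carried by this base patch (its definition is not in this chunk), the module build fails on the unknown interface, so that should be confirmed. A short comment naming the use case, e.g. `# xdm views kernel keys for <reason placeholder>`, would also help the next reviewer.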
@@ -45734,10 +46101,10 @@ index 0000000..121b422
+/var/run/initramfs(/.*)? <>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..86e3d01
+index 0000000..3303edd
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1803 @@
+@@ -0,0 +1,1823 @@
+## SELinux policy for systemd components
+
+######################################
@@ -46015,6 +46382,26 @@ index 0000000..86e3d01
+
+######################################
+##
++## Read systemd_resolved PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_resolved_read_pid',`
++ gen_require(`
++ type systemd_resolved_var_run_t;
++ ')
++
++ files_search_pids($1)
++ list_dirs_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
++ read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
++')
++
++######################################
++##
+## Read systemd_login PID files.
+##
+##
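Review bot: The new `systemd_resolved_read_pid` interface requires `systemd_resolved_var_run_t` in its gen_require, but the type's declaration is not part of this chunk; if systemd.te does not declare it in the same update, the base module will not build. The interface name also departs from the `*_read_pid_files` / `*_manage_pid_files` form used by callers elsewhere in this update (`memcached_manage_pid_files`, `networkmanager_manage_pid_files`), so `systemd_resolved_read_pid_files` would be the more consistent name. If the shorter name is kept, a comment noting it is intentional avoids a later rename.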
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 5c3fa78..24ad5d3 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -5537,7 +5537,7 @@ index f6eb485..fe461a3 100644
+ ps_process_pattern(httpd_t, $1)
')
diff --git a/apache.te b/apache.te
-index 6649962..371039c 100644
+index 6649962..24e7705 100644
--- a/apache.te
+++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@@ -6791,7 +6791,7 @@ index 6649962..371039c 100644
')
optional_policy(`
-@@ -786,35 +964,61 @@ optional_policy(`
+@@ -786,35 +964,62 @@ optional_policy(`
')
optional_policy(`
@@ -6832,6 +6832,7 @@ index 6649962..371039c 100644
+optional_policy(`
+ kerberos_manage_host_rcache(httpd_t)
+ kerberos_read_keytab(httpd_t)
++ kerberos_read_kdc_config(httpd_t)
+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
+ kerberos_use(httpd_t)
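Review bot: `kerberos_read_kdc_config(httpd_t)` gives every httpd_t instance read access to the KDC configuration, yet the only plausible consumer visible nearby is the IPA path guarded by the `httpd_manage_ipa` tunable a few lines below. Consider moving the line into that `tunable_policy` block so generic web servers do not gain it by default, or add a comment stating why it must be unconditional, e.g. `# kdc.conf is read by <component placeholder> under httpd`.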
@@ -6866,7 +6867,7 @@ index 6649962..371039c 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -822,8 +1026,31 @@ optional_policy(`
+@@ -822,8 +1027,31 @@ optional_policy(`
')
optional_policy(`
@@ -6898,7 +6899,7 @@ index 6649962..371039c 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -832,6 +1059,8 @@ optional_policy(`
+@@ -832,6 +1060,8 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -6907,7 +6908,7 @@ index 6649962..371039c 100644
')
optional_policy(`
-@@ -842,20 +1071,44 @@ optional_policy(`
+@@ -842,20 +1072,44 @@ optional_policy(`
')
optional_policy(`
@@ -6958,7 +6959,7 @@ index 6649962..371039c 100644
')
optional_policy(`
-@@ -863,16 +1116,31 @@ optional_policy(`
+@@ -863,16 +1117,31 @@ optional_policy(`
')
optional_policy(`
@@ -6992,7 +6993,7 @@ index 6649962..371039c 100644
')
optional_policy(`
-@@ -883,65 +1151,189 @@ optional_policy(`
+@@ -883,65 +1152,189 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -7204,7 +7205,7 @@ index 6649962..371039c 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -950,123 +1342,75 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1343,75 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -7358,7 +7359,7 @@ index 6649962..371039c 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1427,107 @@ optional_policy(`
+@@ -1083,172 +1428,107 @@ optional_policy(`
')
')
@@ -7596,7 +7597,7 @@ index 6649962..371039c 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1535,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1536,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -7693,7 +7694,7 @@ index 6649962..371039c 100644
########################################
#
-@@ -1321,8 +1610,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1611,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -7710,7 +7711,7 @@ index 6649962..371039c 100644
')
########################################
-@@ -1330,49 +1626,41 @@ optional_policy(`
+@@ -1330,49 +1627,41 @@ optional_policy(`
# User content local policy
#
@@ -7777,7 +7778,7 @@ index 6649962..371039c 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1670,109 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1671,109 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -16534,7 +16535,7 @@ index 881d92f..a2d588a 100644
+ ')
')
diff --git a/condor.te b/condor.te
-index ce9f040..bd8d855 100644
+index ce9f040..e1e84a5 100644
--- a/condor.te
+++ b/condor.te
@@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t)
@@ -16614,22 +16615,24 @@ index ce9f040..bd8d855 100644
#
-allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
-+allow condor_master_t self:capability { chown setuid setgid sys_ptrace };
++allow condor_master_t self:capability { chown setuid setgid sys_ptrace net_admin };
allow condor_master_t condor_domain:process { sigkill signal };
-@@ -138,6 +148,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+@@ -138,6 +148,12 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
+can_exec(condor_master_t, condor_master_exec_t)
+
+kernel_read_system_state(condor_master_t)
++kernel_read_fs_sysctls(condor_master_t)
++kernel_rw_net_sysctls(condor_master_t)
+
corenet_udp_sendrecv_generic_if(condor_master_t)
corenet_udp_sendrecv_generic_node(condor_master_t)
corenet_tcp_bind_generic_node(condor_master_t)
-@@ -157,6 +171,8 @@ domain_read_all_domains_state(condor_master_t)
+@@ -157,6 +173,8 @@ domain_read_all_domains_state(condor_master_t)
auth_use_nsswitch(condor_master_t)
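Review bot: The rewritten capability line grants condor_master_t `net_admin`, and the same hunk adds `kernel_rw_net_sysctls(condor_master_t)`; together these let the master reconfigure the host's network stack, which is a large widening for a job scheduler and is not explained anywhere in the hunk. If the need is only to read network tunables, `kernel_read_net_sysctls(condor_master_t)` is the narrower choice; if `net_admin` is genuinely required, a comment such as `# net_admin: <operation placeholder>, see <BUG-ID placeholder>` above the allow line would record why. `kernel_read_fs_sysctls` looks harmless by comparison.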
@@ -16638,7 +16641,7 @@ index ce9f040..bd8d855 100644
optional_policy(`
mta_send_mail(condor_master_t)
mta_read_config(condor_master_t)
-@@ -174,6 +190,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
+@@ -174,6 +192,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
kernel_read_network_state(condor_collector_t)
@@ -16647,7 +16650,7 @@ index ce9f040..bd8d855 100644
#####################################
#
# Negotiator local policy
-@@ -183,12 +201,15 @@ allow condor_negotiator_t self:capability { setuid setgid };
+@@ -183,12 +203,15 @@ allow condor_negotiator_t self:capability { setuid setgid };
allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_negotiator_t condor_master_t:udp_socket getattr;
@@ -16663,7 +16666,7 @@ index ce9f040..bd8d855 100644
allow condor_procd_t condor_domain:process sigkill;
-@@ -206,6 +227,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
+@@ -206,6 +229,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
@@ -16672,7 +16675,7 @@ index ce9f040..bd8d855 100644
domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
-@@ -214,6 +237,13 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+@@ -214,6 +239,13 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
@@ -16686,7 +16689,7 @@ index ce9f040..bd8d855 100644
#####################################
#
# Startd local policy
-@@ -238,11 +268,10 @@ domain_read_all_domains_state(condor_startd_t)
+@@ -238,11 +270,10 @@ domain_read_all_domains_state(condor_startd_t)
mcs_process_set_categories(condor_startd_t)
init_domtrans_script(condor_startd_t)
@@ -16699,7 +16702,7 @@ index ce9f040..bd8d855 100644
optional_policy(`
ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
ssh_domtrans(condor_startd_t)
-@@ -254,3 +283,7 @@ optional_policy(`
+@@ -254,3 +285,7 @@ optional_policy(`
kerberos_use(condor_startd_ssh_t)
')
')
@@ -20661,7 +20664,7 @@ index b25b01d..06895f3 100644
')
+
diff --git a/ctdb.te b/ctdb.te
-index 001b502..ac0508e 100644
+index 001b502..73da04a 100644
--- a/ctdb.te
+++ b/ctdb.te
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
@@ -20674,10 +20677,12 @@ index 001b502..ac0508e 100644
type ctdbd_var_run_t;
files_pid_file(ctdbd_var_run_t)
-@@ -33,12 +36,15 @@ files_pid_file(ctdbd_var_run_t)
+@@ -32,13 +35,16 @@ files_pid_file(ctdbd_var_run_t)
+ # Local policy
#
- allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
+-allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
++allow ctdbd_t self:capability { chown dac_override dac_read_search ipc_lock net_admin net_raw sys_nice };
+allow ctdbd_t self:capability2 block_suspend;
allow ctdbd_t self:process { setpgid signal_perms setsched };
allow ctdbd_t self:fifo_file rw_fifo_file_perms;
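Review bot: The replaced capability line now grants ctdbd_t `dac_override` in addition to `dac_read_search`, which lets the daemon bypass all DAC permission checks rather than only read and search. When the underlying denial is a read of a root-owned file, `dac_read_search` alone is usually sufficient, so the hunk should either justify `dac_override` with a comment (`# dac_override needed to write <path placeholder>`) or drop it. The `capability2 block_suspend` line is unchanged by this revision and needs no action.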
@@ -26190,7 +26195,7 @@ index 19aa0b8..a79982c 100644
+
+
diff --git a/dnsmasq.te b/dnsmasq.te
-index 37a3b7b..0a64088 100644
+index 37a3b7b..9af09cc 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
@@ -26253,20 +26258,20 @@ index 37a3b7b..0a64088 100644
+ optional_policy(`
+ networkmanager_dbus_chat(dnsmasq_t)
+ ')
-+')
-+
-+optional_policy(`
-+ dnsmasq_domtrans(dnsmasq_t)
')
optional_policy(`
- networkmanager_read_pid_files(dnsmasq_t)
++ dnsmasq_domtrans(dnsmasq_t)
++')
++
++optional_policy(`
+ networkmanager_read_conf(dnsmasq_t)
+ networkmanager_manage_pid_files(dnsmasq_t)
')
optional_policy(`
-@@ -124,6 +144,14 @@ optional_policy(`
+@@ -124,6 +144,18 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
@@ -26281,6 +26286,10 @@ index 37a3b7b..0a64088 100644
+ neutron_rw_fifo_file(dnsmasq_t)
+ neutron_sigchld(dnsmasq_t)
+')
++
++optional_policy(`
++ systemd_resolved_read_pid(dnsmasq_t)
++')
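Review bot: The new optional block calls `systemd_resolved_read_pid(dnsmasq_t)`, an interface introduced to systemd.if by the base patch in this same update, so the contrib modules now build only against a base policy that already carries it. A changelog line or a comment here would make that version dependency between the two packages explicit. If systemd is a base module in this policy set, as its presence in policy-rawhide-base.patch suggests, the `optional_policy` wrapper is harmless but not needed.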
diff --git a/dnssec.fc b/dnssec.fc
new file mode 100644
index 0000000..1714fa6
@@ -31099,10 +31108,10 @@ index e5b15fb..220622e 100644
diff --git a/ganesha.fc b/ganesha.fc
new file mode 100644
-index 0000000..c5982d5
+index 0000000..855f58e
--- /dev/null
+++ b/ganesha.fc
-@@ -0,0 +1,11 @@
+@@ -0,0 +1,12 @@
+/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:ganesha_exec_t,s0)
+
+/usr/lib/systemd/system/nfs-ganesha-config.* -- gen_context(system_u:object_r:ganesha_unit_file_t,s0)
@@ -31112,6 +31121,7 @@ index 0000000..c5982d5
+/usr/lib/systemd/system/nfs-ganesha.*e -- gen_context(system_u:object_r:ganesha_unit_file_t,s0)
+
+/var/log/ganesha.log -- gen_context(system_u:object_r:ganesha_var_log_t,s0)
++/var/log/ganesha-gfapi.log -- gen_context(system_u:object_r:ganesha_var_log_t,s0)
+
+/var/run/ganesha(/.*)? gen_context(system_u:object_r:ganesha_var_run_t,s0)
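Review bot: The new entry `/var/log/ganesha-gfapi.log` leaves the dot before `log` unescaped, so as a file-context regular expression it matches any character in that position; the convention elsewhere in this patch set is to escape literal dots, as in `/var/run/rpc\.statd\.lock`. Use `/var/log/ganesha-gfapi\.log -- gen_context(system_u:object_r:ganesha_var_log_t,s0)`. The pre-existing `/var/log/ganesha.log` context line has the same issue but is not touched by this revision.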
diff --git a/ganesha.if b/ganesha.if
@@ -31269,10 +31279,10 @@ index 0000000..d9ba5fa
+')
diff --git a/ganesha.te b/ganesha.te
new file mode 100644
-index 0000000..9542305
+index 0000000..3cf186e
--- /dev/null
+++ b/ganesha.te
-@@ -0,0 +1,72 @@
+@@ -0,0 +1,109 @@
+policy_module(ganesha, 1.0.0)
+
+########################################
@@ -31280,18 +31290,26 @@ index 0000000..9542305
+# Declarations
+#
+
++##
++##
++## Allow ganesha to read/write fuse files
++##
++##
++gen_tunable(ganesha_use_fusefs, false)
++
+type ganesha_t;
+type ganesha_exec_t;
+init_daemon_domain(ganesha_t, ganesha_exec_t)
+
-+permissive ganesha_t;
-+
+type ganesha_var_log_t;
+logging_log_file(ganesha_var_log_t)
+
+type ganesha_var_run_t;
+files_pid_file(ganesha_var_run_t)
+
++type ganesha_tmp_t;
++files_tmp_file(ganesha_tmp_t)
++
+type ganesha_unit_file_t;
+systemd_unit_file(ganesha_unit_file_t)
+
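Review bot: The new tunable's description says "Allow ganesha to read/write fuse files", but the `tunable_policy` body added at the end of this file section (the hunk ending at `fs_getattr_fusefs`) grants `fs_manage_fusefs_dirs` and `fs_manage_fusefs_files`, i.e. create and delete as well as read and write. The description should say what the block actually grants, e.g. `## Allow ganesha to manage fuse files and directories`. Dropping `permissive ganesha_t` in the same hunk moves the domain to enforcing for the first time; the rules added in the following hunks presumably come from permissive-mode audit data, so a pointer to that data in the changelog would help confirm coverage.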
@@ -31299,6 +31317,9 @@ index 0000000..9542305
+#
+# ganesha local policy
+#
++dontaudit ganesha_t self:capability net_admin;
++
++allow ganesha_t self:capability2 block_suspend;
+allow ganesha_t self:process { setcap setrlimit };
+allow ganesha_t self:fifo_file rw_fifo_file_perms;
+allow ganesha_t self:unix_stream_socket create_stream_socket_perms;
@@ -31313,15 +31334,28 @@ index 0000000..9542305
+manage_files_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t)
+logging_log_filetrans(ganesha_t, ganesha_var_log_t, { file dir })
+
++manage_dirs_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t)
++manage_files_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t)
++files_tmp_filetrans(ganesha_t, ganesha_tmp_t, { file dir })
++
++kernel_read_system_state(ganesha_t)
++kernel_search_network_sysctl(ganesha_t)
++kernel_read_net_sysctls(ganesha_t)
++
+auth_use_nsswitch(ganesha_t)
+
+corenet_tcp_bind_nfs_port(ganesha_t)
+corenet_tcp_connect_generic_port(ganesha_t)
++corenet_tcp_connect_gluster_port(ganesha_t)
++corenet_udp_bind_dey_keyneg_port(ganesha_t)
++corenet_tcp_bind_dey_keyneg_port(ganesha_t)
+corenet_udp_bind_nfs_port(ganesha_t)
+corenet_udp_bind_all_rpc_ports(ganesha_t)
+corenet_tcp_bind_all_rpc_ports(ganesha_t)
+corenet_tcp_bind_mountd_port(ganesha_t)
+corenet_udp_bind_mountd_port(ganesha_t)
++corenet_tcp_connect_virt_migration_port(ganesha_t)
++corenet_tcp_connect_all_rpc_ports(ganesha_t)
+
+dev_rw_infiniband_dev(ganesha_t)
+dev_read_gpfs(ganesha_t)
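Review bot: `corenet_tcp_connect_virt_migration_port(ganesha_t)` grants connect to the libvirt migration port range, which is a surprising need for an NFS server; if, as seems likely, it is present because Gluster brick ports fall into the same numeric range, a comment saying so (`# gluster brick ports overlap the virt_migration range`) would stop a later cleanup from removing it. `kernel_search_network_sysctl(ganesha_t)` is redundant next to `kernel_read_net_sysctls(ganesha_t)`, which upstream already lists the sysctl directories, so one of the two can go. `corenet_tcp_connect_all_rpc_ports` is broad; confirm it is needed beyond the nfs and mountd ports already granted above it.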
@@ -31336,6 +31370,11 @@ index 0000000..9542305
+ unconfined_dbus_chat(ganesha_t)
+')
+
++optional_policy(`
++ glusterd_read_conf(ganesha_t)
++ glusterd_read_lib_files(ganesha_t)
++ glusterd_manage_pid(ganesha_t)
++')
+
+optional_policy(`
+ kerberos_read_keytab(ganesha_t)
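Review bot: `glusterd_manage_pid(ganesha_t)` grants create, write and unlink on glusterd's runtime directory and files (see the interface body added to glusterd.if later in this update), which is write access to another daemon's state; if ganesha only needs to read files or connect to a socket there, a narrower read or socket interface would be preferable. The same grant is made to smbd_t in the samba.te hunk of this update (`glusterd_manage_pid(smbd_t)`), so the same question applies there. A comment naming the file ganesha actually writes would settle it.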
@@ -31343,8 +31382,16 @@ index 0000000..9542305
+
+optional_policy(`
+ rpc_manage_nfs_state_data_dir(ganesha_t)
++ rpc_read_nfs_state_data(ganesha_t)
+ rpcbind_stream_connect(ganesha_t)
+')
++
++tunable_policy(`ganesha_use_fusefs',`
++ fs_manage_fusefs_dirs(ganesha_t)
++ fs_manage_fusefs_files(ganesha_t)
++ fs_read_fusefs_symlinks(ganesha_t)
++ fs_getattr_fusefs(ganesha_t)
++')
diff --git a/gatekeeper.te b/gatekeeper.te
index 2820368..88c98f4 100644
--- a/gatekeeper.te
@@ -32683,10 +32730,10 @@ index 0000000..9806f50
+/var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0)
diff --git a/glusterd.if b/glusterd.if
new file mode 100644
-index 0000000..764ae00
+index 0000000..4501460
--- /dev/null
+++ b/glusterd.if
-@@ -0,0 +1,261 @@
+@@ -0,0 +1,302 @@
+
+## policy for glusterd
+
@@ -32787,6 +32834,26 @@ index 0000000..764ae00
+
+########################################
+##
++## Manage glusterd PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`glusterd_manage_pid',`
++ gen_require(`
++ type glusterd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_dirs_pattern($1, glusterd_var_run_t, glusterd_var_run_t)
++ manage_files_pattern($1, glusterd_var_run_t, glusterd_var_run_t)
++')
++
++########################################
++##
+## Manage glusterd log files
+##
+##
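Review bot: The new interface is named `glusterd_manage_pid`, while its summary says "Manage glusterd PID files" and the callers elsewhere in this update follow the `*_manage_pid_files` form (`memcached_manage_pid_files`, `networkmanager_manage_pid_files`). Naming it `glusterd_manage_pid_files` would match that convention and the `_files` suffix already used by the sibling `glusterd_read_lib_files` in this file. If the shorter name is kept because callers already exist, a comment saying so avoids a later rename.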
@@ -32884,6 +32951,26 @@ index 0000000..764ae00
+
+######################################
+##
++## Read /var/lib/glusterd files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`glusterd_read_lib_files',`
++ gen_require(`
++ type glusterd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 glusterd_var_lib_t:dir search_dir_perms;
++ read_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
++')
++
++######################################
++##
+## Read and write /var/lib/glusterd files.
+##
+##
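Review bot: In `glusterd_read_lib_files` the line `allow $1 glusterd_var_lib_t:dir search_dir_perms;` is redundant, because `read_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)` already grants search on the directory type; the same redundant allow is inserted into the rw interface in the next hunk, where `manage_files_pattern` likewise covers it. If the intent is to let callers enumerate the directory, `list_dirs_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)` is the conventional line, as the new `systemd_resolved_read_pid` interface in the base patch does. Otherwise the explicit allow can simply be dropped.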
@@ -32898,6 +32985,7 @@ index 0000000..764ae00
+ ')
+
+ files_search_var_lib($1)
++ allow $1 glusterd_var_lib_t:dir search_dir_perms;
+ manage_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
+')
+
@@ -42853,10 +42941,10 @@ index 0000000..bd7e7fa
+')
diff --git a/keepalived.te b/keepalived.te
new file mode 100644
-index 0000000..c07a3fe
+index 0000000..c4f0c32
--- /dev/null
+++ b/keepalived.te
-@@ -0,0 +1,94 @@
+@@ -0,0 +1,95 @@
+policy_module(keepalived, 1.0.0)
+
+########################################
@@ -42910,6 +42998,7 @@ index 0000000..c07a3fe
+corenet_tcp_connect_smtp_port(keepalived_t)
+corenet_tcp_connect_snmp_port(keepalived_t)
+corenet_tcp_connect_agentx_port(keepalived_t)
++corenet_tcp_connect_squid_port(keepalived_t)
+
+domain_read_all_domains_state(keepalived_t)
+
@@ -43794,7 +43883,7 @@ index f6c00d8..79ea4d8 100644
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
')
diff --git a/kerberos.te b/kerberos.te
-index 8833d59..3fde8ee 100644
+index 8833d59..ac3f3ee 100644
--- a/kerberos.te
+++ b/kerberos.te
@@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0)
@@ -44004,7 +44093,7 @@ index 8833d59..3fde8ee 100644
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
-@@ -201,71 +236,79 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+@@ -201,71 +236,83 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
@@ -44088,17 +44177,20 @@ index 8833d59..3fde8ee 100644
')
optional_policy(`
-- nis_use_ypbind(krb5kdc_t)
+ dirsrv_stream_connect(krb5kdc_t)
++')
++
++optional_policy(`
+ nis_use_ypbind(krb5kdc_t)
')
optional_policy(`
- sssd_read_public_files(krb5kdc_t)
-+ nis_use_ypbind(krb5kdc_t)
++ realmd_read_var_lib(krb5kdc_t)
')
optional_policy(`
-@@ -273,6 +316,10 @@ optional_policy(`
+@@ -273,6 +320,10 @@ optional_policy(`
')
optional_policy(`
@@ -44109,7 +44201,7 @@ index 8833d59..3fde8ee 100644
udev_read_db(krb5kdc_t)
')
-@@ -281,10 +328,12 @@ optional_policy(`
+@@ -281,10 +332,12 @@ optional_policy(`
# kpropd local policy
#
@@ -44125,7 +44217,7 @@ index 8833d59..3fde8ee 100644
allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
-@@ -301,27 +350,26 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+@@ -301,27 +354,26 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
@@ -58853,7 +58945,7 @@ index 0641e97..f3b1111 100644
+ admin_pattern($1, nrpe_etc_t)
')
diff --git a/nagios.te b/nagios.te
-index 7b3e682..d1e103e 100644
+index 7b3e682..c1f487c 100644
--- a/nagios.te
+++ b/nagios.te
@@ -5,6 +5,25 @@ policy_module(nagios, 1.13.0)
@@ -58938,7 +59030,15 @@ index 7b3e682..d1e103e 100644
########################################
#
-@@ -96,11 +121,13 @@ allow nagios_t nagios_etc_t:dir list_dir_perms;
+@@ -87,6 +112,7 @@ dontaudit nagios_t self:capability sys_tty_config;
+ allow nagios_t self:process { setpgid signal_perms };
+ allow nagios_t self:fifo_file rw_fifo_file_perms;
+ allow nagios_t self:tcp_socket { accept listen };
++allow nagios_t self:unix_stream_socket { connectto };
+
+ allow nagios_t nagios_plugin_domain:process signal_perms;
+
+@@ -96,11 +122,13 @@ allow nagios_t nagios_etc_t:dir list_dir_perms;
allow nagios_t nagios_etc_t:file read_file_perms;
allow nagios_t nagios_etc_t:lnk_file read_lnk_file_perms;
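Review bot: `allow nagios_t self:unix_stream_socket { connectto };` wraps a single permission in braces; refpolicy style writes one permission bare, `allow nagios_t self:unix_stream_socket connectto;`, reserving braces for sets like the neighbouring `{ accept listen }`. A comment on what nagios connects to over its own stream socket would also help, since the new inner hunk adds no context for the rule.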
@@ -58957,7 +59057,7 @@ index 7b3e682..d1e103e 100644
manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
-@@ -110,11 +137,14 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
+@@ -110,11 +138,14 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
files_pid_filetrans(nagios_t, nagios_var_run_t, file)
manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
@@ -58974,7 +59074,7 @@ index 7b3e682..d1e103e 100644
kernel_read_system_state(nagios_t)
kernel_read_kernel_sysctls(nagios_t)
-@@ -123,7 +153,6 @@ kernel_read_software_raid_state(nagios_t)
+@@ -123,7 +154,6 @@ kernel_read_software_raid_state(nagios_t)
corecmd_exec_bin(nagios_t)
corecmd_exec_shell(nagios_t)
@@ -58982,7 +59082,7 @@ index 7b3e682..d1e103e 100644
corenet_all_recvfrom_netlabel(nagios_t)
corenet_tcp_sendrecv_generic_if(nagios_t)
corenet_tcp_sendrecv_generic_node(nagios_t)
-@@ -143,18 +172,16 @@ domain_read_all_domains_state(nagios_t)
+@@ -143,18 +173,16 @@ domain_read_all_domains_state(nagios_t)
files_read_etc_runtime_files(nagios_t)
files_read_kernel_symbol_table(nagios_t)
@@ -59002,7 +59102,7 @@ index 7b3e682..d1e103e 100644
userdom_dontaudit_use_unpriv_user_fds(nagios_t)
userdom_dontaudit_search_user_home_dirs(nagios_t)
-@@ -162,6 +189,37 @@ mta_send_mail(nagios_t)
+@@ -162,6 +190,41 @@ mta_send_mail(nagios_t)
mta_signal_system_mail(nagios_t)
mta_kill_system_mail(nagios_t)
@@ -59027,6 +59127,10 @@ index 7b3e682..d1e103e 100644
+')
+
+optional_policy(`
++ apache_systemctl(nagios_t)
++')
++
++optional_policy(`
+ tunable_policy(`nagios_run_sudo',`
+ sudo_exec(nagios_t)
+ sudo_manage_db(nagios_t)
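Review bot: `apache_systemctl(nagios_t)` lets the core nagios daemon start, stop and restart httpd through systemd, which is a significant privilege for the monitoring process itself. Event handlers have their own domain, `nagios_eventhandler_plugin_t` (its section appears later in this file), which looks like the more appropriate recipient if the restart is driven by an event handler. If nagios_t genuinely needs it, gate it behind a tunable in the style of the neighbouring `nagios_run_sudo` block and add a comment stating the use case.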
@@ -59040,7 +59144,7 @@ index 7b3e682..d1e103e 100644
optional_policy(`
netutils_kill_ping(nagios_t)
')
-@@ -178,35 +236,37 @@ optional_policy(`
+@@ -178,35 +241,37 @@ optional_policy(`
#
# CGI local policy
#
@@ -59096,7 +59200,7 @@ index 7b3e682..d1e103e 100644
')
########################################
-@@ -214,7 +274,7 @@ optional_policy(`
+@@ -214,7 +279,7 @@ optional_policy(`
# Nrpe local policy
#
@@ -59105,7 +59209,7 @@ index 7b3e682..d1e103e 100644
dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
allow nrpe_t self:fifo_file rw_fifo_file_perms;
-@@ -229,9 +289,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
+@@ -229,9 +294,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
@@ -59116,7 +59220,7 @@ index 7b3e682..d1e103e 100644
corecmd_exec_bin(nrpe_t)
corecmd_exec_shell(nrpe_t)
-@@ -252,8 +312,8 @@ dev_read_urand(nrpe_t)
+@@ -252,8 +317,8 @@ dev_read_urand(nrpe_t)
domain_use_interactive_fds(nrpe_t)
domain_read_all_domains_state(nrpe_t)
@@ -59126,7 +59230,7 @@ index 7b3e682..d1e103e 100644
fs_getattr_all_fs(nrpe_t)
fs_search_auto_mountpoints(nrpe_t)
-@@ -262,10 +322,34 @@ auth_use_nsswitch(nrpe_t)
+@@ -262,10 +327,34 @@ auth_use_nsswitch(nrpe_t)
logging_send_syslog_msg(nrpe_t)
@@ -59163,7 +59267,7 @@ index 7b3e682..d1e103e 100644
optional_policy(`
inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
')
-@@ -310,15 +394,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+@@ -310,15 +399,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
#
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@@ -59182,7 +59286,7 @@ index 7b3e682..d1e103e 100644
logging_send_syslog_msg(nagios_mail_plugin_t)
sysnet_dns_name_resolve(nagios_mail_plugin_t)
-@@ -345,6 +429,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
+@@ -345,9 +434,14 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
@@ -59192,7 +59296,12 @@ index 7b3e682..d1e103e 100644
files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
-@@ -357,9 +444,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
++fs_read_configfs_files(nagios_checkdisk_plugin_t)
++fs_read_configfs_dirs(nagios_checkdisk_plugin_t)
+ fs_getattr_all_fs(nagios_checkdisk_plugin_t)
+
+ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -357,9 +451,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
# Services local policy
#
@@ -59206,7 +59315,7 @@ index 7b3e682..d1e103e 100644
corecmd_exec_bin(nagios_services_plugin_t)
-@@ -391,6 +480,11 @@ optional_policy(`
+@@ -391,6 +487,11 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(nagios_services_plugin_t)
@@ -59218,7 +59327,7 @@ index 7b3e682..d1e103e 100644
')
optional_policy(`
-@@ -406,28 +500,36 @@ allow nagios_system_plugin_t self:capability dac_override;
+@@ -406,28 +507,36 @@ allow nagios_system_plugin_t self:capability dac_override;
dontaudit nagios_system_plugin_t self:capability { setuid setgid };
read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)
@@ -59257,7 +59366,7 @@ index 7b3e682..d1e103e 100644
#######################################
#
# Event local policy
-@@ -442,9 +544,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
+@@ -442,9 +551,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
init_domtrans_script(nagios_eventhandler_plugin_t)
@@ -69954,10 +70063,10 @@ index 0000000..abb250d
+')
diff --git a/pcp.te b/pcp.te
new file mode 100644
-index 0000000..7bd521e
+index 0000000..69b47dc
--- /dev/null
+++ b/pcp.te
-@@ -0,0 +1,309 @@
+@@ -0,0 +1,313 @@
+policy_module(pcp, 1.0.0)
+
+########################################
@@ -70228,8 +70337,12 @@ index 0000000..7bd521e
+
+fs_search_cgroup_dirs(pcp_pmie_t)
+
++init_status(pcp_pmie_t)
++
+logging_send_syslog_msg(pcp_pmie_t)
+
++systemd_exec_systemctl(pcp_pmie_t)
++systemd_read_unit_files(pcp_pmie_t)
+systemd_search_unit_dirs(pcp_pmie_t)
+
+userdom_read_user_tmp_files(pcp_pmie_t)
@@ -72393,10 +72506,10 @@ index 0000000..47cd0f8
+/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
diff --git a/pki.if b/pki.if
new file mode 100644
-index 0000000..d8226f9
+index 0000000..f18fcc6
--- /dev/null
+++ b/pki.if
-@@ -0,0 +1,461 @@
+@@ -0,0 +1,479 @@
+
+## policy for pki
+
@@ -72822,6 +72935,24 @@ index 0000000..d8226f9
+
+########################################
+##
++## Allow execute pki_common_t files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_exec_common_files',`
++ gen_require(`
++ type pki_common_t;
++ ')
++
++ exec_files_pattern($1, pki_common_t, pki_common_t)
++')
++
++########################################
++##
+## Allow read pki_common_t files
+##
+##
@@ -86456,7 +86587,7 @@ index 04babe3..3b92679 100644
+
+/var/lib/ipa-client(/.*)? gen_context(system_u:object_r:realmd_var_lib_t,s0)
diff --git a/realmd.if b/realmd.if
-index bff31df..3b2a829 100644
+index bff31df..1663054 100644
--- a/realmd.if
+++ b/realmd.if
@@ -1,8 +1,9 @@
@@ -86471,7 +86602,7 @@ index bff31df..3b2a829 100644
##
##
##
-@@ -39,3 +40,101 @@ interface(`realmd_dbus_chat',`
+@@ -39,3 +40,120 @@ interface(`realmd_dbus_chat',`
allow $1 realmd_t:dbus send_msg;
allow realmd_t $1:dbus send_msg;
')
@@ -86573,6 +86704,25 @@ index bff31df..3b2a829 100644
+ read_files_pattern($1, realmd_tmp_t, realmd_tmp_t)
+')
+
++#######################################
++##
++## Read realmd library files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`realmd_read_var_lib',`
++ gen_require(`
++ type realmd_var_lib_t;
++ ')
++
++ list_dirs_pattern($1, realmd_var_lib_t, realmd_var_lib_t)
++ read_files_pattern($1, realmd_var_lib_t, realmd_var_lib_t)
++
++')
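Review bot: `realmd_read_var_lib` grants list/read on `realmd_var_lib_t` but, unlike the sibling `glusterd_read_lib_files` added in this same update, does not call `files_search_var_lib($1)`; since the type lives under /var/lib (`/var/lib/ipa-client(/.*)?` in the realmd.fc hunk above), a caller without its own var_lib_t search access will be denied before reaching the files. Add `files_search_var_lib($1)` before the two pattern lines. There is also a stray blank line between the last rule and the closing `')`, which the preceding interface in this file does not have.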
diff --git a/realmd.te b/realmd.te
index 5bc878b..5736203 100644
--- a/realmd.te
@@ -91572,7 +91722,7 @@ index a6fb30c..97ef313 100644
+/var/run/rpc\.statd\.lock -- gen_context(system_u:object_r:rpcd_lock_t,s0)
+
diff --git a/rpc.if b/rpc.if
-index 0bf13c2..9572351 100644
+index 0bf13c2..79a2a9c 100644
--- a/rpc.if
+++ b/rpc.if
@@ -1,4 +1,4 @@
@@ -91937,7 +92087,12 @@ index 0bf13c2..9572351 100644
##
##
##
-@@ -350,8 +407,7 @@ interface(`rpc_read_nfs_state_data',`
+@@ -346,12 +403,12 @@ interface(`rpc_read_nfs_state_data',`
+
+ files_search_var_lib($1)
+ read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
++ read_lnk_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+ ')
########################################
##
@@ -91947,7 +92102,7 @@ index 0bf13c2..9572351 100644
##
##
##
-@@ -366,31 +422,68 @@ interface(`rpc_manage_nfs_state_data',`
+@@ -366,31 +423,68 @@ interface(`rpc_manage_nfs_state_data',`
files_search_var_lib($1)
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
@@ -92022,7 +92177,7 @@ index 0bf13c2..9572351 100644
')
allow $1 rpc_domain:process { ptrace signal_perms };
-@@ -411,10 +504,28 @@ interface(`rpc_admin',`
+@@ -411,10 +505,28 @@ interface(`rpc_admin',`
admin_pattern($1, rpcd_var_run_t)
files_list_all($1)
@@ -96030,7 +96185,7 @@ index 50d07fb..a34db48 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 2b7c441..c3db0c7 100644
+index 2b7c441..0aaed65 100644
--- a/samba.te
+++ b/samba.te
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@@ -96621,7 +96776,7 @@ index 2b7c441..c3db0c7 100644
')
optional_policy(`
-@@ -474,11 +501,30 @@ optional_policy(`
+@@ -474,11 +501,31 @@ optional_policy(`
')
optional_policy(`
@@ -96636,6 +96791,7 @@ index 2b7c441..c3db0c7 100644
+optional_policy(`
+ glusterd_read_conf(smbd_t)
+ glusterd_rw_lib(smbd_t)
++ glusterd_manage_pid(smbd_t)
+')
+
+optional_policy(`
@@ -96652,7 +96808,7 @@ index 2b7c441..c3db0c7 100644
lpd_exec_lpr(smbd_t)
')
-@@ -488,6 +534,10 @@ optional_policy(`
+@@ -488,6 +535,10 @@ optional_policy(`
')
optional_policy(`
@@ -96663,7 +96819,7 @@ index 2b7c441..c3db0c7 100644
rpc_search_nfs_state_data(smbd_t)
')
-@@ -499,12 +549,53 @@ optional_policy(`
+@@ -499,12 +550,53 @@ optional_policy(`
udev_read_db(smbd_t)
')
@@ -96718,7 +96874,7 @@ index 2b7c441..c3db0c7 100644
allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow nmbd_t self:fd use;
allow nmbd_t self:fifo_file rw_fifo_file_perms;
-@@ -512,9 +603,11 @@ allow nmbd_t self:msg { send receive };
+@@ -512,9 +604,11 @@ allow nmbd_t self:msg { send receive };
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -96733,7 +96889,7 @@ index 2b7c441..c3db0c7 100644
manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +619,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +620,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -96758,7 +96914,7 @@ index 2b7c441..c3db0c7 100644
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
-@@ -547,53 +636,44 @@ kernel_read_kernel_sysctls(nmbd_t)
+@@ -547,53 +637,44 @@ kernel_read_kernel_sysctls(nmbd_t)
kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
@@ -96827,7 +96983,7 @@ index 2b7c441..c3db0c7 100644
')
optional_policy(`
-@@ -606,18 +686,29 @@ optional_policy(`
+@@ -606,18 +687,29 @@ optional_policy(`
########################################
#
@@ -96863,7 +97019,7 @@ index 2b7c441..c3db0c7 100644
samba_read_config(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -627,39 +718,38 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,39 +719,38 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
@@ -96915,7 +97071,7 @@ index 2b7c441..c3db0c7 100644
allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -668,26 +758,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +759,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@@ -96951,7 +97107,7 @@ index 2b7c441..c3db0c7 100644
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
-@@ -699,58 +785,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +786,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
@@ -97043,7 +97199,7 @@ index 2b7c441..c3db0c7 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +864,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +865,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
@@ -97067,7 +97223,7 @@ index 2b7c441..c3db0c7 100644
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -777,36 +878,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +879,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
@@ -97110,7 +97266,7 @@ index 2b7c441..c3db0c7 100644
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -818,10 +908,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +909,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@@ -97124,7 +97280,7 @@ index 2b7c441..c3db0c7 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -840,17 +931,20 @@ optional_policy(`
+@@ -840,17 +932,20 @@ optional_policy(`
# Winbind local policy
#
@@ -97151,7 +97307,7 @@ index 2b7c441..c3db0c7 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +954,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +955,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -97162,7 +97318,7 @@ index 2b7c441..c3db0c7 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,38 +965,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,38 +966,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@@ -97216,7 +97372,7 @@ index 2b7c441..c3db0c7 100644
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,38 +1008,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,38 +1009,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
@@ -97275,7 +97431,7 @@ index 2b7c441..c3db0c7 100644
')
optional_policy(`
-@@ -959,31 +1069,36 @@ optional_policy(`
+@@ -959,31 +1070,36 @@ optional_policy(`
# Winbind helper local policy
#
@@ -97319,7 +97475,7 @@ index 2b7c441..c3db0c7 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -997,25 +1112,38 @@ optional_policy(`
+@@ -997,25 +1113,38 @@ optional_policy(`
########################################
#
@@ -99326,10 +99482,10 @@ index 0000000..7a058a8
+')
diff --git a/sbd.te b/sbd.te
new file mode 100644
-index 0000000..9c44c87
+index 0000000..469868d
--- /dev/null
+++ b/sbd.te
-@@ -0,0 +1,54 @@
+@@ -0,0 +1,55 @@
+policy_module(sbd, 1.0.0)
+
+########################################
@@ -99351,7 +99507,7 @@ index 0000000..9c44c87
+#
+# sbd local policy
+#
-+allow sbd_t self:capability { dac_override ipc_lock sys_nice sys_admin};
++allow sbd_t self:capability { dac_override ipc_lock sys_boot sys_nice sys_admin};
+allow sbd_t self:process { fork setsched signal_perms };
+allow sbd_t self:fifo_file rw_fifo_file_perms;
+allow sbd_t self:unix_stream_socket create_stream_socket_perms;
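Review bot: The new `sys_boot` in sbd_t's capability set is unexplained and the closing brace still lacks its space; sys_boot lets the domain call reboot(2), which is presumably how sbd self-fences the node, but nothing in the hunk says so. With sys_admin already present the domain is close to unconfined, so each further capability deserves a one-line justification that later reviewers can check against the AVC. Suggested: `# sys_boot: presumably for self-fencing via reboot(2) -- confirm against the AVC` above `allow sbd_t self:capability { dac_override ipc_lock sys_boot sys_nice sys_admin };`.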
@@ -99365,6 +99521,7 @@ index 0000000..9c44c87
+kernel_read_system_state(sbd_t)
+kernel_dgram_send(sbd_t)
+kernel_rw_kernel_sysctl(sbd_t)
++kernel_create_rpc_sysctls(sbd_t)
+
+dev_read_rand(sbd_t)
+dev_write_watchdog(sbd_t)
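Review bot: `kernel_create_rpc_sysctls(sbd_t)` lets a fencing/watchdog daemon create entries under the sunrpc sysctl tree, which has no obvious connection to what sbd does, and neither the hunk nor the changelog line ("Allow sbd_t domain to create rpc sysctls") records the denial that motivated it. Before granting create on a kernel sysctl directory it is worth checking whether the AVC was really against the rpc sysctl type or a mislabelled /proc/sys path, and whether a read/write-only variant of the interface (if one exists in this policy) would have sufficed. Whatever the answer, keep it next to the rule, e.g. `# needed because <describe the denied operation>; see <tracking reference>`.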
@@ -111050,10 +111207,10 @@ index 0000000..e5cec8f
+')
diff --git a/tomcat.te b/tomcat.te
new file mode 100644
-index 0000000..cf2b1a7
+index 0000000..1d0e69b
--- /dev/null
+++ b/tomcat.te
-@@ -0,0 +1,99 @@
+@@ -0,0 +1,106 @@
+policy_module(tomcat, 1.0.0)
+
+########################################
@@ -111075,6 +111232,9 @@ index 0000000..cf2b1a7
+
+auth_use_nsswitch(tomcat_t)
+
++# Temporary fix, while missing SELinux policies for HSM
++init_stream_connect_script(tomcat_t)
++
+optional_policy(`
+ pki_manage_tomcat_cert(tomcat_t)
+ pki_manage_apache_log_files(tomcat_t)
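Review bot: The `init_stream_connect_script(tomcat_t)` workaround is marked temporary but carries no tracking reference or removal condition, and if the interface grants connectto on every initrc_t-labelled unix socket (as its name suggests) it opens tomcat_t to far more than the HSM daemon it is meant to reach. Temporary grants with a bare comment tend to become permanent. Tie it to the bug or task that will add the HSM policy and say what it is really needed for, e.g. `# TODO: remove once the HSM daemon has its own domain (tracking bug: ...); presumably it currently runs as initrc_t and tomcat must reach its socket`.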
@@ -111083,6 +111243,7 @@ index 0000000..cf2b1a7
+ pki_search_log_dirs(tomcat_t)
+ pki_manage_tomcat_log(tomcat_t)
+ pki_manage_common_files(tomcat_t)
++ pki_exec_common_files(tomcat_t)
+ pki_stream_connect(tomcat_t)
+')
+
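Review bot: With `pki_exec_common_files(tomcat_t)` added next to `pki_manage_common_files(tomcat_t)`, tomcat_t can now both write and execute the same pki common-file type, so anything that gets a write into that tree (a web-app upload, a deserialization bug in a servlet) can be turned into code execution inside the domain without any transition. SELinux policy normally keeps a domain's writable types and its executable types disjoint for exactly this reason. If tomcat must run helpers from that tree, label the executables with a distinct type that tomcat_t may exec but not write, or at least state in a comment which files are executed and why write access to the same type is also required.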
@@ -111122,6 +111283,7 @@ index 0000000..cf2b1a7
+corenet_tcp_bind_http_port(tomcat_domain)
+corenet_tcp_bind_http_cache_port(tomcat_domain)
+corenet_tcp_bind_mxi_port(tomcat_domain)
++corenet_tcp_bind_bctp_port(tomcat_domain)
+corenet_tcp_connect_http_port(tomcat_domain)
+corenet_tcp_connect_ldap_port(tomcat_domain)
+corenet_tcp_connect_mxi_port(tomcat_domain)
@@ -111129,6 +111291,8 @@ index 0000000..cf2b1a7
+corenet_tcp_connect_postgresql_port(tomcat_domain)
+corenet_tcp_connect_amqp_port(tomcat_domain)
+corenet_tcp_connect_oracle_port(tomcat_domain)
++corenet_tcp_connect_ibm_dt_2_port(tomcat_domain)
++corenet_tcp_connect_unreserved_ports(tomcat_domain)
+
+dev_read_rand(tomcat_domain)
+dev_read_urand(tomcat_domain)
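Review bot: `corenet_tcp_connect_unreserved_ports(tomcat_domain)` grants every domain carrying the tomcat_domain attribute unconditional outbound access to all unlabelled high ports, which makes a compromised web application a convenient pivot to anything listening on an unlabelled port on the network; the labelled-port grants above (ldap, postgresql, amqp, oracle, ibm_dt_2) remain necessary only because those ports carry their own types. Other modules in this patch put comparable reach behind a boolean (virt_use_nfs, virt_use_glusterd), and an administrator who only needs the labelled database ports should be able to leave this off. Declare a tunable with a description at the top of the module (outside this hunk) and wrap the rule: `tunable_policy(\`tomcat_can_network_connect',\`` / `corenet_tcp_connect_unreserved_ports(tomcat_domain)` / `')`.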
@@ -115754,10 +115918,10 @@ index facdee8..b5a815a 100644
+ dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
')
diff --git a/virt.te b/virt.te
-index f03dcf5..6e0d11b 100644
+index f03dcf5..066b1c3 100644
--- a/virt.te
+++ b/virt.te
-@@ -1,451 +1,415 @@
+@@ -1,451 +1,422 @@
-policy_module(virt, 1.7.4)
+policy_module(virt, 1.5.0)
@@ -115840,6 +116004,13 @@ index f03dcf5..6e0d11b 100644
-## can use nfs file systems.
-##
+##
++## Allow confined virtual guests to use glusterd
++##
++##
++gen_tunable(virt_use_glusterd, false)
++
++##
++##
+## Allow sandbox containers to share apache content
+##
+##
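Review bot: The description for `virt_use_glusterd` says only that guests may "use glusterd", but the rule this boolean enables later in the file is `glusterd_manage_pid(virt_domain)`, i.e. manage rights on glusterd's runtime (pid) files for every confined guest, which is what an administrator flipping it should be told. Booleans are the one place a policy documents its own trade-offs, so the text should name the grant: `## Allow confined virtual guests (virt_domain) to manage glusterd's runtime (pid) files under /var/run/gluster`.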
@@ -115931,8 +116102,7 @@ index f03dcf5..6e0d11b 100644
+##
+##
+gen_tunable(virt_sandbox_use_audit, true)
-
--attribute svirt_lxc_domain;
++
+##
+##
+## Allow sandbox containers to use netlink system calls
@@ -115946,7 +116116,8 @@ index f03dcf5..6e0d11b 100644
+##
+##
+gen_tunable(virt_sandbox_use_sys_admin, false)
-+
+
+-attribute svirt_lxc_domain;
+##
+##
+## Allow sandbox containers to use mknod system calls
@@ -115988,10 +116159,10 @@ index f03dcf5..6e0d11b 100644
+
+virt_domain_template(svirt_tcg)
+role system_r types svirt_tcg_t;
-+
-+type qemu_exec_t, virt_file_type;
-type virt_cache_t alias svirt_cache_t;
++type qemu_exec_t, virt_file_type;
++
+type virt_cache_t alias svirt_cache_t, virt_file_type;
files_type(virt_cache_t)
@@ -116362,10 +116533,10 @@ index f03dcf5..6e0d11b 100644
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
+-
+-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
+allow svirt_t self:process ptrace;
--stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
--
-corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_udp_sendrecv_all_ports(svirt_t)
@@ -116483,7 +116654,7 @@ index f03dcf5..6e0d11b 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +419,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +426,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -116530,27 +116701,27 @@ index f03dcf5..6e0d11b 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,23 +454,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,23 +461,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-can_exec(virtd_t, virt_tmp_t)
+# libvirtd is permitted to talk to virtlogd
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t)
+allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;
--can_exec(virtd_t, virt_tmp_t)
--
-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
@@ -116564,7 +116735,7 @@ index f03dcf5..6e0d11b 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -527,24 +479,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +486,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -116592,7 +116763,7 @@ index f03dcf5..6e0d11b 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -555,20 +499,26 @@ dev_rw_vhost(virtd_t)
+@@ -555,20 +506,26 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -116623,7 +116794,7 @@ index f03dcf5..6e0d11b 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_all_fs(virtd_t)
fs_rw_anon_inodefs_files(virtd_t)
-@@ -601,15 +551,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +558,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -116643,29 +116814,19 @@ index f03dcf5..6e0d11b 100644
selinux_validate_context(virtd_t)
-@@ -620,18 +573,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,27 +580,35 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
+sysnet_read_config(virtd_t)
--userdom_read_all_users_state(virtd_t)
--
--ifdef(`hide_broken_symptoms',`
-- dontaudit virtd_t self:capability { sys_module sys_ptrace };
--')
+systemd_dbus_chat_logind(virtd_t)
+systemd_write_inhibit_pipes(virtd_t)
-
--tunable_policy(`virt_use_fusefs',`
-- fs_manage_fusefs_dirs(virtd_t)
-- fs_manage_fusefs_files(virtd_t)
-- fs_read_fusefs_symlinks(virtd_t)
--')
++
+userdom_list_admin_dir(virtd_t)
+userdom_getattr_all_users(virtd_t)
+userdom_list_user_home_content(virtd_t)
-+userdom_read_all_users_state(virtd_t)
+ userdom_read_all_users_state(virtd_t)
+userdom_read_user_home_content_files(virtd_t)
+userdom_relabel_user_tmp_files(virtd_t)
+userdom_setattr_user_tmp_files(virtd_t)
@@ -116678,9 +116839,24 @@ index f03dcf5..6e0d11b 100644
+#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
+virt_filetrans_home_content(virtd_t)
- tunable_policy(`virt_use_nfs',`
- fs_manage_nfs_dirs(virtd_t)
-@@ -640,7 +601,7 @@ tunable_policy(`virt_use_nfs',`
+-ifdef(`hide_broken_symptoms',`
+- dontaudit virtd_t self:capability { sys_module sys_ptrace };
+-')
+-
+-tunable_policy(`virt_use_fusefs',`
+- fs_manage_fusefs_dirs(virtd_t)
+- fs_manage_fusefs_files(virtd_t)
+- fs_read_fusefs_symlinks(virtd_t)
+-')
+-
+-tunable_policy(`virt_use_nfs',`
+- fs_manage_nfs_dirs(virtd_t)
+- fs_manage_nfs_files(virtd_t)
+- fs_read_nfs_symlinks(virtd_t)
++tunable_policy(`virt_use_nfs',`
++ fs_manage_nfs_dirs(virtd_t)
++ fs_manage_nfs_files(virtd_t)
++ fs_read_nfs_symlinks(virtd_t)
')
tunable_policy(`virt_use_samba',`
@@ -116689,7 +116865,7 @@ index f03dcf5..6e0d11b 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -665,20 +626,12 @@ optional_policy(`
+@@ -665,20 +633,12 @@ optional_policy(`
')
optional_policy(`
@@ -116697,8 +116873,7 @@ index f03dcf5..6e0d11b 100644
- ')
-
- optional_policy(`
-- hal_dbus_chat(virtd_t)
-+ hal_dbus_chat(virtd_t)
+ hal_dbus_chat(virtd_t)
')
optional_policy(`
@@ -116711,7 +116886,7 @@ index f03dcf5..6e0d11b 100644
')
optional_policy(`
-@@ -691,20 +644,26 @@ optional_policy(`
+@@ -691,20 +651,26 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -116742,7 +116917,7 @@ index f03dcf5..6e0d11b 100644
')
optional_policy(`
-@@ -712,11 +671,18 @@ optional_policy(`
+@@ -712,11 +678,18 @@ optional_policy(`
')
optional_policy(`
@@ -116761,7 +116936,7 @@ index f03dcf5..6e0d11b 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
-@@ -727,10 +693,18 @@ optional_policy(`
+@@ -727,10 +700,18 @@ optional_policy(`
')
optional_policy(`
@@ -116780,7 +116955,7 @@ index f03dcf5..6e0d11b 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -746,44 +720,344 @@ optional_policy(`
+@@ -746,44 +727,350 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@@ -116893,7 +117068,7 @@ index f03dcf5..6e0d11b 100644
+manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
-
++
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
@@ -116929,7 +117104,7 @@ index f03dcf5..6e0d11b 100644
+stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t)
+
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
-+
+
+dontaudit virt_domain virt_tmpfs_type:file { read write };
+
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
@@ -117047,6 +117222,12 @@ index f03dcf5..6e0d11b 100644
+ fs_getattr_fusefs(virt_domain)
+')
+
++optional_policy(`
++ tunable_policy(`virt_use_glusterd',`
++ glusterd_manage_pid(virt_domain)
++ ')
++')
++
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virt_domain)
+ fs_manage_nfs_files(virt_domain)
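Review bot: `glusterd_manage_pid(virt_domain)` gives every guest domain, not just the one that needs GlusterFS, manage rights over glusterd's pid/run files whenever the boolean is on, and manage (if the interface follows the usual manage_*_pattern shape) includes deleting and renaming files the glusterd daemon itself relies on — a qemu escape could then knock out or confuse glusterd on the host. Wrapping the tunable in optional_policy so the policy builds without the glusterd module is right. Consider whether guests only need to create files there (a narrower create/append grant, or a filetrans into a guest-owned type under that directory) and record the reason in a comment, e.g. `# libgfapi in qemu writes files under /var/run/gluster -- confirm against the AVC`.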
@@ -117147,7 +117328,7 @@ index f03dcf5..6e0d11b 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1068,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1081,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -117174,7 +117355,7 @@ index f03dcf5..6e0d11b 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1088,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1101,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -117208,7 +117389,7 @@ index f03dcf5..6e0d11b 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1125,20 @@ optional_policy(`
+@@ -856,14 +1138,20 @@ optional_policy(`
')
optional_policy(`
@@ -117230,7 +117411,7 @@ index f03dcf5..6e0d11b 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1163,66 @@ optional_policy(`
+@@ -888,49 +1176,66 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -117315,7 +117496,7 @@ index f03dcf5..6e0d11b 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1234,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1247,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -117335,7 +117516,7 @@ index f03dcf5..6e0d11b 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1255,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1268,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -117359,7 +117540,7 @@ index f03dcf5..6e0d11b 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1280,296 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1293,296 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -117390,7 +117571,8 @@ index f03dcf5..6e0d11b 100644
+optional_policy(`
+ container_exec_lib(virtd_lxc_t)
+')
-+
+
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t)
+')
@@ -117398,8 +117580,7 @@ index f03dcf5..6e0d11b 100644
+optional_policy(`
+ setrans_manage_pid_files(virtd_lxc_t)
+')
-
--sysnet_domtrans_ifconfig(virtd_lxc_t)
++
+optional_policy(`
+ unconfined_domain(virtd_lxc_t)
+')
@@ -117611,26 +117792,26 @@ index f03dcf5..6e0d11b 100644
+ apache_read_sys_content(svirt_sandbox_domain)
+ ')
+')
++
++optional_policy(`
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++')
++
++optional_policy(`
++ ssh_use_ptys(svirt_sandbox_domain)
++')
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
-+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++ udev_read_pid_files(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
-+ ssh_use_ptys(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
-+ udev_read_pid_files(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
-+')
-+
+ ')
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(svirt_sandbox_domain)
+ fs_manage_nfs_files(svirt_sandbox_domain)
@@ -117667,16 +117848,23 @@ index f03dcf5..6e0d11b 100644
+ container_spc_stream_connect(svirt_sandbox_domain)
+ fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
+ dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)
- ')
-
++')
++
++########################################
++#
++# container_t local policy
++#
++virt_sandbox_domain_template(container)
++typealias container_t alias svirt_lxc_net_t;
++# Policy moved to container-selinux policy package
++
########################################
#
-# Lxc net local policy
+# container_t local policy
#
-+virt_sandbox_domain_template(container)
-+typealias container_t alias svirt_lxc_net_t;
-+# Policy moved to container-selinux policy package
++virt_sandbox_domain_template(svirt_qemu_net)
++typeattribute svirt_qemu_net_t sandbox_net_domain;
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
-dontaudit svirt_lxc_net_t self:capability2 block_suspend;
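Review bot: The section header kept at the `+# container_t local policy` line now sits directly above `virt_sandbox_domain_template(svirt_qemu_net)`, while the genuine container_t block with the same title was inserted just before it, so the file ends up with two sections labelled container_t and none labelled for svirt_qemu_net_t. Change the second header to `# svirt_qemu_net_t local policy` so a reader grepping for the qemu sandbox domain lands in the right place. The svirt_qemu_net_t rules continue past the end of this hunk.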
@@ -117689,19 +117877,18 @@ index f03dcf5..6e0d11b 100644
-allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
-allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
-allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
-+########################################
-+#
-+# container_t local policy
-+#
-+virt_sandbox_domain_template(svirt_qemu_net)
-+typeattribute svirt_qemu_net_t sandbox_net_domain;
-
--kernel_read_network_state(svirt_lxc_net_t)
--kernel_read_irq_sysctls(svirt_lxc_net_t)
+allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
+dontaudit svirt_qemu_net_t self:capability2 block_suspend;
+allow svirt_qemu_net_t self:process { execstack execmem };
+-kernel_read_network_state(svirt_lxc_net_t)
+-kernel_read_irq_sysctls(svirt_lxc_net_t)
++tunable_policy(`virt_sandbox_use_netlink',`
++ allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
++ allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
++ allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
++')
+
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
-corenet_tcp_sendrecv_generic_if(svirt_lxc_net_t)
@@ -117712,15 +117899,6 @@ index f03dcf5..6e0d11b 100644
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
-+tunable_policy(`virt_sandbox_use_netlink',`
-+ allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
-+ allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
-+ allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
-+')
-
--corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
--corenet_udp_bind_all_ports(svirt_lxc_net_t)
--corenet_tcp_bind_all_ports(svirt_lxc_net_t)
+manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_fifo_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
@@ -117728,52 +117906,55 @@ index f03dcf5..6e0d11b 100644
+manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file })
--corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
--corenet_tcp_connect_all_ports(svirt_lxc_net_t)
+-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
+-corenet_udp_bind_all_ports(svirt_lxc_net_t)
+-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
+term_use_generic_ptys(svirt_qemu_net_t)
+term_use_ptmx(svirt_qemu_net_t)
+-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
+-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
++dev_rw_kvm(svirt_qemu_net_t)
+
-dev_getattr_mtrr_dev(svirt_lxc_net_t)
-dev_read_rand(svirt_lxc_net_t)
-dev_read_sysfs(svirt_lxc_net_t)
-dev_read_urand(svirt_lxc_net_t)
-+dev_rw_kvm(svirt_qemu_net_t)
++manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
-files_read_kernel_modules(svirt_lxc_net_t)
-+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
++list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
++read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-fs_mount_cgroup(svirt_lxc_net_t)
-fs_manage_cgroup_dirs(svirt_lxc_net_t)
-fs_rw_cgroup_files(svirt_lxc_net_t)
-+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-
--auth_use_nsswitch(svirt_lxc_net_t)
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
--logging_send_audit_msgs(svirt_lxc_net_t)
+-auth_use_nsswitch(svirt_lxc_net_t)
+kernel_read_irq_sysctls(svirt_qemu_net_t)
--userdom_use_user_ptys(svirt_lxc_net_t)
+-logging_send_audit_msgs(svirt_lxc_net_t)
+dev_read_sysfs(svirt_qemu_net_t)
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
+dev_read_rand(svirt_qemu_net_t)
+dev_read_urand(svirt_qemu_net_t)
+-userdom_use_user_ptys(svirt_lxc_net_t)
++files_read_kernel_modules(svirt_qemu_net_t)
+
-optional_policy(`
- rpm_read_db(svirt_lxc_net_t)
-')
-+files_read_kernel_modules(svirt_qemu_net_t)
++fs_noxattr_type(container_file_t)
++fs_mount_cgroup(svirt_qemu_net_t)
++fs_manage_cgroup_dirs(svirt_qemu_net_t)
++fs_manage_cgroup_files(svirt_qemu_net_t)
-#######################################
-#
-# Prot exec local policy
-#
-+fs_noxattr_type(container_file_t)
-+fs_mount_cgroup(svirt_qemu_net_t)
-+fs_manage_cgroup_dirs(svirt_qemu_net_t)
-+fs_manage_cgroup_files(svirt_qemu_net_t)
-+
+term_pty(container_file_t)
+
+auth_use_nsswitch(svirt_qemu_net_t)
@@ -117803,7 +117984,7 @@ index f03dcf5..6e0d11b 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1582,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1595,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -117818,7 +117999,7 @@ index f03dcf5..6e0d11b 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,7 +1600,7 @@ optional_policy(`
+@@ -1192,7 +1613,7 @@ optional_policy(`
########################################
#
@@ -117827,7 +118008,7 @@ index f03dcf5..6e0d11b 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1609,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1622,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 69d7900..64a3b35 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 255%{?dist}
+Release: 256%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -689,6 +689,47 @@ exit 0
%endif
%changelog
+* Mon Jun 05 2017 Lukas Vrabec - 3.13.1-256
+- Allow keepalived domain connect to squid tcp port
+- Allow krb5kdc_t domain read realmd lib files.
+- Allow tomcat to connect on all unreserved ports
+- Allow keepalived domain connect to squid tcp port
+- Allow krb5kdc_t domain read realmd lib files.
+- Allow tomcat to connect on all unreserved ports
+- Allow ganesha to connect to all rpc ports
+- Update ganesha with few allow rules
+- Update rpc_read_nfs_state_data() interface to allow read also lnk_files.
+- virt_use_glusterd boolean should be in optional block
+- Add new boolean virt_use_glusterd
+- Add capability sys_boot for sbd_t domain Allow sbd_t domain to create rpc sysctls.
+- Allow ganesha_t domain to manage glusterd_var_run_t pid files.
+- Create new interface: glusterd_read_lib_files() Allow ganesha read glusterd lib files. Allow ganesha read network sysctls
+- Add few allow rules to ganesha module
+- Allow condor_master_t to read sysctls.
+- Add dac_override cap to ctdbd_t domain
+- Add ganesha_use_fusefs boolean.
+- Allow httpd_t reading kerberos kdc config files
+- Allow tomcat_t domain connect to ibm_dt_2 tcp port.
+- Allow stream connect to initrc_t domains
+- Add pki_exec_common_files() interface
+- Allow dnsmasq_t domain to read systemd-resolved pid files.
+- Allow tomcat domain name_bind on tcp bctp_port_t
+- Allow smbd_t domain generate debugging files under /var/run/gluster. These files are created through the libgfapi.so library that provides integration of a GlusterFS client in the Samba (vfs_glusterfs) process.
+- Allow condor_master_t write to sysctl_net_t
+- Allow nagios check disk plugin read /sys/kernel/config/
+- Allow pcp_pmie_t domain execute systemctl binary
+- Allow nagios to connect to stream sockets. Allow nagios start httpd via systemctl
+- xdm_t should view kernel keys
+- Hide broken symptoms when machine is configured with network bounding.
+- Label 8750 tcp/udp port as dey_keyneg_port_t
+- Label tcp/udp port 1792 as ibm_dt_2_port_t
+- Add interface fs_read_configfs_dirs()
+- Add interface fs_read_configfs_files()
+- Fix systemd_resolved_read_pid interface
+- Add interface systemd_resolved_read_pid()
+- Allow sshd_net_t domain read/write into crypto devices
+- Label 8999 tcp/udp as bctp_port_t
+
* Thu May 18 2017 Lukas Vrabec - 3.13.1-255
- Dontaudit net_admin capability for domains postfix_master_t and postfix_qmgr_t
- Add interface pki_manage_common_files()