diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index e5011b6..d6b7e2e 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -8272,7 +8272,7 @@ index 6529bd9..831344c 100644
+allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
allow devices_unconfined_type mtrr_device_t:file *;
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..1e738dd 100644
+index 6a1e4d1..47a42d5 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -76,33 +76,8 @@ interface(`domain_type',`
@@ -8415,7 +8415,7 @@ index 6a1e4d1..1e738dd 100644
## Unconfined access to domains.
##
##
-@@ -1530,4 +1561,27 @@ interface(`domain_unconfined',`
+@@ -1530,4 +1561,45 @@ interface(`domain_unconfined',`
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
typeattribute $1 process_uncond_exempt;
@@ -8442,9 +8442,27 @@ index 6a1e4d1..1e738dd 100644
+ ')
+
+ dontaudit $1 domain:socket_class_set { read write };
++')
++
++########################################
++##
++## Allow caller to transition to any domain
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`domain_transition_all',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ dontaudit $1 domain:process transition;
')
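Review bot: The new `domain_transition_all` interface is summarised as "Allow caller to transition to any domain", but its only rule is `dontaudit $1 domain:process transition;`, so the name and summary promise an allow that the body never grants. Either the summary should read `## Do not audit attempts by the caller to transition to any domain` and the interface carry the refpolicy dontaudit naming (e.g. `domain_dontaudit_transition_all`), or the body should be an `allow`; the parameter text `## Domain to not audit.` and the single caller added later in this patch, `domain_transition_all(unconfined_t)` in unconfineduser.te, both point to the dontaudit reading. Fixing the summary now avoids a reviewer later "correcting" the rule to an allow on the strength of the name.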
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..ff7c2ff 100644
+index cf04cb5..bcaf613 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8551,16 +8569,17 @@ index cf04cb5..ff7c2ff 100644
')
optional_policy(`
-@@ -133,6 +189,8 @@ optional_policy(`
+@@ -133,6 +189,9 @@ optional_policy(`
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
+ xserver_dontaudit_append_xdm_home_files(domain)
+ xserver_dontaudit_write_log(domain)
++ xserver_dontaudit_xdm_rw_stream_sockets(domain)
')
########################################
-@@ -147,12 +205,18 @@ optional_policy(`
+@@ -147,12 +206,18 @@ optional_policy(`
# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
@@ -8580,7 +8599,7 @@ index cf04cb5..ff7c2ff 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +230,295 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +231,295 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -18362,10 +18381,10 @@ index 0000000..cf6582f
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..9de7a1f
+index 0000000..3c3b9b3
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,330 @@
+@@ -0,0 +1,331 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -18445,6 +18464,7 @@ index 0000000..9de7a1f
+
+unconfined_domain_noaudit(unconfined_t)
+domain_named_filetrans(unconfined_t)
++domain_transition_all(unconfined_t)
+
+usermanage_run_passwd(unconfined_t, unconfined_r)
+
@@ -20187,7 +20207,7 @@ index fe0c682..225aaa7 100644
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..994eec2 100644
+index 5fc0391..3448145 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3)
@@ -20297,11 +20317,13 @@ index 5fc0391..994eec2 100644
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -107,33 +120,39 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -107,33 +120,41 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
-userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
++userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, sock_file)
++userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, dir, ".ssh")
+userdom_read_all_users_keys(ssh_t)
+userdom_stream_connect(ssh_t)
+userdom_search_admin_dir(sshd_t)
@@ -20342,7 +20364,7 @@ index 5fc0391..994eec2 100644
dev_read_urand(ssh_t)
fs_getattr_all_fs(ssh_t)
-@@ -156,38 +175,42 @@ logging_read_generic_logs(ssh_t)
+@@ -156,38 +177,42 @@ logging_read_generic_logs(ssh_t)
auth_use_nsswitch(ssh_t)
@@ -20404,7 +20426,7 @@ index 5fc0391..994eec2 100644
')
optional_policy(`
-@@ -195,6 +218,7 @@ optional_policy(`
+@@ -195,6 +220,7 @@ optional_policy(`
xserver_domtrans_xauth(ssh_t)
')
@@ -20412,7 +20434,7 @@ index 5fc0391..994eec2 100644
##############################
#
# ssh_keysign_t local policy
-@@ -206,6 +230,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+@@ -206,6 +232,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
allow ssh_keysign_t sshd_key_t:file { getattr read };
dev_read_urand(ssh_keysign_t)
@@ -20420,7 +20442,7 @@ index 5fc0391..994eec2 100644
files_read_etc_files(ssh_keysign_t)
-@@ -223,33 +248,53 @@ optional_policy(`
+@@ -223,33 +250,54 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -20447,6 +20469,7 @@ index 5fc0391..994eec2 100644
# for X forwarding
corenet_tcp_bind_xserver_port(sshd_t)
++corenet_tcp_bind_vnc_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
+auth_exec_login_program(sshd_t)
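Review bot: `corenet_tcp_bind_vnc_port(sshd_t)` is inserted directly under the `# for X forwarding` comment, which now misdescribes the line above `corenet_sendrecv_xserver_server_packets(sshd_t)`. Binding the VNC port is a separate listening capability for sshd_t, so it deserves its own one-line comment stating which use case needs it, e.g. `# sshd listens on the VNC port when it is forwarding a VNC session`. The enclosing sshd_t block continues outside this hunk.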
@@ -20483,7 +20506,7 @@ index 5fc0391..994eec2 100644
')
optional_policy(`
-@@ -257,11 +302,24 @@ optional_policy(`
+@@ -257,11 +305,24 @@ optional_policy(`
')
optional_policy(`
@@ -20509,7 +20532,7 @@ index 5fc0391..994eec2 100644
')
optional_policy(`
-@@ -269,6 +327,10 @@ optional_policy(`
+@@ -269,6 +330,10 @@ optional_policy(`
')
optional_policy(`
@@ -20520,7 +20543,7 @@ index 5fc0391..994eec2 100644
rpm_use_script_fds(sshd_t)
')
-@@ -279,13 +341,69 @@ optional_policy(`
+@@ -279,13 +344,69 @@ optional_policy(`
')
optional_policy(`
@@ -20590,7 +20613,7 @@ index 5fc0391..994eec2 100644
########################################
#
# ssh_keygen local policy
-@@ -294,19 +412,26 @@ optional_policy(`
+@@ -294,19 +415,26 @@ optional_policy(`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -20618,7 +20641,7 @@ index 5fc0391..994eec2 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -323,6 +448,12 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -323,6 +451,12 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -20631,7 +20654,7 @@ index 5fc0391..994eec2 100644
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
-@@ -331,3 +462,138 @@ optional_policy(`
+@@ -331,3 +465,138 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@@ -29942,7 +29965,7 @@ index 0e3c2a9..ea9bd57 100644
+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
+')
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index c04ac46..799d194 100644
+index c04ac46..ed59137 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@@ -30066,7 +30089,7 @@ index c04ac46..799d194 100644
unconfined_shell_domtrans(local_login_t)
')
-@@ -215,37 +211,55 @@ allow sulogin_t self:sem create_sem_perms;
+@@ -215,37 +211,56 @@ allow sulogin_t self:sem create_sem_perms;
allow sulogin_t self:msgq create_msgq_perms;
allow sulogin_t self:msg { send receive };
@@ -30088,6 +30111,7 @@ index c04ac46..799d194 100644
+auth_use_nsswitch(sulogin_t)
init_getpgid_script(sulogin_t)
++init_getpgid(sulogin_t)
logging_send_syslog_msg(sulogin_t)
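Review bot: `init_getpgid(sulogin_t)` is now called unconditionally right after `init_getpgid_script(sulogin_t)`, yet the next hunk of the same file still shows `init_getpgid(sulogin_t)` as context inside the `ifdef(`sulogin_no_pam'` branch, so the conditional call appears to become redundant. If the unconditional call is intended, the branch copy should be dropped in the same change so the two do not drift apart; if it is not, this hunk should not add it. The ifdef block starts and ends outside this hunk, so this is inferred from the visible context lines.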
@@ -30124,7 +30148,7 @@ index c04ac46..799d194 100644
init_getpgid(sulogin_t)
', `
allow sulogin_t self:process setexec;
-@@ -256,11 +270,3 @@ ifdef(`sulogin_no_pam', `
+@@ -256,11 +271,3 @@ ifdef(`sulogin_no_pam', `
selinux_compute_relabel_context(sulogin_t)
selinux_compute_user_contexts(sulogin_t)
')
@@ -31490,7 +31514,7 @@ index e8c59a5..d2df072 100644
')
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 9fe8e01..a70c055 100644
+index 9fe8e01..83acb32 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -9,11 +9,13 @@ ifdef(`distro_gentoo',`
@@ -31509,7 +31533,7 @@ index 9fe8e01..a70c055 100644
ifdef(`distro_redhat',`
/etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0)
-@@ -37,14 +39,10 @@ ifdef(`distro_redhat',`
+@@ -37,24 +39,20 @@ ifdef(`distro_redhat',`
/usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)
@@ -31521,19 +31545,25 @@ index 9fe8e01..a70c055 100644
/usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
-+/usr/share/pki/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
/usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
- /usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+-/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
/usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
-@@ -53,6 +51,7 @@ ifdef(`distro_redhat',`
- /usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
- /usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)
-
-+/usr/share/pki/ca-trust-source(/.*)? gen_context(system_u:object_r:cert_t,s0)
+ /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
+ /usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+-/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
+-/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)
+-
++/usr/share/pki/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
++/usr/share/pki/ca-trust-source(/.*)? gen_context(system_u:object_r:cert_t,s0)
/usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0)
/usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0)
++/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
++/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
++/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)
+
+ /usr/X11R6/lib/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
-@@ -77,7 +76,7 @@ ifdef(`distro_redhat',`
+@@ -77,7 +75,7 @@ ifdef(`distro_redhat',`
/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
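Review bot: The reworked inner hunk now deletes upstream's `/usr/share/X11/fonts`, `/usr/share/X11/locale` and `/usr/share/zoneinfo` entries only to re-add them verbatim after `/usr/share/ssl/private`, which for these non-overlapping patterns changes no labeling and only grows the distro patch against refpolicy. Keeping upstream's order and adding just the two `/usr/share/pki/...` cert_t lines would make the next rebase of `policy-rawhide-base.patch` smaller and the hunk easier to audit for actual context changes. If the sort is wanted, it is better sent upstream than carried in the distro patch.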
@@ -31542,7 +31572,7 @@ index 9fe8e01..a70c055 100644
/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
-@@ -90,6 +89,7 @@ ifdef(`distro_debian',`
+@@ -90,6 +88,7 @@ ifdef(`distro_debian',`
')
ifdef(`distro_redhat',`
@@ -31777,10 +31807,10 @@ index d6293de..8f8d80d 100644
#
# Base type for the tests directory.
diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
-index 9933677..b155a0d 100644
+index 9933677..ca14c17 100644
--- a/policy/modules/system/modutils.fc
+++ b/policy/modules/system/modutils.fc
-@@ -23,3 +23,13 @@ ifdef(`distro_gentoo',`
+@@ -23,3 +23,15 @@ ifdef(`distro_gentoo',`
/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
/usr/bin/kmod -- gen_context(system_u:object_r:insmod_exec_t,s0)
@@ -31794,6 +31824,8 @@ index 9933677..b155a0d 100644
+/usr/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
+
+/usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
++
++/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0)
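Review bot: The new `/var/run/tmpfiles.d/kmod.conf` context labels a path that on many current systems is reached as `/run/tmpfiles.d/kmod.conf` through the `/var/run` symlink; whether this entry matches depends on the build's path substitution for `/run`, which is not visible here. The same hunk does not label the `tmpfiles.d` directory itself, so the file context relies on the directory already carrying a type that insmod_t can write into. A short comment next to the entry naming the tool that writes the file would help the next reviewer check both assumptions.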
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 7449974..6375786 100644
--- a/policy/modules/system/modutils.if
@@ -31900,7 +31932,7 @@ index 7449974..6375786 100644
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
+')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 7a49e28..de1dcdd 100644
+index 7a49e28..82004c9 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -5,7 +5,7 @@ policy_module(modutils, 1.13.3)
@@ -31912,13 +31944,16 @@ index 7a49e28..de1dcdd 100644
type depmod_t;
type depmod_exec_t;
-@@ -16,11 +16,12 @@ type insmod_t;
+@@ -16,11 +16,15 @@ type insmod_t;
type insmod_exec_t;
application_domain(insmod_t, insmod_exec_t)
mls_file_write_all_levels(insmod_t)
+mls_process_write_down(insmod_t)
role system_r types insmod_t;
++type insmod_var_run_t;
++files_pid_file(insmod_var_run_t)
++
# module loading config
type modules_conf_t;
-files_type(modules_conf_t)
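Review bot: `type insmod_var_run_t;` is added between `role system_r types insmod_t;` and the `# module loading config` block without the descriptive comment every other type in this file carries. Mirroring the local style, `# runtime files insmod writes under /var/run (see modutils.fc)` above the declaration would record why a dedicated pid type exists instead of reusing a generic one. The declaration block itself is otherwise consistent with the fc entry added later in this patch.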
@@ -31926,7 +31961,7 @@ index 7a49e28..de1dcdd 100644
# module dependencies
type modules_dep_t;
-@@ -29,12 +30,16 @@ files_type(modules_dep_t)
+@@ -29,12 +33,16 @@ files_type(modules_dep_t)
type update_modules_t;
type update_modules_exec_t;
init_system_domain(update_modules_t, update_modules_exec_t)
@@ -31945,7 +31980,7 @@ index 7a49e28..de1dcdd 100644
########################################
#
# depmod local policy
-@@ -54,12 +59,15 @@ corecmd_search_bin(depmod_t)
+@@ -54,12 +62,15 @@ corecmd_search_bin(depmod_t)
domain_use_interactive_fds(depmod_t)
@@ -31961,7 +31996,7 @@ index 7a49e28..de1dcdd 100644
fs_getattr_xattr_fs(depmod_t)
-@@ -69,10 +77,12 @@ init_use_fds(depmod_t)
+@@ -69,10 +80,12 @@ init_use_fds(depmod_t)
init_use_script_fds(depmod_t)
init_use_script_ptys(depmod_t)
@@ -31975,7 +32010,7 @@ index 7a49e28..de1dcdd 100644
ifdef(`distro_ubuntu',`
optional_policy(`
-@@ -80,12 +90,8 @@ ifdef(`distro_ubuntu',`
+@@ -80,12 +93,8 @@ ifdef(`distro_ubuntu',`
')
')
@@ -31990,7 +32025,7 @@ index 7a49e28..de1dcdd 100644
')
optional_policy(`
-@@ -94,7 +100,6 @@ optional_policy(`
+@@ -94,7 +103,6 @@ optional_policy(`
')
optional_policy(`
@@ -31998,7 +32033,7 @@ index 7a49e28..de1dcdd 100644
unconfined_domain(depmod_t)
')
-@@ -103,11 +108,12 @@ optional_policy(`
+@@ -103,11 +111,12 @@ optional_policy(`
# insmod local policy
#
@@ -32012,8 +32047,14 @@ index 7a49e28..de1dcdd 100644
# Read module config and dependency information
list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
-@@ -117,14 +123,18 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
+@@ -115,16 +124,24 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
+ list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
+ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
++manage_dirs_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t)
++manage_files_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t)
++files_pid_filetrans(insmod_t, insmod_var_run_t, {dir file })
++
can_exec(insmod_t, insmod_exec_t)
+manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t)
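Review bot: `files_pid_filetrans(insmod_t, insmod_var_run_t, {dir file })` is an unnamed transition, so every directory or file insmod_t creates directly in the pid directory becomes insmod_var_run_t, while the fc entry added in this patch covers only `/var/run/tmpfiles.d/kmod.conf`. If the directory is created by insmod_t it would be labelled insmod_var_run_t at runtime but relabelled differently on restorecon; a named transition for the file, `files_pid_filetrans(insmod_t, insmod_var_run_t, file, "kmod.conf")`, keeps the two consistent, assuming the interface accepts a name argument as the other `*_filetrans` calls on this page do. The brace spacing `{dir file }` also differs from the `{ file dir }` form used elsewhere in this patch.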
@@ -32032,7 +32073,7 @@ index 7a49e28..de1dcdd 100644
# Rules for /proc/sys/kernel/tainted
kernel_read_kernel_sysctls(insmod_t)
kernel_rw_kernel_sysctl(insmod_t)
-@@ -142,6 +152,7 @@ dev_rw_agp(insmod_t)
+@@ -142,6 +159,7 @@ dev_rw_agp(insmod_t)
dev_read_sound(insmod_t)
dev_write_sound(insmod_t)
dev_rw_apm_bios(insmod_t)
@@ -32040,7 +32081,7 @@ index 7a49e28..de1dcdd 100644
domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
-@@ -151,30 +162,38 @@ files_read_etc_runtime_files(insmod_t)
+@@ -151,30 +169,38 @@ files_read_etc_runtime_files(insmod_t)
files_read_etc_files(insmod_t)
files_read_usr_files(insmod_t)
files_exec_etc_files(insmod_t)
@@ -32083,7 +32124,7 @@ index 7a49e28..de1dcdd 100644
userdom_dontaudit_search_user_home_dirs(insmod_t)
kernel_domtrans_to(insmod_t, insmod_exec_t)
-@@ -184,28 +203,33 @@ optional_policy(`
+@@ -184,28 +210,33 @@ optional_policy(`
')
optional_policy(`
@@ -32107,24 +32148,24 @@ index 7a49e28..de1dcdd 100644
optional_policy(`
- mount_domtrans(insmod_t)
+ hal_write_log(insmod_t)
++')
++
++optional_policy(`
++ hotplug_search_config(insmod_t)
')
optional_policy(`
- nis_use_ypbind(insmod_t)
-+ hotplug_search_config(insmod_t)
++ kdump_manage_kdumpctl_tmp_files(insmod_t)
')
optional_policy(`
- nscd_use(insmod_t)
-+ kdump_manage_kdumpctl_tmp_files(insmod_t)
-+')
-+
-+optional_policy(`
+ mount_domtrans(insmod_t)
')
optional_policy(`
-@@ -225,6 +249,7 @@ optional_policy(`
+@@ -225,6 +256,7 @@ optional_policy(`
optional_policy(`
rpm_rw_pipes(insmod_t)
@@ -32132,7 +32173,7 @@ index 7a49e28..de1dcdd 100644
')
optional_policy(`
-@@ -233,6 +258,10 @@ optional_policy(`
+@@ -233,6 +265,10 @@ optional_policy(`
')
optional_policy(`
@@ -32143,7 +32184,7 @@ index 7a49e28..de1dcdd 100644
# cjp: why is this needed:
dev_rw_xserver_misc(insmod_t)
-@@ -291,11 +320,10 @@ init_use_script_ptys(update_modules_t)
+@@ -291,11 +327,10 @@ init_use_script_ptys(update_modules_t)
logging_send_syslog_msg(update_modules_t)
@@ -36528,7 +36569,7 @@ index 0000000..1a254f8
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..13712f9
+index 0000000..6379489
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,661 @@
@@ -36821,8 +36862,8 @@ index 0000000..13712f9
+dev_relabel_all_sysfs(systemd_tmpfiles_t)
+dev_relabel_cpu_online(systemd_tmpfiles_t)
+dev_read_cpu_online(systemd_tmpfiles_t)
-+dev_manage_printer(systemd_tmpfiles_t)
-+dev_relabel_printer(systemd_tmpfiles_t)
++dev_manage_all_dev_nodes(systemd_tmpfiles_t)
++dev_relabel_all_dev_nodes(systemd_tmpfiles_t)
+
+domain_obj_id_change_exemption(systemd_tmpfiles_t)
+
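Review bot: Replacing `dev_manage_printer`/`dev_relabel_printer` with `dev_manage_all_dev_nodes`/`dev_relabel_all_dev_nodes` moves systemd_tmpfiles_t from one device class to create/delete/relabel rights over every device node type, and the hunk carries no comment saying which tmpfiles.d entries require that breadth. A one-line justification above the pair, naming the device types that were being denied, would let a later reviewer decide whether narrower `dev_manage_*`/`dev_relabel_*` interfaces suffice. Without it the widening is hard to distinguish from a catch-all fix for a single denial.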
@@ -38573,7 +38614,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..33a39dc 100644
+index 3c5dba7..89012c2 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -41257,7 +41298,7 @@ index 3c5dba7..33a39dc 100644
## Create keys for all user domains.
##
##
-@@ -3438,4 +4214,1455 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3438,4 +4214,1454 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@@ -42618,9 +42659,8 @@ index 3c5dba7..33a39dc 100644
+ gen_require(`
+ attribute userdom_home_manager_type;
+ ')
-+ typeattribute $1 userdom_home_manager_type;
+
-+ userdom_filetrans_home_content($1)
++ typeattribute $1 userdom_home_manager_type;
+')
+
+########################################
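Review bot: Dropping `userdom_filetrans_home_content($1)` from this interface removes the home-content file transitions that every caller obtained through it, leaving only the `typeattribute $1 userdom_home_manager_type;` assignment. Unless rules attached to `userdom_home_manager_type` elsewhere provide the same transitions, existing callers will now create home content with the parent directory's label; the interface's name and its callers are outside this hunk, so that needs checking against the rest of userdomain.if. If the attribute is meant to carry the transitions, a comment such as `# file transitions for home content come from the userdom_home_manager_type attribute` would make that explicit.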
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 9800f7e..1ab902e 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -2577,10 +2577,10 @@ index 0000000..df5b3be
+')
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
-index 0000000..badbc17
+index 0000000..0c9dc73
--- /dev/null
+++ b/antivirus.te
-@@ -0,0 +1,256 @@
+@@ -0,0 +1,257 @@
+policy_module(antivirus, 1.0.0)
+
+########################################
@@ -2757,7 +2757,8 @@ index 0000000..badbc17
+
+tunable_policy(`antivirus_can_scan_system',`
+ files_read_non_security_files(antivirus_domain)
-+ files_dontaudit_read_all_non_security_files(antivirus_domain)
++ #files_dontaudit_read_all_non_security_files(antivirus_domain)
++ files_dontaudit_read_security_files(antivirus_domain)
+ files_getattr_all_pipes(antivirus_domain)
+ files_getattr_all_sockets(antivirus_domain)
+ dev_getattr_all_blk_files(antivirus_domain)
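Review bot: The line `#files_dontaudit_read_all_non_security_files(antivirus_domain)` is left commented out inside the `antivirus_can_scan_system` tunable rather than deleted; commented-out policy accumulates in patch files and the commit history already preserves it. The replacement `files_dontaudit_read_security_files(antivirus_domain)` also silences denials on security-labelled files for the scanner, which is defensible for a full-system scan but worth a comment, e.g. `# scanning the whole filesystem touches security files; suppress the noise`, so the suppression is recognised as deliberate when the audit log is examined. The tunable block starts outside this hunk.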
@@ -9351,7 +9352,7 @@ index 1b22262..bf0cefa 100644
+ ')
')
diff --git a/bugzilla.te b/bugzilla.te
-index 41f8251..464107b 100644
+index 41f8251..57f094e 100644
--- a/bugzilla.te
+++ b/bugzilla.te
@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.0.4)
@@ -9372,7 +9373,7 @@ index 41f8251..464107b 100644
corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
-@@ -27,11 +29,19 @@ corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
+@@ -27,11 +29,21 @@ corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t)
@@ -9385,6 +9386,8 @@ index 41f8251..464107b 100644
-sysnet_dns_name_resolve(httpd_bugzilla_script_t)
+auth_read_passwd(httpd_bugzilla_script_t)
+
++dev_read_sysfs(httpd_bugzilla_script_t)
++
+sysnet_read_config(httpd_bugzilla_script_t)
sysnet_use_ldap(httpd_bugzilla_script_t)
@@ -13077,7 +13080,7 @@ index 3fe3cb8..b8e08c6 100644
+ ')
')
diff --git a/condor.te b/condor.te
-index 3f2b672..c0501e0 100644
+index 3f2b672..8dee63d 100644
--- a/condor.te
+++ b/condor.te
@@ -46,6 +46,9 @@ files_lock_file(condor_var_lock_t)
@@ -13090,7 +13093,7 @@ index 3f2b672..c0501e0 100644
condor_domain_template(collector)
condor_domain_template(negotiator)
condor_domain_template(procd)
-@@ -57,10 +60,14 @@ condor_domain_template(startd)
+@@ -57,10 +60,15 @@ condor_domain_template(startd)
# Global local policy
#
@@ -13104,15 +13107,11 @@ index 3f2b672..c0501e0 100644
+allow condor_domain self:tcp_socket create_stream_socket_perms;
+allow condor_domain self:udp_socket create_socket_perms;
+allow condor_domain self:unix_stream_socket create_stream_socket_perms;
++allow condor_domain self:netlink_route_socket r_netlink_socket_perms;
manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
append_files_pattern(condor_domain, condor_log_t, condor_log_t)
-@@ -86,13 +93,10 @@ allow condor_domain condor_master_t:tcp_socket getattr;
-
- kernel_read_kernel_sysctls(condor_domain)
- kernel_read_network_state(condor_domain)
--kernel_read_system_state(condor_domain)
-
+@@ -91,8 +99,6 @@ kernel_read_system_state(condor_domain)
corecmd_exec_bin(condor_domain)
corecmd_exec_shell(condor_domain)
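Review bot: The inner hunk previously removed upstream's `kernel_read_system_state(condor_domain)`, and the rewritten header `@@ -91,8 +99,6 @@ kernel_read_system_state(condor_domain)` now leaves that line in place, so the patch silently restores the permission for every condor domain. Nothing in the commit explains the reversal; if it is intentional, a note in the patch description or a comment in condor.te would prevent the line from being dropped again on the next rebase. This is inferred from the header change alone, as the line itself is no longer part of the hunk.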
@@ -13121,7 +13120,7 @@ index 3f2b672..c0501e0 100644
corenet_tcp_sendrecv_generic_if(condor_domain)
corenet_tcp_sendrecv_generic_node(condor_domain)
-@@ -106,9 +110,7 @@ dev_read_rand(condor_domain)
+@@ -106,9 +112,7 @@ dev_read_rand(condor_domain)
dev_read_sysfs(condor_domain)
dev_read_urand(condor_domain)
@@ -13132,7 +13131,7 @@ index 3f2b672..c0501e0 100644
tunable_policy(`condor_tcp_network_connect',`
corenet_sendrecv_all_client_packets(condor_domain)
-@@ -125,7 +127,7 @@ optional_policy(`
+@@ -125,7 +129,7 @@ optional_policy(`
# Master local policy
#
@@ -13141,7 +13140,7 @@ index 3f2b672..c0501e0 100644
allow condor_master_t condor_domain:process { sigkill signal };
-@@ -133,6 +135,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+@@ -133,6 +137,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
@@ -13152,7 +13151,7 @@ index 3f2b672..c0501e0 100644
corenet_udp_sendrecv_generic_if(condor_master_t)
corenet_udp_sendrecv_generic_node(condor_master_t)
corenet_tcp_bind_generic_node(condor_master_t)
-@@ -150,7 +156,7 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t)
+@@ -150,7 +158,7 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t)
domain_read_all_domains_state(condor_master_t)
@@ -13161,7 +13160,7 @@ index 3f2b672..c0501e0 100644
optional_policy(`
mta_send_mail(condor_master_t)
-@@ -169,6 +175,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
+@@ -169,6 +177,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
kernel_read_network_state(condor_collector_t)
@@ -13170,7 +13169,7 @@ index 3f2b672..c0501e0 100644
#####################################
#
# Negotiator local policy
-@@ -178,6 +186,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
+@@ -178,6 +188,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_negotiator_t condor_master_t:udp_socket getattr;
@@ -13179,7 +13178,7 @@ index 3f2b672..c0501e0 100644
######################################
#
# Procd local policy
-@@ -201,6 +211,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
+@@ -201,6 +213,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
@@ -13188,7 +13187,7 @@ index 3f2b672..c0501e0 100644
domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
-@@ -209,6 +221,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+@@ -209,6 +223,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
@@ -13197,7 +13196,7 @@ index 3f2b672..c0501e0 100644
#####################################
#
# Startd local policy
-@@ -233,11 +247,10 @@ domain_read_all_domains_state(condor_startd_t)
+@@ -233,11 +249,10 @@ domain_read_all_domains_state(condor_startd_t)
mcs_process_set_categories(condor_startd_t)
init_domtrans_script(condor_startd_t)
@@ -13210,7 +13209,7 @@ index 3f2b672..c0501e0 100644
optional_policy(`
ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
ssh_domtrans(condor_startd_t)
-@@ -249,3 +262,7 @@ optional_policy(`
+@@ -249,3 +264,7 @@ optional_policy(`
kerberos_use(condor_startd_ssh_t)
')
')
@@ -15273,7 +15272,7 @@ index 1303b30..058864e 100644
+ logging_log_filetrans($1, cron_log_t, $2, $3)
')
diff --git a/cron.te b/cron.te
-index 28e1b86..0c0f4f2 100644
+index 28e1b86..bf91ba9 100644
--- a/cron.te
+++ b/cron.te
@@ -1,4 +1,4 @@
@@ -15888,7 +15887,7 @@ index 28e1b86..0c0f4f2 100644
init_domtrans_script(system_cronjob_t)
auth_use_nsswitch(system_cronjob_t)
-@@ -511,20 +489,23 @@ logging_read_generic_logs(system_cronjob_t)
+@@ -511,20 +489,26 @@ logging_read_generic_logs(system_cronjob_t)
logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
@@ -15896,6 +15895,9 @@ index 28e1b86..0c0f4f2 100644
-
seutil_read_config(system_cronjob_t)
++userdom_manage_tmpfs_files(system_cronjob_t, file)
++userdom_tmpfs_filetrans(system_cronjob_t, file)
++
ifdef(`distro_redhat',`
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ allow crond_t system_cron_spool_t:file manage_file_perms;
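Review bot: `userdom_manage_tmpfs_files(system_cronjob_t, file)` and `userdom_tmpfs_filetrans(system_cronjob_t, file)` give system cron jobs write access to user tmpfs content unconditionally, placed just before the `ifdef(`distro_redhat'` block rather than inside a tunable or optional block. Since this crosses from the system cron domain into user-owned data, a comment naming the job that needs it would help later reviewers decide whether a tunable should gate it. The enclosing system_cronjob_t policy continues outside this hunk.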
@@ -15915,7 +15917,7 @@ index 28e1b86..0c0f4f2 100644
selinux_validate_context(system_cronjob_t)
selinux_compute_access_vector(system_cronjob_t)
selinux_compute_create_context(system_cronjob_t)
-@@ -534,10 +515,17 @@ tunable_policy(`cron_can_relabel',`
+@@ -534,10 +518,17 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
@@ -15933,7 +15935,7 @@ index 28e1b86..0c0f4f2 100644
')
optional_policy(`
-@@ -546,10 +534,6 @@ optional_policy(`
+@@ -546,10 +537,6 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(system_cronjob_t)
@@ -15944,7 +15946,7 @@ index 28e1b86..0c0f4f2 100644
')
optional_policy(`
-@@ -581,6 +565,7 @@ optional_policy(`
+@@ -581,6 +568,7 @@ optional_policy(`
optional_policy(`
mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t)
@@ -15952,7 +15954,7 @@ index 28e1b86..0c0f4f2 100644
')
optional_policy(`
-@@ -588,15 +573,19 @@ optional_policy(`
+@@ -588,15 +576,19 @@ optional_policy(`
')
optional_policy(`
@@ -15974,7 +15976,7 @@ index 28e1b86..0c0f4f2 100644
')
optional_policy(`
-@@ -606,6 +595,7 @@ optional_policy(`
+@@ -606,6 +598,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -15982,7 +15984,7 @@ index 28e1b86..0c0f4f2 100644
')
optional_policy(`
-@@ -613,12 +603,24 @@ optional_policy(`
+@@ -613,12 +606,24 @@ optional_policy(`
')
optional_policy(`
@@ -16009,7 +16011,7 @@ index 28e1b86..0c0f4f2 100644
#
allow cronjob_t self:process { signal_perms setsched };
-@@ -626,12 +628,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -626,12 +631,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
@@ -16043,7 +16045,7 @@ index 28e1b86..0c0f4f2 100644
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -639,84 +661,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -639,84 +664,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -21640,7 +21642,7 @@ index dbcac59..66d42bb 100644
+ admin_pattern($1, dovecot_passwd_t)
')
diff --git a/dovecot.te b/dovecot.te
-index a7bfaf0..fe94a6c 100644
+index a7bfaf0..4ebb0ad 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -1,4 +1,4 @@
@@ -21893,7 +21895,7 @@ index a7bfaf0..fe94a6c 100644
sendmail_domtrans(dovecot_t)
')
-@@ -221,46 +213,61 @@ optional_policy(`
+@@ -221,46 +213,63 @@ optional_policy(`
########################################
#
@@ -21942,14 +21944,16 @@ index a7bfaf0..fe94a6c 100644
+files_read_usr_symlinks(dovecot_auth_t)
+files_read_var_lib_files(dovecot_auth_t)
+files_search_tmp(dovecot_auth_t)
-+
-+fs_getattr_xattr_fs(dovecot_auth_t)
-seutil_dontaudit_search_config(dovecot_auth_t)
++fs_getattr_xattr_fs(dovecot_auth_t)
++
+init_rw_utmp(dovecot_auth_t)
sysnet_use_ldap(dovecot_auth_t)
++userdom_getattr_user_home_dirs(dovecot_auth_t)
++
optional_policy(`
+ kerberos_use(dovecot_auth_t)
+
@@ -21964,7 +21968,7 @@ index a7bfaf0..fe94a6c 100644
mysql_stream_connect(dovecot_auth_t)
mysql_read_config(dovecot_auth_t)
mysql_tcp_connect(dovecot_auth_t)
-@@ -271,15 +278,30 @@ optional_policy(`
+@@ -271,15 +280,30 @@ optional_policy(`
')
optional_policy(`
@@ -21996,7 +22000,7 @@ index a7bfaf0..fe94a6c 100644
allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
-@@ -289,35 +311,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
+@@ -289,35 +313,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
@@ -22056,7 +22060,7 @@ index a7bfaf0..fe94a6c 100644
mta_read_queue(dovecot_deliver_t)
')
-@@ -326,5 +355,6 @@ optional_policy(`
+@@ -326,5 +357,6 @@ optional_policy(`
')
optional_policy(`
@@ -25467,10 +25471,10 @@ index e39de43..5818f74 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index d03fd43..26023f7 100644
+index d03fd43..567f963 100644
--- a/gnome.if
+++ b/gnome.if
-@@ -1,123 +1,154 @@
+@@ -1,123 +1,155 @@
-## GNU network object model environment.
+## GNU network object model environment (GNOME)
@@ -25661,6 +25665,7 @@ index d03fd43..26023f7 100644
+
+ optional_policy(`
+ telepathy_mission_control_read_state($1_gkeyringd_t)
++ telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t)
+ ')
+ ')
+')
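Review bot: `telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t)` omits the spaces after commas that the rest of gnome.if uses, e.g. `telepathy_mission_control_read_state($1_gkeyringd_t)` one line above and the `manage_*_pattern` calls elsewhere in this patch; `telepathy_gabble_stream_connect_to($1_gkeyringd_t, gkeyringd_tmp_t, gkeyringd_tmp_t)` matches the file. The template's `gen_require` that must declare `gkeyringd_tmp_t` lies outside this hunk, so whether the type is already required there cannot be confirmed from the visible lines.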
@@ -25702,7 +25707,7 @@ index d03fd43..26023f7 100644
##
##
##
-@@ -125,18 +156,18 @@ template(`gnome_role_template',`
+@@ -125,18 +157,18 @@ template(`gnome_role_template',`
##
##
#
@@ -25726,7 +25731,7 @@ index d03fd43..26023f7 100644
##
##
##
-@@ -144,119 +175,114 @@ interface(`gnome_exec_gconf',`
+@@ -144,119 +176,114 @@ interface(`gnome_exec_gconf',`
##
##
#
@@ -25883,7 +25888,7 @@ index d03fd43..26023f7 100644
##
##
##
-@@ -264,15 +290,21 @@ interface(`gnome_create_generic_home_dirs',`
+@@ -264,15 +291,21 @@ interface(`gnome_create_generic_home_dirs',`
##
##
#
@@ -25910,7 +25915,7 @@ index d03fd43..26023f7 100644
##
##
##
-@@ -280,57 +312,89 @@ interface(`gnome_setattr_config_dirs',`
+@@ -280,57 +313,89 @@ interface(`gnome_setattr_config_dirs',`
##
##
#
@@ -26018,7 +26023,7 @@ index d03fd43..26023f7 100644
##
##
##
-@@ -338,15 +402,18 @@ interface(`gnome_read_generic_home_content',`
+@@ -338,15 +403,18 @@ interface(`gnome_read_generic_home_content',`
##
##
#
@@ -26042,7 +26047,7 @@ index d03fd43..26023f7 100644
##
##
##
-@@ -354,22 +421,18 @@ interface(`gnome_manage_config',`
+@@ -354,22 +422,18 @@ interface(`gnome_manage_config',`
##
##
#
@@ -26070,7 +26075,7 @@ index d03fd43..26023f7 100644
##
##
##
-@@ -377,53 +440,37 @@ interface(`gnome_manage_generic_home_content',`
+@@ -377,53 +441,37 @@ interface(`gnome_manage_generic_home_content',`
##
##
#
@@ -26132,7 +26137,7 @@ index d03fd43..26023f7 100644
##
##
##
-@@ -431,17 +478,18 @@ interface(`gnome_home_filetrans',`
+@@ -431,17 +479,18 @@ interface(`gnome_home_filetrans',`
##
##
#
@@ -26155,7 +26160,7 @@ index d03fd43..26023f7 100644
##
##
##
-@@ -449,23 +497,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
+@@ -449,23 +498,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
##
##
#
@@ -26183,7 +26188,7 @@ index d03fd43..26023f7 100644
##
##
##
-@@ -473,82 +516,72 @@ interface(`gnome_read_generic_gconf_home_content',`
+@@ -473,82 +517,72 @@ interface(`gnome_read_generic_gconf_home_content',`
##
##
#
@@ -26289,7 +26294,7 @@ index d03fd43..26023f7 100644
##
##
##
-@@ -557,52 +590,76 @@ interface(`gnome_home_filetrans_gconf_home',`
+@@ -557,52 +591,76 @@ interface(`gnome_home_filetrans_gconf_home',`
##
##
#
@@ -26387,7 +26392,7 @@ index d03fd43..26023f7 100644
##
##
##
-@@ -610,93 +667,126 @@ interface(`gnome_gconf_home_filetrans',`
+@@ -610,93 +668,126 @@ interface(`gnome_gconf_home_filetrans',`
##
##
#
@@ -26548,7 +26553,7 @@ index d03fd43..26023f7 100644
##
##
##
-@@ -704,12 +794,811 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -704,12 +795,811 @@ interface(`gnome_stream_connect_gkeyringd',`
##
##
#
@@ -36792,14 +36797,15 @@ index 4926208..293e577 100644
-miscfiles_read_localization(memcached_t)
diff --git a/milter.fc b/milter.fc
-index 89409eb..64ac6f0 100644
+index 89409eb..67e42f6 100644
--- a/milter.fc
+++ b/milter.fc
-@@ -1,18 +1,26 @@
+@@ -1,18 +1,29 @@
+/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
++/usr/sbin/opendmarc -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
-/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
-/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
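Review bot: The new opendmarc entries label the daemon as dkim_milter_exec_t and its runtime and spool directories as dkim_milter_data_t (here and in the two hunks that follow), so OpenDMARC runs in the same domain as OpenDKIM instead of its own. If the dkim_milter domain can read dkim_milter_private_key_t, the key directory labelled in this same hunk, then OpenDMARC, which verifies rather than signs, inherits access to the DKIM signing keys. A dedicated dmarc_milter domain, or at least a comment in milter.fc stating that sharing the domain is intentional, would make that trust boundary explicit.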
@@ -36817,6 +36823,7 @@ index 89409eb..64ac6f0 100644
-/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
++/var/run/opendmarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
-/var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
@@ -36832,6 +36839,7 @@ index 89409eb..64ac6f0 100644
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
/var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
++/var/spool/opendmarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/milter.if b/milter.if
index cba62db..562833a 100644
--- a/milter.if
@@ -38109,7 +38117,7 @@ index 6ffaba2..154cade 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index 6194b80..97e35b2 100644
+index 6194b80..35b2b47 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@@ -38276,10 +38284,10 @@ index 6194b80..97e35b2 100644
- allow $2 mozilla_plugin_rw_t:dir list_dir_perms;
- allow $2 mozilla_plugin_rw_t:file read_file_perms;
- allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
--
-- can_exec($2, mozilla_plugin_rw_t)
+ mozilla_filetrans_home_content($2)
+- can_exec($2, mozilla_plugin_rw_t)
+-
- optional_policy(`
- mozilla_dbus_chat_plugin($2)
- ')
@@ -38425,7 +38433,7 @@ index 6194b80..97e35b2 100644
')
########################################
-@@ -303,102 +195,99 @@ interface(`mozilla_domtrans',`
+@@ -303,102 +195,103 @@ interface(`mozilla_domtrans',`
type mozilla_t, mozilla_exec_t;
')
@@ -38513,8 +38521,8 @@ index 6194b80..97e35b2 100644
mozilla_domtrans_plugin($1)
roleattribute $2 mozilla_plugin_roles;
+-')
+ roleattribute $2 mozilla_plugin_config_roles;
- ')
-########################################
-##
@@ -38530,12 +38538,14 @@ index 6194b80..97e35b2 100644
-interface(`mozilla_domtrans_plugin_config',`
- gen_require(`
- type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
-- ')
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 mozilla_plugin_t:process ptrace;
+ ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
--')
--
+ ')
+
-########################################
+#######################################
##
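Review bot: The added `tunable_policy(`deny_ptrace`,`',` … `')` block grants $1 ptrace over mozilla_plugin_t whenever the deny_ptrace boolean is off, and ptrace is a much broader right than the domtrans/roleattribute rules around it. The interface's XML description (outside this hunk) should state that the caller's domain gains ptrace over the plugin domain unless deny_ptrace is set, so policy readers can see the boolean is the only thing gating it. The enclosing interface begins outside this hunk, so I could not confirm that the surrounding `')` shuffling leaves the brace structure balanced; worth a checkpolicy build.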
@@ -38576,7 +38586,7 @@ index 6194b80..97e35b2 100644
')
########################################
-@@ -424,8 +313,7 @@ interface(`mozilla_dbus_chat',`
+@@ -424,8 +317,7 @@ interface(`mozilla_dbus_chat',`
########################################
##
@@ -38586,7 +38596,7 @@ index 6194b80..97e35b2 100644
##
##
##
-@@ -433,76 +321,108 @@ interface(`mozilla_dbus_chat',`
+@@ -433,76 +325,108 @@ interface(`mozilla_dbus_chat',`
##
##
#
@@ -38724,7 +38734,7 @@ index 6194b80..97e35b2 100644
##
##
##
-@@ -510,19 +430,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
+@@ -510,19 +434,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
##
##
#
@@ -38749,7 +38759,7 @@ index 6194b80..97e35b2 100644
##
##
##
-@@ -530,45 +449,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +453,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
##
##
#
@@ -44895,7 +44905,7 @@ index 0e8508c..0b68b86 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..c71f8e5 100644
+index 0b48a30..2de59df 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -1,4 +1,4 @@
@@ -44926,7 +44936,7 @@ index 0b48a30..c71f8e5 100644
type NetworkManager_log_t;
logging_log_file(NetworkManager_log_t)
-@@ -39,24 +42,42 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -39,25 +42,44 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
# Local policy
#
@@ -44971,14 +44981,16 @@ index 0b48a30..c71f8e5 100644
+can_exec(NetworkManager_t, NetworkManager_exec_t)
+#wicd
+can_exec(NetworkManager_t, wpa_cli_exec_t)
-+
+
+list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
-
++
++read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
-@@ -68,6 +89,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
+ filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
+@@ -68,6 +90,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
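Review bot: The new `filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })` is an unnamed transition, so every directory or file NetworkManager_t creates under NetworkManager_etc_t is labelled writable, not only the state it is expected to manage. If the writable content is a known set of names, the filename form already used elsewhere in this file (`logging_log_filetrans(…, "wpa_supplicant.log")` above) keeps the rest of the etc tree read-only; if it really is arbitrary, a one-line comment above the rule saying why would help. The enclosing hunk is complete but the rule set for NetworkManager_etc_rw_t continues past it.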
@@ -44986,7 +44998,7 @@ index 0b48a30..c71f8e5 100644
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -81,9 +103,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
+@@ -81,9 +104,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
@@ -44996,7 +45008,7 @@ index 0b48a30..c71f8e5 100644
kernel_read_system_state(NetworkManager_t)
kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
-@@ -91,7 +110,6 @@ kernel_request_load_module(NetworkManager_t)
+@@ -91,7 +111,6 @@ kernel_request_load_module(NetworkManager_t)
kernel_read_debugfs(NetworkManager_t)
kernel_rw_net_sysctls(NetworkManager_t)
@@ -45004,7 +45016,7 @@ index 0b48a30..c71f8e5 100644
corenet_all_recvfrom_netlabel(NetworkManager_t)
corenet_tcp_sendrecv_generic_if(NetworkManager_t)
corenet_udp_sendrecv_generic_if(NetworkManager_t)
-@@ -102,22 +120,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
+@@ -102,22 +121,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
corenet_tcp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_bind_generic_node(NetworkManager_t)
@@ -45030,7 +45042,7 @@ index 0b48a30..c71f8e5 100644
dev_rw_sysfs(NetworkManager_t)
dev_read_rand(NetworkManager_t)
dev_read_urand(NetworkManager_t)
-@@ -125,13 +136,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+@@ -125,13 +137,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
dev_getattr_all_chr_files(NetworkManager_t)
dev_rw_wireless(NetworkManager_t)
@@ -45044,7 +45056,7 @@ index 0b48a30..c71f8e5 100644
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
fs_list_inotifyfs(NetworkManager_t)
-@@ -140,6 +144,17 @@ mls_file_read_all_levels(NetworkManager_t)
+@@ -140,6 +145,17 @@ mls_file_read_all_levels(NetworkManager_t)
selinux_dontaudit_search_fs(NetworkManager_t)
@@ -45062,7 +45074,7 @@ index 0b48a30..c71f8e5 100644
storage_getattr_fixed_disk_dev(NetworkManager_t)
init_read_utmp(NetworkManager_t)
-@@ -148,10 +163,11 @@ init_domtrans_script(NetworkManager_t)
+@@ -148,10 +164,11 @@ init_domtrans_script(NetworkManager_t)
auth_use_nsswitch(NetworkManager_t)
@@ -45075,7 +45087,7 @@ index 0b48a30..c71f8e5 100644
seutil_read_config(NetworkManager_t)
-@@ -166,21 +182,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +183,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
sysnet_read_dhcpc_state(NetworkManager_t)
sysnet_delete_dhcpc_state(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
@@ -45112,7 +45124,7 @@ index 0b48a30..c71f8e5 100644
')
optional_policy(`
-@@ -196,10 +223,6 @@ optional_policy(`
+@@ -196,10 +224,6 @@ optional_policy(`
')
optional_policy(`
@@ -45123,7 +45135,7 @@ index 0b48a30..c71f8e5 100644
consoletype_exec(NetworkManager_t)
')
-@@ -210,16 +233,11 @@ optional_policy(`
+@@ -210,16 +234,11 @@ optional_policy(`
optional_policy(`
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -45142,7 +45154,7 @@ index 0b48a30..c71f8e5 100644
')
')
-@@ -231,18 +249,19 @@ optional_policy(`
+@@ -231,18 +250,19 @@ optional_policy(`
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
@@ -45165,7 +45177,7 @@ index 0b48a30..c71f8e5 100644
')
optional_policy(`
-@@ -250,6 +269,10 @@ optional_policy(`
+@@ -250,6 +270,10 @@ optional_policy(`
ipsec_kill_mgmt(NetworkManager_t)
ipsec_signal_mgmt(NetworkManager_t)
ipsec_signull_mgmt(NetworkManager_t)
@@ -45176,7 +45188,7 @@ index 0b48a30..c71f8e5 100644
')
optional_policy(`
-@@ -257,11 +280,10 @@ optional_policy(`
+@@ -257,11 +281,10 @@ optional_policy(`
')
optional_policy(`
@@ -45192,7 +45204,7 @@ index 0b48a30..c71f8e5 100644
')
optional_policy(`
-@@ -274,10 +296,17 @@ optional_policy(`
+@@ -274,10 +297,17 @@ optional_policy(`
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
@@ -45210,7 +45222,7 @@ index 0b48a30..c71f8e5 100644
')
optional_policy(`
-@@ -289,6 +318,7 @@ optional_policy(`
+@@ -289,6 +319,7 @@ optional_policy(`
')
optional_policy(`
@@ -45218,7 +45230,7 @@ index 0b48a30..c71f8e5 100644
policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t)
-@@ -296,7 +326,7 @@ optional_policy(`
+@@ -296,7 +327,7 @@ optional_policy(`
')
optional_policy(`
@@ -45227,7 +45239,7 @@ index 0b48a30..c71f8e5 100644
')
optional_policy(`
-@@ -307,6 +337,7 @@ optional_policy(`
+@@ -307,6 +338,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -45235,7 +45247,7 @@ index 0b48a30..c71f8e5 100644
')
optional_policy(`
-@@ -320,13 +351,19 @@ optional_policy(`
+@@ -320,13 +352,19 @@ optional_policy(`
')
optional_policy(`
@@ -45259,7 +45271,7 @@ index 0b48a30..c71f8e5 100644
')
optional_policy(`
-@@ -356,6 +393,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -356,6 +394,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -52534,35 +52546,42 @@ index 96db654..ff3aadd 100644
+ virt_rw_svirt_dev(pcscd_t)
+')
diff --git a/pegasus.fc b/pegasus.fc
-index dfd46e4..2f407d6 100644
+index dfd46e4..0aaa891 100644
--- a/pegasus.fc
+++ b/pegasus.fc
-@@ -1,15 +1,16 @@
+@@ -1,15 +1,24 @@
-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
--/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0)
--
++
++/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
+ /etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0)
+
-/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0)
++/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
++/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
++
++/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
++
++/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
++
++/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
++
++#openlmi agents
++/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
++/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0)
++/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_networking_exec_t,s0)
++/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
++
-/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
-/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
-+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
-+/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0)
-/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0)
-+/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
-+/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
-/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
-+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
-/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
-+/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
- /usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
-+
-+#openlmi agents
-+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
-+/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0)
+-/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
diff --git a/pegasus.if b/pegasus.if
index d2fc677..ded726f 100644
--- a/pegasus.if
@@ -52664,7 +52683,7 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..04b62f4 100644
+index 7bcf327..193d6c3 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,17 +1,16 @@
@@ -52688,13 +52707,19 @@ index 7bcf327..04b62f4 100644
type pegasus_cache_t;
files_type(pegasus_cache_t)
-@@ -30,20 +29,115 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,176 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
+# pegasus openlmi providers
+pegasus_openlmi_domain_template(account)
+pegasus_openlmi_domain_template(logicalfile)
++pegasus_openlmi_domain_template(networking)
++
++pegasus_openlmi_domain_template(storage)
++type pegasus_openlmi_storage_tmp_t;
++files_tmp_file(pegasus_openlmi_storage_tmp_t)
++
+pegasus_openlmi_domain_template(unconfined)
+
+#######################################
@@ -52702,12 +52727,19 @@ index 7bcf327..04b62f4 100644
+# pegasus openlmi providers local policy
+#
+
++allow pegasus_openlmi_domain self:capability { setuid setgid };
++
+allow pegasus_openlmi_domain self:fifo_file rw_fifo_file_perms;
+
+list_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
-+read_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
++rw_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
++
++kernel_read_system_state(pegasus_openlmi_domain)
+
+corecmd_exec_bin(pegasus_openlmi_domain)
++corecmd_exec_shell(pegasus_openlmi_domain)
++
++auth_read_passwd(pegasus_openlmi_domain)
+
+sysnet_read_config(pegasus_openlmi_domain)
+
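Review bot: Moving `allow pegasus_openlmi_domain self:capability { setuid setgid };` onto the attribute gives both capabilities to every provider domain created by pegasus_openlmi_domain_template, including the new networking and storage providers, while the account and logicalfile hunks that follow drop them from the individual domains. If only the account and logicalfile providers switch credentials, keeping the capability rules per domain preserves least privilege; if all providers drop privileges the same way, a comment above the rule saying so would document it. The same applies to widening `read_files_pattern` to `rw_files_pattern` on pegasus_data_t, which now lets every provider write the repository rather than just read it.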
@@ -52720,7 +52752,7 @@ index 7bcf327..04b62f4 100644
+# pegasus openlmi account local policy
+#
+
-+allow pegasus_openlmi_account_t self:capability { setuid chown setgid dac_override };
++allow pegasus_openlmi_account_t self:capability { chown dac_override };
+allow pegasus_openlmi_account_t self:process setfscreate;
+
+auth_manage_passwd(pegasus_openlmi_account_t)
@@ -52751,7 +52783,7 @@ index 7bcf327..04b62f4 100644
+# pegasus openlmi logicalfile local policy
+#
+
-+allow pegasus_openlmi_logicalfile_t self:capability { setuid setgid dac_override };
++allow pegasus_openlmi_logicalfile_t self:capability { dac_override };
+files_manage_non_security_dirs(pegasus_openlmi_logicalfile_t)
+files_manage_non_security_files(pegasus_openlmi_logicalfile_t)
+
@@ -52779,6 +52811,54 @@ index 7bcf327..04b62f4 100644
+
+######################################
+#
++# pegasus openlmi networking local policy
++#
++
++allow pegasus_openlmi_networking_t self:capability { net_admin };
++
++allow pegasus_openlmi_networking_t self:netlink_route_socket r_netlink_socket_perms;;
++allow pegasus_openlmi_networking_t self:udp_socket create_socket_perms;
++
++dev_rw_sysfs(pegasus_openlmi_networking_t)
++dev_read_urand(pegasus_openlmi_networking_t)
++
++optional_policy(`
++ dbus_system_bus_client(pegasus_openlmi_networking_t)
++
++ optional_policy(`
++ networkmanager_dbus_chat(pegasus_openlmi_networking_t)
++ ')
++')
++
++######################################
++#
++# pegasus openlmi storage local policy
++#
++
++manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t)
++manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t)
++files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir})
++
++storage_rw_inherited_fixed_disk_dev(pegasus_openlmi_networking_t)
++
++modutils_domtrans_insmod(pegasus_openlmi_storage_t)
++
++udev_domtrans(pegasus_openlmi_storage_t)
++
++optional_policy(`
++ lvm_domtrans(pegasus_openlmi_storage_t)
++')
++
++optional_policy(`
++ mount_domtrans(pegasus_openlmi_storage_t)
++')
++
++optional_policy(`
++ raid_domtrans_mdadm(pegasus_openlmi_storage_t)
++')
++
++######################################
++#
+# pegasus openlmi unconfined local policy
+#
+
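Review bot: `files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir})` passes the tmp type as the subject; the first argument must be the domain, `files_tmp_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, { file dir })`, otherwise files the storage provider creates in /tmp keep the generic tmp label and the two manage_*_pattern rules above it never apply. In the same storage section `storage_rw_inherited_fixed_disk_dev(pegasus_openlmi_networking_t)` names the networking domain, which looks like a copy-paste slip: it hands the networking provider inherited disk-device descriptors and leaves the storage provider without them; it should read `storage_rw_inherited_fixed_disk_dev(pegasus_openlmi_storage_t)`. The networking rule `allow pegasus_openlmi_networking_t self:netlink_route_socket r_netlink_socket_perms;;` ends with a doubled semicolon, which checkpolicy may reject as a stray empty statement; drop the extra one.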
@@ -52809,7 +52889,7 @@ index 7bcf327..04b62f4 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +148,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +209,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -52840,7 +52920,7 @@ index 7bcf327..04b62f4 100644
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +174,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +235,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
@@ -52873,7 +52953,7 @@ index 7bcf327..04b62f4 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
-@@ -114,6 +202,7 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,6 +263,7 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -52881,7 +52961,7 @@ index 7bcf327..04b62f4 100644
domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t)
-@@ -128,18 +217,25 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +278,25 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@@ -52899,21 +52979,21 @@ index 7bcf327..04b62f4 100644
- dbus_connect_system_bus(pegasus_t)
+ dbus_system_bus_client(pegasus_t)
+ dbus_connect_system_bus(pegasus_t)
-+
-+ optional_policy(`
-+ networkmanager_dbus_chat(pegasus_t)
-+ ')
-+')
- optional_policy(`
- networkmanager_dbus_chat(pegasus_t)
- ')
++ optional_policy(`
++ networkmanager_dbus_chat(pegasus_t)
++ ')
++')
++
+optional_policy(`
+ rhcs_stream_connect_cluster(pegasus_t)
')
optional_policy(`
-@@ -151,16 +247,24 @@ optional_policy(`
+@@ -151,16 +308,24 @@ optional_policy(`
')
optional_policy(`
@@ -52934,7 +53014,7 @@ index 7bcf327..04b62f4 100644
+')
+
+optional_policy(`
-+ rpm_exec(pegasus_t)
++ rpm_domtrans(pegasus_t)
+')
+
+optional_policy(`
@@ -52942,7 +53022,7 @@ index 7bcf327..04b62f4 100644
')
optional_policy(`
-@@ -168,7 +272,7 @@ optional_policy(`
+@@ -168,7 +333,7 @@ optional_policy(`
')
optional_policy(`
@@ -57411,7 +57491,7 @@ index 2e23946..589bbf2 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
-index 191a66f..5acf87c 100644
+index 191a66f..cddce7d 100644
--- a/postfix.te
+++ b/postfix.te
@@ -1,4 +1,4 @@
@@ -57500,7 +57580,7 @@ index 191a66f..5acf87c 100644
type postfix_data_t;
files_type(postfix_data_t)
-@@ -102,160 +102,64 @@ mta_mailserver_delivery(postfix_virtual_t)
+@@ -102,160 +102,61 @@ mta_mailserver_delivery(postfix_virtual_t)
########################################
#
@@ -57664,19 +57744,19 @@ index 191a66f..5acf87c 100644
-manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public")
-
+-
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
- delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
- rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-+rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
- setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+-delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+-rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+-setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
--
+
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
-setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")
-
-can_exec(postfix_master_t, postfix_exec_t)
++manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
-domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
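Review bot: Replacing the delete/rename/setattr_dirs rules and `rw_files_pattern` on postfix_spool_maildrop_t with a single `manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)` silently drops the dir setattr permission: manage_files_pattern grants only rw_dir_perms on the directory, which does not include setattr. If postfix_master_t still fixes ownership or mode on the maildrop directory at startup, that will now be denied; a `setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)` alongside the new rule restores it. The new rule also adds create and link rights that the earlier set did not have, which is worth a comment if intended.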
@@ -57686,7 +57766,7 @@ index 191a66f..5acf87c 100644
corenet_all_recvfrom_netlabel(postfix_master_t)
corenet_tcp_sendrecv_generic_if(postfix_master_t)
corenet_udp_sendrecv_generic_if(postfix_master_t)
-@@ -263,50 +167,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+@@ -263,50 +164,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -57755,7 +57835,7 @@ index 191a66f..5acf87c 100644
optional_policy(`
cyrus_stream_connect(postfix_master_t)
')
-@@ -316,14 +214,11 @@ optional_policy(`
+@@ -316,14 +211,11 @@ optional_policy(`
')
optional_policy(`
@@ -57771,7 +57851,7 @@ index 191a66f..5acf87c 100644
postgrey_search_spool(postfix_master_t)
')
-@@ -333,12 +228,14 @@ optional_policy(`
+@@ -333,12 +225,14 @@ optional_policy(`
########################################
#
@@ -57788,7 +57868,7 @@ index 191a66f..5acf87c 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
-@@ -355,37 +252,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+@@ -355,37 +249,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
########################################
#
@@ -57835,7 +57915,7 @@ index 191a66f..5acf87c 100644
optional_policy(`
mailman_read_data_files(postfix_cleanup_t)
-@@ -393,36 +287,50 @@ optional_policy(`
+@@ -393,36 +284,50 @@ optional_policy(`
########################################
#
@@ -57895,7 +57975,7 @@ index 191a66f..5acf87c 100644
')
optional_policy(`
-@@ -434,6 +342,7 @@ optional_policy(`
+@@ -434,6 +339,7 @@ optional_policy(`
')
optional_policy(`
@@ -57903,7 +57983,7 @@ index 191a66f..5acf87c 100644
mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t)
mailman_read_log(postfix_local_t)
-@@ -444,6 +353,10 @@ optional_policy(`
+@@ -444,6 +350,10 @@ optional_policy(`
')
optional_policy(`
@@ -57914,7 +57994,7 @@ index 191a66f..5acf87c 100644
procmail_domtrans(postfix_local_t)
')
-@@ -458,15 +371,17 @@ optional_policy(`
+@@ -458,15 +368,17 @@ optional_policy(`
########################################
#
@@ -57938,7 +58018,7 @@ index 191a66f..5acf87c 100644
manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-@@ -476,14 +391,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -476,14 +388,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
@@ -57958,7 +58038,7 @@ index 191a66f..5acf87c 100644
corecmd_list_bin(postfix_map_t)
corecmd_read_bin_symlinks(postfix_map_t)
-@@ -492,7 +408,6 @@ corecmd_read_bin_pipes(postfix_map_t)
+@@ -492,7 +405,6 @@ corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)
files_list_home(postfix_map_t)
@@ -57966,7 +58046,7 @@ index 191a66f..5acf87c 100644
files_read_etc_runtime_files(postfix_map_t)
files_dontaudit_search_var(postfix_map_t)
-@@ -500,21 +415,22 @@ auth_use_nsswitch(postfix_map_t)
+@@ -500,21 +412,22 @@ auth_use_nsswitch(postfix_map_t)
logging_send_syslog_msg(postfix_map_t)
@@ -57992,7 +58072,7 @@ index 191a66f..5acf87c 100644
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-@@ -524,16 +440,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+@@ -524,16 +437,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
@@ -58012,7 +58092,7 @@ index 191a66f..5acf87c 100644
#
allow postfix_pipe_t self:process setrlimit;
-@@ -576,19 +491,26 @@ optional_policy(`
+@@ -576,19 +488,26 @@ optional_policy(`
########################################
#
@@ -58044,7 +58124,7 @@ index 191a66f..5acf87c 100644
term_dontaudit_use_all_ptys(postfix_postdrop_t)
term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -603,10 +525,7 @@ optional_policy(`
+@@ -603,10 +522,7 @@ optional_policy(`
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
@@ -58056,7 +58136,7 @@ index 191a66f..5acf87c 100644
optional_policy(`
fstools_read_pipes(postfix_postdrop_t)
')
-@@ -621,17 +540,24 @@ optional_policy(`
+@@ -621,17 +537,24 @@ optional_policy(`
#######################################
#
@@ -58084,7 +58164,7 @@ index 191a66f..5acf87c 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -647,67 +573,77 @@ optional_policy(`
+@@ -647,67 +570,77 @@ optional_policy(`
########################################
#
@@ -58180,7 +58260,7 @@ index 191a66f..5acf87c 100644
')
optional_policy(`
-@@ -720,29 +656,30 @@ optional_policy(`
+@@ -720,29 +653,30 @@ optional_policy(`
########################################
#
@@ -58219,7 +58299,7 @@ index 191a66f..5acf87c 100644
optional_policy(`
dovecot_stream_connect_auth(postfix_smtpd_t)
dovecot_stream_connect(postfix_smtpd_t)
-@@ -754,6 +691,7 @@ optional_policy(`
+@@ -754,6 +688,7 @@ optional_policy(`
optional_policy(`
milter_stream_connect_all(postfix_smtpd_t)
@@ -58227,7 +58307,7 @@ index 191a66f..5acf87c 100644
')
optional_policy(`
-@@ -764,31 +702,99 @@ optional_policy(`
+@@ -764,31 +699,99 @@ optional_policy(`
sasl_connect(postfix_smtpd_t)
')
@@ -71473,10 +71553,10 @@ index c49828c..a323332 100644
sysnet_dns_name_resolve(rpcbind_t)
diff --git a/rpm.fc b/rpm.fc
-index ebe91fc..1609333 100644
+index ebe91fc..6392cad 100644
--- a/rpm.fc
+++ b/rpm.fc
-@@ -1,61 +1,71 @@
+@@ -1,61 +1,72 @@
-/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
@@ -71505,6 +71585,7 @@ index ebe91fc..1609333 100644
/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
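Review bot: Labelling `/usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt` as rpm_exec_t means the software provider will run in whatever domain rpm_exec_t transitions to from its caller, so unlike the other OpenLMI agents (labelled pegasus_openlmi_*_exec_t in the pegasus.fc hunk) it carries rpm's privileges for its whole lifetime rather than only while it invokes rpm. The companion change from `rpm_exec(pegasus_t)` to `rpm_domtrans(pegasus_t)` in pegasus.te already lets a pegasus domain reach rpm_t for package operations, so a separate provider domain built with the existing template, for example `pegasus_openlmi_domain_template(software)` plus `rpm_domtrans(pegasus_openlmi_software_t)`, would confine the agent itself. If the broad label is deliberate because the agent is a thin wrapper around rpm, a comment next to the fc line saying so would save the next reader the question.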
@@ -79463,13 +79544,15 @@ index ca32e89..98278dd 100644
+
')
diff --git a/slpd.te b/slpd.te
-index 66ac42a..f28fadc 100644
+index 66ac42a..1a4c952 100644
--- a/slpd.te
+++ b/slpd.te
-@@ -50,6 +50,8 @@ corenet_sendrecv_svrloc_server_packets(slpd_t)
+@@ -50,6 +50,10 @@ corenet_sendrecv_svrloc_server_packets(slpd_t)
corenet_tcp_bind_svrloc_port(slpd_t)
corenet_udp_bind_svrloc_port(slpd_t)
++corenet_udp_bind_dhcpc_port(slpd_t)
++
+dev_read_urand(slpd_t)
+
auth_use_nsswitch(slpd_t)
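Review bot: `corenet_udp_bind_dhcpc_port(slpd_t)` lets the SLP daemon bind the DHCP-client UDP port, which a service-location daemon does not obviously need; if the rule came from an AVC denial, the denied bind may have been an ephemeral source port that happened to fall under the dhcpc port label rather than a real requirement. A short comment above the rule recording why slpd binds that port would keep the grant from being carried forward unexamined. If it turns out not to be a stable requirement, a dontaudit for that port would be the narrower choice.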
@@ -83790,7 +83873,7 @@ index c7de0cf..9813503 100644
+/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0)
+/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
diff --git a/telepathy.if b/telepathy.if
-index 42946bc..95a9aa3 100644
+index 42946bc..3d30062 100644
--- a/telepathy.if
+++ b/telepathy.if
@@ -2,45 +2,39 @@
@@ -83870,7 +83953,7 @@ index 42946bc..95a9aa3 100644
type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t;
type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t;
-@@ -63,91 +62,61 @@ template(`telepathy_role_template',`
+@@ -63,91 +62,79 @@ template(`telepathy_role_template',`
type telepathy_mission_control_exec_t, telepathy_salut_exec_t;
type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t;
type telepathy_msn_exec_t;
@@ -83884,11 +83967,14 @@ index 42946bc..95a9aa3 100644
-
- allow $3 telepathy_domain:process { ptrace signal_perms };
- ps_process_pattern($3, telepathy_domain)
--
++ role $1 types telepathy_domain;
+
- telepathy_gabble_stream_connect($3)
- telepathy_msn_stream_connect($3)
- telepathy_salut_stream_connect($3)
--
++ allow $2 telepathy_domain:process signal_perms;
++ ps_process_pattern($2, telepathy_domain)
+
- dbus_spec_session_domain($1, telepathy_gabble_exec_t, telepathy_gabble_t)
- dbus_spec_session_domain($1, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
- dbus_spec_session_domain($1, telepathy_idle_exec_t, telepathy_idle_t)
@@ -83898,30 +83984,13 @@ index 42946bc..95a9aa3 100644
- dbus_spec_session_domain($1, telepathy_sunshine_exec_t, telepathy_sunshine_t)
- dbus_spec_session_domain($1, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
- dbus_spec_session_domain($1, telepathy_msn_exec_t, telepathy_msn_t)
--
-- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms };
-- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
-- allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
--
-- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:file { manage_file_perms relabel_file_perms };
-- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:file { manage_file_perms relabel_file_perms };
-- allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:file { manage_file_perms relabel_file_perms };
-+ role $1 types telepathy_domain;
-
-- filetrans_pattern($3, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
-- # gnome_cache_filetrans($3, telepathy_gabble_cache_home_t, dir, "wocky")
-+ allow $2 telepathy_domain:process signal_perms;
-+ ps_process_pattern($2, telepathy_domain)
-
-- filetrans_pattern($3, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
-- # gnome_data_filetrans($3, telepathy_logger_data_home_t, dir, "TpLogger")
+ telepathy_gabble_stream_connect($2)
+ telepathy_msn_stream_connect($2)
+ telepathy_salut_stream_connect($2)
-- userdom_user_home_dir_filetrans($3, telepathy_mission_control_home_t, dir, ".mission-control")
-- filetrans_pattern($3, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
-- # gnome_cache_filetrans($3, telepathy_mission_control_cache_home_t, file, ".mc_connections")
+- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms };
+- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
+- allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
+ dbus_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t)
+ dbus_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
+ dbus_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t)
@@ -83932,6 +84001,20 @@ index 42946bc..95a9aa3 100644
+ dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
+ dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
+- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:file { manage_file_perms relabel_file_perms };
+- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:file { manage_file_perms relabel_file_perms };
+- allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:file { manage_file_perms relabel_file_perms };
+-
+- filetrans_pattern($3, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
+- # gnome_cache_filetrans($3, telepathy_gabble_cache_home_t, dir, "wocky")
+-
+- filetrans_pattern($3, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
+- # gnome_data_filetrans($3, telepathy_logger_data_home_t, dir, "TpLogger")
+-
+- userdom_user_home_dir_filetrans($3, telepathy_mission_control_home_t, dir, ".mission-control")
+- filetrans_pattern($3, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
+- # gnome_cache_filetrans($3, telepathy_mission_control_cache_home_t, file, ".mc_connections")
+-
- userdom_user_home_dir_filetrans($3, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
-
- # gnome_cache_filetrans($3, telepathy_cache_home_t, dir, "telepathy")
@@ -83971,8 +84054,7 @@ index 42946bc..95a9aa3 100644
##
-## Send dbus messages to and from
-## gabble.
-+## Send DBus messages to and from
-+## Telepathy Gabble.
++## Allow Telepathy Gabble to stream connect to a domain.
##
##
-##
@@ -83982,11 +84064,30 @@ index 42946bc..95a9aa3 100644
##
#
-interface(`telepathy_gabble_dbus_chat',`
++interface(`telepathy_gabble_stream_connect_to', `
++ gen_require(`
++ type telepathy_gabble_t;
++ ')
++
++ stream_connect_pattern(telepathy_gabble_t, $2, $2, $1)
++')
++
++########################################
++##
++## Send DBus messages to and from
++## Telepathy Gabble.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`telepathy_gabble_dbus_chat', `
gen_require(`
type telepathy_gabble_t;
class dbus send_msg;
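Review bot: The second argument of the new `telepathy_gabble_stream_connect_to` interface is undocumented: `stream_connect_pattern(telepathy_gabble_t, $2, $2, $1)` uses $2 as both the directory type and the socket-file type, yet the doc header directly above it (the former telepathy_gabble_dbus_chat header whose summary was re-pointed to this interface) still describes a single parameter. Add a `<param name="socket_type">` entry stating that $2 is the type of the socket file and its containing directory that gabble may connect to, and make the existing `<param name="domain">` say that $1 is the server domain owning the socket. The domain-first, type-second order is unusual for a two-argument connect interface; note it or swap the arguments now, before other callers appear.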
-@@ -159,10 +128,10 @@ interface(`telepathy_gabble_dbus_chat',`
+@@ -159,10 +146,10 @@ interface(`telepathy_gabble_dbus_chat',`
########################################
##
@@ -83999,7 +84100,7 @@ index 42946bc..95a9aa3 100644
## Domain allowed access.
##
##
-@@ -173,15 +142,12 @@ interface(`telepathy_mission_control_read_state',`
+@@ -173,15 +160,12 @@ interface(`telepathy_mission_control_read_state',`
')
kernel_search_proc($1)
@@ -84017,7 +84118,7 @@ index 42946bc..95a9aa3 100644
##
##
##
-@@ -189,19 +155,18 @@ interface(`telepathy_mission_control_read_state',`
+@@ -189,19 +173,18 @@ interface(`telepathy_mission_control_read_state',`
##
##
#
@@ -84040,7 +84141,7 @@ index 42946bc..95a9aa3 100644
##
##
##
-@@ -209,11 +174,138 @@ interface(`telepathy_msn_stream_connect',`
+@@ -209,11 +192,138 @@ interface(`telepathy_msn_stream_connect',`
##
##
#
@@ -90131,10 +90232,10 @@ index 9dec06c..378880d 100644
+ allow $1 svirt_image_t:chr_file rw_file_perms;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..6b715d6 100644
+index 1f22fba..4493e63 100644
--- a/virt.te
+++ b/virt.te
-@@ -1,94 +1,97 @@
+@@ -1,94 +1,104 @@
-policy_module(virt, 1.6.10)
+policy_module(virt, 1.5.0)
@@ -90177,6 +90278,13 @@ index 1f22fba..6b715d6 100644
-## their stack executable.
-##
+##
++## Allow virtual processes to run as userdomains
++##
++##
++gen_tunable(virt_transition_userdomain, false)
++
++##
++##
+## Allow confined virtual guests to use executable memory and executable stack
+##
##
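Review bot: The description of the new tunable, `## Allow virtual processes to run as userdomains`, does not state what enabling it costs: the tunable_policy block it gates later in this patch lets guest and container domains transition into user domains, which removes the separation sVirt provides between a guest and the user's session. Since the changelog ties this to virt-sandbox, the wording should say that and warn against enabling it otherwise, e.g. `## Allow confined virtual machines and containers (virt-sandbox) to transition to user domains. This weakens the isolation between guests and the user session; leave disabled unless virt-sandbox is used.` The default of false is correct and should be kept.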
@@ -90284,7 +90392,7 @@ index 1f22fba..6b715d6 100644
type virt_cache_t alias svirt_cache_t;
files_type(virt_cache_t)
-@@ -105,27 +108,25 @@ userdom_user_home_content(virt_home_t)
+@@ -105,27 +115,25 @@ userdom_user_home_content(virt_home_t)
type svirt_home_t;
userdom_user_home_content(svirt_home_t)
@@ -90318,7 +90426,7 @@ index 1f22fba..6b715d6 100644
type virt_var_run_t;
files_pid_file(virt_var_run_t)
-@@ -139,9 +140,17 @@ init_daemon_domain(virtd_t, virtd_exec_t)
+@@ -139,9 +147,17 @@ init_daemon_domain(virtd_t, virtd_exec_t)
domain_obj_id_change_exemption(virtd_t)
domain_subj_id_change_exemption(virtd_t)
@@ -90336,7 +90444,7 @@ index 1f22fba..6b715d6 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -155,290 +164,134 @@ type virt_qmf_exec_t;
+@@ -155,290 +171,134 @@ type virt_qmf_exec_t;
init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
type virt_bridgehelper_t;
@@ -90600,16 +90708,16 @@ index 1f22fba..6b715d6 100644
-
-dontaudit svirt_t virt_content_t:file write_file_perms;
-dontaudit svirt_t virt_content_t:dir rw_dir_perms;
-+allow svirt_tcg_t self:process { execmem execstack };
-+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-append_files_pattern(svirt_t, virt_home_t, virt_home_t)
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
--
++allow svirt_tcg_t self:process { execmem execstack };
++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
+
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
-
-corenet_udp_sendrecv_generic_if(svirt_t)
@@ -90707,7 +90815,7 @@ index 1f22fba..6b715d6 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -448,42 +301,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -448,42 +308,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -90753,7 +90861,7 @@ index 1f22fba..6b715d6 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +335,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +342,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -90774,7 +90882,7 @@ index 1f22fba..6b715d6 100644
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
-@@ -513,6 +347,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -513,6 +354,7 @@ kernel_read_kernel_sysctls(virtd_t)
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
kernel_setsched(virtd_t)
@@ -90782,7 +90890,7 @@ index 1f22fba..6b715d6 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -520,24 +355,16 @@ corecmd_exec_shell(virtd_t)
+@@ -520,24 +362,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -90810,7 +90918,7 @@ index 1f22fba..6b715d6 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -548,22 +375,23 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +382,23 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -90839,7 +90947,7 @@ index 1f22fba..6b715d6 100644
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +422,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +429,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -90859,20 +90967,20 @@ index 1f22fba..6b715d6 100644
selinux_validate_context(virtd_t)
-@@ -613,18 +444,24 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +451,24 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
+sysnet_read_config(virtd_t)
-userdom_read_all_users_state(virtd_t)
-+systemd_dbus_chat_logind(virtd_t)
-+systemd_write_inhibit_pipes(virtd_t)
-
+-
-ifdef(`hide_broken_symptoms',`
- dontaudit virtd_t self:capability { sys_module sys_ptrace };
-')
--
++systemd_dbus_chat_logind(virtd_t)
++systemd_write_inhibit_pipes(virtd_t)
+
-tunable_policy(`virt_use_fusefs',`
- fs_manage_fusefs_dirs(virtd_t)
- fs_manage_fusefs_files(virtd_t)
@@ -90894,7 +91002,7 @@ index 1f22fba..6b715d6 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +470,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +477,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -90903,17 +91011,19 @@ index 1f22fba..6b715d6 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -658,95 +495,325 @@ optional_policy(`
+@@ -658,95 +502,325 @@ optional_policy(`
')
optional_policy(`
- firewalld_dbus_chat(virtd_t)
-+ hal_dbus_chat(virtd_t)
+- ')
+-
+- optional_policy(`
+ hal_dbus_chat(virtd_t)
')
optional_policy(`
-- hal_dbus_chat(virtd_t)
-+ networkmanager_dbus_chat(virtd_t)
+ networkmanager_dbus_chat(virtd_t)
')
+')
+
@@ -91113,10 +91223,7 @@ index 1f22fba..6b715d6 100644
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
-
-- optional_policy(`
-- networkmanager_dbus_chat(virtd_t)
-- ')
++
+sysnet_read_config(virt_domain)
- optional_policy(`
@@ -91275,7 +91382,7 @@ index 1f22fba..6b715d6 100644
manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +825,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +832,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -91286,27 +91393,27 @@ index 1f22fba..6b715d6 100644
-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
-
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
--
--allow virsh_t svirt_lxc_domain:process transition;
+manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+virt_filetrans_named_content(virsh_t)
+filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+-allow virsh_t svirt_lxc_domain:process transition;
++dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
+
-can_exec(virsh_t, virsh_exec_t)
-
-virt_domtrans(virsh_t)
-virt_manage_images(virsh_t)
-virt_manage_config(virsh_t)
-virt_stream_connect(virsh_t)
-+dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
-
+-
-kernel_read_crypto_sysctls(virsh_t)
+kernel_write_proc_files(virsh_t)
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +845,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +852,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -91333,7 +91440,7 @@ index 1f22fba..6b715d6 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +865,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +872,22 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -91365,7 +91472,7 @@ index 1f22fba..6b715d6 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
fs_manage_nfs_files(virsh_t)
-@@ -847,14 +898,20 @@ optional_policy(`
+@@ -847,14 +905,20 @@ optional_policy(`
')
optional_policy(`
@@ -91387,7 +91494,7 @@ index 1f22fba..6b715d6 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,34 +936,45 @@ optional_policy(`
+@@ -879,34 +943,45 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -91442,7 +91549,7 @@ index 1f22fba..6b715d6 100644
manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +984,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +991,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
@@ -91460,7 +91567,7 @@ index 1f22fba..6b715d6 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +1006,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +1013,8 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -91471,7 +91578,7 @@ index 1f22fba..6b715d6 100644
files_relabel_rootfs(virtd_lxc_t)
files_mounton_non_security(virtd_lxc_t)
files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +1015,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+@@ -944,6 +1022,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
files_list_isid_type_dirs(virtd_lxc_t)
files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
@@ -91479,7 +91586,7 @@ index 1f22fba..6b715d6 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,15 +1027,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,15 +1034,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -91498,7 +91605,7 @@ index 1f22fba..6b715d6 100644
term_use_generic_ptys(virtd_lxc_t)
term_use_ptmx(virtd_lxc_t)
-@@ -973,21 +1041,39 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,21 +1048,39 @@ auth_use_nsswitch(virtd_lxc_t)
logging_send_syslog_msg(virtd_lxc_t)
@@ -91546,7 +91653,7 @@ index 1f22fba..6b715d6 100644
allow svirt_lxc_domain self:fifo_file manage_file_perms;
allow svirt_lxc_domain self:sem create_sem_perms;
allow svirt_lxc_domain self:shm create_shm_perms;
-@@ -995,18 +1081,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,18 +1088,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
@@ -91573,7 +91680,7 @@ index 1f22fba..6b715d6 100644
manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1099,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1106,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -91593,7 +91700,7 @@ index 1f22fba..6b715d6 100644
kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1118,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1125,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@@ -91620,7 +91727,7 @@ index 1f22fba..6b715d6 100644
auth_dontaudit_read_login_records(svirt_lxc_domain)
auth_dontaudit_write_login_records(svirt_lxc_domain)
auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1143,93 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,96 +1150,93 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
@@ -91639,12 +91746,12 @@ index 1f22fba..6b715d6 100644
+ apache_exec_modules(svirt_lxc_domain)
+ apache_read_sys_content(svirt_lxc_domain)
+')
-
--mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
++
+optional_policy(`
+ mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+')
-+
+
+-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
+ ssh_use_ptys(svirt_lxc_net_t)
+')
@@ -91760,7 +91867,7 @@ index 1f22fba..6b715d6 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1242,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1249,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -91775,7 +91882,7 @@ index 1f22fba..6b715d6 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1260,8 @@ optional_policy(`
+@@ -1183,9 +1267,8 @@ optional_policy(`
########################################
#
@@ -91786,7 +91893,7 @@ index 1f22fba..6b715d6 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1274,115 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1281,121 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -91904,6 +92011,12 @@ index 1f22fba..6b715d6 100644
+role system_r types svirt_socket_t;
+allow virtd_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
+allow virt_domain svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
++
++tunable_policy(`virt_transition_userdomain',`
++ userdom_transition(virt_t)
++ userdom_transition(virt_lxc_t)
++')
++
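Review bot: The domains named in `userdom_transition(virt_t)` and `userdom_transition(virt_lxc_t)` do not match the names used in the other virt.te hunks of this patch, where guests are svirt_t/svirt_tcg_t and containers are svirt_lxc_domain under virtd_lxc_t; confirm that virt_t and virt_lxc_t are declared types, because an undeclared type fails the module build and a declared-but-different one leaves the intended domains ungated. userdom_transition presumably grants `process transition` to the userdomain attribute, so this is the point where an untrusted guest payload gains a path into a user domain; a comment naming the consumer would help, e.g. `# virt-sandbox runs guest/container payloads as the invoking user's domain`. The enclosing file continues outside the hunk, so any role_transition needed for that transition to succeed is not visible here.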
diff --git a/vlock.te b/vlock.te
index 9ead775..b5285e7 100644
--- a/vlock.te
@@ -95236,7 +95349,7 @@ index 3416401..ef64e73 100644
init_labeled_script_domtrans($1, zebra_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/zebra.te b/zebra.te
-index b0803c2..13da3cf 100644
+index b0803c2..f1fa5f7 100644
--- a/zebra.te
+++ b/zebra.te
@@ -1,4 +1,4 @@
@@ -95311,7 +95424,7 @@ index b0803c2..13da3cf 100644
corenet_all_recvfrom_netlabel(zebra_t)
corenet_tcp_sendrecv_generic_if(zebra_t)
corenet_udp_sendrecv_generic_if(zebra_t)
-@@ -79,48 +78,42 @@ corenet_raw_sendrecv_generic_if(zebra_t)
+@@ -79,48 +78,44 @@ corenet_raw_sendrecv_generic_if(zebra_t)
corenet_tcp_sendrecv_generic_node(zebra_t)
corenet_udp_sendrecv_generic_node(zebra_t)
corenet_raw_sendrecv_generic_node(zebra_t)
@@ -95338,6 +95451,8 @@ index b0803c2..13da3cf 100644
dev_associate_usbfs(zebra_var_run_t)
dev_list_all_dev_nodes(zebra_t)
++dev_read_rand(zebra_t)
++dev_read_urand(zebra_t)
dev_read_sysfs(zebra_t)
dev_rw_zero(zebra_t)
@@ -95372,7 +95487,7 @@ index b0803c2..13da3cf 100644
manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
')
-@@ -139,3 +132,7 @@ optional_policy(`
+@@ -139,3 +134,7 @@ optional_policy(`
optional_policy(`
udev_read_db(zebra_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b950318..9b084d6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 66%{?dist}
+Release: 67%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -538,6 +538,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Jul 26 2013 Miroslav Grepl 3.12.1-67
+- Add support for cmpiLMI_Service-cimprovagt
+- Allow pegasus domtrans to rpm_t to make pycmpiLMI_Software-cimprovagt running as rpm_t
+- Label pycmpiLMI_Software-cimprovagt as rpm_exec_t
+- Add support for pycmpiLMI_Storage-cimprovagt
+- Add support for cmpiLMI_Networking-cimprovagt
+- Allow system_cronjob_t to create user_tmpfs_t to make pulseaudio working
+- Allow virtual machines and containers to run as user doains, needed for virt-sandbox
+- Allow buglist.cgi to read cpu info
+
* Mon Jul 22 2013 Miroslav Grepl 3.12.1-66
- Allow systemd-tmpfile to handle tmp content in print spool dir
- Allow systemd-sysctl to send system log messages