diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 18479d6..73354c9 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -18160,7 +18160,7 @@ index 7be4ddf..9710b33 100644
 +/sys/kernel/debug -d	gen_context(system_u:object_r:debugfs_t,s0)
 +/sys/kernel/debug/.*	<<none>>
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..d2fc766 100644
+index e100d88..65a3b6d 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
 @@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@@ -18791,7 +18791,7 @@ index e100d88..d2fc766 100644
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2972,5 +3284,628 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3284,630 @@ interface(`kernel_unconfined',`
  	')
  
  	typeattribute $1 kern_unconfined;
@@ -19154,12 +19154,14 @@ index e100d88..d2fc766 100644
 +interface(`kernel_read_security_state',`
 +	gen_require(`
 +		type proc_t, proc_security_t;
++        attribute sysctl_type;
 +	')
 +
 +	read_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
 +	read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
 +
 +	list_dirs_pattern($1, proc_t, proc_security_t)
++    allow $1 sysctl_type:dir search_dir_perms;
 +')
 +
 +########################################
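Review bot: The added `allow $1 sysctl_type:dir search_dir_perms;` grants directory search on every type carrying the sysctl_type attribute to every caller of kernel_read_security_state, which is wider than the changelog entry that speaks of sysctl_fs_t dirs. If only the parent directories of the proc_security_t entries are needed, requiring those types and writing for example `allow $1 sysctl_fs_t:dir search_dir_perms;` would keep the interface closer to least privilege; which types are really required cannot be confirmed from this hunk. Both added lines are indented with spaces where the rest of the interface uses tabs. The interface's doc block starts outside the hunk and should mention the new search permission.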
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 45300a0..97bc967 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -6,10 +6,10 @@ index 0000000..bea5755
 @@ -0,0 +1 @@
 +TAGS
 diff --git a/abrt.fc b/abrt.fc
-index 1a93dc5..f2b26f5 100644
+index 1a93dc5..e948aef 100644
 --- a/abrt.fc
 +++ b/abrt.fc
-@@ -1,31 +1,46 @@
+@@ -1,31 +1,47 @@
 -/etc/abrt(/.*)?	gen_context(system_u:object_r:abrt_etc_t,s0)
 -/etc/rc\.d/init\.d/abrt	--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
 +/etc/abrt(/.*)?				gen_context(system_u:object_r:abrt_etc_t,s0)
@@ -38,10 +38,8 @@ index 1a93dc5..f2b26f5 100644
 -/usr/libexec/abrt-pyhook-helper	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
  /usr/libexec/abrt-handle-event	--	gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
 -/usr/libexec/abrt-hook-python	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
- 
--/usr/sbin/abrtd	--	gen_context(system_u:object_r:abrt_exec_t,s0)
--/usr/sbin/abrt-dbus	--	gen_context(system_u:object_r:abrt_exec_t,s0)
--/usr/sbin/abrt-upload-watch	--	gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
++/usr/libexec/abrt-hook-ccpp     --  gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
++
 +/var/cache/abrt(/.*)?			    gen_context(system_u:object_r:abrt_var_cache_t,s0)
 +/var/cache/abrt-di(/.*)?            gen_context(system_u:object_r:abrt_var_cache_t,s0)
 +/var/cache/abrt-retrace(/.*)?		gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
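Review bot: The new entry labels /usr/libexec/abrt-hook-ccpp with abrt_dump_oops_exec_t, a type that by its name was written for a different ABRT program, so permissions granted to that domain for one binary become available to the other. A helper that receives core images from arbitrary crashing processes is handling untrusted data, so the reuse deserves a recorded reason, e.g. `# abrt-hook-ccpp reuses abrt_dump_oops_exec_t, see #1245477 and #1242467`. Whether a domain transition is defined for this type is not visible in the hunk. The line is also aligned with spaces, while the entries just above it use tabs.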
@@ -55,7 +53,10 @@ index 1a93dc5..f2b26f5 100644
 +/var/run/abrtd?\.lock		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
 +/var/run/abrtd?\.socket		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
 +/var/run/abrt(/.*)?		    	gen_context(system_u:object_r:abrt_var_run_t,s0)
-+
+ 
+-/usr/sbin/abrtd	--	gen_context(system_u:object_r:abrt_exec_t,s0)
+-/usr/sbin/abrt-dbus	--	gen_context(system_u:object_r:abrt_exec_t,s0)
+-/usr/sbin/abrt-upload-watch	--	gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
 +/var/spool/abrt(/.*)?			    gen_context(system_u:object_r:abrt_var_cache_t,s0)
 +/var/spool/abrt-retrace(/.*)?		gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 +/var/spool/retrace-server(/.*)?		gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
@@ -9521,7 +9522,7 @@ index 531a8f2..0b86f2f 100644
 +	allow $1 named_unit_file_t:service all_service_perms;
  ')
 diff --git a/bind.te b/bind.te
-index 1241123..cce7112 100644
+index 1241123..5336071 100644
 --- a/bind.te
 +++ b/bind.te
 @@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -9577,7 +9578,12 @@ index 1241123..cce7112 100644
  corenet_all_recvfrom_netlabel(named_t)
  corenet_tcp_sendrecv_generic_if(named_t)
  corenet_udp_sendrecv_generic_if(named_t)
-@@ -144,6 +146,7 @@ corenet_tcp_sendrecv_all_ports(named_t)
+@@ -141,9 +143,12 @@ corenet_sendrecv_all_client_packets(named_t)
+ corenet_tcp_connect_all_ports(named_t)
+ corenet_tcp_sendrecv_all_ports(named_t)
+ 
++corenet_tcp_bind_all_ephemeral_ports(named_t)
++
  dev_read_sysfs(named_t)
  dev_read_rand(named_t)
  dev_read_urand(named_t)
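Review bot: `corenet_tcp_bind_all_ephemeral_ports(named_t)` is added unconditionally and without a comment, so named_t may listen on any TCP port in the ephemeral range with nothing in the policy saying which feature needs it. A line such as `# BZ#1259766: named binds TCP sockets in the ephemeral range` above the call would let a later reviewer judge whether the grant can be narrowed or placed behind a tunable. The changelog names the bug, but the policy source itself carries no reference.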
@@ -9585,7 +9591,7 @@ index 1241123..cce7112 100644
  
  domain_use_interactive_fds(named_t)
  
-@@ -175,6 +178,19 @@ tunable_policy(`named_write_master_zones',`
+@@ -175,6 +180,19 @@ tunable_policy(`named_write_master_zones',`
  ')
  
  optional_policy(`
@@ -9605,7 +9611,7 @@ index 1241123..cce7112 100644
  	dbus_system_domain(named_t, named_exec_t)
  
  	init_dbus_chat_script(named_t)
-@@ -187,7 +203,13 @@ optional_policy(`
+@@ -187,7 +205,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -9619,7 +9625,7 @@ index 1241123..cce7112 100644
  	kerberos_use(named_t)
  ')
  
-@@ -215,7 +237,8 @@ optional_policy(`
+@@ -215,7 +239,8 @@ optional_policy(`
  #
  
  allow ndc_t self:capability { dac_override net_admin };
@@ -9629,7 +9635,7 @@ index 1241123..cce7112 100644
  allow ndc_t self:fifo_file rw_fifo_file_perms;
  allow ndc_t self:unix_stream_socket { accept listen };
  
-@@ -229,10 +252,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+@@ -229,10 +254,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
  
  allow ndc_t named_zone_t:dir search_dir_perms;
  
@@ -9641,7 +9647,7 @@ index 1241123..cce7112 100644
  corenet_all_recvfrom_netlabel(ndc_t)
  corenet_tcp_sendrecv_generic_if(ndc_t)
  corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -242,6 +264,9 @@ corenet_tcp_bind_generic_node(ndc_t)
+@@ -242,6 +266,9 @@ corenet_tcp_bind_generic_node(ndc_t)
  corenet_tcp_connect_rndc_port(ndc_t)
  corenet_sendrecv_rndc_client_packets(ndc_t)
  
@@ -9651,7 +9657,7 @@ index 1241123..cce7112 100644
  domain_use_interactive_fds(ndc_t)
  
  files_search_pids(ndc_t)
-@@ -257,7 +282,7 @@ init_use_script_ptys(ndc_t)
+@@ -257,7 +284,7 @@ init_use_script_ptys(ndc_t)
  
  logging_send_syslog_msg(ndc_t)
  
@@ -20435,7 +20441,7 @@ index 3023be7..0317731 100644
 +	files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
  ')
 diff --git a/cups.te b/cups.te
-index c91813c..84c4ee4 100644
+index c91813c..999581c 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
@@ -20535,7 +20541,7 @@ index c91813c..84c4ee4 100644
  
  type ptal_t;
  type ptal_exec_t;
-@@ -97,21 +99,49 @@ ifdef(`enable_mls',`
+@@ -97,21 +99,50 @@ ifdef(`enable_mls',`
  	init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
  ')
  
@@ -20583,13 +20589,14 @@ index c91813c..84c4ee4 100644
 +allow cupsd_t self:process { getpgid setpgid setsched };
  allow cupsd_t self:unix_stream_socket { accept connectto listen };
  allow cupsd_t self:netlink_selinux_socket create_socket_perms;
++allow cupsd_t self:socket connect;
  allow cupsd_t self:shm create_shm_perms;
  allow cupsd_t self:sem create_sem_perms;
 -allow cupsd_t self:tcp_socket { accept listen };
  allow cupsd_t self:appletalk_socket create_socket_perms;
  
  allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
-@@ -120,11 +150,14 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+@@ -120,11 +151,14 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
  read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
  
  manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
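Review bot: `allow cupsd_t self:socket connect;` uses the generic `socket` class, the fallback for sockets that have no dedicated class, so the rule does not say which address family cupsd actually needed. A comment above it naming the family seen in the denial and the bug, e.g. `# BZ#1258089: connect on <address family from the AVC>`, would make the grant auditable. Only `connect` is allowed here; whether `create` on this class is granted elsewhere in cups.te cannot be seen from the hunk.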
@@ -20604,7 +20611,7 @@ index c91813c..84c4ee4 100644
  
  allow cupsd_t cupsd_exec_t:dir search_dir_perms;
  allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
-@@ -136,22 +169,23 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+@@ -136,22 +170,23 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
  manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
  logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
  
@@ -20632,7 +20639,7 @@ index c91813c..84c4ee4 100644
  
  stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
  allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
-@@ -159,11 +193,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+@@ -159,11 +194,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
  can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
  
  kernel_read_system_state(cupsd_t)
@@ -20644,7 +20651,7 @@ index c91813c..84c4ee4 100644
  corenet_all_recvfrom_netlabel(cupsd_t)
  corenet_tcp_sendrecv_generic_if(cupsd_t)
  corenet_udp_sendrecv_generic_if(cupsd_t)
-@@ -186,12 +218,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
+@@ -186,12 +219,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
  corenet_tcp_bind_all_rpc_ports(cupsd_t)
  corenet_tcp_connect_all_ports(cupsd_t)
  
@@ -20669,7 +20676,7 @@ index c91813c..84c4ee4 100644
  dev_rw_input_dev(cupsd_t)
  dev_rw_generic_usb_dev(cupsd_t)
  dev_rw_usbfs(cupsd_t)
-@@ -203,7 +243,6 @@ domain_use_interactive_fds(cupsd_t)
+@@ -203,7 +244,6 @@ domain_use_interactive_fds(cupsd_t)
  files_getattr_boot_dirs(cupsd_t)
  files_list_spool(cupsd_t)
  files_read_etc_runtime_files(cupsd_t)
@@ -20677,7 +20684,7 @@ index c91813c..84c4ee4 100644
  files_exec_usr_files(cupsd_t)
  # for /var/lib/defoma
  files_read_var_lib_files(cupsd_t)
-@@ -212,17 +251,19 @@ files_read_world_readable_files(cupsd_t)
+@@ -212,17 +252,19 @@ files_read_world_readable_files(cupsd_t)
  files_read_world_readable_symlinks(cupsd_t)
  files_read_var_files(cupsd_t)
  files_read_var_symlinks(cupsd_t)
@@ -20699,7 +20706,7 @@ index c91813c..84c4ee4 100644
  mls_fd_use_all_levels(cupsd_t)
  mls_file_downgrade(cupsd_t)
  mls_file_write_all_levels(cupsd_t)
-@@ -232,6 +273,8 @@ mls_socket_write_all_levels(cupsd_t)
+@@ -232,6 +274,8 @@ mls_socket_write_all_levels(cupsd_t)
  
  term_search_ptys(cupsd_t)
  term_use_unallocated_ttys(cupsd_t)
@@ -20708,7 +20715,7 @@ index c91813c..84c4ee4 100644
  
  selinux_compute_access_vector(cupsd_t)
  selinux_validate_context(cupsd_t)
-@@ -244,22 +287,27 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -244,22 +288,27 @@ auth_dontaudit_read_pam_pid(cupsd_t)
  auth_rw_faillog(cupsd_t)
  auth_use_nsswitch(cupsd_t)
  
@@ -20741,7 +20748,7 @@ index c91813c..84c4ee4 100644
  
  optional_policy(`
  	apm_domtrans_client(cupsd_t)
-@@ -272,6 +320,8 @@ optional_policy(`
+@@ -272,6 +321,8 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(cupsd_t)
  
@@ -20750,7 +20757,7 @@ index c91813c..84c4ee4 100644
  	userdom_dbus_send_all_users(cupsd_t)
  
  	optional_policy(`
-@@ -279,11 +329,17 @@ optional_policy(`
+@@ -279,11 +330,17 @@ optional_policy(`
  	')
  
  	optional_policy(`
@@ -20768,7 +20775,7 @@ index c91813c..84c4ee4 100644
  	')
  ')
  
-@@ -296,8 +352,8 @@ optional_policy(`
+@@ -296,8 +353,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20778,7 +20785,7 @@ index c91813c..84c4ee4 100644
  ')
  
  optional_policy(`
-@@ -306,7 +362,6 @@ optional_policy(`
+@@ -306,7 +363,6 @@ optional_policy(`
  
  optional_policy(`
  	lpd_exec_lpr(cupsd_t)
@@ -20786,7 +20793,7 @@ index c91813c..84c4ee4 100644
  	lpd_read_config(cupsd_t)
  	lpd_relabel_spool(cupsd_t)
  ')
-@@ -316,6 +371,10 @@ optional_policy(`
+@@ -316,6 +372,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20797,7 +20804,7 @@ index c91813c..84c4ee4 100644
  	samba_read_config(cupsd_t)
  	samba_rw_var_files(cupsd_t)
  	samba_stream_connect_nmbd(cupsd_t)
-@@ -334,7 +393,11 @@ optional_policy(`
+@@ -334,7 +394,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20810,7 +20817,7 @@ index c91813c..84c4ee4 100644
  ')
  
  ########################################
-@@ -342,12 +405,11 @@ optional_policy(`
+@@ -342,12 +406,11 @@ optional_policy(`
  # Configuration daemon local policy
  #
  
@@ -20826,7 +20833,7 @@ index c91813c..84c4ee4 100644
  allow cupsd_config_t cupsd_t:process signal;
  ps_process_pattern(cupsd_config_t, cupsd_t)
  
-@@ -372,18 +434,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -372,18 +435,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
  manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
  files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
  
@@ -20847,7 +20854,7 @@ index c91813c..84c4ee4 100644
  corenet_all_recvfrom_netlabel(cupsd_config_t)
  corenet_tcp_sendrecv_generic_if(cupsd_config_t)
  corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -392,20 +452,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -392,20 +453,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
  corenet_sendrecv_all_client_packets(cupsd_config_t)
  corenet_tcp_connect_all_ports(cupsd_config_t)
  
@@ -20868,7 +20875,7 @@ index c91813c..84c4ee4 100644
  fs_search_auto_mountpoints(cupsd_config_t)
  
  domain_use_interactive_fds(cupsd_config_t)
-@@ -417,11 +469,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -417,11 +470,6 @@ auth_use_nsswitch(cupsd_config_t)
  
  logging_send_syslog_msg(cupsd_config_t)
  
@@ -20880,7 +20887,7 @@ index c91813c..84c4ee4 100644
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
  userdom_read_all_users_state(cupsd_config_t)
-@@ -449,9 +496,12 @@ optional_policy(`
+@@ -449,9 +497,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20894,7 +20901,7 @@ index c91813c..84c4ee4 100644
  ')
  
  optional_policy(`
-@@ -467,6 +517,10 @@ optional_policy(`
+@@ -467,6 +518,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20905,7 +20912,7 @@ index c91813c..84c4ee4 100644
  	rpm_read_db(cupsd_config_t)
  ')
  
-@@ -487,10 +541,6 @@ optional_policy(`
+@@ -487,10 +542,6 @@ optional_policy(`
  # Lpd local policy
  #
  
@@ -20916,7 +20923,7 @@ index c91813c..84c4ee4 100644
  allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
  
  allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -508,15 +558,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -508,15 +559,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
  
  kernel_read_kernel_sysctls(cupsd_lpd_t)
  kernel_read_system_state(cupsd_lpd_t)
@@ -20934,7 +20941,7 @@ index c91813c..84c4ee4 100644
  corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
  
  corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
-@@ -537,9 +587,6 @@ auth_use_nsswitch(cupsd_lpd_t)
+@@ -537,9 +588,6 @@ auth_use_nsswitch(cupsd_lpd_t)
  
  logging_send_syslog_msg(cupsd_lpd_t)
  
@@ -20944,7 +20951,7 @@ index c91813c..84c4ee4 100644
  optional_policy(`
  	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
  ')
-@@ -550,7 +597,6 @@ optional_policy(`
+@@ -550,7 +598,6 @@ optional_policy(`
  #
  
  allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -20952,7 +20959,7 @@ index c91813c..84c4ee4 100644
  allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
  
  append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -566,148 +612,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -566,148 +613,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
  
  kernel_read_system_state(cups_pdf_t)
  
@@ -21104,7 +21111,7 @@ index c91813c..84c4ee4 100644
  
  ########################################
  #
-@@ -735,7 +656,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -735,7 +657,6 @@ kernel_read_kernel_sysctls(ptal_t)
  kernel_list_proc(ptal_t)
  kernel_read_proc_symlinks(ptal_t)
  
@@ -21112,7 +21119,7 @@ index c91813c..84c4ee4 100644
  corenet_all_recvfrom_netlabel(ptal_t)
  corenet_tcp_sendrecv_generic_if(ptal_t)
  corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -745,13 +665,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -745,13 +666,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
  corenet_tcp_bind_ptal_port(ptal_t)
  corenet_tcp_sendrecv_ptal_port(ptal_t)
  
@@ -21126,7 +21133,7 @@ index c91813c..84c4ee4 100644
  files_read_etc_runtime_files(ptal_t)
  
  fs_getattr_all_fs(ptal_t)
-@@ -759,8 +677,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -759,8 +678,6 @@ fs_search_auto_mountpoints(ptal_t)
  
  logging_send_syslog_msg(ptal_t)
  
@@ -21135,7 +21142,7 @@ index c91813c..84c4ee4 100644
  sysnet_read_config(ptal_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -773,3 +689,4 @@ optional_policy(`
+@@ -773,3 +690,4 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ptal_t)
  ')
@@ -38130,7 +38137,7 @@ index 1a35420..8101022 100644
  	logging_search_logs($1)
  	admin_pattern($1, iscsi_log_t)
 diff --git a/iscsi.te b/iscsi.te
-index ca020fa..989eba9 100644
+index ca020fa..d546e07 100644
 --- a/iscsi.te
 +++ b/iscsi.te
 @@ -5,12 +5,15 @@ policy_module(iscsi, 1.9.0)
@@ -38151,7 +38158,7 @@ index ca020fa..989eba9 100644
  
  type iscsi_lock_t;
  files_lock_file(iscsi_lock_t)
-@@ -32,8 +35,7 @@ files_pid_file(iscsi_var_run_t)
+@@ -32,13 +35,13 @@ files_pid_file(iscsi_var_run_t)
  # Local policy
  #
  
@@ -38161,7 +38168,13 @@ index ca020fa..989eba9 100644
  allow iscsid_t self:process { setrlimit setsched signal };
  allow iscsid_t self:fifo_file rw_fifo_file_perms;
  allow iscsid_t self:unix_stream_socket { accept connectto listen };
-@@ -55,20 +57,22 @@ manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
+ allow iscsid_t self:sem create_sem_perms;
+ allow iscsid_t self:shm create_shm_perms;
++allow iscsid_t self:netlink_iscsi_socket create_socket_perms;
+ allow iscsid_t self:netlink_socket create_socket_perms;
+ allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow iscsid_t self:netlink_route_socket nlmsg_write;
+@@ -55,20 +58,22 @@ manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
  manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
  fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file })
  
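Review bot: The new `netlink_iscsi_socket` rule sits directly above the existing `allow iscsid_t self:netlink_socket create_socket_perms;`, and nothing records why both are kept. Presumably the generic rule stays for kernels that do not define the dedicated class; a comment such as `# generic netlink_socket kept for kernels without netlink_iscsi_socket` would make it clear when the broader rule can be dropped.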
@@ -38189,7 +38202,7 @@ index ca020fa..989eba9 100644
  corenet_all_recvfrom_netlabel(iscsid_t)
  corenet_tcp_sendrecv_generic_if(iscsid_t)
  corenet_tcp_sendrecv_generic_node(iscsid_t)
-@@ -85,22 +89,38 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
+@@ -85,22 +90,38 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
  corenet_tcp_connect_isns_port(iscsid_t)
  corenet_tcp_sendrecv_isns_port(iscsid_t)
  
@@ -57329,7 +57342,7 @@ index 86dc29d..7380935 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..4a29f9c 100644
+index 55f2009..51cb268 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -9,15 +9,18 @@ type NetworkManager_t;
@@ -57407,11 +57420,11 @@ index 55f2009..4a29f9c 100644
 +can_exec(NetworkManager_t, NetworkManager_exec_t)
 +#wicd
 +can_exec(NetworkManager_t, wpa_cli_exec_t)
- 
++
 +list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
 +read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
 +read_lnk_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
-+
+ 
 +list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
 +read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
 +read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
@@ -57528,7 +57541,7 @@ index 55f2009..4a29f9c 100644
  
  seutil_read_config(NetworkManager_t)
  
-@@ -166,21 +205,34 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +205,36 @@ sysnet_kill_dhcpc(NetworkManager_t)
  sysnet_read_dhcpc_state(NetworkManager_t)
  sysnet_delete_dhcpc_state(NetworkManager_t)
  sysnet_search_dhcp_state(NetworkManager_t)
@@ -57539,9 +57552,11 @@ index 55f2009..4a29f9c 100644
  
 -# certificates in user home directories (cert_home_t in ~/\.pki)
 -userdom_read_user_home_content_files(NetworkManager_t)
-+term_use_unallocated_ttys(NetworkManager_t)
++systemd_machined_read_pid_files(NetworkManager_t)
  
 -userdom_write_user_tmp_sockets(NetworkManager_t)
++term_use_unallocated_ttys(NetworkManager_t)
++
 +userdom_stream_connect(NetworkManager_t)
  userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
  userdom_dontaudit_use_user_ttys(NetworkManager_t)
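Review bot: `systemd_machined_read_pid_files(NetworkManager_t)` is added with no comment, and the policy does not explain why a network daemon reads systemd-machined pid files; the same applies to the identical call for policykit_t in the policykit.te hunk. A one-line comment with the bug reference, e.g. `# #1255305: read systemd-machined pid files`, above each call would document the reason. Both calls sit outside any optional_policy block, which is fine only if the systemd module is always present in this build; that cannot be confirmed from these hunks.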
@@ -57567,7 +57582,7 @@ index 55f2009..4a29f9c 100644
  ')
  
  optional_policy(`
-@@ -196,10 +248,6 @@ optional_policy(`
+@@ -196,10 +250,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57578,7 +57593,7 @@ index 55f2009..4a29f9c 100644
  	consoletype_exec(NetworkManager_t)
  ')
  
-@@ -210,16 +258,11 @@ optional_policy(`
+@@ -210,16 +260,11 @@ optional_policy(`
  optional_policy(`
  	dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
  
@@ -57597,7 +57612,7 @@ index 55f2009..4a29f9c 100644
  	')
  ')
  
-@@ -231,10 +274,17 @@ optional_policy(`
+@@ -231,10 +276,17 @@ optional_policy(`
  	dnsmasq_kill(NetworkManager_t)
  	dnsmasq_signal(NetworkManager_t)
  	dnsmasq_signull(NetworkManager_t)
@@ -57616,7 +57631,7 @@ index 55f2009..4a29f9c 100644
  ')
  
  optional_policy(`
-@@ -246,10 +296,26 @@ optional_policy(`
+@@ -246,10 +298,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57643,7 +57658,7 @@ index 55f2009..4a29f9c 100644
  ')
  
  optional_policy(`
-@@ -257,15 +323,19 @@ optional_policy(`
+@@ -257,15 +325,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57665,7 +57680,7 @@ index 55f2009..4a29f9c 100644
  ')
  
  optional_policy(`
-@@ -274,10 +344,17 @@ optional_policy(`
+@@ -274,10 +346,17 @@ optional_policy(`
  	nscd_signull(NetworkManager_t)
  	nscd_kill(NetworkManager_t)
  	nscd_initrc_domtrans(NetworkManager_t)
@@ -57683,7 +57698,7 @@ index 55f2009..4a29f9c 100644
  ')
  
  optional_policy(`
-@@ -286,9 +363,12 @@ optional_policy(`
+@@ -286,9 +365,12 @@ optional_policy(`
  	openvpn_kill(NetworkManager_t)
  	openvpn_signal(NetworkManager_t)
  	openvpn_signull(NetworkManager_t)
@@ -57696,7 +57711,7 @@ index 55f2009..4a29f9c 100644
  	policykit_domtrans_auth(NetworkManager_t)
  	policykit_read_lib(NetworkManager_t)
  	policykit_read_reload(NetworkManager_t)
-@@ -296,7 +376,7 @@ optional_policy(`
+@@ -296,7 +378,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57705,7 +57720,7 @@ index 55f2009..4a29f9c 100644
  ')
  
  optional_policy(`
-@@ -307,6 +387,7 @@ optional_policy(`
+@@ -307,6 +389,7 @@ optional_policy(`
  	ppp_signal(NetworkManager_t)
  	ppp_signull(NetworkManager_t)
  	ppp_read_config(NetworkManager_t)
@@ -57713,7 +57728,7 @@ index 55f2009..4a29f9c 100644
  ')
  
  optional_policy(`
-@@ -320,14 +401,21 @@ optional_policy(`
+@@ -320,14 +403,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57740,7 +57755,7 @@ index 55f2009..4a29f9c 100644
  ')
  
  optional_policy(`
-@@ -357,6 +445,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -357,6 +447,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
  init_dontaudit_use_fds(wpa_cli_t)
  init_use_script_ptys(wpa_cli_t)
  
@@ -66366,10 +66381,10 @@ index 0000000..80246e6
 +
 diff --git a/pcp.te b/pcp.te
 new file mode 100644
-index 0000000..5b5747f
+index 0000000..b7242be
 --- /dev/null
 +++ b/pcp.te
-@@ -0,0 +1,264 @@
+@@ -0,0 +1,266 @@
 +policy_module(pcp, 1.0.0)
 +
 +########################################
@@ -66630,6 +66645,8 @@ index 0000000..5b5747f
 +
 +allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto;
 +
++kernel_read_system_state(pcp_pmlogger_t)
++
 +corenet_tcp_bind_dey_sapi_port(pcp_pmlogger_t)
 +corenet_tcp_bind_commplex_link_port(pcp_pmlogger_t)
 +corenet_tcp_bind_generic_node(pcp_pmlogger_t)
@@ -70093,7 +70110,7 @@ index 032a84d..be00a65 100644
 +	allow $1 policykit_auth_t:process signal;
  ')
 diff --git a/policykit.te b/policykit.te
-index ee91778..945a36f 100644
+index ee91778..5fd133f 100644
 --- a/policykit.te
 +++ b/policykit.te
 @@ -7,9 +7,6 @@ policy_module(policykit, 1.3.0)
@@ -70119,7 +70136,7 @@ index ee91778..945a36f 100644
  
  type policykit_resolve_t, policykit_domain;
  type policykit_resolve_exec_t;
-@@ -42,63 +37,68 @@ files_pid_file(policykit_var_run_t)
+@@ -42,63 +37,70 @@ files_pid_file(policykit_var_run_t)
  
  #######################################
  #
@@ -70195,6 +70212,8 @@ index ee91778..945a36f 100644
 +
 +logging_send_syslog_msg(policykit_t)
 +
++systemd_machined_read_pid_files(policykit_t)
++
  userdom_getattr_all_users(policykit_t)
  userdom_read_all_users_state(policykit_t)
 +userdom_dontaudit_search_admin_dir(policykit_t)
@@ -70207,7 +70226,7 @@ index ee91778..945a36f 100644
  	optional_policy(`
  		consolekit_dbus_chat(policykit_t)
  	')
-@@ -109,29 +109,43 @@ optional_policy(`
+@@ -109,29 +111,43 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -70259,7 +70278,7 @@ index ee91778..945a36f 100644
  
  rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
  
-@@ -145,65 +159,80 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+@@ -145,65 +161,80 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
  manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
  files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
  
@@ -70352,7 +70371,7 @@ index ee91778..945a36f 100644
  
  rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
  
-@@ -211,23 +240,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
+@@ -211,23 +242,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
  
  manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
  
@@ -70379,7 +70398,7 @@ index ee91778..945a36f 100644
  	optional_policy(`
  		consolekit_dbus_chat(policykit_grant_t)
  	')
-@@ -235,26 +261,28 @@ optional_policy(`
+@@ -235,26 +263,28 @@ optional_policy(`
  
  ########################################
  #
@@ -70414,7 +70433,7 @@ index ee91778..945a36f 100644
  userdom_read_all_users_state(policykit_resolve_t)
  
  optional_policy(`
-@@ -266,6 +294,6 @@ optional_policy(`
+@@ -266,6 +296,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -93560,7 +93579,7 @@ index 0000000..3e89d71
 +')
 diff --git a/sandboxX.te b/sandboxX.te
 new file mode 100644
-index 0000000..7a8e744
+index 0000000..c9449b4
 --- /dev/null
 +++ b/sandboxX.te
 @@ -0,0 +1,505 @@
@@ -93858,8 +93877,8 @@ index 0000000..7a8e744
 +userdom_use_user_ptys(sandbox_x_t)
 +
 +#1103622
-+corenet_tcp_connect_xserver_port(sandbox_x_t)
-+xserver_stream_connect(sandbox_x_t)
++corenet_tcp_connect_xserver_port(sandbox_x_domain)
++xserver_stream_connect(sandbox_x_domain)
 +
 +########################################
 +#
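Review bot: Replacing sandbox_x_t with the sandbox_x_domain attribute gives every sandbox X type `corenet_tcp_connect_xserver_port`, that is, outbound TCP connects to ports labeled as X server ports, on top of the Unix-socket access from `xserver_stream_connect`. If some of those types are meant to run without network access, this weakens their isolation, so it is worth checking whether `xserver_stream_connect(sandbox_x_domain)` alone resolves #1103622 while the TCP rule stays on the narrower type. If both are needed, the existing `#1103622` comment should say why TCP is required for all sandbox domains. Which types carry the attribute is not visible in this hunk.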
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 62f370b..b9d3761 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 151%{?dist}
+Release: 152%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -656,6 +656,17 @@ exit 0
 %endif
 
 %changelog
+* Thu Oct 08 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-152
+- Allow pcp_pmlogger to read system state. BZ(1258699)
+- Allow cupsd to connect on socket. BZ(1258089)
+- Allow named to bind on ephemeral ports. BZ(#1259766)
+- Allow iscsid create netlink iscsid sockets.
+- We need allow connect to xserver for all sandbox_x domain because we have one type for all sandbox processes.
+- Allow NetworkManager_t and policykit_t read access to systemd-machined pid files. #1255305
+- Add missing labeling for /usr/libexec/abrt-hook-ccpp as a part of #1245477 and #1242467 bugs.
+- Allow search dirs in sysfs types in kernel_read_security_state.
+- Fix kernel_read_security_state interface that source domain of this interface can search sysctl_fs_t dirs.
+
 * Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-151
 - Update modules_filetrans_named_content() to make sure we don't get modules_dep labeling by filename transitions.
 - Remove /usr/lib/modules/[^/]+/modules\..+ labeling