diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 2d6e729..402d0ff 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -8705,7 +8705,7 @@ index 6a1e4d1..84e8030 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..628d039 100644
+index cf04cb5..23627f4 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8842,7 +8842,7 @@ index cf04cb5..628d039 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +231,330 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +231,334 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -9153,6 +9153,10 @@ index cf04cb5..628d039 100644
 +dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
 +
 +optional_policy(`
++    rkhunter_append_lib_files(domain)
++')
++
++optional_policy(`
 +	rpm_rw_script_inherited_pipes(domain)
 +	rpm_use_fds(domain)
 +	rpm_read_pipes(domain)
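Review bot: `rkhunter_append_lib_files(domain)` grants append on rkhunter's lib files to every process domain, because `domain` is the attribute all domains carry; for a rootkit detector's on-disk data that is a wide grant, and the hunk does not show which process needs it. If a single caller triggers it (the cron.te hunk in the contrib patch already gives `system_cronjob_t` `rkhunter_manage_lib_files`), granting it to that domain, or a dontaudit if the write is a tolerated failure, would keep the rule narrow; a one-line comment naming the trigger would help either way. The new block is also indented with four spaces where the neighbouring `rpm_*` lines use a tab, as are the added lines in the cron.te, dbus.if and lldpad.te hunks of the contrib patch.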
@@ -15887,7 +15891,7 @@ index e100d88..6f745f0 100644
 +	allow $1 usermodehelper_t:file relabelto;
  ')
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..4b6c9ad 100644
+index 8dbab4c..b1a339b 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -15916,7 +15920,7 @@ index 8dbab4c..4b6c9ad 100644
  allow debugfs_t self:filesystem associate;
  genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
  
-@@ -95,9 +100,31 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
+@@ -95,9 +100,32 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
  type proc_mdstat_t, proc_type;
  genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
  
@@ -15939,6 +15943,7 @@ index 8dbab4c..4b6c9ad 100644
 +type usermodehelper_t, proc_type;
 +typealias usermodehelper_t alias sysctl_hotplug_t;
 +typealias usermodehelper_t alias sysctl_modprobe_t;
++dev_associate_sysfs(usermodehelper_t)
 +genfscon proc /sys/kernel/core_pattern gen_context(system_u:object_r:usermodehelper_t,s0)
 +genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:usermodehelper_t,s0)
 +genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:usermodehelper_t,s0)
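Review bot: `dev_associate_sysfs(usermodehelper_t)` only has an effect if some sysfs path is labeled usermodehelper_t, and the hunk shows only the proc genfscon entries for core_pattern, hotplug and modprobe. If a sysfs entry carries this type, a comment naming it next to the new line would justify the associate rule; if none does, the rule is unnecessary. Since these files select the helpers the kernel executes with full privilege, keeping this type's rules minimal and explained is worth the extra line.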
@@ -15948,7 +15953,7 @@ index 8dbab4c..4b6c9ad 100644
  type proc_xen_t, proc_type;
  files_mountpoint(proc_xen_t)
  genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
-@@ -133,14 +160,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
+@@ -133,14 +161,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
  type sysctl_kernel_t, sysctl_type;
  genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
  
@@ -15963,7 +15968,7 @@ index 8dbab4c..4b6c9ad 100644
  # /proc/sys/net directory and files
  type sysctl_net_t, sysctl_type;
  genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)
-@@ -153,6 +172,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
+@@ -153,6 +173,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
  type sysctl_vm_t, sysctl_type;
  genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
  
@@ -15974,7 +15979,7 @@ index 8dbab4c..4b6c9ad 100644
  # /proc/sys/dev directory and files
  type sysctl_dev_t, sysctl_type;
  genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
-@@ -165,6 +188,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
+@@ -165,6 +189,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
  type unlabeled_t;
  fs_associate(unlabeled_t)
  sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -15989,7 +15994,7 @@ index 8dbab4c..4b6c9ad 100644
  
  # These initial sids are no longer used, and can be removed:
  sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -189,6 +220,7 @@ sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+@@ -189,6 +221,7 @@ sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
  # kernel local policy
  #
  
@@ -15997,7 +16002,7 @@ index 8dbab4c..4b6c9ad 100644
  allow kernel_t self:capability ~sys_module;
  allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow kernel_t self:shm create_shm_perms;
-@@ -233,7 +265,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+@@ -233,7 +266,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
  corenet_in_generic_if(unlabeled_t)
  corenet_in_generic_node(unlabeled_t)
  
@@ -16005,7 +16010,7 @@ index 8dbab4c..4b6c9ad 100644
  corenet_all_recvfrom_netlabel(kernel_t)
  # Kernel-generated traffic e.g., ICMP replies:
  corenet_raw_sendrecv_all_if(kernel_t)
-@@ -244,17 +275,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
+@@ -244,17 +276,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
  corenet_tcp_sendrecv_all_nodes(kernel_t)
  corenet_raw_send_generic_node(kernel_t)
  corenet_send_all_packets(kernel_t)
@@ -16031,7 +16036,7 @@ index 8dbab4c..4b6c9ad 100644
  
  # Mount root file system. Used when loading a policy
  # from initrd, then mounting the root filesystem
-@@ -263,7 +298,8 @@ fs_unmount_all_fs(kernel_t)
+@@ -263,7 +299,8 @@ fs_unmount_all_fs(kernel_t)
  
  selinux_load_policy(kernel_t)
  
@@ -16041,7 +16046,7 @@ index 8dbab4c..4b6c9ad 100644
  
  corecmd_exec_shell(kernel_t)
  corecmd_list_bin(kernel_t)
-@@ -277,25 +313,49 @@ files_list_root(kernel_t)
+@@ -277,25 +314,49 @@ files_list_root(kernel_t)
  files_list_etc(kernel_t)
  files_list_home(kernel_t)
  files_read_usr_files(kernel_t)
@@ -16091,7 +16096,7 @@ index 8dbab4c..4b6c9ad 100644
  ')
  
  optional_policy(`
-@@ -305,6 +365,19 @@ optional_policy(`
+@@ -305,6 +366,19 @@ optional_policy(`
  
  optional_policy(`
  	logging_send_syslog_msg(kernel_t)
@@ -16111,7 +16116,7 @@ index 8dbab4c..4b6c9ad 100644
  ')
  
  optional_policy(`
-@@ -312,6 +385,11 @@ optional_policy(`
+@@ -312,6 +386,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16123,7 +16128,7 @@ index 8dbab4c..4b6c9ad 100644
  	# nfs kernel server needs kernel UDP access. It is less risky and painful
  	# to just give it everything.
  	allow kernel_t self:tcp_socket create_stream_socket_perms;
-@@ -332,9 +410,6 @@ optional_policy(`
+@@ -332,9 +411,6 @@ optional_policy(`
  
  	sysnet_read_config(kernel_t)
  
@@ -16133,7 +16138,7 @@ index 8dbab4c..4b6c9ad 100644
  	rpc_udp_rw_nfs_sockets(kernel_t)
  
  	tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +418,7 @@ optional_policy(`
+@@ -343,9 +419,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -16144,7 +16149,7 @@ index 8dbab4c..4b6c9ad 100644
  	')
  
  	tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +427,7 @@ optional_policy(`
+@@ -354,7 +428,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -16153,7 +16158,7 @@ index 8dbab4c..4b6c9ad 100644
  	')
  ')
  
-@@ -367,6 +440,15 @@ optional_policy(`
+@@ -367,6 +441,15 @@ optional_policy(`
  	unconfined_domain_noaudit(kernel_t)
  ')
  
@@ -16169,7 +16174,7 @@ index 8dbab4c..4b6c9ad 100644
  ########################################
  #
  # Unlabeled process local policy
-@@ -409,4 +491,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+@@ -409,4 +492,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
  allow kern_unconfined unlabeled_t:filesystem *;
  allow kern_unconfined unlabeled_t:association *;
  allow kern_unconfined unlabeled_t:packet *;
@@ -24190,7 +24195,7 @@ index 6bf0ecc..115c533 100644
 +	dontaudit $1 xserver_log_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..ef809dd 100644
+index 8b40377..39c8bbb 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,28 +26,59 @@ gen_require(`
@@ -24660,7 +24665,7 @@ index 8b40377..ef809dd 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -366,20 +526,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -366,20 +526,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -24675,6 +24680,7 @@ index 8b40377..ef809dd 100644
 +manage_lnk_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
  manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
 -logging_log_filetrans(xdm_t, xserver_log_t, file)
++files_var_filetrans(xdm_t, xserver_log_t, dir, "gdm")
  
  kernel_read_system_state(xdm_t)
 +kernel_read_device_sysctls(xdm_t)
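Review bot: `files_var_filetrans(xdm_t, xserver_log_t, dir, "gdm")` labels a `gdm` directory created directly under /var as xserver_log_t, while the `logging_log_filetrans` line beside it (removed by the inner patch) covered the log tree. If the intended location is /var/log/gdm, `logging_log_filetrans(xdm_t, xserver_log_t, dir, "gdm")` is the matching call; if /var/gdm is really what xdm creates, a short comment naming that path would stop the next reader from asking the same question.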
@@ -24692,7 +24698,7 @@ index 8b40377..ef809dd 100644
  corenet_all_recvfrom_netlabel(xdm_t)
  corenet_tcp_sendrecv_generic_if(xdm_t)
  corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -389,38 +558,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -389,38 +559,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -24746,7 +24752,7 @@ index 8b40377..ef809dd 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -431,9 +611,28 @@ files_list_mnt(xdm_t)
+@@ -431,9 +612,28 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -24775,7 +24781,7 @@ index 8b40377..ef809dd 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,28 +641,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +642,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -24824,7 +24830,7 @@ index 8b40377..ef809dd 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +688,144 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +689,144 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -24975,7 +24981,7 @@ index 8b40377..ef809dd 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -503,11 +839,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -503,11 +840,26 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -25002,7 +25008,7 @@ index 8b40377..ef809dd 100644
  ')
  
  optional_policy(`
-@@ -517,9 +868,34 @@ optional_policy(`
+@@ -517,9 +869,34 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(xdm_t)
  	dbus_connect_system_bus(xdm_t)
@@ -25038,7 +25044,7 @@ index 8b40377..ef809dd 100644
  	')
  ')
  
-@@ -530,6 +906,20 @@ optional_policy(`
+@@ -530,6 +907,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25059,7 +25065,7 @@ index 8b40377..ef809dd 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -547,28 +937,78 @@ optional_policy(`
+@@ -547,28 +938,78 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25147,7 +25153,7 @@ index 8b40377..ef809dd 100644
  ')
  
  optional_policy(`
-@@ -580,6 +1020,14 @@ optional_policy(`
+@@ -580,6 +1021,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25162,7 +25168,7 @@ index 8b40377..ef809dd 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,7 +1042,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1043,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
  type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
  
  allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -25171,7 +25177,7 @@ index 8b40377..ef809dd 100644
  
  # setuid/setgid for the wrapper program to change UID
  # sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1052,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1053,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -25184,7 +25190,7 @@ index 8b40377..ef809dd 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1069,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1070,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -25200,7 +25206,7 @@ index 8b40377..ef809dd 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1085,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1086,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
  filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
  
@@ -25211,7 +25217,7 @@ index 8b40377..ef809dd 100644
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1100,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1101,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -25248,7 +25254,7 @@ index 8b40377..ef809dd 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1146,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1147,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -25280,7 +25286,7 @@ index 8b40377..ef809dd 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -704,7 +1178,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -704,7 +1179,16 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -25298,7 +25304,7 @@ index 8b40377..ef809dd 100644
  mls_xwin_read_to_clearance(xserver_t)
  
  selinux_validate_context(xserver_t)
-@@ -718,20 +1201,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1202,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -25322,7 +25328,7 @@ index 8b40377..ef809dd 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1220,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1221,6 @@ userdom_setattr_user_ttys(xserver_t)
  userdom_read_user_tmp_files(xserver_t)
  userdom_rw_user_tmpfs_files(xserver_t)
  
@@ -25331,7 +25337,7 @@ index 8b40377..ef809dd 100644
  ifndef(`distro_redhat',`
  	allow xserver_t self:process { execmem execheap execstack };
  	domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1264,44 @@ optional_policy(`
+@@ -785,17 +1265,44 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25378,7 +25384,7 @@ index 8b40377..ef809dd 100644
  ')
  
  optional_policy(`
-@@ -803,6 +1309,10 @@ optional_policy(`
+@@ -803,6 +1310,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25389,7 +25395,7 @@ index 8b40377..ef809dd 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -818,10 +1328,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,10 +1329,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -25403,7 +25409,7 @@ index 8b40377..ef809dd 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -829,7 +1339,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -829,7 +1340,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -25412,7 +25418,7 @@ index 8b40377..ef809dd 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -842,26 +1352,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1353,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -25447,7 +25453,7 @@ index 8b40377..ef809dd 100644
  ')
  
  optional_policy(`
-@@ -912,7 +1417,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1418,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -25456,7 +25462,7 @@ index 8b40377..ef809dd 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -966,11 +1471,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1472,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -25488,7 +25494,7 @@ index 8b40377..ef809dd 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1517,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1518,150 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -39138,7 +39144,7 @@ index 0000000..1d9bdfd
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..e9b0d55
+index 0000000..1605309
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
 @@ -0,0 +1,659 @@
@@ -39359,7 +39365,7 @@ index 0000000..e9b0d55
 +# Local policy
 +#
 +
-+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
++allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override net_admin };
 +allow systemd_passwd_agent_t self:process { setsockcreate };
 +allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
 +
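Review bot: Adding `net_admin` to systemd_passwd_agent_t's self:capability allow is a broad grant for a password-prompt agent, and the next hunk does the same for systemd_tmpfiles_t. If the access is a probe the program tolerates failing, `dontaudit systemd_passwd_agent_t self:capability net_admin;` keeps the domain narrow, which is the route the abrt.te hunk in the contrib patch takes for the same capability; if it is genuinely needed, a comment naming the operation that requires it belongs next to the rule.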
@@ -39403,7 +39409,7 @@ index 0000000..e9b0d55
 +# Local policy
 +#
 +
-+allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod };
++allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod net_admin };
 +allow systemd_tmpfiles_t self:process { setfscreate };
 +
 +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 3c2bcc4..dbef4b0 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -531,7 +531,7 @@ index 058d908..70eb89d 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..517116e 100644
+index eb50f07..189ab37 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -653,7 +653,7 @@ index eb50f07..517116e 100644
 -allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
 -dontaudit abrt_t self:capability sys_rawio;
 +allow abrt_t self:capability { chown dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
-+dontaudit abrt_t self:capability { sys_rawio sys_ptrace };
++dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace };
  allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
 +
  allow abrt_t self:fifo_file rw_fifo_file_perms;
@@ -16445,7 +16445,7 @@ index 1303b30..72481a7 100644
 +    logging_log_filetrans($1, cron_log_t, $2, $3)
  ')
 diff --git a/cron.te b/cron.te
-index 7de3859..d8264c4 100644
+index 7de3859..ce147f1 100644
 --- a/cron.te
 +++ b/cron.te
 @@ -11,46 +11,46 @@ gen_require(`
@@ -17130,7 +17130,7 @@ index 7de3859..d8264c4 100644
  ')
  
  optional_policy(`
-@@ -598,7 +595,19 @@ optional_policy(`
+@@ -598,7 +595,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17147,10 +17147,14 @@ index 7de3859..d8264c4 100644
 +	prelink_manage_log(system_cronjob_t)
 +	prelink_read_cache(system_cronjob_t)
 +	prelink_relabel_lib(system_cronjob_t)
++')
++
++optional_policy(`
++    rkhunter_manage_lib_files(system_cronjob_t)
  ')
  
  optional_policy(`
-@@ -608,6 +617,7 @@ optional_policy(`
+@@ -608,6 +621,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_manage_lib_files(system_cronjob_t)
@@ -17158,7 +17162,7 @@ index 7de3859..d8264c4 100644
  ')
  
  optional_policy(`
-@@ -615,12 +625,24 @@ optional_policy(`
+@@ -615,12 +629,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17185,7 +17189,7 @@ index 7de3859..d8264c4 100644
  #
  
  allow cronjob_t self:process { signal_perms setsched };
-@@ -628,12 +650,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -628,12 +654,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
  allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
  allow cronjob_t self:unix_dgram_socket create_socket_perms;
  
@@ -17219,7 +17223,7 @@ index 7de3859..d8264c4 100644
  corenet_all_recvfrom_netlabel(cronjob_t)
  corenet_tcp_sendrecv_generic_if(cronjob_t)
  corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -641,66 +683,138 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -641,66 +687,138 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
  corenet_udp_sendrecv_generic_node(cronjob_t)
  corenet_tcp_sendrecv_all_ports(cronjob_t)
  corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -19215,7 +19219,7 @@ index dda905b..31f269b 100644
  /var/named/chroot/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 +')
 diff --git a/dbus.if b/dbus.if
-index 62d22cb..fefd4b4 100644
+index 62d22cb..4d3ed7b 100644
 --- a/dbus.if
 +++ b/dbus.if
 @@ -1,4 +1,4 @@
@@ -19224,16 +19228,33 @@ index 62d22cb..fefd4b4 100644
  
  ########################################
  ## <summary>
-@@ -19,7 +19,7 @@ interface(`dbus_stub',`
+@@ -19,7 +19,24 @@ interface(`dbus_stub',`
  
  ########################################
  ## <summary>
 -##	Role access for dbus.
++##	Execute dbus-daemon in the caller domain.
++## </summary>
++## <param name="domain" unused="true">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++#
++interface(`dbus_exec_dbusd',`
++	gen_require(`
++        type dbusd_exec_t;
++	')
++    can_exec($1, dbusd_exec_t)
++')
++
++########################################
++## <summary>
 +##	Role access for dbus
  ## </summary>
  ## <param name="role_prefix">
  ##	<summary>
-@@ -41,59 +41,68 @@ interface(`dbus_stub',`
+@@ -41,59 +58,68 @@ interface(`dbus_stub',`
  template(`dbus_role_template',`
  	gen_require(`
  		class dbus { send_msg acquire_svc };
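Review bot: The new `dbus_exec_dbusd` interface declares `<param name="domain" unused="true">` but its body uses the parameter in `can_exec($1, dbusd_exec_t)`, so the attribute is wrong and the line should read `<param name="domain">`. The body also mixes eight- and four-space indentation (`type dbusd_exec_t;`, `can_exec($1, dbusd_exec_t)`) with the tab-indented `gen_require` lines around it; tabs would match the rest of the file.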
@@ -19323,7 +19344,7 @@ index 62d22cb..fefd4b4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -103,65 +112,29 @@ template(`dbus_role_template',`
+@@ -103,65 +129,29 @@ template(`dbus_role_template',`
  #
  interface(`dbus_system_bus_client',`
  	gen_require(`
@@ -19398,7 +19419,7 @@ index 62d22cb..fefd4b4 100644
  ## </summary>
  ## <param name="role_prefix">
  ##	<summary>
-@@ -175,19 +148,21 @@ interface(`dbus_connect_all_session_bus',`
+@@ -175,19 +165,21 @@ interface(`dbus_connect_all_session_bus',`
  ##	</summary>
  ## </param>
  #
@@ -19425,7 +19446,7 @@ index 62d22cb..fefd4b4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -196,72 +171,23 @@ interface(`dbus_connect_spec_session_bus',`
+@@ -196,72 +188,23 @@ interface(`dbus_connect_spec_session_bus',`
  ## </param>
  #
  interface(`dbus_session_bus_client',`
@@ -19505,7 +19526,7 @@ index 62d22cb..fefd4b4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -270,59 +196,17 @@ interface(`dbus_spec_session_bus_client',`
+@@ -270,59 +213,17 @@ interface(`dbus_spec_session_bus_client',`
  ## </param>
  #
  interface(`dbus_send_session_bus',`
@@ -19567,21 +19588,23 @@ index 62d22cb..fefd4b4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -381,69 +265,32 @@ interface(`dbus_manage_lib_files',`
+@@ -381,69 +282,32 @@ interface(`dbus_manage_lib_files',`
  
  ########################################
  ## <summary>
 -##	Allow a application domain to be
 -##	started by the specified session bus.
--## </summary>
++##	Connect to the system DBUS
++##	for service (acquire_svc).
+ ## </summary>
 -## <param name="role_prefix">
 -##	<summary>
 -##	The prefix of the user role (e.g., user
 -##	is the prefix for user_r).
 -##	</summary>
 -## </param>
--## <param name="domain">
--##	<summary>
+ ## <param name="domain">
+ ##	<summary>
 -##	Type to be used as a domain.
 -##	</summary>
 -## </param>
@@ -19601,11 +19624,9 @@ index 62d22cb..fefd4b4 100644
 -## <summary>
 -##	Allow a application domain to be
 -##	started by the specified session bus.
-+##	Connect to the system DBUS
-+##	for service (acquire_svc).
- ## </summary>
- ## <param name="domain">
- ##	<summary>
+-## </summary>
+-## <param name="domain">
+-##	<summary>
 -##	Type to be used as a domain.
 -##	</summary>
 -## </param>
@@ -19648,7 +19669,7 @@ index 62d22cb..fefd4b4 100644
  ##	</summary>
  ## </param>
  ## <param name="domain">
-@@ -458,20 +305,21 @@ interface(`dbus_all_session_domain',`
+@@ -458,20 +322,21 @@ interface(`dbus_all_session_domain',`
  ##	</summary>
  ## </param>
  #
@@ -19674,7 +19695,7 @@ index 62d22cb..fefd4b4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -490,7 +338,7 @@ interface(`dbus_connect_system_bus',`
+@@ -490,7 +355,7 @@ interface(`dbus_connect_system_bus',`
  
  ########################################
  ## <summary>
@@ -19683,7 +19704,7 @@ index 62d22cb..fefd4b4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -509,7 +357,7 @@ interface(`dbus_send_system_bus',`
+@@ -509,7 +374,7 @@ interface(`dbus_send_system_bus',`
  
  ########################################
  ## <summary>
@@ -19692,7 +19713,7 @@ index 62d22cb..fefd4b4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -528,8 +376,8 @@ interface(`dbus_system_bus_unconfined',`
+@@ -528,8 +393,8 @@ interface(`dbus_system_bus_unconfined',`
  
  ########################################
  ## <summary>
@@ -19703,7 +19724,7 @@ index 62d22cb..fefd4b4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -544,33 +392,24 @@ interface(`dbus_system_bus_unconfined',`
+@@ -544,33 +409,24 @@ interface(`dbus_system_bus_unconfined',`
  #
  interface(`dbus_system_domain',`
  	gen_require(`
@@ -19741,7 +19762,7 @@ index 62d22cb..fefd4b4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -588,26 +427,25 @@ interface(`dbus_use_system_bus_fds',`
+@@ -588,26 +444,25 @@ interface(`dbus_use_system_bus_fds',`
  
  ########################################
  ## <summary>
@@ -19774,7 +19795,7 @@ index 62d22cb..fefd4b4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -615,10 +453,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+@@ -615,10 +470,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -25378,10 +25399,10 @@ index cf0e567..91d4dfb 100644
  userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
  userdom_use_user_terminals(fail2ban_client_t)
 diff --git a/fcoe.te b/fcoe.te
-index ce358fb..90e08d8 100644
+index ce358fb..aabd04f 100644
 --- a/fcoe.te
 +++ b/fcoe.te
-@@ -20,20 +20,20 @@ files_pid_file(fcoemon_var_run_t)
+@@ -20,25 +20,27 @@ files_pid_file(fcoemon_var_run_t)
  # Local policy
  #
  
@@ -25406,6 +25427,13 @@ index ce358fb..90e08d8 100644
  
  logging_send_syslog_msg(fcoemon_t)
  
+ miscfiles_read_localization(fcoemon_t)
+ 
++userdom_dgram_send(fcoemon_t)
++
+ optional_policy(`
+ 	lldpad_dgram_send(fcoemon_t)
+ ')
 diff --git a/fetchmail.fc b/fetchmail.fc
 index 133b8ee..a47a12f 100644
 --- a/fetchmail.fc
@@ -26532,7 +26560,7 @@ index 4498143..77bbcef 100644
  	ftp_run_ftpdctl($1, $2)
  ')
 diff --git a/ftp.te b/ftp.te
-index 36838c2..ab0eccc 100644
+index 36838c2..34b08ac 100644
 --- a/ftp.te
 +++ b/ftp.te
 @@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
@@ -26636,7 +26664,7 @@ index 36838c2..ab0eccc 100644
  miscfiles_read_public_files(ftpd_t)
  
  seutil_dontaudit_search_config(ftpd_t)
-@@ -259,32 +273,49 @@ sysnet_use_ldap(ftpd_t)
+@@ -259,32 +273,50 @@ sysnet_use_ldap(ftpd_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
  userdom_dontaudit_search_user_home_dirs(ftpd_t)
@@ -26662,6 +26690,7 @@ index 36838c2..ab0eccc 100644
 +tunable_policy(`ftpd_use_fusefs',`
 +        fs_manage_fusefs_dirs(ftpd_t)
 +        fs_manage_fusefs_files(ftpd_t)
++        fs_manage_fusefs_symlinks(ftpd_t)
 +',`
 +        fs_search_fusefs(ftpd_t)
 +')
@@ -26693,7 +26722,7 @@ index 36838c2..ab0eccc 100644
  ')
  
  tunable_policy(`ftpd_use_passive_mode',`
-@@ -304,22 +335,19 @@ tunable_policy(`ftpd_connect_db',`
+@@ -304,22 +336,19 @@ tunable_policy(`ftpd_connect_db',`
  	corenet_sendrecv_mssql_client_packets(ftpd_t)
  	corenet_tcp_connect_mssql_port(ftpd_t)
  	corenet_tcp_sendrecv_mssql_port(ftpd_t)
@@ -26721,7 +26750,7 @@ index 36838c2..ab0eccc 100644
  	userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
  ')
  
-@@ -363,9 +391,8 @@ optional_policy(`
+@@ -363,9 +392,8 @@ optional_policy(`
  
  optional_policy(`
  	selinux_validate_context(ftpd_t)
@@ -26732,7 +26761,7 @@ index 36838c2..ab0eccc 100644
  	kerberos_use(ftpd_t)
  ')
  
-@@ -416,21 +443,20 @@ optional_policy(`
+@@ -416,21 +444,20 @@ optional_policy(`
  #
  
  stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -26756,7 +26785,7 @@ index 36838c2..ab0eccc 100644
  
  miscfiles_read_public_files(anon_sftpd_t)
  
-@@ -443,23 +469,34 @@ tunable_policy(`sftpd_anon_write',`
+@@ -443,23 +470,34 @@ tunable_policy(`sftpd_anon_write',`
  # Sftpd local policy
  #
  
@@ -26797,7 +26826,7 @@ index 36838c2..ab0eccc 100644
  ')
  
  tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -481,21 +518,11 @@ tunable_policy(`sftpd_anon_write',`
+@@ -481,21 +519,11 @@ tunable_policy(`sftpd_anon_write',`
  tunable_policy(`sftpd_full_access',`
  	allow sftpd_t self:capability { dac_override dac_read_search };
  	fs_read_noxattr_fs_files(sftpd_t)
@@ -37589,7 +37618,7 @@ index 3602712..fc7b071 100644
 +	allow $1 slapd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ldap.te b/ldap.te
-index 4c2b111..8915138 100644
+index 4c2b111..6effd5f 100644
 --- a/ldap.te
 +++ b/ldap.te
 @@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
@@ -37602,6 +37631,15 @@ index 4c2b111..8915138 100644
  type slapd_keytab_t;
  files_type(slapd_keytab_t)
  
+@@ -49,7 +52,7 @@ files_pid_file(slapd_var_run_t)
+ 
+ allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
+ dontaudit slapd_t self:capability sys_tty_config;
+-allow slapd_t self:process setsched;
++allow slapd_t self:process { setsched signal } ;
+ allow slapd_t self:fifo_file rw_fifo_file_perms;
+ allow slapd_t self:tcp_socket { accept listen };
+ 
 @@ -93,7 +96,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
  kernel_read_system_state(slapd_t)
  kernel_read_kernel_sysctls(slapd_t)
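Review bot: The new rule `allow slapd_t self:process { setsched signal } ;` has a stray space before the terminating semicolon, which no other rule in this file has (compare the `sys_tty_config;` line directly above it). Write it as `allow slapd_t self:process { setsched signal };` so it matches the surrounding style. The slapd_t local-policy block continues outside this hunk.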
@@ -38089,7 +38127,7 @@ index d18c960..fb5b674 100644
  	domain_system_change_exemption($1)
  	role_transition $2 lldpad_initrc_exec_t system_r;
 diff --git a/lldpad.te b/lldpad.te
-index 2a491d9..db979c3 100644
+index 2a491d9..dcd3ae6 100644
 --- a/lldpad.te
 +++ b/lldpad.te
 @@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t)
@@ -38101,7 +38139,7 @@ index 2a491d9..db979c3 100644
  allow lldpad_t self:shm create_shm_perms;
  allow lldpad_t self:fifo_file rw_fifo_file_perms;
  allow lldpad_t self:unix_stream_socket { accept listen };
-@@ -51,11 +51,9 @@ kernel_request_load_module(lldpad_t)
+@@ -51,12 +51,14 @@ kernel_request_load_module(lldpad_t)
  
  dev_read_sysfs(lldpad_t)
  
@@ -38114,6 +38152,11 @@ index 2a491d9..db979c3 100644
  
  optional_policy(`
  	fcoe_dgram_send_fcoemon(lldpad_t)
+ ')
++
++optional_policy(`
++    networkmanager_dgram_send(lldpad_t)
++')
 diff --git a/loadkeys.te b/loadkeys.te
 index d2f4643..c8e6b37 100644
 --- a/loadkeys.te
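Review bot: The added `optional_policy` block indents `networkmanager_dgram_send(lldpad_t)` with four spaces, while the block it sits next to (`fcoe_dgram_send_fcoemon`) and the rest of lldpad.te use a tab. The same mismatch appears in the other additions of this diff: `iscsid_domtrans(NetworkManager_t)` in networkmanager.te, `cyrus_stream_connect(postfix_pipe_t)` in postfix.te, `rpm_signull(rhsmcertd_t)` in rhsmcertd.te, and the inverse case in networkmanager.if where the new `networkmanager_dgram_send` interface uses tabs beside interfaces added with four spaces. Normalising each new line to the indentation of its file keeps the patch from drifting further from the upstream formatting it is applied onto.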
@@ -38525,24 +38568,10 @@ index be0ab84..e4d6e6f 100644
  logging_read_all_logs(logrotate_mail_t)
 +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
 diff --git a/logwatch.te b/logwatch.te
-index ab65034..6f52140 100644
+index ab65034..ed34956 100644
 --- a/logwatch.te
 +++ b/logwatch.te
-@@ -6,6 +6,13 @@ policy_module(logwatch, 1.12.2)
- #
- 
- ## <desc>
-+## <p>
-+## Allow epylog to send mail
-+## </p>
-+## </desc>
-+gen_tunable(logwatch_can_sendmail, false)
-+
-+## <desc>
- ##	<p>
- ##	Determine whether logwatch can connect
- ##	to mail over the network.
-@@ -15,7 +22,8 @@ gen_tunable(logwatch_can_network_connect_mail, false)
+@@ -15,7 +15,8 @@ gen_tunable(logwatch_can_network_connect_mail, false)
  
  type logwatch_t;
  type logwatch_exec_t;
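Review bot: Dropping the `gen_tunable(logwatch_can_sendmail, false)` declaration from the patched logwatch.te leaves any remaining `tunable_policy(`logwatch_can_sendmail', ...)` block referencing an undeclared boolean, which fails at policy build time. The later logwatch.te hunks in this diff are only renumbered, so their bodies are not visible here and I cannot confirm whether such a reference survives; please check that every use of the tunable was removed alongside its declaration. If the intent is to keep the boolean but move it, the declaration should reappear elsewhere in the same change.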
@@ -38552,7 +38581,7 @@ index ab65034..6f52140 100644
  
  type logwatch_cache_t;
  files_type(logwatch_cache_t)
-@@ -45,7 +53,8 @@ allow logwatch_t self:unix_stream_socket { accept listen };
+@@ -45,7 +46,8 @@ allow logwatch_t self:unix_stream_socket { accept listen };
  manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
  manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
  
@@ -38562,7 +38591,7 @@ index ab65034..6f52140 100644
  files_lock_filetrans(logwatch_t, logwatch_lock_t, file)
  
  manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
-@@ -61,6 +70,11 @@ kernel_read_system_state(logwatch_t)
+@@ -61,6 +63,11 @@ kernel_read_system_state(logwatch_t)
  kernel_read_net_sysctls(logwatch_t)
  kernel_read_network_state(logwatch_t)
  
@@ -38574,7 +38603,7 @@ index ab65034..6f52140 100644
  corecmd_exec_bin(logwatch_t)
  corecmd_exec_shell(logwatch_t)
  
-@@ -75,10 +89,11 @@ files_list_var(logwatch_t)
+@@ -75,10 +82,11 @@ files_list_var(logwatch_t)
  files_search_all(logwatch_t)
  files_read_var_symlinks(logwatch_t)
  files_read_etc_runtime_files(logwatch_t)
@@ -38587,7 +38616,7 @@ index ab65034..6f52140 100644
  fs_dontaudit_list_auto_mountpoints(logwatch_t)
  fs_list_inotifyfs(logwatch_t)
  
-@@ -100,23 +115,14 @@ libs_read_lib_files(logwatch_t)
+@@ -100,23 +108,14 @@ libs_read_lib_files(logwatch_t)
  logging_read_all_logs(logwatch_t)
  logging_send_syslog_msg(logwatch_t) 
  
@@ -38611,7 +38640,7 @@ index ab65034..6f52140 100644
  	corenet_sendrecv_smtp_client_packets(logwatch_t)
  	corenet_tcp_connect_smtp_port(logwatch_t)
  	corenet_tcp_sendrecv_smtp_port(logwatch_t)
-@@ -160,6 +166,12 @@ optional_policy(`
+@@ -160,6 +159,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38624,7 +38653,7 @@ index ab65034..6f52140 100644
  	rpc_search_nfs_state_data(logwatch_t)
  ')
  
-@@ -187,6 +199,12 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -187,6 +192,12 @@ dev_read_sysfs(logwatch_mail_t)
  
  logging_read_all_logs(logwatch_mail_t)
  
@@ -49299,7 +49328,7 @@ index 94b9734..bb9c83e 100644
 +/var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --git a/networkmanager.if b/networkmanager.if
-index 86dc29d..5b73942 100644
+index 86dc29d..993ecf5 100644
 --- a/networkmanager.if
 +++ b/networkmanager.if
 @@ -2,7 +2,7 @@
@@ -49570,7 +49599,7 @@ index 86dc29d..5b73942 100644
  ##	</summary>
  ## </param>
  ## <param name="role">
-@@ -287,33 +370,113 @@ interface(`networkmanager_stream_connect',`
+@@ -287,33 +370,132 @@ interface(`networkmanager_stream_connect',`
  ## </param>
  ## <rolecap/>
  #
@@ -49635,9 +49664,7 @@ index 86dc29d..5b73942 100644
 +    gen_require(`
 +        type NetworkManager_var_lib_t;
 +    ')
- 
--	files_search_pids($1)
--	admin_pattern($1, NetworkManager_var_run_t)
++
 +    manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
 +')
 +
@@ -49661,6 +49688,26 @@ index 86dc29d..5b73942 100644
 +    allow $1 NetworkManager_t:lnk_file read_lnk_file_perms;
 +')
 +
++#######################################
++## <summary>
++##	Send to NetworkManager with a unix dgram socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`networkmanager_dgram_send',`
++	gen_require(`
++		type NetworkManager_t, NetworkManager_var_run_t;
++	')
+ 
+ 	files_search_pids($1)
+-	admin_pattern($1, NetworkManager_var_run_t)
++	dgram_send_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t)
++')
++
 +########################################
 +## <summary>
 +##	Transition to networkmanager named content
@@ -49705,7 +49752,7 @@ index 86dc29d..5b73942 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..c8ed2bd 100644
+index 55f2009..8562dec 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -9,15 +9,18 @@ type NetworkManager_t;
@@ -49959,7 +50006,7 @@ index 55f2009..c8ed2bd 100644
  	')
  ')
  
-@@ -231,18 +260,23 @@ optional_policy(`
+@@ -231,18 +260,27 @@ optional_policy(`
  	dnsmasq_kill(NetworkManager_t)
  	dnsmasq_signal(NetworkManager_t)
  	dnsmasq_signull(NetworkManager_t)
@@ -49982,11 +50029,15 @@ index 55f2009..c8ed2bd 100644
 +')
 +
 +optional_policy(`
++    iscsid_domtrans(NetworkManager_t)
++')
++
++optional_policy(`
 +    iodined_domtrans(NetworkManager_t)
  ')
  
  optional_policy(`
-@@ -250,6 +284,10 @@ optional_policy(`
+@@ -250,6 +288,10 @@ optional_policy(`
  	ipsec_kill_mgmt(NetworkManager_t)
  	ipsec_signal_mgmt(NetworkManager_t)
  	ipsec_signull_mgmt(NetworkManager_t)
@@ -49997,7 +50048,7 @@ index 55f2009..c8ed2bd 100644
  ')
  
  optional_policy(`
-@@ -257,11 +295,14 @@ optional_policy(`
+@@ -257,11 +299,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50014,7 +50065,7 @@ index 55f2009..c8ed2bd 100644
  ')
  
  optional_policy(`
-@@ -274,10 +315,17 @@ optional_policy(`
+@@ -274,10 +319,17 @@ optional_policy(`
  	nscd_signull(NetworkManager_t)
  	nscd_kill(NetworkManager_t)
  	nscd_initrc_domtrans(NetworkManager_t)
@@ -50032,7 +50083,7 @@ index 55f2009..c8ed2bd 100644
  ')
  
  optional_policy(`
-@@ -289,6 +337,7 @@ optional_policy(`
+@@ -289,6 +341,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50040,7 +50091,7 @@ index 55f2009..c8ed2bd 100644
  	policykit_domtrans_auth(NetworkManager_t)
  	policykit_read_lib(NetworkManager_t)
  	policykit_read_reload(NetworkManager_t)
-@@ -296,7 +345,7 @@ optional_policy(`
+@@ -296,7 +349,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50049,7 +50100,7 @@ index 55f2009..c8ed2bd 100644
  ')
  
  optional_policy(`
-@@ -307,6 +356,7 @@ optional_policy(`
+@@ -307,6 +360,7 @@ optional_policy(`
  	ppp_signal(NetworkManager_t)
  	ppp_signull(NetworkManager_t)
  	ppp_read_config(NetworkManager_t)
@@ -50057,7 +50108,7 @@ index 55f2009..c8ed2bd 100644
  ')
  
  optional_policy(`
-@@ -320,14 +370,20 @@ optional_policy(`
+@@ -320,14 +374,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50083,7 +50134,7 @@ index 55f2009..c8ed2bd 100644
  ')
  
  optional_policy(`
-@@ -357,6 +413,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -357,6 +417,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
  init_dontaudit_use_fds(wpa_cli_t)
  init_use_script_ptys(wpa_cli_t)
  
@@ -58462,7 +58513,7 @@ index d2fc677..ded726f 100644
  ')
 +
 diff --git a/pegasus.te b/pegasus.te
-index 608f454..a5787c2 100644
+index 608f454..7ba84e6 100644
 --- a/pegasus.te
 +++ b/pegasus.te
 @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@@ -58481,7 +58532,7 @@ index 608f454..a5787c2 100644
  type pegasus_cache_t;
  files_type(pegasus_cache_t)
  
-@@ -30,20 +29,293 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,297 @@ files_type(pegasus_mof_t)
  type pegasus_var_run_t;
  files_pid_file(pegasus_var_run_t)
  
@@ -58628,7 +58679,8 @@ index 608f454..a5787c2 100644
 +# pegasus openlmi system (networking) local policy
 +#
 +
-+allow pegasus_openlmi_system_t self:capability { net_admin };
++allow pegasus_openlmi_system_t self:capability { net_admin sys_boot };
++allow pegasus_openlmi_system_t self:process signal_perms;
 +
 +allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms;
 +
@@ -58637,6 +58689,8 @@ index 608f454..a5787c2 100644
 +dev_rw_sysfs(pegasus_openlmi_system_t)
 +dev_read_urand(pegasus_openlmi_system_t)
 +
++init_read_utmp(pegasus_openlmi_system_t)
++
 +systemd_config_power_services(pegasus_openlmi_system_t)
 +systemd_dbus_chat_logind(pegasus_openlmi_system_t)
 +
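Review bot: `allow pegasus_openlmi_system_t self:capability { net_admin sys_boot };` grants CAP_SYS_BOOT, which permits rebooting the host, a much stronger right than the `net_admin` it is added beside, and the hunk gives no reason for it. If it is required for OpenLMI's power-management path (this block already calls `systemd_config_power_services`), a one-line comment would keep a later audit from stripping it or copying it into other providers, e.g. `# sys_boot: OpenLMI system provider performs reboot/shutdown itself`. The pegasus_openlmi_system_t local-policy block continues outside this hunk.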
@@ -58708,6 +58762,7 @@ index 608f454..a5787c2 100644
 +
 +seutil_read_file_contexts(pegasus_openlmi_storage_t)
 +
++storage_raw_read_removable_device(pegasus_openlmi_storage_t)
 +storage_raw_read_fixed_disk(pegasus_openlmi_storage_t)
 +storage_raw_write_fixed_disk(pegasus_openlmi_storage_t)
 +
@@ -58780,7 +58835,7 @@ index 608f454..a5787c2 100644
  allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
  
  manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +326,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +330,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
  manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -58811,7 +58866,7 @@ index 608f454..a5787c2 100644
  
  kernel_read_network_state(pegasus_t)
  kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +352,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +356,21 @@ kernel_read_net_sysctls(pegasus_t)
  kernel_read_xen_state(pegasus_t)
  kernel_write_xen_state(pegasus_t)
  
@@ -58844,7 +58899,7 @@ index 608f454..a5787c2 100644
  
  corecmd_exec_bin(pegasus_t)
  corecmd_exec_shell(pegasus_t)
-@@ -114,9 +380,11 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,9 +384,11 @@ files_getattr_all_dirs(pegasus_t)
  
  auth_use_nsswitch(pegasus_t)
  auth_domtrans_chk_passwd(pegasus_t)
@@ -58856,7 +58911,7 @@ index 608f454..a5787c2 100644
  
  files_list_var_lib(pegasus_t)
  files_read_var_lib_files(pegasus_t)
-@@ -128,18 +396,29 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +400,29 @@ init_stream_connect_script(pegasus_t)
  logging_send_audit_msgs(pegasus_t)
  logging_send_syslog_msg(pegasus_t)
  
@@ -58892,7 +58947,7 @@ index 608f454..a5787c2 100644
  ')
  
  optional_policy(`
-@@ -151,16 +430,24 @@ optional_policy(`
+@@ -151,16 +434,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -58921,7 +58976,7 @@ index 608f454..a5787c2 100644
  ')
  
  optional_policy(`
-@@ -168,7 +455,7 @@ optional_policy(`
+@@ -168,7 +459,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -60062,10 +60117,10 @@ index 0000000..798efb6
 +')
 diff --git a/pki.te b/pki.te
 new file mode 100644
-index 0000000..d656f71
+index 0000000..5c64daf
 --- /dev/null
 +++ b/pki.te
-@@ -0,0 +1,271 @@
+@@ -0,0 +1,272 @@
 +policy_module(pki,10.0.11)
 +
 +########################################
@@ -60240,6 +60295,7 @@ index 0000000..d656f71
 +
 +corenet_tcp_bind_pki_ra_port(pki_ra_t)
 +# talk to other subsystems
++corenet_tcp_connect_http_port(pki_ra_t)
 +corenet_tcp_connect_pki_ca_port(pki_ra_t)
 +corenet_tcp_connect_smtp_port(pki_ra_t)
 +
@@ -60366,7 +60422,7 @@ index 735500f..2ba6832 100644
 -/var/spool/plymouth(/.*)?	gen_context(system_u:object_r:plymouthd_spool_t,s0)
 +/var/spool/plymouth(/.*)?		gen_context(system_u:object_r:plymouthd_spool_t,s0)
 diff --git a/plymouthd.if b/plymouthd.if
-index 30e751f..78fb7c6 100644
+index 30e751f..61feb3a 100644
 --- a/plymouthd.if
 +++ b/plymouthd.if
 @@ -1,4 +1,4 @@
@@ -60554,7 +60610,7 @@ index 30e751f..78fb7c6 100644
  	gen_require(`
  		type plymouthd_var_run_t;
  	')
-@@ -233,36 +228,113 @@ interface(`plymouthd_read_pid_files',`
+@@ -233,36 +228,112 @@ interface(`plymouthd_read_pid_files',`
  
  ########################################
  ## <summary>
@@ -60562,12 +60618,13 @@ index 30e751f..78fb7c6 100644
 -##	administrate an plymouthd environment.
 +##	Allow the specified domain to read
 +##	to plymouthd log files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="role">
 +#
 +interface(`plymouthd_read_log',`
 +	gen_require(`
@@ -60590,26 +60647,27 @@ index 30e751f..78fb7c6 100644
 +#
 +interface(`plymouthd_create_log',`
 +    gen_require(`
-+        type plymouthd_log_t;
++        type plymouthd_var_log_t;
 +    ')
 +
 +    logging_search_logs($1)
-+    create_files_pattern($1, plymouthd_log_t, plymouthd_log_t)
++    create_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
 +')
 +
-+
 +########################################
 +## <summary>
 +##	Allow the specified domain to manage
 +##	to plymouthd log files.
- ## </summary>
- ## <param name="domain">
++## </summary>
++## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+-##	Role allowed access.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
--## <param name="role">
-+#
+-## <rolecap/>
+ #
+-interface(`plymouthd_admin',`
 +interface(`plymouthd_manage_log',`
 +	gen_require(`
 +		type plymouthd_var_log_t;
@@ -60646,14 +60704,11 @@ index 30e751f..78fb7c6 100644
 +##	an plymouthd environment
 +## </summary>
 +## <param name="domain">
- ##	<summary>
--##	Role allowed access.
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`plymouthd_admin',`
++##	</summary>
++## </param>
++#
 +interface(`plymouthd_admin', `
  	gen_require(`
  		type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
@@ -63095,7 +63150,7 @@ index ded95ec..3cf7146 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
  ')
 diff --git a/postfix.te b/postfix.te
-index 5cfb83e..efec4cc 100644
+index 5cfb83e..ab42dca 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
@@ -63358,13 +63413,13 @@ index 5cfb83e..efec4cc 100644
 -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
 -setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
 -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")
-+kernel_read_all_sysctls(postfix_master_t)
- 
+-
 -can_exec(postfix_master_t, postfix_exec_t)
 -
 -domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
 -domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
--
++kernel_read_all_sysctls(postfix_master_t)
+ 
 -corenet_all_recvfrom_unlabeled(postfix_master_t)
  corenet_all_recvfrom_netlabel(postfix_master_t)
  corenet_tcp_sendrecv_generic_if(postfix_master_t)
@@ -63674,7 +63729,7 @@ index 5cfb83e..efec4cc 100644
  stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
  
  rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-@@ -532,16 +443,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+@@ -532,21 +443,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
  read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
  delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
  
@@ -63694,7 +63749,24 @@ index 5cfb83e..efec4cc 100644
  #
  
  allow postfix_pipe_t self:process setrlimit;
-@@ -584,19 +494,26 @@ optional_policy(`
+ 
+ write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
++write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
+ 
+ write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
+ 
+@@ -557,6 +468,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+ corecmd_exec_bin(postfix_pipe_t)
+ 
+ optional_policy(`
++    cyrus_stream_connect(postfix_pipe_t)
++')
++
++optional_policy(`
+ 	dovecot_domtrans_deliver(postfix_pipe_t)
+ ')
+ 
+@@ -584,19 +499,26 @@ optional_policy(`
  
  ########################################
  #
@@ -63726,7 +63798,7 @@ index 5cfb83e..efec4cc 100644
  
  term_dontaudit_use_all_ptys(postfix_postdrop_t)
  term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -611,10 +528,7 @@ optional_policy(`
+@@ -611,10 +533,7 @@ optional_policy(`
  	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
  ')
  
@@ -63738,7 +63810,7 @@ index 5cfb83e..efec4cc 100644
  optional_policy(`
  	fstools_read_pipes(postfix_postdrop_t)
  ')
-@@ -629,17 +543,24 @@ optional_policy(`
+@@ -629,17 +548,24 @@ optional_policy(`
  
  #######################################
  #
@@ -63766,7 +63838,7 @@ index 5cfb83e..efec4cc 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -655,69 +576,78 @@ optional_policy(`
+@@ -655,69 +581,78 @@ optional_policy(`
  
  ########################################
  #
@@ -63863,7 +63935,7 @@ index 5cfb83e..efec4cc 100644
  ')
  
  optional_policy(`
-@@ -730,29 +660,30 @@ optional_policy(`
+@@ -730,29 +665,30 @@ optional_policy(`
  
  ########################################
  #
@@ -63902,7 +63974,7 @@ index 5cfb83e..efec4cc 100644
  optional_policy(`
  	dovecot_stream_connect_auth(postfix_smtpd_t)
  	dovecot_stream_connect(postfix_smtpd_t)
-@@ -764,6 +695,7 @@ optional_policy(`
+@@ -764,6 +700,7 @@ optional_policy(`
  
  optional_policy(`
  	milter_stream_connect_all(postfix_smtpd_t)
@@ -63910,7 +63982,7 @@ index 5cfb83e..efec4cc 100644
  ')
  
  optional_policy(`
-@@ -774,31 +706,100 @@ optional_policy(`
+@@ -774,31 +711,100 @@ optional_policy(`
  	sasl_connect(postfix_smtpd_t)
  ')
  
@@ -76473,7 +76545,7 @@ index 6dbc905..4b17c93 100644
 -	admin_pattern($1, rhsmcertd_lock_t)
  ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a2..73051fc 100644
+index d32e1a2..64b5dee 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
 @@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t)
@@ -76494,7 +76566,7 @@ index d32e1a2..73051fc 100644
  
  manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
  files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
-@@ -52,23 +51,39 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+@@ -52,23 +51,40 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
  kernel_read_network_state(rhsmcertd_t)
  kernel_read_system_state(rhsmcertd_t)
  
@@ -76537,6 +76609,7 @@ index d32e1a2..73051fc 100644
 +
 +optional_policy(`
  	rpm_read_db(rhsmcertd_t)
++    rpm_signull(rhsmcertd_t)
  ')
 diff --git a/ricci.if b/ricci.if
 index 2ab3ed1..23d579c 100644
@@ -76927,6 +77000,68 @@ index 0ba2569..64a0237 100644
  
  optional_policy(`
  	ccs_stream_connect(ricci_modstorage_t)
+diff --git a/rkhunter.fc b/rkhunter.fc
+new file mode 100644
+index 0000000..645a9cc
+--- /dev/null
++++ b/rkhunter.fc
+@@ -0,0 +1 @@
++/var/lib/rkhunter(/.*)?         gen_context(system_u:object_r:rkhunter_var_lib_t,s0)
+diff --git a/rkhunter.if b/rkhunter.if
+new file mode 100644
+index 0000000..0be4cee
+--- /dev/null
++++ b/rkhunter.if
+@@ -0,0 +1,39 @@
++## <summary> policy for rkhunter </summary>
++
++########################################
++## <summary>
++##	Append rkhunter lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rkhunter_append_lib_files',`
++	gen_require(`
++		type rkhunter_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	append_files_pattern($1, rkhunter_var_lib_t, rkhunter_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage rkhunter lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rkhunter_manage_lib_files',`
++	gen_require(`
++		type rkhunter_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, rkhunter_var_lib_t, rkhunter_var_lib_t)
++')
+diff --git a/rkhunter.te b/rkhunter.te
+new file mode 100644
+index 0000000..aa2d09e
+--- /dev/null
++++ b/rkhunter.te
+@@ -0,0 +1,4 @@
++policy_module(rhhunter, 1.0)
++
++type rkhunter_var_lib_t;
++files_type(rkhunter_var_lib_t)
 diff --git a/rlogin.fc b/rlogin.fc
 index f111877..e361ee9 100644
 --- a/rlogin.fc
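Review bot: `policy_module(rhhunter, 1.0)` in the new rkhunter.te does not match the module's file names (rkhunter.fc, rkhunter.if, rkhunter.te), so the built module will declare itself as `rhhunter`; it should read `policy_module(rkhunter, 1.0)`. The single rkhunter.fc line also separates the path from `gen_context` with spaces instead of the tab used by the other .fc entries on this page. Since `/var/lib/rkhunter` is presumably where rkhunter keeps its stored scan state, `rkhunter_append_lib_files` is an integrity-relevant grant; its summary would be more useful if it said what callers are expected to append (for example log or database entries) rather than only "Append rkhunter lib files."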
@@ -81317,7 +81452,7 @@ index 50d07fb..bada62f 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 2b7c441..d06a165 100644
+index 2b7c441..71cbfc7 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
@@ -81484,7 +81619,14 @@ index 2b7c441..d06a165 100644
  
  type smbd_t;
  type smbd_exec_t;
-@@ -152,9 +135,10 @@ type smbd_var_run_t;
+@@ -148,13 +131,17 @@ files_type(smbd_keytab_t)
+ type smbd_tmp_t;
+ files_tmp_file(smbd_tmp_t)
+ 
++type smbd_tmpfs_t;
++files_tmpfs_file(smbd_tmpfs_t)
++
+ type smbd_var_run_t;
  files_pid_file(smbd_var_run_t)
  
  type smbmount_t;
@@ -81497,7 +81639,7 @@ index 2b7c441..d06a165 100644
  
  type swat_t;
  type swat_exec_t;
-@@ -173,28 +157,29 @@ type winbind_exec_t;
+@@ -173,28 +160,29 @@ type winbind_exec_t;
  init_daemon_domain(winbind_t, winbind_exec_t)
  
  type winbind_helper_t;
@@ -81535,7 +81677,7 @@ index 2b7c441..d06a165 100644
  
  allow samba_net_t samba_etc_t:file read_file_perms;
  
-@@ -210,17 +195,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+@@ -210,17 +198,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
  files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
  
@@ -81562,7 +81704,7 @@ index 2b7c441..d06a165 100644
  
  dev_read_urand(samba_net_t)
  
-@@ -233,15 +223,16 @@ auth_manage_cache(samba_net_t)
+@@ -233,15 +226,16 @@ auth_manage_cache(samba_net_t)
  
  logging_send_syslog_msg(samba_net_t)
  
@@ -81583,7 +81725,7 @@ index 2b7c441..d06a165 100644
  ')
  
  optional_policy(`
-@@ -249,46 +240,58 @@ optional_policy(`
+@@ -249,46 +243,58 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -81626,11 +81768,11 @@ index 2b7c441..d06a165 100644
  
 -allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull };
 +allow smbd_t nmbd_t:process { signal signull };
-+
-+allow smbd_t nmbd_var_run_t:file rw_file_perms;
-+stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
  
 -allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms };
++allow smbd_t nmbd_var_run_t:file rw_file_perms;
++stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
++
 +allow smbd_t samba_etc_t:file { rw_file_perms setattr };
  
  allow smbd_t smbd_keytab_t:file read_file_perms;
@@ -81654,7 +81796,7 @@ index 2b7c441..d06a165 100644
  manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
  allow smbd_t samba_share_t:filesystem { getattr quotaget };
  
-@@ -298,6 +301,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
+@@ -298,20 +304,26 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
  manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
  
@@ -81663,7 +81805,13 @@ index 2b7c441..d06a165 100644
  manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
  manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
  files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
-@@ -307,11 +312,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+ 
++manage_dirs_pattern(smbd_t, smbd_tmpfs_t, smbd_tmpfs_t)
++manage_files_pattern(smbd_t, smbd_tmpfs_t, smbd_tmpfs_t)
++fs_tmpfs_filetrans(smbd_t, smbd_tmpfs_t, { file dir })
++
+ manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
  
@@ -81679,7 +81827,7 @@ index 2b7c441..d06a165 100644
  
  kernel_getattr_core_if(smbd_t)
  kernel_getattr_message_if(smbd_t)
-@@ -321,43 +326,33 @@ kernel_read_kernel_sysctls(smbd_t)
+@@ -321,43 +333,33 @@ kernel_read_kernel_sysctls(smbd_t)
  kernel_read_software_raid_state(smbd_t)
  kernel_read_system_state(smbd_t)
  
@@ -81734,7 +81882,7 @@ index 2b7c441..d06a165 100644
  fs_getattr_all_fs(smbd_t)
  fs_getattr_all_dirs(smbd_t)
  fs_get_xattr_fs_quotas(smbd_t)
-@@ -366,44 +361,55 @@ fs_getattr_rpc_dirs(smbd_t)
+@@ -366,44 +368,55 @@ fs_getattr_rpc_dirs(smbd_t)
  fs_list_inotifyfs(smbd_t)
  fs_get_all_fs_quotas(smbd_t)
  
@@ -81801,7 +81949,7 @@ index 2b7c441..d06a165 100644
  ')
  
  tunable_policy(`samba_domain_controller',`
-@@ -419,20 +425,10 @@ tunable_policy(`samba_domain_controller',`
+@@ -419,20 +432,10 @@ tunable_policy(`samba_domain_controller',`
  ')
  
  tunable_policy(`samba_enable_home_dirs',`
@@ -81824,7 +81972,7 @@ index 2b7c441..d06a165 100644
  tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_dirs(smbd_t)
  	fs_manage_nfs_files(smbd_t)
-@@ -441,6 +437,7 @@ tunable_policy(`samba_share_nfs',`
+@@ -441,6 +444,7 @@ tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_named_sockets(smbd_t)
  ')
  
@@ -81832,7 +81980,7 @@ index 2b7c441..d06a165 100644
  tunable_policy(`samba_share_fusefs',`
  	fs_manage_fusefs_dirs(smbd_t)
  	fs_manage_fusefs_files(smbd_t)
-@@ -448,17 +445,6 @@ tunable_policy(`samba_share_fusefs',`
+@@ -448,17 +452,6 @@ tunable_policy(`samba_share_fusefs',`
  	fs_search_fusefs(smbd_t)
  ')
  
@@ -81850,7 +81998,7 @@ index 2b7c441..d06a165 100644
  optional_policy(`
  	ccs_read_config(smbd_t)
  ')
-@@ -466,6 +452,7 @@ optional_policy(`
+@@ -466,6 +459,7 @@ optional_policy(`
  optional_policy(`
  	ctdbd_stream_connect(smbd_t)
  	ctdbd_manage_lib_files(smbd_t)
@@ -81858,7 +82006,7 @@ index 2b7c441..d06a165 100644
  ')
  
  optional_policy(`
-@@ -479,6 +466,11 @@ optional_policy(`
+@@ -479,6 +473,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -81870,7 +82018,7 @@ index 2b7c441..d06a165 100644
  	lpd_exec_lpr(smbd_t)
  ')
  
-@@ -488,6 +480,10 @@ optional_policy(`
+@@ -488,6 +487,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -81881,7 +82029,7 @@ index 2b7c441..d06a165 100644
  	rpc_search_nfs_state_data(smbd_t)
  ')
  
-@@ -499,9 +495,33 @@ optional_policy(`
+@@ -499,9 +502,33 @@ optional_policy(`
  	udev_read_db(smbd_t)
  ')
  
@@ -81916,7 +82064,7 @@ index 2b7c441..d06a165 100644
  #
  
  dontaudit nmbd_t self:capability sys_tty_config;
-@@ -512,9 +532,11 @@ allow nmbd_t self:msg { send receive };
+@@ -512,9 +539,11 @@ allow nmbd_t self:msg { send receive };
  allow nmbd_t self:msgq create_msgq_perms;
  allow nmbd_t self:sem create_sem_perms;
  allow nmbd_t self:shm create_shm_perms;
@@ -81931,7 +82079,7 @@ index 2b7c441..d06a165 100644
  
  manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
  manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +548,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +555,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  
  manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -81955,7 +82103,7 @@ index 2b7c441..d06a165 100644
  
  kernel_getattr_core_if(nmbd_t)
  kernel_getattr_message_if(nmbd_t)
-@@ -548,52 +565,42 @@ kernel_read_network_state(nmbd_t)
+@@ -548,52 +572,42 @@ kernel_read_network_state(nmbd_t)
  kernel_read_software_raid_state(nmbd_t)
  kernel_read_system_state(nmbd_t)
  
@@ -82004,14 +82152,14 @@ index 2b7c441..d06a165 100644
 -
  userdom_use_unpriv_users_fds(nmbd_t)
 -userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
--
++userdom_dontaudit_search_user_home_dirs(nmbd_t)
+ 
 -tunable_policy(`samba_export_all_ro',`
 -	fs_read_noxattr_fs_files(nmbd_t)
 -	files_list_non_auth_dirs(nmbd_t)
 -	files_read_non_auth_files(nmbd_t)
 -')
-+userdom_dontaudit_search_user_home_dirs(nmbd_t)
- 
+-
 -tunable_policy(`samba_export_all_rw',`
 -	fs_read_noxattr_fs_files(nmbd_t)
 -	files_manage_non_auth_files(nmbd_t)
@@ -82022,7 +82170,7 @@ index 2b7c441..d06a165 100644
  ')
  
  optional_policy(`
-@@ -606,16 +613,22 @@ optional_policy(`
+@@ -606,16 +620,22 @@ optional_policy(`
  
  ########################################
  #
@@ -82030,7 +82178,7 @@ index 2b7c441..d06a165 100644
 +# smbcontrol local policy
  #
  
-+
++allow smbcontrol_t self:capability2 block_suspend;
  allow smbcontrol_t self:process signal;
 -allow smbcontrol_t self:fifo_file rw_fifo_file_perms;
 +# internal communication is often done using fifo and unix sockets.
@@ -82049,7 +82197,7 @@ index 2b7c441..d06a165 100644
  
  manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
  
-@@ -627,16 +640,11 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,16 +647,11 @@ domain_use_interactive_fds(smbcontrol_t)
  
  dev_read_urand(smbcontrol_t)
  
@@ -82067,7 +82215,7 @@ index 2b7c441..d06a165 100644
  
  optional_policy(`
  	ctdbd_stream_connect(smbcontrol_t)
-@@ -644,22 +652,23 @@ optional_policy(`
+@@ -644,22 +659,23 @@ optional_policy(`
  
  ########################################
  #
@@ -82099,7 +82247,7 @@ index 2b7c441..d06a165 100644
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
  
-@@ -668,26 +677,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +684,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
  
@@ -82135,7 +82283,7 @@ index 2b7c441..d06a165 100644
  
  fs_getattr_cifs(smbmount_t)
  fs_mount_cifs(smbmount_t)
-@@ -699,58 +704,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +711,77 @@ fs_read_cifs_files(smbmount_t)
  storage_raw_read_fixed_disk(smbmount_t)
  storage_raw_write_fixed_disk(smbmount_t)
  
@@ -82227,7 +82375,7 @@ index 2b7c441..d06a165 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +783,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +790,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
  manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
  files_pid_filetrans(swat_t, swat_var_run_t, file)
  
@@ -82251,7 +82399,7 @@ index 2b7c441..d06a165 100644
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -777,36 +797,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +804,25 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -82294,7 +82442,7 @@ index 2b7c441..d06a165 100644
  
  auth_domtrans_chk_passwd(swat_t)
  auth_use_nsswitch(swat_t)
-@@ -818,10 +827,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +834,11 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -82308,7 +82456,7 @@ index 2b7c441..d06a165 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -840,17 +850,20 @@ optional_policy(`
+@@ -840,17 +857,20 @@ optional_policy(`
  # Winbind local policy
  #
  
@@ -82334,7 +82482,7 @@ index 2b7c441..d06a165 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +873,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +880,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
  filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
  
  manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -82345,7 +82493,7 @@ index 2b7c441..d06a165 100644
  manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
  
  manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,23 +884,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,23 +891,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
  
  rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  
@@ -82375,7 +82523,7 @@ index 2b7c441..d06a165 100644
  manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
  
  kernel_read_network_state(winbind_t)
-@@ -898,13 +907,17 @@ kernel_read_system_state(winbind_t)
+@@ -898,13 +914,17 @@ kernel_read_system_state(winbind_t)
  
  corecmd_exec_bin(winbind_t)
  
@@ -82396,7 +82544,7 @@ index 2b7c441..d06a165 100644
  corenet_tcp_connect_smbd_port(winbind_t)
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,10 +925,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,10 +932,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
  dev_read_sysfs(winbind_t)
  dev_read_urand(winbind_t)
  
@@ -82407,7 +82555,7 @@ index 2b7c441..d06a165 100644
  
  fs_getattr_all_fs(winbind_t)
  fs_search_auto_mountpoints(winbind_t)
-@@ -924,26 +933,39 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -924,26 +940,39 @@ auth_domtrans_chk_passwd(winbind_t)
  auth_use_nsswitch(winbind_t)
  auth_manage_cache(winbind_t)
  
@@ -82449,7 +82597,7 @@ index 2b7c441..d06a165 100644
  ')
  
  optional_policy(`
-@@ -959,31 +981,29 @@ optional_policy(`
+@@ -959,31 +988,29 @@ optional_policy(`
  # Winbind helper local policy
  #
  
@@ -82487,7 +82635,7 @@ index 2b7c441..d06a165 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -997,25 +1017,38 @@ optional_policy(`
+@@ -997,25 +1024,38 @@ optional_policy(`
  
  ########################################
  #
@@ -85567,10 +85715,10 @@ index 3a9a70b..903109c 100644
  	logging_list_logs($1)
  	admin_pattern($1, setroubleshoot_var_log_t)
 diff --git a/setroubleshoot.te b/setroubleshoot.te
-index ce67935..b58792f 100644
+index ce67935..b3df839 100644
 --- a/setroubleshoot.te
 +++ b/setroubleshoot.te
-@@ -7,43 +7,50 @@ policy_module(setroubleshoot, 1.12.1)
+@@ -7,43 +7,52 @@ policy_module(setroubleshoot, 1.12.1)
  
  type setroubleshootd_t alias setroubleshoot_t;
  type setroubleshootd_exec_t;
@@ -85602,6 +85750,8 @@ index ce67935..b58792f 100644
  
  allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config };
 -allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal execmem execstack };
++dontaudit setroubleshootd_t self:capability net_admin;
++
 +allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
 +# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run
 +allow setroubleshootd_t self:process { execmem execstack };
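Review bot: The added `dontaudit setroubleshootd_t self:capability net_admin;` carries no comment about which operation triggers the request, and an unexplained dontaudit is exactly the kind of rule that later gets copied or turned into an allow. Elsewhere in this same update net_admin is tied to talking to journald, which points at a socket-buffer setsockopt that the kernel satisfies without the capability; if that is the cause here too, a comment such as `# net_admin is requested when the log socket buffer is raised; the call succeeds without it, so only silence the denial` would record the intent. If the trigger is something else, name it, because the answer decides whether dontaudit is the right shape. The setroubleshootd local policy continues outside this hunk.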
@@ -85632,7 +85782,7 @@ index ce67935..b58792f 100644
  manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
  manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
  manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
-@@ -61,14 +68,13 @@ corecmd_exec_bin(setroubleshootd_t)
+@@ -61,14 +70,13 @@ corecmd_exec_bin(setroubleshootd_t)
  corecmd_exec_shell(setroubleshootd_t)
  corecmd_read_all_executables(setroubleshootd_t)
  
@@ -85650,7 +85800,7 @@ index ce67935..b58792f 100644
  
  dev_read_urand(setroubleshootd_t)
  dev_read_sysfs(setroubleshootd_t)
-@@ -76,10 +82,9 @@ dev_getattr_all_blk_files(setroubleshootd_t)
+@@ -76,10 +84,9 @@ dev_getattr_all_blk_files(setroubleshootd_t)
  dev_getattr_all_chr_files(setroubleshootd_t)
  dev_getattr_mtrr_dev(setroubleshootd_t)
  
@@ -85662,7 +85812,7 @@ index ce67935..b58792f 100644
  files_list_all(setroubleshootd_t)
  files_getattr_all_files(setroubleshootd_t)
  files_getattr_all_pipes(setroubleshootd_t)
-@@ -109,27 +114,24 @@ init_read_utmp(setroubleshootd_t)
+@@ -109,27 +116,24 @@ init_read_utmp(setroubleshootd_t)
  init_dontaudit_write_utmp(setroubleshootd_t)
  
  libs_exec_ld_so(setroubleshootd_t)
@@ -85695,7 +85845,7 @@ index ce67935..b58792f 100644
  ')
  
  optional_policy(`
-@@ -137,10 +139,18 @@ optional_policy(`
+@@ -137,10 +141,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -85714,7 +85864,7 @@ index ce67935..b58792f 100644
  	rpm_exec(setroubleshootd_t)
  	rpm_signull(setroubleshootd_t)
  	rpm_read_db(setroubleshootd_t)
-@@ -150,26 +160,36 @@ optional_policy(`
+@@ -150,26 +162,36 @@ optional_policy(`
  
  ########################################
  #
@@ -85753,7 +85903,7 @@ index ce67935..b58792f 100644
  files_list_tmp(setroubleshoot_fixit_t)
  
  auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -177,23 +197,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -177,23 +199,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
  logging_send_audit_msgs(setroubleshoot_fixit_t)
  logging_send_syslog_msg(setroubleshoot_fixit_t)
  
@@ -86556,10 +86706,29 @@ index ca32e89..98278dd 100644
 +
  ')
 diff --git a/slpd.te b/slpd.te
-index 731512a..645dad6 100644
+index 731512a..4ce76cd 100644
 --- a/slpd.te
 +++ b/slpd.te
-@@ -50,6 +50,10 @@ corenet_sendrecv_svrloc_server_packets(slpd_t)
+@@ -23,7 +23,7 @@ files_pid_file(slpd_var_run_t)
+ # Local policy
+ #
+ 
+-allow slpd_t self:capability { kill setgid setuid };
++allow slpd_t self:capability { kill net_admin setgid setuid };
+ allow slpd_t self:process signal;
+ allow slpd_t self:fifo_file rw_fifo_file_perms;
+ allow slpd_t self:tcp_socket { accept listen };
+@@ -35,6 +35,9 @@ logging_log_filetrans(slpd_t, slpd_log_t, file)
+ manage_files_pattern(slpd_t, slpd_var_run_t, slpd_var_run_t)
+ files_pid_filetrans(slpd_t, slpd_var_run_t, file)
+ 
++kernel_read_system_state(slpd_t)
++kernel_read_network_state(slpd_t)
++
+ corenet_all_recvfrom_unlabeled(slpd_t)
+ corenet_all_recvfrom_netlabel(slpd_t)
+ corenet_tcp_sendrecv_generic_if(slpd_t)
+@@ -50,6 +53,12 @@ corenet_sendrecv_svrloc_server_packets(slpd_t)
  corenet_tcp_bind_svrloc_port(slpd_t)
  corenet_udp_bind_svrloc_port(slpd_t)
  
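Review bot: `allow slpd_t self:capability { kill net_admin setgid setuid };` hands CAP_NET_ADMIN to a service-location daemon that otherwise only needs to bind and send on the svrloc ports, and net_admin is a broad capability (interface, routing and socket-policy changes among other things). The same update adds syslog for slpd, and net_admin denials in that situation are commonly a socket-buffer setsockopt that the kernel fulfils without the capability; this very patch handles the identical request for setroubleshootd with a dontaudit. Unless slpd demonstrably fails without it, keep the line as `allow slpd_t self:capability { kill setgid setuid };` and add `dontaudit slpd_t self:capability net_admin;`, or put a comment above the rule naming the slpd operation that genuinely requires it. The new `kernel_read_system_state`/`kernel_read_network_state` calls look proportionate for a daemon enumerating interfaces.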
@@ -86570,6 +86739,8 @@ index 731512a..645dad6 100644
  auth_use_nsswitch(slpd_t)
  
 -miscfiles_read_localization(slpd_t)
++logging_send_syslog_msg(slpd_t)
++
 +sysnet_dns_name_resolve(slpd_t)
 diff --git a/slrnpull.te b/slrnpull.te
 index 59eb07f..4626942 100644
@@ -87249,11 +87420,13 @@ index cbfe369..6594af3 100644
  	files_search_var_lib($1)
 diff --git a/snapper.fc b/snapper.fc
 new file mode 100644
-index 0000000..3f412d5
+index 0000000..48c0623
 --- /dev/null
 +++ b/snapper.fc
-@@ -0,0 +1 @@
+@@ -0,0 +1,3 @@
 +/usr/sbin/snapperd		--	gen_context(system_u:object_r:snapperd_exec_t,s0)
++
++/var/log/snapper\.log.* --  gen_context(system_u:object_r:snapperd_log_t,s0)
 diff --git a/snapper.if b/snapper.if
 new file mode 100644
 index 0000000..94105ee
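Review bot: The only label added here is the log file, yet `snapperd_data_t`, which this patch declares in snapper.te with manage rules for dirs, files and symlinks, is assigned to no path in this file context, so nothing on disk will carry that type unless it is created through a type transition I cannot see. If snapperd keeps its snapshot metadata under a fixed directory, that directory should get an entry here (snapper's default snapshot location `/.snapshots` is the obvious candidate, but verify the path against the packaged configuration before labeling it) so the manage rules actually apply and the broad file access granted in the .te file can be narrowed. A second nit: the new line separates its fields with spaces while the existing entry uses tabs; align it with the file's tab layout.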
@@ -87304,10 +87477,10 @@ index 0000000..94105ee
 +')
 diff --git a/snapper.te b/snapper.te
 new file mode 100644
-index 0000000..ad232be
+index 0000000..3df20a6
 --- /dev/null
 +++ b/snapper.te
-@@ -0,0 +1,33 @@
+@@ -0,0 +1,56 @@
 +policy_module(snapper, 1.0.0)
 +
 +########################################
@@ -87319,6 +87492,12 @@ index 0000000..ad232be
 +type snapperd_exec_t;
 +init_daemon_domain(snapperd_t, snapperd_exec_t)
 +
++type snapperd_log_t;
++logging_log_file(snapperd_log_t)
++
++type snapperd_data_t;
++files_type(snapperd_data_t)
++
 +########################################
 +#
 +# snapperd local policy
@@ -87327,13 +87506,29 @@ index 0000000..ad232be
 +allow snapperd_t self:fifo_file rw_fifo_file_perms;
 +allow snapperd_t self:unix_stream_socket create_stream_socket_perms;
 +
++manage_files_pattern(snapperd_t, snapperd_log_t, snapperd_log_t)
++logging_log_filetrans(snapperd_t, snapperd_log_t, file)
++
++manage_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
++manage_dirs_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
++manage_lnk_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
++
++domain_read_all_domains_state(snapperd_t)
++
++corecmd_exec_shell(snapperd_t)
++corecmd_exec_bin(snapperd_t)
++
++files_read_all_files(snapperd_t)
++files_list_all(snapperd_t)
++
++fs_getattr_all_fs(snapperd_t)
++
 +storage_raw_read_fixed_disk(snapperd_t)
 +
 +auth_use_nsswitch(snapperd_t)
 +
-+miscfiles_read_localization(snapperd_t)
-+
 +optional_policy(`
++    dbus_system_domain(snapperd_t, snapperd_exec_t)
 +	dbus_system_bus_client(snapperd_t)
 +	dbus_connect_system_bus(snapperd_t)
 +')
@@ -87341,6 +87536,7 @@ index 0000000..ad232be
 +optional_policy(`
 +    mount_domtrans(snapperd_t)
 +')
++
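Review bot: `files_read_all_files(snapperd_t)`, combined with `files_list_all`, `domain_read_all_domains_state`, `corecmd_exec_shell`/`corecmd_exec_bin` and the existing `storage_raw_read_fixed_disk`, makes snapperd one of the most widely privileged daemons in this policy; as far as I recall the interface, files_read_all_files reaches every type carrying the file_type attribute, credential and configuration files included, not just snapshot content. If the reads exist to compare or serve snapshot contents, consider labeling those paths with the `snapperd_data_t` type declared earlier in this file so the all-files interface can be dropped, and at minimum state the reason in a comment, e.g. `# snapperd diffs arbitrary filesystem content between snapshots, hence read access to all file types`, so the rule is not widened further without one. The D-Bus block also mixes indentation: `    dbus_system_domain(snapperd_t, snapperd_exec_t)` uses four spaces where its sibling lines use a tab. The domain declarations and the remaining optional_policy block lie outside this hunk.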
 diff --git a/snmp.fc b/snmp.fc
 index 2f0a2f2..1569e33 100644
 --- a/snmp.fc
@@ -93321,10 +93517,10 @@ index 0000000..c1fd8b4
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..ed78f6f
+index 0000000..81e8be9
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,154 @@
+@@ -0,0 +1,155 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -93444,6 +93640,7 @@ index 0000000..ed78f6f
 +')
 +
 +optional_policy(`
++    dbus_exec_dbusd(thumb_t)
 +	dbus_dontaudit_stream_connect_session_bus(thumb_t)
 +	dbus_dontaudit_chat_session_bus(thumb_t)
 +')
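Review bot: `dbus_exec_dbusd(thumb_t)` lets the thumbnailer run dbus-daemon inside its own domain with no transition (going by the interface name), and the two dontaudit lines directly below it suggest the session bus is not actually reachable from thumb_t, so this reads like a D-Bus autolaunch attempt that is then allowed to fail quietly. If the goal is only to stop the exec denial from being logged, a dontaudit of the exec would be the narrower choice; if thumbnailers genuinely need to start a bus, say so above the rule, e.g. `# libdbus autolaunches a session bus from the thumbnailer; the exec is allowed, the connect/chat are dontaudited below`. Style: the new line is indented with four spaces while the adjacent lines use a tab. The enclosing optional_policy block is fully visible in this hunk.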
@@ -100137,10 +100334,10 @@ index 0000000..044be2f
 +')
 diff --git a/vmtools.te b/vmtools.te
 new file mode 100644
-index 0000000..7918651
+index 0000000..b4d2dac
 --- /dev/null
 +++ b/vmtools.te
-@@ -0,0 +1,27 @@
+@@ -0,0 +1,42 @@
 +policy_module(vmtools, 1.0.0)
 +
 +########################################
@@ -100155,17 +100352,32 @@ index 0000000..7918651
 +type vmtools_unit_file_t;
 +systemd_unit_file(vmtools_unit_file_t)
 +
++type vmtools_tmp_t;
++files_tmp_file(vmtools_tmp_t)
++
 +########################################
 +#
 +# vmtools local policy
 +#
++allow vmtools_t self:capability { sys_time sys_rawio };
 +allow vmtools_t self:fifo_file rw_fifo_file_perms;
 +allow vmtools_t self:unix_stream_socket create_stream_socket_perms;
 +allow vmtools_t self:unix_dgram_socket create_socket_perms;
 +
-+auth_use_nsswitch(vmtools_t)
++manage_dirs_pattern(vmtools_t, vmtools_tmp_t, vmtools_tmp_t)
++manage_files_pattern(vmtools_t, vmtools_tmp_t, vmtools_tmp_t)
++manage_lnk_files_pattern(vmtools_t, vmtools_tmp_t, vmtools_tmp_t)
++files_tmp_filetrans(vmtools_t, vmtools_tmp_t, { file dir })
++
++kernel_read_system_state(vmtools_t)
++kernel_read_network_state(vmtools_t)
++
++corecmd_exec_shell(vmtools_t)
 +
 +dev_read_urand(vmtools_t)
++dev_getattr_all_blk_files(vmtools_t)
++
++auth_use_nsswitch(vmtools_t)
 +
 +logging_send_syslog_msg(vmtools_t)
 diff --git a/vmware.if b/vmware.if
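Review bot: `allow vmtools_t self:capability { sys_time sys_rawio };` is the line to question: CAP_SYS_RAWIO is effectively root-equivalent (raw block device and I/O port access) and nothing in the hunk explains what vmtoolsd does with it. Paired with the new `dev_getattr_all_blk_files(vmtools_t)` it looks like a disk-probing ioctl, and such denials are frequently a probe that succeeds without the capability, in which case `dontaudit vmtools_t self:capability sys_rawio;` is the right shape. If it is genuinely required, justify each capability above the rule, e.g. `# sys_time: presumably guest clock sync with the hypervisor; sys_rawio: <device/ioctl it is needed for>`, so they are not carried forward on trust. `corecmd_exec_shell(vmtools_t)` also means any script the daemon runs inherits these capabilities in vmtools_t, which is worth stating in the same comment. The vmtools local policy block ends within this hunk.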
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ca49964..d2c5efd 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 18%{?dist}
+Release: 19%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -578,6 +578,45 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Jan 28 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-19
+- Add net_admin also for systemd_passwd_agent_t
+- Allow Associate usermodehelper_t to sysfs filesystem
+- Allow gdm to create /var/gdm with correct labeling
+- Allow domains to append rkhunterl lib files. #1057982
+- Allow systemd_tmpfiles_t net_admin to communicate with journald
+- update libs_filetrans_named_content() to have support for /usr/lib/debug directory
+- Adding a new service script to enable setcheckreqprot
+- Add interface to getattr on an isid_type for any type of file
+- Allow initrc_t domtrans to authconfig if unconfined is enabled
+- Add labeling for snapper.log
+- Allow tumbler to execute dbusd-daemon in thumb_t
+- Add dbus_exec_dbusd()
+- Add snapperd_data_t type
+- Add additional fixes for snapperd
+- FIx bad calling in samba.te
+- Allow smbd to create tmpfs
+- Allow rhsmcertd-worker send signull to rpm process
+- Allow net_admin capability and send system log msgs
+- Allow lldpad send dgram to NM
+- Add networkmanager_dgram_send()
+- rkhunter_var_lib_t is correct type
+- Allow openlmi-storage to read removable devices
+- Allow system cron jobs to manage rkhunter lib files
+- Add rkhunter_manage_lib_files()
+- Fix ftpd_use_fusefs boolean to allow manage also symlinks
+- Allow smbcontrob block_suspend cap2
+- Allow slpd to read network and system state info
+- Allow NM domtrans to iscsid_t if iscsiadm is executed
+- Allow slapd to send a signal itself
+- Allow sslget running as pki_ra_t to contact port 8443, the secure port of the CA.
+- Fix plymouthd_create_log() interface
+- Add rkhunter policy with files type definition for /var/lib/rkhunter until it is fixed in rkhunter package
+- Allow postfix and cyrus-imapd to work out of box
+- Remove logwatch_can_sendmail which is no longer used
+- Allow fcoemon to talk with unpriv user domain using unix_stream_socket
+- snapperd is D-Bus service
+- Allow OpenLMI PowerManagement to call 'systemctl --force reboot'
+
 * Fri Jan 24 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-18
 - Add haproxy_connect_any boolean
 - Allow haproxy also to use http cache port by default