diff --git a/container-selinux.tgz b/container-selinux.tgz
index c34b771..08e4154 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 6bdaf0c..afa94bc 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1,3 +1,13 @@
+diff --git a/.gitmodules b/.gitmodules
+index 360bd03..e794aa3 100644
+--- a/.gitmodules
++++ b/.gitmodules
+@@ -1,3 +1,4 @@
+ [submodule "policy/modules/contrib"]
+ path = policy/modules/contrib
+- url = http://oss.tresys.com/git/refpolicy-contrib.git
++ url = https://github.com/fedora-selinux/selinux-policy-contrib
++ branch = rawhide
diff --git a/Makefile b/Makefile
index ec7b5cb..e2936c6 100644
--- a/Makefile
@@ -19165,7 +19175,7 @@ index 7be4ddf..9710b33 100644
+/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0)
+/sys/kernel/debug/.* <<none>>
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..342fb1e 100644
+index e100d88..d780b64 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@@ -19561,7 +19571,34 @@ index e100d88..342fb1e 100644
')
########################################
-@@ -2085,7 +2241,54 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2048,6 +2204,26 @@ interface(`kernel_read_rpc_sysctls',`
+ list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
+ ')
+
++
++########################################
++## <summary>
++## Read RPC sysctls.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`kernel_rw_rpc_sysctls_dirs',`
++ gen_require(`
++ type proc_t, proc_net_t, sysctl_rpc_t;
++ ')
++
++ rw_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Read and write RPC sysctls.
+@@ -2085,7 +2261,54 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -19617,7 +19654,7 @@ index e100d88..342fb1e 100644
')
########################################
-@@ -2282,6 +2485,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2505,25 @@ interface(`kernel_list_unlabeled',`
########################################
## <summary>
@@ -19643,7 +19680,7 @@ index e100d88..342fb1e 100644
## Read the process state (/proc/pid) of all unlabeled_t.
## </summary>
## <param name="domain">
-@@ -2306,7 +2528,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2548,7 @@ interface(`kernel_read_unlabeled_state',`
## </summary>
## <param name="domain">
## <summary>
@@ -19652,98 +19689,77 @@ index e100d88..342fb1e 100644
## </summary>
## </param>
#
-@@ -2488,6 +2710,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,21 +2730,39 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
## <summary>
+-## Do not audit attempts by caller to get attributes for
+-## unlabeled character devices.
+## Read and write unlabeled sockets.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`kernel_rw_unlabeled_socket',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:socket rw_socket_perms;
-+')
-+
-+########################################
-+## <summary>
- ## Do not audit attempts by caller to get attributes for
- ## unlabeled character devices.
- ## </summary>
-@@ -2525,7 +2765,7 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
-
- ########################################
- ## <summary>
--## Allow caller to relabel unlabeled files.
-+## Allow caller to relabel unlabeled filesystems.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -2533,18 +2773,17 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
- ## </summary>
- ## </param>
- #
--interface(`kernel_relabelfrom_unlabeled_files',`
-+interface(`kernel_relabelfrom_unlabeled_fs',`
- gen_require(`
- type unlabeled_t;
- ')
-
-- kernel_list_unlabeled($1)
-- allow $1 unlabeled_t:file { getattr relabelfrom };
-+ allow $1 unlabeled_t:filesystem relabelfrom;
- ')
-
- ########################################
- ## <summary>
--## Allow caller to relabel unlabeled symbolic links.
-+## Allow caller to relabel unlabeled files.
## </summary>
## <param name="domain">
## <summary>
-@@ -2552,13 +2791,32 @@ interface(`kernel_relabelfrom_unlabeled_files',`
+-## Domain to not audit.
++## Domain allowed access.
## </summary>
## </param>
#
--interface(`kernel_relabelfrom_unlabeled_symlinks',`
-+interface(`kernel_relabelfrom_unlabeled_files',`
+-interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
++interface(`kernel_rw_unlabeled_socket',`
gen_require(`
type unlabeled_t;
')
- kernel_list_unlabeled($1)
-- allow $1 unlabeled_t:lnk_file { getattr relabelfrom };
-+ allow $1 unlabeled_t:file { getattr relabelfrom };
+- dontaudit $1 unlabeled_t:chr_file getattr;
++ allow $1 unlabeled_t:socket rw_socket_perms;
+')
+
+########################################
+## <summary>
-+## Allow caller to relabel unlabeled symbolic links.
++## Do not audit attempts by caller to get attributes for
++## unlabeled character devices.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
-+interface(`kernel_relabelfrom_unlabeled_symlinks',`
++interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
-+ kernel_list_unlabeled($1)
-+ allow $1 unlabeled_t:lnk_file { getattr relabelfrom };
++ dontaudit $1 unlabeled_t:chr_file getattr;
')
########################################
-@@ -2667,6 +2925,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2525,6 +2785,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+
+ ########################################
+ ## <summary>
++## Allow caller to relabel unlabeled filesystems.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`kernel_relabelfrom_unlabeled_fs',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:filesystem relabelfrom;
++')
++
++########################################
++## <summary>
+ ## Allow caller to relabel unlabeled files.
+ ## </summary>
+ ## <param name="domain">
+@@ -2667,6 +2945,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
## <summary>
@@ -19768,7 +19784,7 @@ index e100d88..342fb1e 100644
## Receive TCP packets from an unlabeled connection.
## </summary>
## <desc>
-@@ -2694,6 +2970,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2694,6 +2990,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
## <summary>
@@ -19794,7 +19810,7 @@ index e100d88..342fb1e 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
## </summary>
-@@ -2803,6 +3098,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2803,6 +3118,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@@ -19828,7 +19844,7 @@ index e100d88..342fb1e 100644
########################################
## <summary>
-@@ -2958,6 +3280,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2958,6 +3300,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
## <summary>
@@ -19853,7 +19869,7 @@ index e100d88..342fb1e 100644
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
-@@ -2972,5 +3312,649 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3332,649 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -37802,7 +37818,7 @@ index 0000000..c814795
+fs_manage_kdbus_dirs(systemd_logind_t)
+fs_manage_kdbus_files(systemd_logind_t)
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c0..7b05663 100644
+index 73bb3c0..5d62107 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -1,3 +1,4 @@
@@ -37886,7 +37902,7 @@ index 73bb3c0..7b05663 100644
/usr/lib/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libGLdispatch/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libGLdispatch.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/ADM_plugins/videoFilter/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -43211,7 +43227,7 @@ index 3822072..d358162 100644
+ allow semanage_t $1:dbus send_msg;
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index dc46420..8d4ed0f 100644
+index dc46420..a86e9eb 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,16 @@ gen_require(`
@@ -43746,7 +43762,7 @@ index dc46420..8d4ed0f 100644
')
########################################
-@@ -522,111 +597,201 @@ ifdef(`distro_ubuntu',`
+@@ -522,111 +597,202 @@ ifdef(`distro_ubuntu',`
# Setfiles local policy
#
@@ -43911,6 +43927,7 @@ index dc46420..8d4ed0f 100644
+fs_getattr_all_files(setfiles_domain)
+fs_search_auto_mountpoints(setfiles_domain)
+fs_relabelfrom_noxattr_fs(setfiles_domain)
++fs_mount_tracefs(setfiles_domain)
+
+selinux_validate_context(setfiles_domain)
+selinux_compute_access_vector(setfiles_domain)
@@ -47071,10 +47088,10 @@ index 0000000..86e3d01
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..c6280dc
+index 0000000..0100a56
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,1017 @@
+@@ -0,0 +1,1018 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -48072,6 +48089,7 @@ index 0000000..c6280dc
+#
+
+allow systemd_bootchart_t self:capability2 wake_alarm;
++allow systemd_bootchart_t self:unix_dgram_socket create_socket_perms;
+
+kernel_dgram_send(systemd_bootchart_t)
+kernel_rw_kernel_sysctl(systemd_bootchart_t)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 2396b2b..30ee75e 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -12878,7 +12878,7 @@ index 85ca63f..1d1c99c 100644
admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
files_list_etc($1)
diff --git a/cgroup.te b/cgroup.te
-index 80a88a2..ec869f5 100644
+index 80a88a2..71c25c3 100644
--- a/cgroup.te
+++ b/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@@ -12906,7 +12906,7 @@ index 80a88a2..ec869f5 100644
domain_setpriority_all_domains(cgclear_t)
fs_manage_cgroup_dirs(cgclear_t)
-@@ -64,23 +66,25 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
+@@ -64,23 +66,26 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
kernel_list_unlabeled(cgconfig_t)
kernel_read_system_state(cgconfig_t)
@@ -12930,12 +12930,13 @@ index 80a88a2..ec869f5 100644
-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
++allow cgred_t self:netlink_connector_socket create_socket_perms;
+allow cgred_t cgconfig_etc_t:file read_file_perms;
allow cgred_t cgrules_etc_t:file read_file_perms;
allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-@@ -99,10 +103,11 @@ domain_setpriority_all_domains(cgred_t)
+@@ -99,10 +104,11 @@ domain_setpriority_all_domains(cgred_t)
files_getattr_all_files(cgred_t)
files_getattr_all_sockets(cgred_t)
files_read_all_symlinks(cgred_t)
@@ -14855,10 +14856,10 @@ index cc4e7cb..f348d27 100644
domain_system_change_exemption($1)
role_transition $2 cmirrord_initrc_exec_t system_r;
diff --git a/cmirrord.te b/cmirrord.te
-index bbdd396..8328b95 100644
+index bbdd396..28b1761 100644
--- a/cmirrord.te
+++ b/cmirrord.te
-@@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t)
+@@ -23,13 +23,14 @@ files_pid_file(cmirrord_var_run_t)
# Local policy
#
@@ -14867,7 +14868,14 @@ index bbdd396..8328b95 100644
dontaudit cmirrord_t self:capability sys_tty_config;
allow cmirrord_t self:process { setfscreate signal };
allow cmirrord_t self:fifo_file rw_fifo_file_perms;
-@@ -42,16 +42,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
+ allow cmirrord_t self:sem create_sem_perms;
+ allow cmirrord_t self:shm create_shm_perms;
+ allow cmirrord_t self:netlink_socket create_socket_perms;
++allow cmirrord_t self:netlink_connector_socket create_socket_perms;
+ allow cmirrord_t self:unix_stream_socket { accept listen };
+
+ manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+@@ -42,16 +43,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
domain_use_interactive_fds(cmirrord_t)
domain_obj_id_change_exemption(cmirrord_t)
@@ -30858,6 +30866,243 @@ index e5b15fb..220622e 100644
allow games_t self:process execmem;
')
+diff --git a/ganesha.fc b/ganesha.fc
+new file mode 100644
+index 0000000..c5982d5
+--- /dev/null
++++ b/ganesha.fc
+@@ -0,0 +1,11 @@
++/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:ganesha_exec_t,s0)
++
++/usr/lib/systemd/system/nfs-ganesha-config.* -- gen_context(system_u:object_r:ganesha_unit_file_t,s0)
++
++/usr/lib/systemd/system/nfs-ganesha-lock.* -- gen_context(system_u:object_r:ganesha_unit_file_t,s0)
++
++/usr/lib/systemd/system/nfs-ganesha.*e -- gen_context(system_u:object_r:ganesha_unit_file_t,s0)
++
++/var/log/ganesha.log -- gen_context(system_u:object_r:ganesha_var_log_t,s0)
++
++/var/run/ganesha(/.*)? gen_context(system_u:object_r:ganesha_var_run_t,s0)
+diff --git a/ganesha.if b/ganesha.if
+new file mode 100644
+index 0000000..d9ba5fa
+--- /dev/null
++++ b/ganesha.if
+@@ -0,0 +1,147 @@
++
++## <summary>policy for ganesha</summary>
++
++########################################
++## <summary>
++## Execute ganesha_exec_t in the ganesha domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ganesha_domtrans',`
++ gen_require(`
++ type ganesha_t, ganesha_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, ganesha_exec_t, ganesha_t)
++')
++
++######################################
++## <summary>
++## Execute ganesha in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ganesha_exec',`
++ gen_require(`
++ type ganesha_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, ganesha_exec_t)
++')
++########################################
++## <summary>
++## Read ganesha PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ganesha_read_pid_files',`
++ gen_require(`
++ type ganesha_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, ganesha_var_run_t, ganesha_var_run_t)
++')
++
++########################################
++## <summary>
++## Execute ganesha server in the ganesha domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ganesha_systemctl',`
++ gen_require(`
++ type ganesha_t;
++ type ganesha_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 ganesha_unit_file_t:file read_file_perms;
++ allow $1 ganesha_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, ganesha_t)
++')
++
++
++########################################
++## <summary>
++## Send and receive messages from
++## ganesha over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ganesha_dbus_chat',`
++ gen_require(`
++ type ganesha_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 ganesha_t:dbus send_msg;
++ allow ganesha_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an ganesha environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`ganesha_admin',`
++ gen_require(`
++ type ganesha_t;
++ type ganesha_var_run_t;
++ type ganesha_unit_file_t;
++ ')
++
++ allow $1 ganesha_t:process { signal_perms };
++ ps_process_pattern($1, ganesha_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ganesha_t:process ptrace;
++ ')
++
++ files_search_pids($1)
++ admin_pattern($1, ganesha_var_run_t)
++
++ ganesha_systemctl($1)
++ admin_pattern($1, ganesha_unit_file_t)
++ allow $1 ganesha_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/ganesha.te b/ganesha.te
+new file mode 100644
+index 0000000..20b9fcf
+--- /dev/null
++++ b/ganesha.te
+@@ -0,0 +1,61 @@
++policy_module(ganesha, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type ganesha_t;
++type ganesha_exec_t;
++init_daemon_domain(ganesha_t, ganesha_exec_t)
++
++permissive ganesha_t;
++
++type ganesha_var_log_t;
++logging_log_file(ganesha_var_log_t)
++
++type ganesha_var_run_t;
++files_pid_file(ganesha_var_run_t)
++
++type ganesha_unit_file_t;
++systemd_unit_file(ganesha_unit_file_t)
++
++########################################
++#
++# ganesha local policy
++#
++allow ganesha_t self:process { setcap setrlimit };
++allow ganesha_t self:fifo_file rw_fifo_file_perms;
++allow ganesha_t self:unix_stream_socket create_stream_socket_perms;
++allow ganesha_t self:tcp_socket { accept listen };
++
++manage_dirs_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
++manage_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
++manage_lnk_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
++files_pid_filetrans(ganesha_t, ganesha_var_run_t, { dir file lnk_file })
++
++manage_dirs_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t)
++manage_files_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t)
++logging_log_filetrans(ganesha_t, ganesha_var_log_t, { file dir })
++
++auth_use_nsswitch(ganesha_t)
++
++corenet_tcp_bind_nfs_port(ganesha_t)
++corenet_tcp_connect_generic_port(ganesha_t)
++corenet_udp_bind_nfs_port(ganesha_t)
++corenet_udp_bind_all_rpc_ports(ganesha_t)
++corenet_tcp_bind_all_rpc_ports(ganesha_t)
++
++logging_send_syslog_msg(ganesha_t)
++
++sysnet_dns_name_resolve(ganesha_t)
++
++optional_policy(`
++ dbus_system_bus_client(ganesha_t)
++ dbus_connect_system_bus(ganesha_t)
++')
++
++optional_policy(`
++ rpc_manage_nfs_state_data_dir(ganesha_t)
++ rpcbind_stream_connect(ganesha_t)
++')
diff --git a/gatekeeper.te b/gatekeeper.te
index 2820368..88c98f4 100644
--- a/gatekeeper.te
@@ -32165,10 +32410,10 @@ index 5cd0909..bd3c3d2 100644
+corenet_tcp_connect_glance_registry_port(glance_scrubber_t)
diff --git a/glusterd.fc b/glusterd.fc
new file mode 100644
-index 0000000..a3633cd
+index 0000000..9806f50
--- /dev/null
+++ b/glusterd.fc
-@@ -0,0 +1,29 @@
+@@ -0,0 +1,25 @@
+/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+
+/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
@@ -32184,20 +32429,16 @@ index 0000000..a3633cd
+/usr/libexec/glusterfs/peer_eventsapi.py -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+/usr/libexec/glusterfs/events/glustereventsd.py -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
-+/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
-+
+/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/var/lib/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_lib_t,s0)
+
+/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
-+/var/log/ganesha.log -- gen_context(system_u:object_r:glusterd_log_t,s0)
+
+/var/run/gluster(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0)
-+/var/run/ganesha.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
diff --git a/glusterd.if b/glusterd.if
new file mode 100644
index 0000000..764ae00
@@ -83507,7 +83748,7 @@ index da64218..3fb8575 100644
+ domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
')
diff --git a/quota.te b/quota.te
-index f47c8e8..d4e9042 100644
+index f47c8e8..af09c76 100644
--- a/quota.te
+++ b/quota.te
@@ -5,12 +5,10 @@ policy_module(quota, 1.6.0)
@@ -83602,7 +83843,7 @@ index f47c8e8..d4e9042 100644
')
optional_policy(`
-@@ -103,12 +102,12 @@ optional_policy(`
+@@ -103,12 +102,13 @@ optional_policy(`
#######################################
#
@@ -83613,11 +83854,12 @@ index f47c8e8..d4e9042 100644
allow quota_nld_t self:fifo_file rw_fifo_file_perms;
allow quota_nld_t self:netlink_socket create_socket_perms;
-allow quota_nld_t self:unix_stream_socket { accept listen };
++allow quota_nld_t self:netlink_generic_socket create_socket_perms;
+allow quota_nld_t self:unix_stream_socket create_stream_socket_perms;
manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t)
files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file })
-@@ -121,11 +120,9 @@ init_read_utmp(quota_nld_t)
+@@ -121,11 +121,9 @@ init_read_utmp(quota_nld_t)
logging_send_syslog_msg(quota_nld_t)
@@ -91112,7 +91354,7 @@ index 0bf13c2..ed393a0 100644
files_list_tmp($1)
admin_pattern($1, gssd_tmp_t)
diff --git a/rpc.te b/rpc.te
-index 2da9fca..a37f579 100644
+index 2da9fca..be1fab2 100644
--- a/rpc.te
+++ b/rpc.te
@@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
@@ -91316,7 +91558,7 @@ index 2da9fca..a37f579 100644
')
########################################
-@@ -202,41 +232,61 @@ optional_policy(`
+@@ -202,41 +232,62 @@ optional_policy(`
#
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
@@ -91334,6 +91576,7 @@ index 2da9fca..a37f579 100644
kernel_request_load_module(nfsd_t)
-# kernel_mounton_proc(nfsd_t)
+kernel_mounton_proc(nfsd_t)
++kernel_rw_rpc_sysctls_dirs(nfsd_t)
-corenet_sendrecv_nfs_server_packets(nfsd_t)
+corecmd_exec_shell(nfsd_t)
@@ -91388,7 +91631,7 @@ index 2da9fca..a37f579 100644
miscfiles_manage_public_files(nfsd_t)
')
-@@ -245,7 +295,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -245,7 +296,6 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
@@ -91396,7 +91639,7 @@ index 2da9fca..a37f579 100644
')
tunable_policy(`nfs_export_all_ro',`
-@@ -257,12 +306,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -257,12 +307,12 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
@@ -91411,7 +91654,7 @@ index 2da9fca..a37f579 100644
')
########################################
-@@ -270,7 +319,7 @@ optional_policy(`
+@@ -270,7 +320,7 @@ optional_policy(`
# GSSD local policy
#
@@ -91420,7 +91663,7 @@ index 2da9fca..a37f579 100644
allow gssd_t self:process { getsched setsched };
allow gssd_t self:fifo_file rw_fifo_file_perms;
-@@ -280,6 +329,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -280,6 +330,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@@ -91428,7 +91671,7 @@ index 2da9fca..a37f579 100644
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_request_load_module(gssd_t)
-@@ -288,25 +338,31 @@ kernel_signal(gssd_t)
+@@ -288,25 +339,31 @@ kernel_signal(gssd_t)
corecmd_exec_bin(gssd_t)
@@ -91463,7 +91706,7 @@ index 2da9fca..a37f579 100644
')
optional_policy(`
-@@ -314,9 +370,12 @@ optional_policy(`
+@@ -314,9 +371,12 @@ optional_policy(`
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5862875..72a0954 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 240%{?dist}
+Release: 241%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -675,6 +675,10 @@ exit 0
%endif
%changelog
+* Tue Feb 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-241
+- Remove ganesha from gluster module and create own module for ganesha
+- FIx label for /usr/lib/libGLdispatch.so.0.0.0
+
* Wed Feb 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-240
- Dontaudit xdm_t wake_alarm capability2
- Allow systemd_initctl_t to create and connect unix_dgram sockets