diff --git a/container-selinux.tgz b/container-selinux.tgz
index 96dd93e..b1bd8aa 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 4b9c6c9..b7cc288 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -2201,7 +2201,7 @@ index c6ca761c9..0c86bfd54 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index c44c3592a..5038ed0d5 100644
+index c44c3592a..cba535365 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
@@ -2259,7 +2259,7 @@ index c44c3592a..5038ed0d5 100644
fs_getattr_xattr_fs(netutils_t)
-@@ -80,12 +86,12 @@ init_use_script_ptys(netutils_t)
+@@ -80,15 +86,19 @@ init_use_script_ptys(netutils_t)
auth_use_nsswitch(netutils_t)
@@ -2275,7 +2275,14 @@ index c44c3592a..5038ed0d5 100644
userdom_use_all_users_fds(netutils_t)
optional_policy(`
-@@ -110,11 +116,10 @@ allow ping_t self:capability { setuid net_raw };
++ kdump_dontaudit_inherited_kdumpctl_tmp_pipes(netutils_t)
++')
++
++optional_policy(`
+ nis_use_ypbind(netutils_t)
+ ')
+
+@@ -110,11 +120,10 @@ allow ping_t self:capability { setuid net_raw };
allow ping_t self:process { getcap setcap };
dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms;
@@ -2289,7 +2296,7 @@ index c44c3592a..5038ed0d5 100644
corenet_all_recvfrom_netlabel(ping_t)
corenet_tcp_sendrecv_generic_if(ping_t)
corenet_raw_sendrecv_generic_if(ping_t)
-@@ -124,6 +129,9 @@ corenet_raw_bind_generic_node(ping_t)
+@@ -124,6 +133,9 @@ corenet_raw_bind_generic_node(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)
fs_dontaudit_getattr_xattr_fs(ping_t)
@@ -2299,7 +2306,7 @@ index c44c3592a..5038ed0d5 100644
domain_use_interactive_fds(ping_t)
-@@ -131,14 +139,14 @@ files_read_etc_files(ping_t)
+@@ -131,14 +143,14 @@ files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t)
kernel_read_system_state(ping_t)
@@ -2318,7 +2325,7 @@ index c44c3592a..5038ed0d5 100644
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
-@@ -146,14 +154,29 @@ ifdef(`hide_broken_symptoms',`
+@@ -146,14 +158,29 @@ ifdef(`hide_broken_symptoms',`
optional_policy(`
nagios_dontaudit_rw_log(ping_t)
nagios_dontaudit_rw_pipes(ping_t)
@@ -2348,7 +2355,7 @@ index c44c3592a..5038ed0d5 100644
pcmcia_use_cardmgr_fds(ping_t)
')
-@@ -161,6 +184,15 @@ optional_policy(`
+@@ -161,6 +188,15 @@ optional_policy(`
hotplug_use_fds(ping_t)
')
@@ -2364,7 +2371,7 @@ index c44c3592a..5038ed0d5 100644
########################################
#
# Traceroute local policy
-@@ -174,7 +206,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
+@@ -174,7 +210,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
@@ -2372,7 +2379,7 @@ index c44c3592a..5038ed0d5 100644
corenet_all_recvfrom_netlabel(traceroute_t)
corenet_tcp_sendrecv_generic_if(traceroute_t)
corenet_udp_sendrecv_generic_if(traceroute_t)
-@@ -198,6 +229,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -198,6 +233,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
@@ -2380,7 +2387,7 @@ index c44c3592a..5038ed0d5 100644
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
-@@ -206,11 +238,17 @@ auth_use_nsswitch(traceroute_t)
+@@ -206,11 +242,17 @@ auth_use_nsswitch(traceroute_t)
logging_send_syslog_msg(traceroute_t)
@@ -3182,7 +3189,7 @@ index 99e3903ea..fa68362ea 100644
##
##
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1d732f1e7..d698fdd02 100644
+index 1d732f1e7..6a7c8001a 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t;
@@ -3313,7 +3320,7 @@ index 1d732f1e7..d698fdd02 100644
dontaudit groupadd_t self:capability { fsetid sys_tty_config };
allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow groupadd_t self:process { setrlimit setfscreate };
-@@ -212,8 +236,8 @@ selinux_compute_create_context(groupadd_t)
+@@ -212,17 +236,18 @@ selinux_compute_create_context(groupadd_t)
selinux_compute_relabel_context(groupadd_t)
selinux_compute_user_contexts(groupadd_t)
@@ -3324,7 +3331,8 @@ index 1d732f1e7..d698fdd02 100644
init_use_fds(groupadd_t)
init_read_utmp(groupadd_t)
-@@ -221,8 +245,8 @@ init_dontaudit_write_utmp(groupadd_t)
+ init_dontaudit_write_utmp(groupadd_t)
++init_dbus_chat(groupadd_t)
domain_use_interactive_fds(groupadd_t)
@@ -3334,7 +3342,7 @@ index 1d732f1e7..d698fdd02 100644
files_read_etc_runtime_files(groupadd_t)
files_read_usr_symlinks(groupadd_t)
-@@ -232,14 +256,14 @@ corecmd_exec_bin(groupadd_t)
+@@ -232,14 +257,14 @@ corecmd_exec_bin(groupadd_t)
logging_send_audit_msgs(groupadd_t)
logging_send_syslog_msg(groupadd_t)
@@ -3351,7 +3359,7 @@ index 1d732f1e7..d698fdd02 100644
auth_relabel_shadow(groupadd_t)
auth_etc_filetrans_shadow(groupadd_t)
-@@ -251,6 +275,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
+@@ -251,6 +276,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
userdom_dontaudit_search_user_home_dirs(groupadd_t)
optional_policy(`
@@ -3362,7 +3370,7 @@ index 1d732f1e7..d698fdd02 100644
dpkg_use_fds(groupadd_t)
dpkg_rw_pipes(groupadd_t)
')
-@@ -273,7 +301,7 @@ optional_policy(`
+@@ -273,7 +302,7 @@ optional_policy(`
# Passwd local policy
#
@@ -3371,7 +3379,7 @@ index 1d732f1e7..d698fdd02 100644
dontaudit passwd_t self:capability sys_tty_config;
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow passwd_t self:process { setrlimit setfscreate };
-@@ -288,6 +316,7 @@ allow passwd_t self:shm create_shm_perms;
+@@ -288,6 +317,7 @@ allow passwd_t self:shm create_shm_perms;
allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perms;
allow passwd_t self:msg { send receive };
@@ -3379,7 +3387,7 @@ index 1d732f1e7..d698fdd02 100644
allow passwd_t crack_db_t:dir list_dir_perms;
read_files_pattern(passwd_t, crack_db_t, crack_db_t)
-@@ -296,6 +325,7 @@ kernel_read_kernel_sysctls(passwd_t)
+@@ -296,6 +326,7 @@ kernel_read_kernel_sysctls(passwd_t)
# for SSP
dev_read_urand(passwd_t)
@@ -3387,7 +3395,7 @@ index 1d732f1e7..d698fdd02 100644
fs_getattr_xattr_fs(passwd_t)
fs_search_auto_mountpoints(passwd_t)
-@@ -310,26 +340,32 @@ selinux_compute_create_context(passwd_t)
+@@ -310,26 +341,32 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
@@ -3424,7 +3432,7 @@ index 1d732f1e7..d698fdd02 100644
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(passwd_t)
-@@ -338,12 +374,11 @@ init_use_fds(passwd_t)
+@@ -338,12 +375,11 @@ init_use_fds(passwd_t)
logging_send_audit_msgs(passwd_t)
logging_send_syslog_msg(passwd_t)
@@ -3438,7 +3446,7 @@ index 1d732f1e7..d698fdd02 100644
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
-@@ -352,6 +387,20 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -352,6 +388,20 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -3459,7 +3467,7 @@ index 1d732f1e7..d698fdd02 100644
optional_policy(`
nscd_run(passwd_t, passwd_roles)
-@@ -362,7 +411,7 @@ optional_policy(`
+@@ -362,7 +412,7 @@ optional_policy(`
# Password admin local policy
#
@@ -3468,7 +3476,7 @@ index 1d732f1e7..d698fdd02 100644
allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sysadm_passwd_t self:process { setrlimit setfscreate };
allow sysadm_passwd_t self:fd use;
-@@ -401,9 +450,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -401,9 +451,10 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
@@ -3481,7 +3489,7 @@ index 1d732f1e7..d698fdd02 100644
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -416,7 +466,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -416,7 +467,6 @@ files_read_usr_files(sysadm_passwd_t)
domain_use_interactive_fds(sysadm_passwd_t)
@@ -3489,7 +3497,7 @@ index 1d732f1e7..d698fdd02 100644
files_relabel_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t)
# for nscd lookups
-@@ -426,12 +475,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+@@ -426,12 +476,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(sysadm_passwd_t)
@@ -3502,7 +3510,7 @@ index 1d732f1e7..d698fdd02 100644
userdom_use_unpriv_users_fds(sysadm_passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
-@@ -446,8 +492,10 @@ optional_policy(`
+@@ -446,8 +493,10 @@ optional_policy(`
# Useradd local policy
#
@@ -3515,7 +3523,7 @@ index 1d732f1e7..d698fdd02 100644
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
allow useradd_t self:fd use;
-@@ -461,6 +509,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -461,6 +510,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
@@ -3526,7 +3534,7 @@ index 1d732f1e7..d698fdd02 100644
# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)
-@@ -468,29 +520,28 @@ corecmd_exec_shell(useradd_t)
+@@ -468,29 +521,28 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -3566,7 +3574,7 @@ index 1d732f1e7..d698fdd02 100644
auth_run_chk_passwd(useradd_t, useradd_roles)
auth_rw_lastlog(useradd_t)
-@@ -498,6 +549,7 @@ auth_rw_faillog(useradd_t)
+@@ -498,45 +550,50 @@ auth_rw_faillog(useradd_t)
auth_use_nsswitch(useradd_t)
# these may be unnecessary due to the above
# domtrans_chk_passwd() call.
@@ -3574,7 +3582,11 @@ index 1d732f1e7..d698fdd02 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
-@@ -508,35 +560,38 @@ init_rw_utmp(useradd_t)
+
+ init_use_fds(useradd_t)
+ init_rw_utmp(useradd_t)
++init_dbus_chat(useradd_t)
+
logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t)
@@ -3624,7 +3636,7 @@ index 1d732f1e7..d698fdd02 100644
')
optional_policy(`
-@@ -545,14 +600,27 @@ optional_policy(`
+@@ -545,14 +602,27 @@ optional_policy(`
')
optional_policy(`
@@ -3652,7 +3664,7 @@ index 1d732f1e7..d698fdd02 100644
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)
')
-@@ -562,3 +630,12 @@ optional_policy(`
+@@ -562,3 +632,12 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
@@ -42484,7 +42496,7 @@ index 9fe8e01e3..c62c76136 100644
/var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
')
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index fc28bc31b..e4b9a3bf0 100644
+index fc28bc31b..7ed7664fb 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -67,6 +67,27 @@ interface(`miscfiles_read_all_certs',`
@@ -42515,7 +42527,33 @@ index fc28bc31b..e4b9a3bf0 100644
## Read generic SSL certificates.
##
##
-@@ -106,6 +127,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
+@@ -88,6 +109,25 @@ interface(`miscfiles_read_generic_certs',`
+
+ ########################################
+ ##
++## mmap generic SSL certificates.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`miscfiles_map_generic_certs',`
++ gen_require(`
++ type cert_t;
++ ')
++
++ allow $1 cert_t:file map;
++')
++
++########################################
++##
+ ## Manage generic SSL certificates.
+ ##
+ ##
+@@ -106,6 +146,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
########################################
##
@@ -42540,7 +42578,7 @@ index fc28bc31b..e4b9a3bf0 100644
## Manage generic SSL certificates.
##
##
-@@ -121,7 +160,7 @@ interface(`miscfiles_manage_generic_cert_files',`
+@@ -121,7 +179,7 @@ interface(`miscfiles_manage_generic_cert_files',`
')
manage_files_pattern($1, cert_t, cert_t)
@@ -42549,7 +42587,7 @@ index fc28bc31b..e4b9a3bf0 100644
')
########################################
-@@ -156,6 +195,26 @@ interface(`miscfiles_manage_cert_dirs',`
+@@ -156,6 +214,26 @@ interface(`miscfiles_manage_cert_dirs',`
########################################
##
@@ -42576,7 +42614,7 @@ index fc28bc31b..e4b9a3bf0 100644
## Manage SSL certificates.
##
##
-@@ -191,6 +250,7 @@ interface(`miscfiles_read_fonts',`
+@@ -191,6 +269,7 @@ interface(`miscfiles_read_fonts',`
allow $1 fonts_t:dir list_dir_perms;
read_files_pattern($1, fonts_t, fonts_t)
@@ -42584,7 +42622,7 @@ index fc28bc31b..e4b9a3bf0 100644
read_lnk_files_pattern($1, fonts_t, fonts_t)
allow $1 fonts_cache_t:dir list_dir_perms;
-@@ -414,6 +474,7 @@ interface(`miscfiles_read_localization',`
+@@ -414,6 +493,7 @@ interface(`miscfiles_read_localization',`
allow $1 locale_t:dir list_dir_perms;
read_files_pattern($1, locale_t, locale_t)
read_lnk_files_pattern($1, locale_t, locale_t)
@@ -42592,7 +42630,7 @@ index fc28bc31b..e4b9a3bf0 100644
')
########################################
-@@ -434,6 +495,7 @@ interface(`miscfiles_rw_localization',`
+@@ -434,6 +514,7 @@ interface(`miscfiles_rw_localization',`
files_search_usr($1)
allow $1 locale_t:dir list_dir_perms;
rw_files_pattern($1, locale_t, locale_t)
@@ -42600,7 +42638,7 @@ index fc28bc31b..e4b9a3bf0 100644
')
########################################
-@@ -453,6 +515,7 @@ interface(`miscfiles_relabel_localization',`
+@@ -453,6 +534,7 @@ interface(`miscfiles_relabel_localization',`
files_search_usr($1)
relabel_files_pattern($1, locale_t, locale_t)
@@ -42608,7 +42646,7 @@ index fc28bc31b..e4b9a3bf0 100644
')
########################################
-@@ -470,7 +533,6 @@ interface(`miscfiles_legacy_read_localization',`
+@@ -470,7 +552,6 @@ interface(`miscfiles_legacy_read_localization',`
type locale_t;
')
@@ -42616,7 +42654,7 @@ index fc28bc31b..e4b9a3bf0 100644
allow $1 locale_t:file execute;
')
-@@ -531,6 +593,10 @@ interface(`miscfiles_read_man_pages',`
+@@ -531,6 +612,10 @@ interface(`miscfiles_read_man_pages',`
allow $1 { man_cache_t man_t }:dir list_dir_perms;
read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
@@ -42627,7 +42665,7 @@ index fc28bc31b..e4b9a3bf0 100644
')
########################################
-@@ -554,6 +620,29 @@ interface(`miscfiles_delete_man_pages',`
+@@ -554,6 +639,29 @@ interface(`miscfiles_delete_man_pages',`
delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
@@ -42657,7 +42695,7 @@ index fc28bc31b..e4b9a3bf0 100644
')
########################################
-@@ -622,6 +711,30 @@ interface(`miscfiles_manage_man_cache',`
+@@ -622,6 +730,30 @@ interface(`miscfiles_manage_man_cache',`
########################################
##
@@ -42688,7 +42726,7 @@ index fc28bc31b..e4b9a3bf0 100644
## Read public files used for file
## transfer services.
##
-@@ -784,8 +897,11 @@ interface(`miscfiles_etc_filetrans_localization',`
+@@ -784,8 +916,11 @@ interface(`miscfiles_etc_filetrans_localization',`
type locale_t;
')
@@ -42702,7 +42740,7 @@ index fc28bc31b..e4b9a3bf0 100644
')
########################################
-@@ -809,3 +925,61 @@ interface(`miscfiles_manage_localization',`
+@@ -809,3 +944,61 @@ interface(`miscfiles_manage_localization',`
manage_lnk_files_pattern($1, locale_t, locale_t)
')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 59f9fbf..9809300 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -5579,7 +5579,7 @@ index f6eb4851f..fe461a3fc 100644
+ ps_process_pattern(httpd_t, $1)
')
diff --git a/apache.te b/apache.te
-index 6649962b6..6dd10dd7d 100644
+index 6649962b6..a6b4312e6 100644
--- a/apache.te
+++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@@ -6297,7 +6297,7 @@ index 6649962b6..6dd10dd7d 100644
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -450,140 +570,177 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -450,140 +570,178 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -6419,6 +6419,7 @@ index 6649962b6..6dd10dd7d 100644
miscfiles_read_fonts(httpd_t)
miscfiles_read_public_files(httpd_t)
miscfiles_read_generic_certs(httpd_t)
++miscfiles_map_generic_certs(httpd_t)
miscfiles_read_tetex_data(httpd_t)
-
-seutil_dontaudit_search_config(httpd_t)
@@ -6539,7 +6540,7 @@ index 6649962b6..6dd10dd7d 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -594,28 +751,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -594,28 +752,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -6599,7 +6600,7 @@ index 6649962b6..6dd10dd7d 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +803,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +804,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -6702,7 +6703,7 @@ index 6649962b6..6dd10dd7d 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -695,49 +862,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,49 +863,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -6783,7 +6784,7 @@ index 6649962b6..6dd10dd7d 100644
')
optional_policy(`
-@@ -749,24 +915,32 @@ optional_policy(`
+@@ -749,24 +916,32 @@ optional_policy(`
')
optional_policy(`
@@ -6822,7 +6823,7 @@ index 6649962b6..6dd10dd7d 100644
')
optional_policy(`
-@@ -775,6 +949,10 @@ optional_policy(`
+@@ -775,6 +950,10 @@ optional_policy(`
tunable_policy(`httpd_dbus_avahi',`
avahi_dbus_chat(httpd_t)
')
@@ -6833,7 +6834,7 @@ index 6649962b6..6dd10dd7d 100644
')
optional_policy(`
-@@ -786,35 +964,62 @@ optional_policy(`
+@@ -786,35 +965,62 @@ optional_policy(`
')
optional_policy(`
@@ -6909,7 +6910,7 @@ index 6649962b6..6dd10dd7d 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -822,8 +1027,31 @@ optional_policy(`
+@@ -822,8 +1028,31 @@ optional_policy(`
')
optional_policy(`
@@ -6941,7 +6942,7 @@ index 6649962b6..6dd10dd7d 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -832,6 +1060,8 @@ optional_policy(`
+@@ -832,6 +1061,8 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -6950,7 +6951,7 @@ index 6649962b6..6dd10dd7d 100644
')
optional_policy(`
-@@ -842,20 +1072,48 @@ optional_policy(`
+@@ -842,20 +1073,48 @@ optional_policy(`
')
optional_policy(`
@@ -7005,7 +7006,7 @@ index 6649962b6..6dd10dd7d 100644
')
optional_policy(`
-@@ -863,16 +1121,31 @@ optional_policy(`
+@@ -863,16 +1122,31 @@ optional_policy(`
')
optional_policy(`
@@ -7039,7 +7040,7 @@ index 6649962b6..6dd10dd7d 100644
')
optional_policy(`
-@@ -883,65 +1156,189 @@ optional_policy(`
+@@ -883,65 +1157,189 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -7251,7 +7252,7 @@ index 6649962b6..6dd10dd7d 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -950,123 +1347,75 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1348,75 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -7405,7 +7406,7 @@ index 6649962b6..6dd10dd7d 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1432,107 @@ optional_policy(`
+@@ -1083,172 +1433,107 @@ optional_policy(`
')
')
@@ -7643,7 +7644,7 @@ index 6649962b6..6dd10dd7d 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1540,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1541,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -7741,7 +7742,7 @@ index 6649962b6..6dd10dd7d 100644
########################################
#
-@@ -1321,8 +1615,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1616,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -7758,7 +7759,7 @@ index 6649962b6..6dd10dd7d 100644
')
########################################
-@@ -1330,49 +1631,41 @@ optional_policy(`
+@@ -1330,49 +1632,41 @@ optional_policy(`
# User content local policy
#
@@ -7825,7 +7826,7 @@ index 6649962b6..6dd10dd7d 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1675,109 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1676,109 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -9912,7 +9913,7 @@ index 531a8f244..3fcf18722 100644
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
-index 124112346..73543d306 100644
+index 124112346..57a8b4484 100644
--- a/bind.te
+++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -9991,7 +9992,7 @@ index 124112346..73543d306 100644
corenet_tcp_bind_rndc_port(named_t)
corenet_tcp_sendrecv_rndc_port(named_t)
-@@ -141,9 +150,13 @@ corenet_sendrecv_all_client_packets(named_t)
+@@ -141,13 +150,18 @@ corenet_sendrecv_all_client_packets(named_t)
corenet_tcp_connect_all_ports(named_t)
corenet_tcp_sendrecv_all_ports(named_t)
@@ -10005,7 +10006,12 @@ index 124112346..73543d306 100644
domain_use_interactive_fds(named_t)
-@@ -175,6 +188,19 @@ tunable_policy(`named_write_master_zones',`
+ files_read_etc_runtime_files(named_t)
++files_mmap_usr_files(named_t)
+
+ fs_getattr_all_fs(named_t)
+ fs_search_auto_mountpoints(named_t)
+@@ -175,6 +189,19 @@ tunable_policy(`named_write_master_zones',`
')
optional_policy(`
@@ -10025,7 +10031,7 @@ index 124112346..73543d306 100644
dbus_system_domain(named_t, named_exec_t)
init_dbus_chat_script(named_t)
-@@ -187,7 +213,17 @@ optional_policy(`
+@@ -187,7 +214,17 @@ optional_policy(`
')
optional_policy(`
@@ -10043,7 +10049,7 @@ index 124112346..73543d306 100644
kerberos_use(named_t)
')
-@@ -214,8 +250,9 @@ optional_policy(`
+@@ -214,8 +251,9 @@ optional_policy(`
# NDC local policy
#
@@ -10055,7 +10061,7 @@ index 124112346..73543d306 100644
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
-@@ -229,10 +266,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+@@ -229,10 +267,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
allow ndc_t named_zone_t:dir search_dir_perms;
@@ -10067,7 +10073,7 @@ index 124112346..73543d306 100644
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_generic_if(ndc_t)
corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -242,6 +278,9 @@ corenet_tcp_bind_generic_node(ndc_t)
+@@ -242,6 +279,9 @@ corenet_tcp_bind_generic_node(ndc_t)
corenet_tcp_connect_rndc_port(ndc_t)
corenet_sendrecv_rndc_client_packets(ndc_t)
@@ -10077,7 +10083,7 @@ index 124112346..73543d306 100644
domain_use_interactive_fds(ndc_t)
files_search_pids(ndc_t)
-@@ -257,7 +296,7 @@ init_use_script_ptys(ndc_t)
+@@ -257,7 +297,7 @@ init_use_script_ptys(ndc_t)
logging_send_syslog_msg(ndc_t)
@@ -14802,10 +14808,10 @@ index 000000000..55fe0d668
+')
diff --git a/cloudform.te b/cloudform.te
new file mode 100644
-index 000000000..21e6ae757
+index 000000000..73f3eb8a0
--- /dev/null
+++ b/cloudform.te
-@@ -0,0 +1,249 @@
+@@ -0,0 +1,250 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@@ -14913,6 +14919,7 @@ index 000000000..21e6ae757
+selinux_validate_context(cloud_init_t)
+
+systemd_dbus_chat_hostnamed(cloud_init_t)
++systemd_dbus_chat_timedated(cloud_init_t)
+systemd_exec_systemctl(cloud_init_t)
+systemd_start_all_services(cloud_init_t)
+
@@ -25774,10 +25781,10 @@ index 000000000..b3784d85d
+')
diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644
-index 000000000..22cafcd43
+index 000000000..86c5021d6
--- /dev/null
+++ b/dirsrv.te
-@@ -0,0 +1,207 @@
+@@ -0,0 +1,211 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
@@ -25942,6 +25949,10 @@ index 000000000..22cafcd43
+ systemd_manage_passwd_run(dirsrv_t)
+')
+
++optional_policy(`
++ rolekit_read_tmp(dirsrv_t)
++')
++
+########################################
+#
+# dirsrv-snmp local policy
@@ -39954,10 +39965,10 @@ index 000000000..d611c53d4
+')
diff --git a/ipa.te b/ipa.te
new file mode 100644
-index 000000000..28955ddc0
+index 000000000..99cb86250
--- /dev/null
+++ b/ipa.te
-@@ -0,0 +1,273 @@
+@@ -0,0 +1,275 @@
+policy_module(ipa, 1.0.0)
+
+########################################
@@ -40154,6 +40165,8 @@ index 000000000..28955ddc0
+
+dev_read_rand(ipa_dnskey_t)
+
++can_exec(ipa_dnskey_t,ipa_dnskey_exec_t)
++
+libs_exec_ldconfig(ipa_dnskey_t)
+
+logging_send_syslog_msg(ipa_dnskey_t)
@@ -47356,7 +47369,7 @@ index 2a491d96c..3399d597a 100644
+ virt_dgram_send(lldpad_t)
+')
diff --git a/loadkeys.te b/loadkeys.te
-index d2f464375..c8e6b37b0 100644
+index d2f464375..ecbfa88ff 100644
--- a/loadkeys.te
+++ b/loadkeys.te
@@ -25,20 +25,19 @@ kernel_read_system_state(loadkeys_t)
@@ -47383,6 +47396,15 @@ index d2f464375..c8e6b37b0 100644
userdom_list_user_home_content(loadkeys_t)
ifdef(`hide_broken_symptoms',`
+@@ -52,3 +51,8 @@ optional_policy(`
+ optional_policy(`
+ nscd_dontaudit_search_pid(loadkeys_t)
+ ')
++
++optional_policy(`
++ sssd_read_public_files(loadkeys_t)
++ sssd_stream_connect(loadkeys_t)
++')
diff --git a/lockdev.if b/lockdev.if
index 4313b8bc0..cd1435cdf 100644
--- a/lockdev.if
@@ -47493,7 +47515,7 @@ index dd8e01af3..9cd6b0b8e 100644
##
##
diff --git a/logrotate.te b/logrotate.te
-index be0ab84b3..0129ddb61 100644
+index be0ab84b3..882160882 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0)
@@ -47568,7 +47590,7 @@ index be0ab84b3..0129ddb61 100644
allow logrotate_t self:shm create_shm_perms;
allow logrotate_t self:sem create_sem_perms;
allow logrotate_t self:msgq create_msgq_perms;
-@@ -48,36 +71,53 @@ allow logrotate_t self:msg { send receive };
+@@ -48,36 +71,54 @@ allow logrotate_t self:msg { send receive };
allow logrotate_t logrotate_lock_t:file manage_file_perms;
files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
@@ -47591,6 +47613,7 @@ index be0ab84b3..0129ddb61 100644
+dev_read_urand(logrotate_t)
+dev_read_sysfs(logrotate_t)
++dev_write_kmsg(logrotate_t)
+
+fs_search_auto_mountpoints(logrotate_t)
+fs_getattr_all_fs(logrotate_t)
@@ -47627,7 +47650,7 @@ index be0ab84b3..0129ddb61 100644
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
-@@ -95,32 +135,57 @@ mls_process_write_to_clearance(logrotate_t)
+@@ -95,32 +136,57 @@ mls_process_write_to_clearance(logrotate_t)
selinux_get_fs_mount(logrotate_t)
selinux_get_enforce_mode(logrotate_t)
@@ -47691,7 +47714,7 @@ index be0ab84b3..0129ddb61 100644
')
optional_policy(`
-@@ -135,16 +200,17 @@ optional_policy(`
+@@ -135,16 +201,17 @@ optional_policy(`
optional_policy(`
apache_read_config(logrotate_t)
@@ -47711,7 +47734,7 @@ index be0ab84b3..0129ddb61 100644
')
optional_policy(`
-@@ -170,6 +236,11 @@ optional_policy(`
+@@ -170,6 +237,11 @@ optional_policy(`
')
optional_policy(`
@@ -47723,7 +47746,7 @@ index be0ab84b3..0129ddb61 100644
fail2ban_stream_connect(logrotate_t)
')
-@@ -178,7 +249,8 @@ optional_policy(`
+@@ -178,7 +250,8 @@ optional_policy(`
')
optional_policy(`
@@ -47733,7 +47756,7 @@ index be0ab84b3..0129ddb61 100644
')
optional_policy(`
-@@ -198,17 +270,18 @@ optional_policy(`
+@@ -198,17 +271,18 @@ optional_policy(`
')
optional_policy(`
@@ -47755,7 +47778,7 @@ index be0ab84b3..0129ddb61 100644
')
optional_policy(`
-@@ -216,6 +289,14 @@ optional_policy(`
+@@ -216,6 +290,14 @@ optional_policy(`
')
optional_policy(`
@@ -47770,7 +47793,7 @@ index be0ab84b3..0129ddb61 100644
samba_exec_log(logrotate_t)
')
-@@ -228,26 +309,50 @@ optional_policy(`
+@@ -228,26 +310,50 @@ optional_policy(`
')
optional_policy(`
@@ -91002,7 +91025,7 @@ index 6dbc905b3..4b17c933e 100644
- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a279..75b615f81 100644
+index d32e1a279..b79ae3194 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
@@ -91015,11 +91038,13 @@ index d32e1a279..75b615f81 100644
type rhsmcertd_var_lib_t;
files_type(rhsmcertd_var_lib_t)
-@@ -30,18 +33,21 @@ files_pid_file(rhsmcertd_var_run_t)
+@@ -29,19 +32,22 @@ files_pid_file(rhsmcertd_var_run_t)
+ # Local policy
#
- allow rhsmcertd_t self:capability sys_nice;
+-allow rhsmcertd_t self:capability sys_nice;
-allow rhsmcertd_t self:process { signal setsched };
++allow rhsmcertd_t self:capability { kill sys_nice };
+allow rhsmcertd_t self:process { signal_perms setsched };
+
allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
@@ -92077,10 +92102,10 @@ index 000000000..504b6e13e
+/usr/sbin/roled -- gen_context(system_u:object_r:rolekit_exec_t,s0)
diff --git a/rolekit.if b/rolekit.if
new file mode 100644
-index 000000000..b11fb8f6d
+index 000000000..df5e3338c
--- /dev/null
+++ b/rolekit.if
-@@ -0,0 +1,120 @@
+@@ -0,0 +1,138 @@
+## Daemon for Linux systems providing a stable D-BUS interface to manage the deployment of Server Roles.
+
+########################################
@@ -92201,6 +92226,24 @@ index 000000000..b11fb8f6d
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
++
++########################################
++##
++## Allow domain to read rolekit tmp files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rolekit_read_tmp',`
++ gen_require(`
++ type rolekit_tmp_t;
++ ')
++
++ read_files_pattern($1, rolekit_tmp_t, rolekit_tmp_t)
++')
diff --git a/rolekit.te b/rolekit.te
new file mode 100644
index 000000000..da944537b
@@ -94260,7 +94303,7 @@ index ef3b22507..79518530e 100644
admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t })
diff --git a/rpm.te b/rpm.te
-index 6fc360e60..2f24b1e0c 100644
+index 6fc360e60..219964375 100644
--- a/rpm.te
+++ b/rpm.te
@@ -1,15 +1,13 @@
@@ -94603,7 +94646,7 @@ index 6fc360e60..2f24b1e0c 100644
mls_file_read_all_levels(rpm_script_t)
mls_file_write_all_levels(rpm_script_t)
-@@ -331,73 +331,129 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -331,73 +331,130 @@ storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
@@ -94636,9 +94679,10 @@ index 6fc360e60..2f24b1e0c 100644
+init_manage_transient_unit(rpm_script_t)
init_domtrans_script(rpm_script_t)
init_telinit(rpm_script_t)
-
-+systemd_config_all_services(rpm_script_t)
++init_dbus_chat(rpm_script_t)
+
++systemd_config_all_services(rpm_script_t)
+
libs_exec_ld_so(rpm_script_t)
libs_exec_lib_files(rpm_script_t)
-libs_run_ldconfig(rpm_script_t, rpm_roles)
@@ -94753,7 +94797,7 @@ index 6fc360e60..2f24b1e0c 100644
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
-@@ -409,6 +465,6 @@ optional_policy(`
+@@ -409,6 +466,6 @@ optional_policy(`
')
optional_policy(`
@@ -96873,7 +96917,7 @@ index 50d07fb2e..a34db489c 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 2b7c441e7..c7a475130 100644
+index 2b7c441e7..5d52fba0f 100644
--- a/samba.te
+++ b/samba.te
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@@ -98011,9 +98055,12 @@ index 2b7c441e7..c7a475130 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,38 +972,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -871,40 +970,44 @@ manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
+ manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t)
+ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
- rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+-rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
++manage_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
-# This needs a file context specification
-allow winbind_t winbind_log_t:file { append_file_perms create_file_perms setattr_file_perms };
@@ -111369,10 +111416,10 @@ index 000000000..368e18842
+')
diff --git a/tlp.te b/tlp.te
new file mode 100644
-index 000000000..f31ed95d7
+index 000000000..761cc35b0
--- /dev/null
+++ b/tlp.te
-@@ -0,0 +1,74 @@
+@@ -0,0 +1,80 @@
+policy_module(tlp, 1.0.0)
+
+########################################
@@ -111417,6 +111464,7 @@ index 000000000..f31ed95d7
+kernel_rw_fs_sysctls(tlp_t)
+kernel_rw_kernel_sysctl(tlp_t)
+kernel_rw_vm_sysctls(tlp_t)
++kernel_create_rpc_sysctls(tlp_t)
+
+auth_read_passwd(tlp_t)
+
@@ -111425,12 +111473,16 @@ index 000000000..f31ed95d7
+dev_list_sysfs(tlp_t)
+dev_manage_sysfs(tlp_t)
+dev_rw_cpu_microcode(tlp_t)
++dev_rw_wireless(tlp_t)
+
+files_read_kernel_modules(tlp_t)
++files_load_kernel_modules(tlp_t)
+
+modutils_exec_insmod(tlp_t)
+modutils_read_module_config(tlp_t)
+
++logging_send_syslog_msg(tlp_t)
++
+storage_raw_read_fixed_disk(tlp_t)
+storage_raw_write_removable_device(tlp_t)
+
@@ -111438,6 +111490,7 @@ index 000000000..f31ed95d7
+
+optional_policy(`
+ dbus_stream_connect_system_dbusd(tlp_t)
++ dbus_system_bus_client(tlp_t)
+')
+
+optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1c03730..9635f28 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 279%{?dist}
+Release: 280%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -681,6 +681,18 @@ exit 0
%endif
%changelog
+* Thu Sep 07 2017 Lukas Vrabec - 3.13.1-280
+- Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404)
+- Fix denials during ipa-server-install process on F27+
+- Allow httpd_t to mmap cert_t
+- Add few rules to make tlp_t domain working in enforcing mode
+- Allow cloud_init_t to dbus chat with systemd_timedated_t
+- Allow logrotate_t to write to kmsg
+- Add capability kill to rhsmcertd_t
+- Allow winbind to manage smbd_tmp_t files
+- Allow groupadd_t domain to dbus chat with systemd.BZ(1488404)
+- Add interface miscfiles_map_generic_certs()
+
* Tue Sep 05 2017 Lukas Vrabec - 3.13.1-279
- Allow abrt_dump_oops_t to read sssd_public_t files
- Allow cockpit_ws_t to mmap usr_t files