diff --git a/container-selinux.tgz b/container-selinux.tgz
index 9633bb7..3472067 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index e01d341..fbb472a 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -18132,7 +18132,7 @@ index d7c11a0..f521a50 100644
  /var/run/shm/.*			<<none>>
 -')
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..ca45838 100644
+index 8416beb..b38387e 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -18631,7 +18631,7 @@ index 8416beb..ca45838 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1878,95 +2122,169 @@ interface(`fs_search_fusefs',`
+@@ -1878,135 +2122,151 @@ interface(`fs_search_fusefs',`
  ##	</summary>
  ## </param>
  #
@@ -18737,6 +18737,7 @@ index 8416beb..ca45838 100644
 -#
 -interface(`fs_exec_fusefs_files',`
 -	gen_require(`
+-		type fusefs_t;
 +## <desc>
 +##	<p>
 +##	Execute a file on a FUSE filesystem
@@ -18770,86 +18771,34 @@ index 8416beb..ca45838 100644
 +interface(`fs_ecryptfs_domtrans',`
 +	gen_require(`
 +		type ecryptfs_t;
-+	')
-+
-+	allow $1 ecryptfs_t:dir search_dir_perms;
-+	domain_auto_transition_pattern($1, ecryptfs_t, $2)
-+')
-+
-+########################################
-+## <summary>
-+##	Mount a FUSE filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_mount_fusefs',`
-+	gen_require(`
- 		type fusefs_t;
  	')
  
 -	exec_files_pattern($1, fusefs_t, fusefs_t)
-+	allow $1 fusefs_t:filesystem mount;
++	allow $1 ecryptfs_t:dir search_dir_perms;
++	domain_auto_transition_pattern($1, ecryptfs_t, $2)
  ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete files
-+##	Unmount a FUSE filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_unmount_fusefs',`
-+	gen_require(`
-+		type fusefs_t;
-+	')
-+
-+	allow $1 fusefs_t:filesystem unmount;
-+')
-+
-+########################################
-+## <summary>
-+##	Mounton a FUSEFS filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_mounton_fusefs',`
-+	gen_require(`
-+		type fusefs_t;
-+	')
-+
-+	allow $1 fusefs_t:dir mounton;
-+')
-+
-+########################################
-+## <summary>
-+##	Search directories
- ##	on a FUSEFS filesystem.
+-##	on a FUSEFS filesystem.
++##	Mount a FUSE filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -1976,19 +2294,18 @@ interface(`fs_exec_fusefs_files',`
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
  ## </param>
- ## <rolecap/>
+-## <rolecap/>
  #
 -interface(`fs_manage_fusefs_files',`
-+interface(`fs_search_fusefs',`
++interface(`fs_mount_fusefs',`
  	gen_require(`
  		type fusefs_t;
  	')
  
 -	manage_files_pattern($1, fusefs_t, fusefs_t)
-+	allow $1 fusefs_t:dir search_dir_perms;
++	allow $1 fusefs_t:filesystem mount;
  ')
  
  ########################################
@@ -18857,79 +18806,96 @@ index 8416beb..ca45838 100644
 -##	Do not audit attempts to create,
 -##	read, write, and delete files
 -##	on a FUSEFS filesystem.
-+##	Do not audit attempts to list the contents
-+##	of directories on a FUSEFS filesystem.
++##	Unmount a FUSE filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1996,217 +2313,274 @@ interface(`fs_manage_fusefs_files',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
 -interface(`fs_dontaudit_manage_fusefs_files',`
-+interface(`fs_dontaudit_list_fusefs',`
++interface(`fs_unmount_fusefs',`
  	gen_require(`
  		type fusefs_t;
  	')
  
 -	dontaudit $1 fusefs_t:file manage_file_perms;
-+	dontaudit $1 fusefs_t:dir list_dir_perms;
++	allow $1 fusefs_t:filesystem unmount;
  ')
  
  ########################################
  ## <summary>
 -##	Read symbolic links on a FUSEFS filesystem.
-+##	Create, read, write, and delete directories
-+##	on a FUSEFS filesystem.
++##	Mounton a FUSEFS filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+@@ -2014,145 +2274,194 @@ interface(`fs_dontaudit_manage_fusefs_files',`
  ##	</summary>
  ## </param>
-+## <rolecap/>
  #
 -interface(`fs_read_fusefs_symlinks',`
-+interface(`fs_manage_fusefs_dirs',`
++interface(`fs_mounton_fusefs',`
  	gen_require(`
  		type fusefs_t;
  	')
  
 -	allow $1 fusefs_t:dir list_dir_perms;
 -	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
-+	allow $1 fusefs_t:dir manage_dir_perms;
++	allow $1 fusefs_t:dir mounton;
  ')
  
  ########################################
  ## <summary>
 -##	Get the attributes of an hugetlbfs
 -##	filesystem.
-+##	Do not audit attempts to create, read,
-+##	write, and delete directories
++##	Search directories
 +##	on a FUSEFS filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
++## <rolecap/>
  #
 -interface(`fs_getattr_hugetlbfs',`
-+interface(`fs_dontaudit_manage_fusefs_dirs',`
++interface(`fs_search_fusefs',`
  	gen_require(`
 -		type hugetlbfs_t;
 +		type fusefs_t;
  	')
  
 -	allow $1 hugetlbfs_t:filesystem getattr;
-+	dontaudit $1 fusefs_t:dir manage_dir_perms;
++	allow $1 fusefs_t:dir search_dir_perms;
  ')
  
  ########################################
  ## <summary>
 -##	List hugetlbfs.
-+##	Read, a FUSEFS filesystem.
++##	Do not audit attempts to list the contents
++##	of directories on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`fs_dontaudit_list_fusefs',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	dontaudit $1 fusefs_t:dir list_dir_perms;
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete directories
++##	on a FUSEFS filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -18939,20 +18905,40 @@ index 8416beb..ca45838 100644
 +## <rolecap/>
  #
 -interface(`fs_list_hugetlbfs',`
-+interface(`fs_read_fusefs_files',`
++interface(`fs_manage_fusefs_dirs',`
  	gen_require(`
 -		type hugetlbfs_t;
 +		type fusefs_t;
  	')
  
 -	allow $1 hugetlbfs_t:dir list_dir_perms;
-+	read_files_pattern($1, fusefs_t, fusefs_t)
++	allow $1 fusefs_t:dir manage_dir_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Manage hugetlbfs dirs.
-+##	Execute files on a FUSEFS filesystem.
++##	Do not audit attempts to create, read,
++##	write, and delete directories
++##	on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`fs_dontaudit_manage_fusefs_dirs',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	dontaudit $1 fusefs_t:dir manage_dir_perms;
++')
++
++########################################
++## <summary>
++##	Read, a FUSEFS filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
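Review bot: The summary `##	Read, a FUSEFS filesystem.` on the new side of this hunk is garbled and does not say what the interface it heads (`fs_read_fusefs_files`, in the next hunk) grants. `##	Read files on a FUSEFS filesystem.` would match the `read_files_pattern($1, fusefs_t, fusefs_t)` body. The same pass could fix `progams` in the `fs_fusefs_entrypoint` summary in a later hunk. Both strings look carried over from the previous revision of the patch, so this is cleanup rather than a regression; the doc block continues outside this hunk.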
@@ -18962,38 +18948,37 @@ index 8416beb..ca45838 100644
 +## <rolecap/>
  #
 -interface(`fs_manage_hugetlbfs_dirs',`
-+interface(`fs_exec_fusefs_files',`
++interface(`fs_read_fusefs_files',`
  	gen_require(`
 -		type hugetlbfs_t;
 +		type fusefs_t;
  	')
  
 -	manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+	exec_files_pattern($1, fusefs_t, fusefs_t)
++	read_files_pattern($1, fusefs_t, fusefs_t)
  ')
  
  ########################################
  ## <summary>
 -##	Read and write hugetlbfs files.
-+##	Make general progams in FUSEFS an entrypoint for
-+##	the specified domain.
++##	Execute files on a FUSEFS filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	The domain for which fusefs_t is an entrypoint.
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
++## <rolecap/>
  #
 -interface(`fs_rw_hugetlbfs_files',`
-+interface(`fs_fusefs_entry_type',`
++interface(`fs_exec_fusefs_files',`
  	gen_require(`
 -		type hugetlbfs_t;
 +		type fusefs_t;
  	')
  
 -	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+	domain_entry_file($1, fusefs_t)
++	exec_files_pattern($1, fusefs_t, fusefs_t)
  ')
  
  ########################################
@@ -19011,94 +18996,93 @@ index 8416beb..ca45838 100644
  ## </param>
  #
 -interface(`fs_associate_hugetlbfs',`
-+interface(`fs_fusefs_entrypoint',`
++interface(`fs_fusefs_entry_type',`
  	gen_require(`
 -		type hugetlbfs_t;
 +		type fusefs_t;
  	')
  
 -	allow $1 hugetlbfs_t:filesystem associate;
-+    allow $1 fusefs_t:file entrypoint;
++	domain_entry_file($1, fusefs_t)
  ')
  
  ########################################
  ## <summary>
 -##	Search inotifyfs filesystem.
-+##	Create, read, write, and delete files
-+##	on a FUSEFS filesystem.
++##	Make general progams in FUSEFS an entrypoint for
++##	the specified domain.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+-##	Domain allowed access.
++##	The domain for which fusefs_t is an entrypoint.
  ##	</summary>
  ## </param>
-+## <rolecap/>
  #
 -interface(`fs_search_inotifyfs',`
-+interface(`fs_manage_fusefs_files',`
++interface(`fs_fusefs_entrypoint',`
  	gen_require(`
 -		type inotifyfs_t;
 +		type fusefs_t;
  	')
  
 -	allow $1 inotifyfs_t:dir search_dir_perms;
-+	manage_files_pattern($1, fusefs_t, fusefs_t)
++    allow $1 fusefs_t:file entrypoint;
  ')
  
  ########################################
  ## <summary>
 -##	List inotifyfs filesystem.
-+##	Do not audit attempts to create,
-+##	read, write, and delete files
++##	Create, read, write, and delete files
 +##	on a FUSEFS filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
++## <rolecap/>
  #
 -interface(`fs_list_inotifyfs',`
-+interface(`fs_dontaudit_manage_fusefs_files',`
++interface(`fs_manage_fusefs_files',`
  	gen_require(`
 -		type inotifyfs_t;
 +		type fusefs_t;
  	')
  
 -	allow $1 inotifyfs_t:dir list_dir_perms;
-+	dontaudit $1 fusefs_t:file manage_file_perms;
++	manage_files_pattern($1, fusefs_t, fusefs_t)
  ')
  
  ########################################
  ## <summary>
 -##	Dontaudit List inotifyfs filesystem.
-+##	Read symbolic links on a FUSEFS filesystem.
++##	Do not audit attempts to create,
++##	read, write, and delete files
++##	on a FUSEFS filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
+@@ -2160,73 +2469,118 @@ interface(`fs_list_inotifyfs',`
  ##	</summary>
  ## </param>
  #
 -interface(`fs_dontaudit_list_inotifyfs',`
-+interface(`fs_read_fusefs_symlinks',`
++interface(`fs_dontaudit_manage_fusefs_files',`
  	gen_require(`
 -		type inotifyfs_t;
 +		type fusefs_t;
  	')
  
 -	dontaudit $1 inotifyfs_t:dir list_dir_perms;
-+	allow $1 fusefs_t:dir list_dir_perms;
-+	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
++	dontaudit $1 fusefs_t:file manage_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Create an object in a hugetlbfs filesystem, with a private
 -##	type using a type transition.
-+##	Manage symbolic links on a FUSEFS filesystem.
++##	Read symbolic links on a FUSEFS filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
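Review bot: `fs_fusefs_entry_type` and `fs_fusefs_entrypoint` sit next to each other on the new side with nothing in their headers telling a caller which one to use, and the body line `    allow $1 fusefs_t:file entrypoint;` is indented with spaces where the rest of the file uses a tab. The rule makes every file labelled `fusefs_t` a valid entry point for the calling domain, and file content on a FUSE mount is supplied by whoever runs the FUSE server. The header would therefore benefit from a `<desc>` paragraph stating that the interface is intended only for domains expected to be entered from such mounts. These lines appear to be re-marked rather than newly written by this commit.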
@@ -19107,6 +19091,27 @@ index 8416beb..ca45838 100644
  ## </param>
 -## <param name="private type">
 +#
++interface(`fs_read_fusefs_symlinks',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	allow $1 fusefs_t:dir list_dir_perms;
++	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
++')
++
++########################################
++## <summary>
++##	Manage symbolic links on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
+ ##	<summary>
+-##	The type of the object to be created.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="object">
++#
 +interface(`fs_manage_fusefs_symlinks',`
 +	gen_require(`
 +		type fusefs_t;
@@ -19141,84 +19146,93 @@ index 8416beb..ca45838 100644
 +## </desc>
 +## <param name="domain">
  ##	<summary>
--##	The type of the object to be created.
+-##	The object class of the object being created.
 +##	Domain allowed to transition.
  ##	</summary>
  ## </param>
--## <param name="object">
+-## <param name="name" optional="true">
 +## <param name="target_domain">
  ##	<summary>
--##	The object class of the object being created.
+-##	The name of the object being created.
 +##	The type of the new process.
  ##	</summary>
  ## </param>
--## <param name="name" optional="true">
-+#
+ #
+-interface(`fs_hugetlbfs_filetrans',`
 +interface(`fs_fusefs_domtrans',`
-+	gen_require(`
+ 	gen_require(`
+-		type hugetlbfs_t;
 +		type fusefs_t;
-+	')
-+
+ 	')
+ 
+-	allow $2 hugetlbfs_t:filesystem associate;
+-	filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
 +	allow $1 fusefs_t:dir search_dir_perms;
 +	domain_auto_transition_pattern($1, fusefs_t, $2)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Mount an iso9660 filesystem, which
+-##	is usually used on CDs.
 +##	Get the attributes of a FUSEFS filesystem.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
  ##	<summary>
--##	The name of the object being created.
-+##	Domain allowed access.
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
 +## <rolecap/>
  #
--interface(`fs_hugetlbfs_filetrans',`
+-interface(`fs_mount_iso9660_fs',`
 +interface(`fs_getattr_fusefs',`
  	gen_require(`
--		type hugetlbfs_t;
+-		type iso9660_t;
 +		type fusefs_t;
  	')
  
--	allow $2 hugetlbfs_t:filesystem associate;
--	filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
+-	allow $1 iso9660_t:filesystem mount;
 +	allow $1 fusefs_t:filesystem getattr;
  ')
  
  ########################################
  ## <summary>
--##	Mount an iso9660 filesystem, which
--##	is usually used on CDs.
+-##	Remount an iso9660 filesystem, which
+-##	is usually used on CDs.  This allows
+-##	some mount options to be changed.
 +##	Get the attributes of an hugetlbfs
 +##	filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2214,19 +2588,681 @@ interface(`fs_hugetlbfs_filetrans',`
+@@ -2234,18 +2588,17 @@ interface(`fs_mount_iso9660_fs',`
  ##	</summary>
  ## </param>
  #
--interface(`fs_mount_iso9660_fs',`
+-interface(`fs_remount_iso9660_fs',`
 +interface(`fs_getattr_hugetlbfs',`
-+	gen_require(`
+ 	gen_require(`
+-		type iso9660_t;
 +		type hugetlbfs_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 iso9660_t:filesystem remount;
 +	allow $1 hugetlbfs_t:filesystem getattr;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Unmount an iso9660 filesystem, which
+-##	is usually used on CDs.
 +##	List hugetlbfs.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2253,38 +2606,725 @@ interface(`fs_remount_iso9660_fs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_unmount_iso9660_fs',`
 +interface(`fs_list_hugetlbfs',`
 +	gen_require(`
 +		type hugetlbfs_t;
@@ -19862,58 +19876,47 @@ index 8416beb..ca45838 100644
 +## </param>
 +#
 +interface(`fs_read_kdbus_files',`
- 	gen_require(`
--		type iso9660_t;
++	gen_require(`
 +		type cgroup_t;
 +
- 	')
- 
--	allow $1 iso9660_t:filesystem mount;
++	')
++
 +	read_files_pattern($1, kdbusfs_t, kdbusfs_t)
 +	read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
 +	fs_search_tmpfs($1)
 +	dev_search_sysfs($1)
- ')
- 
- ########################################
- ## <summary>
--##	Remount an iso9660 filesystem, which
--##	is usually used on CDs.  This allows
--##	some mount options to be changed.
++')
++
++########################################
++## <summary>
 +##	Write kdbusfs files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2234,18 +3270,19 @@ interface(`fs_mount_iso9660_fs',`
- ##	</summary>
- ## </param>
- #
--interface(`fs_remount_iso9660_fs',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`fs_write_kdbus_files', `
- 	gen_require(`
--		type iso9660_t;
++	gen_require(`
 +		type kdbusfs_t;
- 	')
- 
--	allow $1 iso9660_t:filesystem remount;
++	')
++
 +	write_files_pattern($1, kdbusfs_t, kdbusfs_t)
 +	fs_search_tmpfs($1)
 +	dev_search_sysfs($1)
- ')
- 
- ########################################
- ## <summary>
--##	Unmount an iso9660 filesystem, which
--##	is usually used on CDs.
++')
++
++########################################
++## <summary>
 +##	Read and write kdbusfs files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2253,38 +3290,41 @@ interface(`fs_remount_iso9660_fs',`
- ##	</summary>
- ## </param>
- #
--interface(`fs_unmount_iso9660_fs',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`fs_rw_kdbus_files',`
  	gen_require(`
 -		type iso9660_t;
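Review bot: `fs_read_kdbus_files` declares `type cgroup_t;` in its `gen_require` block, but its body references only `kdbusfs_t` (`read_files_pattern($1, kdbusfs_t, kdbusfs_t)` and the `read_lnk_files_pattern` call). The require should be `type kdbusfs_t;`, as `fs_write_kdbus_files` directly below already has; as written, a module calling it presumably only builds when `kdbusfs_t` is brought into scope some other way. The stray blank line inside the `gen_require` can go at the same time. This hunk only re-marks these lines, so the mismatch predates the commit.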
@@ -20301,7 +20304,7 @@ index 8416beb..ca45838 100644
  ##	Mount a NFS server pseudo filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3255,17 +4470,107 @@ interface(`fs_list_nfsd_fs',`
+@@ -3255,17 +4470,126 @@ interface(`fs_list_nfsd_fs',`
  ##	</summary>
  ## </param>
  #
@@ -20360,6 +20363,25 @@ index 8416beb..ca45838 100644
 +##	</summary>
 +## </param>
 +#
++interface(`fs_dontaudit_getattr_nsfs_files',`
++	gen_require(`
++		type nsfs_t;
++	')
++
++	dontaudit $1 nsfs_t:file getattr;
++')
++
++
++########################################
++## <summary>
++##	Getattr files on an nsfs filesystem
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`fs_getattr_nsfs_files',`
 +	gen_require(`
 +		type nsfs_t;
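Review bot: The new `fs_dontaudit_getattr_nsfs_files` interface appears to take over the header block that used to belong to `fs_getattr_nsfs_files` (only its tail, `## </param>`, is visible at the top of the hunk), so its summary and parameter text probably still describe an allow rule. If so, the summary should read `##	Do not audit attempts to get the attributes of files on an nsfs filesystem.` and the parameter `##	Domain to not audit.`, as the other `dontaudit` interfaces in this file do. There is also a doubled blank line after the closing `')`. Because `dontaudit` rules keep the matching AVC denials out of the audit log, an accurate header matters to anyone later reviewing what is being silenced.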
@@ -20413,7 +20435,7 @@ index 8416beb..ca45838 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3273,12 +4578,12 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3273,12 +4597,12 @@ interface(`fs_getattr_nfsd_files',`
  ##	</summary>
  ## </param>
  #
@@ -20428,7 +20450,7 @@ index 8416beb..ca45838 100644
  ')
  
  ########################################
-@@ -3301,6 +4606,24 @@ interface(`fs_associate_ramfs',`
+@@ -3301,6 +4625,24 @@ interface(`fs_associate_ramfs',`
  
  ########################################
  ## <summary>
@@ -20453,7 +20475,7 @@ index 8416beb..ca45838 100644
  ##	Mount a RAM filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3392,7 +4715,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +4734,7 @@ interface(`fs_search_ramfs',`
  
  ########################################
  ## <summary>
@@ -20462,7 +20484,7 @@ index 8416beb..ca45838 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3429,7 +4752,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4771,7 @@ interface(`fs_manage_ramfs_dirs',`
  
  ########################################
  ## <summary>
@@ -20471,7 +20493,7 @@ index 8416beb..ca45838 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3447,7 +4770,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4789,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
  
  ########################################
  ## <summary>
@@ -20480,7 +20502,7 @@ index 8416beb..ca45838 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3779,6 +5102,24 @@ interface(`fs_mount_tmpfs',`
+@@ -3779,6 +5121,24 @@ interface(`fs_mount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -20505,7 +20527,7 @@ index 8416beb..ca45838 100644
  ##	Remount a tmpfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3815,6 +5156,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +5175,24 @@ interface(`fs_unmount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -20530,7 +20552,7 @@ index 8416beb..ca45838 100644
  ##	Get the attributes of a tmpfs
  ##	filesystem.
  ## </summary>
-@@ -3908,7 +5267,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3908,7 +5286,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
  
  ########################################
  ## <summary>
@@ -20539,7 +20561,7 @@ index 8416beb..ca45838 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3916,17 +5275,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,17 +5294,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -20560,7 +20582,7 @@ index 8416beb..ca45838 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3934,17 +5293,17 @@ interface(`fs_mounton_tmpfs',`
+@@ -3934,17 +5312,17 @@ interface(`fs_mounton_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -20581,7 +20603,7 @@ index 8416beb..ca45838 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3952,17 +5311,36 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +5330,36 @@ interface(`fs_setattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -20621,7 +20643,7 @@ index 8416beb..ca45838 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3970,31 +5348,48 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +5367,48 @@ interface(`fs_search_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -20677,7 +20699,7 @@ index 8416beb..ca45838 100644
  ')
  
  ########################################
-@@ -4057,23 +5452,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
+@@ -4057,23 +5471,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
  ## </param>
  ## <param name="name" optional="true">
  ##	<summary>
@@ -20854,7 +20876,7 @@ index 8416beb..ca45838 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4081,18 +5623,18 @@ interface(`fs_tmpfs_filetrans',`
+@@ -4081,18 +5642,18 @@ interface(`fs_tmpfs_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -20877,7 +20899,7 @@ index 8416beb..ca45838 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4100,54 +5642,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
+@@ -4100,54 +5661,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -20944,7 +20966,7 @@ index 8416beb..ca45838 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4155,17 +5696,18 @@ interface(`fs_read_tmpfs_files',`
+@@ -4155,17 +5715,18 @@ interface(`fs_read_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -20966,7 +20988,7 @@ index 8416beb..ca45838 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4173,17 +5715,18 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4173,17 +5734,18 @@ interface(`fs_rw_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -20988,7 +21010,7 @@ index 8416beb..ca45838 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4191,37 +5734,36 @@ interface(`fs_read_tmpfs_symlinks',`
+@@ -4191,37 +5753,36 @@ interface(`fs_read_tmpfs_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -21034,7 +21056,7 @@ index 8416beb..ca45838 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4229,18 +5771,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4229,18 +5790,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  ##	</summary>
  ## </param>
  #
@@ -21056,7 +21078,7 @@ index 8416beb..ca45838 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4248,18 +5790,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
+@@ -4248,18 +5809,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
  ##	</summary>
  ## </param>
  #
@@ -21080,7 +21102,7 @@ index 8416beb..ca45838 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4267,32 +5810,31 @@ interface(`fs_rw_tmpfs_blk_files',`
+@@ -4267,32 +5829,31 @@ interface(`fs_rw_tmpfs_blk_files',`
  ##	</summary>
  ## </param>
  #
@@ -21119,7 +21141,7 @@ index 8416beb..ca45838 100644
  ')
  
  ########################################
-@@ -4407,6 +5949,25 @@ interface(`fs_search_xenfs',`
+@@ -4407,6 +5968,25 @@ interface(`fs_search_xenfs',`
  	allow $1 xenfs_t:dir search_dir_perms;
  ')
  
@@ -21145,7 +21167,7 @@ index 8416beb..ca45838 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete directories
-@@ -4503,6 +6064,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +6083,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -21154,7 +21176,7 @@ index 8416beb..ca45838 100644
  ')
  
  ########################################
-@@ -4549,7 +6112,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +6131,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -21163,7 +21185,7 @@ index 8416beb..ca45838 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4596,6 +6159,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +6178,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
  
  ########################################
  ## <summary>
@@ -21190,7 +21212,7 @@ index 8416beb..ca45838 100644
  ##	Get the quotas of all filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4671,6 +6254,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +6273,25 @@ interface(`fs_getattr_all_dirs',`
  
  ########################################
  ## <summary>
@@ -21216,7 +21238,7 @@ index 8416beb..ca45838 100644
  ##	Search all directories with a filesystem type.
  ## </summary>
  ## <param name="domain">
-@@ -4912,3 +6514,173 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6533,175 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -21255,10 +21277,12 @@ index 8416beb..ca45838 100644
 +interface(`fs_tmpfs_filetrans_named_content',`
 +	gen_require(`
 +		type cgroup_t;
++        type devlog_t;
 +	')
 +
 +	fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpu")
 +	fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
++	fs_tmpfs_filetrans($1, devlog_t, lnk_file, "log")
 +')
 +
 +#######################################
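Review bot: The added `        type devlog_t;` is indented with spaces while the neighbouring `type cgroup_t;` uses tabs. It also makes this kernel-layer interface require a type that, judging by the `logging.te` section of this same patch (`files_pid_filetrans(syslogd_t, devlog_t, sock_file)`), belongs to the logging module. Every caller of `fs_tmpfs_filetrans_named_content` now also gets a named transition for a symlink called `log` on tmpfs, which the interface header (outside this hunk) should mention. If the cross-module require is intentional, write it as `		type devlog_t;` and add a comment such as `# "log" symlink on tmpfs; devlog_t is declared in the logging module` above the new `fs_tmpfs_filetrans` call.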
@@ -41694,7 +41718,7 @@ index 4e94884..31be8ac 100644
 +	filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4)
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..6810e0b 100644
+index 59b04c1..2be561d 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1)
@@ -41929,13 +41953,14 @@ index 59b04c1..6810e0b 100644
  
  mls_file_read_all_levels(klogd_t)
  
-@@ -355,13 +417,12 @@ optional_policy(`
+@@ -355,13 +417,13 @@ optional_policy(`
  # sys_admin for the integrated klog of syslog-ng and metalog
  # sys_nice for rsyslog
  # cjp: why net_admin!
 -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
 +allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw };
  dontaudit syslogd_t self:capability sys_tty_config;
++dontaudit syslogd_t self:cap_userns sys_ptrace;
 +allow syslogd_t self:capability2 { syslog block_suspend };
  # setpgid for metalog
  # setrlimit for syslog-ng
@@ -41946,7 +41971,7 @@ index 59b04c1..6810e0b 100644
  # receive messages to be logged
  allow syslogd_t self:unix_dgram_socket create_socket_perms;
  allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -369,11 +430,15 @@ allow syslogd_t self:unix_dgram_socket sendto;
+@@ -369,11 +431,15 @@ allow syslogd_t self:unix_dgram_socket sendto;
  allow syslogd_t self:fifo_file rw_fifo_file_perms;
  allow syslogd_t self:udp_socket create_socket_perms;
  allow syslogd_t self:tcp_socket create_stream_socket_perms;
@@ -41963,7 +41988,7 @@ index 59b04c1..6810e0b 100644
  files_pid_filetrans(syslogd_t, devlog_t, sock_file)
  
  # create/append log files.
-@@ -389,30 +454,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -389,30 +455,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
  
@@ -42014,7 +42039,7 @@ index 59b04c1..6810e0b 100644
  # syslog-ng can listen and connect on tcp port 514 (rsh)
  corenet_tcp_sendrecv_generic_if(syslogd_t)
  corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -422,6 +504,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -422,6 +505,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
  corenet_tcp_connect_rsh_port(syslogd_t)
  # Allow users to define additional syslog ports to connect to
  corenet_tcp_bind_syslogd_port(syslogd_t)
@@ -42023,7 +42048,7 @@ index 59b04c1..6810e0b 100644
  corenet_tcp_connect_syslogd_port(syslogd_t)
  corenet_tcp_connect_postgresql_port(syslogd_t)
  corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -432,9 +516,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -432,9 +517,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
  corenet_sendrecv_postgresql_client_packets(syslogd_t)
  corenet_sendrecv_mysqld_client_packets(syslogd_t)
  
@@ -42057,7 +42082,7 @@ index 59b04c1..6810e0b 100644
  domain_use_interactive_fds(syslogd_t)
  
  files_read_etc_files(syslogd_t)
-@@ -448,13 +555,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+@@ -448,13 +556,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
  
  fs_getattr_all_fs(syslogd_t)
  fs_search_auto_mountpoints(syslogd_t)
@@ -42075,7 +42100,7 @@ index 59b04c1..6810e0b 100644
  # for sending messages to logged in users
  init_read_utmp(syslogd_t)
  init_dontaudit_write_utmp(syslogd_t)
-@@ -466,11 +577,12 @@ init_use_fds(syslogd_t)
+@@ -466,11 +578,12 @@ init_use_fds(syslogd_t)
  
  # cjp: this doesnt make sense
  logging_send_syslog_msg(syslogd_t)
@@ -42091,7 +42116,7 @@ index 59b04c1..6810e0b 100644
  
  ifdef(`distro_gentoo',`
  	# default gentoo syslog-ng config appends kernel
-@@ -497,6 +609,7 @@ optional_policy(`
+@@ -497,6 +610,7 @@ optional_policy(`
  optional_policy(`
  	cron_manage_log_files(syslogd_t)
  	cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
@@ -42099,7 +42124,7 @@ index 59b04c1..6810e0b 100644
  ')
  
  optional_policy(`
-@@ -507,15 +620,44 @@ optional_policy(`
+@@ -507,15 +621,44 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42144,7 +42169,7 @@ index 59b04c1..6810e0b 100644
  ')
  
  optional_policy(`
-@@ -526,3 +668,26 @@ optional_policy(`
+@@ -526,3 +669,26 @@ optional_policy(`
  	# log to the xconsole
  	xserver_rw_console(syslogd_t)
  ')
@@ -47450,10 +47475,10 @@ index a392fc4..b01eb22 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..fc4c791
+index 0000000..a0ed66f
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,71 @@
+@@ -0,0 +1,72 @@
 +HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_home_t,s0)
 +/root/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_home_t,s0)
 +
@@ -47511,6 +47536,7 @@ index 0000000..fc4c791
 +/var/lib/systemd/rfkill(/.*)?         gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
 +/var/lib/systemd/linger(/.*)?  		gen_context(system_u:object_r:systemd_logind_var_lib_t,mls_systemhigh)
 +/var/lib/random-seed 		gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
++/usr/lib/systemd/resolv.*   --   gen_context(system_u:object_r:lib_t,s0)
 +/usr/var/lib/random-seed 	gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
 +
 +/var/run/.*nologin.*		gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
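Review bot: The new entry `/usr/lib/systemd/resolv.*   --   gen_context(system_u:object_r:lib_t,s0)` is broader than it reads. The `.` is unescaped and `.*` also matches `/`, so every regular file under `/usr/lib/systemd/` whose path begins with `resolv` is labelled `lib_t`. If a single file is the target, spell it out with the dot escaped, for example `/usr/lib/systemd/resolv\.conf   --   gen_context(system_u:object_r:lib_t,s0)` (file name assumed; adjust to the real one). The entry is also placed between the two `random-seed` lines in the `/var/lib` group, rather than with any other `/usr/lib/systemd` paths the file may have.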
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index d5c2491..15c12d8 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -29049,7 +29049,7 @@ index c62c567..a74f123 100644
 +	allow $1 firewalld_unit_file_t:service all_service_perms;
  ')
 diff --git a/firewalld.te b/firewalld.te
-index 98072a3..ee152e2 100644
+index 98072a3..0235724 100644
 --- a/firewalld.te
 +++ b/firewalld.te
 @@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
@@ -29077,7 +29077,7 @@ index 98072a3..ee152e2 100644
  
  allow firewalld_t firewalld_var_log_t:file append_file_perms;
  allow firewalld_t firewalld_var_log_t:file create_file_perms;
-@@ -48,8 +56,14 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
+@@ -48,13 +56,21 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
  files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
  allow firewalld_t firewalld_tmp_t:file mmap_file_perms;
  
@@ -29093,7 +29093,14 @@ index 98072a3..ee152e2 100644
  
  kernel_read_network_state(firewalld_t)
  kernel_read_system_state(firewalld_t)
-@@ -63,20 +77,26 @@ dev_search_sysfs(firewalld_t)
+ kernel_rw_net_sysctls(firewalld_t)
+ 
++files_list_kernel_modules(firewalld_t)
++
+ corecmd_exec_bin(firewalld_t)
+ corecmd_exec_shell(firewalld_t)
+ 
+@@ -63,20 +79,26 @@ dev_search_sysfs(firewalld_t)
  
  domain_use_interactive_fds(firewalld_t)
  
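Review bot: `files_list_kernel_modules(firewalld_t)` is inserted between the `kernel_` calls and the `corecmd_` calls, although the neighbouring lines (`corecmd_`, `dev_`, `domain_`) look grouped alphabetically by module, and it has no comment saying which firewalld operation needs to list the modules directory. I would move it after `domain_use_interactive_fds(firewalld_t)` and add a one-line rationale comment above it. Most of firewalld.te is outside this hunk, so the ordering convention should be confirmed against the full file.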
@@ -29114,20 +29121,20 @@ index 98072a3..ee152e2 100644
 -seutil_exec_setfiles(firewalld_t)
 -seutil_read_file_contexts(firewalld_t)
 +logging_send_syslog_msg(firewalld_t)
- 
--sysnet_read_config(firewalld_t)
++
 +sysnet_dns_name_resolve(firewalld_t)
 +sysnet_manage_config_dirs(firewalld_t)
 +sysnet_manage_config(firewalld_t)
 +sysnet_relabelfrom_net_conf(firewalld_t)
 +sysnet_relabelto_net_conf(firewalld_t)
-+
+ 
+-sysnet_read_config(firewalld_t)
 +userdom_dontaudit_create_admin_dir(firewalld_t)
 +userdom_dontaudit_manage_admin_dir(firewalld_t)
  
  optional_policy(`
  	dbus_system_domain(firewalld_t, firewalld_exec_t)
-@@ -91,10 +111,15 @@ optional_policy(`
+@@ -91,10 +113,15 @@ optional_policy(`
  
  	optional_policy(`
  		networkmanager_dbus_chat(firewalld_t)
@@ -46284,7 +46291,7 @@ index dd8e01a..9cd6b0b 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index be0ab84..d46c5e7 100644
+index be0ab84..6180bdb 100644
 --- a/logrotate.te
 +++ b/logrotate.te
 @@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0)
@@ -46359,7 +46366,7 @@ index be0ab84..d46c5e7 100644
  allow logrotate_t self:shm create_shm_perms;
  allow logrotate_t self:sem create_sem_perms;
  allow logrotate_t self:msgq create_msgq_perms;
-@@ -48,36 +71,52 @@ allow logrotate_t self:msg { send receive };
+@@ -48,36 +71,53 @@ allow logrotate_t self:msg { send receive };
  allow logrotate_t logrotate_lock_t:file manage_file_perms;
  files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
  
@@ -46386,6 +46393,7 @@ index be0ab84..d46c5e7 100644
 +fs_search_auto_mountpoints(logrotate_t)
 +fs_getattr_all_fs(logrotate_t)
 +fs_list_inotifyfs(logrotate_t)
++fs_dontaudit_getattr_nsfs_files(logrotate_t)
 +
 +mls_file_read_all_levels(logrotate_t)
 +mls_file_write_all_levels(logrotate_t)
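Review bot: `fs_dontaudit_getattr_nsfs_files(logrotate_t)` silences the denial rather than granting the access, and the line has no comment recording that this is intentional. From now on getattr attempts by logrotate_t on nsfs files no longer show up in the audit log. A short comment such as `# getattr on nsfs files stays denied and is not audited, BZ(1399081)` would tell a maintainer or an analyst looking for a missing AVC where the suppression comes from. Denials hidden this way only become visible again after rebuilding the policy with dontaudit rules disabled (`semodule -DB`).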
@@ -46417,7 +46425,7 @@ index be0ab84..d46c5e7 100644
  files_manage_generic_spool(logrotate_t)
  files_manage_generic_spool_dirs(logrotate_t)
  files_getattr_generic_locks(logrotate_t)
-@@ -95,32 +134,56 @@ mls_process_write_to_clearance(logrotate_t)
+@@ -95,32 +135,56 @@ mls_process_write_to_clearance(logrotate_t)
  selinux_get_fs_mount(logrotate_t)
  selinux_get_enforce_mode(logrotate_t)
  
@@ -46480,7 +46488,7 @@ index be0ab84..d46c5e7 100644
  ')
  
  optional_policy(`
-@@ -135,16 +198,17 @@ optional_policy(`
+@@ -135,16 +199,17 @@ optional_policy(`
  
  optional_policy(`
  	apache_read_config(logrotate_t)
@@ -46500,7 +46508,7 @@ index be0ab84..d46c5e7 100644
  ')
  
  optional_policy(`
-@@ -170,6 +234,11 @@ optional_policy(`
+@@ -170,6 +235,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46512,7 +46520,7 @@ index be0ab84..d46c5e7 100644
  	fail2ban_stream_connect(logrotate_t)
  ')
  
-@@ -178,7 +247,8 @@ optional_policy(`
+@@ -178,7 +248,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46522,7 +46530,7 @@ index be0ab84..d46c5e7 100644
  ')
  
  optional_policy(`
-@@ -198,17 +268,18 @@ optional_policy(`
+@@ -198,17 +269,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46544,7 +46552,7 @@ index be0ab84..d46c5e7 100644
  ')
  
  optional_policy(`
-@@ -216,6 +287,14 @@ optional_policy(`
+@@ -216,6 +288,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46559,7 +46567,7 @@ index be0ab84..d46c5e7 100644
  	samba_exec_log(logrotate_t)
  ')
  
-@@ -228,26 +307,50 @@ optional_policy(`
+@@ -228,26 +308,50 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69146,10 +69154,10 @@ index 0000000..fa4cfaa
 Binary files /dev/null and b/pcp.pp differ
 diff --git a/pcp.te b/pcp.te
 new file mode 100644
-index 0000000..d6fdef6
+index 0000000..04a0b20
 --- /dev/null
 +++ b/pcp.te
-@@ -0,0 +1,297 @@
+@@ -0,0 +1,299 @@
 +policy_module(pcp, 1.0.0)
 +
 +########################################
@@ -69405,6 +69413,8 @@ index 0000000..d6fdef6
 +
 +allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
 +
++allow pcp_pmie_t pcp_pmcd_t:process signal;
++
 +kernel_read_system_state(pcp_pmie_t)
 +
 +corecmd_exec_bin(pcp_pmie_t)
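Review bot: `allow pcp_pmie_t pcp_pmcd_t:process signal;` grants the generic signal permission, which lets pmie deliver any signal to pmcd other than SIGKILL, SIGSTOP, SIGCHLD and the null signal. If the denial behind BZ(1398078) came from a liveness probe (`kill(pid, 0)`), `allow pcp_pmie_t pcp_pmcd_t:process signull;` would be the tighter rule; the AVC itself is not visible here, so this needs confirming against the bug. Either way, a one-line comment above the rule stating which signal pmie sends and why would document the grant.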
@@ -90449,7 +90459,7 @@ index ccb5991..fa10c5a 100644
  
  optional_policy(`
 diff --git a/rpc.fc b/rpc.fc
-index a6fb30c..3148280 100644
+index a6fb30c..97ef313 100644
 --- a/rpc.fc
 +++ b/rpc.fc
 @@ -1,12 +1,25 @@
@@ -90484,7 +90494,7 @@ index a6fb30c..3148280 100644
  /usr/sbin/rpc\..*	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
  /usr/sbin/rpc\.idmapd	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
  /usr/sbin/rpc\.gssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
-@@ -16,7 +29,12 @@
+@@ -16,7 +29,13 @@
  /usr/sbin/rpc\.svcgssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
  /usr/sbin/sm-notify	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
  
@@ -90498,6 +90508,7 @@ index a6fb30c..3148280 100644
  /var/run/rpc\.statd(/.*)?	gen_context(system_u:object_r:rpcd_var_run_t,s0)
 -/var/run/rpc\.statd\.pid	--	gen_context(system_u:object_r:rpcd_var_run_t,s0)
 +/var/run/rpc\.statd\.pid --	gen_context(system_u:object_r:rpcd_var_run_t,s0)
++/var/run/rpc\.statd\.lock --	gen_context(system_u:object_r:rpcd_lock_t,s0)
 +
 diff --git a/rpc.if b/rpc.if
 index 0bf13c2..ed393a0 100644
@@ -90960,7 +90971,7 @@ index 0bf13c2..ed393a0 100644
  	files_list_tmp($1)
  	admin_pattern($1, gssd_tmp_t)
 diff --git a/rpc.te b/rpc.te
-index 2da9fca..23bddad 100644
+index 2da9fca..6935f5c 100644
 --- a/rpc.te
 +++ b/rpc.te
 @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
@@ -91003,10 +91014,13 @@ index 2da9fca..23bddad 100644
  
  attribute rpc_domain;
  
-@@ -39,21 +44,23 @@ files_tmp_file(gssd_tmp_t)
+@@ -39,21 +44,26 @@ files_tmp_file(gssd_tmp_t)
  type rpcd_var_run_t;
  files_pid_file(rpcd_var_run_t)
  
++type rpcd_lock_t;
++files_lock_file(rpcd_lock_t)
++
 +# rpcd_t is the domain of rpc daemons.
 +# rpc_exec_t is the type of rpc daemon programs.
  rpc_domain_template(rpcd)
@@ -91032,7 +91046,7 @@ index 2da9fca..23bddad 100644
  
  type var_lib_nfs_t;
  files_mountpoint(var_lib_nfs_t)
-@@ -71,7 +78,6 @@ allow rpc_domain self:tcp_socket { accept listen };
+@@ -71,7 +81,6 @@ allow rpc_domain self:tcp_socket { accept listen };
  manage_dirs_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
  manage_files_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
  
@@ -91040,7 +91054,7 @@ index 2da9fca..23bddad 100644
  kernel_read_kernel_sysctls(rpc_domain)
  kernel_rw_rpc_sysctls(rpc_domain)
  
-@@ -79,8 +85,6 @@ dev_read_sysfs(rpc_domain)
+@@ -79,8 +88,6 @@ dev_read_sysfs(rpc_domain)
  dev_read_urand(rpc_domain)
  dev_read_rand(rpc_domain)
  
@@ -91049,7 +91063,7 @@ index 2da9fca..23bddad 100644
  corenet_tcp_sendrecv_generic_if(rpc_domain)
  corenet_udp_sendrecv_generic_if(rpc_domain)
  corenet_tcp_sendrecv_generic_node(rpc_domain)
-@@ -108,41 +112,45 @@ files_read_etc_runtime_files(rpc_domain)
+@@ -108,41 +115,48 @@ files_read_etc_runtime_files(rpc_domain)
  files_read_usr_files(rpc_domain)
  files_list_home(rpc_domain)
  
@@ -91093,6 +91107,9 @@ index 2da9fca..23bddad 100644
  
 +read_lnk_files_pattern(rpcd_t, var_lib_nfs_t, var_lib_nfs_t)
 +
++allow rpcd_t rpcd_lock_t:file manage_file_perms;
++files_lock_filetrans(rpcd_t, rpcd_lock_t, file)
++
 +# rpc.statd executes sm-notify
  can_exec(rpcd_t, rpcd_exec_t)
  
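Review bot: `files_lock_filetrans(rpcd_t, rpcd_lock_t, file)` does not match where the lock file lives. The rpc.fc entry added in this same commit puts it at `/var/run/rpc\.statd\.lock`, and as far as I know the lock filetrans only fires for objects created in the lock directory (var_lock_t), not in /var/run. A file created by rpc.statd at runtime would then probably get the pid-directory type and only become rpcd_lock_t after a relabel, which would leave the new `allow rpcd_t rpcd_lock_t:file manage_file_perms;` unused until then. A named transition in the pid directory looks like the right tool: `files_pid_filetrans(rpcd_t, rpcd_lock_t, file, "rpc.statd.lock")`. The existing pid filetrans rules for rpcd_t are outside this hunk, so check that the named rule does not conflict with them.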
@@ -91103,7 +91120,7 @@ index 2da9fca..23bddad 100644
  kernel_read_sysctl(rpcd_t)
  kernel_rw_fs_sysctls(rpcd_t)
  kernel_dontaudit_getattr_core_if(rpcd_t)
-@@ -163,13 +171,21 @@ fs_getattr_all_fs(rpcd_t)
+@@ -163,13 +177,21 @@ fs_getattr_all_fs(rpcd_t)
  
  storage_getattr_fixed_disk_dev(rpcd_t)
  
@@ -91127,7 +91144,7 @@ index 2da9fca..23bddad 100644
  
  ifdef(`distro_debian',`
  	term_dontaudit_use_unallocated_ttys(rpcd_t)
-@@ -181,19 +197,27 @@ optional_policy(`
+@@ -181,19 +203,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -91158,7 +91175,7 @@ index 2da9fca..23bddad 100644
  ')
  
  ########################################
-@@ -202,41 +226,61 @@ optional_policy(`
+@@ -202,41 +232,61 @@ optional_policy(`
  #
  
  allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
@@ -91229,7 +91246,7 @@ index 2da9fca..23bddad 100644
  	miscfiles_manage_public_files(nfsd_t)
  ')
  
-@@ -245,7 +289,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -245,7 +295,6 @@ tunable_policy(`nfs_export_all_rw',`
  	dev_getattr_all_chr_files(nfsd_t)
  
  	fs_read_noxattr_fs_files(nfsd_t)
@@ -91237,7 +91254,7 @@ index 2da9fca..23bddad 100644
  ')
  
  tunable_policy(`nfs_export_all_ro',`
-@@ -257,12 +300,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -257,12 +306,12 @@ tunable_policy(`nfs_export_all_ro',`
  
  	fs_read_noxattr_fs_files(nfsd_t)
  
@@ -91252,7 +91269,7 @@ index 2da9fca..23bddad 100644
  ')
  
  ########################################
-@@ -270,7 +313,7 @@ optional_policy(`
+@@ -270,7 +319,7 @@ optional_policy(`
  # GSSD local policy
  #
  
@@ -91261,7 +91278,7 @@ index 2da9fca..23bddad 100644
  allow gssd_t self:process { getsched setsched };
  allow gssd_t self:fifo_file rw_fifo_file_perms;
  
-@@ -280,6 +323,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -280,6 +329,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
  
@@ -91269,7 +91286,7 @@ index 2da9fca..23bddad 100644
  kernel_read_network_state(gssd_t)
  kernel_read_network_state_symlinks(gssd_t)
  kernel_request_load_module(gssd_t)
-@@ -288,25 +332,31 @@ kernel_signal(gssd_t)
+@@ -288,25 +338,31 @@ kernel_signal(gssd_t)
  
  corecmd_exec_bin(gssd_t)
  
@@ -91304,7 +91321,7 @@ index 2da9fca..23bddad 100644
  ')
  
  optional_policy(`
-@@ -314,9 +364,12 @@ optional_policy(`
+@@ -314,9 +370,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -103021,7 +103038,7 @@ index 1499b0b..e695a62 100644
 -	spamassassin_role($2, $1)
  ')
 diff --git a/spamassassin.te b/spamassassin.te
-index cc58e35..d844f55 100644
+index cc58e35..963d86c 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
 @@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1)
@@ -103728,7 +103745,7 @@ index cc58e35..d844f55 100644
  ')
  
  optional_policy(`
-@@ -463,9 +571,9 @@ optional_policy(`
+@@ -463,9 +571,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -103736,10 +103753,11 @@ index cc58e35..d844f55 100644
  	sendmail_stub(spamd_t)
  	mta_read_config(spamd_t)
 -	mta_send_mail(spamd_t)
++    mta_manage_spool(spamd_t)
  ')
  
  optional_policy(`
-@@ -474,32 +582,32 @@ optional_policy(`
+@@ -474,32 +583,32 @@ optional_policy(`
  
  ########################################
  #
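Review bot: The added `mta_manage_spool(spamd_t)` gives spamd_t, a domain that parses untrusted mail, management rights over the mail spool. It is also indented with four spaces where the other calls in this `optional_policy` block use a tab. If BZ(1398437) only requires reading and writing existing spool files, a narrower interface such as `mta_rw_spool(spamd_t)` would be the tighter grant; the reported denial is not visible here, so the required permission set should be checked against the bug. At minimum the line should be re-indented with a leading tab to match `sendmail_stub(spamd_t)` and `mta_read_config(spamd_t)`.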
@@ -103782,7 +103800,7 @@ index cc58e35..d844f55 100644
  
  corecmd_exec_bin(spamd_update_t)
  corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +616,26 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +617,26 @@ dev_read_urand(spamd_update_t)
  
  domain_use_interactive_fds(spamd_update_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0c11cd7..a5f3859 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 226%{?dist}
+Release: 227%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -675,6 +675,18 @@ exit 0
 %endif
 
 %changelog
+* Tue Nov 29 2016 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-227
+- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081)
+- Allow pmie daemon to send signal pcmd daemon BZ(1398078)
+- Allow spamd_t to manage /var/spool/mail. BZ(1398437)
+- Label /run/rpc.statd.lock as rpcd_lock_t and allow rpcd_t domain to manage it. BZ(1397254)
+- Merge pull request #171 from t-woerner/rawhide-contrib
+- Allow firewalld to getattr open search read modules_object_t:dir
+- Allow systemd create /dev/log in own mount-namespace. BZ(1383867)
+- Add interface fs_dontaudit_getattr_nsfs_files()
+- Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853)
+- Dontaudit systemd_journal sys_ptrace userns capability. BZ(1374187)
+
 * Wed Nov 16 2016 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-226
 - Adding policy for tlp
 - Add interface  dev_manage_sysfs()