diff --git a/container-selinux.tgz b/container-selinux.tgz
index a98f4fe..1e43445 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 887b34c..edfb83c 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -3084,7 +3084,7 @@ index 99e3903..fa68362 100644
##
##
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1d732f1..c2962a5 100644
+index 1d732f1..09a9fb3 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t;
@@ -3237,7 +3237,18 @@ index 1d732f1..c2962a5 100644
auth_relabel_shadow(groupadd_t)
auth_etc_filetrans_shadow(groupadd_t)
-@@ -273,7 +297,7 @@ optional_policy(`
+@@ -251,6 +275,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
+ userdom_dontaudit_search_user_home_dirs(groupadd_t)
+
+ optional_policy(`
++ dbus_system_bus_client(groupadd_t)
++')
++
++optional_policy(`
+ dpkg_use_fds(groupadd_t)
+ dpkg_rw_pipes(groupadd_t)
+ ')
+@@ -273,7 +301,7 @@ optional_policy(`
# Passwd local policy
#
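Review bot: The new optional_policy block makes groupadd_t a system-bus client (`dbus_system_bus_client(groupadd_t)`, inner `@@ -251,6 +275,10 @@`) without recording which bus service the tool needs to reach, and the hunk at `@@ -3477,12 +3488,17 @@` does the same for useradd_t. Bus access for the account-management domains is a meaningful widening of what they can talk to, so the peer and the reason belong in the policy, e.g. `# shadow-utils tools contact [SERVICE — placeholder] over the system bus; see [BUG-ID placeholder]` above the new block. If the peer is a confined service it presumably also needs its own `*_dbus_chat()` call, which would document the peer by itself; a bare bus-client grant alone is worth a check of which destination produced the denial. The enclosing groupadd_t policy continues outside the hunk.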
@@ -3246,7 +3257,7 @@ index 1d732f1..c2962a5 100644
dontaudit passwd_t self:capability sys_tty_config;
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow passwd_t self:process { setrlimit setfscreate };
-@@ -288,6 +312,7 @@ allow passwd_t self:shm create_shm_perms;
+@@ -288,6 +316,7 @@ allow passwd_t self:shm create_shm_perms;
allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perms;
allow passwd_t self:msg { send receive };
@@ -3254,7 +3265,7 @@ index 1d732f1..c2962a5 100644
allow passwd_t crack_db_t:dir list_dir_perms;
read_files_pattern(passwd_t, crack_db_t, crack_db_t)
-@@ -296,6 +321,7 @@ kernel_read_kernel_sysctls(passwd_t)
+@@ -296,6 +325,7 @@ kernel_read_kernel_sysctls(passwd_t)
# for SSP
dev_read_urand(passwd_t)
@@ -3262,7 +3273,7 @@ index 1d732f1..c2962a5 100644
fs_getattr_xattr_fs(passwd_t)
fs_search_auto_mountpoints(passwd_t)
-@@ -310,26 +336,32 @@ selinux_compute_create_context(passwd_t)
+@@ -310,26 +340,32 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
@@ -3299,7 +3310,7 @@ index 1d732f1..c2962a5 100644
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(passwd_t)
-@@ -338,12 +370,11 @@ init_use_fds(passwd_t)
+@@ -338,12 +374,11 @@ init_use_fds(passwd_t)
logging_send_audit_msgs(passwd_t)
logging_send_syslog_msg(passwd_t)
@@ -3313,7 +3324,7 @@ index 1d732f1..c2962a5 100644
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
-@@ -352,6 +383,20 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -352,6 +387,20 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -3334,7 +3345,7 @@ index 1d732f1..c2962a5 100644
optional_policy(`
nscd_run(passwd_t, passwd_roles)
-@@ -401,9 +446,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -401,9 +450,10 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
@@ -3347,7 +3358,7 @@ index 1d732f1..c2962a5 100644
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -416,7 +462,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -416,7 +466,6 @@ files_read_usr_files(sysadm_passwd_t)
domain_use_interactive_fds(sysadm_passwd_t)
@@ -3355,7 +3366,7 @@ index 1d732f1..c2962a5 100644
files_relabel_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t)
# for nscd lookups
-@@ -426,12 +471,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+@@ -426,12 +475,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(sysadm_passwd_t)
@@ -3368,7 +3379,7 @@ index 1d732f1..c2962a5 100644
userdom_use_unpriv_users_fds(sysadm_passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
-@@ -446,7 +488,8 @@ optional_policy(`
+@@ -446,7 +492,8 @@ optional_policy(`
# Useradd local policy
#
@@ -3378,7 +3389,7 @@ index 1d732f1..c2962a5 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -461,6 +504,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -461,6 +508,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
@@ -3389,7 +3400,7 @@ index 1d732f1..c2962a5 100644
# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)
-@@ -468,29 +515,28 @@ corecmd_exec_shell(useradd_t)
+@@ -468,29 +519,28 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -3429,7 +3440,7 @@ index 1d732f1..c2962a5 100644
auth_run_chk_passwd(useradd_t, useradd_roles)
auth_rw_lastlog(useradd_t)
-@@ -498,6 +544,7 @@ auth_rw_faillog(useradd_t)
+@@ -498,6 +548,7 @@ auth_rw_faillog(useradd_t)
auth_use_nsswitch(useradd_t)
# these may be unnecessary due to the above
# domtrans_chk_passwd() call.
@@ -3437,7 +3448,7 @@ index 1d732f1..c2962a5 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
-@@ -508,33 +555,32 @@ init_rw_utmp(useradd_t)
+@@ -508,35 +559,38 @@ init_rw_utmp(useradd_t)
logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t)
@@ -3477,12 +3488,17 @@ index 1d732f1..c2962a5 100644
- optional_policy(`
- unconfined_domain(useradd_t)
- ')
--')
--
++optional_policy(`
++ apache_manage_all_user_content(useradd_t)
+ ')
+
optional_policy(`
- apache_manage_all_user_content(useradd_t)
+- apache_manage_all_user_content(useradd_t)
++ dbus_system_bus_client(useradd_t)
')
-@@ -545,14 +591,27 @@ optional_policy(`
+
+ optional_policy(`
+@@ -545,14 +599,27 @@ optional_policy(`
')
optional_policy(`
@@ -3510,7 +3526,7 @@ index 1d732f1..c2962a5 100644
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)
')
-@@ -562,3 +621,12 @@ optional_policy(`
+@@ -562,3 +629,12 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
@@ -19015,7 +19031,7 @@ index 7be4ddf..9710b33 100644
+/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0)
+/sys/kernel/debug/.* <>
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..ff9e7ba 100644
+index e100d88..5113b22 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@@ -19086,7 +19102,49 @@ index e100d88..ff9e7ba 100644
')
########################################
-@@ -762,8 +798,8 @@ interface(`kernel_manage_debugfs',`
+@@ -441,6 +477,41 @@ interface(`kernel_dontaudit_link_key',`
+
+ ########################################
+ ##
++## Allow view the kernel key ring.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_view_key',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ allow $1 kernel_t:key view;
++')
++
++########################################
++##
++## dontaudit view the kernel key ring.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`kernel_dontaudit_view_key',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ dontaudit $1 kernel_t:key view;
++')
++########################################
++##
+ ## Allows caller to read the ring buffer.
+ ##
+ ##
+@@ -762,8 +833,8 @@ interface(`kernel_manage_debugfs',`
')
manage_files_pattern($1, debugfs_t, debugfs_t)
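Review bot: The new `kernel_dontaudit_view_key` interface has no blank line between its closing `')` and the `########################################` banner of the following interface, unlike `kernel_view_key` just above it and every other interface in this file; add the separator line. The two summaries also read awkwardly next to the file's existing wording (`## Do not audit attempts to list all proc directories.`): `## Allow view the kernel key ring.` should be `## Allow viewing the kernel key ring.` and `## dontaudit view the kernel key ring.` should be `## Do not audit attempts to view the kernel key ring.`. The summary/param markup that normally wraps these lines appears flattened by the page rendering, so I have not checked it.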
@@ -19096,7 +19154,7 @@ index e100d88..ff9e7ba 100644
')
########################################
-@@ -786,6 +822,24 @@ interface(`kernel_mount_kvmfs',`
+@@ -786,6 +857,24 @@ interface(`kernel_mount_kvmfs',`
########################################
##
@@ -19121,7 +19179,7 @@ index e100d88..ff9e7ba 100644
## Unmount the proc filesystem.
##
##
-@@ -804,6 +858,24 @@ interface(`kernel_unmount_proc',`
+@@ -804,6 +893,24 @@ interface(`kernel_unmount_proc',`
########################################
##
@@ -19146,7 +19204,7 @@ index e100d88..ff9e7ba 100644
## Get the attributes of the proc filesystem.
##
##
-@@ -841,6 +913,25 @@ interface(`kernel_dontaudit_setattr_proc_dirs',`
+@@ -841,6 +948,25 @@ interface(`kernel_dontaudit_setattr_proc_dirs',`
########################################
##
@@ -19172,7 +19230,7 @@ index e100d88..ff9e7ba 100644
## Search directories in /proc.
##
##
-@@ -991,13 +1082,10 @@ interface(`kernel_read_proc_symlinks',`
+@@ -991,13 +1117,10 @@ interface(`kernel_read_proc_symlinks',`
#
interface(`kernel_read_system_state',`
gen_require(`
@@ -19188,7 +19246,7 @@ index e100d88..ff9e7ba 100644
')
########################################
-@@ -1025,6 +1113,44 @@ interface(`kernel_write_proc_files',`
+@@ -1025,6 +1148,44 @@ interface(`kernel_write_proc_files',`
########################################
##
@@ -19233,7 +19291,7 @@ index e100d88..ff9e7ba 100644
## Do not audit attempts by caller to
## read system state information in proc.
##
-@@ -1208,6 +1334,24 @@ interface(`kernel_read_messages',`
+@@ -1208,6 +1369,24 @@ interface(`kernel_read_messages',`
########################################
##
@@ -19258,7 +19316,7 @@ index e100d88..ff9e7ba 100644
## Allow caller to get the attributes of kernel message
## interface (/proc/kmsg).
##
-@@ -1458,6 +1602,25 @@ interface(`kernel_list_all_proc',`
+@@ -1458,6 +1637,25 @@ interface(`kernel_list_all_proc',`
########################################
##
@@ -19284,7 +19342,7 @@ index e100d88..ff9e7ba 100644
## Do not audit attempts to list all proc directories.
##
##
-@@ -1477,6 +1640,28 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1477,6 +1675,28 @@ interface(`kernel_dontaudit_list_all_proc',`
########################################
##
@@ -19313,7 +19371,7 @@ index e100d88..ff9e7ba 100644
## Do not audit attempts by caller to search
## the base directory of sysctls.
##
-@@ -1672,7 +1857,7 @@ interface(`kernel_read_net_sysctls',`
+@@ -1672,7 +1892,7 @@ interface(`kernel_read_net_sysctls',`
')
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@@ -19322,7 +19380,7 @@ index e100d88..ff9e7ba 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
-@@ -1693,7 +1878,7 @@ interface(`kernel_rw_net_sysctls',`
+@@ -1693,7 +1913,7 @@ interface(`kernel_rw_net_sysctls',`
')
rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@@ -19331,7 +19389,7 @@ index e100d88..ff9e7ba 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
-@@ -1715,7 +1900,6 @@ interface(`kernel_read_unix_sysctls',`
+@@ -1715,7 +1935,6 @@ interface(`kernel_read_unix_sysctls',`
')
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
@@ -19339,7 +19397,7 @@ index e100d88..ff9e7ba 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
-@@ -1750,16 +1934,9 @@ interface(`kernel_rw_unix_sysctls',`
+@@ -1750,16 +1969,9 @@ interface(`kernel_rw_unix_sysctls',`
## Domain allowed access.
##
##
@@ -19357,7 +19415,7 @@ index e100d88..ff9e7ba 100644
')
########################################
-@@ -1771,16 +1948,9 @@ interface(`kernel_read_hotplug_sysctls',`
+@@ -1771,16 +1983,9 @@ interface(`kernel_read_hotplug_sysctls',`
## Domain allowed access.
##
##
@@ -19375,7 +19433,7 @@ index e100d88..ff9e7ba 100644
')
########################################
-@@ -1792,16 +1962,9 @@ interface(`kernel_rw_hotplug_sysctls',`
+@@ -1792,16 +1997,9 @@ interface(`kernel_rw_hotplug_sysctls',`
## Domain allowed access.
##
##
@@ -19393,7 +19451,7 @@ index e100d88..ff9e7ba 100644
')
########################################
-@@ -1813,16 +1976,9 @@ interface(`kernel_read_modprobe_sysctls',`
+@@ -1813,16 +2011,9 @@ interface(`kernel_read_modprobe_sysctls',`
## Domain allowed access.
##
##
@@ -19411,68 +19469,115 @@ index e100d88..ff9e7ba 100644
')
########################################
-@@ -2048,6 +2204,26 @@ interface(`kernel_read_rpc_sysctls',`
+@@ -2048,9 +2239,10 @@ interface(`kernel_read_rpc_sysctls',`
list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
')
+
-+########################################
-+##
+ ########################################
+ ##
+-## Read and write RPC sysctls.
+## Read RPC sysctls.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2059,38 +2251,38 @@ interface(`kernel_read_rpc_sysctls',`
+ ##
+ ##
+ #
+-interface(`kernel_rw_rpc_sysctls',`
+interface(`kernel_rw_rpc_sysctls_dirs',`
-+ gen_require(`
-+ type proc_t, proc_net_t, sysctl_rpc_t;
-+ ')
-+
+ gen_require(`
+ type proc_t, proc_net_t, sysctl_rpc_t;
+ ')
+
+- rw_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
+-
+- list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
+ rw_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
-+')
-+
- ########################################
- ##
- ## Read and write RPC sysctls.
-@@ -2071,6 +2247,26 @@ interface(`kernel_rw_rpc_sysctls',`
+ ')
########################################
##
+-## Do not audit attempts to list all sysctl directories.
+## Read and write RPC sysctls.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+##
-+#
-+interface(`kernel_create_rpc_sysctls',`
-+ gen_require(`
+ #
+-interface(`kernel_dontaudit_list_all_sysctls',`
++interface(`kernel_rw_rpc_sysctls',`
+ gen_require(`
+- attribute sysctl_type;
+ type proc_t, proc_net_t, sysctl_rpc_t;
-+ ')
+ ')
+
+- dontaudit $1 sysctl_type:dir list_dir_perms;
+- dontaudit $1 sysctl_type:file getattr;
++ rw_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
+
++ list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
+ ')
+
+ ########################################
+ ##
+-## Allow caller to read all sysctls.
++## Read and write RPC sysctls.
+ ##
+ ##
+ ##
+@@ -2099,40 +2291,126 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+ ##
+ ##
+ #
+-interface(`kernel_read_all_sysctls',`
++interface(`kernel_create_rpc_sysctls',`
+ gen_require(`
+- attribute sysctl_type;
+- type proc_t, proc_net_t;
++ type proc_t, proc_net_t, sysctl_rpc_t;
+ ')
+
+- # proc_net_t for /proc/net/rpc sysctls
+- read_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type)
+ create_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
-+
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to list all sysctl directories.
+
+- list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_type)
+ ')
+
+ ########################################
+ ##
+-## Read and write all sysctls.
++## Do not audit attempts to list all sysctl directories.
##
##
-@@ -2085,7 +2281,54 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+-##
+ #
+-interface(`kernel_rw_all_sysctls',`
++interface(`kernel_dontaudit_list_all_sysctls',`
+ gen_require(`
+ attribute sysctl_type;
+- type proc_t, proc_net_t;
')
- dontaudit $1 sysctl_type:dir list_dir_perms;
-- dontaudit $1 sysctl_type:file getattr;
+- # proc_net_t for /proc/net/rpc sysctls
+- rw_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type)
++ dontaudit $1 sysctl_type:dir list_dir_perms;
+ dontaudit $1 sysctl_type:file read_file_perms;
+')
-+
+
+- allow $1 sysctl_type:dir list_dir_perms;
+- # why is setattr needed?
+########################################
+##
+## Allow attempts to mounton all sysctl directories.
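Review bot: The summary placed above `interface(`kernel_create_rpc_sysctls',`` says `## Read and write RPC sysctls.` although the body only grants `create_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)`; it should read `## Create RPC sysctls.`, otherwise a policy author choosing interfaces by summary will grant the wrong permission. The same mismatch appears earlier in the hunk, where `## Read RPC sysctls.` now heads the renamed `kernel_rw_rpc_sysctls_dirs` whose body is `rw_dirs_pattern(...)`; if the inner hunk alignment is what it looks like, `## Read and write RPC sysctl directories.` is the accurate summary. Both summaries were already wrong on the old side, but this commit rewrites the surrounding doc blocks and is the natural place to fix them.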
@@ -19518,70 +19623,92 @@ index e100d88..ff9e7ba 100644
+ allow $1 debugfs_t:dir mounton;
+ allow $1 cgroup_t:dir mounton;
+
++')
++
++########################################
++##
++## Allow caller to read all sysctls.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`kernel_read_all_sysctls',`
++ gen_require(`
++ attribute sysctl_type;
++ type proc_t, proc_net_t;
++ ')
++
++ # proc_net_t for /proc/net/rpc sysctls
++ read_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type)
++
++ list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_type)
++')
++
++########################################
++##
++## Read and write all sysctls.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`kernel_rw_all_sysctls',`
++ gen_require(`
++ attribute sysctl_type;
++ type proc_t, proc_net_t;
++ ')
++
++ # proc_net_t for /proc/net/rpc sysctls
++ rw_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type)
++
++ allow $1 sysctl_type:dir list_dir_perms;
++ # why is setattr needed?
+ allow $1 sysctl_type:file setattr;
')
- ########################################
-@@ -2282,7 +2525,7 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2560,25 @@ interface(`kernel_list_unlabeled',`
########################################
##
--## Read the process state (/proc/pid) of all unlabeled_t.
+## Delete unlabeled files
- ##
- ##
- ##
-@@ -2290,19 +2533,18 @@ interface(`kernel_list_unlabeled',`
- ##
- ##
- #
--interface(`kernel_read_unlabeled_state',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`kernel_delete_unlabeled',`
- gen_require(`
- type unlabeled_t;
- ')
-
-- allow $1 unlabeled_t:dir list_dir_perms;
-- read_files_pattern($1, unlabeled_t, unlabeled_t)
-- read_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
-+ allow $1 unlabeled_t:dir delete_dir_perms;
-+ allow $1 unlabeled_t:dir_file_class_set delete_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to list unlabeled directories.
-+## Read the process state (/proc/pid) of all unlabeled_t.
- ##
- ##
- ##
-@@ -2310,6 +2552,26 @@ interface(`kernel_read_unlabeled_state',`
- ##
- ##
- #
-+interface(`kernel_read_unlabeled_state',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
-+ allow $1 unlabeled_t:dir list_dir_perms;
-+ read_files_pattern($1, unlabeled_t, unlabeled_t)
-+ read_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
++ allow $1 unlabeled_t:dir delete_dir_perms;
++ allow $1 unlabeled_t:dir_file_class_set delete_file_perms;
+')
+
+########################################
+##
-+## Do not audit attempts to list unlabeled directories.
-+##
-+##
-+##
+ ## Read the process state (/proc/pid) of all unlabeled_t.
+ ##
+ ##
+@@ -2306,7 +2603,7 @@ interface(`kernel_read_unlabeled_state',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
- interface(`kernel_dontaudit_list_unlabeled',`
- gen_require(`
- type unlabeled_t;
-@@ -2488,6 +2750,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+ ##
+ ##
+ #
+@@ -2488,6 +2785,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
##
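Review bot: The re-added `kernel_rw_all_sysctls` keeps upstream's open question `# why is setattr needed?` above `allow $1 sysctl_type:file setattr;`, and because the inner patch now deletes and re-inserts the whole interface, the distribution patch owns that line. setattr on every sysctl file is broader than the read/write the summary promises, so either replace the comment with the actual reason (e.g. `# setattr: [REASON — placeholder]`) or verify whether callers still need it before carrying it forward. Most of this hunk and the previous one is the verbatim move of `kernel_read_all_sysctls`/`kernel_rw_all_sysctls` below the new mounton interfaces; regenerating the inner patch with `git diff --patience` would likely keep the inner patch's actual permission deltas (such as the `read_file_perms` dontaudit in `kernel_dontaudit_list_all_sysctls`) visible instead of buried in a block move.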
@@ -19606,7 +19733,7 @@ index e100d88..ff9e7ba 100644
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
##
-@@ -2525,6 +2805,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2840,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
########################################
##
@@ -19631,7 +19758,7 @@ index e100d88..ff9e7ba 100644
## Allow caller to relabel unlabeled files.
##
##
-@@ -2667,6 +2965,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2667,6 +3000,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
##
@@ -19656,7 +19783,7 @@ index e100d88..ff9e7ba 100644
## Receive TCP packets from an unlabeled connection.
##
##
-@@ -2694,6 +3010,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2694,6 +3045,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
##
@@ -19682,7 +19809,7 @@ index e100d88..ff9e7ba 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
##
-@@ -2803,6 +3138,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2803,6 +3173,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@@ -19716,7 +19843,7 @@ index e100d88..ff9e7ba 100644
########################################
##
-@@ -2958,6 +3320,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2958,6 +3355,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
##
@@ -19741,7 +19868,7 @@ index e100d88..ff9e7ba 100644
## Unconfined access to kernel module resources.
##
##
-@@ -2972,5 +3352,649 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3387,649 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -19841,7 +19968,7 @@ index e100d88..ff9e7ba 100644
+ ')
+
+ dontaudit $1 sysctl_type:file getattr;
-+')
+ ')
+
+########################################
+##
@@ -19920,7 +20047,7 @@ index e100d88..ff9e7ba 100644
+ ')
+
+ dontaudit $1 proc_numa_t:dir search;
- ')
++')
+
+########################################
+##
@@ -23102,7 +23229,7 @@ index 234a940..a92415a 100644
########################################
##
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 0fef1fc..93ad99f 100644
+index 0fef1fc..aea97fa 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,73 @@ policy_module(staff, 2.4.0)
@@ -23179,7 +23306,7 @@ index 0fef1fc..93ad99f 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -23,11 +84,127 @@ optional_policy(`
+@@ -23,11 +84,128 @@ optional_policy(`
')
optional_policy(`
@@ -23242,6 +23369,7 @@ index 0fef1fc..93ad99f 100644
+
+optional_policy(`
+ fwupd_dbus_chat(staff_t)
++ fwupd_read_cache_files(staff_t)
+')
+
+optional_policy(`
@@ -23308,7 +23436,7 @@ index 0fef1fc..93ad99f 100644
')
optional_policy(`
-@@ -35,15 +212,31 @@ optional_policy(`
+@@ -35,15 +213,31 @@ optional_policy(`
')
optional_policy(`
@@ -23342,7 +23470,7 @@ index 0fef1fc..93ad99f 100644
')
optional_policy(`
-@@ -52,11 +245,61 @@ optional_policy(`
+@@ -52,11 +246,61 @@ optional_policy(`
')
optional_policy(`
@@ -23405,7 +23533,7 @@ index 0fef1fc..93ad99f 100644
')
ifndef(`distro_redhat',`
-@@ -65,10 +308,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +309,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -23416,7 +23544,7 @@ index 0fef1fc..93ad99f 100644
cdrecord_role(staff_r, staff_t)
')
-@@ -78,10 +317,6 @@ ifndef(`distro_redhat',`
+@@ -78,10 +318,6 @@ ifndef(`distro_redhat',`
optional_policy(`
dbus_role_template(staff, staff_r, staff_t)
@@ -23427,7 +23555,7 @@ index 0fef1fc..93ad99f 100644
')
optional_policy(`
-@@ -101,10 +336,6 @@ ifndef(`distro_redhat',`
+@@ -101,10 +337,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -23438,7 +23566,7 @@ index 0fef1fc..93ad99f 100644
java_role(staff_r, staff_t)
')
-@@ -125,10 +356,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +357,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -23449,7 +23577,7 @@ index 0fef1fc..93ad99f 100644
pyzor_role(staff_r, staff_t)
')
-@@ -141,10 +368,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +369,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -23460,7 +23588,7 @@ index 0fef1fc..93ad99f 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -176,3 +399,23 @@ ifndef(`distro_redhat',`
+@@ -176,3 +400,23 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -29543,7 +29671,7 @@ index 6bf0ecc..e6be63a 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..bd907ca 100644
+index 8b40377..a55ca15 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@@ -30022,7 +30150,7 @@ index 8b40377..bd907ca 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -366,20 +528,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -366,20 +528,31 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -30046,6 +30174,7 @@ index 8b40377..bd907ca 100644
kernel_read_network_state(xdm_t)
+kernel_request_load_module(xdm_t)
+kernel_stream_connect(xdm_t)
++kernel_dontaudit_view_key(xdm_t)
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
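Review bot: `kernel_dontaudit_view_key(xdm_t)` silences denials for xdm_t viewing the kernel keyring rather than granting the access, and nothing in the hunk records why the access is not needed. If the display manager actually needs `key view` (the commit adds `kernel_view_key` in kernel.if for exactly that), the dontaudit will hide a functional failure from the audit log instead of fixing it; if the access is a harmless probe, say so, e.g. `# harmless keyring probe by the display manager — [BUG-ID placeholder]` above the call. Either way a dontaudit should be traceable to the observed AVC, presumably the one that prompted this change. The xdm_t rules continue outside the hunk.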
@@ -30055,7 +30184,7 @@ index 8b40377..bd907ca 100644
corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -389,38 +561,50 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -389,38 +562,51 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -30101,6 +30230,7 @@ index 8b40377..bd907ca 100644
+dev_getattr_null_dev(xdm_t)
+dev_setattr_null_dev(xdm_t)
+dev_read_nvme(xdm_t)
++dev_getattr_loop_control(xdm_t)
domain_use_interactive_fds(xdm_t)
# Do not audit denied probes of /proc.
@@ -30110,7 +30240,7 @@ index 8b40377..bd907ca 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -431,9 +615,30 @@ files_list_mnt(xdm_t)
+@@ -431,9 +617,30 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -30141,7 +30271,7 @@ index 8b40377..bd907ca 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,28 +647,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +649,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -30192,7 +30322,7 @@ index 8b40377..bd907ca 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +695,163 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +697,163 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -30362,7 +30492,7 @@ index 8b40377..bd907ca 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,12 +864,31 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,12 +866,31 @@ tunable_policy(`xdm_sysadm_login',`
# allow xserver_t xdm_tmpfs_t:file rw_file_perms;
')
@@ -30394,7 +30524,7 @@ index 8b40377..bd907ca 100644
')
optional_policy(`
-@@ -518,8 +899,36 @@ optional_policy(`
+@@ -518,8 +901,36 @@ optional_policy(`
dbus_system_bus_client(xdm_t)
dbus_connect_system_bus(xdm_t)
@@ -30432,7 +30562,7 @@ index 8b40377..bd907ca 100644
')
')
-@@ -530,6 +939,20 @@ optional_policy(`
+@@ -530,6 +941,20 @@ optional_policy(`
')
optional_policy(`
@@ -30453,7 +30583,7 @@ index 8b40377..bd907ca 100644
hostname_exec(xdm_t)
')
-@@ -547,28 +970,78 @@ optional_policy(`
+@@ -547,28 +972,78 @@ optional_policy(`
')
optional_policy(`
@@ -30541,7 +30671,7 @@ index 8b40377..bd907ca 100644
')
optional_policy(`
-@@ -580,6 +1053,14 @@ optional_policy(`
+@@ -580,6 +1055,14 @@ optional_policy(`
')
optional_policy(`
@@ -30556,7 +30686,7 @@ index 8b40377..bd907ca 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,7 +1075,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1077,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -30565,7 +30695,7 @@ index 8b40377..bd907ca 100644
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1085,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1087,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -30578,7 +30708,7 @@ index 8b40377..bd907ca 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1102,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1104,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -30594,7 +30724,7 @@ index 8b40377..bd907ca 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1118,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1120,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -30605,7 +30735,7 @@ index 8b40377..bd907ca 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1133,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1135,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -30647,7 +30777,7 @@ index 8b40377..bd907ca 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1184,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1186,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -30679,7 +30809,7 @@ index 8b40377..bd907ca 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -705,6 +1217,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1219,14 @@ fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -30694,7 +30824,7 @@ index 8b40377..bd907ca 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -718,20 +1238,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1240,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -30718,7 +30848,7 @@ index 8b40377..bd907ca 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1257,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1259,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -30727,7 +30857,7 @@ index 8b40377..bd907ca 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1301,54 @@ optional_policy(`
+@@ -785,17 +1303,54 @@ optional_policy(`
')
optional_policy(`
@@ -30784,7 +30914,7 @@ index 8b40377..bd907ca 100644
')
optional_policy(`
-@@ -803,6 +1356,10 @@ optional_policy(`
+@@ -803,6 +1358,10 @@ optional_policy(`
')
optional_policy(`
@@ -30795,7 +30925,7 @@ index 8b40377..bd907ca 100644
xfs_stream_connect(xserver_t)
')
-@@ -818,18 +1375,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1377,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -30820,7 +30950,7 @@ index 8b40377..bd907ca 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -842,26 +1398,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1400,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -30855,7 +30985,7 @@ index 8b40377..bd907ca 100644
')
optional_policy(`
-@@ -912,7 +1463,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1465,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -30864,7 +30994,7 @@ index 8b40377..bd907ca 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -966,11 +1517,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1519,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -30896,7 +31026,7 @@ index 8b40377..bd907ca 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -992,18 +1563,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1565,148 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -35296,7 +35426,7 @@ index 79a45f6..e90f7a4 100644
+ allow $1 init_var_lib_t:dir search_dir_perms;
')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..a78f8b6 100644
+index 17eda24..1f4dc71 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -35598,10 +35728,10 @@ index 17eda24..a78f8b6 100644
+
+miscfiles_manage_localization(init_t)
+miscfiles_filetrans_named_content(init_t)
++
++udev_manage_rules_files(init_t)
-miscfiles_read_localization(init_t)
-+udev_manage_rules_files(init_t)
-+
+userdom_use_user_ttys(init_t)
+userdom_manage_tmp_dirs(init_t)
+userdom_manage_tmp_sockets(init_t)
@@ -35614,7 +35744,7 @@ index 17eda24..a78f8b6 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +343,275 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +343,280 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -35664,6 +35794,11 @@ index 17eda24..a78f8b6 100644
+')
+
+optional_policy(`
++ gssproxy_noatsecure(init_t)
++ gssd_noatsecure(init_t)
++')
++
++optional_policy(`
+ anaconda_domtrans_install(init_t)
+')
+
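Review bot: `gssproxy_noatsecure(init_t)` and `gssd_noatsecure(init_t)` are placed in a single `optional_policy` block, so if either providing module is absent (gssproxy, or whichever module defines `gssd_noatsecure` — its definition is not in this diff) the whole block is dropped and init_t loses the rule for the other daemon as well; move `gssd_noatsecure(init_t)` into its own `optional_policy(`…')` block. It is also worth a one-line comment that `gssproxy_noatsecure` (added to gssproxy.if later in this diff) grants `rlimitinh` together with `noatsecure`, i.e. the transition from init_t into gssproxy_t keeps init's environment unsanitized and inherits its rlimits, e.g. `# systemd starts gssproxy with environment and rlimits intact (noatsecure rlimitinh)`.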
@@ -35872,9 +36007,10 @@ index 17eda24..a78f8b6 100644
+ optional_policy(`
+ devicekit_dbus_chat_power(init_t)
+ ')
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_use(init_t)
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
@@ -35885,10 +36021,9 @@ index 17eda24..a78f8b6 100644
+optional_policy(`
+ networkmanager_stream_connect(init_t)
+ networkmanager_stream_connect(initrc_t)
- ')
-
- optional_policy(`
-- nscd_use(init_t)
++')
++
++optional_policy(`
+ plymouthd_stream_connect(init_t)
+ plymouthd_exec_plymouth(init_t)
+ plymouthd_filetrans_named_content(init_t)
@@ -35899,7 +36034,7 @@ index 17eda24..a78f8b6 100644
')
optional_policy(`
-@@ -216,7 +619,30 @@ optional_policy(`
+@@ -216,7 +624,30 @@ optional_policy(`
')
optional_policy(`
@@ -35931,7 +36066,7 @@ index 17eda24..a78f8b6 100644
')
########################################
-@@ -225,9 +651,9 @@ optional_policy(`
+@@ -225,9 +656,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -35943,7 +36078,7 @@ index 17eda24..a78f8b6 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +684,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +689,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -35960,7 +36095,7 @@ index 17eda24..a78f8b6 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +709,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +714,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -36003,7 +36138,7 @@ index 17eda24..a78f8b6 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +746,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +751,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -36015,7 +36150,7 @@ index 17eda24..a78f8b6 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +758,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +763,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -36026,7 +36161,7 @@ index 17eda24..a78f8b6 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +769,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +774,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -36036,7 +36171,7 @@ index 17eda24..a78f8b6 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +778,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +783,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -36044,7 +36179,7 @@ index 17eda24..a78f8b6 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +785,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +790,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -36052,7 +36187,7 @@ index 17eda24..a78f8b6 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +793,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +798,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -36070,7 +36205,7 @@ index 17eda24..a78f8b6 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +811,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +816,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -36084,7 +36219,7 @@ index 17eda24..a78f8b6 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +826,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +831,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -36098,7 +36233,7 @@ index 17eda24..a78f8b6 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,8 +839,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +844,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -36109,7 +36244,7 @@ index 17eda24..a78f8b6 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +852,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +857,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -36117,7 +36252,7 @@ index 17eda24..a78f8b6 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +871,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +876,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -36141,7 +36276,7 @@ index 17eda24..a78f8b6 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +904,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +909,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -36149,7 +36284,7 @@ index 17eda24..a78f8b6 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +938,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +943,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -36160,7 +36295,7 @@ index 17eda24..a78f8b6 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +962,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +967,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -36169,7 +36304,7 @@ index 17eda24..a78f8b6 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +977,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +982,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -36177,7 +36312,7 @@ index 17eda24..a78f8b6 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +998,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +1003,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -36185,7 +36320,7 @@ index 17eda24..a78f8b6 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +1008,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +1013,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -36230,7 +36365,7 @@ index 17eda24..a78f8b6 100644
')
optional_policy(`
-@@ -559,14 +1053,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1058,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -36262,7 +36397,7 @@ index 17eda24..a78f8b6 100644
')
')
-@@ -577,6 +1088,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1093,39 @@ ifdef(`distro_suse',`
')
')
@@ -36302,7 +36437,7 @@ index 17eda24..a78f8b6 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1133,8 @@ optional_policy(`
+@@ -589,6 +1138,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -36311,7 +36446,7 @@ index 17eda24..a78f8b6 100644
')
optional_policy(`
-@@ -610,6 +1156,7 @@ optional_policy(`
+@@ -610,6 +1161,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -36319,7 +36454,7 @@ index 17eda24..a78f8b6 100644
')
optional_policy(`
-@@ -626,6 +1173,17 @@ optional_policy(`
+@@ -626,6 +1178,17 @@ optional_policy(`
')
optional_policy(`
@@ -36337,7 +36472,7 @@ index 17eda24..a78f8b6 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1200,13 @@ optional_policy(`
+@@ -642,9 +1205,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -36351,7 +36486,7 @@ index 17eda24..a78f8b6 100644
')
optional_policy(`
-@@ -657,15 +1219,11 @@ optional_policy(`
+@@ -657,15 +1224,11 @@ optional_policy(`
')
optional_policy(`
@@ -36369,7 +36504,7 @@ index 17eda24..a78f8b6 100644
')
optional_policy(`
-@@ -686,6 +1244,15 @@ optional_policy(`
+@@ -686,6 +1249,15 @@ optional_policy(`
')
optional_policy(`
@@ -36385,7 +36520,7 @@ index 17eda24..a78f8b6 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1293,7 @@ optional_policy(`
+@@ -726,6 +1298,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -36393,7 +36528,7 @@ index 17eda24..a78f8b6 100644
')
optional_policy(`
-@@ -743,7 +1311,13 @@ optional_policy(`
+@@ -743,7 +1316,13 @@ optional_policy(`
')
optional_policy(`
@@ -36408,7 +36543,7 @@ index 17eda24..a78f8b6 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1340,10 @@ optional_policy(`
+@@ -766,6 +1345,10 @@ optional_policy(`
')
optional_policy(`
@@ -36419,7 +36554,7 @@ index 17eda24..a78f8b6 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1353,20 @@ optional_policy(`
+@@ -775,10 +1358,20 @@ optional_policy(`
')
optional_policy(`
@@ -36440,7 +36575,7 @@ index 17eda24..a78f8b6 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1375,10 @@ optional_policy(`
+@@ -787,6 +1380,10 @@ optional_policy(`
')
optional_policy(`
@@ -36451,7 +36586,7 @@ index 17eda24..a78f8b6 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1400,6 @@ optional_policy(`
+@@ -808,8 +1405,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -36460,7 +36595,7 @@ index 17eda24..a78f8b6 100644
')
optional_policy(`
-@@ -818,6 +1408,10 @@ optional_policy(`
+@@ -818,6 +1413,10 @@ optional_policy(`
')
optional_policy(`
@@ -36471,7 +36606,7 @@ index 17eda24..a78f8b6 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1421,12 @@ optional_policy(`
+@@ -827,10 +1426,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -36484,7 +36619,7 @@ index 17eda24..a78f8b6 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1453,62 @@ optional_policy(`
+@@ -857,21 +1458,62 @@ optional_policy(`
')
optional_policy(`
@@ -36548,7 +36683,7 @@ index 17eda24..a78f8b6 100644
')
optional_policy(`
-@@ -887,6 +1524,10 @@ optional_policy(`
+@@ -887,6 +1529,10 @@ optional_policy(`
')
optional_policy(`
@@ -36559,7 +36694,7 @@ index 17eda24..a78f8b6 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1538,218 @@ optional_policy(`
+@@ -897,3 +1543,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 39466f6..99726a8 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -12376,7 +12376,7 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index 550b287..10b00ba 100644
+index 550b287..e799a42 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,18 +18,23 @@ files_type(certmonger_var_lib_t)
@@ -12469,7 +12469,7 @@ index 550b287..10b00ba 100644
')
optional_policy(`
-@@ -92,11 +111,61 @@ optional_policy(`
+@@ -92,11 +111,66 @@ optional_policy(`
')
optional_policy(`
@@ -12492,6 +12492,7 @@ index 550b287..10b00ba 100644
kerberos_use(certmonger_t)
+ kerberos_read_keytab(certmonger_t)
+ kerberos_manage_kdc_config(certmonger_t)
++ kerberos_filetrans_named_content(certmonger_t)
')
optional_policy(`
@@ -12505,6 +12506,10 @@ index 550b287..10b00ba 100644
+')
+
+optional_policy(`
++ rhcs_start_haproxy_services(certmonger_t)
++')
++
++optional_policy(`
+ sssd_delete_public_files(certmonger_t)
+')
+
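Review bot: `rhcs_start_haproxy_services(certmonger_t)` lets a certificate-renewal daemon exec systemctl and `start`/`status` the haproxy unit (per the interface body added to rhcs.if in this same diff), which is a new control path from certmonger into a network service and deserves a comment naming the trigger, e.g. `# certmonger post-save helper restarts haproxy to load the renewed cert` — that reason is my inference, confirm it. Note that the interface's `gen_require` needs `haproxy_unit_file_t`, so with the haproxy module not loaded this whole `optional_policy` block is silently dropped; that is fine only if nothing else in the block is needed without haproxy, which holds here since the call is alone.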
@@ -13617,7 +13622,7 @@ index 32e8265..ac74503 100644
+ allow $1 chronyd_unit_file_t:service all_service_perms;
')
diff --git a/chronyd.te b/chronyd.te
-index e5b621c..eba4e6d 100644
+index e5b621c..ded8e64 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@@ -13636,7 +13641,7 @@ index e5b621c..eba4e6d 100644
-allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
-allow chronyd_t self:process { getcap setcap setrlimit signal };
-+allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time chown };
++allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time chown net_admin };
+allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal };
allow chronyd_t self:shm create_shm_perms;
+allow chronyd_t self:udp_socket create_socket_perms;
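Review bot: `net_admin` is added to the rewritten `allow chronyd_t self:capability { … }` line with no comment, and it is one of the broadest capabilities (interface, routing and firewall configuration, privileged socket options such as SO_BINDTODEVICE, hardware-timestamping ioctls). Record the operation that needs it inline, e.g. `# net_admin: SO_BINDTODEVICE / SIOCSHWTSTAMP for hardware timestamping — confirm`, so a later reviewer can tell whether the grant is still required. If it was added in response to a single denial, check that the denial reproduces without it, since chronyd already has setuid/setgid and drops privileges early.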
@@ -15358,10 +15363,10 @@ index 0000000..d5920c0
+')
diff --git a/cockpit.te b/cockpit.te
new file mode 100644
-index 0000000..0167d62
+index 0000000..d60494e
--- /dev/null
+++ b/cockpit.te
-@@ -0,0 +1,120 @@
+@@ -0,0 +1,121 @@
+policy_module(cockpit, 1.0.0)
+
+########################################
@@ -15470,6 +15475,7 @@ index 0000000..0167d62
+auth_write_login_records(cockpit_session_t)
+
+corenet_tcp_bind_ssh_port(cockpit_session_t)
++corenet_tcp_connect_ssh_port(cockpit_session_t)
+
+# cockpit-session can execute cockpit-agent as the user
+userdom_spec_domtrans_all_users(cockpit_session_t)
@@ -19307,7 +19313,7 @@ index 1303b30..f13c532 100644
+ logging_log_filetrans($1, cron_log_t, $2, $3)
')
diff --git a/cron.te b/cron.te
-index 7de3859..65e947c 100644
+index 7de3859..b66e53f 100644
--- a/cron.te
+++ b/cron.te
@@ -11,46 +11,54 @@ gen_require(`
@@ -20024,7 +20030,7 @@ index 7de3859..65e947c 100644
')
optional_policy(`
-@@ -598,7 +618,27 @@ optional_policy(`
+@@ -598,7 +618,31 @@ optional_policy(`
')
optional_policy(`
@@ -20032,6 +20038,10 @@ index 7de3859..65e947c 100644
+')
+
+optional_policy(`
++ pcp_filetrans_named_content(system_cronjob_t)
++')
++
++optional_policy(`
postfix_read_config(system_cronjob_t)
+')
+
@@ -20052,7 +20062,7 @@ index 7de3859..65e947c 100644
')
optional_policy(`
-@@ -607,7 +647,12 @@ optional_policy(`
+@@ -607,7 +651,12 @@ optional_policy(`
')
optional_policy(`
@@ -20065,7 +20075,7 @@ index 7de3859..65e947c 100644
')
optional_policy(`
-@@ -615,12 +660,27 @@ optional_policy(`
+@@ -615,12 +664,27 @@ optional_policy(`
')
optional_policy(`
@@ -20095,7 +20105,7 @@ index 7de3859..65e947c 100644
#
allow cronjob_t self:process { signal_perms setsched };
-@@ -628,12 +688,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -628,12 +692,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
@@ -20129,7 +20139,7 @@ index 7de3859..65e947c 100644
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -641,66 +721,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -641,66 +725,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -36836,10 +36846,10 @@ index 0000000..f4659d1
+/var/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_var_run_t,s0)
diff --git a/gssproxy.if b/gssproxy.if
new file mode 100644
-index 0000000..2277038
+index 0000000..8a2013a
--- /dev/null
+++ b/gssproxy.if
-@@ -0,0 +1,199 @@
+@@ -0,0 +1,217 @@
+
+## policy for gssproxy
+
@@ -37039,9 +37049,27 @@ index 0000000..2277038
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
++
++########################################
++##
++## Read and write to svirt_image devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gssproxy_noatsecure',`
++ gen_require(`
++ type gssproxy_t;
++ ')
++
++ allow $1 gssproxy_t:process { noatsecure rlimitinh };
++')
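Review bot: The description of the new `gssproxy_noatsecure` interface reads "Read and write to svirt_image devices.", a copy-paste from an unrelated interface that says nothing about the body; replace it with `## Allow the caller to transition into gssproxy_t without AT_SECURE environment sanitizing and with its resource limits inherited.` The body also grants `rlimitinh`, which the name `_noatsecure` does not suggest, so either state it in the description (as proposed) or split `rlimitinh` into a separate interface so callers can opt in to each separately.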
diff --git a/gssproxy.te b/gssproxy.te
new file mode 100644
-index 0000000..5e43ca7
+index 0000000..27abcbb
--- /dev/null
+++ b/gssproxy.te
@@ -0,0 +1,74 @@
@@ -37069,7 +37097,7 @@ index 0000000..5e43ca7
+#
+# gssproxy local policy
+#
-+allow gssproxy_t self:capability { setuid setgid };
++allow gssproxy_t self:capability { setuid setgid dac_override };
+allow gssproxy_t self:capability2 block_suspend;
+allow gssproxy_t self:fifo_file rw_fifo_file_perms;
+allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
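Review bot: `dac_override` is added to gssproxy_t's capability line with nothing saying which file it is for; it bypasses every DAC mode check, so the preferred fix is to correct ownership or mode of the file gssproxy opens, or to use the narrower `dac_read_search` if the access is read-only. At minimum add a comment naming the path that produced the denial, e.g. `# dac_override: <path> — confirm whether dac_read_search suffices`. The rest of gssproxy_t's policy continues outside this hunk.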
@@ -39303,10 +39331,10 @@ index 0000000..ddbc007
+')
diff --git a/ipa.te b/ipa.te
new file mode 100644
-index 0000000..e4c5d89
+index 0000000..55e151e
--- /dev/null
+++ b/ipa.te
-@@ -0,0 +1,260 @@
+@@ -0,0 +1,264 @@
+policy_module(ipa, 1.0.0)
+
+########################################
@@ -39406,6 +39434,10 @@ index 0000000..e4c5d89
+manage_files_pattern(ipa_helper_t, ipa_log_t, ipa_log_t)
+logging_log_filetrans(ipa_helper_t, ipa_log_t, file)
+
++manage_dirs_pattern(ipa_helper_t, ipa_var_run_t, ipa_var_run_t)
++manage_files_pattern(ipa_helper_t, ipa_var_run_t, ipa_var_run_t)
++files_pid_filetrans(ipa_helper_t, ipa_var_run_t, { dir file })
++
+kernel_read_system_state(ipa_helper_t)
+kernel_read_network_state(ipa_helper_t)
+
@@ -42793,7 +42825,7 @@ index 4fe75fd..3504a9b 100644
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/kerberos.if b/kerberos.if
-index f6c00d8..b7e477d 100644
+index f6c00d8..79ea4d8 100644
--- a/kerberos.if
+++ b/kerberos.if
@@ -1,27 +1,29 @@
@@ -43137,8 +43169,8 @@ index f6c00d8..b7e477d 100644
files_search_etc($1)
- allow $1 krb5_keytab_t:file manage_file_perms;
-+ read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
-+ list_dirs_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
++ manage_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
++ manage_dirs_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
')
########################################
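Review bot: The interface body changes from `read_files_pattern`/`list_dirs_pattern` to `manage_files_pattern`/`manage_dirs_pattern` on krb5kdc_conf_t, which turns a read-only grant into create/write/unlink/rename for every existing caller; the interface's name and description are outside this hunk, so if this is a `kerberos_read_*` interface its callers silently gain write access to KDC configuration. certmonger.te in this same diff calls a `kerberos_manage_kdc_config`, so either this is that interface and its description should say "manage", or the read interface should stay read-only and the manage rules belong in the manage-named one.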
@@ -46379,7 +46411,7 @@ index dff21a7..b6981c8 100644
init_labeled_script_domtrans($1, lircd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/lircd.te b/lircd.te
-index 483c87b..f68ee3a 100644
+index 483c87b..df73ba0 100644
--- a/lircd.te
+++ b/lircd.te
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
@@ -46412,6 +46444,15 @@ index 483c87b..f68ee3a 100644
corenet_all_recvfrom_unlabeled(lircd_t)
corenet_all_recvfrom_netlabel(lircd_t)
corenet_tcp_sendrecv_generic_if(lircd_t)
+@@ -56,7 +58,7 @@ dev_read_mouse(lircd_t)
+ dev_filetrans_lirc(lircd_t)
+ dev_rw_lirc(lircd_t)
+ dev_rw_input_dev(lircd_t)
+-dev_read_sysfs(lircd_t)
++dev_rw_sysfs(lircd_t)
+
+ files_read_config_files(lircd_t)
+ files_list_var(lircd_t)
@@ -64,9 +66,11 @@ files_manage_generic_locks(lircd_t)
files_read_all_locks(lircd_t)
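Review bot: `dev_read_sysfs(lircd_t)` becomes `dev_rw_sysfs(lircd_t)`, which permits writes to every file labelled sysfs_t rather than the one attribute lircd presumably needs (the target node is not in the hunk), and sysfs writes can reconfigure devices system-wide. Prefer a dedicated label or the device-class interface for the specific path, and at minimum add a comment naming it, e.g. `# lircd writes <sysfs attribute> — confirm; rw on all of sysfs_t is broad`. lircd_t's rule set continues outside this hunk.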
@@ -69520,10 +69561,10 @@ index 0000000..de7c78c
+/var/run/pmlogger\.primary\.socket -l gen_context(system_u:object_r:pcp_var_run_t,s0)
diff --git a/pcp.if b/pcp.if
new file mode 100644
-index 0000000..80246e6
+index 0000000..abb250d
--- /dev/null
+++ b/pcp.if
-@@ -0,0 +1,144 @@
+@@ -0,0 +1,160 @@
+## The pcp command summarizes the status of a Performance Co-Pilot (PCP) installation
+
+######################################
@@ -69668,12 +69709,28 @@ index 0000000..80246e6
+ can_exec($1, pcp_pmlogger_exec_t)
+')
+
++#######################################
++##
++## Transition to pcp named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pcp_filetrans_named_content',`
++ gen_require(`
++ type pcp_var_run_t;
++ ')
++ files_pid_filetrans($1, pcp_var_run_t, dir, "pcp")
++')
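Review bot: `pcp_filetrans_named_content` only adds a type_transition for a directory named `pcp` created under /run; it does not let the caller create or manage pcp_var_run_t, so callers must combine it with a manage interface — say so in the description, e.g. `## Transition to pcp named content in /run (caller must separately be allowed to create pcp_var_run_t dirs).` Style: the other interfaces in this file separate `gen_require(…)` from the rules with a blank line; add one before `files_pid_filetrans`.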
diff --git a/pcp.te b/pcp.te
new file mode 100644
-index 0000000..e55bf80
+index 0000000..7bd521e
--- /dev/null
+++ b/pcp.te
-@@ -0,0 +1,308 @@
+@@ -0,0 +1,309 @@
+policy_module(pcp, 1.0.0)
+
+########################################
@@ -69784,7 +69841,7 @@ index 0000000..e55bf80
+# pcp_pmcd local policy
+#
+
-+allow pcp_pmcd_t self:capability { sys_admin sys_ptrace };
++allow pcp_pmcd_t self:capability { net_admin sys_admin sys_ptrace };
+allow pcp_pmcd_t self:process { setsched };
+allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;
+
@@ -69795,6 +69852,7 @@ index 0000000..e55bf80
+kernel_read_fs_sysctls(pcp_pmcd_t)
+kernel_read_rpc_sysctls(pcp_pmcd_t)
+kernel_search_network_sysctl(pcp_pmcd_t)
++kernel_read_net_sysctls(pcp_pmcd_t)
+
+corecmd_exec_bin(pcp_pmcd_t)
+
@@ -72108,10 +72166,10 @@ index 0000000..47cd0f8
+/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
diff --git a/pki.if b/pki.if
new file mode 100644
-index 0000000..798efb6
+index 0000000..5c7f232
--- /dev/null
+++ b/pki.if
-@@ -0,0 +1,287 @@
+@@ -0,0 +1,404 @@
+
+## policy for pki
+
@@ -72138,6 +72196,46 @@ index 0000000..798efb6
+
+########################################
+##
++## Allow read and write pki cert files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_manage_tomcat_cert',`
++ gen_require(`
++ type pki_tomcat_cert_t;
++ type pki_tomcat_etc_rw_t;
++ ')
++
++ allow $1 pki_tomcat_etc_rw_t:dir manage_dir_perms;
++ manage_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
++ manage_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
++')
++
++########################################
++##
++## Allow read and write pki cert files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_manage_tomcat_etc_rw',`
++ gen_require(`
++ type pki_tomcat_etc_rw_t;
++ ')
++
++ manage_files_pattern($1, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
++ manage_lnk_files_pattern($1, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
++')
++
++########################################
++##
+## Allow domain to read pki cert files.
+##
+##
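Review bot: `pki_manage_tomcat_etc_rw`'s description is a copy of the previous interface's ("Allow read and write pki cert files.") and should read `## Allow domain to manage pki tomcat etc_rw files.`; likewise `pki_manage_tomcat_cert`'s description understates its body, which grants full manage (create/unlink/rename) on pki_tomcat_cert_t files and symlinks plus `manage_dir_perms` on the pki_tomcat_etc_rw_t directory. The directory grant is what lets a caller add or remove cert files, so name it in the description, and consider `files_search_etc($1)` if these paths live under /etc — the types' file contexts are outside this hunk.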
@@ -72335,6 +72433,25 @@ index 0000000..798efb6
+##
+##
+#
++interface(`pki_search_log_dirs',`
++ gen_require(`
++ type pki_log_t;
++ ')
++
++ search_dirs_pattern($1, pki_log_t, pki_log_t)
++
++')
++
++##################################
++##
++## Dontaudit domain to write pki log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`pki_dontaudit_write_log',`
+ gen_require(`
+ type pki_log_t;
@@ -72395,10 +72512,68 @@ index 0000000..798efb6
+ gen_require(`
+ type pki_tomcat_var_lib_t;
+ ')
-+
++
+ read_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+ read_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+')
++
++
++#################################
++##
++## Allow domain to manage pki tomcat lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_manage_tomcat_lib',`
++ gen_require(`
++ type pki_tomcat_var_lib_t;
++ ')
++
++ manage_dirs_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
++ manage_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
++ manage_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
++')
++
++#################################
++##
++## Allow domain to manage pki tomcat lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_manage_tomcat_log',`
++ gen_require(`
++ type pki_tomcat_log_t;
++ ')
++
++ manage_dirs_pattern($1, pki_tomcat_log_t, pki_tomcat_log_t)
++ manage_files_pattern($1, pki_tomcat_log_t, pki_tomcat_log_t)
++')
++
++#################################
++##
++## Allow domain to read pki tomcat lib dirs
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_read_tomcat_lib_dirs',`
++ gen_require(`
++ type pki_tomcat_var_lib_t;
++ ')
++
++ list_dirs_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
++')
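Review bot: `pki_manage_tomcat_log`'s description says "manage pki tomcat lib files" but its body manages pki_tomcat_log_t; change it to `## Allow domain to manage pki tomcat log files.` The first two lines of this hunk inside `pki_read_tomcat_lib` appear to be a whitespace-only change (`-+` → `++`), which would be cleaner squashed out of a functional commit. `pki_read_tomcat_lib_dirs` only grants `list_dirs_pattern`, so its description could say "list" rather than "read" to match the body.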
diff --git a/pki.te b/pki.te
new file mode 100644
index 0000000..bdeebb9
@@ -84368,7 +84543,7 @@ index 4460582..4c66c25 100644
+
')
diff --git a/radius.te b/radius.te
-index 403a4fe..93085f2 100644
+index 403a4fe..95b5e45 100644
--- a/radius.te
+++ b/radius.te
@@ -5,6 +5,13 @@ policy_module(radius, 1.13.0)
@@ -84385,7 +84560,7 @@ index 403a4fe..93085f2 100644
type radiusd_t;
type radiusd_exec_t;
init_daemon_domain(radiusd_t, radiusd_exec_t)
-@@ -27,6 +34,9 @@ files_type(radiusd_var_lib_t)
+@@ -27,14 +34,17 @@ files_type(radiusd_var_lib_t)
type radiusd_var_run_t;
files_pid_file(radiusd_var_run_t)
@@ -84395,9 +84570,10 @@ index 403a4fe..93085f2 100644
########################################
#
# Local policy
-@@ -34,7 +44,7 @@ files_pid_file(radiusd_var_run_t)
+ #
- allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
+-allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
++allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config sys_ptrace };
dontaudit radiusd_t self:capability sys_tty_config;
-allow radiusd_t self:process { getsched setrlimit setsched sigkill signal };
+allow radiusd_t self:process { getsched setrlimit setsched sigkill signal ptrace};
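Review bot: `sys_ptrace` is added to radiusd_t's capability set ungated, whereas elsewhere in this same diff (`rhcs_admin`) ptrace access is wrapped in `tunable_policy(`deny_ptrace', …)`; CAP_SYS_PTRACE lets the daemon read other processes' memory and /proc state regardless of the self-only `ptrace` on the `self:process` context line, so gate it the same way: `tunable_policy(`deny_ptrace',`',`` / `allow radiusd_t self:capability sys_ptrace;` / `')`. Add a comment naming the radiusd module or operation that triggers the denial, and while here the pre-existing `ptrace};` on the context line can become `ptrace };` to match the file's spacing.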
@@ -87419,7 +87595,7 @@ index 47de2d6..6baf5cd 100644
+/var/log/pacemaker\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0)
diff --git a/rhcs.if b/rhcs.if
-index c8bdea2..8ad3e01 100644
+index c8bdea2..beb2872 100644
--- a/rhcs.if
+++ b/rhcs.if
@@ -1,19 +1,19 @@
@@ -87870,7 +88046,7 @@ index c8bdea2..8ad3e01 100644
')
######################################
-@@ -446,52 +577,385 @@ interface(`rhcs_domtrans_qdiskd',`
+@@ -446,52 +577,404 @@ interface(`rhcs_domtrans_qdiskd',`
########################################
##
@@ -87908,16 +88084,10 @@ index c8bdea2..8ad3e01 100644
#
-interface(`rhcs_admin',`
+interface(`rhcs_read_cluster_lib_files',`
- gen_require(`
-- attribute cluster_domain, cluster_pid, cluster_tmpfs;
-- attribute cluster_log;
-- type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t;
-- type fenced_tmp_t, qdiskd_var_lib_t;
++ gen_require(`
+ type cluster_var_lib_t;
- ')
-
-- allow $1 cluster_domain:process { ptrace signal_perms };
-- ps_process_pattern($1, cluster_domain)
++ ')
++
+ files_search_var_lib($1)
+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
@@ -87936,17 +88106,11 @@ index c8bdea2..8ad3e01 100644
+ gen_require(`
+ type cluster_var_lib_t;
+ ')
-
-- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
-- domain_system_change_exemption($1)
-- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
-- allow $2 system_r;
++
+ files_search_var_lib($1)
+ manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
-
-- files_search_pids($1)
-- admin_pattern($1, cluster_pid)
++
+####################################
+##
+## Allow domain to relabel cluster lib files
@@ -87966,9 +88130,7 @@ index c8bdea2..8ad3e01 100644
+ relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
-
-- files_search_locks($1)
-- admin_pattern($1, fenced_lock_t)
++
+######################################
+##
+## Execute a domain transition to run cluster administrative domain.
@@ -87983,15 +88145,11 @@ index c8bdea2..8ad3e01 100644
+ gen_require(`
+ type cluster_t, cluster_exec_t;
+ ')
-
-- files_search_tmp($1)
-- admin_pattern($1, fenced_tmp_t)
++
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cluster_exec_t, cluster_t)
+')
-
-- files_search_var_lib($1)
-- admin_pattern($1, qdiskd_var_lib_t)
++
+#######################################
+##
+## Execute cluster init scripts in
@@ -88007,9 +88165,7 @@ index c8bdea2..8ad3e01 100644
+ gen_require(`
+ type cluster_initrc_exec_t;
+ ')
-
-- fs_search_tmpfs($1)
-- admin_pattern($1, cluster_tmpfs)
++
+ init_labeled_script_domtrans($1, cluster_initrc_exec_t)
+')
+
@@ -88220,17 +88376,31 @@ index c8bdea2..8ad3e01 100644
+##
+#
+interface(`rhcs_dbus_chat_cluster',`
-+ gen_require(`
+ gen_require(`
+- attribute cluster_domain, cluster_pid, cluster_tmpfs;
+- attribute cluster_log;
+- type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t;
+- type fenced_tmp_t, qdiskd_var_lib_t;
+ type cluster_t;
+ class dbus send_msg;
-+ ')
-+
+ ')
+
+- allow $1 cluster_domain:process { ptrace signal_perms };
+- ps_process_pattern($1, cluster_domain)
+ allow $1 cluster_t:dbus send_msg;
+ allow cluster_t $1:dbus send_msg;
+')
-+
-+
-+
+
+- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
+- domain_system_change_exemption($1)
+- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
+- allow $2 system_r;
+
+- files_search_pids($1)
+- admin_pattern($1, cluster_pid)
+
+- files_search_locks($1)
+- admin_pattern($1, fenced_lock_t)
+#####################################
+##
+## All of the rules required to administrate
@@ -88254,14 +88424,20 @@ index c8bdea2..8ad3e01 100644
+ type cluster_tmpfs_t, cluster_var_log_t, cluster_var_run_t;
+ type cluster_unit_file_t;
+ ')
-+
+
+- files_search_tmp($1)
+- admin_pattern($1, fenced_tmp_t)
+ allow $1 cluster_t:process signal_perms;
+ ps_process_pattern($1, cluster_t)
-+
+
+- files_search_var_lib($1)
+- admin_pattern($1, qdiskd_var_lib_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cluster_t:process ptrace;
+ ')
-+
+
+- fs_search_tmpfs($1)
+- admin_pattern($1, cluster_tmpfs)
+ init_labeled_script_domtrans($1, cluster_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 cluster_initrc_exec_t system_r;
@@ -88277,12 +88453,31 @@ index c8bdea2..8ad3e01 100644
+
+ files_list_pids($1)
+ admin_pattern($1, cluster_var_run_t)
-
-- logging_search_logs($1)
-- admin_pattern($1, cluster_log)
++
+ rhcs_systemctl_cluster($1)
+ admin_pattern($1, cluster_unit_file_t)
+ allow $1 cluster_unit_file_t:service all_service_perms;
++')
++
++########################################
++##
++## Start haproxy unit files domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`rhcs_start_haproxy_services',`
++ gen_require(`
++ type haproxy_unit_file_t;
++ ')
+
+- logging_search_logs($1)
+- admin_pattern($1, cluster_log)
++ systemd_exec_systemctl($1)
++ allow $1 haproxy_unit_file_t:service {status start};
')
diff --git a/rhcs.te b/rhcs.te
index 6cf79c4..5279416 100644
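Review bot: `rhcs_start_haproxy_services` is added to rhcs.if but its gen_require pulls in `haproxy_unit_file_t`, a type that presumably belongs to the haproxy module rather than rhcs, so the interface only resolves when both modules are loaded and every caller must wrap it in optional_policy; the conventional home for it would be a `haproxy_start_services` interface in haproxy.if, which is not visible here. Its summary "Start haproxy unit files domain." also misstates what is granted — systemctl execution plus `status start` on the unit — and `## Allow the caller to run systemctl to start and query the haproxy unit.` would be accurate. The permission set should follow the spacing used elsewhere in this file: `allow $1 haproxy_unit_file_t:service { status start };`.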
@@ -91079,7 +91274,7 @@ index a6fb30c..97ef313 100644
+/var/run/rpc\.statd\.lock -- gen_context(system_u:object_r:rpcd_lock_t,s0)
+
diff --git a/rpc.if b/rpc.if
-index 0bf13c2..ed393a0 100644
+index 0bf13c2..9572351 100644
--- a/rpc.if
+++ b/rpc.if
@@ -1,4 +1,4 @@
@@ -91397,11 +91592,10 @@ index 0bf13c2..ed393a0 100644
files_search_var_lib($1)
- allow $1 var_lib_nfs_t:dir search;
+ allow $1 var_lib_nfs_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Read nfs lib files.
++')
++
++########################################
++##
+## List NFS state data in /var/lib/nfs.
+##
+##
@@ -91417,10 +91611,11 @@ index 0bf13c2..ed393a0 100644
+
+ files_search_var_lib($1)
+ allow $1 var_lib_nfs_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read nfs lib files.
+## Manage NFS state data in /var/lib/nfs.
+##
+##
@@ -91529,7 +91724,7 @@ index 0bf13c2..ed393a0 100644
')
allow $1 rpc_domain:process { ptrace signal_perms };
-@@ -411,7 +504,7 @@ interface(`rpc_admin',`
+@@ -411,10 +504,28 @@ interface(`rpc_admin',`
admin_pattern($1, rpcd_var_run_t)
files_list_all($1)
@@ -91538,6 +91733,27 @@ index 0bf13c2..ed393a0 100644
files_list_tmp($1)
admin_pattern($1, gssd_tmp_t)
+
+ fs_search_nfsd_fs($1)
+ ')
++
++########################################
++##
++## Read and write to svirt_image devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpc_gssd_noatsecure',`
++ gen_require(`
++ type gssd_t;
++ ')
++
++ allow $1 gssd_t:process { noatsecure rlimitinh };
++')
diff --git a/rpc.te b/rpc.te
index 2da9fca..f97a61a 100644
--- a/rpc.te
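Review bot: The header comment of the new `rpc_gssd_noatsecure` interface says "Read and write to svirt_image devices", which is a copy-paste leftover and does not describe the rule `allow $1 gssd_t:process { noatsecure rlimitinh };`. noatsecure lets the caller transition into gssd_t without AT_SECURE being set (so the dynamic loader's secure-execution handling is not applied to the new image) and rlimitinh lets gssd_t inherit the caller's resource limits; both are worth spelling out because the interface should only ever be handed to init-like domains. Proposed summary: `## Allow the caller to transition to gssd_t without AT_SECURE and with inherited resource limits.` The changelog also names a sibling `gssproxy_noatsecure()` that is outside this chunk; its wording should be checked the same way.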
@@ -98811,10 +99027,10 @@ index 0000000..7a058a8
+')
diff --git a/sbd.te b/sbd.te
new file mode 100644
-index 0000000..95a5182
+index 0000000..9c44c87
--- /dev/null
+++ b/sbd.te
-@@ -0,0 +1,52 @@
+@@ -0,0 +1,54 @@
+policy_module(sbd, 1.0.0)
+
+########################################
@@ -98862,6 +99078,8 @@ index 0000000..95a5182
+
+logging_send_syslog_msg(sbd_t)
+
++storage_raw_rw_fixed_disk(sbd_t)
++
+optional_policy(`
+ rhcs_rw_cluster_tmpfs(sbd_t)
+ rhcs_stream_connect_cluster(sbd_t)
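Review bot: `storage_raw_rw_fixed_disk(sbd_t)` grants read/write on every block device labeled fixed_disk_device_t, not only the shared fencing device sbd is configured with, and the new line carries no comment saying why. A one-line justification would help the next reviewer, e.g. `# sbd reads and writes its message slots directly on the shared STONITH block device`. If the fencing device can be given a dedicated type, a rule scoped to that type would be preferable, but nothing in this chunk shows such a type exists. The rest of the sbd_t policy is outside this hunk.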
@@ -99999,7 +100217,7 @@ index 35ad2a7..afdc7da 100644
+ admin_pattern($1, mail_spool_t)
')
diff --git a/sendmail.te b/sendmail.te
-index 12700b4..27adacc 100644
+index 12700b4..3a32af4 100644
--- a/sendmail.te
+++ b/sendmail.te
@@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t;
@@ -100034,12 +100252,14 @@ index 12700b4..27adacc 100644
logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir })
manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
-@@ -63,33 +65,21 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
+@@ -63,33 +65,23 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
kernel_read_network_state(sendmail_t)
kernel_read_kernel_sysctls(sendmail_t)
+# for piping mail to a command
kernel_read_system_state(sendmail_t)
++kernel_search_network_sysctl(sendmail_t)
++kernel_read_kernel_sysctls(sendmail_t)
-corenet_all_recvfrom_unlabeled(sendmail_t)
corenet_all_recvfrom_netlabel(sendmail_t)
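Review bot: The added `kernel_read_kernel_sysctls(sendmail_t)` duplicates the unchanged `kernel_read_kernel_sysctls(sendmail_t)` line a few lines above in the same hunk, so it is a no-op and should be dropped, leaving only `kernel_search_network_sysctl(sendmail_t)` as the new rule. The `# for piping mail to a command` comment sits on the line before `kernel_read_system_state` and does not explain the sysctl grants that now follow it; since the changelog only says "Allow sendmail to search network sysctls", a short comment naming the denial the search permission addresses would be useful. The sendmail_t rules continue outside this hunk.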
@@ -100072,7 +100292,7 @@ index 12700b4..27adacc 100644
fs_getattr_all_fs(sendmail_t)
fs_search_auto_mountpoints(sendmail_t)
-@@ -98,35 +88,49 @@ fs_rw_anon_inodefs_files(sendmail_t)
+@@ -98,35 +90,49 @@ fs_rw_anon_inodefs_files(sendmail_t)
term_dontaudit_use_console(sendmail_t)
term_dontaudit_use_generic_ptys(sendmail_t)
@@ -100128,7 +100348,7 @@ index 12700b4..27adacc 100644
')
optional_policy(`
-@@ -134,8 +138,8 @@ optional_policy(`
+@@ -134,8 +140,8 @@ optional_policy(`
')
optional_policy(`
@@ -100139,7 +100359,7 @@ index 12700b4..27adacc 100644
')
optional_policy(`
-@@ -164,6 +168,10 @@ optional_policy(`
+@@ -164,6 +170,10 @@ optional_policy(`
')
optional_policy(`
@@ -100150,7 +100370,7 @@ index 12700b4..27adacc 100644
milter_stream_connect_all(sendmail_t)
')
-@@ -172,6 +180,11 @@ optional_policy(`
+@@ -172,6 +182,11 @@ optional_policy(`
')
optional_policy(`
@@ -100162,7 +100382,7 @@ index 12700b4..27adacc 100644
postfix_domtrans_postdrop(sendmail_t)
postfix_domtrans_master(sendmail_t)
postfix_domtrans_postqueue(sendmail_t)
-@@ -193,6 +206,10 @@ optional_policy(`
+@@ -193,6 +208,10 @@ optional_policy(`
')
optional_policy(`
@@ -100173,7 +100393,7 @@ index 12700b4..27adacc 100644
udev_read_db(sendmail_t)
')
-@@ -206,8 +223,6 @@ optional_policy(`
+@@ -206,8 +225,6 @@ optional_policy(`
#
optional_policy(`
@@ -109818,10 +110038,10 @@ index 0000000..46f12a4
+')
diff --git a/tlp.te b/tlp.te
new file mode 100644
-index 0000000..0183c55
+index 0000000..ae69138
--- /dev/null
+++ b/tlp.te
-@@ -0,0 +1,65 @@
+@@ -0,0 +1,70 @@
+policy_module(tlp, 1.0.0)
+
+########################################
@@ -109881,12 +110101,17 @@ index 0000000..0183c55
+modutils_read_module_config(tlp_t)
+
+storage_raw_read_fixed_disk(tlp_t)
++storage_raw_write_removable_device(tlp_t)
+
+sysnet_exec_ifconfig(tlp_t)
+
+optional_policy(`
+ fstools_exec(tlp_t)
+')
++
++optional_policy(`
++ mount_domtrans(tlp_t)
++')
diff --git a/tmpreaper.te b/tmpreaper.te
index 585a77f..a7cb326 100644
--- a/tmpreaper.te
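Review bot: The changelog for this change says tlp_t should be allowed to "ioctl removable devices", but the added `storage_raw_write_removable_device(tlp_t)` grants write access on removable block devices (whatever write_blk_file_perms expands to in this tree), which is broader than an ioctl-only need. If only ioctl is required, a narrower interface or rule should be used; if write is genuinely needed, the changelog wording should say so. Both new grants, this one and `mount_domtrans(tlp_t)`, would benefit from a one-line comment tying them to the denial they fix, e.g. `# BZ 1436830: tlp issues ioctls on removable drives`. The tlp_t rules continue outside this hunk.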
@@ -110459,10 +110684,10 @@ index 0000000..e5cec8f
+')
diff --git a/tomcat.te b/tomcat.te
new file mode 100644
-index 0000000..3157eb8
+index 0000000..1aa150f
--- /dev/null
+++ b/tomcat.te
-@@ -0,0 +1,70 @@
+@@ -0,0 +1,85 @@
+policy_module(tomcat, 1.0.0)
+
+########################################
@@ -110482,10 +110707,24 @@ index 0000000..3157eb8
+# tomcat local policy
+#
+
++
++optional_policy(`
++ pki_manage_tomcat_cert(tomcat_t)
++ pki_manage_apache_log_files(tomcat_t)
++ pki_manage_tomcat_lib(tomcat_t)
++ pki_manage_tomcat_etc_rw(tomcat_t)
++ pki_search_log_dirs(tomcat_t)
++ pki_manage_tomcat_log(tomcat_t)
++')
++
+optional_policy(`
+ unconfined_domain(tomcat_t)
+')
+
++optional_policy(`
++ ipa_read_lib(tomcat_t)
++')
++
+########################################
+#
+# tomcat domain local policy
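Review bot: The new `pki_manage_*` grants for tomcat_t are placed directly above an unchanged optional_policy block that makes tomcat_t an unconfined domain whenever the unconfined module is loaded, so on such installs they add nothing and they only take effect once that module is removed; a comment should make this explicit so a reader does not assume tomcat_t is confined, e.g. `# Only effective when the unconfined module is absent; otherwise tomcat_t is unconfined.`. `pki_manage_tomcat_etc_rw` and `pki_manage_tomcat_cert` in particular give write access to configuration and certificate material, which deserves a one-line justification tied to the IPA install flow the changelog mentions. The extra blank line after the section header should be reduced to one.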
@@ -110513,6 +110752,7 @@ index 0000000..3157eb8
+corenet_tcp_bind_http_cache_port(tomcat_domain)
+corenet_tcp_bind_mxi_port(tomcat_domain)
+corenet_tcp_connect_http_port(tomcat_domain)
++corenet_tcp_connect_ldap_port(tomcat_domain)
+corenet_tcp_connect_mxi_port(tomcat_domain)
+corenet_tcp_connect_http_cache_port(tomcat_domain)
+
@@ -115134,7 +115374,7 @@ index facdee8..487857a 100644
+ dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
')
diff --git a/virt.te b/virt.te
-index f03dcf5..d790a0d 100644
+index f03dcf5..006d4b5 100644
--- a/virt.te
+++ b/virt.te
@@ -1,451 +1,413 @@
@@ -116158,7 +116398,7 @@ index f03dcf5..d790a0d 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -746,44 +718,336 @@ optional_policy(`
+@@ -746,44 +718,341 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@@ -116208,12 +116448,17 @@ index f03dcf5..d790a0d 100644
+files_pid_filetrans(virtlogd_t, virtlogd_var_run_t, file)
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
-+kernel_read_network_state(virtlogd_t)
++manage_dirs_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)
++manage_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)
++manage_lnk_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)
++files_tmp_filetrans(virtlogd_t, svirt_tmp_t, { file dir lnk_file })
-allow virsh_t svirt_lxc_domain:process transition;
-+allow virtlogd_t self:unix_stream_socket create_stream_socket_perms;
++kernel_read_network_state(virtlogd_t)
-can_exec(virsh_t, virsh_exec_t)
++allow virtlogd_t self:unix_stream_socket create_stream_socket_perms;
++
+dev_read_sysfs(virtlogd_t)
+
+logging_send_syslog_msg(virtlogd_t)
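Review bot: The added rules give virtlogd_t manage rights on svirt_tmp_t directories, files and symlinks and make it create svirt_tmp_t objects in /tmp, while the changelog entry for this change says "virt_tmp_t"; one of the two is wrong and the intended type should be confirmed before this ships. If svirt_tmp_t is the type used by guest (svirt) domains for their temp files, a host daemon creating and following symlinks under a label a guest can populate crosses a trust boundary and needs an explanatory comment, e.g. `# NOTE(review): confirm the intended type — changelog says virt_tmp_t`. Whether svirt_tmp_t is guest-writable is not visible in this chunk.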
@@ -116303,7 +116548,7 @@ index f03dcf5..d790a0d 100644
+dontaudit virt_domain virt_tmpfs_type:file { read write };
+
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
-+
+
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+
+corecmd_exec_bin(virt_domain)
@@ -116361,7 +116606,7 @@ index f03dcf5..d790a0d 100644
+term_getattr_pty_fs(virt_domain)
+term_use_generic_ptys(virt_domain)
+term_use_ptmx(virt_domain)
-
++
+tunable_policy(`virt_use_execmem',`
+ allow virt_domain self:process { execmem execstack };
+')
@@ -116517,7 +116762,7 @@ index f03dcf5..d790a0d 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1058,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1063,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -116544,7 +116789,7 @@ index f03dcf5..d790a0d 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1078,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1083,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -116578,7 +116823,7 @@ index f03dcf5..d790a0d 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1115,20 @@ optional_policy(`
+@@ -856,14 +1120,20 @@ optional_policy(`
')
optional_policy(`
@@ -116600,7 +116845,7 @@ index f03dcf5..d790a0d 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1153,66 @@ optional_policy(`
+@@ -888,49 +1158,66 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -116685,7 +116930,7 @@ index f03dcf5..d790a0d 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1224,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1229,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -116705,7 +116950,7 @@ index f03dcf5..d790a0d 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1245,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1250,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -116729,7 +116974,7 @@ index f03dcf5..d790a0d 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1270,296 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1275,296 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -116760,8 +117005,7 @@ index f03dcf5..d790a0d 100644
+optional_policy(`
+ container_exec_lib(virtd_lxc_t)
+')
-
--sysnet_domtrans_ifconfig(virtd_lxc_t)
++
+optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t)
+')
@@ -116769,7 +117013,8 @@ index f03dcf5..d790a0d 100644
+optional_policy(`
+ setrans_manage_pid_files(virtd_lxc_t)
+')
-+
+
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(`
+ unconfined_domain(virtd_lxc_t)
+')
@@ -116802,89 +117047,7 @@ index f03dcf5..d790a0d 100644
+tunable_policy(`deny_ptrace',`',`
+ allow svirt_sandbox_domain self:process ptrace;
+')
-
--allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
--allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
--allow svirt_lxc_domain self:fifo_file manage_file_perms;
--allow svirt_lxc_domain self:sem create_sem_perms;
--allow svirt_lxc_domain self:shm create_shm_perms;
--allow svirt_lxc_domain self:msgq create_msgq_perms;
--allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
--allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
--
--allow svirt_lxc_domain virtd_lxc_t:fd use;
--allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
--allow svirt_lxc_domain virtd_lxc_t:process sigchld;
--
--allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
--
--allow svirt_lxc_domain virsh_t:fd use;
--allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
--allow svirt_lxc_domain virsh_t:process sigchld;
--
--allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
--allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
--
--manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--
--allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
--allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
--
--can_exec(svirt_lxc_domain, svirt_lxc_file_t)
--
--kernel_getattr_proc(svirt_lxc_domain)
--kernel_list_all_proc(svirt_lxc_domain)
--kernel_read_kernel_sysctls(svirt_lxc_domain)
--kernel_rw_net_sysctls(svirt_lxc_domain)
--kernel_read_system_state(svirt_lxc_domain)
--kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
--
--corecmd_exec_all_executables(svirt_lxc_domain)
--
--files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
--files_dontaudit_getattr_all_files(svirt_lxc_domain)
--files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
--files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
--files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
--files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
--files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
--# files_entrypoint_all_files(svirt_lxc_domain)
--files_list_var(svirt_lxc_domain)
--files_list_var_lib(svirt_lxc_domain)
--files_search_all(svirt_lxc_domain)
--files_read_config_files(svirt_lxc_domain)
--files_read_usr_files(svirt_lxc_domain)
--files_read_usr_symlinks(svirt_lxc_domain)
--
--fs_getattr_all_fs(svirt_lxc_domain)
--fs_list_inotifyfs(svirt_lxc_domain)
--
--# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
--# fs_rw_inherited_cifs_files(svirt_lxc_domain)
--# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
--
--auth_dontaudit_read_login_records(svirt_lxc_domain)
--auth_dontaudit_write_login_records(svirt_lxc_domain)
--auth_search_pam_console_data(svirt_lxc_domain)
--
--clock_read_adjtime(svirt_lxc_domain)
--
--init_read_utmp(svirt_lxc_domain)
--init_dontaudit_write_utmp(svirt_lxc_domain)
--
--libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
--
--miscfiles_read_localization(svirt_lxc_domain)
--miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
--miscfiles_read_fonts(svirt_lxc_domain)
--
--mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
++
+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
@@ -116974,26 +117137,108 @@ index f03dcf5..d790a0d 100644
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
-
- optional_policy(`
-- udev_read_pid_files(svirt_lxc_domain)
++
++optional_policy(`
+tunable_policy(`virt_sandbox_share_apache_content',`
+ apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain)
+ ')
++')
+
+-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
+-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
+-allow svirt_lxc_domain self:fifo_file manage_file_perms;
+-allow svirt_lxc_domain self:sem create_sem_perms;
+-allow svirt_lxc_domain self:shm create_shm_perms;
+-allow svirt_lxc_domain self:msgq create_msgq_perms;
+-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
+-
+-allow svirt_lxc_domain virtd_lxc_t:fd use;
+-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
+-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
+-
+-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+-
+-allow svirt_lxc_domain virsh_t:fd use;
+-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
+-allow svirt_lxc_domain virsh_t:process sigchld;
+-
+-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
+-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
+-
+-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-
+-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
+-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
+-
+-can_exec(svirt_lxc_domain, svirt_lxc_file_t)
+-
+-kernel_getattr_proc(svirt_lxc_domain)
+-kernel_list_all_proc(svirt_lxc_domain)
+-kernel_read_kernel_sysctls(svirt_lxc_domain)
+-kernel_rw_net_sysctls(svirt_lxc_domain)
+-kernel_read_system_state(svirt_lxc_domain)
+-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
+-
+-corecmd_exec_all_executables(svirt_lxc_domain)
+-
+-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
+-files_dontaudit_getattr_all_files(svirt_lxc_domain)
+-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
+-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
+-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
+-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
+-# files_entrypoint_all_files(svirt_lxc_domain)
+-files_list_var(svirt_lxc_domain)
+-files_list_var_lib(svirt_lxc_domain)
+-files_search_all(svirt_lxc_domain)
+-files_read_config_files(svirt_lxc_domain)
+-files_read_usr_files(svirt_lxc_domain)
+-files_read_usr_symlinks(svirt_lxc_domain)
+-
+-fs_getattr_all_fs(svirt_lxc_domain)
+-fs_list_inotifyfs(svirt_lxc_domain)
+-
+-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
+-# fs_rw_inherited_cifs_files(svirt_lxc_domain)
+-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
+-
+-auth_dontaudit_read_login_records(svirt_lxc_domain)
+-auth_dontaudit_write_login_records(svirt_lxc_domain)
+-auth_search_pam_console_data(svirt_lxc_domain)
+-
+-clock_read_adjtime(svirt_lxc_domain)
+-
+-init_read_utmp(svirt_lxc_domain)
+-init_dontaudit_write_utmp(svirt_lxc_domain)
+-
+-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
+-
+-miscfiles_read_localization(svirt_lxc_domain)
+-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
+-miscfiles_read_fonts(svirt_lxc_domain)
+-
+-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
++optional_policy(`
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++')
+
+ optional_policy(`
+- udev_read_pid_files(svirt_lxc_domain)
++ ssh_use_ptys(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
-+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
-+ ssh_use_ptys(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
+ udev_read_pid_files(svirt_sandbox_domain)
+')
+
@@ -117173,7 +117418,7 @@ index f03dcf5..d790a0d 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1572,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1577,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -117188,7 +117433,7 @@ index f03dcf5..d790a0d 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,7 +1590,7 @@ optional_policy(`
+@@ -1192,7 +1595,7 @@ optional_policy(`
########################################
#
@@ -117197,7 +117442,7 @@ index f03dcf5..d790a0d 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1599,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1604,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0014e49..ed2482e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 249%{?dist}
+Release: 250%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -682,6 +682,35 @@ exit 0
%endif
%changelog
+* Tue Apr 18 2017 Lukas Vrabec - 3.13.1-250
+- Allow tlp_t domain to ioctl removable devices BZ(1436830)
+- Allow tlp_t domain domtrans into mount_t BZ(1442571)
+- Allow lircd_t to read/write to sysfs BZ(1442443)
+- Fix policy to reflect all changes in new IPA release
+- Allow virtlogd_t to creating tmp files with virt_tmp_t labels.
+- Allow sbd_t to read/write fixed disk devices
+- Add sys_ptrace capability to radiusd_t domain
+- Allow cockpit_session_t domain connects to ssh tcp ports.
+- Update tomcat policy to make working ipa install process
+- Allow pcp_pmcd_t net_admin capability. Allow pcp_pmcd_t read net sysctls Allow system_cronjob_t create /var/run/pcp with pcp_var_run_t
+- Fix all AVC denials during pkispawn of CA Resolves: rhbz#1436383
+- Update pki interfaces and tomcat module
+- Allow sendmail to search network sysctls
+- Add interface gssd_noatsecure()
+- Add interface gssproxy_noatsecure()
+- Allow chronyd_t net_admin capability to allow support HW timestamping.
+- Update tomcat policy.
+- Allow certmonger to start haproxy service
+- Fix init Module
+- Make groupadd_t domain as system bus client BZ(1416963)
+- Make useradd_t domain as system bus client BZ(1442572)
+- Allow xdm_t to gettattr /dev/loop-control device BZ(1385090)
+- Dontaudit gdm-session-worker to view key unknown. BZ(1433191)
+- Allow init noatsecure for gssd and gssproxy
+- Allow staff user to read fwupd_cache_t files
+- Remove typo bugs
+- Remove /proc <> from fedora policy, it's no longer necessary
+
* Mon Apr 03 2017 Lukas Vrabec - 3.13.1-249
- Merge pull request #4 from lslebodn/sssd_socket_activated
- Remove /proc <> from fedora policy, it's no longer necessary