diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 5053e10..b0f6b27 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -2357,10 +2357,10 @@ index 0960199..aa51ab2 100644
 +	can_exec($1, sudo_exec_t)
 +')
 diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index d9fce57..fc6d1d3 100644
+index d9fce57..612503a 100644
 --- a/policy/modules/admin/sudo.te
 +++ b/policy/modules/admin/sudo.te
-@@ -7,3 +7,100 @@ attribute sudodomain;
+@@ -7,3 +7,105 @@ attribute sudodomain;
  
  type sudo_exec_t;
  application_executable_file(sudo_exec_t)
@@ -2392,6 +2392,7 @@ index d9fce57..fc6d1d3 100644
 +allow sudodomain self:unix_dgram_socket sendto;
 +allow sudodomain self:unix_stream_socket connectto;
 +allow sudodomain self:key manage_key_perms;
++allow sudodomain self:netlink_kobject_uevent_socket create_socket_perms;
 +
 +kernel_getattr_core_if(sudodomain)
 +kernel_link_key(sudodomain)
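Review bot: The new `allow sudodomain self:netlink_kobject_uevent_socket create_socket_perms;` rule grants every sudo domain the full create/bind/read/write set on a uevent netlink socket with no comment saying which component needs it. The likely consumer is a libudev-style device enumeration inside the sudo process, but the hunk does not show this, and without a note a later reader cannot judge whether the permission set can be narrowed. Suggest a comment directly above the rule, `# uevent socket for device enumeration in sudo helpers — confirm the actual caller`. The sudodomain rule block continues outside the hunk.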
@@ -2454,6 +2455,10 @@ index d9fce57..fc6d1d3 100644
 +userdom_search_admin_dir(sudodomain)
 +userdom_manage_all_users_keys(sudodomain)
 +
++tunable_policy(`authlogin_yubikey',`
++    auth_manage_home_content(sudodomain)
++')
++
 +optional_policy(`
 +	dbus_system_bus_client(sudodomain)
 +')
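Review bot: The added `tunable_policy(`authlogin_yubikey',` block indents its body with four spaces while the surrounding sudo.te rules use a tab (compare the `dbus_system_bus_client(sudodomain)` line that follows); change `    auth_manage_home_content(sudodomain)` to a tab-indented line. Separately, the block gives sudodomain full manage rights (create, delete, rename) on auth_home_t whenever the tunable is on, which is wider than the read-only access the existing auth interfaces hand out; if only challenge-response state under the user's home must be rewritten, a comment such as `# yubikey challenge-response rewrites its state file in auth_home_t` would record why the wider grant is needed. The sudodomain rule block continues outside the hunk.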
@@ -5844,7 +5849,7 @@ index 3f6e168..51ad69a 100644
  ')
  
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..1212440 100644
+index b31c054..5e37a40 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
 @@ -15,15 +15,18 @@
@@ -5922,7 +5927,7 @@ index b31c054..1212440 100644
  /dev/usb/dc2xx.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
  /dev/usb/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
  /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -198,12 +212,22 @@ ifdef(`distro_debian',`
+@@ -198,12 +212,27 @@ ifdef(`distro_debian',`
  /lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
  /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
  
@@ -5934,6 +5939,11 @@ index b31c054..1212440 100644
  /var/named/chroot/dev/null -c	gen_context(system_u:object_r:null_device_t,s0)
  /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
  /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
++/var/named/chroot_sdb/dev	-d	gen_context(system_u:object_r:device_t,s0)
++/var/named/chroot_sdb/dev/null -c	gen_context(system_u:object_r:null_device_t,s0)
++/var/named/chroot_sdb/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
++/var/named/chroot_sdb/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
++/
 +/var/spool/postfix/dev    -d    gen_context(system_u:object_r:device_t,s0)
  ')
 +
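Review bot: The added line consisting only of `/` (shown as `++/` between the `/var/named/chroot_sdb/dev/zero` entry and the postfix entry) is a malformed file-context entry: it has a path regex but no file type or security context, so the generated file_contexts would be rejected for missing fields or, at best, yield an invalid entry for the root directory. Remove that line. The four `/var/named/chroot_sdb/dev` entries themselves mirror the existing `/var/named/chroot/dev` entries and look consistent with them.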
@@ -9214,7 +9224,7 @@ index cf04cb5..0b3704b 100644
 +	unconfined_server_stream_connect(domain)
 +')
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index b876c48..7a98631 100644
+index b876c48..9cbe36a 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -9348,7 +9358,7 @@ index b876c48..7a98631 100644
  #
  # /selinux
  #
-@@ -178,25 +191,28 @@ ifdef(`distro_debian',`
+@@ -178,25 +191,29 @@ ifdef(`distro_debian',`
  #
  # /srv
  #
@@ -9367,6 +9377,7 @@ index b876c48..7a98631 100644
  
  /tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /tmp/lost\+found/.*		<<none>>
++/tmp/hsperfdata_root        gen_context(system_u:object_r:tmp_t,s0)
 +/var/tmp/hsperfdata_root    gen_context(system_u:object_r:tmp_t,s0)
  
  #
@@ -9380,7 +9391,7 @@ index b876c48..7a98631 100644
  
  /usr/doc(/.*)?/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
  
-@@ -204,15 +220,9 @@ ifdef(`distro_debian',`
+@@ -204,15 +221,9 @@ ifdef(`distro_debian',`
  
  /usr/inclu.e(/.*)?		gen_context(system_u:object_r:usr_t,s0)
  
@@ -9397,7 +9408,7 @@ index b876c48..7a98631 100644
  
  /usr/share/doc(/.*)?/README.*	gen_context(system_u:object_r:usr_t,s0)
  
-@@ -220,8 +230,6 @@ ifdef(`distro_debian',`
+@@ -220,8 +231,6 @@ ifdef(`distro_debian',`
  /usr/tmp/.*			<<none>>
  
  ifndef(`distro_redhat',`
@@ -9406,7 +9417,7 @@ index b876c48..7a98631 100644
  /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
  /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
  ')
-@@ -229,7 +237,7 @@ ifndef(`distro_redhat',`
+@@ -229,7 +238,7 @@ ifndef(`distro_redhat',`
  #
  # /var
  #
@@ -9415,7 +9426,7 @@ index b876c48..7a98631 100644
  /var/.*				gen_context(system_u:object_r:var_t,s0)
  /var/\.journal			<<none>>
  
-@@ -237,11 +245,25 @@ ifndef(`distro_redhat',`
+@@ -237,11 +246,25 @@ ifndef(`distro_redhat',`
  
  /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
  
@@ -9442,7 +9453,7 @@ index b876c48..7a98631 100644
  
  /var/log/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /var/log/lost\+found/.*		<<none>>
-@@ -256,12 +278,14 @@ ifndef(`distro_redhat',`
+@@ -256,12 +279,14 @@ ifndef(`distro_redhat',`
  /var/run		-l	gen_context(system_u:object_r:var_run_t,s0)
  /var/run/.*			gen_context(system_u:object_r:var_run_t,s0)
  /var/run/.*\.*pid		<<none>>
@@ -9457,7 +9468,7 @@ index b876c48..7a98631 100644
  /var/tmp/.*			<<none>>
  /var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /var/tmp/lost\+found/.*		<<none>>
-@@ -271,3 +295,5 @@ ifdef(`distro_debian',`
+@@ -271,3 +296,5 @@ ifdef(`distro_debian',`
  /var/run/motd		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
  /var/run/motd\.dynamic	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
  ')
@@ -20526,7 +20537,7 @@ index 3835596..fbca2be 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index 6d77e81..c8df034 100644
+index 6d77e81..c175ba4 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
 @@ -1,5 +1,12 @@
@@ -20542,7 +20553,7 @@ index 6d77e81..c8df034 100644
  # this module should be named user, but that is
  # a compile error since user is a keyword.
  
-@@ -12,12 +19,96 @@ role user_r;
+@@ -12,12 +19,98 @@ role user_r;
  
  userdom_unpriv_user_template(user)
  
@@ -20555,6 +20566,8 @@ index 6d77e81..c8df034 100644
 +storage_read_scsi_generic(user_t)
 +storage_write_scsi_generic(user_t)
 +
++seutil_read_module_store(user_t)
++
 +init_dbus_chat(user_t)
 +init_status(user_t)
 +
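Review bot: `seutil_read_module_store(user_t)` is added unconditionally to the unprivileged user domain, letting every user_t process read the SELinux policy module store, without a comment saying which user-facing tool requires it. The module store can contain locally written policy modules, so exposing it to unprivileged users is an information-disclosure trade-off worth recording; suggest a comment naming the consumer, e.g. `# needed by <TOOL-PLACEHOLDER> to list installed modules — confirm`, or gating the call inside an `optional_policy` block for that tool so the grant disappears when it is not installed. The user_t rule block continues outside the hunk.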
@@ -20640,7 +20653,7 @@ index 6d77e81..c8df034 100644
  ')
  
  optional_policy(`
-@@ -25,6 +116,18 @@ optional_policy(`
+@@ -25,6 +118,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20659,7 +20672,7 @@ index 6d77e81..c8df034 100644
  	vlock_run(user_t, user_r)
  ')
  
-@@ -102,10 +205,6 @@ ifndef(`distro_redhat',`
+@@ -102,10 +207,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -20670,7 +20683,7 @@ index 6d77e81..c8df034 100644
  		postgresql_role(user_r, user_t)
  	')
  
-@@ -128,7 +227,6 @@ ifndef(`distro_redhat',`
+@@ -128,7 +229,6 @@ ifndef(`distro_redhat',`
  	optional_policy(`
  		ssh_role_template(user, user_r, user_t)
  	')
@@ -20678,7 +20691,7 @@ index 6d77e81..c8df034 100644
  	optional_policy(`
  		su_role_template(user, user_r, user_t)
  	')
-@@ -161,3 +259,19 @@ ifndef(`distro_redhat',`
+@@ -161,3 +261,19 @@ ifndef(`distro_redhat',`
  		wireshark_role(user_r, user_t)
  	')
  ')
@@ -26106,14 +26119,14 @@ index c6fdab7..af71c62 100644
  	sudo_sigchld(application_domain_type)
  ')
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 2479587..00d2700 100644
+index 2479587..077c9bc 100644
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
 @@ -1,14 +1,28 @@
-+HOME_DIR/\.yubico(/.*)?				gen_context(system_u:object_r:auth_home_t,s0)
++HOME_DIR/\.yubico(/.*)?				    gen_context(system_u:object_r:auth_home_t,s0)
 +HOME_DIR/\.google_authenticator			gen_context(system_u:object_r:auth_home_t,s0)
 +HOME_DIR/\.google_authenticator~		gen_context(system_u:object_r:auth_home_t,s0)
-+/root/\.yubico(/.*)?				gen_context(system_u:object_r:auth_home_t,s0)
++/root/\.yubico/(.*)                     gen_context(system_u:object_r:auth_home_t,s0)
 +/root/\.google_authenticator			gen_context(system_u:object_r:auth_home_t,s0)
 +/root/\.google_authenticator~			gen_context(system_u:object_r:auth_home_t,s0)
  
@@ -26201,7 +26214,7 @@ index 2479587..00d2700 100644
  /var/(db|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
  /var/lib/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..08c3e93 100644
+index 3efd5b6..0bd3a26 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -26787,7 +26800,7 @@ index 3efd5b6..08c3e93 100644
  ')
  
  ########################################
-@@ -1805,3 +2029,242 @@ interface(`auth_unconfined',`
+@@ -1805,3 +2029,262 @@ interface(`auth_unconfined',`
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -26990,6 +27003,26 @@ index 3efd5b6..08c3e93 100644
 +	read_files_pattern($1, auth_home_t, auth_home_t)
 +')
 +
++########################################
++## <summary>
++##	Read the authorization data in the user home directory
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`auth_manage_home_content',`
++	
++	gen_require(`
++		type auth_home_t;
++	')
++
++	userdom_search_user_home_dirs($1)
++	manage_files_pattern($1, auth_home_t, auth_home_t)
++    manage_dirs_pattern($1, auth_home_t, auth_home_t)
++')
 +
 +########################################
 +## <summary>
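Review bot: The new `auth_manage_home_content` interface is documented as `Read the authorization data in the user home directory` but grants manage_files_pattern and manage_dirs_pattern, so a policy author choosing by summary will pick a far wider permission than the text suggests; change the summary line to `##	Create, read, write, and delete the authorization data in the user home directory`. The line immediately after `interface(`auth_manage_home_content',` is a lone tab and should be empty, and the `manage_dirs_pattern` call is indented with four spaces where the sibling `manage_files_pattern` line uses a tab.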
@@ -27031,7 +27064,7 @@ index 3efd5b6..08c3e93 100644
 +	allow $1 login_pgm:process sigchld;
 +')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791d..1a3d5b3 100644
+index 09b791d..73376ca 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@@ -27047,7 +27080,7 @@ index 09b791d..1a3d5b3 100644
 +
 +## <desc>
 +## <p>
-+## Allow users to login using a yubikey  server
++## Allow users to login using a yubikey OTP server or challenge response mode
 +## </p>
 +## </desc>
 +gen_tunable(authlogin_yubikey, false)
@@ -29621,7 +29654,7 @@ index 79a45f6..89b43aa 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..d1590ad 100644
+index 17eda24..56e006c 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -29834,7 +29867,7 @@ index 17eda24..d1590ad 100644
  # file descriptors inherited from the rootfs:
  files_dontaudit_rw_root_files(init_t)
  files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +246,52 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +246,53 @@ fs_list_inotifyfs(init_t)
  fs_write_ramfs_sockets(init_t)
  
  mcs_process_set_categories(init_t)
@@ -29874,6 +29907,7 @@ index 17eda24..d1590ad 100644
 +logging_send_audit_msgs(init_t)
  logging_rw_generic_logs(init_t)
 +logging_relabel_devlog_dev(init_t)
++logging_manage_audit_config(init_t)
  
  seutil_read_config(init_t)
 +seutil_read_module_store(init_t)
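Review bot: `logging_manage_audit_config(init_t)` gives the init domain create, write and delete access to the audit configuration, a step up from the read-only `logging_read_audit_config` that initrc_t is given further down this file, and no comment says which init behaviour requires it. Audit configuration is normally treated as a protected asset whose writers should be enumerable, so please add a comment naming the consumer, e.g. `# <INIT-COMPONENT-PLACEHOLDER> rewrites audit rules at boot — confirm`, or fall back to the read interface if that is all the caller needs. The init_t rule block continues outside the hunk.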
@@ -29890,7 +29924,7 @@ index 17eda24..d1590ad 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +300,230 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +301,230 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -30129,7 +30163,7 @@ index 17eda24..d1590ad 100644
  ')
  
  optional_policy(`
-@@ -216,7 +531,31 @@ optional_policy(`
+@@ -216,7 +532,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30161,7 +30195,7 @@ index 17eda24..d1590ad 100644
  ')
  
  ########################################
-@@ -225,9 +564,9 @@ optional_policy(`
+@@ -225,9 +565,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -30173,7 +30207,7 @@ index 17eda24..d1590ad 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -258,12 +597,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +598,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -30190,7 +30224,7 @@ index 17eda24..d1590ad 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +622,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +623,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -30233,7 +30267,7 @@ index 17eda24..d1590ad 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +659,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +660,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -30245,7 +30279,7 @@ index 17eda24..d1590ad 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -313,8 +671,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +672,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -30256,7 +30290,7 @@ index 17eda24..d1590ad 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -322,8 +682,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +683,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -30266,7 +30300,7 @@ index 17eda24..d1590ad 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -332,7 +691,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +692,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -30274,7 +30308,7 @@ index 17eda24..d1590ad 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -340,6 +698,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +699,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -30282,7 +30316,7 @@ index 17eda24..d1590ad 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -347,14 +706,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +707,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -30300,7 +30334,7 @@ index 17eda24..d1590ad 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -364,8 +724,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +725,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -30314,7 +30348,7 @@ index 17eda24..d1590ad 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -375,10 +739,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +740,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -30328,7 +30362,7 @@ index 17eda24..d1590ad 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -387,8 +752,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +753,10 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -30339,7 +30373,7 @@ index 17eda24..d1590ad 100644
  
  storage_getattr_fixed_disk_dev(initrc_t)
  storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +765,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +766,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -30347,7 +30381,7 @@ index 17eda24..d1590ad 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -416,20 +784,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +785,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -30371,7 +30405,7 @@ index 17eda24..d1590ad 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +817,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +818,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -30379,7 +30413,7 @@ index 17eda24..d1590ad 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +851,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +852,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -30390,7 +30424,7 @@ index 17eda24..d1590ad 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -506,7 +875,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +876,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -30399,7 +30433,7 @@ index 17eda24..d1590ad 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -521,6 +890,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +891,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -30407,7 +30441,7 @@ index 17eda24..d1590ad 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +911,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +912,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -30415,7 +30449,7 @@ index 17eda24..d1590ad 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +921,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +922,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -30460,7 +30494,7 @@ index 17eda24..d1590ad 100644
  	')
  
  	optional_policy(`
-@@ -559,14 +966,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +967,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -30492,7 +30526,7 @@ index 17eda24..d1590ad 100644
  	')
  ')
  
-@@ -577,6 +1001,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1002,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -30532,7 +30566,7 @@ index 17eda24..d1590ad 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1046,8 @@ optional_policy(`
+@@ -589,6 +1047,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -30541,7 +30575,7 @@ index 17eda24..d1590ad 100644
  ')
  
  optional_policy(`
-@@ -610,6 +1069,7 @@ optional_policy(`
+@@ -610,6 +1070,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -30549,7 +30583,7 @@ index 17eda24..d1590ad 100644
  ')
  
  optional_policy(`
-@@ -626,6 +1086,17 @@ optional_policy(`
+@@ -626,6 +1087,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30567,7 +30601,7 @@ index 17eda24..d1590ad 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -642,9 +1113,13 @@ optional_policy(`
+@@ -642,9 +1114,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -30581,7 +30615,7 @@ index 17eda24..d1590ad 100644
  	')
  
  	optional_policy(`
-@@ -657,15 +1132,11 @@ optional_policy(`
+@@ -657,15 +1133,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30599,7 +30633,7 @@ index 17eda24..d1590ad 100644
  ')
  
  optional_policy(`
-@@ -686,6 +1157,15 @@ optional_policy(`
+@@ -686,6 +1158,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30615,7 +30649,7 @@ index 17eda24..d1590ad 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -726,6 +1206,7 @@ optional_policy(`
+@@ -726,6 +1207,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -30623,7 +30657,7 @@ index 17eda24..d1590ad 100644
  ')
  
  optional_policy(`
-@@ -743,7 +1224,13 @@ optional_policy(`
+@@ -743,7 +1225,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30638,7 +30672,7 @@ index 17eda24..d1590ad 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -766,6 +1253,10 @@ optional_policy(`
+@@ -766,6 +1254,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30649,7 +30683,7 @@ index 17eda24..d1590ad 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -775,10 +1266,20 @@ optional_policy(`
+@@ -775,10 +1267,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30670,7 +30704,7 @@ index 17eda24..d1590ad 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -787,6 +1288,10 @@ optional_policy(`
+@@ -787,6 +1289,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30681,7 +30715,7 @@ index 17eda24..d1590ad 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -808,8 +1313,6 @@ optional_policy(`
+@@ -808,8 +1314,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -30690,7 +30724,7 @@ index 17eda24..d1590ad 100644
  ')
  
  optional_policy(`
-@@ -818,6 +1321,10 @@ optional_policy(`
+@@ -818,6 +1322,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30701,7 +30735,7 @@ index 17eda24..d1590ad 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -827,10 +1334,12 @@ optional_policy(`
+@@ -827,10 +1335,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -30714,7 +30748,7 @@ index 17eda24..d1590ad 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1366,60 @@ optional_policy(`
+@@ -857,21 +1367,60 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30776,7 +30810,7 @@ index 17eda24..d1590ad 100644
  ')
  
  optional_policy(`
-@@ -887,6 +1435,10 @@ optional_policy(`
+@@ -887,6 +1436,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30787,7 +30821,7 @@ index 17eda24..d1590ad 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -897,3 +1449,218 @@ optional_policy(`
+@@ -897,3 +1450,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -31007,10 +31041,10 @@ index 17eda24..d1590ad 100644
 +    ')
 + ')
 diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..08589f8 100644
+index 662e79b..fc34e78 100644
 --- a/policy/modules/system/ipsec.fc
 +++ b/policy/modules/system/ipsec.fc
-@@ -1,14 +1,23 @@
+@@ -1,14 +1,24 @@
  /etc/rc\.d/init\.d/ipsec	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/racoon	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/strongswan	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
@@ -31018,6 +31052,7 @@ index 662e79b..08589f8 100644
 -/etc/ipsec\.secrets		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
 +/usr/lib/systemd/system/ipsec.*         --  gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
 +/usr/lib/systemd/system/strongswan.*         --  gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
++/usr/lib/systemd/system/strongimcv.*    --  gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
 +
 +/etc/ipsec\.secrets.*		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
  /etc/ipsec\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
@@ -31035,17 +31070,19 @@ index 662e79b..08589f8 100644
  
  /sbin/setkey			--	gen_context(system_u:object_r:setkey_exec_t,s0)
  
-@@ -26,16 +35,24 @@
+@@ -26,16 +36,26 @@
  /usr/libexec/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
  /usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
  /usr/libexec/nm-openswan-service -- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 +/usr/libexec/nm-libreswan-service   --  gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
-+/usr/libexec/strongswan/.*	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
++/usr/libexec/strongswan/.*      --	gen_context(system_u:object_r:ipsec_exec_t,s0)
++/usr/libexec/strongimcv/.*      --  gen_context(system_u:object_r:ipsec_exec_t,s0)
  
  /usr/sbin/ipsec			-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
  /usr/sbin/racoon		--	gen_context(system_u:object_r:racoon_exec_t,s0)
  /usr/sbin/setkey		--	gen_context(system_u:object_r:setkey_exec_t,s0)
 +/usr/sbin/strongswan	--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
++/usr/sbin/strongimcv    --  gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
  
  /var/lock/subsys/ipsec		--	gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
 +/var/lock/subsys/strongswan		--	gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
@@ -37456,7 +37493,7 @@ index 40edc18..a072ac2 100644
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 +
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..f752c31 100644
+index 2cea692..77f307f 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
 @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -37784,7 +37821,7 @@ index 2cea692..f752c31 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_udp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
-@@ -796,3 +983,95 @@ interface(`sysnet_use_portmap',`
+@@ -796,3 +983,115 @@ interface(`sysnet_use_portmap',`
  
  	sysnet_read_config($1)
  ')
@@ -37873,6 +37910,26 @@ index 2cea692..f752c31 100644
 +##	</summary>
 +## </param>
 +#
++interface(`sysnet_manage_ifconfig_run',`
++	gen_require(`
++		type ifconfig_var_run_t;
++	')
++
++	manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
++	manage_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
++	manage_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
++')
++
++########################################
++## <summary>
++##	Transition to sysnet ifconfig named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`sysnet_filetrans_named_content_ifconfig',`
 +	gen_require(`
 +		type ifconfig_var_run_t;
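Review bot: The new `sysnet_manage_ifconfig_run` interface is inserted directly under a documentation block whose closing `## </param>` and `#` lines are the hunk's leading context, so that block, which originally described `sysnet_filetrans_named_content_ifconfig` and is now duplicated below for it, becomes the documentation of the manage interface. Its summary starts outside the hunk and should be checked; if it still reads `Transition to sysnet ifconfig named content`, rewrite it to describe creating, reading, writing and deleting ifconfig_var_run_t files, directories and symbolic links. In the re-added parameter block for the filetrans interface, `##      Domain allowed access.` uses spaces where the neighbouring lines use tabs; use `##	Domain allowed access.`. The sysnet_filetrans_named_content_ifconfig body continues outside the hunk.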
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index c10d55a..bc6b66b 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -4921,10 +4921,10 @@ index f6eb485..51b128e 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 6649962..1f527f5 100644
+index 6649962..6ae8921 100644
 --- a/apache.te
 +++ b/apache.te
-@@ -5,280 +5,325 @@ policy_module(apache, 2.7.2)
+@@ -5,280 +5,331 @@ policy_module(apache, 2.7.2)
  # Declarations
  #
  
@@ -4945,7 +4945,6 @@ index 6649962..1f527f5 100644
  ## </desc>
 -gen_tunable(allow_httpd_anon_write, false)
 +gen_tunable(httpd_anon_write, false)
-+
  
  ## <desc>
 -##	<p>
@@ -5066,61 +5065,55 @@ index 6649962..1f527f5 100644
 +## <p>
 +## Allow httpd to connect to memcache server
 +## </p>
-+## </desc>
-+gen_tunable(httpd_can_network_memcache, false)
-+
-+## <desc>
-+## <p>
-+## Allow httpd to act as a relay
-+## </p>
  ## </desc>
- gen_tunable(httpd_can_network_relay, false)
+-gen_tunable(httpd_can_network_relay, false)
++gen_tunable(httpd_can_network_memcache, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd daemon can
 -##	connect to zabbix over the network.
 -##	</p>
-+##  <p>
-+##  Allow http daemon to connect to zabbix
-+##  </p>
++## <p>
++## Allow httpd to act as a relay
++## </p>
  ## </desc>
 -gen_tunable(httpd_can_network_connect_zabbix, false)
-+gen_tunable(httpd_can_connect_zabbix, false)
++gen_tunable(httpd_can_network_relay, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd can send mail.
 -##	</p>
 +##  <p>
-+##  Allow http daemon to connect to mythtv
++##  Allow http daemon to connect to zabbix
 +##  </p>
  ## </desc>
 -gen_tunable(httpd_can_sendmail, false)
-+gen_tunable(httpd_can_connect_mythtv, false)
++gen_tunable(httpd_can_connect_zabbix, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd can communicate
 -##	with avahi service via dbus.
 -##	</p>
-+## <p>
-+## Allow http daemon to check spam
-+## </p>
++##  <p>
++##  Allow http daemon to connect to mythtv
++##  </p>
  ## </desc>
 -gen_tunable(httpd_dbus_avahi, false)
-+gen_tunable(httpd_can_check_spam, false)
++gen_tunable(httpd_can_connect_mythtv, false)
  
  ## <desc>
 -##	<p>
 -##	Determine wether httpd can use support.
 -##	</p>
 +## <p>
-+## Allow http daemon to send mail
++## Allow http daemon to check spam
 +## </p>
  ## </desc>
 -gen_tunable(httpd_enable_cgi, false)
-+gen_tunable(httpd_can_sendmail, false)
++gen_tunable(httpd_can_check_spam, false)
  
  ## <desc>
 -##	<p>
@@ -5128,11 +5121,11 @@ index 6649962..1f527f5 100644
 -##	FTP server by listening on the ftp port.
 -##	</p>
 +## <p>
-+## Allow Apache to communicate with avahi service via dbus
++## Allow http daemon to send mail
 +## </p>
  ## </desc>
 -gen_tunable(httpd_enable_ftp_server, false)
-+gen_tunable(httpd_dbus_avahi, false)
++gen_tunable(httpd_can_sendmail, false)
  
  ## <desc>
 -##	<p>
@@ -5140,11 +5133,11 @@ index 6649962..1f527f5 100644
 -##	user home directories.
 -##	</p>
 +## <p>
-+## Allow httpd cgi support
++## Allow Apache to communicate with avahi service via dbus
 +## </p>
  ## </desc>
 -gen_tunable(httpd_enable_homedirs, false)
-+gen_tunable(httpd_enable_cgi, false)
++gen_tunable(httpd_dbus_avahi, false)
  
  ## <desc>
 -##	<p>
@@ -5154,12 +5147,11 @@ index 6649962..1f527f5 100644
 -##	be labeled public_content_rw_t.
 -##	</p>
 +## <p>
-+## Allow httpd to act as a FTP server by
-+## listening on the ftp port.
++## Allow Apache to communicate with sssd service via dbus
 +## </p>
  ## </desc>
 -gen_tunable(httpd_gpg_anon_write, false)
-+gen_tunable(httpd_enable_ftp_server, false)
++gen_tunable(httpd_dbus_sssd, false)
  
  ## <desc>
 -##	<p>
@@ -5167,24 +5159,24 @@ index 6649962..1f527f5 100644
 -##	its temporary content.
 -##	</p>
 +## <p>
-+## Allow httpd to act as a FTP client
-+## connecting to the ftp port and ephemeral ports
++## Allow httpd cgi support
 +## </p>
  ## </desc>
 -gen_tunable(httpd_tmp_exec, false)
-+gen_tunable(httpd_can_connect_ftp, false)
++gen_tunable(httpd_enable_cgi, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd scripts and
 -##	modules can use execmem and execstack.
 -##	</p>
-+##  <p>
-+##  Allow httpd to connect to the ldap port 
-+##  </p>
++## <p>
++## Allow httpd to act as a FTP server by
++## listening on the ftp port.
++## </p>
  ## </desc>
 -gen_tunable(httpd_execmem, false)
-+gen_tunable(httpd_can_connect_ldap, false)
++gen_tunable(httpd_enable_ftp_server, false)
  
  ## <desc>
 -##	<p>
@@ -5192,34 +5184,35 @@ index 6649962..1f527f5 100644
 -##	to port 80 for graceful shutdown.
 -##	</p>
 +## <p>
-+## Allow httpd to read home directories
++## Allow httpd to act as a FTP client
++## connecting to the ftp port and ephemeral ports
 +## </p>
  ## </desc>
 -gen_tunable(httpd_graceful_shutdown, false)
-+gen_tunable(httpd_enable_homedirs, false)
++gen_tunable(httpd_can_connect_ftp, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd can
 -##	manage IPA content files.
 -##	</p>
-+## <p>
-+## Allow httpd to read user content 
-+## </p>
++##  <p>
++##  Allow httpd to connect to the ldap port 
++##  </p>
  ## </desc>
 -gen_tunable(httpd_manage_ipa, false)
-+gen_tunable(httpd_read_user_content, false)
++gen_tunable(httpd_can_connect_ldap, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd can use mod_auth_ntlm_winbind.
 -##	</p>
 +## <p>
-+## Allow Apache to run in stickshift mode, not transition to passenger
++## Allow httpd to read home directories
 +## </p>
  ## </desc>
 -gen_tunable(httpd_mod_auth_ntlm_winbind, false)
-+gen_tunable(httpd_run_stickshift, false)
++gen_tunable(httpd_enable_homedirs, false)
  
  ## <desc>
 -##	<p>
@@ -5227,11 +5220,10 @@ index 6649962..1f527f5 100644
 -##	generic user home content files.
 -##	</p>
 +## <p>
-+## Allow Apache to query NS records
++## Allow httpd to read user content 
 +## </p>
  ## </desc>
--gen_tunable(httpd_read_user_content, false)
-+gen_tunable(httpd_verify_dns, false)
+ gen_tunable(httpd_read_user_content, false)
  
  ## <desc>
 -##	<p>
@@ -5239,6 +5231,20 @@ index 6649962..1f527f5 100644
 -##	its resource limits.
 -##	</p>
 +## <p>
++## Allow Apache to run in stickshift mode, not transition to passenger
++## </p>
++## </desc>
++gen_tunable(httpd_run_stickshift, false)
++
++## <desc>
++## <p>
++## Allow Apache to query NS records
++## </p>
++## </desc>
++gen_tunable(httpd_verify_dns, false)
++
++## <desc>
++## <p>
 +## Allow httpd daemon to change its resource limits
 +## </p>
  ## </desc>
@@ -5398,7 +5404,7 @@ index 6649962..1f527f5 100644
  
  type httpd_initrc_exec_t;
  init_script_file(httpd_initrc_exec_t)
-@@ -286,15 +331,35 @@ init_script_file(httpd_initrc_exec_t)
+@@ -286,15 +337,35 @@ init_script_file(httpd_initrc_exec_t)
  type httpd_keytab_t;
  files_type(httpd_keytab_t)
  
@@ -5434,7 +5440,7 @@ index 6649962..1f527f5 100644
  type httpd_rotatelogs_t;
  type httpd_rotatelogs_exec_t;
  init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
-@@ -302,10 +367,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+@@ -302,10 +373,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
  type httpd_squirrelmail_t;
  files_type(httpd_squirrelmail_t)
  
@@ -5447,7 +5453,7 @@ index 6649962..1f527f5 100644
  type httpd_suexec_exec_t;
  domain_type(httpd_suexec_t)
  domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
-@@ -314,9 +377,19 @@ role system_r types httpd_suexec_t;
+@@ -314,9 +383,19 @@ role system_r types httpd_suexec_t;
  type httpd_suexec_tmp_t;
  files_tmp_file(httpd_suexec_tmp_t)
  
@@ -5470,7 +5476,7 @@ index 6649962..1f527f5 100644
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
-@@ -324,14 +397,21 @@ files_tmp_file(httpd_tmp_t)
+@@ -324,14 +403,21 @@ files_tmp_file(httpd_tmp_t)
  type httpd_tmpfs_t;
  files_tmpfs_file(httpd_tmpfs_t)
  
@@ -5493,7 +5499,7 @@ index 6649962..1f527f5 100644
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
  typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -346,33 +426,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
+@@ -346,33 +432,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
  typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
  typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
  
@@ -5544,7 +5550,7 @@ index 6649962..1f527f5 100644
  allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow httpd_t self:fd use;
  allow httpd_t self:sock_file read_sock_file_perms;
-@@ -381,30 +468,38 @@ allow httpd_t self:shm create_shm_perms;
+@@ -381,30 +474,38 @@ allow httpd_t self:shm create_shm_perms;
  allow httpd_t self:sem create_sem_perms;
  allow httpd_t self:msgq create_msgq_perms;
  allow httpd_t self:msg { send receive };
@@ -5588,7 +5594,7 @@ index 6649962..1f527f5 100644
  logging_log_filetrans(httpd_t, httpd_log_t, file)
  
  allow httpd_t httpd_modules_t:dir list_dir_perms;
-@@ -412,14 +507,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+@@ -412,14 +513,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  
@@ -5610,7 +5616,7 @@ index 6649962..1f527f5 100644
  allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -450,140 +552,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -450,140 +558,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  
@@ -5678,7 +5684,7 @@ index 6649962..1f527f5 100644
 +fs_read_hugetlbfs_files(httpd_t)
 +
 +auth_use_nsswitch(httpd_t)
-+
+ 
 +application_exec_all(httpd_t)
 +
 +# execute perl
@@ -5687,7 +5693,7 @@ index 6649962..1f527f5 100644
 +
 +domain_use_interactive_fds(httpd_t)
 +domain_dontaudit_read_all_domains_state(httpd_t)
- 
++
 +files_dontaudit_search_all_pids(httpd_t)
  files_dontaudit_getattr_all_pids(httpd_t)
 -files_read_usr_files(httpd_t)
@@ -5848,7 +5854,7 @@ index 6649962..1f527f5 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -594,28 +728,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -594,28 +734,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
  ')
  
@@ -5908,7 +5914,7 @@ index 6649962..1f527f5 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +780,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +786,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -5999,7 +6005,7 @@ index 6649962..1f527f5 100644
  ')
  
  tunable_policy(`httpd_setrlimit',`
-@@ -695,66 +827,56 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,49 +833,48 @@ tunable_policy(`httpd_setrlimit',`
  
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -6020,8 +6026,10 @@ index 6649962..1f527f5 100644
 -	userdom_use_user_terminals(httpd_t)
 -',`
 -	userdom_dontaudit_use_user_terminals(httpd_t)
--')
--
++	userdom_use_inherited_user_terminals(httpd_t)
++	userdom_use_inherited_user_terminals(httpd_suexec_t)
+ ')
+ 
 -tunable_policy(`httpd_use_cifs',`
 -	fs_list_auto_mountpoints(httpd_t)
 -	fs_manage_cifs_dirs(httpd_t)
@@ -6032,28 +6040,15 @@ index 6649962..1f527f5 100644
 -tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
 -	fs_exec_cifs_files(httpd_t)
 -')
--
--tunable_policy(`httpd_use_fusefs',`
--	fs_list_auto_mountpoints(httpd_t)
--	fs_manage_fusefs_dirs(httpd_t)
--	fs_manage_fusefs_files(httpd_t)
--	fs_read_fusefs_symlinks(httpd_t)
-+	userdom_use_inherited_user_terminals(httpd_t)
-+	userdom_use_inherited_user_terminals(httpd_suexec_t)
- ')
- 
--tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
--	fs_exec_fusefs_files(httpd_t)
--')
 +optional_policy(`
 +	cobbler_list_config(httpd_t)
 +	cobbler_read_config(httpd_t)
  
--tunable_policy(`httpd_use_nfs',`
+-tunable_policy(`httpd_use_fusefs',`
 -	fs_list_auto_mountpoints(httpd_t)
--	fs_manage_nfs_dirs(httpd_t)
--	fs_manage_nfs_files(httpd_t)
--	fs_manage_nfs_symlinks(httpd_t)
+-	fs_manage_fusefs_dirs(httpd_t)
+-	fs_manage_fusefs_files(httpd_t)
+-	fs_read_fusefs_symlinks(httpd_t)
 -')
 +    tunable_policy(`httpd_serve_cobbler_files',`
 +        cobbler_manage_lib_files(httpd_t)
@@ -6062,22 +6057,27 @@ index 6649962..1f527f5 100644
 +	    cobbler_search_lib(httpd_t)
 +    ')
  
--tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
--	fs_exec_nfs_files(httpd_t)
+-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
+-	fs_exec_fusefs_files(httpd_t)
 +    tunable_policy(`httpd_can_network_connect_cobbler',`
 +        corenet_tcp_connect_cobbler_port(httpd_t)
 +    ')
  ')
  
- optional_policy(`
--	calamaris_read_www_files(httpd_t)
+-tunable_policy(`httpd_use_nfs',`
+-	fs_list_auto_mountpoints(httpd_t)
+-	fs_manage_nfs_dirs(httpd_t)
+-	fs_manage_nfs_files(httpd_t)
+-	fs_manage_nfs_symlinks(httpd_t)
++optional_policy(`
 +    tunable_policy(`httpd_use_sasl',`
 +        sasl_connect(httpd_t)
 +    ')
  ')
  
- optional_policy(`
--	ccs_read_config(httpd_t)
+-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
+-	fs_exec_nfs_files(httpd_t)
++optional_policy(`
 +	# Support for ABRT retrace server
 +	# mod_wsgi
 +	abrt_manage_spool_retrace(httpd_t)
@@ -6086,26 +6086,33 @@ index 6649962..1f527f5 100644
  ')
  
  optional_policy(`
+@@ -749,24 +886,32 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
 -	clamav_domtrans_clamscan(httpd_t)
-+	calamaris_read_www_files(httpd_t)
++	cron_system_entry(httpd_t, httpd_exec_t)
  ')
  
  optional_policy(`
 -	cobbler_read_config(httpd_t)
 -	cobbler_read_lib_files(httpd_t)
-+	ccs_read_config(httpd_t)
++	cvs_read_data(httpd_t)
  ')
  
  optional_policy(`
-@@ -770,6 +892,23 @@ optional_policy(`
+-	cron_system_entry(httpd_t, httpd_exec_t)
++	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
  optional_policy(`
+-	cvs_read_data(httpd_t)
 +	#needed by FreeIPA 
 +	dirsrv_stream_connect(httpd_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	daemontools_service_domain(httpd_t, httpd_exec_t)
 +	dirsrv_manage_config(httpd_t)
 +	dirsrv_manage_log(httpd_t)
 +	dirsrv_manage_var_run(httpd_t)
@@ -6115,13 +6122,21 @@ index 6649962..1f527f5 100644
 +	dirsrvadmin_manage_config(httpd_t)
 +	dirsrvadmin_manage_tmp(httpd_t)
 +	dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
-+')
-+
-+ optional_policy(`
- 	dbus_system_bus_client(httpd_t)
+ ')
  
+ optional_policy(`
+@@ -775,6 +920,10 @@ optional_policy(`
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -786,35 +925,55 @@ optional_policy(`
+ 		avahi_dbus_chat(httpd_t)
+ 	')
++
++    tunable_policy(`httpd_dbus_sssd',
++        sssd_dbus_chat(httpd_t)
++    ')
+ ')
+ 
+ optional_policy(`
+@@ -786,35 +935,55 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6190,7 +6205,7 @@ index 6649962..1f527f5 100644
  
  	tunable_policy(`httpd_manage_ipa',`
  		memcached_manage_pid_files(httpd_t)
-@@ -822,8 +981,18 @@ optional_policy(`
+@@ -822,8 +991,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6209,7 +6224,7 @@ index 6649962..1f527f5 100644
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		mysql_tcp_connect(httpd_t)
-@@ -832,6 +1001,7 @@ optional_policy(`
+@@ -832,6 +1011,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -6217,7 +6232,7 @@ index 6649962..1f527f5 100644
  ')
  
  optional_policy(`
-@@ -842,20 +1012,39 @@ optional_policy(`
+@@ -842,20 +1022,39 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6263,7 +6278,7 @@ index 6649962..1f527f5 100644
  ')
  
  optional_policy(`
-@@ -863,19 +1052,35 @@ optional_policy(`
+@@ -863,19 +1062,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6299,7 +6314,7 @@ index 6649962..1f527f5 100644
  	udev_read_db(httpd_t)
  ')
  
-@@ -883,65 +1088,173 @@ optional_policy(`
+@@ -883,65 +1098,173 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -6495,7 +6510,7 @@ index 6649962..1f527f5 100644
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
  
-@@ -950,123 +1263,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1273,74 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -6650,7 +6665,7 @@ index 6649962..1f527f5 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1347,106 @@ optional_policy(`
+@@ -1083,172 +1357,106 @@ optional_policy(`
  	')
  ')
  
@@ -6887,7 +6902,7 @@ index 6649962..1f527f5 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1454,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1464,74 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -6984,7 +6999,7 @@ index 6649962..1f527f5 100644
  
  ########################################
  #
-@@ -1321,8 +1529,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1539,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -7001,7 +7016,7 @@ index 6649962..1f527f5 100644
  ')
  
  ########################################
-@@ -1330,49 +1545,38 @@ optional_policy(`
+@@ -1330,49 +1555,38 @@ optional_policy(`
  # User content local policy
  #
  
@@ -7066,7 +7081,7 @@ index 6649962..1f527f5 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1586,100 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1596,100 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -9630,7 +9645,7 @@ index 02fefaa..fbcef10 100644
 +	')
  ')
 diff --git a/boinc.te b/boinc.te
-index 687d4c4..28c35c1 100644
+index 687d4c4..3c5a83a 100644
 --- a/boinc.te
 +++ b/boinc.te
 @@ -12,7 +12,9 @@ policy_module(boinc, 1.1.1)
@@ -9820,17 +9835,19 @@ index 687d4c4..28c35c1 100644
  
  term_getattr_all_ptys(boinc_t)
  term_getattr_unallocated_ttys(boinc_t)
-@@ -137,8 +151,7 @@ init_read_utmp(boinc_t)
+@@ -137,8 +151,9 @@ init_read_utmp(boinc_t)
  
  logging_send_syslog_msg(boinc_t)
  
 -miscfiles_read_fonts(boinc_t)
 -miscfiles_read_localization(boinc_t)
++modutils_dontaudit_exec_insmod(boinc_t)
++
 +xserver_stream_connect(boinc_t)
  
  tunable_policy(`boinc_execmem',`
  	allow boinc_t self:process { execstack execmem };
-@@ -148,48 +161,61 @@ optional_policy(`
+@@ -148,48 +163,61 @@ optional_policy(`
  	mta_send_mail(boinc_t)
  ')
  
@@ -19416,10 +19433,10 @@ index f55c420..e9d64ab 100644
 -
 -miscfiles_read_localization(dbskkd_t)
 diff --git a/dbus.fc b/dbus.fc
-index dda905b..31f269b 100644
+index dda905b..ccd0ba9 100644
 --- a/dbus.fc
 +++ b/dbus.fc
-@@ -1,20 +1,26 @@
+@@ -1,20 +1,27 @@
 -HOME_DIR/\.dbus(/.*)?	gen_context(system_u:object_r:session_dbusd_home_t,s0)
 +/etc/dbus-1(/.*)?		gen_context(system_u:object_r:dbusd_etc_t,s0)
  
@@ -19447,6 +19464,7 @@ index dda905b..31f269b 100644
  
 -/usr/libexec/dbus-daemon-launch-helper	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
 +/var/lib/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
++/var/cache/ibus(/.*)?     gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
  
 -/var/lib/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
 -
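Review bot: Labeling `/var/cache/ibus(/.*)?` as `system_dbusd_var_lib_t` folds the ibus cache into the system bus daemon's own lib type, so every domain that can already write `system_dbusd_var_lib_t` gains write access to ibus's cache and vice versa. If sharing the type is intentional, say so in the file, e.g. `# ibus cache deliberately shares the dbus lib type; no separate ibus type exists`, otherwise a dedicated type is the safer choice. The new line also uses space alignment where the neighbouring entries use tabs.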
@@ -19458,7 +19476,7 @@ index dda905b..31f269b 100644
  /var/named/chroot/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 +')
 diff --git a/dbus.if b/dbus.if
-index 62d22cb..2d33fcd 100644
+index 62d22cb..2b84a85 100644
 --- a/dbus.if
 +++ b/dbus.if
 @@ -1,4 +1,4 @@
@@ -20241,7 +20259,7 @@ index 62d22cb..2d33fcd 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -597,28 +571,32 @@ interface(`dbus_use_system_bus_fds',`
+@@ -597,28 +571,49 @@ interface(`dbus_use_system_bus_fds',`
  ##	</summary>
  ## </param>
  #
@@ -20281,6 +20299,23 @@ index 62d22cb..2d33fcd 100644
 -	typeattribute $1 dbusd_unconfined;
 +	dontaudit $1 system_bus_type:dbus send_msg;
 +	dontaudit system_bus_type $1:dbus send_msg;
++')
++
++#######################################
++## <summary>
++##      Transition to dbus named content
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`dbus_filetrans_named_content_system',`
++    gen_require(`
++        type system_dbusd_var_lib_t;
++    ')
++    files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus")
  ')
 diff --git a/dbus.te b/dbus.te
 index c9998c8..8b8b691 100644
@@ -22774,7 +22809,7 @@ index 23ab808..84735a8 100644
 +/var/run/dnsmasq.*		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
  /var/run/libvirt/network(/.*)?	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
 diff --git a/dnsmasq.if b/dnsmasq.if
-index 19aa0b8..e34a540 100644
+index 19aa0b8..b9895ba 100644
 --- a/dnsmasq.if
 +++ b/dnsmasq.if
 @@ -10,7 +10,6 @@
@@ -22918,27 +22953,40 @@ index 19aa0b8..e34a540 100644
  	read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
  ')
  
-@@ -214,37 +292,49 @@ interface(`dnsmasq_create_pid_dirs',`
+@@ -214,37 +292,66 @@ interface(`dnsmasq_create_pid_dirs',`
  
  ########################################
  ## <summary>
 -##	Create specified objects in specified
 -##	directories with a type transition to
 -##	the dnsmasq pid file type.
-+##	Transition to dnsmasq named content
++##	Create dnsmasq pid directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
 -## <param name="file_type">
 -##	<summary>
 -##	Directory to transition on.
 -##	</summary>
 -## </param>
 -## <param name="object">
--##	<summary>
++#
++interface(`dnsmasq_read_state',`
++	gen_require(`
++		type dnsmasq_t;
++	')
++    ps_process_pattern($1, dnsmasq_t)
++')
++
++########################################
++## <summary>
++##	Transition to dnsmasq named content
++## </summary>
++## <param name="domain">
+ ##	<summary>
 -##	The object class of the object being created.
 +##      Domain allowed access.
  ##	</summary>
@@ -22986,7 +23034,7 @@ index 19aa0b8..e34a540 100644
  ')
  
  ########################################
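Review bot: The summary attached to the new `dnsmasq_read_state` interface reads "Create dnsmasq pid directories.", which describes a different interface; the body is `ps_process_pattern($1, dnsmasq_t)`, i.e. it lets the caller read dnsmasq's process state. Replace it with `##	Read the process state (/proc/pid) of dnsmasq.` so a caller such as neutron_t later in this patch is not granted it under a wrong description. The `ps_process_pattern` line is also indented with spaces where the `gen_require` above it uses tabs.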
-@@ -267,12 +357,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
+@@ -267,12 +374,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
  interface(`dnsmasq_admin',`
  	gen_require(`
  		type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
@@ -23007,7 +23055,7 @@ index 19aa0b8..e34a540 100644
  	init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 dnsmasq_initrc_exec_t system_r;
-@@ -281,9 +377,13 @@ interface(`dnsmasq_admin',`
+@@ -281,9 +394,13 @@ interface(`dnsmasq_admin',`
  	files_list_var_lib($1)
  	admin_pattern($1, dnsmasq_lease_t)
  
@@ -33800,10 +33848,10 @@ index 0000000..48d7322
 +
 diff --git a/ipa.if b/ipa.if
 new file mode 100644
-index 0000000..d028154
+index 0000000..a2af18e
 --- /dev/null
 +++ b/ipa.if
-@@ -0,0 +1,57 @@
+@@ -0,0 +1,76 @@
 +## <summary>Policy for IPA services.</summary>
 +
 +########################################
@@ -33861,6 +33909,25 @@ index 0000000..d028154
 +    manage_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
 +')
 +
++########################################
++## <summary>
++##	Allow domain to manage ipa lib files/dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`ipa_read_lib',`
++	gen_require(`
++		type ipa_var_lib_t;
++	')
++
++    read_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
++    list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
++')
++
 diff --git a/ipa.te b/ipa.te
 new file mode 100644
 index 0000000..b60bc5f
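Review bot: The summary of the new `ipa_read_lib` interface says "Allow domain to manage ipa lib files/dirs.", but the body only grants `read_files_pattern` and `list_dirs_pattern` on `ipa_var_lib_t`, and the interface just above (whose body ends with `manage_dirs_pattern`) already carries the manage wording. Change it to `##	Allow domain to read ipa lib files and list its directories.` so callers such as `pki_tomcat_t` later in this patch are not misled into expecting write access. The two pattern calls are indented with four spaces where the `gen_require` uses tabs.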
@@ -54477,7 +54544,7 @@ index af3c91e..6882a3f 100644
  /var/lib/sntp-kod(/.*)?	gen_context(system_u:object_r:ntp_drift_t,s0)
  
 diff --git a/ntp.if b/ntp.if
-index e96a309..c6d1b01 100644
+index e96a309..2bacc3f 100644
 --- a/ntp.if
 +++ b/ntp.if
 @@ -1,4 +1,4 @@
@@ -54644,7 +54711,7 @@ index e96a309..c6d1b01 100644
  
  	logging_list_logs($1)
  	admin_pattern($1, ntpd_log_t)
-@@ -186,5 +270,28 @@ interface(`ntp_admin',`
+@@ -186,5 +270,30 @@ interface(`ntp_admin',`
  	files_list_pids($1)
  	admin_pattern($1, ntpd_var_run_t)
  
@@ -54669,13 +54736,15 @@ index e96a309..c6d1b01 100644
 +interface(`ntp_filetrans_named_content',`
 +	gen_require(`
 +		type ntp_conf_t;
++        type ntp_drift_t;
 +	')
 +
 +	files_etc_filetrans($1, ntp_conf_t, file, "ntpd.conf")
 +	files_etc_filetrans($1, ntp_conf_t, dir, "ntp")
++    files_var_lib_filetrans($1, ntp_drift_t, file, "sntp-kod")
  ')
 diff --git a/ntp.te b/ntp.te
-index f81b113..8d889d8 100644
+index f81b113..5c71385 100644
 --- a/ntp.te
 +++ b/ntp.te
 @@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t;
@@ -54688,7 +54757,15 @@ index f81b113..8d889d8 100644
  type ntp_conf_t;
  files_config_file(ntp_conf_t)
  
-@@ -60,9 +63,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+@@ -53,6 +56,7 @@ allow ntpd_t self:tcp_socket { accept listen };
+ 
+ manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
+ manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
++files_var_lib_filetrans(ntpd_t, ntp_drift_t, dir, "sntp-kod")
+ 
+ allow ntpd_t ntp_conf_t:file read_file_perms;
+ 
+@@ -60,9 +64,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
  read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
  
  allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
@@ -54699,7 +54776,7 @@ index f81b113..8d889d8 100644
  logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
  
  manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
-@@ -83,21 +84,16 @@ kernel_read_system_state(ntpd_t)
+@@ -83,21 +85,16 @@ kernel_read_system_state(ntpd_t)
  kernel_read_network_state(ntpd_t)
  kernel_request_load_module(ntpd_t)
  
@@ -54723,7 +54800,7 @@ index f81b113..8d889d8 100644
  
  corecmd_exec_bin(ntpd_t)
  corecmd_exec_shell(ntpd_t)
-@@ -110,13 +106,15 @@ domain_use_interactive_fds(ntpd_t)
+@@ -110,13 +107,15 @@ domain_use_interactive_fds(ntpd_t)
  domain_dontaudit_list_all_domains_state(ntpd_t)
  
  files_read_etc_runtime_files(ntpd_t)
@@ -54740,7 +54817,7 @@ index f81b113..8d889d8 100644
  
  auth_use_nsswitch(ntpd_t)
  
-@@ -124,8 +122,6 @@ init_exec_script_files(ntpd_t)
+@@ -124,8 +123,6 @@ init_exec_script_files(ntpd_t)
  
  logging_send_syslog_msg(ntpd_t)
  
@@ -61927,10 +62004,10 @@ index 0000000..798efb6
 +')
 diff --git a/pki.te b/pki.te
 new file mode 100644
-index 0000000..22f672d
+index 0000000..90c6736
 --- /dev/null
 +++ b/pki.te
-@@ -0,0 +1,274 @@
+@@ -0,0 +1,278 @@
 +policy_module(pki,10.0.11)
 +
 +########################################
@@ -62078,6 +62155,10 @@ index 0000000..22f672d
 +        hostname_exec(pki_tomcat_t)
 +')
 +
++optional_policy(`
++    ipa_read_lib(pki_tomcat_t)
++')
++
 +#######################################
 +#
 +# tps local policy
@@ -69301,23 +69382,21 @@ index 6643b49..1d2470f 100644
  
  optional_policy(`
 diff --git a/puppet.fc b/puppet.fc
-index d68e26d..98ad443 100644
+index d68e26d..94b9e8e 100644
 --- a/puppet.fc
 +++ b/puppet.fc
-@@ -1,18 +1,13 @@
+@@ -1,18 +1,10 @@
 -/etc/puppet(/.*)?	gen_context(system_u:object_r:puppet_etc_t,s0)
 +/etc/puppet(/.*)?			gen_context(system_u:object_r:puppet_etc_t,s0)
  
 -/etc/rc\.d/init\.d/puppet	--	gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/puppetmaster	--	gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
-+/usr/lib/systemd/system/puppet.*          --      gen_context(system_u:object_r:puppet_unit_file_t,s0)
-+/usr/lib/systemd/system/puppetmaster.*             --      gen_context(system_u:object_r:puppet_unit_file_t,s0)
++/usr/lib/systemd/system/puppetmaster.*      --      gen_context(system_u:object_r:puppet_unit_file_t,s0)
  
- /usr/bin/puppetca	--	gen_context(system_u:object_r:puppetca_exec_t,s0)
+-/usr/bin/puppetca	--	gen_context(system_u:object_r:puppetca_exec_t,s0)
 -/usr/bin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
 -/usr/bin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
-+/usr/bin/puppet	--	gen_context(system_u:object_r:puppet_exec_t,s0)
-+/usr/bin/start-puppet-agent     --      gen_context(system_u:object_r:puppet_exec_t,s0)
++/usr/bin/puppetca	            --	gen_context(system_u:object_r:puppetca_exec_t,s0)
 +/usr/bin/start-puppet-master    --      gen_context(system_u:object_r:puppet_exec_t,s0)
  
 -/usr/sbin/puppetca	--	gen_context(system_u:object_r:puppetca_exec_t,s0)
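Review bot: Dropping the `/usr/bin/puppet`, `/usr/bin/start-puppet-agent` and `/usr/lib/systemd/system/puppet.*` entries means the puppet agent is no longer entered into `puppet_t` and will run in whatever domain its parent hands it — for a systemd-started unit that is presumably an unconfined or generic service domain — which the changelog confirms is deliberate ("to avoid puppet agent running in puppet_t"). That decision should be recorded in the file so the labels are not re-added later, e.g. `# the puppet agent is intentionally left unconfined; only the master runs in puppet_t`. The retouched `puppetca` line also replaces the tab alignment with spaces.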
@@ -72595,10 +72674,10 @@ index afc0068..3105104 100644
 +	')
  ')
 diff --git a/quantum.te b/quantum.te
-index 8644d8b..c93b852 100644
+index 8644d8b..2ba5770 100644
 --- a/quantum.te
 +++ b/quantum.te
-@@ -5,92 +5,121 @@ policy_module(quantum, 1.1.0)
+@@ -5,92 +5,127 @@ policy_module(quantum, 1.1.0)
  # Declarations
  #
  
@@ -72643,7 +72722,7 @@ index 8644d8b..c93b852 100644
 -allow quantum_t self:key manage_key_perms;
 -allow quantum_t self:tcp_socket { accept listen };
 -allow quantum_t self:unix_stream_socket { accept listen };
-+allow neutron_t self:capability { setgid setuid sys_resource net_admin sys_admin };
++allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin };
 +allow neutron_t self:process { setsched setrlimit };
 +allow neutron_t self:fifo_file rw_fifo_file_perms;
 +allow neutron_t self:key manage_key_perms;
@@ -72656,37 +72735,39 @@ index 8644d8b..c93b852 100644
 +create_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
 +setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
 +logging_log_filetrans(neutron_t, neutron_log_t, dir)
-+
-+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
-+files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
  
 -manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
 -append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
 -create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
 -setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
 -logging_log_filetrans(quantum_t, quantum_log_t, dir)
-+manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
-+manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
-+files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
++manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
++files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
  
 -manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
 -files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
-+can_exec(neutron_t, neutron_tmp_t)
++manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
++manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
++files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
  
 -manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
 -manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
 -files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
++can_exec(neutron_t, neutron_tmp_t)
+ 
+-can_exec(quantum_t, quantum_tmp_t)
 +kernel_read_kernel_sysctls(neutron_t)
 +kernel_read_system_state(neutron_t)
 +kernel_read_network_state(neutron_t)
 +kernel_request_load_module(neutron_t)
  
--can_exec(quantum_t, quantum_tmp_t)
+-kernel_read_kernel_sysctls(quantum_t)
+-kernel_read_system_state(quantum_t)
 +corecmd_exec_shell(neutron_t)
 +corecmd_exec_bin(neutron_t)
  
--kernel_read_kernel_sysctls(quantum_t)
--kernel_read_system_state(quantum_t)
+-corecmd_exec_shell(quantum_t)
+-corecmd_exec_bin(quantum_t)
 +corenet_all_recvfrom_unlabeled(neutron_t)
 +corenet_all_recvfrom_netlabel(neutron_t)
 +corenet_tcp_sendrecv_generic_if(neutron_t)
@@ -72694,82 +72775,86 @@ index 8644d8b..c93b852 100644
 +corenet_tcp_sendrecv_all_ports(neutron_t)
 +corenet_tcp_bind_generic_node(neutron_t)
  
--corecmd_exec_shell(quantum_t)
--corecmd_exec_bin(quantum_t)
-+corenet_tcp_bind_neutron_port(neutron_t)
-+corenet_tcp_connect_keystone_port(neutron_t)
-+corenet_tcp_connect_amqp_port(neutron_t)
-+corenet_tcp_connect_mysqld_port(neutron_t)
- 
 -corenet_all_recvfrom_unlabeled(quantum_t)
 -corenet_all_recvfrom_netlabel(quantum_t)
 -corenet_tcp_sendrecv_generic_if(quantum_t)
 -corenet_tcp_sendrecv_generic_node(quantum_t)
 -corenet_tcp_sendrecv_all_ports(quantum_t)
 -corenet_tcp_bind_generic_node(quantum_t)
-+domain_named_filetrans(neutron_t)
++corenet_tcp_bind_neutron_port(neutron_t)
++corenet_tcp_connect_keystone_port(neutron_t)
++corenet_tcp_connect_amqp_port(neutron_t)
++corenet_tcp_connect_mysqld_port(neutron_t)
  
 -dev_list_sysfs(quantum_t)
 -dev_read_urand(quantum_t)
++domain_named_filetrans(neutron_t)
+ 
+-files_read_usr_files(quantum_t)
 +dev_read_sysfs(neutron_t)
 +dev_read_urand(neutron_t)
 +dev_mounton_sysfs(neutron_t)
 +dev_mount_sysfs_fs(neutron_t)
- 
--files_read_usr_files(quantum_t)
-+auth_use_nsswitch(neutron_t)
++dev_unmount_sysfs_fs(neutron_t)
  
 -auth_use_nsswitch(quantum_t)
-+libs_exec_ldconfig(neutron_t)
++files_mounton_non_security(neutron_t)
  
 -libs_exec_ldconfig(quantum_t)
-+logging_send_audit_msgs(neutron_t)
-+logging_send_syslog_msg(neutron_t)
++auth_use_nsswitch(neutron_t)
  
 -logging_send_audit_msgs(quantum_t)
 -logging_send_syslog_msg(quantum_t)
-+sysnet_exec_ifconfig(neutron_t)
-+sysnet_filetrans_named_content_ifconfig(neutron_t)
++libs_exec_ldconfig(neutron_t)
  
 -miscfiles_read_localization(quantum_t)
-+optional_policy(`
-+	brctl_domtrans(neutron_t)
-+')
++logging_send_audit_msgs(neutron_t)
++logging_send_syslog_msg(neutron_t)
  
 -sysnet_domtrans_ifconfig(quantum_t)
-+optional_policy(`
-+    dnsmasq_domtrans(neutron_t)
-+')
++sysnet_exec_ifconfig(neutron_t)
++sysnet_manage_ifconfig_run(neutron_t)
++sysnet_filetrans_named_content_ifconfig(neutron_t)
  
  optional_policy(`
 -	brctl_domtrans(quantum_t)
-+    iptables_domtrans(neutron_t)
++	brctl_domtrans(neutron_t)
  ')
  
  optional_policy(`
 -	mysql_stream_connect(quantum_t)
 -	mysql_read_config(quantum_t)
-+	mysql_stream_connect(neutron_t)
-+	mysql_read_config(neutron_t)
++    dnsmasq_domtrans(neutron_t)
++    dnsmasq_signal(neutron_t)
++    dnsmasq_read_state(neutron_t)
++')
  
 -	mysql_tcp_connect(quantum_t)
-+	mysql_tcp_connect(neutron_t)
++optional_policy(`
++    iptables_domtrans(neutron_t)
  ')
  
  optional_policy(`
 -	postgresql_stream_connect(quantum_t)
 -	postgresql_unpriv_client(quantum_t)
++	mysql_stream_connect(neutron_t)
++	mysql_read_config(neutron_t)
+ 
+-	postgresql_tcp_connect(quantum_t)
++	mysql_tcp_connect(neutron_t)
+ ')
++
++optional_policy(`
 +	postgresql_stream_connect(neutron_t)
 +	postgresql_unpriv_client(neutron_t)
 +
 +	postgresql_tcp_connect(neutron_t)
 +')
- 
--	postgresql_tcp_connect(quantum_t)
++
 +optional_policy(`
 +    openvswitch_domtrans(neutron_t)
 +    openvswitch_stream_connect(neutron_t)
- ')
++')
 +
 +optional_policy(`
 +	sudo_exec(neutron_t)
@@ -84788,10 +84873,10 @@ index 0000000..89bc443
 +')
 diff --git a/sandbox.te b/sandbox.te
 new file mode 100644
-index 0000000..b12aada
+index 0000000..62a9666
 --- /dev/null
 +++ b/sandbox.te
-@@ -0,0 +1,62 @@
+@@ -0,0 +1,63 @@
 +policy_module(sandbox,1.0.0)
 +
 +attribute sandbox_domain;
@@ -84837,6 +84922,7 @@ index 0000000..b12aada
 +')
 +
 +kernel_dontaudit_read_system_state(sandbox_domain)
++kernel_dontaudit_getattr_core_if(sandbox_domain)
 +
 +corecmd_exec_all_executables(sandbox_domain)
 +
@@ -98017,7 +98103,7 @@ index 1c35171..2cba4df 100644
  	domain_system_change_exemption($1)
  	role_transition $2 varnishd_initrc_exec_t system_r;
 diff --git a/varnishd.te b/varnishd.te
-index 9d4d8cb..f50c3ff 100644
+index 9d4d8cb..a58e2dd 100644
 --- a/varnishd.te
 +++ b/varnishd.te
 @@ -21,7 +21,7 @@ type varnishd_initrc_exec_t;
@@ -98029,7 +98115,7 @@ index 9d4d8cb..f50c3ff 100644
  
  type varnishd_tmp_t;
  files_tmp_file(varnishd_tmp_t)
-@@ -43,7 +43,7 @@ type varnishlog_var_run_t;
+@@ -43,16 +43,16 @@ type varnishlog_var_run_t;
  files_pid_file(varnishlog_var_run_t)
  
  type varnishlog_log_t;
@@ -98038,9 +98124,11 @@ index 9d4d8cb..f50c3ff 100644
  
  ########################################
  #
-@@ -52,7 +52,7 @@ files_type(varnishlog_log_t)
+ # Local policy
+ #
  
- allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
+-allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
++allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown };
  dontaudit varnishd_t self:capability sys_tty_config;
 -allow varnishd_t self:process signal;
 +allow varnishd_t self:process { execmem signal };
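Review bot: `chown` is added to varnishd_t's capability list without a note on which files it needs to re-own; CAP_CHOWN lets the daemon change ownership of anything its SELinux permissions already let it write, so the reason belongs next to the rule, e.g. `# chown: varnishd re-owns its working/shm files after dropping privileges`, with the real path confirmed from the denial. The changelog line "varnishd wants chown capability" does not replace that.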
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 617d83b..0f5906d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 42%{?dist}
+Release: 43%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -588,6 +588,24 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Apr 4 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-43
+- Add labels for /var/named/chroot_sdb/dev devices
+- Add support for strongimcv
+- Add additional fixes for yubikeys based on william@firstyear.id.au
+- Allow init_t run /sbin/augenrules
+- Remove dup decl for dev_unmount_sysfs_fs
+- Allow unpriv SELinux user to use sandbox
+- Fix ntp_filetrans_named_content for sntp-kod file
+- Add httpd_dbus_sssd boolean
+- Dontaudit exec insmod in boinc policy
+- Add dbus_filetrans_named_content_system()
+- We want to label only /usr/bin/start-puppet-master to avoid puppet agent running in puppet_t
+- varnishd wants chown capability
+- update ntp_filetrans_named_content() interface
+- Add additional fixes for neutron_t. #1083335
+- Dontaudit sandbox_t getattr on proc_kcore_t
+- Allow pki_tomcat_t to read ipa lib files
+
 * Tue Apr 1 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-42
 - Merge user_tmp_t and user_tmpfs_t together to have only user_tmp_t