diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index d471202..a0c5582 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -14445,7 +14445,7 @@ index d7c11a0..6b3331d 100644
  /var/run/shm/.*			<<none>>
 -')
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..19d6aba 100644
+index 8416beb..d7111b8 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -14683,7 +14683,7 @@ index 8416beb..19d6aba 100644
  ')
  
  ########################################
-@@ -1542,6 +1666,25 @@ interface(`fs_cifs_domtrans',`
+@@ -1542,6 +1666,44 @@ interface(`fs_cifs_domtrans',`
  	domain_auto_transition_pattern($1, cifs_t, $2)
  ')
  
@@ -14706,10 +14706,29 @@ index 8416beb..19d6aba 100644
 +	domain_entry_file($1, cifs_t)
 +')
 +
++########################################
++## <summary>
++##	Make general progams in CIFS an entrypoint for
++##	the specified domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The domain for which cifs_t is an entrypoint.
++##	</summary>
++## </param>
++#
++interface(`fs_cifs_entrypoint',`
++	gen_require(`
++		type cifs_t;
++	')
++
++    allow $1 cifs_t:file entrypoint;
++')
++
  #######################################
  ## <summary>
  ##	Create, read, write, and delete dirs
-@@ -1582,6 +1725,24 @@ interface(`fs_manage_configfs_files',`
+@@ -1582,6 +1744,24 @@ interface(`fs_manage_configfs_files',`
  
  ########################################
  ## <summary>
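Review bot: The doc comment on the new `fs_cifs_entrypoint` interface does not say that it grants `entrypoint` on the generic share label, and the same applies to `fs_fusefs_entrypoint` and `fs_nfs_entrypoint` added further down this patch. Files on such a mount normally all carry the one type (`cifs_t` here), so every executable on the share becomes a valid entry into the calling domain. The summary should say that callers are expected to gate the call behind a boolean and to trust whoever can write to the share. The summary also misspells `progams`, and the rule is indented with four spaces where the neighbouring interfaces use a tab; `	allow $1 cifs_t:file entrypoint;` would match.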
@@ -14734,7 +14753,7 @@ index 8416beb..19d6aba 100644
  ##	Mount a DOS filesystem, such as
  ##	FAT32 or NTFS.
  ## </summary>
-@@ -1793,63 +1954,70 @@ interface(`fs_read_eventpollfs',`
+@@ -1793,63 +1973,70 @@ interface(`fs_read_eventpollfs',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
  
@@ -14830,7 +14849,7 @@ index 8416beb..19d6aba 100644
  ##	on a FUSEFS filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -1859,18 +2027,19 @@ interface(`fs_mounton_fusefs',`
+@@ -1859,18 +2046,19 @@ interface(`fs_mounton_fusefs',`
  ## </param>
  ## <rolecap/>
  #
@@ -14855,7 +14874,7 @@ index 8416beb..19d6aba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1878,135 +2047,151 @@ interface(`fs_search_fusefs',`
+@@ -1878,135 +2066,151 @@ interface(`fs_search_fusefs',`
  ##	</summary>
  ## </param>
  #
@@ -15050,7 +15069,7 @@ index 8416beb..19d6aba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2014,41 +2199,297 @@ interface(`fs_dontaudit_manage_fusefs_files',`
+@@ -2014,19 +2218,313 @@ interface(`fs_dontaudit_manage_fusefs_files',`
  ##	</summary>
  ## </param>
  #
@@ -15071,34 +15090,29 @@ index 8416beb..19d6aba 100644
 -##	filesystem.
 +##	Search directories
 +##	on a FUSEFS filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +## <rolecap/>
- #
--interface(`fs_getattr_hugetlbfs',`
++#
 +interface(`fs_search_fusefs',`
- 	gen_require(`
--		type hugetlbfs_t;
++	gen_require(`
 +		type fusefs_t;
- 	')
- 
--	allow $1 hugetlbfs_t:filesystem getattr;
++	')
++
 +	allow $1 fusefs_t:dir search_dir_perms;
- ')
- 
- ########################################
- ## <summary>
--##	List hugetlbfs.
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to list the contents
 +##	of directories on a FUSEFS filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
@@ -15191,6 +15205,44 @@ index 8416beb..19d6aba 100644
 +
 +########################################
 +## <summary>
++##	Make general progams in FUSEFS an entrypoint for
++##	the specified domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The domain for which fusefs_t is an entrypoint.
++##	</summary>
++## </param>
++#
++interface(`fs_fusefs_entry_type',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	domain_entry_file($1, fusefs_t)
++')
++
++########################################
++## <summary>
++##	Make general progams in FUSEFS an entrypoint for
++##	the specified domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The domain for which fusefs_t is an entrypoint.
++##	</summary>
++## </param>
++#
++interface(`fs_fusefs_entrypoint',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++    allow $1 fusefs_t:file entrypoint;
++')
++
++########################################
++## <summary>
 +##	Create, read, write, and delete files
 +##	on a FUSEFS filesystem.
 +## </summary>
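Review bot: `fs_fusefs_entry_type` and `fs_fusefs_entrypoint` are added with word-for-word identical summaries and parameter descriptions, although the first calls `domain_entry_file($1, fusefs_t)` and the second emits only `allow $1 fusefs_t:file entrypoint;`. A policy author reading the generated interface documentation cannot tell which one to call, and `domain_entry_file` presumably grants more than the bare permission. I would reword the second summary to something like `##	Allow the specified domain to be entered through files on a FUSEFS filesystem (entrypoint permission only).` and leave the existing wording on the first.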
@@ -15333,32 +15385,10 @@ index 8416beb..19d6aba 100644
 +## <summary>
 +##	Get the attributes of an hugetlbfs
 +##	filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_getattr_hugetlbfs',`
-+	gen_require(`
-+		type hugetlbfs_t;
-+	')
-+
-+	allow $1 hugetlbfs_t:filesystem getattr;
-+')
-+
-+########################################
-+## <summary>
-+##	List hugetlbfs.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
-@@ -2080,6 +2521,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2080,6 +2578,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
  
  ########################################
  ## <summary>
@@ -15383,7 +15413,7 @@ index 8416beb..19d6aba 100644
  ##	Read and write hugetlbfs files.
  ## </summary>
  ## <param name="domain">
-@@ -2098,6 +2557,25 @@ interface(`fs_rw_hugetlbfs_files',`
+@@ -2098,6 +2614,25 @@ interface(`fs_rw_hugetlbfs_files',`
  
  ########################################
  ## <summary>
@@ -15409,7 +15439,7 @@ index 8416beb..19d6aba 100644
  ##	Allow the type to associate to hugetlbfs filesystems.
  ## </summary>
  ## <param name="type">
-@@ -2148,11 +2626,12 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,11 +2683,12 @@ interface(`fs_list_inotifyfs',`
  	')
  
  	allow $1 inotifyfs_t:dir list_dir_perms;
@@ -15423,7 +15453,7 @@ index 8416beb..19d6aba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2485,6 +2964,7 @@ interface(`fs_read_nfs_files',`
+@@ -2485,6 +3021,7 @@ interface(`fs_read_nfs_files',`
  		type nfs_t;
  	')
  
@@ -15431,7 +15461,7 @@ index 8416beb..19d6aba 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	read_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2523,6 +3003,7 @@ interface(`fs_write_nfs_files',`
+@@ -2523,6 +3060,7 @@ interface(`fs_write_nfs_files',`
  		type nfs_t;
  	')
  
@@ -15439,7 +15469,7 @@ index 8416beb..19d6aba 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	write_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2549,6 +3030,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2549,6 +3087,44 @@ interface(`fs_exec_nfs_files',`
  
  ########################################
  ## <summary>
@@ -15462,10 +15492,29 @@ index 8416beb..19d6aba 100644
 +
 +########################################
 +## <summary>
++##	Make general progams in NFS an entrypoint for
++##	the specified domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The domain for which nfs_t is an entrypoint.
++##	</summary>
++## </param>
++#
++interface(`fs_nfs_entrypoint',`
++	gen_require(`
++		type nfs_t;
++	')
++
++    allow $1 nfs_t:file entrypoint;
++')
++
++########################################
++## <summary>
  ##	Append files
  ##	on a NFS filesystem.
  ## </summary>
-@@ -2569,7 +3069,7 @@ interface(`fs_append_nfs_files',`
+@@ -2569,7 +3145,7 @@ interface(`fs_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -15474,7 +15523,7 @@ index 8416beb..19d6aba 100644
  ##	on a NFS filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -2589,6 +3089,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2589,6 +3165,42 @@ interface(`fs_dontaudit_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -15517,7 +15566,7 @@ index 8416beb..19d6aba 100644
  ##	Do not audit attempts to read or
  ##	write files on a NFS filesystem.
  ## </summary>
-@@ -2603,7 +3139,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2603,7 +3215,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -15526,7 +15575,7 @@ index 8416beb..19d6aba 100644
  ')
  
  ########################################
-@@ -2627,7 +3163,7 @@ interface(`fs_read_nfs_symlinks',`
+@@ -2627,7 +3239,7 @@ interface(`fs_read_nfs_symlinks',`
  
  ########################################
  ## <summary>
@@ -15535,7 +15584,7 @@ index 8416beb..19d6aba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2719,6 +3255,47 @@ interface(`fs_search_rpc',`
+@@ -2719,6 +3331,47 @@ interface(`fs_search_rpc',`
  
  ########################################
  ## <summary>
@@ -15583,7 +15632,7 @@ index 8416beb..19d6aba 100644
  ##	Search removable storage directories.
  ## </summary>
  ## <param name="domain">
-@@ -2741,7 +3318,7 @@ interface(`fs_search_removable',`
+@@ -2741,7 +3394,7 @@ interface(`fs_search_removable',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -15592,7 +15641,7 @@ index 8416beb..19d6aba 100644
  ##	</summary>
  ## </param>
  #
-@@ -2777,7 +3354,7 @@ interface(`fs_read_removable_files',`
+@@ -2777,7 +3430,7 @@ interface(`fs_read_removable_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -15601,7 +15650,7 @@ index 8416beb..19d6aba 100644
  ##	</summary>
  ## </param>
  #
-@@ -2970,6 +3547,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +3623,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -15609,7 +15658,7 @@ index 8416beb..19d6aba 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -3010,6 +3588,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,6 +3664,7 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -15617,7 +15666,7 @@ index 8416beb..19d6aba 100644
  	manage_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3050,6 +3629,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3050,6 +3705,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -15625,7 +15674,7 @@ index 8416beb..19d6aba 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3137,6 +3717,24 @@ interface(`fs_nfs_domtrans',`
+@@ -3137,6 +3793,24 @@ interface(`fs_nfs_domtrans',`
  
  ########################################
  ## <summary>
@@ -15650,7 +15699,7 @@ index 8416beb..19d6aba 100644
  ##	Mount a NFS server pseudo filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3263,6 +3861,24 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3263,6 +3937,24 @@ interface(`fs_getattr_nfsd_files',`
  	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
  ')
  
@@ -15675,7 +15724,7 @@ index 8416beb..19d6aba 100644
  ########################################
  ## <summary>
  ##	Read and write NFS server files.
-@@ -3283,6 +3899,24 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3283,6 +3975,24 @@ interface(`fs_rw_nfsd_fs',`
  
  ########################################
  ## <summary>
@@ -15700,7 +15749,7 @@ index 8416beb..19d6aba 100644
  ##	Allow the type to associate to ramfs filesystems.
  ## </summary>
  ## <param name="type">
-@@ -3392,7 +4026,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +4102,7 @@ interface(`fs_search_ramfs',`
  
  ########################################
  ## <summary>
@@ -15709,7 +15758,7 @@ index 8416beb..19d6aba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3429,7 +4063,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4139,7 @@ interface(`fs_manage_ramfs_dirs',`
  
  ########################################
  ## <summary>
@@ -15718,7 +15767,7 @@ index 8416beb..19d6aba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3447,7 +4081,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4157,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
  
  ########################################
  ## <summary>
@@ -15727,7 +15776,7 @@ index 8416beb..19d6aba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3743,25 +4377,61 @@ interface(`fs_getattr_rpc_pipefs',`
+@@ -3743,25 +4453,61 @@ interface(`fs_getattr_rpc_pipefs',`
  
  #########################################
  ## <summary>
@@ -15795,7 +15844,7 @@ index 8416beb..19d6aba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3769,17 +4439,17 @@ interface(`fs_rw_rpc_named_pipes',`
+@@ -3769,17 +4515,17 @@ interface(`fs_rw_rpc_named_pipes',`
  ##	</summary>
  ## </param>
  #
@@ -15816,7 +15865,7 @@ index 8416beb..19d6aba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3787,17 +4457,17 @@ interface(`fs_mount_tmpfs',`
+@@ -3787,17 +4533,17 @@ interface(`fs_mount_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -15837,7 +15886,7 @@ index 8416beb..19d6aba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3805,12 +4475,12 @@ interface(`fs_remount_tmpfs',`
+@@ -3805,12 +4551,12 @@ interface(`fs_remount_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -15852,7 +15901,7 @@ index 8416beb..19d6aba 100644
  ')
  
  ########################################
-@@ -3908,7 +4578,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3908,7 +4654,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
  
  ########################################
  ## <summary>
@@ -15861,7 +15910,7 @@ index 8416beb..19d6aba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3916,17 +4586,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,17 +4662,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -15882,7 +15931,7 @@ index 8416beb..19d6aba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3934,17 +4604,17 @@ interface(`fs_mounton_tmpfs',`
+@@ -3934,17 +4680,17 @@ interface(`fs_mounton_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -15903,7 +15952,7 @@ index 8416beb..19d6aba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3952,17 +4622,36 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +4698,36 @@ interface(`fs_setattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -15943,7 +15992,7 @@ index 8416beb..19d6aba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3970,31 +4659,48 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +4735,48 @@ interface(`fs_search_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -15999,7 +16048,7 @@ index 8416beb..19d6aba 100644
  ')
  
  ########################################
-@@ -4105,7 +4811,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4105,7 +4887,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
  		type tmpfs_t;
  	')
  
@@ -16008,7 +16057,7 @@ index 8416beb..19d6aba 100644
  ')
  
  ########################################
-@@ -4165,6 +4871,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4165,6 +4947,24 @@ interface(`fs_rw_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -16033,7 +16082,7 @@ index 8416beb..19d6aba 100644
  ##	Read tmpfs link files.
  ## </summary>
  ## <param name="domain">
-@@ -4202,7 +4926,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4202,7 +5002,7 @@ interface(`fs_rw_tmpfs_chr_files',`
  
  ########################################
  ## <summary>
@@ -16042,7 +16091,7 @@ index 8416beb..19d6aba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4221,6 +4945,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4221,6 +5021,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -16103,7 +16152,7 @@ index 8416beb..19d6aba 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4278,6 +5056,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4278,6 +5132,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
  
  ########################################
  ## <summary>
@@ -16148,7 +16197,7 @@ index 8416beb..19d6aba 100644
  ##	Read and write, create and delete generic
  ##	files on tmpfs filesystems.
  ## </summary>
-@@ -4297,6 +5113,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4297,6 +5189,25 @@ interface(`fs_manage_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -16174,7 +16223,7 @@ index 8416beb..19d6aba 100644
  ##	Read and write, create and delete symbolic
  ##	links on tmpfs filesystems.
  ## </summary>
-@@ -4503,6 +5338,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +5414,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -16183,7 +16232,7 @@ index 8416beb..19d6aba 100644
  ')
  
  ########################################
-@@ -4549,7 +5386,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +5462,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -16192,7 +16241,7 @@ index 8416beb..19d6aba 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4596,6 +5433,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +5509,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
  
  ########################################
  ## <summary>
@@ -16219,7 +16268,7 @@ index 8416beb..19d6aba 100644
  ##	Get the quotas of all filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4671,6 +5528,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +5604,25 @@ interface(`fs_getattr_all_dirs',`
  
  ########################################
  ## <summary>
@@ -16245,7 +16294,7 @@ index 8416beb..19d6aba 100644
  ##	Search all directories with a filesystem type.
  ## </summary>
  ## <param name="domain">
-@@ -4912,3 +5788,43 @@ interface(`fs_unconfined',`
+@@ -4912,3 +5864,43 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -33950,7 +33999,7 @@ index c42fbc3..277fe6c 100644
  ## <summary>
  ##	Set the attributes of iptables config files.
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index be8ed1e..231b21d 100644
+index be8ed1e..750839c 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
 @@ -16,15 +16,18 @@ role iptables_roles types iptables_t;
@@ -34071,7 +34120,7 @@ index be8ed1e..231b21d 100644
  	modutils_run_insmod(iptables_t, iptables_roles)
  ')
  
-@@ -124,6 +142,12 @@ optional_policy(`
+@@ -124,6 +142,16 @@ optional_policy(`
  
  optional_policy(`
  	psad_rw_tmp_files(iptables_t)
@@ -34079,12 +34128,16 @@ index be8ed1e..231b21d 100644
 +')
 +
 +optional_policy(`
++	ctdbd_read_lib_files(iptables_t)
++')
++
++optional_policy(`
 +    neutron_rw_inherited_pipes(iptables_t)
 +    neutron_sigchld(iptables_t)
  ')
  
  optional_policy(`
-@@ -135,9 +159,9 @@ optional_policy(`
+@@ -135,9 +163,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42673,7 +42726,7 @@ index 0000000..d2a8fc7
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..0401ad8
+index 0000000..ea27f86
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
 @@ -0,0 +1,721 @@
@@ -42946,7 +42999,7 @@ index 0000000..0401ad8
 +
 +dev_read_sysfs(systemd_networkd_t)
 +
-+auth_read_passwd(systemd_networkd_t)
++auth_use_nsswitch(systemd_networkd_t)
 +
 +sysnet_manage_config(systemd_networkd_t)
 +sysnet_manage_config_dirs(systemd_networkd_t)
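Review bot: Replacing `auth_read_passwd(systemd_networkd_t)` with `auth_use_nsswitch(systemd_networkd_t)` widens the domain from reading the passwd database to every name-service backend the policy supports, and nothing in the hunk records why. If networkd really resolves users or hosts through NSS modules, a one-line comment above the call saying so would stop a later reviewer from treating the broader grant as accidental. The rest of the systemd_networkd_t section lies outside this hunk, so a justification may already exist there.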
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 20b84a9..efe9698 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -18378,10 +18378,10 @@ index 1303b30..759412f 100644
 +    logging_log_filetrans($1, cron_log_t, $2, $3)
  ')
 diff --git a/cron.te b/cron.te
-index 7de3859..0ee059a 100644
+index 7de3859..9d2cd2d 100644
 --- a/cron.te
 +++ b/cron.te
-@@ -11,46 +11,46 @@ gen_require(`
+@@ -11,46 +11,54 @@ gen_require(`
  
  ## <desc>
  ##	<p>
@@ -18405,9 +18405,17 @@ index 7de3859..0ee059a 100644
 +##  in the user domain as opposed to the
 +##  the generic cronjob domain.
 +##  </p>
++## </desc>
++gen_tunable(cron_userdomain_transition, true)
++
++## <desc>
++##  <p>
++##  Allow system cronjob to be executed on
++##  on NFS, CIFS or FUSE filesystem.
++##  </p>
  ## </desc>
 -gen_tunable(cron_userdomain_transition, false)
-+gen_tunable(cron_userdomain_transition, true)
++gen_tunable(cron_system_cronjob_use_shares, false)
  
  ## <desc>
  ##	<p>
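Review bot: The description of the new `cron_system_cronjob_use_shares` tunable reads `Allow system cronjob to be executed on on NFS, CIFS or FUSE filesystem.`, with a doubled `on`, and it does not tell an administrator what enabling it trusts. This text is what an administrator sees when listing booleans, so I would write `Allow system cron jobs to be executed from NFS, CIFS or FUSE filesystems. All files on these mounts share one label, so enable this only if the share contents are trusted.` Defaulting it to `false` is the right choice.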
@@ -18442,7 +18450,7 @@ index 7de3859..0ee059a 100644
  type cron_log_t;
  logging_log_file(cron_log_t)
  
-@@ -71,6 +71,9 @@ domain_cron_exemption_source(crond_t)
+@@ -71,6 +79,9 @@ domain_cron_exemption_source(crond_t)
  type crond_initrc_exec_t;
  init_script_file(crond_initrc_exec_t)
  
@@ -18452,7 +18460,7 @@ index 7de3859..0ee059a 100644
  type crond_tmp_t;
  files_tmp_file(crond_tmp_t)
  files_poly_parent(crond_tmp_t)
-@@ -92,15 +95,17 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
+@@ -92,15 +103,17 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
  typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
  typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
  typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
@@ -18473,7 +18481,7 @@ index 7de3859..0ee059a 100644
  
  type system_cronjob_lock_t alias system_crond_lock_t;
  files_lock_file(system_cronjob_lock_t)
-@@ -108,94 +113,34 @@ files_lock_file(system_cronjob_lock_t)
+@@ -108,94 +121,34 @@ files_lock_file(system_cronjob_lock_t)
  type system_cronjob_tmp_t alias system_crond_tmp_t;
  files_tmp_file(system_cronjob_tmp_t)
  
@@ -18580,7 +18588,7 @@ index 7de3859..0ee059a 100644
  selinux_get_fs_mount(admin_crontab_t)
  selinux_validate_context(admin_crontab_t)
  selinux_compute_access_vector(admin_crontab_t)
-@@ -204,22 +149,26 @@ selinux_compute_relabel_context(admin_crontab_t)
+@@ -204,22 +157,26 @@ selinux_compute_relabel_context(admin_crontab_t)
  selinux_compute_user_contexts(admin_crontab_t)
  
  tunable_policy(`fcron_crond',`
@@ -18610,7 +18618,7 @@ index 7de3859..0ee059a 100644
  allow crond_t self:shm create_shm_perms;
  allow crond_t self:sem create_sem_perms;
  allow crond_t self:msgq create_msgq_perms;
-@@ -227,7 +176,7 @@ allow crond_t self:msg { send receive };
+@@ -227,7 +184,7 @@ allow crond_t self:msg { send receive };
  allow crond_t self:key { search write link };
  dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
  
@@ -18619,7 +18627,7 @@ index 7de3859..0ee059a 100644
  logging_log_filetrans(crond_t, cron_log_t, file)
  
  manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
-@@ -237,73 +186,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
+@@ -237,73 +194,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
  
  manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
  manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
@@ -18723,7 +18731,7 @@ index 7de3859..0ee059a 100644
  auth_use_nsswitch(crond_t)
  
  logging_send_audit_msgs(crond_t)
-@@ -312,41 +256,46 @@ logging_set_loginuid(crond_t)
+@@ -312,41 +264,46 @@ logging_set_loginuid(crond_t)
  
  seutil_read_config(crond_t)
  seutil_read_default_contexts(crond_t)
@@ -18786,7 +18794,7 @@ index 7de3859..0ee059a 100644
  ')
  
  optional_policy(`
-@@ -354,103 +303,135 @@ optional_policy(`
+@@ -354,103 +311,141 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18916,6 +18924,12 @@ index 7de3859..0ee059a 100644
 +# for this purpose.
 +allow system_cronjob_t system_cron_spool_t:file entrypoint;
 +
++tunable_policy(`cron_system_cronjob_use_shares',`
++    fs_fusefs_entrypoint(system_cronjob_t)
++    fs_nfs_entrypoint(system_cronjob_t)
++    fs_cifs_entrypoint(system_cronjob_t)
++')
++
 +# Permit a transition from the crond_t domain to this domain.
 +# The transition is requested explicitly by the modified crond 
 +# via setexeccon.  There is no way to set up an automatic
@@ -18953,7 +18967,7 @@ index 7de3859..0ee059a 100644
  allow system_cronjob_t cron_spool_t:dir list_dir_perms;
  allow system_cronjob_t cron_spool_t:file rw_file_perms;
  
-@@ -461,11 +442,11 @@ kernel_read_network_state(system_cronjob_t)
+@@ -461,11 +456,11 @@ kernel_read_network_state(system_cronjob_t)
  kernel_read_system_state(system_cronjob_t)
  kernel_read_software_raid_state(system_cronjob_t)
  
@@ -18966,7 +18980,7 @@ index 7de3859..0ee059a 100644
  corenet_all_recvfrom_netlabel(system_cronjob_t)
  corenet_tcp_sendrecv_generic_if(system_cronjob_t)
  corenet_udp_sendrecv_generic_if(system_cronjob_t)
-@@ -485,6 +466,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
+@@ -485,6 +480,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
  fs_getattr_all_pipes(system_cronjob_t)
  fs_getattr_all_sockets(system_cronjob_t)
  
@@ -18974,7 +18988,7 @@ index 7de3859..0ee059a 100644
  domain_dontaudit_read_all_domains_state(system_cronjob_t)
  
  files_exec_etc_files(system_cronjob_t)
-@@ -495,17 +477,22 @@ files_getattr_all_files(system_cronjob_t)
+@@ -495,17 +491,22 @@ files_getattr_all_files(system_cronjob_t)
  files_getattr_all_symlinks(system_cronjob_t)
  files_getattr_all_pipes(system_cronjob_t)
  files_getattr_all_sockets(system_cronjob_t)
@@ -18999,7 +19013,7 @@ index 7de3859..0ee059a 100644
  
  auth_use_nsswitch(system_cronjob_t)
  
-@@ -516,20 +503,26 @@ logging_read_generic_logs(system_cronjob_t)
+@@ -516,20 +517,26 @@ logging_read_generic_logs(system_cronjob_t)
  logging_send_audit_msgs(system_cronjob_t)
  logging_send_syslog_msg(system_cronjob_t)
  
@@ -19029,7 +19043,7 @@ index 7de3859..0ee059a 100644
  	selinux_validate_context(system_cronjob_t)
  	selinux_compute_access_vector(system_cronjob_t)
  	selinux_compute_create_context(system_cronjob_t)
-@@ -539,10 +532,18 @@ tunable_policy(`cron_can_relabel',`
+@@ -539,10 +546,18 @@ tunable_policy(`cron_can_relabel',`
  ')
  
  optional_policy(`
@@ -19048,7 +19062,7 @@ index 7de3859..0ee059a 100644
  ')
  
  optional_policy(`
-@@ -551,10 +552,6 @@ optional_policy(`
+@@ -551,10 +566,6 @@ optional_policy(`
  
  optional_policy(`
  	dbus_system_bus_client(system_cronjob_t)
@@ -19059,7 +19073,7 @@ index 7de3859..0ee059a 100644
  ')
  
  optional_policy(`
-@@ -591,6 +588,7 @@ optional_policy(`
+@@ -591,6 +602,7 @@ optional_policy(`
  optional_policy(`
  	mta_read_config(system_cronjob_t)
  	mta_send_mail(system_cronjob_t)
@@ -19067,7 +19081,7 @@ index 7de3859..0ee059a 100644
  ')
  
  optional_policy(`
-@@ -598,7 +596,23 @@ optional_policy(`
+@@ -598,7 +610,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19091,7 +19105,7 @@ index 7de3859..0ee059a 100644
  ')
  
  optional_policy(`
-@@ -607,7 +621,12 @@ optional_policy(`
+@@ -607,7 +635,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19104,7 +19118,7 @@ index 7de3859..0ee059a 100644
  ')
  
  optional_policy(`
-@@ -615,12 +634,27 @@ optional_policy(`
+@@ -615,12 +648,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19134,7 +19148,7 @@ index 7de3859..0ee059a 100644
  #
  
  allow cronjob_t self:process { signal_perms setsched };
-@@ -628,12 +662,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -628,12 +676,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
  allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
  allow cronjob_t self:unix_dgram_socket create_socket_perms;
  
@@ -19168,7 +19182,7 @@ index 7de3859..0ee059a 100644
  corenet_all_recvfrom_netlabel(cronjob_t)
  corenet_tcp_sendrecv_generic_if(cronjob_t)
  corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -641,66 +695,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -641,66 +709,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
  corenet_udp_sendrecv_generic_node(cronjob_t)
  corenet_tcp_sendrecv_all_ports(cronjob_t)
  corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -19643,7 +19657,7 @@ index b25b01d..6b7d687 100644
  ')
 +
 diff --git a/ctdb.te b/ctdb.te
-index 001b502..61a9e2d 100644
+index 001b502..bbf96d9 100644
 --- a/ctdb.te
 +++ b/ctdb.te
 @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
@@ -19730,7 +19744,11 @@ index 001b502..61a9e2d 100644
  optional_policy(`
  	consoletype_exec(ctdbd_t)
  ')
-@@ -109,6 +132,7 @@ optional_policy(`
+@@ -106,9 +129,11 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    samba_signull_smbd(ctdbd_t)
  	samba_initrc_domtrans(ctdbd_t)
  	samba_domtrans_net(ctdbd_t)
  	samba_rw_var_files(ctdbd_t)
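Review bot: The added `samba_signull_smbd(ctdbd_t)` line is indented with four spaces, while the other calls in the same `optional_policy` block use a tab; `	samba_signull_smbd(ctdbd_t)` keeps the block consistent. The interface appears to be introduced in samba.if by this same commit, so the two changes have to land together or the ctdb module will not build.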
@@ -26094,7 +26112,7 @@ index 9a21639..26c5986 100644
  ')
 +
 diff --git a/drbd.te b/drbd.te
-index f2516cc..70ddc24 100644
+index f2516cc..b371be4 100644
 --- a/drbd.te
 +++ b/drbd.te
 @@ -18,17 +18,20 @@ files_type(drbd_var_lib_t)
@@ -26120,7 +26138,7 @@ index f2516cc..70ddc24 100644
  
  manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
  manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
-@@ -38,18 +41,36 @@ files_var_lib_filetrans(drbd_t, drbd_var_lib_t, dir)
+@@ -38,18 +41,37 @@ files_var_lib_filetrans(drbd_t, drbd_var_lib_t, dir)
  manage_files_pattern(drbd_t, drbd_lock_t, drbd_lock_t)
  files_lock_filetrans(drbd_t, drbd_lock_t, file)
  
@@ -26153,6 +26171,7 @@ index f2516cc..70ddc24 100644
 +modutils_exec_insmod(drbd_t)
 +
 +storage_raw_read_fixed_disk(drbd_t)
++storage_raw_write_fixed_disk(drbd_t)
  
  sysnet_dns_name_resolve(drbd_t)
 +
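Review bot: `storage_raw_write_fixed_disk(drbd_t)` is added without a comment, and it is one of the strongest grants a domain can receive: raw writes to fixed-disk device nodes are not mediated by the labels of the files stored on them. DRBD plausibly needs this to replicate block devices, but the policy should say so, for example `# drbd writes replicated blocks directly to the backing device`. If only dedicated backing devices are involved, a separate device type would be narrower; whether that is practical cannot be judged from this hunk.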
@@ -54483,7 +54502,7 @@ index 0641e97..ed3394e 100644
 +	admin_pattern($1, nrpe_etc_t)
  ')
 diff --git a/nagios.te b/nagios.te
-index 7b3e682..40e93b4 100644
+index 7b3e682..e4b8c8a 100644
 --- a/nagios.te
 +++ b/nagios.te
 @@ -5,6 +5,25 @@ policy_module(nagios, 1.13.0)
@@ -54721,6 +54740,15 @@ index 7b3e682..40e93b4 100644
  ')
  
  ########################################
+@@ -214,7 +271,7 @@ optional_policy(`
+ # Nrpe local policy
+ #
+ 
+-allow nrpe_t self:capability { setuid setgid };
++allow nrpe_t self:capability { setuid setgid kill };
+ dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
+ allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
+ allow nrpe_t self:fifo_file rw_fifo_file_perms;
 @@ -229,9 +286,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
  
  domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
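Review bot: The `kill` capability is added to `nrpe_t` in `allow nrpe_t self:capability { setuid setgid kill };` with no comment naming the plugin or code path that needs it. The capability lets the daemon skip the UID check when sending signals, and nrpe is a network-reachable agent, so the reason belongs in the policy; if it is for reaping timed-out checks, `# nrpe kills timed-out plugins that run under other UIDs` would do. SELinux still restricts targets to domains where `nrpe_t` holds `process` signal permissions, so those rules are now the effective limit and should stay narrow.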
@@ -64919,10 +64947,10 @@ index 0000000..80246e6
 +
 diff --git a/pcp.te b/pcp.te
 new file mode 100644
-index 0000000..8ec1e54
+index 0000000..7a3dc05
 --- /dev/null
 +++ b/pcp.te
-@@ -0,0 +1,236 @@
+@@ -0,0 +1,240 @@
 +policy_module(pcp, 1.0.0)
 +
 +########################################
@@ -65062,6 +65090,10 @@ index 0000000..8ec1e54
 +userdom_read_user_tmp_files(pcp_pmcd_t)
 +
 +optional_policy(`
++    mysql_stream_connect(pcp_pmcd_t)
++')
++
++optional_policy(`
 +    dbus_system_bus_client(pcp_pmcd_t)
 +
 +    optional_policy(`
@@ -73259,10 +73291,10 @@ index cc426e6..fe5d842 100644
 +')
 diff --git a/prosody.fc b/prosody.fc
 new file mode 100644
-index 0000000..96a0d9f
+index 0000000..c056a2f
 --- /dev/null
 +++ b/prosody.fc
-@@ -0,0 +1,8 @@
+@@ -0,0 +1,10 @@
 +/usr/bin/prosody		--	gen_context(system_u:object_r:prosody_exec_t,s0)
 +/usr/bin/prosodyctl     --	gen_context(system_u:object_r:prosody_exec_t,s0)
 +
@@ -73271,6 +73303,8 @@ index 0000000..96a0d9f
 +/var/lib/prosody(/.*)?		gen_context(system_u:object_r:prosody_var_lib_t,s0)
 +
 +/var/run/prosody(/.*)?		gen_context(system_u:object_r:prosody_var_run_t,s0)
++
++/var/log/prosody(/.*)?		gen_context(system_u:object_r:prosody_log_t,s0)
 diff --git a/prosody.if b/prosody.if
 new file mode 100644
 index 0000000..44ed5ad
@@ -73514,10 +73548,10 @@ index 0000000..44ed5ad
 +')
 diff --git a/prosody.te b/prosody.te
 new file mode 100644
-index 0000000..ad32ffe
+index 0000000..f48f1b9
 --- /dev/null
 +++ b/prosody.te
-@@ -0,0 +1,75 @@
+@@ -0,0 +1,85 @@
 +policy_module(prosody, 1.0.0)
 +
 +########################################
@@ -73537,6 +73571,9 @@ index 0000000..ad32ffe
 +type prosody_exec_t;
 +init_daemon_domain(prosody_t, prosody_exec_t)
 +
++type prosody_log_t;
++logging_log_file(prosody_log_t)
++
 +type prosody_var_lib_t;
 +files_type(prosody_var_lib_t)
 +
@@ -73550,7 +73587,7 @@ index 0000000..ad32ffe
 +#
 +# prosody local policy
 +#
-+allow prosody_t self:capability { setuid setgid };
++allow prosody_t self:capability { setuid setgid dac_read_search dac_override };
 +allow prosody_t self:process { signal_perms execmem };
 +allow prosody_t self:tcp_socket create_stream_socket_perms;
 +
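Review bot: The added `dac_read_search dac_override` on the `allow prosody_t self:capability` line lets the daemon bypass file ownership and mode checks on everything its type-enforcement rules already reach, and neither the hunk nor the 3.13.1-134 changelog says which denial prompted it. A need for these capabilities often points at mis-owned files under the daemon's own directories (perhaps the new /var/log/prosody tree, but that is a guess), which is better fixed in packaging than in policy. If the AVC showed only a read or directory search, I would keep the narrower grant, `allow prosody_t self:capability { setuid setgid dac_read_search };`, and add a comment naming the path and bug that requires it.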
@@ -73564,6 +73601,11 @@ index 0000000..ad32ffe
 +manage_lnk_files_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t)
 +files_pid_filetrans(prosody_t, prosody_var_run_t, { dir file lnk_file })
 +
++manage_dirs_pattern(prosody_t, prosody_log_t, prosody_log_t)
++manage_files_pattern(prosody_t, prosody_log_t, prosody_log_t)
++setattr_files_pattern(prosody_t, prosody_log_t, prosody_log_t)
++logging_log_filetrans(prosody_t, prosody_log_t, { file dir })
++
 +can_exec(prosody_t, prosody_exec_t)
 +
 +kernel_read_system_state(prosody_t)
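Review bot: `setattr_files_pattern(prosody_t, prosody_log_t, prosody_log_t)` is redundant, because the `manage_files_pattern` line directly above it already includes setattr on the same type; the line can be dropped. Separately, manage on the log type lets the daemon unlink and rewrite its own logs. If prosody only creates and appends, `create_files_pattern` plus `append_files_pattern` would keep earlier entries out of reach of a compromised daemon, though in-process log rotation (if prosody does that) would need more. The local-policy section continues outside the hunk.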
@@ -73572,11 +73614,13 @@ index 0000000..ad32ffe
 +corecmd_exec_shell(prosody_t)
 +
 +corenet_udp_bind_generic_node(prosody_t)
++corenet_tcp_connect_postgresql_port(prosody_t)
 +corenet_tcp_connect_jabber_interserver_port(prosody_t)
 +corenet_tcp_connect_jabber_client_port(prosody_t)
 +corenet_tcp_bind_jabber_client_port(prosody_t)
 +corenet_tcp_bind_jabber_interserver_port(prosody_t)
 +corenet_tcp_bind_jabber_router_port(prosody_t)
++
 +tunable_policy(`prosody_bind_http_port',`
 +    corenet_tcp_bind_http_port(prosody_t)
 +')
@@ -88717,7 +88761,7 @@ index b8b66ff..a93346e 100644
 +/var/lib/samba/scripts(/.*)?		gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
 +')
 diff --git a/samba.if b/samba.if
-index 50d07fb..59296a2 100644
+index 50d07fb..556b25d 100644
 --- a/samba.if
 +++ b/samba.if
 @@ -1,8 +1,12 @@
@@ -89168,8 +89212,27 @@ index 50d07fb..59296a2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -507,8 +624,7 @@ interface(`samba_signal_smbd',`
+@@ -505,10 +622,26 @@ interface(`samba_signal_smbd',`
+ 	allow $1 smbd_t:process signal;
+ ')
  
++######################################
++## <summary>
++##	Allow domain to signull samba
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`samba_signull_smbd',`
++	gen_require(`
++		type smbd_t;
++	')
++	allow $1 smbd_t:process signull;
++')
++
  ########################################
  ## <summary>
 -##	Do not audit attempts to inherit
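Review bot: The summary of the new `samba_signull_smbd` interface, `Allow domain to signull samba`, names neither the target process nor the purpose of the permission. The rule grants only `signull` on `smbd_t`, so I would word it as `##	Send a null signal to smbd, to check whether the process exists.`, which matches the reason given in the changelog entry for ctdb_t. That also makes it clear to callers that this is the weaker alternative to `samba_signal_smbd` just above it.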
@@ -89178,7 +89241,7 @@ index 50d07fb..59296a2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -526,7 +642,7 @@ interface(`samba_dontaudit_use_fds',`
+@@ -526,7 +659,7 @@ interface(`samba_dontaudit_use_fds',`
  
  ########################################
  ## <summary>
@@ -89187,7 +89250,7 @@ index 50d07fb..59296a2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -544,7 +660,7 @@ interface(`samba_write_smbmount_tcp_sockets',`
+@@ -544,7 +677,7 @@ interface(`samba_write_smbmount_tcp_sockets',`
  
  ########################################
  ## <summary>
@@ -89196,7 +89259,7 @@ index 50d07fb..59296a2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -560,49 +676,47 @@ interface(`samba_rw_smbmount_tcp_sockets',`
+@@ -560,49 +693,47 @@ interface(`samba_rw_smbmount_tcp_sockets',`
  	allow $1 smbmount_t:tcp_socket { read write };
  ')
  
@@ -89265,7 +89328,7 @@ index 50d07fb..59296a2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -618,16 +732,16 @@ interface(`samba_getattr_winbind_exec',`
+@@ -618,16 +749,16 @@ interface(`samba_getattr_winbind_exec',`
  #
  interface(`samba_run_winbind_helper',`
  	gen_require(`
@@ -89285,7 +89348,7 @@ index 50d07fb..59296a2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -637,17 +751,16 @@ interface(`samba_run_winbind_helper',`
+@@ -637,17 +768,16 @@ interface(`samba_run_winbind_helper',`
  #
  interface(`samba_read_winbind_pid',`
  	gen_require(`
@@ -89307,7 +89370,7 @@ index 50d07fb..59296a2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -657,17 +770,61 @@ interface(`samba_read_winbind_pid',`
+@@ -657,17 +787,61 @@ interface(`samba_read_winbind_pid',`
  #
  interface(`samba_stream_connect_winbind',`
  	gen_require(`
@@ -89374,7 +89437,7 @@ index 50d07fb..59296a2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -676,7 +833,7 @@ interface(`samba_stream_connect_winbind',`
+@@ -676,7 +850,7 @@ interface(`samba_stream_connect_winbind',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -89383,15 +89446,17 @@ index 50d07fb..59296a2 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -689,11 +846,29 @@ interface(`samba_admin',`
+@@ -689,11 +863,29 @@ interface(`samba_admin',`
  		type samba_etc_t, samba_share_t, samba_initrc_exec_t;
  		type swat_var_run_t, swat_tmp_t, winbind_log_t;
  		type winbind_var_run_t, winbind_tmp_t;
 -		type smbd_keytab_t;
 +		type smbd_keytab_t, samba_unit_file_t;
 +        type samba_unconfined_script_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
+-	ps_process_pattern($1, { nmbd_t smbd_t })
 +	allow $1 smbd_t:process signal_perms;
 +	ps_process_pattern($1, smbd_t)
 +
@@ -89399,10 +89464,8 @@ index 50d07fb..59296a2 100644
 +		allow $1 smbd_t:process ptrace;
 +		allow $1 nmbd_t:process ptrace;
 +		allow $1 samba_unconfined_script_t:process ptrace;
- 	')
- 
--	allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
--	ps_process_pattern($1, { nmbd_t smbd_t })
++	')
++
 +	allow $1 nmbd_t:process signal_perms;
 +	ps_process_pattern($1, nmbd_t)
 +
@@ -89416,7 +89479,7 @@ index 50d07fb..59296a2 100644
  
  	init_labeled_script_domtrans($1, samba_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -703,23 +878,34 @@ interface(`samba_admin',`
+@@ -703,23 +895,34 @@ interface(`samba_admin',`
  	files_list_etc($1)
  	admin_pattern($1, { samba_etc_t smbd_keytab_t })
  
@@ -89427,11 +89490,11 @@ index 50d07fb..59296a2 100644
 -	files_list_var($1)
 -	admin_pattern($1, { samba_share_t samba_var_t samba_secrets_t })
 +	admin_pattern($1, samba_secrets_t)
++
++	admin_pattern($1, samba_share_t)
  
 -	files_list_spool($1)
 -	admin_pattern($1, smbd_spool_t)
-+	admin_pattern($1, samba_share_t)
-+
 +	admin_pattern($1, samba_var_t)
 +	files_list_var($1)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9fe3042..22fb027 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 133%{?dist}
+Release: 134%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,17 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Jul 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-134
+- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
+- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
+- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types.
+- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
+- nrpe needs kill capability to make gluster moniterd nodes working.
+- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
+- Allow prosody connect to postgresql port.
+- Add new interfaces
+- Add fs_fusefs_entry_type() interface.
+
 * Tue Jun 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-133
 - Cleanup permissive domains.