diff --git a/container-selinux.tgz b/container-selinux.tgz
index 19e9920..5ebf455 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 0738e94..adcd569 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -2117,7 +2117,7 @@ index c6ca761..0c86bfd 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index c44c359..a3d4e61 100644
+index c44c359..5038ed0 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
@@ -2138,7 +2138,7 @@ index c44c359..a3d4e61 100644
# Perform network administration operations and have raw access to the network.
-allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot };
-+allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot };
++allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot setpcap };
dontaudit netutils_t self:capability { dac_override sys_tty_config };
allow netutils_t self:process { setcap signal_perms };
allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
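Review bot: `setpcap` is added to the netutils_t capability set on the `++allow` line with no comment saying which utility needs it; the `allow netutils_t self:process { setcap signal_perms };` line below already covers plain capset() calls, so the new bit only matters when a tool alters its bounding or inheritable set, which is hard to reconstruct later. Suggest a why-comment ahead of the rule, e.g. `# setpcap: <tool name — placeholder> adjusts its capability bounding set after setup; see <denial id — placeholder>`, or a `dontaudit` instead if the denial turns out to be probing only. The netutils_t block starts and ends outside the hunk.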
@@ -2328,10 +2328,18 @@ index 688abc2..3d89250 100644
/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
+/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
-index 03ec5ca..102ccff 100644
+index 03ec5ca..1ed2cd4 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
-@@ -58,6 +58,7 @@ template(`su_restricted_domain_template', `
+@@ -48,6 +48,7 @@ template(`su_restricted_domain_template', `
+ allow $1_su_t self:fifo_file rw_fifo_file_perms;
+ allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+ allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
++ allow $1_su_t self:netlink_selinux_socket create_socket_perms;
+
+ # Transition from the user domain to this domain.
+ domtrans_pattern($2, su_exec_t, $1_su_t)
+@@ -58,6 +59,7 @@ template(`su_restricted_domain_template', `
allow $2 $1_su_t:fifo_file rw_file_perms;
allow $2 $1_su_t:process sigchld;
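Review bot: The `netlink_selinux_socket create_socket_perms` rule now lands in `su_restricted_domain_template` (at su.if line 48), while the hunk at L68 drops the same rule from `su_role_template`; unless the role template builds on the restricted template, `$1_su_t` domains created through `su_role_template` lose that permission. The relationship between the two templates is not visible in these hunks, so confirm it before merging, and either keep the rule in both places or document the dependency in the restricted template with `# netlink_selinux_socket: also serves su_role_template domains, which are built on this template`. Both templates start and end outside the hunks shown.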
@@ -2339,7 +2347,7 @@ index 03ec5ca..102ccff 100644
kernel_read_system_state($1_su_t)
kernel_read_kernel_sysctls($1_su_t)
kernel_search_key($1_su_t)
-@@ -86,10 +87,10 @@ template(`su_restricted_domain_template', `
+@@ -86,10 +88,10 @@ template(`su_restricted_domain_template', `
# Write to utmp.
init_rw_utmp($1_su_t)
init_search_script_keys($1_su_t)
@@ -2351,7 +2359,7 @@ index 03ec5ca..102ccff 100644
ifdef(`distro_redhat',`
# RHEL5 and possibly newer releases incl. Fedora
-@@ -119,11 +120,6 @@ template(`su_restricted_domain_template', `
+@@ -119,11 +121,6 @@ template(`su_restricted_domain_template', `
userdom_spec_domtrans_unpriv_users($1_su_t)
')
@@ -2363,7 +2371,7 @@ index 03ec5ca..102ccff 100644
optional_policy(`
cron_read_pipes($1_su_t)
')
-@@ -172,15 +168,8 @@ template(`su_role_template',`
+@@ -172,14 +169,6 @@ template(`su_role_template',`
role $2 types $1_su_t;
allow $3 $1_su_t:process signal;
@@ -2376,10 +2384,8 @@ index 03ec5ca..102ccff 100644
- allow $1_su_t self:key { search write };
-
allow $1_su_t $3:key search;
-+ allow $1_su_t self:netlink_selinux_socket create_socket_perms;
# Transition from the user domain to this domain.
- domtrans_pattern($3, su_exec_t, $1_su_t)
@@ -194,125 +183,16 @@ template(`su_role_template',`
allow $3 $1_su_t:process sigchld;
@@ -10268,7 +10274,7 @@ index 6a1e4d1..4b87be8 100644
+ allow $1 domain:process rlimitinh;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..1de3267 100644
+index cf04cb5..ac8eab0 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,49 @@ policy_module(domain, 1.11.0)
@@ -10436,7 +10442,7 @@ index cf04cb5..1de3267 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -160,11 +249,388 @@ allow unconfined_domain_type domain:msg { send receive };
+@@ -160,11 +249,392 @@ allow unconfined_domain_type domain:msg { send receive };
# For /proc/pid
allow unconfined_domain_type domain:dir list_dir_perms;
@@ -10472,6 +10478,10 @@ index cf04cb5..1de3267 100644
+')
+
+optional_policy(`
++ ipa_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
+ locallogin_filetrans_home_content(named_filetrans_domain)
+')
+
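Review bot: `ipa_filetrans_named_content(named_filetrans_domain)` is called from the base policy's domain.te, but the interface has to be defined in the contrib ipa.if for the build to succeed; as I understand refpolicy's build, `optional_policy` only tolerates a module that is absent at link time, not an interface name that is undefined when m4 expands the file. The contrib patch on this page only shows a different interface, `ipa_cert_filetrans_named_content`, so confirm `ipa_filetrans_named_content` exists in policy-rawhide-contrib.patch before merging. The surrounding run of `optional_policy` blocks continues outside the hunk.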
@@ -23229,7 +23239,7 @@ index 234a940..a92415a 100644
########################################
##
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 0fef1fc..aea97fa 100644
+index 0fef1fc..c3c0f6d 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,73 @@ policy_module(staff, 2.4.0)
@@ -23588,7 +23598,7 @@ index 0fef1fc..aea97fa 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -176,3 +400,23 @@ ifndef(`distro_redhat',`
+@@ -176,3 +400,24 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -23608,6 +23618,7 @@ index 0fef1fc..aea97fa 100644
+ dev_rw_kvm(staff_t)
+ virt_manage_images(staff_t)
+ virt_stream_connect_svirt(staff_t)
++ virt_systemctl(staff_t)
+ virt_rw_stream_sockets_svirt(staff_t)
+ virt_exec(staff_t)
+ ')
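Review bot: `virt_systemctl(staff_t)` presumably lets the staff role drive libvirt's systemd units, which is a step beyond the device and image access granted by the neighbouring `dev_rw_kvm` and `virt_manage_images` calls, and the line that opens this block (the tunable or optional gate) is outside the hunk. Confirm the call sits under the same gate as its neighbours rather than unconditionally, and add a short comment such as `# virt_systemctl: lets staff control libvirt services only while this tunable is on` so the scope is visible at the rule.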
@@ -25103,10 +25114,10 @@ index 0000000..f730286
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..60c3f9d
+index 0000000..89f4076
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,358 @@
+@@ -0,0 +1,360 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -25169,6 +25180,8 @@ index 0000000..60c3f9d
+allow unconfined_t self:system syslog_read;
+dontaudit unconfined_t self:capability sys_module;
+
++allow unconfined_t file_type:system module_load;
++
+kernel_rw_unlabeled_socket(unconfined_t)
+kernel_rw_unlabeled_rawip_socket(unconfined_t)
+
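Review bot: `allow unconfined_t file_type:system module_load;` permits loading a kernel module from any labeled file, including user-writable types, where a narrower source type such as `modules_object_t` would confine finit_module to the modules tree; unconfined_t is meant to be unrestricted, so this may be intended, but the rule is unconditional while the `dontaudit unconfined_t self:capability sys_module;` just above suggests the capability itself is handled conditionally elsewhere. If module loading for unconfined_t follows a tunable, consider placing this rule under the same conditional; in either case a one-line comment, `# module_load on file_type: unconfined may load modules from any file, not only modules_object_t`, would make the breadth deliberate rather than accidental.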
@@ -29671,7 +29684,7 @@ index 6bf0ecc..e6be63a 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..a55ca15 100644
+index 8b40377..da86a8e 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@@ -30030,7 +30043,7 @@ index 8b40377..a55ca15 100644
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -300,64 +420,106 @@ optional_policy(`
+@@ -300,64 +420,107 @@ optional_policy(`
# XDM Local policy
#
@@ -30038,6 +30051,7 @@ index 8b40377..a55ca15 100644
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace };
+allow xdm_t self:capability2 { block_suspend };
++allow xdm_t self:cap_userns { kill };
+dontaudit xdm_t self:capability sys_admin;
+dontaudit xdm_t self:capability2 wake_alarm;
+tunable_policy(`deny_ptrace',`',`
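Review bot: `allow xdm_t self:cap_userns { kill };` carries no comment naming the display-manager behaviour that exercises CAP_KILL inside a user namespace, and the `capability` line above it already grants `kill` in the init namespace, so a reader cannot tell from the policy alone why the namespaced variant is needed. Suggest `# cap_userns kill: <display manager — placeholder> signals children inside a user namespace; see <denial id — placeholder>` ahead of the rule. The xdm_t block continues outside the hunk.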
@@ -30150,7 +30164,7 @@ index 8b40377..a55ca15 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -366,20 +528,31 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -366,20 +529,31 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -30184,7 +30198,7 @@ index 8b40377..a55ca15 100644
corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -389,38 +562,51 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -389,38 +563,51 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -30240,7 +30254,7 @@ index 8b40377..a55ca15 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -431,9 +617,30 @@ files_list_mnt(xdm_t)
+@@ -431,9 +618,30 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -30271,7 +30285,7 @@ index 8b40377..a55ca15 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,28 +649,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +650,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -30322,7 +30336,7 @@ index 8b40377..a55ca15 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +697,163 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +698,163 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -30492,7 +30506,7 @@ index 8b40377..a55ca15 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,12 +866,31 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,12 +867,31 @@ tunable_policy(`xdm_sysadm_login',`
# allow xserver_t xdm_tmpfs_t:file rw_file_perms;
')
@@ -30524,7 +30538,7 @@ index 8b40377..a55ca15 100644
')
optional_policy(`
-@@ -518,8 +901,36 @@ optional_policy(`
+@@ -518,8 +902,36 @@ optional_policy(`
dbus_system_bus_client(xdm_t)
dbus_connect_system_bus(xdm_t)
@@ -30562,7 +30576,7 @@ index 8b40377..a55ca15 100644
')
')
-@@ -530,6 +941,20 @@ optional_policy(`
+@@ -530,6 +942,20 @@ optional_policy(`
')
optional_policy(`
@@ -30583,7 +30597,7 @@ index 8b40377..a55ca15 100644
hostname_exec(xdm_t)
')
-@@ -547,28 +972,78 @@ optional_policy(`
+@@ -547,28 +973,78 @@ optional_policy(`
')
optional_policy(`
@@ -30671,7 +30685,7 @@ index 8b40377..a55ca15 100644
')
optional_policy(`
-@@ -580,6 +1055,14 @@ optional_policy(`
+@@ -580,6 +1056,14 @@ optional_policy(`
')
optional_policy(`
@@ -30686,7 +30700,7 @@ index 8b40377..a55ca15 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,7 +1077,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1078,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -30695,7 +30709,7 @@ index 8b40377..a55ca15 100644
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1087,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1088,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -30708,7 +30722,7 @@ index 8b40377..a55ca15 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1104,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1105,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -30724,7 +30738,7 @@ index 8b40377..a55ca15 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1120,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1121,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -30735,7 +30749,7 @@ index 8b40377..a55ca15 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1135,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1136,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -30777,7 +30791,7 @@ index 8b40377..a55ca15 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1186,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1187,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -30809,7 +30823,7 @@ index 8b40377..a55ca15 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -705,6 +1219,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1220,14 @@ fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -30824,7 +30838,7 @@ index 8b40377..a55ca15 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -718,20 +1240,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1241,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -30848,7 +30862,7 @@ index 8b40377..a55ca15 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1259,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1260,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -30857,7 +30871,7 @@ index 8b40377..a55ca15 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1303,54 @@ optional_policy(`
+@@ -785,17 +1304,54 @@ optional_policy(`
')
optional_policy(`
@@ -30914,7 +30928,7 @@ index 8b40377..a55ca15 100644
')
optional_policy(`
-@@ -803,6 +1358,10 @@ optional_policy(`
+@@ -803,6 +1359,10 @@ optional_policy(`
')
optional_policy(`
@@ -30925,7 +30939,7 @@ index 8b40377..a55ca15 100644
xfs_stream_connect(xserver_t)
')
-@@ -818,18 +1377,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1378,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -30950,7 +30964,7 @@ index 8b40377..a55ca15 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -842,26 +1400,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1401,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -30985,7 +30999,7 @@ index 8b40377..a55ca15 100644
')
optional_policy(`
-@@ -912,7 +1465,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1466,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -30994,7 +31008,7 @@ index 8b40377..a55ca15 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -966,11 +1519,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1520,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -31026,7 +31040,7 @@ index 8b40377..a55ca15 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -992,18 +1565,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1566,148 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -33598,7 +33612,7 @@ index bc0ffc8..37b8ea5 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..e90f7a4 100644
+index 79a45f6..2dad865 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@@ -34582,10 +34596,28 @@ index 79a45f6..e90f7a4 100644
## Do not audit attempts to read init script
## status files.
##
-@@ -1605,6 +2057,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1605,6 +2057,42 @@ interface(`init_rw_script_tmp_files',`
########################################
##
++## Do not audit attempts to read initrc_tmp_t files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`init_dontaudit_write_initrc_tmp',`
++ gen_require(`
++ type initrc_tmp_t;
++ ')
++
++ dontaudit $1 initrc_tmp_t:fifo_file write_fifo_file_perms;
++')
++
++########################################
++##
+## Read and write init script inherited temporary data.
+##
+##
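Review bot: The summary of the new interface, `## Do not audit attempts to read initrc_tmp_t files`, does not match the rule it wraps, `dontaudit $1 initrc_tmp_t:fifo_file write_fifo_file_perms;`, which silences writes to FIFOs rather than reads of files; the name `init_dontaudit_write_initrc_tmp` is the accurate one, so change the summary to `## Do not audit attempts to write initrc_tmp_t fifo files`. The `##` lines also appear without the XML markup (summary and param elements) that refpolicy interface documentation uses, though that may be an artifact of how this page was rendered rather than of the patch itself.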
@@ -34607,7 +34639,7 @@ index 79a45f6..e90f7a4 100644
## Create files in a init script
## temporary data directory.
##
-@@ -1677,6 +2147,43 @@ interface(`init_read_utmp',`
+@@ -1677,6 +2165,43 @@ interface(`init_read_utmp',`
########################################
##
@@ -34651,7 +34683,7 @@ index 79a45f6..e90f7a4 100644
## Do not audit attempts to write utmp.
##
##
-@@ -1765,7 +2272,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1765,7 +2290,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -34660,7 +34692,7 @@ index 79a45f6..e90f7a4 100644
')
########################################
-@@ -1806,37 +2313,744 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1806,27 +2331,154 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
')
@@ -34697,21 +34729,13 @@ index 79a45f6..e90f7a4 100644
##
-## Allow the specified domain to connect to daemon with a udp socket
+## Allow listing of the /run/systemd directory.
- ##
- ##
--##
--## Domain allowed access.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`init_udp_recvfrom_all_daemons',`
-- gen_require(`
-- attribute daemon;
-- ')
-- corenet_udp_recvfrom_labeled($1, daemon)
++##
++#
+interface(`init_list_pid_dirs',`
+ gen_require(`
+ type init_var_run_t;
@@ -34832,19 +34856,13 @@ index 79a45f6..e90f7a4 100644
+########################################
+##
+## Allow the specified domain to connect to daemon with a udp socket
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_udp_recvfrom_all_daemons',`
-+ gen_require(`
-+ attribute daemon;
-+ ')
-+ corenet_udp_recvfrom_labeled($1, daemon)
-+')
+ ##
+ ##
+ ##
+@@ -1840,3 +2492,583 @@ interface(`init_udp_recvfrom_all_daemons',`
+ ')
+ corenet_udp_recvfrom_labeled($1, daemon)
+ ')
+
+########################################
+##
@@ -35424,7 +35442,7 @@ index 79a45f6..e90f7a4 100644
+
+ files_search_var_lib($1)
+ allow $1 init_var_lib_t:dir search_dir_perms;
- ')
++')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 17eda24..fa4ad6a 100644
--- a/policy/modules/system/init.te
@@ -43322,7 +43340,7 @@ index 3822072..d358162 100644
+ allow semanage_t $1:dbus send_msg;
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index dc46420..a86e9eb 100644
+index dc46420..67f4de1 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,16 @@ gen_require(`
@@ -43857,7 +43875,7 @@ index dc46420..a86e9eb 100644
')
########################################
-@@ -522,111 +597,202 @@ ifdef(`distro_ubuntu',`
+@@ -522,111 +597,203 @@ ifdef(`distro_ubuntu',`
# Setfiles local policy
#
@@ -44036,6 +44054,7 @@ index dc46420..a86e9eb 100644
+init_use_script_fds(setfiles_domain)
+init_use_script_ptys(setfiles_domain)
+init_exec_script_files(setfiles_domain)
++init_dontaudit_write_initrc_tmp(setfiles_domain)
+
+userdom_use_all_users_fds(setfiles_domain)
# for config files in a home directory
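Review bot: `init_dontaudit_write_initrc_tmp(setfiles_domain)` hides write denials on initrc FIFOs rather than granting the write, so if a setfiles or restorecon run from an init script actually needs that pipe (for instance its output is consumed by the caller), the failure will no longer appear in the audit log. Confirm the denial being silenced is cosmetic before merging; if the write is functional, an allow interface is the right tool instead of the dontaudit. The setfiles_domain block continues outside the hunk.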
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 62ea368..3e40862 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -3521,10 +3521,10 @@ index 0000000..c679dd3
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index 7caefc3..dac9ad5 100644
+index 7caefc3..966c2f3 100644
--- a/apache.fc
+++ b/apache.fc
-@@ -1,162 +1,217 @@
+@@ -1,162 +1,218 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3861,6 +3861,7 @@ index 7caefc3..dac9ad5 100644
+/var/www/html(/.*)?/wp_backups(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html(/.*)?/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html/owncloud/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/www/html/nextcloud/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
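Review bot: `/var/www/html/nextcloud/data(/.*)?` labels only the in-webroot default location, and Nextcloud installs are often configured with the data directory outside the document root, where this entry does nothing and a local fcontext rule is still required; a comment after the entry, `# nextcloud data: default in-webroot location only; relocated data dirs need a local fcontext rule`, would save the next admin a search. Since httpd_sys_rw_content_t makes the tree writable by httpd_t, keep the pattern anchored to the `data` subdirectory rather than widening it to the whole nextcloud tree.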
@@ -5536,7 +5537,7 @@ index f6eb485..fe461a3 100644
+ ps_process_pattern(httpd_t, $1)
')
diff --git a/apache.te b/apache.te
-index 6649962..1cbf151 100644
+index 6649962..371039c 100644
--- a/apache.te
+++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@@ -6865,7 +6866,7 @@ index 6649962..1cbf151 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -822,8 +1026,30 @@ optional_policy(`
+@@ -822,8 +1026,31 @@ optional_policy(`
')
optional_policy(`
@@ -6878,6 +6879,7 @@ index 6649962..1cbf151 100644
+ tunable_policy(`httpd_run_ipa',`
+ ipa_domtrans_helper(httpd_t)
+ ')
++ ipa_cert_filetrans_named_content(httpd_t)
+')
+
+optional_policy(`
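Review bot: `ipa_cert_filetrans_named_content(httpd_t)` is placed after the `httpd_run_ipa` tunable block rather than inside it, so the named file transition applies whenever the ipa module is present even when the tunable is off. If that placement is deliberate (named file transitions have historically not been accepted inside conditional blocks), a comment such as `# filetrans stays outside the tunable: named transitions are not conditional` would keep a later reviewer from moving it; if it is not deliberate, it belongs under the tunable with the domtrans. The enclosing `optional_policy` block opens outside the hunk.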
@@ -6896,7 +6898,7 @@ index 6649962..1cbf151 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -832,6 +1058,8 @@ optional_policy(`
+@@ -832,6 +1059,8 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -6905,7 +6907,7 @@ index 6649962..1cbf151 100644
')
optional_policy(`
-@@ -842,20 +1070,44 @@ optional_policy(`
+@@ -842,20 +1071,44 @@ optional_policy(`
')
optional_policy(`
@@ -6956,7 +6958,7 @@ index 6649962..1cbf151 100644
')
optional_policy(`
-@@ -863,16 +1115,31 @@ optional_policy(`
+@@ -863,16 +1116,31 @@ optional_policy(`
')
optional_policy(`
@@ -6990,7 +6992,7 @@ index 6649962..1cbf151 100644
')
optional_policy(`
-@@ -883,65 +1150,189 @@ optional_policy(`
+@@ -883,65 +1151,189 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -7202,7 +7204,7 @@ index 6649962..1cbf151 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -950,123 +1341,75 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1342,75 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -7356,7 +7358,7 @@ index 6649962..1cbf151 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1426,107 @@ optional_policy(`
+@@ -1083,172 +1427,107 @@ optional_policy(`
')
')
@@ -7594,7 +7596,7 @@ index 6649962..1cbf151 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1534,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1535,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -7691,7 +7693,7 @@ index 6649962..1cbf151 100644
########################################
#
-@@ -1321,8 +1609,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1610,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -7708,7 +7710,7 @@ index 6649962..1cbf151 100644
')
########################################
-@@ -1330,49 +1625,40 @@ optional_policy(`
+@@ -1330,49 +1626,41 @@ optional_policy(`
# User content local policy
#
@@ -7747,6 +7749,7 @@ index 6649962..1cbf151 100644
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_user_script_t)
+ read_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
++ read_lnk_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
')
tunable_policy(`httpd_read_user_content',`
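Review bot: `read_lnk_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)` is added inside a block whose opening line is outside the hunk, so it is not visible here whether the symlink read is gated by the same tunable as the `read_files_pattern` above it; confirm that it is. Reading the link only exposes the target path, and access to the target is still checked against the target's own type, which is worth recording as `# lnk_file read: following the link is still bounded by the target's type` so the rule is not widened further later.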
@@ -7774,7 +7777,7 @@ index 6649962..1cbf151 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1668,109 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1670,109 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -12336,10 +12339,14 @@ index 4a87873..113f3b3 100644
+
+mta_send_mail(certmaster_t)
diff --git a/certmonger.fc b/certmonger.fc
-index ed298d8..cd8eb4d 100644
+index ed298d8..c887648 100644
--- a/certmonger.fc
+++ b/certmonger.fc
-@@ -2,6 +2,8 @@
+@@ -1,7 +1,12 @@
++/etc/systemd/system/dirsrv.target.wants(/.*)? gen_context(system_u:object_r:certmonger_unit_file_t,s0)
++/usr/lib/systemd/system/certmonger.* gen_context(system_u:object_r:certmonger_unit_file_t,s0)
++
+ /etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0)
/usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
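Review bot: `/etc/systemd/system/dirsrv.target.wants(/.*)?` is labeled with certmonger's own unit-file type, certmonger_unit_file_t, although it is a directory belonging to the dirsrv target; together with the certmonger.te rules in the hunk at L714, any domain granted manage on certmonger_unit_file_t can then add or remove what dirsrv.target pulls in. If that is the intended design, record it next to the entry, `# dirsrv.target.wants is certmonger_unit_file_t so certmonger_t can manage dirsrv instance units`; otherwise a dirsrv-owned unit type is the safer home. Note also that `/usr/lib/systemd/system/certmonger.*` has no file-type specifier, so it matches directories as well as regular files.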
@@ -12377,16 +12384,19 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index 550b287..e799a42 100644
+index 550b287..b4565e3 100644
--- a/certmonger.te
+++ b/certmonger.te
-@@ -18,18 +18,23 @@ files_type(certmonger_var_lib_t)
+@@ -18,18 +18,26 @@ files_type(certmonger_var_lib_t)
type certmonger_var_run_t;
files_pid_file(certmonger_var_run_t)
+type certmonger_unconfined_exec_t;
+application_executable_file(certmonger_unconfined_exec_t)
+
++type certmonger_unit_file_t;
++systemd_unit_file(certmonger_unit_file_t)
++
########################################
#
# Local policy
@@ -12408,7 +12418,7 @@ index 550b287..e799a42 100644
manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
-@@ -41,6 +46,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file })
+@@ -41,6 +49,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file })
kernel_read_kernel_sysctls(certmonger_t)
kernel_read_system_state(certmonger_t)
@@ -12416,7 +12426,7 @@ index 550b287..e799a42 100644
corenet_all_recvfrom_unlabeled(certmonger_t)
corenet_all_recvfrom_netlabel(certmonger_t)
-@@ -49,17 +55,26 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
+@@ -49,17 +58,26 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
corenet_sendrecv_certmaster_client_packets(certmonger_t)
corenet_tcp_connect_certmaster_port(certmonger_t)
@@ -12444,7 +12454,7 @@ index 550b287..e799a42 100644
fs_search_cgroup_dirs(certmonger_t)
-@@ -68,18 +83,22 @@ auth_rw_cache(certmonger_t)
+@@ -68,18 +86,24 @@ auth_rw_cache(certmonger_t)
init_getattr_all_script_files(certmonger_t)
@@ -12458,6 +12468,8 @@ index 550b287..e799a42 100644
+
+systemd_exec_systemctl(certmonger_t)
+systemd_manage_all_unit_files(certmonger_t)
++systemd_start_systemd_services(certmonger_t)
++systemd_status_all_unit_files(certmonger_t)
userdom_search_user_home_content(certmonger_t)
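Review bot: With `systemd_manage_all_unit_files(certmonger_t)` already present on the context line above, adding `systemd_start_systemd_services` and `systemd_status_all_unit_files` lets certmonger manage, start and query every unit on the system, and the hunk at L714 then adds narrower rules on certmonger_unit_file_t that the all-units grants make redundant. If the dedicated type covers certmonger's needs, consider dropping the `*_all_*` interfaces in its favour; if not, a comment naming the foreign units certmonger must start would justify the broad grant. The certmonger_t block continues outside the hunk.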
@@ -12470,7 +12482,7 @@ index 550b287..e799a42 100644
')
optional_policy(`
-@@ -92,11 +111,66 @@ optional_policy(`
+@@ -92,11 +116,73 @@ optional_policy(`
')
optional_policy(`
@@ -12514,6 +12526,13 @@ index 550b287..e799a42 100644
+ sssd_delete_public_files(certmonger_t)
+')
+
++optional_policy(`
++ allow certmonger_t certmonger_unit_file_t:service manage_service_perms;
++ allow certmonger_t certmonger_unit_file_t:file manage_file_perms;
++ allow certmonger_t certmonger_unit_file_t:dir manage_dir_perms;
++ systemd_unit_file_filetrans(certmonger_t, certmonger_unit_file_t, dir)
++')
++
+########################################
+#
+# certmonger_unconfined_script_t local policy
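Review bot: The new `optional_policy` block grants certmonger_t `service`, `file` and `dir` permissions on certmonger_unit_file_t plus a directory filetrans, but no `lnk_file` permission, and entries under a `.wants` directory — which the fc hunk at L645 labels certmonger_unit_file_t — are normally symlinks, so enabling a unit there would still be denied. If that is the use case, add `allow certmonger_t certmonger_unit_file_t:lnk_file manage_lnk_file_perms;` beside the existing three rules. Wrapping rules that reference only certmonger's own types in `optional_policy` is also unusual; if it is there for the systemd interface call, a comment saying so would help.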
@@ -16514,7 +16533,7 @@ index 881d92f..a2d588a 100644
+ ')
')
diff --git a/condor.te b/condor.te
-index ce9f040..320d6e8 100644
+index ce9f040..bd8d855 100644
--- a/condor.te
+++ b/condor.te
@@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t)
@@ -16557,15 +16576,17 @@ index ce9f040..320d6e8 100644
rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t)
-@@ -86,16 +97,14 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
+@@ -86,16 +97,15 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
allow condor_domain condor_master_t:process signull;
allow condor_domain condor_master_t:tcp_socket getattr;
+allow condor_domain condor_master_t:udp_socket { read write };
- kernel_read_kernel_sysctls(condor_domain)
+-kernel_read_kernel_sysctls(condor_domain)
kernel_read_network_state(condor_domain)
-kernel_read_system_state(condor_domain)
++kernel_rw_kernel_sysctl(condor_domain)
++kernel_search_network_sysctl(condor_domain)
corecmd_exec_bin(condor_domain)
corecmd_exec_shell(condor_domain)
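Review bot: Replacing `kernel_read_kernel_sysctls(condor_domain)` with `kernel_rw_kernel_sysctl(condor_domain)` moves every condor domain from reading to writing kernel sysctls (in refpolicy the `/proc/sys/kernel` tree), and nothing in the hunk says which sysctl condor writes or which of the condor domains needs it. A write to that tree is a host-wide privileged change, so scope the rw interface to whichever domain the denial names and add `# rw sysctl_kernel_t: condor writes <sysctl — placeholder>; see <denial id — placeholder>` above the rule, keeping plain read access for the rest of condor_domain; `kernel_search_network_sysctl` on the next line is harmless by comparison. The condor_domain block starts outside the hunk.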
@@ -16575,7 +16596,7 @@ index ce9f040..320d6e8 100644
corenet_tcp_sendrecv_generic_if(condor_domain)
corenet_tcp_sendrecv_generic_node(condor_domain)
-@@ -109,9 +118,9 @@ dev_read_rand(condor_domain)
+@@ -109,9 +119,9 @@ dev_read_rand(condor_domain)
dev_read_sysfs(condor_domain)
dev_read_urand(condor_domain)
@@ -16587,7 +16608,7 @@ index ce9f040..320d6e8 100644
sysnet_dns_name_resolve(condor_domain)
-@@ -130,7 +139,7 @@ optional_policy(`
+@@ -130,7 +140,7 @@ optional_policy(`
# Master local policy
#
@@ -16596,7 +16617,7 @@ index ce9f040..320d6e8 100644
allow condor_master_t condor_domain:process { sigkill signal };
-@@ -138,6 +147,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+@@ -138,6 +148,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
@@ -16607,7 +16628,7 @@ index ce9f040..320d6e8 100644
corenet_udp_sendrecv_generic_if(condor_master_t)
corenet_udp_sendrecv_generic_node(condor_master_t)
corenet_tcp_bind_generic_node(condor_master_t)
-@@ -157,6 +170,8 @@ domain_read_all_domains_state(condor_master_t)
+@@ -157,6 +171,8 @@ domain_read_all_domains_state(condor_master_t)
auth_use_nsswitch(condor_master_t)
@@ -16616,7 +16637,7 @@ index ce9f040..320d6e8 100644
optional_policy(`
mta_send_mail(condor_master_t)
mta_read_config(condor_master_t)
-@@ -174,6 +189,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
+@@ -174,6 +190,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
kernel_read_network_state(condor_collector_t)
@@ -16625,7 +16646,7 @@ index ce9f040..320d6e8 100644
#####################################
#
# Negotiator local policy
-@@ -183,12 +200,15 @@ allow condor_negotiator_t self:capability { setuid setgid };
+@@ -183,12 +201,15 @@ allow condor_negotiator_t self:capability { setuid setgid };
allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_negotiator_t condor_master_t:udp_socket getattr;
@@ -16641,7 +16662,7 @@ index ce9f040..320d6e8 100644
allow condor_procd_t condor_domain:process sigkill;
-@@ -206,6 +226,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
+@@ -206,6 +227,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
@@ -16650,16 +16671,21 @@ index ce9f040..320d6e8 100644
domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
-@@ -214,6 +236,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+@@ -214,6 +237,13 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
+corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t)
+
++optional_policy(`
++ mta_send_mail(condor_schedd_t)
++ mta_read_config(condor_schedd_t)
++')
++
#####################################
#
# Startd local policy
-@@ -238,11 +262,10 @@ domain_read_all_domains_state(condor_startd_t)
+@@ -238,11 +268,10 @@ domain_read_all_domains_state(condor_startd_t)
mcs_process_set_categories(condor_startd_t)
init_domtrans_script(condor_startd_t)
@@ -16672,7 +16698,7 @@ index ce9f040..320d6e8 100644
optional_policy(`
ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
ssh_domtrans(condor_startd_t)
-@@ -254,3 +277,7 @@ optional_policy(`
+@@ -254,3 +283,7 @@ optional_policy(`
kerberos_use(condor_startd_ssh_t)
')
')
@@ -25510,10 +25536,10 @@ index 0000000..b3784d8
+')
diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644
-index 0000000..f9f9806
+index 0000000..fa74f85
--- /dev/null
+++ b/dirsrv.te
-@@ -0,0 +1,203 @@
+@@ -0,0 +1,204 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
@@ -25635,6 +25661,7 @@ index 0000000..f9f9806
+files_read_usr_symlinks(dirsrv_t)
+
+fs_getattr_all_fs(dirsrv_t)
++fs_read_cgroup_files(dirsrv_t)
+
+auth_use_pam(dirsrv_t)
+
@@ -31118,7 +31145,7 @@ index 0000000..d9ba5fa
+')
diff --git a/ganesha.te b/ganesha.te
new file mode 100644
-index 0000000..fe7b5d7
+index 0000000..9542305
--- /dev/null
+++ b/ganesha.te
@@ -0,0 +1,72 @@
@@ -31172,7 +31199,7 @@ index 0000000..fe7b5d7
+corenet_tcp_bind_mountd_port(ganesha_t)
+corenet_udp_bind_mountd_port(ganesha_t)
+
-+dev_read_infiniband_dev(ganesha_t)
++dev_rw_infiniband_dev(ganesha_t)
+dev_read_gpfs(ganesha_t)
+
+logging_send_syslog_msg(ganesha_t)
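Review bot: `dev_rw_infiniband_dev(ganesha_t)` widens ganesha_t from read-only to read/write on the InfiniBand device nodes (presumably under /dev/infiniband), and the hunk gives no indication of which operation needed the write side. Device write access is a privilege worth recording, so a one-line comment above the call naming the motivating operation, e.g. `# rw on infiniband devices needed for <operation from the AVC>` (placeholder), would let a later reviewer check whether a narrower interface covers it. Without that, the next person auditing ganesha_t can only see that a read grant silently became a write grant.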
@@ -33396,7 +33423,7 @@ index e39de43..5edcb83 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index ab09d61..1a07290 100644
+index ab09d61..72d67c2 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,52 +1,76 @@
@@ -33520,7 +33547,7 @@ index ab09d61..1a07290 100644
########################################
#
# Gkeyringd policy
-@@ -89,37 +110,92 @@ template(`gnome_role_template',`
+@@ -89,37 +110,86 @@ template(`gnome_role_template',`
domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
@@ -33571,6 +33598,7 @@ index ab09d61..1a07290 100644
optional_policy(`
- dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+ dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
++ dbus_dontaudit_stream_connect_system_dbusd($1_gkeyringd_t)
+ gnome_manage_generic_home_dirs($1_gkeyringd_t)
+ gnome_read_generic_data_home_files($1_gkeyringd_t)
+ gnome_read_generic_data_home_dirs($1_gkeyringd_t)
@@ -33579,17 +33607,10 @@ index ab09d61..1a07290 100644
- gnome_dbus_chat_gkeyringd($1, $3)
+ telepathy_mission_control_read_state($1_gkeyringd_t)
+ telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t)
-+ ')
-+ ')
-+
-+ optional_policy(`
-+ gen_require(`
-+ type xguest_gkeyringd_t;
')
-+ dbus_dontaudit_stream_connect_session_bus(xguest_gkeyringd_t)
-+ ')
-+')
-+
+ ')
+ ')
+
+#######################################
+##
+## Allow domain to run gkeyring in the $1_gkeyringd_t domain.
@@ -33614,11 +33635,11 @@ index ab09d61..1a07290 100644
+ gen_require(`
+ type $1_gkeyringd_t;
+ type gkeyringd_exec_t;
- ')
++ ')
+ role $2 types $1_gkeyringd_t;
+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
- ')
-
++')
++
########################################
##
-## Execute gconf in the caller domain.
@@ -33626,7 +33647,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -127,18 +203,18 @@ template(`gnome_role_template',`
+@@ -127,18 +197,18 @@ template(`gnome_role_template',`
##
##
#
@@ -33650,7 +33671,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -146,119 +222,114 @@ interface(`gnome_exec_gconf',`
+@@ -146,119 +216,114 @@ interface(`gnome_exec_gconf',`
##
##
#
@@ -33807,7 +33828,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -266,15 +337,21 @@ interface(`gnome_create_generic_home_dirs',`
+@@ -266,15 +331,21 @@ interface(`gnome_create_generic_home_dirs',`
##
##
#
@@ -33834,7 +33855,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -282,57 +359,89 @@ interface(`gnome_setattr_config_dirs',`
+@@ -282,57 +353,89 @@ interface(`gnome_setattr_config_dirs',`
##
##
#
@@ -33942,7 +33963,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -340,15 +449,18 @@ interface(`gnome_read_generic_home_content',`
+@@ -340,15 +443,18 @@ interface(`gnome_read_generic_home_content',`
##
##
#
@@ -33966,7 +33987,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -356,22 +468,18 @@ interface(`gnome_manage_config',`
+@@ -356,22 +462,18 @@ interface(`gnome_manage_config',`
##
##
#
@@ -33994,7 +34015,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -379,53 +487,37 @@ interface(`gnome_manage_generic_home_content',`
+@@ -379,53 +481,37 @@ interface(`gnome_manage_generic_home_content',`
##
##
#
@@ -34056,7 +34077,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -433,17 +525,18 @@ interface(`gnome_home_filetrans',`
+@@ -433,17 +519,18 @@ interface(`gnome_home_filetrans',`
##
##
#
@@ -34079,7 +34100,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -451,23 +544,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
+@@ -451,23 +538,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
##
##
#
@@ -34107,7 +34128,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -475,22 +563,18 @@ interface(`gnome_read_generic_gconf_home_content',`
+@@ -475,22 +557,18 @@ interface(`gnome_read_generic_gconf_home_content',`
##
##
#
@@ -34134,7 +34155,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -498,79 +582,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
+@@ -498,79 +576,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
##
##
#
@@ -34232,7 +34253,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -579,12 +643,12 @@ interface(`gnome_home_filetrans_gnome_home',`
+@@ -579,12 +637,12 @@ interface(`gnome_home_filetrans_gnome_home',`
##
##
##
@@ -34247,7 +34268,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -593,18 +657,18 @@ interface(`gnome_home_filetrans_gnome_home',`
+@@ -593,18 +651,18 @@ interface(`gnome_home_filetrans_gnome_home',`
##
##
#
@@ -34272,7 +34293,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -612,46 +676,58 @@ interface(`gnome_gconf_home_filetrans',`
+@@ -612,46 +670,80 @@ interface(`gnome_gconf_home_filetrans',`
##
##
#
@@ -34297,15 +34318,11 @@ index ab09d61..1a07290 100644
+## Read generic data home dirs.
##
-##
--##
--## The prefix of the user domain (e.g., user
--## is the prefix for user_t).
--##
+##
+##
+## Domain allowed access.
+##
- ##
++##
+#
+interface(`gnome_read_generic_data_home_dirs',`
+ gen_require(`
@@ -34319,6 +34336,30 @@ index ab09d61..1a07290 100644
+##
+## Manage gconf data home files
+##
++##
+ ##
+-## The prefix of the user domain (e.g., user
+-## is the prefix for user_t).
++## Domain allowed access.
+ ##
+ ##
++#
++interface(`gnome_manage_data',`
++ gen_require(`
++ type data_home_t;
++ type gconf_home_t;
++ ')
++
++ allow $1 gconf_home_t:dir search_dir_perms;
++ manage_dirs_pattern($1, data_home_t, data_home_t)
++ manage_files_pattern($1, data_home_t, data_home_t)
++ manage_lnk_files_pattern($1, data_home_t, data_home_t)
++')
++
++########################################
++##
++## Read icc data home content.
++##
##
##
## Domain allowed access.
@@ -34326,146 +34367,122 @@ index ab09d61..1a07290 100644
##
#
-interface(`gnome_dbus_chat_gkeyringd',`
-+interface(`gnome_manage_data',`
++interface(`gnome_read_home_icc_data_content',`
gen_require(`
- type $1_gkeyringd_t;
- class dbus send_msg;
-+ type data_home_t;
-+ type gconf_home_t;
++ type icc_data_home_t, gconf_home_t, data_home_t;
')
- allow $2 $1_gkeyringd_t:dbus send_msg;
- allow $1_gkeyringd_t $2:dbus send_msg;
-+ allow $1 gconf_home_t:dir search_dir_perms;
-+ manage_dirs_pattern($1, data_home_t, data_home_t)
-+ manage_files_pattern($1, data_home_t, data_home_t)
-+ manage_lnk_files_pattern($1, data_home_t, data_home_t)
++ userdom_search_user_home_dirs($1)
++ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
++ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
++ read_files_pattern($1, icc_data_home_t, icc_data_home_t)
++ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
')
########################################
##
-## Send and receive messages from all
-## gnome keyring daemon over dbus.
-+## Read icc data home content.
++## Read inherited icc data home files.
##
##
##
-@@ -659,59 +735,1090 @@ interface(`gnome_dbus_chat_gkeyringd',`
+@@ -659,46 +751,64 @@ interface(`gnome_dbus_chat_gkeyringd',`
##
##
#
-interface(`gnome_dbus_chat_all_gkeyringd',`
-+interface(`gnome_read_home_icc_data_content',`
++interface(`gnome_read_inherited_home_icc_data_files',`
gen_require(`
- attribute gkeyringd_domain;
- class dbus send_msg;
-+ type icc_data_home_t, gconf_home_t, data_home_t;
++ type icc_data_home_t;
')
- allow $1 gkeyringd_domain:dbus send_msg;
- allow gkeyringd_domain $1:dbus send_msg;
-+ userdom_search_user_home_dirs($1)
-+ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
-+ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
-+ read_files_pattern($1, icc_data_home_t, icc_data_home_t)
-+ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
++ allow $1 icc_data_home_t:file read_inherited_file_perms;
')
########################################
##
-## Connect to gnome keyring daemon
-## with a unix stream socket.
-+## Read inherited icc data home files.
++## Create gconf_home_t objects in the /root directory
##
-##
+##
++##
++## Domain allowed access.
++##
++##
++##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-+## Domain allowed access.
++## The class of the object to be created.
##
##
++##
++##
++## The name of the object being created.
++##
++##
+#
-+interface(`gnome_read_inherited_home_icc_data_files',`
++interface(`gnome_admin_home_gconf_filetrans',`
+ gen_require(`
-+ type icc_data_home_t;
++ type gconf_home_t;
+ ')
+
-+ allow $1 icc_data_home_t:file read_inherited_file_perms;
++ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
+')
+
+########################################
+##
-+## Create gconf_home_t objects in the /root directory
++## Do not audit attempts to read
++## inherited gconf config files.
+##
##
##
- ## Domain allowed access.
+-## Domain allowed access.
++## Domain to not audit.
##
##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
#
-interface(`gnome_stream_connect_gkeyringd',`
-+interface(`gnome_admin_home_gconf_filetrans',`
++interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
gen_require(`
- type $1_gkeyringd_t, gnome_keyring_tmp_t;
-+ type gconf_home_t;
++ type gconf_etc_t;
')
- files_search_tmp($2)
- stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
-+ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
++ dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
')
########################################
##
-## Connect to all gnome keyring daemon
-## with a unix stream socket.
-+## Do not audit attempts to read
-+## inherited gconf config files.
++## read gconf config files
##
##
##
--## Domain allowed access.
-+## Domain to not audit.
+@@ -706,12 +816,1003 @@ interface(`gnome_stream_connect_gkeyringd',`
##
##
#
-interface(`gnome_stream_connect_all_gkeyringd',`
-+interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
++interface(`gnome_read_gconf_config',`
gen_require(`
- attribute gkeyringd_domain;
- type gnome_keyring_tmp_t;
+ type gconf_etc_t;
- ')
-
-- files_search_tmp($1)
-- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
-+ dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## read gconf config files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_read_gconf_config',`
-+ gen_require(`
-+ type gconf_etc_t;
+ ')
+
+ allow $1 gconf_etc_t:dir list_dir_perms;
@@ -34608,9 +34625,10 @@ index ab09d61..1a07290 100644
+interface(`gnome_list_gkeyringd_tmp_dirs',`
+ gen_require(`
+ type gkeyringd_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
+ ')
+
+ files_search_tmp($1)
+- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
+ allow $1 gkeyringd_tmp_t:dir list_dir_perms;
+')
+
@@ -38169,10 +38187,10 @@ index 6517fad..f183748 100644
+ allow $1 hypervkvp_unit_file_t:service all_service_perms;
')
diff --git a/hypervkvp.te b/hypervkvp.te
-index 4eb7041..b205df0 100644
+index 4eb7041..ea3c933 100644
--- a/hypervkvp.te
+++ b/hypervkvp.te
-@@ -5,24 +5,154 @@ policy_module(hypervkvp, 1.0.0)
+@@ -5,24 +5,158 @@ policy_module(hypervkvp, 1.0.0)
# Declarations
#
@@ -38224,10 +38242,12 @@ index 4eb7041..b205df0 100644
+dev_read_sysfs(hyperv_domain)
+
+########################################
-+#
+ #
+# hypervkvp local policy
-+#
-+
+ #
+
+-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
+-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
+allow hypervkvp_t self:capability sys_ptrace;
+allow hypervkvp_t self:process setfscreate;
+allow hypervkvp_t self:netlink_route_socket rw_netlink_socket_perms;
@@ -38301,6 +38321,10 @@ index 4eb7041..b205df0 100644
+')
+
+optional_policy(`
++ hostname_exec(hypervkvp_t)
++')
++
++optional_policy(`
+ netutils_domtrans_ping(hypervkvp_t)
+ netutils_domtrans(hypervkvp_t)
+')
@@ -38318,12 +38342,10 @@ index 4eb7041..b205df0 100644
+')
+
+########################################
- #
++#
+# hypervvssd local policy
- #
-
--allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
--allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
++#
++
+allow hypervvssd_t self:capability sys_admin;
+
+dev_rw_hypervvssd(hypervvssd_t)
@@ -39043,10 +39065,12 @@ index 0000000..61f2003
+userdom_use_user_terminals(iotop_t)
diff --git a/ipa.fc b/ipa.fc
new file mode 100644
-index 0000000..419d280
+index 0000000..74206ed
--- /dev/null
+++ b/ipa.fc
-@@ -0,0 +1,25 @@
+@@ -0,0 +1,29 @@
++/etc/httpd/alias/ipasession.key -- gen_context(system_u:object_r:ipa_cert_t,s0)
++
+/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
+
+/usr/lib/systemd/system/ipa-dnskeysyncd.* -- gen_context(system_u:object_r:ipa_dnskey_unit_file_t,s0)
@@ -39054,6 +39078,8 @@ index 0000000..419d280
+/usr/lib/systemd/system/ipa-ods-exporter.* -- gen_context(system_u:object_r:ipa_ods_exporter_unit_file_t,s0)
+
+/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
++/usr/libexec/ipa/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
++
+
+/usr/libexec/ipa/ipa-ods-exporter -- gen_context(system_u:object_r:ipa_ods_exporter_exec_t,s0)
+
@@ -39074,10 +39100,10 @@ index 0000000..419d280
+
diff --git a/ipa.if b/ipa.if
new file mode 100644
-index 0000000..ddbc007
+index 0000000..d611c53
--- /dev/null
+++ b/ipa.if
-@@ -0,0 +1,252 @@
+@@ -0,0 +1,309 @@
+## Policy for IPA services.
+
+########################################
@@ -39330,12 +39356,69 @@ index 0000000..ddbc007
+
+ logging_log_named_filetrans($1, ipa_log_t, dir, "ipa")
+')
++
++#######################################
++##
++## Allow domain to create /tmp/ca.p12
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipa_filetrans_named_content',`
++
++ gen_require(`
++ type ipa_tmp_t;
++ ')
++
++ files_tmp_filetrans($1, ipa_tmp_t, file, "ca.p12")
++')
++
++########################################
++##
++## Create file ipasession.key in cert_t dir
++## with ipa_cert_t type
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipa_cert_filetrans_named_content',`
++ gen_require(`
++ type ipa_cert_t;
++ ')
++
++ filetrans_pattern($1, cert_t, ipa_cert_t, file ,"ipasession.key")
++ manage_files_pattern($1, ipa_cert_t, ipa_cert_t)
++')
++
++########################################
++##
++## Allow domain to read ipa tmp files/dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipa_read_tmp',`
++ gen_require(`
++ type ipa_tmp_t;
++ ')
++
++ read_files_pattern($1, ipa_tmp_t, ipa_tmp_t)
++')
diff --git a/ipa.te b/ipa.te
new file mode 100644
-index 0000000..55e151e
+index 0000000..d806e25
--- /dev/null
+++ b/ipa.te
-@@ -0,0 +1,264 @@
+@@ -0,0 +1,273 @@
+policy_module(ipa, 1.0.0)
+
+########################################
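Review bot: `ipa_cert_filetrans_named_content` references `cert_t` in `filetrans_pattern($1, cert_t, ipa_cert_t, file ,"ipasession.key")` but its `gen_require` block lists only `type ipa_cert_t;`, so whether the interface compiles depends on the calling module having required `cert_t` through some other interface; the block should read `type ipa_cert_t, cert_t;`. The same line carries a stray space before the comma (`file, "ipasession.key"`), and `ipa_filetrans_named_content` opens with an empty line before its `gen_require`, unlike the neighbouring interfaces. The name `ipa_filetrans_named_content` also suggests a generic named-content transition while the body only covers `/tmp/ca.p12`; a name such as `ipa_tmp_filetrans_ca_p12` would match the summary.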
@@ -39385,6 +39468,9 @@ index 0000000..55e151e
+init_system_domain(ipa_helper_t, ipa_helper_exec_t)
+role ipa_helper_roles types ipa_helper_t;
+
++type ipa_cert_t;
++miscfiles_cert_type(ipa_cert_t)
++
+type ipa_tmp_t;
+files_tmp_file(ipa_tmp_t)
+
@@ -39398,6 +39484,9 @@ index 0000000..55e151e
+allow ipa_otpd_t self:fifo_file rw_fifo_file_perms;
+allow ipa_otpd_t self:unix_stream_socket create_stream_socket_perms;
+
++read_files_pattern(ipa_otpd_t, ipa_cert_t, ipa_cert_t)
++read_lnk_files_pattern(ipa_otpd_t, ipa_cert_t, ipa_cert_t)
++
+manage_dirs_pattern(ipa_otpd_t, ipa_var_run_t, ipa_var_run_t)
+manage_files_pattern(ipa_otpd_t, ipa_var_run_t, ipa_var_run_t)
+files_pid_filetrans(ipa_otpd_t, ipa_var_run_t, file)
@@ -39502,6 +39591,9 @@ index 0000000..55e151e
+allow ipa_dnskey_t self:unix_dgram_socket create_socket_perms;
+allow ipa_dnskey_t self:netlink_route_socket { create_netlink_socket_perms nlmsg_read };
+
++read_files_pattern(ipa_dnskey_t, ipa_cert_t, ipa_cert_t)
++read_lnk_files_pattern(ipa_dnskey_t, ipa_cert_t, ipa_cert_t)
++
+manage_files_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t)
+setattr_dirs_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t)
+list_dirs_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t)
@@ -63569,7 +63661,7 @@ index e96a309..4245308 100644
+')
+
diff --git a/ntp.te b/ntp.te
-index f81b113..76db00a 100644
+index f81b113..6d039fb 100644
--- a/ntp.te
+++ b/ntp.te
@@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t;
@@ -63582,7 +63674,11 @@ index f81b113..76db00a 100644
type ntp_conf_t;
files_config_file(ntp_conf_t)
-@@ -53,6 +56,8 @@ allow ntpd_t self:tcp_socket { accept listen };
+@@ -50,9 +53,12 @@ allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
+ allow ntpd_t self:fifo_file rw_fifo_file_perms;
+ allow ntpd_t self:shm create_shm_perms;
+ allow ntpd_t self:tcp_socket { accept listen };
++allow ntpd_t self:socket create_socket_perms;
manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
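Review bot: `allow ntpd_t self:socket create_socket_perms;` grants the generic `socket` class, which is the catch-all for address families that have no dedicated class, and the hunk does not say which family ntpd is opening. If the underlying denial was for a family that does have its own class, that class should be used instead; if the catch-all is genuinely needed, a comment such as `# generic socket class: <family from the AVC>` (placeholder) above the rule would document why.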
@@ -63591,7 +63687,7 @@ index f81b113..76db00a 100644
allow ntpd_t ntp_conf_t:file read_file_perms;
-@@ -60,9 +65,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+@@ -60,9 +66,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
@@ -63602,7 +63698,7 @@ index f81b113..76db00a 100644
logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
-@@ -83,21 +86,16 @@ kernel_read_system_state(ntpd_t)
+@@ -83,21 +87,16 @@ kernel_read_system_state(ntpd_t)
kernel_read_network_state(ntpd_t)
kernel_request_load_module(ntpd_t)
@@ -63626,7 +63722,7 @@ index f81b113..76db00a 100644
corecmd_exec_bin(ntpd_t)
corecmd_exec_shell(ntpd_t)
-@@ -110,13 +108,15 @@ domain_use_interactive_fds(ntpd_t)
+@@ -110,13 +109,15 @@ domain_use_interactive_fds(ntpd_t)
domain_dontaudit_list_all_domains_state(ntpd_t)
files_read_etc_runtime_files(ntpd_t)
@@ -63643,7 +63739,7 @@ index f81b113..76db00a 100644
auth_use_nsswitch(ntpd_t)
-@@ -124,12 +124,14 @@ init_exec_script_files(ntpd_t)
+@@ -124,12 +125,14 @@ init_exec_script_files(ntpd_t)
logging_send_syslog_msg(ntpd_t)
@@ -63660,7 +63756,7 @@ index f81b113..76db00a 100644
cron_system_entry(ntpd_t, ntpdate_exec_t)
')
-@@ -152,9 +154,18 @@ optional_policy(`
+@@ -152,9 +155,18 @@ optional_policy(`
')
optional_policy(`
@@ -72167,10 +72263,10 @@ index 0000000..47cd0f8
+/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
diff --git a/pki.if b/pki.if
new file mode 100644
-index 0000000..5c7f232
+index 0000000..efe3ad3
--- /dev/null
+++ b/pki.if
-@@ -0,0 +1,404 @@
+@@ -0,0 +1,442 @@
+
+## policy for pki
+
@@ -72575,12 +72671,50 @@ index 0000000..5c7f232
+
+ list_dirs_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+')
++
++########################################
++##
++## Allow read pki_common_t files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_read_common_files',`
++ gen_require(`
++ type pki_common_t;
++ ')
++
++ read_files_pattern($1, pki_common_t, pki_common_t)
++')
++
++########################################
++##
++## Connect to pki over an unix
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_stream_connect',`
++ gen_require(`
++ type pki_tomcat_t, pki_common_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, pki_common_t, pki_common_t, pki_tomcat_t)
++')
diff --git a/pki.te b/pki.te
new file mode 100644
-index 0000000..bdeebb9
+index 0000000..555b44a
--- /dev/null
+++ b/pki.te
-@@ -0,0 +1,281 @@
+@@ -0,0 +1,283 @@
+policy_module(pki,10.0.11)
+
+########################################
@@ -72693,6 +72827,8 @@ index 0000000..bdeebb9
+can_exec(pki_tomcat_t, pki_common_t)
+init_stream_connect_script(pki_tomcat_t)
+
++auth_read_passwd(pki_tomcat_t)
++
+search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)
+
+kernel_read_kernel_sysctls(pki_tomcat_t)
@@ -84546,7 +84682,7 @@ index 4460582..4c66c25 100644
+
')
diff --git a/radius.te b/radius.te
-index 403a4fe..95b5e45 100644
+index 403a4fe..b1668fa 100644
--- a/radius.te
+++ b/radius.te
@@ -5,6 +5,13 @@ policy_module(radius, 1.13.0)
@@ -84669,7 +84805,18 @@ index 403a4fe..95b5e45 100644
logrotate_exec(radiusd_t)
')
-@@ -140,5 +167,10 @@ optional_policy(`
+@@ -132,6 +159,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ postgresql_tcp_connect(radiusd_t)
++')
++
++optional_policy(`
+ samba_domtrans_winbind_helper(radiusd_t)
+ ')
+
+@@ -140,5 +171,10 @@ optional_policy(`
')
optional_policy(`
@@ -89923,7 +90070,7 @@ index 6dbc905..4b17c93 100644
- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a2..7239c98 100644
+index d32e1a2..75b615f 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
@@ -89962,7 +90109,7 @@ index d32e1a2..7239c98 100644
manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
-@@ -50,25 +56,90 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+@@ -50,25 +56,94 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
kernel_read_network_state(rhsmcertd_t)
@@ -90030,6 +90177,10 @@ index d32e1a2..7239c98 100644
+')
+
+optional_policy(`
++ hostname_exec(rhsmcertd_t)
++')
++
++optional_policy(`
+ rhnsd_manage_config(rhsmcertd_t)
+')
+
@@ -95735,7 +95886,7 @@ index 50d07fb..a34db48 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 2b7c441..efe3f59 100644
+index 2b7c441..c3db0c7 100644
--- a/samba.te
+++ b/samba.te
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@@ -96834,9 +96985,10 @@ index 2b7c441..efe3f59 100644
#
-allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
+-dontaudit winbind_t self:capability sys_tty_config;
+allow winbind_t self:capability { kill dac_override ipc_lock setuid sys_nice };
+allow winbind_t self:capability2 block_suspend;
- dontaudit winbind_t self:capability sys_tty_config;
++dontaudit winbind_t self:capability { net_admin sys_tty_config };
allow winbind_t self:process { signal_perms getsched setsched };
allow winbind_t self:fifo_file rw_fifo_file_perms;
-allow winbind_t self:unix_stream_socket { accept listen };
@@ -100220,7 +100372,7 @@ index 35ad2a7..afdc7da 100644
+ admin_pattern($1, mail_spool_t)
')
diff --git a/sendmail.te b/sendmail.te
-index 12700b4..3a32af4 100644
+index 12700b4..2ede411 100644
--- a/sendmail.te
+++ b/sendmail.te
@@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t;
@@ -100255,7 +100407,7 @@ index 12700b4..3a32af4 100644
logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir })
manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
-@@ -63,33 +65,23 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
+@@ -63,33 +65,24 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
kernel_read_network_state(sendmail_t)
kernel_read_kernel_sysctls(sendmail_t)
@@ -100263,6 +100415,7 @@ index 12700b4..3a32af4 100644
kernel_read_system_state(sendmail_t)
+kernel_search_network_sysctl(sendmail_t)
+kernel_read_kernel_sysctls(sendmail_t)
++kernel_read_net_sysctls(sendmail_t)
-corenet_all_recvfrom_unlabeled(sendmail_t)
corenet_all_recvfrom_netlabel(sendmail_t)
@@ -100295,7 +100448,7 @@ index 12700b4..3a32af4 100644
fs_getattr_all_fs(sendmail_t)
fs_search_auto_mountpoints(sendmail_t)
-@@ -98,35 +90,49 @@ fs_rw_anon_inodefs_files(sendmail_t)
+@@ -98,35 +91,49 @@ fs_rw_anon_inodefs_files(sendmail_t)
term_dontaudit_use_console(sendmail_t)
term_dontaudit_use_generic_ptys(sendmail_t)
@@ -100351,7 +100504,7 @@ index 12700b4..3a32af4 100644
')
optional_policy(`
-@@ -134,8 +140,8 @@ optional_policy(`
+@@ -134,8 +141,8 @@ optional_policy(`
')
optional_policy(`
@@ -100362,7 +100515,7 @@ index 12700b4..3a32af4 100644
')
optional_policy(`
-@@ -164,6 +170,10 @@ optional_policy(`
+@@ -164,6 +171,10 @@ optional_policy(`
')
optional_policy(`
@@ -100373,7 +100526,7 @@ index 12700b4..3a32af4 100644
milter_stream_connect_all(sendmail_t)
')
-@@ -172,6 +182,11 @@ optional_policy(`
+@@ -172,6 +183,11 @@ optional_policy(`
')
optional_policy(`
@@ -100385,7 +100538,7 @@ index 12700b4..3a32af4 100644
postfix_domtrans_postdrop(sendmail_t)
postfix_domtrans_master(sendmail_t)
postfix_domtrans_postqueue(sendmail_t)
-@@ -193,6 +208,10 @@ optional_policy(`
+@@ -193,6 +209,10 @@ optional_policy(`
')
optional_policy(`
@@ -100396,7 +100549,7 @@ index 12700b4..3a32af4 100644
udev_read_db(sendmail_t)
')
-@@ -206,8 +225,6 @@ optional_policy(`
+@@ -206,8 +226,6 @@ optional_policy(`
#
optional_policy(`
@@ -105930,7 +106083,7 @@ index a240455..277f8f2 100644
- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
-index 2d8db1f..6efbaac 100644
+index 2d8db1f..d4fee07 100644
--- a/sssd.te
+++ b/sssd.te
@@ -28,19 +28,31 @@ logging_log_file(sssd_var_log_t)
@@ -106048,7 +106201,7 @@ index 2d8db1f..6efbaac 100644
init_read_utmp(sssd_t)
-@@ -112,18 +131,64 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +131,67 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_generic_certs(sssd_t)
@@ -106076,7 +106229,7 @@ index 2d8db1f..6efbaac 100644
+ kerberos_read_home_content(sssd_t)
+ kerberos_rw_config(sssd_t)
+ kerberos_rw_keytab(sssd_t)
- ')
++')
+
+optional_policy(`
+ dirsrv_stream_connect(sssd_t)
@@ -106094,7 +106247,7 @@ index 2d8db1f..6efbaac 100644
+
+optional_policy(`
+ systemd_login_read_pid_files(sssd_t)
-+')
+ ')
+
+########################################
+#
@@ -106102,9 +106255,12 @@ index 2d8db1f..6efbaac 100644
+#
+
+allow sssd_selinux_manager_t self:capability { setgid setuid };
++dontaudit sssd_selinux_manager_t self:capability net_admin;
+
+domtrans_pattern(sssd_t, sssd_selinux_manager_exec_t, sssd_selinux_manager_t)
+
++init_ioctl_stream_sockets(sssd_selinux_manager_t)
++
+logging_send_audit_msgs(sssd_selinux_manager_t)
+
+seutil_semanage_policy(sssd_selinux_manager_t)
@@ -107417,10 +107573,10 @@ index 0000000..a6e216c
+
diff --git a/targetd.te b/targetd.te
new file mode 100644
-index 0000000..7f28cdd
+index 0000000..e187320
--- /dev/null
+++ b/targetd.te
-@@ -0,0 +1,65 @@
+@@ -0,0 +1,68 @@
+policy_module(targetd, 1.0.0)
+
+########################################
@@ -107446,6 +107602,7 @@ index 0000000..7f28cdd
+allow targetd_t self:capability { sys_admin };
+allow targetd_t self:fifo_file rw_fifo_file_perms;
+allow targetd_t self:unix_stream_socket create_stream_socket_perms;
++allow targetd_t self:unix_dgram_socket create_socket_perms;
+allow targetd_t self:tcp_socket listen;
+allow targetd_t self:netlink_route_socket r_netlink_socket_perms;
+allow targetd_t self:process setfscreate;
@@ -107455,6 +107612,7 @@ index 0000000..7f28cdd
+files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file })
+
+kernel_read_system_state(targetd_t)
++kernel_read_network_state(targetd_t)
+
+auth_use_nsswitch(targetd_t)
+
@@ -107467,6 +107625,7 @@ index 0000000..7f28cdd
+dev_read_sysfs(targetd_t)
+dev_read_urand(targetd_t)
+dev_rw_lvm_control(targetd_t)
++dev_getattr_loop_control(targetd_t)
+
+libs_exec_ldconfig(targetd_t)
+
@@ -110041,10 +110200,10 @@ index 0000000..46f12a4
+')
diff --git a/tlp.te b/tlp.te
new file mode 100644
-index 0000000..ae69138
+index 0000000..f31ed95
--- /dev/null
+++ b/tlp.te
-@@ -0,0 +1,70 @@
+@@ -0,0 +1,74 @@
+policy_module(tlp, 1.0.0)
+
+########################################
@@ -110109,6 +110268,10 @@ index 0000000..ae69138
+sysnet_exec_ifconfig(tlp_t)
+
+optional_policy(`
++ dbus_stream_connect_system_dbusd(tlp_t)
++')
++
++optional_policy(`
+ fstools_exec(tlp_t)
+')
+
@@ -110687,10 +110850,10 @@ index 0000000..e5cec8f
+')
diff --git a/tomcat.te b/tomcat.te
new file mode 100644
-index 0000000..1aa150f
+index 0000000..71e14ac
--- /dev/null
+++ b/tomcat.te
-@@ -0,0 +1,85 @@
+@@ -0,0 +1,86 @@
+policy_module(tomcat, 1.0.0)
+
+########################################
@@ -110710,6 +110873,7 @@ index 0000000..1aa150f
+# tomcat local policy
+#
+
++auth_use_nsswitch(tomcat_t)
+
+optional_policy(`
+ pki_manage_tomcat_cert(tomcat_t)
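Review bot: `auth_use_nsswitch(tomcat_t)` is added only for tomcat_t, while the hunk at `@@ -110768,9 +110935,6 @@` drops `auth_read_passwd(tomcat_domain)` from the whole attribute, so any other member of tomcat_domain loses passwd lookups unless it gets them elsewhere; I cannot see the attribute's other members from here. If tomcat_t is its only member, saying so in the commit message would settle it; otherwise the replacement needs to cover the remaining members as well.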
@@ -110718,6 +110882,8 @@ index 0000000..1aa150f
+ pki_manage_tomcat_etc_rw(tomcat_t)
+ pki_search_log_dirs(tomcat_t)
+ pki_manage_tomcat_log(tomcat_t)
++ pki_read_common_files(tomcat_t)
++ pki_stream_connect(tomcat_t)
+')
+
+optional_policy(`
@@ -110726,6 +110892,7 @@ index 0000000..1aa150f
+
+optional_policy(`
+ ipa_read_lib(tomcat_t)
++ ipa_read_tmp(tomcat_t)
+')
+
+########################################
@@ -110768,9 +110935,6 @@ index 0000000..1aa150f
+fs_getattr_all_fs(tomcat_domain)
+fs_read_hugetlbfs_files(tomcat_domain)
+
-+
-+auth_read_passwd(tomcat_domain)
-+
+sysnet_dns_name_resolve(tomcat_domain)
+
+optional_policy(`
@@ -115377,7 +115541,7 @@ index facdee8..487857a 100644
+ dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
')
diff --git a/virt.te b/virt.te
-index f03dcf5..006d4b5 100644
+index f03dcf5..fee0027 100644
--- a/virt.te
+++ b/virt.te
@@ -1,451 +1,413 @@
@@ -116401,7 +116565,7 @@ index f03dcf5..006d4b5 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -746,44 +718,341 @@ optional_policy(`
+@@ -746,44 +718,344 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@@ -116479,6 +116643,9 @@ index f03dcf5..006d4b5 100644
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
++tunable_policy(`virt_use_nfs',`
++ fs_append_nfs_files(virtlogd_t)
++')
+
+########################################
+#
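Review bot: fs_append_nfs_files in the new virt_use_nfs block is the right verb for a log writer, but a reader will not know why virtlogd touches NFS at all, and unless the mount is labeled (NFSv4.2 security labels or a context= option) every file on every NFS mount carries the single nfs_t type, so the grant is mount-wide rather than limited to the guest log directory. A one-line comment would make that scope explicit: `# guest console logs may live on NFS-backed storage pools; append only, but covers the whole nfs_t mount`. The virtlogd_t section continues past the hunk.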
@@ -116551,7 +116718,7 @@ index f03dcf5..006d4b5 100644
+dontaudit virt_domain virt_tmpfs_type:file { read write };
+
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
-
++
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+
+corecmd_exec_bin(virt_domain)
@@ -116672,7 +116839,7 @@ index f03dcf5..006d4b5 100644
+ fs_read_nfs_symlinks(virt_domain)
+ fs_getattr_nfs(virt_domain)
+')
-+
+
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_dirs(virt_domain)
+ fs_manage_cifs_files(virt_domain)
@@ -116765,7 +116932,7 @@ index f03dcf5..006d4b5 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1063,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1066,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -116792,7 +116959,7 @@ index f03dcf5..006d4b5 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1083,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1086,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -116809,10 +116976,10 @@ index f03dcf5..006d4b5 100644
-logging_send_syslog_msg(virsh_t)
+systemd_exec_systemctl(virsh_t)
-+
-+auth_read_passwd(virsh_t)
-miscfiles_read_localization(virsh_t)
++auth_read_passwd(virsh_t)
++
+logging_send_syslog_msg(virsh_t)
sysnet_dns_name_resolve(virsh_t)
@@ -116826,7 +116993,7 @@ index f03dcf5..006d4b5 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1120,20 @@ optional_policy(`
+@@ -856,14 +1123,20 @@ optional_policy(`
')
optional_policy(`
@@ -116848,7 +117015,7 @@ index f03dcf5..006d4b5 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1158,66 @@ optional_policy(`
+@@ -888,49 +1161,66 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -116933,7 +117100,7 @@ index f03dcf5..006d4b5 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1229,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1232,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -116953,7 +117120,7 @@ index f03dcf5..006d4b5 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1250,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1253,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -116977,7 +117144,7 @@ index f03dcf5..006d4b5 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1275,296 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1278,296 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -117140,13 +117307,6 @@ index f03dcf5..006d4b5 100644
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
-+
-+optional_policy(`
-+tunable_policy(`virt_sandbox_share_apache_content',`
-+ apache_exec_modules(svirt_sandbox_domain)
-+ apache_read_sys_content(svirt_sandbox_domain)
-+ ')
-+')
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -117231,17 +117391,24 @@ index f03dcf5..006d4b5 100644
-
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
-+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++tunable_policy(`virt_sandbox_share_apache_content',`
++ apache_exec_modules(svirt_sandbox_domain)
++ apache_read_sys_content(svirt_sandbox_domain)
++ ')
+')
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
-+ ssh_use_ptys(svirt_sandbox_domain)
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
++ ssh_use_ptys(svirt_sandbox_domain)
++')
++
++optional_policy(`
+ udev_read_pid_files(svirt_sandbox_domain)
+')
+
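Review bot: The relocated virt_sandbox_share_apache_content tunable_policy block now sits inside an optional_policy yet its opening line starts at column 0 while its closing quote and the neighbouring mta/ssh/udev bodies are indented one level; the nesting itself is correct (the apache_* interfaces need the optional guard), but the layout hides it. Indent the tunable_policy opening line and its two apache_* calls one level so the block reads like the others around it. This is layout only and changes no rules; the svirt_sandbox_domain section continues outside the hunk.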
@@ -117395,10 +117562,10 @@ index f03dcf5..006d4b5 100644
+term_pty(container_file_t)
+
+auth_use_nsswitch(svirt_qemu_net_t)
-+
-+rpm_read_db(svirt_qemu_net_t)
-allow svirt_prot_exec_t self:process { execmem execstack };
++rpm_read_db(svirt_qemu_net_t)
++
+logging_send_syslog_msg(svirt_qemu_net_t)
+
+tunable_policy(`virt_sandbox_use_audit',`
@@ -117421,7 +117588,7 @@ index f03dcf5..006d4b5 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1577,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1580,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -117436,7 +117603,7 @@ index f03dcf5..006d4b5 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,7 +1595,7 @@ optional_policy(`
+@@ -1192,7 +1598,7 @@ optional_policy(`
########################################
#
@@ -117445,7 +117612,7 @@ index f03dcf5..006d4b5 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1604,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1607,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
@@ -120542,10 +120709,10 @@ index 0928c5d..d270a72 100644
userdom_dontaudit_use_unpriv_user_fds(xfs_t)
diff --git a/xguest.te b/xguest.te
-index a64aad3..d923154 100644
+index a64aad3..12dc86b 100644
--- a/xguest.te
+++ b/xguest.te
-@@ -6,46 +6,47 @@ policy_module(xguest, 1.2.0)
+@@ -6,46 +6,49 @@ policy_module(xguest, 1.2.0)
#
##
@@ -120599,7 +120766,8 @@ index a64aad3..d923154 100644
#
-kernel_dontaudit_request_load_module(xguest_t)
--
++dontaudit xguest_t xguest_t : tcp_socket { listen };
+
ifndef(`enable_mls',`
fs_exec_noxattr(xguest_t)
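Review bot: The added dontaudit line spells the rule as `xguest_t xguest_t : tcp_socket { listen }`; refpolicy style for a rule on the domain itself is `dontaudit xguest_t self:tcp_socket listen;`, which is also what the changelog entry describes. Beyond style, silencing this denial is a trade-off that deserves a comment: a process in the restricted guest session trying to open a listening TCP port is exactly the event an incident responder may want in the audit log, so the line should say what harmless noise it suppresses, e.g. `# dontaudit listen(): desktop apps probe for a listening socket; xguest must not serve, access stays denied`. If the noise came from a single application, a narrower fix than a blanket dontaudit may exist. The xguest_t section continues outside the hunk.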
@@ -120611,7 +120779,7 @@ index a64aad3..d923154 100644
storage_raw_read_removable_device(xguest_t)
storage_raw_write_removable_device(xguest_t)
',`
-@@ -54,9 +55,25 @@ ifndef(`enable_mls',`
+@@ -54,9 +57,25 @@ ifndef(`enable_mls',`
')
optional_policy(`
@@ -120638,7 +120806,7 @@ index a64aad3..d923154 100644
files_dontaudit_getattr_boot_dirs(xguest_t)
files_search_mnt(xguest_t)
-@@ -65,10 +82,9 @@ optional_policy(`
+@@ -65,10 +84,9 @@ optional_policy(`
fs_manage_noxattr_fs_dirs(xguest_t)
fs_getattr_noxattr_fs(xguest_t)
fs_read_noxattr_fs_symlinks(xguest_t)
@@ -120650,7 +120818,7 @@ index a64aad3..d923154 100644
')
')
-@@ -84,12 +100,25 @@ optional_policy(`
+@@ -84,12 +102,25 @@ optional_policy(`
')
')
@@ -120662,23 +120830,23 @@ index a64aad3..d923154 100644
+
+optional_policy(`
+ colord_dbus_chat(xguest_t)
- ')
-
- optional_policy(`
-- gnomeclock_dontaudit_dbus_chat(xguest_t)
-+ chrome_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
-+ thumb_role(xguest_r, xguest_t)
++ chrome_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
++ thumb_role(xguest_r, xguest_t)
+ ')
+
+ optional_policy(`
+- gnomeclock_dontaudit_dbus_chat(xguest_t)
+ dbus_dontaudit_chat_system_bus(xguest_t)
')
optional_policy(`
-@@ -97,75 +126,78 @@ optional_policy(`
+@@ -97,75 +128,78 @@ optional_policy(`
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 614a27f..aeab6e6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 252%{?dist}
+Release: 253%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -689,6 +689,50 @@ exit 0
%endif
%changelog
+* Fri May 12 2017 Lukas Vrabec - 3.13.1-253
+- auth_use_nsswitch can call only domain not attribute
+- Dontaudit net_admin cap for winbind_t
+- Allow tlp_t domain to stream connect to system bus
+- Allow tomcat_t domain read pki_common_t files
+- Add interface pki_read_common_files()
+- Fix broken cermonger module
+- Fix broken apache module
+- Allow hypervkvp_t domain execute hostname
+- Dontaudit sssd_selinux_manager_t use of net_admin capability
+- Allow tomcat_t stream connect to pki_common_t
+- Dontaudit xguest_t's attempts to listen to its tcp_socket
+- Allow sssd_selinux_manager_t to ioctl init_t sockets
+- Improve ipa_cert_filetrans_named_content() interface to also allow caller domain manage ipa_cert_t type.
+- Allow pki_tomcat_t domain read /etc/passwd.
+- Allow tomcat_t domain read ipa_tmp_t files
+- Label new path for ipa-otpd
+- Allow radiusd_t domain stream connect to postgresql_t
+- Allow rhsmcertd_t to execute hostname_exec_t binaries.
+- Allow virtlogd to append nfs_t files when virt_use_nfs=1
+- Allow httpd_t domain read also httpd_user_content_type lnk_files.
+- Allow httpd_t domain create /etc/httpd/alias/ipaseesion.key with label ipa_cert_t
+- Dontaudit _gkeyringd_t stream connect to system_dbusd_t
+- Label /var/www/html/nextcloud/data as httpd_sys_rw_content_t
+- Add interface ipa_filetrans_named_content()
+- Allow tomcat use nsswitch
+- Allow certmonger_t start/status generic services
+- Allow dirsrv read cgroup files.
+- Allow ganesha_t domain read/write infiniband devices.
+- Allow sendmail_t domain sysctl_net_t files
+- Allow targetd_t domain read network state and getattr on loop_control_device_t
+- Allow condor_schedd_t domain send mails.
+- Allow ntpd to creating sockets. BZ(1434395)
+- Alow certmonger to create own systemd unit files.
+- Add kill namespace capability to xdm_t domain
+- Revert "su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization."
+- Revert "Allow _su_t to create netlink_selinux_socket"
+- Allow _su_t to create netlink_selinux_socket
+- Allow unconfined_t to module_load any file
+- Allow staff to systemctl virt server when staff_use_svirt=1
+- Allow unconfined_t create /tmp/ca.p12 file with ipa_tmp_t context
+- Allow netutils setpcap capability
+- Dontaudit leaked file descriptor happening in setfiles_t domain BZ(1388124)
+
* Thu Apr 20 2017 Michael Scherer - 3.13.1-252
- fix #1380325, selinux-policy-sandbox always removing sandbox module on upgrade