diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 9abc9f0..62c4b1a 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index b488b01..ac108ca 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5718,7 +5718,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..bb7bad0 100644
+index b191055..e66e77a 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5945,7 +5945,7 @@ index b191055..bb7bad0 100644
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
  network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,101 +235,124 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,101 +235,126 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
  network_port(mxi, tcp,8005,s0, udp,8005,s0)
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
  network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5968,6 +5968,8 @@ index b191055..bb7bad0 100644
  network_port(openhpid, tcp,4743,s0, udp,4743,s0)
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
 +network_port(openvswitch, tcp,6634,s0)
++network_port(openqa, tcp,9526,s0)
++network_port(openqa_websockets, tcp,9527,s0)
 +network_port(osapi_compute, tcp, 8774, s0)
 +network_port(ovsdb, tcp, 6640, s0)
  network_port(pdps, tcp,1314,s0, udp,1314,s0)
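Review bot: The two new entries `network_port(openqa, tcp,9526,s0)` and `network_port(openqa_websockets, tcp,9527,s0)` sit after `openvswitch`, which breaks the alphabetical order the neighbouring entries follow (`openhpid`, `openvpn`, `openvswitch`); moving them above `openvpn` keeps the list easy to audit. Giving 9526 and 9527 their own types presumably takes them out of the generic unreserved-port label, so any domain that reaches those ports today through generic unreserved-port rules would need explicit rules for the new types, and none are visible in this hunk. A short comment above the pair, e.g. `# openQA service (9526) and its websockets endpoint (9527)`, would record why these ports are reserved.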
@@ -6088,7 +6090,7 @@ index b191055..bb7bad0 100644
  network_port(xserver, tcp,6000-6020,s0)
  network_port(zarafa, tcp,236,s0, tcp,237,s0)
  network_port(zabbix, tcp,10051,s0)
-@@ -288,19 +360,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +362,23 @@ network_port(zabbix_agent, tcp,10050,s0)
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
@@ -6115,7 +6117,7 @@ index b191055..bb7bad0 100644
  
  ########################################
  #
-@@ -333,6 +409,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +411,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
  
  build_option(`enable_mls',`
  network_interface(lo, lo, s0 - mls_systemhigh)
@@ -6124,7 +6126,7 @@ index b191055..bb7bad0 100644
  ',`
  typealias netif_t alias { lo_netif_t netif_lo_t };
  ')
-@@ -345,9 +423,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +425,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -10144,7 +10146,7 @@ index 6a1e4d1..26e5558 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..549d218 100644
+index cf04cb5..7b76b77 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -10211,7 +10213,7 @@ index cf04cb5..549d218 100644
  
  # create child processes in the domain
 -allow domain self:process { fork sigchld };
-+allow domain self:process { getcap fork getsched signal_perms setrlimit getattr getcap getsched getsession };
++allow domain self:process { getcap fork getsched signal_perms };
  
  # Use trusted objects in /dev
 +dev_read_cpu_online(domain)
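Review bot: The rewritten `allow domain self:process { getcap fork getsched signal_perms };` removes `setrlimit`, `getattr` and `getsession` from every type carrying the `domain` attribute, and this hunk shows no per-domain rules that restore them where they are still needed. The narrower set is the better default, but it is worth checking AVC denials on the `process` class in permissive or test runs before this ships, since any confined service that adjusts its own resource limits would now be denied. The comment above the rule still reads `# create child processes in the domain`, which describes only `fork`; something like `# fork, signal self, and read own capabilities and scheduling` matches the remaining permissions. The rest of domain.te lies outside the hunk.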
@@ -15451,7 +15453,7 @@ index d7c11a0..6b3331d 100644
  /var/run/shm/.*			<<none>>
 -')
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..1a164a7 100644
+index 8416beb..f3dd0f6 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -15899,7 +15901,7 @@ index 8416beb..1a164a7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1878,117 +2085,346 @@ interface(`fs_search_fusefs',`
+@@ -1878,135 +2085,721 @@ interface(`fs_search_fusefs',`
  ##	</summary>
  ## </param>
  #
@@ -16282,13 +16284,42 @@ index 8416beb..1a164a7 100644
 +##	Do not audit attempts to create,
 +##	read, write, and delete files
 +##	on a FUSEFS filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2025,6 +2461,87 @@ interface(`fs_read_fusefs_symlinks',`
- 
- ########################################
- ## <summary>
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`fs_dontaudit_manage_fusefs_files',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	dontaudit $1 fusefs_t:file manage_file_perms;
++')
++
++########################################
++## <summary>
++##	Read symbolic links on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_read_fusefs_symlinks',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	allow $1 fusefs_t:dir list_dir_perms;
++	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
++')
++
++########################################
++## <summary>
 +##	Manage symbolic links on a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
@@ -16370,14 +16401,38 @@ index 8416beb..1a164a7 100644
 +
 +########################################
 +## <summary>
- ##	Get the attributes of an hugetlbfs
- ##	filesystem.
- ## </summary>
-@@ -2057,12 +2574,66 @@ interface(`fs_list_hugetlbfs',`
- 		type hugetlbfs_t;
- 	')
- 
--	allow $1 hugetlbfs_t:dir list_dir_perms;
++##	Get the attributes of an hugetlbfs
++##	filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_getattr_hugetlbfs',`
++	gen_require(`
++		type hugetlbfs_t;
++	')
++
++	allow $1 hugetlbfs_t:filesystem getattr;
++')
++
++########################################
++## <summary>
++##	List hugetlbfs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_list_hugetlbfs',`
++	gen_require(`
++		type hugetlbfs_t;
++	')
++
 +	allow $1 hugetlbfs_t:dir list_dir_perms;
 +')
 +
@@ -16433,80 +16488,29 @@ index 8416beb..1a164a7 100644
 +	')
 +
 +	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
- ')
- 
- ########################################
- ## <summary>
--##	Manage hugetlbfs dirs.
++')
++
++########################################
++## <summary>
 +##	Manage  hugetlbfs files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2070,17 +2641,17 @@ interface(`fs_list_hugetlbfs',`
- ##	</summary>
- ## </param>
- #
--interface(`fs_manage_hugetlbfs_dirs',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`fs_manage_hugetlbfs_files',`
- 	gen_require(`
- 		type hugetlbfs_t;
- 	')
- 
--	manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
++	gen_require(`
++		type hugetlbfs_t;
++	')
++
 +	manage_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read and write hugetlbfs files.
-+##	Execute hugetlbfs files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2088,12 +2659,13 @@ interface(`fs_manage_hugetlbfs_dirs',`
- ##	</summary>
- ## </param>
- #
--interface(`fs_rw_hugetlbfs_files',`
-+interface(`fs_exec_hugetlbfs_files',`
- 	gen_require(`
- 		type hugetlbfs_t;
- 	')
- 
--	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+    allow $1 hugetlbfs_t:dir list_dir_perms;
-+	exec_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
- ')
- 
- ########################################
-@@ -2148,11 +2720,12 @@ interface(`fs_list_inotifyfs',`
- 	')
- 
- 	allow $1 inotifyfs_t:dir list_dir_perms;
-+	fs_read_anon_inodefs_files($1)
- ')
- 
- ########################################
- ## <summary>
--##	Dontaudit List inotifyfs filesystem.
-+##	Do not audit attempts to list inotifyfs filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2297,14 +2870,332 @@ interface(`fs_getattr_iso9660_files',`
- 		type iso9660_t;
- 	')
- 
--	allow $1 iso9660_t:dir list_dir_perms;
--	allow $1 iso9660_t:file getattr;
-+	allow $1 iso9660_t:dir list_dir_perms;
-+	allow $1 iso9660_t:file getattr;
 +')
 +
 +########################################
 +## <summary>
-+##	Read files on an iso9660 filesystem, which
-+##	is usually used on CDs.
++##	Execute hugetlbfs files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -16514,38 +16518,36 @@ index 8416beb..1a164a7 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_read_iso9660_files',`
++interface(`fs_exec_hugetlbfs_files',`
 +	gen_require(`
-+		type iso9660_t;
++		type hugetlbfs_t;
 +	')
 +
-+	allow $1 iso9660_t:dir list_dir_perms;
-+	read_files_pattern($1, iso9660_t, iso9660_t)
-+	read_lnk_files_pattern($1, iso9660_t, iso9660_t)
++    allow $1 hugetlbfs_t:dir list_dir_perms;
++	exec_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
 +')
 +
-+
 +########################################
 +## <summary>
-+##	Mount kdbus filesystems.
++##	Allow the type to associate to hugetlbfs filesystems.
 +## </summary>
-+## <param name="domain">
++## <param name="type">
 +##	<summary>
-+##	Domain allowed access.
++##	The type of the object to be associated.
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_mount_kdbus', `
++interface(`fs_associate_hugetlbfs',`
 +	gen_require(`
-+		type kdbusfs_t;
++		type hugetlbfs_t;
 +	')
 +
-+	allow $1 kdbusfs_t:filesystem mount;
++	allow $1 hugetlbfs_t:filesystem associate;
 +')
 +
 +########################################
 +## <summary>
-+##	Remount kdbus filesystems.
++##	Search inotifyfs filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -16553,17 +16555,17 @@ index 8416beb..1a164a7 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_remount_kdbus', `
++interface(`fs_search_inotifyfs',`
 +	gen_require(`
-+		type kdbusfs_t;
++		type inotifyfs_t;
 +	')
 +
-+	allow $1 kdbusfs_t:filesystem remount;
++	allow $1 inotifyfs_t:dir search_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Unmount kdbus filesystems.
++##	List inotifyfs filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -16571,41 +16573,317 @@ index 8416beb..1a164a7 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_unmount_kdbus', `
++interface(`fs_list_inotifyfs',`
 +	gen_require(`
-+		type kdbusfs_t;
++		type inotifyfs_t;
 +	')
 +
-+	allow $1 kdbusfs_t:filesystem unmount;
++	allow $1 inotifyfs_t:dir list_dir_perms;
++	fs_read_anon_inodefs_files($1)
 +')
 +
 +########################################
 +## <summary>
-+##	Get attributes of kdbus filesystems.
++##	Do not audit attempts to list inotifyfs filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_getattr_kdbus',`
++interface(`fs_dontaudit_list_inotifyfs',`
 +	gen_require(`
-+		type kdbusfs_t;
++		type inotifyfs_t;
 +	')
 +
-+	allow $1 kdbusfs_t:filesystem getattr;
++	dontaudit $1 inotifyfs_t:dir list_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Search kdbusfs directories.
++##	Create an object in a hugetlbfs filesystem, with a private
++##	type using a type transition.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <param name="private type">
++##	<summary>
++##	The type of the object to be created.
++##	</summary>
++## </param>
++## <param name="object">
++##	<summary>
++##	The object class of the object being created.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++#
++interface(`fs_hugetlbfs_filetrans',`
++	gen_require(`
++		type hugetlbfs_t;
++	')
++
++	allow $2 hugetlbfs_t:filesystem associate;
++	filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
++')
++
++########################################
++## <summary>
++##	Mount an iso9660 filesystem, which
++##	is usually used on CDs.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_dontaudit_manage_fusefs_files',`
++interface(`fs_mount_iso9660_fs',`
+ 	gen_require(`
+-		type fusefs_t;
++		type iso9660_t;
+ 	')
+ 
+-	dontaudit $1 fusefs_t:file manage_file_perms;
++	allow $1 iso9660_t:filesystem mount;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read symbolic links on a FUSEFS filesystem.
++##	Remount an iso9660 filesystem, which
++##	is usually used on CDs.  This allows
++##	some mount options to be changed.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2014,19 +2807,18 @@ interface(`fs_dontaudit_manage_fusefs_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_read_fusefs_symlinks',`
++interface(`fs_remount_iso9660_fs',`
+ 	gen_require(`
+-		type fusefs_t;
++		type iso9660_t;
+ 	')
+ 
+-	allow $1 fusefs_t:dir list_dir_perms;
+-	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
++	allow $1 iso9660_t:filesystem remount;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of an hugetlbfs
+-##	filesystem.
++##	Unmount an iso9660 filesystem, which
++##	is usually used on CDs.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2034,35 +2826,38 @@ interface(`fs_read_fusefs_symlinks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_getattr_hugetlbfs',`
++interface(`fs_unmount_iso9660_fs',`
+ 	gen_require(`
+-		type hugetlbfs_t;
++		type iso9660_t;
+ 	')
+ 
+-	allow $1 hugetlbfs_t:filesystem getattr;
++	allow $1 iso9660_t:filesystem unmount;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List hugetlbfs.
++##	Get the attributes of an iso9660
++##	filesystem, which is usually used on CDs.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`fs_list_hugetlbfs',`
++interface(`fs_getattr_iso9660_fs',`
+ 	gen_require(`
+-		type hugetlbfs_t;
++		type iso9660_t;
+ 	')
+ 
+-	allow $1 hugetlbfs_t:dir list_dir_perms;
++	allow $1 iso9660_t:filesystem getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Manage hugetlbfs dirs.
++##	Read files on an iso9660 filesystem, which
++##	is usually used on CDs.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2070,17 +2865,19 @@ interface(`fs_list_hugetlbfs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_manage_hugetlbfs_dirs',`
++interface(`fs_getattr_iso9660_files',`
+ 	gen_require(`
+-		type hugetlbfs_t;
++		type iso9660_t;
+ 	')
+ 
+-	manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
++	allow $1 iso9660_t:dir list_dir_perms;
++	allow $1 iso9660_t:file getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write hugetlbfs files.
++##	Read files on an iso9660 filesystem, which
++##	is usually used on CDs.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2088,35 +2885,38 @@ interface(`fs_manage_hugetlbfs_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_rw_hugetlbfs_files',`
++interface(`fs_read_iso9660_files',`
+ 	gen_require(`
+-		type hugetlbfs_t;
++		type iso9660_t;
+ 	')
+ 
+-	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
++	allow $1 iso9660_t:dir list_dir_perms;
++	read_files_pattern($1, iso9660_t, iso9660_t)
++	read_lnk_files_pattern($1, iso9660_t, iso9660_t)
+ ')
+ 
++
+ ########################################
+ ## <summary>
+-##	Allow the type to associate to hugetlbfs filesystems.
++##	Mount kdbus filesystems.
+ ## </summary>
+-## <param name="type">
++## <param name="domain">
+ ##	<summary>
+-##	The type of the object to be associated.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_associate_hugetlbfs',`
++interface(`fs_mount_kdbus', `
+ 	gen_require(`
+-		type hugetlbfs_t;
++		type kdbusfs_t;
+ 	')
+ 
+-	allow $1 hugetlbfs_t:filesystem associate;
++	allow $1 kdbusfs_t:filesystem mount;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search inotifyfs filesystem.
++##	Remount kdbus filesystems.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2124,17 +2924,17 @@ interface(`fs_associate_hugetlbfs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_search_inotifyfs',`
++interface(`fs_remount_kdbus', `
+ 	gen_require(`
+-		type inotifyfs_t;
++		type kdbusfs_t;
+ 	')
+ 
+-	allow $1 inotifyfs_t:dir search_dir_perms;
++	allow $1 kdbusfs_t:filesystem remount;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List inotifyfs filesystem.
++##	Unmount kdbus filesystems.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2142,71 +2942,134 @@ interface(`fs_search_inotifyfs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_list_inotifyfs',`
++interface(`fs_unmount_kdbus', `
+ 	gen_require(`
+-		type inotifyfs_t;
++		type kdbusfs_t;
+ 	')
+ 
+-	allow $1 inotifyfs_t:dir list_dir_perms;
++	allow $1 kdbusfs_t:filesystem unmount;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Dontaudit List inotifyfs filesystem.
++##	Get attributes of kdbus filesystems.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_dontaudit_list_inotifyfs',`
++interface(`fs_getattr_kdbus',`
+ 	gen_require(`
+-		type inotifyfs_t;
++		type kdbusfs_t;
+ 	')
+ 
+-	dontaudit $1 inotifyfs_t:dir list_dir_perms;
++	allow $1 kdbusfs_t:filesystem getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create an object in a hugetlbfs filesystem, with a private
+-##	type using a type transition.
++##	Search kdbusfs directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="private type">
 +#
 +interface(`fs_search_kdbus_dirs',`
 +	gen_require(`
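Review bot: `fs_list_inotifyfs` in this hunk also calls `fs_read_anon_inodefs_files($1)`, so every caller of a "list" interface gains read access to anon_inodefs files as well, while its `<summary>` still says only "List inotifyfs filesystem." Either document the extra grant, e.g. `##	List inotifyfs filesystem and read anon_inodefs files.`, or leave the interface as a pure directory listing and let callers request the anon_inodefs access explicitly. In the same hunk, `fs_exec_hugetlbfs_files` indents its `allow $1 hugetlbfs_t:dir list_dir_perms;` line with spaces where the surrounding interfaces use a tab.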
@@ -16623,10 +16901,12 @@ index 8416beb..1a164a7 100644
 +##	Relabel kdbusfs directories.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	The type of the object to be created.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="object">
 +#
 +interface(`fs_relabel_kdbus_dirs',`
 +	gen_require(`
@@ -16642,10 +16922,12 @@ index 8416beb..1a164a7 100644
 +##	List kdbusfs directories.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	The object class of the object being created.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="name" optional="true">
 +#
 +interface(`fs_list_kdbus_dirs',`
 +	gen_require(`
@@ -16681,107 +16963,137 @@ index 8416beb..1a164a7 100644
 +##	Delete kdbusfs directories.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	The name of the object being created.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_hugetlbfs_filetrans',`
 +interface(`fs_delete_kdbus_dirs', `
-+	gen_require(`
+ 	gen_require(`
+-		type hugetlbfs_t;
 +		type kdbusfs_t;
-+	')
-+
+ 	')
+ 
+-	allow $2 hugetlbfs_t:filesystem associate;
+-	filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
 +	delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
 +	fs_search_tmpfs($1)
 +	dev_search_sysfs($1)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Mount an iso9660 filesystem, which
+-##	is usually used on CDs.
 +##	Manage kdbusfs directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2214,19 +3077,19 @@ interface(`fs_hugetlbfs_filetrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_mount_iso9660_fs',`
 +interface(`fs_manage_kdbus_dirs',`
-+	gen_require(`
+ 	gen_require(`
+-		type iso9660_t;
+-	')
 +		type kdbusfs_t;
-+
+ 
+-	allow $1 iso9660_t:filesystem mount;
 +	')
 +	manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
 +	fs_search_tmpfs($1)
-+	dev_search_sysfs($1)
-+')
-+
-+########################################
-+## <summary>
++	dev_search_sysfs($1)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Remount an iso9660 filesystem, which
+-##	is usually used on CDs.  This allows
+-##	some mount options to be changed.
 +##	Read kdbusfs files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2234,18 +3097,21 @@ interface(`fs_mount_iso9660_fs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_remount_iso9660_fs',`
 +interface(`fs_read_kdbus_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type iso9660_t;
 +		type cgroup_t;
 +
-+	')
-+
+ 	')
+ 
+-	allow $1 iso9660_t:filesystem remount;
 +	read_files_pattern($1, kdbusfs_t, kdbusfs_t)
 +	read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
 +	fs_search_tmpfs($1)
 +	dev_search_sysfs($1)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Unmount an iso9660 filesystem, which
+-##	is usually used on CDs.
 +##	Write kdbusfs files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2253,38 +3119,61 @@ interface(`fs_remount_iso9660_fs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_unmount_iso9660_fs',`
 +interface(`fs_write_kdbus_files', `
-+	gen_require(`
+ 	gen_require(`
+-		type iso9660_t;
 +		type kdbusfs_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 iso9660_t:filesystem unmount;
 +	write_files_pattern($1, kdbusfs_t, kdbusfs_t)
 +	fs_search_tmpfs($1)
 +	dev_search_sysfs($1)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of an iso9660
+-##	filesystem, which is usually used on CDs.
 +##	Read and write kdbusfs files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`fs_getattr_iso9660_fs',`
 +interface(`fs_rw_kdbus_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type iso9660_t;
 +		type kdbusfs_t;
 +
-+	')
-+
+ 	')
+ 
+-	allow $1 iso9660_t:filesystem getattr;
 +	read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
 +	rw_files_pattern($1, kdbusfs_t, kdbusfs_t)
 +	fs_search_tmpfs($1)
 +	dev_search_sysfs($1)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read files on an iso9660 filesystem, which
+-##	is usually used on CDs.
 +##	Do not audit attempts to open,
 +##	get attributes, read and write
 +##	cgroup files.
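Review bot: `fs_read_kdbus_files` declares `type cgroup_t;` in its `gen_require` block, yet every rule in its body references `kdbusfs_t`, so the interface requires a type it never uses and uses one it never requires. The line should read `type kdbusfs_t;`, as in the sibling `fs_write_kdbus_files` and `fs_rw_kdbus_files`; the regenerated patch carries the mismatch over unchanged. The summary that closes this hunk ("Do not audit attempts to open, get attributes, read and write cgroup files.") sits among the kdbus interfaces, and its body is outside the hunk, so it is worth checking that text against the rule it documents.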
@@ -16803,19 +17115,23 @@ index 8416beb..1a164a7 100644
 +########################################
 +## <summary>
 +##	Manage kdbusfs files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2292,19 +3181,21 @@ interface(`fs_getattr_iso9660_fs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_getattr_iso9660_files',`
 +interface(`fs_manage_kdbus_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type iso9660_t;
 +		type kdbusfs_t;
 +
-+	')
-+
+ 	')
+ 
+-	allow $1 iso9660_t:dir list_dir_perms;
+-	allow $1 iso9660_t:file getattr;
 +	manage_files_pattern($1, kdbusfs_t, kdbusfs_t)
 +	manage_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
 +	fs_search_tmpfs($1)
@@ -16851,11 +17167,17 @@ index 8416beb..1a164a7 100644
  ########################################
  ## <summary>
  ##	Mount a NFS filesystem.
-@@ -2398,6 +3288,24 @@ interface(`fs_getattr_nfs',`
+@@ -2356,44 +3246,62 @@ interface(`fs_remount_nfs',`
+ 		type nfs_t;
+ 	')
  
- ########################################
- ## <summary>
-+##	Set the attributes of nfs directories.
+-	allow $1 nfs_t:filesystem remount;
++	allow $1 nfs_t:filesystem remount;
++')
++
++########################################
++## <summary>
++##	Unmount a NFS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -16863,19 +17185,59 @@ index 8416beb..1a164a7 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_setattr_nfs_dirs',`
++interface(`fs_unmount_nfs',`
 +	gen_require(`
 +		type nfs_t;
 +	')
 +
-+	allow $1 nfs_t:dir setattr;
-+')
-+
-+########################################
-+## <summary>
- ##	Search directories on a NFS filesystem.
++	allow $1 nfs_t:filesystem unmount;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Unmount a NFS filesystem.
++##	Get the attributes of a NFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`fs_unmount_nfs',`
++interface(`fs_getattr_nfs',`
+ 	gen_require(`
+ 		type nfs_t;
+ 	')
+ 
+-	allow $1 nfs_t:filesystem unmount;
++	allow $1 nfs_t:filesystem getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of a NFS filesystem.
++##	Set the attributes of nfs directories.
  ## </summary>
  ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`fs_getattr_nfs',`
++interface(`fs_setattr_nfs_dirs',`
+ 	gen_require(`
+ 		type nfs_t;
+ 	')
+ 
+-	allow $1 nfs_t:filesystem getattr;
++	allow $1 nfs_t:dir setattr;
+ ')
+ 
+ ########################################
 @@ -2485,6 +3393,7 @@ interface(`fs_read_nfs_files',`
  		type nfs_t;
  	')
@@ -17167,10 +17529,25 @@ index 8416beb..1a164a7 100644
  ## <summary>
  ##	Read and write NFS server files.
  ## </summary>
-@@ -3281,6 +4363,42 @@ interface(`fs_rw_nfsd_fs',`
- 	rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
- ')
+@@ -3283,6 +4365,59 @@ interface(`fs_rw_nfsd_fs',`
  
+ ########################################
+ ## <summary>
++##	Getattr files on an nsfs filesystem
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_getattr_nsfs_files',`
++	gen_require(`
++		type nsfs_t;
++	')
++
++	getattr_files_pattern($1, nsfs_t, nsfs_t)
++')
 +#######################################
 +## <summary>
 +##  Read nsfs inodes (e.g. /proc/pid/ns/uts)
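Review bot: The new `fs_getattr_nsfs_files` interface ends with `')` and runs straight into the `#######` banner of the next interface, with no blank line between them as the other interfaces in this file have. Its summary `Getattr files on an nsfs filesystem` also lacks the trailing period and the wording the neighbouring interfaces use; suggest `##	Get the attributes of files on an nsfs filesystem.` and a blank line after the closing `')`. The `gen_require` for `nsfs_t` matches the type used by `getattr_files_pattern`, so the rule itself is consistent.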
@@ -17207,10 +17584,12 @@ index 8416beb..1a164a7 100644
 +	manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
 +')
 +
- ########################################
- ## <summary>
++########################################
++## <summary>
  ##	Allow the type to associate to ramfs filesystems.
-@@ -3392,7 +4510,7 @@ interface(`fs_search_ramfs',`
+ ## </summary>
+ ## <param name="type">
+@@ -3392,7 +4527,7 @@ interface(`fs_search_ramfs',`
  
  ########################################
  ## <summary>
@@ -17219,7 +17598,7 @@ index 8416beb..1a164a7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3429,7 +4547,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4564,7 @@ interface(`fs_manage_ramfs_dirs',`
  
  ########################################
  ## <summary>
@@ -17228,7 +17607,7 @@ index 8416beb..1a164a7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3447,7 +4565,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4582,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
  
  ########################################
  ## <summary>
@@ -17237,7 +17616,7 @@ index 8416beb..1a164a7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3779,6 +4897,24 @@ interface(`fs_mount_tmpfs',`
+@@ -3779,6 +4914,24 @@ interface(`fs_mount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -17262,7 +17641,7 @@ index 8416beb..1a164a7 100644
  ##	Remount a tmpfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3815,6 +4951,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +4968,24 @@ interface(`fs_unmount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -17287,7 +17666,7 @@ index 8416beb..1a164a7 100644
  ##	Get the attributes of a tmpfs
  ##	filesystem.
  ## </summary>
-@@ -3839,39 +4993,76 @@ interface(`fs_getattr_tmpfs',`
+@@ -3839,39 +5010,76 @@ interface(`fs_getattr_tmpfs',`
  ## </summary>
  ## <param name="type">
  ##	<summary>
@@ -17373,7 +17752,7 @@ index 8416beb..1a164a7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3879,36 +5070,35 @@ interface(`fs_relabelfrom_tmpfs',`
+@@ -3879,36 +5087,35 @@ interface(`fs_relabelfrom_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -17417,7 +17796,7 @@ index 8416beb..1a164a7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3916,35 +5106,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,35 +5123,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -17461,7 +17840,7 @@ index 8416beb..1a164a7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3952,17 +5143,17 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +5160,17 @@ interface(`fs_setattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -17482,7 +17861,7 @@ index 8416beb..1a164a7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3970,31 +5161,30 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +5178,30 @@ interface(`fs_search_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -17520,7 +17899,7 @@ index 8416beb..1a164a7 100644
  ')
  
  ########################################
-@@ -4105,7 +5295,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4105,7 +5312,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
  		type tmpfs_t;
  	')
  
@@ -17529,7 +17908,7 @@ index 8416beb..1a164a7 100644
  ')
  
  ########################################
-@@ -4165,6 +5355,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4165,6 +5372,24 @@ interface(`fs_rw_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -17554,7 +17933,7 @@ index 8416beb..1a164a7 100644
  ##	Read tmpfs link files.
  ## </summary>
  ## <param name="domain">
-@@ -4202,7 +5410,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4202,7 +5427,7 @@ interface(`fs_rw_tmpfs_chr_files',`
  
  ########################################
  ## <summary>
@@ -17563,7 +17942,7 @@ index 8416beb..1a164a7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4221,6 +5429,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4221,6 +5446,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -17624,7 +18003,7 @@ index 8416beb..1a164a7 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4278,6 +5540,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4278,6 +5557,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
  
  ########################################
  ## <summary>
@@ -17669,7 +18048,7 @@ index 8416beb..1a164a7 100644
  ##	Read and write, create and delete generic
  ##	files on tmpfs filesystems.
  ## </summary>
-@@ -4297,6 +5597,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4297,6 +5614,25 @@ interface(`fs_manage_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -17695,7 +18074,7 @@ index 8416beb..1a164a7 100644
  ##	Read and write, create and delete symbolic
  ##	links on tmpfs filesystems.
  ## </summary>
-@@ -4407,6 +5726,25 @@ interface(`fs_search_xenfs',`
+@@ -4407,6 +5743,25 @@ interface(`fs_search_xenfs',`
  	allow $1 xenfs_t:dir search_dir_perms;
  ')
  
@@ -17721,7 +18100,7 @@ index 8416beb..1a164a7 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete directories
-@@ -4503,6 +5841,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +5858,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -17730,7 +18109,7 @@ index 8416beb..1a164a7 100644
  ')
  
  ########################################
-@@ -4549,7 +5889,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +5906,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -17739,7 +18118,7 @@ index 8416beb..1a164a7 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4596,6 +5936,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +5953,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
  
  ########################################
  ## <summary>
@@ -17766,7 +18145,7 @@ index 8416beb..1a164a7 100644
  ##	Get the quotas of all filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4671,6 +6031,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +6048,25 @@ interface(`fs_getattr_all_dirs',`
  
  ########################################
  ## <summary>
@@ -17792,7 +18171,7 @@ index 8416beb..1a164a7 100644
  ##	Search all directories with a filesystem type.
  ## </summary>
  ## <param name="domain">
-@@ -4912,3 +6291,63 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6308,63 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -24884,7 +25263,7 @@ index 76d9f66..5c271ce 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..3ad1b1f 100644
+index fe0c682..60003bc 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,11 @@
@@ -25231,12 +25610,12 @@ index fe0c682..3ad1b1f 100644
 -		# transition back to normal privs upon exec
 -		fs_cifs_domtrans($1_ssh_agent_t, $3)
 -	')
--
++	userdom_home_manager($1_ssh_agent_t)
+ 
 -	optional_policy(`
 -		nis_use_ypbind($1_ssh_agent_t)
 -	')
-+	userdom_home_manager($1_ssh_agent_t)
- 
+-
 -	optional_policy(`
 -		xserver_use_xdm_fds($1_ssh_agent_t)
 -		xserver_rw_xdm_pipes($1_ssh_agent_t)
@@ -25251,7 +25630,7 @@ index fe0c682..3ad1b1f 100644
  
 -	allow $1 sshd_t:fifo_file { getattr read };
 +	allow $1 sshd_t:fifo_file read_fifo_file_perms;
- ')
++')
 +
 +######################################
 +## <summary>
@@ -25269,7 +25648,7 @@ index fe0c682..3ad1b1f 100644
 +    ')
 +
 +    allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms;
-+')
+ ')
 +
  ########################################
  ## <summary>
@@ -25360,7 +25739,7 @@ index fe0c682..3ad1b1f 100644
  ##	Read ssh home directory content
  ## </summary>
  ## <param name="domain">
-@@ -701,6 +758,50 @@ interface(`ssh_domtrans_keygen',`
+@@ -701,6 +758,68 @@ interface(`ssh_domtrans_keygen',`
  
  ########################################
  ## <summary>
@@ -25408,10 +25787,28 @@ index fe0c682..3ad1b1f 100644
 +
 +########################################
 +## <summary>
++##	Getattr ssh server keys
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`ssh_getattr_server_keys',`
++	gen_require(`
++		type sshd_key_t;
++	')
++
++	allow $1 sshd_key_t:file getattr_file_perms;
++')
++
++########################################
++## <summary>
  ##	Read ssh server keys
  ## </summary>
  ## <param name="domain">
-@@ -714,7 +815,26 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -714,7 +833,26 @@ interface(`ssh_dontaudit_read_server_keys',`
  		type sshd_key_t;
  	')
  
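Review bot: The `<param>` description on the new `ssh_getattr_server_keys` interface reads "Domain to not audit.", but the body is an `allow` rule (`allow $1 sshd_key_t:file getattr_file_perms;`), not a `dontaudit`. The text looks carried over from a dontaudit interface and should read `##	Domain allowed access.`, so the generated interface documentation does not understate what callers are granted. The summary could also follow the file's usual phrasing, e.g. `##	Get the attributes of ssh server keys.`.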
@@ -25439,7 +25836,7 @@ index fe0c682..3ad1b1f 100644
  ')
  
  ######################################
-@@ -754,3 +874,151 @@ interface(`ssh_delete_tmp',`
+@@ -754,3 +892,151 @@ interface(`ssh_delete_tmp',`
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')
@@ -26429,7 +26826,7 @@ index 8274418..12a5645 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..7d0c3c3 100644
+index 6bf0ecc..e6be63a 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -18,100 +18,36 @@
@@ -27402,7 +27799,7 @@ index 6bf0ecc..7d0c3c3 100644
  ')
  
  ########################################
-@@ -1111,8 +1412,10 @@ interface(`xserver_domtrans',`
+@@ -1111,8 +1412,28 @@ interface(`xserver_domtrans',`
  		type xserver_t, xserver_exec_t;
  	')
  
@@ -27411,10 +27808,28 @@ index 6bf0ecc..7d0c3c3 100644
  	domtrans_pattern($1, xserver_exec_t, xserver_t)
 +
 +	allow xserver_t $1:process getpgid;
++')
++
++########################################
++## <summary>
++##	Allow execute the X server.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`xserver_exec',`
++	gen_require(`
++		type xserver_exec_t;
++	')
++
++	can_exec($1, xserver_exec_t)
  ')
  
  ########################################
-@@ -1210,6 +1513,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
+@@ -1210,6 +1531,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
  
  ########################################
  ## <summary>
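Review bot: The documentation on the new `xserver_exec` interface does not match its body. The parameter is described as "Domain allowed to transition.", yet the interface only calls `can_exec($1, xserver_exec_t)` and contains no `domtrans_pattern`, so the caller would run the binary in its own domain. Suggest `##	Execute the X server in the caller domain.` for the summary and `##	Domain allowed access.` for the parameter. The distinction matters when auditing callers, because X server code would run with the caller's permissions rather than in `xserver_t`.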
@@ -27440,7 +27855,7 @@ index 6bf0ecc..7d0c3c3 100644
  ##	Connect to the X server over a unix domain
  ##	stream socket.
  ## </summary>
-@@ -1226,6 +1548,26 @@ interface(`xserver_stream_connect',`
+@@ -1226,6 +1566,26 @@ interface(`xserver_stream_connect',`
  
  	files_search_tmp($1)
  	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -27467,7 +27882,7 @@ index 6bf0ecc..7d0c3c3 100644
  ')
  
  ########################################
-@@ -1251,7 +1593,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1611,7 @@ interface(`xserver_read_tmp_files',`
  ## <summary>
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain permission to read the
@@ -27476,7 +27891,7 @@ index 6bf0ecc..7d0c3c3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1261,13 +1603,27 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1621,27 @@ interface(`xserver_read_tmp_files',`
  #
  interface(`xserver_manage_core_devices',`
  	gen_require(`
@@ -27505,7 +27920,7 @@ index 6bf0ecc..7d0c3c3 100644
  ')
  
  ########################################
-@@ -1284,10 +1640,662 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1658,662 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -33720,7 +34135,7 @@ index 79a45f6..e69fa39 100644
 +    allow $1 init_var_lib_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..4eb70c7 100644
+index 17eda24..528f36a 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -34015,7 +34430,7 @@ index 17eda24..4eb70c7 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +323,243 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +323,247 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -34056,16 +34471,15 @@ index 17eda24..4eb70c7 100644
 +optional_policy(`
 +	kdump_read_crash(init_t)
 +	kdump_read_config(init_t)
- ')
- 
- optional_policy(`
--	auth_rw_login_records(init_t)
++')
++
++optional_policy(`
 +	gnome_filetrans_home_content(init_t)
 +	gnome_manage_data(init_t)
 +	gnome_manage_config(init_t)
- ')
- 
- optional_policy(`
++')
++
++optional_policy(`
 +	iscsi_read_lib_files(init_t)
 +	iscsi_manage_lock(init_t)
 +')
@@ -34073,9 +34487,10 @@ index 17eda24..4eb70c7 100644
 +optional_policy(`
 +	modutils_domtrans_insmod(init_t)
 +	modutils_list_module_config(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	auth_rw_login_records(init_t)
 +	postfix_exec(init_t)
 +	postfix_list_spool(init_t)
 +	mta_read_config(init_t)
@@ -34231,9 +34646,9 @@ index 17eda24..4eb70c7 100644
 +optional_policy(`
 +	lvm_rw_pipes(init_t)
 +	lvm_read_config(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
 +	consolekit_manage_log(init_t)
 +')
 +
@@ -34265,10 +34680,14 @@ index 17eda24..4eb70c7 100644
 +	plymouthd_stream_connect(init_t)
 +	plymouthd_exec_plymouth(init_t)
 +	plymouthd_filetrans_named_content(init_t)
++')
++
++optional_policy(`
++	ssh_getattr_server_keys(init_t)
  ')
  
  optional_policy(`
-@@ -216,7 +567,30 @@ optional_policy(`
+@@ -216,7 +571,30 @@ optional_policy(`
  ')
  
  optional_policy(`
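Review bot: The new `ssh_getattr_server_keys(init_t)` block has no comment saying why init needs to stat the sshd host keys. The spec changelog in this commit ties the interface to running sshd-keygen on a second boot (rhbz#1299106). A one-line comment above the call, such as `# check for existing sshd host keys before running sshd-keygen, rhbz#1299106`, would keep that reason next to the rule. Presumably the access comes from a condition on the key files in the unit, which is worth confirming before settling the wording.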
@@ -34300,7 +34719,7 @@ index 17eda24..4eb70c7 100644
  ')
  
  ########################################
-@@ -225,9 +599,9 @@ optional_policy(`
+@@ -225,9 +603,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -34312,7 +34731,7 @@ index 17eda24..4eb70c7 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -258,12 +632,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +636,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -34329,7 +34748,7 @@ index 17eda24..4eb70c7 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +657,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +661,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -34372,7 +34791,7 @@ index 17eda24..4eb70c7 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +694,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +698,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -34384,7 +34803,7 @@ index 17eda24..4eb70c7 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -313,8 +706,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +710,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -34395,7 +34814,7 @@ index 17eda24..4eb70c7 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -322,8 +717,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +721,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -34405,7 +34824,7 @@ index 17eda24..4eb70c7 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -332,7 +726,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +730,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -34413,7 +34832,7 @@ index 17eda24..4eb70c7 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -340,6 +733,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +737,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -34421,7 +34840,7 @@ index 17eda24..4eb70c7 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -347,14 +741,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +745,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -34439,7 +34858,7 @@ index 17eda24..4eb70c7 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -364,8 +759,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +763,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -34453,7 +34872,7 @@ index 17eda24..4eb70c7 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -375,10 +774,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +778,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -34467,7 +34886,7 @@ index 17eda24..4eb70c7 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -387,8 +787,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +791,10 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -34478,7 +34897,7 @@ index 17eda24..4eb70c7 100644
  
  storage_getattr_fixed_disk_dev(initrc_t)
  storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +800,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +804,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -34486,7 +34905,7 @@ index 17eda24..4eb70c7 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -416,20 +819,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +823,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -34510,7 +34929,7 @@ index 17eda24..4eb70c7 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +852,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +856,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -34518,7 +34937,7 @@ index 17eda24..4eb70c7 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +886,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +890,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -34529,7 +34948,7 @@ index 17eda24..4eb70c7 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -506,7 +910,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +914,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -34538,7 +34957,7 @@ index 17eda24..4eb70c7 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -521,6 +925,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +929,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -34546,7 +34965,7 @@ index 17eda24..4eb70c7 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +946,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +950,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -34554,7 +34973,7 @@ index 17eda24..4eb70c7 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +956,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +960,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -34599,7 +35018,7 @@ index 17eda24..4eb70c7 100644
  	')
  
  	optional_policy(`
-@@ -559,14 +1001,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1005,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -34631,7 +35050,7 @@ index 17eda24..4eb70c7 100644
  	')
  ')
  
-@@ -577,6 +1036,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1040,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -34671,7 +35090,7 @@ index 17eda24..4eb70c7 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1081,8 @@ optional_policy(`
+@@ -589,6 +1085,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -34680,7 +35099,7 @@ index 17eda24..4eb70c7 100644
  ')
  
  optional_policy(`
-@@ -610,6 +1104,7 @@ optional_policy(`
+@@ -610,6 +1108,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -34688,7 +35107,7 @@ index 17eda24..4eb70c7 100644
  ')
  
  optional_policy(`
-@@ -626,6 +1121,17 @@ optional_policy(`
+@@ -626,6 +1125,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34706,7 +35125,7 @@ index 17eda24..4eb70c7 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -642,9 +1148,13 @@ optional_policy(`
+@@ -642,9 +1152,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -34720,7 +35139,7 @@ index 17eda24..4eb70c7 100644
  	')
  
  	optional_policy(`
-@@ -657,15 +1167,11 @@ optional_policy(`
+@@ -657,15 +1171,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34738,7 +35157,7 @@ index 17eda24..4eb70c7 100644
  ')
  
  optional_policy(`
-@@ -686,6 +1192,15 @@ optional_policy(`
+@@ -686,6 +1196,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34754,7 +35173,7 @@ index 17eda24..4eb70c7 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -726,6 +1241,7 @@ optional_policy(`
+@@ -726,6 +1245,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -34762,7 +35181,7 @@ index 17eda24..4eb70c7 100644
  ')
  
  optional_policy(`
-@@ -743,7 +1259,13 @@ optional_policy(`
+@@ -743,7 +1263,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34777,7 +35196,7 @@ index 17eda24..4eb70c7 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -766,6 +1288,10 @@ optional_policy(`
+@@ -766,6 +1292,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34788,7 +35207,7 @@ index 17eda24..4eb70c7 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -775,10 +1301,20 @@ optional_policy(`
+@@ -775,10 +1305,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34809,7 +35228,7 @@ index 17eda24..4eb70c7 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -787,6 +1323,10 @@ optional_policy(`
+@@ -787,6 +1327,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34820,7 +35239,7 @@ index 17eda24..4eb70c7 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -808,8 +1348,6 @@ optional_policy(`
+@@ -808,8 +1352,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -34829,7 +35248,7 @@ index 17eda24..4eb70c7 100644
  ')
  
  optional_policy(`
-@@ -818,6 +1356,10 @@ optional_policy(`
+@@ -818,6 +1360,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34840,7 +35259,7 @@ index 17eda24..4eb70c7 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -827,10 +1369,12 @@ optional_policy(`
+@@ -827,10 +1373,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -34853,7 +35272,7 @@ index 17eda24..4eb70c7 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1401,60 @@ optional_policy(`
+@@ -857,21 +1405,60 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34915,7 +35334,7 @@ index 17eda24..4eb70c7 100644
  ')
  
  optional_policy(`
-@@ -887,6 +1470,10 @@ optional_policy(`
+@@ -887,6 +1474,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34926,7 +35345,7 @@ index 17eda24..4eb70c7 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -897,3 +1484,218 @@ optional_policy(`
+@@ -897,3 +1488,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 81a1fe2..b31e8a4 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -589,7 +589,7 @@ index 058d908..ee0c559 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..5ad038c 100644
+index eb50f07..11582eb 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -839,9 +839,9 @@ index eb50f07..5ad038c 100644
 +logging_read_syslog_pid(abrt_t)
 +
 +auth_use_nsswitch(abrt_t)
- 
-+init_read_utmp(abrt_t)
 +
++init_read_utmp(abrt_t)
+ 
 +miscfiles_read_generic_certs(abrt_t)
  miscfiles_read_public_files(abrt_t)
 +miscfiles_dontaudit_access_check_cert(abrt_t)
@@ -1044,7 +1044,7 @@ index eb50f07..5ad038c 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +468,71 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +468,76 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -1109,6 +1109,7 @@ index eb50f07..5ad038c 100644
 +fs_getattr_all_fs(abrt_dump_oops_t)
  fs_list_inotifyfs(abrt_dump_oops_t)
 +fs_list_pstorefs(abrt_dump_oops_t)
++fs_getattr_nsfs_files(abrt_dump_oops_t)
 +
 +selinux_compute_create_context(abrt_dump_oops_t)
  
@@ -1117,10 +1118,14 @@ index eb50f07..5ad038c 100644
 +logging_send_syslog_msg(abrt_dump_oops_t)
 +
 +init_read_var_lib_files(abrt_dump_oops_t)
++
++optional_policy(`
++	xserver_exec(abrt_dump_oops_t)
++')
  
  #######################################
  #
-@@ -404,25 +540,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +545,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
  #
  
  allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
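Review bot: `xserver_exec(abrt_dump_oops_t)` appears to grant more than the stated need. The changelog entry for this rule says abrt_dump_oops_t has to "check permissions for a /usr/bin/Xorg", but `xserver_exec` is defined in this same commit as `can_exec($1, xserver_exec_t)`, which lets the domain execute the X server binary without a transition. If the denial behind rhbz#1284967 was only a stat or access check, a getattr-only interface on `xserver_exec_t` would satisfy it without letting abrt_dump_oops_t run Xorg code in its own domain. If execution really is required, a comment saying so above the `optional_policy` block would help the next reviewer.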
@@ -1183,7 +1188,7 @@ index eb50f07..5ad038c 100644
  ')
  
  #######################################
-@@ -430,10 +601,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +606,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
  # Global local policy
  #
  
@@ -28320,7 +28325,7 @@ index 21d7b84..0e272bd 100644
  
  /etc/firewalld(/.*)?	gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
 diff --git a/firewalld.if b/firewalld.if
-index c62c567..2d9e254 100644
+index c62c567..a74f123 100644
 --- a/firewalld.if
 +++ b/firewalld.if
 @@ -2,7 +2,7 @@
@@ -28401,7 +28406,7 @@ index c62c567..2d9e254 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -51,18 +93,37 @@ interface(`firewalld_dbus_chat',`
+@@ -51,18 +93,55 @@ interface(`firewalld_dbus_chat',`
  ##	</summary>
  ## </param>
  #
@@ -28413,12 +28418,10 @@ index c62c567..2d9e254 100644
  
 -	dontaudit $1 firewalld_tmp_t:file { read write };
 +	dontaudit $1 firewalld_tmp_t:file write;
- ')
- 
- ########################################
- ## <summary>
--##	All of the rules required to
--##	administrate an firewalld environment.
++')
++
++########################################
++## <summary>
 +##	Read firewalld PID files.
 +## </summary>
 +## <param name="domain">
@@ -28438,12 +28441,32 @@ index c62c567..2d9e254 100644
 +
 +########################################
 +## <summary>
++##	Dontaudit read and write leaked firewalld file descriptors 
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`firewalld_dontaudit_leaks',`
++	gen_require(`
++		type firewalld_tmpfs_t;
++	')
++
++	dontaudit $1 firewalld_tmpfs_t:file rw_inherited_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	All of the rules required to
+-##	administrate an firewalld environment.
 +##	All of the rules required to administrate
 +##	an firewalld environment
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -79,14 +140,18 @@ interface(`firewalld_dontaudit_rw_tmp_files',`
+@@ -79,14 +158,18 @@ interface(`firewalld_dontaudit_rw_tmp_files',`
  interface(`firewalld_admin',`
  	gen_require(`
  		type firewalld_t, firewalld_initrc_exec_t;
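Review bot: The summary of the new `firewalld_dontaudit_leaks` interface says "leaked firewalld file descriptors", but the rule is `dontaudit $1 firewalld_tmpfs_t:file rw_inherited_file_perms;`. That silences read/write on inherited tmpfs files, not use of `firewalld_t` descriptors. Suggest `##	Do not audit attempts to read and write inherited firewalld tmpfs files.`, which also drops the trailing space on the current summary line. Because dontaudit rules keep denials out of the audit log, an accurate summary helps anyone later working out why an access by a calling domain left no AVC record. No caller of the interface is visible in this part of the diff.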
@@ -28465,7 +28488,7 @@ index c62c567..2d9e254 100644
  	domain_system_change_exemption($1)
  	role_transition $2 firewalld_initrc_exec_t system_r;
  	allow $2 system_r;
-@@ -97,6 +162,9 @@ interface(`firewalld_admin',`
+@@ -97,6 +180,9 @@ interface(`firewalld_admin',`
  	logging_search_logs($1)
  	admin_pattern($1, firewalld_var_log_t)
  
@@ -29656,13 +29679,15 @@ index 36838c2..8bfc879 100644
 -')
 diff --git a/fwupd.fc b/fwupd.fc
 new file mode 100644
-index 0000000..1f13f70
+index 0000000..859dc40
 --- /dev/null
 +++ b/fwupd.fc
-@@ -0,0 +1,8 @@
+@@ -0,0 +1,10 @@
 +/usr/lib/systemd/system/fwupd-offline-update.*		--	gen_context(system_u:object_r:fwupd_unit_file_t,s0)
 +/usr/lib/systemd/system/fwupd.*		--	gen_context(system_u:object_r:fwupd_unit_file_t,s0)
 +
++/etc/pki/(fwupd|fwupd-metadata)(/.*)?		gen_context(system_u:object_r:fwupd_cert_t,s0)
++
 +/usr/libexec/fwupd/fwupd		--	gen_context(system_u:object_r:fwupd_exec_t,s0)
 +
 +/var/cache/app-info(/.*)?		gen_context(system_u:object_r:fwupd_cache_t,s0)
@@ -29936,10 +29961,10 @@ index 0000000..c4d2c2d
 +')
 diff --git a/fwupd.te b/fwupd.te
 new file mode 100644
-index 0000000..53ba6cd
+index 0000000..3dd3dc8
 --- /dev/null
 +++ b/fwupd.te
-@@ -0,0 +1,50 @@
+@@ -0,0 +1,60 @@
 +policy_module(fwupd, 1.0.0)
 +
 +########################################
@@ -29954,6 +29979,9 @@ index 0000000..53ba6cd
 +type fwupd_cache_t;
 +files_type(fwupd_cache_t)
 +
++type fwupd_cert_t;
++miscfiles_cert_type(fwupd_cert_t)
++
 +type fwupd_var_lib_t;
 +files_type(fwupd_var_lib_t)
 +
@@ -29973,6 +30001,10 @@ index 0000000..53ba6cd
 +manage_lnk_files_pattern(fwupd_t, fwupd_cache_t, fwupd_cache_t)
 +files_var_filetrans(fwupd_t, fwupd_cache_t, { dir })
 +
++allow fwupd_t fwupd_cert_t:dir list_dir_perms;
++read_files_pattern(fwupd_t, fwupd_cert_t, fwupd_cert_t)
++read_lnk_files_pattern(fwupd_t, fwupd_cert_t, fwupd_cert_t)
++
 +manage_dirs_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t)
 +manage_files_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t)
 +manage_lnk_files_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t)
@@ -29989,6 +30021,9 @@ index 0000000..53ba6cd
 +
 +optional_policy(`
 +	dbus_system_domain(fwupd_t,fwupd_exec_t)
++	optional_policy(`
++		policykit_dbus_chat(fwupd_t)
++	')
 +')
 diff --git a/games.if b/games.if
 index e2a3e0d..50ebd40 100644
@@ -74520,7 +74555,7 @@ index cd8b8b9..2cfa88a 100644
 +	allow $1 pppd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ppp.te b/ppp.te
-index d616ca3..8ccefd5 100644
+index d616ca3..e4fc9c0 100644
 --- a/ppp.te
 +++ b/ppp.te
 @@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0)
@@ -74649,13 +74684,14 @@ index d616ca3..8ccefd5 100644
  
  manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
  manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
-+manage_sock_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
- files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file })
- 
+-files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file })
+-
 -can_exec(pppd_t, pppd_exec_t)
 -
 -domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
--
++manage_sock_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
++files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file sock_file })
+ 
  allow pppd_t pptp_t:process signal;
  
 +# for SSP
@@ -75040,7 +75076,7 @@ index 20d4697..e6605c1 100644
 +	files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache")
 +')
 diff --git a/prelink.te b/prelink.te
-index 8e26216..d59dc50 100644
+index 8e26216..98068fc 100644
 --- a/prelink.te
 +++ b/prelink.te
 @@ -6,13 +6,10 @@ policy_module(prelink, 1.11.0)
@@ -75186,7 +75222,8 @@ index 8e26216..d59dc50 100644
  
  optional_policy(`
  	allow prelink_cron_system_t self:capability setuid;
- 	allow prelink_cron_system_t self:process { setsched setfscreate signal };
+-	allow prelink_cron_system_t self:process { setsched setfscreate signal };
++	allow prelink_cron_system_t self:process { setsched setfscreate signal setrlimit };
  	allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
 -	allow prelink_cron_system_t self:unix_dgram_socket create_socket_perms;
 +	allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
@@ -107315,22 +107352,23 @@ index 9b95c3e..a892845 100644
  	init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/ulogd.te b/ulogd.te
-index de35e5f..51f2763 100644
+index de35e5f..91cac11 100644
 --- a/ulogd.te
 +++ b/ulogd.te
-@@ -29,8 +29,10 @@ logging_log_file(ulogd_var_log_t)
+@@ -29,8 +29,11 @@ logging_log_file(ulogd_var_log_t)
  allow ulogd_t self:capability { net_admin setuid setgid sys_nice };
  allow ulogd_t self:process setsched;
  allow ulogd_t self:netlink_nflog_socket create_socket_perms;
 +allow ulogd_t self:netlink_route_socket r_netlink_socket_perms;
  allow ulogd_t self:netlink_socket create_socket_perms;
 -allow ulogd_t self:tcp_socket create_stream_socket_perms;
++allow ulogd_t self:netlink_netfilter_socket create_socket_perms;
 +allow ulogd_t self:tcp_socket { create_stream_socket_perms connect };
 +allow ulogd_t self:udp_socket create_socket_perms;
  
  read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
  
-@@ -42,10 +44,7 @@ create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
+@@ -42,10 +45,7 @@ create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
  setattr_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
  logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b76d5d8..7574896 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 169%{?dist}
+Release: 170%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -664,6 +664,24 @@ exit 0
 %endif
 
 %changelog
+* Wed Feb 10 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-170
+- Allow abrt_dump_oops_t to getattr filesystem nsfs files. rhbz#1300334
+- Allow ulogd_t to create netlink_netfilter sockets. rhbz#1305426
+- Create new type fwupd_cert_t Label /etc/pki/(fwupd|fwupd-metadata) dirs as fwupd_cert_t Allow fwupd_t domain to read fwupd_cert_t files|lnk_files rhbz#1303533
+- Add interface to dontaudit leaked files from firewalld
+- fwupd needs to dbus chat with policykit
+- Allow fwupd domain transition to gpg domain. Fwupd signing firmware updates by gpg. rhbz#1303531
+- Allow abrt_dump_oops_t to check permissions for a /usr/bin/Xorg. rhbz#1284967
+- Allow prelink_cron_system_t domain set resource limits. BZ(1190364)
+- Allow pppd_t domain to create sockfiles in /var/run labeled as pppd_var_run_t label. BZ(1302666)
+- Fix wrong name for openqa_websockets tcp port.
+- Allow run sshd-keygen on second boot if first boot fails after some reason and content is not syncedon the disk. These changes are reflecting this commit in sshd. http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=af94f46861844cbd6ba4162115039bebcc8f78ba rhbz#1299106
+- Add interface ssh_getattr_server_keys() interface. rhbz#1299106
+- Added Label openqa for tcp port (9526) Added Label openqa-websockets for tcp port (9527) rhbz#1277312
+- Add interface fs_getattr_nsfs_files()
+- Add interface xserver_exec().
+- Revert "Allow all domains some process flags."BZ(1190364)
+
 * Wed Feb 03 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-169
 - Allow openvswitch domain capability sys_rawio.
 - Revert "Allow NetworkManager create dhcpc pid files. BZ(1229755)"