diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 0f02a50..03bb267 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -23797,10 +23797,10 @@ index 0000000..4165608
+')
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..45aab67
+index 0000000..c0d61f3
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,339 @@
+@@ -0,0 +1,340 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -23837,6 +23837,7 @@ index 0000000..45aab67
+userdom_manage_home_role(unconfined_r, unconfined_t)
+userdom_manage_tmp_role(unconfined_r, unconfined_t)
+userdom_unpriv_type(unconfined_t)
++userdom_login_userdomain(unconfined_t)
+
+type unconfined_exec_t;
+application_domain(unconfined_t, unconfined_exec_t)
@@ -32166,7 +32167,7 @@ index bc0ffc8..37b8ea5 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..ca8a198 100644
+index 79a45f6..9769b64 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@@ -32368,7 +32369,33 @@ index 79a45f6..ca8a198 100644
########################################
## <summary>
## Mark the file type as a daemon run dir, allowing initrc_t
-@@ -469,7 +500,6 @@ interface(`init_domtrans',`
+@@ -460,6 +491,25 @@ interface(`init_domtrans',`
+ domtrans_pattern($1, init_exec_t, init_t)
+ ')
+
++
++########################################
++## <summary>
++## Allow any file point to be the entrypoint of this domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`init_entrypoint_exec',`
++ gen_require(`
++ type init_exec_t;
++ ')
++
++ allow $1 init_exec_t:file entrypoint;
++')
++
+ ########################################
+ ## <summary>
+ ## Execute the init program in the caller domain.
+@@ -469,7 +519,6 @@ interface(`init_domtrans',`
## Domain allowed access.
## </summary>
## </param>
@@ -32376,7 +32403,7 @@ index 79a45f6..ca8a198 100644
#
interface(`init_exec',`
gen_require(`
-@@ -478,6 +508,48 @@ interface(`init_exec',`
+@@ -478,6 +527,48 @@ interface(`init_exec',`
corecmd_search_bin($1)
can_exec($1, init_exec_t)
@@ -32425,7 +32452,7 @@ index 79a45f6..ca8a198 100644
')
########################################
-@@ -566,6 +638,58 @@ interface(`init_sigchld',`
+@@ -566,6 +657,58 @@ interface(`init_sigchld',`
########################################
## <summary>
@@ -32484,7 +32511,7 @@ index 79a45f6..ca8a198 100644
## Connect to init with a unix socket.
## </summary>
## <param name="domain">
-@@ -576,10 +700,66 @@ interface(`init_sigchld',`
+@@ -576,10 +719,66 @@ interface(`init_sigchld',`
#
interface(`init_stream_connect',`
gen_require(`
@@ -32553,7 +32580,7 @@ index 79a45f6..ca8a198 100644
')
########################################
-@@ -743,22 +923,24 @@ interface(`init_write_initctl',`
+@@ -743,22 +942,24 @@ interface(`init_write_initctl',`
interface(`init_telinit',`
gen_require(`
type initctl_t;
@@ -32587,7 +32614,7 @@ index 79a45f6..ca8a198 100644
')
########################################
-@@ -787,7 +969,7 @@ interface(`init_rw_initctl',`
+@@ -787,7 +988,7 @@ interface(`init_rw_initctl',`
## </summary>
## <param name="domain">
## <summary>
@@ -32596,7 +32623,7 @@ index 79a45f6..ca8a198 100644
## </summary>
## </param>
#
-@@ -830,11 +1012,12 @@ interface(`init_script_file_entry_type',`
+@@ -830,11 +1031,12 @@ interface(`init_script_file_entry_type',`
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -32611,7 +32638,7 @@ index 79a45f6..ca8a198 100644
ifdef(`distro_gentoo',`
gen_require(`
-@@ -845,11 +1028,11 @@ interface(`init_spec_domtrans_script',`
+@@ -845,11 +1047,11 @@ interface(`init_spec_domtrans_script',`
')
ifdef(`enable_mcs',`
@@ -32625,7 +32652,7 @@ index 79a45f6..ca8a198 100644
')
')
-@@ -865,19 +1048,41 @@ interface(`init_spec_domtrans_script',`
+@@ -865,19 +1067,41 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@@ -32671,7 +32698,7 @@ index 79a45f6..ca8a198 100644
')
########################################
-@@ -933,9 +1138,14 @@ interface(`init_script_file_domtrans',`
+@@ -933,9 +1157,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -32686,7 +32713,7 @@ index 79a45f6..ca8a198 100644
files_search_etc($1)
')
-@@ -1012,6 +1222,62 @@ interface(`init_read_state',`
+@@ -1012,6 +1241,62 @@ interface(`init_read_state',`
########################################
## <summary>
@@ -32749,7 +32776,7 @@ index 79a45f6..ca8a198 100644
## Ptrace init
## </summary>
## <param name="domain">
-@@ -1026,7 +1292,9 @@ interface(`init_ptrace',`
+@@ -1026,7 +1311,9 @@ interface(`init_ptrace',`
type init_t;
')
@@ -32760,7 +32787,7 @@ index 79a45f6..ca8a198 100644
')
########################################
-@@ -1125,7 +1393,8 @@ interface(`init_getattr_all_script_files',`
+@@ -1125,7 +1412,8 @@ interface(`init_getattr_all_script_files',`
########################################
## <summary>
@@ -32770,7 +32797,7 @@ index 79a45f6..ca8a198 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1133,59 +1402,95 @@ interface(`init_getattr_all_script_files',`
+@@ -1133,26 +1421,62 @@ interface(`init_getattr_all_script_files',`
## </summary>
## </param>
#
@@ -32800,90 +32827,47 @@ index 79a45f6..ca8a198 100644
#
-interface(`init_dontaudit_read_all_script_files',`
+interface(`init_read_all_script_files',`
- gen_require(`
- attribute init_script_file_type;
- ')
-
-- dontaudit $1 init_script_file_type:file read_file_perms;
-+ files_search_etc($1)
-+ allow $1 init_script_file_type:file read_file_perms;
- ')
-
--########################################
-+#######################################
- ## <summary>
--## Execute all init scripts in the caller domain.
-+## Dontaudit getattr all init script files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`init_exec_all_script_files',`
-+interface(`init_dontaudit_getattr_all_script_files',`
- gen_require(`
- attribute init_script_file_type;
- ')
-
-- files_list_etc($1)
-- can_exec($1, init_script_file_type)
-+ dontaudit $1 init_script_file_type:file getattr;
- ')
-
--########################################
-+#######################################
- ## <summary>
--## Read the process state (/proc/pid) of the init scripts.
-+## Dontaudit read all init script files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`init_dontaudit_read_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
-+ dontaudit $1 init_script_file_type:file read_file_perms;
++ files_search_etc($1)
++ allow $1 init_script_file_type:file read_file_perms;
+')
+
-+########################################
++#######################################
+## <summary>
-+## Execute all init scripts in the caller domain.
++## Dontaudit getattr all init script files.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
-+interface(`init_exec_all_script_files',`
++interface(`init_dontaudit_getattr_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
-+ files_list_etc($1)
-+ can_exec($1, init_script_file_type)
++ dontaudit $1 init_script_file_type:file getattr;
+')
+
-+########################################
++#######################################
+## <summary>
-+## Read the process state (/proc/pid) of the init scripts.
++## Dontaudit read all init script files.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
- ## </summary>
- ## </param>
- #
-@@ -1195,12 +1500,7 @@ interface(`init_read_script_state',`
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`init_dontaudit_read_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+@@ -1195,12 +1519,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -32897,7 +32881,7 @@ index 79a45f6..ca8a198 100644
')
########################################
-@@ -1314,6 +1614,24 @@ interface(`init_signal_script',`
+@@ -1314,6 +1633,24 @@ interface(`init_signal_script',`
########################################
## <summary>
@@ -32922,7 +32906,7 @@ index 79a45f6..ca8a198 100644
## Send null signals to init scripts.
## </summary>
## <param name="domain">
-@@ -1440,6 +1758,27 @@ interface(`init_dbus_send_script',`
+@@ -1440,6 +1777,27 @@ interface(`init_dbus_send_script',`
########################################
## <summary>
## Send and receive messages from
@@ -32950,7 +32934,7 @@ index 79a45f6..ca8a198 100644
## init scripts over dbus.
## </summary>
## <param name="domain">
-@@ -1547,6 +1886,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1547,6 +1905,25 @@ interface(`init_getattr_script_status_files',`
########################################
## <summary>
@@ -32976,7 +32960,7 @@ index 79a45f6..ca8a198 100644
## Do not audit attempts to read init script
## status files.
## </summary>
-@@ -1605,6 +1963,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1605,6 +1982,24 @@ interface(`init_rw_script_tmp_files',`
########################################
## <summary>
@@ -33001,7 +32985,7 @@ index 79a45f6..ca8a198 100644
## Create files in a init script
## temporary data directory.
## </summary>
-@@ -1677,6 +2053,43 @@ interface(`init_read_utmp',`
+@@ -1677,6 +2072,43 @@ interface(`init_read_utmp',`
########################################
## <summary>
@@ -33045,7 +33029,7 @@ index 79a45f6..ca8a198 100644
## Do not audit attempts to write utmp.
## </summary>
## <param name="domain">
-@@ -1765,7 +2178,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1765,7 +2197,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -33054,7 +33038,7 @@ index 79a45f6..ca8a198 100644
')
########################################
-@@ -1806,6 +2219,133 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1806,6 +2238,133 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
')
@@ -33188,7 +33172,7 @@ index 79a45f6..ca8a198 100644
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1840,3 +2380,492 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1840,3 +2399,492 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -33682,7 +33666,7 @@ index 79a45f6..ca8a198 100644
+ read_files_pattern($1, init_var_lib_t, init_var_lib_t)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..740457b 100644
+index 17eda24..0fe1650 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -33906,7 +33890,7 @@ index 17eda24..740457b 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +256,53 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +256,55 @@ fs_list_inotifyfs(init_t)
fs_write_ramfs_sockets(init_t)
mcs_process_set_categories(init_t)
@@ -33958,13 +33942,15 @@ index 17eda24..740457b 100644
+userdom_use_user_ttys(init_t)
+userdom_manage_tmp_dirs(init_t)
+userdom_manage_tmp_sockets(init_t)
++
++userdom_transition_login_userdomain(init_t)
-miscfiles_read_localization(init_t)
+allow init_t self:process setsched;
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +311,242 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +313,242 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -34193,9 +34179,10 @@ index 17eda24..740457b 100644
+ optional_policy(`
+ devicekit_dbus_chat_power(init_t)
+ ')
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_use(init_t)
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
@@ -34206,17 +34193,16 @@ index 17eda24..740457b 100644
+optional_policy(`
+ networkmanager_stream_connect(init_t)
+ networkmanager_stream_connect(initrc_t)
- ')
-
- optional_policy(`
-- nscd_use(init_t)
++')
++
++optional_policy(`
+ plymouthd_stream_connect(init_t)
+ plymouthd_exec_plymouth(init_t)
+ plymouthd_filetrans_named_content(init_t)
')
optional_policy(`
-@@ -216,7 +554,31 @@ optional_policy(`
+@@ -216,7 +556,31 @@ optional_policy(`
')
optional_policy(`
@@ -34248,7 +34234,7 @@ index 17eda24..740457b 100644
')
########################################
-@@ -225,9 +587,9 @@ optional_policy(`
+@@ -225,9 +589,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -34260,7 +34246,7 @@ index 17eda24..740457b 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +620,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +622,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -34277,7 +34263,7 @@ index 17eda24..740457b 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +645,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +647,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -34320,7 +34306,7 @@ index 17eda24..740457b 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +682,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +684,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -34332,7 +34318,7 @@ index 17eda24..740457b 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +694,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +696,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -34343,7 +34329,7 @@ index 17eda24..740457b 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +705,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +707,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -34353,7 +34339,7 @@ index 17eda24..740457b 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +714,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +716,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -34361,7 +34347,7 @@ index 17eda24..740457b 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +721,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +723,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -34369,7 +34355,7 @@ index 17eda24..740457b 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +729,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +731,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -34387,7 +34373,7 @@ index 17eda24..740457b 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +747,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +749,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -34401,7 +34387,7 @@ index 17eda24..740457b 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +762,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +764,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -34415,7 +34401,7 @@ index 17eda24..740457b 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,8 +775,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +777,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -34426,7 +34412,7 @@ index 17eda24..740457b 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +788,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +790,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -34434,7 +34420,7 @@ index 17eda24..740457b 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +807,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +809,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -34458,7 +34444,7 @@ index 17eda24..740457b 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +840,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +842,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -34466,7 +34452,7 @@ index 17eda24..740457b 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +874,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +876,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -34477,7 +34463,7 @@ index 17eda24..740457b 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +898,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +900,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -34486,7 +34472,7 @@ index 17eda24..740457b 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +913,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +915,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -34494,7 +34480,7 @@ index 17eda24..740457b 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +934,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +936,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -34502,7 +34488,7 @@ index 17eda24..740457b 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +944,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +946,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -34547,7 +34533,7 @@ index 17eda24..740457b 100644
')
optional_policy(`
-@@ -559,14 +989,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +991,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -34579,7 +34565,7 @@ index 17eda24..740457b 100644
')
')
-@@ -577,6 +1024,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1026,39 @@ ifdef(`distro_suse',`
')
')
@@ -34619,7 +34605,7 @@ index 17eda24..740457b 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1069,8 @@ optional_policy(`
+@@ -589,6 +1071,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -34628,7 +34614,7 @@ index 17eda24..740457b 100644
')
optional_policy(`
-@@ -610,6 +1092,7 @@ optional_policy(`
+@@ -610,6 +1094,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -34636,7 +34622,7 @@ index 17eda24..740457b 100644
')
optional_policy(`
-@@ -626,6 +1109,17 @@ optional_policy(`
+@@ -626,6 +1111,17 @@ optional_policy(`
')
optional_policy(`
@@ -34654,7 +34640,7 @@ index 17eda24..740457b 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1136,13 @@ optional_policy(`
+@@ -642,9 +1138,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -34668,7 +34654,7 @@ index 17eda24..740457b 100644
')
optional_policy(`
-@@ -657,15 +1155,11 @@ optional_policy(`
+@@ -657,15 +1157,11 @@ optional_policy(`
')
optional_policy(`
@@ -34686,7 +34672,7 @@ index 17eda24..740457b 100644
')
optional_policy(`
-@@ -686,6 +1180,15 @@ optional_policy(`
+@@ -686,6 +1182,15 @@ optional_policy(`
')
optional_policy(`
@@ -34702,7 +34688,7 @@ index 17eda24..740457b 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1229,7 @@ optional_policy(`
+@@ -726,6 +1231,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -34710,7 +34696,7 @@ index 17eda24..740457b 100644
')
optional_policy(`
-@@ -743,7 +1247,13 @@ optional_policy(`
+@@ -743,7 +1249,13 @@ optional_policy(`
')
optional_policy(`
@@ -34725,7 +34711,7 @@ index 17eda24..740457b 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1276,10 @@ optional_policy(`
+@@ -766,6 +1278,10 @@ optional_policy(`
')
optional_policy(`
@@ -34736,7 +34722,7 @@ index 17eda24..740457b 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1289,20 @@ optional_policy(`
+@@ -775,10 +1291,20 @@ optional_policy(`
')
optional_policy(`
@@ -34757,7 +34743,7 @@ index 17eda24..740457b 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1311,10 @@ optional_policy(`
+@@ -787,6 +1313,10 @@ optional_policy(`
')
optional_policy(`
@@ -34768,7 +34754,7 @@ index 17eda24..740457b 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1336,6 @@ optional_policy(`
+@@ -808,8 +1338,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -34777,7 +34763,7 @@ index 17eda24..740457b 100644
')
optional_policy(`
-@@ -818,6 +1344,10 @@ optional_policy(`
+@@ -818,6 +1346,10 @@ optional_policy(`
')
optional_policy(`
@@ -34788,7 +34774,7 @@ index 17eda24..740457b 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1357,12 @@ optional_policy(`
+@@ -827,10 +1359,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -34801,7 +34787,7 @@ index 17eda24..740457b 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1389,60 @@ optional_policy(`
+@@ -857,21 +1391,60 @@ optional_policy(`
')
optional_policy(`
@@ -34863,7 +34849,7 @@ index 17eda24..740457b 100644
')
optional_policy(`
-@@ -887,6 +1458,10 @@ optional_policy(`
+@@ -887,6 +1460,10 @@ optional_policy(`
')
optional_policy(`
@@ -34874,7 +34860,7 @@ index 17eda24..740457b 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1472,218 @@ optional_policy(`
+@@ -897,3 +1474,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -38687,10 +38673,10 @@ index 79048c4..14497e9 100644
udev_read_pid_files(lvm_t)
')
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 9fe8e01..ce00ccb 100644
+index 9fe8e01..cf3a4a6 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
-@@ -9,11 +9,14 @@ ifdef(`distro_gentoo',`
+@@ -9,11 +9,15 @@ ifdef(`distro_gentoo',`
# /etc
#
/etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
@@ -38702,12 +38688,13 @@ index 9fe8e01..ce00ccb 100644
+/etc/locale.conf -- gen_context(system_u:object_r:locale_t,s0)
/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
/etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0)
++/etc/ipa/nssdb(/.*)? gen_context(system_u:object_r:cert_t,s0)
/etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
+/etc/vconsole.conf -- gen_context(system_u:object_r:locale_t,s0)
ifdef(`distro_redhat',`
/etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0)
-@@ -37,24 +40,20 @@ ifdef(`distro_redhat',`
+@@ -37,24 +41,20 @@ ifdef(`distro_redhat',`
/usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)
@@ -38737,7 +38724,7 @@ index 9fe8e01..ce00ccb 100644
/usr/X11R6/lib/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
-@@ -77,7 +76,7 @@ ifdef(`distro_redhat',`
+@@ -77,7 +77,7 @@ ifdef(`distro_redhat',`
/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
@@ -38746,7 +38733,7 @@ index 9fe8e01..ce00ccb 100644
/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
-@@ -90,6 +89,7 @@ ifdef(`distro_debian',`
+@@ -90,6 +90,7 @@ ifdef(`distro_debian',`
')
ifdef(`distro_redhat',`
@@ -45999,7 +45986,7 @@ index 0abaf84..8b34dbc 100644
-/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 5ca20a9..7261f73 100644
+index 5ca20a9..99a38b0 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -12,53 +12,57 @@
@@ -46110,7 +46097,7 @@ index 5ca20a9..7261f73 100644
')
########################################
-@@ -175,361 +185,12 @@ interface(`unconfined_alias_domain',`
+@@ -175,343 +185,12 @@ interface(`unconfined_alias_domain',`
## </param>
#
interface(`unconfined_execmem_alias_program',`
@@ -46446,25 +46433,31 @@ index 5ca20a9..7261f73 100644
- ')
-
- dontaudit $1 unconfined_t:tcp_socket { read write };
--')
--
--########################################
--## <summary>
++ refpolicywarn(`$0() has been deprecated.')
+ ')
+
+ ########################################
+ ## <summary>
-## Create keys for the unconfined domain.
--## </summary>
--## <param name="domain">
--## <summary>
--## Domain allowed access.
--## </summary>
--## </param>
--#
++## Connect to unconfined_server with a unix socket.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -519,17 +198,19 @@ interface(`unconfined_dontaudit_rw_tcp_sockets',`
+ ## </summary>
+ ## </param>
+ #
-interface(`unconfined_create_keys',`
-- gen_require(`
++interface(`unconfined_server_stream_connect',`
+ gen_require(`
- type unconfined_t;
-- ')
--
++ type unconfined_service_t;
+ ')
+
- allow $1 unconfined_t:key create;
-+ refpolicywarn(`$0() has been deprecated.')
++ files_search_pids($1)
++ files_write_generic_pid_pipes($1)
++ allow $1 unconfined_service_t:unix_stream_socket { getattr connectto };
')
########################################
@@ -46474,12 +46467,12 @@ index 5ca20a9..7261f73 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -537,19 +198,19 @@ interface(`unconfined_create_keys',`
+@@ -537,19 +218,17 @@ interface(`unconfined_create_keys',`
## </summary>
## </param>
#
-interface(`unconfined_dbus_send',`
-+interface(`unconfined_server_stream_connect',`
++interface(`unconfined_server_domtrans',`
gen_require(`
- type unconfined_t;
- class dbus send_msg;
@@ -46487,60 +46480,58 @@ index 5ca20a9..7261f73 100644
')
- allow $1 unconfined_t:dbus send_msg;
-+ files_search_pids($1)
-+ files_write_generic_pid_pipes($1)
-+ allow $1 unconfined_service_t:unix_stream_socket { getattr connectto };
++ corecmd_bin_domtrans($1, unconfined_service_t)
')
########################################
## <summary>
-## Send and receive messages from
-## unconfined_t over dbus.
-+## Connect to unconfined_server with a unix socket.
++## Allow caller domain to dbus chat unconfined_server.
## </summary>
## <param name="domain">
## <summary>
-@@ -557,20 +218,17 @@ interface(`unconfined_dbus_send',`
+@@ -557,20 +236,19 @@ interface(`unconfined_dbus_send',`
## </summary>
## </param>
#
-interface(`unconfined_dbus_chat',`
-+interface(`unconfined_server_domtrans',`
++interface(`unconfined_server_dbus_chat',`
gen_require(`
- type unconfined_t;
- class dbus send_msg;
+ type unconfined_service_t;
++ class dbus send_msg;
')
- allow $1 unconfined_t:dbus send_msg;
- allow unconfined_t $1:dbus send_msg;
-+ corecmd_bin_domtrans($1, unconfined_service_t)
++ allow $1 unconfined_service_t:dbus send_msg;
++ allow unconfined_service_t $1:dbus send_msg;
')
########################################
## <summary>
-## Connect to the the unconfined DBUS
-## for service (acquire_svc).
-+## Allow caller domain to dbus chat unconfined_server.
++## Send signull to unconfined_service_t.
## </summary>
## <param name="domain">
## <summary>
-@@ -578,11 +236,12 @@ interface(`unconfined_dbus_chat',`
+@@ -578,11 +256,10 @@ interface(`unconfined_dbus_chat',`
## </summary>
## </param>
#
-interface(`unconfined_dbus_connect',`
-+interface(`unconfined_server_dbus_chat',`
++interface(`unconfined_server_signull',`
gen_require(`
- type unconfined_t;
- class dbus acquire_svc;
+ type unconfined_service_t;
-+ class dbus send_msg;
')
- allow $1 unconfined_t:dbus acquire_svc;
-+ allow $1 unconfined_service_t:dbus send_msg;
-+ allow unconfined_service_t $1:dbus send_msg;
++ allow $1 unconfined_service_t:process signull;
')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 5fe902d..a349d18 100644
@@ -46810,7 +46801,7 @@ index db75976..c54480a 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..7811266 100644
+index 9dc60c6..48a4886 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -47811,7 +47802,7 @@ index 9dc60c6..7811266 100644
userdom_change_password_template($1)
-@@ -761,82 +1007,109 @@ template(`userdom_login_user_template', `
+@@ -761,82 +1007,112 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@@ -47889,9 +47880,12 @@ index 9dc60c6..7811266 100644
+ init_dontaudit_use_script_fds($1_usertype)
- libs_exec_lib_files($1_t)
-+ libs_exec_lib_files($1_usertype)
++ # Needed by pam_selinux.so calling in systemd-users
++ init_entrypoint_exec(login_userdomain)
- logging_dontaudit_getattr_all_logs($1_t)
++ libs_exec_lib_files($1_usertype)
++
+ logging_dontaudit_getattr_all_logs($1_usertype)
- miscfiles_read_man_pages($1_t)
@@ -47957,7 +47951,7 @@ index 9dc60c6..7811266 100644
')
')
-@@ -868,6 +1141,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1144,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -47970,7 +47964,7 @@ index 9dc60c6..7811266 100644
##############################
#
# Local policy
-@@ -907,53 +1186,137 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,53 +1189,137 @@ template(`userdom_restricted_xwindows_user_template',`
#
# Local policy
#
@@ -47999,8 +47993,7 @@ index 9dc60c6..7811266 100644
- logging_send_audit_msgs($1_t)
- selinux_get_enforce_mode($1_t)
+ libs_dontaudit_setattr_lib_files($1_usertype)
-
-- xserver_restricted_role($1_r, $1_t)
++
+ init_read_state($1_usertype)
+
+ tunable_policy(`selinuxuser_rw_noexattrfile',`
@@ -48023,10 +48016,11 @@ index 9dc60c6..7811266 100644
+ seutil_exec_restorecond($1_t)
+ seutil_read_file_contexts($1_t)
+ seutil_read_default_contexts($1_t)
-+
-+ xserver_restricted_role($1_r, $1_t)
-+
-+ optional_policy(`
+
+ xserver_restricted_role($1_r, $1_t)
+
+ optional_policy(`
+- alsa_read_rw_config($1_t)
+ alsa_read_rw_config($1_usertype)
+ ')
+
@@ -48037,9 +48031,8 @@ index 9dc60c6..7811266 100644
+ # cjp: telepathy F15 bugs
+ telepathy_role($1_r, $1_t, $1)
+ ')
-
- optional_policy(`
-- alsa_read_rw_config($1_t)
++
++ optional_policy(`
+ obex_role($1_r, $1_t, $1)
')
@@ -48126,7 +48119,7 @@ index 9dc60c6..7811266 100644
')
#######################################
-@@ -987,27 +1350,33 @@ template(`userdom_unpriv_user_template', `
+@@ -987,27 +1353,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -48164,7 +48157,7 @@ index 9dc60c6..7811266 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -1018,23 +1387,63 @@ template(`userdom_unpriv_user_template', `
+@@ -1018,23 +1390,63 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -48224,21 +48217,21 @@ index 9dc60c6..7811266 100644
+ optional_policy(`
+ mount_run_fusermount($1_t, $1_r)
+ mount_read_pid_files($1_t)
-+ ')
-+
-+ optional_policy(`
-+ wine_role_template($1, $1_r, $1_t)
')
optional_policy(`
- netutils_run_ping_cond($1_t, $1_r)
- netutils_run_traceroute_cond($1_t, $1_r)
++ wine_role_template($1, $1_r, $1_t)
++ ')
++
++ optional_policy(`
+ postfix_run_postdrop($1_t, $1_r)
+ postfix_search_spool($1_t)
')
# Run pppd in pppd_t by default for user
-@@ -1043,7 +1452,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1043,7 +1455,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -48249,7 +48242,7 @@ index 9dc60c6..7811266 100644
')
')
-@@ -1079,7 +1490,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1079,7 +1493,9 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -48260,7 +48253,7 @@ index 9dc60c6..7811266 100644
')
##############################
-@@ -1095,6 +1508,7 @@ template(`userdom_admin_user_template',`
+@@ -1095,6 +1511,7 @@ template(`userdom_admin_user_template',`
role system_r types $1_t;
typeattribute $1_t admindomain;
@@ -48268,7 +48261,7 @@ index 9dc60c6..7811266 100644
ifdef(`direct_sysadm_daemon',`
domain_system_change_exemption($1_t)
-@@ -1105,14 +1519,8 @@ template(`userdom_admin_user_template',`
+@@ -1105,14 +1522,8 @@ template(`userdom_admin_user_template',`
# $1_t local policy
#
@@ -48285,7 +48278,7 @@ index 9dc60c6..7811266 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1128,6 +1536,8 @@ template(`userdom_admin_user_template',`
+@@ -1128,6 +1539,8 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -48294,7 +48287,7 @@ index 9dc60c6..7811266 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1145,10 +1555,15 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1558,15 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -48310,7 +48303,7 @@ index 9dc60c6..7811266 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1159,29 +1574,40 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1577,40 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -48355,7 +48348,7 @@ index 9dc60c6..7811266 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1617,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1620,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -48364,7 +48357,7 @@ index 9dc60c6..7811266 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1626,21 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1629,21 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -48387,7 +48380,7 @@ index 9dc60c6..7811266 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1240,7 +1676,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1679,7 @@ template(`userdom_admin_user_template',`
## </summary>
## </param>
#
@@ -48396,7 +48389,7 @@ index 9dc60c6..7811266 100644
allow $1 self:capability { dac_read_search dac_override };
corecmd_exec_shell($1)
-@@ -1250,6 +1686,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1689,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -48405,7 +48398,7 @@ index 9dc60c6..7811266 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1262,8 +1700,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1703,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -48417,7 +48410,7 @@ index 9dc60c6..7811266 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1274,29 +1714,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1717,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -48460,7 +48453,7 @@ index 9dc60c6..7811266 100644
')
optional_policy(`
-@@ -1357,14 +1799,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1802,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -48479,7 +48472,7 @@ index 9dc60c6..7811266 100644
')
########################################
-@@ -1397,12 +1842,51 @@ interface(`userdom_user_tmp_file',`
+@@ -1397,12 +1845,51 @@ interface(`userdom_user_tmp_file',`
## </param>
#
interface(`userdom_user_tmpfs_file',`
@@ -48532,7 +48525,7 @@ index 9dc60c6..7811266 100644
## Allow domain to attach to TUN devices created by administrative users.
## </summary>
## <param name="domain">
-@@ -1509,11 +1993,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +1996,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -48564,7 +48557,7 @@ index 9dc60c6..7811266 100644
## Do not audit attempts to search user home directories.
## </summary>
## <desc>
-@@ -1555,6 +2059,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2062,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -48579,7 +48572,7 @@ index 9dc60c6..7811266 100644
')
########################################
-@@ -1570,9 +2082,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2085,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -48591,7 +48584,7 @@ index 9dc60c6..7811266 100644
')
########################################
-@@ -1613,6 +2127,24 @@ interface(`userdom_manage_user_home_dirs',`
+@@ -1613,6 +2130,24 @@ interface(`userdom_manage_user_home_dirs',`
########################################
## <summary>
@@ -48616,7 +48609,7 @@ index 9dc60c6..7811266 100644
## Relabel to user home directories.
## </summary>
## <param name="domain">
-@@ -1631,6 +2163,59 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1631,6 +2166,59 @@ interface(`userdom_relabelto_user_home_dirs',`
########################################
## <summary>
@@ -48676,7 +48669,7 @@ index 9dc60c6..7811266 100644
## Create directories in the home dir root with
## the user home directory type.
## </summary>
-@@ -1704,10 +2289,12 @@ interface(`userdom_user_home_domtrans',`
+@@ -1704,10 +2292,12 @@ interface(`userdom_user_home_domtrans',`
#
interface(`userdom_dontaudit_search_user_home_content',`
gen_require(`
@@ -48691,7 +48684,7 @@ index 9dc60c6..7811266 100644
')
########################################
-@@ -1741,10 +2328,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2331,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -48706,7 +48699,7 @@ index 9dc60c6..7811266 100644
')
########################################
-@@ -1769,7 +2358,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2361,7 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
## <summary>
@@ -48715,7 +48708,7 @@ index 9dc60c6..7811266 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1777,19 +2366,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1777,19 +2369,17 @@ interface(`userdom_manage_user_home_content_dirs',`
## </summary>
## </param>
#
@@ -48739,7 +48732,7 @@ index 9dc60c6..7811266 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1797,55 +2384,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1797,55 +2387,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
## </summary>
## </param>
#
@@ -48810,7 +48803,7 @@ index 9dc60c6..7811266 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1853,18 +2440,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1853,18 +2443,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
## </summary>
## </param>
#
@@ -48838,13 +48831,14 @@ index 9dc60c6..7811266 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1872,17 +2460,151 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1872,17 +2463,151 @@ interface(`userdom_mmap_user_home_content_files',`
## </summary>
## </param>
#
-interface(`userdom_read_user_home_content_files',`
- gen_require(`
- type user_home_dir_t, user_home_t;
+- ')
+interface(`usedom_dontaudit_user_getattr_tmp_sockets',`
+ gen_require(`
+ type user_tmp_t;
@@ -48961,7 +48955,7 @@ index 9dc60c6..7811266 100644
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ attribute user_home_type;
- ')
++ ')
- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+ allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
@@ -48994,7 +48988,7 @@ index 9dc60c6..7811266 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1893,11 +2615,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1893,11 +2618,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -49012,7 +49006,7 @@ index 9dc60c6..7811266 100644
')
########################################
-@@ -1938,7 +2663,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2666,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
## <summary>
@@ -49021,7 +49015,7 @@ index 9dc60c6..7811266 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1946,10 +2671,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2674,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
## </summary>
## </param>
#
@@ -49034,7 +49028,7 @@ index 9dc60c6..7811266 100644
')
userdom_search_user_home_content($1)
-@@ -1958,7 +2682,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2685,7 @@ interface(`userdom_delete_all_user_home_content_files',`
########################################
## <summary>
@@ -49043,7 +49037,7 @@ index 9dc60c6..7811266 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1966,12 +2690,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2693,66 @@ interface(`userdom_delete_all_user_home_content_files',`
## </summary>
## </param>
#
@@ -49112,7 +49106,7 @@ index 9dc60c6..7811266 100644
')
########################################
-@@ -2007,8 +2785,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2788,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -49122,7 +49116,7 @@ index 9dc60c6..7811266 100644
')
########################################
-@@ -2024,20 +2801,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,21 +2804,15 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -49136,18 +49130,19 @@ index 9dc60c6..7811266 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
--')
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+- ')
+-')
+-
########################################
## <summary>
-@@ -2120,7 +2891,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+ ## Do not audit attempts to execute user home files.
+@@ -2120,7 +2894,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
## <summary>
@@ -49156,7 +49151,7 @@ index 9dc60c6..7811266 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2128,19 +2899,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2902,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
## </summary>
## </param>
#
@@ -49180,7 +49175,7 @@ index 9dc60c6..7811266 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2148,12 +2917,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2920,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
## </summary>
## </param>
#
@@ -49196,7 +49191,7 @@ index 9dc60c6..7811266 100644
')
########################################
-@@ -2388,18 +3157,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3160,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
## </summary>
## </param>
#
@@ -49254,7 +49249,7 @@ index 9dc60c6..7811266 100644
## Do not audit attempts to read users
## temporary files.
## </summary>
-@@ -2414,7 +3219,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3222,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -49263,7 +49258,7 @@ index 9dc60c6..7811266 100644
')
########################################
-@@ -2455,6 +3260,25 @@ interface(`userdom_rw_user_tmp_files',`
+@@ -2455,6 +3263,25 @@ interface(`userdom_rw_user_tmp_files',`
rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
@@ -49289,7 +49284,7 @@ index 9dc60c6..7811266 100644
########################################
## <summary>
-@@ -2538,7 +3362,7 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,7 +3365,7 @@ interface(`userdom_manage_user_tmp_files',`
########################################
## <summary>
## Create, read, write, and delete user
@@ -49298,7 +49293,7 @@ index 9dc60c6..7811266 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2546,19 +3370,19 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2546,19 +3373,19 @@ interface(`userdom_manage_user_tmp_files',`
## </summary>
## </param>
#
@@ -49321,7 +49316,7 @@ index 9dc60c6..7811266 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2566,19 +3390,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
+@@ -2566,19 +3393,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
## </summary>
## </param>
#
@@ -49344,7 +49339,7 @@ index 9dc60c6..7811266 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2586,19 +3410,60 @@ interface(`userdom_manage_user_tmp_pipes',`
+@@ -2586,18 +3413,59 @@ interface(`userdom_manage_user_tmp_pipes',`
## </summary>
## </param>
#
@@ -49363,7 +49358,6 @@ index 9dc60c6..7811266 100644
########################################
## <summary>
-## Create objects in a user temporary directory
--## with an automatic type transition to
+## Create, read, write, and delete user
+## temporary named pipes.
+## </summary>
@@ -49405,11 +49399,10 @@ index 9dc60c6..7811266 100644
+########################################
+## <summary>
+## Create objects in a user temporary directory
-+## with an automatic type transition to
+ ## with an automatic type transition to
## a specified private type.
## </summary>
- ## <param name="domain">
-@@ -2661,6 +3526,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2661,6 +3529,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -49431,7 +49424,7 @@ index 9dc60c6..7811266 100644
########################################
## <summary>
## Read user tmpfs files.
-@@ -2672,18 +3552,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2672,18 +3555,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
## </param>
#
interface(`userdom_read_user_tmpfs_files',`
@@ -49453,7 +49446,7 @@ index 9dc60c6..7811266 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2692,19 +3567,13 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3570,13 @@ interface(`userdom_read_user_tmpfs_files',`
## </param>
#
interface(`userdom_rw_user_tmpfs_files',`
@@ -49476,7 +49469,7 @@ index 9dc60c6..7811266 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2713,13 +3582,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2713,13 +3585,56 @@ interface(`userdom_rw_user_tmpfs_files',`
## </param>
#
interface(`userdom_manage_user_tmpfs_files',`
@@ -49537,7 +49530,7 @@ index 9dc60c6..7811266 100644
')
########################################
-@@ -2814,6 +3726,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3729,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -49562,7 +49555,7 @@ index 9dc60c6..7811266 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
-@@ -2832,22 +3762,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3765,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@@ -49605,7 +49598,7 @@ index 9dc60c6..7811266 100644
## </desc>
## <param name="domain">
## <summary>
-@@ -2856,14 +3798,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3801,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@@ -49643,7 +49636,7 @@ index 9dc60c6..7811266 100644
')
########################################
-@@ -2882,8 +3843,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3846,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -49673,7 +49666,7 @@ index 9dc60c6..7811266 100644
')
########################################
-@@ -2955,69 +3935,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,69 +3938,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -49774,7 +49767,7 @@ index 9dc60c6..7811266 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3025,12 +4004,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,12 +4007,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@@ -49789,7 +49782,7 @@ index 9dc60c6..7811266 100644
')
########################################
-@@ -3094,7 +4073,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4076,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -49798,7 +49791,7 @@ index 9dc60c6..7811266 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3110,29 +4089,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4092,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -49832,7 +49825,7 @@ index 9dc60c6..7811266 100644
')
########################################
-@@ -3214,7 +4177,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4180,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -49859,7 +49852,7 @@ index 9dc60c6..7811266 100644
')
########################################
-@@ -3269,12 +4250,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4253,13 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -49875,7 +49868,7 @@ index 9dc60c6..7811266 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3282,46 +4264,122 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,46 +4267,122 @@ interface(`userdom_write_user_tmp_files',`
## </summary>
## </param>
#
@@ -50011,7 +50004,7 @@ index 9dc60c6..7811266 100644
')
allow $1 userdomain:process getattr;
-@@ -3382,6 +4440,42 @@ interface(`userdom_signal_all_users',`
+@@ -3382,6 +4443,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -50054,7 +50047,7 @@ index 9dc60c6..7811266 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4496,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4499,60 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -50115,7 +50108,7 @@ index 9dc60c6..7811266 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3435,4 +4583,1691 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4586,1727 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@@ -51639,6 +51632,42 @@ index 9dc60c6..7811266 100644
+
+########################################
+## <summary>
++## Allow caller to transition to login userdomain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_transition_login_userdomain',`
++ gen_require(`
++ attribute login_userdomain;
++ ')
++
++ allow $1 login_userdomain:process transition;
++')
++
++########################################
++## <summary>
++## Add caller login userdomain attribute.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_login_userdomain',`
++ gen_require(`
++ attribute login_userdomain;
++ ')
++
++ typeattribute $1 login_userdomain;
++')
++
++########################################
++## <summary>
+## Do not audit attempts to check the
+## access on user content files
+## </summary>
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 56e5efb..73b86e6 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1385,7 +1385,7 @@ index 8d42c97..2377f8f 100644
optional_policy(`
unconfined_domain(ada_t)
diff --git a/afs.fc b/afs.fc
-index 8926c16..29817e9 100644
+index 8926c16..206ea16 100644
--- a/afs.fc
+++ b/afs.fc
@@ -3,6 +3,8 @@
@@ -1397,6 +1397,17 @@ index 8926c16..29817e9 100644
/usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
/usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
+@@ -10,6 +12,10 @@
+ /usr/afs/bin/salvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+ /usr/afs/bin/volserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+ /usr/afs/bin/vlserver -- gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
++/usr/afs/bin/dafileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
++/usr/afs/bin/davolserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
++/usr/afs/bin/salvageserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
++/usr/afs/bin/dasalvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+
+ /usr/afs/db -d gen_context(system_u:object_r:afs_dbdir_t,s0)
+ /usr/afs/db/pr.* -- gen_context(system_u:object_r:afs_pt_db_t,s0)
diff --git a/afs.if b/afs.if
index 3b41be6..97d99f9 100644
--- a/afs.if
@@ -2632,7 +2643,7 @@ index 14a61b7..76d9329 100644
+ files_search_var_lib($1)
+')
diff --git a/anaconda.te b/anaconda.te
-index aa44abf..9efa1f2 100644
+index aa44abf..9e76516 100644
--- a/anaconda.te
+++ b/anaconda.te
@@ -4,6 +4,10 @@ gen_require(`
@@ -2680,7 +2691,7 @@ index aa44abf..9efa1f2 100644
optional_policy(`
rpm_domtrans(anaconda_t)
-@@ -53,3 +74,54 @@ optional_policy(`
+@@ -53,3 +74,55 @@ optional_policy(`
optional_policy(`
unconfined_domain_noaudit(anaconda_t)
')
@@ -2693,6 +2704,7 @@ index aa44abf..9efa1f2 100644
+allow install_t self:capability2 mac_admin;
+
+systemd_dbus_chat_localed(install_t)
++systemd_dbus_chat_logind(install_t)
+
+tunable_policy(`deny_ptrace',`',`
+ domain_ptrace_all_domains(install_t)
@@ -3748,7 +3760,7 @@ index 7caefc3..77e26bf 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
-index f6eb485..164501c 100644
+index f6eb485..c55558a 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
@@ -3943,11 +3955,11 @@ index f6eb485..164501c 100644
- ')
+ # privileged users run the script:
+ domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
-+
-+ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
- tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
- filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
++ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
++
+ # apache runs the script:
+ domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
+ allow httpd_t $1_script_t:unix_dgram_socket sendto;
@@ -4396,10 +4408,11 @@ index f6eb485..164501c 100644
apache_domtrans_helper($1)
- roleattribute $2 httpd_helper_roles;
+ role $2 types httpd_helper_t;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Read httpd log files.
+## dontaudit attempts to read
+## apache log files.
+## </summary>
@@ -4417,11 +4430,10 @@ index f6eb485..164501c 100644
+
+ dontaudit $1 httpd_log_t:file read_file_perms;
+ dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Read httpd log files.
++')
++
++########################################
++## <summary>
+## Allow the specified domain to read
+## apache log files.
## </summary>
@@ -5095,7 +5107,7 @@ index f6eb485..164501c 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1224,9 +1500,141 @@ interface(`apache_admin',`
+@@ -1224,9 +1500,160 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -5231,15 +5243,34 @@ index f6eb485..164501c 100644
+ type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t;
+ type httpd_user_content_ra_t;
+ ')
-
-- apache_run_all_scripts($1, $2)
-- apache_run_helper($1, $2)
++
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html")
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www")
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web")
+ filetrans_pattern($1, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
+ filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs")
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
++')
++
++########################################
++## <summary>
++## Read apache pid files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`apache_read_pid_files',`
++ gen_require(`
++ type httpd_var_run_t;
++ ')
+
+- apache_run_all_scripts($1, $2)
+- apache_run_helper($1, $2)
++ files_search_pids($1)
++ read_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
')
diff --git a/apache.te b/apache.te
index 6649962..7abf562 100644
@@ -21567,10 +21598,10 @@ index f55c420..e9d64ab 100644
-
-miscfiles_read_localization(dbskkd_t)
diff --git a/dbus.fc b/dbus.fc
-index dda905b..ccd0ba9 100644
+index dda905b..5587295 100644
--- a/dbus.fc
+++ b/dbus.fc
-@@ -1,20 +1,27 @@
+@@ -1,20 +1,29 @@
-HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
+/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
@@ -21581,27 +21612,28 @@ index dda905b..ccd0ba9 100644
+ifdef(`distro_redhat',`
+/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
++/usr/libexec/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
-/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+
+-/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+ifdef(`distro_debian',`
+/usr/lib/dbus-1.0/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
--/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+-/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+ifdef(`distro_gentoo',`
+/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
--/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+-/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+/var/cache/ibus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
--/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
--
-/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
-/var/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
@@ -24118,10 +24150,12 @@ index b3b2188..5f91705 100644
miscfiles_read_localization(dirmngr_t)
diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc
new file mode 100644
-index 0000000..5e44c5e
+index 0000000..38b17f8
--- /dev/null
+++ b/dirsrv-admin.fc
-@@ -0,0 +1,15 @@
+@@ -0,0 +1,17 @@
++/usr/lib/systemd/system/dirsrv-admin\.service -- gen_context(system_u:object_r:dirsrvadmin_unit_file_t,s0)
++
+/etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
+
+/etc/dirsrv/dsgw(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
@@ -24139,10 +24173,10 @@ index 0000000..5e44c5e
+/var/lock/subsys/dirsrv-admin -- gen_context(system_u:object_r:dirsrvadmin_lock_t,s0)
diff --git a/dirsrv-admin.if b/dirsrv-admin.if
new file mode 100644
-index 0000000..e360d38
+index 0000000..0d4e704
--- /dev/null
+++ b/dirsrv-admin.if
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,157 @@
+## <summary>Administration Server for Directory Server, dirsrv-admin.</summary>
+
+########################################
@@ -24257,6 +24291,30 @@ index 0000000..e360d38
+ manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+')
+
++########################################
++## <summary>
++## Execute dirsrv-admin server in the dirsrv-admin domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`dirsrvadmin_systemctl',`
++ gen_require(`
++ type dirsrvadmin_t;
++ type dirsrvadmin_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ allow $1 dirsrvadmin_unit_file_t:file read_file_perms;
++ allow $1 dirsrvadmin_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, dirsrvadmin_t)
++')
++
+#######################################
+## <summary>
+## Execute admin cgi programs in caller domain.
@@ -24278,10 +24336,10 @@ index 0000000..e360d38
+')
diff --git a/dirsrv-admin.te b/dirsrv-admin.te
new file mode 100644
-index 0000000..37afbd4
+index 0000000..09223af
--- /dev/null
+++ b/dirsrv-admin.te
-@@ -0,0 +1,158 @@
+@@ -0,0 +1,167 @@
+policy_module(dirsrv-admin,1.0.0)
+
+########################################
@@ -24303,6 +24361,9 @@ index 0000000..37afbd4
+type dirsrvadmin_tmp_t;
+files_tmp_file(dirsrvadmin_tmp_t)
+
++type dirsrvadmin_unit_file_t;
++systemd_unit_file(dirsrvadmin_unit_file_t)
++
+type dirsrvadmin_unconfined_script_t;
+type dirsrvadmin_unconfined_script_exec_t;
+domain_type(dirsrvadmin_unconfined_script_t)
@@ -24370,6 +24431,7 @@ index 0000000..37afbd4
+
+ kernel_read_kernel_sysctls(dirsrvadmin_script_t)
+
++ auth_read_passwd(dirsrvadmin_script_t)
+
+ corenet_tcp_bind_generic_node(dirsrvadmin_script_t)
+ corenet_udp_bind_generic_node(dirsrvadmin_script_t)
@@ -24388,9 +24450,14 @@ index 0000000..37afbd4
+ manage_dirs_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+ files_tmp_filetrans(dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
+
++ optional_policy(`
++ dirsrvadmin_systemctl(dirsrvadmin_script_t)
++ ')
++
+ optional_policy(`
+ apache_read_modules(dirsrvadmin_script_t)
+ apache_read_config(dirsrvadmin_script_t)
++ apache_read_pid_files(dirsrvadmin_script_t)
+ apache_signal(dirsrvadmin_script_t)
+ apache_signull(dirsrvadmin_script_t)
+ ')
@@ -25535,10 +25602,10 @@ index 0000000..d22ed69
+')
diff --git a/dnssec.te b/dnssec.te
new file mode 100644
-index 0000000..bfa9ff5
+index 0000000..181a31b
--- /dev/null
+++ b/dnssec.te
-@@ -0,0 +1,86 @@
+@@ -0,0 +1,87 @@
+policy_module(dnssec, 1.0.0)
+
+########################################
@@ -25620,6 +25687,7 @@ index 0000000..bfa9ff5
+
+optional_policy(`
+ networkmanager_stream_connect(dnssec_trigger_t)
++ networkmanager_signal(dnssec_trigger_t)
+ networkmanager_sigchld(dnssec_trigger_t)
+ networkmanager_sigkill(dnssec_trigger_t)
+ networkmanager_signull(dnssec_trigger_t)
@@ -45349,7 +45417,7 @@ index d314333..27ede09 100644
+ ')
')
diff --git a/lsm.te b/lsm.te
-index 4ec0eea..996fdc8 100644
+index 4ec0eea..03738f2 100644
--- a/lsm.te
+++ b/lsm.te
@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
@@ -45391,7 +45459,7 @@ index 4ec0eea..996fdc8 100644
allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
-@@ -26,4 +44,67 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+@@ -26,4 +44,68 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
@@ -45410,7 +45478,7 @@ index 4ec0eea..996fdc8 100644
+allow lsmd_plugin_t self:udp_socket create_socket_perms;
+allow lsmd_plugin_t self:tcp_socket create_stream_socket_perms;
+allow lsmd_plugin_t self:netlink_route_socket r_netlink_socket_perms;
-+allow lsmd_plugin_t self:capability { sys_rawio } ;
++allow lsmd_plugin_t self:capability { sys_admin sys_rawio } ;
+
+domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t)
+allow lsmd_plugin_t lsmd_t:unix_stream_socket { read write };
@@ -45434,6 +45502,7 @@ index 4ec0eea..996fdc8 100644
+
+dev_read_urand(lsmd_plugin_t)
+dev_read_sysfs(lsmd_plugin_t)
++dev_getattr_sysfs_fs(lsmd_plugin_t)
+
+corecmd_exec_bin(lsmd_plugin_t)
+
@@ -62326,10 +62395,10 @@ index 0000000..598789a
+
diff --git a/openhpid.te b/openhpid.te
new file mode 100644
-index 0000000..2cb47c8
+index 0000000..b4f88f6
--- /dev/null
+++ b/openhpid.te
-@@ -0,0 +1,59 @@
+@@ -0,0 +1,60 @@
+policy_module(openhpid, 1.0.0)
+
+########################################
@@ -62387,7 +62456,8 @@ index 0000000..2cb47c8
+sysnet_read_config(openhpid_t)
+
+optional_policy(`
-+ snmp_read_snmp_var_lib_files(openhpid_t)
++ snmp_manage_var_lib_files(openhpid_t)
++ snmp_manage_var_lib_dirs(openhpid_t)
+')
diff --git a/openshift-origin.fc b/openshift-origin.fc
new file mode 100644
@@ -79158,7 +79228,7 @@ index fe2adf8..f7e9c70 100644
+ admin_pattern($1, qpidd_var_run_t)
')
diff --git a/qpid.te b/qpid.te
-index 83eb09e..41033de 100644
+index 83eb09e..8f641fc 100644
--- a/qpid.te
+++ b/qpid.te
@@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
@@ -79171,7 +79241,7 @@ index 83eb09e..41033de 100644
type qpidd_tmpfs_t;
files_tmpfs_file(qpidd_tmpfs_t)
-@@ -33,41 +36,56 @@ allow qpidd_t self:shm create_shm_perms;
+@@ -33,41 +36,57 @@ allow qpidd_t self:shm create_shm_perms;
allow qpidd_t self:tcp_socket { accept listen };
allow qpidd_t self:unix_stream_socket { accept listen };
@@ -79212,10 +79282,11 @@ index 83eb09e..41033de 100644
corenet_sendrecv_amqp_server_packets(qpidd_t)
corenet_tcp_bind_amqp_port(qpidd_t)
corenet_tcp_sendrecv_amqp_port(qpidd_t)
-
++corenet_tcp_connect_amqp_port(qpidd_t)
++
+corenet_tcp_bind_matahari_port(qpidd_t)
+corenet_tcp_connect_matahari_port(qpidd_t)
-+
+
dev_read_sysfs(qpidd_t)
dev_read_urand(qpidd_t)
+dev_read_rand(qpidd_t)
@@ -81011,7 +81082,7 @@ index 951db7f..00e699d 100644
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak")
')
diff --git a/raid.te b/raid.te
-index c99753f..1c950ed 100644
+index c99753f..c8696d7 100644
--- a/raid.te
+++ b/raid.te
@@ -15,54 +15,101 @@ role mdadm_roles types mdadm_t;
@@ -81125,7 +81196,7 @@ index c99753f..1c950ed 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
-@@ -71,15 +118,22 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -71,15 +118,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
@@ -81146,10 +81217,13 @@ index c99753f..1c950ed 100644
-miscfiles_read_localization(mdadm_t)
+systemd_exec_systemctl(mdadm_t)
+systemd_start_systemd_services(mdadm_t)
++
++term_use_generic_ptys(mdadm_t)
++term_use_unallocated_ttys(mdadm_t)
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -90,17 +144,38 @@ optional_policy(`
+@@ -90,17 +147,38 @@ optional_policy(`
')
optional_policy(`
@@ -85849,7 +85923,7 @@ index 6dbc905..4b17c93 100644
- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a2..2078892 100644
+index d32e1a2..2e80d44 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
@@ -85888,7 +85962,7 @@ index d32e1a2..2078892 100644
manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
-@@ -50,25 +56,83 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+@@ -50,25 +56,87 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
kernel_read_network_state(rhsmcertd_t)
@@ -85973,9 +86047,13 @@ index d32e1a2..2078892 100644
+ virt_signull(rhsmcertd_t)
+')
+
++optional_policy(`
++ unconfined_signull(rhsmcertd_t)
++')
++
optional_policy(`
- rpm_read_db(rhsmcertd_t)
-+ unconfined_signull(rhsmcertd_t)
++ unconfined_server_signull(rhsmcertd_t)
')
diff --git a/ricci.if b/ricci.if
index 2ab3ed1..23d579c 100644
@@ -87844,7 +87922,7 @@ index 3b5e9ee..ff1163f 100644
+ admin_pattern($1, rpcbind_var_run_t)
')
diff --git a/rpcbind.te b/rpcbind.te
-index 54de77c..db58475 100644
+index 54de77c..0ee4cc1 100644
--- a/rpcbind.te
+++ b/rpcbind.te
@@ -12,6 +12,9 @@ init_daemon_domain(rpcbind_t, rpcbind_exec_t)
@@ -87857,7 +87935,13 @@ index 54de77c..db58475 100644
type rpcbind_var_run_t;
files_pid_file(rpcbind_var_run_t)
init_daemon_run_dir(rpcbind_var_run_t, "rpcbind")
-@@ -29,6 +32,10 @@ allow rpcbind_t self:fifo_file rw_fifo_file_perms;
+@@ -24,11 +27,15 @@ files_type(rpcbind_var_lib_t)
+ # Local policy
+ #
+
+-allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
++allow rpcbind_t self:capability { chown dac_override setgid setuid sys_tty_config };
+ allow rpcbind_t self:fifo_file rw_fifo_file_perms;
allow rpcbind_t self:unix_stream_socket { accept listen };
allow rpcbind_t self:tcp_socket { accept listen };
@@ -91235,7 +91319,7 @@ index 50d07fb..337a3e7 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 2b7c441..0c7bfd4 100644
+index 2b7c441..bf7a710 100644
--- a/samba.te
+++ b/samba.te
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@@ -91614,8 +91698,8 @@ index 2b7c441..0c7bfd4 100644
+manage_sock_files_pattern(smbd_t, samba_spool_t, samba_spool_t)
+files_spool_filetrans(smbd_t, samba_spool_t, dir, "samba")
+
-+
+allow smbd_t smbcontrol_t:process { signal signull };
++allow smbd_t smbcontrol_t:unix_dgram_socket sendto;
+
manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
@@ -91933,7 +92017,7 @@ index 2b7c441..0c7bfd4 100644
manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +617,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +617,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -91954,10 +92038,11 @@ index 2b7c441..0c7bfd4 100644
-
-allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
+allow nmbd_t smbcontrol_t:process signal;
++allow nmbd_t smbcontrol_t:unix_dgram_socket sendto;
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
-@@ -547,53 +633,44 @@ kernel_read_kernel_sysctls(nmbd_t)
+@@ -547,53 +634,44 @@ kernel_read_kernel_sysctls(nmbd_t)
kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
@@ -92008,14 +92093,14 @@ index 2b7c441..0c7bfd4 100644
-
userdom_use_unpriv_users_fds(nmbd_t)
-userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
-+userdom_dontaudit_search_user_home_dirs(nmbd_t)
-
+-
-tunable_policy(`samba_export_all_ro',`
- fs_read_noxattr_fs_files(nmbd_t)
- files_list_non_auth_dirs(nmbd_t)
- files_read_non_auth_files(nmbd_t)
-')
--
++userdom_dontaudit_search_user_home_dirs(nmbd_t)
+
-tunable_policy(`samba_export_all_rw',`
- fs_read_noxattr_fs_files(nmbd_t)
- files_manage_non_auth_files(nmbd_t)
@@ -92026,7 +92111,7 @@ index 2b7c441..0c7bfd4 100644
')
optional_policy(`
-@@ -606,16 +683,22 @@ optional_policy(`
+@@ -606,18 +684,29 @@ optional_policy(`
########################################
#
@@ -92034,26 +92119,35 @@ index 2b7c441..0c7bfd4 100644
+# smbcontrol local policy
#
-+allow smbcontrol_t self:capability2 block_suspend;
- allow smbcontrol_t self:process signal;
+-allow smbcontrol_t self:process signal;
-allow smbcontrol_t self:fifo_file rw_fifo_file_perms;
+-allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
++allow smbcontrol_t self:capability2 block_suspend;
+ allow smbcontrol_t self:process { signal signull };
+# internal communication is often done using fifo and unix sockets.
+allow smbcontrol_t self:fifo_file rw_file_perms;
- allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
- allow smbcontrol_t self:process { signal signull };
++allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
++allow smbcontrol_t self:unix_dgram_socket create_socket_perms;
++
++allow smbcontrol_t nmbd_t:process { signal signull };
++read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t)
-allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
-read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t })
-+allow smbcontrol_t nmbd_t:process { signal signull };
-+read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t)
-+
+allow smbcontrol_t smbd_t:process { signal signull };
+read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t)
+allow smbcontrol_t winbind_t:process { signal signull };
manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
++manage_sock_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
++
++allow smbcontrol_t nmbd_t:unix_dgram_socket sendto;
++allow smbcontrol_t smbd_t:unix_dgram_socket sendto;
++allow smbcontrol_t winbind_t:unix_dgram_socket sendto;
-@@ -627,16 +710,13 @@ domain_use_interactive_fds(smbcontrol_t)
+ samba_read_config(smbcontrol_t)
+ samba_search_var(smbcontrol_t)
+@@ -627,16 +716,13 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
@@ -92072,7 +92166,7 @@ index 2b7c441..0c7bfd4 100644
optional_policy(`
ctdbd_stream_connect(smbcontrol_t)
-@@ -644,22 +724,23 @@ optional_policy(`
+@@ -644,22 +730,23 @@ optional_policy(`
########################################
#
@@ -92104,7 +92198,7 @@ index 2b7c441..0c7bfd4 100644
allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -668,26 +749,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +755,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@@ -92140,7 +92234,7 @@ index 2b7c441..0c7bfd4 100644
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
-@@ -699,58 +776,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +782,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
@@ -92232,7 +92326,7 @@ index 2b7c441..0c7bfd4 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +855,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +861,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
@@ -92256,7 +92350,7 @@ index 2b7c441..0c7bfd4 100644
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -777,36 +869,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +875,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
@@ -92299,7 +92393,7 @@ index 2b7c441..0c7bfd4 100644
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -818,10 +899,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +905,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@@ -92313,7 +92407,7 @@ index 2b7c441..0c7bfd4 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -840,17 +922,20 @@ optional_policy(`
+@@ -840,17 +928,20 @@ optional_policy(`
# Winbind local policy
#
@@ -92339,7 +92433,7 @@ index 2b7c441..0c7bfd4 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +945,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +951,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -92350,7 +92444,7 @@ index 2b7c441..0c7bfd4 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,38 +956,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,38 +962,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@@ -92403,7 +92497,7 @@ index 2b7c441..0c7bfd4 100644
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,38 +998,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,38 +1004,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
@@ -92462,7 +92556,7 @@ index 2b7c441..0c7bfd4 100644
')
optional_policy(`
-@@ -959,31 +1059,35 @@ optional_policy(`
+@@ -959,31 +1065,36 @@ optional_policy(`
# Winbind helper local policy
#
@@ -92478,6 +92572,7 @@ index 2b7c441..0c7bfd4 100644
+files_list_var_lib(winbind_helper_t)
allow winbind_t smbcontrol_t:process signal;
++allow winbind_t smbcontrol_t:unix_dgram_socket sendto;
stream_connect_pattern(winbind_helper_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
@@ -92505,7 +92600,7 @@ index 2b7c441..0c7bfd4 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -997,25 +1101,38 @@ optional_policy(`
+@@ -997,25 +1108,38 @@ optional_policy(`
########################################
#
@@ -97891,7 +97986,7 @@ index 2f0a2f2..1569e33 100644
+/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
diff --git a/snmp.if b/snmp.if
-index 7a9cc9d..2b9cae3 100644
+index 7a9cc9d..23cb658 100644
--- a/snmp.if
+++ b/snmp.if
@@ -57,8 +57,7 @@ interface(`snmp_udp_chat',`
@@ -97904,7 +97999,7 @@ index 7a9cc9d..2b9cae3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -66,19 +65,58 @@ interface(`snmp_udp_chat',`
+@@ -66,19 +65,57 @@ interface(`snmp_udp_chat',`
## </summary>
## </param>
#
@@ -97955,7 +98050,6 @@ index 7a9cc9d..2b9cae3 100644
+ ')
+
allow $1 snmpd_var_lib_t:dir manage_dir_perms;
-+ files_var_lib_filetrans($1, snmpd_var_lib_t, dir)
')
########################################
@@ -97966,7 +98060,7 @@ index 7a9cc9d..2b9cae3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -98,7 +136,7 @@ interface(`snmp_manage_var_lib_files',`
+@@ -98,7 +135,7 @@ interface(`snmp_manage_var_lib_files',`
########################################
## <summary>
@@ -97975,7 +98069,7 @@ index 7a9cc9d..2b9cae3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -106,14 +144,35 @@ interface(`snmp_manage_var_lib_files',`
+@@ -106,14 +143,35 @@ interface(`snmp_manage_var_lib_files',`
## </summary>
## </param>
#
@@ -98014,7 +98108,7 @@ index 7a9cc9d..2b9cae3 100644
')
########################################
-@@ -179,8 +238,12 @@ interface(`snmp_admin',`
+@@ -179,8 +237,12 @@ interface(`snmp_admin',`
type snmpd_var_lib_t, snmpd_var_run_t;
')
@@ -107638,7 +107732,7 @@ index a4f20bc..374e8ef 100644
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index facdee8..a6dcaaa 100644
+index facdee8..efe9356 100644
--- a/virt.if
+++ b/virt.if
@@ -1,318 +1,226 @@
@@ -108868,13 +108962,12 @@ index facdee8..a6dcaaa 100644
+#######################################
+## <summary>
+## Execute Sandbox Files
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <param name="private type">
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
+#
+interface(`virt_exec_sandbox_files',`
+ gen_require(`
@@ -108887,14 +108980,13 @@ index facdee8..a6dcaaa 100644
+#######################################
+## <summary>
+## Manage Sandbox Files
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
## <summary>
--## The type of the object to be created.
-+## Domain allowed access.
+ ## Domain allowed access.
## </summary>
## </param>
--## <param name="object">
+-## <param name="private type">
+#
+interface(`virt_manage_sandbox_files',`
+ gen_require(`
@@ -108915,11 +109007,11 @@ index facdee8..a6dcaaa 100644
+## </summary>
+## <param name="domain">
## <summary>
--## The object class of the object being created.
+-## The type of the object to be created.
+## Domain allowed access.
## </summary>
## </param>
--## <param name="name" optional="true">
+-## <param name="object">
+#
+interface(`virt_relabel_sandbox_filesystem',`
+ gen_require(`
@@ -108935,16 +109027,14 @@ index facdee8..a6dcaaa 100644
+## </summary>
+## <param name="domain">
## <summary>
--## The name of the object being created.
+-## The object class of the object being created.
+## Domain allowed access.
## </summary>
## </param>
--## <infoflow type="write" weight="10"/>
- #
--interface(`virt_pid_filetrans',`
+-## <param name="name" optional="true">
++#
+interface(`virt_mounton_sandbox_file',`
- gen_require(`
-- type virt_var_run_t;
++ gen_require(`
+ type svirt_sandbox_file_t;
+ ')
+
@@ -108956,13 +109046,17 @@ index facdee8..a6dcaaa 100644
+## Connect to virt over a unix domain stream socket.
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## The name of the object being created.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+-## <infoflow type="write" weight="10"/>
+ #
+-interface(`virt_pid_filetrans',`
+interface(`virt_stream_connect_sandbox',`
-+ gen_require(`
+ gen_require(`
+- type virt_var_run_t;
+ attribute svirt_sandbox_domain;
+ type svirt_sandbox_file_t;
')
@@ -109458,15 +109552,13 @@ index facdee8..a6dcaaa 100644
+interface(`virt_rlimitinh',`
+ gen_require(`
+ type virtd_t;
- ')
++ ')
+
+ allow $1 virtd_t:process { rlimitinh };
- ')
-
- ########################################
- ## <summary>
--## All of the rules required to
--## administrate an virt environment.
++')
++
++########################################
++## <summary>
+## Read and write to svirt_image devices.
+## </summary>
+## <param name="domain">
@@ -109478,19 +109570,21 @@ index facdee8..a6dcaaa 100644
+interface(`virt_noatsecure',`
+ gen_require(`
+ type virtd_t;
-+ ')
+ ')
+
+ allow $1 virtd_t:process { noatsecure rlimitinh };
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an virt environment.
+## All of the rules required to administrate
+## an virt environment
## </summary>
## <param name="domain">
## <summary>
-@@ -1136,50 +1407,53 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1407,76 @@ interface(`virt_manage_images',`
#
interface(`virt_admin',`
gen_require(`
@@ -109532,29 +109626,23 @@ index facdee8..a6dcaaa 100644
-
- files_search_tmp($1)
- admin_pattern($1, { virt_tmp_type virt_tmp_t })
-+ allow $1 virt_domain:process signal_perms;
-
+-
- files_search_etc($1)
- admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
-+ admin_pattern($1, virt_file_type)
-+ admin_pattern($1, svirt_file_type)
++ allow $1 virt_domain:process signal_perms;
- logging_search_logs($1)
- admin_pattern($1, virt_log_t)
-+ virt_systemctl($1)
-+ allow $1 virtd_unit_file_t:service all_service_perms;
++ admin_pattern($1, virt_file_type)
++ admin_pattern($1, svirt_file_type)
- files_search_pids($1)
- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
--
++ virt_systemctl($1)
++ allow $1 virtd_unit_file_t:service all_service_perms;
+
- files_search_var($1)
- admin_pattern($1, svirt_cache_t)
--
-- files_search_var_lib($1)
-- admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t })
--
-- files_search_locks($1)
-- admin_pattern($1, virt_lock_t)
+ virt_stream_connect_sandbox($1)
+ virt_stream_connect_svirt($1)
+ virt_stream_connect($1)
@@ -109574,9 +109662,36 @@ index facdee8..a6dcaaa 100644
+ attribute sandbox_caps_domain;
+ ')
+- files_search_var_lib($1)
+- admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t })
++ typeattribute $1 sandbox_caps_domain;
++')
+
+- files_search_locks($1)
+- admin_pattern($1, virt_lock_t)
+
- dev_list_all_dev_nodes($1)
- allow $1 virt_ptynode:chr_file rw_term_perms;
-+ typeattribute $1 sandbox_caps_domain;
++########################################
++## <summary>
++## Send and receive messages from
++## virt over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`virt_dbus_chat',`
++ gen_require(`
++ type virtd_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 virtd_t:dbus send_msg;
++ allow virtd_t $1:dbus send_msg;
++ ps_process_pattern(virtd_t, $1)
')
diff --git a/virt.te b/virt.te
index f03dcf5..d15b4d3 100644
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8819056..ea25522 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 147%{?dist}
+Release: 148%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -656,6 +656,37 @@ exit 0
%endif
%changelog
+* Tue Sep 22 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-148
+- Update config.tgz to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users.
+- Added support for permissive domains
+- Allow rpcbind_t domain to change file owner and group
+- rpm-ostree has a daemon mode now and need to speak to polkit/logind for authorization. BZ(#1264988)
+- Allow dnssec-trigger to send generic signal to Network-Manager. BZ(#1242578)
+- Allow smbcontrol to create a socket in /var/samba which uses for a communication with smbd, nmbd and winbind.
+- Revert "Add apache_read_pid_files() interface"
+- Allow dirsrv-admin read httpd pid files.
+- Add apache_read_pid_files() interface
+- Add label for dirsrv-admin unit file.
+- Allow qpid daemon to connect on amqp tcp port.
+- Allow dirsrvadmin-script read /etc/passwd file Allow dirsrvadmin-script exec systemctl
+- Add labels for afs binaries: dafileserver, davolserver, salvageserver, dasalvager
+- Add lsmd_plugin_t sys_admin capability, Allow lsmd_plugin_t getattr from sysfs filesystem.
+- Allow rhsmcertd_t send signull to unconfined_service_t domains.
+- Revert "Allow pcp to read docker lib files."
+- Label /usr/libexec/dbus-1/dbus-daemon-launch-helper as dbusd_exec_t to have systemd dbus services running in the correct domain instead of unconfined_service_t if unconfined.pp module is enabled. BZ(#1262993)
+- Allow pcp to read docker lib files.
+- Revert "init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so"
+- Add login_userdomain attribute also for unconfined_t.
+- Add userdom_login_userdomain() interface.
+- Label /etc/ipa/nssdb dir as cert_t
+- init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so
+- Add interface unconfined_server_signull() to allow domains send signull to unconfined_service_t
+- Call userdom_transition_login_userdomain() instead of userdom_transition() in init.te related to pam_selinux.so+systemd-users.
+- Add userdom_transition_login_userdomain() interface
+- Allow user domains with login_userdomain to have entrypoint access on init_exec. It is needed by pam_selinux.so call in systemd-users. BZ(#1263350)
+- Add init_entrypoint_exec() interface.
+- Allow init_t to have transition allow rule for userdomain if pam_selinux.so is used in /etc/pam.d/systemd-user. It ensures that systemd user sessions will run with correct userdomain types instead of init_t. BZ(#1263350)
+
* Mon Sep 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-147
- named wants to access /proc/sys/net/ipv4/ip_local_port_range to get ehphemeral range. BZ(#1260272)
- Allow user screen domains to list directorires in HOMEDIR wit user_home_t labeling.