diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index a0c5582..2c662e8 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -35708,10 +35708,10 @@ index 4e94884..7ab6191 100644
+ filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4)
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..aaf4124 100644
+index 59b04c1..0bdf67e 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
+@@ -4,6 +4,29 @@ policy_module(logging, 1.20.1)
#
# Declarations
#
@@ -35730,10 +35730,18 @@ index 59b04c1..aaf4124 100644
+## </p>
+## </desc>
+gen_tunable(logging_syslogd_use_tty, true)
++
++## <desc>
++## <p>
++## Allow syslogd the ability to call nagios plugins. It is
++## turned on by omprog rsyslog plugin.
++## </p>
++## </desc>
++gen_tunable(logging_syslogd_run_nagios_plugins, false)
attribute logfile;
-@@ -20,6 +35,7 @@ files_security_file(auditd_log_t)
+@@ -20,6 +43,7 @@ files_security_file(auditd_log_t)
files_security_mountpoint(auditd_log_t)
type audit_spool_t;
@@ -35741,7 +35749,7 @@ index 59b04c1..aaf4124 100644
files_security_file(audit_spool_t)
files_security_mountpoint(audit_spool_t)
-@@ -33,6 +49,9 @@ init_script_file(auditd_initrc_exec_t)
+@@ -33,6 +57,9 @@ init_script_file(auditd_initrc_exec_t)
type auditd_var_run_t;
files_pid_file(auditd_var_run_t)
@@ -35751,7 +35759,7 @@ index 59b04c1..aaf4124 100644
type audisp_t;
type audisp_exec_t;
init_system_domain(audisp_t, audisp_exec_t)
-@@ -64,6 +83,7 @@ files_config_file(syslog_conf_t)
+@@ -64,6 +91,7 @@ files_config_file(syslog_conf_t)
type syslogd_t;
type syslogd_exec_t;
init_daemon_domain(syslogd_t, syslogd_exec_t)
@@ -35759,7 +35767,7 @@ index 59b04c1..aaf4124 100644
type syslogd_initrc_exec_t;
init_script_file(syslogd_initrc_exec_t)
-@@ -71,11 +91,15 @@ init_script_file(syslogd_initrc_exec_t)
+@@ -71,11 +99,15 @@ init_script_file(syslogd_initrc_exec_t)
type syslogd_tmp_t;
files_tmp_file(syslogd_tmp_t)
@@ -35775,7 +35783,7 @@ index 59b04c1..aaf4124 100644
type var_log_t;
logging_log_file(var_log_t)
-@@ -94,6 +118,8 @@ ifdef(`enable_mls',`
+@@ -94,6 +126,8 @@ ifdef(`enable_mls',`
allow auditctl_t self:capability { fsetid dac_read_search dac_override };
allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
@@ -35784,7 +35792,7 @@ index 59b04c1..aaf4124 100644
read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
allow auditctl_t auditd_etc_t:dir list_dir_perms;
-@@ -111,7 +137,9 @@ domain_use_interactive_fds(auditctl_t)
+@@ -111,7 +145,9 @@ domain_use_interactive_fds(auditctl_t)
mls_file_read_all_levels(auditctl_t)
@@ -35795,7 +35803,7 @@ index 59b04c1..aaf4124 100644
init_dontaudit_use_fds(auditctl_t)
-@@ -136,9 +164,10 @@ allow auditd_t self:tcp_socket create_stream_socket_perms;
+@@ -136,9 +172,10 @@ allow auditd_t self:tcp_socket create_stream_socket_perms;
allow auditd_t auditd_etc_t:dir list_dir_perms;
allow auditd_t auditd_etc_t:file read_file_perms;
@@ -35807,7 +35815,7 @@ index 59b04c1..aaf4124 100644
manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
-@@ -148,6 +177,7 @@ kernel_read_kernel_sysctls(auditd_t)
+@@ -148,6 +185,7 @@ kernel_read_kernel_sysctls(auditd_t)
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
# Probably want a transition, and a new auditd_helper app
kernel_read_system_state(auditd_t)
@@ -35815,7 +35823,7 @@ index 59b04c1..aaf4124 100644
dev_read_sysfs(auditd_t)
-@@ -155,9 +185,6 @@ fs_getattr_all_fs(auditd_t)
+@@ -155,9 +193,6 @@ fs_getattr_all_fs(auditd_t)
fs_search_auto_mountpoints(auditd_t)
fs_rw_anon_inodefs_files(auditd_t)
@@ -35825,7 +35833,7 @@ index 59b04c1..aaf4124 100644
corenet_all_recvfrom_netlabel(auditd_t)
corenet_tcp_sendrecv_generic_if(auditd_t)
corenet_tcp_sendrecv_generic_node(auditd_t)
-@@ -183,16 +210,17 @@ logging_send_syslog_msg(auditd_t)
+@@ -183,16 +218,17 @@ logging_send_syslog_msg(auditd_t)
logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t)
@@ -35847,7 +35855,7 @@ index 59b04c1..aaf4124 100644
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_user_home_dirs(auditd_t)
-@@ -237,19 +265,29 @@ corecmd_exec_shell(audisp_t)
+@@ -237,19 +273,29 @@ corecmd_exec_shell(audisp_t)
domain_use_interactive_fds(audisp_t)
@@ -35879,7 +35887,7 @@ index 59b04c1..aaf4124 100644
')
########################################
-@@ -268,7 +306,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
+@@ -268,7 +314,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
corecmd_exec_bin(audisp_remote_t)
@@ -35887,7 +35895,7 @@ index 59b04c1..aaf4124 100644
corenet_all_recvfrom_netlabel(audisp_remote_t)
corenet_tcp_sendrecv_generic_if(audisp_remote_t)
corenet_tcp_sendrecv_generic_node(audisp_remote_t)
-@@ -280,10 +317,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -280,10 +325,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
files_read_etc_files(audisp_remote_t)
@@ -35907,7 +35915,7 @@ index 59b04c1..aaf4124 100644
sysnet_dns_name_resolve(audisp_remote_t)
-@@ -326,7 +371,6 @@ files_read_etc_files(klogd_t)
+@@ -326,7 +379,6 @@ files_read_etc_files(klogd_t)
logging_send_syslog_msg(klogd_t)
@@ -35915,7 +35923,7 @@ index 59b04c1..aaf4124 100644
mls_file_read_all_levels(klogd_t)
-@@ -355,13 +399,12 @@ optional_policy(`
+@@ -355,13 +407,12 @@ optional_policy(`
# sys_admin for the integrated klog of syslog-ng and metalog
# sys_nice for rsyslog
# cjp: why net_admin!
@@ -35932,7 +35940,7 @@ index 59b04c1..aaf4124 100644
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -369,11 +412,15 @@ allow syslogd_t self:unix_dgram_socket sendto;
+@@ -369,11 +420,15 @@ allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file rw_fifo_file_perms;
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
@@ -35949,7 +35957,7 @@ index 59b04c1..aaf4124 100644
files_pid_filetrans(syslogd_t, devlog_t, sock_file)
# create/append log files.
-@@ -389,30 +436,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -389,30 +444,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@@ -36000,7 +36008,7 @@ index 59b04c1..aaf4124 100644
# syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -422,6 +486,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -422,6 +494,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
@@ -36009,7 +36017,7 @@ index 59b04c1..aaf4124 100644
corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -432,9 +498,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -432,9 +506,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
@@ -36023,6 +36031,12 @@ index 59b04c1..aaf4124 100644
+ corenet_tcp_connect_smtp_port(syslogd_t)
+')
+
++optional_policy(`
++ tunable_policy(`logging_syslogd_run_nagios_plugins',`
++ nagios_domtrans_unconfined_plugins(syslogd_t)
++ ')
++')
++
dev_filetrans(syslogd_t, devlog_t, sock_file)
dev_read_sysfs(syslogd_t)
-
@@ -36037,7 +36051,7 @@ index 59b04c1..aaf4124 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
-@@ -448,13 +531,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+@@ -448,13 +545,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
@@ -36055,7 +36069,7 @@ index 59b04c1..aaf4124 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -466,11 +553,12 @@ init_use_fds(syslogd_t)
+@@ -466,11 +567,12 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -36071,7 +36085,7 @@ index 59b04c1..aaf4124 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
-@@ -497,6 +585,7 @@ optional_policy(`
+@@ -497,6 +599,7 @@ optional_policy(`
optional_policy(`
cron_manage_log_files(syslogd_t)
cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
@@ -36079,7 +36093,7 @@ index 59b04c1..aaf4124 100644
')
optional_policy(`
-@@ -507,15 +596,40 @@ optional_policy(`
+@@ -507,15 +610,40 @@ optional_policy(`
')
optional_policy(`
@@ -36120,7 +36134,7 @@ index 59b04c1..aaf4124 100644
')
optional_policy(`
-@@ -526,3 +640,26 @@ optional_policy(`
+@@ -526,3 +654,26 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -44854,7 +44868,7 @@ index db75976..c54480a 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..769ce74 100644
+index 9dc60c6..a24e48e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -45855,7 +45869,7 @@ index 9dc60c6..769ce74 100644
userdom_change_password_template($1)
-@@ -761,83 +1007,107 @@ template(`userdom_login_user_template', `
+@@ -761,82 +1007,109 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@@ -45990,16 +46004,18 @@ index 9dc60c6..769ce74 100644
+ oddjob_run_mkhomedir($1_t, $1_r)
')
++ optional_policy(`
++ ipa_run_helper($1_t, $1_r)
++ ')
++
optional_policy(`
- rpm_read_db($1_t)
- rpm_dontaudit_manage_db($1_t)
+ wine_filetrans_named_content($1_usertype)
')
-+
')
- #######################################
-@@ -868,6 +1138,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1141,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -46012,7 +46028,7 @@ index 9dc60c6..769ce74 100644
##############################
#
# Local policy
-@@ -907,53 +1183,137 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,53 +1186,137 @@ template(`userdom_restricted_xwindows_user_template',`
#
# Local policy
#
@@ -46168,7 +46184,7 @@ index 9dc60c6..769ce74 100644
')
#######################################
-@@ -987,27 +1347,33 @@ template(`userdom_unpriv_user_template', `
+@@ -987,27 +1350,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -46206,7 +46222,7 @@ index 9dc60c6..769ce74 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -1018,23 +1384,63 @@ template(`userdom_unpriv_user_template', `
+@@ -1018,23 +1387,63 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -46280,7 +46296,7 @@ index 9dc60c6..769ce74 100644
')
# Run pppd in pppd_t by default for user
-@@ -1043,7 +1449,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1043,7 +1452,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -46291,7 +46307,7 @@ index 9dc60c6..769ce74 100644
')
')
-@@ -1079,7 +1487,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1079,7 +1490,9 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -46302,7 +46318,7 @@ index 9dc60c6..769ce74 100644
')
##############################
-@@ -1095,6 +1505,7 @@ template(`userdom_admin_user_template',`
+@@ -1095,6 +1508,7 @@ template(`userdom_admin_user_template',`
role system_r types $1_t;
typeattribute $1_t admindomain;
@@ -46310,7 +46326,7 @@ index 9dc60c6..769ce74 100644
ifdef(`direct_sysadm_daemon',`
domain_system_change_exemption($1_t)
-@@ -1105,14 +1516,8 @@ template(`userdom_admin_user_template',`
+@@ -1105,14 +1519,8 @@ template(`userdom_admin_user_template',`
# $1_t local policy
#
@@ -46327,7 +46343,7 @@ index 9dc60c6..769ce74 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1128,6 +1533,7 @@ template(`userdom_admin_user_template',`
+@@ -1128,6 +1536,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -46335,7 +46351,7 @@ index 9dc60c6..769ce74 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1145,10 +1551,15 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1554,15 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -46351,7 +46367,7 @@ index 9dc60c6..769ce74 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1159,29 +1570,40 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1573,40 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -46396,7 +46412,7 @@ index 9dc60c6..769ce74 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1613,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1616,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -46405,7 +46421,7 @@ index 9dc60c6..769ce74 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1622,21 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1625,21 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -46428,7 +46444,7 @@ index 9dc60c6..769ce74 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1240,7 +1672,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1675,7 @@ template(`userdom_admin_user_template',`
## </summary>
## </param>
#
@@ -46437,7 +46453,7 @@ index 9dc60c6..769ce74 100644
allow $1 self:capability { dac_read_search dac_override };
corecmd_exec_shell($1)
-@@ -1250,6 +1682,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1685,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -46446,7 +46462,7 @@ index 9dc60c6..769ce74 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1262,8 +1696,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1699,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -46458,7 +46474,7 @@ index 9dc60c6..769ce74 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1274,29 +1710,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1713,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -46501,7 +46517,7 @@ index 9dc60c6..769ce74 100644
')
optional_policy(`
-@@ -1357,14 +1795,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1798,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -46520,7 +46536,7 @@ index 9dc60c6..769ce74 100644
')
########################################
-@@ -1397,12 +1838,51 @@ interface(`userdom_user_tmp_file',`
+@@ -1397,12 +1841,51 @@ interface(`userdom_user_tmp_file',`
## </param>
#
interface(`userdom_user_tmpfs_file',`
@@ -46573,7 +46589,7 @@ index 9dc60c6..769ce74 100644
## Allow domain to attach to TUN devices created by administrative users.
## </summary>
## <param name="domain">
-@@ -1509,11 +1989,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +1992,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -46605,7 +46621,7 @@ index 9dc60c6..769ce74 100644
## Do not audit attempts to search user home directories.
## </summary>
## <desc>
-@@ -1555,6 +2055,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2058,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -46620,7 +46636,7 @@ index 9dc60c6..769ce74 100644
')
########################################
-@@ -1570,9 +2078,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2081,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -46632,7 +46648,7 @@ index 9dc60c6..769ce74 100644
')
########################################
-@@ -1613,6 +2123,24 @@ interface(`userdom_manage_user_home_dirs',`
+@@ -1613,6 +2126,24 @@ interface(`userdom_manage_user_home_dirs',`
########################################
## <summary>
@@ -46657,7 +46673,7 @@ index 9dc60c6..769ce74 100644
## Relabel to user home directories.
## </summary>
## <param name="domain">
-@@ -1631,6 +2159,59 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1631,6 +2162,59 @@ interface(`userdom_relabelto_user_home_dirs',`
########################################
## <summary>
@@ -46717,7 +46733,7 @@ index 9dc60c6..769ce74 100644
## Create directories in the home dir root with
## the user home directory type.
## </summary>
-@@ -1704,10 +2285,12 @@ interface(`userdom_user_home_domtrans',`
+@@ -1704,10 +2288,12 @@ interface(`userdom_user_home_domtrans',`
#
interface(`userdom_dontaudit_search_user_home_content',`
gen_require(`
@@ -46732,7 +46748,7 @@ index 9dc60c6..769ce74 100644
')
########################################
-@@ -1741,10 +2324,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2327,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -46747,7 +46763,7 @@ index 9dc60c6..769ce74 100644
')
########################################
-@@ -1769,7 +2354,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2357,7 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
## <summary>
@@ -46756,7 +46772,7 @@ index 9dc60c6..769ce74 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1777,19 +2362,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1777,19 +2365,17 @@ interface(`userdom_manage_user_home_content_dirs',`
## </summary>
## </param>
#
@@ -46780,7 +46796,7 @@ index 9dc60c6..769ce74 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1797,55 +2380,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1797,55 +2383,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
## </summary>
## </param>
#
@@ -46851,7 +46867,7 @@ index 9dc60c6..769ce74 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1853,18 +2436,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1853,18 +2439,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
## </summary>
## </param>
#
@@ -46879,7 +46895,7 @@ index 9dc60c6..769ce74 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1872,17 +2456,151 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1872,17 +2459,151 @@ interface(`userdom_mmap_user_home_content_files',`
## </summary>
## </param>
#
@@ -47035,7 +47051,7 @@ index 9dc60c6..769ce74 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1893,11 +2611,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1893,11 +2614,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -47053,7 +47069,7 @@ index 9dc60c6..769ce74 100644
')
########################################
-@@ -1938,7 +2659,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2662,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
## <summary>
@@ -47062,7 +47078,7 @@ index 9dc60c6..769ce74 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1946,10 +2667,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2670,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
## </summary>
## </param>
#
@@ -47075,7 +47091,7 @@ index 9dc60c6..769ce74 100644
')
userdom_search_user_home_content($1)
-@@ -1958,7 +2678,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2681,7 @@ interface(`userdom_delete_all_user_home_content_files',`
########################################
## <summary>
@@ -47084,7 +47100,7 @@ index 9dc60c6..769ce74 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1966,12 +2686,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2689,66 @@ interface(`userdom_delete_all_user_home_content_files',`
## </summary>
## </param>
#
@@ -47153,7 +47169,7 @@ index 9dc60c6..769ce74 100644
')
########################################
-@@ -2007,8 +2781,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2784,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -47163,7 +47179,7 @@ index 9dc60c6..769ce74 100644
')
########################################
-@@ -2024,20 +2797,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2800,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -47188,7 +47204,7 @@ index 9dc60c6..769ce74 100644
########################################
## <summary>
-@@ -2120,7 +2887,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2890,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
## <summary>
@@ -47197,7 +47213,7 @@ index 9dc60c6..769ce74 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2128,19 +2895,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2898,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
## </summary>
## </param>
#
@@ -47221,7 +47237,7 @@ index 9dc60c6..769ce74 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2148,12 +2913,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2916,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
## </summary>
## </param>
#
@@ -47237,7 +47253,7 @@ index 9dc60c6..769ce74 100644
')
########################################
-@@ -2388,18 +3153,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3156,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
## </summary>
## </param>
#
@@ -47295,7 +47311,7 @@ index 9dc60c6..769ce74 100644
## Do not audit attempts to read users
## temporary files.
## </summary>
-@@ -2414,7 +3215,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3218,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -47304,7 +47320,7 @@ index 9dc60c6..769ce74 100644
')
########################################
-@@ -2455,6 +3256,25 @@ interface(`userdom_rw_user_tmp_files',`
+@@ -2455,6 +3259,25 @@ interface(`userdom_rw_user_tmp_files',`
rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
@@ -47330,7 +47346,7 @@ index 9dc60c6..769ce74 100644
########################################
## <summary>
-@@ -2538,7 +3358,7 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,7 +3361,7 @@ interface(`userdom_manage_user_tmp_files',`
########################################
## <summary>
## Create, read, write, and delete user
@@ -47339,7 +47355,7 @@ index 9dc60c6..769ce74 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2546,19 +3366,19 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2546,19 +3369,19 @@ interface(`userdom_manage_user_tmp_files',`
## </summary>
## </param>
#
@@ -47362,7 +47378,7 @@ index 9dc60c6..769ce74 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2566,19 +3386,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
+@@ -2566,19 +3389,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
## </summary>
## </param>
#
@@ -47385,7 +47401,7 @@ index 9dc60c6..769ce74 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2586,19 +3406,60 @@ interface(`userdom_manage_user_tmp_pipes',`
+@@ -2586,19 +3409,60 @@ interface(`userdom_manage_user_tmp_pipes',`
## </summary>
## </param>
#
@@ -47450,7 +47466,7 @@ index 9dc60c6..769ce74 100644
## a specified private type.
## </summary>
## <param name="domain">
-@@ -2661,6 +3522,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2661,6 +3525,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -47472,7 +47488,7 @@ index 9dc60c6..769ce74 100644
########################################
## <summary>
## Read user tmpfs files.
-@@ -2672,18 +3548,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2672,18 +3551,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
## </param>
#
interface(`userdom_read_user_tmpfs_files',`
@@ -47494,7 +47510,7 @@ index 9dc60c6..769ce74 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2692,19 +3563,13 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3566,13 @@ interface(`userdom_read_user_tmpfs_files',`
## </param>
#
interface(`userdom_rw_user_tmpfs_files',`
@@ -47517,7 +47533,7 @@ index 9dc60c6..769ce74 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2713,13 +3578,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2713,13 +3581,56 @@ interface(`userdom_rw_user_tmpfs_files',`
## </param>
#
interface(`userdom_manage_user_tmpfs_files',`
@@ -47578,7 +47594,7 @@ index 9dc60c6..769ce74 100644
')
########################################
-@@ -2814,6 +3722,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3725,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -47603,7 +47619,7 @@ index 9dc60c6..769ce74 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
-@@ -2832,22 +3758,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3761,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@@ -47646,7 +47662,7 @@ index 9dc60c6..769ce74 100644
## </desc>
## <param name="domain">
## <summary>
-@@ -2856,14 +3794,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3797,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@@ -47684,7 +47700,7 @@ index 9dc60c6..769ce74 100644
')
########################################
-@@ -2882,8 +3839,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3842,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -47714,7 +47730,7 @@ index 9dc60c6..769ce74 100644
')
########################################
-@@ -2955,69 +3931,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,69 +3934,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -47815,7 +47831,7 @@ index 9dc60c6..769ce74 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3025,12 +4000,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,12 +4003,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@@ -47830,7 +47846,7 @@ index 9dc60c6..769ce74 100644
')
########################################
-@@ -3094,7 +4069,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4072,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -47839,7 +47855,7 @@ index 9dc60c6..769ce74 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3110,29 +4085,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4088,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -47873,7 +47889,7 @@ index 9dc60c6..769ce74 100644
')
########################################
-@@ -3214,7 +4173,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4176,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -47900,7 +47916,7 @@ index 9dc60c6..769ce74 100644
')
########################################
-@@ -3269,12 +4246,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4249,13 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -47916,7 +47932,7 @@ index 9dc60c6..769ce74 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3282,46 +4260,122 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,46 +4263,122 @@ interface(`userdom_write_user_tmp_files',`
## </summary>
## </param>
#
@@ -48052,7 +48068,7 @@ index 9dc60c6..769ce74 100644
')
allow $1 userdomain:process getattr;
-@@ -3382,6 +4436,42 @@ interface(`userdom_signal_all_users',`
+@@ -3382,6 +4439,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -48095,7 +48111,7 @@ index 9dc60c6..769ce74 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4492,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4495,60 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -48156,7 +48172,7 @@ index 9dc60c6..769ce74 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3435,4 +4579,1691 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4582,1691 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index efe9698..e56d9f6 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -546,7 +546,7 @@ index 058d908..158acba 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index eb50f07..a0f044b 100644
+index eb50f07..d6d0e34 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -1054,7 +1054,7 @@ index eb50f07..a0f044b 100644
#######################################
#
-@@ -404,25 +517,58 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +517,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1086,7 +1086,7 @@ index eb50f07..a0f044b 100644
# Upload watch local policy
#
-+allow abrt_upload_watch_t self:capability { dac_override chown };
++allow abrt_upload_watch_t self:capability { dac_override chown fsetid };
+
+manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
@@ -1097,6 +1097,8 @@ index eb50f07..a0f044b 100644
+
+manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)
+
++abrt_dbus_chat(abrt_upload_watch_t)
++
corecmd_exec_bin(abrt_upload_watch_t)
+dev_read_urand(abrt_upload_watch_t)
@@ -1115,7 +1117,7 @@ index eb50f07..a0f044b 100644
')
#######################################
-@@ -430,10 +576,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +578,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
@@ -5173,10 +5175,10 @@ index f6eb485..164501c 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 6649962..44258d7 100644
+index 6649962..fc23c8a 100644
--- a/apache.te
+++ b/apache.te
-@@ -5,280 +5,339 @@ policy_module(apache, 2.7.2)
+@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
# Declarations
#
@@ -5251,6 +5253,13 @@ index 6649962..44258d7 100644
+
+## <desc>
+## <p>
++## Allow httpd processes to run IPA helper.
++## </p>
++## </desc>
++gen_tunable(httpd_run_ipa, false)
++
++## <desc>
++## <p>
+## Allow httpd to use built in scripting (usually php)
+## </p>
+## </desc>
@@ -5306,22 +5315,22 @@ index 6649962..44258d7 100644
+## <p>
+## Allow HTTPD scripts and modules to connect to databases over the network.
+## </p>
++## </desc>
++gen_tunable(httpd_can_network_connect_db, false)
++
++## <desc>
++## <p>
++## Allow httpd to connect to memcache server
++## </p>
## </desc>
-gen_tunable(httpd_can_network_connect_memcache, false)
-+gen_tunable(httpd_can_network_connect_db, false)
++gen_tunable(httpd_can_network_memcache, false)
## <desc>
-## <p>
-## Determine whether httpd can act as a relay.
-## </p>
+## <p>
-+## Allow httpd to connect to memcache server
-+## </p>
-+## </desc>
-+gen_tunable(httpd_can_network_memcache, false)
-+
-+## <desc>
-+## <p>
+## Allow httpd to act as a relay
+## </p>
## </desc>
@@ -5662,7 +5671,7 @@ index 6649962..44258d7 100644
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
-@@ -286,15 +345,35 @@ init_script_file(httpd_initrc_exec_t)
+@@ -286,15 +352,35 @@ init_script_file(httpd_initrc_exec_t)
type httpd_keytab_t;
files_type(httpd_keytab_t)
@@ -5698,7 +5707,7 @@ index 6649962..44258d7 100644
type httpd_rotatelogs_t;
type httpd_rotatelogs_exec_t;
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
-@@ -302,10 +381,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+@@ -302,10 +388,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t)
@@ -5711,7 +5720,7 @@ index 6649962..44258d7 100644
type httpd_suexec_exec_t;
domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
-@@ -314,9 +391,19 @@ role system_r types httpd_suexec_t;
+@@ -314,9 +398,19 @@ role system_r types httpd_suexec_t;
type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)
@@ -5734,7 +5743,7 @@ index 6649962..44258d7 100644
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -324,14 +411,21 @@ files_tmp_file(httpd_tmp_t)
+@@ -324,14 +418,21 @@ files_tmp_file(httpd_tmp_t)
type httpd_tmpfs_t;
files_tmpfs_file(httpd_tmpfs_t)
@@ -5757,7 +5766,7 @@ index 6649962..44258d7 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -346,33 +440,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
+@@ -346,33 +447,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
@@ -5809,7 +5818,7 @@ index 6649962..44258d7 100644
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
-@@ -381,30 +482,39 @@ allow httpd_t self:shm create_shm_perms;
+@@ -381,30 +489,39 @@ allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive };
@@ -5854,7 +5863,7 @@ index 6649962..44258d7 100644
logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms;
-@@ -412,14 +522,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+@@ -412,14 +529,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@@ -5876,7 +5885,7 @@ index 6649962..44258d7 100644
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -450,140 +567,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -450,140 +574,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -5944,7 +5953,7 @@ index 6649962..44258d7 100644
+fs_read_hugetlbfs_files(httpd_t)
+
+auth_use_nsswitch(httpd_t)
-
++
+application_exec_all(httpd_t)
+
+# execute perl
@@ -5953,7 +5962,7 @@ index 6649962..44258d7 100644
+
+domain_use_interactive_fds(httpd_t)
+domain_dontaudit_read_all_domains_state(httpd_t)
-+
+
+files_dontaudit_search_all_pids(httpd_t)
files_dontaudit_getattr_all_pids(httpd_t)
-files_read_usr_files(httpd_t)
@@ -6116,7 +6125,7 @@ index 6649962..44258d7 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -594,28 +745,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -594,28 +752,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -6176,7 +6185,7 @@ index 6649962..44258d7 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +797,46 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +804,46 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -6269,7 +6278,7 @@ index 6649962..44258d7 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -695,49 +846,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,49 +853,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -6290,17 +6299,17 @@ index 6649962..44258d7 100644
- userdom_use_user_terminals(httpd_t)
-',`
- userdom_dontaudit_use_user_terminals(httpd_t)
--')
--
++ userdom_use_inherited_user_terminals(httpd_t)
++ userdom_use_inherited_user_terminals(httpd_suexec_t)
+ ')
+
-tunable_policy(`httpd_use_cifs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_cifs_dirs(httpd_t)
- fs_manage_cifs_files(httpd_t)
- fs_manage_cifs_symlinks(httpd_t)
-+ userdom_use_inherited_user_terminals(httpd_t)
-+ userdom_use_inherited_user_terminals(httpd_suexec_t)
- ')
-
+-')
+-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_t)
-')
@@ -6350,7 +6359,7 @@ index 6649962..44258d7 100644
')
optional_policy(`
-@@ -749,24 +899,32 @@ optional_policy(`
+@@ -749,24 +906,32 @@ optional_policy(`
')
optional_policy(`
@@ -6389,7 +6398,7 @@ index 6649962..44258d7 100644
')
optional_policy(`
-@@ -775,6 +933,10 @@ optional_policy(`
+@@ -775,6 +940,10 @@ optional_policy(`
tunable_policy(`httpd_dbus_avahi',`
avahi_dbus_chat(httpd_t)
')
@@ -6400,7 +6409,7 @@ index 6649962..44258d7 100644
')
optional_policy(`
-@@ -786,35 +948,60 @@ optional_policy(`
+@@ -786,35 +955,60 @@ optional_policy(`
')
optional_policy(`
@@ -6474,10 +6483,22 @@ index 6649962..44258d7 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -822,8 +1009,18 @@ optional_policy(`
+@@ -822,8 +1016,30 @@ optional_policy(`
')
optional_policy(`
++ tunable_policy(`httpd_run_ipa',`
++ oddjob_dbus_chat(httpd_t)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`httpd_run_ipa',`
++ ipa_domtrans_helper(httpd_t)
++ ')
++')
++
++optional_policy(`
+ munin_read_config(httpd_t)
+')
+
@@ -6493,7 +6514,7 @@ index 6649962..44258d7 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -832,6 +1029,8 @@ optional_policy(`
+@@ -832,6 +1048,8 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -6502,7 +6523,7 @@ index 6649962..44258d7 100644
')
optional_policy(`
-@@ -842,20 +1041,40 @@ optional_policy(`
+@@ -842,20 +1060,40 @@ optional_policy(`
')
optional_policy(`
@@ -6537,19 +6558,19 @@ index 6649962..44258d7 100644
- ')
+optional_policy(`
+ puppet_read_lib(httpd_t)
-+')
-+
-+optional_policy(`
-+ pwauth_domtrans(httpd_t)
')
optional_policy(`
- puppet_read_lib_files(httpd_t)
++ pwauth_domtrans(httpd_t)
++')
++
++optional_policy(`
+ rpm_dontaudit_read_db(httpd_t)
')
optional_policy(`
-@@ -863,16 +1082,31 @@ optional_policy(`
+@@ -863,16 +1101,31 @@ optional_policy(`
')
optional_policy(`
@@ -6583,7 +6604,7 @@ index 6649962..44258d7 100644
')
optional_policy(`
-@@ -883,65 +1117,189 @@ optional_policy(`
+@@ -883,65 +1136,189 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6672,10 +6693,11 @@ index 6649962..44258d7 100644
-',`
- userdom_dontaudit_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
-+')
-+
-+########################################
-+#
+ ')
+
+ ########################################
+ #
+-# Suexec local policy
+# Apache PHP script local policy
+#
+
@@ -6734,11 +6756,10 @@ index 6649962..44258d7 100644
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t)
+ ')
- ')
-
- ########################################
- #
--# Suexec local policy
++')
++
++########################################
++#
+# Apache suexec local policy
#
@@ -6795,7 +6816,7 @@ index 6649962..44258d7 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -950,123 +1308,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1327,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6950,7 +6971,7 @@ index 6649962..44258d7 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1392,107 @@ optional_policy(`
+@@ -1083,172 +1411,107 @@ optional_policy(`
')
')
@@ -6972,11 +6993,11 @@ index 6649962..44258d7 100644
-allow httpd_script_domains self:unix_stream_socket connectto;
-
-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
-+allow httpd_sys_script_t self:process getsched;
-
+-
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
--
++allow httpd_sys_script_t self:process getsched;
+
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-
@@ -7133,7 +7154,8 @@ index 6649962..44258d7 100644
-kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-fs_search_auto_mountpoints(httpd_sys_script_t)
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+
-files_read_var_symlinks(httpd_sys_script_t)
-files_search_var_lib(httpd_sys_script_t)
-files_search_spool(httpd_sys_script_t)
@@ -7141,8 +7163,7 @@ index 6649962..44258d7 100644
-apache_domtrans_rotatelogs(httpd_sys_script_t)
-
-auth_use_nsswitch(httpd_sys_script_t)
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-
+-
-tunable_policy(`httpd_can_sendmail',`
- corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_smtp_port(httpd_sys_script_t)
@@ -7188,7 +7209,7 @@ index 6649962..44258d7 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1500,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1519,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -7285,7 +7306,7 @@ index 6649962..44258d7 100644
########################################
#
-@@ -1321,8 +1575,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1594,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -7302,7 +7323,7 @@ index 6649962..44258d7 100644
')
########################################
-@@ -1330,49 +1591,38 @@ optional_policy(`
+@@ -1330,49 +1610,38 @@ optional_policy(`
# User content local policy
#
@@ -7367,7 +7388,7 @@ index 6649962..44258d7 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1632,109 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1651,109 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -25135,10 +25156,10 @@ index 0000000..457d4dd
+')
diff --git a/dnssec.te b/dnssec.te
new file mode 100644
-index 0000000..1e0a31f
+index 0000000..6d795fe
--- /dev/null
+++ b/dnssec.te
-@@ -0,0 +1,74 @@
+@@ -0,0 +1,81 @@
+policy_module(dnssec, 1.0.0)
+
+########################################
@@ -25156,6 +25177,9 @@ index 0000000..1e0a31f
+type dnssec_trigger_var_run_t;
+files_pid_file(dnssec_trigger_var_run_t)
+
++type dnssec_trigger_tmp_t;
++files_tmp_file(dnssec_trigger_tmp_t)
++
+########################################
+#
+# dnssec_trigger local policy
@@ -25171,6 +25195,10 @@ index 0000000..1e0a31f
+manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file })
+
++manage_files_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t)
++manage_dirs_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t)
++files_tmp_filetrans(dnssec_trigger_t,dnssec_trigger_tmp_t,{ file dir })
++
+kernel_read_system_state(dnssec_trigger_t)
+
+corecmd_exec_bin(dnssec_trigger_t)
@@ -28721,7 +28749,7 @@ index 4498143..84a4858 100644
ftp_run_ftpdctl($1, $2)
')
diff --git a/ftp.te b/ftp.te
-index 36838c2..a422d04 100644
+index 36838c2..a09e8b2 100644
--- a/ftp.te
+++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
@@ -28767,22 +28795,7 @@ index 36838c2..a422d04 100644
## <desc>
## <p>
-@@ -50,14 +57,6 @@ gen_tunable(ftpd_connect_db, false)
-
- ## <desc>
- ## <p>
--## Determine whether ftpd can bind to all
--## unreserved ports for passive mode.
--## </p>
--## </desc>
--gen_tunable(ftpd_use_passive_mode, false)
--
--## <desc>
--## <p>
- ## Determine whether ftpd can connect to
- ## all unreserved ports.
- ## </p>
-@@ -124,6 +123,9 @@ files_config_file(ftpd_etc_t)
+@@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t)
type ftpd_initrc_exec_t;
init_script_file(ftpd_initrc_exec_t)
@@ -28792,7 +28805,7 @@ index 36838c2..a422d04 100644
type ftpd_keytab_t;
files_type(ftpd_keytab_t)
-@@ -184,6 +186,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms;
+@@ -184,6 +194,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms;
allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
@@ -28802,7 +28815,7 @@ index 36838c2..a422d04 100644
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -198,22 +203,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
+@@ -198,22 +211,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
@@ -28829,7 +28842,7 @@ index 36838c2..a422d04 100644
corenet_all_recvfrom_netlabel(ftpd_t)
corenet_tcp_sendrecv_generic_if(ftpd_t)
corenet_udp_sendrecv_generic_if(ftpd_t)
-@@ -229,9 +231,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
+@@ -229,9 +239,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
corenet_sendrecv_ftp_data_server_packets(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
@@ -28843,7 +28856,7 @@ index 36838c2..a422d04 100644
files_read_etc_runtime_files(ftpd_t)
files_search_var_lib(ftpd_t)
-@@ -250,7 +255,6 @@ logging_send_audit_msgs(ftpd_t)
+@@ -250,7 +263,6 @@ logging_send_audit_msgs(ftpd_t)
logging_send_syslog_msg(ftpd_t)
logging_set_loginuid(ftpd_t)
@@ -28851,7 +28864,7 @@ index 36838c2..a422d04 100644
miscfiles_read_public_files(ftpd_t)
seutil_dontaudit_search_config(ftpd_t)
-@@ -259,37 +263,47 @@ sysnet_use_ldap(ftpd_t)
+@@ -259,32 +271,50 @@ sysnet_use_ldap(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
userdom_dontaudit_search_user_home_dirs(ftpd_t)
@@ -28898,18 +28911,18 @@ index 36838c2..a422d04 100644
- files_manage_non_auth_files(ftpd_t)
+ files_manage_non_security_dirs(ftpd_t)
+ files_manage_non_security_files(ftpd_t)
- ')
-
--tunable_policy(`ftpd_use_passive_mode',`
-- corenet_sendrecv_all_server_packets(ftpd_t)
-- corenet_tcp_bind_all_unreserved_ports(ftpd_t)
++')
++
++tunable_policy(`ftpd_use_passive_mode',`
++ corenet_tcp_bind_all_unreserved_ports(ftpd_t)
++')
+
+tunable_policy(`ftpd_connect_all_unreserved',`
+ corenet_tcp_connect_all_unreserved_ports(ftpd_t)
')
- tunable_policy(`ftpd_connect_all_unreserved',`
-@@ -304,22 +318,19 @@ tunable_policy(`ftpd_connect_db',`
+ tunable_policy(`ftpd_use_passive_mode',`
+@@ -304,22 +334,19 @@ tunable_policy(`ftpd_connect_db',`
corenet_sendrecv_mssql_client_packets(ftpd_t)
corenet_tcp_connect_mssql_port(ftpd_t)
corenet_tcp_sendrecv_mssql_port(ftpd_t)
@@ -28937,7 +28950,7 @@ index 36838c2..a422d04 100644
userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
')
-@@ -363,9 +374,8 @@ optional_policy(`
+@@ -363,9 +390,8 @@ optional_policy(`
optional_policy(`
selinux_validate_context(ftpd_t)
@@ -28948,7 +28961,7 @@ index 36838c2..a422d04 100644
kerberos_use(ftpd_t)
')
-@@ -416,21 +426,20 @@ optional_policy(`
+@@ -416,21 +442,20 @@ optional_policy(`
#
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -28972,7 +28985,7 @@ index 36838c2..a422d04 100644
miscfiles_read_public_files(anon_sftpd_t)
-@@ -443,23 +452,34 @@ tunable_policy(`sftpd_anon_write',`
+@@ -443,23 +468,34 @@ tunable_policy(`sftpd_anon_write',`
# Sftpd local policy
#
@@ -29013,7 +29026,7 @@ index 36838c2..a422d04 100644
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -481,21 +501,11 @@ tunable_policy(`sftpd_anon_write',`
+@@ -481,21 +517,11 @@ tunable_policy(`sftpd_anon_write',`
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
@@ -36212,24 +36225,26 @@ index 0000000..61f2003
+userdom_use_user_terminals(iotop_t)
diff --git a/ipa.fc b/ipa.fc
new file mode 100644
-index 0000000..877a747
+index 0000000..db194ec
--- /dev/null
+++ b/ipa.fc
-@@ -0,0 +1,8 @@
+@@ -0,0 +1,10 @@
+/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
+
+/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
+
++/usr/libexec/ipa/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
++
+/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0)
+
+/var/run/ipa(/.*)? gen_context(system_u:object_r:ipa_var_run_t,s0)
+
diff --git a/ipa.if b/ipa.if
new file mode 100644
-index 0000000..789b3e8
+index 0000000..de83173
--- /dev/null
+++ b/ipa.if
-@@ -0,0 +1,112 @@
+@@ -0,0 +1,150 @@
+## <summary>Policy for IPA services.</summary>
+
+########################################
@@ -36270,6 +36285,44 @@ index 0000000..789b3e8
+
+########################################
+## <summary>
++## Execute ipa-helper in the ipa_helper domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ipa_domtrans_helper',`
++ gen_require(`
++ type ipa_helper_t, ipa_helper_exec_t;
++ ')
++
++ domtrans_pattern($1, ipa_helper_exec_t, ipa_helper_t)
++')
++
++########################################
++## <summary>
++## Execute ipa-helper in the ipa_helper domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ipa_run_helper',`
++ gen_require(`
++ type ipa_helper_t;
++ attribute_role ipa_helper_roles;
++ ')
++
++ ipa_domtrans_helper($1)
++ roleattribute $2 ipa_helper_roles;
++')
++
++########################################
++## <summary>
+## Allow domain to manage ipa lib files/dirs.
+## </summary>
+## <param name="domain">
@@ -36344,10 +36397,10 @@ index 0000000..789b3e8
+
diff --git a/ipa.te b/ipa.te
new file mode 100644
-index 0000000..a7f09d25
+index 0000000..7d70dcb
--- /dev/null
+++ b/ipa.te
-@@ -0,0 +1,50 @@
+@@ -0,0 +1,113 @@
+policy_module(ipa, 1.0.0)
+
+########################################
@@ -36357,6 +36410,9 @@ index 0000000..a7f09d25
+
+attribute ipa_domain;
+
++attribute_role ipa_helper_roles;
++roleattribute system_r ipa_helper_roles;
++
+type ipa_otpd_t, ipa_domain;
+type ipa_otpd_exec_t;
+init_daemon_domain(ipa_otpd_t, ipa_otpd_exec_t)
@@ -36370,6 +36426,13 @@ index 0000000..a7f09d25
+type ipa_var_run_t;
+files_pid_file(ipa_var_run_t)
+
++type ipa_helper_t;
++type ipa_helper_exec_t;
++domain_type(ipa_helper_t)
++domain_obj_id_change_exemption(ipa_helper_t)
++init_system_domain(ipa_helper_t, ipa_helper_exec_t)
++role ipa_helper_roles types ipa_helper_t;
++
+########################################
+#
+# ipa_otpd local policy
@@ -36398,6 +36461,59 @@ index 0000000..a7f09d25
+optional_policy(`
+ kerberos_use(ipa_otpd_t)
+')
++
++########################################
++#
++# ipa-helper local policy
++#
++
++
++allow ipa_helper_t self:capability { dac_override chown };
++
++allow ipa_helper_t self:process setfscreate;
++allow ipa_helper_t self:fifo_file rw_fifo_file_perms;
++allow ipa_helper_t self:netlink_route_socket r_netlink_socket_perms;
++
++kernel_read_system_state(ipa_helper_t)
++
++corenet_tcp_connect_ldap_port(ipa_helper_t)
++corenet_tcp_connect_smbd_port(ipa_helper_t)
++
++corecmd_exec_bin(ipa_helper_t)
++corecmd_exec_shell(ipa_helper_t)
++
++dev_read_urand(ipa_helper_t)
++
++auth_use_nsswitch(ipa_helper_t)
++
++ipa_manage_pid_files(ipa_helper_t)
++ipa_read_lib(ipa_helper_t)
++
++logging_send_syslog_msg(ipa_helper_t)
++
++optional_policy(`
++ ldap_stream_connect(ipa_helper_t)
++')
++
++optional_policy(`
++ libs_exec_ldconfig(ipa_helper_t)
++')
++
++optional_policy(`
++ memcached_stream_connect(ipa_helper_t)
++')
++
++optional_policy(`
++ oddjob_system_entry(ipa_helper_t, ipa_helper_exec_t)
++')
++
++optional_policy(`
++ samba_read_config(ipa_helper_t)
++')
++
++optional_policy(`
++ sssd_manage_lib_files(ipa_helper_t)
++')
diff --git a/irc.fc b/irc.fc
index 48e7739..1bf0326 100644
--- a/irc.fc
@@ -50280,7 +50396,7 @@ index f42896c..bd1eb52 100644
+/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/mta.if b/mta.if
-index ed81cac..80e6086 100644
+index ed81cac..ad452db 100644
--- a/mta.if
+++ b/mta.if
@@ -1,4 +1,4 @@
@@ -51236,7 +51352,7 @@ index ed81cac..80e6086 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1081,3 +1067,201 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -1081,3 +1067,204 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -51435,6 +51551,9 @@ index ed81cac..80e6086 100644
+ mta_etc_filetrans_aliases($1, "aliases.db")
+ mta_etc_filetrans_aliases($1, "aliasesdb-stamp")
+ mta_etc_filetrans_aliases($1, "__db.aliases.db")
++ mta_etc_filetrans_aliases($1, "virtusertable.db")
++ mta_etc_filetrans_aliases($1, "access.db")
++ mta_etc_filetrans_aliases($1, "domaintable.db")
+ mta_filetrans_home_content($1)
+ mta_filetrans_admin_home_content($1)
+')
@@ -54225,7 +54344,7 @@ index d78dfc3..40e1c77 100644
-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
diff --git a/nagios.if b/nagios.if
-index 0641e97..ed3394e 100644
+index 0641e97..438eeb3 100644
--- a/nagios.if
+++ b/nagios.if
@@ -1,12 +1,13 @@
@@ -54247,7 +54366,7 @@ index 0641e97..ed3394e 100644
## </summary>
## </param>
#
-@@ -16,38 +17,31 @@ template(`nagios_plugin_template',`
+@@ -16,38 +17,51 @@ template(`nagios_plugin_template',`
type nagios_t, nrpe_t;
')
@@ -54280,6 +54399,26 @@ index 0641e97..ed3394e 100644
## <summary>
-## Do not audit attempts to read or
-## write nagios unnamed pipes.
++## Execute the nagios unconfined plugins with
++## a domain transition.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`nagios_domtrans_unconfined_plugins',`
++ gen_require(`
++ type nagios_unconfined_plugin_t;
++ type nagios_unconfined_plugin_exec_t;
++ ')
++
++ domtrans_pattern($1, nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
++')
++
++########################################
++## <summary>
+## Do not audit attempts to read or write nagios
+## unnamed pipes.
## </summary>
@@ -54292,7 +54431,7 @@ index 0641e97..ed3394e 100644
#
interface(`nagios_dontaudit_rw_pipes',`
gen_require(`
-@@ -59,7 +53,8 @@ interface(`nagios_dontaudit_rw_pipes',`
+@@ -59,7 +73,8 @@ interface(`nagios_dontaudit_rw_pipes',`
########################################
## <summary>
@@ -54302,7 +54441,7 @@ index 0641e97..ed3394e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -73,15 +68,33 @@ interface(`nagios_read_config',`
+@@ -73,15 +88,33 @@ interface(`nagios_read_config',`
type nagios_etc_t;
')
@@ -54339,7 +54478,7 @@ index 0641e97..ed3394e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -100,8 +113,7 @@ interface(`nagios_read_log',`
+@@ -100,8 +133,7 @@ interface(`nagios_read_log',`
########################################
## <summary>
@@ -54349,18 +54488,17 @@ index 0641e97..ed3394e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -132,13 +144,33 @@ interface(`nagios_search_spool',`
+@@ -132,13 +164,33 @@ interface(`nagios_search_spool',`
type nagios_spool_t;
')
- files_search_spool($1)
allow $1 nagios_spool_t:dir search_dir_perms;
+ files_search_spool($1)
- ')
-
- ########################################
- ## <summary>
--## Read nagios temporary files.
++')
++
++########################################
++## <summary>
+## Append nagios spool files.
+## </summary>
+## <param name="domain">
@@ -54376,16 +54514,17 @@ index 0641e97..ed3394e 100644
+
+ allow $1 nagios_spool_t:file append_file_perms;
+ files_search_spool($1)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Read nagios temporary files.
+## Allow the specified domain to read
+## nagios temporary files.
## </summary>
## <param name="domain">
## <summary>
-@@ -151,13 +183,34 @@ interface(`nagios_read_tmp_files',`
+@@ -151,13 +203,34 @@ interface(`nagios_read_tmp_files',`
type nagios_tmp_t;
')
@@ -54422,7 +54561,7 @@ index 0641e97..ed3394e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -170,14 +223,13 @@ interface(`nagios_domtrans_nrpe',`
+@@ -170,14 +243,13 @@ interface(`nagios_domtrans_nrpe',`
type nrpe_t, nrpe_exec_t;
')
@@ -54439,7 +54578,7 @@ index 0641e97..ed3394e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -186,44 +238,43 @@ interface(`nagios_domtrans_nrpe',`
+@@ -186,44 +258,43 @@ interface(`nagios_domtrans_nrpe',`
## </param>
## <param name="role">
## <summary>
@@ -64947,10 +65086,10 @@ index 0000000..80246e6
+
diff --git a/pcp.te b/pcp.te
new file mode 100644
-index 0000000..7a3dc05
+index 0000000..15702ce
--- /dev/null
+++ b/pcp.te
-@@ -0,0 +1,240 @@
+@@ -0,0 +1,241 @@
+policy_module(pcp, 1.0.0)
+
+########################################
@@ -65000,6 +65139,7 @@ index 0000000..7a3dc05
+allow pcp_domain self:tcp_socket create_stream_socket_perms;
+allow pcp_domain self:udp_socket create_socket_perms;
+allow pcp_domain self:netlink_route_socket create_socket_perms;
++allow pcp_domain self:unix_stream_socket connectto;
+
+corenet_tcp_connect_all_ephemeral_ports(pcp_domain)
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 22fb027..1b2c317 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 134%{?dist}
+Release: 135%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,30 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Jul 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-135
+- Update mta_filetrans_named_content() interface to cover more db files.
+- Revert "Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling."
+- Allow pcp domains to connect to own process using unix_stream_socket.
+- Typo in abrt.te
+- Allow abrt-upload-watch service to dbus chat with ABRT daemon and fsetid capability to allow run reporter-upload correctly.
+- Add nagios_domtrans_unconfined_plugins() interface.
+- Add nagios_domtrans_unconfined_plugins() interface.
+- Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob.
+- Add support for oddjob based helper in FreeIPA. BZ(1238165)
+- Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/ BZ(1240840)
+- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
+- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
+- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types.
+- nrpe needs kill capability to make gluster moniterd nodes working.
+- Revert "Dontaudit ctbd_t sending signull to smbd_t."
+- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
+- Allow prosody connect to postgresql port.
+- Fix logging_syslogd_run_nagios_plugins calling in logging.te
+- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins.
+- Add support for oddjob based helper in FreeIPA. BZ(1238165)
+- Add new interfaces
+- Add fs_fusefs_entry_type() interface.
+
* Thu Jul 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-134
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.