diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 9709c47..7905622 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -15970,7 +15970,7 @@ index 649e458..cc924ae 100644
+ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 6fac350..e7add10 100644
+index 6fac350..06704f6 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -16021,7 +16021,15 @@ index 6fac350..e7add10 100644
# /proc/sys/dev directory and files
type sysctl_dev_t, sysctl_type;
genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
-@@ -233,7 +246,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+@@ -189,6 +202,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+ # kernel local policy
+ #
+
++allow kernel_t self:capability2 mac_admin;
+ allow kernel_t self:capability ~sys_module;
+ allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow kernel_t self:shm create_shm_perms;
+@@ -233,7 +247,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
corenet_in_generic_if(unlabeled_t)
corenet_in_generic_node(unlabeled_t)
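Review bot: The new `allow kernel_t self:capability2 mac_admin;` at the top of the kernel local policy block carries no comment saying which operation needs it. mac_admin lets the domain assign security contexts that the loaded policy does not define, which is broader than anything else granted in this block, so a why-comment above the rule, e.g. `# mac_admin: needed for <operation — TODO fill in>`, would let a later audit judge whether it is still required. The enclosing kernel_t block continues outside the hunk.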
@@ -16029,7 +16037,7 @@ index 6fac350..e7add10 100644
corenet_all_recvfrom_netlabel(kernel_t)
# Kernel-generated traffic e.g., ICMP replies:
corenet_raw_sendrecv_all_if(kernel_t)
-@@ -244,17 +256,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
+@@ -244,17 +257,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
corenet_tcp_sendrecv_all_nodes(kernel_t)
corenet_raw_send_generic_node(kernel_t)
corenet_send_all_packets(kernel_t)
@@ -16055,7 +16063,7 @@ index 6fac350..e7add10 100644
# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
-@@ -263,7 +279,8 @@ fs_unmount_all_fs(kernel_t)
+@@ -263,7 +280,8 @@ fs_unmount_all_fs(kernel_t)
selinux_load_policy(kernel_t)
@@ -16065,7 +16073,7 @@ index 6fac350..e7add10 100644
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -277,25 +294,49 @@ files_list_root(kernel_t)
+@@ -277,25 +295,49 @@ files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -16115,7 +16123,7 @@ index 6fac350..e7add10 100644
')
optional_policy(`
-@@ -305,6 +346,19 @@ optional_policy(`
+@@ -305,6 +347,19 @@ optional_policy(`
optional_policy(`
logging_send_syslog_msg(kernel_t)
@@ -16135,7 +16143,7 @@ index 6fac350..e7add10 100644
')
optional_policy(`
-@@ -334,7 +388,6 @@ optional_policy(`
+@@ -334,7 +389,6 @@ optional_policy(`
rpc_manage_nfs_ro_content(kernel_t)
rpc_manage_nfs_rw_content(kernel_t)
@@ -16143,7 +16151,7 @@ index 6fac350..e7add10 100644
rpc_udp_rw_nfs_sockets(kernel_t)
tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +396,7 @@ optional_policy(`
+@@ -343,9 +397,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@@ -16154,7 +16162,7 @@ index 6fac350..e7add10 100644
')
tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +405,7 @@ optional_policy(`
+@@ -354,7 +406,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@@ -16163,7 +16171,7 @@ index 6fac350..e7add10 100644
')
')
-@@ -367,6 +418,15 @@ optional_policy(`
+@@ -367,6 +419,15 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
@@ -16179,7 +16187,7 @@ index 6fac350..e7add10 100644
########################################
#
# Unlabeled process local policy
-@@ -409,4 +469,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+@@ -409,4 +470,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
@@ -22226,7 +22234,7 @@ index d1f64a0..3be3d00 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..ad955d5 100644
+index 6bf0ecc..0ef3955 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -22571,15 +22579,58 @@ index 6bf0ecc..ad955d5 100644
########################################
##
## Create a Xauthority file in the user home directory.
-@@ -598,6 +682,7 @@ interface(`xserver_read_user_xauth',`
+@@ -567,6 +651,24 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',`
+
+ ########################################
+ ##
++## Create a Xauthority file in the admin home directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_admin_home_dir_filetrans_xauth',`
++ gen_require(`
++ type xauth_home_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, xauth_home_t, file)
++')
++
++########################################
++##
+ ## Read all users fonts, user font configurations,
+ ## and manage all users font caches.
+ ##
+@@ -598,6 +700,25 @@ interface(`xserver_read_user_xauth',`
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
+ xserver_read_xdm_pid($1)
++')
++
++########################################
++##
++## Manage all users .Xauthority.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_manage_user_xauth',`
++ gen_require(`
++ type xauth_home_t;
++ ')
++
++ allow $1 xauth_home_t:file manage_file_perms;
')
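Review bot: `xserver_manage_user_xauth` grants `manage_file_perms` on xauth_home_t but, unlike `xserver_read_user_xauth` a few lines above (which pairs the file access with `userdom_search_user_home_dirs($1)`), it gives the caller no way to reach the file inside the home directory. Either add `userdom_search_user_home_dirs($1)` after the allow line, or state in the summary that callers must grant home-directory search themselves. The summary could also name the objects precisely, e.g. `## Create, read, write, and delete all users .Xauthority files.`.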
########################################
-@@ -615,7 +700,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +736,7 @@ interface(`xserver_setattr_console_pipes',`
type xconsole_device_t;
')
@@ -22588,7 +22639,7 @@ index 6bf0ecc..ad955d5 100644
')
########################################
-@@ -638,6 +723,25 @@ interface(`xserver_rw_console',`
+@@ -638,6 +759,25 @@ interface(`xserver_rw_console',`
########################################
##
@@ -22614,7 +22665,7 @@ index 6bf0ecc..ad955d5 100644
## Use file descriptors for xdm.
##
##
-@@ -651,7 +755,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +791,7 @@ interface(`xserver_use_xdm_fds',`
type xdm_t;
')
@@ -22623,7 +22674,7 @@ index 6bf0ecc..ad955d5 100644
')
########################################
-@@ -670,7 +774,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +810,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
type xdm_t;
')
@@ -22632,7 +22683,7 @@ index 6bf0ecc..ad955d5 100644
')
########################################
-@@ -688,7 +792,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +828,7 @@ interface(`xserver_rw_xdm_pipes',`
type xdm_t;
')
@@ -22641,7 +22692,7 @@ index 6bf0ecc..ad955d5 100644
')
########################################
-@@ -703,12 +807,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +843,11 @@ interface(`xserver_rw_xdm_pipes',`
##
#
interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -22655,7 +22706,7 @@ index 6bf0ecc..ad955d5 100644
')
########################################
-@@ -765,11 +868,71 @@ interface(`xserver_manage_xdm_spool_files',`
+@@ -765,11 +904,71 @@ interface(`xserver_manage_xdm_spool_files',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -22729,7 +22780,7 @@ index 6bf0ecc..ad955d5 100644
')
########################################
-@@ -793,6 +956,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -793,6 +992,25 @@ interface(`xserver_read_xdm_rw_config',`
########################################
##
@@ -22755,7 +22806,7 @@ index 6bf0ecc..ad955d5 100644
## Set the attributes of XDM temporary directories.
##
##
-@@ -806,7 +988,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -806,7 +1024,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@@ -22782,7 +22833,7 @@ index 6bf0ecc..ad955d5 100644
')
########################################
-@@ -846,7 +1046,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -846,7 +1082,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -22810,7 +22861,7 @@ index 6bf0ecc..ad955d5 100644
')
########################################
-@@ -869,6 +1088,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -869,6 +1124,24 @@ interface(`xserver_read_xdm_lib_files',`
########################################
##
@@ -22835,7 +22886,7 @@ index 6bf0ecc..ad955d5 100644
## Make an X session script an entrypoint for the specified domain.
##
##
-@@ -938,7 +1175,26 @@ interface(`xserver_getattr_log',`
+@@ -938,7 +1211,26 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -22863,7 +22914,7 @@ index 6bf0ecc..ad955d5 100644
')
########################################
-@@ -957,7 +1213,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -957,7 +1249,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -22872,7 +22923,7 @@ index 6bf0ecc..ad955d5 100644
')
########################################
-@@ -1004,6 +1260,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -1004,6 +1296,45 @@ interface(`xserver_read_xkb_libs',`
########################################
##
@@ -22918,7 +22969,7 @@ index 6bf0ecc..ad955d5 100644
## Read xdm temporary files.
##
##
-@@ -1017,7 +1312,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -1017,7 +1348,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -22927,71 +22978,113 @@ index 6bf0ecc..ad955d5 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1079,6 +1374,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1079,53 +1410,91 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
##
+-## Do not audit attempts to get the attributes of
+-## xdm temporary named sockets.
+## Create, read, write, and delete xdm temporary dirs.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+interface(`xserver_relabel_xdm_tmp_dirs',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+- dontaudit $1 xdm_tmp_t:sock_file getattr;
++ allow $1 xdm_tmp_t:dir relabel_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Execute the X server in the X server domain.
++## Create, read, write, and delete xdm temporary dirs.
+ ##
+ ##
+ ##
+-## Domain allowed to transition.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`xserver_domtrans',`
++interface(`xserver_manage_xdm_tmp_dirs',`
+ gen_require(`
+- type xserver_t, xserver_exec_t;
++ type xdm_tmp_t;
+ ')
+
+- allow $1 xserver_t:process siginh;
+- domtrans_pattern($1, xserver_exec_t, xserver_t)
++ manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
+ ')
+
+ ########################################
+ ##
+-## Signal X servers
++## Do not audit attempts to get the attributes of
++## xdm temporary named sockets.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`xserver_signal',`
++interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
-+ allow $1 xdm_tmp_t:dir relabel_dir_perms;
++ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
+')
+
+########################################
+##
-+## Create, read, write, and delete xdm temporary dirs.
++## Execute the X server in the X server domain.
+##
+##
+##
-+## Domain allowed access.
++## Domain allowed to transition.
+##
+##
+#
-+interface(`xserver_manage_xdm_tmp_dirs',`
++interface(`xserver_domtrans',`
+ gen_require(`
-+ type xdm_tmp_t;
++ type xserver_t, xserver_exec_t;
+ ')
+
-+ manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
++ allow $1 xserver_t:process siginh;
++ domtrans_pattern($1, xserver_exec_t, xserver_t)
++
++ allow xserver_t $1:process getpgid;
+')
+
+########################################
+##
- ## Do not audit attempts to get the attributes of
- ## xdm temporary named sockets.
- ##
-@@ -1093,7 +1424,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
- type xdm_tmp_t;
- ')
-
-- dontaudit $1 xdm_tmp_t:sock_file getattr;
-+ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
- ')
-
- ########################################
-@@ -1111,8 +1442,10 @@ interface(`xserver_domtrans',`
- type xserver_t, xserver_exec_t;
++## Signal X servers
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_signal',`
+ gen_require(`
+ type xserver_t;
')
-
-- allow $1 xserver_t:process siginh;
-+ allow $1 xserver_t:process siginh;
- domtrans_pattern($1, xserver_exec_t, xserver_t)
-+
-+ allow xserver_t $1:process getpgid;
- ')
-
- ########################################
-@@ -1226,6 +1559,26 @@ interface(`xserver_stream_connect',`
+@@ -1226,6 +1595,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
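Review bot: The summary for `xserver_relabel_xdm_tmp_dirs` still reads `## Create, read, write, and delete xdm temporary dirs.` although its body only grants `relabel_dir_perms`; it should read `## Relabel xdm temporary dirs.` so the two neighbouring interfaces are not described identically. In `xserver_domtrans` the added `allow xserver_t $1:process getpgid;` is a permission granted to the X server over the calling domain rather than the other way round, which is unusual enough in a domtrans interface to deserve a one-line comment stating why the server needs it. The relocated `xserver_signal` interface has only its require block inside the hunk; its body lies outside.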
@@ -23018,7 +23111,7 @@ index 6bf0ecc..ad955d5 100644
')
########################################
-@@ -1251,7 +1604,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1640,7 @@ interface(`xserver_read_tmp_files',`
##
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -23027,7 +23120,7 @@ index 6bf0ecc..ad955d5 100644
##
##
##
-@@ -1261,13 +1614,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1650,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -23052,7 +23145,7 @@ index 6bf0ecc..ad955d5 100644
')
########################################
-@@ -1284,10 +1647,604 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1683,604 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -23660,7 +23753,7 @@ index 6bf0ecc..ad955d5 100644
+ files_search_tmp($1)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..0881350 100644
+index 2696452..48c4924 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -24225,7 +24318,7 @@ index 2696452..0881350 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +620,41 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +620,42 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -24254,6 +24347,7 @@ index 2696452..0881350 100644
+init_status(xdm_t)
libs_exec_lib_files(xdm_t)
++libs_exec_ldconfig(xdm_t)
logging_read_generic_logs(xdm_t)
@@ -24270,7 +24364,7 @@ index 2696452..0881350 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +663,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +664,43 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -24320,7 +24414,7 @@ index 2696452..0881350 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,11 +713,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +714,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -24347,7 +24441,7 @@ index 2696452..0881350 100644
')
optional_policy(`
-@@ -514,12 +740,72 @@ optional_policy(`
+@@ -514,12 +741,72 @@ optional_policy(`
')
optional_policy(`
@@ -24420,7 +24514,7 @@ index 2696452..0881350 100644
hostname_exec(xdm_t)
')
-@@ -537,28 +823,78 @@ optional_policy(`
+@@ -537,28 +824,78 @@ optional_policy(`
')
optional_policy(`
@@ -24508,7 +24602,7 @@ index 2696452..0881350 100644
')
optional_policy(`
-@@ -570,6 +906,14 @@ optional_policy(`
+@@ -570,6 +907,14 @@ optional_policy(`
')
optional_policy(`
@@ -24523,7 +24617,7 @@ index 2696452..0881350 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,8 +938,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +939,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -24536,7 +24630,7 @@ index 2696452..0881350 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +955,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +956,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -24552,7 +24646,7 @@ index 2696452..0881350 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +971,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +972,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -24563,7 +24657,7 @@ index 2696452..0881350 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +986,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +987,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -24585,7 +24679,7 @@ index 2696452..0881350 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1006,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1007,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -24599,7 +24693,7 @@ index 2696452..0881350 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1032,27 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1033,27 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -24630,7 +24724,7 @@ index 2696452..0881350 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,7 +1063,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1064,16 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -24648,7 +24742,7 @@ index 2696452..0881350 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -708,20 +1086,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1087,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -24672,7 +24766,7 @@ index 2696452..0881350 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1105,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1106,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -24681,7 +24775,7 @@ index 2696452..0881350 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1149,44 @@ optional_policy(`
+@@ -775,16 +1150,44 @@ optional_policy(`
')
optional_policy(`
@@ -24727,7 +24821,7 @@ index 2696452..0881350 100644
unconfined_domtrans(xserver_t)
')
-@@ -793,6 +1195,10 @@ optional_policy(`
+@@ -793,6 +1196,10 @@ optional_policy(`
')
optional_policy(`
@@ -24738,7 +24832,7 @@ index 2696452..0881350 100644
xfs_stream_connect(xserver_t)
')
-@@ -808,10 +1214,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1215,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -24752,7 +24846,7 @@ index 2696452..0881350 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1225,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1226,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -24761,7 +24855,7 @@ index 2696452..0881350 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -832,26 +1238,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1239,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -24796,7 +24890,7 @@ index 2696452..0881350 100644
')
optional_policy(`
-@@ -902,7 +1303,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1304,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -24805,7 +24899,7 @@ index 2696452..0881350 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1357,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1358,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -24837,7 +24931,7 @@ index 2696452..0881350 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -982,18 +1403,40 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1404,40 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -28076,7 +28170,7 @@ index 24e7804..1894886 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..61531ce 100644
+index dd3be8d..84ffb31 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -29138,7 +29232,7 @@ index dd3be8d..61531ce 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1353,191 @@ optional_policy(`
+@@ -896,3 +1353,196 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -29321,6 +29415,11 @@ index dd3be8d..61531ce 100644
+allow initrc_domain systemprocess:process transition;
+
+optional_policy(`
++ systemd_getattr_unit_dirs(daemon)
++ systemd_getattr_unit_dirs(systemprocess)
++')
++
++optional_policy(`
+ rgmanager_search_lib(initrc_domain)
+')
+
@@ -35720,10 +35819,10 @@ index 0000000..4e12420
+/var/run/initramfs(/.*)? <>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..16c7767
+index 0000000..5894afb
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1122 @@
+@@ -0,0 +1,1159 @@
+## SELinux policy for systemd components
+
+######################################
@@ -35893,7 +35992,25 @@ index 0000000..16c7767
+ ')
+
+ files_search_var_lib($1)
-+ allow $1 systemd_unit_file_type:file getattr_file_perms;
++ getattr_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++')
++
++#####################################
++##
++## Allow domain to getattr all systemd unit directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_getattr_unit_dirs',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ allow $1 systemd_unit_file_type:dir getattr;
+')
+
+######################################
@@ -36846,12 +36963,31 @@ index 0000000..16c7767
+ allow systemd_localed_t $1:dbus send_msg;
+ ps_process_pattern(systemd_localed_t, $1)
+')
++
++########################################
++##
++## Dontaudit attempts to send dbus domains chat messages
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`systemd_dontaudit_dbus_chat',`
++ gen_require(`
++ attribute systemd_domain;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 systemd_domain:dbus send_msg;
++')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..4d56107
+index 0000000..b3ea12d
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,641 @@
+@@ -0,0 +1,642 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -37342,7 +37478,8 @@ index 0000000..4d56107
+#
+# Hostnamed policy
+#
-+dontaudit systemd_hostnamed_t self:capability { sys_admin sys_ptrace };
++allow systemd_hostnamed_t self:capability sys_admin;
++dontaudit systemd_hostnamed_t self:capability sys_ptrace;
+
+allow systemd_hostnamed_t self:fifo_file rw_fifo_file_perms;
+allow systemd_hostnamed_t self:unix_stream_socket create_stream_socket_perms;
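Review bot: Promoting sys_admin from dontaudit to `allow systemd_hostnamed_t self:capability sys_admin;` widens what a compromised hostnamed could do, and the rule gives no reason. If the trigger is sethostname(2), which requires CAP_SYS_ADMIN, say so with `# sethostname(2) needs CAP_SYS_ADMIN` above the allow line; if it is something else, name that instead so the capability can be re-examined later.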
@@ -37791,7 +37928,7 @@ index 0f64692..d7e8a01 100644
########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index a5ec88b..32e7d9e 100644
+index a5ec88b..1749342 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -37942,16 +38079,17 @@ index a5ec88b..32e7d9e 100644
seutil_read_config(udev_t)
seutil_read_default_contexts(udev_t)
-@@ -170,6 +188,8 @@ sysnet_signal_dhcpc(udev_t)
+@@ -170,6 +188,9 @@ sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
sysnet_etc_filetrans_config(udev_t)
+systemd_login_read_pid_files(udev_t)
++systemd_getattr_unit_files(udev_t)
+
userdom_dontaudit_search_user_home_content(udev_t)
ifdef(`distro_gentoo',`
-@@ -179,16 +199,9 @@ ifdef(`distro_gentoo',`
+@@ -179,16 +200,9 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -37970,7 +38108,7 @@ index a5ec88b..32e7d9e 100644
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
-@@ -226,19 +239,34 @@ optional_policy(`
+@@ -226,19 +240,34 @@ optional_policy(`
optional_policy(`
cups_domtrans_config(udev_t)
@@ -38005,7 +38143,7 @@ index a5ec88b..32e7d9e 100644
')
optional_policy(`
-@@ -264,6 +292,10 @@ optional_policy(`
+@@ -264,6 +293,10 @@ optional_policy(`
')
optional_policy(`
@@ -38016,7 +38154,7 @@ index a5ec88b..32e7d9e 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -278,6 +310,15 @@ optional_policy(`
+@@ -278,6 +311,15 @@ optional_policy(`
')
optional_policy(`
@@ -38032,7 +38170,7 @@ index a5ec88b..32e7d9e 100644
unconfined_signal(udev_t)
')
-@@ -290,6 +331,7 @@ optional_policy(`
+@@ -290,6 +332,7 @@ optional_policy(`
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
xen_read_image_files(udev_t)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 4aeb84e..8b4d3ad 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1243,10 +1243,16 @@ index 8b5ad06..8ce8f26 100644
optional_policy(`
unconfined_domain(ada_t)
diff --git a/afs.if b/afs.if
-index 3b41be6..0b18812 100644
+index 3b41be6..188db36 100644
--- a/afs.if
+++ b/afs.if
-@@ -100,8 +100,12 @@ interface(`afs_admin',`
+@@ -95,13 +95,17 @@ interface(`afs_initrc_domtrans',`
+ interface(`afs_admin',`
+ gen_require(`
+ attribute afs_domain;
+- type afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t;
++ type afs_t, afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t;
+ type afs_ka_db_t, afs_vl_db_t, afs_config_t;
type afs_logfile_t, afs_cache_t, afs_files_t;
')
@@ -2144,7 +2150,7 @@ index 0000000..e44bff0
+
diff --git a/antivirus.if b/antivirus.if
new file mode 100644
-index 0000000..3929b7e
+index 0000000..df5b3be
--- /dev/null
+++ b/antivirus.if
@@ -0,0 +1,322 @@
@@ -2155,7 +2161,7 @@ index 0000000..3929b7e
+## Creates types and rules for a basic
+## antivirus domain.
+##
-+##
++##
+##
+## Prefix for the domain.
+##
@@ -2722,10 +2728,10 @@ index 0000000..b334e9a
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index 550a69e..78579c0 100644
+index 550a69e..8f98c41 100644
--- a/apache.fc
+++ b/apache.fc
-@@ -1,161 +1,184 @@
+@@ -1,161 +1,189 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -2943,6 +2949,7 @@ index 550a69e..78579c0 100644
-/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/lib/openshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/openshift/\.log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/lib/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -3030,6 +3037,10 @@ index 550a69e..78579c0 100644
+
+/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
++/var/www/moodle/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++
++/var/lib/moodle(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++
+/var/www/openshift/console/tmp(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
+/var/www/openshift/console/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+
@@ -9004,6 +9015,17 @@ index bcd1e87..6294955 100644
optional_policy(`
xen_append_log(brctl_t)
xen_dontaudit_rw_unix_stream_sockets(brctl_t)
+diff --git a/bugzilla.fc b/bugzilla.fc
+index fce0b6e..fb6e397 100644
+--- a/bugzilla.fc
++++ b/bugzilla.fc
+@@ -1,4 +1,4 @@
+-/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+-/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
++/usr/share/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
++/usr/share/bugzilla/.*\.cgi -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+
+ /var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
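Review bot: The relabelling narrows httpd_bugzilla_script_exec_t from every regular file under /usr/share/bugzilla to `.*\.cgi` files only, which is the right direction, but any other program the web server must execute from that tree (helper scripts invoked by the CGIs, if there are any) now becomes httpd_bugzilla_content_t. Worth confirming against the installed package that all CGI entry points end in `.cgi`, and a short comment above the two lines stating that intent would stop a later edit from widening it again. Dropping the `-d` qualifier means the first line now also covers symlinks and other non-regular entries, which looks intended.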
diff --git a/bugzilla.if b/bugzilla.if
index 1b22262..bf0cefa 100644
--- a/bugzilla.if
@@ -9054,7 +9076,7 @@ index 1b22262..bf0cefa 100644
+ ')
')
diff --git a/bugzilla.te b/bugzilla.te
-index 41f8251..e0449c8 100644
+index 41f8251..464107b 100644
--- a/bugzilla.te
+++ b/bugzilla.te
@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.0.4)
@@ -9075,7 +9097,7 @@ index 41f8251..e0449c8 100644
corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
-@@ -27,9 +29,15 @@ corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
+@@ -27,11 +29,19 @@ corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t)
@@ -9091,7 +9113,11 @@ index 41f8251..e0449c8 100644
+sysnet_read_config(httpd_bugzilla_script_t)
sysnet_use_ldap(httpd_bugzilla_script_t)
++miscfiles_read_certs(httpd_bugzilla_script_t)
++
optional_policy(`
+ mta_send_mail(httpd_bugzilla_script_t)
+ ')
diff --git a/cachefilesd.fc b/cachefilesd.fc
index 648c790..aa03fc8 100644
--- a/cachefilesd.fc
@@ -9461,10 +9487,10 @@ index 4ec0626..88e7e89 100644
userdom_dontaudit_use_unpriv_user_fds(canna_t)
diff --git a/ccs.if b/ccs.if
-index 5ded72d..f6b854c 100644
+index 5ded72d..c1b4d35 100644
--- a/ccs.if
+++ b/ccs.if
-@@ -102,9 +102,13 @@ interface(`ccs_admin',`
+@@ -102,16 +102,20 @@ interface(`ccs_admin',`
type ccs_var_run_t, ccs_tmp_t;
')
@@ -9479,6 +9505,14 @@ index 5ded72d..f6b854c 100644
init_labeled_script_domtrans($1, ccs_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ccs_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+- admin_pattern($1, ccs_conf_t)
++ admin_pattern($1, cluster_conf_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, ccs_var_lib_t)
diff --git a/ccs.te b/ccs.te
index b85b53b..476aaa3 100644
--- a/ccs.te
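Review bot: `admin_pattern($1, cluster_conf_t)` now references a type that the visible part of `ccs_admin`'s `gen_require` (which lists only `ccs_var_run_t, ccs_tmp_t` and starts outside this hunk) does not declare, so unless it is required further up the interface will fail at policy build time. If `cluster_conf_t` is owned by the rhcs module, the cleaner fix is to call that module's own interface for its config type rather than naming a foreign type here; otherwise add `type cluster_conf_t;` to the require block.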
@@ -9649,7 +9683,7 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index 2354e21..bec6c06 100644
+index 2354e21..03e12b7 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -9721,7 +9755,7 @@ index 2354e21..bec6c06 100644
')
optional_policy(`
-@@ -92,11 +103,46 @@ optional_policy(`
+@@ -92,11 +103,47 @@ optional_policy(`
')
optional_policy(`
@@ -9743,6 +9777,7 @@ index 2354e21..bec6c06 100644
+
+optional_policy(`
+ pki_rw_tomcat_cert(certmonger_t)
++ pki_read_tomcat_lib_files(certmonger_t)
+')
+
+########################################
@@ -9770,15 +9805,17 @@ index 2354e21..bec6c06 100644
+ ')
+')
diff --git a/certwatch.te b/certwatch.te
-index 403af41..68a5e26 100644
+index 403af41..48acf72 100644
--- a/certwatch.te
+++ b/certwatch.te
-@@ -21,27 +21,29 @@ role certwatch_roles types certwatch_t;
+@@ -21,27 +21,31 @@ role certwatch_roles types certwatch_t;
allow certwatch_t self:capability sys_nice;
allow certwatch_t self:process { setsched getsched };
+kernel_read_system_state(certwatch_t)
+
++corecmd_exec_bin(certwatch_t)
++
+dev_read_rand(certwatch_t)
dev_read_urand(certwatch_t)
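Review bot: `corecmd_exec_bin(certwatch_t)` lets certwatch execute anything labelled `bin_t` inside its own domain, which is much wider than the one helper it presumably shells out to. If that helper is known, a transition into the helper's domain is the narrower choice; if running it in-domain is deliberate, a comment naming it, e.g. `# certwatch execs <helper> in its own domain`, lets the next reviewer judge the scope.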
@@ -11990,10 +12027,10 @@ index 23dc348..7cc536b 100644
/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
diff --git a/condor.if b/condor.if
-index 3fe3cb8..684b700 100644
+index 3fe3cb8..b8e08c6 100644
--- a/condor.if
+++ b/condor.if
-@@ -1,81 +1,392 @@
+@@ -1,81 +1,397 @@
-## High-Throughput Computing System.
+
+## policy for condor
@@ -12056,10 +12093,9 @@ index 3fe3cb8..684b700 100644
+ corecmd_search_bin($1)
+ domtrans_pattern($1, condor_exec_t, condor_t)
+')
-
- #######################################
- ##
--## The template to define a condor domain.
++
++#######################################
++##
+## Allows to start userland processes
+## by transitioning to the specified domain,
+## with a range transition.
@@ -12092,12 +12128,14 @@ index 3fe3cb8..684b700 100644
+ ')
+
+')
-+
-+#######################################
-+##
+
+ #######################################
+ ##
+-## The template to define a condor domain.
+## Allows to start userlandprocesses
+## by transitioning to the specified domain.
-+##
+ ##
+-##
+##
+##
+## The process type entered by condor_startd.
@@ -12120,8 +12158,7 @@ index 3fe3cb8..684b700 100644
+########################################
+##
+## Read condor's log files.
- ##
--##
++##
+##
##
-## Domain prefix to be used.
@@ -12310,10 +12347,15 @@ index 3fe3cb8..684b700 100644
+##
+#
+interface(`condor_read_pid_files',`
-+ gen_require(`
+ gen_require(`
+- attribute condor_domain;
+- type condor_initrc_exec_config_t, condor_log_t;
+- type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
+- type condor_var_run_t, condor_startd_tmp_t;
+ type condor_var_run_t;
-+ ')
-+
+ ')
+
+- allow $1 condor_domain:process { ptrace signal_perms };
+ files_search_pids($1)
+ allow $1 condor_var_run_t:file read_file_perms;
+')
@@ -12354,15 +12396,10 @@ index 3fe3cb8..684b700 100644
+##
+#
+interface(`condor_rw_tcp_sockets_startd',`
- gen_require(`
-- attribute condor_domain;
-- type condor_initrc_exec_config_t, condor_log_t;
-- type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
-- type condor_var_run_t, condor_startd_tmp_t;
++ gen_require(`
+ type condor_startd_t;
- ')
-
-- allow $1 condor_domain:process { ptrace signal_perms };
++ ')
++
+ allow $1 condor_startd_t:tcp_socket rw_socket_perms;
+')
+
@@ -12394,6 +12431,11 @@ index 3fe3cb8..684b700 100644
+## Domain allowed access.
+##
+##
++##
++##
++## Domain allowed access.
++##
++##
+#
+interface(`condor_admin',`
+ gen_require(`
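Review bot: The parameter block added just before `interface(`condor_admin'` repeats the existing `## Domain allowed access.` summary, so the interface now documents two "domain" arguments. By the `_admin` convention used elsewhere in this patch (`role_transition $2 … system_r;` in ccs_admin, `## Role allowed access.` in drbd_admin) the second argument is the role, so the new block should read `## Role allowed access.`; condor_admin's body is outside this hunk, so I cannot confirm which argument positions it actually uses.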
@@ -12426,7 +12468,7 @@ index 3fe3cb8..684b700 100644
files_search_var_lib($1)
admin_pattern($1, condor_var_lib_t)
-@@ -85,4 +396,13 @@ interface(`condor_admin',`
+@@ -85,4 +401,13 @@ interface(`condor_admin',`
files_search_tmp($1)
admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t })
@@ -19966,6 +20008,19 @@ index 0000000..217b0ef
+ snmp_manage_var_lib_files(dirsrv_snmp_t)
+ snmp_stream_connect(dirsrv_snmp_t)
+')
+diff --git a/distcc.if b/distcc.if
+index 24d8c74..1790ec5 100644
+--- a/distcc.if
++++ b/distcc.if
+@@ -19,7 +19,7 @@
+ #
+ interface(`distcc_admin',`
+ gen_require(`
+- type distccd_t, distccd_t, distccd_log_t;
++ type distccd_t, distccd_t, distccd_log_t, distccd_var_run_t;
+ type disccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
+ ')
+
diff --git a/distcc.te b/distcc.te
index b441a4d..83fb340 100644
--- a/distcc.te
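Review bot: The new `distccd_var_run_t` is appended to a line that still declares `distccd_t` twice, and the unchanged next line still requires `disccd_var_run_t`, which looks like the misspelled form of the type just added — so the block now names the same type twice, once under a name that probably does not exist. Rewrite both lines as `type distccd_t, distccd_log_t, distccd_var_run_t;` and `type distccd_tmp_t, distccd_initrc_exec_t;` instead of only adding the correctly spelled one.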
@@ -21202,7 +21257,7 @@ index a7bfaf0..d16e5e8 100644
sendmail_domtrans(dovecot_deliver_t)
')
diff --git a/drbd.if b/drbd.if
-index 9a21639..a09fb52 100644
+index 9a21639..26c5986 100644
--- a/drbd.if
+++ b/drbd.if
@@ -2,12 +2,11 @@
@@ -21220,7 +21275,7 @@ index 9a21639..a09fb52 100644
##
##
#
-@@ -16,26 +15,97 @@ interface(`drbd_domtrans',`
+@@ -16,14 +15,91 @@ interface(`drbd_domtrans',`
type drbd_t, drbd_exec_t;
')
@@ -21272,13 +21327,12 @@ index 9a21639..a09fb52 100644
+##
+## Create, read, write, and delete
+## drbd lib files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
++##
++##
++##
++## Domain allowed access.
++##
++##
+#
+interface(`drbd_manage_lib_files',`
+ gen_require(`
@@ -21294,8 +21348,7 @@ index 9a21639..a09fb52 100644
+## Manage drbd lib dirs files.
+##
+##
- ##
--## Role allowed access.
++##
+## Domain allowed access.
+##
+##
@@ -21314,17 +21367,18 @@ index 9a21639..a09fb52 100644
+##
+## All of the rules required to administrate
+## an drbd environment
-+##
-+##
-+##
-+## Domain allowed access.
+ ##
+ ##
+ ##
+@@ -35,7 +111,6 @@ interface(`drbd_domtrans',`
+ ## Role allowed access.
##
##
-##
#
interface(`drbd_admin',`
gen_require(`
-@@ -43,9 +113,13 @@ interface(`drbd_admin',`
+@@ -43,9 +118,13 @@ interface(`drbd_admin',`
type drbd_var_lib_t;
')
@@ -21339,7 +21393,7 @@ index 9a21639..a09fb52 100644
init_labeled_script_domtrans($1, drbd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 drbd_initrc_exec_t system_r;
-@@ -57,3 +131,4 @@ interface(`drbd_admin',`
+@@ -57,3 +136,4 @@ interface(`drbd_admin',`
files_search_var_lib($1)
admin_pattern($1, drbd_var_lib_t)
')
@@ -23074,7 +23128,7 @@ index ddb75c1..44f74e6 100644
/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
diff --git a/ftp.if b/ftp.if
-index d062080..e098a40 100644
+index d062080..97fb494 100644
--- a/ftp.if
+++ b/ftp.if
@@ -1,5 +1,66 @@
@@ -23152,7 +23206,7 @@ index d062080..e098a40 100644
+ allow $1 ftpd_t:process signal_perms;
ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })
+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process ptrace;
++ allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process ptrace;
+ ')
init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
@@ -23604,7 +23658,7 @@ index 1e29af1..a1c464e 100644
+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
+')
diff --git a/git.te b/git.te
-index 93b0301..9108ddc 100644
+index 93b0301..11a76a5 100644
--- a/git.te
+++ b/git.te
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
@@ -23655,16 +23709,17 @@ index 93b0301..9108ddc 100644
tunable_policy(`use_nfs_home_dirs',`
fs_getattr_nfs(git_session_t)
-@@ -157,6 +149,8 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -157,6 +149,9 @@ tunable_policy(`use_samba_home_dirs',`
list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
++kernel_read_network_state(git_system_t)
+kernel_read_system_state(git_system_t)
+
files_search_var_lib(git_system_t)
auth_use_nsswitch(git_system_t)
-@@ -255,12 +249,9 @@ tunable_policy(`git_cgi_use_nfs',`
+@@ -255,12 +250,9 @@ tunable_policy(`git_cgi_use_nfs',`
allow git_daemon self:fifo_file rw_fifo_file_perms;
@@ -31706,9 +31761,18 @@ index 3494d9b..124a2ab 100644
+ postgresql_stream_connect(keystone_t)
+')
diff --git a/kismet.if b/kismet.if
-index aa2a337..bb09e3c 100644
+index aa2a337..7ff229f 100644
--- a/kismet.if
+++ b/kismet.if
+@@ -283,7 +283,7 @@ interface(`kismet_manage_log',`
+ interface(`kismet_admin',`
+ gen_require(`
+ type kismet_t, kismet_var_lib_t, kismet_var_run_t;
+- type kismet_log_t, kismet_tmp_t;
++ type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, kismet_initrc_exec_t)
@@ -292,7 +292,11 @@ interface(`kismet_admin',`
allow $2 system_r;
@@ -36050,18 +36114,13 @@ index cb4c13d..d744144 100644
logging_send_syslog_msg(modemmanager_t)
diff --git a/mojomojo.if b/mojomojo.if
-index 73952f4..80e26d2 100644
+index 73952f4..b19a6ee 100644
--- a/mojomojo.if
+++ b/mojomojo.if
-@@ -10,12 +10,6 @@
- ## Domain allowed access.
+@@ -15,7 +15,6 @@
+ ## Role allowed access.
##
##
--##
--##
--## Role allowed access.
--##
--##
-##
#
interface(`mojomojo_admin',`
@@ -42253,10 +42312,10 @@ index 0000000..8d7c751
+')
diff --git a/namespace.te b/namespace.te
new file mode 100644
-index 0000000..bac253c
+index 0000000..c674894
--- /dev/null
+++ b/namespace.te
-@@ -0,0 +1,40 @@
+@@ -0,0 +1,39 @@
+policy_module(namespace,1.0.0)
+
+########################################
@@ -42292,8 +42351,7 @@ index 0000000..bac253c
+
+term_use_console(namespace_init_t)
+
-+userdom_manage_user_home_content_dirs(namespace_init_t)
-+userdom_manage_user_home_content_files(namespace_init_t)
++userdom_manage_user_home_content(namespace_init_t)
+userdom_relabelto_user_home_dirs(namespace_init_t)
+userdom_relabelto_user_home_files(namespace_init_t)
+userdom_filetrans_home_content(namespace_init_t)
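Review bot: `userdom_manage_user_home_content(namespace_init_t)` is not a one-for-one replacement for the two `_dirs`/`_files` calls it removes: if I read the refpolicy interface correctly it also covers the remaining home-content object classes (symlinks, pipes, sockets), so namespace_init_t gains management of objects it could not touch before. If that widening is intended, a comment saying so would help; otherwise keep the two narrower calls.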
@@ -45041,7 +45099,7 @@ index 402100e..ce913b2 100644
+/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
+/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
diff --git a/nslcd.if b/nslcd.if
-index 97df768..0398e70 100644
+index 97df768..852d1c6 100644
--- a/nslcd.if
+++ b/nslcd.if
@@ -1,4 +1,4 @@
@@ -45067,23 +45125,60 @@ index 97df768..0398e70 100644
##
##
##
-@@ -58,8 +57,7 @@ interface(`nslcd_read_pid_files',`
+@@ -58,8 +57,25 @@ interface(`nslcd_read_pid_files',`
########################################
##
-## Connect to nslcd over an unix
-## domain stream socket.
++## Dontaudit write to nslcd over an unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nslcd_dontaudit_write_ock_file',`
++ gen_require(`
++ type nslcd_var_run_t;
++ ')
++
++ dontaudit $1 nslcd_var_run_t:sock_file write;
++')
++
++########################################
++##
+## Connect to nslcd over an unix stream socket.
##
##
##
-@@ -72,14 +70,14 @@ interface(`nslcd_stream_connect',`
+@@ -72,14 +88,33 @@ interface(`nslcd_stream_connect',`
type nslcd_t, nslcd_var_run_t;
')
- files_search_pids($1)
stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t)
+ files_search_pids($1)
++')
++
++#######################################
++##
++## Do not audit attempts to write nslcd sock files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`nslcd_dontaudit_write_sock_file',`
++ gen_require(`
++ type nslcd_t, nslcd_var_run_t;
++ ')
++
++ dontaudit $1 nslcd_t:sock_file write;
++ dontaudit $1 nslcd_var_run_t:sock_file write;
')
########################################
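Review bot: The hunk adds two interfaces for the same purpose, `nslcd_dontaudit_write_ock_file` (misspelled, dontaudits `nslcd_var_run_t:sock_file write`) and `nslcd_dontaudit_write_sock_file` (dontaudits the same plus `nslcd_t:sock_file write`); only the second is used by the thumb.te hunk later in this patch, so the `_ock_file` one should be dropped rather than left as a dead duplicate. In the surviving interface, `dontaudit $1 nslcd_t:sock_file write;` applies to a socket file labelled with the process type, which is unusual — unless nslcd's socket is really created with that label the line does nothing and `type nslcd_t` need not be required.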
@@ -45095,7 +45190,7 @@ index 97df768..0398e70 100644
##
##
##
-@@ -99,17 +97,21 @@ interface(`nslcd_admin',`
+@@ -99,17 +134,21 @@ interface(`nslcd_admin',`
type nslcd_conf_t;
')
@@ -46503,10 +46598,10 @@ index 379af96..41ff159 100644
+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
diff --git a/nut.if b/nut.if
-index 57c0161..d5ad79d 100644
+index 57c0161..54bd4d7 100644
--- a/nut.if
+++ b/nut.if
-@@ -1,39 +1,25 @@
+@@ -1,39 +1,24 @@
-## Network UPS Tools
+## nut - Network UPS Tools
@@ -46554,7 +46649,6 @@ index 57c0161..d5ad79d 100644
- files_search_etc($1)
- admin_pattern($1, nut_conf_t)
+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_password_run($1)
+ allow $1 nut_unit_file_t:file read_file_perms;
+ allow $1 nut_unit_file_t:service manage_service_perms;
@@ -46899,10 +46993,10 @@ index 03fa560..000c5fe 100644
-/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0)
+/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0)
diff --git a/obex.if b/obex.if
-index 8635ea2..6012235 100644
+index 8635ea2..eec20b4 100644
--- a/obex.if
+++ b/obex.if
-@@ -1,88 +1,89 @@
+@@ -1,15 +1,50 @@
## D-Bus service providing high-level OBEX client and server side functionality.
-#######################################
@@ -46910,146 +47004,139 @@ index 8635ea2..6012235 100644
##
-## The role template for obex.
+## Transition to obex.
-+##
-+##
-+##
-+## Domain allowed to transition.
##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
--##
--##
--##
--## The role associated with the user domain.
--##
--##
--##
--##
--## The type of the user domain.
--##
- ##
- #
--template(`obex_role_template',`
-- gen_require(`
-- attribute_role obex_roles;
-- type obex_t, obex_exec_exec_t;
-- ')
--
-- ########################################
-- #
-- # Declarations
-- #
--
-- roleattribute $2 obex_roles;
--
-- ########################################
-- #
-- # Policy
-- #
--
-- allow $3 obex_t:process { ptrace signal_perms };
-- ps_process_pattern($3, obex_t)
--
-- dbus_spec_session_domain($1, obex_exec_t, obex_t)
++##
++##
++## Domain allowed to transition.
++##
++##
++#
+interface(`obex_domtrans',`
+ gen_require(`
+ type obex_t, obex_exec_t;
+ ')
-
-- obex_dbus_chat($3)
++
+ corecmd_search_bin($1)
+ domtrans_pattern($1, obex_exec_t, obex_t)
- ')
-
- ########################################
- ##
--## Execute obex in the obex domain.
++')
++
++########################################
++##
+## Send and receive messages from
+## obex over dbus.
- ##
- ##
--##
--## Domain allowed to transition.
--##
++##
++##
+##
+## Domain allowed access.
+##
##
- #
--interface(`obex_domtrans',`
-- gen_require(`
-- type obex_t, obex_exec_t;
-- ')
++#
+interface(`obex_dbus_chat',`
+ gen_require(`
+ type obex_t;
+ class dbus send_msg;
+ ')
-
-- corecmd_search_bin($1)
-- domtrans_pattern($1, obex_exec_t, obex_t)
++
+ allow $1 obex_t:dbus send_msg;
+ allow obex_t $1:dbus send_msg;
- ')
-
--########################################
++')
++
+#######################################
- ##
--## Send and receive messages from
--## obex over dbus.
++##
+## Role access for obex domains
+## that executes via dbus-session
- ##
--##
-+##
++##
+ ##
##
--## Domain allowed access.
-+## The role associated with the user domain.
-+##
-+##
-+##
-+##
-+## The type of the user domain.
-+##
-+##
+ ## The role associated with the user domain.
+@@ -20,69 +55,34 @@
+ ## The type of the user domain.
+ ##
+ ##
+##
+##
+## User domain prefix to be used.
- ##
- ##
++##
++##
#
--interface(`obex_dbus_chat',`
+-template(`obex_role_template',`
+template(`obex_role',`
gen_require(`
-- type obex_t;
-- class dbus send_msg;
-+ attribute_role obex_roles;
+ attribute_role obex_roles;
+- type obex_t, obex_exec_exec_t;
+ type obex_t, obex_exec_t;
')
-- allow $1 obex_t:dbus send_msg;
-- allow obex_t $1:dbus send_msg;
-+ ########################################
-+ #
-+ # Declarations
-+ #
-+
-+ roleattribute $1 obex_roles;
-+ #role $1 types obex_t;
-+
-+ ########################################
-+ #
-+ # Policy
-+ #
-+
+ ########################################
+- #
++ #
+ # Declarations
+ #
+
+- roleattribute $2 obex_roles;
++ roleattribute $1 obex_roles;
+
+ ########################################
+- #
++ #
+ # Policy
+- #
+-
+- allow $3 obex_t:process { ptrace signal_perms };
+- ps_process_pattern($3, obex_t)
++ #
+
+- dbus_spec_session_domain($1, obex_exec_t, obex_t)
+-
+- obex_dbus_chat($3)
+-')
+ allow $2 obex_t:process signal_perms;
+ ps_process_pattern($2, obex_t)
-+
+
+-########################################
+-##
+-## Execute obex in the obex domain.
+-##
+-##
+-##
+-## Domain allowed to transition.
+-##
+-##
+-#
+-interface(`obex_domtrans',`
+- gen_require(`
+- type obex_t, obex_exec_t;
+- ')
+-
+- corecmd_search_bin($1)
+- domtrans_pattern($1, obex_exec_t, obex_t)
+-')
+-
+-########################################
+-##
+-## Send and receive messages from
+-## obex over dbus.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`obex_dbus_chat',`
+- gen_require(`
+- type obex_t;
+- class dbus send_msg;
+- ')
+ dbus_session_domain($3, obex_exec_t, obex_t)
-+
+
+- allow $1 obex_t:dbus send_msg;
+- allow obex_t $1:dbus send_msg;
+ obex_dbus_chat($2)
')
diff --git a/obex.te b/obex.te
@@ -47770,10 +47857,10 @@ index 0000000..f2d6119
+/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
diff --git a/openshift.if b/openshift.if
new file mode 100644
-index 0000000..407386d
+index 0000000..bf9505f
--- /dev/null
+++ b/openshift.if
-@@ -0,0 +1,646 @@
+@@ -0,0 +1,651 @@
+
+## policy for openshift
+
@@ -47805,6 +47892,11 @@ index 0000000..407386d
+## The type of the process performing this action.
+##
+##
++##
++##
++## Role access to this domain.
++##
++##
+#
+interface(`openshift_initrc_run',`
+ gen_require(`
@@ -49099,7 +49191,7 @@ index 45d7cc5..baf8d21 100644
-/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0)
+/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_rw_t,s0)
diff --git a/openvswitch.if b/openvswitch.if
-index 9b15730..14f29e4 100644
+index 9b15730..6563dba 100644
--- a/openvswitch.if
+++ b/openvswitch.if
@@ -1,13 +1,14 @@
@@ -49268,7 +49360,7 @@ index 9b15730..14f29e4 100644
##
##
##
-@@ -40,44 +176,67 @@ interface(`openvswitch_read_pid_files',`
+@@ -40,44 +176,66 @@ interface(`openvswitch_read_pid_files',`
########################################
##
@@ -49291,7 +49383,6 @@ index 9b15730..14f29e4 100644
+ ')
+
+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_password_run($1)
+ allow $1 openvswitch_unit_file_t:file read_file_perms;
+ allow $1 openvswitch_unit_file_t:service manage_service_perms;
+
@@ -50325,7 +50416,7 @@ index d2fc677..22b745a 100644
+ logging_send_syslog_msg(pegasus_openlmi_$1_t)
')
diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..850de84 100644
+index 7bcf327..78d251c 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,17 +1,16 @@
@@ -50459,11 +50550,13 @@ index 7bcf327..850de84 100644
domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t)
-@@ -128,18 +135,23 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +135,25 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
-miscfiles_read_localization(pegasus_t)
++mount_exec(pegasus_t)
++
+sysnet_read_config(pegasus_t)
+sysnet_domtrans_ifconfig(pegasus_t)
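Review bot: `mount_exec(pegasus_t)` runs the mount binary inside pegasus_t instead of transitioning to the mount domain, which means pegasus_t itself must carry (or later be granted) mount's privileges; `mount_domtrans(pegasus_t)` would keep those in the confined mount domain, matching the `sysnet_domtrans_ifconfig` transition on the next line. If staying in-domain is deliberate (pegasus needs mount's output, or mount_t lacks something), a comment above the line such as `# mount is run in-domain because …` should record the reason.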
@@ -50489,7 +50582,7 @@ index 7bcf327..850de84 100644
')
optional_policy(`
-@@ -151,16 +163,15 @@ optional_policy(`
+@@ -151,16 +165,15 @@ optional_policy(`
')
optional_policy(`
@@ -50509,7 +50602,7 @@ index 7bcf327..850de84 100644
')
optional_policy(`
-@@ -168,7 +179,7 @@ optional_policy(`
+@@ -168,7 +181,7 @@ optional_policy(`
')
optional_policy(`
@@ -51517,10 +51610,10 @@ index 0000000..0c167b7
+/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
diff --git a/pki.if b/pki.if
new file mode 100644
-index 0000000..83c13cf
+index 0000000..8119448
--- /dev/null
+++ b/pki.if
-@@ -0,0 +1,248 @@
+@@ -0,0 +1,265 @@
+
+## policy for pki
+########################################
@@ -51769,6 +51862,23 @@ index 0000000..83c13cf
+ manage_files_pattern($1, pki_apache_config, pki_apache_config)
+')
+
++#################################
++##
++## Allow domain to read pki tomcat lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_read_tomcat_lib_files',`
++ gen_require(`
++ type pki_tomcat_var_lib_t;
++ ')
++
++ read_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
++')
diff --git a/pki.te b/pki.te
new file mode 100644
index 0000000..352c7e4
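Review bot: `pki_read_tomcat_lib_files` grants `read_files_pattern` on `pki_tomcat_var_lib_t` but gives the caller no search access to `/var/lib` to reach it; the other var-lib accessors in this patch pair the pattern with `files_search_var_lib($1)` (condor_admin above does), so add that call before the pattern. The banner `#################################` is also shorter than the 40-column one used for the other interfaces in this file.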
@@ -53874,7 +53984,7 @@ index c0e8785..c0e0959 100644
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
diff --git a/postfix.if b/postfix.if
-index 2e23946..41da729 100644
+index 2e23946..589bbf2 100644
--- a/postfix.if
+++ b/postfix.if
@@ -1,4 +1,4 @@
@@ -54214,10 +54324,8 @@ index 2e23946..41da729 100644
')
+
- ########################################
- ##
--## Execute the master postfix program
--## in the caller domain.
++########################################
++##
+## Execute the master postfix in the postfix master domain.
+##
+##
@@ -54234,8 +54342,10 @@ index 2e23946..41da729 100644
+ init_labeled_script_domtrans($1, postfix_initrc_exec_t)
+')
+
-+########################################
-+##
+ ########################################
+ ##
+-## Execute the master postfix program
+-## in the caller domain.
+## Execute the master postfix program in the
+## caller domain.
##
@@ -54313,7 +54423,7 @@ index 2e23946..41da729 100644
##
##
##
-@@ -478,30 +479,67 @@ interface(`postfix_domtrans_postqueue',`
+@@ -478,30 +479,84 @@ interface(`postfix_domtrans_postqueue',`
type postfix_postqueue_t, postfix_postqueue_exec_t;
')
@@ -54333,18 +54443,15 @@ index 2e23946..41da729 100644
##
-## Domain allowed access.
+## Domain allowed to transition.
- ##
- ##
++##
++##
+##
+##
+## The role to be allowed the iptables domain.
+##
+##
+##
- #
--interface(`posftix_exec_postqueue',`
-- refpolicywarn(`$0($*) has been deprecated.')
-- postfix_exec_postqueue($1)
++#
+
+interface(`postfix_run_postqueue',`
+ gen_require(`
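Review bot: The summary for `postfix_run_postqueue`'s second parameter reads `## The role to be allowed the iptables domain.`, which is a copy from another module and does not describe this interface; it should read `## Role allowed access.`, as the other run-style interfaces in this file do.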
@@ -54354,25 +54461,45 @@ index 2e23946..41da729 100644
+ postfix_domtrans_postqueue($1)
+ role $2 types postfix_postqueue_t;
+ allow postfix_postqueue_t $1:unix_stream_socket { read write getattr };
- ')
-
++')
++
+########################################
+##
-+## Execute postfix_postgqueue in the postfix_postgqueue domain, and
-+## allow the specified role the postfix_postgqueue domain.
++## Execute postfix_postgqueue in the postfix_postgqueue domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
++#
++interface(`postfix_domtrans_postgqueue',`
++ gen_require(`
++ type postfix_postgqueue_t;
++ ')
++ domtrans_pattern($1, postfix_postgqueue_exec_t,postfix_postgqueue_t)
++')
++
++########################################
++##
++## Execute postfix_postgqueue in the postfix_postgqueue domain, and
++## allow the specified role the postfix_postgqueue domain.
++##
++##
++##
++## Domain allowed to transition.
+ ##
+ ##
+##
+##
+## Role allowed access.
+##
+##
+##
-+#
+ #
+-interface(`posftix_exec_postqueue',`
+- refpolicywarn(`$0($*) has been deprecated.')
+- postfix_exec_postqueue($1)
+interface(`postfix_run_postgqueue',`
+ gen_require(`
+ type postfix_postgqueue_t;
@@ -54380,8 +54507,8 @@ index 2e23946..41da729 100644
+
+ postfix_domtrans_postgqueue($1)
+ role $2 types postfix_postgqueue_t;
-+')
-+
+ ')
+
+
#######################################
##
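Review bot: The new `postfix_domtrans_postgqueue` requires only `postfix_postgqueue_t` but passes `postfix_postgqueue_exec_t` to `domtrans_pattern`, so the interface fails to build (or silently depends on the caller's requires) unless the exec type is required too; `obex_domtrans` earlier in this patch shows the usual shape — `type postfix_postgqueue_t, postfix_postgqueue_exec_t;` in the require block and `corecmd_search_bin($1)` before `domtrans_pattern($1, postfix_postgqueue_exec_t, postfix_postgqueue_t)` (with the conventional space after the comma).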
@@ -54391,7 +54518,7 @@ index 2e23946..41da729 100644
##
##
##
-@@ -514,13 +552,12 @@ interface(`postfix_exec_postqueue',`
+@@ -514,13 +569,12 @@ interface(`postfix_exec_postqueue',`
type postfix_postqueue_exec_t;
')
@@ -54406,7 +54533,7 @@ index 2e23946..41da729 100644
##
##
##
-@@ -533,13 +570,13 @@ interface(`postfix_create_private_sockets',`
+@@ -533,13 +587,13 @@ interface(`postfix_create_private_sockets',`
type postfix_private_t;
')
@@ -54422,7 +54549,7 @@ index 2e23946..41da729 100644
##
##
##
-@@ -552,13 +589,14 @@ interface(`postfix_manage_private_sockets',`
+@@ -552,13 +606,14 @@ interface(`postfix_manage_private_sockets',`
type postfix_private_t;
')
@@ -54439,7 +54566,7 @@ index 2e23946..41da729 100644
##
##
##
-@@ -571,14 +609,12 @@ interface(`postfix_domtrans_smtp',`
+@@ -571,14 +626,12 @@ interface(`postfix_domtrans_smtp',`
type postfix_smtp_t, postfix_smtp_exec_t;
')
@@ -54455,7 +54582,7 @@ index 2e23946..41da729 100644
##
##
##
-@@ -586,7 +622,7 @@ interface(`postfix_domtrans_smtp',`
+@@ -586,7 +639,7 @@ interface(`postfix_domtrans_smtp',`
##
##
#
@@ -54464,7 +54591,7 @@ index 2e23946..41da729 100644
gen_require(`
attribute postfix_spool_type;
')
-@@ -607,11 +643,11 @@ interface(`postfix_getattr_all_spool_files',`
+@@ -607,11 +660,11 @@ interface(`postfix_getattr_all_spool_files',`
#
interface(`postfix_search_spool',`
gen_require(`
@@ -54478,7 +54605,7 @@ index 2e23946..41da729 100644
')
########################################
-@@ -626,11 +662,11 @@ interface(`postfix_search_spool',`
+@@ -626,11 +679,11 @@ interface(`postfix_search_spool',`
#
interface(`postfix_list_spool',`
gen_require(`
@@ -54492,7 +54619,7 @@ index 2e23946..41da729 100644
')
########################################
-@@ -645,17 +681,16 @@ interface(`postfix_list_spool',`
+@@ -645,17 +698,16 @@ interface(`postfix_list_spool',`
#
interface(`postfix_read_spool_files',`
gen_require(`
@@ -54513,7 +54640,7 @@ index 2e23946..41da729 100644
##
##
##
-@@ -665,11 +700,31 @@ interface(`postfix_read_spool_files',`
+@@ -665,11 +717,31 @@ interface(`postfix_read_spool_files',`
#
interface(`postfix_manage_spool_files',`
gen_require(`
@@ -54547,7 +54674,7 @@ index 2e23946..41da729 100644
')
########################################
-@@ -693,8 +748,8 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -693,8 +765,8 @@ interface(`postfix_domtrans_user_mail_handler',`
########################################
##
@@ -54558,7 +54685,7 @@ index 2e23946..41da729 100644
##
##
##
-@@ -710,37 +765,137 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -710,37 +782,137 @@ interface(`postfix_domtrans_user_mail_handler',`
#
interface(`postfix_admin',`
gen_require(`
@@ -64285,7 +64412,7 @@ index 47de2d6..1f5dbf8 100644
+/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
diff --git a/rhcs.if b/rhcs.if
-index 56bc01f..cbca7aa 100644
+index 56bc01f..895e16e 100644
--- a/rhcs.if
+++ b/rhcs.if
@@ -1,19 +1,19 @@
@@ -64888,7 +65015,7 @@ index 56bc01f..cbca7aa 100644
+#
+interface(`rhcs_manage_cluster_tmpfs_files',`
+ gen_require(`
-+ type rgmanager_tmpfs_t;
++ type cluster_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
@@ -64991,7 +65118,7 @@ index 56bc01f..cbca7aa 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..aa4480c 100644
+index 2c2de9a..c839537 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@@ -65388,7 +65515,7 @@ index 2c2de9a..aa4480c 100644
#######################################
#
# foghorn local policy
-@@ -223,7 +493,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
+@@ -223,14 +493,15 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
dev_read_urand(foghorn_t)
@@ -65398,6 +65525,14 @@ index 2c2de9a..aa4480c 100644
optional_policy(`
dbus_connect_system_bus(foghorn_t)
+ ')
+
+ optional_policy(`
+- snmp_read_snmp_var_lib_files(foghorn_t)
++ snmp_manage_var_lib_dirs(foghorn_t)
+ snmp_stream_connect(foghorn_t)
+ ')
+
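Review bot: `snmp_manage_var_lib_dirs(foghorn_t)` replaces `snmp_read_snmp_var_lib_files(foghorn_t)` rather than adding to it, so foghorn loses whatever file-read access the old call provided while gaining create/delete on the directories — a regression and a widening in one change. If the intent was only to correct a misnamed interface, keep the read call under its correct name next to the directory rule; if foghorn really writes under the snmp var-lib tree, a file-level rule scoped to what it writes would be narrower.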
@@ -257,6 +528,8 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
@@ -65926,7 +66061,7 @@ index 0000000..0e965c3
+ rpm_domtrans(rhnsd_t)
+')
diff --git a/rhsmcertd.if b/rhsmcertd.if
-index 6dbc905..92aac94 100644
+index 6dbc905..d803796 100644
--- a/rhsmcertd.if
+++ b/rhsmcertd.if
@@ -1,8 +1,8 @@
@@ -66103,7 +66238,7 @@ index 6dbc905..92aac94 100644
gen_require(`
type rhsmcertd_t, rhsmcertd_initrc_exec_t, rhsmcertd_log_t;
- type rhsmcertd_var_lib_t, rhsmcertd_var_run_t, rhsmcertd_lock_t;
-+ type rhsmcertd_var_lib_t, rhsmcertd_var_run_t;
++ type rhsmcertd_var_lib_t, rhsmcertd_lock_t, rhsmcertd_var_run_t;
')
- allow $1 rhsmcertd_t:process { ptrace signal_perms };
@@ -66703,7 +66838,7 @@ index 5dd779e..276eb3a 100644
+
/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
diff --git a/rngd.if b/rngd.if
-index 0e759a2..8b505d5 100644
+index 0e759a2..9c83bc9 100644
--- a/rngd.if
+++ b/rngd.if
@@ -2,6 +2,28 @@
@@ -66759,7 +66894,7 @@ index 0e759a2..8b505d5 100644
role_transition $2 rngd_initrc_exec_t system_r;
allow $2 system_r;
+
-+ rng_systemctl($1)
++ rng_systemctl_rngd($1)
+ admin_pattern($1, rngd_unit_file_t)
+ allow $1 rngd_unit_file_t:service all_service_perms;
')
@@ -67874,10 +68009,10 @@ index c49828c..a323332 100644
sysnet_dns_name_resolve(rpcbind_t)
diff --git a/rpm.fc b/rpm.fc
-index ebe91fc..8dd55c5 100644
+index ebe91fc..1609333 100644
--- a/rpm.fc
+++ b/rpm.fc
-@@ -1,61 +1,70 @@
+@@ -1,61 +1,71 @@
-/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
@@ -67885,6 +68020,7 @@ index ebe91fc..8dd55c5 100644
-/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/anaconda-yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
-/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -76588,6 +76724,19 @@ index ccd28bb..b9e856e 100644
sysnet_dns_name_resolve(snort_t)
userdom_dontaudit_use_unpriv_user_fds(snort_t)
+diff --git a/sosreport.if b/sosreport.if
+index 634c6b4..e1edfd9 100644
+--- a/sosreport.if
++++ b/sosreport.if
+@@ -42,7 +42,7 @@ interface(`sosreport_run',`
+ ')
+
+ sosreport_domtrans($1)
+- roleattribute $2 sospreport_roles;
++ roleattribute $2 sosreport_roles;
+ ')
+
+ ########################################
diff --git a/sosreport.te b/sosreport.te
index 703efa3..de313d7 100644
--- a/sosreport.te
@@ -79226,10 +79375,10 @@ index 0000000..e5433ad
+')
diff --git a/swift.if b/swift.if
new file mode 100644
-index 0000000..ce6e8ae
+index 0000000..015c2c9
--- /dev/null
+++ b/swift.if
-@@ -0,0 +1,124 @@
+@@ -0,0 +1,123 @@
+
+## policy for swift
+
@@ -79308,7 +79457,6 @@ index 0000000..ce6e8ae
+ ')
+
+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_password_run($1)
+ allow $1 swift_unit_file_t:file read_file_perms;
+ allow $1 swift_unit_file_t:service manage_service_perms;
+
@@ -81650,10 +81798,10 @@ index 0000000..bfcd2c7
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..49cd645
+index 0000000..797d761
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,138 @@
+@@ -0,0 +1,142 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -81788,6 +81936,10 @@ index 0000000..49cd645
+ nscd_dontaudit_write_sock_file(thumb_t)
+')
+
++optional_policy(`
++ nslcd_dontaudit_write_sock_file(thumb_t)
++')
++
+tunable_policy(`nis_enabled',`
+ corenet_dontaudit_udp_bind_all_ports(thumb_t)
+ corenet_dontaudit_udp_bind_generic_node(thumb_t)
@@ -83031,6 +83183,19 @@ index 2d871b8..acbf304 100644
optional_policy(`
dbus_system_bus_client(updfstab_t)
+diff --git a/uptime.if b/uptime.if
+index 01a3234..19f4724 100644
+--- a/uptime.if
++++ b/uptime.if
+@@ -19,7 +19,7 @@
+ #
+ interface(`uptime_admin',`
+ gen_require(`
+- type uptimed_t, uptimed_initrc_exec_t. uptimed_etc_t;
++ type uptimed_t, uptimed_initrc_exec_t, uptimed_etc_t;
+ type uptimed_spool_t, uptimed_var_run_t;
+ ')
+
diff --git a/uptime.te b/uptime.te
index 09741f6..8e5b35c 100644
--- a/uptime.te
@@ -83552,7 +83717,7 @@ index cf118fd..cd80e83 100644
+ can_exec($1, consolehelper_exec_t)
+')
diff --git a/userhelper.te b/userhelper.te
-index 274ed9c..57a9c3d 100644
+index 274ed9c..cc18d6f 100644
--- a/userhelper.te
+++ b/userhelper.te
@@ -1,15 +1,12 @@
@@ -83573,7 +83738,7 @@ index 274ed9c..57a9c3d 100644
type userhelper_conf_t;
files_config_file(userhelper_conf_t)
-@@ -22,141 +19,72 @@ application_executable_file(consolehelper_exec_t)
+@@ -22,141 +19,77 @@ application_executable_file(consolehelper_exec_t)
########################################
#
@@ -83663,6 +83828,9 @@ index 274ed9c..57a9c3d 100644
- fs_search_cifs(consolehelper_type)
+optional_policy(`
+ dbus_session_bus_client(consolehelper_domain)
++ optional_policy(`
++ devicekit_dbus_chat_disk(consolehelper_domain)
++ ')
')
optional_policy(`
@@ -83677,6 +83845,8 @@ index 274ed9c..57a9c3d 100644
- xserver_stream_connect(consolehelper_type)
+ xserver_read_home_fonts(consolehelper_domain)
+ xserver_stream_connect(consolehelper_domain)
++ xserver_admin_home_dir_filetrans_xauth(consolehelper_domain)
++ xserver_manage_user_xauth(consolehelper_domain)
')
-########################################
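Review bot: `xserver_admin_home_dir_filetrans_xauth(consolehelper_domain)` and `xserver_manage_user_xauth(consolehelper_domain)` grant every domain carrying the `consolehelper_domain` attribute write access to user Xauthority files, not just the one program that needs to copy a cookie into /root; X cookies are the credential for a user's display, so the grant is broader than the changelog line "Allow consolehelper domain to write Xauth files in /root" suggests. If the attribute-wide scope is intended, document it on the new lines, e.g. `# apps run through consolehelper as root copy the invoking user's X cookie into /root so they can reach the display; this applies to the whole consolehelper_domain attribute`; otherwise consider a per-domain grant. The enclosing `optional_policy(` block for xserver starts before this hunk.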
@@ -84085,7 +84255,7 @@ index 14e1eec..b33d259 100644
tunable_policy(`vbetool_mmap_zero_ignore',`
dontaudit vbetool_t self:memprotect mmap_zero;
diff --git a/vdagent.if b/vdagent.if
-index 31c752e..e9c041d 100644
+index 31c752e..ef52235 100644
--- a/vdagent.if
+++ b/vdagent.if
@@ -24,15 +24,15 @@ interface(`vdagent_domtrans',`
@@ -84163,20 +84333,15 @@ index 31c752e..e9c041d 100644
')
########################################
-@@ -105,12 +105,6 @@ interface(`vdagent_stream_connect',`
- ## Domain allowed access.
+@@ -110,7 +110,6 @@ interface(`vdagent_stream_connect',`
+ ## Role allowed access.
##
##
--##
--##
--## Role allowed access.
--##
--##
-##
#
interface(`vdagent_admin',`
gen_require(`
-@@ -120,6 +114,9 @@ interface(`vdagent_admin',`
+@@ -120,6 +119,9 @@ interface(`vdagent_admin',`
allow $1 vdagent_t:process signal_perms;
ps_process_pattern($1, vdagent_t)
@@ -87840,23 +88005,18 @@ index 3a56513..5721057 100644
sysnet_dns_name_resolve(vmware_t)
diff --git a/vnstatd.if b/vnstatd.if
-index 137ac44..a0089e6 100644
+index 137ac44..b644854 100644
--- a/vnstatd.if
+++ b/vnstatd.if
-@@ -152,12 +152,6 @@ interface(`vnstatd_manage_lib_files',`
- ## Domain allowed access.
+@@ -157,7 +157,6 @@ interface(`vnstatd_manage_lib_files',`
+ ## Role allowed access.
##
##
--##
--##
--## Role allowed access.
--##
--##
-##
#
interface(`vnstatd_admin',`
gen_require(`
-@@ -165,9 +159,13 @@ interface(`vnstatd_admin',`
+@@ -165,9 +164,13 @@ interface(`vnstatd_admin',`
type vnstatd_var_run_t;
')
@@ -89890,7 +90050,7 @@ index 0cea2cd..7668014 100644
userdom_dontaudit_use_unpriv_user_fds(xfs_t)
diff --git a/xguest.te b/xguest.te
-index 2882821..6618596 100644
+index 2882821..8cf4841 100644
--- a/xguest.te
+++ b/xguest.te
@@ -1,4 +1,4 @@
@@ -89899,7 +90059,7 @@ index 2882821..6618596 100644
########################################
#
-@@ -6,46 +6,46 @@ policy_module(xguest, 1.1.2)
+@@ -6,46 +6,47 @@ policy_module(xguest, 1.1.2)
#
##
@@ -89945,6 +90105,7 @@ index 2882821..6618596 100644
+
+init_dbus_chat(xguest_t)
+init_status(xguest_t)
++systemd_dontaudit_dbus_chat(xguest_t)
########################################
#
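Review bot: `systemd_dontaudit_dbus_chat(xguest_t)` is added at top level next to the `init_dbus_chat`/`init_status` calls, which are base-module interfaces, whereas systemd interfaces elsewhere in this policy are typically wrapped; if the systemd module is optional in the target policy set the unwrapped call will break the build when it is absent. Unless systemd is guaranteed to be in the base for this release, wrap it: `optional_policy(\``, `systemd_dontaudit_dbus_chat(xguest_t)`, `')`. The changelog also lists the xguest/systemd dontaudit entry twice, which may indicate a duplicated commit message rather than a duplicated change; worth checking.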
@@ -89964,7 +90125,7 @@ index 2882821..6618596 100644
storage_raw_read_removable_device(xguest_t)
storage_raw_write_removable_device(xguest_t)
',`
-@@ -54,9 +54,22 @@ ifndef(`enable_mls',`
+@@ -54,9 +55,22 @@ ifndef(`enable_mls',`
')
optional_policy(`
@@ -89988,7 +90149,7 @@ index 2882821..6618596 100644
files_dontaudit_getattr_boot_dirs(xguest_t)
files_search_mnt(xguest_t)
-@@ -65,10 +78,9 @@ optional_policy(`
+@@ -65,10 +79,9 @@ optional_policy(`
fs_manage_noxattr_fs_dirs(xguest_t)
fs_getattr_noxattr_fs(xguest_t)
fs_read_noxattr_fs_symlinks(xguest_t)
@@ -90000,7 +90161,7 @@ index 2882821..6618596 100644
')
')
-@@ -84,12 +96,17 @@ optional_policy(`
+@@ -84,12 +97,17 @@ optional_policy(`
')
')
@@ -90020,7 +90181,7 @@ index 2882821..6618596 100644
')
optional_policy(`
-@@ -97,75 +114,82 @@ optional_policy(`
+@@ -97,75 +115,82 @@ optional_policy(`
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 679cc34..202c048 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 28%{?dist}
+Release: 29%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -526,6 +526,41 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Apr 11 2013 Miroslav Grepl 3.12.1-29
+- Add mising nslcd_dontaudit_write_sock_file() interface
+- one more fix
+- Fix pki_read_tomcat_lib_files() interface
+- Allow certmonger to read pki-tomcat lib files
+- Allow certwatch to execute bin_t
+- Allow snmp to manage /var/lib/net-snmp files
+- Don't audit attempts to write to stream socket of nscld by thumbnailers
+- Allow git_system_t to read network state
+- Allow pegasas to execute mount command
+- Fix desc for drdb_admin
+- Fix condor_amin()
+- Interface fixes for uptime, vdagent, vnstatd
+- Fix labeling for moodle in /var/www/moodle/data
+- Add interface fixes
+- Allow bugzilla to read certs
+- /var/www/moodle needs to be writable by apache
+- Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest
+- Fix namespace_init_t to create content with proper labels, and allow it to manage all user content
+- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean
+- Fixes for dlm_controld
+- Fix apache_read_sys_content_rw_dirs() interface
+- Allow logrotate to read /var/log/z-push dir
+- Fix sys_nice for cups_domain
+- Allow postfix_postdrop to acces postfix_public socket
+- Allow sched_setscheduler for cupsd_t
+- Add missing context for /usr/sbin/snmpd
+- Kernel_t needs mac_admin in order to support labeled NFS
+- Fix systemd_dontaudit_dbus_chat() interface
+- Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest
+- Allow consolehelper domain to write Xauth files in /root
+- Add port definition for osapi_compute port
+- Allow unconfined to create /etc/hostname with correct labeling
+- Add systemd_filetrans_named_hostname() interface
+
* Mon Apr 8 2013 Dan Walsh 3.12.1-28
- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean
- Fixes for dlm_controld