diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 4a010e7d..7ba4bbae 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -7634,7 +7634,7 @@ index 6a1e4d1..adafd25 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..8601a3e 100644 +index cf04cb5..431baa5 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -7760,7 +7760,7 @@ index cf04cb5..8601a3e 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +227,262 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +227,261 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -8022,7 +8022,6 @@ index cf04cb5..8601a3e 100644 + prelink_exec(domain) + ') +') -+ diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index c2c6e05..d0e6d1c 100644 --- a/policy/modules/kernel/files.fc @@ -17466,7 +17465,7 @@ index 9d2f311..9e87525 100644 + postgresql_filetrans_named_content($1) ') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 346d011..d84cfd8 100644 +index 346d011..3e23acb 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -19,25 +19,32 @@ gen_require(` @@ -17479,15 +17478,15 @@ index 346d011..d84cfd8 100644 +##

+## Allow postgresql to use ssh and rsync for point-in-time recovery +##

- ## --gen_tunable(sepgsql_enable_users_ddl, false) ++## +gen_tunable(postgresql_can_rsync, false) + +## +##

+## Allow unprivileged users to execute DDL statement +##

-+##
+ ## +-gen_tunable(sepgsql_enable_users_ddl, false) +gen_tunable(postgresql_selinux_users_ddl, true) ## @@ -17566,16 +17565,27 @@ index 346d011..d84cfd8 100644 seutil_libselinux_linked(postgresql_t) seutil_read_default_contexts(postgresql_t) -@@ -367,7 +373,7 @@ optional_policy(` +@@ -364,10 +370,18 @@ userdom_dontaudit_search_user_home_dirs(postgresql_t) + userdom_dontaudit_use_user_terminals(postgresql_t) + + optional_policy(` ++ ccs_read_config(postgresql_t) ++') ++ ++optional_policy(` mta_getattr_spool(postgresql_t) ') -tunable_policy(`allow_execmem',` ++optional_policy(` ++ rhcs_manage_cluster_pid_files(postgresql_t) ++') ++ +tunable_policy(`deny_execmem',`',` allow postgresql_t self:process execmem; ') -@@ -485,10 +491,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin +@@ -485,10 +499,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin # It is always allowed to operate temporary objects for any database client. allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom }; @@ -17632,7 +17642,7 @@ index 346d011..d84cfd8 100644 allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name }; ') -@@ -536,7 +584,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; +@@ -536,7 +592,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_admin_type) 
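Review bot: `rhcs_manage_cluster_pid_files(postgresql_t)` in the 17566 hunk gives the database server create, write and delete rights over the cluster suite's pid files, which is more than a resource agent normally needs from the managed service, and nothing in the hunk records why. If postgresql only has to read or update its own agent's state, a read or rw variant of the rhcs interface would be narrower; if manage really is required, a comment above the optional block such as `# pid files of the RHCS pgsql resource agent -- TODO confirm manage is required` would keep the next reviewer from narrowing it back. The adjacent `ccs_read_config(postgresql_t)` looks proportionate by comparison. The postgresql_t policy this lands in begins and ends outside the hunk.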
@@ -17641,7 +17651,7 @@ index 346d011..d84cfd8 100644 allow sepgsql_admin_type sepgsql_database_type:db_database *; allow sepgsql_admin_type sepgsql_schema_type:db_schema *; -@@ -589,3 +637,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; +@@ -589,3 +645,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type) @@ -18323,7 +18333,7 @@ index fe0c682..da12170 100644 + allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms; +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..8d190be 100644 +index 5fc0391..3540387 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,44 +6,52 @@ policy_module(ssh, 2.3.3) @@ -18651,7 +18661,7 @@ index 5fc0391..8d190be 100644 rpm_use_script_fds(sshd_t) ') -@@ -279,6 +335,32 @@ optional_policy(` +@@ -279,13 +335,69 @@ optional_policy(` ') optional_policy(` @@ -18684,7 +18694,14 @@ index 5fc0391..8d190be 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -286,6 +368,29 @@ optional_policy(` + optional_policy(` ++ kernel_write_proc_files(sshd_t) ++ virt_transition_svirt_lxc(sshd_t, system_r) ++ virt_stream_connect_lxc(sshd_t) ++ virt_stream_connect(sshd_t) ++') ++ ++optional_policy(` xserver_domtrans_xauth(sshd_t) ') @@ -18714,7 +18731,7 @@ index 5fc0391..8d190be 100644 ######################################## # # ssh_keygen local policy -@@ -294,19 +399,26 @@ optional_policy(` +@@ -294,19 +406,26 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t 
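Review bot: `kernel_write_proc_files(sshd_t)` in the 18684 hunk is placed in the same optional_policy block as the three `virt_*` calls, so a kernel-module grant that depends on no optional module is silently dropped whenever the virt module is not loaded, and nothing records which /proc file sshd has to write. If the write exists only to support the `virt_transition_svirt_lxc` transition, keep it in the block but say so, e.g. `# proc write is for the svirt_lxc container transition -- TODO confirm which file`; otherwise move it next to sshd_t's unconditional kernel_ rules. Write access to proc files is a broad grant for a network-facing daemon, so a narrower interface covering the specific file would be preferable if one exists. The sshd_t policy this sits in begins and ends outside the hunk.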
@@ -18742,7 +18759,7 @@ index 5fc0391..8d190be 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -323,6 +435,12 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -323,6 +442,12 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -18755,7 +18772,7 @@ index 5fc0391..8d190be 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -331,3 +449,138 @@ optional_policy(` +@@ -331,3 +456,138 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -20428,7 +20445,7 @@ index 6bf0ecc..8a8ed32 100644 + files_search_tmp($1) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..2964047 100644 +index 2696452..7a3a6c0 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -20962,7 +20979,7 @@ index 2696452..2964047 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -430,9 +587,26 @@ files_list_mnt(xdm_t) +@@ -430,9 +587,27 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -20973,6 +20990,7 @@ index 2696452..2964047 100644 +files_dontaudit_getattr_all_symlinks(xdm_t) +files_dontaudit_getattr_all_tmp_sockets(xdm_t) +files_dontaudit_all_access_check(xdm_t) ++files_dontaudit_list_non_security(xdm_t) fs_getattr_all_fs(xdm_t) fs_search_auto_mountpoints(xdm_t) @@ -20989,7 +21007,7 @@ index 2696452..2964047 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +615,40 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +616,40 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) 
@@ -21033,7 +21051,7 @@ index 2696452..2964047 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +657,43 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +658,43 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -21083,7 +21101,7 @@ index 2696452..2964047 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +707,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +708,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -21110,7 +21128,7 @@ index 2696452..2964047 100644 ') optional_policy(` -@@ -514,12 +734,72 @@ optional_policy(` +@@ -514,12 +735,72 @@ optional_policy(` ') optional_policy(` @@ -21183,7 +21201,7 @@ index 2696452..2964047 100644 hostname_exec(xdm_t) ') -@@ -537,28 +817,78 @@ optional_policy(` +@@ -537,28 +818,78 @@ optional_policy(` ') optional_policy(` @@ -21271,7 +21289,7 @@ index 2696452..2964047 100644 ') optional_policy(` -@@ -570,6 +900,14 @@ optional_policy(` +@@ -570,6 +901,14 @@ optional_policy(` ') optional_policy(` @@ -21286,7 +21304,7 @@ index 2696452..2964047 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +932,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +933,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -21299,7 +21317,7 @@ index 2696452..2964047 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +949,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +950,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -21315,7 +21333,7 @@ index 2696452..2964047 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -628,12 +976,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +977,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -21337,7 +21355,7 @@ index 2696452..2964047 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +996,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +997,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -21351,7 +21369,7 @@ index 2696452..2964047 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1022,27 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1023,27 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) 
@@ -21382,7 +21400,7 @@ index 2696452..2964047 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,8 +1053,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,8 +1054,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -21396,7 +21414,7 @@ index 2696452..2964047 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -708,20 +1072,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1073,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -21420,7 +21438,7 @@ index 2696452..2964047 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -729,8 +1091,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1092,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -21429,7 +21447,7 @@ index 2696452..2964047 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1135,44 @@ optional_policy(` +@@ -775,16 +1136,44 @@ optional_policy(` ') optional_policy(` @@ -21475,7 +21493,7 @@ index 2696452..2964047 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1181,10 @@ optional_policy(` +@@ -793,6 +1182,10 @@ optional_policy(` ') optional_policy(` @@ -21486,7 +21504,7 @@ index 2696452..2964047 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1200,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1201,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! 
@@ -21500,7 +21518,7 @@ index 2696452..2964047 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1211,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1212,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -21509,7 +21527,7 @@ index 2696452..2964047 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1224,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1225,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -21544,7 +21562,7 @@ index 2696452..2964047 100644 ') optional_policy(` -@@ -902,7 +1289,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1290,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -21553,7 +21571,7 @@ index 2696452..2964047 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1343,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1344,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; 
@@ -21585,7 +21603,7 @@ index 2696452..2964047 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1389,40 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1390,40 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -22622,7 +22640,7 @@ index 3efd5b6..792df83 100644 +') + diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 104037e..fbe9b26 100644 +index 104037e..a8a2a2d 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2) @@ -22887,12 +22905,15 @@ index 104037e..fbe9b26 100644 files_list_var_lib(nsswitch_domain) # read /etc/nsswitch.conf -@@ -418,14 +448,18 @@ files_read_etc_files(nsswitch_domain) +@@ -417,15 +447,21 @@ files_read_etc_files(nsswitch_domain) + sysnet_dns_name_resolve(nsswitch_domain) - tunable_policy(`authlogin_nsswitch_use_ldap',` +-tunable_policy(`authlogin_nsswitch_use_ldap',` - files_list_var_lib(nsswitch_domain) -- ++systemd_hostnamed_read_config(nsswitch_domain) + ++tunable_policy(`authlogin_nsswitch_use_ldap',` miscfiles_read_generic_certs(nsswitch_domain) sysnet_use_ldap(nsswitch_domain) ') @@ -22908,7 +22929,7 @@ index 104037e..fbe9b26 100644 ldap_stream_connect(nsswitch_domain) ') ') -@@ -438,6 +472,7 @@ optional_policy(` +@@ -438,6 +474,7 @@ optional_policy(` likewise_stream_connect_lsassd(nsswitch_domain) ') @@ -22916,7 +22937,7 @@ index 104037e..fbe9b26 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -456,6 +491,7 @@ optional_policy(` +@@ -456,6 +493,7 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) 
@@ -22924,7 +22945,7 @@ index 104037e..fbe9b26 100644 ') optional_policy(` -@@ -463,3 +499,132 @@ optional_policy(` +@@ -463,3 +501,132 @@ optional_policy(` samba_read_var_files(nsswitch_domain) samba_dontaudit_write_var_files(nsswitch_domain) ') @@ -26319,10 +26340,10 @@ index 9e54bf9..35992c7 100644 +userdom_read_user_tmp_files(setkey_t) diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index 1b93eb7..5effebe 100644 +index 1b93eb7..b2532aa 100644 --- a/policy/modules/system/iptables.fc +++ b/policy/modules/system/iptables.fc -@@ -1,7 +1,8 @@ +@@ -1,21 +1,27 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) @@ -26334,7 +26355,15 @@ index 1b93eb7..5effebe 100644 /sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) -@@ -14,8 +15,13 @@ + /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +-/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0) +-/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) +-/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0) + /sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) + /sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) 
@@ -26345,9 +26374,9 @@ index 1b93eb7..5effebe 100644 -/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0) -/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) -/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/usr/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/usr/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/usr/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) @@ -29642,7 +29671,7 @@ index 4584457..300c3f7 100644 + domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t) ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 6a50270..b78f6a9 100644 +index 6a50270..bfb146f 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -10,35 +10,60 @@ policy_module(mount, 1.15.1) @@ -29839,7 +29868,7 @@ index 6a50270..b78f6a9 100644 term_dontaudit_manage_pty_dirs(mount_t) auth_use_nsswitch(mount_t) -@@ -121,16 +187,20 @@ auth_use_nsswitch(mount_t) +@@ -121,16 +187,19 @@ auth_use_nsswitch(mount_t) init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -29849,7 +29878,7 @@ index 6a50270..b78f6a9 100644 logging_send_syslog_msg(mount_t) -miscfiles_read_localization(mount_t) - +- sysnet_use_portmap(mount_t) seutil_read_config(mount_t) 
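Review bot: In the 26345 hunk `/usr/sbin/ip6?tables.*` already matches every name the next two entries (`/usr/sbin/ip6?tables-restore.*`, `/usr/sbin/ip6?tables-multi.*`) describe, so those two lines are dead, and the open-ended `.*` also labels anything else under /usr/sbin whose name starts with iptables or ip6tables as iptables_exec_t, which is wider than the exact names the removed rules matched. Presumably the intent is to cover suffixed or versioned binaries; if so, drop the two redundant lines and note it, e.g. `# .* covers suffixed/versioned iptables binaries`, or if the accepted set is known spell it out: `/usr/sbin/ip6?tables(-(restore|multi|save))? -- gen_context(system_u:object_r:iptables_exec_t,s0)`. The /sbin entries in the preceding hunk have the same redundancy.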
@@ -29861,7 +29890,7 @@ index 6a50270..b78f6a9 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -146,26 +216,27 @@ ifdef(`distro_ubuntu',` +@@ -146,26 +215,27 @@ ifdef(`distro_ubuntu',` ') ') @@ -29901,7 +29930,7 @@ index 6a50270..b78f6a9 100644 corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -179,6 +250,8 @@ optional_policy(` +@@ -179,6 +249,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -29910,7 +29939,7 @@ index 6a50270..b78f6a9 100644 ') optional_policy(` -@@ -186,6 +259,32 @@ optional_policy(` +@@ -186,6 +258,36 @@ optional_policy(` ') optional_policy(` @@ -29934,6 +29963,10 @@ index 6a50270..b78f6a9 100644 +') + +optional_policy(` ++ glusterd_domtrans(mount_t) ++') ++ ++optional_policy(` + hal_write_log(mount_t) + hal_use_fds(mount_t) + hal_dontaudit_rw_pipes(mount_t) @@ -29943,7 +29976,7 @@ index 6a50270..b78f6a9 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -194,24 +293,124 @@ optional_policy(` +@@ -194,24 +296,124 @@ optional_policy(` ') optional_policy(` @@ -30002,22 +30035,22 @@ index 6a50270..b78f6a9 100644 + +optional_policy(` + usbmuxd_stream_connect(mount_t) -+') -+ -+optional_policy(` -+ userhelper_exec_console(mount_t) -+') -+ -+optional_policy(` -+ virt_read_blk_images(mount_t) +') optional_policy(` - files_etc_filetrans_etc_runtime(unconfined_mount_t, file) - unconfined_domain(unconfined_mount_t) -+ vmware_exec_host(mount_t) ++ userhelper_exec_console(mount_t) ') + ++optional_policy(` ++ virt_read_blk_images(mount_t) ++') ++ ++optional_policy(` ++ vmware_exec_host(mount_t) ++') ++ +###################################### +# +# showmount local policy @@ -30147,7 +30180,7 @@ index d43f3b1..c4182e8 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) 
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 3822072..2639601 100644 +index 3822072..1029e3b 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',` @@ -30516,7 +30549,17 @@ index 3822072..2639601 100644 ######################################## ## ## Create, read, write, and delete the default_contexts files. -@@ -999,6 +1270,26 @@ interface(`seutil_domtrans_semanage',` +@@ -784,7 +1055,9 @@ interface(`seutil_read_file_contexts',` + + files_search_etc($1) + allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; ++ list_dirs_pattern($1, file_context_t, file_context_t) + read_files_pattern($1, file_context_t, file_context_t) ++ read_lnk_files_pattern($1, file_context_t, file_context_t) + ') + + ######################################## +@@ -999,6 +1272,26 @@ interface(`seutil_domtrans_semanage',` ######################################## ## @@ -30543,7 +30586,7 @@ index 3822072..2639601 100644 ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. -@@ -1017,11 +1308,66 @@ interface(`seutil_domtrans_semanage',` +@@ -1017,11 +1310,66 @@ interface(`seutil_domtrans_semanage',` # interface(`seutil_run_semanage',` gen_require(` @@ -30612,7 +30655,7 @@ index 3822072..2639601 100644 ') ######################################## -@@ -1044,6 +1390,9 @@ interface(`seutil_manage_module_store',` +@@ -1044,6 +1392,9 @@ interface(`seutil_manage_module_store',` manage_dirs_pattern($1, selinux_config_t, semanage_store_t) manage_files_pattern($1, semanage_store_t, semanage_store_t) filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules") 
@@ -30622,7 +30665,7 @@ index 3822072..2639601 100644 ') ####################################### -@@ -1137,3 +1486,98 @@ interface(`seutil_dontaudit_libselinux_linked',` +@@ -1137,3 +1488,98 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') @@ -32229,10 +32272,13 @@ index b7686d5..9a50b11 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..595f756 +index 0000000..4e12420 --- /dev/null +++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,39 @@ +@@ -0,0 +1,42 @@ ++/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0) ++/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0) ++ +/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0) +/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0) +/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) @@ -32274,10 +32320,10 @@ index 0000000..595f756 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..2961157 +index 0000000..fc080a1 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1042 @@ +@@ -0,0 +1,1064 @@ +## SELinux policy for systemd components + +####################################### @@ -33068,6 +33114,25 @@ index 0000000..2961157 + files_var_lib_filetrans($1, random_seed_t, file, "random_seed") +') + ++######################################## ++## ++## Allow process to read hostname config file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`systemd_hostnamed_read_config',` ++ gen_require(` ++ type hostname_etc_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 hostname_etc_t:file read_file_perms; ++') + +######################################## +## 
@@ -33083,11 +33148,14 @@ index 0000000..2961157 + gen_require(` + type systemd_passwd_var_run_t; + type systemd_logind_var_run_t; ++ type hostname_etc_t; + ') + + files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin") + init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block") + init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password") ++ files_etc_filetrans($1, hostname_etc_t, file, "hostname" ) ++ files_etc_filetrans($1, hostname_etc_t, file, "machine-info" ) +') + +######################################## @@ -33322,10 +33390,10 @@ index 0000000..2961157 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..ac0a395 +index 0000000..90e063a --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,624 @@ +@@ -0,0 +1,632 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -33400,6 +33468,9 @@ index 0000000..ac0a395 +type systemd_hostnamed_exec_t; +init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t) + ++type hostname_etc_t; ++files_config_file(hostname_etc_t) ++ +type systemd_timedated_t, systemd_domain; +type systemd_timedated_exec_t; +init_daemon_domain(systemd_timedated_t, systemd_timedated_exec_t) @@ -33538,10 +33609,6 @@ index 0000000..ac0a395 +') + +optional_policy(` -+ policykit_dbus_chat(systemd_logind_t) -+') -+ -+optional_policy(` + rpm_dbus_chat(systemd_logind_t) +') + @@ -33556,7 +33623,7 @@ index 0000000..ac0a395 +# + +allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override }; -+allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal }; ++allow systemd_passwd_agent_t self:process { setsockcreate }; +allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms; + +manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t); 
@@ -33671,9 +33738,6 @@ index 0000000..ac0a395 +miscfiles_relabel_man_pages(systemd_tmpfiles_t) +miscfiles_delete_man_pages(systemd_tmpfiles_t) + -+seutil_read_config(systemd_tmpfiles_t) -+seutil_read_file_contexts(systemd_tmpfiles_t) -+ +ifdef(`distro_redhat',` + userdom_list_user_home_content(systemd_tmpfiles_t) + userdom_delete_all_user_home_content_dirs(systemd_tmpfiles_t) @@ -33799,10 +33863,8 @@ index 0000000..ac0a395 + +dev_write_kmsg(systemd_localed_t) + -+seutil_read_config(systemd_localed_t) -+seutil_read_file_contexts(systemd_localed_t) -+ +logging_stream_connect_syslog(systemd_localed_t) ++logging_send_syslog_msg(systemd_localed_t) + +miscfiles_manage_localization(systemd_localed_t) +miscfiles_etc_filetrans_localization(systemd_localed_t) @@ -33818,12 +33880,17 @@ index 0000000..ac0a395 +# +# Hostnamed policy +# -+dontaudit systemd_hostnamed_t self:capability sys_ptrace; ++dontaudit systemd_hostnamed_t self:capability { sys_admin sys_ptrace }; + +allow systemd_hostnamed_t self:fifo_file rw_fifo_file_perms; +allow systemd_hostnamed_t self:unix_stream_socket create_stream_socket_perms; +allow systemd_hostnamed_t self:unix_dgram_socket create_socket_perms; + ++manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t) ++manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t) ++files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "hostname" ) ++files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "machine-info" ) ++ +kernel_dgram_send(systemd_hostnamed_t) + +dev_write_kmsg(systemd_hostnamed_t) @@ -33835,6 +33902,9 @@ index 0000000..ac0a395 + +logging_send_syslog_msg(systemd_hostnamed_t) + ++userdom_read_all_users_state(systemd_hostnamed_t) ++userdom_dbus_send_all_users(systemd_hostnamed_t) ++ +optional_policy(` + dbus_system_bus_client(systemd_hostnamed_t) + dbus_connect_system_bus(systemd_hostnamed_t) 
@@ -33845,7 +33915,7 @@ index 0000000..ac0a395 +# Timedated policy +# +allow systemd_timedated_t self:capability { sys_nice sys_time dac_override }; -+allow systemd_timedated_t self:process { getattr getsched signal setfscreate }; ++allow systemd_timedated_t self:process { getattr getsched setfscreate }; +allow systemd_timedated_t self:fifo_file rw_fifo_file_perms; +allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms; +allow systemd_timedated_t self:unix_dgram_socket create_socket_perms; @@ -33875,8 +33945,6 @@ index 0000000..ac0a395 +miscfiles_manage_localization(systemd_timedated_t) +miscfiles_etc_filetrans_localization(systemd_timedated_t) + -+seutil_read_file_contexts(systemd_timedated_t) -+ +userdom_read_all_users_state(systemd_timedated_t) + +optional_policy(` @@ -33915,7 +33983,6 @@ index 0000000..ac0a395 +') + +optional_policy(` -+ policykit_dbus_chat(systemd_timedated_t) + policykit_domtrans_auth(systemd_timedated_t) + policykit_read_lib(systemd_timedated_t) + policykit_read_reload(systemd_timedated_t) @@ -33943,13 +34010,22 @@ index 0000000..ac0a395 +# +# Common rules for systemd domains +# -+ ++allow systemd_domain self:process { setfscreate signal_perms }; +files_read_etc_files(systemd_domain) +files_read_etc_runtime_files(systemd_domain) +files_read_usr_files(systemd_domain) + ++init_search_pid_dirs(systemd_domain) ++ +logging_stream_connect_syslog(systemd_domain) + ++seutil_read_config(systemd_domain) ++seutil_read_file_contexts(systemd_domain) ++ ++optional_policy(` ++ policykit_dbus_chat(systemd_domain) ++') ++ diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc index 40928d8..49fd32e 100644 --- a/policy/modules/system/udev.fc @@ -35321,7 +35397,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..ba7a400 100644 +index 3c5dba7..05bc969 100644 
--- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -37987,10 +38063,12 @@ index 3c5dba7..ba7a400 100644 ## Create keys for all user domains. ## ## -@@ -3439,3 +4197,1355 @@ interface(`userdom_dbus_send_all_users',` +@@ -3438,4 +4196,1357 @@ interface(`userdom_dbus_send_all_users',` + ') allow $1 userdomain:dbus send_msg; - ') ++ ps_process_pattern($1, userdomain) ++') + +######################################## +## @@ -39342,7 +39420,7 @@ index 3c5dba7..ba7a400 100644 + ') + + filetrans_pattern($1, user_tmpfs_t, $2, $3, $4) -+') + ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index e2b538b..6371ed6 100644 --- a/policy/modules/system/userdomain.te diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 867dc4d7..59ef21bc 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -2694,7 +2694,7 @@ index 0000000..b334e9a + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 550a69e..d2af19f 100644 +index 550a69e..e714059 100644 --- a/apache.fc +++ b/apache.fc @@ -1,161 +1,184 @@ @@ -2724,7 +2724,7 @@ index 550a69e..d2af19f 100644 +/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/etc/owncloud/config\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/etc/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) @@ -10091,10 +10091,10 @@ index 0000000..efebae7 +') 
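Review bot: Adding `ps_process_pattern($1, userdomain)` to `userdom_dbus_send_all_users` widens an interface whose visible purpose is sending dbus messages, so every existing caller silently gains read access to the /proc state of all user-domain processes. The caller in this same patch that wants that already asks for it explicitly (systemd_hostnamed_t calls both `userdom_read_all_users_state` and `userdom_dbus_send_all_users`), so the extra line is better dropped here and requested per caller; if it has to stay, the interface's summary comment should say that the caller also receives `ps_process_pattern` on userdomain. The interface's header and doc comment lie before this hunk.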
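Review bot: `/etc/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)` replaces a rule that covered only `/etc/owncloud/config\.php`, so every file under /etc/owncloud, present or future, becomes writable by the httpd domains instead of the single file the web application rewrites. If the wider rule is there so owncloud can create files in the directory, narrower labelling keeps that while bounding what a compromised httpd can alter: keep `/etc/owncloud/config\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)` and add `/etc/owncloud -d gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)` for the directory itself. If the whole tree really must be writable, a one-line comment stating why would stop the next reviewer from narrowing it back.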
diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..2cce501 +index 0000000..a54bf63 --- /dev/null +++ b/chrome.te -@@ -0,0 +1,203 @@ +@@ -0,0 +1,204 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -10293,6 +10293,7 @@ index 0000000..2cce501 +userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t) +userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t) +userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t) ++userdom_dontaudit_use_user_terminals(chrome_sandbox_nacl_t) + +optional_policy(` + gnome_dontaudit_append_config_files(chrome_sandbox_nacl_t) @@ -11596,10 +11597,10 @@ index 954309e..f4db2ca 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..45f1622 100644 +index 6471fa8..afeb58c 100644 --- a/collectd.te +++ b/collectd.te -@@ -26,6 +26,9 @@ files_type(collectd_var_lib_t) +@@ -26,8 +26,14 @@ files_type(collectd_var_lib_t) type collectd_var_run_t; files_pid_file(collectd_var_run_t) @@ -11608,8 +11609,21 @@ index 6471fa8..45f1622 100644 + apache_content_template(collectd) ++type httpd_collectd_script_tmp_t; ++files_tmp_file(httpd_collectd_script_tmp_t) ++ ######################################## -@@ -48,21 +51,18 @@ files_pid_filetrans(collectd_t, collectd_var_run_t, file) + # + # Local policy +@@ -38,6 +44,7 @@ allow collectd_t self:process { getsched setsched signal }; + allow collectd_t self:fifo_file rw_fifo_file_perms; + allow collectd_t self:packet_socket create_socket_perms; + allow collectd_t self:unix_stream_socket { accept listen }; ++allow collectd_t self:netlink_tcpdiag_socket create_socket_perms; + + manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) + manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) +@@ -48,21 +55,18 @@ files_pid_filetrans(collectd_t, collectd_var_run_t, file) domain_use_interactive_fds(collectd_t) 
@@ -11634,14 +11648,30 @@ index 6471fa8..45f1622 100644 logging_send_syslog_msg(collectd_t) -@@ -87,4 +87,7 @@ optional_policy(` - read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) - list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) - miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t) -+ -+ auth_read_passwd(httpd_collectd_script_t) - ') +@@ -80,11 +84,17 @@ optional_policy(` + + ######################################## + # +-# Web local policy ++# Web collectd local policy + # + +-optional_policy(` +- read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) +- list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) +- miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t) +-') + ++files_search_var_lib(httpd_collectd_script_t) ++read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) ++list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) ++miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t) ++ ++manage_dirs_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t) ++manage_files_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t) ++files_tmp_filetrans(httpd_collectd_script_t, httpd_collectd_script_tmp_t, { file dir }) ++ ++auth_read_passwd(httpd_collectd_script_t) diff --git a/colord.fc b/colord.fc index 717ea0b..22e0385 100644 --- a/colord.fc @@ -15640,10 +15670,10 @@ index 6ce66e7..1d0337a 100644 optional_policy(` diff --git a/cups.fc b/cups.fc -index 949011e..85b210b 100644 +index 949011e..0332f88 100644 --- a/cups.fc +++ b/cups.fc -@@ -1,77 +1,85 @@ +@@ -1,77 +1,86 @@ -/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) 
@@ -15760,6 +15790,7 @@ index 949011e..85b210b 100644 +/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh) ++/var/run/hplip(/.*) gen_context(system_u:object_r:cupsd_var_run_t,s0) +/var/run/hp.*\.pid -- gen_context(system_u:object_r:cupsd_var_run_t,s0) +/var/run/hp.*\.port -- gen_context(system_u:object_r:cupsd_var_run_t,s0) /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) @@ -23526,7 +23557,7 @@ index 9eacb2c..229782f 100644 init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) domain_system_change_exemption($1) diff --git a/glance.te b/glance.te -index e0a4f46..70277e8 100644 +index e0a4f46..0a1aec6 100644 --- a/glance.te +++ b/glance.te @@ -7,8 +7,7 @@ policy_module(glance, 1.0.2) @@ -23560,7 +23591,7 @@ index e0a4f46..70277e8 100644 allow glance_domain self:fifo_file rw_fifo_file_perms; allow glance_domain self:unix_stream_socket create_stream_socket_perms; allow glance_domain self:tcp_socket { accept listen }; -@@ -56,10 +58,6 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) +@@ -56,27 +58,21 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t) manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t) @@ -23571,7 +23602,11 @@ index e0a4f46..70277e8 100644 corenet_tcp_sendrecv_generic_if(glance_domain) corenet_tcp_sendrecv_generic_node(glance_domain) corenet_tcp_sendrecv_all_ports(glance_domain) -@@ -70,13 +68,10 @@ corecmd_exec_shell(glance_domain) + corenet_tcp_bind_generic_node(glance_domain) ++corenet_tcp_connect_mysqld_port(glance_domain) + + corecmd_exec_bin(glance_domain) + corecmd_exec_shell(glance_domain) dev_read_urand(glance_domain) 
@@ -23586,7 +23621,7 @@ index e0a4f46..70277e8 100644 sysnet_dns_name_resolve(glance_domain) ######################################## -@@ -88,8 +83,15 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm +@@ -88,8 +84,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file }) @@ -23597,12 +23632,11 @@ index e0a4f46..70277e8 100644 +corenet_tcp_bind_generic_node(glance_registry_t) corenet_sendrecv_glance_registry_server_packets(glance_registry_t) corenet_tcp_bind_glance_registry_port(glance_registry_t) -+corenet_tcp_connect_mysqld_port(glance_registry_t) +corenet_tcp_connect_all_ephemeral_ports(glance_registry_t) logging_send_syslog_msg(glance_registry_t) -@@ -108,13 +110,19 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) +@@ -108,13 +110,20 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) can_exec(glance_api_t, glance_tmp_t) @@ -23616,12 +23650,13 @@ index e0a4f46..70277e8 100644 +corenet_tcp_bind_glance_port(glance_api_t) corenet_sendrecv_glance_registry_client_packets(glance_api_t) corenet_tcp_connect_glance_registry_port(glance_api_t) - ++corenet_tcp_connect_mysqld_port(glance_api_t) ++ +corenet_tcp_connect_all_ephemeral_ports(glance_api_t) + +corenet_sendrecv_hplip_server_packets(glance_api_t) +corenet_tcp_bind_hplip_port(glance_api_t) -+ + fs_getattr_xattr_fs(glance_api_t) + +optional_policy(` @@ -23807,7 +23842,7 @@ index 0000000..1ed97fe + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..643f4bd +index 0000000..190dcb1 --- /dev/null +++ b/glusterd.te @@ -0,0 +1,146 @@ 
@@ -23954,9 +23989,9 @@ index 0000000..643f4bd + +tunable_policy(`gluster_export_all_rw',` + fs_manage_noxattr_fs_files(glusterd_t) ++ files_manage_non_security_dirs(glusterd_t) + files_manage_non_security_files(glusterd_t) +') -+ diff --git a/glusterfs.fc b/glusterfs.fc deleted file mode 100644 index 4bd6ade..0000000 @@ -31400,7 +31435,7 @@ index d3e7fc9..f20248c 100644 + ') ') diff --git a/keystone.te b/keystone.te -index 3494d9b..343535a 100644 +index 3494d9b..124a2ab 100644 --- a/keystone.te +++ b/keystone.te @@ -21,10 +21,14 @@ files_type(keystone_var_lib_t) @@ -31418,7 +31453,15 @@ index 3494d9b..343535a 100644 allow keystone_t self:fifo_file rw_fifo_file_perms; allow keystone_t self:unix_stream_socket { accept listen }; -@@ -62,15 +66,17 @@ corenet_sendrecv_commplex_main_server_packets(keystone_t) +@@ -57,20 +61,25 @@ corenet_all_recvfrom_netlabel(keystone_t) + corenet_tcp_sendrecv_generic_if(keystone_t) + corenet_tcp_sendrecv_generic_node(keystone_t) + corenet_tcp_bind_generic_node(keystone_t) ++corenet_tcp_connect_mysqld_port(keystone_t) ++ ++corenet_tcp_connect_mysqld_port(keystone_t) + + corenet_sendrecv_commplex_main_server_packets(keystone_t) corenet_tcp_bind_commplex_main_port(keystone_t) corenet_tcp_sendrecv_commplex_main_port(keystone_t) @@ -39948,7 +39991,7 @@ index b744fe3..4c1b6a8 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff --git a/munin.te b/munin.te -index 97370e4..f076c38 100644 +index 97370e4..27d3100 100644 --- a/munin.te +++ b/munin.te @@ -40,12 +40,15 @@ munin_plugin_template(services) 
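Review bot: `corenet_tcp_connect_mysqld_port(keystone_t)` is added twice in the keystone.te hunk (once after `corenet_tcp_bind_generic_node(keystone_t)` and again two lines below, separated by a blank line); one of the two should go. The same duplication appears in the nova.te hunk further down, where `corenet_tcp_connect_mysqld_port(nova_domain)` is inserted both after the amqp connect rule and again after `corecmd_exec_shell(nova_domain)`. The duplicate rules are harmless to the compiled policy but make the intent look accidental and will confuse the next diff against upstream.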
@@ -39968,7 +40011,7 @@ index 97370e4..f076c38 100644 allow munin_plugin_domain self:fifo_file rw_fifo_file_perms; allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms; -@@ -58,24 +61,16 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms; +@@ -58,23 +61,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms; manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t) @@ -39989,11 +40032,11 @@ index 97370e4..f076c38 100644 fs_getattr_all_fs(munin_plugin_domain) -miscfiles_read_localization(munin_plugin_domain) -- ++auth_read_passwd(munin_plugin_domain) + optional_policy(` nscd_use(munin_plugin_domain) - ') -@@ -114,7 +109,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) +@@ -114,7 +111,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) @@ -40002,7 +40045,7 @@ index 97370e4..f076c38 100644 manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t) manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) -@@ -130,7 +125,6 @@ kernel_read_all_sysctls(munin_t) +@@ -130,7 +127,6 @@ kernel_read_all_sysctls(munin_t) corecmd_exec_bin(munin_t) corecmd_exec_shell(munin_t) @@ -40010,7 +40053,7 @@ index 97370e4..f076c38 100644 corenet_all_recvfrom_netlabel(munin_t) corenet_tcp_sendrecv_generic_if(munin_t) corenet_tcp_sendrecv_generic_node(munin_t) -@@ -153,7 +147,6 @@ domain_use_interactive_fds(munin_t) +@@ -153,7 +149,6 @@ domain_use_interactive_fds(munin_t) domain_read_all_domains_state(munin_t) files_read_etc_runtime_files(munin_t) @@ -40018,7 +40061,7 @@ index 97370e4..f076c38 100644 files_list_spool(munin_t) fs_getattr_all_fs(munin_t) -@@ -165,7 +158,6 @@ logging_send_syslog_msg(munin_t) +@@ -165,7 +160,6 @@ logging_send_syslog_msg(munin_t) logging_read_all_logs(munin_t) miscfiles_read_fonts(munin_t) 
@@ -40026,7 +40069,7 @@ index 97370e4..f076c38 100644 miscfiles_setattr_fonts_cache_dirs(munin_t) sysnet_exec_ifconfig(munin_t) -@@ -173,13 +165,6 @@ sysnet_exec_ifconfig(munin_t) +@@ -173,13 +167,6 @@ sysnet_exec_ifconfig(munin_t) userdom_dontaudit_use_unpriv_user_fds(munin_t) userdom_dontaudit_search_user_home_dirs(munin_t) @@ -40040,7 +40083,7 @@ index 97370e4..f076c38 100644 optional_policy(` cron_system_entry(munin_t, munin_exec_t) -@@ -213,7 +198,6 @@ optional_policy(` +@@ -213,7 +200,6 @@ optional_policy(` optional_policy(` postfix_list_spool(munin_t) @@ -40048,7 +40091,7 @@ index 97370e4..f076c38 100644 ') optional_policy(` -@@ -246,17 +230,17 @@ corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t) +@@ -246,17 +232,17 @@ corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t) corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t) @@ -40070,7 +40113,7 @@ index 97370e4..f076c38 100644 sysnet_read_config(disk_munin_plugin_t) -@@ -275,27 +259,36 @@ optional_policy(` +@@ -275,27 +261,36 @@ optional_policy(` allow mail_munin_plugin_t self:capability dac_override; @@ -40111,7 +40154,7 @@ index 97370e4..f076c38 100644 ') optional_policy(` -@@ -353,7 +346,11 @@ optional_policy(` +@@ -353,7 +348,11 @@ optional_policy(` ') optional_policy(` @@ -40124,7 +40167,15 @@ index 97370e4..f076c38 100644 ') optional_policy(` -@@ -413,3 +410,30 @@ optional_policy(` +@@ -385,6 +384,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) + + kernel_read_network_state(system_munin_plugin_t) + kernel_read_all_sysctls(system_munin_plugin_t) ++kernel_read_fs_sysctls(system_munin_plugin_t) + + dev_read_sysfs(system_munin_plugin_t) + dev_read_urand(system_munin_plugin_t) +@@ -413,3 +413,31 @@ optional_policy(` optional_policy(` unconfined_domain(unconfined_munin_plugin_t) ') 
@@ -40146,7 +40197,8 @@ index 97370e4..f076c38 100644 +read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t) +read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t) + -+allow httpd_munin_script_t munin_log_t:file read_file_perms; ++read_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t) ++append_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t) + +files_search_var_lib(httpd_munin_script_t) + @@ -42462,7 +42514,7 @@ index 0e8508c..b9c69d2 100644 + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf") ') diff --git a/networkmanager.te b/networkmanager.te -index 0b48a30..da4eebb 100644 +index 0b48a30..0c6cd41 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ @@ -42786,7 +42838,7 @@ index 0b48a30..da4eebb 100644 ') optional_policy(` -@@ -320,13 +342,14 @@ optional_policy(` +@@ -320,13 +342,15 @@ optional_policy(` ') optional_policy(` @@ -42795,6 +42847,7 @@ index 0b48a30..da4eebb 100644 + systemd_write_inhibit_pipes(NetworkManager_t) + systemd_read_logind_sessions_files(NetworkManager_t) + systemd_dbus_chat_logind(NetworkManager_t) ++ systemd_hostnamed_read_config(NetworkManager_t) ') optional_policy(` @@ -42805,7 +42858,7 @@ index 0b48a30..da4eebb 100644 ') optional_policy(` -@@ -356,6 +379,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -356,6 +380,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -43499,10 +43552,10 @@ index 0000000..7d11148 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..7ce9e62 +index 0000000..c3a9a89 --- /dev/null +++ b/nova.te -@@ -0,0 +1,326 @@ +@@ -0,0 +1,325 @@ +policy_module(nova, 1.0.0) + +######################################## 
@@ -43558,19 +43611,18 @@ index 0000000..7ce9e62 +manage_files_pattern(nova_domain, nova_var_run_t, nova_var_run_t) + +corenet_tcp_connect_amqp_port(nova_domain) ++corenet_tcp_connect_mysqld_port(nova_domain) + +corecmd_exec_bin(nova_domain) +corecmd_exec_shell(nova_domain) ++corenet_tcp_connect_mysqld_port(nova_domain) + +dev_read_urand(nova_domain) + +fs_getattr_xattr_fs(nova_domain) + -+ +libs_exec_ldconfig(nova_domain) + -+ -+ +optional_policy(` + sysnet_read_config(nova_domain) +') @@ -48042,10 +48094,10 @@ index 0000000..407386d +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..a23c70a +index 0000000..d859b72 --- /dev/null +++ b/openshift.te -@@ -0,0 +1,472 @@ +@@ -0,0 +1,481 @@ +policy_module(openshift,1.0.0) + +gen_require(` @@ -48112,6 +48164,9 @@ index 0000000..a23c70a +type openshift_cgroup_read_exec_t; +application_domain(openshift_cgroup_read_t, openshift_cgroup_read_exec_t) + ++type openshift_cgroup_read_tmp_t, openshift_file_type; ++files_tmp_file(openshift_cgroup_read_tmp_t) ++ +type openshift_cron_t; +type openshift_cron_exec_t; +domain_type(openshift_cron_t) @@ -48281,6 +48336,7 @@ index 0000000..a23c70a +files_dontaudit_getattr_non_security_sockets(openshift_domain) +files_dontaudit_setattr_non_security_dirs(openshift_domain) +files_dontaudit_setattr_non_security_files(openshift_domain) ++files_dontaudit_rw_inherited_locks(openshift_domain) + +libs_exec_lib_files(openshift_domain) +libs_exec_ld_so(openshift_domain) 
@@ -48416,6 +48472,10 @@ index 0000000..a23c70a +allow openshift_cgroup_read_t self:unix_stream_socket create_stream_socket_perms; +allow openshift_cgroup_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms; + ++manage_dirs_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t) ++manage_files_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t) ++files_tmp_filetrans(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, { file dir }) ++ +kernel_read_system_state(openshift_cgroup_read_t) + +miscfiles_read_localization(openshift_cgroup_read_t) @@ -48425,12 +48485,12 @@ index 0000000..a23c70a +') + +corecmd_exec_bin(openshift_cgroup_read_t) ++corecmd_exec_shell(openshift_cgroup_read_t) + +dev_read_urand(openshift_cgroup_read_t) + +domain_use_interactive_fds(openshift_cgroup_read_t) + -+ +fs_dontaudit_rw_anon_inodefs_files(openshift_cgroup_read_t) + +userdom_use_inherited_user_ptys(openshift_cgroup_read_t) @@ -48442,6 +48502,7 @@ index 0000000..a23c70a + +allow openshift_domain openshift_cgroup_read_t:process { getattr signal signull sigkill }; + ++fs_list_cgroup_dirs(openshift_cgroup_read_t) +fs_read_cgroup_files(openshift_cgroup_read_t) + +allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms; @@ -56356,7 +56417,7 @@ index 20d4697..e6605c1 100644 + files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache") +') diff --git a/prelink.te b/prelink.te -index c0f047a..e81b5b1 100644 +index c0f047a..6f22887 100644 --- a/prelink.te +++ b/prelink.te @@ -1,4 +1,4 @@ 
@@ -56529,19 +56590,20 @@ index c0f047a..e81b5b1 100644 kernel_read_system_state(prelink_cron_system_t) -@@ -184,8 +168,10 @@ optional_policy(` +@@ -184,8 +168,11 @@ optional_policy(` dev_list_sysfs(prelink_cron_system_t) dev_read_sysfs(prelink_cron_system_t) - files_rw_etc_dirs(prelink_cron_system_t) files_dontaudit_search_all_mountpoints(prelink_cron_system_t) + files_search_var_lib(prelink_cron_system_t) ++ files_dontaudit_list_non_security(prelink_cron_system_t) + + fs_search_cgroup_dirs(prelink_cron_system_t) auth_use_nsswitch(prelink_cron_system_t) -@@ -196,11 +182,20 @@ optional_policy(` +@@ -196,11 +183,20 @@ optional_policy(` logging_search_logs(prelink_cron_system_t) @@ -63284,7 +63346,7 @@ index 5421af0..91e69b8 100644 +/var/run/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_run_t,s0) +/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) diff --git a/rgmanager.if b/rgmanager.if -index 1c2f9aa..7d70a46 100644 +index 1c2f9aa..8af1f78 100644 --- a/rgmanager.if +++ b/rgmanager.if @@ -1,13 +1,13 @@ @@ -63314,8 +63376,29 @@ index 1c2f9aa..7d70a46 100644 ## ## ## -@@ -41,8 +40,7 @@ interface(`rgmanager_stream_connect',` +@@ -39,10 +38,28 @@ interface(`rgmanager_stream_connect',` + stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t) + ') ++######################################## ++## ++## Manage rgmanager pid files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rgmanager_manage_pid_files',` ++ gen_require(` ++ type rgmanager_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t) ++') ++ ###################################### ## -## Create, read, write, and delete @@ -63324,7 +63407,7 @@ index 1c2f9aa..7d70a46 100644 ## ## ## -@@ -61,8 +59,7 @@ interface(`rgmanager_manage_tmp_files',` +@@ -61,8 +78,7 @@ interface(`rgmanager_manage_tmp_files',` ###################################### ## 
@@ -63334,7 +63417,7 @@ index 1c2f9aa..7d70a46 100644 ## ## ## -@@ -79,10 +76,28 @@ interface(`rgmanager_manage_tmpfs_files',` +@@ -79,10 +95,28 @@ interface(`rgmanager_manage_tmpfs_files',` manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t) ') @@ -63365,7 +63448,7 @@ index 1c2f9aa..7d70a46 100644 ## ## ## -@@ -91,7 +106,7 @@ interface(`rgmanager_manage_tmpfs_files',` +@@ -91,7 +125,7 @@ interface(`rgmanager_manage_tmpfs_files',` ## ## ## @@ -63374,7 +63457,7 @@ index 1c2f9aa..7d70a46 100644 ## ## ## -@@ -102,8 +117,11 @@ interface(`rgmanager_admin',` +@@ -102,8 +136,11 @@ interface(`rgmanager_admin',` type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t; ') @@ -63387,7 +63470,7 @@ index 1c2f9aa..7d70a46 100644 init_labeled_script_domtrans($1, rgmanager_initrc_exec_t) domain_system_change_exemption($1) -@@ -121,3 +139,47 @@ interface(`rgmanager_admin',` +@@ -121,3 +158,47 @@ interface(`rgmanager_admin',` files_list_pids($1) admin_pattern($1, rgmanager_var_run_t) ') @@ -63762,7 +63845,7 @@ index 47de2d6..1f5dbf8 100644 +/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) diff --git a/rhcs.if b/rhcs.if -index 56bc01f..f0a05e8 100644 +index 56bc01f..27c4de4 100644 --- a/rhcs.if +++ b/rhcs.if @@ -1,19 +1,19 @@ @@ -64124,7 +64207,7 @@ index 56bc01f..f0a05e8 100644 ') ###################################### -@@ -446,52 +456,303 @@ interface(`rhcs_domtrans_qdiskd',` +@@ -446,52 +456,322 @@ interface(`rhcs_domtrans_qdiskd',` ######################################## ## 
@@ -64175,7 +64258,11 @@ index 56bc01f..f0a05e8 100644 + files_search_var_lib($1) + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -+ + +- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) +- domain_system_change_exemption($1) +- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; +- allow $2 system_r; +##################################### +## +## Allow domain to manage cluster lib files @@ -64190,15 +64277,15 @@ index 56bc01f..f0a05e8 100644 + gen_require(` + type cluster_var_lib_t; + ') -+ + +- files_search_pids($1) +- admin_pattern($1, cluster_pid) + files_search_var_lib($1) + manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) -- domain_system_change_exemption($1) -- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; -- allow $2 system_r; +- files_search_locks($1) +- admin_pattern($1, fenced_lock_t) +#################################### +## +## Allow domain to relabel cluster lib files @@ -64219,8 +64306,8 @@ index 56bc01f..f0a05e8 100644 + relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -- files_search_pids($1) -- admin_pattern($1, cluster_pid) +- files_search_tmp($1) +- admin_pattern($1, fenced_tmp_t) +###################################### +## +## Execute a domain transition to run cluster administrative domain. @@ -64236,14 +64323,14 @@ index 56bc01f..f0a05e8 100644 + type cluster_t, cluster_exec_t; + ') -- files_search_locks($1) -- admin_pattern($1, fenced_lock_t) +- files_search_var_lib($1) +- admin_pattern($1, qdiskd_var_lib_t) + corecmd_search_bin($1) + domtrans_pattern($1, cluster_exec_t, cluster_t) +') -- files_search_tmp($1) -- admin_pattern($1, fenced_tmp_t) +- fs_search_tmpfs($1) +- admin_pattern($1, cluster_tmpfs) +####################################### +## +## Execute cluster init scripts in 
@@ -64259,14 +64346,10 @@ index 56bc01f..f0a05e8 100644 + gen_require(` + type cluster_initrc_exec_t; + ') - -- files_search_var_lib($1) -- admin_pattern($1, qdiskd_var_lib_t) ++ + init_labeled_script_domtrans($1, cluster_initrc_exec_t) +') - -- fs_search_tmpfs($1) -- admin_pattern($1, cluster_tmpfs) ++ +##################################### +## +## Execute cluster in the caller domain. @@ -64380,6 +64463,25 @@ index 56bc01f..f0a05e8 100644 + manage_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t) +') + ++##################################### ++## ++## Allow manage cluster pid files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_manage_cluster_pid_files',` ++ gen_require(` ++ type cluster_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, cluster_var_run_t, cluster_var_run_t) ++') ++ +####################################### +## +## Execute cluster server in the cluster domain. @@ -68859,7 +68961,7 @@ index f1140ef..c5bd83a 100644 + files_etc_filetrans($1, rsync_etc_t, $2, $3) ') diff --git a/rsync.te b/rsync.te -index e3e7c96..68cba2d 100644 +index e3e7c96..0820cb2 100644 --- a/rsync.te +++ b/rsync.te @@ -1,4 +1,4 @@ @@ -68881,40 +68983,24 @@ index e3e7c96..68cba2d 100644 +##

## -gen_tunable(rsync_use_cifs, false) -- --## --##

--## Determine whether rsync can --## use fuse file systems. --##

--##
--gen_tunable(rsync_use_fusefs, false) -- --## --##

--## Determine whether rsync can use --## nfs file systems. --##

--##
--gen_tunable(rsync_use_nfs, false) +gen_tunable(rsync_client, false) ## -##

-## Determine whether rsync can --## run as a client +-## use fuse file systems. -##

+##

+## Allow rsync to export any files/directories read only. +##

##
--gen_tunable(rsync_client, false) +-gen_tunable(rsync_use_fusefs, false) +gen_tunable(rsync_export_all_ro, false) ## -##

--## Determine whether rsync can --## export all content read only. +-## Determine whether rsync can use +-## nfs file systems. -##

+##

+## Allow rsync to modify public files @@ -68922,21 +69008,37 @@ index e3e7c96..68cba2d 100644 +## labeled public_content_rw_t. +##

##
--gen_tunable(rsync_export_all_ro, false) +-gen_tunable(rsync_use_nfs, false) +gen_tunable(rsync_anon_write, false) ## ##

+-## Determine whether rsync can +-## run as a client ++## Allow rsync server to manage all files/directories on the system. + ##

+ ##
+-gen_tunable(rsync_client, false) ++gen_tunable(rsync_full_access, false) + +-## +-##

+-## Determine whether rsync can +-## export all content read only. +-##

+-##
+-gen_tunable(rsync_export_all_ro, false) +- +-## +-##

-## Determine whether rsync can modify -## public files used for public file -## transfer services. Directories/Files must -## be labeled public_content_rw_t. -+## Allow rsync server to manage all files/directories on the system. - ##

- ##
+-##

+-## -gen_tunable(allow_rsync_anon_write, false) -+gen_tunable(rsync_full_access, false) - +- -attribute_role rsync_roles; type rsync_t; @@ -68963,14 +69065,14 @@ index e3e7c96..68cba2d 100644 -allow rsync_t self:tcp_socket { accept listen }; +allow rsync_t self:tcp_socket create_stream_socket_perms; +allow rsync_t self:udp_socket connected_socket_perms; - --allow rsync_t rsync_etc_t:file read_file_perms; ++ +# for identd +# cjp: this should probably only be inetd_child_t rules? +# search home and kerberos also. +allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +#end for identd -+ + +-allow rsync_t rsync_etc_t:file read_file_perms; +read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t) allow rsync_t rsync_data_t:dir list_dir_perms; @@ -68987,7 +69089,7 @@ index e3e7c96..68cba2d 100644 logging_log_filetrans(rsync_t, rsync_log_t, file) manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -@@ -108,91 +97,76 @@ kernel_read_kernel_sysctls(rsync_t) +@@ -108,91 +97,80 @@ kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) @@ -69110,11 +69212,12 @@ index e3e7c96..68cba2d 100644 -optional_policy(` - kerberos_use(rsync_t) -') -- --optional_policy(` -- inetd_service_domain(rsync_t, rsync_exec_t) --') +auth_can_read_shadow_passwords(rsync_t) + + optional_policy(` +- inetd_service_domain(rsync_t, rsync_exec_t) ++ swift_manage_data_files(rsync_t) + ') diff --git a/rtkit.if b/rtkit.if index bd35afe..051addd 100644 --- a/rtkit.if @@ -73180,7 +73283,7 @@ index c21ddcc..ee00be2 100644 + can_exec($1, screen_exec_t) +') diff --git a/screen.te b/screen.te -index f095081..c0d7b61 100644 +index f095081..ee69aa7 100644 --- a/screen.te +++ b/screen.te @@ -1,13 +1,11 @@ 
@@ -73211,7 +73314,7 @@ index f095081..c0d7b61 100644 type screen_var_run_t; typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t }; typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t }; -@@ -30,33 +23,33 @@ ubac_constrained(screen_var_run_t) +@@ -30,33 +23,35 @@ ubac_constrained(screen_var_run_t) ######################################## # @@ -73219,7 +73322,9 @@ index f095081..c0d7b61 100644 +# Local policy # - allow screen_domain self:capability { setuid setgid fsetid }; +-allow screen_domain self:capability { setuid setgid fsetid }; ++allow screen_domain self:capability { fsetid setgid setuid sys_tty_config }; ++dontaudit screen_domain self:capability dac_override; allow screen_domain self:process signal_perms; -allow screen_domain self:fd use; allow screen_domain self:fifo_file rw_fifo_file_perms; @@ -73247,6 +73352,7 @@ index f095081..c0d7b61 100644 manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t) -read_files_pattern(screen_domain, screen_home_t, screen_home_t) manage_fifo_files_pattern(screen_domain, screen_home_t, screen_home_t) ++manage_sock_files_pattern(screen_domain, screen_home_t, screen_home_t) +userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir) +userdom_admin_home_dir_filetrans(screen_domain, screen_home_t, dir) +read_files_pattern(screen_domain, screen_home_t, screen_home_t) @@ -73257,7 +73363,7 @@ index f095081..c0d7b61 100644 kernel_read_kernel_sysctls(screen_domain) corecmd_list_bin(screen_domain) -@@ -65,55 +58,39 @@ corecmd_read_bin_symlinks(screen_domain) +@@ -65,55 +60,39 @@ corecmd_read_bin_symlinks(screen_domain) corecmd_read_bin_pipes(screen_domain) corecmd_read_bin_sockets(screen_domain) @@ -74190,7 +74296,7 @@ index 3a9a70b..039b0c8 100644 logging_list_logs($1) admin_pattern($1, setroubleshoot_var_log_t) 
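Review bot: The capability set for `screen_domain` grows by `sys_tty_config` and gains a `dontaudit ... dac_override` in the same hunk, with no comment saying which screen operation needs the new capability. Since `screen_domain` is an attribute shared by every per-role screen domain, a short why-comment above the allow line, e.g. `# sys_tty_config: <operation that required it — confirm from the AVC>`, keeps the grant reviewable and stops it being copied elsewhere as boilerplate.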
diff --git a/setroubleshoot.te b/setroubleshoot.te -index 49b12ae..0a0f095 100644 +index 49b12ae..c6f3302 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te @@ -1,4 +1,4 @@ @@ -74287,7 +74393,7 @@ index 49b12ae..0a0f095 100644 files_list_all(setroubleshootd_t) files_getattr_all_files(setroubleshootd_t) files_getattr_all_pipes(setroubleshootd_t) -@@ -108,13 +113,13 @@ init_dontaudit_write_utmp(setroubleshootd_t) +@@ -108,26 +113,23 @@ init_dontaudit_write_utmp(setroubleshootd_t) libs_exec_ld_so(setroubleshootd_t) @@ -74297,13 +74403,16 @@ index 49b12ae..0a0f095 100644 logging_send_audit_msgs(setroubleshootd_t) logging_send_syslog_msg(setroubleshootd_t) logging_stream_connect_dispatcher(setroubleshootd_t) -- --miscfiles_read_localization(setroubleshootd_t) +logging_stream_connect_syslog(setroubleshootd_t) +-miscfiles_read_localization(setroubleshootd_t) +- ++seutil_read_bin_policy(setroubleshootd_t) seutil_read_config(setroubleshootd_t) ++seutil_read_default_contexts(setroubleshootd_t) seutil_read_file_contexts(setroubleshootd_t) -@@ -123,11 +128,7 @@ seutil_read_bin_policy(setroubleshootd_t) +-seutil_read_bin_policy(setroubleshootd_t) + userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` @@ -74316,7 +74425,7 @@ index 49b12ae..0a0f095 100644 ') optional_policy(` -@@ -135,10 +136,18 @@ optional_policy(` +@@ -135,10 +137,18 @@ optional_policy(` ') optional_policy(` @@ -74335,7 +74444,7 @@ index 49b12ae..0a0f095 100644 rpm_exec(setroubleshootd_t) rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) -@@ -148,15 +157,17 @@ optional_policy(` +@@ -148,15 +158,17 @@ optional_policy(` ######################################## # 
@@ -74354,7 +74463,7 @@ index 49b12ae..0a0f095 100644 setroubleshoot_stream_connect(setroubleshoot_fixit_t) kernel_read_system_state(setroubleshoot_fixit_t) -@@ -165,9 +176,13 @@ corecmd_exec_bin(setroubleshoot_fixit_t) +@@ -165,9 +177,13 @@ corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) corecmd_getattr_all_executables(setroubleshoot_fixit_t) @@ -74369,7 +74478,7 @@ index 49b12ae..0a0f095 100644 files_list_tmp(setroubleshoot_fixit_t) auth_use_nsswitch(setroubleshoot_fixit_t) -@@ -175,23 +190,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) +@@ -175,23 +191,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) logging_send_audit_msgs(setroubleshoot_fixit_t) logging_send_syslog_msg(setroubleshoot_fixit_t) @@ -78572,10 +78681,21 @@ index c6aaac7..dc3f167 100644 sysnet_dns_name_resolve(svnserve_t) diff --git a/swift.fc b/swift.fc new file mode 100644 -index 0000000..7917018 +index 0000000..e5433ad --- /dev/null 
+++ b/swift.fc -@@ -0,0 +1,9 @@ +@@ -0,0 +1,28 @@ ++/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) ++/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0) ++/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) ++/usr/bin/swift-account-server -- gen_context(system_u:object_r:swift_exec_t,s0) ++ ++/usr/bin/swift-container-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) ++/usr/bin/swift-container-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) ++/usr/bin/swift-container-server -- gen_context(system_u:object_r:swift_exec_t,s0) ++/usr/bin/swift-container-sync -- gen_context(system_u:object_r:swift_exec_t,s0) ++/usr/bin/swift-container-updater -- gen_context(system_u:object_r:swift_exec_t,s0) ++ +/usr/bin/swift-object-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-object-info -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-object-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) @@ -78585,12 +78705,20 @@ index 0000000..7917018 +/usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0) + +/var/run/swift(/.*)? gen_context(system_u:object_r:swift_var_run_t,s0) ++ ++# This seems to be a de-facto standard when using swift. ++/srv/node(/.*)? gen_context(system_u:object_r:swift_data_t,s0) ++ ++# This is specific to RHOS's packstack utility ++ifdef(`distro_redhat', ` ++/srv/loopback-device(/.*)? gen_context(system_u:object_r:swift_data_t,s0) ++') diff --git a/swift.if b/swift.if new file mode 100644 -index 0000000..4ec3f4d +index 0000000..ce6e8ae --- /dev/null +++ b/swift.if -@@ -0,0 +1,103 @@ +@@ -0,0 +1,124 @@ + +## policy for swift + @@ -78612,6 +78740,7 @@ index 0000000..4ec3f4d + corecmd_search_bin($1) + domtrans_pattern($1, swift_exec_t, swift_t) +') ++ +######################################## +## +## Read swift PID files. 
@@ -78633,6 +78762,26 @@ index 0000000..4ec3f4d + +######################################## +## ++## Manage swift data files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`swift_manage_data_files',` ++ gen_require(` ++ type swift_data_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, swift_data_t, swift_data_t) ++ manage_dirs_pattern($1, swift_data_t, swift_data_t) ++') ++ ++######################################## ++## +## Execute swift server in the swift domain. +## +## @@ -78696,10 +78845,10 @@ index 0000000..4ec3f4d +') diff --git a/swift.te b/swift.te new file mode 100644 -index 0000000..e3eab32 +index 0000000..39f1ca1 --- /dev/null +++ b/swift.te -@@ -0,0 +1,45 @@ +@@ -0,0 +1,53 @@ +policy_module(swift, 1.0.0) + +######################################## @@ -78717,6 +78866,9 @@ index 0000000..e3eab32 +type swift_unit_file_t; +systemd_unit_file(swift_unit_file_t) + ++type swift_data_t; ++files_type(swift_data_t) ++ +######################################## +# +# swift local policy @@ -78731,6 +78883,11 @@ index 0000000..e3eab32 +manage_lnk_files_pattern(swift_t, swift_var_run_t, swift_var_run_t) +files_pid_filetrans(swift_t, swift_var_run_t, { dir }) + ++# swift makes use of rsync, so we need to give rsync permissions ++# to edit swift_data_t files as well as swift_t those permissions ++manage_dirs_pattern(swift_t, swift_data_t, swift_data_t) ++manage_files_pattern(swift_t, swift_data_t, swift_data_t) ++ +kernel_dgram_send(swift_t) +kernel_read_system_state(swift_t) + @@ -78776,10 +78933,21 @@ index c9824cb..1973f71 100644 userdom_dontaudit_use_unpriv_user_fds(sxid_t) diff --git a/sysstat.te b/sysstat.te -index c8b80b2..e6b8ab8 100644 +index c8b80b2..f041061 100644 --- a/sysstat.te 
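Review bot: `files_search_pids($1)` in the new swift_manage_data_files interface is the wrong parent-directory search for swift_data_t, which swift.fc in this patch places under /srv/node (and /srv/loopback-device) rather than /var/run; it reads as a copy of the PID-file interface above it. A caller granted only this interface would still be denied traversing /srv to reach the data directory. If /srv carries the generic var_t label as in refpolicy, `files_search_var($1)` is the matching helper; confirm against the files.fc labeling in this tree before changing it.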
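Review bot: The comment above the new swift_data_t rules in swift.te says permissions are being given to rsync, but the two rules under it grant swift_t only, and the clause "as well as swift_t those permissions" does not parse. Whether rsync_t gets access to swift_data_t is not visible in this hunk, so the comment currently overstates what these lines enforce. Suggest `# swift replicates its data with rsync; swift_t itself needs full management of swift_data_t (any rsync access is granted separately).` so the next reader knows to look elsewhere for the rsync side.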
+++ b/sysstat.te -@@ -38,6 +38,7 @@ kernel_read_kernel_sysctls(sysstat_t) +@@ -24,9 +24,7 @@ allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_co + allow sysstat_t self:fifo_file rw_fifo_file_perms; + + manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t) +-append_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t) +-create_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t) +-setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t) ++manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t) + manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t) + logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir }) + +@@ -38,6 +36,7 @@ kernel_read_kernel_sysctls(sysstat_t) kernel_read_fs_sysctls(sysstat_t) kernel_read_rpc_sysctls(sysstat_t) @@ -78787,7 +78955,7 @@ index c8b80b2..e6b8ab8 100644 corecmd_exec_bin(sysstat_t) dev_read_sysfs(sysstat_t) -@@ -49,8 +50,10 @@ files_read_etc_runtime_files(sysstat_t) +@@ -49,8 +48,10 @@ files_read_etc_runtime_files(sysstat_t) fs_getattr_xattr_fs(sysstat_t) fs_list_inotifyfs(sysstat_t) @@ -78799,7 +78967,7 @@ index c8b80b2..e6b8ab8 100644 auth_use_nsswitch(sysstat_t) -@@ -60,10 +63,9 @@ locallogin_use_fds(sysstat_t) +@@ -60,10 +61,9 @@ locallogin_use_fds(sysstat_t) logging_send_syslog_msg(sysstat_t) @@ -81954,7 +82122,7 @@ index e29db63..061fb98 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 7116181..9815e42 100644 +index 7116181..0bd0be9 100644 --- a/tuned.te +++ b/tuned.te @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) 
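Review bot: Replacing the append/create/setattr patterns with `manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)` drops the append-only property sysstat had over its own logs: the domain can now read, overwrite, unlink and rename sysstat_log_t files. That is presumably needed for how the sa1/sa2 scripts rewrite and rotate the daily files, but nothing in the hunk records the reason. A one-line comment above the rule, e.g. `# sa1/sa2 rewrite and rotate the daily files, so append-only is not enough`, would keep the widening reviewable later.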
@@ -82000,7 +82168,11 @@ index 7116181..9815e42 100644 corecmd_exec_bin(tuned_t) corecmd_exec_shell(tuned_t) -@@ -67,28 +77,44 @@ dev_read_urand(tuned_t) +@@ -64,31 +74,48 @@ corecmd_exec_shell(tuned_t) + dev_getattr_all_blk_files(tuned_t) + dev_getattr_all_chr_files(tuned_t) + dev_read_urand(tuned_t) ++dev_read_cpuid(tuned_t) dev_rw_sysfs(tuned_t) dev_rw_netcontrol(tuned_t) @@ -83648,7 +83820,7 @@ index c30da4c..014e40c 100644 +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 9dec06c..d8a2b54 100644 +index 9dec06c..175e66a 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ @@ -84626,7 +84798,7 @@ index 9dec06c..d8a2b54 100644 ## ## ## -@@ -860,115 +603,223 @@ interface(`virt_read_lib_files',` +@@ -860,115 +603,244 @@ interface(`virt_read_lib_files',` ## ## # @@ -84657,9 +84829,6 @@ index 9dec06c..d8a2b54 100644 ##
## -## --## --## The type of the object to be created. --## +# +interface(`virt_manage_images',` + gen_require(` @@ -84684,8 +84853,7 @@ index 9dec06c..d8a2b54 100644 +## +## Domain allowed access. +## - ## --## ++## +# +interface(`virt_manage_default_image_type',` + gen_require(` @@ -84705,11 +84873,11 @@ index 9dec06c..d8a2b54 100644 +##
+## ## --## The object class of the object being created. +-## The type of the object to be created. +## Domain allowed to transition. ## ## --## +-## +# +interface(`virt_systemctl',` + gen_require(` @@ -84730,24 +84898,46 @@ index 9dec06c..d8a2b54 100644 +##
+## ## --## The name of the object being created. +-## The object class of the object being created. +## Domain allowed to transition. ## ## +-## ++# ++interface(`virt_ptrace',` ++ gen_require(` ++ attribute virt_domain; ++ ') ++ ++ allow $1 virt_domain:process ptrace; ++') ++ ++####################################### ++## ++## Connect to virt over a unix domain stream socket. ++## ++## + ## +-## The name of the object being created. ++## Domain allowed access. + ## + ## -## # -interface(`virt_pid_filetrans',` -+interface(`virt_ptrace',` ++interface(`virt_stream_connect_lxc',` gen_require(` - type virt_var_run_t; -+ attribute virt_domain; ++ attribute svirt_lxc_domain; ++ type svirt_lxc_file_t; ') -- files_search_pids($1) + files_search_pids($1) - filetrans_pattern($1, virt_var_run_t, $2, $3, $4) -+ allow $1 virt_domain:process ptrace; ++ stream_connect_pattern($1, svirt_lxc_file_t, svirt_lxc_file_t, svirt_lxc_domain) ') ++ ######################################## ## -## Read virt log files. @@ -84890,7 +85080,7 @@ index 9dec06c..d8a2b54 100644 ## ## ## -@@ -976,18 +827,17 @@ interface(`virt_manage_log',` +@@ -976,18 +848,17 @@ interface(`virt_manage_log',` ## ## # @@ -84913,7 +85103,7 @@ index 9dec06c..d8a2b54 100644 ##
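Review bot: The summary of the new virt_stream_connect_lxc interface, "Connect to virt over a unix domain stream socket", understates what it grants: `stream_connect_pattern($1, svirt_lxc_file_t, svirt_lxc_file_t, svirt_lxc_domain)` lets the caller connect to a socket of any container running in an svirt_lxc_domain type, not to virtd. Suggest `## Connect to any svirt_lxc_domain container over a unix domain stream socket.` so callers such as sshd (per the changelog) are granted this knowingly. The `files_search_pids($1)` line kept from the removed virt_pid_filetrans body also looks like the wrong parent search here, since nothing in the hunk places svirt_lxc_file_t sockets under /var/run; check which directory the caller actually has to traverse.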
## ## -@@ -995,36 +845,17 @@ interface(`virt_search_images',` +@@ -995,36 +866,17 @@ interface(`virt_search_images',` ## ## # @@ -84954,7 +85144,7 @@ index 9dec06c..d8a2b54 100644 ##
## ## -@@ -1032,58 +863,57 @@ interface(`virt_read_images',` +@@ -1032,58 +884,57 @@ interface(`virt_read_images',` ## ## # @@ -85034,7 +85224,7 @@ index 9dec06c..d8a2b54 100644 ##
## ## -@@ -1091,95 +921,131 @@ interface(`virt_manage_virt_cache',` +@@ -1091,95 +942,131 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -85228,7 +85418,7 @@ index 9dec06c..d8a2b54 100644 + allow svirt_lxc_domain $1:process sigchld; ') diff --git a/virt.te b/virt.te -index 1f22fba..d984f26 100644 +index 1f22fba..d5e8852 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,98 @@ @@ -85651,6 +85841,10 @@ index 1f22fba..d984f26 100644 - xserver_stream_connect(virt_domain) - ') -') +- +-optional_policy(` +- dbus_read_lib_files(virt_domain) +-') +corenet_udp_sendrecv_generic_if(svirt_t) +corenet_udp_sendrecv_generic_node(svirt_t) +corenet_udp_sendrecv_all_ports(svirt_t) @@ -85660,24 +85854,20 @@ index 1f22fba..d984f26 100644 +corenet_tcp_connect_all_ports(svirt_t) -optional_policy(` -- dbus_read_lib_files(virt_domain) +- nscd_use(virt_domain) -') +miscfiles_read_generic_certs(svirt_t) optional_policy(` -- nscd_use(virt_domain) +- samba_domtrans_smbd(virt_domain) + xen_rw_image_files(svirt_t) ') optional_policy(` -- samba_domtrans_smbd(virt_domain) +- xen_rw_image_files(virt_domain) + nscd_use(svirt_t) ') --optional_policy(` -- xen_rw_image_files(virt_domain) --') -- -######################################## +####################################### # @@ -85695,9 +85885,7 @@ index 1f22fba..d984f26 100644 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -+allow svirt_tcg_t self:process { execmem execstack }; -+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; - +- -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") - -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) 
@@ -85721,7 +85909,9 @@ index 1f22fba..d984f26 100644 -corenet_sendrecv_all_server_packets(svirt_t) -corenet_udp_bind_all_ports(svirt_t) -corenet_tcp_bind_all_ports(svirt_t) -- ++allow svirt_tcg_t self:process { execmem execstack }; ++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; + -corenet_sendrecv_all_client_packets(svirt_t) -corenet_tcp_connect_all_ports(svirt_t) +corenet_udp_sendrecv_generic_if(svirt_tcg_t) @@ -85849,16 +86039,16 @@ index 1f22fba..d984f26 100644 -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -- --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) -- --can_exec(virtd_t, virt_tmp_t) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +- +-can_exec(virtd_t, virt_tmp_t) +- -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) 
@@ -85950,13 +86140,13 @@ index 1f22fba..d984f26 100644 +sysnet_read_config(virtd_t) -userdom_read_all_users_state(virtd_t) -- --ifdef(`hide_broken_symptoms',` -- dontaudit virtd_t self:capability { sys_module sys_ptrace }; --') +systemd_dbus_chat_logind(virtd_t) +systemd_write_inhibit_pipes(virtd_t) +-ifdef(`hide_broken_symptoms',` +- dontaudit virtd_t self:capability { sys_module sys_ptrace }; +-') +- -tunable_policy(`virt_use_fusefs',` - fs_manage_fusefs_dirs(virtd_t) - fs_manage_fusefs_files(virtd_t) @@ -85987,15 +86177,13 @@ index 1f22fba..d984f26 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -646,107 +472,326 @@ optional_policy(` - consoletype_exec(virtd_t) - ') +@@ -649,104 +475,323 @@ optional_policy(` + optional_policy(` + dbus_system_bus_client(virtd_t) --optional_policy(` -- dbus_system_bus_client(virtd_t) -+optional_policy(` -+ dbus_system_bus_client(virtd_t) -+ +- optional_policy(` +- avahi_dbus_chat(virtd_t) +- ') + optional_policy(` + avahi_dbus_chat(virtd_t) + ') @@ -86097,7 +86285,7 @@ index 1f22fba..d984f26 100644 +# virtual domains common policy +# +allow virt_domain self:capability2 compromise_kernel; -+allow virt_domain self:process { signal getsched signull }; ++allow virt_domain self:process { setrlimit signal_perms getsched }; +allow virt_domain self:fifo_file rw_fifo_file_perms; +allow virt_domain self:shm create_shm_perms; +allow virt_domain self:unix_stream_socket create_stream_socket_perms; @@ -86186,10 +86374,7 @@ index 1f22fba..d984f26 100644 +dev_rw_inherited_vhost(virt_domain) + +domain_use_interactive_fds(virt_domain) - -- optional_policy(` -- avahi_dbus_chat(virtd_t) -- ') ++ +files_read_mnt_symlinks(virt_domain) +files_read_var_files(virt_domain) +files_search_all(virt_domain) 
@@ -86705,7 +86890,7 @@ index 1f22fba..d984f26 100644 auth_dontaudit_read_login_records(svirt_lxc_domain) auth_dontaudit_write_login_records(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,11 +1109,16 @@ init_dontaudit_write_utmp(svirt_lxc_domain) +@@ -1063,96 +1109,91 @@ init_dontaudit_write_utmp(svirt_lxc_domain) libs_dontaudit_setattr_lib_files(svirt_lxc_domain) @@ -86719,23 +86904,32 @@ index 1f22fba..d984f26 100644 +userdom_use_inherited_user_terminals(svirt_lxc_domain) + +optional_policy(` ++ apache_exec_modules(svirt_lxc_domain) ++ apache_read_sys_content(svirt_lxc_domain) ++') ++ ++optional_policy(` + mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) ++') ++ ++optional_policy(` ++ ssh_use_ptys(svirt_lxc_net_t) +') optional_policy(` udev_read_pid_files(svirt_lxc_domain) -@@ -1078,81 +1129,67 @@ optional_policy(` - apache_read_sys_content(svirt_lxc_domain) + ') + + optional_policy(` +- apache_exec_modules(svirt_lxc_domain) +- apache_read_sys_content(svirt_lxc_domain) ++ userhelper_dontaudit_write_config(svirt_lxc_domain) ') -######################################## -# -# Lxc net local policy -# -+optional_policy(` -+ userhelper_dontaudit_write_config(svirt_lxc_domain) -+') -+ +virt_lxc_domain_template(svirt_lxc_net) -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap }; @@ -86832,7 +87026,7 @@ index 1f22fba..d984f26 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1202,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1206,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) 
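Review bot: `ssh_use_ptys(svirt_lxc_net_t)` is added among the optional_policy blocks that otherwise apply to the whole svirt_lxc_domain attribute, and it sits above the `virt_lxc_domain_template(svirt_lxc_net)` call later in the hunk that declares svirt_lxc_net_t. The two-pass module parse presumably tolerates the forward reference, but the placement hides a per-type rule inside the shared section. Moving that block below the template call, next to the other svirt_lxc_net_t rules, keeps the sections consistent; if every container is meant to use sshd's ptys, the argument should be `svirt_lxc_domain` instead.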
@@ -86847,7 +87041,7 @@ index 1f22fba..d984f26 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1220,8 @@ optional_policy(` +@@ -1183,9 +1224,8 @@ optional_policy(` ######################################## # @@ -86858,7 +87052,7 @@ index 1f22fba..d984f26 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1234,70 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1238,70 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index cccfcebd..126dfb1e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 18%{?dist} +Release: 20%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -526,6 +526,32 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Mar 8 2013 Miroslav Grepl 3.12.1-20 +- Adopt swift changes from lhh@redhat.com +- Add rhcs_manage_cluster_pid_files() interface +- Allow screen domains to configure tty and setup sock_file in ~/.screen directory +- ALlow setroubleshoot to read default_context_t, needed to backport to F18 +- Label /etc/owncloud as being an apache writable directory +- Allow sshd to stream connect to an lxc domain + +* Thu Mar 7 2013 Miroslav Grepl 3.12.1-19 +- Allow postgresql to manage rgmanager pid files +- Allow postgresql to read ccs data +- Allow systemd_domain to send dbus messages to policykit +- Add labels for /etc/hostname and /etc/machine-info and allow systemd-hostnamed to create them +- All systemd domains that create content are reading the file_context file and setfscreate +- Systemd domains need to search through init_var_run_t +- Allow sshd to communicate with libvirt to set containers labels +- Add interface to manage pid files +- Allow NetworkManger_t to read /etc/hostname +- Dontaudit leaked locked files into openshift_domains +- Add fixes for oo-cgroup-read - it nows creates tmp files +- Allow gluster to manage all directories as well as files +- Dontaudit chrome_sandbox_nacl_t using user terminals +- Allow sysstat to manage its own log files +- Allow virtual machines to setrlimit and send itself signals. +- Add labeling for /var/run/hplip + * Mon Mar 4 2013 Miroslav Grepl 3.12.1-18 - Fix POSTIN scriptlet