* Tue Mar 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-244 - Update fwupd policy - /usr/libexec/udisks2/udisksd should be labeled as devicekit_disk_exec_t - Update ganesha policy - Allow chronyd to read adjtime - Merge pull request #194 from hogarthj/certbot_policy - get the correct cert_t context on certbot certificates bz#1289778 - Label /dev/ss0 as gpfs_device_t

2017-03-07 18:20:47 +01:00 · 2017-03-07 18:20:47 +01:00 · 0cdcb41ef4
commit 0cdcb41ef4
parent fe778a9320
4 changed files with 301 additions and 321 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -277,6 +277,15 @@ index c049e10..150f281 100644
 -system_u:system_r:svirt_t
 +system_u:system_r:svirt_t:s0
 +system_u:system_r:svirt_tcg_t:s0
 diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
 index d392dec..4565e9b 100644
 --- a/config/file_contexts.subs_dist
 +++ b/config/file_contexts.subs_dist
@@ -19,3 +19,4 @@
 /usr/local/lib64 /usr/lib
 /usr/local/lib /usr/lib
 /var/run/lock /var/lock
 +/sbin /usr/sbin
 diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8
 deleted file mode 100644
 index 5bebd82..0000000
@ -6455,7 +6464,7 @@ index 3f6e168..340e49f 100644
 ')
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..1ed65a0 100644
+index b31c054..3ad1127 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@
@ -6498,7 +6507,7 @@ index b31c054..1ed65a0 100644
 /dev/mcelog		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
 -/dev/mei		-c	gen_context(system_u:object_r:mei_device_t,s0)
 +/dev/media.*	-c	gen_context(system_u:object_r:v4l_device_t,s0)
-+/dev/mei        -c	gen_context(system_u:object_r:mei_device_t,s0)
+/dev/mei[0-9]*       -c	gen_context(system_u:object_r:mei_device_t,s0)
 /dev/mem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 +/dev/memory_bandwidth   -c  gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/mergemem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
@ -6573,7 +6582,12 @@ index b31c054..1ed65a0 100644
 /dev/card.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
-@@ -172,15 +199,21 @@ ifdef(`distro_suse', `
+@@ -169,18 +196,26 @@ ifdef(`distro_suse', `
 /dev/s(ou)?nd/.*	-c	gen_context(system_u:object_r:sound_device_t,s0)
 +/dev/ss[0-9]+		-c	gen_context(system_u:object_r:gpfs_device_t,s0)
 +
 /dev/touchscreen/ucb1x00 -c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/touchscreen/mk712	-c	gen_context(system_u:object_r:mouse_device_t,s0)
@ -6595,7 +6609,7 @@ index b31c054..1ed65a0 100644
 ifdef(`distro_debian',`
 # this is a static /dev dir "backup mount"
-@@ -198,12 +231,27 @@ ifdef(`distro_debian',`
+@@ -198,12 +233,27 @@ ifdef(`distro_debian',`
 /lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
@ -6626,7 +6640,7 @@ index b31c054..1ed65a0 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..72f99c0 100644
+index 76f285e..47c1b4d 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@ -8375,32 +8389,11 @@ index 76f285e..72f99c0 100644
 	')
 	getattr_chr_files_pattern($1, device_t, usb_device_t)
-@@ -4330,28 +5292,180 @@ interface(`dev_search_usbfs',`
+@@ -4351,7 +5313,159 @@ interface(`dev_list_usbfs',`
 ########################################
 ## <summary>
-##	Allow caller to get a list of usb hardware.
+-##	Set the attributes of usbfs filesystem.
 +##	Allow caller to get a list of usb hardware.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`dev_list_usbfs',`
 +	gen_require(`
 +		type usbfs_t;
 +	')
 +
 +	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
 +	getattr_files_pattern($1, usbfs_t, usbfs_t)
 +
 +	list_dirs_pattern($1, usbfs_t, usbfs_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Set the attributes of usbfs filesystem.
 +## </summary>
 +## <param name="domain">
@ -8536,31 +8529,23 @@ index 76f285e..72f99c0 100644
 +## <summary>
 +##	Do not audit attempts to set the attributes
 +##	of video4linux device nodes.
- ## </summary>
+## </summary>
- ## <param name="domain">
+## <param name="domain">
- ##	<summary>
+##	<summary>
 -##	Domain allowed access.
 +##	Domain to not audit.
- ##	</summary>
+##	</summary>
- ## </param>
+## </param>
- #
+#
 -interface(`dev_list_usbfs',`
 +interface(`dev_dontaudit_setattr_video_dev',`
- 	gen_require(`
+	gen_require(`
 -		type usbfs_t;
 +		type v4l_device_t;
- 	')
+	')
- 
+
 -	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
 -	getattr_files_pattern($1, usbfs_t, usbfs_t)
 -
 -	list_dirs_pattern($1, usbfs_t, usbfs_t)
 +	dontaudit $1 v4l_device_t:chr_file setattr;
- ')
+')
- 
+
- ########################################
+########################################
- ## <summary>
+## <summary>
 -##	Set the attributes of usbfs filesystem.
 +##	Read the video4linux devices.
 ## </summary>
 ## <param name="domain">
@ -8883,7 +8868,7 @@ index 76f285e..72f99c0 100644
 ##	Read and write to the zero device (/dev/zero).
 ## </summary>
 ## <param name="domain">
-@@ -4851,3 +6015,1022 @@ interface(`dev_unconfined',`
+@@ -4851,3 +6015,1042 @@ interface(`dev_unconfined',`
 	typeattribute $1 devices_unconfined_type;
 ')
@ -9000,6 +8985,24 @@ index 76f285e..72f99c0 100644
 +
 +########################################
 +## <summary>
 +##	Allow read/write the hypervkvp device
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`dev_read_gpfs',`
 +	gen_require(`
 +		type device_t, gpfs_device_t;
 +	')
 +
 +	read_chr_files_pattern($1, device_t, gpfs_device_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Allow read/write the hypervvssd device
 +## </summary>
 +## <param name="domain">
@ -9137,6 +9140,7 @@ index 76f285e..72f99c0 100644
 +    type mptctl_device_t;
 +    type hypervkvp_device_t;
 +    type hypervvssd_device_t;
 +    type gpfs_device_t;
 +')
 +
 +	dev_filetrans_printer_named_dev($1)
@ -9839,6 +9843,7 @@ index 76f285e..72f99c0 100644
 +	filetrans_pattern($1, device_t, uhid_device_t, chr_file, "uhid")
 +	filetrans_pattern($1, device_t, hypervkvp_device_t, chr_file, "hv_kvp")
 +	filetrans_pattern($1, device_t, hypervvssd_device_t, chr_file, "hv_vss")
 +	filetrans_pattern($1, device_t, gpfs_device_t, chr_file, "ss0")
 +	dev_filetrans_xserver_named_dev($1)
 +')
 +
@ -9907,7 +9912,7 @@ index 76f285e..72f99c0 100644
 +	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
 +')
 diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 0b1a871..29965c3 100644
+index 0b1a871..9099db5 100644
 --- a/policy/modules/kernel/devices.te
 +++ b/policy/modules/kernel/devices.te
@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
@ -9954,7 +9959,7 @@ index 0b1a871..29965c3 100644
 type event_device_t;
 dev_node(event_device_t)
-@@ -88,12 +92,33 @@ type framebuf_device_t;
+@@ -88,12 +92,39 @@ type framebuf_device_t;
 dev_node(framebuf_device_t)
 #
@ -9966,6 +9971,12 @@ index 0b1a871..29965c3 100644
 +type hypervvssd_device_t;
 +dev_node(hypervvssd_device_t)
 +
 +#
 +# Type for /dev/ss0
 +#
 +type gpfs_device_t;
 +dev_node(gpfs_device_t)
 +
 +#
 # Type for /dev/ipmi/0
 #
@ -9988,7 +9999,7 @@ index 0b1a871..29965c3 100644
 # Type for /dev/kmsg
 #
 type kmsg_device_t;
-@@ -111,6 +136,7 @@ dev_node(ksm_device_t)
+@@ -111,6 +142,7 @@ dev_node(ksm_device_t)
 #
 type kvm_device_t;
 dev_node(kvm_device_t)
@ -9996,7 +10007,7 @@ index 0b1a871..29965c3 100644
 #
 # Type for /dev/lirc
-@@ -118,6 +144,9 @@ dev_node(kvm_device_t)
+@@ -118,6 +150,9 @@ dev_node(kvm_device_t)
 type lirc_device_t;
 dev_node(lirc_device_t)
@ -10006,7 +10017,7 @@ index 0b1a871..29965c3 100644
 type loop_control_device_t;
 dev_node(loop_control_device_t)
-@@ -150,12 +179,24 @@ type modem_device_t;
+@@ -150,12 +185,24 @@ type modem_device_t;
 dev_node(modem_device_t)
 #
@ -10031,7 +10042,7 @@ index 0b1a871..29965c3 100644
 # Type for /dev/cpu/mtrr and /proc/mtrr
 #
 type mtrr_device_t;
-@@ -183,6 +224,12 @@ type nvram_device_t;
+@@ -183,6 +230,12 @@ type nvram_device_t;
 dev_node(nvram_device_t)
 #
@ -10044,7 +10055,7 @@ index 0b1a871..29965c3 100644
 # Type for /dev/pmu
 #
 type power_device_t;
-@@ -227,6 +274,10 @@ files_mountpoint(sysfs_t)
+@@ -227,6 +280,10 @@ files_mountpoint(sysfs_t)
 fs_type(sysfs_t)
 genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
@ -10055,7 +10066,7 @@ index 0b1a871..29965c3 100644
 #
 # Type for /dev/tpm
 #
-@@ -266,6 +317,15 @@ dev_node(usbmon_device_t)
+@@ -266,6 +323,15 @@ dev_node(usbmon_device_t)
 type userio_device_t;
 dev_node(userio_device_t)
@ -10071,7 +10082,7 @@ index 0b1a871..29965c3 100644
 type v4l_device_t;
 dev_node(v4l_device_t)
-@@ -274,6 +334,7 @@ dev_node(v4l_device_t)
+@@ -274,6 +340,7 @@ dev_node(v4l_device_t)
 #
 type vhost_device_t;
 dev_node(vhost_device_t)
@ -10079,7 +10090,7 @@ index 0b1a871..29965c3 100644
 # Type for vmware devices.
 type vmware_device_t;
-@@ -319,5 +380,8 @@ files_associate_tmp(device_node)
+@@ -319,5 +386,8 @@ files_associate_tmp(device_node)
 #
 allow devices_unconfined_type self:capability sys_rawio;
@ -10442,10 +10453,10 @@ index 6a1e4d1..4b87be8 100644
 +	allow $1 domain:process rlimitinh;
 ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..ae8a257 100644
+index cf04cb5..3c25609 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
-@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
+@@ -4,17 +4,49 @@ policy_module(domain, 1.11.0)
 #
 # Declarations
 #
@ -10482,13 +10493,21 @@ index cf04cb5..ae8a257 100644
 ## </desc>
 gen_tunable(mmap_low_allowed, false)
 +## <desc>
 +## <p>
 +##	Allow all domains write to kmsg_device,
 +##  while kernel is executed with systemd.log_target=kmsg parameter.
 +## </p>
 +## </desc>
 +gen_tunable(domain_can_write_kmsg, false)
 +
 # Mark process types as domains
 attribute domain;
 +attribute named_filetrans_domain;
 # Transitions only allowed from domains to other domains
 neverallow domain ~domain:process { transition dyntransition };
-@@ -86,23 +110,55 @@ neverallow ~{ domain unlabeled_t } *:process *;
+@@ -86,23 +118,59 @@ neverallow ~{ domain unlabeled_t } *:process *;
 allow domain self:dir list_dir_perms;
 allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
 allow domain self:file rw_file_perms;
@ -10539,13 +10558,17 @@ index cf04cb5..ae8a257 100644
 +    userdom_search_admin_dir(domain)
 +')
 +
 +tunable_policy(`domain_can_write_kmsg',`
 +    dev_write_kmsg(domain)
 +')
 +
 +tunable_policy(`domain_kernel_load_modules',`
 +	kernel_request_load_module(domain)
 +')
 ifdef(`hide_broken_symptoms',`
 	# This check is in the general socket
-@@ -121,8 +177,19 @@ tunable_policy(`global_ssp',`
+@@ -121,8 +189,19 @@ tunable_policy(`global_ssp',`
 ')
 optional_policy(`
@ -10565,7 +10588,7 @@ index cf04cb5..ae8a257 100644
 ')
 optional_policy(`
-@@ -133,6 +200,9 @@ optional_policy(`
+@@ -133,6 +212,9 @@ optional_policy(`
 optional_policy(`
 	xserver_dontaudit_use_xdm_fds(domain)
 	xserver_dontaudit_rw_xdm_pipes(domain)
@ -10575,7 +10598,7 @@ index cf04cb5..ae8a257 100644
 ')
 ########################################
-@@ -145,14 +215,21 @@ optional_policy(`
+@@ -145,14 +227,21 @@ optional_policy(`
 # be used on an attribute.
 # Use/sendto/connectto sockets created by any domain.
@ -10598,7 +10621,7 @@ index cf04cb5..ae8a257 100644
 # Create/access any System V IPC objects.
 allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -160,11 +237,386 @@ allow unconfined_domain_type domain:msg { send receive };
+@@ -160,11 +249,386 @@ allow unconfined_domain_type domain:msg { send receive };
 # For /proc/pid
 allow unconfined_domain_type domain:dir list_dir_perms;
@ -10987,7 +11010,7 @@ index cf04cb5..ae8a257 100644
 +	unconfined_server_stream_connect(domain)
 +')
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index b876c48..03f9342 100644
+index b876c48..3690ce4 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@ -11127,7 +11150,7 @@ index b876c48..03f9342 100644
 +ifdef(`distro_redhat',`
 +/rhev			-d	gen_context(system_u:object_r:mnt_t,s0)
 +/rhev(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
-+/rhev/[^/]*/.*			<<none>>
+/rhev/[^/]*/.*			gen_context(system_u:object_r:mnt_t,s0)
 +')
 +
 #
@ -20548,7 +20571,7 @@ index e100d88..ff9e7ba 100644
 +')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..88c7112 100644
+index 8dbab4c..a2f0d06 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@ -20611,7 +20634,15 @@ index 8dbab4c..88c7112 100644
 type proc_xen_t, proc_type;
 files_mountpoint(proc_xen_t)
 genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
-@@ -133,14 +162,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
+@@ -118,6 +147,7 @@ genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0)
 # /proc/net/rpc directory and files
 type sysctl_rpc_t, sysctl_type;
 +fs_associate_proc(sysctl_rpc_t)
 genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
 # /proc/sys/crypto directory and files
@@ -133,14 +163,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
 type sysctl_kernel_t, sysctl_type;
 genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
@ -20626,7 +20657,7 @@ index 8dbab4c..88c7112 100644
 # /proc/sys/net directory and files
 type sysctl_net_t, sysctl_type;
 genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)
-@@ -153,6 +174,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
+@@ -153,6 +175,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
 type sysctl_vm_t, sysctl_type;
 genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
@ -20637,7 +20668,7 @@ index 8dbab4c..88c7112 100644
 # /proc/sys/dev directory and files
 type sysctl_dev_t, sysctl_type;
 genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
-@@ -165,6 +190,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
+@@ -165,6 +191,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
 type unlabeled_t;
 fs_associate(unlabeled_t)
 sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@ -20652,7 +20683,7 @@ index 8dbab4c..88c7112 100644
 # These initial sids are no longer used, and can be removed:
 sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -189,6 +222,7 @@ sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+@@ -189,6 +223,7 @@ sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 # kernel local policy
 #
@ -20660,7 +20691,7 @@ index 8dbab4c..88c7112 100644
 allow kernel_t self:capability ~sys_module;
 allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow kernel_t self:shm create_shm_perms;
-@@ -233,7 +267,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+@@ -233,7 +268,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
 corenet_in_generic_if(unlabeled_t)
 corenet_in_generic_node(unlabeled_t)
@ -20668,7 +20699,7 @@ index 8dbab4c..88c7112 100644
 corenet_all_recvfrom_netlabel(kernel_t)
 # Kernel-generated traffic e.g., ICMP replies:
 corenet_raw_sendrecv_all_if(kernel_t)
-@@ -244,17 +277,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
+@@ -244,17 +278,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
 corenet_tcp_sendrecv_all_nodes(kernel_t)
 corenet_raw_send_generic_node(kernel_t)
 corenet_send_all_packets(kernel_t)
@ -20694,7 +20725,7 @@ index 8dbab4c..88c7112 100644
 # Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
-@@ -263,7 +300,8 @@ fs_unmount_all_fs(kernel_t)
+@@ -263,7 +301,8 @@ fs_unmount_all_fs(kernel_t)
 selinux_load_policy(kernel_t)
@ -20704,7 +20735,7 @@ index 8dbab4c..88c7112 100644
 corecmd_exec_shell(kernel_t)
 corecmd_list_bin(kernel_t)
-@@ -277,13 +315,23 @@ files_list_root(kernel_t)
+@@ -277,13 +316,23 @@ files_list_root(kernel_t)
 files_list_etc(kernel_t)
 files_list_home(kernel_t)
 files_read_usr_files(kernel_t)
@ -20728,7 +20759,7 @@ index 8dbab4c..88c7112 100644
 ifdef(`distro_redhat',`
 	# Bugzilla 222337
-@@ -291,11 +339,29 @@ ifdef(`distro_redhat',`
+@@ -291,11 +340,29 @@ ifdef(`distro_redhat',`
 ')
 optional_policy(`
@ -20758,7 +20789,7 @@ index 8dbab4c..88c7112 100644
 ')
 optional_policy(`
-@@ -305,6 +371,19 @@ optional_policy(`
+@@ -305,6 +372,19 @@ optional_policy(`
 optional_policy(`
 	logging_send_syslog_msg(kernel_t)
@ -20778,7 +20809,7 @@ index 8dbab4c..88c7112 100644
 ')
 optional_policy(`
-@@ -312,6 +391,11 @@ optional_policy(`
+@@ -312,6 +392,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -20790,7 +20821,7 @@ index 8dbab4c..88c7112 100644
 	# nfs kernel server needs kernel UDP access. It is less risky and painful
 	# to just give it everything.
 	allow kernel_t self:tcp_socket create_stream_socket_perms;
-@@ -332,9 +416,6 @@ optional_policy(`
+@@ -332,9 +417,6 @@ optional_policy(`
 	sysnet_read_config(kernel_t)
@ -20800,7 +20831,7 @@ index 8dbab4c..88c7112 100644
 	rpc_udp_rw_nfs_sockets(kernel_t)
 	tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +424,7 @@ optional_policy(`
+@@ -343,9 +425,7 @@ optional_policy(`
 		fs_read_noxattr_fs_files(kernel_t)
 		fs_read_noxattr_fs_symlinks(kernel_t)
@ -20811,7 +20842,7 @@ index 8dbab4c..88c7112 100644
 	')
 	tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +433,7 @@ optional_policy(`
+@@ -354,7 +434,7 @@ optional_policy(`
 		fs_read_noxattr_fs_files(kernel_t)
 		fs_read_noxattr_fs_symlinks(kernel_t)
@ -20820,7 +20851,7 @@ index 8dbab4c..88c7112 100644
 	')
 ')
-@@ -364,9 +443,22 @@ optional_policy(`
+@@ -364,9 +444,22 @@ optional_policy(`
 ')
 optional_policy(`
@ -20843,7 +20874,7 @@ index 8dbab4c..88c7112 100644
 ########################################
 #
 # Unlabeled process local policy
-@@ -388,6 +480,8 @@ optional_policy(`
+@@ -388,6 +481,8 @@ optional_policy(`
 if( ! secure_mode_insmod ) {
 	allow can_load_kernmodule self:capability sys_module;
@ -20852,7 +20883,7 @@ index 8dbab4c..88c7112 100644
 	# load_module() calls stop_machine() which
 	# calls sched_setscheduler()
 	allow can_load_kernmodule self:capability sys_nice;
-@@ -399,14 +493,38 @@ if( ! secure_mode_insmod ) {
+@@ -399,14 +494,38 @@ if( ! secure_mode_insmod ) {
 # Rules for unconfined acccess to this module
 #
@ -37508,10 +37539,10 @@ index 312cd04..102b975 100644
 +userdom_use_inherited_user_terminals(setkey_t)
 +userdom_read_user_tmp_files(setkey_t)
 diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 73a1c4e..63c7fc0 100644
+index 73a1c4e..1ca98b8 100644
 --- a/policy/modules/system/iptables.fc
 +++ b/policy/modules/system/iptables.fc
-@@ -1,22 +1,48 @@
+@@ -1,22 +1,49 @@
 /etc/rc\.d/init\.d/ip6?tables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/ebtables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 -/etc/sysconfig/ip6?tables.*	--	gen_context(system_u:object_r:iptables_conf_t,s0)
@ -37574,6 +37605,7 @@ index 73a1c4e..63c7fc0 100644
 +/var/lib/ebtables(/.*)?			gen_context(system_u:object_r:iptables_var_lib_t,s0)
 +
 +/var/lock/subsys/iptables      --      gen_context(system_u:object_r:iptables_lock_t,s0)
 +/var/lock/subsys/ip6tables      --      gen_context(system_u:object_r:iptables_lock_t,s0)
 +
 +/var/run/xtables.*       --  gen_context(system_u:object_r:iptables_var_run_t,s0)
 diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
@ -37854,7 +37886,7 @@ index 0000000..c814795
 +fs_manage_kdbus_dirs(systemd_logind_t)
 +fs_manage_kdbus_files(systemd_logind_t)
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c0..5d62107 100644
+index 73bb3c0..f36d28b 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
@@ -1,3 +1,4 @@
@ -38032,7 +38064,7 @@ index 73bb3c0..5d62107 100644
 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -299,17 +315,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -299,17 +315,158 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
 #
 /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
@ -38186,6 +38218,8 @@ index 73bb3c0..5d62107 100644
 +
 +/usr/lib/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib64/erlang/erts-[^/]*/bin/epmd  --  gen_context(system_u:object_r:lib_t,s0)
 +
 +/usr/lib/nsr/(.*/)?.*\.so		-- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/lgtonmc/bin/.*\.so(\.[0-9])?  	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/picasa/.*\.dll	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -40644,10 +40678,10 @@ index 79048c4..262c9ec 100644
 	udev_read_pid_files(lvm_t)
 ')
 diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 9fe8e01..cf3a4a6 100644
+index 9fe8e01..c62c761 100644
 --- a/policy/modules/system/miscfiles.fc
 +++ b/policy/modules/system/miscfiles.fc
-@@ -9,11 +9,15 @@ ifdef(`distro_gentoo',`
+@@ -9,11 +9,16 @@ ifdef(`distro_gentoo',`
 # /etc
 #
 /etc/avahi/etc/localtime --	gen_context(system_u:object_r:locale_t,s0)
@ -40659,13 +40693,14 @@ index 9fe8e01..cf3a4a6 100644
 +/etc/locale.conf	--	gen_context(system_u:object_r:locale_t,s0)
 /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
 /etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
 +/etc/(letsencrypt|certbot)/(live|archive)(/.*)?			gen_context(system_u:object_r:cert_t,s0)
 +/etc/ipa/nssdb(/.*)?			gen_context(system_u:object_r:cert_t,s0)
 /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
 +/etc/vconsole.conf	--	gen_context(system_u:object_r:locale_t,s0)
 ifdef(`distro_redhat',`
 /etc/sysconfig/clock	--	gen_context(system_u:object_r:locale_t,s0)
-@@ -37,24 +41,20 @@ ifdef(`distro_redhat',`
+@@ -37,24 +42,20 @@ ifdef(`distro_redhat',`
 /usr/lib/perl5/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
@ -40695,7 +40730,7 @@ index 9fe8e01..cf3a4a6 100644
 /usr/X11R6/lib/X11/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
-@@ -77,7 +77,7 @@ ifdef(`distro_redhat',`
+@@ -77,7 +78,7 @@ ifdef(`distro_redhat',`
 /var/cache/fontconfig(/.*)?	gen_context(system_u:object_r:fonts_cache_t,s0)
 /var/cache/fonts(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
@ -40704,7 +40739,7 @@ index 9fe8e01..cf3a4a6 100644
 /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
-@@ -90,6 +90,7 @@ ifdef(`distro_debian',`
+@@ -90,6 +91,7 @@ ifdef(`distro_debian',`
 ')
 ifdef(`distro_redhat',`
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -13596,7 +13596,7 @@ index 32e8265..ac74503 100644
 +	allow $1 chronyd_unit_file_t:service all_service_perms;
 ')
 diff --git a/chronyd.te b/chronyd.te
-index e5b621c..bc73da9 100644
+index e5b621c..eba4e6d 100644
 --- a/chronyd.te
 +++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@ -13627,7 +13627,16 @@ index e5b621c..bc73da9 100644
 allow chronyd_t chronyd_keys_t:file read_file_perms;
 manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
-@@ -76,18 +83,42 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+@@ -62,6 +69,8 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
 kernel_read_system_state(chronyd_t)
 kernel_read_network_state(chronyd_t)
 +clock_read_adjtime(chronyd_t)
 +
 corenet_all_recvfrom_unlabeled(chronyd_t)
 corenet_all_recvfrom_netlabel(chronyd_t)
 corenet_udp_sendrecv_generic_if(chronyd_t)
@@ -76,18 +85,42 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
 corenet_udp_bind_chronyd_port(chronyd_t)
 corenet_udp_sendrecv_chronyd_port(chronyd_t)
@ -19268,7 +19277,7 @@ index 1303b30..f13c532 100644
 +    logging_log_filetrans($1, cron_log_t, $2, $3)
 ')
 diff --git a/cron.te b/cron.te
-index 7de3859..e8010ba 100644
+index 7de3859..65e947c 100644
 --- a/cron.te
 +++ b/cron.te
@@ -11,46 +11,54 @@ gen_require(`
@ -19985,7 +19994,7 @@ index 7de3859..e8010ba 100644
 ')
 optional_policy(`
-@@ -598,7 +618,23 @@ optional_policy(`
+@@ -598,7 +618,27 @@ optional_policy(`
 ')
 optional_policy(`
@ -20006,10 +20015,14 @@ index 7de3859..e8010ba 100644
 +
 +optional_policy(`
 +    rkhunter_manage_lib_files(system_cronjob_t)
 +')
 +
 +optional_policy(`
 +    rhsmcertd_dbus_chat(system_cronjob_t)
 ')
 optional_policy(`
-@@ -607,7 +643,12 @@ optional_policy(`
+@@ -607,7 +647,12 @@ optional_policy(`
 ')
 optional_policy(`
@ -20022,7 +20035,7 @@ index 7de3859..e8010ba 100644
 ')
 optional_policy(`
-@@ -615,12 +656,27 @@ optional_policy(`
+@@ -615,12 +660,27 @@ optional_policy(`
 ')
 optional_policy(`
@ -20052,7 +20065,7 @@ index 7de3859..e8010ba 100644
 #
 allow cronjob_t self:process { signal_perms setsched };
-@@ -628,12 +684,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -628,12 +688,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
 allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
 allow cronjob_t self:unix_dgram_socket create_socket_perms;
@ -20086,7 +20099,7 @@ index 7de3859..e8010ba 100644
 corenet_all_recvfrom_netlabel(cronjob_t)
 corenet_tcp_sendrecv_generic_if(cronjob_t)
 corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -641,66 +717,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -641,66 +721,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
 corenet_udp_sendrecv_generic_node(cronjob_t)
 corenet_tcp_sendrecv_all_ports(cronjob_t)
 corenet_udp_sendrecv_all_ports(cronjob_t)
@ -23908,14 +23921,14 @@ index 583a527..91c4104 100644
 +	gnome_dontaudit_search_config(denyhosts_t)
 +')
 diff --git a/devicekit.fc b/devicekit.fc
-index ae49c9d..6eb0842 100644
+index ae49c9d..99a54eb 100644
 --- a/devicekit.fc
 +++ b/devicekit.fc
@@ -11,6 +11,8 @@
 /usr/libexec/devkit-power-daemon	--	gen_context(system_u:object_r:devicekit_power_exec_t,s0)
 /usr/libexec/udisks-daemon	--	gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
 /usr/libexec/upowerd	--	gen_context(system_u:object_r:devicekit_power_exec_t,s0)
-+/usr/libexec/udisks2/udisksd		--	gen_context(system_u:object_r:devicekit_exec_t,s0)
+/usr/libexec/udisks2/udisksd		--	gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
 +/usr/bin/udisksctl		--	gen_context(system_u:object_r:devicekit_exec_t,s0)
 /var/lib/DeviceKit-.*	gen_context(system_u:object_r:devicekit_var_lib_t,s0)
@ -30736,10 +30749,10 @@ index 0000000..daef190
 +')
 diff --git a/fwupd.te b/fwupd.te
 new file mode 100644
-index 0000000..e0bb02d
+index 0000000..77a7b23
 --- /dev/null
 +++ b/fwupd.te
-@@ -0,0 +1,64 @@
+@@ -0,0 +1,69 @@
 +policy_module(fwupd, 1.0.0)
 +
 +########################################
@ -30785,13 +30798,18 @@ index 0000000..e0bb02d
 +manage_lnk_files_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t)
 +files_var_lib_filetrans(fwupd_t, fwupd_var_lib_t, { dir })
 +
 +kernel_dgram_send(fwupd_t)
 +
 +auth_read_passwd(fwupd_t)
 +
 +dev_rw_sysfs(fwupd_t)
 +dev_rw_generic_usb_dev(fwupd_t)
 +dev_read_raw_memory(fwupd_t)
 +
 +fs_getattr_all_fs(fwupd_t)
 +
 +logging_send_syslog_msg(fwupd_t)
 +
 +udev_read_pid_files(fwupd_t)
 +
 +optional_policy(`
@ -31051,10 +31069,10 @@ index 0000000..d9ba5fa
 +')
 diff --git a/ganesha.te b/ganesha.te
 new file mode 100644
-index 0000000..20b9fcf
+index 0000000..4125c8d
 --- /dev/null
 +++ b/ganesha.te
-@@ -0,0 +1,61 @@
+@@ -0,0 +1,71 @@
 +policy_module(ganesha, 1.0.0)
 +
 +########################################
@ -31102,6 +31120,11 @@ index 0000000..20b9fcf
 +corenet_udp_bind_nfs_port(ganesha_t)
 +corenet_udp_bind_all_rpc_ports(ganesha_t)
 +corenet_tcp_bind_all_rpc_ports(ganesha_t)
 +corenet_tcp_bind_mountd_port(ganesha_t)
 +corenet_udp_bind_mountd_port(ganesha_t)
 +
 +dev_read_infiniband_dev(ganesha_t)
 +dev_read_gpfs(ganesha_t)
 +
 +logging_send_syslog_msg(ganesha_t)
 +
@ -31112,6 +31135,11 @@ index 0000000..20b9fcf
 +	dbus_connect_system_bus(ganesha_t)
 +')
 +
 +
 +optional_policy(`
 +    kerberos_read_keytab(ganesha_t)
 +')
 +
 +optional_policy(`
 +	rpc_manage_nfs_state_data_dir(ganesha_t)
 +	rpcbind_stream_connect(ganesha_t)
@ -67899,12 +67927,14 @@ index 9b15730..cb00f20 100644
 +	')
 ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 44dbc99..34682ff 100644
+index 44dbc99..e1fbbd9 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
-@@ -9,11 +9,8 @@ type openvswitch_t;
+@@ -8,12 +8,10 @@ policy_module(openvswitch, 1.1.1)
 type openvswitch_t;
 type openvswitch_exec_t;
 init_daemon_domain(openvswitch_t, openvswitch_exec_t)
 +init_initrc_domain(openvswitch_t)
 -type openvswitch_initrc_exec_t;
 -init_script_file(openvswitch_initrc_exec_t)
@ -67916,7 +67946,7 @@ index 44dbc99..34682ff 100644
 type openvswitch_var_lib_t;
 files_type(openvswitch_var_lib_t)
-@@ -27,20 +24,29 @@ files_tmp_file(openvswitch_tmp_t)
+@@ -27,20 +25,29 @@ files_tmp_file(openvswitch_tmp_t)
 type openvswitch_var_run_t;
 files_pid_file(openvswitch_var_run_t)
@ -67942,19 +67972,19 @@ index 44dbc99..34682ff 100644
 +allow openvswitch_t self:netlink_socket create_socket_perms;
 +allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
 +allow openvswitch_t self:netlink_generic_socket create_socket_perms;
 +
 +can_exec(openvswitch_t, openvswitch_exec_t)
 -manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
 -manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
 -manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
 +can_exec(openvswitch_t, openvswitch_exec_t)
 +
 +manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
 +manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
 +manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
 manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
 manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-@@ -48,9 +54,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
+@@ -48,9 +55,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
 files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
 manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
@ -67965,7 +67995,7 @@ index 44dbc99..34682ff 100644
 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
 logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
-@@ -63,35 +67,52 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+@@ -63,35 +68,56 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
 manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
 manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
 manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
@ -68021,6 +68051,10 @@ index 44dbc99..34682ff 100644
 sysnet_dns_name_resolve(openvswitch_t)
 optional_policy(`
 +    hostname_exec(openvswitch_t)
 +')
 +
 +optional_policy(`
 	iptables_domtrans(openvswitch_t)
 ')
 +
@ -75334,7 +75368,7 @@ index ded95ec..3cf7146 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
 ')
 diff --git a/postfix.te b/postfix.te
-index 5cfb83e..501c935 100644
+index 5cfb83e..6167c01 100644
 --- a/postfix.te
 +++ b/postfix.te
@@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
@ -75959,7 +75993,7 @@ index 5cfb83e..501c935 100644
 	dovecot_domtrans_deliver(postfix_pipe_t)
 ')
-@@ -584,19 +503,26 @@ optional_policy(`
+@@ -584,19 +503,28 @@ optional_policy(`
 ########################################
 #
@ -75979,11 +76013,13 @@ index 5cfb83e..501c935 100644
 rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
 +rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
-+postfix_list_spool(postfix_postdrop_t)
+-manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
- manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+rw_fifo_files_pattern(postfix_postdrop_t, postfix_master_t, postfix_master_t)
 -allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
-
+postfix_list_spool(postfix_postdrop_t)
 +manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 -mcs_file_read_all(postfix_postdrop_t)
 -mcs_file_write_all(postfix_postdrop_t)
 +corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
@ -75991,7 +76027,7 @@ index 5cfb83e..501c935 100644
 term_dontaudit_use_all_ptys(postfix_postdrop_t)
 term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -611,10 +537,7 @@ optional_policy(`
+@@ -611,10 +539,7 @@ optional_policy(`
 	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
 ')
@ -76003,7 +76039,7 @@ index 5cfb83e..501c935 100644
 optional_policy(`
 	fstools_read_pipes(postfix_postdrop_t)
 ')
-@@ -629,17 +552,24 @@ optional_policy(`
+@@ -629,17 +554,24 @@ optional_policy(`
 #######################################
 #
@ -76031,7 +76067,7 @@ index 5cfb83e..501c935 100644
 init_sigchld_script(postfix_postqueue_t)
 init_use_script_fds(postfix_postqueue_t)
-@@ -655,69 +585,78 @@ optional_policy(`
+@@ -655,69 +587,78 @@ optional_policy(`
 ########################################
 #
@ -76128,7 +76164,7 @@ index 5cfb83e..501c935 100644
 ')
 optional_policy(`
-@@ -730,28 +669,32 @@ optional_policy(`
+@@ -730,28 +671,32 @@ optional_policy(`
 ########################################
 #
@ -76169,7 +76205,7 @@ index 5cfb83e..501c935 100644
 optional_policy(`
 	dovecot_stream_connect_auth(postfix_smtpd_t)
-@@ -764,6 +707,7 @@ optional_policy(`
+@@ -764,6 +709,7 @@ optional_policy(`
 optional_policy(`
 	milter_stream_connect_all(postfix_smtpd_t)
@ -76177,7 +76213,7 @@ index 5cfb83e..501c935 100644
 ')
 optional_policy(`
-@@ -774,31 +718,100 @@ optional_policy(`
+@@ -774,31 +720,100 @@ optional_policy(`
 	sasl_connect(postfix_smtpd_t)
 ')
@ -105874,40 +105910,47 @@ index 0000000..80c6480
 +		systemd_read_fifo_file_passwd_run($1)
 +	')
 +')
-diff --git a/stapserver.te b/stapserver.te
+diff --git a/systemtap.te b/stapserver.te
-new file mode 100644
+similarity index 64%
-index 0000000..e847ea3
+rename from systemtap.te
--- /dev/null
+rename to stapserver.te
 index ffde368..e847ea3 100644
 --- a/systemtap.te
 +++ b/stapserver.te
-@@ -0,0 +1,114 @@
+@@ -1,4 +1,4 @@
 -policy_module(systemtap, 1.1.0)
 +policy_module(stapserver, 1.1.1)
-+
+ 
-+########################################
+ ########################################
-+#
+ #
-+# Declarations
+@@ -9,12 +9,6 @@ type stapserver_t;
-+#
+ type stapserver_exec_t;
-+
+ init_daemon_domain(stapserver_t, stapserver_exec_t)
-+type stapserver_t;
+ 
-+type stapserver_exec_t;
+-type stapserver_initrc_exec_t;
-+init_daemon_domain(stapserver_t, stapserver_exec_t)
+-init_script_file(stapserver_initrc_exec_t)
-+
+-
-+type stapserver_var_lib_t;
+-type stapserver_conf_t;
-+files_type(stapserver_var_lib_t)
+-files_config_file(stapserver_conf_t)
-+
+-
-+type stapserver_log_t;
+ type stapserver_var_lib_t;
-+logging_log_file(stapserver_log_t)
+ files_type(stapserver_var_lib_t)
-+
+ 
-+type stapserver_var_run_t;
+@@ -24,50 +18,62 @@ logging_log_file(stapserver_log_t)
-+files_pid_file(stapserver_var_run_t)
+ type stapserver_var_run_t;
-+
+ files_pid_file(stapserver_var_run_t)
 +type stapserver_tmp_t;
 +files_tmp_file(stapserver_tmp_t)
 +
-+########################################
+ ########################################
-+#
+ #
 -# Local policy
 +# stapserver local policy
-+#
+ #
-+
+ 
 -allow stapserver_t self:capability { dac_override kill setuid setgid };
 -allow stapserver_t self:process { setrlimit setsched signal };
 +#runuser
 +allow stapserver_t self:capability { setuid setgid };
 +allow stapserver_t self:process setsched;
@ -105915,84 +105958,84 @@ index 0000000..e847ea3
 +allow stapserver_t self:capability { dac_override kill sys_ptrace};
 +allow stapserver_t self:process { setrlimit signal };
 +
-+allow stapserver_t self:fifo_file rw_fifo_file_perms;
+ allow stapserver_t self:fifo_file rw_fifo_file_perms;
-+allow stapserver_t self:key write;
+ allow stapserver_t self:key write;
 -allow stapserver_t self:unix_stream_socket { accept listen };
 -allow stapserver_t self:tcp_socket create_stream_socket_perms;
 -
 -allow stapserver_t stapserver_conf_t:file read_file_perms;
 +allow stapserver_t self:unix_stream_socket create_stream_socket_perms;
 +allow stapserver_t self:tcp_socket { accept listen };
-+
+ 
-+manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
+ manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
-+manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
+ manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
-+files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir)
+ files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir)
-+
+ 
-+manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
+ manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
 -append_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
 -create_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
 -setattr_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
 +manage_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
-+logging_log_filetrans(stapserver_t, stapserver_log_t, dir )
+ logging_log_filetrans(stapserver_t, stapserver_log_t, dir )
-+
+ 
 +manage_dirs_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)
 +manage_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)
 +manage_lnk_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)
 +files_tmp_filetrans(stapserver_t, stapserver_tmp_t, { file dir })
 +
-+manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
+ manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
-+manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
+ manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
-+files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir )
+ files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir )
-+
+ 
-+kernel_read_system_state(stapserver_t)
+-kernel_read_kernel_sysctls(stapserver_t)
 kernel_read_system_state(stapserver_t)
 +kernel_read_kernel_sysctls(stapserver_t)
-+
+ 
-+corecmd_exec_bin(stapserver_t)
+ corecmd_exec_bin(stapserver_t)
-+corecmd_exec_shell(stapserver_t)
+ corecmd_exec_shell(stapserver_t)
-+
+ 
-+domain_read_all_domains_state(stapserver_t)
+ domain_read_all_domains_state(stapserver_t)
 +domain_use_interactive_fds(stapserver_t)
-+
+ 
-+dev_read_sysfs(stapserver_t)
+-dev_read_rand(stapserver_t)
 dev_read_sysfs(stapserver_t)
 +dev_read_rand(stapserver_t)
-+dev_read_urand(stapserver_t)
+ dev_read_urand(stapserver_t)
-+
+ 
-+files_list_tmp(stapserver_t)
+ files_list_tmp(stapserver_t)
-+files_search_kernel_modules(stapserver_t)
+-files_read_usr_files(stapserver_t)
-+
+ files_search_kernel_modules(stapserver_t)
 +fs_search_cgroup_dirs(stapserver_t)
 +fs_getattr_all_fs(stapserver_t)
 +
-+auth_use_nsswitch(stapserver_t)
+ auth_use_nsswitch(stapserver_t)
-+
+ 
-+init_read_utmp(stapserver_t)
+ init_read_utmp(stapserver_t)
-+
+@@ -75,12 +81,18 @@ init_read_utmp(stapserver_t)
-+logging_send_audit_msgs(stapserver_t)
+ logging_send_audit_msgs(stapserver_t)
-+logging_send_syslog_msg(stapserver_t)
+ logging_send_syslog_msg(stapserver_t)
-+
+ 
 -miscfiles_read_localization(stapserver_t)
 +#lspci
-+miscfiles_read_hwdata(stapserver_t)
+ miscfiles_read_hwdata(stapserver_t)
-+
+ 
 +systemd_dbus_chat_logind(stapserver_t)
 +
-+userdom_use_user_terminals(stapserver_t)
+ userdom_use_user_terminals(stapserver_t)
-+
+ 
-+optional_policy(`
+ optional_policy(`
 +    avahi_dbus_chat(stapserver_t)
 +')
 +
 +optional_policy(`
-+	consoletype_exec(stapserver_t)
+ 	consoletype_exec(stapserver_t)
-+')
+ ')
-+
+ 
-+optional_policy(`
+@@ -99,3 +111,4 @@ optional_policy(`
-+	dbus_system_bus_client(stapserver_t)
+ optional_policy(`
-+')
+ 	rpm_exec(stapserver_t)
-+
+ ')
 +optional_policy(`
 +	hostname_exec(stapserver_t)
 +')
 +
 +optional_policy(`
 +	plymouthd_exec_plymouth(stapserver_t)
 +')
 +
 +optional_policy(`
 +	rpm_exec(stapserver_t)
 +')
 +
 diff --git a/stunnel.fc b/stunnel.fc
 index 49dd63c..ae2e798 100644
@ -106811,113 +106854,6 @@ index c755e2d..0000000
 -	files_search_pids($1)
 -	admin_pattern($1, stapserver_var_run_t)
 -')
 diff --git a/systemtap.te b/systemtap.te
 deleted file mode 100644
 index ffde368..0000000
 --- a/systemtap.te
 +++ /dev/null
@@ -1,101 +0,0 @@
 -policy_module(systemtap, 1.1.0)
 -
 -########################################
 -#
 -# Declarations
 -#
 -
 -type stapserver_t;
 -type stapserver_exec_t;
 -init_daemon_domain(stapserver_t, stapserver_exec_t)
 -
 -type stapserver_initrc_exec_t;
 -init_script_file(stapserver_initrc_exec_t)
 -
 -type stapserver_conf_t;
 -files_config_file(stapserver_conf_t)
 -
 -type stapserver_var_lib_t;
 -files_type(stapserver_var_lib_t)
 -
 -type stapserver_log_t;
 -logging_log_file(stapserver_log_t)
 -
 -type stapserver_var_run_t;
 -files_pid_file(stapserver_var_run_t)
 -
 -########################################
 -#
 -# Local policy
 -#
 -
 -allow stapserver_t self:capability { dac_override kill setuid setgid };
 -allow stapserver_t self:process { setrlimit setsched signal };
 -allow stapserver_t self:fifo_file rw_fifo_file_perms;
 -allow stapserver_t self:key write;
 -allow stapserver_t self:unix_stream_socket { accept listen };
 -allow stapserver_t self:tcp_socket create_stream_socket_perms;
 -
 -allow stapserver_t stapserver_conf_t:file read_file_perms;
 -
 -manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
 -manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
 -files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir)
 -
 -manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
 -append_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
 -create_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
 -setattr_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
 -logging_log_filetrans(stapserver_t, stapserver_log_t, dir )
 -
 -manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
 -manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
 -files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir )
 -
 -kernel_read_kernel_sysctls(stapserver_t)
 -kernel_read_system_state(stapserver_t)
 -
 -corecmd_exec_bin(stapserver_t)
 -corecmd_exec_shell(stapserver_t)
 -
 -domain_read_all_domains_state(stapserver_t)
 -
 -dev_read_rand(stapserver_t)
 -dev_read_sysfs(stapserver_t)
 -dev_read_urand(stapserver_t)
 -
 -files_list_tmp(stapserver_t)
 -files_read_usr_files(stapserver_t)
 -files_search_kernel_modules(stapserver_t)
 -
 -auth_use_nsswitch(stapserver_t)
 -
 -init_read_utmp(stapserver_t)
 -
 -logging_send_audit_msgs(stapserver_t)
 -logging_send_syslog_msg(stapserver_t)
 -
 -miscfiles_read_localization(stapserver_t)
 -miscfiles_read_hwdata(stapserver_t)
 -
 -userdom_use_user_terminals(stapserver_t)
 -
 -optional_policy(`
 -	consoletype_exec(stapserver_t)
 -')
 -
 -optional_policy(`
 -	dbus_system_bus_client(stapserver_t)
 -')
 -
 -optional_policy(`
 -	hostname_exec(stapserver_t)
 -')
 -
 -optional_policy(`
 -	plymouthd_exec_plymouth(stapserver_t)
 -')
 -
 -optional_policy(`
 -	rpm_exec(stapserver_t)
 -')
 diff --git a/targetd.fc b/targetd.fc
 new file mode 100644
 index 0000000..c1ef053
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 243%{?dist}
+Release: 244%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -682,6 +682,15 @@ exit 0
 %endif
 %changelog
 * Tue Mar 07 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-244
 - Update fwupd policy
 - /usr/libexec/udisks2/udisksd should be labeled as devicekit_disk_exec_t
 - Update ganesha policy
 - Allow chronyd to read adjtime
 - Merge pull request #194 from hogarthj/certbot_policy
 - get the correct cert_t context on certbot certificates bz#1289778
 - Label /dev/ss0 as gpfs_device_t
 * Thu Mar 02 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-243
 -  Allow abrt_t to send mails.