* Tue Oct 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-296

- Merge pull request #19 from RodrigoQuesadaDev/snapper-fix-1
- Allow httpd_t domain to mmap httpd_user_content_t files. BZ(1494852)
- Add nnp transition rule for services using NoNewPrivileges systemd feature
- Add map permission into dev_rw_infiniband_dev() interface to allow caller domain mmap infiniband chr device BZ(1500923)
- Add init_nnp_daemon_domain interface
- Allow nnp transition capability
- Merge pull request #204 from konradwilk/rhbz1484908
- Label postgresql-check-db-dir as postgresql_exec_t

policy-rawhide-base.patch

@@ -6690,7 +6690,7 @@ index 3f6e16889..abd046c56 100644
 +ifelse(`$2',`',`',`declare_ibendportcons($1_ibendport_t,shift($*))')dnl
 +')
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c05491..b15a7aa05 100644
+index b31c05491..c3fd31813 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
 @@ -15,15 +15,18 @@
@@ -6814,7 +6814,7 @@ index b31c05491..b15a7aa05 100644
  /dev/card.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
  /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
  
-@@ -169,18 +200,26 @@ ifdef(`distro_suse', `
+@@ -169,18 +200,27 @@ ifdef(`distro_suse', `
  
  /dev/s(ou)?nd/.*	-c	gen_context(system_u:object_r:sound_device_t,s0)
  
@@ -6838,10 +6838,11 @@ index b31c05491..b15a7aa05 100644
  /dev/xen/gntdev		-c	gen_context(system_u:object_r:xen_device_t,s0)
  /dev/xen/gntalloc	-c	gen_context(system_u:object_r:xen_device_t,s0)
 +/dev/xen/privcmd	-c	gen_context(system_u:object_r:xen_device_t,s0)
++/dev/xen/xenbus		-c	gen_context(system_u:object_r:xen_device_t,s0)
  
  ifdef(`distro_debian',`
  # this is a static /dev dir "backup mount"
-@@ -198,12 +237,27 @@ ifdef(`distro_debian',`
+@@ -198,12 +238,27 @@ ifdef(`distro_debian',`
  /lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
  /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
  
@@ -6872,7 +6873,7 @@ index b31c05491..b15a7aa05 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285ea6..f0bb3da0c 100644
+index 76f285ea6..1de2a51f0 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -7440,7 +7441,7 @@ index 76f285ea6..f0bb3da0c 100644
  ##	The name of the object being created.
  ##	</summary>
  ## </param>
-@@ -2017,6 +2277,180 @@ interface(`dev_rw_input_dev',`
+@@ -2017,6 +2277,181 @@ interface(`dev_rw_input_dev',`
  
  ########################################
  ## <summary>
@@ -7576,6 +7577,7 @@ index 76f285ea6..f0bb3da0c 100644
 +
 +	rw_chr_files_pattern($1, device_t, infiniband_device_t)
 +    rw_blk_files_pattern($1, device_t, infiniband_device_t)
++	allow $1 infiniband_device_t:chr_file map;
 +')
 +
 +########################################
@@ -7621,7 +7623,7 @@ index 76f285ea6..f0bb3da0c 100644
  ##	Get the attributes of the framebuffer device node.
  ## </summary>
  ## <param name="domain">
-@@ -2402,7 +2836,7 @@ interface(`dev_filetrans_lirc',`
+@@ -2402,7 +2837,7 @@ interface(`dev_filetrans_lirc',`
  
  ########################################
  ## <summary>
@@ -7630,7 +7632,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2410,17 +2844,17 @@ interface(`dev_filetrans_lirc',`
+@@ -2410,17 +2845,17 @@ interface(`dev_filetrans_lirc',`
  ##	</summary>
  ## </param>
  #
@@ -7652,7 +7654,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2428,17 +2862,17 @@ interface(`dev_getattr_lvm_control',`
+@@ -2428,17 +2863,17 @@ interface(`dev_getattr_lvm_control',`
  ##	</summary>
  ## </param>
  #
@@ -7674,7 +7676,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2446,17 +2880,17 @@ interface(`dev_read_lvm_control',`
+@@ -2446,17 +2881,17 @@ interface(`dev_read_lvm_control',`
  ##	</summary>
  ## </param>
  #
@@ -7696,7 +7698,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2464,17 +2898,17 @@ interface(`dev_rw_lvm_control',`
+@@ -2464,17 +2899,17 @@ interface(`dev_rw_lvm_control',`
  ##	</summary>
  ## </param>
  #
@@ -7718,7 +7720,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2482,35 +2916,35 @@ interface(`dev_dontaudit_rw_lvm_control',`
+@@ -2482,35 +2917,35 @@ interface(`dev_dontaudit_rw_lvm_control',`
  ##	</summary>
  ## </param>
  #
@@ -7763,7 +7765,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2518,62 +2952,53 @@ interface(`dev_dontaudit_getattr_memory_dev',`
+@@ -2518,62 +2953,53 @@ interface(`dev_dontaudit_getattr_memory_dev',`
  ##	</summary>
  ## </param>
  #
@@ -7840,7 +7842,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2581,32 +3006,168 @@ interface(`dev_write_raw_memory',`
+@@ -2581,32 +3007,168 @@ interface(`dev_write_raw_memory',`
  ##	</summary>
  ## </param>
  #
@@ -8018,7 +8020,7 @@ index 76f285ea6..f0bb3da0c 100644
  ')
  
  ########################################
-@@ -2725,7 +3286,7 @@ interface(`dev_write_misc',`
+@@ -2725,7 +3287,7 @@ interface(`dev_write_misc',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -8027,7 +8029,7 @@ index 76f285ea6..f0bb3da0c 100644
  ##	</summary>
  ## </param>
  #
-@@ -2811,6 +3372,78 @@ interface(`dev_rw_modem',`
+@@ -2811,6 +3373,78 @@ interface(`dev_rw_modem',`
  
  ########################################
  ## <summary>
@@ -8106,7 +8108,7 @@ index 76f285ea6..f0bb3da0c 100644
  ##	Get the attributes of the mouse devices.
  ## </summary>
  ## <param name="domain">
-@@ -2903,20 +3536,20 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2903,20 +3537,20 @@ interface(`dev_getattr_mtrr_dev',`
  
  ########################################
  ## <summary>
@@ -8131,7 +8133,7 @@ index 76f285ea6..f0bb3da0c 100644
  ##	</p>
  ## </desc>
  ## <param name="domain">
-@@ -2925,43 +3558,34 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2925,43 +3559,34 @@ interface(`dev_getattr_mtrr_dev',`
  ##	</summary>
  ## </param>
  #
@@ -8187,7 +8189,7 @@ index 76f285ea6..f0bb3da0c 100644
  ##	range registers (MTRR).
  ## </summary>
  ## <param name="domain">
-@@ -2970,13 +3594,32 @@ interface(`dev_write_mtrr',`
+@@ -2970,13 +3595,32 @@ interface(`dev_write_mtrr',`
  ##	</summary>
  ## </param>
  #
@@ -8223,7 +8225,7 @@ index 76f285ea6..f0bb3da0c 100644
  ')
  
  ########################################
-@@ -3144,44 +3787,43 @@ interface(`dev_create_null_dev',`
+@@ -3144,44 +3788,43 @@ interface(`dev_create_null_dev',`
  
  ########################################
  ## <summary>
@@ -8279,7 +8281,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3189,12 +3831,105 @@ interface(`dev_rw_nvram',`
+@@ -3189,12 +3832,105 @@ interface(`dev_rw_nvram',`
  ##	</summary>
  ## </param>
  #
@@ -8388,7 +8390,7 @@ index 76f285ea6..f0bb3da0c 100644
  ')
  
  ########################################
-@@ -3254,7 +3989,25 @@ interface(`dev_rw_printer',`
+@@ -3254,7 +3990,25 @@ interface(`dev_rw_printer',`
  
  ########################################
  ## <summary>
@@ -8415,7 +8417,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3262,12 +4015,13 @@ interface(`dev_rw_printer',`
+@@ -3262,12 +4016,13 @@ interface(`dev_rw_printer',`
  ##	</summary>
  ## </param>
  #
@@ -8432,7 +8434,7 @@ index 76f285ea6..f0bb3da0c 100644
  ')
  
  ########################################
-@@ -3399,7 +4153,7 @@ interface(`dev_dontaudit_read_rand',`
+@@ -3399,7 +4154,7 @@ interface(`dev_dontaudit_read_rand',`
  
  ########################################
  ## <summary>
@@ -8441,7 +8443,7 @@ index 76f285ea6..f0bb3da0c 100644
  ##	number generator devices (e.g., /dev/random)
  ## </summary>
  ## <param name="domain">
-@@ -3413,7 +4167,7 @@ interface(`dev_dontaudit_append_rand',`
+@@ -3413,7 +4168,7 @@ interface(`dev_dontaudit_append_rand',`
  		type random_device_t;
  	')
  
@@ -8450,7 +8452,7 @@ index 76f285ea6..f0bb3da0c 100644
  ')
  
  ########################################
-@@ -3633,6 +4387,7 @@ interface(`dev_read_sound',`
+@@ -3633,6 +4388,7 @@ interface(`dev_read_sound',`
  	')
  
  	read_chr_files_pattern($1, device_t, sound_device_t)
@@ -8458,7 +8460,7 @@ index 76f285ea6..f0bb3da0c 100644
  ')
  
  ########################################
-@@ -3669,6 +4424,7 @@ interface(`dev_read_sound_mixer',`
+@@ -3669,6 +4425,7 @@ interface(`dev_read_sound_mixer',`
  	')
  
  	read_chr_files_pattern($1, device_t, sound_device_t)
@@ -8466,7 +8468,7 @@ index 76f285ea6..f0bb3da0c 100644
  ')
  
  ########################################
-@@ -3855,7 +4611,7 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,7 +4612,7 @@ interface(`dev_getattr_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -8475,7 +8477,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3863,91 +4619,89 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3863,91 +4620,89 @@ interface(`dev_getattr_sysfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -8586,7 +8588,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3955,68 +4709,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3955,68 +4710,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -8665,7 +8667,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4024,114 +4763,97 @@ interface(`dev_rw_sysfs',`
+@@ -4024,114 +4764,97 @@ interface(`dev_rw_sysfs',`
  ##	</summary>
  ## </param>
  #
@@ -8810,7 +8812,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4139,35 +4861,50 @@ interface(`dev_getattr_generic_usb_dev',`
+@@ -4139,35 +4862,50 @@ interface(`dev_getattr_generic_usb_dev',`
  ##	</summary>
  ## </param>
  #
@@ -8869,7 +8871,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4175,12 +4912,278 @@ interface(`dev_read_generic_usb_dev',`
+@@ -4175,12 +4913,278 @@ interface(`dev_read_generic_usb_dev',`
  ##	</summary>
  ## </param>
  #
@@ -9151,7 +9153,7 @@ index 76f285ea6..f0bb3da0c 100644
  ')
  
  ########################################
-@@ -4249,33 +5252,462 @@ interface(`dev_write_usbmon_dev',`
+@@ -4249,33 +5253,462 @@ interface(`dev_write_usbmon_dev',`
  #
  interface(`dev_mount_usbfs',`
  	gen_require(`
@@ -9623,7 +9625,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4283,36 +5715,35 @@ interface(`dev_associate_usbfs',`
+@@ -4283,36 +5716,35 @@ interface(`dev_associate_usbfs',`
  ##	</summary>
  ## </param>
  #
@@ -9669,7 +9671,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4320,17 +5751,18 @@ interface(`dev_dontaudit_getattr_usbfs_dirs',`
+@@ -4320,17 +5752,18 @@ interface(`dev_dontaudit_getattr_usbfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -9692,7 +9694,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4338,20 +5770,17 @@ interface(`dev_search_usbfs',`
+@@ -4338,20 +5771,17 @@ interface(`dev_search_usbfs',`
  ##	</summary>
  ## </param>
  #
@@ -9717,7 +9719,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4359,19 +5788,17 @@ interface(`dev_list_usbfs',`
+@@ -4359,19 +5789,17 @@ interface(`dev_list_usbfs',`
  ##	</summary>
  ## </param>
  #
@@ -9741,7 +9743,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4379,19 +5806,17 @@ interface(`dev_setattr_usbfs_files',`
+@@ -4379,19 +5807,17 @@ interface(`dev_setattr_usbfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -9765,7 +9767,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4399,19 +5824,17 @@ interface(`dev_read_usbfs',`
+@@ -4399,19 +5825,17 @@ interface(`dev_read_usbfs',`
  ##	</summary>
  ## </param>
  #
@@ -9789,7 +9791,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4419,17 +5842,17 @@ interface(`dev_rw_usbfs',`
+@@ -4419,17 +5843,18 @@ interface(`dev_rw_usbfs',`
  ##	</summary>
  ## </param>
  #
@@ -9802,6 +9804,7 @@ index 76f285ea6..f0bb3da0c 100644
  
 -	getattr_chr_files_pattern($1, device_t, v4l_device_t)
 +	rw_chr_files_pattern($1, device_t, xen_device_t)
++	allow $1 xen_device_t:chr_file map;
  ')
  
 -######################################
@@ -9812,7 +9815,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4437,36 +5860,41 @@ interface(`dev_getattr_video_dev',`
+@@ -4437,36 +5862,41 @@ interface(`dev_getattr_video_dev',`
  ##	</summary>
  ## </param>
  #
@@ -9864,7 +9867,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4474,36 +5902,35 @@ interface(`dev_dontaudit_getattr_video_dev',`
+@@ -4474,36 +5904,35 @@ interface(`dev_dontaudit_getattr_video_dev',`
  ##	</summary>
  ## </param>
  #
@@ -9910,7 +9913,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4511,35 +5938,36 @@ interface(`dev_dontaudit_setattr_video_dev',`
+@@ -4511,35 +5940,36 @@ interface(`dev_dontaudit_setattr_video_dev',`
  ##	</summary>
  ## </param>
  #
@@ -9956,7 +9959,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4547,17 +5975,19 @@ interface(`dev_write_video_dev',`
+@@ -4547,17 +5977,19 @@ interface(`dev_write_video_dev',`
  ##	</summary>
  ## </param>
  #
@@ -9980,7 +9983,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4565,17 +5995,17 @@ interface(`dev_rw_vhost',`
+@@ -4565,17 +5997,17 @@ interface(`dev_rw_vhost',`
  ##	</summary>
  ## </param>
  #
@@ -10002,7 +10005,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4583,18 +6013,18 @@ interface(`dev_rw_vmware',`
+@@ -4583,18 +6015,18 @@ interface(`dev_rw_vmware',`
  ##	</summary>
  ## </param>
  #
@@ -10026,7 +10029,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4602,17 +6032,18 @@ interface(`dev_rwx_vmware',`
+@@ -4602,17 +6034,18 @@ interface(`dev_rwx_vmware',`
  ##	</summary>
  ## </param>
  #
@@ -10049,7 +10052,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4620,17 +6051,17 @@ interface(`dev_read_watchdog',`
+@@ -4620,17 +6053,17 @@ interface(`dev_read_watchdog',`
  ##	</summary>
  ## </param>
  #
@@ -10071,7 +10074,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4638,35 +6069,36 @@ interface(`dev_write_watchdog',`
+@@ -4638,35 +6071,36 @@ interface(`dev_write_watchdog',`
  ##	</summary>
  ## </param>
  #
@@ -10117,7 +10120,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4674,41 +6106,35 @@ interface(`dev_rw_xen',`
+@@ -4674,41 +6108,35 @@ interface(`dev_rw_xen',`
  ##	</summary>
  ## </param>
  #
@@ -10167,7 +10170,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4716,17 +6142,17 @@ interface(`dev_filetrans_xen',`
+@@ -4716,17 +6144,17 @@ interface(`dev_filetrans_xen',`
  ##	</summary>
  ## </param>
  #
@@ -10189,7 +10192,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4734,17 +6160,18 @@ interface(`dev_getattr_xserver_misc_dev',`
+@@ -4734,17 +6162,18 @@ interface(`dev_getattr_xserver_misc_dev',`
  ##	</summary>
  ## </param>
  #
@@ -10212,7 +10215,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4752,17 +6179,17 @@ interface(`dev_setattr_xserver_misc_dev',`
+@@ -4752,17 +6181,17 @@ interface(`dev_setattr_xserver_misc_dev',`
  ##	</summary>
  ## </param>
  #
@@ -10234,7 +10237,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4770,17 +6197,17 @@ interface(`dev_rw_xserver_misc',`
+@@ -4770,17 +6199,17 @@ interface(`dev_rw_xserver_misc',`
  ##	</summary>
  ## </param>
  #
@@ -10256,7 +10259,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4788,18 +6215,17 @@ interface(`dev_rw_zero',`
+@@ -4788,18 +6217,17 @@ interface(`dev_rw_zero',`
  ##	</summary>
  ## </param>
  #
@@ -10279,7 +10282,7 @@ index 76f285ea6..f0bb3da0c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4807,47 +6233,911 @@ interface(`dev_rwx_zero',`
+@@ -4807,47 +6235,912 @@ interface(`dev_rwx_zero',`
  ##	</summary>
  ## </param>
  #
@@ -11088,6 +11091,7 @@ index 76f285ea6..f0bb3da0c 100644
 +	filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntdev")
 +	filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntalloc")
 +	filetrans_pattern($1, device_t, xen_device_t, chr_file, "privcmd")
++	filetrans_pattern($1, device_t, xen_device_t, chr_file, "xenbus")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC0")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC1")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC2")
@@ -27977,14 +27981,15 @@ index 6d77e81c5..74de33345 100644
 +	')
  ')
 diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
-index a26f84f40..f4a44ebc6 100644
+index a26f84f40..225d6961d 100644
 --- a/policy/modules/services/postgresql.fc
 +++ b/policy/modules/services/postgresql.fc
-@@ -10,11 +10,16 @@
+@@ -10,11 +10,17 @@
  #
  /usr/bin/initdb(\.sepgsql)?	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
  /usr/bin/(se)?postgres		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
 +/usr/bin/pg_ctl				--	gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/postgresql-check-db-dir				--	gen_context(system_u:object_r:postgresql_exec_t,s0)
 +
 +/usr/libexec/postgresql-ctl     --  gen_context(system_u:object_r:postgresql_exec_t,s0)
  
@@ -27997,7 +28002,7 @@ index a26f84f40..f4a44ebc6 100644
  ifdef(`distro_debian', `
  /usr/lib/postgresql/.*/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
  ')
-@@ -28,9 +33,10 @@ ifdef(`distro_redhat', `
+@@ -28,9 +34,10 @@ ifdef(`distro_redhat', `
  #
  /var/lib/postgres(ql)?(/.*)? 		gen_context(system_u:object_r:postgresql_db_t,s0)
  
@@ -28010,7 +28015,7 @@ index a26f84f40..f4a44ebc6 100644
  
  /var/lib/sepgsql(/.*)?			gen_context(system_u:object_r:postgresql_db_t,s0)
  /var/lib/sepgsql/pgstartup\.log	--	gen_context(system_u:object_r:postgresql_log_t,s0)
-@@ -45,4 +51,4 @@ ifdef(`distro_redhat', `
+@@ -45,4 +52,4 @@ ifdef(`distro_redhat', `
  
  /var/run/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_var_run_t,s0)
  
@@ -36073,7 +36078,7 @@ index bc0ffc84e..37b8ea5ec 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f62e..6ed0c399a 100644
+index 79a45f62e..b25993d41 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -1,5 +1,21 @@
@@ -36110,7 +36115,33 @@ index 79a45f62e..6ed0c399a 100644
  	ifdef(`hide_broken_symptoms',`
  		# RHEL4 systems seem to have a stray
  		# fds open from the initrd
-@@ -192,50 +212,43 @@ interface(`init_ranged_domain',`
+@@ -115,6 +135,25 @@ interface(`init_domain',`
+ 		')
+ 	')
+ ')
++########################################
++## <summary>
++##	Allow SELinux Domain trasition from sytemd
++##  into confined domain with NoNewPrivileges 
++##  Systemd Security feature.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_nnp_daemon_domain',`
++    gen_require(`
++        type init_t;
++    ')
++
++    allow init_t $1:process2 { nnp_transition nosuid_transition };
++')
+ 
+ ########################################
+ ## <summary>
+@@ -192,50 +231,43 @@ interface(`init_ranged_domain',`
  interface(`init_daemon_domain',`
  	gen_require(`
  		attribute direct_run_init, direct_init, direct_init_entry;
@@ -36183,7 +36214,7 @@ index 79a45f62e..6ed0c399a 100644
  ')
  
  ########################################
-@@ -283,17 +296,20 @@ interface(`init_daemon_domain',`
+@@ -283,17 +315,20 @@ interface(`init_daemon_domain',`
  interface(`init_ranged_daemon_domain',`
  	gen_require(`
  		type initrc_t;
@@ -36205,7 +36236,7 @@ index 79a45f62e..6ed0c399a 100644
  	')
  ')
  
-@@ -336,23 +352,19 @@ interface(`init_ranged_daemon_domain',`
+@@ -336,23 +371,19 @@ interface(`init_ranged_daemon_domain',`
  #
  interface(`init_system_domain',`
  	gen_require(`
@@ -36236,7 +36267,7 @@ index 79a45f62e..6ed0c399a 100644
  ')
  
  ########################################
-@@ -401,20 +413,41 @@ interface(`init_system_domain',`
+@@ -401,20 +432,41 @@ interface(`init_system_domain',`
  interface(`init_ranged_system_domain',`
  	gen_require(`
  		type initrc_t;
@@ -36278,7 +36309,7 @@ index 79a45f62e..6ed0c399a 100644
  ########################################
  ## <summary>
  ##	Mark the file type as a daemon run dir, allowing initrc_t
-@@ -460,6 +493,25 @@ interface(`init_domtrans',`
+@@ -460,6 +512,25 @@ interface(`init_domtrans',`
  	domtrans_pattern($1, init_exec_t, init_t)
  ')
  
@@ -36304,7 +36335,7 @@ index 79a45f62e..6ed0c399a 100644
  ########################################
  ## <summary>
  ##	Execute the init program in the caller domain.
-@@ -469,7 +521,6 @@ interface(`init_domtrans',`
+@@ -469,7 +540,6 @@ interface(`init_domtrans',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -36312,7 +36343,7 @@ index 79a45f62e..6ed0c399a 100644
  #
  interface(`init_exec',`
  	gen_require(`
-@@ -478,6 +529,48 @@ interface(`init_exec',`
+@@ -478,6 +548,48 @@ interface(`init_exec',`
  
  	corecmd_search_bin($1)
  	can_exec($1, init_exec_t)
@@ -36361,7 +36392,7 @@ index 79a45f62e..6ed0c399a 100644
  ')
  
  ########################################
-@@ -566,6 +659,58 @@ interface(`init_sigchld',`
+@@ -566,6 +678,58 @@ interface(`init_sigchld',`
  
  ########################################
  ## <summary>
@@ -36420,7 +36451,7 @@ index 79a45f62e..6ed0c399a 100644
  ##	Connect to init with a unix socket.
  ## </summary>
  ## <param name="domain">
-@@ -576,12 +721,87 @@ interface(`init_sigchld',`
+@@ -576,12 +740,87 @@ interface(`init_sigchld',`
  #
  interface(`init_stream_connect',`
  	gen_require(`
@@ -36508,7 +36539,7 @@ index 79a45f62e..6ed0c399a 100644
  ########################################
  ## <summary>
  ##	Inherit and use file descriptors from init.
-@@ -743,22 +963,24 @@ interface(`init_write_initctl',`
+@@ -743,22 +982,24 @@ interface(`init_write_initctl',`
  interface(`init_telinit',`
  	gen_require(`
  		type initctl_t;
@@ -36542,7 +36573,7 @@ index 79a45f62e..6ed0c399a 100644
  ')
  
  ########################################
-@@ -787,7 +1009,7 @@ interface(`init_rw_initctl',`
+@@ -787,7 +1028,7 @@ interface(`init_rw_initctl',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -36551,7 +36582,7 @@ index 79a45f62e..6ed0c399a 100644
  ##	</summary>
  ## </param>
  #
-@@ -830,11 +1052,12 @@ interface(`init_script_file_entry_type',`
+@@ -830,11 +1071,12 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -36566,7 +36597,7 @@ index 79a45f62e..6ed0c399a 100644
  
  	ifdef(`distro_gentoo',`
  		gen_require(`
-@@ -845,11 +1068,11 @@ interface(`init_spec_domtrans_script',`
+@@ -845,11 +1087,11 @@ interface(`init_spec_domtrans_script',`
  	')
  
  	ifdef(`enable_mcs',`
@@ -36580,7 +36611,7 @@ index 79a45f62e..6ed0c399a 100644
  	')
  ')
  
-@@ -865,19 +1088,41 @@ interface(`init_spec_domtrans_script',`
+@@ -865,23 +1107,45 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -36603,11 +36634,11 @@ index 79a45f62e..6ed0c399a 100644
  	ifdef(`enable_mls',`
 -		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
 +		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-+	')
+ 	')
-+')
+ ')
-+
+ 
-+########################################
+ ########################################
-+## <summary>
+ ## <summary>
 +##	Execute a file in a bin directory
 +##	in the initrc_t domain 
 +## </summary>
@@ -36620,13 +36651,17 @@ index 79a45f62e..6ed0c399a 100644
 +interface(`init_bin_domtrans_spec',`
 +	gen_require(`
 +		type initrc_t;
- 	')
++	')
 +
 +	corecmd_bin_domtrans($1, initrc_t)
- ')
++')
- 
++
- ########################################
++########################################
-@@ -933,9 +1178,14 @@ interface(`init_script_file_domtrans',`
++## <summary>
+ ##	Execute a init script in a specified domain.
+ ## </summary>
+ ## <desc>
+@@ -933,9 +1197,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -36641,7 +36676,7 @@ index 79a45f62e..6ed0c399a 100644
  	files_search_etc($1)
  ')
  
-@@ -992,7 +1242,7 @@ interface(`init_run_daemon',`
+@@ -992,7 +1261,7 @@ interface(`init_run_daemon',`
  
  ########################################
  ## <summary>
@@ -36650,7 +36685,7 @@ index 79a45f62e..6ed0c399a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1000,38 +1250,37 @@ interface(`init_run_daemon',`
+@@ -1000,38 +1269,37 @@ interface(`init_run_daemon',`
  ##	</summary>
  ## </param>
  #
@@ -36698,7 +36733,7 @@ index 79a45f62e..6ed0c399a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1039,17 +1288,19 @@ interface(`init_ptrace',`
+@@ -1039,17 +1307,19 @@ interface(`init_ptrace',`
  ##	</summary>
  ## </param>
  #
@@ -36722,7 +36757,7 @@ index 79a45f62e..6ed0c399a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1057,18 +1308,17 @@ interface(`init_write_script_pipes',`
+@@ -1057,18 +1327,17 @@ interface(`init_write_script_pipes',`
  ##	</summary>
  ## </param>
  #
@@ -36745,7 +36780,7 @@ index 79a45f62e..6ed0c399a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1076,37 +1326,38 @@ interface(`init_getattr_script_files',`
+@@ -1076,18 +1345,94 @@ interface(`init_getattr_script_files',`
  ##	</summary>
  ## </param>
  #
@@ -36765,40 +36800,34 @@ index 79a45f62e..6ed0c399a 100644
  ## <summary>
 -##	Execute init scripts in the caller domain.
 +##	Ptrace init
- ## </summary>
++## </summary>
- ## <param name="domain">
++## <param name="domain">
- ##	<summary>
++##	<summary>
- ##	Domain allowed access.
++##	Domain allowed access.
- ##	</summary>
++##	</summary>
- ## </param>
++## </param>
 +## <rolecap/>
- #
++#
--interface(`init_exec_script_files',`
 +interface(`init_ptrace',`
- 	gen_require(`
++	gen_require(`
--		type initrc_exec_t;
 +		type init_t;
- 	')
++	')
- 
++
--	files_list_etc($1)
--	can_exec($1, initrc_exec_t)
 +	tunable_policy(`deny_ptrace',`',`
 +		allow $1 init_t:process ptrace;
 +	')
- ')
++')
- 
++
- ########################################
++########################################
- ## <summary>
++## <summary>
--##	Get the attribute of all init script entrypoint files.
 +##	Write an init script unnamed pipe.
- ## </summary>
++## </summary>
- ## <param name="domain">
++## <param name="domain">
- ##	<summary>
++##	<summary>
-@@ -1114,7 +1365,82 @@ interface(`init_exec_script_files',`
++##	Domain allowed access.
- ##	</summary>
++##	</summary>
- ## </param>
++## </param>
- #
++#
--interface(`init_getattr_all_script_files',`
 +interface(`init_write_script_pipes',`
 +	gen_require(`
 +		type initrc_t;
@@ -36848,37 +36877,10 @@ index 79a45f62e..6ed0c399a 100644
 +########################################
 +## <summary>
 +##	Execute init scripts in the caller domain.
-+## </summary>
+ ## </summary>
-+## <param name="domain">
+ ## <param name="domain">
-+##	<summary>
+ ##	<summary>
-+##	Domain allowed access.
+@@ -1125,6 +1470,63 @@ interface(`init_getattr_all_script_files',`
-+##	</summary>
-+## </param>
-+#
-+interface(`init_exec_script_files',`
-+	gen_require(`
-+		type initrc_exec_t;
-+	')
-+
-+	files_list_etc($1)
-+	can_exec($1, initrc_exec_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Get the attribute of all init script entrypoint files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`init_getattr_all_script_files',`
- 	gen_require(`
- 		attribute init_script_file_type;
- 	')
-@@ -1125,6 +1451,63 @@ interface(`init_getattr_all_script_files',`
  
  ########################################
  ## <summary>
@@ -36942,7 +36944,7 @@ index 79a45f62e..6ed0c399a 100644
  ##	Read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1144,6 +1527,24 @@ interface(`init_read_all_script_files',`
+@@ -1144,6 +1546,24 @@ interface(`init_read_all_script_files',`
  
  #######################################
  ## <summary>
@@ -36967,7 +36969,7 @@ index 79a45f62e..6ed0c399a 100644
  ##	Dontaudit read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1195,12 +1596,7 @@ interface(`init_read_script_state',`
+@@ -1195,12 +1615,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -36981,7 +36983,7 @@ index 79a45f62e..6ed0c399a 100644
  ')
  
  ########################################
-@@ -1314,6 +1710,24 @@ interface(`init_signal_script',`
+@@ -1314,6 +1729,24 @@ interface(`init_signal_script',`
  
  ########################################
  ## <summary>
@@ -37006,7 +37008,7 @@ index 79a45f62e..6ed0c399a 100644
  ##	Send null signals to init scripts.
  ## </summary>
  ## <param name="domain">
-@@ -1440,6 +1854,27 @@ interface(`init_dbus_send_script',`
+@@ -1440,6 +1873,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -37034,7 +37036,7 @@ index 79a45f62e..6ed0c399a 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1547,6 +1982,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1547,6 +2001,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -37060,7 +37062,7 @@ index 79a45f62e..6ed0c399a 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1605,6 +2059,42 @@ interface(`init_rw_script_tmp_files',`
+@@ -1605,6 +2078,42 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -37103,7 +37105,7 @@ index 79a45f62e..6ed0c399a 100644
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1677,6 +2167,43 @@ interface(`init_read_utmp',`
+@@ -1677,6 +2186,43 @@ interface(`init_read_utmp',`
  
  ########################################
  ## <summary>
@@ -37147,7 +37149,7 @@ index 79a45f62e..6ed0c399a 100644
  ##	Do not audit attempts to write utmp.
  ## </summary>
  ## <param name="domain">
-@@ -1765,7 +2292,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1765,7 +2311,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -37156,7 +37158,7 @@ index 79a45f62e..6ed0c399a 100644
  ')
  
  ########################################
-@@ -1806,27 +2333,154 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1806,30 +2352,157 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
  ')
  
@@ -37193,8 +37195,9 @@ index 79a45f62e..6ed0c399a 100644
  ## <summary>
 -##	Allow the specified domain to connect to daemon with a udp socket
 +##  Allow listing of the /run/systemd directory.
-+## </summary>
+ ## </summary>
-+## <param name="domain">
+ ## <param name="domain">
+-##	<summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
@@ -37320,10 +37323,13 @@ index 79a45f62e..6ed0c399a 100644
 +########################################
 +## <summary>
 +##	Allow the specified domain to connect to daemon with a udp socket
- ## </summary>
++## </summary>
- ## <param name="domain">
++## <param name="domain">
- ##	<summary>
++##	<summary>
-@@ -1840,3 +2494,583 @@ interface(`init_udp_recvfrom_all_daemons',`
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+@@ -1840,3 +2513,584 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -37907,6 +37913,7 @@ index 79a45f62e..6ed0c399a 100644
 +	files_search_var_lib($1)
 +    allow $1 init_var_lib_t:dir search_dir_perms;
 +')
++
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
 index 17eda2480..cc1720cf2 100644
 --- a/policy/modules/system/init.te
@@ -58272,7 +58279,7 @@ index f4ac38dc7..1589d6065 100644
 +	ssh_signal(confined_admindomain)
 +')
 diff --git a/policy/policy_capabilities b/policy/policy_capabilities
-index db3cbca45..40fd5a518 100644
+index db3cbca45..3cc5cf448 100644
 --- a/policy/policy_capabilities
 +++ b/policy/policy_capabilities
 @@ -31,3 +31,21 @@ policycap network_peer_controls;
@@ -58294,7 +58301,7 @@ index db3cbca45..40fd5a518 100644
 +# Checks enabled;
 +# process2: nnp_transition, nosuid_transition
 +#
-+#policycap nnp_nosuid_transition;
++policycap nnp_nosuid_transition;
 +
 +
 diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt

policy-rawhide-contrib.patch

@@ -5615,7 +5615,7 @@ index f6eb4851f..3628a384f 100644
 +    allow $1 httpd_t:process { noatsecure };
  ')
 diff --git a/apache.te b/apache.te
-index 6649962b6..513f68674 100644
+index 6649962b6..1362c1bc9 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@@ -7796,7 +7796,7 @@ index 6649962b6..513f68674 100644
  ')
  
  ########################################
-@@ -1330,49 +1633,41 @@ optional_policy(`
+@@ -1330,49 +1633,42 @@ optional_policy(`
  # User content local policy
  #
  
@@ -7836,6 +7836,7 @@ index 6649962b6..513f68674 100644
 -	fs_exec_nfs_files(httpd_user_script_t)
 +	read_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
 +	read_lnk_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
++    allow httpd_t httpd_sys_content_type:file map;
  ')
  
  tunable_policy(`httpd_read_user_content',`
@@ -7863,7 +7864,7 @@ index 6649962b6..513f68674 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1677,109 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1678,109 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -10711,10 +10712,18 @@ index c723a0ae0..1c29d21e7 100644
 +	allow $1 bluetooth_unit_file_t:service all_service_perms;
  ')
 diff --git a/bluetooth.te b/bluetooth.te
-index 851769e55..45de12d70 100644
+index 851769e55..53e2283cb 100644
 --- a/bluetooth.te
 +++ b/bluetooth.te
-@@ -49,12 +49,15 @@ files_type(bluetooth_var_lib_t)
+@@ -10,6 +10,7 @@ attribute_role bluetooth_helper_roles;
+ type bluetooth_t;
+ type bluetooth_exec_t;
+ init_daemon_domain(bluetooth_t, bluetooth_exec_t)
++init_nnp_daemon_domain(bluetooth_t)
+ 
+ type bluetooth_conf_t;
+ files_config_file(bluetooth_conf_t)
+@@ -49,12 +50,15 @@ files_type(bluetooth_var_lib_t)
  type bluetooth_var_run_t;
  files_pid_file(bluetooth_var_run_t)
  
@@ -10731,7 +10740,7 @@ index 851769e55..45de12d70 100644
  dontaudit bluetooth_t self:capability sys_tty_config;
  allow bluetooth_t self:process { getcap setcap getsched signal_perms };
  allow bluetooth_t self:fifo_file rw_fifo_file_perms;
-@@ -78,10 +81,12 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
+@@ -78,10 +82,12 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
  
  manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
  manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
@@ -10745,7 +10754,7 @@ index 851769e55..45de12d70 100644
  files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } )
  
  manage_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t)
-@@ -90,27 +95,37 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
+@@ -90,27 +96,37 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
  
  can_exec(bluetooth_t, bluetooth_helper_exec_t)
  
@@ -10788,7 +10797,7 @@ index 851769e55..45de12d70 100644
  
  fs_getattr_all_fs(bluetooth_t)
  fs_search_auto_mountpoints(bluetooth_t)
-@@ -122,7 +137,6 @@ auth_use_nsswitch(bluetooth_t)
+@@ -122,7 +138,6 @@ auth_use_nsswitch(bluetooth_t)
  
  logging_send_syslog_msg(bluetooth_t)
  
@@ -10796,7 +10805,7 @@ index 851769e55..45de12d70 100644
  miscfiles_read_fonts(bluetooth_t)
  miscfiles_read_hwdata(bluetooth_t)
  
-@@ -130,6 +144,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+@@ -130,6 +145,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
  userdom_dontaudit_use_user_terminals(bluetooth_t)
  userdom_dontaudit_search_user_home_dirs(bluetooth_t)
  
@@ -10807,7 +10816,7 @@ index 851769e55..45de12d70 100644
  optional_policy(`
  	dbus_system_bus_client(bluetooth_t)
  	dbus_connect_system_bus(bluetooth_t)
-@@ -200,7 +218,6 @@ dev_read_urand(bluetooth_helper_t)
+@@ -200,7 +219,6 @@ dev_read_urand(bluetooth_helper_t)
  domain_read_all_domains_state(bluetooth_helper_t)
  
  files_read_etc_runtime_files(bluetooth_helper_t)
@@ -17226,6 +17235,222 @@ index 000000000..2357f3ba8
 +optional_policy(`
 +	unconfined_domain(conman_unconfined_script_t)
 +')
+diff --git a/conntrackd.fc b/conntrackd.fc
+new file mode 100644
+index 000000000..c743543cc
+--- /dev/null
++++ b/conntrackd.fc
+@@ -0,0 +1,11 @@
++/usr/lib/systemd/system/conntrackd.*    --  gen_context(system_u:object_r:conntrackd_unit_file_t,s0)
++
++/usr/sbin/conntrackd    --  gen_context(system_u:object_r:conntrackd_exec_t,s0)
++
++/etc/conntrackd(/.*)?		gen_context(system_u:object_r:conntrackd_conf_t,s0)
++
++/var/log/conntrackd.log		gen_context(system_u:object_r:conntrackd_log_t,s0)     
++
++/var/lock/conntrack.lock	gen_context(system_u:object_r:conntrackd_var_lock_t,s0)
++
++/run/conntrackd.ctl	-s	gen_context(system_u:object_r:conntrackd_var_run_t,s0)
+diff --git a/conntrackd.if b/conntrackd.if
+new file mode 100644
+index 000000000..601b56a46
+--- /dev/null
++++ b/conntrackd.if
+@@ -0,0 +1,118 @@
++## <summary>Conntrackd connection tracking service</summary>
++
++########################################
++## <summary>
++##	Read the configuration files for conntrackd.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`conntrackd_read_config',`
++	gen_require(`
++		type conntrackd_conf_t;
++	')
++
++	files_search_etc($1)
++	allow $1 conntrackd_conf_t:dir list_dir_perms;
++	read_files_pattern($1, conntrackd_conf_t, conntrackd_conf_t)
++	read_lnk_files_pattern($1, conntrackd_conf_t, conntrackd_conf_t)
++')
++
++########################################
++## <summary>
++##	Connect to conntrackd over an unix stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`conntrackd_stream_connect',`
++	gen_require(`
++		type conntrackd_t, conntrackd_var_run_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, conntrackd_var_run_t, conntrackd_var_run_t, conntrackd_t)
++')
++
++#######################################
++## <summary>
++##  Execute conntrackd services in the conntrackd domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed to transition.
++##  </summary>
++## </param>
++#
++interface(`conntrackd_systemctl',`
++    gen_require(`
++        type conntrackd_t;
++        type conntrackd_unit_file_t;
++    ')
++
++        systemd_exec_systemctl($1)
++	init_reload_services($1)
++        allow $1 conntrackd_unit_file_t:file read_file_perms;
++        allow $1 conntrackd_unit_file_t:service manage_service_perms;
++
++        ps_process_pattern($1, conntrackd_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an conntrackd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed to manage the conntrackd domain.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`conntrackd_admin',`
++	gen_require(`
++		type conntrackd_t, conntrackd_tmp_t, conntrackd_log_t;
++		type conntrackd_conf_t, conntrackd_var_run_t, conntrackd_initrc_exec_t;
++	')
++
++	allow $1 conntrackd_t:process signal_perms;
++	ps_process_pattern($1, conntrackd_t)
++
++	tunable_policy(`deny_ptrace',`',`
++		allow $1 conntrackd_t:process ptrace;
++	')
++
++	init_labeled_script_domtrans($1, conntrackd_initrc_exec_t)
++	domain_system_change_exemption($1)
++	role_transition $2 conntrackd_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	files_list_etc($1)
++	admin_pattern($1, conntrackd_conf_t)
++
++	logging_list_logs($1)
++	admin_pattern($1, conntrackd_log_t)
++
++	files_list_tmp($1)
++	admin_pattern($1, conntrackd_tmp_t)
++
++	files_list_pids($1)
++	admin_pattern($1, conntrackd_var_run_t)
++
++    conntrackd_systemctl($1)
++    admin_pattern($1, conntrackd_unit_file_t)
++    allow $1 conntrackd_unit_file_t:service all_service_perms;
++')
+diff --git a/conntrackd.te b/conntrackd.te
+new file mode 100644
+index 000000000..72e0d23db
+--- /dev/null
++++ b/conntrackd.te
+@@ -0,0 +1,69 @@
++policy_module(conntrackd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type conntrackd_t;
++type conntrackd_exec_t;
++init_daemon_domain(conntrackd_t, conntrackd_exec_t)
++
++type conntrackd_conf_t;
++files_config_file(conntrackd_conf_t)
++
++type conntrackd_initrc_exec_t;
++init_script_file(conntrackd_initrc_exec_t)
++
++type conntrackd_unit_file_t;
++systemd_unit_file(conntrackd_unit_file_t)
++
++type conntrackd_log_t;
++logging_log_file(conntrackd_log_t)
++
++type conntrackd_var_run_t;
++files_pid_file(conntrackd_var_run_t)
++
++type conntrackd_var_lock_t;
++files_lock_file(conntrackd_var_lock_t)
++
++########################################
++#
++# Local policy
++#
++#
++
++allow conntrackd_t self:capability { sys_nice };
++allow conntrackd_t self:netlink_route_socket rw_netlink_socket_perms;
++allow conntrackd_t self:netlink_netfilter_socket create_socket_perms;
++allow conntrackd_t self:udp_socket create_socket_perms;
++allow conntrackd_t self:unix_dgram_socket create_socket_perms;
++allow conntrackd_t self:process { setsched signal };
++
++allow conntrackd_t conntrackd_conf_t:dir list_dir_perms;
++read_files_pattern(conntrackd_t, conntrackd_conf_t, conntrackd_conf_t)
++read_lnk_files_pattern(conntrackd_t, conntrackd_conf_t, conntrackd_conf_t)
++
++allow conntrackd_t conntrackd_log_t:dir setattr_dir_perms;
++manage_files_pattern(conntrackd_t, conntrackd_log_t, conntrackd_log_t)
++manage_sock_files_pattern(conntrackd_t, conntrackd_log_t, conntrackd_log_t)
++logging_log_filetrans(conntrackd_t, conntrackd_log_t, { sock_file file dir })
++
++manage_dirs_pattern(conntrackd_t, conntrackd_var_run_t, conntrackd_var_run_t)
++manage_files_pattern(conntrackd_t, conntrackd_var_run_t, conntrackd_var_run_t)
++manage_sock_files_pattern(conntrackd_t, conntrackd_var_run_t, conntrackd_var_run_t)
++files_pid_filetrans(conntrackd_t, conntrackd_var_run_t, { dir file sock_file })
++
++manage_dirs_pattern(conntrackd_t, conntrackd_var_lock_t, conntrackd_var_lock_t)
++manage_files_pattern(conntrackd_t, conntrackd_var_lock_t, conntrackd_var_lock_t)
++
++files_lock_filetrans(conntrackd_t, conntrackd_var_lock_t, { dir file sock_file })
++
++kernel_read_network_state(conntrackd_t)
++corenet_udp_sendrecv_generic_if(conntrackd_t)
++corenet_udp_sendrecv_generic_node(conntrackd_t)
++corenet_udp_sendrecv_all_ports(conntrackd_t)
++corenet_udp_bind_generic_node(conntrackd_t)
++
++corenet_udp_bind_conntrackd_port(conntrackd_t)
++corenet_udp_sendrecv_conntrackd_port(conntrackd_t)
 diff --git a/consolekit.fc b/consolekit.fc
 index 23c95582f..29e5fd38d 100644
 --- a/consolekit.fc
@@ -30223,10 +30448,18 @@ index 8081132cd..4fb5a13bc 100644
 +	allow $1 fprintd_var_lib_t:dir mounton;
 +')
 diff --git a/fprintd.te b/fprintd.te
-index 92a6479a2..f064c940d 100644
+index 92a6479a2..f0ef28ef4 100644
 --- a/fprintd.te
 +++ b/fprintd.te
-@@ -18,25 +18,29 @@ files_type(fprintd_var_lib_t)
+@@ -8,6 +8,7 @@ policy_module(fprintd, 1.2.0)
+ type fprintd_t;
+ type fprintd_exec_t;
+ init_daemon_domain(fprintd_t, fprintd_exec_t)
++init_nnp_daemon_domain(fprintd_t)
+ 
+ type fprintd_var_lib_t;
+ files_type(fprintd_var_lib_t)
+@@ -18,25 +19,29 @@ files_type(fprintd_var_lib_t)
  #
  
  allow fprintd_t self:capability sys_nice;
@@ -30259,7 +30492,7 @@ index 92a6479a2..f064c940d 100644
  
  userdom_use_user_ptys(fprintd_t)
  userdom_read_all_users_state(fprintd_t)
-@@ -54,8 +58,21 @@ optional_policy(`
+@@ -54,8 +59,21 @@ optional_policy(`
  	')
  ')
  
@@ -69170,7 +69403,7 @@ index 9b157305b..cb00f200a 100644
 +	')
  ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 44dbc99ab..9e70db7ef 100644
+index 44dbc99ab..d11c99a93 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
 @@ -9,11 +9,8 @@ type openvswitch_t;
@@ -69202,7 +69435,7 @@ index 44dbc99ab..9e70db7ef 100644
  
 -allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock };
 -allow openvswitch_t self:process { setrlimit setsched signal };
-+allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid };
++allow openvswitch_t self:capability { dac_override net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid };
 +allow openvswitch_t self:capability2 block_suspend;
 +allow openvswitch_t self:process { fork setsched setrlimit signal setcap };
  allow openvswitch_t self:fifo_file rw_fifo_file_perms;
@@ -69236,7 +69469,7 @@ index 44dbc99ab..9e70db7ef 100644
  manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
  logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
  
-@@ -63,35 +67,59 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+@@ -63,35 +67,63 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
  manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
  manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
  manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
@@ -69294,11 +69527,15 @@ index 44dbc99ab..9e70db7ef 100644
  
  sysnet_dns_name_resolve(openvswitch_t)
  
- optional_policy(`
++logging_send_audit_msgs(openvswitch_t)
++
++write_sock_files_pattern(init_t, openvswitch_var_run_t, openvswitch_var_run_t)
++
++optional_policy(`
 +    hostname_exec(openvswitch_t)
 +')
 +
-+optional_policy(`
+ optional_policy(`
  	iptables_domtrans(openvswitch_t)
  ')
 +
@@ -76903,7 +77140,7 @@ index ded95ec3a..210018ce4 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
  ')
 diff --git a/postfix.te b/postfix.te
-index 5cfb83eca..6835f1e58 100644
+index 5cfb83eca..657a4346e 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
@@ -77180,12 +77417,13 @@ index 5cfb83eca..6835f1e58 100644
  corenet_all_recvfrom_netlabel(postfix_master_t)
  corenet_tcp_sendrecv_generic_if(postfix_master_t)
  corenet_udp_sendrecv_generic_if(postfix_master_t)
-@@ -270,50 +175,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+@@ -270,50 +175,45 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
  corenet_udp_sendrecv_generic_node(postfix_master_t)
  corenet_tcp_sendrecv_all_ports(postfix_master_t)
  corenet_udp_sendrecv_all_ports(postfix_master_t)
 +corenet_udp_bind_generic_node(postfix_master_t)
 +corenet_udp_bind_all_unreserved_ports(postfix_master_t)
++corenet_tcp_bind_all_unreserved_ports(postfix_master_t)
 +corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
  corenet_tcp_bind_generic_node(postfix_master_t)
 -
@@ -77249,7 +77487,7 @@ index 5cfb83eca..6835f1e58 100644
  optional_policy(`
  	cyrus_stream_connect(postfix_master_t)
  ')
-@@ -324,14 +223,6 @@ optional_policy(`
+@@ -324,14 +224,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -77264,7 +77502,7 @@ index 5cfb83eca..6835f1e58 100644
  	postgrey_search_spool(postfix_master_t)
  ')
  
-@@ -341,12 +232,14 @@ optional_policy(`
+@@ -341,12 +233,14 @@ optional_policy(`
  
  ########################################
  #
@@ -77281,7 +77519,7 @@ index 5cfb83eca..6835f1e58 100644
  
  manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
  manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
-@@ -363,74 +256,89 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+@@ -363,74 +257,89 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
  
  ########################################
  #
@@ -77392,7 +77630,7 @@ index 5cfb83eca..6835f1e58 100644
  ')
  
  optional_policy(`
-@@ -442,16 +350,25 @@ optional_policy(`
+@@ -442,16 +351,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -77418,7 +77656,7 @@ index 5cfb83eca..6835f1e58 100644
  	procmail_domtrans(postfix_local_t)
  ')
  
-@@ -466,15 +383,17 @@ optional_policy(`
+@@ -466,15 +384,17 @@ optional_policy(`
  
  ########################################
  #
@@ -77443,7 +77681,7 @@ index 5cfb83eca..6835f1e58 100644
  
  manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
  manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-@@ -484,14 +403,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -484,14 +404,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
  kernel_dontaudit_list_proc(postfix_map_t)
  kernel_dontaudit_read_system_state(postfix_map_t)
  
@@ -77463,7 +77701,7 @@ index 5cfb83eca..6835f1e58 100644
  
  corecmd_list_bin(postfix_map_t)
  corecmd_read_bin_symlinks(postfix_map_t)
-@@ -500,7 +420,6 @@ corecmd_read_bin_pipes(postfix_map_t)
+@@ -500,7 +421,6 @@ corecmd_read_bin_pipes(postfix_map_t)
  corecmd_read_bin_sockets(postfix_map_t)
  
  files_list_home(postfix_map_t)
@@ -77471,7 +77709,7 @@ index 5cfb83eca..6835f1e58 100644
  files_read_etc_runtime_files(postfix_map_t)
  files_dontaudit_search_var(postfix_map_t)
  
-@@ -508,21 +427,24 @@ auth_use_nsswitch(postfix_map_t)
+@@ -508,21 +428,24 @@ auth_use_nsswitch(postfix_map_t)
  
  logging_send_syslog_msg(postfix_map_t)
  
@@ -77499,7 +77737,7 @@ index 5cfb83eca..6835f1e58 100644
  stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
  
  rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-@@ -532,21 +454,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+@@ -532,21 +455,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
  read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
  delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
  
@@ -77525,7 +77763,7 @@ index 5cfb83eca..6835f1e58 100644
  
  write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
  
-@@ -557,6 +479,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+@@ -557,6 +480,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
  corecmd_exec_bin(postfix_pipe_t)
  
  optional_policy(`
@@ -77536,7 +77774,7 @@ index 5cfb83eca..6835f1e58 100644
  	dovecot_domtrans_deliver(postfix_pipe_t)
  ')
  
-@@ -584,19 +510,28 @@ optional_policy(`
+@@ -584,19 +511,28 @@ optional_policy(`
  
  ########################################
  #
@@ -77570,7 +77808,7 @@ index 5cfb83eca..6835f1e58 100644
  
  term_dontaudit_use_all_ptys(postfix_postdrop_t)
  term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -611,10 +546,7 @@ optional_policy(`
+@@ -611,10 +547,7 @@ optional_policy(`
  	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
  ')
  
@@ -77582,7 +77820,7 @@ index 5cfb83eca..6835f1e58 100644
  optional_policy(`
  	fstools_read_pipes(postfix_postdrop_t)
  ')
-@@ -629,17 +561,24 @@ optional_policy(`
+@@ -629,17 +562,24 @@ optional_policy(`
  
  #######################################
  #
@@ -77610,7 +77848,7 @@ index 5cfb83eca..6835f1e58 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -655,69 +594,80 @@ optional_policy(`
+@@ -655,69 +595,80 @@ optional_policy(`
  
  ########################################
  #
@@ -77708,7 +77946,7 @@ index 5cfb83eca..6835f1e58 100644
  ')
  
  optional_policy(`
-@@ -730,28 +680,32 @@ optional_policy(`
+@@ -730,28 +681,32 @@ optional_policy(`
  
  ########################################
  #
@@ -77749,7 +77987,7 @@ index 5cfb83eca..6835f1e58 100644
  
  optional_policy(`
  	dovecot_stream_connect_auth(postfix_smtpd_t)
-@@ -764,6 +718,7 @@ optional_policy(`
+@@ -764,6 +719,7 @@ optional_policy(`
  
  optional_policy(`
  	milter_stream_connect_all(postfix_smtpd_t)
@@ -77757,7 +77995,7 @@ index 5cfb83eca..6835f1e58 100644
  ')
  
  optional_policy(`
-@@ -774,31 +729,101 @@ optional_policy(`
+@@ -774,31 +730,101 @@ optional_policy(`
  	sasl_connect(postfix_smtpd_t)
  ')
  
@@ -91351,7 +91589,7 @@ index 6dbc905b3..42e4306c8 100644
 -	admin_pattern($1, rhsmcertd_lock_t)
  ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a279..b79ae3194 100644
+index d32e1a279..795cd3890 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
 @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
@@ -91392,7 +91630,7 @@ index d32e1a279..b79ae3194 100644
  manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
  manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
  
-@@ -50,25 +56,94 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+@@ -50,25 +56,98 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
  files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
  
  kernel_read_network_state(rhsmcertd_t)
@@ -91468,6 +91706,10 @@ index d32e1a279..b79ae3194 100644
 +')
 +
 +optional_policy(`
++    snmp_signull(rhsmcertd_t)
++')
++
++optional_policy(`
 +    sosreport_signull(rhsmcertd_t)
 +')
 +
@@ -92393,7 +92635,7 @@ index 13f788fd5..10e203301 100644
 +	allow $1 rngd_unit_file_t:service all_service_perms;
  ')
 diff --git a/rngd.te b/rngd.te
-index a7b7717b7..41bca3bb8 100644
+index a7b7717b7..cdf68a3ae 100644
 --- a/rngd.te
 +++ b/rngd.te
 @@ -12,6 +12,9 @@ init_daemon_domain(rngd_t, rngd_exec_t)
@@ -92406,7 +92648,7 @@ index a7b7717b7..41bca3bb8 100644
  type rngd_var_run_t;
  files_pid_file(rngd_var_run_t)
  
-@@ -34,9 +37,7 @@ dev_read_rand(rngd_t)
+@@ -34,9 +37,8 @@ dev_read_rand(rngd_t)
  dev_read_urand(rngd_t)
  dev_rw_tpm(rngd_t)
  dev_write_rand(rngd_t)
@@ -92417,6 +92659,7 @@ index a7b7717b7..41bca3bb8 100644
  logging_send_syslog_msg(rngd_t)
  
 -miscfiles_read_localization(rngd_t)
++term_use_usb_ttys(rngd_t)
 diff --git a/rolekit.fc b/rolekit.fc
 new file mode 100644
 index 000000000..504b6e13e
@@ -104054,10 +104297,10 @@ index cbfe369a6..6594af373 100644
  	files_search_var_lib($1)
 diff --git a/snapper.fc b/snapper.fc
 new file mode 100644
-index 000000000..34f7846b3
+index 000000000..b4e0699bc
 --- /dev/null
 +++ b/snapper.fc
-@@ -0,0 +1,16 @@
+@@ -0,0 +1,15 @@
 +/usr/sbin/snapperd		--	gen_context(system_u:object_r:snapperd_exec_t,s0)
 +
 +/usr/lib/snapper/systemd-helper		--	gen_context(system_u:object_r:snapperd_exec_t,s0)
@@ -104072,8 +104315,7 @@ index 000000000..34f7846b3
 +/usr/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
 +/var/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
 +/etc/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
-+/home/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
++HOME_ROOT/(.*/)?\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
-+/home/(.*/)?\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
 diff --git a/snapper.if b/snapper.if
 new file mode 100644
 index 000000000..88490d5c6
@@ -104296,10 +104538,35 @@ index 2f0a2f205..1569e3369 100644
 +/var/run/snmpd(/.*)?		gen_context(system_u:object_r:snmpd_var_run_t,s0)
  /var/run/snmpd\.pid	--	gen_context(system_u:object_r:snmpd_var_run_t,s0)
 diff --git a/snmp.if b/snmp.if
-index 7a9cc9df7..23cb6589e 100644
+index 7a9cc9df7..6085a4160 100644
 --- a/snmp.if
 +++ b/snmp.if
-@@ -57,8 +57,7 @@ interface(`snmp_udp_chat',`
+@@ -2,6 +2,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Send null signals to snmp.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`snmp_signull',`
++	gen_require(`
++		type snmpd_t;
++	')
++
++	allow $1 snmpd_t:process signull;
++')
++
++########################################
++## <summary>
+ ##	Connect to snmpd with a unix
+ ##	domain stream socket.
+ ## </summary>
+@@ -57,8 +75,7 @@ interface(`snmp_udp_chat',`
  
  ########################################
  ## <summary>
@@ -104309,7 +104576,7 @@ index 7a9cc9df7..23cb6589e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -66,19 +65,57 @@ interface(`snmp_udp_chat',`
+@@ -66,19 +83,57 @@ interface(`snmp_udp_chat',`
  ##	</summary>
  ## </param>
  #
@@ -104370,7 +104637,7 @@ index 7a9cc9df7..23cb6589e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -98,7 +135,7 @@ interface(`snmp_manage_var_lib_files',`
+@@ -98,7 +153,7 @@ interface(`snmp_manage_var_lib_files',`
  
  ########################################
  ## <summary>
@@ -104379,7 +104646,7 @@ index 7a9cc9df7..23cb6589e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -106,14 +143,35 @@ interface(`snmp_manage_var_lib_files',`
+@@ -106,14 +161,35 @@ interface(`snmp_manage_var_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -104418,7 +104685,7 @@ index 7a9cc9df7..23cb6589e 100644
  ')
  
  ########################################
-@@ -179,8 +237,12 @@ interface(`snmp_admin',`
+@@ -179,8 +255,12 @@ interface(`snmp_admin',`
  		type snmpd_var_lib_t, snmpd_var_run_t;
  	')
  
@@ -112448,10 +112715,10 @@ index 000000000..e5cec8fda
 +')
 diff --git a/tomcat.te b/tomcat.te
 new file mode 100644
-index 000000000..d503f1b51
+index 000000000..6db6edad3
 --- /dev/null
 +++ b/tomcat.te
-@@ -0,0 +1,124 @@
+@@ -0,0 +1,126 @@
 +policy_module(tomcat, 1.0.0)
 +
 +########################################
@@ -112509,7 +112776,7 @@ index 000000000..d503f1b51
 +# tomcat domain local policy
 +#
 +
-+allow tomcat_t self:capability {  setuid kill };
++allow tomcat_t self:capability { setuid kill };
 +
 +allow tomcat_t self:process { execmem setcap setsched signal signull };
 +
@@ -112523,6 +112790,7 @@ index 000000000..d503f1b51
 +
 +kernel_read_network_state(tomcat_domain)
 +kernel_read_net_sysctls(tomcat_domain)
++kernel_read_usermodehelper_state(tomcat_domain)
 +
 +corecmd_exec_bin(tomcat_domain)
 +corecmd_exec_shell(tomcat_domain)
@@ -112544,6 +112812,7 @@ index 000000000..d503f1b51
 +corenet_tcp_connect_unreserved_ports(tomcat_domain)
 +corenet_tcp_connect_mssql_port(tomcat_domain)
 +corenet_tcp_connect_mysqld_port(tomcat_domain)
++corenet_tcp_bind_jboss_management_port(tomcat_domain)
 +
 +dev_read_rand(tomcat_domain)
 +dev_read_urand(tomcat_domain)
@@ -112660,7 +112929,7 @@ index 61c2e07d6..3b860953c 100644
 +	')
  ')
 diff --git a/tor.te b/tor.te
-index 5ceacde8c..363931dc2 100644
+index 5ceacde8c..792523bdb 100644
 --- a/tor.te
 +++ b/tor.te
 @@ -13,6 +13,20 @@ policy_module(tor, 1.9.0)
@@ -112704,7 +112973,7 @@ index 5ceacde8c..363931dc2 100644
  
  ########################################
  #
-@@ -48,6 +68,8 @@ allow tor_t tor_etc_t:dir list_dir_perms;
+@@ -48,10 +68,13 @@ allow tor_t tor_etc_t:dir list_dir_perms;
  allow tor_t tor_etc_t:file read_file_perms;
  allow tor_t tor_etc_t:lnk_file read_lnk_file_perms;
  
@@ -112713,7 +112982,12 @@ index 5ceacde8c..363931dc2 100644
  manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
  manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
  manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
-@@ -77,7 +99,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
+ files_var_lib_filetrans(tor_t, tor_var_lib_t, dir)
++allow tor_t tor_var_lib_t:file map;
+ 
+ allow tor_t tor_var_log_t:dir setattr_dir_perms;
+ append_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
+@@ -77,7 +100,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
  corenet_udp_sendrecv_generic_node(tor_t)
  corenet_tcp_bind_generic_node(tor_t)
  corenet_udp_bind_generic_node(tor_t)
@@ -112721,7 +112995,7 @@ index 5ceacde8c..363931dc2 100644
  corenet_sendrecv_dns_server_packets(tor_t)
  corenet_udp_bind_dns_port(tor_t)
  corenet_udp_sendrecv_dns_port(tor_t)
-@@ -85,6 +106,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
+@@ -85,6 +107,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
  corenet_sendrecv_tor_server_packets(tor_t)
  corenet_tcp_bind_tor_port(tor_t)
  corenet_tcp_sendrecv_tor_port(tor_t)
@@ -112729,7 +113003,7 @@ index 5ceacde8c..363931dc2 100644
  
  corenet_sendrecv_all_client_packets(tor_t)
  corenet_tcp_connect_all_ports(tor_t)
-@@ -98,19 +120,26 @@ dev_read_urand(tor_t)
+@@ -98,19 +121,26 @@ dev_read_urand(tor_t)
  domain_use_interactive_fds(tor_t)
  
  files_read_etc_runtime_files(tor_t)

selinux-policy.spec

@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 295%{?dist}
+Release: 296%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -722,6 +722,16 @@ exit 0
 %endif
 
 %changelog
+* Tue Oct 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-296
+- Merge pull request #19 from RodrigoQuesadaDev/snapper-fix-1
+- Allow httpd_t domain to mmap httpd_user_content_t files. BZ(1494852)
+- Add nnp transition rule for services using NoNewPrivileges systemd feature
+- Add map permission into dev_rw_infiniband_dev() interface to allow caller domain mmap infiniband chr device BZ(1500923)
+- Add init_nnp_daemon_domain interface
+- Allow nnp transition capability
+- Merge pull request #204 from konradwilk/rhbz1484908
+- Label postgresql-check-db-dir as postgresql_exec_t
+
 * Tue Oct 10 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-295
 - Allow boinc_t to mmap files with label boinc_project_var_lib_t BZ(1500088)
 - Allow fail2ban_t domain to mmap journals. BZ(1500089)