* Mon Jul 11 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-201

- Allow lttng tools to block suspending - Allow creation of vpnaas in openstack - remove rules with compromised_kernel permission - Allow dnssec-trigger to chat with NetworkManager over DBUS BZ(1350100) - Allow virtual machines to rw infiniband devices. Resolves: rhbz#1210263 - Update makefile to support snapperd_contexts file - Remove compromize_kernel permission Remove unused mac_admin permission Add undefined system permission - Remove duplicate declaration of class service - Fix typo in access_vectors file - Merge branch 'rawhide-base-modules-load' into rawhide-base - Add new policy for systemd-modules-load - Add systemd access vectors. - Revert "Revert "Revert "Missed this version of exec_all""" - Revert "Revert "Missed this version of exec_all"" - Revert "Missed this version of exec_all" - Revert "Revert "Fix name of capability2 secure_firmware->compromise_kernel"" BZ(1351624) This reverts commit 3e0e7e70de481589440f3f79cccff08d6e62f644. - Revert "Fix name of capability2 secure_firmware->compromise_kernel" BZ(1351624) This reverts commit 7a0348a2d167a72c8ab8974a1b0fc33407f72c48. - Revert "Allow xserver to compromise_kernel access"BZ(1351624) - Revert "Allow anyone who can load a kernel module to compromise_kernel"BZ(1351624) - Revert "add ptrace_child access to process" (BZ1351624) - Add user namespace capability object classes. - Allow udev to manage systemd-hwdb files - Add interface systemd_hwdb_manage_config() - Fix paths to infiniband devices. This allows use more then two infiniband interfaces. - corecmd: Remove fcontext for /etc/sysconfig/libvirtd - iptables: add fcontext for nftables
2016-07-11 16:49:35 +02:00 · 2016-07-11 16:49:35 +02:00 · 1ad8909907
commit 1ad8909907
parent c3183ad46d
4 changed files with 306 additions and 127 deletions
--- a/docker-selinux.tgz
+++ b/docker-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -1,5 +1,5 @@
 diff --git a/Makefile b/Makefile
-index ec7b5cb..a027110 100644
+index ec7b5cb..e2936c6 100644
 --- a/Makefile
 +++ b/Makefile
@@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule
@ -15,7 +15,7 @@ index ec7b5cb..a027110 100644
 user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
 user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
 -appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_domain_context virtual_image_context) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
-+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context lxc_contexts openssh_contexts systemd_contexts) $(contextpath)/files/media $(user_default_contexts_names)
+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context lxc_contexts openssh_contexts systemd_contexts snapperd_contexts) $(contextpath)/files/media $(user_default_contexts_names)
 net_contexts := $(builddir)net_contexts
 all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
@ -877,47 +877,150 @@ index 3a45f23..ee7d7b3 100644
 constrain socket_class_set { create relabelto relabelfrom } 
 (
 diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index a94b169..2e137e6 100644
+index a94b169..7c036a8 100644
 --- a/policy/flask/access_vectors
 +++ b/policy/flask/access_vectors
-@@ -329,6 +329,7 @@ class process
+@@ -121,6 +121,60 @@ common x_device
 	execheap
 	setkeycreate
 	setsockcreate
 +	ptrace_child
 }
- 
+ #
-@@ -393,6 +394,13 @@ class system
+# Define a common for capability access vectors.
 +#
 +common cap
 +{
 +	# The capabilities are defined in include/linux/capability.h
 +	# Capabilities >= 32 are defined in the cap2 common.
 +	# Care should be taken to ensure that these are consistent with
 +	# those definitions. (Order matters)
 +
 +	chown
 +	dac_override
 +	dac_read_search
 +	fowner
 +	fsetid
 +	kill
 +	setgid
 +	setuid
 +	setpcap
 +	linux_immutable
 +	net_bind_service
 +	net_broadcast
 +	net_admin
 +	net_raw
 +	ipc_lock
 +	ipc_owner
 +	sys_module
 +	sys_rawio
 +	sys_chroot
 +	sys_ptrace
 +	sys_pacct
 +	sys_admin
 +	sys_boot
 +	sys_nice
 +	sys_resource
 +	sys_time
 +	sys_tty_config
 +	mknod
 +	lease
 +	audit_write
 +	audit_control
 +	setfcap
 +}
 +
 +common cap2
 +{
 +	mac_override	# unused by SELinux
 +	mac_admin	# unused by SELinux
 +	syslog
 +	wake_alarm
 +	block_suspend
 +	audit_read
 +}
 +
 +#
 # Define the access vectors.
 #
 # class class_name [ inherits common_name ] { permission_name ... }
@@ -393,62 +447,31 @@ class system
 	syslog_mod
 	syslog_console
 	module_request
 +	# these are overloaded userspace
 +	# permissions from systemd
 +	halt
 +	reboot
 +	status
-+	undefined
+	start
 +	stop
 +	enable
 +	disable
 +	reload
 +	undefined
 }
 #
-@@ -443,10 +451,13 @@ class capability
+-# Define the access vector interpretation for controling capabilies
- class capability2 
+# Define the access vector interpretation for controlling capabilities
 #
 class capability
 -{
 -	# The capabilities are defined in include/linux/capability.h
 -	# Capabilities >= 32 are defined in the capability2 class.
 -	# Care should be taken to ensure that these are consistent with
 -	# those definitions. (Order matters)
 +inherits cap
 -	chown           
 -	dac_override    
 -	dac_read_search 
 -	fowner          
 -	fsetid          
 -	kill            
 -	setgid           
 -	setuid           
 -	setpcap          
 -	linux_immutable  
 -	net_bind_service 
 -	net_broadcast    
 -	net_admin        
 -	net_raw          
 -	ipc_lock         
 -	ipc_owner        
 -	sys_module       
 -	sys_rawio        
 -	sys_chroot       
 -	sys_ptrace       
 -	sys_pacct        
 -	sys_admin        
 -	sys_boot         
 -	sys_nice         
 -	sys_resource     
 -	sys_time         
 -	sys_tty_config  
 -	mknod
 -	lease
 -	audit_write
 -	audit_control
 -	setfcap
 -}
 -
 -class capability2 
 +class capability2
 +inherits cap2
 {
- 	mac_override	# unused by SELinux
+-	mac_override	# unused by SELinux
 -	mac_admin	# unused by SELinux
-+	mac_admin
+-	syslog
- 	syslog
+-	wake_alarm
- 	wake_alarm
+-	block_suspend
 +	epolwakeup
 	block_suspend
 +	compromise_kernel
 +	audit_read
 }
- 
+-
 #
-@@ -690,6 +701,8 @@ class nscd
+ # Define the access vector interpretation for controlling
 # changes to passwd information.
@@ -690,6 +713,8 @@ class nscd
 	shmemhost
 	getserv
 	shmemserv
@ -926,7 +1029,7 @@ index a94b169..2e137e6 100644
 }
 # Define the access vector interpretation for controlling
-@@ -831,6 +844,38 @@ inherits socket
+@@ -831,6 +856,38 @@ inherits socket
 	attach_queue
 }
@ -965,7 +1068,7 @@ index a94b169..2e137e6 100644
 class x_pointer
 inherits x_device
-@@ -865,3 +910,18 @@ inherits database
+@@ -865,3 +922,28 @@ inherits database
 	implement
 	execute
 }
@ -984,8 +1087,18 @@ index a94b169..2e137e6 100644
 +{
 +	read
 +}
 +
 +#
 +# Define the access vector interpretation for controlling capabilities
 +# in user namespaces
 +#
 +class cap_userns
 +inherits cap
 +
 +class cap2_userns
 +inherits cap2
 diff --git a/policy/flask/security_classes b/policy/flask/security_classes
-index 14a4799..9bb9aa4 100644
+index 14a4799..6e16f5e 100644
 --- a/policy/flask/security_classes
 +++ b/policy/flask/security_classes
@@ -121,6 +121,18 @@ class kernel_service
@ -1007,7 +1120,7 @@ index 14a4799..9bb9aa4 100644
 # Still More SE-X Windows stuff
 class x_pointer			# userspace
 class x_keyboard		# userspace
-@@ -131,4 +143,11 @@ class db_view			# userspace
+@@ -131,4 +143,15 @@ class db_view			# userspace
 class db_sequence		# userspace
 class db_language		# userspace
@ -1017,6 +1130,10 @@ index 14a4799..9bb9aa4 100644
 +# gssd services 
 +class proxy
 +
 +
 +# Capability checks when on a non-init user namespace
 +class cap_userns
 +class cap2_userns
 +
 # FLASK
 diff --git a/policy/global_booleans b/policy/global_booleans
@ -3537,7 +3654,7 @@ index 7590165..d81185e 100644
 +	fs_mounton_fusefs(seunshare_domain)
 ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 33e0f8d..48f001d 100644
+index 33e0f8d..3437271 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@ -3594,7 +3711,7 @@ index 33e0f8d..48f001d 100644
 /etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:bin_t,s0)
-@@ -101,8 +118,6 @@ ifdef(`distro_redhat',`
+@@ -101,11 +118,8 @@ ifdef(`distro_redhat',`
 /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
@ -3602,8 +3719,11 @@ index 33e0f8d..48f001d 100644
 -
 /etc/sysconfig/crond		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/sysconfig/init		--	gen_context(system_u:object_r:bin_t,s0)
- /etc/sysconfig/libvirtd		--	gen_context(system_u:object_r:bin_t,s0)
+-/etc/sysconfig/libvirtd		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -116,6 +131,9 @@ ifdef(`distro_redhat',`
+ /etc/sysconfig/netconsole	--	gen_context(system_u:object_r:bin_t,s0)
 /etc/sysconfig/readonly-root 	--	gen_context(system_u:object_r:bin_t,s0)
@@ -116,6 +130,9 @@ ifdef(`distro_redhat',`
 /etc/vmware-tools(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@ -3613,7 +3733,7 @@ index 33e0f8d..48f001d 100644
 /etc/X11/xdm/GiveConsole	--	gen_context(system_u:object_r:bin_t,s0)
 /etc/X11/xdm/TakeConsole	--	gen_context(system_u:object_r:bin_t,s0)
 /etc/X11/xdm/Xsetup_0		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -128,6 +146,8 @@ ifdef(`distro_debian',`
+@@ -128,6 +145,8 @@ ifdef(`distro_debian',`
 /etc/mysql/debian-start		--	gen_context(system_u:object_r:bin_t,s0)
 ')
@ -3622,7 +3742,7 @@ index 33e0f8d..48f001d 100644
 #
 # /lib
 #
-@@ -135,10 +155,12 @@ ifdef(`distro_debian',`
+@@ -135,10 +154,12 @@ ifdef(`distro_debian',`
 /lib/nut/.*			--	gen_context(system_u:object_r:bin_t,s0)
 /lib/readahead(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@ -3636,7 +3756,7 @@ index 33e0f8d..48f001d 100644
 ifdef(`distro_gentoo',`
 /lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -149,10 +171,12 @@ ifdef(`distro_gentoo',`
+@@ -149,10 +170,12 @@ ifdef(`distro_gentoo',`
 /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
 ')
@ -3650,7 +3770,7 @@ index 33e0f8d..48f001d 100644
 /sbin/.*				gen_context(system_u:object_r:bin_t,s0)
 /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
 /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -168,6 +192,7 @@ ifdef(`distro_gentoo',`
+@@ -168,6 +191,7 @@ ifdef(`distro_gentoo',`
 /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /opt/google/talkplugin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@ -3658,7 +3778,7 @@ index 33e0f8d..48f001d 100644
 /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -179,34 +204,50 @@ ifdef(`distro_gentoo',`
+@@ -179,34 +203,50 @@ ifdef(`distro_gentoo',`
 /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
 ')
@ -3718,7 +3838,7 @@ index 33e0f8d..48f001d 100644
 /usr/lib/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/gimp/.*/plug-ins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-@@ -218,19 +259,32 @@ ifdef(`distro_gentoo',`
+@@ -218,19 +258,32 @@ ifdef(`distro_gentoo',`
 /usr/lib/mailman/mail(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mediawiki/math/texvc.*		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/misc/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
@ -3758,7 +3878,7 @@ index 33e0f8d..48f001d 100644
 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/exo-1/exo-helper-1 --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/panel/migrate	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -245,26 +299,40 @@ ifdef(`distro_gentoo',`
+@@ -245,26 +298,40 @@ ifdef(`distro_gentoo',`
 /usr/lib/debug/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/debug/usr/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/debug/usr/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
@ -3804,7 +3924,7 @@ index 33e0f8d..48f001d 100644
 /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -280,10 +348,14 @@ ifdef(`distro_gentoo',`
+@@ -280,10 +347,14 @@ ifdef(`distro_gentoo',`
 /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@ -3819,7 +3939,7 @@ index 33e0f8d..48f001d 100644
 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -298,16 +370,22 @@ ifdef(`distro_gentoo',`
+@@ -298,16 +369,22 @@ ifdef(`distro_gentoo',`
 /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
@ -3844,7 +3964,7 @@ index 33e0f8d..48f001d 100644
 ifdef(`distro_debian',`
 /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -325,20 +403,27 @@ ifdef(`distro_redhat', `
+@@ -325,20 +402,27 @@ ifdef(`distro_redhat', `
 /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
 /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
@ -3873,7 +3993,7 @@ index 33e0f8d..48f001d 100644
 /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -346,6 +431,7 @@ ifdef(`distro_redhat', `
+@@ -346,6 +430,7 @@ ifdef(`distro_redhat', `
 /usr/share/ssl/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
@ -3881,7 +4001,7 @@ index 33e0f8d..48f001d 100644
 /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
-@@ -387,17 +473,34 @@ ifdef(`distro_suse', `
+@@ -387,17 +472,34 @@ ifdef(`distro_suse', `
 #
 # /var
 #
@ -3918,7 +4038,7 @@ index 33e0f8d..48f001d 100644
 +/usr/lib/ruby/gems/.*/agents(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/virtualbox/VBoxManage		--	gen_context(system_u:object_r:bin_t,s0)
 diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
-index 9e9263a..f0aef3e 100644
+index 9e9263a..cb42593 100644
 --- a/policy/modules/kernel/corecommands.if
 +++ b/policy/modules/kernel/corecommands.if
@@ -8,6 +8,22 @@
@ -4144,18 +4264,7 @@ index 9e9263a..f0aef3e 100644
 ')
 ########################################
-@@ -1012,6 +1065,10 @@ interface(`corecmd_exec_all_executables',`
+@@ -1049,6 +1102,7 @@ interface(`corecmd_manage_all_executables',`
 	can_exec($1, exec_type)
 	list_dirs_pattern($1, bin_t, bin_t)
 	read_lnk_files_pattern($1, bin_t, exec_type)
 +
 +	ifdef(`enable_mls',`',`
 +		files_exec_all_base_ro_files($1)
 +	')
 ')
 ########################################
@@ -1049,6 +1106,7 @@ interface(`corecmd_manage_all_executables',`
 		type bin_t;
 	')
@ -4163,7 +4272,7 @@ index 9e9263a..f0aef3e 100644
 	manage_files_pattern($1, bin_t, exec_type)
 	manage_lnk_files_pattern($1, bin_t, bin_t)
 ')
-@@ -1091,3 +1149,74 @@ interface(`corecmd_mmap_all_executables',`
+@@ -1091,3 +1145,74 @@ interface(`corecmd_mmap_all_executables',`
 	mmap_files_pattern($1, bin_t, exec_type)
 ')
@ -6307,7 +6416,7 @@ index 3f6e168..340e49f 100644
 ')
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..ed25075 100644
+index b31c054..ab7c054 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@
@ -6331,24 +6440,20 @@ index b31c054..ed25075 100644
 /dev/efirtc		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/elographics/e2201	-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/em8300.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -44,6 +47,16 @@
+@@ -44,6 +47,12 @@
 /dev/hwrng		-c	gen_context(system_u:object_r:random_device_t,s0)
 /dev/i915		-c	gen_context(system_u:object_r:dri_device_t,s0)
 /dev/inportbm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 +/dev/infiniband/.*	-c	gen_context(system_u:object_r:infiniband_device_t,mls_systemhigh)
-+/dev/infiniband/issm0		-c	gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh)
+/dev/infiniband/issm[0-9]+		-c	gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh)
-+/dev/infiniband/issm1		-c	gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh)
+/dev/infiniband/umad[0-9]+		-c	gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh)
 +/dev/infiniband/umad0		-c	gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh)
 +/dev/infiniband/umad1		-c	gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh)
 +/dev/infiniband/.*	-b	gen_context(system_u:object_r:infiniband_device_t,mls_systemhigh)
-+/dev/infiniband/issm0		-b	gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh)
+/dev/infiniband/issm[0-9]+		-b	gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh)
-+/dev/infiniband/issm1		-b	gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh)
+/dev/infiniband/umad[0-9]+		-b	gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh)
 +/dev/infiniband/umad0		-b	gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh)
 +/dev/infiniband/umad1		-b	gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh)
 /dev/ipmi[0-9]+		-c	gen_context(system_u:object_r:ipmi_device_t,s0)
 /dev/ipmi/[0-9]+	-c	gen_context(system_u:object_r:ipmi_device_t,s0)
 /dev/irlpt[0-9]+	-c	gen_context(system_u:object_r:printer_device_t,s0)
-@@ -61,8 +74,10 @@
+@@ -61,8 +70,10 @@
 /dev/loop-control	-c	gen_context(system_u:object_r:loop_control_device_t,s0)
 /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/mcelog		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
@ -6360,7 +6465,7 @@ index b31c054..ed25075 100644
 /dev/mergemem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/mga_vid.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
-@@ -72,7 +87,9 @@
+@@ -72,7 +83,9 @@
 /dev/mixer.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/mmetfgrab		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/modem		-c	gen_context(system_u:object_r:modem_device_t,s0)
@ -6370,7 +6475,7 @@ index b31c054..ed25075 100644
 /dev/msr.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/net/vhost		-c	gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/network_latency	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
-@@ -80,6 +97,8 @@
+@@ -80,6 +93,8 @@
 /dev/noz.* 		-c	gen_context(system_u:object_r:modem_device_t,s0)
 /dev/null		-c	gen_context(system_u:object_r:null_device_t,s0)
 /dev/nvidia.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
@ -6379,7 +6484,7 @@ index b31c054..ed25075 100644
 /dev/nvram		-c	gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
 /dev/oldmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/opengl		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -90,6 +109,7 @@
+@@ -90,6 +105,7 @@
 /dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
 /dev/port		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/pps.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
@ -6387,7 +6492,7 @@ index b31c054..ed25075 100644
 /dev/(misc/)?psaux	-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/rmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/radeon		-c	gen_context(system_u:object_r:dri_device_t,s0)
-@@ -106,6 +126,7 @@
+@@ -106,6 +122,7 @@
 /dev/snapshot		-c	gen_context(system_u:object_r:apm_bios_t,s0)
 /dev/sndstat		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
@ -6395,7 +6500,7 @@ index b31c054..ed25075 100644
 /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tpm[0-9]*		-c	gen_context(system_u:object_r:tpm_device_t,s0)
 /dev/uinput		-c	gen_context(system_u:object_r:event_device_t,s0)
-@@ -118,6 +139,12 @@
+@@ -118,6 +135,12 @@
 ifdef(`distro_suse', `
 /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 ')
@ -6408,7 +6513,7 @@ index b31c054..ed25075 100644
 /dev/vhost-net		-c	gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vbox.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -129,12 +156,14 @@ ifdef(`distro_suse', `
+@@ -129,12 +152,14 @@ ifdef(`distro_suse', `
 /dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/watchdog.*		-c	gen_context(system_u:object_r:watchdog_device_t,s0)
@ -6423,7 +6528,7 @@ index b31c054..ed25075 100644
 /dev/card.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
-@@ -172,15 +201,21 @@ ifdef(`distro_suse', `
+@@ -172,15 +197,21 @@ ifdef(`distro_suse', `
 /dev/touchscreen/ucb1x00 -c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/touchscreen/mk712	-c	gen_context(system_u:object_r:mouse_device_t,s0)
@ -6445,7 +6550,7 @@ index b31c054..ed25075 100644
 ifdef(`distro_debian',`
 # this is a static /dev dir "backup mount"
-@@ -198,12 +233,27 @@ ifdef(`distro_debian',`
+@@ -198,12 +229,27 @@ ifdef(`distro_debian',`
 /lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
@ -22247,7 +22352,7 @@ index e100d88..1428581 100644
 +')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..5b93205 100644
+index 8dbab4c..5deb336 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@ -22542,7 +22647,7 @@ index 8dbab4c..5b93205 100644
 ########################################
 #
 # Unlabeled process local policy
-@@ -399,14 +491,39 @@ if( ! secure_mode_insmod ) {
+@@ -399,14 +491,38 @@ if( ! secure_mode_insmod ) {
 # Rules for unconfined acccess to this module
 #
@ -22571,7 +22676,6 @@ index 8dbab4c..5b93205 100644
 +
 +if( ! secure_mode_insmod ) {
 +    allow can_load_kernmodule self:capability sys_module;
 +    allow can_load_kernmodule self:capability2 compromise_kernel;
 +    # load_module() calls stop_machine() which
 +    # calls sched_setscheduler()
 +    allow can_load_kernmodule self:capability sys_nice;
@ -31241,7 +31345,7 @@ index 6bf0ecc..e6be63a 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..5d9d50d 100644
+index 8b40377..a1eab03 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@ -32267,7 +32371,7 @@ index 8b40377..5d9d50d 100644
 +allow xserver_t self:capability { sys_ptrace dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
 +
 dontaudit xserver_t self:capability chown;
-+allow xserver_t self:capability2 compromise_kernel;
+#allow xserver_t self:capability2 compromise_kernel;
 +
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:fd use;
@ -38978,15 +39082,16 @@ index 312cd04..102b975 100644
 +userdom_use_inherited_user_terminals(setkey_t)
 +userdom_read_user_tmp_files(setkey_t)
 diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 73a1c4e..ec4c7c7 100644
+index 73a1c4e..a143623 100644
 --- a/policy/modules/system/iptables.fc
 +++ b/policy/modules/system/iptables.fc
-@@ -1,22 +1,43 @@
+@@ -1,22 +1,45 @@
 /etc/rc\.d/init\.d/ip6?tables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/ebtables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 -/etc/sysconfig/ip6?tables.*	--	gen_context(system_u:object_r:iptables_conf_t,s0)
 -/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
 +/etc/rc\.d/init\.d/ebtables		--  gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/nftables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 -/sbin/ebtables			--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/usr/lib/systemd/system/arptables.*     --  gen_context(system_u:object_r:iptables_unit_file_t,s0)
@ -39017,6 +39122,7 @@ index 73a1c4e..ec4c7c7 100644
 -/sbin/ipvsadm-save		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 -/sbin/xtables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/sbin/ipvsadm-save		    --	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/sbin/nft			--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/sbin/xtables-multi		    --	gen_context(system_u:object_r:iptables_exec_t,s0)
 -/usr/sbin/conntrack		--	gen_context(system_u:object_r:iptables_exec_t,s0)
@ -46612,10 +46718,10 @@ index a392fc4..79fadfc 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..6cf3942
+index 0000000..8b77d7a
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,69 @@
+@@ -0,0 +1,71 @@
 +HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_home_t,s0)
 +/root/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_home_t,s0)
 +
@ -46642,6 +46748,7 @@ index 0000000..6cf3942
 +/usr/lib/systemd/system/systemd-machined\.service	--	gen_context(system_u:object_r:systemd_machined_unit_file_t,s0)
 +/usr/lib/systemd/system/systemd-networkd\.service     gen_context(system_u:object_r:systemd_networkd_unit_file_t,s0)
 +/usr/lib/systemd/system/systemd-resolved\.service     gen_context(system_u:object_r:systemd_resolved_unit_file_t,s0)
 +/usr/lib/systemd/system/systemd-modules-load\.service     gen_context(system_u:object_r:systemd_modules_load_unit_file_t,s0)
 +/usr/lib/systemd/system/systemd-vconsole-setup\.service		gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0)
 +/usr/lib/systemd/system/systemd-rfkill\.service	--	gen_context(system_u:object_r:systemd_rfkill_unit_file_t,s0)
 +/usr/lib/systemd/system/systemd-time.*\.service	--	gen_context(system_u:object_r:systemd_timedated_unit_file_t,s0)
@ -46664,6 +46771,7 @@ index 0000000..6cf3942
 +/usr/lib/systemd/systemd-networkd   --  gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
 +/usr/lib/systemd/systemd-tmpfiles --	gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 +/usr/lib/systemd/systemd-coredump	--	gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
 +/usr/lib/systemd/systemd-modules-load	--	gen_context(system_u:object_r:systemd_modules_load_exec_t,s0)
 +/usr/lib/systemd/system-generators/systemd-gpt-auto-generator	--	gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
 +/usr/lib/systemd/systemd-resolve(d|-host)			gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
 +
@ -46687,10 +46795,10 @@ index 0000000..6cf3942
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..ebd6cc8
+index 0000000..513b97b
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1716 @@
+@@ -0,0 +1,1738 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@ -48407,12 +48515,34 @@ index 0000000..ebd6cc8
 +	files_search_etc($1)
 +	allow $1 systemd_hwdb_etc_t:file read_file_perms;
 +')
 +
 +########################################
 +## <summary>
 +##	Allow process to manage hwdb config file.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`systemd_hwdb_manage_config',`
 +	gen_require(`
 +		type systemd_hwdb_etc_t;
 +	')
 +
 +	files_search_etc($1)
 +	manage_files_pattern($1, systemd_hwdb_etc_t, systemd_hwdb_etc_t)
 +	allow $1 systemd_hwdb_etc_t:file {relabelfrom relabelto};
 +	files_etc_filetrans($1, systemd_hwdb_etc_t, file)
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..f26d95b
+index 0000000..7877160
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,939 @@
+@@ -0,0 +1,957 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -48474,6 +48604,11 @@ index 0000000..f26d95b
 +type systemd_resolved_unit_file_t;
 +systemd_unit_file(systemd_resolved_unit_file_t)
 +
 +systemd_domain_template(systemd_modules_load)
 +
 +type systemd_modules_load_unit_file_t;
 +systemd_unit_file(systemd_modules_load_unit_file_t)
 +
 +# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent
 +# systemd components
 +
@ -49352,6 +49487,19 @@ index 0000000..f26d95b
 +
 +read_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
 +read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
 +
 +#######################################
 +#
 +# systemd_modules_load domain
 +#
 +
 +kernel_dgram_send(systemd_modules_load_t)
 +
 +dev_read_sysfs(systemd_modules_load_t)
 +
 +files_read_kernel_modules(systemd_modules_load_t)
 +modutils_list_module_config(systemd_modules_load_t)
 +
 diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
 index f41857e..49fd32e 100644
 --- a/policy/modules/system/udev.fc
@ -49650,7 +49798,7 @@ index 9a1650d..d7e8a01 100644
 ########################################
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 39f185f..5658ab4 100644
+index 39f185f..b41b341 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
@ -49680,7 +49828,7 @@ index 39f185f..5658ab4 100644
 -allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
 +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
-+allow udev_t self:capability2 { block_suspend compromise_kernel };
+allow udev_t self:capability2 { block_suspend };
 dontaudit udev_t self:capability sys_tty_config;
 -allow udev_t self:capability2 block_suspend;
 -allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
@ -49812,7 +49960,7 @@ index 39f185f..5658ab4 100644
 seutil_read_config(udev_t)
 seutil_read_default_contexts(udev_t)
-@@ -169,9 +193,13 @@ sysnet_read_dhcpc_pid(udev_t)
+@@ -169,9 +193,14 @@ sysnet_read_dhcpc_pid(udev_t)
 sysnet_delete_dhcpc_pid(udev_t)
 sysnet_signal_dhcpc(udev_t)
 sysnet_manage_config(udev_t)
@ -49821,13 +49969,14 @@ index 39f185f..5658ab4 100644
 +
 +systemd_login_read_pid_files(udev_t)
 +systemd_getattr_unit_files(udev_t)
 +systemd_hwdb_manage_config(udev_t)
 userdom_dontaudit_search_user_home_content(udev_t)
 +userdom_rw_inherited_user_tmp_pipes(udev_t)
 ifdef(`distro_debian',`
 	files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
-@@ -195,16 +223,9 @@ ifdef(`distro_gentoo',`
+@@ -195,16 +224,9 @@ ifdef(`distro_gentoo',`
 ')
 ifdef(`distro_redhat',`
@ -49846,7 +49995,7 @@ index 39f185f..5658ab4 100644
 	# for arping used for static IP addresses on PCMCIA ethernet
 	netutils_domtrans(udev_t)
-@@ -242,6 +263,7 @@ optional_policy(`
+@@ -242,6 +264,7 @@ optional_policy(`
 optional_policy(`
 	cups_domtrans_config(udev_t)
@ -49854,7 +50003,7 @@ index 39f185f..5658ab4 100644
 ')
 optional_policy(`
-@@ -249,17 +271,31 @@ optional_policy(`
+@@ -249,17 +272,31 @@ optional_policy(`
 	dbus_use_system_bus_fds(udev_t)
 	optional_policy(`
@ -49888,7 +50037,7 @@ index 39f185f..5658ab4 100644
 ')
 optional_policy(`
-@@ -289,6 +325,10 @@ optional_policy(`
+@@ -289,6 +326,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -49899,7 +50048,7 @@ index 39f185f..5658ab4 100644
 	openct_read_pid_files(udev_t)
 	openct_domtrans(udev_t)
 ')
-@@ -303,6 +343,15 @@ optional_policy(`
+@@ -303,6 +344,15 @@ optional_policy(`
 ')
 optional_policy(`
@ -49915,7 +50064,7 @@ index 39f185f..5658ab4 100644
 	unconfined_signal(udev_t)
 ')
-@@ -315,6 +364,7 @@ optional_policy(`
+@@ -315,6 +365,7 @@ optional_policy(`
 	kernel_read_xen_state(udev_t)
 	xen_manage_log(udev_t)
 	xen_read_image_files(udev_t)
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -24056,7 +24056,7 @@ index 8ce99ff..1bc5d3a 100644
 +	logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
 ')
 diff --git a/devicekit.te b/devicekit.te
-index 77a5003..b605240 100644
+index 77a5003..9e56e3e 100644
 --- a/devicekit.te
 +++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1)
@ -24200,7 +24200,7 @@ index 77a5003..b605240 100644
 -allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
 +allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice };
-+allow devicekit_power_t self:capability2 compromise_kernel;
+#allow devicekit_power_t self:capability2 compromise_kernel;
 allow devicekit_power_t self:process { getsched signal_perms };
 allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
@ -26033,10 +26033,10 @@ index 0000000..d22ed69
 +')
 diff --git a/dnssec.te b/dnssec.te
 new file mode 100644
-index 0000000..f186d85
+index 0000000..e44017c
 --- /dev/null
 +++ b/dnssec.te
-@@ -0,0 +1,88 @@
+@@ -0,0 +1,89 @@
 +policy_module(dnssec, 1.0.0)
 +
 +########################################
@ -26118,6 +26118,7 @@ index 0000000..f186d85
 +')
 +
 +optional_policy(`
 +	networkmanager_dbus_chat(dnssec_trigger_t)
 +    networkmanager_stream_connect(dnssec_trigger_t)
 +    networkmanager_signal(dnssec_trigger_t)
 +    networkmanager_sigchld(dnssec_trigger_t)
@ -41315,7 +41316,7 @@ index 3a00b3a..92f125f 100644
 +')
 +
 diff --git a/kdump.te b/kdump.te
-index 715fc21..e8792ed 100644
+index 715fc21..3cac629 100644
 --- a/kdump.te
 +++ b/kdump.te
@@ -12,35 +12,58 @@ init_system_domain(kdump_t, kdump_exec_t)
@ -41350,7 +41351,7 @@ index 715fc21..e8792ed 100644
 #
 allow kdump_t self:capability { sys_boot dac_override };
-+allow kdump_t self:capability2 compromise_kernel;
+#allow kdump_t self:capability2 compromise_kernel;
 +
 +manage_dirs_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
 +manage_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
@ -46987,7 +46988,7 @@ index 0000000..e86897d
 +')
 diff --git a/lttng-tools.te b/lttng-tools.te
 new file mode 100644
-index 0000000..0b9ade5
+index 0000000..1d2ca22
 --- /dev/null
 +++ b/lttng-tools.te
@@ -0,0 +1,60 @@
@ -47017,7 +47018,7 @@ index 0000000..0b9ade5
 +#
 +
 +allow lttng_sessiond_t self:capability { chown setgid setuid fsetid net_admin sys_resource };
-+
+allow lttng_sessiond_t self:capability2 block_suspend;
 +allow lttng_sessiond_t self:process { setrlimit signal_perms };
 +allow lttng_sessiond_t self:fifo_file rw_fifo_file_perms;
 +allow lttng_sessiond_t self:tcp_socket listen;
@ -82191,7 +82192,7 @@ index afc0068..589a7fd 100644
 +	')
 ')
 diff --git a/quantum.te b/quantum.te
-index 8644d8b..4d073e9 100644
+index 8644d8b..e39f835 100644
 --- a/quantum.te
 +++ b/quantum.te
@@ -5,92 +5,183 @@ policy_module(quantum, 1.1.0)
@ -82281,7 +82282,7 @@ index 8644d8b..4d073e9 100644
 -
 -dev_list_sysfs(quantum_t)
 -dev_read_urand(quantum_t)
-+allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};
+allow neutron_t self:capability { chown dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};
 +allow neutron_t self:capability2 block_suspend;
 +allow neutron_t self:process { setsched setrlimit setcap signal_perms };
 +
@ -110651,14 +110652,14 @@ index 9d4d8cb..1189323 100644
 tunable_policy(`varnishd_connect_any',`
 	corenet_sendrecv_all_client_packets(varnishd_t)
 diff --git a/vbetool.te b/vbetool.te
-index 2a61f75..02a87c0 100644
+index 2a61f75..b026ab7 100644
 --- a/vbetool.te
 +++ b/vbetool.te
@@ -27,6 +27,7 @@ role vbetool_roles types vbetool_t;
 #
 allow vbetool_t self:capability { dac_override sys_tty_config sys_admin };
-+allow vbetool_t self:capability2 compromise_kernel;
+#allow vbetool_t self:capability2 compromise_kernel;
 allow vbetool_t self:process execmem;
 dev_wx_raw_memory(vbetool_t)
@ -113097,7 +113098,7 @@ index facdee8..816d860 100644
 +        ps_process_pattern(virtd_t, $1)
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..88489f7 100644
+index f03dcf5..cd95400 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,451 +1,402 @@
@ -113751,7 +113752,7 @@ index f03dcf5..88489f7 100644
 -allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
 +allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
-+allow virtd_t self:capability2 compromise_kernel;
+#allow virtd_t self:capability2 compromise_kernel;
 allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
 +ifdef(`hide_broken_symptoms',`
 +	# caused by some bogus kernel code
@ -114109,7 +114110,7 @@ index f03dcf5..88489f7 100644
 	kernel_read_xen_state(virtd_t)
 	kernel_write_xen_state(virtd_t)
-@@ -746,44 +707,331 @@ optional_policy(`
+@@ -746,44 +707,332 @@ optional_policy(`
 	udev_read_pid_files(virtd_t)
 ')
@ -114185,7 +114186,7 @@ index f03dcf5..88489f7 100644
 +#
 +# virtual domains common policy
 +#
-+allow virt_domain self:capability2 compromise_kernel;
+#allow virt_domain self:capability2 compromise_kernel;
 +allow virt_domain self:process { setrlimit signal_perms getsched setsched };
 +allow virt_domain self:fifo_file rw_fifo_file_perms;
 +allow virt_domain self:shm create_shm_perms;
@ -114280,6 +114281,7 @@ index f03dcf5..88489f7 100644
 +dev_rw_kvm(virt_domain)
 +dev_rw_qemu(virt_domain)
 +dev_rw_inherited_vhost(virt_domain)
 +dev_rw_infiniband_dev(virt_domain)
 +
 +domain_use_interactive_fds(virt_domain)
 +
@ -114463,7 +114465,7 @@ index f03dcf5..88489f7 100644
 kernel_read_system_state(virsh_t)
 kernel_read_network_state(virsh_t)
 kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1042,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1043,18 @@ kernel_write_xen_state(virsh_t)
 corecmd_exec_bin(virsh_t)
 corecmd_exec_shell(virsh_t)
@ -114490,7 +114492,7 @@ index f03dcf5..88489f7 100644
 fs_getattr_all_fs(virsh_t)
 fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1062,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1063,25 @@ fs_search_auto_mountpoints(virsh_t)
 storage_raw_read_fixed_disk(virsh_t)
@ -114524,7 +114526,7 @@ index f03dcf5..88489f7 100644
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1099,20 @@ optional_policy(`
+@@ -856,14 +1100,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -114546,7 +114548,7 @@ index f03dcf5..88489f7 100644
 	xen_stream_connect(virsh_t)
 	xen_stream_connect_xenstore(virsh_t)
 ')
-@@ -888,49 +1137,66 @@ optional_policy(`
+@@ -888,49 +1138,66 @@ optional_policy(`
 	kernel_read_xen_state(virsh_ssh_t)
 	kernel_write_xen_state(virsh_ssh_t)
@ -114566,7 +114568,7 @@ index f03dcf5..88489f7 100644
 #
 +allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid };
 +allow virtd_lxc_t self:process { setsockcreate transition setpgid signal_perms };
-+allow virtd_lxc_t self:capability2 compromise_kernel;
+#allow virtd_lxc_t self:capability2 compromise_kernel;
 -allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource };
 allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms };
@ -114631,7 +114633,7 @@ index f03dcf5..88489f7 100644
 corecmd_exec_bin(virtd_lxc_t)
 corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1208,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1209,16 @@ dev_read_urand(virtd_lxc_t)
 domain_use_interactive_fds(virtd_lxc_t)
@ -114651,7 +114653,7 @@ index f03dcf5..88489f7 100644
 fs_getattr_all_fs(virtd_lxc_t)
 fs_manage_tmpfs_dirs(virtd_lxc_t)
 fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1229,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1230,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
 fs_unmount_all_fs(virtd_lxc_t)
 fs_relabelfrom_tmpfs(virtd_lxc_t)
@ -114675,7 +114677,7 @@ index f03dcf5..88489f7 100644
 selinux_get_enforce_mode(virtd_lxc_t)
 selinux_get_fs_mount(virtd_lxc_t)
 selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1254,355 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1255,355 @@ selinux_compute_create_context(virtd_lxc_t)
 selinux_compute_relabel_context(virtd_lxc_t)
 selinux_compute_user_contexts(virtd_lxc_t)
@ -115172,7 +115174,7 @@ index f03dcf5..88489f7 100644
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1615,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1616,12 @@ dev_read_sysfs(virt_qmf_t)
 dev_read_rand(virt_qmf_t)
 dev_read_urand(virt_qmf_t)
@ -115187,7 +115189,7 @@ index f03dcf5..88489f7 100644
 sysnet_read_config(virt_qmf_t)
 optional_policy(`
-@@ -1192,7 +1633,7 @@ optional_policy(`
+@@ -1192,7 +1634,7 @@ optional_policy(`
 ########################################
 #
@ -115196,7 +115198,7 @@ index f03dcf5..88489f7 100644
 #
 allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1642,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1643,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
 allow virt_bridgehelper_t self:tun_socket create_socket_perms;
 allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 200%{?dist}
+Release: 201%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -648,6 +648,34 @@ exit 0
 %endif
 %changelog
 * Mon Jul 11 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-201
 - Allow lttng tools to block suspending
 - Allow creation of vpnaas in openstack
 - remove rules with compromised_kernel permission
 - Allow dnssec-trigger to chat with NetworkManager over DBUS BZ(1350100)
 - Allow virtual machines to rw infiniband devices. Resolves: rhbz#1210263
 - Update makefile to support snapperd_contexts file
 - Remove compromize_kernel permission Remove unused mac_admin permission Add undefined system permission
 - Remove duplicate declaration of class service
 - Fix typo in access_vectors file
 - Merge branch 'rawhide-base-modules-load' into rawhide-base
 - Add new policy for systemd-modules-load
 - Add systemd access vectors.
 - Revert "Revert "Revert "Missed this version of exec_all"""
 - Revert "Revert "Missed this version of exec_all""
 - Revert "Missed this version of exec_all"
 - Revert "Revert "Fix name of capability2 secure_firmware->compromise_kernel"" BZ(1351624) This reverts commit 3e0e7e70de481589440f3f79cccff08d6e62f644.
 - Revert "Fix name of capability2 secure_firmware->compromise_kernel" BZ(1351624) This reverts commit 7a0348a2d167a72c8ab8974a1b0fc33407f72c48.
 - Revert "Allow xserver to compromise_kernel access"BZ(1351624)
 - Revert "Allow anyone who can load a kernel module to compromise_kernel"BZ(1351624)
 - Revert "add ptrace_child access to process" (BZ1351624)
 - Add user namespace capability object classes.
 - Allow udev to manage systemd-hwdb files
 - Add interface systemd_hwdb_manage_config()
 - Fix paths to infiniband devices. This allows use more then two infiniband interfaces.
 - corecmd: Remove fcontext for /etc/sysconfig/libvirtd
 - iptables: add fcontext for nftables
 * Tue Jul 05 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-200
 - Fix typo in brltty policy
 - Add new SELinux module sbd