From 233534cc519e693dd4703b9cb8c9b8b454231a98 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Wed, 27 Sep 2017 13:16:05 +0200
Subject: [PATCH] * Wed Sep 27 2017 Lukas Vrabec - 3.13.1-289 - Allow tlp_t domain stream connect to sssd_t domain - Add missing dac_override capability - Add systemd_tmpfiles_t dac_override capability
---
 container-selinux.tgz | Bin 7007 -> 7009 bytes
 policy-rawhide-base.patch | 20 +++++++++++---------
 policy-rawhide-contrib.patch | 8 ++++++--
 selinux-policy.spec | 7 ++++++-
 4 files changed, 23 insertions(+), 12 deletions(-)
diff --git a/container-selinux.tgz b/container-selinux.tgz index 1eb1b31beeef84370964c2498ad25c083b8c42d3..c35637b8ae532588228f70333da916df5c8aa252 100644 GIT binary patch literal 7009 zcmbu;g*zOM;{af6VxQ?YdD?Ier%p57(;X*HGfYlQ_jGs1On07%sbTtb=jpER?|=9` z&-*XDw9!~7l3}CzC~r=T9pjhz6DQ^mOaTk1B18+kx#xqZB8#FNiRef%D*R)h3oX!- zx~UjB7q?1ZvA2VL>fBSg8O<71%-S?~gQh}f8?SZ!gClXkqE24MYAVb&VJ7Y1Cd)?A z8PFB*iuu&_vhmn*$W`olx@K$|;P#Ascpk@dUNi0q-8&n?TMHoS{8ocjaWL6vPW^Vx z^46nOfu4P3;W1#U(dVA$u1;v%TTlG?;PjD^wW`?bUvfA^@q2A$J@`LFBgc1n_hdS@ zuV=pZTPbFSs1c@zI~W1k&pX_axQ>PSWipeEI37EC{uB;IYN z#q|On-mvi@2+`LOV|1NNl{5^ONwO$W&esk3@71J4CTj)(Qk)1#D$$=0FI2g-#JMM! zsG9HjIq_AYt|n;>&lab#s-fYg;||y9_1oWBuv*WgdSrr$Ag7mDiMPD0squ8D{T~#B zB|pFPwahbT;;H`)-0Byf*Z#bR19JMuVf$$?I}>sbZ|Iw6w);?&r#VTQ1GrCBC;R5A z`On`~GU-e2htICok%%R^zgXE_{8hM-*A$kk$NiA|%wkpai!@<|+aEru{G2zAS(8FP zHWJj5V%=;8Rvg~GV$gzb^K56fl9#mdkxfdGg(H+^L#VxhgHLchJVHUUEv%-%2J-&O7aX z1B+A%8(o@-n+RZ3dI=efkA=r6->Om+Xt#DxV`eAUuAXsO1?d{{`*Fd`UmiB5R5$pU z{A?;iNt><3(gReGUqG0UTxvPsHLpR+AIrqgVlX_qLolL*FmyH3s6f-SsAZb-f>bZ&jO?*z4Wqu4 z2_24T(uvykNK9!3p(~V3=IyKWCYkMyw{uc>p-1fi1`|P4!KX58e=wikS^oX8nnnOL z$q!UBds6FrrZ7$h$Mnj&Rzc8kNcod6*$Su}=0-yi!BYZG`Nk&*^COu3@=#wgT((hH3ne>3p-ICurXU-T_ z4=w8Q0q?s1Van?usj5eeUt!rLv6P)SW+0fkCGO0}k1(G05Fu zaBmk)GFIM%vZBt!6xq_Qjsyr&!^KvCWyd!nCv)6-|Wa{c1i-k}`z$fR*=^^afa z&9slBIsXKE1n+MyRCqvl8!esXDp=944H#N_Pzd_IW-aV zX_=woyeL@|MGs2XQoGCaIuV_tySC0qwWss&r`1#SZc&{RJKF)i(NiVo}!M9GEfJ42SR+-CJkKTE;(?_e)K zqnNn1f;b#)f95V=@%jptoD2&)))2DcLyRNy-mm%Hf+aP9j_{)V5!`%>u2=vUgWk~9 zH-T@xb5@pk&tQ^q$uz@7h z+`kmcq-I~>Av)sPOj>FBm9`DXZRw%$HSPmBzSVH62X07n_OuD*yuNZodK=7nQv_QGr*&<3xVU*=KJOr+Q%bq?(pfHR-g@Xa@2qHP zdSCP0387|Z0!agfY-B1qR5K&O7qmoLnfvfbSXIwz)g;x6$ck9lGk^}@szxTXe zDXFJ;utQxw*04}ObV@~uH)MZS8D$2wy+9Vi^plKWGMh{mI-+Z`TB6TCd?()YczSr3 ze|JNswyzs36%jA9LQ#x`9M~z!ojz=SlGZ`rmnhp3`YlVVBn#jH zY%_r=+H@x{V=yH9t0DMYq8-KswC(Z+506GReQn^C!9O=oEg`#|eCfBX#NK}x;I3#9 z@fl%eKX3WHh}J8E6aw;)H=xUDw9Y)Y!MW#XtC&%8zQ2D`)orE%U$7bi7olfS_ruCW 
z0ZEn!JPp0jEU*%yY#oY!G8#_bs?>+F1n)Tuu}W&RrP}tCp}<@KHwMYQE)|Ey^ps(G zVDYO=JE0P?bn;=CPF<_zISnbI>clM6z79+K->>VP(}bW`O4;}7>6pg0LlU(u=eNQ zKvm=LN^Qw`0vwB9{$t6SDE-ATpIJMHA__;SHMSV^BuPq?8Y#+~I5?4Wo=@wWfVQF9 zAO=Nd`~tuxc-dBc^MpfQw_{NdqIy9!+B{6QuVv}F!<$Ac2@qj3?V9%r8C*4K!EzOjLgr1wFrc*-0o z2So{9ba*CTt`gKv5$$6s6*RF$oiXNvrW9NX1Ht0q7nj28XZRFyjaYwq?y=f{SW4z^q;RgV)`=4o$L z4cZCATuR|>u-XOoMCS++8*f)X9wsOwB(t4qq$+Fy2{k zVm)vh$@%j!$eCdP9JX^&e>Akd`c%Xgt>kqN*A9x8)m@zwII|_UI_J4_qiWFW7wJ^; z36gkZY=2KP@_-~9e(9=CJOPa6P7>e|4v+d?Oq2CV6CO+7F<|q*`;QJbavYdzy#BzY z8YtqbV3>s2?myANd8Z>o zlu?U{KJfxT*lJMdZBW5lpS9c=dAF!Q?)5uKf>jWShK zi-in(rg2W%rccnfr>2<5d#?%Q->$cNW6*jTaVESxTSX}Ss8L3q(@KX;&2mfSuYg04 zxrgRSs`qSyE~z_B8%5EW2gCOA#Ac9Co12#zFjm03u>M6dj{rNwbL&A z1QYD#`3Bea5ThPB1Mq7_ZZDM}9p+~Rdn-YtB z<{84duFIBt-*#BoHc#9@E9>ZkC(YFia(N(Mqqb3zS)OO$ zO3mKKkt6XH!-<90k+lE+R zHng;`E=-?bmu7g|qN}jWp)KsX&UEX{(_{IdYyg)eTc2x;O z4SgNbQpaP!Gi}{a4J4^gsK_CjY|ihTxFcIkkmu))e%!tX^x3Dy~Pz~jZZio>PHK&8liy z@)Q`v{uwW(F!7K{Zg-VlRY;Akn*%jd^Fx+i=)2BPmOy;8Fli512@^Bd$g?z6a{-hp zAp?k!(}ltn3}`Cap&G>)WaqNep_*kc<=QU8;S6RMYGe~|+p?sjsZVXQq;aIz5YoGC zkQC<=9QeIF+hBc*Z-9Zr!mP=<0&&G5Lx9J-h20&teXOjjtCkNjyUc!N!1!_h6AomW z=fr;Dv6o#MglFrFNo5bknihB2*iEs|L|N1p^jOCe2-ifjj6L;Nyxu1i=4bp|Cupw5 z@IrH@k+r{SoU_fIq~*9+dLO>&6J@PR;6!ZVOW-G6D~Z1wnnFYqasl%l< z8r`A1#QG>P2*Geb6~WHGip%#~p7ZHE(;&z&lBC6xKOZ}26{vV|6gyYe)2KdS0P3nk3LW*Sp#-lyI_sX+H&UXXnL9ptF2=IB z`V<+TW{$OJI@&dXf$Cu&p~a7;Qb((dJu)(o_ef2c)y>_6(2KZ0;s3ifSjiWz&) zrLtE1A_{&S-8%D&0vc41?_+IUW=nG-+jx~vaa=2p)3Fi$9kUn5L#7!hDUXpb%pUD- z*OGY&NXWNJ`&QQJiDpM10*Y#t3^ofJIFrs0)9#n%VO}?VqgHbn1m%pxgo>UdTcO+X zWj<4j@oWaqnR8WeA6)gHNIZ5SMP4_BH5*q)r2;tyklxzW9bp2i&@1KJlezQPiHH=# zoGJ|+|27Ep1@CmK9Bre@DvKCQ>FN}0e(_JeeWjbfZ^pr)gc59|DhCPwn(HtI>Tqep zk*y2G)iBl=B#@hDXby)`gGQ$)@-y~8UFXgZ50$Y`oKk>q2cduFq4}z?4Ic%v?Eedo zxi98ii?k(c_^Y=(&U~6gGqszjJt%u__g_;fF=9?T0`*EU!cZfd=CoJgfZi}#w!!xb z2VLja%)v=)?sY^*Q5cfu%R;qe_uhmBoo$TeF4wtV@o8Ngk~1B<2-s5IVWE*O!wWP~ 
zUwlZAE$Anl;k}I2$n;AiS}k$t9Ee2Xi0m5G9Pz;W()eSFtbW9H(s_UEA^bE!KqZVbYO)kD09nj^#2jzsVsre?2iHULH}ZM<&WIM`}X;U=?%@v zQVyHvE)!zmH9Gn+5GZ@vM5QB@jmND*F2eo|Zk866xkt`BsxsMg32HsTt7v>#0TqYv zRBRH#hv8jv?iN~7mM=Zek97<&SnY&H`{A|hK}eDZ zRmb|Fi`;;Nr%48ODpdTqJ3QUx@Y39BIc9_Y116mUf7t2Su0lV~pcG*d(BlgIYo6rn zCG7`+#Fsf4&hN}5cKD)A2v%l!=;=PJ1TO9n-H~cEN!dvL z73Rr48Ksa5gxWI?$RY#O8jFO#ajG-3{Tw}M_=cExe(pIs%DSC@xP7e&db)b<`TL`0 za<~2AI`P|7csFj8F}=6LJ4n%)yXBd!$MFuZ7rwE zdn=ZiwBe}=5@CmCB|a(x}R8r~S?DtdtBR9*~5XwQ#_0yf;-UN$d5w zNB8xT+HIW+vF<#1z1$d`l3sM7M#_m}n0#yXbvQ}jpG<)tS#7YB{IG`sa89E_mlO9< zWWX=(bE?J%uF(1Nz)@I2_l;4fIGYfMfQ2xuJA0?+Qmgr5Q8X^M(c-fZ=8n&~v(2hr z!rjf=clrGriaTC{$2oEZ)ip?IX5pA83;AvdV+XtxIh5;9O<1H7#&w@xqizR$f}_@% zh>DBt@SiU_OwX0xy+~QE8Ifa>>P|i|Jd$NPv zZ?`H7XfH82jEdwy5@SeoCGK%Fl%i(i{9_`RL?#qRhe;D^S`l;^OD4O!;)?Ht`ACNR zFhZGrjQbqHnykW1wR{&F^kgI7J%xH?1R5Ka*!B+D^Mhi;G95qnSOYZbtKSOt!)qnR z8wwnD2;aKR#5B3|nCRGw{4t^mlAh;V=Nnz`+9-=ob%~Iwy+2if)O4t7 zzx2FslKax%M1hfR=>0!wTD^Yl{a78+)Gwd@{P%t2ChY?6%UEf-`(qdZ?#hZ)O>MY31 zC`iL~75QbbUvJ{<{M+k`)tM;Jy6|f#H$F9Ir+ZUhtT2Nao020dO}gv6VXfxgv}dE5 z_RQ3@oeau6i8Szkg~t-y4}z$whENeH@QbU#?gPK0dQQ{&;+1G`*7}$+w0jwEunE4s z(PJRQDaI-Y>BSCI?C@hmEytsEv;}@fl-5ypn0nE`;%SDj) zeu<=wASr+E+iM-oC#a{#@!_BAA}Z4g7`Jf}RU%_fO`Uw^+2Ey#n#Smt6tqESNWMAL zMO)m|v|nA&q#Uq@RGdlTHuljo0%x!FszYLZ0hw2Ozl>gz)Tu!3a%bcYQcvQl#=dP5 zItS7`a%r+*?j*aLjNsnjz2^Q4je4Att0D^GZ43>>8WPQwsHgHM&yaNp+<+XRtog#Mp?=I^=_$;%jHDHZKxx{bphqum6?(11Cqmh83Qi)uaRmSggh?dH%r zoI~@-y=80|^R~)MGS0YgaEh7UG?oeK%SrX6nZ1h6a+U6Qm1U9qNj1$+U>)ERdGkBS zyF&kjuQUbZ(rS(;WO<0|z2^hrp#}-pao|zy8{Y#=?MUYSV&1mE7ke;?q#@8?~M{PG_^zmR#BEcPM} z$Jt2bAu}i(fT~6;{s>6>aCR3*6_xk1Y+=mg=QjA5o~k-ZgE|@OtLwfyWN}U6ZyJhW zhkQ{XGGeV2BY7DmIW9~=QZe)=dgJjVn0d2qa|T|3VtEL$Bn(I6dr?aA34c7+28d2ar)Z$=j=G2}uL(ka`ST$bN)0 zyTbImjx^iDvZ$ZNPT^h$-zZLRq-HR_#Q248n zuOR#s?3tm9GKNyjBVHPSdk*zBta8~+t$^%zlO>gQw;IWde9doxjE{^6RJ5?jH& z8I-0NP6@aYsZF!fcOcR>>7$N5vM1J(FmI6oQUx*0d-fYJS}I4TCdHBSw>Z!++U&uW`SibRe>R}$seP6s?RXdsGSimhxJ3^Kh2MLGb5y5=V>f- 
z02nSM%-U-|Oyi8rMY!o{8a`~Y5=fWw1)v@2`pL6Q_&21{ftB}s4-EZBud2Z$NojtG z>aT7;v(liwfu)`tMW$Wg8Y0IGi|BSqCM~25>mWDiPHD%!(k}=*oS%f3-D_pHM=gJdDoc#j5io zTL;!9!aGewta-`5b7JS!*Ek7>xs`r0?41*SHdG5eC!28iuZuj1gD2|Y z!YRnTfIf_XS_B(hDDMZHhHvI}_OAUyz2||RJ&!NFd|?5xRNgUR>%`E~7D|^`f;*k*Emxi$~ge!SV;9|c8n02S+O3^^IW zT};<^;|GkUHM<*CFap26J|j_ zd(y!3IfKapOiq~4%BLcS>M~0;uI4=#GxO1vrnpm&RoF~FM#nbsnw(f`D8*tb{mpb|@L;qea5EmLl~-Arz~z=OyjN zG8n|(js@rlUB0xGs=b44GFtV#>PDNwDjwT%?av)1e~t}Bzx1}P&5u8gVLnO(xhXD- zuRTX&-CfQSk=tP4^bpa^5>Hmqj8)M-GIJtqb2M@`eiaAp2~^0}ZMrPVXd6FjHasMW$ODMZk?2A`LeDU&zm!&W z>)J1OQ7vfFq*{aC*l}lc=Vee~-$%y`WEP6YI7RUwk#))21YgnY@U;(8|C1)!qL+1a zsyyuH|37~GaQ#E?{Qu3z<^2DbNX*l+PV*2H+qvuwZ@rt#o9{2*U#vR%f`xf9?}}IE zd7a;lHI-Mdy`Lk%Dd}PXm~&R7%EG7$c!*8GgKHuTQGw!k5Bmu8V5x?a_+%anKQVc8 zlf?V`PrrCYUe+=Or{H>$p<`w0L*{SPy2_;)nCox7t)EoUMW;x-M9iw^+lZ>CA97E5 z;PX^VZvbACvCvb`g~@Cw^7}#ijRxYeSUU za3X9;Y#@`lKo5}*)_&(*{ywg7-M5jOod#A;{x?-!>-N`fZL~4Pb_YXDM3B;XmrIA% zDHkEmkWsZkYD4*+#NNhd<5u+sf3dsKfPpmA;qi z_eVOYUFTREyzinr-YR#FK?<)=%esmOdDd z*l1(PC`2ZNG>0Z5_sV&XQ6p%WReR#4XSXZ#LuXM%I5hdAMp|(%;9sJ*FhBol% zUz<3S@%Qwg^ueZy>McOxgtx}vE4u#a^X*V6z={zY_Rl=zm;cRoYRf1At2qJtXc$ba zo&N!a2@WN6sd|{FZHNv~Z$k`M8YV;MBaMz64TV8!zUPQB)yf7W+thSsR*sW8@}|{} zwo&2NkpqM4MJqJ{_CrkjhH3B01ZDa|aN)ll*>r&*JZtr#BU&94GoT#89?BT@W}x19 z8?q6qLsdjsXyfeaP_-)PI-)`B)Q_2R@?eu5JVf^xHgH7A1R^v<82h^plz2M{(pD-twPFV#%?*pksEmU(D0Z#+bs<@>?1jtk;gU_^p`tm`OM#7`myQ5C%c`^V>Uit*JY2tTlJ0T;0gHo~ zi~T1T0#P2Am;us7Bk@2UyyWPaPw(3@PnD@2jiWRVVa8u+FG(0Eo(K`{FaLC>%Z~-? 
z-@h;!aWE9x5m^%(EueX!ZEIysryCH}T^B(f@?h?rUJujl|AxWOl5f2hb^Lz5rXWm2P?S1&e_cjp< zz^n4)fSz68`Y%p^JYh~-o7)`g0gd~XMZP@bha}{gM79BYMa&)V@;vXY;_d0OT$0;)r$K6kv$7qXwOdc-NRELQyb7g+I zweOzUa^I@H{;|V^)lIcqrd3B?S5W`2C#f%Vg5p&T|pT?TkQeD%7aX>w{^5;C7rH*_c7 zl!5PvIa=vC;*M5)j=1BEPDkL;T5t&0MH9B}3?I45)Lm8KUgQ}K*r7|-ruJSZ%&|tK zBk;6t<^VjYo7r&N0S(UGfJ5rKfvh`q2$yc$zh0`-cORsl;rqhSzcDzg`}i{tbKrX+ z?Pv#WU78RGV#F|hTzl6T%CFbYcOdjA;bG=1zKf#G_2epb7S-tga3!ZBu1{4^Cx)U3 z;s-=_A_cKk!9EJzGRF<|p_~T`xoV=h*A%nw2X%Z8LoYNiaQYD69YVVDkC%tNsciBS z@r3a%*e5M6EB)BQO(@ci_t?QAbt7h*AVd**_{KV{7}eyk0>REh9UA8pI=eRd2$zdC zRke?j#DUJu$#ujIW@~Rzu*KU6OcV3!1T-1grfxIt>$-5vLa+pRnifg)xTZci%-h;& zb(Nr&$!))R@~-ZLZSA35S~fG%Q0MxNMY$X374o177_|~NIpWu@*z)Ua^mVD~yhLjc<0(jeKVqO^T-_PyDU1Lov8<{d;yT#t>G%~6-R=Wx z*f4)EK=WI7#hE%i6%pb4gP}&8ATR9vCUr#b#fp>f-qKwb7?opb=v8x_2@ZIwbz1EV z)GcB#YH$|~s7>qixC)eEK;f71|M})a2n|Ei1ni{anl{JQL1e1Gj#ZezTX+HpK44f> zN2j#Jsf(j3YAB#h^16;I-GMwzQmO*}!<^Ma_z%dd2jG{IsEAa7BkY=4Ngf zZT&-1GndSxNhB%<>wYHarwXT-kh^-;>>fhHpy9-13dLJ1uI6H!s@gY)j@^e3#zJ8RFyy+0!JjA9K-(CYR*O#tR=6k;xVG@qiT19PY{{ zoLL_xk2982jJzg5`q>gF>jmN(y@AFtxFnlBw{fifJv-Ok8}$$wx7u4%=CJ!?$9yUG zaRF*M+vWqll0ObnRjmGvD(DVANQy3*+%-Fp(g4oFyqY}Hgg6I=`ZeE@fIirA- zbw>wUwGGJ_7Y;4rb!2TBTZ7f^TUy9svsvtnX49z0$8Nqvg$!LP+D8ctMw|J)T7}WQ zx&|?Lq7)(!9PZ1T++09O%?^{TVYEn+g9A-+PjhZv=9Z%2XB)6oR*EFg3nwVIEU|E4 zQj}H~fRI^S#UVw84KC67QsoGS!4-Os!(|QLW0KopP4@eF6cbr({*&}Hx+ z#q`B`2fq%tU0+jsbDp7fyy}^-E%ze_GFJ&y?GygCF4ZL+aD{-%u6U4+tuAt*wSHs^ zPd8$6vdrR#p($&BfZ>>IERc@A7($D)ypFd|c9%_@?IYC4p%TqBP$OB&`Q14!fQ>lT%n`8dzt_1ZE|o8GNWZjWJJUvzYR4Yyz+R zbmMnK9>mU~BvPm5A)m{ap^$g)->h0fW}Dm>9j4w@n`S2F&d|Nr#Hq4lGHm

zF=hd7$z-_mYP{R!V)a@jY>tbK%8G`<;O-J5vuxe45#?Yt>L|rf9Lie`S=+=+)FKqp zm0p;9Ee7g@2Cmn1!D;dsaDe9X2J4n~(ff?W-E8tc=>csnS!HY#uclCIO0i8{g&07u z__!6t>G2Mnm@cw4Xf(4&UsGW9N}bl;=vj-nIcjL{A&1QxGMv_uA*_@P;-Z~e$cz+$or`#mL7Vm8kvkew=;$FEVO&} z<|&nPnP+L`I%<>6LFA3$Au*MgARtta%3IgjZ=L02#x{;^-E zA$R?lV@2Zx=XMf6_Vv!O4vphWlGVUq*eo@AZfb`MW< zE+J)C{S%<(YUkFGB!1Sy>G;x=6BoAi#cV)>_f_^QAE&NfCn_gXWr z9gl#O7b)_+*_KOGP-;6d4|`?Df232R8!=%CY_P<2*y1@l>dAN%qSl;BVijtK?DlVz z)Z9!gBr)hJM;~AFdDCwGed9*b-`c1}Fr-4QJ9MRsdgLZH`Fkr^=-)BVZ8Ft-Hr^?gtFCc=N|d6u^rl=ood$; zV72?XpxXV;%6i0ImGy|zOuEtz&{+?Q)$Vsu>W1pX+iH)yDz|?P^q5Sw!N8-!ZKvN^ zJK?U{WACV)?{3<;!k_!#nq)zC&XtK?CkN)HL8{N+(#9f7vpBPi^KMh zVSBnEXhoHEH|w=gX`PL9qmnE{ZEv^jZdZ};acVPuT&{^8;vI8q z^$^wwz4hj;_gnKxay72nbehjqZp2Jd8$KcEj0rO>sH4i!673z*8Ri){Amm`sj>**R zNRX3gNOwERg=n2B!zthN?@XW-lRP!X)=Y|x-2P5zL$`bdaCDMVz1*Jc+jjQv|6O0- ze7x>{|L^*To8|j|Um{(hZFcqRCHtZeeH|3LMD$qmPuQ&wpSZ#=KQ%*;UsYbchp~Hg zsLHD(-r#(A#c-}JzdL*P&KXTCdihs%5LE}te&&G&Yqi0f3ov;M-XYwabqCC=nTklB zUMeV11hdtefz5>`ss8(aum0yd=IEcd!QY{ax~gX@F-PT}ESeiO%kT5#kVfyui$eJ> zU;|x|kjprqt)o(}njQ8u#XLnR^B@lA!mCukd9+Add(PgUlpN+8u?;j|_VV9pDqH#N z9!HOAF{zw`a=rN1GiR(oe0zcf(BN>Tay%UN&ZAIPSNA@X9Y%gJBv+s&wuj0ifLfxO z1q-0ASgC)-`(m9zMevdiQc_ije)-+6_@xAQA+m2S3$i%3`8 zy%3FUFMabLrG%}TiesKYVF_ft-a1-s>EUP9Ugj+3QDOprW?d#=XIE(*;NvwLm_~ig zHmYB<&?#9~0-RuB7@(%vP^NMTf+=doSh!y=i#Qx*E)Kw ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1e7..9823c5a68 100644 +index 1d732f1e7..ae2fa67f8 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; 
@@ -3376,7 +3376,7 @@ index 1d732f1e7..9823c5a68 100644 # -allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource }; -+allow passwd_t self:capability { chown dac_read_search dac_read_search ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin }; ++allow passwd_t self:capability { chown dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin }; dontaudit passwd_t self:capability sys_tty_config; allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow passwd_t self:process { setrlimit setfscreate }; @@ -35722,7 +35722,7 @@ index e4376aa98..2c98c5647 100644 + allow $1 getty_unit_file_t:service start; +') diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te -index f6743ea19..abcc39a8c 100644 +index f6743ea19..8c64a7e19 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te @@ -27,13 +27,24 @@ files_tmp_file(getty_tmp_t) @@ -35747,7 +35747,7 @@ index f6743ea19..abcc39a8c 100644 # Use capabilities. -allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid }; -+allow getty_t self:capability { dac_read_search chown setgid sys_resource sys_tty_config fowner fsetid }; ++allow getty_t self:capability { dac_read_search dac_override chown setgid sys_resource sys_tty_config fowner fsetid }; dontaudit getty_t self:capability sys_tty_config; allow getty_t self:process { getpgid setpgid getsession signal_perms }; allow getty_t self:fifo_file rw_fifo_file_perms; @@ -41173,7 +41173,7 @@ index 0e3c2a977..ea9bd57dc 100644 + userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") +') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index 446fa9908..a0d1b1ff7 100644 +index 446fa9908..31ffd73ab 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te 
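Review bot: The `dac_override` capability added back to `passwd_t` in this hunk, and to `getty_t`, `local_login_t` and `systemd_tmpfiles_t` in the hunks at -35747, -41208 and -50582, has no recorded reason in the policy text, although the 3.13.1-288 changelog entry removed it as unnecessary. `dac_override` lets the domain bypass file read, write and execute permission checks, which is considerably wider than the `dac_read_search` already present, so each grant should name the access that was denied. I would add a comment above each rule such as `# dac_override: needed for <operation>, see <bug or AVC reference>` (placeholders to be filled in by the author). Where the denial comes from a file or directory with the wrong owner or mode, fixing that is presumably a narrower remedy than the capability. The local policy blocks these rules sit in continue outside the hunks.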
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) @@ -41208,7 +41208,7 @@ index 446fa9908..a0d1b1ff7 100644 -allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; -allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow local_login_t self:process { setrlimit setexec }; -+allow local_login_t self:capability { dac_read_search chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config }; ++allow local_login_t self:capability { dac_read_search dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config }; +allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap }; allow local_login_t self:fd use; allow local_login_t self:fifo_file rw_fifo_file_perms; @@ -50091,10 +50091,10 @@ index 000000000..634d9596a +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 000000000..3660fe1c4 +index 000000000..e83a61cca --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,1025 @@ +@@ -0,0 +1,1027 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -50582,7 +50582,7 @@ index 000000000..3660fe1c4 +# Local policy +# + -+allow systemd_tmpfiles_t self:capability { chown dac_read_search fsetid fowner mknod sys_admin }; ++allow systemd_tmpfiles_t self:capability { chown dac_read_search dac_override fsetid fowner mknod sys_admin }; +allow systemd_tmpfiles_t self:process { setfscreate }; + +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms; 
@@ -51029,6 +51029,8 @@ index 000000000..3660fe1c4 +dev_read_sysfs(systemd_resolved_t) + +sysnet_manage_config(systemd_resolved_t) ++sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf") ++sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf.tmp") + +userdom_dbus_send_all_users(systemd_resolved_t) + diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index a5dfd76c..55371764 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -111760,10 +111760,10 @@ index 000000000..368e18842 +') diff --git a/tlp.te b/tlp.te new file mode 100644 -index 000000000..761cc35b0 +index 000000000..1ef713150 --- /dev/null +++ b/tlp.te -@@ -0,0 +1,80 @@ +@@ -0,0 +1,84 @@ +policy_module(tlp, 1.0.0) + +######################################## @@ -111844,6 +111844,10 @@ index 000000000..761cc35b0 +optional_policy(` + mount_domtrans(tlp_t) +') ++ ++optional_policy(` ++ sssd_stream_connect(tlp_t) ++') diff --git a/tmpreaper.te b/tmpreaper.te index 585a77f95..9858c8b8d 100644 --- a/tmpreaper.te diff --git a/selinux-policy.spec b/selinux-policy.spec index bad78440..bbbab847 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 288%{?dist} +Release: 289%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -682,6 +682,11 @@ exit 0 %endif %changelog +* Wed Sep 27 2017 Lukas Vrabec - 3.13.1-289 +- Allow tlp_t domain stream connect to sssd_t domain +- Add missing dac_override capability +- Add systemd_tmpfiles_t dac_override capability + * Fri Sep 22 2017 Lukas Vrabec - 3.13.1-288 - Remove all unnecessary dac_override capability in SELinux modules
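Review bot: The two `sysnet_filetrans_config_fromdir` rules added for `systemd_resolved_t` are not listed in the 3.13.1-289 changelog entry or the commit message, which mention only the tlp and `dac_override` changes. A labelling change for `resolv.conf` is worth an entry of its own, for example `- Add named file transitions for resolv.conf created by systemd_resolved_t`. A named transition applies only to the exact file names given, so a temporary file written under any other name would presumably keep the directory's default type; this should be confirmed against the names the daemon actually uses. The calls also lack the space after the first comma that the other arguments have: `sysnet_filetrans_config_fromdir(systemd_resolved_t, systemd_resolved_var_run_t, file, "resolv.conf")`.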
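Review bot: The new `optional_policy` block calling `sssd_stream_connect(tlp_t)` gives no reason why `tlp_t` needs to connect to the sssd socket. A one-line comment inside the block, such as `# tlp_t <reason>, see <bug or AVC reference>` (placeholders for the author to fill in), would let a later audit decide whether the grant is still needed. If the denial came from ordinary user or group name lookups, that should be stated, since it affects whether this interface or a broader name-service one is the right choice. The rest of tlp.te lies outside the hunk.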