* Tue Aug 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-272

- Allow sssd_t domain to map sssd_var_lib_t files - allow map permission where needed - contrib: allow map permission where needed - Allow syslogd_t to map syslogd_var_run_t files - allow map permission where needed
2017-08-15 16:29:24 +02:00 · 2017-08-15 16:29:24 +02:00 · 284401b055
parent c6aaaee231
commit 284401b055
4 changed files with 188 additions and 126 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -6849,7 +6849,7 @@ index b31c05491..3ad1127cc 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285ea6..732931f47 100644
+index 76f285ea6..917fc3cc5 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@ -8135,7 +8135,7 @@ index 76f285ea6..732931f47 100644
 ')
 ########################################
-@@ -3669,6 +4404,7 @@ interface(`dev_read_sound_mixer',`
+@@ -3633,6 +4368,7 @@ interface(`dev_read_sound',`
 	')
 	read_chr_files_pattern($1, device_t, sound_device_t)
@ -8143,7 +8143,15 @@ index 76f285ea6..732931f47 100644
 ')
 ########################################
-@@ -3855,7 +4591,7 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3669,6 +4405,7 @@ interface(`dev_read_sound_mixer',`
 	')
 	read_chr_files_pattern($1, device_t, sound_device_t)
 +	allow $1 sound_device_t:chr_file map;
 ')
 ########################################
@@ -3855,7 +4592,7 @@ interface(`dev_getattr_sysfs_dirs',`
 ########################################
 ## <summary>
@ -8152,7 +8160,7 @@ index 76f285ea6..732931f47 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3863,91 +4599,89 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3863,91 +4600,89 @@ interface(`dev_getattr_sysfs_dirs',`
 ##	</summary>
 ## </param>
 #
@ -8263,7 +8271,7 @@ index 76f285ea6..732931f47 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3955,60 +4689,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3955,60 +4690,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
 ##	</summary>
 ## </param>
 #
@ -8500,7 +8508,7 @@ index 76f285ea6..732931f47 100644
 	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
 	list_dirs_pattern($1, sysfs_t, sysfs_t)
-@@ -4016,6 +4905,81 @@ interface(`dev_rw_sysfs',`
+@@ -4016,6 +4906,81 @@ interface(`dev_rw_sysfs',`
 ########################################
 ## <summary>
@ -8582,7 +8590,7 @@ index 76f285ea6..732931f47 100644
 ##	Read and write the TPM device.
 ## </summary>
 ## <param name="domain">
-@@ -4113,6 +5077,25 @@ interface(`dev_write_urand',`
+@@ -4113,6 +5078,25 @@ interface(`dev_write_urand',`
 ########################################
 ## <summary>
@ -8608,7 +8616,7 @@ index 76f285ea6..732931f47 100644
 ##	Getattr generic the USB devices.
 ## </summary>
 ## <param name="domain">
-@@ -4123,7 +5106,7 @@ interface(`dev_write_urand',`
+@@ -4123,7 +5107,7 @@ interface(`dev_write_urand',`
 #
 interface(`dev_getattr_generic_usb_dev',`
 	gen_require(`
@ -8617,7 +8625,7 @@ index 76f285ea6..732931f47 100644
 	')
 	getattr_chr_files_pattern($1, device_t, usb_device_t)
-@@ -4409,9 +5392,9 @@ interface(`dev_rw_usbfs',`
+@@ -4409,9 +5393,9 @@ interface(`dev_rw_usbfs',`
 	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
 ')
@ -8629,7 +8637,7 @@ index 76f285ea6..732931f47 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4419,17 +5402,17 @@ interface(`dev_rw_usbfs',`
+@@ -4419,17 +5403,17 @@ interface(`dev_rw_usbfs',`
 ##	</summary>
 ## </param>
 #
@ -8652,7 +8660,7 @@ index 76f285ea6..732931f47 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4437,12 +5420,12 @@ interface(`dev_getattr_video_dev',`
+@@ -4437,12 +5421,12 @@ interface(`dev_getattr_video_dev',`
 ##	</summary>
 ## </param>
 #
@ -8668,7 +8676,7 @@ index 76f285ea6..732931f47 100644
 ')
 ########################################
-@@ -4539,6 +5522,134 @@ interface(`dev_write_video_dev',`
+@@ -4539,6 +5523,134 @@ interface(`dev_write_video_dev',`
 ########################################
 ## <summary>
@ -8803,7 +8811,7 @@ index 76f285ea6..732931f47 100644
 ##	Allow read/write the vhost net device
 ## </summary>
 ## <param name="domain">
-@@ -4557,6 +5668,24 @@ interface(`dev_rw_vhost',`
+@@ -4557,6 +5669,24 @@ interface(`dev_rw_vhost',`
 ########################################
 ## <summary>
@ -8828,7 +8836,7 @@ index 76f285ea6..732931f47 100644
 ##	Read and write VMWare devices.
 ## </summary>
 ## <param name="domain">
-@@ -4589,7 +5718,7 @@ interface(`dev_rwx_vmware',`
+@@ -4589,7 +5719,7 @@ interface(`dev_rwx_vmware',`
 	')
 	dev_rw_vmware($1)
@ -8837,7 +8845,7 @@ index 76f285ea6..732931f47 100644
 ')
 ########################################
-@@ -4630,6 +5759,24 @@ interface(`dev_write_watchdog',`
+@@ -4630,6 +5760,24 @@ interface(`dev_write_watchdog',`
 ########################################
 ## <summary>
@ -8862,7 +8870,7 @@ index 76f285ea6..732931f47 100644
 ##	Read and write the the wireless device.
 ## </summary>
 ## <param name="domain">
-@@ -4762,6 +5909,44 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5910,44 @@ interface(`dev_rw_xserver_misc',`
 ########################################
 ## <summary>
@ -8907,7 +8915,7 @@ index 76f285ea6..732931f47 100644
 ##	Read and write to the zero device (/dev/zero).
 ## </summary>
 ## <param name="domain">
-@@ -4794,7 +5979,7 @@ interface(`dev_rwx_zero',`
+@@ -4794,7 +5980,7 @@ interface(`dev_rwx_zero',`
 	')
 	dev_rw_zero($1)
@ -8916,7 +8924,7 @@ index 76f285ea6..732931f47 100644
 ')
 ########################################
-@@ -4851,3 +6036,1042 @@ interface(`dev_unconfined',`
+@@ -4851,3 +6037,1042 @@ interface(`dev_unconfined',`
 	typeattribute $1 devices_unconfined_type;
 ')
@ -28908,7 +28916,7 @@ index 8274418c6..a47fd0b4d 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc2d..e6be63aa8 100644
+index 6bf0ecc2d..29db5fd25 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
@@ -18,100 +18,36 @@
@ -29625,7 +29633,7 @@ index 6bf0ecc2d..e6be63aa8 100644
 +		type xdm_var_lib_t;
 +	')
 +
-+	allow $1 xdm_var_lib_t:file read_inherited_file_perms;
+	allow $1 xdm_var_lib_t:file { read_inherited_file_perms map };
 ')
 ########################################
@ -40037,7 +40045,7 @@ index b50c5fe81..9eacd9ba1 100644
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 +
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e9488463..7b395456f 100644
+index 4e9488463..5f5045ae1 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@ -40361,7 +40369,13 @@ index 4e9488463..7b395456f 100644
 ')
 ########################################
-@@ -885,6 +1107,63 @@ interface(`logging_read_generic_logs',`
+@@ -880,11 +1102,69 @@ interface(`logging_read_generic_logs',`
 	files_search_var($1)
 	allow $1 var_log_t:dir list_dir_perms;
 +	allow $1 var_log_t:file map;
 	read_files_pattern($1, var_log_t, var_log_t)
 ')
 ########################################
 ## <summary>
@ -40425,7 +40439,7 @@ index 4e9488463..7b395456f 100644
 ##	Write generic log files.
 ## </summary>
 ## <param name="domain">
-@@ -905,6 +1184,24 @@ interface(`logging_write_generic_logs',`
+@@ -905,6 +1185,24 @@ interface(`logging_write_generic_logs',`
 ########################################
 ## <summary>
@ -40450,7 +40464,7 @@ index 4e9488463..7b395456f 100644
 ##	Dontaudit Write generic log files.
 ## </summary>
 ## <param name="domain">
-@@ -984,11 +1281,16 @@ interface(`logging_admin_audit',`
+@@ -984,11 +1282,16 @@ interface(`logging_admin_audit',`
 		type auditd_t, auditd_etc_t, auditd_log_t;
 		type auditd_var_run_t;
 		type auditd_initrc_exec_t;
@ -40468,7 +40482,7 @@ index 4e9488463..7b395456f 100644
 	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
 	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
-@@ -1004,6 +1306,55 @@ interface(`logging_admin_audit',`
+@@ -1004,6 +1307,55 @@ interface(`logging_admin_audit',`
 	domain_system_change_exemption($1)
 	role_transition $2 auditd_initrc_exec_t system_r;
 	allow $2 system_r;
@ -40524,7 +40538,7 @@ index 4e9488463..7b395456f 100644
 ')
 ########################################
-@@ -1032,10 +1383,15 @@ interface(`logging_admin_syslog',`
+@@ -1032,10 +1384,15 @@ interface(`logging_admin_syslog',`
 		type syslogd_initrc_exec_t;
 	')
@ -40542,7 +40556,7 @@ index 4e9488463..7b395456f 100644
 	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
 	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
-@@ -1057,6 +1413,8 @@ interface(`logging_admin_syslog',`
+@@ -1057,6 +1414,8 @@ interface(`logging_admin_syslog',`
 	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 	logging_manage_all_logs($1)
@ -40551,7 +40565,7 @@ index 4e9488463..7b395456f 100644
 	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
 	domain_system_change_exemption($1)
-@@ -1085,3 +1443,110 @@ interface(`logging_admin',`
+@@ -1085,3 +1444,110 @@ interface(`logging_admin',`
 	logging_admin_audit($1, $2)
 	logging_admin_syslog($1, $2)
 ')
@ -40663,7 +40677,7 @@ index 4e9488463..7b395456f 100644
 +')
 +
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1a2..2ad89c533 100644
+index 59b04c1a2..483fb780e 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
@@ -4,6 +4,29 @@ policy_module(logging, 1.20.1)
@ -40947,7 +40961,7 @@ index 59b04c1a2..2ad89c533 100644
 rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
 files_search_spool(syslogd_t)
-@@ -389,30 +456,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -389,30 +456,48 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@ -40964,6 +40978,7 @@ index 59b04c1a2..2ad89c533 100644
 manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
 -files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
 +manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
 +mmap_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
 +files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir })
 +kernel_rw_stream_socket_perms(syslogd_t)
@ -40998,7 +41013,7 @@ index 59b04c1a2..2ad89c533 100644
 # syslog-ng can listen and connect on tcp port 514 (rsh)
 corenet_tcp_sendrecv_generic_if(syslogd_t)
 corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -422,6 +506,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -422,6 +507,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
 corenet_tcp_connect_rsh_port(syslogd_t)
 # Allow users to define additional syslog ports to connect to
 corenet_tcp_bind_syslogd_port(syslogd_t)
@ -41007,7 +41022,7 @@ index 59b04c1a2..2ad89c533 100644
 corenet_tcp_connect_syslogd_port(syslogd_t)
 corenet_tcp_connect_postgresql_port(syslogd_t)
 corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -432,9 +518,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -432,9 +519,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
 corenet_sendrecv_postgresql_client_packets(syslogd_t)
 corenet_sendrecv_mysqld_client_packets(syslogd_t)
@ -41041,7 +41056,7 @@ index 59b04c1a2..2ad89c533 100644
 domain_use_interactive_fds(syslogd_t)
 files_read_etc_files(syslogd_t)
-@@ -448,13 +557,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+@@ -448,13 +558,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
 fs_getattr_all_fs(syslogd_t)
 fs_search_auto_mountpoints(syslogd_t)
@ -41059,7 +41074,7 @@ index 59b04c1a2..2ad89c533 100644
 # for sending messages to logged in users
 init_read_utmp(syslogd_t)
 init_dontaudit_write_utmp(syslogd_t)
-@@ -466,11 +579,12 @@ init_use_fds(syslogd_t)
+@@ -466,11 +580,12 @@ init_use_fds(syslogd_t)
 # cjp: this doesnt make sense
 logging_send_syslog_msg(syslogd_t)
@ -41075,7 +41090,7 @@ index 59b04c1a2..2ad89c533 100644
 ifdef(`distro_gentoo',`
 	# default gentoo syslog-ng config appends kernel
-@@ -497,6 +611,7 @@ optional_policy(`
+@@ -497,6 +612,7 @@ optional_policy(`
 optional_policy(`
 	cron_manage_log_files(syslogd_t)
 	cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
@ -41083,7 +41098,7 @@ index 59b04c1a2..2ad89c533 100644
 ')
 optional_policy(`
-@@ -507,15 +622,44 @@ optional_policy(`
+@@ -507,15 +623,44 @@ optional_policy(`
 ')
 optional_policy(`
@ -41128,7 +41143,7 @@ index 59b04c1a2..2ad89c533 100644
 ')
 optional_policy(`
-@@ -526,3 +670,29 @@ optional_policy(`
+@@ -526,3 +671,29 @@ optional_policy(`
 	# log to the xconsole
 	xserver_rw_console(syslogd_t)
 ')
@ -46632,10 +46647,10 @@ index 000000000..121b42208
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 000000000..d1356af89
+index 000000000..278a1f69b
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1842 @@
+@@ -0,0 +1,1843 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@ -48435,6 +48450,7 @@ index 000000000..d1356af89
 +
 +	files_search_etc($1)
 +	manage_files_pattern($1, systemd_hwdb_etc_t, systemd_hwdb_etc_t)
 +	mmap_files_pattern($1, systemd_hwdb_etc_t, systemd_hwdb_etc_t)
 +	allow $1 systemd_hwdb_etc_t:file {relabelfrom relabelto};
 +	files_etc_filetrans($1, systemd_hwdb_etc_t, file)
 +')
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -589,7 +589,7 @@ index 058d908e4..ee0c55969 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f070f..4e5a59207 100644
+index eb50f070f..53dd1ab4d 100644
 --- a/abrt.te
 +++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@ -738,7 +738,7 @@ index eb50f070f..4e5a59207 100644
 manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
 logging_log_filetrans(abrt_t, abrt_var_log_t, file)
-@@ -125,48 +136,59 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+@@ -125,48 +136,60 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
 manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
 manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
 files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@ -748,6 +748,7 @@ index eb50f070f..4e5a59207 100644
 manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
 +mmap_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
 files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
 files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
 +files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt")
@ -805,7 +806,7 @@ index eb50f070f..4e5a59207 100644
 domain_getattr_all_domains(abrt_t)
 domain_read_all_domains_state(abrt_t)
-@@ -176,29 +198,44 @@ files_getattr_all_files(abrt_t)
+@@ -176,29 +199,44 @@ files_getattr_all_files(abrt_t)
 files_read_config_files(abrt_t)
 files_read_etc_runtime_files(abrt_t)
 files_read_var_symlinks(abrt_t)
@ -853,7 +854,7 @@ index eb50f070f..4e5a59207 100644
 tunable_policy(`abrt_anon_write',`
 	miscfiles_manage_public_files(abrt_t)
-@@ -206,15 +243,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -206,15 +244,11 @@ tunable_policy(`abrt_anon_write',`
 optional_policy(`
 	apache_list_modules(abrt_t)
@ -870,7 +871,7 @@ index eb50f070f..4e5a59207 100644
 ')
 optional_policy(`
-@@ -222,6 +255,37 @@ optional_policy(`
+@@ -222,6 +256,37 @@ optional_policy(`
 ')
 optional_policy(`
@ -908,7 +909,7 @@ index eb50f070f..4e5a59207 100644
 	policykit_domtrans_auth(abrt_t)
 	policykit_read_lib(abrt_t)
 	policykit_read_reload(abrt_t)
-@@ -234,18 +298,25 @@ optional_policy(`
+@@ -234,18 +299,25 @@ optional_policy(`
 ')
 optional_policy(`
@ -937,7 +938,7 @@ index eb50f070f..4e5a59207 100644
 optional_policy(`
 	sosreport_domtrans(abrt_t)
-@@ -253,9 +324,21 @@ optional_policy(`
+@@ -253,9 +325,21 @@ optional_policy(`
 	sosreport_delete_tmp_files(abrt_t)
 ')
@ -960,7 +961,7 @@ index eb50f070f..4e5a59207 100644
 #
 allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +349,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +350,13 @@ tunable_policy(`abrt_handle_event',`
 	can_exec(abrt_t, abrt_handle_event_exec_t)
 ')
@ -975,7 +976,7 @@ index eb50f070f..4e5a59207 100644
 #
 allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +368,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +369,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
 files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@ -983,7 +984,7 @@ index eb50f070f..4e5a59207 100644
 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
 read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +377,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +378,20 @@ corecmd_read_all_executables(abrt_helper_t)
 domain_read_all_domains_state(abrt_helper_t)
@ -1004,7 +1005,7 @@ index eb50f070f..4e5a59207 100644
 	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
 	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
 	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +398,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +399,25 @@ ifdef(`hide_broken_symptoms',`
 	dev_dontaudit_write_all_chr_files(abrt_helper_t)
 	dev_dontaudit_write_all_blk_files(abrt_helper_t)
 	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@ -1031,7 +1032,7 @@ index eb50f070f..4e5a59207 100644
 #
 allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +434,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +435,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
 dev_read_urand(abrt_retrace_coredump_t)
@ -1045,7 +1046,7 @@ index eb50f070f..4e5a59207 100644
 optional_policy(`
 	rpm_exec(abrt_retrace_coredump_t)
 	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +452,11 @@ optional_policy(`
+@@ -343,10 +453,11 @@ optional_policy(`
 #######################################
 #
@ -1059,7 +1060,7 @@ index eb50f070f..4e5a59207 100644
 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
 domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +475,84 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +476,86 @@ corecmd_exec_shell(abrt_retrace_worker_t)
 dev_read_urand(abrt_retrace_worker_t)
@ -1135,6 +1136,8 @@ index eb50f070f..4e5a59207 100644
 logging_read_generic_logs(abrt_dump_oops_t)
 +logging_read_syslog_pid(abrt_dump_oops_t)
 +logging_send_syslog_msg(abrt_dump_oops_t)
 +logging_mmap_generic_logs(abrt_dump_oops_t)
 +logging_mmap_journal(abrt_dump_oops_t)
 +
 +init_read_var_lib_files(abrt_dump_oops_t)
 +
@ -1148,7 +1151,7 @@ index eb50f070f..4e5a59207 100644
 #######################################
 #
-@@ -404,25 +560,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +563,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
 #
 allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@ -1211,7 +1214,7 @@ index eb50f070f..4e5a59207 100644
 ')
 #######################################
-@@ -430,10 +621,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +624,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
 # Global local policy
 #
@ -10663,7 +10666,7 @@ index c723a0ae0..1c29d21e7 100644
 +	allow $1 bluetooth_unit_file_t:service all_service_perms;
 ')
 diff --git a/bluetooth.te b/bluetooth.te
-index 851769e55..4b11e9620 100644
+index 851769e55..4bb326132 100644
 --- a/bluetooth.te
 +++ b/bluetooth.te
@@ -49,12 +49,15 @@ files_type(bluetooth_var_lib_t)
@ -10683,7 +10686,7 @@ index 851769e55..4b11e9620 100644
 dontaudit bluetooth_t self:capability sys_tty_config;
 allow bluetooth_t self:process { getcap setcap getsched signal_perms };
 allow bluetooth_t self:fifo_file rw_fifo_file_perms;
-@@ -78,7 +81,8 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
+@@ -78,10 +81,12 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
 manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
 manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
@ -10693,7 +10696,11 @@ index 851769e55..4b11e9620 100644
 manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
 manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
-@@ -90,27 +94,37 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
+mmap_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
 files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } )
 manage_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t)
@@ -90,27 +95,37 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
 can_exec(bluetooth_t, bluetooth_helper_exec_t)
@ -10736,7 +10743,7 @@ index 851769e55..4b11e9620 100644
 fs_getattr_all_fs(bluetooth_t)
 fs_search_auto_mountpoints(bluetooth_t)
-@@ -122,7 +136,6 @@ auth_use_nsswitch(bluetooth_t)
+@@ -122,7 +137,6 @@ auth_use_nsswitch(bluetooth_t)
 logging_send_syslog_msg(bluetooth_t)
@ -10744,7 +10751,7 @@ index 851769e55..4b11e9620 100644
 miscfiles_read_fonts(bluetooth_t)
 miscfiles_read_hwdata(bluetooth_t)
-@@ -130,6 +143,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+@@ -130,6 +144,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
 userdom_dontaudit_use_user_terminals(bluetooth_t)
 userdom_dontaudit_search_user_home_dirs(bluetooth_t)
@ -10755,7 +10762,7 @@ index 851769e55..4b11e9620 100644
 optional_policy(`
 	dbus_system_bus_client(bluetooth_t)
 	dbus_connect_system_bus(bluetooth_t)
-@@ -200,7 +217,6 @@ dev_read_urand(bluetooth_helper_t)
+@@ -200,7 +218,6 @@ dev_read_urand(bluetooth_helper_t)
 domain_read_all_domains_state(bluetooth_helper_t)
 files_read_etc_runtime_files(bluetooth_helper_t)
@ -33889,7 +33896,7 @@ index e39de436a..5edcb8330 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index ab09d6195..72d67c2cb 100644
+index ab09d6195..0007f00b3 100644
 --- a/gnome.if
 +++ b/gnome.if
@@ -1,52 +1,76 @@
@ -34307,7 +34314,7 @@ index ab09d6195..72d67c2cb 100644
 +	')
 +
 +	allow $1 gnome_home_type:dir manage_dir_perms;
-+	allow $1 gnome_home_type:file manage_file_perms;
+	allow $1 gnome_home_type:file { manage_file_perms map };
 +	allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
 +	allow $1 gnome_home_type:sock_file manage_sock_file_perms;
 +	userdom_search_user_home_dirs($1)
@ -34543,7 +34550,7 @@ index ab09d6195..72d67c2cb 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -433,17 +519,18 @@ interface(`gnome_home_filetrans',`
+@@ -433,17 +519,19 @@ interface(`gnome_home_filetrans',`
 ##	</summary>
 ## </param>
 #
@ -34557,6 +34564,7 @@ index ab09d6195..72d67c2cb 100644
 -	allow $1 gconf_home_t:dir create_dir_perms;
 +	append_files_pattern($1, cache_home_t, cache_home_t)
 +	userdom_search_user_home_dirs($1)
 +	allow $1 gnome_home_t:file { read_file_perms map };
 ')
 ########################################
@ -34566,7 +34574,7 @@ index ab09d6195..72d67c2cb 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -451,23 +538,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
+@@ -451,23 +539,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
 ##	</summary>
 ## </param>
 #
@ -34594,7 +34602,7 @@ index ab09d6195..72d67c2cb 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -475,22 +557,18 @@ interface(`gnome_read_generic_gconf_home_content',`
+@@ -475,22 +558,18 @@ interface(`gnome_read_generic_gconf_home_content',`
 ##	</summary>
 ## </param>
 #
@ -34621,7 +34629,7 @@ index ab09d6195..72d67c2cb 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -498,79 +576,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
+@@ -498,79 +577,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
 ##	</summary>
 ## </param>
 #
@ -34719,7 +34727,7 @@ index ab09d6195..72d67c2cb 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -579,12 +637,12 @@ interface(`gnome_home_filetrans_gnome_home',`
+@@ -579,12 +638,12 @@ interface(`gnome_home_filetrans_gnome_home',`
 ## </param>
 ## <param name="private_type">
 ##	<summary>
@ -34734,7 +34742,7 @@ index ab09d6195..72d67c2cb 100644
 ##	</summary>
 ## </param>
 ## <param name="name" optional="true">
-@@ -593,18 +651,18 @@ interface(`gnome_home_filetrans_gnome_home',`
+@@ -593,18 +652,18 @@ interface(`gnome_home_filetrans_gnome_home',`
 ##	</summary>
 ## </param>
 #
@ -34759,7 +34767,7 @@ index ab09d6195..72d67c2cb 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -612,46 +670,80 @@ interface(`gnome_gconf_home_filetrans',`
+@@ -612,46 +671,81 @@ interface(`gnome_gconf_home_filetrans',`
 ##	</summary>
 ## </param>
 #
@ -34844,6 +34852,7 @@ index ab09d6195..72d67c2cb 100644
 -	allow $1_gkeyringd_t $2:dbus send_msg;
 +	userdom_search_user_home_dirs($1)
 +	allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
 +	allow $1 icc_data_home_t:file map;
 +	list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
 +	read_files_pattern($1, icc_data_home_t, icc_data_home_t)
 +	read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
@ -34857,7 +34866,7 @@ index ab09d6195..72d67c2cb 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -659,46 +751,64 @@ interface(`gnome_dbus_chat_gkeyringd',`
+@@ -659,46 +753,64 @@ interface(`gnome_dbus_chat_gkeyringd',`
 ##	</summary>
 ## </param>
 #
@ -34939,7 +34948,7 @@ index ab09d6195..72d67c2cb 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -706,12 +816,1003 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -706,12 +818,1003 @@ interface(`gnome_stream_connect_gkeyringd',`
 ##	</summary>
 ## </param>
 #
@ -60092,7 +60101,7 @@ index 94b973407..448a7e836 100644
 +/var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --git a/networkmanager.if b/networkmanager.if
-index 86dc29dfa..c7d9376d5 100644
+index 86dc29dfa..cb39739a5 100644
 --- a/networkmanager.if
 +++ b/networkmanager.if
@@ -2,7 +2,7 @@
@ -60262,10 +60271,21 @@ index 86dc29dfa..c7d9376d5 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -211,9 +259,30 @@ interface(`networkmanager_read_lib_files',`
+@@ -189,6 +237,7 @@ interface(`networkmanager_manage_lib_files',`
- 	read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ 
 	files_search_var_lib($1)
 	manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
 +	allow $1 NetworkManager_var_lib_t:file map;
 ')
 ########################################
@@ -209,11 +258,33 @@ interface(`networkmanager_read_lib_files',`
 	files_search_var_lib($1)
 	list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
 	read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
 +	allow $1 NetworkManager_var_lib_t:file map;
 +')
 +
 +#######################################
 +## <summary>
 +##  Read NetworkManager conf files.
@ -60285,8 +60305,8 @@ index 86dc29dfa..c7d9376d5 100644
 +	allow $1 NetworkManager_etc_t:dir list_dir_perms;
 +	read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)
 +	read_files_pattern($1,NetworkManager_etc_rw_t,NetworkManager_etc_rw_t)
-+')
+ ')
-+
+ 
 ########################################
 ## <summary>
 -##	Append networkmanager log files.
@ -60294,7 +60314,7 @@ index 86dc29dfa..c7d9376d5 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -221,19 +290,18 @@ interface(`networkmanager_read_lib_files',`
+@@ -221,19 +292,18 @@ interface(`networkmanager_read_lib_files',`
 ##	</summary>
 ## </param>
 #
@ -60319,18 +60339,17 @@ index 86dc29dfa..c7d9376d5 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -241,13 +309,66 @@ interface(`networkmanager_append_log_files',`
+@@ -241,13 +311,66 @@ interface(`networkmanager_append_log_files',`
 ##	</summary>
 ## </param>
 #
 -interface(`networkmanager_read_pid_files',`
 +interface(`networkmanager_manage_pid_files',`
- 	gen_require(`
+	gen_require(`
- 		type NetworkManager_var_run_t;
+		type NetworkManager_var_run_t;
- 	')
+	')
- 
+
- 	files_search_pids($1)
+	files_search_pids($1)
 -	allow $1 NetworkManager_var_run_t:file read_file_perms;
 +	manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
 +')
 +
@ -60345,11 +60364,12 @@ index 86dc29dfa..c7d9376d5 100644
 +## </param>
 +#
 +interface(`networkmanager_manage_pid_sock_files',`
-+	gen_require(`
+ 	gen_require(`
-+		type NetworkManager_var_run_t;
+ 		type NetworkManager_var_run_t;
-+	')
+ 	')
-+
+ 
-+	files_search_pids($1)
+ 	files_search_pids($1)
 -	allow $1 NetworkManager_var_run_t:file read_file_perms;
 +	manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
 +')
 +
@ -60388,7 +60408,7 @@ index 86dc29dfa..c7d9376d5 100644
 ')
 ####################################
-@@ -272,14 +393,33 @@ interface(`networkmanager_stream_connect',`
+@@ -272,14 +395,33 @@ interface(`networkmanager_stream_connect',`
 ########################################
 ## <summary>
@ -60424,7 +60444,7 @@ index 86dc29dfa..c7d9376d5 100644
 ## <param name="role">
 ##	<summary>
 ##	Role allowed access.
-@@ -287,33 +427,190 @@ interface(`networkmanager_stream_connect',`
+@@ -287,33 +429,194 @@ interface(`networkmanager_stream_connect',`
 ## </param>
 ## <rolecap/>
 #
@ -60470,10 +60490,12 @@ index 86dc29dfa..c7d9376d5 100644
 -	admin_pattern($1, NetworkManager_log_t)
 +	allow $1 NetworkManager_log_t:dir list_dir_perms;
 +	append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
-+')
+	allow $1 NetworkManager_var_lib_t:file map;
 -	files_search_var_lib($1)
 -	admin_pattern($1, NetworkManager_var_lib_t)
 +')
 +
 +#######################################
 +## <summary>
 +##  Allow the specified domain to manage
@ -60491,6 +60513,8 @@ index 86dc29dfa..c7d9376d5 100644
 +    ')
 +
 +    manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
 +    allow $1 NetworkManager_var_lib_t:file map;
 +
 +')
 +
 +#######################################
@ -93498,7 +93522,7 @@ index ebe91fc70..6ba4338cb 100644
 +/sbin/cpio			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 ')
 diff --git a/rpm.if b/rpm.if
-index ef3b22507..b15d901a4 100644
+index ef3b22507..d2b4c1697 100644
 --- a/rpm.if
 +++ b/rpm.if
@@ -1,8 +1,8 @@
@ -93903,10 +93927,11 @@ index ef3b22507..b15d901a4 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -459,11 +585,12 @@ interface(`rpm_read_db',`
+@@ -459,11 +585,13 @@ interface(`rpm_read_db',`
 	allow $1 rpm_var_lib_t:dir list_dir_perms;
 	read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
 	read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
 +	allow $1 rpm_var_lib_t:file map;
 +	rpm_read_cache($1)
 ')
@ -93917,7 +93942,7 @@ index ef3b22507..b15d901a4 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -482,8 +609,7 @@ interface(`rpm_delete_db',`
+@@ -482,8 +610,7 @@ interface(`rpm_delete_db',`
 ########################################
 ## <summary>
@ -93927,10 +93952,15 @@ index ef3b22507..b15d901a4 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -503,8 +629,28 @@ interface(`rpm_manage_db',`
+@@ -499,12 +626,33 @@ interface(`rpm_manage_db',`
- 
+ 	files_search_var_lib($1)
- ########################################
+ 	manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
- ## <summary>
+ 	manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
 +	allow $1 rpm_var_lib_t:file map;
 +')
 +
 +########################################
 +## <summary>
 +##	Do not audit attempts to create, read,the RPM package database.
 +## </summary>
 +## <param name="domain">
@ -93947,17 +93977,17 @@ index ef3b22507..b15d901a4 100644
 +	dontaudit $1 rpm_var_lib_t:dir list_dir_perms;
 +	dontaudit $1 rpm_var_lib_t:file read_file_perms;
 +	dontaudit $1 rpm_var_lib_t:lnk_file read_lnk_file_perms;
-+')
+ ')
-+
+ 
-+########################################
+ ########################################
-+## <summary>
+ ## <summary>
 ##	Do not audit attempts to create, read,
 -##	write, and delete rpm lib content.
 +##	write, and delete the RPM package database.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -517,7 +663,7 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -517,9 +665,10 @@ interface(`rpm_dontaudit_manage_db',`
 		type rpm_var_lib_t;
 	')
@ -93965,8 +93995,11 @@ index ef3b22507..b15d901a4 100644
 +	dontaudit $1 rpm_var_lib_t:dir manage_dir_perms;
 	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
 	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
 +	dontaudit $1 rpm_var_lib_t:file map;
 ')
-@@ -543,8 +689,7 @@ interface(`rpm_read_pid_files',`
+ 
 #####################################
@@ -543,8 +692,7 @@ interface(`rpm_read_pid_files',`
 #####################################
 ## <summary>
@ -93976,7 +94009,7 @@ index ef3b22507..b15d901a4 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -563,8 +708,7 @@ interface(`rpm_manage_pid_files',`
+@@ -563,8 +711,7 @@ interface(`rpm_manage_pid_files',`
 ######################################
 ## <summary>
@ -93986,7 +94019,7 @@ index ef3b22507..b15d901a4 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -573,43 +717,54 @@ interface(`rpm_manage_pid_files',`
+@@ -573,43 +720,54 @@ interface(`rpm_manage_pid_files',`
 ## </param>
 #
 interface(`rpm_pid_filetrans',`
@ -94058,7 +94091,7 @@ index ef3b22507..b15d901a4 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -617,22 +772,57 @@ interface(`rpm_pid_filetrans_rpm_pid',`
+@@ -617,22 +775,57 @@ interface(`rpm_pid_filetrans_rpm_pid',`
 ##	</summary>
 ## </param>
 ## <param name="role">
@ -94127,7 +94160,7 @@ index ef3b22507..b15d901a4 100644
 	init_labeled_script_domtrans($1, rpm_initrc_exec_t)
 	domain_system_change_exemption($1)
-@@ -641,9 +831,6 @@ interface(`rpm_admin',`
+@@ -641,9 +834,6 @@ interface(`rpm_admin',`
 	admin_pattern($1, rpm_file_t)
@ -106555,7 +106588,7 @@ index dbb005aca..2655c75ab 100644
 +/var/run/secrets\.socket	-s	gen_context(system_u:object_r:sssd_var_run_t,s0)
 +/var/run/\.heim_org\.h5l\.kcm-socket	-s	gen_context(system_u:object_r:sssd_var_run_t,s0)
 diff --git a/sssd.if b/sssd.if
-index a24045518..aac25848d 100644
+index a24045518..8e00992e4 100644
 --- a/sssd.if
 +++ b/sssd.if
@@ -1,21 +1,21 @@
@ -106736,13 +106769,14 @@ index a24045518..aac25848d 100644
 ')
 ########################################
-@@ -131,14 +171,13 @@ interface(`sssd_read_public_files',`
+@@ -131,14 +171,14 @@ interface(`sssd_read_public_files',`
 	')
 	sssd_search_lib($1)
 -	allow $1 sssd_public_t:dir list_dir_perms;
 +	list_dirs_pattern($1, sssd_public_t, sssd_public_t)
 	read_files_pattern($1, sssd_public_t, sssd_public_t)
 +	mmap_files_pattern($1, sssd_public_t, sssd_public_t)
 ')
 -#######################################
@ -106754,7 +106788,7 @@ index a24045518..aac25848d 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -146,18 +185,55 @@ interface(`sssd_read_public_files',`
+@@ -146,18 +186,55 @@ interface(`sssd_read_public_files',`
 ##	</summary>
 ## </param>
 #
@ -106813,7 +106847,7 @@ index a24045518..aac25848d 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -176,8 +252,7 @@ interface(`sssd_read_pid_files',`
+@@ -176,8 +253,7 @@ interface(`sssd_read_pid_files',`
 ########################################
 ## <summary>
@ -106823,7 +106857,7 @@ index a24045518..aac25848d 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -216,8 +291,7 @@ interface(`sssd_search_lib',`
+@@ -216,8 +292,7 @@ interface(`sssd_search_lib',`
 ########################################
 ## <summary>
@ -106833,7 +106867,7 @@ index a24045518..aac25848d 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -235,6 +309,24 @@ interface(`sssd_dontaudit_search_lib',`
+@@ -235,6 +310,24 @@ interface(`sssd_dontaudit_search_lib',`
 ########################################
 ## <summary>
@ -106858,7 +106892,7 @@ index a24045518..aac25848d 100644
 ##	Read sssd lib files.
 ## </summary>
 ## <param name="domain">
-@@ -297,8 +389,7 @@ interface(`sssd_dbus_chat',`
+@@ -297,8 +390,7 @@ interface(`sssd_dbus_chat',`
 ########################################
 ## <summary>
@ -106868,7 +106902,7 @@ index a24045518..aac25848d 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -317,8 +408,130 @@ interface(`sssd_stream_connect',`
+@@ -317,8 +409,130 @@ interface(`sssd_stream_connect',`
 ########################################
 ## <summary>
@ -107001,7 +107035,7 @@ index a24045518..aac25848d 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -327,7 +540,7 @@ interface(`sssd_stream_connect',`
+@@ -327,7 +541,7 @@ interface(`sssd_stream_connect',`
 ## </param>
 ## <param name="role">
 ##	<summary>
@ -107010,7 +107044,7 @@ index a24045518..aac25848d 100644
 ##	</summary>
 ## </param>
 ## <rolecap/>
-@@ -335,27 +548,29 @@ interface(`sssd_stream_connect',`
+@@ -335,27 +549,29 @@ interface(`sssd_stream_connect',`
 interface(`sssd_admin',`
 	gen_require(`
 		type sssd_t, sssd_public_t, sssd_initrc_exec_t;
@ -107052,10 +107086,10 @@ index a24045518..aac25848d 100644
 -	admin_pattern($1, sssd_log_t)
 ')
 diff --git a/sssd.te b/sssd.te
-index 2d8db1fa3..9b13b3058 100644
+index 2d8db1fa3..b4eaeb4cc 100644
 --- a/sssd.te
 +++ b/sssd.te
-@@ -28,19 +28,31 @@ logging_log_file(sssd_var_log_t)
+@@ -28,51 +28,65 @@ logging_log_file(sssd_var_log_t)
 type sssd_var_run_t;
 files_pid_file(sssd_var_run_t)
@ -107091,8 +107125,13 @@ index 2d8db1fa3..9b13b3058 100644
 manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
 manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
-@@ -51,28 +63,28 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+mmap_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
 manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 +mmap_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
 -append_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
@ -107132,7 +107171,7 @@ index 2d8db1fa3..9b13b3058 100644
 corecmd_exec_bin(sssd_t)
-@@ -83,28 +95,36 @@ domain_read_all_domains_state(sssd_t)
+@@ -83,28 +97,36 @@ domain_read_all_domains_state(sssd_t)
 domain_obj_id_change_exemption(sssd_t)
 files_list_tmp(sssd_t)
@ -107173,7 +107212,7 @@ index 2d8db1fa3..9b13b3058 100644
 init_read_utmp(sssd_t)
-@@ -112,18 +132,71 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +134,71 @@ logging_send_syslog_msg(sssd_t)
 logging_send_audit_msgs(sssd_t)
 miscfiles_read_generic_certs(sssd_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 271%{?dist}
+Release: 272%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -681,6 +681,13 @@ exit 0
 %endif
 %changelog
 * Tue Aug 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-272
 - Allow sssd_t domain to map sssd_var_lib_t files
 - allow map permission where needed
 - contrib: allow map permission where needed
 - Allow syslogd_t to map syslogd_var_run_t files
 - allow map permission where needed
 * Mon Aug 14 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-271
 - Allow tomcat_t domain couple capabilities to make working tomcat-jsvc
 - Label /usr/libexec/sudo/sesh as shell_exec_t