From 2d6f40abe4e1d3e9cf220df478dff955d3ab2e97 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Thu, 16 Nov 2017 15:30:31 +0100
Subject: [PATCH] * Thu Nov 16 2017 Lukas Vrabec - 3.13.1-303

- Allow pcp_pmlogger to send logs to journal BZ(1512367)
- Merge pull request #40 from lslebodn/kcm_kerberos
- Allow services to use kerberos KCM BZ(1512128)
- Allow system_mail_t domain to be system_dbus_client BZ(1512476)
- Allow aide domain to stream connect to sssd_t BZ(1512500)
- Allow squid_t domain to mmap files with label squid_tmpfs_t BZ(1498809)
- Allow nsd_t domain to mmap files with labels nsd_tmp_t and nsd_zone_t BZ(1511269)
- Include cupsd_config_t domain into cups_execmem boolean. BZ(1417584)
- Allow samba_net_t domain to mmap samba_var_t files BZ(1512227)
- Allow lircd_t domain to execute shell BZ(1512787)
- Allow thumb_t domain to setattr on cache_home_t dirs BZ(1487814)
- Allow redis to create tmp files with own label BZ(1513518)
- Create new interface thumb_nnp_domtrans allowing domain transition with NoNewPrivs. This interface is added to thumb_run() BZ(1509502)
- Allow httpd_t to mmap httpd_tmp_t files BZ(1502303)
- Add map permission to samba_rw_var_files interface. BZ(1513908)
- Allow cluster_t domain to create the bundles directory with label var_log_t instead of cluster_var_log_t
- Add dac_read_search and dac_override capabilities to ganesha
- Allow ldap_t domain to also manage slapd_tmp_t lnk files
- Allow snapperd_t domain to relabel from snapperd_data_t BZ(1510584)
- Add dac_override capability to dhcpd_t domain BZ(1510030)
- Allow snapperd_t to remove old snaps BZ(1510862)
- Allow chkpwd_t domain to mmap system_db_t files and be dbus system client BZ(1513704)
- Allow xdm_t to send signull to all xserver unconfined types BZ(1499390)
- Allow fs associate for sysctl_vm_t BZ(1447301)
- Label /etc/init.d/vboxdrv as bin_t to run virtualbox as unconfined_service_t BZ(1451479)
- Allow xdm_t domain to read usermodehelper_t state BZ(1412609)
- Allow dhcpc_t domain to stream connect to userdomain domains BZ(1511948)
- Allow systemd to mmap kernel modules BZ(1513399)
- Allow userdomains to mmap fifo_files BZ(1512242)
- Merge pull request #205 from rhatdan/labels
- Add map permission to init_domtrans() interface BZ(1513832)
- Allow xdm_t domain to mmap and execute files in xdm_var_run_t BZ(1513883)
- Unconfined domains need to create content with the correct labels
- Container runtimes are running iptables within a different user namespace
- Add interface files_rmdir_all_dirs()
---
 container-selinux.tgz        |  Bin 7156 -> 7203 bytes
 policy-rawhide-base.patch    | 1716 +++++++++++++++++++++------------
 policy-rawhide-contrib.patch |  564 ++++++-----
 selinux-policy.spec          |   39 +-
 4 files changed, 1459 insertions(+), 860 deletions(-)
diff --git a/container-selinux.tgz b/container-selinux.tgz index af9d4ac86243403233abd34f035c30e837f21331..38614726f14bed5e54ca5759cf508d3a48c9b486 100644 GIT binary patch delta 7031 zcmZ{i^IP2y13VZ|23*%A@YBq(rBI9#bY zyeS)s&gNoG5@xQ2AkR&v+LyGEA3iGn@oJO8mtUgOew8OO?X##QNRcHkk<~CQU9MJ5 zUiZQy6^i#shujp=+l zhzLr@Fx8Q3l8jDE?frX!-R%|V;{U0e;QdhTPR#t0HA$j1K5%t)%bFHXvcmBLehqyrMn8h)F zxx%VO#*A19)Q51x0rK>bM`# zDl(I5VMzggOPbz~{VXVlQIus1o23y3v0wIWqk4jvvkOlKVQ=T@qZK-|jV<=k&5GeJ z)0Q`J3~dp7J-$WNW0SI}$bDeXiZicH)YbLb9`_EzMkfSrvWo$GEF# z{ctJZjqbJ>e=K;wlVD_2;PVbr{=1D{h^Rm9BTv7cs;ubZO8;hD#wtSpLZI*=o3L#+ z=kMD#!`LCU#>_9ru2>Md_f$7?wq+L6#Bcqf!AheqC2nl$xoW>ne=Svv>UT_KOMryw zfvJqWFB4dZ{~Lc#7_P-+PDf0j)DpXCvAWEv2km2z~nwL@V%fIZKUq`ri*p(!}&4* zy8j^gKA>hgD569LPU)ZaD0))YW26YQXLNi+8GLYc!~c>rgB?X-&StgWxR9QcDKJzh zkZE5ry-pcf&v5CD*;ixPQI11eJExe?rur98u!N?Z;0eDS)dz31O}~i&zS_*fH@cP{ zW55jjRq+ZIfLr7(x&?(q5i@U~le`0(u7Dgq1Lk&3MDTzJzZ2s%eR#_8J@rf+O`%_E z!~6tZBGM8qHc4arD}voo4+fmduUB*ZhH=fb3n@rbByYNpk(+H^UBft^_?F%Qx^^^< zO1;~adPC9umJ$KM8`%ykilhv<V2~A+odMFrgoR~P zF_L=M*k{s#w!PwBoeLKv&|{OjJQ%fO8d+ZFjG}Vbz&3v&&9~qlwuAXfR+oanAXSdu zm$EJXyz0k!->hR+bM)DMFke?YRWeHMm^8e$X`e4X=p)~`AH7Z!q9Tuy07hZ-o`Mdm zG=w|v`BciZ#M$<9J_ifVU!b%st^MGw>Vqq2ULzz!2wqxQj*D+!Ia-iZ**j*bPV5#4 zo@_aOUH0(KCcsuII2$Q(N<}JqT?$I~oJwAV@GF|(>dk3jGQ(wFebg^`!oW{iLflkb zkhI#ozKUo<{}kqwQEGt&(^nj(4W{h(HK=Jo!4`LdgtP0w9U64N0QGb#lAy0B&tY03 zHCNIkfd%gbeC%cP!hbjwo?DN{EBVS?%*t)R38aF}MC05ej4h^#`s8*a5`)+Vtfw=& zdzktCkJ5UJ!E2YB7^m}#mv491amJ*-IRD*iCwODa7|e`p49s&tsHRgLFhLB6p|fq1 zjTZ=SunhFWkOMdqpt4cyucw*mhsxkvSVh8%rv%c_y-EU}u!c;>Hh;nS@Oq9Yzp0X4 zKB(-j*qnhSe_IrhXQp>pE78O>l+&w!Upf1d4<040DXvDLTAEBc=`51V5? 
zpD}r4#YlkYp6l3*le~?7oKCX6Poxk-U3>!DMF#&bRDkml@HRPVdqSey6l$7M>;L24 zGZr@8(>2J5@pk-sbm}1Edovf>H&!zgx;(-$B;Da>+``R@;+Xd1i;1&;h5KDwN}Qcs z;d(6R1Wle62T&r#lsJzsy75SHao3aFf-|*M!%V;CLkZe4x0%na5H}axb%OswcV2dn z#I&9d?eAR)0IfyX5wxZ!sgNyxfOW7NBCyz_3unZdvtYMw#M3Z zHZ@*JC`EgZzghgrCx{|leUezAO!r}1T?o&TyVolg0+t+*6DI);)+p-4$?TfXQ>IGv zg2^{m+#fa#za)fJ;Y7{})g&HuU=Y>b`@{0(kEF$F+^W?$DOP0YirZ@H^;zmxK^h>| z<8JxsO>0%{kC#o{C%Qjr1pBNm!PS#`-np$ZRstmd#AW!R9+LR$E%-fRN25`e@lvu> z7K*+C04(9vtszH+$YO~alJA=`Co{QY0~VA+?cjkhN4jjw%Fp3)n0fqcE^n-~Duqk` zo)BB%!xc<{5`9Zz+yqbbw5e)qizoS9YY`!z?_8z%+Jc*9{T+{e&3U0Y5>Hg0rBOk1 z(qPM;Q&4rRQ3XHskN8^(b@M}cp|Yv*qn&*cfF#a=E$Z{;AtpMspRuXm=O&lv8G&_q znOn*5;M||-HA})Y(fFiAMKvW{^bK4%e(DA<;=aO#}TA)=$>dHv9Y79!&X{t!q!Z~ecsCnz1$U>NY zl98S47K25rNI-OD&W+TWu=mUQ>~209$3Ok6NVPMn;tfS%_=92d<)KfW(>R2fQ!M6l z-p*}LGZwsZR2gpRJ2hf;3@20ZNykBesOeEAWRKcGeWg&G<8ZaWB`8U`ISc$vJ~*}9 z=WgnsM`lWk#cxH7d2*Fuq|!NAXf&5UZkH|q2a<`P-ZiX!Xa;2g1OrZKeee%lb`9@nM)N)AY&7@KZWWBij zZn<0-@Ts32AQ&*l;Ko!qr|C&eB` zUKmY~DuCpAy*ODOYtL+kwGXc-LH8}memhf~24kx<%!zqSnd=O5>qw@pNtX-7C1P{N zpnUe(ELT!?w zV0U<~l#Mt)r?fxNI2BSe#ih(&>p!RxPz`IfBBNwr zK`WdY?*CqseP^vxg%7?0_Mow`lbiEN@SM64I!7FO(cGt^CGDK}$%lg7q3?HAyuxso zm9ybFwoY2?f!`vKnKc($e|#r*l>cIjrIJEW8>N~1dG>c+-%q4kT}kUCO&CZ~v<7qA zKt#bX<=1UGJ#!YtG+W;Exxe+zrVvh){60^ofP91n@lHgrJkQUHSSDp1IlbI@amZdpmO>i)`=fJo-fg6`=~Lhgwt&NVK*G7^{Oh=olE zO)^1qgln&7Y1Y?Sl28?W;=aDE&*fZ8llSgK3l`e=N`s@L(O|D)5R?$?~g7s?_;*$+RpU1d(uSe`ctdGT9~S! 
zteHielUGyLbdIwO65>%|XO@W6>9?sUUu|n^m?ZbTtfQq#zRw}L#)wN_Dp`#YQ6+}Z zjjvf+dBxHVwVCF2@<9;Zb?<97)wLzK;6k{&i78L85+*^NidFLyzr{ajX9 zL%A?ckh3+Q^a?8Z>u+;d8mAHAgKa%J7A9tH7>6ilu;c)@yAc%fT(qyB^el$q{t{7vtgkKl$qDl}P$}b+#ybO}&w6Mde zLlB#csdRZ>-MLcH`>$E7_kX^-a(SlLw3L4zX*(KxAkOx6>1TEiCC*;f7vo~`#=;&g zzGRH^A}&!wci;N?E5(H~RaRe)kk^z-64lE)=_UE1X=FRIfI5p2o#9*eAy1bXd_@|i zN}49;*626IRlUGIKp1`<-~Fm+|EH+$)^%@omB)8DwH(9&SAXjs6PTx;t;(7!`0pP$ z%erD^PcoOm?OdfS2{~QYEg8rcmCk!Tr{FI>-tbs#Eea40jt^Yi#rLhQrX3;B3+kEeQX%gWZ(1Dx}Fp+lFb!GJ(90g?<6>}sK zolAkg2YR(AF z5rit&>5Y?X$^+X!4px!xYTO=ef9%m_^&zV865?(?2N%m_DxoAwsZr(pV$Arb^JHUB~x~ha* z9y8a@uJ^KNZLo{MhTw2fXol+;SX>pXNcNkPi}d4`A6iT-qF?ZkXown&)jFBA@fbB5{WA`3$Kw;W#Cuw(462MkvV8GhL z50xmBDxIAP%vXMJ9)INyYzWO7*~PvidHLgIM-kzFK+~UDJx-?#J2lU3M!t~`U)+Se zJKZ>!9T#^sxPyOl8Ms41d44n|xOCzk$C{c3Y42WsDuf&hM93)jC-m2*)3@?A*;PV# zMc1dvZ{^75m%vJU&5xD?jvuk@5U0P@0_c72-Xo2OWT819WomNecs$J-=WZG+-)_5+kv1-CCV~G%TE@vNssqn$lm1_L{Zr z8t5t83c)aDS!5!`kV|`NH|QG*Zb7cqD1FDx#3`SPD1Ed_B z4bx%^HU*_>v{WN2*;qN5JK1Vo^E75u@dM-amx{Q3!(yB#A9Z$7!X_!70wFfo5@v}5 z-bu|nn=9$%!hhocMHj=xjp$2`mO<%Sm}zvWS22;T*(%s-@z z<4j|@;N!Xd!-+Nn`!RXWy$C|u%*n-%Yn+O0Gt7C=PJBv&f)7-6w^q$tkq;GA#v_Nu zh;J~?=qpcT$L1rS|8*#~1=Q5vT27E7G@OSk!cz8?Cyu6+UvJxW9H00bDyt*>@hAPR zESdVCIPFr+y>dq^?Y9&_X+tI5<&(0c7Iw8cN0RDRlBBPfQ=8OjygiNmQ|o=ODbilkty@aiykU8`GXPU<9p=q|u%)Ato z14f#RRHM$TOHS+a$BXIu{p9=og0)1WyttnGnmLl(Yp}$2? zJR@f8gT_iqC^&h<0XLy?iXjU9%V>!r$cZwV#7qSJ5+NFxwxq~Swiq*D)OeN-%I~t* z%Uer0k&SC^-8?wc4Tq8$>`v)p(8nZ4yl_qB zS@@9TA>%ki)l1@p{HL>-E-4*$WxqF@of7DSV6@S>9Oo(;`5;=)} zE3bfB;#k&&fqx^I^ks0%+IpOALt$8A192G5k!(Ctt0IY{QvFMUVKB}Afd#uBmbN?%9mf!f=R54V^CtBQA&LJsa3o&%qaah(U=_4{ z5DHa0ib~A>?7%$~diEJ>fCq(9675_+53#rw-<{LaYgzGEpa(KxIJJUZ%V{Oy)}MX=P`UQg#SR^j&tC{mvu z%ppyGXf7LsM67G_@VD5jeGAK>&hY`{^tLP^xSYhoJ|FjQHXWII`YY;kP^i`Ncckk! 
z&K{BPH1qE}#6!fWYEHTFM6pGym05T?+VJ{k3E7I8%yE#jA%w$pVi8PJ>P8|lEdc>m zRR^$=PZ$ri0*KSDvj2F9N~mXs{aQ;y1NpZW3~{MW^>rStvq>~8sd?Qs1)1jzc&gr_iBP6RuR>Nvkoj!Ij;mha}) z7*R`H%(lKwK(Swr;h=`;0?t?}{z=8;TF%Y@$r$ujkl1C-rw|o_`u>}!;Fr|mIL|~) z=;1{w+-OdLAW9R3NgJ0*z3pZy{BjRb-D2so7p}~tOJ0W{I=>4tDJRm;a6v6_UIY<7 z1H2)cipJ~x``XL6;K_;e;^jS(TJ|pxnThnSX}lp>BQy2zNj#HFNz|uDWe4Qd`1oU> z-pD?y&ZI%;#4ge|QX};%8E5ExS>VX%hu1#G%eSJPnw5ytynhNm-^UE4Q>ydsM*jSO zXo2akju`Di?_5!*?`AuVeJo|STBWplvBK4K2O#F1l4u~$YaE{Ld@$SRE5suTnsPBp z^)?K3wY?}a*cr@_cS$X_%7gLd%2{Q65!F67b$^Ugfm%?#IOg?h1bg22L$ z)a-^fdx_TAM@;6WS9Rlu4;aBJd~wJv!})i;(n6}Qh^IUmYgOPCSD;elY-~Vu1cMky z*2o}Hf^#!Jd&ZK<-kzkrfcKad#Wezcs+7RE;TJVS>jzmIPB77kvIQKl`A-?>;*cn| z>lzq$%xlNAX;gUqCG0r-7jFYYyAO_EjkGRB31>9Jx-#^6w?%PV;rl)cMUE@1Ngc)- zc|fSg&|S0na>&ptXk))(v=*k4xdh*u=}E2_tv)k+I(HX^At&w%Om07Zm^JqQp!+`o QP0#fB*mh delta 7028 zcmb7|g;tb}0!0ax1`!yV0i;E`8Ha8u>5`5C1_?=lkM2ggq@}xI=xzoCDV6T-y#FiQ zwazQ-wbwrRLKlJnI1&>D2u9IIK|eIwk6ji>n4I73l&nVgV5+trNDM_)bt8zh@NXl) zc+rNl96D+w_r9bpY5HA)7mc;Y^HmueR9c-uri8zdVE#qImAsZ%LcdOpF1w87bOL-eHsA$;BP8b?<(RXdMtkJhCc zPSu-Izc9AEc5POmf48!5|C|rIJhMD8cNsdb_Psk7yHZfoRyZwUC2;-z!c@x=M%)O~ zdlA3GBJt_q@AcW>yY5D`*PXMYcuzw2`{r+`7o{asBY&)v5v=iq0)}t)lX@s0bc0<} zF=SGi0k3Z0=jR8{xZcSNdd#|VZ~3(!?*kk0BboXY)5NPVNuD|sBLzyDOuuJ7GbzC!9c$}Djlx;+v-&DL0;0IC)(%(4&ACRp2p!V0 zIX%r^3f~9!nXvY4I#&z&Z|A>oYFp=t@3YzGF5k=o*;%{F-)eerLH3F<<$Sv;-+J}O zJ7JSd{D)~3um;>c9wpopAaL*vBr2}}HlRkxid|MVeT3eb=%q4$x0Yn{<=0&*cm204 zhiWVYg4>+7&m~Ih^$e+~T1~GiVFOj{#55@QrMigR?|AgRFA8Ld-es+Q6Qo^=FV{Gm zdg&U0Da^B-4Unmn`n+blUPo(yUgVsU#g&M50Z?qExsg(sK^tNw3)d@F;LSaU#?pF< z1)AMroxmdP!QPL*q|a&g$Q`|Jwp$hV+EEAK>5S1ssTvy0#vc4PGt$cD7aG`$ zJl66E#-d0>a|ukW?FY=ci{g`$Rru1P+$4aR*&(1x{brwNsQq`S>lvd$7WM|GyX+C& zB|BXIU`Zg?g|_!?4in|}L`2(f%qKjk%~9vn&q2nPk_48OqABrmI&~w3R~j^%3|A!X$^kw*>Hku>&TqfmdU76A6K!hde-k zvTZZbX>h+ zZ)rD~?bYzoQp}>H*$3y@r|IDH zMhb9$i=$_)U|u!jkshN7#vTnqR~ru+2cwdMIULq(67GEC-$n%=EQ2VK8c2Z2bJj`& z?t0fI72nA4RGCZWHYP|y|Mr(YYr?#O_Syh3Ly{zrCy1&VkS4g_Xz`ciBRc_ia?n3A 
zdrn1#)pb?cZz1)FD92N@m)@xB0QQlpOOTJIa) zdpg(;>N7u6oZqT(MI2+aQw6|paI)4tpDPvtpLdy1VE7Gw@>kTy&th|;yR;?WCNe>u*?U%^4gh?mN zcjMe1y}9{pI5rSIy5j(qM_=BT2tV1S;#0fS$`n*jmOP)3Gjlcg!BA(>%Qa$?ZPDS5M9>N}2w1SB*R=p3?V^&UEG0uAd^0$0H=SN@73Qn{vo#aw4F?wAY z^e6>_zK`{&qqSH__GH^aQ8TpFZJ0OBEPiPac`}6*@Ln)ujN{nE5f`1g&;SKje~~Xl ze+LdiWx0!$Kn5r#Any|DbBqA1LJ1#qr4LJyW6j+S9x-|X(~m&H*rL3_m4xqEah9# zjls+(*DQ4EG_s^8W(}M173lYGOsUHW)Jpy4W5-zdtPA6~%U3Mc58GN+i(U0L5(VB* zA`LYs%q#e{d)ojT^(Ig2W;@gmD-UMY-V?Lrs=R)Vp7$sj7Ze4Ae7lvHyaFbHu}w%^ zo;dOf6)Q<~uIu3t90_4Wbxb(7uS5Lojrs@;N;!9&fz5dWu-!jV_J!+BjLW-6i)9h! z1AC$OxKZ{!e>*Ej*rT(5hT`PYHlc-Zq3Qp#cg$@Eb5j5a{l$ege1gMlQ7?RU#Kjqo zOIYEVijx6z$f|v==B>Q@*O#!98zC^Yixl;K>BGnK*0=z77pl#ya$2fy6SiuNX_=jd zS)sOKMu#*p0c@gO#QPPvo~+#>MaONs=mS&fcM>GzWP+QyVU!eH9_g)Ph6DIPj1Pnk zk4A*nSrWiceyUI1XRhswSY;-<5c0pb>D?BnY|QL7ml|4vfBgv{hjIl9Y5^n3$f_J8h}$p|P;)_v*vH zgOn*QN!93#J2z`f6XAC@aoe010kz%Q`%?#JK{3Yv$b;Ba2AV)sQD+AZczfP^`dEps z#-~6W13dw)h+H1dE#~`Pp~uboGJ_`54kdkwMC);it!QdNSv$`BSNBi~E803;$N*!6 zXn48ZD$~v0P=o$CA*S9WDoJuoP$1i5fr@X8|7rC=tq^hcYW0-8y|Z1E+%v33wYs*0 zx~@Lh_egZN_+mHVz$^uRX6V_xF7|M8)CTNlNIZmQ>}x!Ps>Y`l!n0Di+3mM$1>5l* zI68g4dHU4MFi~u6jh5R<7$w6!1zqoqI&gheP>PGX-u!SWw|Nzn$h5|xP2yguI3 zK?FG<(#5cw%VH@wj2B|2wewAW`FyjR@`G((`_4qm+skrCH|j+cR+Oy@(PvZo@BptdyDhr2GJH&xOobHlDr=KLx>V$6`M$xkGKQknHE3ujF<| zQ!kV$miJCZb9wp3h@3d(mbh;x?^h_1gI$lm->i&Rn0NKH*!*p1^V&{P>~a=gjq_P& z$=-lDczs$MtU=|@-S<(bBx~Q0sa^v0mN4ze)3uUYSQhwNW7KT*U&y z1vcT8Lkq_T7Eha^D|FODDX-XEIQes8VLw})>ItBHbNc5~3ZZ(egSwA~UKoXI5Jf0N zkRJD6aI6Ek&E?ecsPzze8)u0*@WJg)cLpa3i;gpQc&ObCYQl#}p*`pCvHSZFdy+1q zps;h&6=bM{glF1M0!lXHfI;sS{xuipZ8VA@%9?pH-NL>x#uv0@exBW92jMXFd2yU86{yV;T;vgZ%O?<*f-?SD+;GgquPuchzLaxsrS zsrfaYaJHK+F~BJ>ZjICjPzCU)|ITy@!03*RrvgP@WHG^-P{MIm0g9|+mWTPlrJ7HE zptn>4P{))nPl944Rf)LuTeuhbPF$v6GftbRV$LYw%`m0=_O`eLfIWs*>+Hbh6foy+DjK$Q z<__Y87hW(e$GY-*pG>z4^R0i8{Y*%6xu~Cgph(JV?A|avaC2pK z#i-#lr5bW%lx#LMiF<88{xqob){zs2t>wtRz?C{^->2T`rD_qF-{H3v>;`Yg%W{b5 z>Z4gYa1bsAKCFb{V$aF}!mfUcn+2rjrDJ0#Oxt6^a}D{h5X`Dp?0N!SomT8O-rq@E 
zx3t`>J-C`mRmz8@MnkL-$6FXhm@2C*H#>qz!k%y3L3%8Bx=oJj7TGt@S|6`Jk0JUs(EdHbIXr8 z{11#r*?!a19$;16(fYTyGbaLs5Qc7O`ylUcbhBLyqjeTC? z>j*0cO@d9jNYAYscl=S_pGws&A5psgQxLrV00Z;Ohs0?-6~J@iqx3=0_LzCCtQaFf zj-{eG{kWlCj>C$aQ{{5gUU&DbY0qBK-uv^?x9i4Vw>rr4$4EYZb+A6|%3KzPaHR}n zKo*Tsq3_4SnQgTZ9l9V(a;-6M&j-Egwv3HQET9g8V7==;x5$;|@Ic^lEp+W!${{yr zBZcZRKM8_N0H=wr>%L6LuIHLc_6@|T_+3_ZSE6+{w_#3NHL0KP8V8d2y03ExhppP2 z@P6y+Gv`=|Vgd6>yTcYLq%5Pw@qU$Xb;VCAz16>5)D<(w0TQKEbh&~dJb5Bzwex3Z zw@~b9$cO1hPyUZPsnjp`RG0k-FFh+Ee1Kr#=Er-#()&uI}afg!Ql0G+tp^8bw0!|M6WY; zqBLxPgT>SpOO89uap*7)fr!}Kc|zvYjyjp{WCv@m@iC?InA+;`4_3=f@XfSflkgEp zRqck8vX66Sll#oxJBhc6e>~3*G*-w57tM?7?JWy(C$>emc)sN74CPPU&nhgBJ9Yd< zJ+@Zaq8N|LDZL{+e|MM*r+Sz4fzJbnS5D^z0G0=>_LX^s27DAq$6NVjXahH!VRrYj zrWR)8C5$Fsl_FE_WTa|=mX8L=NNv@`kGaAYYh~dCkE}L#zS33w^(}Q%iIk`uW->@f z0lZ!idFnyyb?yJb-Vmz$!xPimNdoy%M*8N-q=b-}<(*(BTqN(>Y;aih3o944*QO9a z;WgJk(2c6vFp-fJ+$x8wh?kv*+5peV7KrD;9ZKPS%$f4d&o$pk_gld?ME+Y4QMA7l ztidMnz)?k^dx1MRo12uJ+Rk!K;It4D<0Ng{O7`^%tsOUHHYVA{o|3F8>aK#URL33> z_h+~sw{l~u$Z$M55$-XhZX!|y0x6U$mP*+~ihm1S5|3xn zFSE2?(cj#;0GK9lx^3s%zz?s0G9wBMGq6b5>DK-^riR~zEAGN8j~(&dLy6nw3fJxR zdv^=m{qlOm=BDG9lg6jNC#`t&go#cCPV7v>M`Lh`{gbhY>kHYA z_<@G2)dXROrv+|<5g+~TdPBf|l+a)p99jUIFF@`J+TvZbL-(mK=?4oI}YWsio zL5pbbvh#D2w$q~2#YbB6F)9{A3ZifVL8o4|SKlk9Z3+0_TR82qJIJ=#^8Gb8)pU{! 
z;Yd12#C?^o^!T}AZR7Jwpf0;QHX$bd)+#rtIwUHSiWHw) zQIy29Z=PBGB=m&dY@Kkq_EH9cJ^SCwB8wm*nQaf5{f7E+1_o zmLY|Q>$bNdOSo9+A9{5tVzg|P{BDoy4AD4FJXJG$sQ<)>fCF0_;er^mP)SWv_Y(N@ zcXxj8tI~wzOT5W%)B#GiZZ}MNd}BDd|t} zK6X#G=pKy0{riCYab<}~?oqE$W>8+SXIuixAP!vMoGwJN62k@VC21A9OiF>IbtuaU zPviY~jOSZ=kd7+eOG=2P80Td~u&`lyYt zEJ#-z5a~n9UJ-ERr#Fa!0b{Ao3R@tH#GL$!4QXwVO>fcd(8OxHw@R$dtKsv4^bb*4 zi`mP2{mf!gk_@ z%PWpwugiL^@G6{-*k2_K$Xh+7&tlvao$SPiD1i5!BU`!RB`Grqk0mVkMTLU#UusT{ z&GXwjL)fA)9HONA1L(m{)C(kPPA3gy>o(*TZv(wmH+8({g#+?KHEuSJxR73kurMjW zf#$+j_{`VV@n7g_sfe`sl}@t;xCK|6Ep z1F3or0lrite;dULX6^`jv*1H)rQr2b7d+ia1j0~50b0%)K;7h(A^P0d@+ z+%in=oN8X)+`4*(&+gMB!~epK27m(_EyT*PJXs4q&6B}tqFMko0%YURmBvWg2w(Ke4*j2=qC+0s@_efrhyL{XAHU<; zv+^li<~;jc8vm)T%di~$LkV%UNrrj6OadhAVGDWfoOM#!?P(m?o4i@nU!^1~kONmhTj!dNh^keNhr#&A1ZvC(619I6 z<EeR)U08%5TG{|=pOD2hUxaK_q0UW z6YfSBq$HFaS~@)CTe)n1?B~ug?Rhh_<+;BD8^!J1Ik22GOH=sxmlKkLwa{P8hj(+6 zhF9P8Z%m-Xm^bu;o;F%$ZmI5%EmreJXRH8WWK@G==VxsgMB$jq)xVbrzsoMU`&)0- zYmVPEI`$b{EuFXzkR)M{A4&h$o&)JWESmmq=Z<%ERJncU>d>a#tM4ki|Nj(}o^d$n L`;t*kP*DB{1@za( diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index de2489e1..ecefc649 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -3855,7 +3855,7 @@ index 759016583..1b9a61d18 100644 + fs_mounton_fusefs(seunshare_domain) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 33e0f8dad..1eb3faaa3 100644 +index 33e0f8dad..6fd767031 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ 
@@ -3912,19 +3912,23 @@ index 33e0f8dad..1eb3faaa3 100644 /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -101,11 +118,8 @@ ifdef(`distro_redhat',` +@@ -99,13 +116,12 @@ ifdef(`distro_redhat',` - /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) + /etc/racoon/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + +-/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) ++/etc/init\.d/vboxdrv.* gen_context(system_u:object_r:bin_t,s0) -/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0) -- ++/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) + /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) -/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/netconsole -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/readonly-root -- gen_context(system_u:object_r:bin_t,s0) -@@ -116,6 +130,9 @@ ifdef(`distro_redhat',` +@@ -116,6 +132,9 @@ ifdef(`distro_redhat',` /etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3934,7 +3938,7 @@ index 33e0f8dad..1eb3faaa3 100644 /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0) -@@ -128,6 +145,8 @@ ifdef(`distro_debian',` +@@ -128,6 +147,8 @@ ifdef(`distro_debian',` /etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0) ') @@ -3943,7 +3947,7 @@ index 33e0f8dad..1eb3faaa3 100644 # # /lib # -@@ -135,10 +154,12 @@ ifdef(`distro_debian',` +@@ -135,10 +156,12 @@ ifdef(`distro_debian',` /lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0) /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) 
@@ -3957,7 +3961,7 @@ index 33e0f8dad..1eb3faaa3 100644 ifdef(`distro_gentoo',` /lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) -@@ -149,10 +170,12 @@ ifdef(`distro_gentoo',` +@@ -149,10 +172,12 @@ ifdef(`distro_gentoo',` /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0) ') @@ -3971,7 +3975,7 @@ index 33e0f8dad..1eb3faaa3 100644 /sbin/.* gen_context(system_u:object_r:bin_t,s0) /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) -@@ -168,6 +191,7 @@ ifdef(`distro_gentoo',` +@@ -168,6 +193,7 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3979,7 +3983,7 @@ index 33e0f8dad..1eb3faaa3 100644 /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -179,34 +203,50 @@ ifdef(`distro_gentoo',` +@@ -179,34 +205,50 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -4039,7 +4043,7 @@ index 33e0f8dad..1eb3faaa3 100644 /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -218,19 +258,32 @@ ifdef(`distro_gentoo',` +@@ -218,19 +260,32 @@ ifdef(`distro_gentoo',` /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) 
@@ -4079,7 +4083,7 @@ index 33e0f8dad..1eb3faaa3 100644 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) -@@ -245,26 +298,41 @@ ifdef(`distro_gentoo',` +@@ -245,26 +300,41 @@ ifdef(`distro_gentoo',` /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -4126,7 +4130,7 @@ index 33e0f8dad..1eb3faaa3 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -280,10 +348,14 @@ ifdef(`distro_gentoo',` +@@ -280,10 +350,14 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) @@ -4141,7 +4145,7 @@ index 33e0f8dad..1eb3faaa3 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -298,16 +370,22 @@ ifdef(`distro_gentoo',` +@@ -298,16 +372,22 @@ ifdef(`distro_gentoo',` /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) 
@@ -4166,7 +4170,7 @@ index 33e0f8dad..1eb3faaa3 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -325,20 +403,27 @@ ifdef(`distro_redhat', ` +@@ -325,20 +405,27 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -4195,7 +4199,7 @@ index 33e0f8dad..1eb3faaa3 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -346,6 +431,7 @@ ifdef(`distro_redhat', ` +@@ -346,6 +433,7 @@ ifdef(`distro_redhat', ` /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) @@ -4203,7 +4207,7 @@ index 33e0f8dad..1eb3faaa3 100644 /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) -@@ -387,17 +473,36 @@ ifdef(`distro_suse', ` +@@ -387,17 +475,36 @@ ifdef(`distro_suse', ` # # /var # @@ -11422,7 +11426,7 @@ index 0b1a8715a..849b00191 100644 +dev_getattr_all(devices_unconfined_type) + diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index 6a1e4d156..4b87be8e4 100644 +index 6a1e4d156..452a80549 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -76,33 +76,8 @@ interface(`domain_type',` 
@@ -11670,7 +11674,7 @@ index 6a1e4d156..4b87be8e4 100644 ## Unconfined access to domains. ## ## -@@ -1530,4 +1636,101 @@ interface(`domain_unconfined',` +@@ -1530,4 +1636,102 @@ interface(`domain_unconfined',` typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; @@ -11678,6 +11682,7 @@ index 6a1e4d156..4b87be8e4 100644 + mcs_process_set_categories($1) + + userdom_filetrans_home_content($1) ++ domain_named_filetrans($1) +') + +######################################## @@ -12608,7 +12613,7 @@ index b876c48ad..2e591a538 100644 + +/sysroot/ostree/deploy/.*-atomic/deploy(/.*)? gen_context(system_u:object_r:root_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76ad..bb8b58852 100644 +index f962f76ad..74a6d0a54 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ 
@@ -13442,37 +13447,44 @@ index f962f76ad..bb8b58852 100644 ## Do not audit attempts to set the attributes on all mount points. ## ## -@@ -1691,44 +2139,44 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1691,6 +2139,24 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## --## Do not audit attempts to write to mount points. +## Write all mount points. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_write_all_mountpoints',` -- gen_require(` -- attribute mountpoint; -- ') ++## ++## ++# +interface(`files_write_all_mountpoints',` + gen_require(` + attribute mountpoint; + ') - -- dontaudit $1 mountpoint:dir write; ++ + allow $1 mountpoint:dir write; ++') ++ ++######################################## ++## + ## Do not audit attempts to write to mount points. + ## + ## +@@ -1703,104 +2169,233 @@ interface(`files_dontaudit_write_all_mountpoints',` + gen_require(` + attribute mountpoint; + ') ++ dontaudit $1 self:capability { dac_read_search }; + + dontaudit $1 mountpoint:dir write; ') ######################################## ## -## List the contents of the root directory. -+## Do not audit attempts to write to mount points. ++## Do not audit attempts to unmount all mount points. ## ## ## 
@@ -13482,45 +13494,20 @@ index f962f76ad..bb8b58852 100644 ## # -interface(`files_list_root',` -+interface(`files_dontaudit_write_all_mountpoints',` - gen_require(` -- type root_t; -+ attribute mountpoint; - ') -+ dontaudit $1 self:capability { dac_read_search }; - -- allow $1 root_t:dir list_dir_perms; -- allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; -+ dontaudit $1 mountpoint:dir write; - ') - - ######################################## - ## --## Do not audit attempts to write to / dirs. -+## Do not audit attempts to unmount all mount points. - ## - ## - ## -@@ -1736,79 +2184,208 @@ interface(`files_list_root',` - ## - ## - # --interface(`files_dontaudit_write_root_dirs',` +interface(`files_dontaudit_unmount_all_mountpoints',` gen_require(` - type root_t; + attribute mountpoint; ') -- dontaudit $1 root_t:dir write; +- allow $1 root_t:dir list_dir_perms; +- allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; + dontaudit $1 mountpoint:filesystem unmount; ') --################### -+######################################## + ######################################## ## --## Do not audit attempts to write --## files in the root directory. +-## Do not audit attempts to write to / dirs. +## Read all mountpoint symbolic links. ## ## 
@@ -13530,23 +13517,48 @@ index f962f76ad..bb8b58852 100644 ## ## # --interface(`files_dontaudit_rw_root_dir',` +-interface(`files_dontaudit_write_root_dirs',` +interface(`files_read_all_mountpoint_symlinks',` gen_require(` - type root_t; + attribute mountpoint; ') -- dontaudit $1 root_t:dir rw_dir_perms; +- dontaudit $1 root_t:dir write; + allow $1 mountpoint:lnk_file read_lnk_file_perms; ') +-################### + ++######################################## + ## +-## Do not audit attempts to write +-## files in the root directory. ++## Make all mountpoint as entrypoint. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_rw_root_dir',` ++interface(`files_entrypoint_all_mountpoint',` + gen_require(` +- type root_t; ++ attribute mountpoint; + ') + +- dontaudit $1 root_t:dir rw_dir_perms; ++ allow $1 mountpoint:file entrypoint; + ') + ######################################## ## -## Create an object in the root directory, with a private -## type using a type transition. -+## Make all mountpoint as entrypoint. ++## Remove all file type directories. ## ## ## @@ -13570,14 +13582,14 @@ index f962f76ad..bb8b58852 100644 -## # -interface(`files_root_filetrans',` -+interface(`files_entrypoint_all_mountpoint',` ++interface(`files_rmdir_all_dirs',` gen_require(` - type root_t; -+ attribute mountpoint; ++ attribute file_type; ') - filetrans_pattern($1, root_t, $2, $3, $4) -+ allow $1 mountpoint:file entrypoint; ++ allow $1 file_type:dir rmdir; ') ######################################## @@ -13585,15 +13597,13 @@ index f962f76ad..bb8b58852 100644 -## Do not audit attempts to read files in -## the root directory. +## Write all file type directories. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_read_root_files',` ++## ++## ++# +interface(`files_write_all_dirs',` + gen_require(` + attribute file_type; 
@@ -13733,18 +13743,10 @@ index f962f76ad..bb8b58852 100644 +## +## Do not audit attempts to read files in +## the root directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_read_root_files',` - gen_require(` - type root_t; - ') -@@ -1892,25 +2469,25 @@ interface(`files_delete_root_dir_entry',` + ## + ## + ## +@@ -1892,25 +2487,25 @@ interface(`files_delete_root_dir_entry',` ######################################## ## @@ -13776,7 +13778,7 @@ index f962f76ad..bb8b58852 100644 ## ## ## -@@ -1923,7 +2500,7 @@ interface(`files_relabel_rootfs',` +@@ -1923,7 +2518,7 @@ interface(`files_relabel_rootfs',` type root_t; ') @@ -13785,7 +13787,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -1946,6 +2523,42 @@ interface(`files_unmount_rootfs',` +@@ -1946,6 +2541,42 @@ interface(`files_unmount_rootfs',` ######################################## ## @@ -13828,7 +13830,7 @@ index f962f76ad..bb8b58852 100644 ## Get attributes of the /boot directory. ## ## -@@ -2181,6 +2794,24 @@ interface(`files_relabelfrom_boot_files',` +@@ -2181,6 +2812,24 @@ interface(`files_relabelfrom_boot_files',` relabelfrom_files_pattern($1, boot_t, boot_t) ') @@ -13853,7 +13855,7 @@ index f962f76ad..bb8b58852 100644 ###################################### ## ## Read symbolic links in the /boot directory. -@@ -2557,6 +3188,24 @@ interface(`files_read_default_pipes',` +@@ -2557,6 +3206,24 @@ interface(`files_read_default_pipes',` ######################################## ## @@ -13878,7 +13880,7 @@ index f962f76ad..bb8b58852 100644 ## Search the contents of /etc directories. ## ## -@@ -2645,6 +3294,24 @@ interface(`files_rw_etc_dirs',` +@@ -2645,6 +3312,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') 
@@ -13903,7 +13905,7 @@ index f962f76ad..bb8b58852 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2716,6 +3383,7 @@ interface(`files_read_etc_files',` +@@ -2716,6 +3401,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -13911,7 +13913,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -2724,7 +3392,7 @@ interface(`files_read_etc_files',` +@@ -2724,7 +3410,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -13920,7 +13922,7 @@ index f962f76ad..bb8b58852 100644 ## ## # -@@ -2780,6 +3448,25 @@ interface(`files_manage_etc_files',` +@@ -2780,6 +3466,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -13946,7 +13948,7 @@ index f962f76ad..bb8b58852 100644 ## Delete system configuration files in /etc. ## ## -@@ -2798,6 +3485,24 @@ interface(`files_delete_etc_files',` +@@ -2798,6 +3503,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -13971,7 +13973,7 @@ index f962f76ad..bb8b58852 100644 ## Execute generic files in /etc. ## ## -@@ -2963,26 +3668,8 @@ interface(`files_delete_boot_flag',` +@@ -2963,26 +3686,8 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -14000,7 +14002,7 @@ index f962f76ad..bb8b58852 100644 ## ## ##

-@@ -3021,9 +3708,7 @@ interface(`files_read_etc_runtime_files',` +@@ -3021,9 +3726,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ##

@@ -14011,7 +14013,7 @@ index f962f76ad..bb8b58852 100644 ## ## ## -@@ -3031,18 +3716,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3031,18 +3734,17 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -14033,7 +14035,7 @@ index f962f76ad..bb8b58852 100644 ##
## ## -@@ -3060,6 +3744,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3060,6 +3762,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## @@ -14060,7 +14062,7 @@ index f962f76ad..bb8b58852 100644 ## Read and write files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3077,6 +3781,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -3077,6 +3799,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -14068,7 +14070,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -3098,6 +3803,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3098,6 +3821,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -14076,7 +14078,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -3142,10 +3848,48 @@ interface(`files_etc_filetrans_etc_runtime',` +@@ -3142,10 +3866,48 @@ interface(`files_etc_filetrans_etc_runtime',` # interface(`files_getattr_isid_type_dirs',` gen_require(` @@ -14127,7 +14129,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -3161,10 +3905,10 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3161,10 +3923,10 @@ interface(`files_getattr_isid_type_dirs',` # interface(`files_dontaudit_search_isid_type_dirs',` gen_require(` @@ -14140,7 +14142,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -3180,10 +3924,10 @@ interface(`files_dontaudit_search_isid_type_dirs',` +@@ -3180,10 +3942,10 @@ interface(`files_dontaudit_search_isid_type_dirs',` # interface(`files_list_isid_type_dirs',` gen_require(` 
@@ -14153,7 +14155,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -3199,10 +3943,10 @@ interface(`files_list_isid_type_dirs',` +@@ -3199,10 +3961,10 @@ interface(`files_list_isid_type_dirs',` # interface(`files_rw_isid_type_dirs',` gen_require(` @@ -14166,7 +14168,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -3218,10 +3962,66 @@ interface(`files_rw_isid_type_dirs',` +@@ -3218,10 +3980,66 @@ interface(`files_rw_isid_type_dirs',` # interface(`files_delete_isid_type_dirs',` gen_require(` @@ -14235,7 +14237,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -3237,10 +4037,10 @@ interface(`files_delete_isid_type_dirs',` +@@ -3237,10 +4055,10 @@ interface(`files_delete_isid_type_dirs',` # interface(`files_manage_isid_type_dirs',` gen_require(` @@ -14248,7 +14250,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -3256,10 +4056,29 @@ interface(`files_manage_isid_type_dirs',` +@@ -3256,10 +4074,29 @@ interface(`files_manage_isid_type_dirs',` # interface(`files_mounton_isid_type_dirs',` gen_require(` @@ -14280,7 +14282,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -3275,10 +4094,10 @@ interface(`files_mounton_isid_type_dirs',` +@@ -3275,10 +4112,10 @@ interface(`files_mounton_isid_type_dirs',` # interface(`files_read_isid_type_files',` gen_require(` @@ -14293,7 +14295,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -3294,10 +4113,10 @@ interface(`files_read_isid_type_files',` +@@ -3294,10 +4131,10 @@ interface(`files_read_isid_type_files',` # interface(`files_delete_isid_type_files',` gen_require(` 
@@ -14306,7 +14308,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -3313,10 +4132,10 @@ interface(`files_delete_isid_type_files',` +@@ -3313,10 +4150,10 @@ interface(`files_delete_isid_type_files',` # interface(`files_delete_isid_type_symlinks',` gen_require(` @@ -14319,7 +14321,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -3332,10 +4151,10 @@ interface(`files_delete_isid_type_symlinks',` +@@ -3332,10 +4169,10 @@ interface(`files_delete_isid_type_symlinks',` # interface(`files_delete_isid_type_fifo_files',` gen_require(` @@ -14332,7 +14334,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -3351,10 +4170,10 @@ interface(`files_delete_isid_type_fifo_files',` +@@ -3351,10 +4188,10 @@ interface(`files_delete_isid_type_fifo_files',` # interface(`files_delete_isid_type_sock_files',` gen_require(` @@ -14345,7 +14347,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -3370,10 +4189,10 @@ interface(`files_delete_isid_type_sock_files',` +@@ -3370,10 +4207,10 @@ interface(`files_delete_isid_type_sock_files',` # interface(`files_delete_isid_type_blk_files',` gen_require(` @@ -14358,7 +14360,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -3389,10 +4208,10 @@ interface(`files_delete_isid_type_blk_files',` +@@ -3389,10 +4226,10 @@ interface(`files_delete_isid_type_blk_files',` # interface(`files_dontaudit_write_isid_chr_files',` gen_require(` @@ -14371,7 +14373,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -3408,10 +4227,10 @@ interface(`files_dontaudit_write_isid_chr_files',` +@@ -3408,10 +4245,10 @@ interface(`files_dontaudit_write_isid_chr_files',` # interface(`files_delete_isid_type_chr_files',` gen_require(` 
@@ -14384,7 +14386,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -3427,10 +4246,10 @@ interface(`files_delete_isid_type_chr_files',` +@@ -3427,10 +4264,10 @@ interface(`files_delete_isid_type_chr_files',` # interface(`files_manage_isid_type_files',` gen_require(` @@ -14397,7 +14399,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -3446,10 +4265,10 @@ interface(`files_manage_isid_type_files',` +@@ -3446,10 +4283,10 @@ interface(`files_manage_isid_type_files',` # interface(`files_manage_isid_type_symlinks',` gen_require(` @@ -14410,7 +14412,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -3465,10 +4284,29 @@ interface(`files_manage_isid_type_symlinks',` +@@ -3465,10 +4302,29 @@ interface(`files_manage_isid_type_symlinks',` # interface(`files_rw_isid_type_blk_files',` gen_require(` @@ -14442,7 +14444,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -3484,10 +4322,10 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3484,10 +4340,10 @@ interface(`files_rw_isid_type_blk_files',` # interface(`files_manage_isid_type_blk_files',` gen_require(` @@ -14455,7 +14457,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -3503,10 +4341,29 @@ interface(`files_manage_isid_type_blk_files',` +@@ -3503,10 +4359,29 @@ interface(`files_manage_isid_type_blk_files',` # interface(`files_manage_isid_type_chr_files',` gen_require(` @@ -14487,7 +14489,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -3552,6 +4409,27 @@ interface(`files_dontaudit_getattr_home_dir',` +@@ -3552,6 +4427,27 @@ interface(`files_dontaudit_getattr_home_dir',` ######################################## ## 
@@ -14515,7 +14517,7 @@ index f962f76ad..bb8b58852 100644 ## Search home directories root (/home). ## ## -@@ -3814,20 +4692,38 @@ interface(`files_list_mnt',` +@@ -3814,20 +4710,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -14559,7 +14561,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -3921,6 +4817,45 @@ interface(`files_read_mnt_symlinks',` +@@ -3921,6 +4835,45 @@ interface(`files_read_mnt_symlinks',` read_lnk_files_pattern($1, mnt_t, mnt_t) ') @@ -14605,7 +14607,7 @@ index f962f76ad..bb8b58852 100644 ######################################## ## ## Create, read, write, and delete symbolic links in /mnt. -@@ -4012,6 +4947,7 @@ interface(`files_read_kernel_modules',` +@@ -4012,6 +4965,7 @@ interface(`files_read_kernel_modules',` allow $1 modules_object_t:dir list_dir_perms; read_files_pattern($1, modules_object_t, modules_object_t) read_lnk_files_pattern($1, modules_object_t, modules_object_t) @@ -14613,7 +14615,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -4217,48 +5153,218 @@ interface(`files_read_world_readable_sockets',` +@@ -4217,48 +5171,235 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -14793,6 +14795,23 @@ index f962f76ad..bb8b58852 100644 + files_filetrans_system_db_named_files($1) +') + ++###################################### ++## ++## Map manageable system db files in /var/lib. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_map_system_db_files',` ++ gen_require(` ++ type system_db_t; ++ ') ++ allow $1 system_db_t:file map; ++') ++ +##################################### +## +## File name transition for system db files in /var/lib. @@ -14858,7 +14877,7 @@ index f962f76ad..bb8b58852 100644 ## ## ## -@@ -4266,6 +5372,45 @@ interface(`files_getattr_tmp_dirs',` +@@ -4266,6 +5407,45 @@ interface(`files_getattr_tmp_dirs',` ## ## # 
@@ -14904,7 +14923,7 @@ index f962f76ad..bb8b58852 100644 interface(`files_dontaudit_getattr_tmp_dirs',` gen_require(` type tmp_t; -@@ -4289,6 +5434,8 @@ interface(`files_search_tmp',` +@@ -4289,6 +5469,8 @@ interface(`files_search_tmp',` type tmp_t; ') @@ -14913,7 +14932,7 @@ index f962f76ad..bb8b58852 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4325,6 +5472,7 @@ interface(`files_list_tmp',` +@@ -4325,6 +5507,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -14921,7 +14940,7 @@ index f962f76ad..bb8b58852 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4334,7 +5482,7 @@ interface(`files_list_tmp',` +@@ -4334,7 +5517,7 @@ interface(`files_list_tmp',` ## ## ## @@ -14930,7 +14949,7 @@ index f962f76ad..bb8b58852 100644 ## ## # -@@ -4346,6 +5494,25 @@ interface(`files_dontaudit_list_tmp',` +@@ -4346,6 +5529,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -14956,7 +14975,7 @@ index f962f76ad..bb8b58852 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4361,6 +5528,7 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4361,6 +5563,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') @@ -14964,7 +14983,7 @@ index f962f76ad..bb8b58852 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4402,6 +5570,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4402,6 +5605,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -14997,7 +15016,7 @@ index f962f76ad..bb8b58852 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4456,6 +5650,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4456,6 +5685,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## 
@@ -15040,7 +15059,7 @@ index f962f76ad..bb8b58852 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4474,6 +5704,60 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4474,6 +5739,60 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## @@ -15101,7 +15120,7 @@ index f962f76ad..bb8b58852 100644 ## List all tmp directories. ## ## -@@ -4519,7 +5803,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4519,7 +5838,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -15110,7 +15129,7 @@ index f962f76ad..bb8b58852 100644 ## ## # -@@ -4579,7 +5863,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4579,7 +5898,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -15119,7 +15138,7 @@ index f962f76ad..bb8b58852 100644 ## ## # -@@ -4611,17 +5895,55 @@ interface(`files_read_all_tmp_files',` +@@ -4611,20 +5930,58 @@ interface(`files_read_all_tmp_files',` ######################################## ## @@ -15131,10 +15150,15 @@ index f962f76ad..bb8b58852 100644 ## ## -## Domain allowed access. +-## +-## +-## +-## +-## The type of the object to be created. +## Domain to not audit. ## ## --## +-## +# +interface(`files_dontaudit_tmp_file_leaks',` + gen_require(` @@ -15150,8 +15174,7 @@ index f962f76ad..bb8b58852 100644 +## all leaked tmpfiles files. +## +## - ## --## The type of the object to be created. ++## +## Domain to not audit. +## +## @@ -15177,10 +15200,13 @@ index f962f76ad..bb8b58852 100644 +## +## +## The type of the object to be created. ++## ++## ++## + ## + ## The object class of the object being created. ## - ## - ## -@@ -4664,6 +5986,16 @@ interface(`files_purge_tmp',` +@@ -4664,6 +6021,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) 
@@ -15197,7 +15223,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -4814,6 +6146,24 @@ interface(`files_delete_usr_files',` +@@ -4814,6 +6181,24 @@ interface(`files_delete_usr_files',` ######################################## ## @@ -15222,7 +15248,7 @@ index f962f76ad..bb8b58852 100644 ## Get the attributes of files in /usr. ## ## -@@ -5112,6 +6462,24 @@ interface(`files_create_kernel_symbol_table',` +@@ -5112,6 +6497,24 @@ interface(`files_create_kernel_symbol_table',` ######################################## ## @@ -15247,7 +15273,7 @@ index f962f76ad..bb8b58852 100644 ## Read system.map in the /boot directory. ## ## -@@ -5241,6 +6609,24 @@ interface(`files_list_var',` +@@ -5241,6 +6644,24 @@ interface(`files_list_var',` ######################################## ## @@ -15272,7 +15298,7 @@ index f962f76ad..bb8b58852 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5328,7 +6714,7 @@ interface(`files_dontaudit_rw_var_files',` +@@ -5328,7 +6749,7 @@ interface(`files_dontaudit_rw_var_files',` type var_t; ') @@ -15281,7 +15307,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -5419,6 +6805,24 @@ interface(`files_var_filetrans',` +@@ -5419,6 +6840,24 @@ interface(`files_var_filetrans',` filetrans_pattern($1, var_t, $2, $3, $4) ') @@ -15306,7 +15332,7 @@ index f962f76ad..bb8b58852 100644 ######################################## ## ## Get the attributes of the /var/lib directory. -@@ -5527,6 +6931,25 @@ interface(`files_rw_var_lib_dirs',` +@@ -5527,6 +6966,25 @@ interface(`files_rw_var_lib_dirs',` ######################################## ## @@ -15332,7 +15358,7 @@ index f962f76ad..bb8b58852 100644 ## Create objects in the /var/lib directory ## ## -@@ -5596,6 +7019,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5596,6 +7054,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') 
@@ -15358,7 +15384,7 @@ index f962f76ad..bb8b58852 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5619,6 +7061,42 @@ interface(`files_manage_urandom_seed',` +@@ -5619,6 +7096,42 @@ interface(`files_manage_urandom_seed',` manage_files_pattern($1, var_lib_t, var_lib_t) ') @@ -15401,7 +15427,7 @@ index f962f76ad..bb8b58852 100644 ######################################## ## ## Allow domain to manage mount tables -@@ -5641,7 +7119,7 @@ interface(`files_manage_mounttab',` +@@ -5641,7 +7154,7 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -15410,7 +15436,7 @@ index f962f76ad..bb8b58852 100644 ## ## ## -@@ -5649,12 +7127,13 @@ interface(`files_manage_mounttab',` +@@ -5649,12 +7162,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -15426,7 +15452,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -5672,6 +7151,7 @@ interface(`files_search_locks',` +@@ -5672,6 +7186,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -15434,7 +15460,7 @@ index f962f76ad..bb8b58852 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5698,7 +7178,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5698,7 +7213,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -15462,7 +15488,7 @@ index f962f76ad..bb8b58852 100644 ## ## ## -@@ -5706,13 +7205,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5706,13 +7240,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -15479,7 +15505,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -5731,7 +7229,7 @@ interface(`files_rw_lock_dirs',` +@@ -5731,7 +7264,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') 
@@ -15488,7 +15514,7 @@ index f962f76ad..bb8b58852 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5764,7 +7262,6 @@ interface(`files_create_lock_dirs',` +@@ -5764,7 +7297,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -15496,7 +15522,7 @@ index f962f76ad..bb8b58852 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5779,7 +7276,7 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5779,7 +7311,7 @@ interface(`files_relabel_all_lock_dirs',` ######################################## ## @@ -15505,7 +15531,7 @@ index f962f76ad..bb8b58852 100644 ## ## ## -@@ -5787,13 +7284,33 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5787,13 +7319,33 @@ interface(`files_relabel_all_lock_dirs',` ## ## # @@ -15540,7 +15566,7 @@ index f962f76ad..bb8b58852 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5809,13 +7326,12 @@ interface(`files_getattr_generic_locks',` +@@ -5809,13 +7361,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -15558,7 +15584,7 @@ index f962f76ad..bb8b58852 100644 ') ######################################## -@@ -5834,9 +7350,7 @@ interface(`files_manage_generic_locks',` +@@ -5834,9 +7385,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -15569,7 +15595,7 @@ index f962f76ad..bb8b58852 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5878,8 +7392,7 @@ interface(`files_read_all_locks',` +@@ -5878,8 +7427,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -15579,7 +15605,7 @@ index f962f76ad..bb8b58852 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5901,8 +7414,7 @@ interface(`files_manage_all_locks',` +@@ -5901,8 +7449,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') 
@@ -15589,7 +15615,7 @@ index f962f76ad..bb8b58852 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5939,8 +7451,7 @@ interface(`files_lock_filetrans',` +@@ -5939,8 +7486,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -15599,7 +15625,7 @@ index f962f76ad..bb8b58852 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5979,7 +7490,7 @@ interface(`files_setattr_pid_dirs',` +@@ -5979,7 +7525,7 @@ interface(`files_setattr_pid_dirs',` type var_run_t; ') @@ -15608,7 +15634,7 @@ index f962f76ad..bb8b58852 100644 allow $1 var_run_t:dir setattr; ') -@@ -5999,10 +7510,48 @@ interface(`files_search_pids',` +@@ -5999,10 +7545,48 @@ interface(`files_search_pids',` type var_t, var_run_t; ') 
@@ -15657,69 +15683,101 @@ index f962f76ad..bb8b58852 100644 ######################################## ## ## Do not audit attempts to search -@@ -6025,6 +7574,43 @@ interface(`files_dontaudit_search_pids',` +@@ -6025,42 +7609,79 @@ interface(`files_dontaudit_search_pids',` ######################################## ## +-## List the contents of the runtime process +-## ID directories (/var/run). +## Do not audit attempts to search +## the all /var/run directory. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`files_list_pids',` +interface(`files_dontaudit_search_all_pids',` -+ gen_require(` + gen_require(` +- type var_t, var_run_t; + attribute pidfile; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) + dontaudit $1 pidfile:dir search_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read generic process ID files. +## Allow search the all /var/run directory. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`files_read_generic_pids',` +interface(`files_search_all_pids',` -+ gen_require(` + gen_require(` +- type var_t, var_run_t; + attribute pidfile; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) +- read_files_pattern($1, var_run_t, var_run_t) + allow $1 pidfile:dir search_dir_perms; +') + +######################################## +## - ## List the contents of the runtime process - ## ID directories (/var/run). - ## -@@ -6039,7 +7625,7 @@ interface(`files_list_pids',` - type var_t, var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++## List the contents of the runtime process ++## ID directories (/var/run). ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_list_pids',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ + files_search_pids($1) - list_dirs_pattern($1, var_t, var_run_t) ++ list_dirs_pattern($1, var_t, var_run_t) ++') ++ ++######################################## ++## ++## Read generic process ID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_generic_pids',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ ++ files_search_pids($1) ++ list_dirs_pattern($1, var_t, var_run_t) ++ read_files_pattern($1, var_run_t, var_run_t) ') -@@ -6058,7 +7644,7 @@ interface(`files_read_generic_pids',` - type var_t, var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ files_search_pids($1) - list_dirs_pattern($1, var_t, var_run_t) - read_files_pattern($1, var_run_t, var_run_t) - ') -@@ -6078,7 +7664,7 @@ interface(`files_write_generic_pid_pipes',` + ######################################## +@@ -6078,7 +7699,7 @@ interface(`files_write_generic_pid_pipes',` type var_run_t; ') @@ -15728,7 +15786,7 @@ index f962f76ad..bb8b58852 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6140,7 +7726,6 @@ interface(`files_pid_filetrans',` +@@ -6140,7 +7761,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -15736,7 +15794,7 @@ index f962f76ad..bb8b58852 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6169,6 +7754,24 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6169,6 +7789,24 @@ interface(`files_pid_filetrans_lock_dir',` ######################################## ## @@ -15761,7 +15819,7 @@ index f962f76ad..bb8b58852 100644 ## Read and write generic process ID files. ## ## -@@ -6182,7 +7785,7 @@ interface(`files_rw_generic_pids',` +@@ -6182,7 +7820,7 @@ interface(`files_rw_generic_pids',` type var_t, var_run_t; ') 
@@ -15770,221 +15828,307 @@ index f962f76ad..bb8b58852 100644 list_dirs_pattern($1, var_t, var_run_t) rw_files_pattern($1, var_run_t, var_run_t) ') -@@ -6249,6 +7852,116 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6249,55 +7887,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## +-## Read all process ID files. +## Relable all pid directories -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabel_all_pid_dirs',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ relabel_dirs_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## -+## Delete all pid sockets -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_delete_all_pid_sockets',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:sock_file delete_sock_file_perms; -+') -+ -+######################################## -+## -+## Create all pid sockets -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_create_all_pid_sockets',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:sock_file create_sock_file_perms; -+') -+ -+######################################## -+## -+## Create all pid named pipes -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_create_all_pid_pipes',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:fifo_file create_fifo_file_perms; -+') -+ -+######################################## -+## -+## Delete all pid named pipes -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_delete_all_pid_pipes',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:fifo_file delete_fifo_file_perms; -+') -+ -+######################################## -+## -+## manage all pidfile directories -+## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_manage_all_pid_dirs',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ manage_dirs_pattern($1,pidfile,pidfile) -+') -+ -+ -+######################################## -+## - ## Read all process ID files. ## ## -@@ -6261,12 +7974,105 @@ interface(`files_dontaudit_ioctl_all_pids',` - interface(`files_read_all_pids',` + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_read_all_pids',` ++interface(`files_relabel_all_pid_dirs',` gen_require(` attribute pidfile; - type var_t, var_run_t; -+ type var_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, pidfile) - read_files_pattern($1, pidfile, pidfile) -+ read_lnk_files_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## -+## Relable all pid files -+## -+## -+## +- list_dirs_pattern($1, var_t, pidfile) +- read_files_pattern($1, pidfile, pidfile) ++ relabel_dirs_pattern($1, pidfile, pidfile) + ') + + ######################################## + ## +-## Delete all process IDs. ++## Delete all pid sockets + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_delete_all_pids',` ++interface(`files_delete_all_pid_sockets',` + gen_require(` + attribute pidfile; +- type var_t, var_run_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:dir rmdir; +- allow $1 var_run_t:lnk_file delete_lnk_file_perms; +- delete_files_pattern($1, pidfile, pidfile) +- delete_fifo_files_pattern($1, pidfile, pidfile) +- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++ allow $1 pidfile:sock_file delete_sock_file_perms; + ') + + ######################################## + ## +-## Delete all process ID directories. 
++## Create all pid sockets + ## + ## + ## +@@ -6305,42 +7931,35 @@ interface(`files_delete_all_pids',` + ## + ## + # +-interface(`files_delete_all_pid_dirs',` ++interface(`files_create_all_pid_sockets',` + gen_require(` + attribute pidfile; +- type var_t, var_run_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- delete_dirs_pattern($1, pidfile, pidfile) ++ allow $1 pidfile:sock_file create_sock_file_perms; + ') + + ######################################## + ## +-## Create, read, write and delete all +-## var_run (pid) content ++## Create all pid named pipes + ## + ## + ## +-## Domain alloed access. +## Domain allowed access. -+## -+## -+# -+interface(`files_relabel_all_pid_files',` -+ gen_require(` + ## + ## + # +-interface(`files_manage_all_pids',` ++interface(`files_create_all_pid_pipes',` + gen_require(` + attribute pidfile; + ') + +- manage_dirs_pattern($1, pidfile, pidfile) +- manage_files_pattern($1, pidfile, pidfile) +- manage_lnk_files_pattern($1, pidfile, pidfile) ++ allow $1 pidfile:fifo_file create_fifo_file_perms; + ') + + ######################################## + ## +-## Mount filesystems on all polyinstantiation +-## member directories. ++## Delete all pid named pipes + ## + ## + ## +@@ -6348,18 +7967,18 @@ interface(`files_manage_all_pids',` + ## + ## + # +-interface(`files_mounton_all_poly_members',` ++interface(`files_delete_all_pid_pipes',` + gen_require(` +- attribute polymember; + attribute pidfile; -+ ') + ') + +- allow $1 polymember:dir mounton; ++ allow $1 pidfile:fifo_file delete_fifo_file_perms; + ') + + ######################################## + ## +-## Search the contents of generic spool +-## directories (/var/spool). ++## manage all pidfile directories ++## in the /var/run directory. 
+ ## + ## + ## +@@ -6367,37 +7986,40 @@ interface(`files_mounton_all_poly_members',` + ## + ## + # +-interface(`files_search_spool',` ++interface(`files_manage_all_pid_dirs',` + gen_require(` +- type var_t, var_spool_t; ++ attribute pidfile; + ') + +- search_dirs_pattern($1, var_t, var_spool_t) ++ manage_dirs_pattern($1,pidfile,pidfile) + ') + + -+ relabel_files_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## -+## Execute generic programs in /var/run in the caller domain. -+## -+## -+## + ######################################## + ## +-## Do not audit attempts to search generic +-## spool directories. ++## Read all process ID files. + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## ++## + # +-interface(`files_dontaudit_search_spool',` ++interface(`files_read_all_pids',` + gen_require(` +- type var_spool_t; ++ attribute pidfile; ++ type var_t; + ') + +- dontaudit $1 var_spool_t:dir search_dir_perms; ++ list_dirs_pattern($1, var_t, pidfile) ++ read_files_pattern($1, pidfile, pidfile) ++ read_lnk_files_pattern($1, pidfile, pidfile) + ') + + ######################################## + ## +-## List the contents of generic spool +-## (/var/spool) directories. ++## Relable all pid files + ## + ## + ## +@@ -6405,18 +8027,17 @@ interface(`files_dontaudit_search_spool',` + ## + ## + # +-interface(`files_list_spool',` ++interface(`files_relabel_all_pid_files',` + gen_require(` +- type var_t, var_spool_t; ++ attribute pidfile; + ') + +- list_dirs_pattern($1, var_t, var_spool_t) ++ relabel_files_pattern($1, pidfile, pidfile) + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool directories (/var/spool). ++## Execute generic programs in /var/run in the caller domain. 
+ ## + ## + ## +@@ -6424,18 +8045,18 @@ interface(`files_list_spool',` + ## + ## + # +-interface(`files_manage_generic_spool_dirs',` +interface(`files_exec_generic_pid_files',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + type var_run_t; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_dirs_pattern($1, var_spool_t, var_spool_t) + exec_files_pattern($1, var_run_t, var_run_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read generic spool files. +## Write all sockets +## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6443,19 +8064,18 @@ interface(`files_manage_generic_spool_dirs',` + ## + ## + # +-interface(`files_read_generic_spool',` +interface(`files_write_all_pid_sockets',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute pidfile; -+ ') -+ + ') + +- list_dirs_pattern($1, var_t, var_spool_t) +- read_files_pattern($1, var_spool_t, var_spool_t) + allow $1 pidfile:sock_file write_sock_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool files. +## manage all pidfiles +## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6463,55 +8083,62 @@ interface(`files_read_generic_spool',` + ## + ## + # +-interface(`files_manage_generic_spool',` +interface(`files_manage_all_pids',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute pidfile; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_files_pattern($1, var_spool_t, var_spool_t) + manage_files_pattern($1,pidfile,pidfile) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create objects in the spool directory +-## with a private type with a type transition. 
+## Mount filesystems on all polyinstantiation +## member directories. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Type to which the created node will be transitioned. +-## +-## +-## +-## +-## Object class(es) (single or set including {}) for which this +-## the transition will occur. +-## +-## +-## +# +interface(`files_mounton_all_poly_members',` + gen_require(` 
@@ -15992,36 +16136,107 @@ index f962f76ad..bb8b58852 100644 + ') + + allow $1 polymember:dir mounton; - ') - - ######################################## -@@ -6286,8 +8092,8 @@ interface(`files_delete_all_pids',` - type var_t, var_run_t; ++') ++ ++######################################## ++## ++## Delete all process IDs. ++## ++## + ## +-## The name of the object being created. ++## Domain allowed access. + ## + ## ++## + # +-interface(`files_spool_filetrans',` ++interface(`files_delete_all_pids',` + gen_require(` +- type var_t, var_spool_t; ++ attribute pidfile; ++ type var_t, var_run_t; ') + files_search_pids($1) allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:dir rmdir; - allow $1 var_run_t:lnk_file delete_lnk_file_perms; - delete_files_pattern($1, pidfile, pidfile) -@@ -6311,36 +8117,80 @@ interface(`files_delete_all_pid_dirs',` - type var_t, var_run_t; - ') - -+ files_search_pids($1) - allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - delete_dirs_pattern($1, pidfile, pidfile) +- filetrans_pattern($1, var_spool_t, $2, $3, $4) ++ allow $1 var_run_t:dir rmdir; ++ allow $1 var_run_t:lnk_file delete_lnk_file_perms; ++ delete_files_pattern($1, pidfile, pidfile) ++ delete_fifo_files_pattern($1, pidfile, pidfile) ++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ') ######################################## ## --## Create, read, write and delete all --## var_run (pid) content +-## Allow access to manage all polyinstantiated +-## directories on the system. ++## Delete all process ID directories. 
+ ## + ## + ## +@@ -6519,64 +8146,963 @@ interface(`files_spool_filetrans',` + ## + ## + # +-interface(`files_polyinstantiate_all',` ++interface(`files_delete_all_pid_dirs',` + gen_require(` +- attribute polydir, polymember, polyparent; +- type poly_t; ++ attribute pidfile; ++ type var_t, var_run_t; + ') + +- # Need to give access to /selinux/member +- selinux_compute_member($1) +- +- # Need sys_admin capability for mounting +- allow $1 self:capability { chown fsetid sys_admin fowner }; +- +- # Need to give access to the directories to be polyinstantiated +- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; +- +- # Need to give access to the polyinstantiated subdirectories +- allow $1 polymember:dir search_dir_perms; +- +- # Need to give access to parent directories where original +- # is remounted for polyinstantiation aware programs (like gdm) +- allow $1 polyparent:dir { getattr mounton }; +- +- # Need to give permission to create directories where applicable +- allow $1 self:process setfscreate; +- allow $1 polymember: dir { create setattr relabelto }; +- allow $1 polydir: dir { write add_name open }; +- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; +- +- # Default type for mountpoints +- allow $1 poly_t:dir { create mounton }; +- fs_unmount_xattr_fs($1) +- +- fs_mount_tmpfs($1) +- fs_unmount_tmpfs($1) +- +- ifdef(`distro_redhat',` +- # namespace.init +- files_search_tmp($1) +- files_search_home($1) +- corecmd_exec_bin($1) +- seutil_domtrans_setfiles($1) +- ') ++ files_search_pids($1) ++ allow $1 var_t:dir search_dir_perms; ++ delete_dirs_pattern($1, pidfile, pidfile) + ') + + ######################################## + ## +-## Unconfined access to files. +## Make the specified type a file +## used for spool files. -+## + ## +-## +## +##

+## Make the specified type usable for spool files. @@ -16049,18 +16264,22 @@ index f962f76ad..bb8b58852 100644 +##

+##
+## -+## + ## +-## Domain allowed access. +## Type of the file to be used as a +## spool file. -+## -+## + ## + ## +## -+# + # +-interface(`files_unconfined',` +interface(`files_spool_file',` -+ gen_require(` + gen_require(` +- attribute files_unconfined_type; + attribute spoolfile; -+ ') -+ + ') + +- typeattribute $1 files_unconfined_type; + files_type($1) + typeattribute $1 spoolfile; +') @@ -16068,47 +16287,36 @@ index f962f76ad..bb8b58852 100644 +######################################## +## +## Create all spool sockets - ## - ## - ## --## Domain alloed access. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`files_manage_all_pids',` ++##
++## ++# +interface(`files_create_all_spool_sockets',` - gen_require(` -- attribute pidfile; ++ gen_require(` + attribute spoolfile; - ') - -- manage_dirs_pattern($1, pidfile, pidfile) -- manage_files_pattern($1, pidfile, pidfile) -- manage_lnk_files_pattern($1, pidfile, pidfile) ++ ') ++ + allow $1 spoolfile:sock_file create_sock_file_perms; - ') - - ######################################## - ## --## Mount filesystems on all polyinstantiation --## member directories. ++') ++ ++######################################## ++## +## Delete all spool sockets - ## - ## - ## -@@ -6348,12 +8198,33 @@ interface(`files_manage_all_pids',` - ## - ## - # --interface(`files_mounton_all_poly_members',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_delete_all_spool_sockets',` - gen_require(` -- attribute polymember; ++ gen_require(` + attribute spoolfile; - ') - -- allow $1 polymember:dir mounton; ++ ') ++ + allow $1 spoolfile:sock_file delete_sock_file_perms; +') + 
@@ -16131,13 +16339,232 @@ index f962f76ad..bb8b58852 100644 + ') + + relabel_dirs_pattern($1, spoolfile, spoolfile) - ') - - ######################################## -@@ -6580,3 +8451,623 @@ interface(`files_unconfined',` - - typeattribute $1 files_unconfined_type; - ') ++') ++ ++######################################## ++## ++## Search the contents of generic spool ++## directories (/var/spool). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_search_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ search_dirs_pattern($1, var_t, var_spool_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to search generic ++## spool directories. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_search_spool',` ++ gen_require(` ++ type var_spool_t; ++ ') ++ ++ dontaudit $1 var_spool_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## List the contents of generic spool ++## (/var/spool) directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_list_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ list_dirs_pattern($1, var_t, var_spool_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete generic ++## spool directories (/var/spool). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_generic_spool_dirs',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ manage_dirs_pattern($1, var_spool_t, var_spool_t) ++') ++ ++######################################## ++## ++## Read generic spool files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_read_generic_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ list_dirs_pattern($1, var_t, var_spool_t) ++ read_files_pattern($1, var_spool_t, var_spool_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete generic ++## spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_generic_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ manage_files_pattern($1, var_spool_t, var_spool_t) ++') ++ ++######################################## ++## ++## Create objects in the spool directory ++## with a private type with a type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Type to which the created node will be transitioned. ++## ++## ++## ++## ++## Object class(es) (single or set including {}) for which this ++## the transition will occur. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`files_spool_filetrans',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ filetrans_pattern($1, var_spool_t, $2, $3, $4) ++') ++ ++######################################## ++## ++## Allow access to manage all polyinstantiated ++## directories on the system. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_polyinstantiate_all',` ++ gen_require(` ++ attribute polydir, polymember, polyparent; ++ type poly_t; ++ ') ++ ++ # Need to give access to /selinux/member ++ selinux_compute_member($1) ++ ++ # Need sys_admin capability for mounting ++ allow $1 self:capability { chown fsetid sys_admin fowner }; ++ ++ # Need to give access to the directories to be polyinstantiated ++ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; ++ ++ # Need to give access to the polyinstantiated subdirectories ++ allow $1 polymember:dir search_dir_perms; ++ ++ # Need to give access to parent directories where original ++ # is remounted for polyinstantiation aware programs (like gdm) ++ allow $1 polyparent:dir { getattr mounton }; ++ ++ # Need to give permission to create directories where applicable ++ allow $1 self:process setfscreate; ++ allow $1 polymember: dir { create setattr relabelto }; ++ allow $1 polydir: dir { write add_name open }; ++ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; ++ ++ # Default type for mountpoints ++ allow $1 poly_t:dir { create mounton }; ++ fs_unmount_xattr_fs($1) ++ ++ fs_mount_tmpfs($1) ++ fs_unmount_tmpfs($1) ++ ++ ifdef(`distro_redhat',` ++ # namespace.init ++ files_search_tmp($1) ++ files_search_home($1) ++ corecmd_exec_bin($1) ++ seutil_domtrans_setfiles($1) ++ ') ++') ++ ++######################################## ++## ++## Unconfined access to files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_unconfined',` ++ gen_require(` ++ attribute files_unconfined_type; ++ ') ++ ++ typeattribute $1 files_unconfined_type; ++') + +######################################## +## @@ -16757,7 +17184,7 @@ index f962f76ad..bb8b58852 100644 + ') + + allow $1 modules_object_t:dir mounton; -+') + ') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 1a03abdd7..3221f8018 100644 
--- a/policy/modules/kernel/files.te @@ -22775,7 +23202,7 @@ index e100d886b..355a67b18 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c5e..2d283007a 100644 +index 8dbab4c5e..4818adb52 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; @@ -22866,8 +23293,11 @@ index 8dbab4c5e..2d283007a 100644 # /proc/sys/net directory and files type sysctl_net_t, sysctl_type; genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0) -@@ -153,6 +176,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) +@@ -151,8 +174,13 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) + + # /proc/sys/vm directory and files type sysctl_vm_t, sysctl_type; ++fs_associate(sysctl_vm_t) genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0) +# /proc/sys/vm/overcommit_memory @@ -22877,7 +23307,7 @@ index 8dbab4c5e..2d283007a 100644 # /proc/sys/dev directory and files type sysctl_dev_t, sysctl_type; genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) -@@ -165,6 +192,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) +@@ -165,6 +193,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) type unlabeled_t; fs_associate(unlabeled_t) sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) @@ -22892,7 +23322,7 @@ index 8dbab4c5e..2d283007a 100644 # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -189,6 +224,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +@@ -189,6 +225,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) # kernel local policy # 
@@ -22900,7 +23330,7 @@ index 8dbab4c5e..2d283007a 100644 allow kernel_t self:capability ~sys_module; allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow kernel_t self:shm create_shm_perms; -@@ -233,7 +269,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; +@@ -233,7 +270,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; corenet_in_generic_if(unlabeled_t) corenet_in_generic_node(unlabeled_t) @@ -22908,7 +23338,7 @@ index 8dbab4c5e..2d283007a 100644 corenet_all_recvfrom_netlabel(kernel_t) # Kernel-generated traffic e.g., ICMP replies: corenet_raw_sendrecv_all_if(kernel_t) -@@ -244,17 +279,26 @@ corenet_tcp_sendrecv_all_if(kernel_t) +@@ -244,17 +280,26 @@ corenet_tcp_sendrecv_all_if(kernel_t) corenet_tcp_sendrecv_all_nodes(kernel_t) corenet_raw_send_generic_node(kernel_t) corenet_send_all_packets(kernel_t) @@ -22939,7 +23369,7 @@ index 8dbab4c5e..2d283007a 100644 # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem -@@ -263,7 +307,8 @@ fs_unmount_all_fs(kernel_t) +@@ -263,7 +308,8 @@ fs_unmount_all_fs(kernel_t) selinux_load_policy(kernel_t) @@ -22949,7 +23379,7 @@ index 8dbab4c5e..2d283007a 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -277,13 +322,23 @@ files_list_root(kernel_t) +@@ -277,13 +323,23 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -22973,7 +23403,7 @@ index 8dbab4c5e..2d283007a 100644 ifdef(`distro_redhat',` # Bugzilla 222337 -@@ -291,11 +346,29 @@ ifdef(`distro_redhat',` +@@ -291,11 +347,29 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -23003,7 +23433,7 @@ index 8dbab4c5e..2d283007a 100644 ') optional_policy(` -@@ -305,6 +378,19 @@ optional_policy(` +@@ -305,6 +379,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) 
@@ -23023,7 +23453,7 @@ index 8dbab4c5e..2d283007a 100644 ') optional_policy(` -@@ -312,6 +398,11 @@ optional_policy(` +@@ -312,6 +399,11 @@ optional_policy(` ') optional_policy(` @@ -23035,7 +23465,7 @@ index 8dbab4c5e..2d283007a 100644 # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. allow kernel_t self:tcp_socket create_stream_socket_perms; -@@ -332,9 +423,6 @@ optional_policy(` +@@ -332,9 +424,6 @@ optional_policy(` sysnet_read_config(kernel_t) @@ -23045,7 +23475,7 @@ index 8dbab4c5e..2d283007a 100644 rpc_udp_rw_nfs_sockets(kernel_t) tunable_policy(`nfs_export_all_ro',` -@@ -343,9 +431,7 @@ optional_policy(` +@@ -343,9 +432,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -23056,7 +23486,7 @@ index 8dbab4c5e..2d283007a 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -354,7 +440,7 @@ optional_policy(` +@@ -354,7 +441,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -23065,7 +23495,7 @@ index 8dbab4c5e..2d283007a 100644 ') ') -@@ -364,9 +450,22 @@ optional_policy(` +@@ -364,9 +451,22 @@ optional_policy(` ') optional_policy(` @@ -23088,7 +23518,7 @@ index 8dbab4c5e..2d283007a 100644 ######################################## # # Unlabeled process local policy -@@ -388,6 +487,8 @@ optional_policy(` +@@ -388,6 +488,8 @@ optional_policy(` if( ! secure_mode_insmod ) { allow can_load_kernmodule self:capability sys_module; @@ -23097,7 +23527,7 @@ index 8dbab4c5e..2d283007a 100644 # load_module() calls stop_machine() which # calls sched_setscheduler() allow can_load_kernmodule self:capability sys_nice; -@@ -399,14 +500,38 @@ if( ! secure_mode_insmod ) { +@@ -399,14 +501,38 @@ if( ! secure_mode_insmod ) { # Rules for unconfined acccess to this module # @@ -32046,7 +32476,7 @@ index 6bf0ecc2d..75b2f31f9 100644 +') + 
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b403774f..0bdea37e9 100644 +index 8b403774f..f17b76dec 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -32405,7 +32835,7 @@ index 8b403774f..0bdea37e9 100644 ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) ssh_dontaudit_rw_tcp_sockets(xauth_t) -@@ -300,64 +420,108 @@ optional_policy(` +@@ -300,64 +420,110 @@ optional_policy(` # XDM Local policy # @@ -32438,11 +32868,13 @@ index 8b403774f..0bdea37e9 100644 + +allow xdm_t xauth_home_t:file manage_file_perms; + ++allow xdm_t xserver_unconfined_type:process { signull }; + +-allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; +allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms }; +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) - --allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; ++ +manage_dirs_pattern(xdm_t, xdm_home_t, xdm_home_t) +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t) +xserver_filetrans_home_content(xdm_t) @@ -32499,12 +32931,12 @@ index 8b403774f..0bdea37e9 100644 manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) ++exec_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) +manage_lnk_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) -files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file }) +manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) +files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file }) -+allow xdm_t xdm_var_run_t:file map; -allow xdm_t xserver_t:process signal; +allow xdm_t xserver_t:process { signal signull }; 
@@ -32527,7 +32959,7 @@ index 8b403774f..0bdea37e9 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -366,20 +530,31 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -366,20 +532,32 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -32552,6 +32984,7 @@ index 8b403774f..0bdea37e9 100644 +kernel_request_load_module(xdm_t) +kernel_stream_connect(xdm_t) +kernel_view_key(xdm_t) ++kernel_read_usermodehelper_state(xdm_t) corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) @@ -32561,7 +32994,7 @@ index 8b403774f..0bdea37e9 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -389,38 +564,51 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -389,38 +567,51 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -32617,7 +33050,7 @@ index 8b403774f..0bdea37e9 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +619,30 @@ files_list_mnt(xdm_t) +@@ -431,9 +622,30 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -32648,7 +33081,7 @@ index 8b403774f..0bdea37e9 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,28 +651,50 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -442,28 +654,50 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) 
@@ -32704,7 +33137,7 @@ index 8b403774f..0bdea37e9 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +703,171 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +706,171 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -32882,7 +33315,7 @@ index 8b403774f..0bdea37e9 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +880,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +883,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') @@ -32914,7 +33347,7 @@ index 8b403774f..0bdea37e9 100644 ') optional_policy(` -@@ -518,8 +915,36 @@ optional_policy(` +@@ -518,8 +918,36 @@ optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -32933,7 +33366,8 @@ index 8b403774f..0bdea37e9 100644 + cpufreqselector_dbus_chat(xdm_t) + ') + -+ optional_policy(` + optional_policy(` +- accountsd_dbus_chat(xdm_t) + devicekit_dbus_chat_disk(xdm_t) + devicekit_dbus_chat_power(xdm_t) + ') @@ -32942,8 +33376,7 @@ index 8b403774f..0bdea37e9 100644 + hal_dbus_chat(xdm_t) + ') + - optional_policy(` -- accountsd_dbus_chat(xdm_t) ++ optional_policy(` + gnomeclock_dbus_chat(xdm_t) + ') + @@ -32952,7 +33385,7 @@ index 8b403774f..0bdea37e9 100644 ') ') -@@ -530,6 +955,20 @@ optional_policy(` +@@ -530,6 +958,20 @@ optional_policy(` ') optional_policy(` @@ -32973,7 +33406,7 @@ index 8b403774f..0bdea37e9 100644 hostname_exec(xdm_t) ') -@@ -547,28 +986,78 @@ optional_policy(` +@@ -547,28 +989,78 @@ optional_policy(` ') optional_policy(` @@ -33061,7 +33494,7 @@ index 8b403774f..0bdea37e9 100644 ') optional_policy(` -@@ -580,6 +1069,14 @@ optional_policy(` +@@ -580,6 +1072,14 @@ optional_policy(` ') optional_policy(` 
@@ -33076,7 +33509,7 @@ index 8b403774f..0bdea37e9 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1091,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1094,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -33085,7 +33518,7 @@ index 8b403774f..0bdea37e9 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1101,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1104,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -33098,7 +33531,7 @@ index 8b403774f..0bdea37e9 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1118,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1121,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -33114,7 +33547,7 @@ index 8b403774f..0bdea37e9 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,36 +1134,53 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,36 +1137,53 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) 
@@ -33172,7 +33605,7 @@ index 8b403774f..0bdea37e9 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1201,29 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1204,29 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -33205,7 +33638,7 @@ index 8b403774f..0bdea37e9 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1235,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1238,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -33220,7 +33653,7 @@ index 8b403774f..0bdea37e9 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,28 +1256,25 @@ init_getpgid(xserver_t) +@@ -718,28 +1259,25 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -33253,7 +33686,7 @@ index 8b403774f..0bdea37e9 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; -@@ -785,17 +1320,54 @@ optional_policy(` +@@ -785,17 +1323,54 @@ optional_policy(` ') optional_policy(` @@ -33310,7 +33743,7 @@ index 8b403774f..0bdea37e9 100644 ') optional_policy(` -@@ -803,6 +1375,10 @@ optional_policy(` +@@ -803,6 +1378,10 @@ optional_policy(` ') optional_policy(` @@ -33321,7 +33754,7 @@ index 8b403774f..0bdea37e9 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1394,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1397,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! 
@@ -33346,7 +33779,7 @@ index 8b403774f..0bdea37e9 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1417,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1420,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -33381,7 +33814,7 @@ index 8b403774f..0bdea37e9 100644 ') optional_policy(` -@@ -912,7 +1482,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1485,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -33390,7 +33823,7 @@ index 8b403774f..0bdea37e9 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1536,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1539,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -33422,7 +33855,7 @@ index 8b403774f..0bdea37e9 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1582,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1585,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -34801,7 +35234,7 @@ index 3efd5b669..a8cb6df3d 100644 + allow $1 login_pgm:key manage_key_perms; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 09b791dcc..78d158ca9 100644 +index 09b791dcc..498375fcf 100644 
--- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) @@ -34894,16 +35327,17 @@ index 09b791dcc..78d158ca9 100644 dontaudit chkpwd_t self:capability sys_tty_config; allow chkpwd_t self:process { getattr signal }; -@@ -109,6 +131,8 @@ dev_read_urand(chkpwd_t) +@@ -109,6 +131,9 @@ dev_read_urand(chkpwd_t) files_read_etc_files(chkpwd_t) # for nscd files_dontaudit_search_var(chkpwd_t) +files_read_usr_symlinks(chkpwd_t) +files_list_tmp(chkpwd_t) ++files_map_system_db_files(chkpwd_t) fs_dontaudit_getattr_xattr_fs(chkpwd_t) -@@ -122,12 +146,11 @@ auth_use_nsswitch(chkpwd_t) +@@ -122,12 +147,11 @@ auth_use_nsswitch(chkpwd_t) logging_send_audit_msgs(chkpwd_t) logging_send_syslog_msg(chkpwd_t) @@ -34917,7 +35351,18 @@ index 09b791dcc..78d158ca9 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -153,53 +176,52 @@ optional_policy(` +@@ -141,6 +165,10 @@ optional_policy(` + ') + + optional_policy(` ++ dbus_system_bus_client(chkpwd_t) ++') ++ ++optional_policy(` + kerberos_use(chkpwd_t) + ') + +@@ -153,53 +181,52 @@ optional_policy(` # PAM local policy # @@ -34999,7 +35444,7 @@ index 09b791dcc..78d158ca9 100644 ') ######################################## -@@ -289,7 +311,6 @@ init_use_script_ptys(pam_console_t) +@@ -289,7 +316,6 @@ init_use_script_ptys(pam_console_t) logging_send_syslog_msg(pam_console_t) @@ -35007,7 +35452,7 @@ index 09b791dcc..78d158ca9 100644 miscfiles_read_generic_certs(pam_console_t) seutil_read_file_contexts(pam_console_t) -@@ -330,7 +351,7 @@ optional_policy(` +@@ -330,7 +356,7 @@ optional_policy(` # updpwd local policy # 
@@ -35016,7 +35461,7 @@ index 09b791dcc..78d158ca9 100644 allow updpwd_t self:process setfscreate; allow updpwd_t self:fifo_file rw_fifo_file_perms; allow updpwd_t self:unix_stream_socket create_stream_socket_perms; -@@ -341,6 +362,11 @@ kernel_read_system_state(updpwd_t) +@@ -341,6 +367,11 @@ kernel_read_system_state(updpwd_t) dev_read_urand(updpwd_t) files_manage_etc_files(updpwd_t) @@ -35028,7 +35473,7 @@ index 09b791dcc..78d158ca9 100644 term_dontaudit_use_console(updpwd_t) term_dontaudit_use_unallocated_ttys(updpwd_t) -@@ -350,9 +376,7 @@ auth_use_nsswitch(updpwd_t) +@@ -350,9 +381,7 @@ auth_use_nsswitch(updpwd_t) logging_send_syslog_msg(updpwd_t) @@ -35039,7 +35484,7 @@ index 09b791dcc..78d158ca9 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -380,13 +404,15 @@ term_dontaudit_use_all_ttys(utempter_t) +@@ -380,13 +409,15 @@ term_dontaudit_use_all_ttys(utempter_t) term_dontaudit_use_all_ptys(utempter_t) term_dontaudit_use_ptmx(utempter_t) @@ -35056,7 +35501,7 @@ index 09b791dcc..78d158ca9 100644 # Allow utemper to write to /tmp/.xses-* userdom_write_user_tmp_files(utempter_t) -@@ -397,19 +423,29 @@ ifdef(`distro_ubuntu',` +@@ -397,19 +428,29 @@ ifdef(`distro_ubuntu',` ') optional_policy(` @@ -35090,7 +35535,7 @@ index 09b791dcc..78d158ca9 100644 files_list_var_lib(nsswitch_domain) # read /etc/nsswitch.conf -@@ -417,15 +453,42 @@ files_read_etc_files(nsswitch_domain) +@@ -417,15 +458,42 @@ files_read_etc_files(nsswitch_domain) sysnet_dns_name_resolve(nsswitch_domain) @@ -35135,7 +35580,7 @@ index 09b791dcc..78d158ca9 100644 ldap_stream_connect(nsswitch_domain) ') ') -@@ -438,6 +501,7 @@ optional_policy(` +@@ -438,6 +506,7 @@ optional_policy(` likewise_stream_connect_lsassd(nsswitch_domain) ') @@ -35143,7 +35588,7 @@ index 09b791dcc..78d158ca9 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -456,10 +520,163 @@ optional_policy(` +@@ -456,10 +525,163 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) 
@@ -36088,7 +36533,7 @@ index bc0ffc84e..37b8ea5ec 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f62e..b25993d41 100644 +index 79a45f62e..0244681f0 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -36319,10 +36764,13 @@ index 79a45f62e..b25993d41 100644 ######################################## ## ## Mark the file type as a daemon run dir, allowing initrc_t -@@ -460,6 +512,25 @@ interface(`init_domtrans',` - domtrans_pattern($1, init_exec_t, init_t) - ') +@@ -458,6 +510,26 @@ interface(`init_domtrans',` + ') + domtrans_pattern($1, init_exec_t, init_t) ++ allow $1 init_exec_t:file map; ++') ++ + +######################################## +## @@ -36340,12 +36788,10 @@ index 79a45f62e..b25993d41 100644 + ') + + allow $1 init_exec_t:file entrypoint; -+') -+ + ') + ######################################## - ## - ## Execute the init program in the caller domain. -@@ -469,7 +540,6 @@ interface(`init_domtrans',` +@@ -469,7 +541,6 @@ interface(`init_domtrans',` ## Domain allowed access. ## ## @@ -36353,7 +36799,7 @@ index 79a45f62e..b25993d41 100644 # interface(`init_exec',` gen_require(` -@@ -478,6 +548,48 @@ interface(`init_exec',` +@@ -478,6 +549,48 @@ interface(`init_exec',` corecmd_search_bin($1) can_exec($1, init_exec_t) @@ -36402,7 +36848,7 @@ index 79a45f62e..b25993d41 100644 ') ######################################## -@@ -566,6 +678,58 @@ interface(`init_sigchld',` +@@ -566,6 +679,58 @@ interface(`init_sigchld',` ######################################## ## @@ -36461,7 +36907,7 @@ index 79a45f62e..b25993d41 100644 ## Connect to init with a unix socket. ## ## -@@ -576,12 +740,87 @@ interface(`init_sigchld',` +@@ -576,12 +741,87 @@ interface(`init_sigchld',` # interface(`init_stream_connect',` gen_require(` 
@@ -36549,7 +36995,7 @@ index 79a45f62e..b25993d41 100644 ######################################## ## ## Inherit and use file descriptors from init. -@@ -743,22 +982,24 @@ interface(`init_write_initctl',` +@@ -743,22 +983,24 @@ interface(`init_write_initctl',` interface(`init_telinit',` gen_require(` type initctl_t; @@ -36583,7 +37029,7 @@ index 79a45f62e..b25993d41 100644 ') ######################################## -@@ -787,7 +1028,7 @@ interface(`init_rw_initctl',` +@@ -787,7 +1029,7 @@ interface(`init_rw_initctl',` ## ## ## @@ -36592,7 +37038,7 @@ index 79a45f62e..b25993d41 100644 ## ## # -@@ -830,11 +1071,12 @@ interface(`init_script_file_entry_type',` +@@ -830,11 +1072,12 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -36607,7 +37053,7 @@ index 79a45f62e..b25993d41 100644 ifdef(`distro_gentoo',` gen_require(` -@@ -845,11 +1087,11 @@ interface(`init_spec_domtrans_script',` +@@ -845,11 +1088,11 @@ interface(`init_spec_domtrans_script',` ') ifdef(`enable_mcs',` @@ -36621,7 +37067,7 @@ index 79a45f62e..b25993d41 100644 ') ') -@@ -865,23 +1107,45 @@ interface(`init_spec_domtrans_script',` +@@ -865,23 +1108,45 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -36671,7 +37117,7 @@ index 79a45f62e..b25993d41 100644 ## Execute a init script in a specified domain. ## ## -@@ -933,9 +1197,14 @@ interface(`init_script_file_domtrans',` +@@ -933,9 +1198,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -36686,7 +37132,7 @@ index 79a45f62e..b25993d41 100644 files_search_etc($1) ') -@@ -992,7 +1261,7 @@ interface(`init_run_daemon',` +@@ -992,7 +1262,7 @@ interface(`init_run_daemon',` ######################################## ## 
@@ -36695,7 +37141,7 @@ index 79a45f62e..b25993d41 100644 ## ## ## -@@ -1000,38 +1269,37 @@ interface(`init_run_daemon',` +@@ -1000,38 +1270,37 @@ interface(`init_run_daemon',` ## ## # @@ -36743,7 +37189,7 @@ index 79a45f62e..b25993d41 100644 ## ## ## -@@ -1039,17 +1307,19 @@ interface(`init_ptrace',` +@@ -1039,17 +1308,19 @@ interface(`init_ptrace',` ## ## # @@ -36767,7 +37213,7 @@ index 79a45f62e..b25993d41 100644 ## ## ## -@@ -1057,18 +1327,17 @@ interface(`init_write_script_pipes',` +@@ -1057,18 +1328,17 @@ interface(`init_write_script_pipes',` ## ## # @@ -36790,7 +37236,7 @@ index 79a45f62e..b25993d41 100644 ##
## ## -@@ -1076,18 +1345,94 @@ interface(`init_getattr_script_files',` +@@ -1076,18 +1346,94 @@ interface(`init_getattr_script_files',` ## ## # @@ -36890,7 +37336,7 @@ index 79a45f62e..b25993d41 100644 ##
## ## -@@ -1125,6 +1470,63 @@ interface(`init_getattr_all_script_files',` +@@ -1125,6 +1471,63 @@ interface(`init_getattr_all_script_files',` ######################################## ## @@ -36954,7 +37400,7 @@ index 79a45f62e..b25993d41 100644 ## Read all init script files. ## ## -@@ -1144,6 +1546,24 @@ interface(`init_read_all_script_files',` +@@ -1144,6 +1547,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -36979,7 +37425,7 @@ index 79a45f62e..b25993d41 100644 ## Dontaudit read all init script files. ## ## -@@ -1195,12 +1615,7 @@ interface(`init_read_script_state',` +@@ -1195,12 +1616,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -36993,7 +37439,7 @@ index 79a45f62e..b25993d41 100644 ') ######################################## -@@ -1314,6 +1729,24 @@ interface(`init_signal_script',` +@@ -1314,6 +1730,24 @@ interface(`init_signal_script',` ######################################## ## @@ -37018,7 +37464,7 @@ index 79a45f62e..b25993d41 100644 ## Send null signals to init scripts. ## ## -@@ -1440,6 +1873,27 @@ interface(`init_dbus_send_script',` +@@ -1440,6 +1874,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -37046,7 +37492,7 @@ index 79a45f62e..b25993d41 100644 ## init scripts over dbus. ## ## -@@ -1547,6 +2001,25 @@ interface(`init_getattr_script_status_files',` +@@ -1547,6 +2002,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -37072,7 +37518,7 @@ index 79a45f62e..b25993d41 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1605,6 +2078,42 @@ interface(`init_rw_script_tmp_files',` +@@ -1605,6 +2079,42 @@ interface(`init_rw_script_tmp_files',` ######################################## ## 
@@ -37115,7 +37561,7 @@ index 79a45f62e..b25993d41 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1677,6 +2186,43 @@ interface(`init_read_utmp',` +@@ -1677,6 +2187,43 @@ interface(`init_read_utmp',` ######################################## ## @@ -37159,7 +37605,7 @@ index 79a45f62e..b25993d41 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1765,7 +2311,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1765,7 +2312,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -37168,7 +37614,7 @@ index 79a45f62e..b25993d41 100644 ') ######################################## -@@ -1806,30 +2352,157 @@ interface(`init_pid_filetrans_utmp',` +@@ -1806,30 +2353,157 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') @@ -37339,7 +37785,7 @@ index 79a45f62e..b25993d41 100644 ## Domain allowed access. ## ## -@@ -1840,3 +2513,584 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1840,3 +2514,584 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -37925,7 +38371,7 @@ index 79a45f62e..b25993d41 100644 +') + diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda2480..cc1720cf2 100644 +index 17eda2480..09d9144cb 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -38248,7 +38694,7 @@ index 17eda2480..cc1720cf2 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +348,294 @@ ifdef(`distro_gentoo',` +@@ -186,29 +348,295 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -38413,6 +38859,7 @@ index 17eda2480..cc1720cf2 100644 +files_relabel_var_dirs(init_t) +files_relabel_var_lib_dirs(init_t) +files_read_kernel_modules(init_t) ++files_map_kernel_modules(init_t) +files_dontaudit_mounton_isid(init_t) +fs_getattr_all_fs(init_t) +fs_manage_cgroup_dirs(init_t) 
@@ -38552,7 +38999,7 @@ index 17eda2480..cc1720cf2 100644 ') optional_policy(` -@@ -216,7 +643,35 @@ optional_policy(` +@@ -216,7 +644,35 @@ optional_policy(` ') optional_policy(` @@ -38589,7 +39036,7 @@ index 17eda2480..cc1720cf2 100644 ') ######################################## -@@ -225,9 +680,9 @@ optional_policy(` +@@ -225,9 +681,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -38601,7 +39048,7 @@ index 17eda2480..cc1720cf2 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +713,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +714,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -38618,7 +39065,7 @@ index 17eda2480..cc1720cf2 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +738,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +739,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -38661,7 +39108,7 @@ index 17eda2480..cc1720cf2 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +775,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +776,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -38673,7 +39120,7 @@ index 17eda2480..cc1720cf2 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +787,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +788,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) 
@@ -38684,7 +39131,7 @@ index 17eda2480..cc1720cf2 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +798,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +799,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -38694,7 +39141,7 @@ index 17eda2480..cc1720cf2 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +807,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +808,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -38702,7 +39149,7 @@ index 17eda2480..cc1720cf2 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +814,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +815,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -38710,7 +39157,7 @@ index 17eda2480..cc1720cf2 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +822,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +823,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -38728,7 +39175,7 @@ index 17eda2480..cc1720cf2 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +840,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +841,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -38742,7 +39189,7 @@ index 17eda2480..cc1720cf2 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +855,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +856,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -38756,7 +39203,7 @@ index 17eda2480..cc1720cf2 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +868,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +869,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -38767,7 +39214,7 @@ index 17eda2480..cc1720cf2 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +881,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +882,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -38775,7 +39222,7 @@ index 17eda2480..cc1720cf2 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +900,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +901,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -38799,7 +39246,7 @@ index 17eda2480..cc1720cf2 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +933,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +934,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -38807,7 +39254,7 @@ index 17eda2480..cc1720cf2 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +967,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +968,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -38818,7 +39265,7 @@ index 17eda2480..cc1720cf2 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +991,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +992,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -38827,7 +39274,7 @@ index 17eda2480..cc1720cf2 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +1006,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +1007,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -38835,7 +39282,7 @@ index 17eda2480..cc1720cf2 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +1027,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +1028,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -38843,7 +39290,7 @@ index 17eda2480..cc1720cf2 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +1037,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +1038,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -38888,7 +39335,7 @@ index 17eda2480..cc1720cf2 100644 ') optional_policy(` -@@ -559,14 +1082,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1083,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -38920,7 +39367,7 @@ index 17eda2480..cc1720cf2 100644 ') ') -@@ -577,6 +1117,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1118,39 @@ ifdef(`distro_suse',` ') ') @@ -38960,7 +39407,7 @@ index 17eda2480..cc1720cf2 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1162,8 @@ optional_policy(` +@@ -589,6 +1163,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) 
@@ -38969,7 +39416,7 @@ index 17eda2480..cc1720cf2 100644 ') optional_policy(` -@@ -610,6 +1185,7 @@ optional_policy(` +@@ -610,6 +1186,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -38977,7 +39424,7 @@ index 17eda2480..cc1720cf2 100644 ') optional_policy(` -@@ -626,6 +1202,17 @@ optional_policy(` +@@ -626,6 +1203,17 @@ optional_policy(` ') optional_policy(` @@ -38995,7 +39442,7 @@ index 17eda2480..cc1720cf2 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1229,13 @@ optional_policy(` +@@ -642,9 +1230,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -39009,7 +39456,7 @@ index 17eda2480..cc1720cf2 100644 ') optional_policy(` -@@ -657,15 +1248,11 @@ optional_policy(` +@@ -657,15 +1249,11 @@ optional_policy(` ') optional_policy(` @@ -39027,7 +39474,7 @@ index 17eda2480..cc1720cf2 100644 ') optional_policy(` -@@ -686,6 +1273,15 @@ optional_policy(` +@@ -686,6 +1274,15 @@ optional_policy(` ') optional_policy(` @@ -39043,7 +39490,7 @@ index 17eda2480..cc1720cf2 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1322,7 @@ optional_policy(` +@@ -726,6 +1323,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -39051,7 +39498,7 @@ index 17eda2480..cc1720cf2 100644 ') optional_policy(` -@@ -743,7 +1340,13 @@ optional_policy(` +@@ -743,7 +1341,13 @@ optional_policy(` ') optional_policy(` @@ -39066,7 +39513,7 @@ index 17eda2480..cc1720cf2 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1369,10 @@ optional_policy(` +@@ -766,6 +1370,10 @@ optional_policy(` ') optional_policy(` @@ -39077,7 +39524,7 @@ index 17eda2480..cc1720cf2 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1382,20 @@ optional_policy(` +@@ -775,10 +1383,20 @@ optional_policy(` ') optional_policy(` 
@@ -39098,7 +39545,7 @@ index 17eda2480..cc1720cf2 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1404,10 @@ optional_policy(` +@@ -787,6 +1405,10 @@ optional_policy(` ') optional_policy(` @@ -39109,7 +39556,7 @@ index 17eda2480..cc1720cf2 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1429,6 @@ optional_policy(` +@@ -808,8 +1430,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -39118,7 +39565,7 @@ index 17eda2480..cc1720cf2 100644 ') optional_policy(` -@@ -818,6 +1437,10 @@ optional_policy(` +@@ -818,6 +1438,10 @@ optional_policy(` ') optional_policy(` @@ -39129,7 +39576,7 @@ index 17eda2480..cc1720cf2 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1450,12 @@ optional_policy(` +@@ -827,10 +1451,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -39142,7 +39589,7 @@ index 17eda2480..cc1720cf2 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1482,62 @@ optional_policy(` +@@ -857,21 +1483,62 @@ optional_policy(` ') optional_policy(` @@ -39206,7 +39653,7 @@ index 17eda2480..cc1720cf2 100644 ') optional_policy(` -@@ -887,6 +1553,10 @@ optional_policy(` +@@ -887,6 +1554,10 @@ optional_policy(` ') optional_policy(` @@ -39217,7 +39664,7 @@ index 17eda2480..cc1720cf2 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1567,218 @@ optional_policy(` +@@ -897,3 +1568,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -40226,10 +40673,10 @@ index c42fbc329..bf211dbee 100644 + files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock") +') diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index be8ed1e6c..697c2cf05 100644 +index be8ed1e6c..5a5a54d66 100644 --- a/policy/modules/system/iptables.te 
+++ b/policy/modules/system/iptables.te -@@ -16,44 +16,61 @@ role iptables_roles types iptables_t; +@@ -16,44 +16,62 @@ role iptables_roles types iptables_t; type iptables_initrc_exec_t; init_script_file(iptables_initrc_exec_t) @@ -40258,6 +40705,7 @@ index be8ed1e6c..697c2cf05 100644 -allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw }; +allow iptables_t self:capability { dac_read_search net_admin net_raw }; ++allow iptables_t self:cap_userns { dac_read_search net_admin net_raw }; dontaudit iptables_t self:capability sys_tty_config; allow iptables_t self:fifo_file rw_fifo_file_perms; allow iptables_t self:process { sigchld sigkill sigstop signull signal }; @@ -40298,7 +40746,7 @@ index be8ed1e6c..697c2cf05 100644 kernel_use_fds(iptables_t) # needed by ipvsadm -@@ -64,19 +81,24 @@ corenet_relabelto_all_packets(iptables_t) +@@ -64,19 +82,24 @@ corenet_relabelto_all_packets(iptables_t) corenet_dontaudit_rw_tun_tap_dev(iptables_t) dev_read_sysfs(iptables_t) @@ -40325,7 +40773,7 @@ index be8ed1e6c..697c2cf05 100644 auth_use_nsswitch(iptables_t) -@@ -85,15 +107,14 @@ init_use_script_ptys(iptables_t) +@@ -85,15 +108,14 @@ init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: init_rw_script_tmp_files(iptables_t) init_rw_script_stream_sockets(iptables_t) @@ -40343,7 +40791,7 @@ index be8ed1e6c..697c2cf05 100644 userdom_use_all_users_fds(iptables_t) ifdef(`hide_broken_symptoms',` -@@ -101,7 +122,14 @@ ifdef(`hide_broken_symptoms',` +@@ -101,7 +123,14 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -40358,7 +40806,7 @@ index be8ed1e6c..697c2cf05 100644 ') optional_policy(` -@@ -110,7 +138,16 @@ optional_policy(` +@@ -110,7 +139,16 @@ optional_policy(` ') optional_policy(` @@ -40375,7 +40823,7 @@ index be8ed1e6c..697c2cf05 100644 ') optional_policy(` -@@ -119,11 +156,25 @@ optional_policy(` +@@ -119,11 +157,25 @@ optional_policy(` ') optional_policy(` 
@@ -40401,7 +40849,7 @@ index be8ed1e6c..697c2cf05 100644 ') optional_policy(` -@@ -132,12 +183,13 @@ optional_policy(` +@@ -132,12 +184,13 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(iptables_t) @@ -47802,7 +48250,7 @@ index 2cea692c0..853ddefe4 100644 + files_pid_filetrans($1, net_conf_t, dir, "cloud-init") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4bc..a61ba7d4e 100644 +index a392fc4bc..4870f76fd 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -47930,7 +48378,7 @@ index a392fc4bc..a61ba7d4e 100644 fs_getattr_all_fs(dhcpc_t) fs_search_auto_mountpoints(dhcpc_t) -@@ -137,11 +158,17 @@ term_dontaudit_use_all_ptys(dhcpc_t) +@@ -137,16 +158,23 @@ term_dontaudit_use_all_ptys(dhcpc_t) term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) @@ -47949,7 +48397,13 @@ index a392fc4bc..a61ba7d4e 100644 modutils_run_insmod(dhcpc_t, dhcpc_roles) -@@ -161,7 +188,21 @@ ifdef(`distro_ubuntu',` + sysnet_run_ifconfig(dhcpc_t, dhcpc_roles) + ++userdom_stream_connect(dhcpc_t) + userdom_use_user_terminals(dhcpc_t) + userdom_dontaudit_search_user_home_dirs(dhcpc_t) + +@@ -161,7 +189,21 @@ ifdef(`distro_ubuntu',` ') optional_policy(` @@ -47972,7 +48426,7 @@ index a392fc4bc..a61ba7d4e 100644 ') optional_policy(` -@@ -179,10 +220,6 @@ optional_policy(` +@@ -179,10 +221,6 @@ optional_policy(` ') optional_policy(` @@ -47983,7 +48437,7 @@ index a392fc4bc..a61ba7d4e 100644 hotplug_getattr_config_dirs(dhcpc_t) hotplug_search_config(dhcpc_t) -@@ -195,23 +232,31 @@ optional_policy(` +@@ -195,23 +233,31 @@ optional_policy(` optional_policy(` netutils_run_ping(dhcpc_t, dhcpc_roles) netutils_run(dhcpc_t, dhcpc_roles) 
@@ -48018,7 +48472,7 @@ index a392fc4bc..a61ba7d4e 100644 ') optional_policy(` -@@ -221,7 +266,16 @@ optional_policy(` +@@ -221,7 +267,16 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) @@ -48036,7 +48490,7 @@ index a392fc4bc..a61ba7d4e 100644 ') optional_policy(` -@@ -233,6 +287,10 @@ optional_policy(` +@@ -233,6 +288,10 @@ optional_policy(` ') optional_policy(` @@ -48047,7 +48501,7 @@ index a392fc4bc..a61ba7d4e 100644 vmware_append_log(dhcpc_t) ') -@@ -264,32 +322,73 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -264,32 +323,73 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -48121,7 +48575,7 @@ index a392fc4bc..a61ba7d4e 100644 selinux_dontaudit_getattr_fs(ifconfig_t) -@@ -299,33 +398,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -299,33 +399,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -48179,7 +48633,7 @@ index a392fc4bc..a61ba7d4e 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -336,7 +453,11 @@ ifdef(`hide_broken_symptoms',` +@@ -336,7 +454,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -48192,7 +48646,7 @@ index a392fc4bc..a61ba7d4e 100644 ') optional_policy(` -@@ -350,7 +471,16 @@ optional_policy(` +@@ -350,7 +472,16 @@ optional_policy(` ') optional_policy(` @@ -48210,7 +48664,7 @@ index a392fc4bc..a61ba7d4e 100644 ') optional_policy(` -@@ -371,3 +501,17 @@ optional_policy(` +@@ -371,3 +502,17 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -57836,7 +58290,7 @@ index 9dc60c6c0..562afbe9a 100644 + ') ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index f4ac38dc7..1589d6065 100644 +index f4ac38dc7..e4733e828 100644 --- a/policy/modules/system/userdomain.te 
+++ b/policy/modules/system/userdomain.te @@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1) @@ -57986,7 +58440,7 @@ index f4ac38dc7..1589d6065 100644 +') + +allow userdomain userdomain:process signull; -+allow userdomain userdomain:fifo_file rw_inherited_fifo_file_perms; ++allow userdomain userdomain:fifo_file { map rw_inherited_fifo_file_perms }; +dontaudit unpriv_userdomain self:rawip_socket create_socket_perms; + +# Nautilus causes this avc diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index c4b24493..b4a2b26d 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -1813,7 +1813,7 @@ index 01cbb67df..94a4a2406 100644 files_list_etc($1) diff --git a/aide.te b/aide.te -index 03831e6e5..d97de5ad7 100644 +index 03831e6e5..93a15b5de 100644 --- a/aide.te +++ b/aide.te @@ -10,6 +10,7 @@ attribute_role aide_roles; @@ -1824,7 +1824,7 @@ index 03831e6e5..d97de5ad7 100644 role aide_roles types aide_t; type aide_log_t; -@@ -23,22 +24,34 @@ files_type(aide_db_t) +@@ -23,23 +24,39 @@ files_type(aide_db_t) # Local policy # @@ -1864,6 +1864,11 @@ index 03831e6e5..d97de5ad7 100644 optional_policy(` seutil_use_newrole_fds(aide_t) + ') ++ ++optional_policy(` ++ sssd_stream_connect(aide_t) ++') diff --git a/aisexec.if b/aisexec.if index a2997fa57..861cebdf9 100644 --- a/aisexec.if @@ -5626,7 +5631,7 @@ index f6eb4851f..3628a384f 100644 + allow $1 httpd_t:process { noatsecure }; ') diff --git a/apache.te b/apache.te -index 6649962b6..3db9df9f9 100644 +index 6649962b6..0a7b49bbb 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) 
@@ -6337,7 +6342,15 @@ index 6649962b6..3db9df9f9 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; -@@ -438,6 +558,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi +@@ -428,6 +548,7 @@ manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) + manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) + files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file }) + userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir) ++allow httpd_t httpd_tmp_t:file map; + + manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) + manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +@@ -438,6 +559,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) @@ -6345,7 +6358,7 @@ index 6649962b6..3db9df9f9 100644 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file }) setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -450,140 +571,179 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -450,140 +572,179 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -6589,7 +6602,7 @@ index 6649962b6..3db9df9f9 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -594,28 +754,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -594,28 +755,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') 
@@ -6649,7 +6662,7 @@ index 6649962b6..3db9df9f9 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -624,68 +806,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -624,68 +807,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -6752,7 +6765,7 @@ index 6649962b6..3db9df9f9 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -695,49 +865,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -695,49 +866,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -6833,7 +6846,7 @@ index 6649962b6..3db9df9f9 100644 ') optional_policy(` -@@ -749,24 +918,32 @@ optional_policy(` +@@ -749,24 +919,32 @@ optional_policy(` ') optional_policy(` @@ -6872,7 +6885,7 @@ index 6649962b6..3db9df9f9 100644 ') optional_policy(` -@@ -775,6 +952,10 @@ optional_policy(` +@@ -775,6 +953,10 @@ optional_policy(` tunable_policy(`httpd_dbus_avahi',` avahi_dbus_chat(httpd_t) ') @@ -6883,7 +6896,7 @@ index 6649962b6..3db9df9f9 100644 ') optional_policy(` -@@ -786,35 +967,62 @@ optional_policy(` +@@ -786,35 +968,62 @@ optional_policy(` ') optional_policy(` @@ -6959,7 +6972,7 @@ index 6649962b6..3db9df9f9 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +1030,31 @@ optional_policy(` +@@ -822,8 +1031,31 @@ optional_policy(` ') optional_policy(` @@ -6991,7 +7004,7 @@ index 6649962b6..3db9df9f9 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +1063,8 @@ optional_policy(` +@@ -832,6 +1064,8 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -7000,7 +7013,7 @@ index 6649962b6..3db9df9f9 100644 ') optional_policy(` -@@ -842,20 +1075,48 @@ optional_policy(` +@@ -842,20 +1076,48 @@ optional_policy(` ') optional_policy(` 
@@ -7055,7 +7068,7 @@ index 6649962b6..3db9df9f9 100644 ') optional_policy(` -@@ -863,16 +1124,31 @@ optional_policy(` +@@ -863,16 +1125,31 @@ optional_policy(` ') optional_policy(` @@ -7089,7 +7102,7 @@ index 6649962b6..3db9df9f9 100644 ') optional_policy(` -@@ -883,65 +1159,189 @@ optional_policy(` +@@ -883,65 +1160,189 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -7301,7 +7314,7 @@ index 6649962b6..3db9df9f9 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1350,75 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1351,75 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -7455,7 +7468,7 @@ index 6649962b6..3db9df9f9 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1435,107 @@ optional_policy(` +@@ -1083,172 +1436,107 @@ optional_policy(` ') ') @@ -7693,7 +7706,7 @@ index 6649962b6..3db9df9f9 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1543,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1544,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7791,7 +7804,7 @@ index 6649962b6..3db9df9f9 100644 ######################################## # -@@ -1321,8 +1618,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1619,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7808,7 +7821,7 @@ index 6649962b6..3db9df9f9 100644 ') ######################################## -@@ -1330,49 +1634,43 @@ optional_policy(` +@@ -1330,49 +1635,43 @@ optional_policy(` # User content local policy # @@ -7877,7 +7890,7 @@ index 6649962b6..3db9df9f9 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1680,109 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1681,109 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) 
@@ -21731,7 +21744,7 @@ index 3023be7f6..5afde8039 100644 + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") ') diff --git a/cups.te b/cups.te -index c91813ccb..774431956 100644 +index c91813ccb..0ea3e3d6a 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) @@ -22008,7 +22021,7 @@ index c91813ccb..774431956 100644 selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -244,22 +289,30 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -244,23 +289,31 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) @@ -22033,17 +22046,18 @@ index c91813ccb..774431956 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_t) +userdom_dontaudit_search_user_home_dirs(cupsd_t) - userdom_dontaudit_search_user_home_content(cupsd_t) -+userdom_dontaudit_use_unpriv_user_fds(cupsd_t) +userdom_dontaudit_search_user_home_content(cupsd_t) -+ ++userdom_dontaudit_use_unpriv_user_fds(cupsd_t) + userdom_dontaudit_search_user_home_content(cupsd_t) + +tunable_policy(`cups_execmem',` + allow cupsd_t self:process { execmem execstack }; +') + - ++ optional_policy(` apm_domtrans_client(cupsd_t) + ') @@ -272,6 +325,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -22187,7 +22201,7 @@ index c91813ccb..774431956 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -417,11 +476,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -417,17 +476,16 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) 
@@ -22199,7 +22213,17 @@ index c91813ccb..774431956 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -449,9 +503,12 @@ optional_policy(` + userdom_read_user_tmp_symlinks(cupsd_config_t) + userdom_rw_user_tmp_files(cupsd_config_t) + ++tunable_policy(`cups_execmem',` ++ allow cupsd_config_t self:process { execmem execstack }; ++') ++ + optional_policy(` + term_use_generic_ptys(cupsd_config_t) + ') +@@ -449,9 +507,12 @@ optional_policy(` ') optional_policy(` @@ -22213,7 +22237,7 @@ index c91813ccb..774431956 100644 ') optional_policy(` -@@ -467,6 +524,10 @@ optional_policy(` +@@ -467,6 +528,10 @@ optional_policy(` ') optional_policy(` @@ -22224,7 +22248,7 @@ index c91813ccb..774431956 100644 rpm_read_db(cupsd_config_t) ') -@@ -487,10 +548,6 @@ optional_policy(` +@@ -487,10 +552,6 @@ optional_policy(` # Lpd local policy # @@ -22235,7 +22259,7 @@ index c91813ccb..774431956 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -508,15 +565,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -508,15 +569,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -22253,7 +22277,7 @@ index c91813ccb..774431956 100644 corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) corenet_sendrecv_printer_server_packets(cupsd_lpd_t) -@@ -537,9 +594,6 @@ auth_use_nsswitch(cupsd_lpd_t) +@@ -537,9 +598,6 @@ auth_use_nsswitch(cupsd_lpd_t) logging_send_syslog_msg(cupsd_lpd_t) @@ -22263,7 +22287,7 @@ index c91813ccb..774431956 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -549,9 +603,9 @@ optional_policy(` +@@ -549,9 +607,9 @@ optional_policy(` # Pdf local policy # 
@@ -22275,7 +22299,7 @@ index c91813ccb..774431956 100644 append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) create_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -566,148 +620,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -566,148 +624,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -22304,13 +22328,11 @@ index c91813ccb..774431956 100644 - fs_manage_cifs_dirs(cups_pdf_t) - fs_manage_cifs_files(cups_pdf_t) -') -+userdom_home_manager(cups_pdf_t) - - optional_policy(` +- +-optional_policy(` - lpd_manage_spool(cups_pdf_t) -+ gnome_read_config(cups_pdf_t) - ') - +-') +- -######################################## -# -# HPLIP local policy @@ -22412,11 +22434,13 @@ index c91813ccb..774431956 100644 - lpd_read_config(hplip_t) - lpd_manage_spool(hplip_t) -') -- --optional_policy(` ++userdom_home_manager(cups_pdf_t) + + optional_policy(` - seutil_sigchld_newrole(hplip_t) --') -- ++ gnome_read_config(cups_pdf_t) + ') + -optional_policy(` - snmp_read_snmp_var_lib_files(hplip_t) -') @@ -22427,7 +22451,7 @@ index c91813ccb..774431956 100644 ######################################## # -@@ -735,7 +664,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -735,7 +668,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -22435,7 +22459,7 @@ index c91813ccb..774431956 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -745,13 +673,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -745,13 +677,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -22449,7 +22473,7 @@ index c91813ccb..774431956 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -759,8 +685,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -759,8 +689,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) 
@@ -22458,7 +22482,7 @@ index c91813ccb..774431956 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -773,3 +697,4 @@ optional_policy(` +@@ -773,3 +701,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') @@ -25467,7 +25491,7 @@ index c697edbcd..954c090bd 100644 + allow $1 dhcpd_unit_file_t:service all_service_perms; ') diff --git a/dhcp.te b/dhcp.te -index 98a24b989..9ded26309 100644 +index 98a24b989..c9162e646 100644 --- a/dhcp.te +++ b/dhcp.te @@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t) @@ -25485,7 +25509,7 @@ index 98a24b989..9ded26309 100644 # -allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource }; -+allow dhcpd_t self:capability { chown dac_read_search fowner sys_chroot net_raw kill setgid setuid setpcap sys_resource }; ++allow dhcpd_t self:capability { chown dac_read_search dac_override fowner sys_chroot net_raw kill setgid setuid setpcap sys_resource }; dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; allow dhcpd_t self:process { getcap setcap signal_perms }; allow dhcpd_t self:fifo_file rw_fifo_file_perms; @@ -32113,10 +32137,10 @@ index 000000000..d9ba5fa27 +') diff --git a/ganesha.te b/ganesha.te new file mode 100644 -index 000000000..0fdeecfd6 +index 000000000..f25a3f34d --- /dev/null +++ b/ganesha.te -@@ -0,0 +1,110 @@ +@@ -0,0 +1,111 @@ +policy_module(ganesha, 1.0.0) + +######################################## @@ -32153,6 +32177,7 @@ index 000000000..0fdeecfd6 +# +dontaudit ganesha_t self:capability net_admin; + ++allow ganesha_t self:capability { dac_read_search dac_override }; +allow ganesha_t self:capability2 block_suspend; +allow ganesha_t self:process { setcap setrlimit }; +allow ganesha_t self:fifo_file rw_fifo_file_perms; @@ -44078,7 +44103,7 @@ index 4fe75fd63..3504a9bf7 100644 +/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) 
diff --git a/kerberos.if b/kerberos.if -index f6c00d8e6..79ea4d8d2 100644 +index f6c00d8e6..1233a5ba2 100644 --- a/kerberos.if +++ b/kerberos.if @@ -1,27 +1,29 @@ @@ -44217,7 +44242,16 @@ index f6c00d8e6..79ea4d8d2 100644 pcscd_stream_connect($1) ') ') -@@ -119,7 +119,7 @@ interface(`kerberos_use',` +@@ -115,11 +115,16 @@ interface(`kerberos_use',` + optional_policy(` + sssd_read_public_files($1) + ') ++ ++ # Allow to use kerberos KCM daemon (sssd-kcm) ++ optional_policy(` ++ sssd_run_stream_connect($1) ++ ') + ') ######################################## ## @@ -44226,7 +44260,7 @@ index f6c00d8e6..79ea4d8d2 100644 ## ## ## -@@ -135,15 +135,13 @@ interface(`kerberos_read_config',` +@@ -135,15 +140,13 @@ interface(`kerberos_read_config',` files_search_etc($1) allow $1 krb5_conf_t:file read_file_perms; @@ -44244,7 +44278,7 @@ index f6c00d8e6..79ea4d8d2 100644 ## ## ## -@@ -156,13 +154,12 @@ interface(`kerberos_dontaudit_write_config',` +@@ -156,13 +159,12 @@ interface(`kerberos_dontaudit_write_config',` type krb5_conf_t; ') @@ -44260,7 +44294,7 @@ index f6c00d8e6..79ea4d8d2 100644 ## ## ## -@@ -182,27 +179,27 @@ interface(`kerberos_rw_config',` +@@ -182,27 +184,27 @@ interface(`kerberos_rw_config',` ######################################## ## @@ -44295,7 +44329,7 @@ index f6c00d8e6..79ea4d8d2 100644 ## ## ## -@@ -210,220 +207,252 @@ interface(`kerberos_manage_krb5_home_files',` +@@ -210,220 +212,252 @@ interface(`kerberos_manage_krb5_home_files',` ## ## # @@ -44638,7 +44672,7 @@ index f6c00d8e6..79ea4d8d2 100644 ## ## ## -@@ -432,17 +461,18 @@ interface(`kerberos_manage_host_rcache',` +@@ -432,17 +466,18 @@ interface(`kerberos_manage_host_rcache',` ## ## # @@ -44661,7 +44695,7 @@ index f6c00d8e6..79ea4d8d2 100644 ## ## ## -@@ -450,82 +480,109 @@ interface(`kerberos_tmp_filetrans_host_rcache',` +@@ -450,82 +485,109 @@ interface(`kerberos_tmp_filetrans_host_rcache',` ## ## # 
@@ -46992,7 +47026,7 @@ index 3602712d0..af83a5b6b 100644 + allow $1 slapd_unit_file_t:service all_service_perms; ') diff --git a/ldap.te b/ldap.te -index 4c2b1110e..4baf7a041 100644 +index 4c2b1110e..a9444566a 100644 --- a/ldap.te +++ b/ldap.te @@ -21,6 +21,9 @@ files_config_file(slapd_etc_t) @@ -47037,7 +47071,17 @@ index 4c2b1110e..4baf7a041 100644 logging_log_filetrans(slapd_t, slapd_log_t, { file dir }) manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t) -@@ -93,7 +96,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) +@@ -80,7 +83,8 @@ manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) + + manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) + manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) +-files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir }) ++manage_lnk_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) ++files_tmp_filetrans(slapd_t, slapd_tmp_t, { file lnk_file dir }) + + manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t) + fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file) +@@ -93,7 +97,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) kernel_read_system_state(slapd_t) kernel_read_kernel_sysctls(slapd_t) @@ -47045,7 +47089,7 @@ index 4c2b1110e..4baf7a041 100644 corenet_all_recvfrom_netlabel(slapd_t) corenet_tcp_sendrecv_generic_if(slapd_t) corenet_tcp_sendrecv_generic_node(slapd_t) -@@ -115,25 +117,26 @@ fs_getattr_all_fs(slapd_t) +@@ -115,25 +118,26 @@ fs_getattr_all_fs(slapd_t) fs_search_auto_mountpoints(slapd_t) files_read_etc_runtime_files(slapd_t) @@ -47735,7 +47779,7 @@ index dff21a7c4..b6981c846 100644 init_labeled_script_domtrans($1, lircd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/lircd.te b/lircd.te -index 483c87bb6..5c41c7557 100644 +index 483c87bb6..1bfb75c34 100644 --- a/lircd.te +++ b/lircd.te @@ -13,7 +13,7 @@ type lircd_initrc_exec_t; 
@@ -47760,15 +47804,16 @@ index 483c87bb6..5c41c7557 100644 read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) -@@ -39,6 +40,7 @@ dev_filetrans(lircd_t, lircd_var_run_t, sock_file) +@@ -39,6 +40,8 @@ dev_filetrans(lircd_t, lircd_var_run_t, sock_file) kernel_request_load_module(lircd_t) ++corecmd_exec_shell(lircd_t) + corenet_all_recvfrom_unlabeled(lircd_t) corenet_all_recvfrom_netlabel(lircd_t) corenet_tcp_sendrecv_generic_if(lircd_t) -@@ -56,7 +58,7 @@ dev_read_mouse(lircd_t) +@@ -56,7 +59,7 @@ dev_read_mouse(lircd_t) dev_filetrans_lirc(lircd_t) dev_rw_lirc(lircd_t) dev_rw_input_dev(lircd_t) @@ -47777,7 +47822,7 @@ index 483c87bb6..5c41c7557 100644 files_read_config_files(lircd_t) files_list_var(lircd_t) -@@ -64,9 +66,11 @@ files_manage_generic_locks(lircd_t) +@@ -64,9 +67,11 @@ files_manage_generic_locks(lircd_t) files_read_all_locks(lircd_t) term_use_ptmx(lircd_t) @@ -56955,7 +57000,7 @@ index ed81cac5a..cd52baf59 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index ff1d68c6a..28ff27c22 100644 +index ff1d68c6a..ee540eafd 100644 --- a/mta.te +++ b/mta.te @@ -14,8 +14,6 @@ attribute mailserver_sender; @@ -57103,14 +57148,14 @@ index ff1d68c6a..28ff27c22 100644 init_use_script_ptys(system_mail_t) +init_dontaudit_rw_stream_socket(system_mail_t) -+ + +-userdom_use_user_terminals(system_mail_t) +userdom_use_inherited_user_terminals(system_mail_t) +userdom_dontaudit_list_user_home_dirs(system_mail_t) +userdom_dontaudit_list_admin_dir(system_mail_t) +userdom_dontaudit_list_user_tmp(system_mail_t) +userdom_dontaudit_read_inherited_admin_home_files(system_mail_t) - --userdom_use_user_terminals(system_mail_t) ++ +manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) +manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) + 
@@ -57177,13 +57222,17 @@ index ff1d68c6a..28ff27c22 100644 courier_stream_connect_authdaemon(system_mail_t) ') -@@ -244,9 +270,10 @@ optional_policy(` +@@ -244,9 +270,14 @@ optional_policy(` ') optional_policy(` - fail2ban_dontaudit_rw_stream_sockets(system_mail_t) - fail2ban_append_log(system_mail_t) - fail2ban_rw_inherited_tmp_files(system_mail_t) ++ dbus_system_bus_client(system_mail_t) ++') ++ ++optional_policy(` + fail2ban_append_log(user_mail_domain) + fail2ban_dontaudit_leaks(user_mail_domain) + fail2ban_rw_inherited_tmp_files(mta_user_agent) @@ -57191,7 +57240,7 @@ index ff1d68c6a..28ff27c22 100644 ') optional_policy(` -@@ -258,10 +285,17 @@ optional_policy(` +@@ -258,10 +289,17 @@ optional_policy(` ') optional_policy(` @@ -57209,7 +57258,7 @@ index ff1d68c6a..28ff27c22 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -272,6 +306,19 @@ optional_policy(` +@@ -272,6 +310,19 @@ optional_policy(` manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) @@ -57229,7 +57278,7 @@ index ff1d68c6a..28ff27c22 100644 ') optional_policy(` -@@ -279,6 +326,10 @@ optional_policy(` +@@ -279,6 +330,10 @@ optional_policy(` ') optional_policy(` @@ -57240,7 +57289,7 @@ index ff1d68c6a..28ff27c22 100644 userdom_dontaudit_use_user_ptys(system_mail_t) optional_policy(` -@@ -287,42 +338,36 @@ optional_policy(` +@@ -287,42 +342,36 @@ optional_policy(` ') optional_policy(` 
@@ -57293,7 +57342,7 @@ index ff1d68c6a..28ff27c22 100644 allow mailserver_delivery mail_spool_t:dir list_dir_perms; create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -@@ -331,44 +376,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -331,44 +380,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -57363,7 +57412,7 @@ index ff1d68c6a..28ff27c22 100644 ') optional_policy(` -@@ -381,24 +430,49 @@ optional_policy(` +@@ -381,24 +434,49 @@ optional_policy(` ######################################## # @@ -63626,7 +63675,7 @@ index a9c60ff87..ad4f14ad6 100644 + refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/nsd.te b/nsd.te -index 47bb1d204..56874943b 100644 +index 47bb1d204..bd2b122ae 100644 --- a/nsd.te +++ b/nsd.te @@ -9,9 +9,7 @@ type nsd_t; @@ -63640,7 +63689,7 @@ index 47bb1d204..56874943b 100644 type nsd_conf_t; files_type(nsd_conf_t) -@@ -20,41 +18,50 @@ domain_type(nsd_crond_t) +@@ -20,40 +18,51 @@ domain_type(nsd_crond_t) domain_entry_file(nsd_crond_t, nsd_exec_t) role system_r types nsd_crond_t; @@ -63695,15 +63744,16 @@ index 47bb1d204..56874943b 100644 manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t) manage_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t) files_var_lib_filetrans(nsd_t, nsd_zone_t, dir) - ++allow nsd_t nsd_zone_t:file { map } ; ++ +manage_dirs_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t) +manage_files_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t) +files_tmp_filetrans(nsd_t, nsd_tmp_t, { file dir }) -+ ++allow nsd_t nsd_tmp_t:file { map } ; + can_exec(nsd_t, nsd_exec_t) - kernel_read_system_state(nsd_t) -@@ -62,7 +69,6 @@ kernel_read_kernel_sysctls(nsd_t) +@@ -62,7 +71,6 @@ kernel_read_kernel_sysctls(nsd_t) corecmd_exec_bin(nsd_t) 
@@ -63711,7 +63761,7 @@ index 47bb1d204..56874943b 100644 corenet_all_recvfrom_netlabel(nsd_t) corenet_tcp_sendrecv_generic_if(nsd_t) corenet_udp_sendrecv_generic_if(nsd_t) -@@ -72,16 +78,20 @@ corenet_tcp_sendrecv_all_ports(nsd_t) +@@ -72,16 +80,20 @@ corenet_tcp_sendrecv_all_ports(nsd_t) corenet_udp_sendrecv_all_ports(nsd_t) corenet_tcp_bind_generic_node(nsd_t) corenet_udp_bind_generic_node(nsd_t) @@ -63734,7 +63784,7 @@ index 47bb1d204..56874943b 100644 fs_getattr_all_fs(nsd_t) fs_search_auto_mountpoints(nsd_t) -@@ -90,8 +100,6 @@ auth_use_nsswitch(nsd_t) +@@ -90,8 +102,6 @@ auth_use_nsswitch(nsd_t) logging_send_syslog_msg(nsd_t) @@ -63743,7 +63793,7 @@ index 47bb1d204..56874943b 100644 userdom_dontaudit_use_unpriv_user_fds(nsd_t) userdom_dontaudit_search_user_home_dirs(nsd_t) -@@ -105,23 +113,24 @@ optional_policy(` +@@ -105,23 +115,24 @@ optional_policy(` ######################################## # @@ -63777,7 +63827,7 @@ index 47bb1d204..56874943b 100644 manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t) filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file) -@@ -133,29 +142,33 @@ kernel_read_system_state(nsd_crond_t) +@@ -133,29 +144,33 @@ kernel_read_system_state(nsd_crond_t) corecmd_exec_bin(nsd_crond_t) corecmd_exec_shell(nsd_crond_t) @@ -71346,10 +71396,10 @@ index 000000000..abb250dba +') diff --git a/pcp.te b/pcp.te new file mode 100644 -index 000000000..140ec0d3a +index 000000000..89e89b240 --- /dev/null +++ b/pcp.te -@@ -0,0 +1,313 @@ +@@ -0,0 +1,315 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -71656,6 +71706,8 @@ index 000000000..140ec0d3a +init_read_utmp(pcp_pmlogger_t) +init_status(pcp_pmlogger_t) + ++logging_send_syslog_msg(pcp_pmlogger_t) ++ +systemd_exec_systemctl(pcp_pmlogger_t) +systemd_getattr_unit_files(pcp_pmlogger_t) + @@ -88679,7 +88731,7 @@ index 16c8ecbe3..4e021eca7 100644 + ') ') diff --git a/redis.te b/redis.te -index 25cd4175f..84c02e325 100644 +index 25cd4175f..cf565276c 100644 
--- a/redis.te +++ b/redis.te @@ -12,6 +12,9 @@ init_daemon_domain(redis_t, redis_exec_t) @@ -88692,17 +88744,20 @@ index 25cd4175f..84c02e325 100644 type redis_log_t; logging_log_file(redis_log_t) -@@ -21,6 +24,9 @@ files_type(redis_var_lib_t) +@@ -21,6 +24,12 @@ files_type(redis_var_lib_t) type redis_var_run_t; files_pid_file(redis_var_run_t) ++type redis_tmp_t; ++files_tmp_file(redis_tmp_t) ++ +type redis_unit_file_t; +systemd_unit_file(redis_unit_file_t) + ######################################## # # Local policy -@@ -31,6 +37,8 @@ allow redis_t self:fifo_file rw_fifo_file_perms; +@@ -31,6 +40,8 @@ allow redis_t self:fifo_file rw_fifo_file_perms; allow redis_t self:unix_stream_socket create_stream_socket_perms; allow redis_t self:tcp_socket create_stream_socket_perms; @@ -88711,11 +88766,16 @@ index 25cd4175f..84c02e325 100644 manage_dirs_pattern(redis_t, redis_log_t, redis_log_t) manage_files_pattern(redis_t, redis_log_t, redis_log_t) manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t) -@@ -42,24 +50,27 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) +@@ -42,24 +53,32 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t) manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) +manage_sock_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) ++ ++ ++manage_dirs_pattern(redis_t, redis_tmp_t, redis_tmp_t) ++manage_files_pattern(redis_t, redis_tmp_t, redis_tmp_t) ++files_tmp_filetrans(redis_t, redis_tmp_t, { dir file }) kernel_read_system_state(redis_t) +kernel_read_net_sysctls(redis_t) @@ -89543,7 +89603,7 @@ index 47de2d681..6baf5cdae 100644 +/var/log/pacemaker\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0) 
diff --git a/rhcs.if b/rhcs.if -index c8bdea28d..beb2872e3 100644 +index c8bdea28d..96da15f8a 100644 --- a/rhcs.if +++ b/rhcs.if @@ -1,19 +1,19 @@ @@ -89872,8 +89932,10 @@ index c8bdea28d..beb2872e3 100644 + manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) +') + -+######################################## -+## + ######################################## + ## +-## Read and write all cluster domains +-## shared memory. +## Read and write to group shared memory. +## +## @@ -89893,10 +89955,8 @@ index c8bdea28d..beb2872e3 100644 + manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) +') + - ######################################## - ## --## Read and write all cluster domains --## shared memory. ++######################################## ++## +## Read and write to group shared memory. ## ## @@ -89994,7 +90054,7 @@ index c8bdea28d..beb2872e3 100644 ') ###################################### -@@ -446,52 +577,404 @@ interface(`rhcs_domtrans_qdiskd',` +@@ -446,52 +577,423 @@ interface(`rhcs_domtrans_qdiskd',` ######################################## ## @@ -90032,10 +90092,16 @@ index c8bdea28d..beb2872e3 100644 # -interface(`rhcs_admin',` +interface(`rhcs_read_cluster_lib_files',` -+ gen_require(` + gen_require(` +- attribute cluster_domain, cluster_pid, cluster_tmpfs; +- attribute cluster_log; +- type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t; +- type fenced_tmp_t, qdiskd_var_lib_t; + type cluster_var_lib_t; -+ ') -+ + ') + +- allow $1 cluster_domain:process { ptrace signal_perms }; +- ps_process_pattern($1, cluster_domain) + files_search_var_lib($1) + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') 
@@ -90054,11 +90120,17 @@ index c8bdea28d..beb2872e3 100644 + gen_require(` + type cluster_var_lib_t; + ') -+ + +- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) +- domain_system_change_exemption($1) +- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; +- allow $2 system_r; + files_search_var_lib($1) + manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -+ + +- files_search_pids($1) +- admin_pattern($1, cluster_pid) +#################################### +## +## Allow domain to relabel cluster lib files @@ -90078,7 +90150,9 @@ index c8bdea28d..beb2872e3 100644 + relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) + relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -+ + +- files_search_locks($1) +- admin_pattern($1, fenced_lock_t) +###################################### +## +## Execute a domain transition to run cluster administrative domain. @@ -90093,11 +90167,15 @@ index c8bdea28d..beb2872e3 100644 + gen_require(` + type cluster_t, cluster_exec_t; + ') -+ + +- files_search_tmp($1) +- admin_pattern($1, fenced_tmp_t) + corecmd_search_bin($1) + domtrans_pattern($1, cluster_exec_t, cluster_t) +') -+ + +- files_search_var_lib($1) +- admin_pattern($1, qdiskd_var_lib_t) +####################################### +## +## Execute cluster init scripts in @@ -90113,7 +90191,9 @@ index c8bdea28d..beb2872e3 100644 + gen_require(` + type cluster_initrc_exec_t; + ') -+ + +- fs_search_tmpfs($1) +- admin_pattern($1, cluster_tmpfs) + init_labeled_script_domtrans($1, cluster_initrc_exec_t) +') + 
@@ -90324,31 +90404,17 @@ index c8bdea28d..beb2872e3 100644 +## +# +interface(`rhcs_dbus_chat_cluster',` - gen_require(` -- attribute cluster_domain, cluster_pid, cluster_tmpfs; -- attribute cluster_log; -- type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t; -- type fenced_tmp_t, qdiskd_var_lib_t; ++ gen_require(` + type cluster_t; + class dbus send_msg; - ') - -- allow $1 cluster_domain:process { ptrace signal_perms }; -- ps_process_pattern($1, cluster_domain) ++ ') ++ + allow $1 cluster_t:dbus send_msg; + allow cluster_t $1:dbus send_msg; +') - -- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) -- domain_system_change_exemption($1) -- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; -- allow $2 system_r; - -- files_search_pids($1) -- admin_pattern($1, cluster_pid) - -- files_search_locks($1) -- admin_pattern($1, fenced_lock_t) ++ ++ ++ +##################################### +## +## All of the rules required to administrate @@ -90372,20 +90438,14 @@ index c8bdea28d..beb2872e3 100644 + type cluster_tmpfs_t, cluster_var_log_t, cluster_var_run_t; + type cluster_unit_file_t; + ') - -- files_search_tmp($1) -- admin_pattern($1, fenced_tmp_t) ++ + allow $1 cluster_t:process signal_perms; + ps_process_pattern($1, cluster_t) - -- files_search_var_lib($1) -- admin_pattern($1, qdiskd_var_lib_t) ++ + tunable_policy(`deny_ptrace',`',` + allow $1 cluster_t:process ptrace; + ') - -- fs_search_tmpfs($1) -- admin_pattern($1, cluster_tmpfs) ++ + init_labeled_script_domtrans($1, cluster_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 cluster_initrc_exec_t system_r; 
@@ -90421,14 +90481,33 @@ index c8bdea28d..beb2872e3 100644 + gen_require(` + type haproxy_unit_file_t; + ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 haproxy_unit_file_t:service {status start}; ++') ++ ++######################################## ++## ++## Create log files with a named file ++## type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_named_filetrans_log_dir',` ++ gen_require(` ++ type var_log_t; ++ ') - logging_search_logs($1) - admin_pattern($1, cluster_log) -+ systemd_exec_systemctl($1) -+ allow $1 haproxy_unit_file_t:service {status start}; ++ logging_log_named_filetrans($1, var_log_t, dir, "bundles") ') diff --git a/rhcs.te b/rhcs.te -index 6cf79c449..7b0fd415b 100644 +index 6cf79c449..5c0bfd05d 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) @@ -90467,7 +90546,7 @@ index 6cf79c449..7b0fd415b 100644 attribute cluster_domain; attribute cluster_log; attribute cluster_pid; -@@ -44,34 +73,291 @@ type foghorn_initrc_exec_t; +@@ -44,34 +73,295 @@ type foghorn_initrc_exec_t; init_script_file(foghorn_initrc_exec_t) rhcs_domain_template(gfs_controld) @@ -90722,6 +90801,10 @@ index 6cf79c449..7b0fd415b 100644 +') + +optional_policy(` ++ rhcs_named_filetrans_log_dir(cluster_t) ++') ++ ++optional_policy(` + rpc_systemctl_nfsd(cluster_t) + rpc_systemctl_rpcd(cluster_t) + @@ -90763,7 +90846,7 @@ index 6cf79c449..7b0fd415b 100644 ') ##################################### -@@ -79,13 +365,14 @@ optional_policy(` +@@ -79,13 +369,14 @@ optional_policy(` # dlm_controld local policy # @@ -90780,7 +90863,7 @@ index 6cf79c449..7b0fd415b 100644 kernel_rw_net_sysctls(dlm_controld_t) corecmd_exec_bin(dlm_controld_t) -@@ -98,16 +385,30 @@ fs_manage_configfs_dirs(dlm_controld_t) +@@ -98,16 +389,30 @@ fs_manage_configfs_dirs(dlm_controld_t) init_rw_script_tmp_files(dlm_controld_t) 
@@ -90814,7 +90897,7 @@ index 6cf79c449..7b0fd415b 100644 manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) files_lock_filetrans(fenced_t, fenced_lock_t, file) -@@ -118,9 +419,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) +@@ -118,9 +423,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) @@ -90826,7 +90909,7 @@ index 6cf79c449..7b0fd415b 100644 corecmd_exec_bin(fenced_t) corecmd_exec_shell(fenced_t) -@@ -140,6 +440,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t) +@@ -140,6 +444,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t) corenet_sendrecv_zented_server_packets(fenced_t) corenet_tcp_bind_zented_port(fenced_t) @@ -90835,7 +90918,7 @@ index 6cf79c449..7b0fd415b 100644 corenet_tcp_sendrecv_zented_port(fenced_t) corenet_sendrecv_http_client_packets(fenced_t) -@@ -148,9 +450,8 @@ corenet_tcp_sendrecv_http_port(fenced_t) +@@ -148,9 +454,8 @@ corenet_tcp_sendrecv_http_port(fenced_t) dev_read_sysfs(fenced_t) dev_read_urand(fenced_t) @@ -90847,7 +90930,7 @@ index 6cf79c449..7b0fd415b 100644 storage_raw_read_fixed_disk(fenced_t) storage_raw_write_fixed_disk(fenced_t) -@@ -160,7 +461,7 @@ term_getattr_pty_fs(fenced_t) +@@ -160,7 +465,7 @@ term_getattr_pty_fs(fenced_t) term_use_generic_ptys(fenced_t) term_use_ptmx(fenced_t) @@ -90856,7 +90939,7 @@ index 6cf79c449..7b0fd415b 100644 tunable_policy(`fenced_can_network_connect',` corenet_sendrecv_all_client_packets(fenced_t) -@@ -182,7 +483,8 @@ optional_policy(` +@@ -182,7 +487,8 @@ optional_policy(` ') optional_policy(` @@ -90866,7 +90949,7 @@ index 6cf79c449..7b0fd415b 100644 ') optional_policy(` -@@ -190,12 +492,17 @@ optional_policy(` +@@ -190,12 +496,17 @@ optional_policy(` ') optional_policy(` 
@@ -90885,7 +90968,7 @@ index 6cf79c449..7b0fd415b 100644 ') optional_policy(` -@@ -203,6 +510,21 @@ optional_policy(` +@@ -203,6 +514,21 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') @@ -90907,7 +90990,7 @@ index 6cf79c449..7b0fd415b 100644 ####################################### # # foghorn local policy -@@ -221,16 +543,22 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) +@@ -221,16 +547,22 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) corenet_tcp_connect_agentx_port(foghorn_t) corenet_tcp_sendrecv_agentx_port(foghorn_t) @@ -90932,7 +91015,7 @@ index 6cf79c449..7b0fd415b 100644 snmp_stream_connect(foghorn_t) ') -@@ -247,16 +575,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_ +@@ -247,16 +579,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_ stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) @@ -90954,7 +91037,7 @@ index 6cf79c449..7b0fd415b 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +607,59 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +611,59 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -91016,7 +91099,7 @@ index 6cf79c449..7b0fd415b 100644 ###################################### # # qdiskd local policy -@@ -292,7 +673,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) +@@ -292,7 +677,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file }) 
@@ -91024,7 +91107,7 @@ index 6cf79c449..7b0fd415b 100644 kernel_read_software_raid_state(qdiskd_t) kernel_getattr_core_if(qdiskd_t) -@@ -321,6 +701,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +705,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -96921,7 +97004,7 @@ index b8b66ff4d..a93346efe 100644 +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') diff --git a/samba.if b/samba.if -index 50d07fb2e..a34db489c 100644 +index 50d07fb2e..e1474fde7 100644 --- a/samba.if +++ b/samba.if @@ -1,8 +1,12 @@ @@ -97282,13 +97365,14 @@ index 50d07fb2e..a34db489c 100644 ## ## ## -@@ -400,14 +515,15 @@ interface(`samba_rw_var_files',` +@@ -400,14 +515,16 @@ interface(`samba_rw_var_files',` type samba_var_t; ') + files_search_var($1) files_search_var_lib($1) rw_files_pattern($1, samba_var_t, samba_var_t) ++ allow $1 samba_var_t:file { map}; ') ######################################## @@ -97300,7 +97384,7 @@ index 50d07fb2e..a34db489c 100644 ## ## ## -@@ -421,33 +537,55 @@ interface(`samba_manage_var_files',` +@@ -421,33 +538,55 @@ interface(`samba_manage_var_files',` ') files_search_var_lib($1) @@ -97363,7 +97447,7 @@ index 50d07fb2e..a34db489c 100644 ## ## ## -@@ -462,16 +600,16 @@ interface(`samba_domtrans_smbcontrol',` +@@ -462,16 +601,16 @@ interface(`samba_domtrans_smbcontrol',` # interface(`samba_run_smbcontrol',` gen_require(` @@ -97383,7 +97467,7 @@ index 50d07fb2e..a34db489c 100644 ## ## ## -@@ -488,9 +626,27 @@ interface(`samba_domtrans_smbd',` +@@ -488,9 +627,27 @@ interface(`samba_domtrans_smbd',` domtrans_pattern($1, smbd_exec_t, smbd_t) ') @@ -97412,7 +97496,7 @@ index 50d07fb2e..a34db489c 100644 ## ## ## -@@ -505,10 +661,26 @@ interface(`samba_signal_smbd',` +@@ -505,10 +662,26 @@ interface(`samba_signal_smbd',` allow $1 smbd_t:process signal; ') 
@@ -97441,7 +97525,7 @@ index 50d07fb2e..a34db489c 100644 ## ## ## -@@ -526,7 +698,7 @@ interface(`samba_dontaudit_use_fds',` +@@ -526,7 +699,7 @@ interface(`samba_dontaudit_use_fds',` ######################################## ## @@ -97450,7 +97534,7 @@ index 50d07fb2e..a34db489c 100644 ## ## ## -@@ -544,7 +716,7 @@ interface(`samba_write_smbmount_tcp_sockets',` +@@ -544,7 +717,7 @@ interface(`samba_write_smbmount_tcp_sockets',` ######################################## ## @@ -97459,7 +97543,7 @@ index 50d07fb2e..a34db489c 100644 ## ## ## -@@ -560,49 +732,47 @@ interface(`samba_rw_smbmount_tcp_sockets',` +@@ -560,49 +733,47 @@ interface(`samba_rw_smbmount_tcp_sockets',` allow $1 smbmount_t:tcp_socket { read write }; ') @@ -97528,7 +97612,7 @@ index 50d07fb2e..a34db489c 100644 ## ## ## -@@ -618,16 +788,16 @@ interface(`samba_getattr_winbind_exec',` +@@ -618,16 +789,16 @@ interface(`samba_getattr_winbind_exec',` # interface(`samba_run_winbind_helper',` gen_require(` @@ -97548,7 +97632,7 @@ index 50d07fb2e..a34db489c 100644 ## ## ## -@@ -637,17 +807,71 @@ interface(`samba_run_winbind_helper',` +@@ -637,17 +808,71 @@ interface(`samba_run_winbind_helper',` # interface(`samba_read_winbind_pid',` gen_require(` @@ -97624,7 +97708,7 @@ index 50d07fb2e..a34db489c 100644 ## ## ## -@@ -657,17 +881,61 @@ interface(`samba_read_winbind_pid',` +@@ -657,17 +882,61 @@ interface(`samba_read_winbind_pid',` # interface(`samba_stream_connect_winbind',` gen_require(` @@ -97649,12 +97733,10 @@ index 50d07fb2e..a34db489c 100644 + files_search_tmp($1) + stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t) + ') - ') - - ######################################## - ## --## All of the rules required to --## administrate an samba environment. ++') ++ ++######################################## ++## +## Create a set of derived types for apache +## web content. +## 
@@ -97682,16 +97764,18 @@ index 50d07fb2e..a34db489c 100644 + + domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t) + allow smbd_t samba_$1_script_exec_t:file ioctl; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an samba environment. +## All of the rules required to administrate +## an samba environment ## ## ## -@@ -676,7 +944,7 @@ interface(`samba_stream_connect_winbind',` +@@ -676,7 +945,7 @@ interface(`samba_stream_connect_winbind',` ## ## ## @@ -97700,7 +97784,7 @@ index 50d07fb2e..a34db489c 100644 ## ## ## -@@ -689,11 +957,30 @@ interface(`samba_admin',` +@@ -689,11 +958,30 @@ interface(`samba_admin',` type samba_etc_t, samba_share_t, samba_initrc_exec_t; type swat_var_run_t, swat_tmp_t, winbind_log_t; type winbind_var_run_t, winbind_tmp_t; @@ -97734,7 +97818,7 @@ index 50d07fb2e..a34db489c 100644 init_labeled_script_domtrans($1, samba_initrc_exec_t) domain_system_change_exemption($1) -@@ -703,23 +990,34 @@ interface(`samba_admin',` +@@ -703,23 +991,34 @@ interface(`samba_admin',` files_list_etc($1) admin_pattern($1, { samba_etc_t smbd_keytab_t }) @@ -97781,7 +97865,7 @@ index 50d07fb2e..a34db489c 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441e7..7443a9ded 100644 +index 2b7c441e7..0f95635dd 100644 --- a/samba.te +++ b/samba.te @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3) 
@@ -98021,12 +98105,13 @@ index 2b7c441e7..7443a9ded 100644 allow samba_net_t samba_etc_t:file read_file_perms; -@@ -208,19 +206,25 @@ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir }) +@@ -208,19 +206,26 @@ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir }) manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t) manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) +manage_sock_files_pattern(samba_net_t, samba_var_t, samba_var_t) files_var_filetrans(samba_net_t, samba_var_t, dir, "samba") ++allow samba_net_t samba_var_t:file { map } ; +kernel_read_proc_symlinks(samba_net_t) kernel_read_system_state(samba_net_t) @@ -98051,7 +98136,7 @@ index 2b7c441e7..7443a9ded 100644 dev_read_urand(samba_net_t) -@@ -233,15 +237,22 @@ auth_manage_cache(samba_net_t) +@@ -233,15 +238,22 @@ auth_manage_cache(samba_net_t) logging_send_syslog_msg(samba_net_t) @@ -98078,7 +98163,7 @@ index 2b7c441e7..7443a9ded 100644 ') optional_policy(` -@@ -249,46 +260,59 @@ optional_policy(` +@@ -249,46 +261,59 @@ optional_policy(` ') optional_policy(` @@ -98151,7 +98236,7 @@ index 2b7c441e7..7443a9ded 100644 manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) allow smbd_t samba_share_t:filesystem { getattr quotaget }; -@@ -297,66 +321,74 @@ manage_files_pattern(smbd_t, samba_var_t, samba_var_t) +@@ -297,66 +322,74 @@ manage_files_pattern(smbd_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t) files_var_filetrans(smbd_t, samba_var_t, dir, "samba") @@ -98250,7 +98335,7 @@ index 2b7c441e7..7443a9ded 100644 fs_getattr_all_fs(smbd_t) fs_getattr_all_dirs(smbd_t) -@@ -366,44 +398,53 @@ fs_getattr_rpc_dirs(smbd_t) +@@ -366,44 +399,53 @@ fs_getattr_rpc_dirs(smbd_t) fs_list_inotifyfs(smbd_t) fs_get_all_fs_quotas(smbd_t) 
@@ -98316,7 +98401,7 @@ index 2b7c441e7..7443a9ded 100644 ') tunable_policy(`samba_domain_controller',` -@@ -419,20 +460,16 @@ tunable_policy(`samba_domain_controller',` +@@ -419,20 +461,16 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` @@ -98343,7 +98428,7 @@ index 2b7c441e7..7443a9ded 100644 tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) -@@ -441,6 +478,7 @@ tunable_policy(`samba_share_nfs',` +@@ -441,6 +479,7 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_named_sockets(smbd_t) ') @@ -98351,7 +98436,7 @@ index 2b7c441e7..7443a9ded 100644 tunable_policy(`samba_share_fusefs',` fs_manage_fusefs_dirs(smbd_t) fs_manage_fusefs_files(smbd_t) -@@ -448,15 +486,10 @@ tunable_policy(`samba_share_fusefs',` +@@ -448,15 +487,10 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') @@ -98371,7 +98456,7 @@ index 2b7c441e7..7443a9ded 100644 ') optional_policy(` -@@ -466,6 +499,7 @@ optional_policy(` +@@ -466,6 +500,7 @@ optional_policy(` optional_policy(` ctdbd_stream_connect(smbd_t) ctdbd_manage_lib_files(smbd_t) @@ -98379,7 +98464,7 @@ index 2b7c441e7..7443a9ded 100644 ') optional_policy(` -@@ -474,11 +508,31 @@ optional_policy(` +@@ -474,11 +509,31 @@ optional_policy(` ') optional_policy(` @@ -98411,7 +98496,7 @@ index 2b7c441e7..7443a9ded 100644 lpd_exec_lpr(smbd_t) ') -@@ -488,6 +542,10 @@ optional_policy(` +@@ -488,6 +543,10 @@ optional_policy(` ') optional_policy(` @@ -98422,7 +98507,7 @@ index 2b7c441e7..7443a9ded 100644 rpc_search_nfs_state_data(smbd_t) ') -@@ -499,12 +557,53 @@ optional_policy(` +@@ -499,12 +558,53 @@ optional_policy(` udev_read_db(smbd_t) ') 
@@ -98477,7 +98562,7 @@ index 2b7c441e7..7443a9ded 100644 allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow nmbd_t self:fd use; allow nmbd_t self:fifo_file rw_fifo_file_perms; -@@ -512,9 +611,11 @@ allow nmbd_t self:msg { send receive }; +@@ -512,9 +612,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -98492,7 +98577,7 @@ index 2b7c441e7..7443a9ded 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -526,20 +627,17 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -526,20 +628,17 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -98518,7 +98603,7 @@ index 2b7c441e7..7443a9ded 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -547,53 +645,44 @@ kernel_read_kernel_sysctls(nmbd_t) +@@ -547,53 +646,44 @@ kernel_read_kernel_sysctls(nmbd_t) kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -98587,7 +98672,7 @@ index 2b7c441e7..7443a9ded 100644 ') optional_policy(` -@@ -606,18 +695,29 @@ optional_policy(` +@@ -606,18 +696,29 @@ optional_policy(` ######################################## # @@ -98623,7 +98708,7 @@ index 2b7c441e7..7443a9ded 100644 samba_read_config(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -627,39 +727,38 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -627,39 +728,38 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) 
@@ -98675,7 +98760,7 @@ index 2b7c441e7..7443a9ded 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -668,26 +767,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -668,26 +768,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -98711,7 +98796,7 @@ index 2b7c441e7..7443a9ded 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -699,58 +794,77 @@ fs_read_cifs_files(smbmount_t) +@@ -699,58 +795,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -98804,7 +98889,7 @@ index 2b7c441e7..7443a9ded 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -759,17 +873,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -759,17 +874,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -98828,7 +98913,7 @@ index 2b7c441e7..7443a9ded 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -777,36 +887,25 @@ kernel_read_network_state(swat_t) +@@ -777,36 +888,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -98871,7 +98956,7 @@ index 2b7c441e7..7443a9ded 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -818,10 +917,11 @@ logging_send_syslog_msg(swat_t) +@@ -818,10 +918,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -98885,7 +98970,7 @@ index 2b7c441e7..7443a9ded 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -840,17 +940,20 @@ optional_policy(` +@@ -840,17 +941,20 @@ optional_policy(` # Winbind local policy # 
@@ -98912,7 +98997,7 @@ index 2b7c441e7..7443a9ded 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -860,9 +963,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -860,9 +964,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -98923,7 +99008,7 @@ index 2b7c441e7..7443a9ded 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -870,41 +971,46 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t) +@@ -870,41 +972,46 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t) manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t) files_var_filetrans(winbind_t, samba_var_t, dir, "samba") @@ -98982,7 +99067,7 @@ index 2b7c441e7..7443a9ded 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,38 +1018,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,38 +1019,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -99041,7 +99126,7 @@ index 2b7c441e7..7443a9ded 100644 ') optional_policy(` -@@ -959,31 +1079,36 @@ optional_policy(` +@@ -959,31 +1080,36 @@ optional_policy(` # Winbind helper local policy # @@ -99085,7 +99170,7 @@ index 2b7c441e7..7443a9ded 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1122,38 @@ optional_policy(` +@@ -997,25 +1123,38 @@ optional_policy(` ######################################## # @@ -104736,10 +104821,10 @@ index 000000000..88490d5c6 + diff --git a/snapper.te b/snapper.te new file mode 100644 -index 000000000..11b39923c +index 000000000..6631a6500 --- /dev/null 
+++ b/snapper.te -@@ -0,0 +1,83 @@ +@@ -0,0 +1,85 @@ +policy_module(snapper, 1.0.0) + +######################################## @@ -104782,6 +104867,7 @@ index 000000000..11b39923c +manage_dirs_pattern(snapperd_t, snapperd_data_t, snapperd_data_t) +manage_lnk_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t) +allow snapperd_t snapperd_data_t:dir mounton; ++allow snapperd_t snapperd_data_t:file relabelfrom; +snapper_filetrans_named_content(snapperd_t) + +domain_read_all_domains_state(snapperd_t) @@ -104795,6 +104881,7 @@ index 000000000..11b39923c +files_relabelfrom_isid_type(snapperd_t) +files_read_all_files(snapperd_t) +files_list_all(snapperd_t) ++files_rmdir_all_dirs(snapperd_t) + +fs_getattr_all_fs(snapperd_t) + @@ -107180,7 +107267,7 @@ index 5e1f0534c..e7820bce3 100644 domain_system_change_exemption($1) role_transition $2 squid_initrc_exec_t system_r; diff --git a/squid.te b/squid.te -index 03472ed9b..deade60a1 100644 +index 03472ed9b..87af88795 100644 --- a/squid.te +++ b/squid.te @@ -29,7 +29,7 @@ type squid_cache_t; @@ -107232,13 +107319,14 @@ index 03472ed9b..deade60a1 100644 allow squid_t squid_conf_t:dir list_dir_perms; allow squid_t squid_conf_t:file read_file_perms; -@@ -78,15 +86,18 @@ manage_files_pattern(squid_t, squid_log_t, squid_log_t) +@@ -78,15 +86,19 @@ manage_files_pattern(squid_t, squid_log_t, squid_log_t) manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t) logging_log_filetrans(squid_t, squid_log_t, { file dir }) +manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) +manage_dirs_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) +fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, { dir file }) ++allow squid_t squid_tmpfs_t:file map; + manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t) manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t) 
@@ -107255,7 +107343,7 @@ index 03472ed9b..deade60a1 100644 can_exec(squid_t, squid_exec_t) -@@ -94,7 +105,6 @@ kernel_read_kernel_sysctls(squid_t) +@@ -94,7 +106,6 @@ kernel_read_kernel_sysctls(squid_t) kernel_read_system_state(squid_t) kernel_read_network_state(squid_t) @@ -107263,7 +107351,7 @@ index 03472ed9b..deade60a1 100644 corenet_all_recvfrom_netlabel(squid_t) corenet_tcp_sendrecv_generic_if(squid_t) corenet_udp_sendrecv_generic_if(squid_t) -@@ -132,6 +142,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t) +@@ -132,6 +143,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t) corenet_udp_sendrecv_gopher_port(squid_t) corenet_sendrecv_squid_server_packets(squid_t) @@ -107271,7 +107359,7 @@ index 03472ed9b..deade60a1 100644 corenet_tcp_bind_squid_port(squid_t) corenet_udp_bind_squid_port(squid_t) corenet_tcp_sendrecv_squid_port(squid_t) -@@ -154,7 +165,6 @@ dev_read_urand(squid_t) +@@ -154,7 +166,6 @@ dev_read_urand(squid_t) domain_use_interactive_fds(squid_t) files_read_etc_runtime_files(squid_t) @@ -107279,7 +107367,7 @@ index 03472ed9b..deade60a1 100644 files_search_spool(squid_t) files_dontaudit_getattr_tmp_dirs(squid_t) files_getattr_home_dir(squid_t) -@@ -176,7 +186,6 @@ libs_exec_lib_files(squid_t) +@@ -176,7 +187,6 @@ libs_exec_lib_files(squid_t) logging_send_syslog_msg(squid_t) miscfiles_read_generic_certs(squid_t) @@ -107287,7 +107375,7 @@ index 03472ed9b..deade60a1 100644 userdom_use_unpriv_users_fds(squid_t) userdom_dontaudit_search_user_home_dirs(squid_t) -@@ -197,28 +206,31 @@ tunable_policy(`squid_use_tproxy',` +@@ -197,28 +207,31 @@ tunable_policy(`squid_use_tproxy',` optional_policy(` apache_content_template(squid) @@ -107333,7 +107421,7 @@ index 03472ed9b..deade60a1 100644 ') optional_policy(` -@@ -236,3 +248,24 @@ optional_policy(` +@@ -236,3 +249,24 @@ optional_policy(` optional_policy(` udev_read_db(squid_t) ') @@ -111773,10 +111861,10 @@ index 000000000..115bf6c42 +/usr/lib/tumbler-?[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0) 
diff --git a/thumb.if b/thumb.if new file mode 100644 -index 000000000..9524b50aa +index 000000000..d371f62f6 --- /dev/null +++ b/thumb.if -@@ -0,0 +1,134 @@ +@@ -0,0 +1,153 @@ + +## policy for thumb + @@ -111800,6 +111888,24 @@ index 000000000..9524b50aa + dontaudit thumb_t $1:unix_stream_socket { getattr read write }; +') + ++######################################## ++## ++## NNP Transition to thumb. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`thumb_nnp_domtrans',` ++ gen_require(` ++ type thumb_t; ++ ') ++ ++ allow $1 thumb_t:process2 { nnp_transition nosuid_transition }; ++ ++') + +######################################## +## @@ -111823,6 +111929,7 @@ index 000000000..9524b50aa + ') + + thumb_domtrans($1) ++ thumb_nnp_domtrans($1) + role $2 types thumb_t; + + allow $1 thumb_t:process signal_perms; @@ -111913,10 +112020,10 @@ index 000000000..9524b50aa +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 000000000..d6affa561 +index 000000000..a34bf9b9f --- /dev/null +++ b/thumb.te -@@ -0,0 +1,173 @@ +@@ -0,0 +1,174 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -112066,6 +112173,7 @@ index 000000000..d6affa561 + gnome_manage_gstreamer_home_dirs(thumb_t) + gnome_exec_gstreamer_home_files(thumb_t) + gnome_create_generic_cache_dir(thumb_t) ++ gnome_setattr_cache_home_dir(thumb_t) + gnome_cache_filetrans(thumb_t, thumb_home_t, dir, "thumbnails") + gnome_cache_filetrans(thumb_t, thumb_home_t, file) +') diff --git a/selinux-policy.spec b/selinux-policy.spec index 232fd613..413882a3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 302%{?dist} +Release: 303%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -717,6 +717,43 @@ exit 0 %endif %changelog +* Thu Nov 16 2017 Lukas Vrabec - 3.13.1-303 +- Allow pcp_pmlogger to send logs to journal BZ(1512367) +- Merge pull request #40 from lslebodn/kcm_kerberos +- Allow services to use kerberos KCM BZ(1512128) +- Allow system_mail_t domain to be system_dbus_client BZ(1512476) +- Allow aide domain to stream connect to sssd_t BZ(1512500) +- Allow squid_t domain to mmap files with label squid_tmpfs_t BZ(1498809) +- Allow nsd_t domain to mmap files with labels nsd_tmp_t and nsd_zone_t BZ(1511269) +- Include cupsd_config_t domain into cups_execmem boolean. BZ(1417584) +- Allow samba_net_t domain to mmap samba_var_t files BZ(1512227) +- Allow lircd_t domain to execute shell BZ(1512787) +- Allow thumb_t domain to setattr on cache_home_t dirs BZ(1487814) +- Allow redis to creating tmp files with own label BZ(1513518) +- Create new interface thumb_nnp_domtrans allowing domaintransition with NoNewPrivs. This interface added to thumb_run() BZ(1509502) +- Allow httpd_t to mmap httpd_tmp_t files BZ(1502303) +- Add map permission to samba_rw_var_files interface. 
BZ(1513908) +- Allow cluster_t domain creating bundles directory with label var_log_t instead of cluster_var_log_t +- Add dac_read_search and dac_override capabilities to ganesha +- Allow ldap_t domain to manage also slapd_tmp_t lnk files +- Allow snapperd_t domain to relabeling from snapperd_data_t BZ(1510584) +- Add dac_override capability to dhcpd_t doamin BZ(1510030) +- Allow snapperd_t to remove old snaps BZ(1510862) +- Allow chkpwd_t domain to mmap system_db_t files and be dbus system client BZ(1513704) +- Allow xdm_t send signull to all xserver unconfined types BZ(1499390) +- Allow fs associate for sysctl_vm_t BZ(1447301) +- Label /etc/init.d/vboxdrv as bin_t to run virtualbox as unconfined_service_t BZ(1451479) +- Allow xdm_t domain to read usermodehelper_t state BZ(1412609) +- Allow dhcpc_t domain to stream connect to userdomain domains BZ(1511948) +- Allow systemd to mmap kernel modules BZ(1513399) +- Allow userdomains to mmap fifo_files BZ(1512242) +- Merge pull request #205 from rhatdan/labels +- Add map permission to init_domtrans() interface BZ(1513832) +- Allow xdm_t domain to mmap and execute files in xdm_var_run_t BZ(1513883) +- Unconfined domains, need to create content with the correct labels +- Container runtimes are running iptables within a different user namespace +- Add interface files_rmdir_all_dirs() + * Mon Nov 06 2017 Lukas Vrabec - 3.13.1-302 - Allow jabber domains to connect to postgresql ports - Dontaudit slapd_t to block suspend system
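Review bot: style nit on the new rule `++allow samba_net_t samba_var_t:file { map } ;` in the samba.te hunk at `@@ -208,19 +206,26 @@`: the braces around a single permission and the space before the semicolon do not match the surrounding rules (compare `+allow squid_t squid_tmpfs_t:file map;` in the squid.te hunk); write it as `allow samba_net_t samba_var_t:file map;`. Since the changelog in this same commit also says "Add map permission to samba_rw_var_files interface", consider whether samba_net_t should get `map` through that interface rather than a one-off allow, so every caller that reads samba_var_t picks it up in one place.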
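Review bot: `++files_rmdir_all_dirs(snapperd_t)` in the snapper.te hunk is a very broad grant (rmdir on every directory type in the policy) for what the changelog describes as "Allow snapperd_t to remove old snaps BZ(1510862)"; the same hunk already gives snapperd_t manage_dirs_pattern on snapperd_data_t plus files_relabelfrom_isid_type, so if the old snapshot directories carry some other type, name that type and scope the grant to it, or record in the commit why the all-dirs interface is required. The interface itself is introduced elsewhere in this commit (changelog entry "Add interface files_rmdir_all_dirs()"), so the contrib patch will not build against a base policy that lacks it. Also, `++allow snapperd_t snapperd_data_t:file relabelfrom;` covers only the file class; if snapshot trees contain directories or symlinks, the relabel will still be denied for those classes.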
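Review bot: the new `thumb_nnp_domtrans` interface in the thumb.if hunk documents itself as "NNP Transition to thumb" but grants `{ nnp_transition nosuid_transition }` on process2, so the summary should mention the nosuid case as well. It is called only from thumb_run() (`++ thumb_nnp_domtrans($1)`), so a caller that uses thumb_domtrans() directly from a NoNewPrivileges or nosuid context will still be denied; either document that limitation or invoke the new interface from thumb_domtrans() too. Drop the blank line before the closing `')` to match the other interfaces in the file.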
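Review bot: typos in the new selinux-policy.spec changelog entries: "dhcpd_t doamin" should read "dhcpd_t domain", "Allow redis to creating tmp files" should read "Allow redis to create tmp files", and "Allow snapperd_t domain to relabeling from" should read "to relabel from". The entry "Add map permission to samba_rw_var_files interface." is also wrapped so that "BZ(1513908)" lands on its own line; keep each changelog bullet on a single `+- ...` line so rpm renders it as one item.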