From 313e17b74ece7e24ce0c0e4450d658fea0e65ca6 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Thu, 31 Aug 2017 17:55:58 +0200 Subject: [PATCH] * Thu Aug 31 2017 Lukas Vrabec - 3.13.1-278 - Add a couple of rules related to map permissions - Allow ddclient to use nsswitch BZ(1456241) - Allow thumb_t domain getattr fixed_disk device. BZ(1379137) - Add interface dbus_manage_session_tmp_dirs() - Dontaudit useradd_t sys_ptrace BZ(1480121) - Allow ipsec_t to exec ipsec_exec_t - Allow systemd_logind_t to manage session_dbusd_tmp_t dirs --- container-selinux.tgz | Bin 6903 -> 6903 bytes policy-rawhide-base.patch | 62 +++++++----- policy-rawhide-contrib.patch | 185 ++++++++++++++++++++++++----------- selinux-policy.spec | 11 ++- 4 files changed, 176 insertions(+), 82 deletions(-)
diff --git a/container-selinux.tgz b/container-selinux.tgz index a7e7037193b3f861a287abab3a3465926ea60e7a..11ff2f9f857ec4ad54e99c5fbcb59a4934bef486 100644 GIT binary patch delta 6604 zcmV;-88hbhHTN}tABzY8ATg*}00Zq^ZExH-lAf>bUm+v|#2zGe>}0Y)JiCX*%mH^F z78vX(Se0Yz)FaPlUTlF{my!-I(^75O@cbDIPU%h?z_WgT!4uAaN{Wrne zr>cgCJehvtyyVg2x@zweWvtdinQQy%Il3Bsz% z(kN`xvIrtEP=ch`!SC}QE(F^OK>U7srNJL3|9+oDhc;2r(;{g1>Vvq<;UDM3dZF+J zKU85I=0OpE=E)ylFsc`S8kF!8y$HfAEANsxXv?6j!=g#CQ6|s}LWO^?(xOf3Z5Sn| zzslOI>qF6|d9sG`2VAs`FHKfq^>=&b*)xFU1o^^{;%*@f`?I*G|d<)B1K_!F*I`Cn^s3DWaD1(K*|qupmn3EIV>S{WS?=l5bU)IQRls zsX+XH<#ss57MejGgWMu)sOp-kH)~W^ptV>VN3_?mBK;e6qawd7-2^dIGiu8^O_~XV z_h|&l#~D=1N07H+jij9*sr=yEOB2mUXlKCj;h*a&sq+RHw`rC%qF_! z%$N-bmZ%5$^Pbhqryz3|no5oTUy&IObNqBMb zl=ATZFM_f{`G?sbU$phX)vGXd{JVnHM?(N_;P7s$jR+$9fUcrCw;J^3F z?nQq7&!3*jI!hLNmB!O-r20@;6b?W&6E=SYWPG@|i=#>E+eMBr7V>jjd`u62O`GIV zn@#oA>F*9j+LHLYj$+s`-&BZ#SZ}3BUME?J8&i-}3ge011pG%Z^KRXi47>uxau;Jw z7>>dBqSWLg{tD#CklvROE?%L4FJSyn!TlLslr)XQA`b5A)U=t*lN?sAFF&d8Kt}m2 zZ?B;zBn|XK9x!Yn`w7z2g&72Ynl$^l8AC0W5iLPUljSGD-H@R zOCyrJ4qnK2=fL;kY&K3@MmO_88sJ_JYJ^Ycpn<8c;=GBn6uNgl5^LK6HJK$FhEYcI zB&*e+;TSOdc3>~lFtnl25ETg7ebg&n41ZS@xUp-g!c3fjASNRix^pJRn+()lqmC?3 z``_TS?neJM-JK`J?UJZ}`?6`9r2%QbwjgGmG-Y;sjuKb|mi1HvhQOx0PnKyu!$hNY zLAVn34_WxIJmS@YkYQWqsn7vnxYV#}ufsS`3$_;Fp{H&7u*FIsoy!-1cBJd4EDGV@ zkVXeKJ_rLa^zVbF1(PJF^(AS)xc$s(gZ2j2dUh0ABC4a=p7%SflP**Zg zSj!u23s2x5Q9`0Vj4t5SYRe;g2lgexJ6Io}RsnAxxlu@GrBE=e-Q?r#hq>OSby?(- zHZ4!nT~yCwy){;U$GhlJw|i%}YXLjm{9uC-dD2!GoGoh%M`((p~pd4RV=foI4_eg5|C}j@-))~kxta-`5^J3@CH#iB$xs`D; z?wu2UHdG4(C!28iud6akqX!z{!YRnTfFaC)Rs;Nj(+ZggPf^|&ache_~p*Qt|DsnJx%0m%1G-2>Gbs1g84umEA z5n=sZ6=$7)L8vVpQo-_dyx9q>U|2jD;Q5-tWC128ENJyZRYG%_rJ6R&-iulI>PlDL zxz{ROrXQnYhj?8{tT&WuF{fKUhPwk3k7XG9kkc3*t5ipO?LacdPil4XLo$XFc1Zeb ziR6ZoQ9ec_eCw#vFcdHS?+mZ3?S+>?(D* zcG&zmE)?_D+qE}8{x*jFDiM^XxGcW(8jWrDxl2TDgOS@qM6*adSwkyUL+8lMiLfov z$k~KV8ub@YAz#1cvZ|A9dT)^D&-8+d!Cvdo?DB+xU*Q>qDo)0?7O#x*>~0O}eCk>W z%DQiVct{da1`wSh(V2XNo?%pfIqmA!ZCLM;R?y^Gvj)Af2l7K_KY 
zMDZYzbQR9T!f5f8Dc zcyLXEAu3Rv;BJ!<2@@Of=b$Rt5|Tu(A|Y)pG7!j0NixitfG{dJQ+2~z>LlamSY z0XUO|3Lk%7p&zux@V6XQ!coX2R zfk}U#?)I?q(gwU=a>n-kixrI97`4pFmQZKWfc^-xfZ1d4iuuS)3xAVj+mBILg_|@> z+lSyWi1y`O5!|F;0Bzx4c*C+u+B6RGo1%;Z>>7VMz@vX{(n7}H(}Ow$nCLQM8};PPn;jjO!f#Iw45DWN*lHmC7}LIE+WRs=oqiWw z_-}ttHdDX{FIs)*iPlEd0w{-gfHH->n~+z*hHQc6&{RngyEt`SsWt^&L^N5w#xYYu z0ZfxJN}=)|Gm08_M2nAL1(lO7(PyB(vb4Ba-|!2HhvXK+1CFSfK!lEn({QIjiMO*L zUA2-+C=LM9(6C8N>NHw|0ymmjXOaa6?nHkUkpEN`8ksPh>m<5mL0!1b9hoxM&bcGn9S&rFYepA z%)5o25}xE`3}(X0m<(a0dLk5fxXm-&B0m;vm}g-&;%LaTC$b?1T0rwkyY|F}K{tOz zU}F1gj)a@jpKe431s0#boH{`5-pGr2O=dfEQ{3E~=GxITAAwg}1==IFm7?^6Px7wK zyvFVf59T)2i8Xm@+3?I)k^I0E!O39nPkx$?5I%}2%(5K7y43=vS@C^hTj+j(+ekHy z;kUf*`gONAzcpoX4liH08t`az*$sbv0H21@6fc86$1#g3%)^_c7x1%BqMP8ZtZ&YN z>_5sX*&ed&0UhojfxNsWZ+sElCBZ&~Kf+*>pa6oV%ns=u_sS&U;MtW(rdD7(3VMmq`*h6p&TuAU;JYP@81UQ zn0U%U#I5tEEMv04J*5nvRYYSV!&zBAuHA=NuF|)v%YEuJVQo{*ih0eEnFBh9*^F7{ zO3XNSuy|lj9vmK+OXE$R?Jj>zpC0DK6Ad5VQ7o&njHP70cKamQ-5uPgguhxI-*j*M zX^K$pd_P?QcujltvZLur>gDQK&gL3RO*d!adty#jdY-tG6`v>WbZ3+&@MJAGhU=pV zd#Sr8ZURjiBmAqppaDCU>um1m^}?KLM0x_x8)hEBvxb=qw;xyFJq&+1q-hw)w$p&{ z8OFmbPukeMlX`|DPdwUyA64{&4vcN-A`yrYqv>&L++sw%SwG)^(36Zu zd$TYr3i>vatJFo(qI<%ZoNk&vG*O#bsv?N*5ZQ|q#MVUnB=##D&$}%`=pv=p6b~Op zZF&pyDYlf)>0^9%h$(-a9xsHwXCvcNfS(BK zd*z%fjB55#zF_C!1)W0(9ZVZ@^vGGCs@W%5=0WG@SUTd=uy>v(*wXC`rkQ1F!9oik z?d{vP@+?BIL}i{=S#rOoF*(lLJKgk^ppnV%jCb})>Wri0v6FvMw%pNF=jx6{kXz^# z@~8{ObP{(uuBRRFy4qx}(ZcvirXMlC;TziKvC`N>gO}2BJpT8AWZ53Pns+G352N|5 zZQX?~Bqn`|E_b$(Q!>BLNaa0*(e!)5QR>~gELd__o+`%NmZmLhG~qCYfzWJQp zZ6rT2r92TB3FGMKRhKFRCp@(}Z*~^y9x>QRcya~Qw#|3iM9MUv(8l!tLVJLJ$Ix{F zyG6LB1F3bC*xGMm6?W|wo&Z7!7!K8;)s~pNDED`9*oJ?Oc|^9im~{3EybOlaj-GSu z1sJbPf~~X&jwm1S8`}mZo9_GHaui4^RwLBM51!A;b((>XmE*%x&LO(a{O5) z4JRg3DBU`74M}5~X5U@tHFCW&GuBmZb#9)q*Gx1U2ZbHLQtB2af0;ESePdxxD`p|i z~P$0M-_YwU)nd#Nh90m&SqETnN1h`ypxCHQ99f1ych(Z_hf1 zSpvq4+XW+t-3}H5v5$X;K5yrR{8Sz$AZ5eRgI4WBGRB3Mig-O)d&bsivxk-zvbby( zH=}>uG#c=+tdgjZVMrzWB!kK5GQU@=IJs5#AQn%QLIi@t!*-jS3n;1EVX?K$7D;mO 
zpvi7&&28(_Q8oM|0@lh&k(FiT1?5*HRt`*x+UWuiGE18@rf96uEjr(-9KkTULmzPX z?7;_2@=R_LmppMB^EWV_@dCK+LTVqn0{(xaIJ(sAwKw7R+iUA@&NH@;S3MK1?SA4x z<|~1we|z3Fq;%2|R|u%=hDYAG+9Eev>wC8G^dlxG%OZXlTC(;Bn2y=T0qNV>{K4R zx>J%XC{vX&Qf`&dW?Zg#h7##4xJ`edQ^}9IWtXTsRSHiWbl{SC7`4B@P z*K=DoJt4D0?lX;PkjB!^#M~LC_lDq8b~S|^zg=r(_JgWSfJ*KkI>B$1??>q^kPcy= z<{FYP+S#^EFCv5WDKkavOt{7BxWrn{HhE?)iwifb=y-!V$ax4WC`HJPdmXftwyQc* z2L5ezFj&}Wndjj?wBpnExGaD5WoeLvVc;TS7DspNg_eqCS#u_t_p?Gw^f`z&Eo|;H zmPpZ5@;0rLJD4%?XhUCFg^JtxS>FGH+~?a4G;EATghw(3p1fM~rkt%_s)XGYtw}}E zR2V&7Vq}h^8#bdntVR>1n2KX%%PH$xn2B1%H~P{Glds1>gV4hDl9GRiX7>>X=sq2= z?r9gZ&sgL=lewBlw7F!Ju~EF4Laiy)wha|x0KF38Q52`g{4yyeiM41nyGP$pVMDqa zb~bv_Bkr#Exkt!hvj+K|I;(-CF_M|Ta`Q;vIvqV*Fd0T&X;GKHP?$wCk{zgQ{YazG zVF~Jm`Nk+s&Xa_Bij996k|-zNF?V5IiT(y(u`te-K`}D<@Kk;!GMpngMmT*ssXJA) zo*NqSBbz6^Ux|F28Uo~Dw5s98IC8ZmoEKp{v$rp)oXfsSE2*AsHV2V+hKIydUV?y7 zJt}W~SHE>pk{Q>bvd8S(MZK_AH*%+0`udCX=GmAk7hme?l(&CPuZeo*-B4r=gfkhk4X;jAN_#wi; zV7tmB{$2gfc-{+^l2a{~Jz2p^Z1jWUpu;z zgd?^_?-@-LeWTy%F~r8OV19I5lqvY;eSNxZ*i9^<=#Y(Hd?gu?F=+c86IU4OxGMBt~83=;P}?9jcctjq zYyI;-nx^W^46(HhW7^!VH3*xT>8+gBufp1O=5pVZ7_yi+nok6}&FTd!URzjmMdR^zH|xA}bKM$9C& z@f(8Pn6T1)~y02f@`+xZ(d;Wa;WZ$-PfB%2)^6mSp@AdEhU4Hob{lCxhbAk5b#V_aV zi$3&qP#hA;eak;#w?2I2i&FiuQxiOedGi+Z%f+FoFS2xlYxV`hxj6ssSwkU7Q?2spKri()Ph+hZYkdW)NTxwK31zs7Y@ltq=3b@QH>T8e1 zyGSWvxk=DL^Q|fWJx^sRpPl3ANh_4?HUio`b=NB|uUpQp#e;pjXHWp!~I zGTC8t7DMs{>f&#xJ_4vGsztB>>VkjO`WH;p>J2Iaj7*S{szLPg?|#8A2>1(;eT!fm zSmb{7NA|BYrF~rn7$c9Sjw2TyPun|j5O^S79Rb;4c5+;1m@54ewq>49ok_-qE1*1! z(~@GfqaPz;36HDNGO|Ua3+@6)ruLV)`;St>PEExzpFm*=WV7BnT5Xx(7u9rL_9B*1 zVgi3*T_#``S7{pX@tO@xqnUO}7uqE2iC~go&QvzwvC92&UZwFQlWYVIUA=(UEQ9xk z-?CXognad4c5X8jbP#!_=rI6RY_(oibm4zW#ju`TFx2e*OvX K8JTbZ$N&J3JP4Wq delta 6645 zcmVu=;XlFwK7Um?r{7(1BpYw`fb**z?h1MWT? 
z5bQ2+A1-$twWRJ=tXCwpA7{+|?N?QNh@wb}Qp+>m!x%_Bma2Xvi)67_ES93OXv4Hf z>hpB_)ieEE!q4~Le~Z7be)#TE{S80wzkh#q_0`q;tM9IVF5my~!{rZOU0%JvzPkJ> zxO}b(sXvFN4eKEID!Z%0O%hq@#@_#v{;XcV4t{J7c^=k}fBySE3Cb!d-ZkZ+j*=j( zsw|DdHZ6-F5(6bjiXHqu|M5bwtpLRDr&k*Maq_PZNpxrv1wAc-cCS8&%N+i3POKLS zZ}4Lk)?prh6k(qH=@p}T_2)qeKhujK%(C)6iG#Kb+Bz(n6dPp%y&zQh_bM&gq~3;6 za{8OB&AL7mZJH-*D35U7y!~x;vP+6}o&0e~YoJ}7oV1UX(gMlTzBN2dKmzOb#=(_W z+lDCKoUK+TQCTNZ9wbk4FPC)8h)Fedp{b%}#7 zfRze=#9wZQQ*5CbWie1LWa93TFI9X{ypztF75CAq1RDBY&eL98RuTuBBh zkIIbMfI$8u?WJebgU1aNi)Nc4a)Z$SBP_z5zL30(IhIq^o=vxL_+zx2z!;k_&#EPV z2R-^V}bf~QhjM=ucEVjr8`|^ zIVAtAn&v044seUS`5ollpnoD%x&lh+b;l#J+^6k62!Zg>f`r>N3aIs+?*W!}qzjcb zzpB$aEC(q+VTWqSycTP$g#jO(xzv<@a!XbR6ABtC5lLxEQH*yTWnt4;ilTSJvNj1X zE}l{z{{K}_Rw(~4`_rqoKG>Rwq*}3?BrSGc#hRyxSkJv3yv7OQ^2REY;OlGn?>+qY z?Xr83U;h2)7qZTh#a^ZHG#jZt6c&X8P|bwR9|0L3F7D!JlKO6uBaDUo+!h~y(__;n zdDLc8eRcY~Ly@*5{;s1KcFZ>wq9E2=DU#PoR^rAKB$dK=qBjBm5zM?>w(LKh`X`#LpkCi5hRmFx3Q>U)q; zKFix{=m|*!{g4L?TgZNbG<9Kr27xBc{1KIYZd$s|Xwal@#q1QRC0B zB!|d}VUpOpg&NC`*Swb43;x}pEdLe?=`X=|`UJ_!or6_b3oR7;GEek>F~Ao^zUYdB zLd(*KByWRP^4&S`y*itX6PMBLe2@mX*Ml12(>Z8h>Z>^KqAZ2(osY!Ywm?m0$%bK+ z(LBj&HE1{n48I-N%QOsaC^SR`LiP~#iWkG*RRwPBTB4P#M%%&@_y?4bs1KtHc(vN{$lif{iSQ2A2dGuR+edB`(pf1K3~M*}c>7_lcWGS~ z`J_$D^K=*0^H^_xjn(lkderUS8SYxZPB*{U8J{zA#?uWTLf)QWlU{=~f+pP+Va6tG z@bPAvLk0??)yYgKD&{`fa3Lti7uGp3#?L*H8b3+sO-d7$UO z<4Z4JSU@b*cS_hgG4!;B(&Qt<(G{e@wsSwT4VoYi1# zGdaIpn}=FI-RvIDf+{zyo_KS)A!x<31jF@{h*2*jGOXM#0^atJWX9jm$3t3 z34cUbe^wCg!YUXRj|OS3YY1}=-44%R}$+DrCQAC){o)tz{F!2#y;dUhQ}(^(Ox@{jPa9NUHp)Y;e;KM z{#qirp=6Yg5eeTqsx%CRP^`v*msF2su!y}M3!n*qUA}bGs(*rQGg{5O>Oq^rDjvH^ z9j+ZVe~t^qy!CeN&5ys0VZTZQr713p&%H)t+kNg5k=tP8_7Kr55>M99iq+6LGIJtq zOEhveVUtGv1ysn_Z@H}MWSc%1SEvPaL`)RA<4pG~LF@_Vl-e*1R>C_qY{#%_G8b0f>)ThG4IE8N3T{*TAH|Pj`D*d1(XQ zFF9lT{>2K$ZH!vxWJ{>CXh462S-|Wuc*T5VriH&rvh9Z`tinxynx*Yy@DxP*^1cXe zQ!s$G@Grb!*(7Zm2l;JL#sPK>9pKTwHfbT_@99Auf=!dOTY$s`Z;ioMl>X`C%~&nK ziV+9)b&`R7oZ*4}2$R?&{{sq*4mAv&cATegaE?%KV+>0gCqpMA&4LmQf>COIwurIQ 
z%0VMLy!2*Pu8n$s^5)Hsj!WUUCkF=6vjA*0kbaD5-!bidnV?R82rm4$Cz~nYgBPtn z^h9f;Y5|l(JV2Sk-c88sU_-V*b7-ohh+Ukzu2h?XE+U$&UgMZ4p#Y{y8KqEpj~PXc zJEFx$u!71-m*_K4Us+n*u5bAT#Y1w3;Q>d~Odvu>#A&#H)1buLS&*(;$t4sA0BLC0 zBqntltwDhs&8#!Yf&+IV3&?*e3yn+|&UF&qv7j#8W{=lw4i8n$lU@pJ0=?YuyIEG+ z7EANWn|Zi?-(>o={t?T9nT5kAX97`Pj938DMye6|9x+!jMPIK*OnvcM%tpe={+e%UT!AE)5W?o}=h6i(->cpBn zwQP9it4Mxeir{3h_eVcXM+hIp6lPftVBKl~)2#S^KC&%zKfrCIn#S;3UU&Vv+q>VJ zvN(sAuUrjyGP>-BK7fzIXo}atU*ed>6z1V=(hK<6C(&(iU)HzhK=yBCm23}L_J|I5 zkU(DEkvF~w?vr32!XIIyH+_x;k<-R;*F)tkd z&S80f26GAag9!jQ!*jU%l>Gw28&8JL-yu98ok++OFgipu69U8SG&Yv^3;hc=J7UK4 z?YZl$FXm0>iP)2;w=aI*SLrp`HE7GEKT_Z$*HDfYx-b4Qg7!8gbCxmL z;GR;3&nluZk>RW?A2;qpELZ7U)#W~Qny|Kisbg~WK?laRbdd>KSIeO%*Pu1*`Ec2lAb1WTkYS=r^6Kv^r2Gh*4v|yoykM{O$TX`0LAy}d^ z&#NqXSksss=k1+t`byBq*dD9oN$i zcwKEW*Jxq^H^!@p}|XOIUfJ}K(cHPUd=lcJZ6akFP-tWNzo9+AzhmgSfZZa0T+@NnI!bKq zH?a!4b_-7cAp{JE>dKITw>md}&)91wnvH|P4qz#D3zNUhnvuS-FsBu>5a)5@*Iw_KTJ#EU zqWESQuh~PyuEOH&E&ovEe>_oyF|!ps;)~UwO5n}IXpQdEI*k+hgGDua;ZQ71(afpB zwZdz!f^XRKQvhoV#ahc>IAZX3wM*kbY%T{WuYBVSK?TV8!hr36YKK9K-cgGW+ggv& zJt_*4E9m0^DTX-S)m;ejlPR_`z!i(R>!t@KKRJR^gGi*P8|fU2pRqego5ngki1R&? zQ7>q5tG%~mj{7ur%t3OOR-l%PZ8_oq`Qwl@?V4;l{er21p0{V6!z=+~#_fU;#BK+R zf!N2tL!Y|Uy?XcKdW{V^_c+g~bwC1*T>8Kih z5&>)Fq{zy$@`Ca!5-SHLMeTF}2$`i#8dEgZ=oX!CRgPeP7~P={IDGct115PUH;GH0 zxQ+Q67|(bCTz4V04_yKOQ5;=r_S&0p`|Y*$H|H7K$E%(R*LFYgAoG<#)4x6M8d5sx zh${qCcEclYTy2pXt@Q)jc={2OlVuS<3@usv15C$k-S9xuO9huP@tN0Ub--uH|3iQ%_EwcymDOBSdp? 
zm)aIhc|XEuuPSNT*zmkdA-JSvhYy^GSRDuJxUL|7hpdcDA{2Hik6qm<$rY5T$`~oP zN@z1KS3EF04c0i^dg4SbVTEmCohS>K zlZaOEvF3EfJk`x%%D-_5yb1G7sEIsEy+ui+Ufn~K)1*!;<6b|&0nbzEXCXPZ1Tm&Jt}R&=~U9ppTJgcXz`3dw3`m!`g!Z2_VF^i)+_Cia=vaC6i%==j(Ci)yin-(_r8B3&SDtVjM$vw=N zc(kE!tU|@@{4DSPLGJTy2O2iUBEln?0#9D8c~j0-uT{eCiq@o}Xex}JE-^C4(G8n_ zQ65&KiBe3(v9jfqbuG+9E#ez}>4nMHW1vB3;d)KUL$im719YDbSogGx*=H>Bp2=Lz zBidZD%GfC0Orh44YTJeiF@RnP@hFPZV}6;GlEhjxn%$#ssIVbj4Lch>=@EC=``jbs zuvvqAPo333(iq9iU%7drZ=H^wEtm{{qpq~5OJ69=q8Z5!RJMMkQRuJ)^}>8(lqTm% z!aT*s3`vxe@0h!=u0(%>uUHso%b*yUe0VCq5*f}B93z}Qoz$HwTF(s)`H{_&-mgSH zP7ML_Fk01cV;s5K63&Y-p4r=%RL*5zrIl3AHk*UUJHta_Dlb7ms2-KKzN_DVx+uwv z>rmNa_U)oxSgRYk(=2`cMSAmWOqGi-b#=(~M%4bXUw0^vw zenE$ld^{dalFn3kt*-4}2S2fVhuI^`dXcgZ?7*T8<}@nfbNmotV6a_f692A#XFTr( zOUbDg%bu{s0c}sR&TjO}6Iy~#mPVfd4QZ2m_l)>m3$Hs#b8cL?_7{tP0gdK}95zDS z`!FpSyeNIaV2L=*YmAxYI_T#Q3~u^UDy{!8Oex_c>UsRh&#xU_Nx~6ZqxXy^ioVfr z^%!DfSTH|2E=qPVs^yGkUOOHEE0Y)Uv)P_YR8SfRF%NrX*MFo_Lywqn1U5M0I$ZG_ zntHNcg=h`8l30WKA-ltWERKe(zd{nDu5$G8b)OE^%O4sylK#d;ErKBxYSX1FQ`93j zvB}@tz()U;d47}J6rDFLF;-$PZ}X(Q!Gy@)EEprDcp8`p4b`rVUNuVyIellrNWPzJ5R@Iou*G;**!BpS@;0N}r z!uW7|&Tc%y*<(szDg2zpUv`eD5>Dor~`w<`H(I2QLk4xexgK6?D^aqR7P z-0dq8K2Kf7k56jmG2SVeqQ|f%=&d(zgWtN(eXDWRw%dHZawBGv+V~AYZ%kNeK^--o zmgwM;&N$D=1tAZEc1odsSAx7mL%Q2jE=23q7*6?Sm@|QYc1-ft7~3-`Hgf+PoE_bl zFYNul{EzJ0cD+qu90cXj#g^>>5s|6P9h{@*A0xj_5z;@5NbMIZV)C=Q9_q2-^j zTOU5~MXCPKsR^FKytxGZa&c(ti!9yXntj1=F3!I>dH2p6O>E5hS9K881j>Fb0}U2+ zhqn}9_7J^)L%1c|4wx4URuSGs%Ty52B-MZY&&7X#!%hyC?VWe%^KRP3YRpmjcZZgS zEy}wxJLJi`>7r0R;@3epB;-0Rml{>ifmcRpycAxe0xmO)`r2dhE>cQZZW46Rd~3>o z&r?~-XXiM2(h8+|3d-f|UrxNSBJoWI5gY7qVWn_uw@0{%i|-y#?X7P(*jk^L)8Xk_o4LielBxY=?*5~cuv1fU%x6$o0@r~ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 5fc67302..4e2480bb 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -3182,7 +3182,7 @@ index 99e3903ea..fa68362ea 100644 ## ## 
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1e7..121ace88e 100644 +index 1d732f1e7..d698fdd02 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; @@ -3502,7 +3502,7 @@ index 1d732f1e7..121ace88e 100644 userdom_use_unpriv_users_fds(sysadm_passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir -@@ -446,8 +492,9 @@ optional_policy(` +@@ -446,8 +492,10 @@ optional_policy(` # Useradd local policy # @@ -3511,10 +3511,11 @@ index 1d732f1e7..121ace88e 100644 +allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot }; + +dontaudit useradd_t self:capability { net_admin sys_tty_config }; ++dontaudit useradd_t self:cap_userns { sys_ptrace }; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; allow useradd_t self:fd use; -@@ -461,6 +508,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; +@@ -461,6 +509,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; @@ -3525,7 +3526,7 @@ index 1d732f1e7..121ace88e 100644 # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -468,29 +519,28 @@ corecmd_exec_shell(useradd_t) +@@ -468,29 +520,28 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) 
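Review bot: The new `++dontaudit useradd_t self:cap_userns { sys_ptrace };` line in the usermanage.te hunk carries no comment, while the `allow useradd_t self:capability` line just above it already grants `sys_ptrace` in the init namespace, so a reader cannot tell why the user-namespace variant is silenced rather than allowed. The only trace of the reason is the changelog entry in the spec hunk, and that will not be visible to anyone reading usermanage.te later. I would keep it next to the rule: `# BZ(1480121): useradd trips cap_userns sys_ptrace; deny silently rather than grant it`. The enclosing "Useradd local policy" section continues outside this hunk.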
@@ -3565,7 +3566,7 @@ index 1d732f1e7..121ace88e 100644 auth_run_chk_passwd(useradd_t, useradd_roles) auth_rw_lastlog(useradd_t) -@@ -498,6 +548,7 @@ auth_rw_faillog(useradd_t) +@@ -498,6 +549,7 @@ auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) # these may be unnecessary due to the above # domtrans_chk_passwd() call. @@ -3573,7 +3574,7 @@ index 1d732f1e7..121ace88e 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -508,35 +559,38 @@ init_rw_utmp(useradd_t) +@@ -508,35 +560,38 @@ init_rw_utmp(useradd_t) logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) @@ -3623,7 +3624,7 @@ index 1d732f1e7..121ace88e 100644 ') optional_policy(` -@@ -545,14 +599,27 @@ optional_policy(` +@@ -545,14 +600,27 @@ optional_policy(` ') optional_policy(` @@ -3651,7 +3652,7 @@ index 1d732f1e7..121ace88e 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -562,3 +629,12 @@ optional_policy(` +@@ -562,3 +630,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -38740,7 +38741,7 @@ index 0d4c8d35e..537aa4274 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 312cd0417..102b975de 100644 +index 312cd0417..56961b493 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) 
@@ -38802,7 +38803,15 @@ index 312cd0417..102b975de 100644 manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) -@@ -110,10 +127,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) +@@ -101,6 +118,7 @@ manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) + files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file }) + + can_exec(ipsec_t, ipsec_mgmt_exec_t) ++can_exec(ipsec_t, ipsec_exec_t) + + # pluto runs an updown script (by calling popen()!) as this is by default + # a shell script, we need to find a way to make things work without +@@ -110,10 +128,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) allow ipsec_mgmt_t ipsec_t:fd use; allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; @@ -38815,7 +38824,7 @@ index 312cd0417..102b975de 100644 kernel_list_proc(ipsec_t) kernel_read_proc_symlinks(ipsec_t) # allow pluto to access /proc/net/ipsec_eroute; -@@ -128,20 +145,24 @@ corecmd_exec_shell(ipsec_t) +@@ -128,20 +146,24 @@ corecmd_exec_shell(ipsec_t) corecmd_exec_bin(ipsec_t) # Pluto needs network access @@ -38847,7 +38856,7 @@ index 312cd0417..102b975de 100644 dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) -@@ -157,22 +178,32 @@ files_dontaudit_search_home(ipsec_t) +@@ -157,22 +179,32 @@ files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) @@ -38882,7 +38891,7 @@ index 312cd0417..102b975de 100644 optional_policy(` seutil_sigchld_newrole(ipsec_t) -@@ -182,19 +213,30 @@ optional_policy(` +@@ -182,19 +214,30 @@ optional_policy(` udev_read_db(ipsec_t) ') 
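Review bot: `++can_exec(ipsec_t, ipsec_exec_t)` in the ipsec.te hunk lets the ipsec_t domain execute its own entry-point binary without a domain transition, and nothing on the line says which caller needs that (the changelog entry for it has no bug reference either). Sitting between `can_exec(ipsec_t, ipsec_mgmt_exec_t)` and the comment about pluto running its updown script through popen(), it is easy to misread as part of that workaround. I would add `# ipsec_t re-executes its own binary; keep it in ipsec_t instead of a transition` so the two can_exec lines are not conflated.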
@@ -38917,7 +38926,7 @@ index 312cd0417..102b975de 100644 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) -@@ -208,12 +250,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) +@@ -208,12 +251,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) @@ -38933,7 +38942,7 @@ index 312cd0417..102b975de 100644 # _realsetup needs to be able to cat /var/run/pluto.pid, # run ps on that pid, and delete the file -@@ -246,6 +290,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -246,6 +291,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -38950,7 +38959,7 @@ index 312cd0417..102b975de 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -255,6 +309,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -255,6 +310,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) @@ -38959,7 +38968,7 @@ index 312cd0417..102b975de 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -269,6 +325,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) +@@ -269,6 +326,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) files_read_etc_files(ipsec_mgmt_t) files_exec_etc_files(ipsec_mgmt_t) files_read_etc_runtime_files(ipsec_mgmt_t) @@ -38967,7 +38976,7 @@ index 312cd0417..102b975de 100644 files_read_usr_files(ipsec_mgmt_t) files_dontaudit_getattr_default_dirs(ipsec_mgmt_t) files_dontaudit_getattr_default_files(ipsec_mgmt_t) -@@ -278,9 +335,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -278,9 +336,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) 
@@ -38979,7 +38988,7 @@ index 312cd0417..102b975de 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -288,17 +346,28 @@ init_exec_script_files(ipsec_mgmt_t) +@@ -288,17 +347,28 @@ init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) @@ -39013,7 +39022,7 @@ index 312cd0417..102b975de 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -322,6 +391,10 @@ optional_policy(` +@@ -322,6 +392,10 @@ optional_policy(` ') optional_policy(` @@ -39024,7 +39033,7 @@ index 312cd0417..102b975de 100644 modutils_domtrans_insmod(ipsec_mgmt_t) ') -@@ -335,7 +408,7 @@ optional_policy(` +@@ -335,7 +409,7 @@ optional_policy(` # allow racoon_t self:capability { net_admin net_bind_service }; @@ -39033,7 +39042,7 @@ index 312cd0417..102b975de 100644 allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; -@@ -370,13 +443,12 @@ kernel_request_load_module(racoon_t) +@@ -370,13 +444,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) @@ -39053,7 +39062,7 @@ index 312cd0417..102b975de 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +473,10 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +474,10 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) @@ -39066,7 +39075,7 @@ index 312cd0417..102b975de 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +510,8 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +511,8 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -49031,10 +49040,10 @@ index 000000000..634d9596a +') 
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 000000000..35fc2b865 +index 000000000..e7c2cc70b --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,1020 @@ +@@ -0,0 +1,1021 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -49325,6 +49334,7 @@ index 000000000..35fc2b865 +optional_policy(` + dbus_connect_system_bus(systemd_logind_t) + dbus_system_bus_client(systemd_logind_t) ++ dbus_manage_session_tmp_dirs(systemd_logind_t) +') + +optional_policy(` diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 0a5c4e16..f1b26385 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -12512,7 +12512,7 @@ index 008f8ef26..144c0740a 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 550b287ce..80de6d3b7 100644 +index 550b287ce..c2433ff15 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,18 +18,26 @@ files_type(certmonger_var_lib_t) @@ -12611,7 +12611,7 @@ index 550b287ce..80de6d3b7 100644 ') optional_policy(` -@@ -92,11 +116,73 @@ optional_policy(` +@@ -92,11 +116,74 @@ optional_policy(` ') optional_policy(` @@ -12645,6 +12645,7 @@ index 550b287ce..80de6d3b7 100644 +optional_policy(` + pki_rw_tomcat_cert(certmonger_t) + pki_read_tomcat_lib_files(certmonger_t) ++ pki_tomcat_systemctl(certmonger_t) +') + +optional_policy(` @@ -22522,7 +22523,7 @@ index dda905b9c..558729530 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index 62d22cb46..77afd180d 100644 +index 62d22cb46..c0c2ed47d 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ 
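Review bot: `++ dbus_manage_session_tmp_dirs(systemd_logind_t)` in the systemd.te hunk grants directory permissions only (the interface body added in the dbus.if hunk is a single `manage_dirs_pattern`), so if logind also creates or removes files inside those session tmp dirs the denials will merely move from `dir` to `file`; worth checking against the original AVC before closing. A why-comment would also help, since the commit message only restates the rule itself: `# presumably session teardown of session_dbusd_tmp_t dirs; confirm against the AVC`. The enclosing optional_policy block is fully visible in the hunk.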
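Review bot: `++ pki_tomcat_systemctl(certmonger_t)` in the certmonger.te hunk gives certmonger `manage_service_perms` on `pki_tomcat_unit_file_t` (per the interface added in the pki.if hunk), i.e. the ability to start, stop and restart the pki-tomcat service, which is a much larger grant than the two pki read/rw rules it joins in this optional_policy block. The reason is not recorded anywhere in the patch or the changelog. I would add `# certmonger controls pki-tomcat through systemctl (presumably to restart it after renewing its certificates)`.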
@@ -22671,9 +22672,9 @@ index 62d22cb46..77afd180d 100644 - files_search_var_lib($1) read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + files_search_var_lib($1) - -+ dev_read_urand($1) + ++ dev_read_urand($1) + + # For connecting to the bus files_search_pids($1) stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) @@ -23383,7 +23384,7 @@ index 62d22cb46..77afd180d 100644 ## ## ## -@@ -597,28 +661,50 @@ interface(`dbus_use_system_bus_fds',` +@@ -597,28 +661,68 @@ interface(`dbus_use_system_bus_fds',` ## ## # @@ -23441,6 +23442,24 @@ index 62d22cb46..77afd180d 100644 - typeattribute $1 dbusd_unconfined; + allow $1 system_dbusd_t:dbus acquire_svc; + ++') ++ ++######################################## ++## ++## Manage session_dbusd tmp dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dbus_manage_session_tmp_dirs',` ++ gen_require(` ++ type session_dbusd_tmp_t; ++ ') ++ ++ manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t) ') diff --git a/dbus.te b/dbus.te index c9998c80d..d8ef03416 100644 @@ -24046,7 +24065,7 @@ index 5606b4069..cd18cf2a7 100644 domain_system_change_exemption($1) role_transition $2 ddclient_initrc_exec_t system_r; diff --git a/ddclient.te b/ddclient.te -index a4caa1b5b..42f30662d 100644 +index a4caa1b5b..f244f9a63 100644 --- a/ddclient.te +++ b/ddclient.te @@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t) @@ -24091,7 +24110,7 @@ index a4caa1b5b..42f30662d 100644 fs_getattr_all_fs(ddclient_t) fs_search_auto_mountpoints(ddclient_t) -+auth_read_passwd(ddclient_t) ++auth_use_nsswitch(ddclient_t) + logging_send_syslog_msg(ddclient_t) @@ -25752,10 +25771,10 @@ index 000000000..b3784d85d +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 000000000..cb6af79d7 +index 000000000..22cafcd43 --- /dev/null +++ b/dirsrv.te -@@ -0,0 +1,205 @@ +@@ -0,0 +1,207 @@ +policy_module(dirsrv,1.0.0) + +######################################## 
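Review bot: The new `dbus_manage_session_tmp_dirs` interface in the dbus.if hunk calls only `manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)` with no search permission on the parent directory, unlike the tmp interfaces elsewhere in this patch (`rpm_manage_script_tmp_files` in the rpm.if hunk starts with `files_search_tmp($1)`). If session_dbusd_tmp_t directories live under a generic tmp directory, a caller that does not already search tmp will be denied before it reaches them; I would add `files_search_tmp($1)` before the pattern call. The summary could also name the type: `## Create, read, write, and delete session_dbusd_tmp_t directories.`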
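Review bot: Replacing `auth_read_passwd(ddclient_t)` with `auth_use_nsswitch(ddclient_t)` in the ddclient.te hunk widens the grant from reading the passwd file to the whole nsswitch set (which, depending on the optional blocks inside that interface, can include talking to nscd, sssd and directory services); the same substitution is made for `pki_tomcat_t` in the pki.te hunk. That may be exactly what BZ(1456241) needs, but the bug id is only in the changelog, so keep it with the rule: `# BZ(1456241): user lookups go through nsswitch, not just /etc/passwd`.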
@@ -25818,11 +25837,13 @@ index 000000000..cb6af79d7 +manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t) +manage_lnk_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t) +fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, { dir file }) ++allow dirsrv_t dirsrv_tmpfs_t:file map; + +manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) +manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) +manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) +files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file }) ++allow dirsrv_t dirsrv_var_lib_t:file map; + +manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) +manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) @@ -72978,10 +72999,10 @@ index 000000000..47cd0f8ba +/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0) diff --git a/pki.if b/pki.if new file mode 100644 -index 000000000..f18fcc68f +index 000000000..f69ae0298 --- /dev/null +++ b/pki.if -@@ -0,0 +1,479 @@ +@@ -0,0 +1,503 @@ + +## policy for pki + @@ -73461,9 +73482,33 @@ index 000000000..f18fcc68f + files_search_pids($1) + stream_connect_pattern($1, pki_common_t, pki_common_t, pki_tomcat_t) +') ++ ++######################################## ++## ++## Execute pki in the pkit_tomcat_t domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`pki_tomcat_systemctl',` ++ gen_require(` ++ type pki_tomcat_t; ++ type pki_tomcat_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 pki_tomcat_unit_file_t:file read_file_perms; ++ allow $1 pki_tomcat_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, pki_tomcat_t) ++') diff --git a/pki.te b/pki.te new file mode 100644 -index 000000000..cde75a219 +index 000000000..9c27847b2 --- /dev/null +++ b/pki.te @@ -0,0 +1,285 @@ 
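Review bot: The two raw `map` rules added in the dirsrv.te hunk (`++allow dirsrv_t dirsrv_tmpfs_t:file map;` and `++allow dirsrv_t dirsrv_var_lib_t:file map;`) follow the pattern calls with no explanation, and because `map` is not part of what `manage_files_pattern` grants, a later cleanup could easily drop them as redundant. A one-line comment at the first of them would prevent that: `# file:map is checked on mmap(); manage_files_pattern does not include it`.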
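Review bot: The header of the new `pki_tomcat_systemctl` interface in the pki.if hunk does not match its body: it says "Execute pki in the pkit_tomcat_t domain" and "Domain allowed to transition", yet no domain transition is granted — the body gives `systemd_exec_systemctl`, `read_file_perms` and `manage_service_perms` on `pki_tomcat_unit_file_t`, and `ps_process_pattern` on `pki_tomcat_t`, i.e. control of the pki-tomcat service. Since `manage_service_perms` lets the caller start and stop the service, the summary should say so: `## Allow the caller to start, stop and manage the pki-tomcat service unit via systemctl.` with the parameter described as `## Domain allowed access.`. The `pkit_tomcat_t` spelling also looks like a typo for pki_tomcat_t.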
@@ -73579,7 +73624,7 @@ index 000000000..cde75a219 +can_exec(pki_tomcat_t, pki_common_t) +init_stream_connect_script(pki_tomcat_t) + -+auth_read_passwd(pki_tomcat_t) ++auth_use_nsswitch(pki_tomcat_t) + +search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t) + @@ -93545,7 +93590,7 @@ index ebe91fc70..6ba4338cb 100644 +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ') diff --git a/rpm.if b/rpm.if -index ef3b22507..d2b4c1697 100644 +index ef3b22507..79518530e 100644 --- a/rpm.if +++ b/rpm.if @@ -1,8 +1,8 @@ @@ -93646,16 +93691,34 @@ index ef3b22507..d2b4c1697 100644 ## ## ## -@@ -109,7 +116,7 @@ interface(`rpm_exec',` +@@ -109,7 +116,25 @@ interface(`rpm_exec',` ######################################## ## -## Send null signals to rpm. ++## Do not audit to execute a rpm. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`rpm_dontaudit_exec',` ++ gen_require(` ++ type rpm_exec_t; ++ ') ++ ++ dontaudit $1 rpm_exec_t:file exec_file_perms; ++') ++ ++######################################## ++## +## Send a null signal to rpm. ## ## ## -@@ -127,7 +134,7 @@ interface(`rpm_signull',` +@@ -127,7 +152,7 @@ interface(`rpm_signull',` ######################################## ## @@ -93664,7 +93727,7 @@ index ef3b22507..d2b4c1697 100644 ## ## ## -@@ -145,7 +152,7 @@ interface(`rpm_use_fds',` +@@ -145,7 +170,7 @@ interface(`rpm_use_fds',` ######################################## ## @@ -93673,7 +93736,7 @@ index ef3b22507..d2b4c1697 100644 ## ## ## -@@ -163,7 +170,7 @@ interface(`rpm_read_pipes',` +@@ -163,7 +188,7 @@ interface(`rpm_read_pipes',` ######################################## ## @@ -93682,7 +93745,7 @@ index ef3b22507..d2b4c1697 100644 ## ## ## -@@ -181,6 +188,60 @@ interface(`rpm_rw_pipes',` +@@ -181,6 +206,60 @@ interface(`rpm_rw_pipes',` ######################################## ## 
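Review bot: The summary of the new `rpm_dontaudit_exec` interface in the rpm.if hunk reads "Do not audit to execute a rpm.", which is ungrammatical and does not say that execution remains denied; refpolicy dontaudit interfaces conventionally use the "Do not audit attempts to …" form. I would write `## Do not audit attempts to execute rpm (execution is still denied).`. The only caller added in this patch is `targetd_t` in the targetd.te hunk; if targetd genuinely needs to run rpm, a dontaudit hides the failure rather than fixing it, so it is worth confirming the denial was noise.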
@@ -93743,7 +93806,7 @@ index ef3b22507..d2b4c1697 100644 ## Send and receive messages from ## rpm over dbus. ## -@@ -224,7 +285,7 @@ interface(`rpm_dontaudit_dbus_chat',` +@@ -224,7 +303,7 @@ interface(`rpm_dontaudit_dbus_chat',` ######################################## ## ## Send and receive messages from @@ -93752,7 +93815,7 @@ index ef3b22507..d2b4c1697 100644 ## ## ## -@@ -244,7 +305,7 @@ interface(`rpm_script_dbus_chat',` +@@ -244,7 +323,7 @@ interface(`rpm_script_dbus_chat',` ######################################## ## @@ -93761,7 +93824,7 @@ index ef3b22507..d2b4c1697 100644 ## ## ## -@@ -263,7 +324,8 @@ interface(`rpm_search_log',` +@@ -263,7 +342,8 @@ interface(`rpm_search_log',` ##################################### ## @@ -93771,19 +93834,17 @@ index ef3b22507..d2b4c1697 100644 ## ## ## -@@ -276,14 +338,30 @@ interface(`rpm_append_log',` +@@ -276,14 +356,30 @@ interface(`rpm_append_log',` type rpm_log_t; ') - logging_search_logs($1) - append_files_pattern($1, rpm_log_t, rpm_log_t) + allow $1 rpm_log_t:file append_inherited_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete --## rpm log files. ++') ++ ++######################################## ++## +## Create, read, write, and delete the RPM log. +## +## @@ -93798,15 +93859,17 @@ index ef3b22507..d2b4c1697 100644 + ') + + read_files_pattern($1, rpm_log_t, rpm_log_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## rpm log files. +## Create, read, write, and delete the RPM log. ## ## ## -@@ -302,7 +380,32 @@ interface(`rpm_manage_log',` +@@ -302,7 +398,32 @@ interface(`rpm_manage_log',` ######################################## ## @@ -93840,7 +93903,7 @@ index ef3b22507..d2b4c1697 100644 ## ## ## -@@ -320,8 +423,8 @@ interface(`rpm_use_script_fds',` +@@ -320,8 +441,8 @@ interface(`rpm_use_script_fds',` ######################################## ## 
@@ -93851,7 +93914,7 @@ index ef3b22507..d2b4c1697 100644 ## ## ## -@@ -335,12 +438,15 @@ interface(`rpm_manage_script_tmp_files',` +@@ -335,12 +456,15 @@ interface(`rpm_manage_script_tmp_files',` ') files_search_tmp($1) @@ -93868,7 +93931,7 @@ index ef3b22507..d2b4c1697 100644 ## ## ## -@@ -353,14 +459,13 @@ interface(`rpm_append_tmp_files',` +@@ -353,14 +477,13 @@ interface(`rpm_append_tmp_files',` type rpm_tmp_t; ') @@ -93886,7 +93949,7 @@ index ef3b22507..d2b4c1697 100644 ## ## ## -@@ -374,12 +479,34 @@ interface(`rpm_manage_tmp_files',` +@@ -374,12 +497,34 @@ interface(`rpm_manage_tmp_files',` ') files_search_tmp($1) @@ -93922,7 +93985,7 @@ index ef3b22507..d2b4c1697 100644 ## ## ## -@@ -399,7 +526,7 @@ interface(`rpm_read_script_tmp_files',` +@@ -399,7 +544,7 @@ interface(`rpm_read_script_tmp_files',` ######################################## ## @@ -93931,7 +93994,7 @@ index ef3b22507..d2b4c1697 100644 ## ## ## -@@ -420,8 +547,7 @@ interface(`rpm_read_cache',` +@@ -420,8 +565,7 @@ interface(`rpm_read_cache',` ######################################## ## @@ -93941,7 +94004,7 @@ index ef3b22507..d2b4c1697 100644 ## ## ## -@@ -442,7 +568,7 @@ interface(`rpm_manage_cache',` +@@ -442,7 +586,7 @@ interface(`rpm_manage_cache',` ######################################## ## @@ -93950,7 +94013,7 @@ index ef3b22507..d2b4c1697 100644 ## ## ## -@@ -459,11 +585,13 @@ interface(`rpm_read_db',` +@@ -459,11 +603,13 @@ interface(`rpm_read_db',` allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -93965,7 +94028,7 @@ index ef3b22507..d2b4c1697 100644 ## ## ## -@@ -482,8 +610,7 @@ interface(`rpm_delete_db',` +@@ -482,8 +628,7 @@ interface(`rpm_delete_db',` ######################################## ## 
@@ -93975,7 +94038,7 @@ index ef3b22507..d2b4c1697 100644 ## ## ## -@@ -499,12 +626,33 @@ interface(`rpm_manage_db',` +@@ -499,12 +644,33 @@ interface(`rpm_manage_db',` files_search_var_lib($1) manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -94010,7 +94073,7 @@ index ef3b22507..d2b4c1697 100644 ## ## ## -@@ -517,9 +665,10 @@ interface(`rpm_dontaudit_manage_db',` +@@ -517,9 +683,10 @@ interface(`rpm_dontaudit_manage_db',` type rpm_var_lib_t; ') @@ -94022,7 +94085,7 @@ index ef3b22507..d2b4c1697 100644 ') ##################################### -@@ -543,8 +692,7 @@ interface(`rpm_read_pid_files',` +@@ -543,8 +710,7 @@ interface(`rpm_read_pid_files',` ##################################### ## @@ -94032,7 +94095,7 @@ index ef3b22507..d2b4c1697 100644 ## ## ## -@@ -563,8 +711,7 @@ interface(`rpm_manage_pid_files',` +@@ -563,8 +729,7 @@ interface(`rpm_manage_pid_files',` ###################################### ## @@ -94042,7 +94105,7 @@ index ef3b22507..d2b4c1697 100644 ## ## ## -@@ -573,43 +720,54 @@ interface(`rpm_manage_pid_files',` +@@ -573,43 +738,54 @@ interface(`rpm_manage_pid_files',` ## # interface(`rpm_pid_filetrans',` @@ -94114,7 +94177,7 @@ index ef3b22507..d2b4c1697 100644 ## ## ## -@@ -617,22 +775,57 @@ interface(`rpm_pid_filetrans_rpm_pid',` +@@ -617,22 +793,57 @@ interface(`rpm_pid_filetrans_rpm_pid',` ## ## ## @@ -94183,7 +94246,7 @@ index ef3b22507..d2b4c1697 100644 init_labeled_script_domtrans($1, rpm_initrc_exec_t) domain_system_change_exemption($1) -@@ -641,9 +834,6 @@ interface(`rpm_admin',` +@@ -641,9 +852,6 @@ interface(`rpm_admin',` admin_pattern($1, rpm_file_t) @@ -108617,10 +108680,10 @@ index 000000000..a6e216c73 + diff --git a/targetd.te b/targetd.te new file mode 100644 -index 000000000..681ec9f67 +index 000000000..acdccbb18 --- /dev/null +++ b/targetd.te -@@ -0,0 +1,101 @@ +@@ -0,0 +1,109 @@ +policy_module(targetd, 1.0.0) + +######################################## 
@@ -108638,6 +108701,9 @@ index 000000000..681ec9f67 +type targetd_unit_file_t; +systemd_unit_file(targetd_unit_file_t) + ++type targetd_tmp_t; ++files_tmp_file(targetd_tmp_t) ++ +######################################## +# +# targetd local policy @@ -108655,6 +108721,10 @@ index 000000000..681ec9f67 +manage_files_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t) +files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file }) + ++manage_dirs_pattern(targetd_t, targetd_tmp_t, targetd_tmp_t) ++manage_files_pattern(targetd_t, targetd_tmp_t, targetd_tmp_t) ++files_tmp_filetrans(targetd_t, targetd_tmp_t, { file dir }) ++ +files_rw_isid_type_dirs(targetd_t) + +fs_getattr_xattr_fs(targetd_t) @@ -108716,6 +108786,7 @@ index 000000000..681ec9f67 + +optional_policy(` + rpm_dontaudit_read_db(targetd_t) ++ rpm_dontaudit_exec(targetd_t) +') + +optional_policy(` @@ -110838,10 +110909,10 @@ index 000000000..9524b50aa +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 000000000..d366c8b37 +index 000000000..2b15dca23 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,168 @@ +@@ -0,0 +1,172 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -111010,6 +111081,10 @@ index 000000000..d366c8b37 + corenet_dontaudit_udp_bind_all_ports(thumb_t) + corenet_dontaudit_udp_bind_generic_node(thumb_t) +') ++ ++optional_policy(` ++ storage_getattr_fixed_disk_dev(thumb_t) ++') diff --git a/thunderbird.te b/thunderbird.te index 5e867da56..b25ea6e08 100644 --- a/thunderbird.te diff --git a/selinux-policy.spec b/selinux-policy.spec index dfdb9a19..aa074f6f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 277%{?dist} +Release: 278%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
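Review bot: The new `files_tmp_filetrans(targetd_t, targetd_tmp_t, { file dir })` in the `@@ -108655,6 +108721,10 @@` hunk of targetd.te writes the class set as `{ file dir }` while the `files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file })` line two lines above writes `{ dir file }`; `files_tmp_filetrans(targetd_t, targetd_tmp_t, { dir file })` keeps the file consistent with itself. The changelog entry added to selinux-policy.spec in this same commit does not mention targetd at all, although the commit introduces `targetd_tmp_t` (hunk `@@ -108638,6 +108701,9 @@`), the tmp management rules here and `rpm_dontaudit_exec(targetd_t)` (hunk `@@ -108716,6 +108786,7 @@`); a line such as `- Allow targetd_t to manage its own tmp files; dontaudit targetd_t exec of rpm` would record those changes where the other rule additions are listed. The targetd local policy block these hunks patch starts and ends outside the hunks.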
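Review bot: `rpm_dontaudit_exec(targetd_t)` in the `@@ -108716,6 +108786,7 @@` hunk of targetd.te hides a denial rather than granting access, and nothing in the hunk records why targetd ends up trying to execute rpm, so a later reader cannot judge whether the dontaudit is still wanted or whether the denial should instead be surfaced; a comment such as `# targetd probes rpm; suppress the exec denial instead of allowing it (<bug id>)` above the call would keep that decision auditable. The interface itself is not defined in the rpm.if hunks visible in this patch (those only shift line offsets by 18), so it presumably comes from the earlier part of the same patch — worth confirming that definition is present so the contrib patch still builds.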
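Review bot: The `optional_policy` wrapper around `storage_getattr_fixed_disk_dev(thumb_t)` in the `@@ -111010,6 +111081,10 @@` hunk of thumb.te appears unnecessary: in refpolicy the storage module is part of the kernel layer and always present, so the bare call `storage_getattr_fixed_disk_dev(thumb_t)` is the usual form and the wrapper only adds noise. The rule grants getattr on fixed-disk device nodes, i.e. the thumbnailer gains stat() metadata but no read of block contents, which is a narrow and reasonable grant; a comment tying it to the bug cited in the changelog, `# stat() of fixed disk device nodes, BZ 1379137`, would record why a thumbnailer needs it. The only other edits to this file section are the index hash and the line count in the `@@ -0,0` header.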
@@ -681,6 +681,15 @@ exit 0 %endif %changelog +* Thu Aug 31 2017 Lukas Vrabec - 3.13.1-278 +- Add couple rules related to map permissions +- Allow ddclient use nsswitch BZ(1456241) +- Allow thumb_t domain getattr fixed_disk device. BZ(1379137) +- Add interface dbus_manage_session_tmp_dirs() +- Dontaudit useradd_t sys_ptrace BZ(1480121) +- Allow ipsec_t can exec ipsec_exec_t +- Allow systemd_logind_t to mamange session_dbusd_tmp_t dirs + * Mon Aug 28 2017 Lukas Vrabec - 3.13.1-277 - Allow cupsd_t to execute ld_so_cache - Add cgroup_seclabel policycap.
