diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index 646691b6..c8c502ac 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -2460,3 +2460,17 @@ gear = module
# naemon policy
#
naemon = module
+
+# Layer: contrib
+# Module: brltty
+#
+# brltty policy
+#
+brltty = module
+
+# Layer: contrib
+# Module: cpuplug
+#
+# cpuplug policy
+#
+cpuplug = module
diff --git a/permissivedomains.pp b/permissivedomains.pp
index a03fff4f..f06a07b3 100644
Binary files a/permissivedomains.pp and b/permissivedomains.pp differ
diff --git a/permissivedomains.te b/permissivedomains.te
index 1db0deac..32d5d868 100644
--- a/permissivedomains.te
+++ b/permissivedomains.te
@@ -55,3 +55,17 @@ optional_policy(`
')
permissive naemon_t;
')
+
+optional_policy(`
+ gen_require(`
+ type brltty_t;
+ ')
+ permissive brltty_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type cpuplug_t;
+ ')
+ permissive cpuplug_t;
+')
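Review bot: `permissive brltty_t;` switches off enforcement for the new domain, so the sys_admin capability, the insmod transition and the unallocated-tty access declared in brltty.te are never actually checked on these builds — denials are only logged — and the same holds for `permissive cpuplug_t;`. Shipping a new module permissive is the normal practice, but nothing here records when the entry should be removed, and permissive entries have a habit of surviving release. I would put `# TODO: drop once the brltty_t policy has been validated against real denials` above the first block and the equivalent line above the cpuplug block. The optional_policy/gen_require wrappers themselves are correct.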
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 24cc48b9..c4b22b1f 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5466,7 +5466,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..6b99aea 100644
+index b191055..57afd42 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5540,7 +5540,7 @@ index b191055..6b99aea 100644
# reserved_port_t is the type of INET port numbers below 1024.
#
type reserved_port_t, port_type, reserved_port_type;
-@@ -84,55 +107,68 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
+@@ -84,55 +107,69 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
@@ -5557,6 +5557,7 @@ index b191055..6b99aea 100644
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
network_port(boinc, tcp,31416,s0)
network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
++network_port(brlp, tcp,4101,s0)
network_port(biff) # no defined portcon
network_port(certmaster, tcp,51235,s0)
+network_port(collectd, udp,25826,s0)
@@ -5617,7 +5618,7 @@ index b191055..6b99aea 100644
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +176,54 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +177,54 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5686,7 +5687,7 @@ index b191055..6b99aea 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,26 +231,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,26 +232,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5727,7 +5728,7 @@ index b191055..6b99aea 100644
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
network_port(postgresql, tcp,5432,s0)
-@@ -213,68 +268,79 @@ network_port(postgrey, tcp,60000,s0)
+@@ -213,68 +269,79 @@ network_port(postgrey, tcp,60000,s0)
network_port(pptp, tcp,1723,s0, udp,1723,s0)
network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
@@ -5739,9 +5740,11 @@ index b191055..6b99aea 100644
network_port(puppet, tcp, 8140, s0)
network_port(pxe, udp,4011,s0)
network_port(pyzor, udp,24441,s0)
+-network_port(radacct, udp,1646,s0, udp,1813,s0)
+-network_port(radius, udp,1645,s0, udp,1812,s0)
+network_port(neutron, tcp, 8775, s0, tcp,9696,s0, tcp,9697,s0)
- network_port(radacct, udp,1646,s0, udp,1813,s0)
- network_port(radius, udp,1645,s0, udp,1812,s0)
++network_port(radacct, udp,1646,s0, tcp,1646,s0, tcp,1813,s0, udp,1813,s0)
++network_port(radius, udp,1645,s0, tcp,1645,s0, tcp,1812,s0, udp,1812,s0)
network_port(radsec, tcp,2083,s0)
network_port(razor, tcp,2703,s0)
+network_port(time, tcp,37,s0, udp,37,s0)
@@ -5818,7 +5821,7 @@ index b191055..6b99aea 100644
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -288,19 +354,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +355,23 @@ network_port(zabbix_agent, tcp,10050,s0)
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
@@ -5845,7 +5848,7 @@ index b191055..6b99aea 100644
########################################
#
-@@ -333,6 +403,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +404,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5854,7 +5857,7 @@ index b191055..6b99aea 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
-@@ -345,9 +417,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +418,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -6019,7 +6022,7 @@ index b31c054..5e37a40 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..a3c0103 100644
+index 76f285e..03d4787 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -7297,6 +7300,15 @@ index 76f285e..a3c0103 100644
## Getattr generic the USB devices.
##
##
+@@ -4123,7 +4766,7 @@ interface(`dev_write_urand',`
+ #
+ interface(`dev_getattr_generic_usb_dev',`
+ gen_require(`
+- type usb_device_t;
++ type usb_device_t,device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, usb_device_t)
@@ -4409,9 +5052,9 @@ interface(`dev_rw_usbfs',`
read_lnk_files_pattern($1, usbfs_t, usbfs_t)
')
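Review bot: Adding `device_t` to the gen_require is a genuine fix — `getattr_chr_files_pattern($1, device_t, usb_device_t)` references device_t, which the interface never required — but `type usb_device_t,device_t;` drops the space that the rest of this file puts between required names; write `type usb_device_t, device_t;`. The remainder of `dev_getattr_generic_usb_dev` continues outside this hunk.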
@@ -8827,7 +8839,7 @@ index 6a1e4d1..1b9b0b5 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..8fd98fc 100644
+index cf04cb5..16c88de 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -8926,7 +8938,7 @@ index cf04cb5..8fd98fc 100644
ifdef(`hide_broken_symptoms',`
# This check is in the general socket
-@@ -121,8 +173,18 @@ tunable_policy(`global_ssp',`
+@@ -121,8 +173,19 @@ tunable_policy(`global_ssp',`
')
optional_policy(`
@@ -8942,10 +8954,11 @@ index cf04cb5..8fd98fc 100644
+optional_policy(`
+ miscfiles_read_localization(domain)
+ miscfiles_read_man_pages(domain)
++ miscfiles_read_fonts(domain)
')
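Review bot: `miscfiles_read_fonts(domain)` grants the `domain` attribute — every process type on the system — read access to font files, inside the same optional_policy block as localization and man pages. Fonts are world-readable data so the direct exposure is small, but a blanket grant removes the per-domain audit signal and makes it impossible to tell later which daemons really open fonts_t. I would add a one-line reason above it, e.g. `# fontconfig is pulled in by many libraries; presumably cheaper than per-domain font rules`, or limit the rule to the domains that were producing denials. The enclosing optional_policy block opens outside this hunk.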
optional_policy(`
-@@ -133,6 +195,9 @@ optional_policy(`
+@@ -133,6 +196,9 @@ optional_policy(`
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
@@ -8955,7 +8968,7 @@ index cf04cb5..8fd98fc 100644
')
########################################
-@@ -147,12 +212,18 @@ optional_policy(`
+@@ -147,12 +213,18 @@ optional_policy(`
# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
@@ -8975,7 +8988,7 @@ index cf04cb5..8fd98fc 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +237,348 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +238,348 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -29122,7 +29135,7 @@ index bc0ffc8..7198bd9 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..c4546e2 100644
+index 79a45f6..f142c45 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@@ -30144,7 +30157,7 @@ index 79a45f6..c4546e2 100644
########################################
##
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1840,3 +2380,470 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1840,3 +2380,473 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -30608,12 +30621,15 @@ index 79a45f6..c4546e2 100644
+ type initrc_var_run_t;
+ type machineid_t;
+ type initctl_t;
++ type systemd_unit_file_t;
+ ')
+
+ files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
+ files_pid_filetrans($1, init_var_run_t, file, "random-seed")
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+ files_pid_filetrans($1, initctl_t, fifo_file, "fifo" )
++ init_pid_filetrans($1, systemd_unit_file_t, dir, "generator")
++ init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
+')
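Review bot: The two added `init_pid_filetrans($1, systemd_unit_file_t, dir, ...)` rules let the calling domain create `/run/systemd/generator` and `/run/systemd/system` already labelled as unit files, and systemd loads transient units from exactly those directories, so whichever domain receives this interface must be trusted to define services. The interface's name and its callers are outside this hunk, so I cannot confirm $1 is only init/generator domains rather than a broad attribute; please check that. A comment such as `# only for init and generator domains: systemd reads transient units from these dirs` above the two lines would make the intent explicit. Note the filetrans does not grant `create` on the parent `init_var_run_t` directory by itself — that must already be in the caller's policy.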
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 17eda24..dd417eb 100644
@@ -32270,7 +32286,7 @@ index 0d4c8d3..e6ffda3 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 312cd04..3c62b4c 100644
+index 312cd04..efe343f 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -32455,7 +32471,15 @@ index 312cd04..3c62b4c 100644
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
-@@ -278,9 +314,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -269,6 +305,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+ files_read_etc_files(ipsec_mgmt_t)
+ files_exec_etc_files(ipsec_mgmt_t)
+ files_read_etc_runtime_files(ipsec_mgmt_t)
++files_list_kernel_modules(ipsec_mgmt_t)
+ files_read_usr_files(ipsec_mgmt_t)
+ files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
+ files_dontaudit_getattr_default_files(ipsec_mgmt_t)
+@@ -278,9 +315,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@@ -32467,7 +32491,7 @@ index 312cd04..3c62b4c 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
-@@ -288,17 +325,23 @@ init_exec_script_files(ipsec_mgmt_t)
+@@ -288,17 +326,23 @@ init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
@@ -32496,7 +32520,7 @@ index 312cd04..3c62b4c 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +365,10 @@ optional_policy(`
+@@ -322,6 +366,10 @@ optional_policy(`
')
optional_policy(`
@@ -32507,7 +32531,7 @@ index 312cd04..3c62b4c 100644
modutils_domtrans_insmod(ipsec_mgmt_t)
')
-@@ -335,7 +382,7 @@ optional_policy(`
+@@ -335,7 +383,7 @@ optional_policy(`
#
allow racoon_t self:capability { net_admin net_bind_service };
@@ -32516,7 +32540,7 @@ index 312cd04..3c62b4c 100644
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +417,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +418,12 @@ kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
@@ -32536,7 +32560,7 @@ index 312cd04..3c62b4c 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -401,10 +447,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +448,10 @@ locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t)
@@ -32549,7 +32573,7 @@ index 312cd04..3c62b4c 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +484,8 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +485,8 @@ corenet_setcontext_all_spds(setkey_t)
locallogin_use_fds(setkey_t)
@@ -43068,7 +43092,7 @@ index db75976..1ee08ec 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..3104d12 100644
+index 9dc60c6..d04015e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -45700,15 +45724,35 @@ index 9dc60c6..3104d12 100644
##
##
##
-@@ -2692,19 +3517,43 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3517,13 @@ interface(`userdom_read_user_tmpfs_files',`
##
#
interface(`userdom_rw_user_tmpfs_files',`
- gen_require(`
- type user_tmpfs_t;
- ')
+-
+- rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+- read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+- allow $1 user_tmpfs_t:dir list_dir_perms;
+- fs_search_tmpfs($1)
+ refpolicywarn(`$0($*) has been deprecated, use userdom_rw_user_tmp_files() instead.')
+ userdom_rw_user_tmp_files($1)
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete user tmpfs files.
++## Manage user tmpfs files.
+ ##
+ ##
+ ##
+@@ -2713,13 +3532,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+ ##
+ #
+ interface(`userdom_manage_user_tmpfs_files',`
++ refpolicywarn(`$0($*) has been deprecated, use userdom_manage_user_tmp_files() instead.')
++ userdom_manage_user_tmp_files($1)
+')
+
+########################################
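Review bot: `userdom_manage_user_tmpfs_files()` is turned into a shim that calls `userdom_manage_user_tmp_files($1)`, so callers that previously received manage access to user_tmpfs_t now receive it on user_tmp_t instead; unless user_tmpfs_t is made a typealias of user_tmp_t somewhere else in this patch (not visible here), every existing caller silently gains access to a different type behind a deprecation warning. If the alias does exist, a comment above the refpolicywarn such as `# user_tmpfs_t is now an alias of user_tmp_t; kept as a shim for old callers` would spare the next reader the search. The deprecation message for the rw variant writes the replacement as `userdom_rw_user_tmp_files()` while the other shims in this area omit the parentheses — harmless, but worth making uniform.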
@@ -45725,11 +45769,7 @@ index 9dc60c6..3104d12 100644
+ refpolicywarn(`$0($*) has been deprecated, use userdom_rw_inherited_user_tmp_files instead.')
+ userdom_rw_inherited_user_tmp_files($1)
+')
-
-- rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-- read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-- allow $1 user_tmpfs_t:dir list_dir_perms;
-- fs_search_tmpfs($1)
++
+########################################
+##
+## Execute user tmpfs files.
@@ -45743,20 +45783,18 @@ index 9dc60c6..3104d12 100644
+interface(`userdom_execute_user_tmpfs_files',`
+ refpolicywarn(`$0($*) has been deprecated, use userdom_execute_user_tmp_files instead.')
+ userdom_execute_user_tmp_files($1)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete user tmpfs files.
++')
++
++########################################
++##
+## Execute user tmpfs files.
- ##
- ##
- ##
-@@ -2712,14 +3561,12 @@ interface(`userdom_rw_user_tmpfs_files',`
- ##
- ##
- #
--interface(`userdom_manage_user_tmpfs_files',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`userdom_execute_user_tmp_files',`
gen_require(`
- type user_tmpfs_t;
@@ -45770,7 +45808,7 @@ index 9dc60c6..3104d12 100644
')
########################################
-@@ -2814,6 +3661,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3676,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -45795,7 +45833,7 @@ index 9dc60c6..3104d12 100644
## Read and write a user domain pty.
##
##
-@@ -2832,22 +3697,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3712,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -45838,7 +45876,7 @@ index 9dc60c6..3104d12 100644
##
##
##
-@@ -2856,14 +3733,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3748,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -45876,7 +45914,7 @@ index 9dc60c6..3104d12 100644
')
########################################
-@@ -2882,8 +3778,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3793,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -45906,7 +45944,7 @@ index 9dc60c6..3104d12 100644
')
########################################
-@@ -2955,69 +3870,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,69 +3885,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -46007,7 +46045,7 @@ index 9dc60c6..3104d12 100644
##
##
##
-@@ -3025,12 +3939,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,12 +3954,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
##
##
#
@@ -46022,7 +46060,7 @@ index 9dc60c6..3104d12 100644
')
########################################
-@@ -3094,7 +4008,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4023,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -46031,7 +46069,7 @@ index 9dc60c6..3104d12 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3110,29 +4024,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4039,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -46065,7 +46103,7 @@ index 9dc60c6..3104d12 100644
')
########################################
-@@ -3214,7 +4112,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4127,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -46092,7 +46130,7 @@ index 9dc60c6..3104d12 100644
')
########################################
-@@ -3269,12 +4185,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4200,13 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -46108,7 +46146,7 @@ index 9dc60c6..3104d12 100644
##
##
##
-@@ -3282,54 +4199,56 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,46 +4214,122 @@ interface(`userdom_write_user_tmp_files',`
##
##
#
@@ -46166,54 +46204,45 @@ index 9dc60c6..3104d12 100644
gen_require(`
- attribute userdomain;
+ type user_tmp_t;
- ')
-
-- allow $1 userdomain:process getattr;
++ ')
++
+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
- ##
--## Inherit the file descriptors from all user domains
++')
++
++########################################
++##
+## Allow domain to read/write inherited users
+## fifo files.
- ##
- ##
- ##
-@@ -3337,18 +4256,17 @@ interface(`userdom_getattr_all_users',`
- ##
- ##
- #
--interface(`userdom_use_all_users_fds',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`userdom_rw_inherited_user_pipes',`
- gen_require(`
- attribute userdomain;
- ')
-
-- allow $1 userdomain:fd use;
++ gen_require(`
++ attribute userdomain;
++ ')
++
+ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to inherit the file
--## descriptors from any user domains.
++')
++
++########################################
++##
+## Do not audit attempts to use user ttys.
- ##
- ##
- ##
-@@ -3356,12 +4274,87 @@ interface(`userdom_use_all_users_fds',`
- ##
- ##
- #
--interface(`userdom_dontaudit_use_all_users_fds',`
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`userdom_dontaudit_use_user_ttys',`
- gen_require(`
-- attribute userdomain;
++ gen_require(`
+ type user_tty_device_t;
- ')
-
-- dontaudit $1 userdomain:fd use;
++ ')
++
+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
+')
+
@@ -46250,50 +46279,10 @@ index 9dc60c6..3104d12 100644
+interface(`userdom_getattr_all_users',`
+ gen_require(`
+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:process getattr;
-+')
-+
-+########################################
-+##
-+## Inherit the file descriptors from all user domains
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_use_all_users_fds',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:fd use;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to inherit the file
-+## descriptors from any user domains.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_use_all_users_fds',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ dontaudit $1 userdomain:fd use;
- ')
+ ')
- ########################################
-@@ -3382,6 +4375,42 @@ interface(`userdom_signal_all_users',`
+ allow $1 userdomain:process getattr;
+@@ -3382,6 +4390,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -46336,7 +46325,7 @@ index 9dc60c6..3104d12 100644
########################################
##
## Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4431,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4446,60 @@ interface(`userdom_sigchld_all_users',`
########################################
##
@@ -46397,7 +46386,7 @@ index 9dc60c6..3104d12 100644
## Create keys for all user domains.
##
##
-@@ -3435,4 +4518,1686 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4533,1686 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 5a3fddc1..8299b969 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -538,7 +538,7 @@ index 058d908..2f6c3a9 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index eb50f07..0a78b7e 100644
+index eb50f07..95bf222 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -686,7 +686,7 @@ index eb50f07..0a78b7e 100644
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
-@@ -125,41 +135,47 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+@@ -125,48 +135,54 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -740,6 +740,14 @@ index eb50f07..0a78b7e 100644
dev_getattr_all_chr_files(abrt_t)
dev_getattr_all_blk_files(abrt_t)
+ dev_read_rand(abrt_t)
+ dev_read_urand(abrt_t)
+ dev_rw_sysfs(abrt_t)
+-dev_dontaudit_read_raw_memory(abrt_t)
++dev_read_raw_memory(abrt_t)
+
+ domain_getattr_all_domains(abrt_t)
+ domain_read_all_domains_state(abrt_t)
@@ -176,29 +192,43 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
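Review bot: `dev_read_raw_memory(abrt_t)` replaces a dontaudit with a real allow, giving abrtd read access to /dev/mem and /dev/kmem — all of physical memory, including kernel data and other processes' secrets — and the hunk gives no hint of why a crash-reporting daemon must read raw memory directly. If this is for collecting hardware information (e.g. running dmidecode), a domain transition into a dedicated domain or a boolean guard (`tunable_policy(`abrt_read_raw_memory`, ...)`) is the narrower fix. At the very least annotate the line, e.g. `# raw memory read: needed for <fill in>; exposes all of physical memory, keep minimal`, so the grant is not cargo-culted forward. The surrounding abrt_t rules continue outside this hunk.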
@@ -3623,7 +3631,7 @@ index 7caefc3..7e70f67 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
-index f6eb485..918ae86 100644
+index f6eb485..f6d065e 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
@@ -3772,7 +3780,7 @@ index f6eb485..918ae86 100644
+ manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+ manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+
-+ allow $1_script_t httpd_t:unix_stream_socket { accept getattr read write };
++ allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write };
+
+ # Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
@@ -10307,6 +10315,159 @@ index c5a9113..6ad8ccb 100644
optional_policy(`
xen_append_log(brctl_t)
xen_dontaudit_rw_unix_stream_sockets(brctl_t)
+diff --git a/brltty.fc b/brltty.fc
+new file mode 100644
+index 0000000..d541924
+--- /dev/null
++++ b/brltty.fc
+@@ -0,0 +1,6 @@
++/usr/lib/systemd/system/brltty.* -- gen_context(system_u:object_r:brltty_unit_file_t,s0)
++
++/usr/bin/brltty -- gen_context(system_u:object_r:brltty_exec_t,s0)
++
++/var/lib/BrlAPI(/.*)? gen_context(system_u:object_r:brltty_var_lib_t,s0)
++
+diff --git a/brltty.if b/brltty.if
+new file mode 100644
+index 0000000..b552259
+--- /dev/null
++++ b/brltty.if
+@@ -0,0 +1,79 @@
++
++## brltty is refreshable braille display driver for Linux/Unix
++
++########################################
++##
++## Execute brltty in the brltty domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`brltty_domtrans',`
++ gen_require(`
++ type brltty_t, brltty_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, brltty_exec_t, brltty_t)
++')
++########################################
++##
++## Execute brltty server in the brltty domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`brltty_systemctl',`
++ gen_require(`
++ type brltty_t;
++ type brltty_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 brltty_unit_file_t:file read_file_perms;
++ allow $1 brltty_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, brltty_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an brltty environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`brltty_admin',`
++ gen_require(`
++ type brltty_t;
++ type brltty_unit_file_t;
++ ')
++
++ allow $1 brltty_t:process { signal_perms };
++ ps_process_pattern($1, brltty_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 brltty_t:process ptrace;
++ ')
++
++ brltty_systemctl($1)
++ admin_pattern($1, brltty_unit_file_t)
++ allow $1 brltty_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/brltty.te b/brltty.te
+new file mode 100644
+index 0000000..d1b76d8
+--- /dev/null
++++ b/brltty.te
+@@ -0,0 +1,50 @@
++policy_module(brltty, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type brltty_t;
++type brltty_exec_t;
++init_daemon_domain(brltty_t, brltty_exec_t)
++
++type brltty_var_lib_t;
++files_type(brltty_var_lib_t)
++
++type brltty_unit_file_t;
++systemd_unit_file(brltty_unit_file_t)
++
++########################################
++#
++# brltty local policy
++#
++allow brltty_t self:capability { sys_admin sys_tty_config };
++allow brltty_t self:process { fork signal_perms };
++
++allow brltty_t self:fifo_file rw_fifo_file_perms;
++allow brltty_t self:unix_stream_socket create_stream_socket_perms;
++allow brltty_t self:tcp_socket listen;
++
++manage_dirs_pattern(brltty_t, brltty_var_lib_t, brltty_var_lib_t)
++manage_files_pattern(brltty_t, brltty_var_lib_t, brltty_var_lib_t)
++manage_sock_files_pattern(brltty_t,brltty_var_lib_t, brltty_var_lib_t)
++files_var_lib_filetrans(brltty_t, brltty_var_lib_t, {file sock_file dir})
++
++kernel_read_system_state(brltty_t)
++kernel_read_usermodehelper_state(brltty_t)
++
++auth_use_nsswitch(brltty_t)
++
++corenet_tcp_bind_brlp_port(brltty_t)
++
++dev_read_sysfs(brltty_t)
++dev_getattr_generic_usb_dev(brltty_t)
++
++logging_send_syslog_msg(brltty_t)
++
++modutils_domtrans_insmod(brltty_t)
++
++sysnet_dns_name_resolve(brltty_t)
++
++term_use_unallocated_ttys(brltty_t)
diff --git a/bugzilla.fc b/bugzilla.fc
index fce0b6e..9efceac 100644
--- a/bugzilla.fc
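Review bot: In brltty.te `allow brltty_t self:tcp_socket listen;` is the only tcp_socket permission, yet the domain is expected to bind the BrlAPI port via `corenet_tcp_bind_brlp_port`; without `create_stream_socket_perms` on tcp_socket and `corenet_tcp_bind_generic_node(brltty_t)` it cannot create or bind the listening socket, which is hidden today only because the domain is permissive. I would change the line to `allow brltty_t self:tcp_socket create_stream_socket_perms;` and add `corenet_tcp_bind_generic_node(brltty_t)` beside the port rule. Separately, `sys_admin` is the broadest capability in the set and deserves a one-line comment stating what brltty uses it for, and `dev_getattr_generic_usb_dev` only grants getattr, so USB braille displays presumably also need rw on the USB device node — verify against real denials before dropping permissive. In brltty.if the brltty_domtrans header reads "domin"; it should be "domain".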
@@ -13887,10 +14048,10 @@ index 0000000..573dcae
+')
diff --git a/cockpit.te b/cockpit.te
new file mode 100644
-index 0000000..2b8cac8
+index 0000000..4d89495
--- /dev/null
+++ b/cockpit.te
-@@ -0,0 +1,91 @@
+@@ -0,0 +1,98 @@
+policy_module(cockpit, 1.0.0)
+
+########################################
@@ -13946,6 +14107,8 @@ index 0000000..2b8cac8
+
+auth_use_nsswitch(cockpit_ws_t)
+
++init_stream_connect(cockpit_ws_t)
++
+logging_send_syslog_msg(cockpit_ws_t)
+
+# cockpit-ws launches cockpit-session
@@ -13956,6 +14119,11 @@ index 0000000..2b8cac8
+allow cockpit_session_t cockpit_ws_t:unix_stream_socket rw_stream_socket_perms;
+
+optional_policy(`
++ kerberos_use(cockpit_ws_t)
++ kerberos_etc_filetrans_keytab(cockpit_ws_t)
++')
++
++optional_policy(`
+ ssh_read_user_home_files(cockpit_ws_t)
+')
+
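Review bot: `kerberos_etc_filetrans_keytab(cockpit_ws_t)` lets the network-facing web service create the system keytab under /etc with the krb5_keytab_t label, which is more than a GSSAPI acceptor that only validates tickets needs; for accepting Kerberos logins cockpit-ws should only have to read the keytab, so confirm it actually writes one before keeping the filetrans. If read is all that is needed, `kerberos_read_keytab(cockpit_ws_t)` is the narrower interface; if it does create the file, a comment such as `# cockpit-ws writes /etc/krb5.keytab during <fill in>` next to the line would record the reason. `kerberos_use(cockpit_ws_t)` is the usual client-side grant and looks fine.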
@@ -13983,10 +14151,10 @@ index 0000000..2b8cac8
+ unconfined_domtrans(cockpit_session_t)
+')
diff --git a/collectd.fc b/collectd.fc
-index 79a3abe..8d70290 100644
+index 79a3abe..3237fb0 100644
--- a/collectd.fc
+++ b/collectd.fc
-@@ -1,9 +1,11 @@
+@@ -1,9 +1,12 @@
/etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
+/usr/lib/systemd/system/collectd.* -- gen_context(system_u:object_r:collectd_unit_file_t,s0)
@@ -13996,6 +14164,7 @@ index 79a3abe..8d70290 100644
/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
/var/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0)
++/var/run/collectd-unixsock -s gen_context(system_u:object_r:collectd_var_run_t,s0)
-/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
+/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:collectd_script_exec_t,s0)
@@ -14182,10 +14351,10 @@ index 954309e..f4db2ca 100644
')
+
diff --git a/collectd.te b/collectd.te
-index 6471fa8..e6d320a 100644
+index 6471fa8..74ffeda 100644
--- a/collectd.te
+++ b/collectd.te
-@@ -26,18 +26,28 @@ files_type(collectd_var_lib_t)
+@@ -26,43 +26,59 @@ files_type(collectd_var_lib_t)
type collectd_var_run_t;
files_pid_file(collectd_var_run_t)
@@ -14204,7 +14373,7 @@ index 6471fa8..e6d320a 100644
#
-allow collectd_t self:capability { ipc_lock sys_nice };
-+allow collectd_t self:capability { ipc_lock net_admin sys_nice };
++allow collectd_t self:capability { ipc_lock net_admin sys_nice sys_ptrace dac_override };
allow collectd_t self:process { getsched setsched signal };
allow collectd_t self:fifo_file rw_fifo_file_perms;
allow collectd_t self:packet_socket create_socket_perms;
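Review bot: The capability set grows to `{ ipc_lock net_admin sys_nice sys_ptrace dac_override }` with nothing saying which plugin needs `sys_ptrace` or `dac_override`. dac_override lets collectd bypass DAC permission bits on any file its type rules already reach, and sys_ptrace lets it read other users' /proc/<pid> state, so both widen what a compromised plugin can do; sys_ptrace is typically triggered by the processes plugin reading per-pid files of other users, while dac_override is usually avoidable by fixing ownership of the file that produced the denial. I would either drop dac_override or annotate the line, e.g. `# sys_ptrace: processes plugin reads /proc/<pid>; dac_override: <file that needs it>`, so the grant can be revisited.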
@@ -14215,9 +14384,12 @@ index 6471fa8..e6d320a 100644
manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
-@@ -46,23 +56,29 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
+ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
+
manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
- files_pid_filetrans(collectd_t, collectd_var_run_t, file)
+-files_pid_filetrans(collectd_t, collectd_var_run_t, file)
++manage_sock_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
++files_pid_filetrans(collectd_t, collectd_var_run_t, { file sock_file })
-domain_use_interactive_fds(collectd_t)
+kernel_read_all_sysctls(collectd_t)
@@ -14227,8 +14399,7 @@ index 6471fa8..e6d320a 100644
-kernel_read_network_state(collectd_t)
-kernel_read_net_sysctls(collectd_t)
-kernel_read_system_state(collectd_t)
-+auth_getattr_passwd(collectd_t)
-+auth_read_passwd(collectd_t)
++auth_use_nsswitch(collectd_t)
+
+corenet_udp_bind_generic_node(collectd_t)
+corenet_udp_bind_collectd_port(collectd_t)
@@ -16453,6 +16624,86 @@ index 6cedb87..530e250 100644
+optional_policy(`
+ xserver_dbus_chat_xdm(cpufreqselector_t)
+')
+diff --git a/cpuplug.fc b/cpuplug.fc
+new file mode 100644
+index 0000000..be203ff
+--- /dev/null
++++ b/cpuplug.fc
+@@ -0,0 +1,3 @@
++/etc/rc.d/init.d/cpuplugd -- gen_context(system_u:object_r:cpuplug_initrc_exec_t,s0)
++
++/usr/sbin/cpuplugd -- gen_context(system_u:object_r:cpuplug_exec_t,s0)
+diff --git a/cpuplug.if b/cpuplug.if
+new file mode 100644
+index 0000000..c68d1d3
+--- /dev/null
++++ b/cpuplug.if
+@@ -0,0 +1,20 @@
++## cpuplugd - Linux on System z CPU and memory hotplug daemon
++
++########################################
++##
++## Execute cpuplug in the cpuplug domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`cpuplug_domtrans',`
++ gen_require(`
++ type cpuplug_t, cpuplug_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, cpuplug_exec_t, cpuplug_t)
++')
+diff --git a/cpuplug.te b/cpuplug.te
+new file mode 100644
+index 0000000..11361fc
+--- /dev/null
++++ b/cpuplug.te
+@@ -0,0 +1,39 @@
++policy_module(cpuplug, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type cpuplug_t;
++type cpuplug_exec_t;
++init_daemon_domain(cpuplug_t, cpuplug_exec_t)
++
++type cpuplug_initrc_exec_t;
++init_script_file(cpuplug_initrc_exec_t)
++
++type cpuplug_lock_t;
++files_lock_file(cpuplug_lock_t)
++
++type cpuplug_var_run_t;
++files_pid_file(cpuplug_var_run_t)
++
++########################################
++#
++# cpuplug local policy
++#
++allow cpuplug_t self:fifo_file rw_fifo_file_perms;
++allow cpuplug_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(cpuplug_t, cpuplug_lock_t, cpuplug_lock_t)
++files_lock_filetrans(cpuplug_t, cpuplug_lock_t, { file })
++
++manage_files_pattern(cpuplug_t, cpuplug_var_run_t, cpuplug_var_run_t)
++files_pid_filetrans(cpuplug_t, cpuplug_var_run_t, { file })
++
++kernel_read_system_state(cpuplug_t)
++
++dev_rw_sysfs(cpuplug_t)
++
++logging_send_syslog_msg(cpuplug_t)
++
diff --git a/cron.fc b/cron.fc
index ad0bae9..615a947 100644
--- a/cron.fc
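Review bot: The interface summary in the new cpuplug.if reads `Execute cpuplug in the cpuplug domin.`, which should be `domain`. Separately, `dev_rw_sysfs(cpuplug_t)` in cpuplug.te grants write access to all of sysfs, while the module's purpose line describes a CPU and memory hotplug daemon, so the rule is presumably aimed at a narrow subtree; a comment such as `# cpuplugd toggles CPU/memory online attributes via sysfs -- confirm path` would record why the broad interface was chosen. Note also that `files_lock_filetrans(cpuplug_t, cpuplug_lock_t, { file })` and the matching pid rule wrap a single class in braces; `file` alone matches the style used elsewhere in this patch.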
@@ -21265,7 +21516,7 @@ index 62d22cb..cbf09ce 100644
+ files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus")
')
diff --git a/dbus.te b/dbus.te
-index c9998c8..9c12159 100644
+index c9998c8..94ff984 100644
--- a/dbus.te
+++ b/dbus.te
@@ -4,17 +4,15 @@ gen_require(`
@@ -21389,7 +21640,7 @@ index c9998c8..9c12159 100644
mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +122,162 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +122,165 @@ term_dontaudit_use_console(system_dbusd_t)
auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)
@@ -21407,7 +21658,6 @@ index c9998c8..9c12159 100644
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
-init_all_labeled_script_domtrans(system_dbusd_t)
-+init_bin_domtrans_spec(system_dbusd_t)
+init_domtrans_script(system_dbusd_t)
+init_rw_stream_sockets(system_dbusd_t)
+init_status(system_dbusd_t)
@@ -21442,9 +21692,10 @@ index c9998c8..9c12159 100644
+
+optional_policy(`
+ getty_start_services(system_dbusd_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- seutil_sigchld_newrole(system_dbusd_t)
+ gnome_exec_gconf(system_dbusd_t)
+ gnome_read_inherited_home_icc_data_files(system_dbusd_t)
+')
@@ -21466,10 +21717,9 @@ index c9998c8..9c12159 100644
+
+optional_policy(`
+ sysnet_domtrans_dhcpc(system_dbusd_t)
- ')
-
- optional_policy(`
-- seutil_sigchld_newrole(system_dbusd_t)
++')
++
++optional_policy(`
+ systemd_use_fds_logind(system_dbusd_t)
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+ systemd_write_inhibit_pipes(system_dbusd_t)
@@ -21487,6 +21737,10 @@ index c9998c8..9c12159 100644
+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
+ xserver_read_inherited_xdm_lib_files(system_dbusd_t)
+')
++
++optional_policy(`
++ unconfined_server_domtrans(system_dbusd_t)
++')
+
########################################
#
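Review bot: The new `unconfined_server_domtrans(system_dbusd_t)` block lets the system bus daemon start services in an unconfined server domain, which means any activated service not covered by a more specific transition can end up unconfined; a rule with that effect deserves a why-comment so it is not carried forward silently. I would precede it with a comment naming the activation case it fixes, e.g. `# bus-activated services without their own domain run in <unconfined server domain> -- confirm`, since the hunk does not show the target type. The optional_policy block is complete within the hunk; the enclosing system_dbusd_t section continues outside it.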
@@ -21510,7 +21764,7 @@ index c9998c8..9c12159 100644
+init_rw_stream_sockets(system_bus_type)
+
+ps_process_pattern(system_dbusd_t, system_bus_type)
-
++
+userdom_dontaudit_search_admin_dir(system_bus_type)
+userdom_read_all_users_state(system_bus_type)
+
@@ -21525,7 +21779,7 @@ index c9998c8..9c12159 100644
+optional_policy(`
+ unconfined_dbus_send(system_bus_type)
+')
-+
+
+ifdef(`hide_broken_symptoms',`
+ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
+')
@@ -21566,7 +21820,7 @@ index c9998c8..9c12159 100644
kernel_read_kernel_sysctls(session_bus_type)
corecmd_list_bin(session_bus_type)
-@@ -191,23 +286,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +289,18 @@ corecmd_read_bin_files(session_bus_type)
corecmd_read_bin_pipes(session_bus_type)
corecmd_read_bin_sockets(session_bus_type)
@@ -21591,7 +21845,7 @@ index c9998c8..9c12159 100644
files_dontaudit_search_var(session_bus_type)
fs_getattr_romfs(session_bus_type)
-@@ -215,7 +305,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +308,6 @@ fs_getattr_xattr_fs(session_bus_type)
fs_list_inotifyfs(session_bus_type)
fs_dontaudit_list_nfs(session_bus_type)
@@ -21599,7 +21853,7 @@ index c9998c8..9c12159 100644
selinux_validate_context(session_bus_type)
selinux_compute_access_vector(session_bus_type)
selinux_compute_create_context(session_bus_type)
-@@ -225,18 +314,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +317,36 @@ selinux_compute_user_contexts(session_bus_type)
auth_read_pam_console_data(session_bus_type)
logging_send_audit_msgs(session_bus_type)
@@ -21641,7 +21895,7 @@ index c9998c8..9c12159 100644
')
########################################
-@@ -244,5 +351,9 @@ optional_policy(`
+@@ -244,5 +354,9 @@ optional_policy(`
# Unconfined access to this module
#
@@ -25861,10 +26115,24 @@ index 9a21639..26c5986 100644
')
+
diff --git a/drbd.te b/drbd.te
-index f2516cc..fa9ba56 100644
+index f2516cc..5138658 100644
--- a/drbd.te
+++ b/drbd.te
-@@ -28,7 +28,7 @@ dontaudit drbd_t self:capability sys_tty_config;
+@@ -18,17 +18,20 @@ files_type(drbd_var_lib_t)
+ type drbd_lock_t;
+ files_lock_file(drbd_lock_t)
+
++type drbd_tmp_t;
++files_tmp_file(drbd_tmp_t)
++
+ ########################################
+ #
+ # Local policy
+ #
+
+-allow drbd_t self:capability { kill net_admin };
++allow drbd_t self:capability { dac_read_search dac_override kill net_admin sys_admin };
+ dontaudit drbd_t self:capability sys_tty_config;
allow drbd_t self:fifo_file rw_fifo_file_perms;
allow drbd_t self:unix_stream_socket create_stream_socket_perms;
allow drbd_t self:netlink_socket create_socket_perms;
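Review bot: The `allow drbd_t self:capability` line adds `sys_admin`, `dac_override` and `dac_read_search` in one step without a comment saying which operation needs each. `sys_admin` is close to root-equivalent in capability terms, and `dac_override` is frequently a symptom of a mislabelled or wrongly owned file rather than a real requirement; if only directory traversal is involved, `dac_read_search` alone is the narrower grant. A comment such as `# sys_admin: <drbd operation> -- confirm; dac_*: <path> -- confirm` above the rule would let the next maintainer re-check, and a `dontaudit` should be considered for any of them that only shows up as a harmless probe. The drbd_t local policy section continues outside the hunk.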
@@ -25873,10 +26141,21 @@ index f2516cc..fa9ba56 100644
manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
-@@ -42,14 +42,16 @@ can_exec(drbd_t, drbd_exec_t)
+@@ -38,18 +41,32 @@ files_var_lib_filetrans(drbd_t, drbd_var_lib_t, dir)
+ manage_files_pattern(drbd_t, drbd_lock_t, drbd_lock_t)
+ files_lock_filetrans(drbd_t, drbd_lock_t, file)
+
+-can_exec(drbd_t, drbd_exec_t)
++manage_dirs_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t)
++manage_files_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t)
++files_tmp_filetrans(drbd_t, drbd_tmp_t, dir)
kernel_read_system_state(drbd_t)
++auth_read_passwd(drbd_t)
++
++can_exec(drbd_t, drbd_exec_t)
++
+corecmd_exec_bin(drbd_t)
+
dev_read_rand(drbd_t)
@@ -25884,15 +26163,21 @@ index f2516cc..fa9ba56 100644
dev_read_urand(drbd_t)
-files_read_etc_files(drbd_t)
--
- storage_raw_read_fixed_disk(drbd_t)
++logging_send_syslog_msg(drbd_t)
--miscfiles_read_localization(drbd_t)
-+auth_read_passwd(drbd_t)
-+
+-storage_raw_read_fixed_disk(drbd_t)
+modutils_exec_insmod(drbd_t)
+-miscfiles_read_localization(drbd_t)
++storage_raw_read_fixed_disk(drbd_t)
+
sysnet_dns_name_resolve(drbd_t)
++
++optional_policy(`
++ rhcs_read_log_cluster(drbd_t)
++ rhcs_rw_cluster_tmpfs(drbd_t)
++ rhcs_manage_cluster_lib_files(drbd_t)
++')
diff --git a/dspam.fc b/dspam.fc
index 5eddac5..b5fcb77 100644
--- a/dspam.fc
@@ -29640,7 +29925,7 @@ index 1e29af1..6c64f55 100644
+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
+')
diff --git a/git.te b/git.te
-index dc49c71..3ef1e93 100644
+index dc49c71..54df5e3 100644
--- a/git.te
+++ b/git.te
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
@@ -29666,7 +29951,7 @@ index dc49c71..3ef1e93 100644
type git_system_t, git_daemon;
type gitd_exec_t;
-@@ -93,10 +86,10 @@ type git_session_t, git_daemon;
+@@ -93,12 +86,15 @@ type git_session_t, git_daemon;
userdom_user_application_domain(git_session_t, gitd_exec_t)
role git_session_roles types git_session_t;
@@ -29678,8 +29963,13 @@ index dc49c71..3ef1e93 100644
+type git_user_content_t alias git_session_content_t;
userdom_user_home_content(git_user_content_t)
++type git_script_tmp_t;
++files_tmp_file(git_script_tmp_t)
++
########################################
-@@ -110,6 +103,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
+ #
+ # Session policy
+@@ -110,6 +106,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
userdom_search_user_home_dirs(git_session_t)
@@ -29688,7 +29978,7 @@ index dc49c71..3ef1e93 100644
corenet_all_recvfrom_netlabel(git_session_t)
corenet_all_recvfrom_unlabeled(git_session_t)
corenet_tcp_bind_generic_node(git_session_t)
-@@ -130,9 +125,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
+@@ -130,9 +128,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
corenet_tcp_sendrecv_all_ports(git_session_t)
')
@@ -29699,7 +29989,7 @@ index dc49c71..3ef1e93 100644
tunable_policy(`use_nfs_home_dirs',`
fs_getattr_nfs(git_session_t)
-@@ -158,6 +151,9 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -158,6 +154,9 @@ tunable_policy(`use_samba_home_dirs',`
list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
@@ -29709,31 +29999,34 @@ index dc49c71..3ef1e93 100644
corenet_all_recvfrom_unlabeled(git_system_t)
corenet_all_recvfrom_netlabel(git_system_t)
corenet_tcp_sendrecv_generic_if(git_system_t)
-@@ -176,6 +172,10 @@ logging_send_syslog_msg(git_system_t)
+@@ -176,6 +175,10 @@ logging_send_syslog_msg(git_system_t)
tunable_policy(`git_system_enable_homedirs',`
userdom_search_user_home_dirs(git_system_t)
-+ list_dirs_pattern(httpd_git_script_t, git_user_content_t, git_user_content_t)
++ list_dirs_pattern(git_script_t, git_user_content_t, git_user_content_t)
+ list_dirs_pattern(git_system_t, git_user_content_t, git_user_content_t)
+ read_files_pattern(git_system_t, git_user_content_t, git_user_content_t)
+
')
tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
-@@ -215,48 +215,48 @@ tunable_policy(`git_system_use_nfs',`
+@@ -215,48 +218,52 @@ tunable_policy(`git_system_use_nfs',`
# CGI policy
#
-list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
-read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
-files_search_var_lib(httpd_git_script_t)
++manage_dirs_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t)
++manage_files_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t)
++manage_lnk_files_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t)
++files_tmp_filetrans(git_script_t, git_script_tmp_t, { file dir })
+
+-files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+list_dirs_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+read_files_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+files_search_var_lib(git_script_t)
--files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
-+files_dontaudit_getattr_tmp_dirs(git_script_t)
-
-auth_use_nsswitch(httpd_git_script_t)
+auth_use_nsswitch(git_script_t)
@@ -29742,6 +30035,7 @@ index dc49c71..3ef1e93 100644
+ userdom_search_user_home_dirs(git_script_t)
')
++fs_getattr_tmpfs(git_script_t)
tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',`
- fs_getattr_nfs(httpd_git_script_t)
- fs_list_nfs(httpd_git_script_t)
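Review bot: `fs_getattr_tmpfs(git_script_t)` is wedged between the closing `')` of one tunable_policy block and the opening of the next with no blank line on either side, which reads as if it belonged to one of the conditional blocks. Move it up to the unconditional git_script_t rules (next to `files_search_var_lib(git_script_t)`) or surround it with blank lines so the structure is visible. Both tunable_policy blocks extend outside the hunk.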
@@ -29791,7 +30085,7 @@ index dc49c71..3ef1e93 100644
')
########################################
-@@ -266,12 +266,9 @@ tunable_policy(`git_cgi_use_nfs',`
+@@ -266,12 +273,9 @@ tunable_policy(`git_cgi_use_nfs',`
allow git_daemon self:fifo_file rw_fifo_file_perms;
@@ -38089,10 +38383,10 @@ index 0000000..0d61849
+')
diff --git a/keepalived.te b/keepalived.te
new file mode 100644
-index 0000000..a5b2f96
+index 0000000..ad2d023
--- /dev/null
+++ b/keepalived.te
-@@ -0,0 +1,55 @@
+@@ -0,0 +1,57 @@
+policy_module(keepalived, 1.0.0)
+
+########################################
@@ -38147,6 +38441,8 @@ index 0000000..a5b2f96
+
+optional_policy(`
+ snmp_manage_var_lib_files(keepalived_t)
++ snmp_manage_var_lib_sock_files(keepalived_t)
++ snmp_manage_var_lib_dirs(keepalived_t)
+')
diff --git a/kerberos.fc b/kerberos.fc
index 4fe75fd..b029c28 100644
@@ -39561,7 +39857,7 @@ index e88fb16..f20248c 100644
+ ')
')
diff --git a/keystone.te b/keystone.te
-index 9929647..eea253d 100644
+index 9929647..4a4ccf1 100644
--- a/keystone.te
+++ b/keystone.te
@@ -18,13 +18,20 @@ logging_log_file(keystone_log_t)
@@ -39596,7 +39892,7 @@ index 9929647..eea253d 100644
can_exec(keystone_t, keystone_tmp_t)
kernel_read_system_state(keystone_t)
-@@ -57,20 +68,36 @@ corenet_all_recvfrom_netlabel(keystone_t)
+@@ -57,20 +68,53 @@ corenet_all_recvfrom_netlabel(keystone_t)
corenet_tcp_sendrecv_generic_if(keystone_t)
corenet_tcp_sendrecv_generic_node(keystone_t)
corenet_tcp_bind_generic_node(keystone_t)
@@ -39634,6 +39930,23 @@ index 9929647..eea253d 100644
+
+optional_policy(`
+ rpm_exec(keystone_t)
++')
++
++#######################################
++#
++# Cgi local policy
++#
++
++optional_policy(`
++ apache_content_template(keystone_cgi)
++ apache_content_alias_template(keystone_cgi, keystone_cgi)
++
++ getattr_dirs_pattern(keystone_cgi_script_t, keystone_var_lib_t, keystone_var_lib_t)
++
++ read_files_pattern(keystone_cgi_script_t, keystone_log_t, keystone_log_t)
++
++ corenet_tcp_bind_commplex_main_port(keystone_t)
++ corenet_tcp_sendrecv_commplex_main_port(keystone_t)
')
diff --git a/kismet.if b/kismet.if
index aa2a337..7ff229f 100644
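Review bot: The last two rules of the new `Cgi local policy` block, `corenet_tcp_bind_commplex_main_port(keystone_t)` and `corenet_tcp_sendrecv_commplex_main_port(keystone_t)`, grant keystone_t rather than keystone_cgi_script_t, so they do not belong inside the optional_policy that declares the CGI template and will silently disappear whenever the apache module is not loaded. Either move them up into the unconditional keystone_t section, or, if the bind really is for the CGI domain, change the subject to `keystone_cgi_script_t`. The keystone_t policy section itself begins outside the hunk.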
@@ -42512,7 +42825,7 @@ index d314333..da30c5d 100644
+ ')
')
diff --git a/lsm.te b/lsm.te
-index 4ec0eea..0f702df 100644
+index 4ec0eea..2eaa558 100644
--- a/lsm.te
+++ b/lsm.te
@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
@@ -42547,11 +42860,12 @@ index 4ec0eea..0f702df 100644
########################################
#
# Local policy
-@@ -26,4 +44,47 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+@@ -26,4 +44,48 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
+corecmd_exec_bin(lsmd_t)
++corecmd_getattr_all_executables(lsmd_t)
+
logging_send_syslog_msg(lsmd_t)
+
@@ -49818,7 +50132,7 @@ index ed81cac..837a43a 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
-index ff1d68c..c8070da 100644
+index ff1d68c..bc8340d 100644
--- a/mta.te
+++ b/mta.te
@@ -14,8 +14,6 @@ attribute mailserver_sender;
@@ -49855,7 +50169,13 @@ index ff1d68c..c8070da 100644
userdom_user_tmp_file(user_mail_tmp_t)
########################################
-@@ -66,8 +64,6 @@ allow user_mail_domain mail_home_t:file { append_file_perms read_file_perms };
+@@ -61,13 +59,11 @@ allow user_mail_domain self:fifo_file rw_fifo_file_perms;
+
+ allow user_mail_domain mta_exec_type:file entrypoint;
+
+-allow user_mail_domain mail_home_t:file { append_file_perms read_file_perms };
++manage_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
+
manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
manage_lnk_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
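Review bot: Replacing `allow user_mail_domain mail_home_t:file { append_file_perms read_file_perms }` with `manage_files_pattern(user_mail_domain, mail_home_t, mail_home_t)` upgrades user mail domains from append/read to create, write, rename and unlink on mail_home_t, and the hunk records no reason. If mail_home_t labels files the mail system reads as per-user configuration, a user mail domain that can rewrite or replace them is a wider trust boundary than before; a comment such as `# <mail operation> rewrites mail_home_t files in place -- confirm` would justify the widening. If in-place writes are all that is needed, `rw_files_pattern` is the narrower interface. The user_mail_domain section continues outside the hunk.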
@@ -53872,7 +54192,7 @@ index 86dc29d..1cd0d0e 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..5fa2fb5 100644
+index 55f2009..4e7b106 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -9,15 +9,18 @@ type NetworkManager_t;
@@ -53897,7 +54217,7 @@ index 55f2009..5fa2fb5 100644
type NetworkManager_log_t;
logging_log_file(NetworkManager_log_t)
-@@ -39,25 +42,53 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -39,25 +42,54 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
# Local policy
#
@@ -53939,6 +54259,7 @@ index 55f2009..5fa2fb5 100644
+allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms;
+allow NetworkManager_t self:rawip_socket create_socket_perms;
++allow NetworkManager_t self:socket create_socket_perms;
allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
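Review bot: `allow NetworkManager_t self:socket create_socket_perms;` uses the generic `socket` class, which is the catch-all for address families without a dedicated SELinux class, so the line says nothing about which kind of socket NetworkManager actually opens. A comment naming the family that produced the denial, such as `# <address family> sockets have no dedicated class; fall back to generic socket -- confirm`, would make the rule reviewable and let it be narrowed if a dedicated class is added later. The NetworkManager_t self-socket rules continue outside the hunk.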
@@ -53960,7 +54281,7 @@ index 55f2009..5fa2fb5 100644
manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
-@@ -68,6 +99,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
+@@ -68,6 +100,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
@@ -53968,7 +54289,7 @@ index 55f2009..5fa2fb5 100644
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -81,17 +113,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
+@@ -81,17 +114,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
@@ -53987,7 +54308,7 @@ index 55f2009..5fa2fb5 100644
corenet_all_recvfrom_netlabel(NetworkManager_t)
corenet_tcp_sendrecv_generic_if(NetworkManager_t)
corenet_udp_sendrecv_generic_if(NetworkManager_t)
-@@ -102,22 +131,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
+@@ -102,22 +132,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
corenet_tcp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_bind_generic_node(NetworkManager_t)
@@ -54013,7 +54334,7 @@ index 55f2009..5fa2fb5 100644
dev_rw_sysfs(NetworkManager_t)
dev_read_rand(NetworkManager_t)
dev_read_urand(NetworkManager_t)
-@@ -125,13 +147,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+@@ -125,13 +148,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
dev_getattr_all_chr_files(NetworkManager_t)
dev_rw_wireless(NetworkManager_t)
@@ -54027,7 +54348,7 @@ index 55f2009..5fa2fb5 100644
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
fs_list_inotifyfs(NetworkManager_t)
-@@ -140,18 +155,33 @@ mls_file_read_all_levels(NetworkManager_t)
+@@ -140,18 +156,33 @@ mls_file_read_all_levels(NetworkManager_t)
selinux_dontaudit_search_fs(NetworkManager_t)
@@ -54062,7 +54383,7 @@ index 55f2009..5fa2fb5 100644
seutil_read_config(NetworkManager_t)
-@@ -166,21 +196,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +197,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
sysnet_read_dhcpc_state(NetworkManager_t)
sysnet_delete_dhcpc_state(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
@@ -54099,7 +54420,7 @@ index 55f2009..5fa2fb5 100644
')
optional_policy(`
-@@ -196,10 +237,6 @@ optional_policy(`
+@@ -196,10 +238,6 @@ optional_policy(`
')
optional_policy(`
@@ -54110,7 +54431,7 @@ index 55f2009..5fa2fb5 100644
consoletype_exec(NetworkManager_t)
')
-@@ -210,16 +247,11 @@ optional_policy(`
+@@ -210,16 +248,11 @@ optional_policy(`
optional_policy(`
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -54129,7 +54450,7 @@ index 55f2009..5fa2fb5 100644
')
')
-@@ -231,10 +263,11 @@ optional_policy(`
+@@ -231,10 +264,11 @@ optional_policy(`
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
@@ -54142,7 +54463,7 @@ index 55f2009..5fa2fb5 100644
')
optional_policy(`
-@@ -246,10 +279,26 @@ optional_policy(`
+@@ -246,10 +280,26 @@ optional_policy(`
')
optional_policy(`
@@ -54169,7 +54490,7 @@ index 55f2009..5fa2fb5 100644
')
optional_policy(`
-@@ -257,15 +306,19 @@ optional_policy(`
+@@ -257,15 +307,19 @@ optional_policy(`
')
optional_policy(`
@@ -54191,7 +54512,7 @@ index 55f2009..5fa2fb5 100644
')
optional_policy(`
-@@ -274,10 +327,17 @@ optional_policy(`
+@@ -274,10 +328,17 @@ optional_policy(`
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
@@ -54209,7 +54530,7 @@ index 55f2009..5fa2fb5 100644
')
optional_policy(`
-@@ -289,6 +349,7 @@ optional_policy(`
+@@ -289,6 +350,7 @@ optional_policy(`
')
optional_policy(`
@@ -54217,7 +54538,7 @@ index 55f2009..5fa2fb5 100644
policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t)
-@@ -296,7 +357,7 @@ optional_policy(`
+@@ -296,7 +358,7 @@ optional_policy(`
')
optional_policy(`
@@ -54226,7 +54547,7 @@ index 55f2009..5fa2fb5 100644
')
optional_policy(`
-@@ -307,6 +368,7 @@ optional_policy(`
+@@ -307,6 +369,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -54234,7 +54555,7 @@ index 55f2009..5fa2fb5 100644
')
optional_policy(`
-@@ -320,14 +382,20 @@ optional_policy(`
+@@ -320,14 +383,20 @@ optional_policy(`
')
optional_policy(`
@@ -54260,7 +54581,7 @@ index 55f2009..5fa2fb5 100644
')
optional_policy(`
-@@ -357,6 +425,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -357,6 +426,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -55119,7 +55440,7 @@ index 0000000..ce897e2
+')
diff --git a/nova.te b/nova.te
new file mode 100644
-index 0000000..459a025
+index 0000000..6d3a4fe
--- /dev/null
+++ b/nova.te
@@ -0,0 +1,335 @@
@@ -55200,7 +55521,7 @@ index 0000000..459a025
+dev_read_sysfs(nova_domain)
+dev_read_urand(nova_domain)
+
-+fs_getattr_xattr_fs(nova_domain)
++fs_getattr_all_fs(nova_domain)
+
+init_read_utmp(nova_domain)
+
@@ -65021,10 +65342,10 @@ index 0000000..798efb6
+')
diff --git a/pki.te b/pki.te
new file mode 100644
-index 0000000..0cb8f0a
+index 0000000..995cc23
--- /dev/null
+++ b/pki.te
-@@ -0,0 +1,280 @@
+@@ -0,0 +1,281 @@
+policy_module(pki,10.0.11)
+
+########################################
@@ -65057,6 +65378,7 @@ index 0000000..0cb8f0a
+miscfiles_cert_type(pki_tomcat_cert_t)
+
+tomcat_domain_template(pki_tomcat)
++domain_obj_id_change_exemption(pki_tomcat_t)
+
+type pki_tomcat_unit_file_t;
+systemd_unit_file(pki_tomcat_unit_file_t)
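Review bot: `domain_obj_id_change_exemption(pki_tomcat_t)` exempts the tomcat-based PKI domain from the constraint that normally stops a domain from changing the SELinux user or role of objects it creates, which is a notable relaxation for a network-facing service and arrives here without a comment. I would add a line above it such as `# pki_tomcat_t creates files with a different identity under <path> -- needs obj id change exemption; confirm`, naming the actual files so a later reviewer can check the exemption is still needed. The declarations section of pki.te continues outside the hunk.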
@@ -69713,7 +70035,7 @@ index cd8b8b9..6c73980 100644
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/ppp.te b/ppp.te
-index d616ca3..414a04f 100644
+index d616ca3..e7f793e 100644
--- a/ppp.te
+++ b/ppp.te
@@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0)
@@ -69806,7 +70128,7 @@ index d616ca3..414a04f 100644
-allow pppd_t self:netlink_route_socket nlmsg_write;
-allow pppd_t self:tcp_socket { accept listen };
+allow pppd_t self:unix_dgram_socket create_socket_perms;
-+allow pppd_t self:unix_stream_socket create_socket_perms;
++allow pppd_t self:unix_stream_socket { connectto create_socket_perms };
+allow pppd_t self:netlink_route_socket rw_netlink_socket_perms;
+allow pppd_t self:tcp_socket create_stream_socket_perms;
+allow pppd_t self:udp_socket { connect connected_socket_perms };
@@ -74063,7 +74385,7 @@ index 86ea53c..a2dcf7b 100644
/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --git a/qemu.if b/qemu.if
-index eaf56b8..c32349e 100644
+index eaf56b8..aa90671 100644
--- a/qemu.if
+++ b/qemu.if
@@ -1,19 +1,21 @@
@@ -74114,7 +74436,7 @@ index eaf56b8..c32349e 100644
+ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
-+ files_tmpfs_filetrans($1_t, $1_tmpfs_t, { file dir })
++ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { file dir })
+
kernel_read_system_state($1_t)
@@ -76554,7 +76876,7 @@ index 2c3d338..7d49554 100644
init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/rabbitmq.te b/rabbitmq.te
-index dc3b0ed..8c4255e 100644
+index dc3b0ed..42203ed 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
@@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.2)
@@ -76588,7 +76910,7 @@ index dc3b0ed..8c4255e 100644
type rabbitmq_var_log_t;
logging_log_file(rabbitmq_var_log_t)
-@@ -27,98 +31,81 @@ files_pid_file(rabbitmq_var_run_t)
+@@ -27,98 +31,82 @@ files_pid_file(rabbitmq_var_run_t)
######################################
#
@@ -76694,6 +77016,7 @@ index dc3b0ed..8c4255e 100644
+
+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+manage_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
++manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+files_var_lib_filetrans(rabbitmq_t, rabbitmq_var_lib_t, { dir file })
+
+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
@@ -76839,7 +77162,7 @@ index 4460582..60cf556 100644
+
')
diff --git a/radius.te b/radius.te
-index 403a4fe..de6f803 100644
+index 403a4fe..8fc3712 100644
--- a/radius.te
+++ b/radius.te
@@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t)
@@ -76865,16 +77188,17 @@ index 403a4fe..de6f803 100644
corenet_all_recvfrom_netlabel(radiusd_t)
corenet_tcp_sendrecv_generic_if(radiusd_t)
corenet_udp_sendrecv_generic_if(radiusd_t)
-@@ -74,6 +77,8 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
+@@ -74,6 +77,9 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
corenet_udp_sendrecv_all_ports(radiusd_t)
corenet_udp_bind_generic_node(radiusd_t)
+corenet_tcp_connect_postgresql_port(radiusd_t)
++corenet_tcp_connect_http_port(radiusd_t)
+
corenet_sendrecv_radacct_server_packets(radiusd_t)
corenet_udp_bind_radacct_port(radiusd_t)
-@@ -97,7 +102,6 @@ domain_use_interactive_fds(radiusd_t)
+@@ -97,7 +103,6 @@ domain_use_interactive_fds(radiusd_t)
fs_getattr_all_fs(radiusd_t)
fs_search_auto_mountpoints(radiusd_t)
@@ -76882,7 +77206,7 @@ index 403a4fe..de6f803 100644
files_read_etc_runtime_files(radiusd_t)
files_dontaudit_list_tmp(radiusd_t)
-@@ -109,7 +113,6 @@ libs_exec_lib_files(radiusd_t)
+@@ -109,7 +114,6 @@ libs_exec_lib_files(radiusd_t)
logging_send_syslog_msg(radiusd_t)
@@ -76890,7 +77214,7 @@ index 403a4fe..de6f803 100644
miscfiles_read_generic_certs(radiusd_t)
sysnet_use_ldap(radiusd_t)
-@@ -122,6 +125,11 @@ optional_policy(`
+@@ -122,6 +126,11 @@ optional_policy(`
')
optional_policy(`
@@ -76902,7 +77226,7 @@ index 403a4fe..de6f803 100644
logrotate_exec(radiusd_t)
')
-@@ -140,5 +148,10 @@ optional_policy(`
+@@ -140,5 +149,10 @@ optional_policy(`
')
optional_policy(`
@@ -81591,10 +81915,10 @@ index 0000000..4c6fd7a
+')
diff --git a/rhnsd.te b/rhnsd.te
new file mode 100644
-index 0000000..898d82c
+index 0000000..b947f09
--- /dev/null
+++ b/rhnsd.te
-@@ -0,0 +1,47 @@
+@@ -0,0 +1,48 @@
+policy_module(rhnsd, 1.0.0)
+
+########################################
@@ -81633,6 +81957,7 @@ index 0000000..898d82c
+files_pid_filetrans(rhnsd_t, rhnsd_var_run_t, { dir file })
+
+manage_files_pattern(rhnsd_t, rhnsd_conf_t, rhnsd_conf_t)
++manage_lnk_files_pattern(rhnsd_t, rhnsd_conf_t, rhnsd_conf_t)
+
+corecmd_exec_bin(rhnsd_t)
+
@@ -81642,6 +81967,19 @@ index 0000000..898d82c
+ # execute rhn_check
+ rpm_domtrans(rhnsd_t)
+')
+diff --git a/rhsmcertd.fc b/rhsmcertd.fc
+index 8c02804..896c8c6 100644
+--- a/rhsmcertd.fc
++++ b/rhsmcertd.fc
+@@ -2,6 +2,8 @@
+
+ /usr/bin/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0)
+
++/usr/libexec/rhsmd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0)
++
+ /var/lib/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_lib_t,s0)
+
+ /var/lock/subsys/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_lock_t,s0)
diff --git a/rhsmcertd.if b/rhsmcertd.if
index 6dbc905..4b17c93 100644
--- a/rhsmcertd.if
@@ -81902,7 +82240,7 @@ index 6dbc905..4b17c93 100644
- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a2..b541f8f 100644
+index d32e1a2..902fa17 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
@@ -81941,7 +82279,7 @@ index d32e1a2..b541f8f 100644
manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
-@@ -50,25 +56,57 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+@@ -50,25 +56,61 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
kernel_read_network_state(rhsmcertd_t)
@@ -81984,6 +82322,7 @@ index d32e1a2..b541f8f 100644
sysnet_dns_name_resolve(rhsmcertd_t)
optional_policy(`
+- rpm_read_db(rhsmcertd_t)
+ dmidecode_domtrans(rhsmcertd_t)
+')
+
@@ -82000,7 +82339,11 @@ index d32e1a2..b541f8f 100644
+')
+
+optional_policy(`
- rpm_read_db(rhsmcertd_t)
++ setroubleshoot_signull(rhsmcertd_t)
++')
++
++optional_policy(`
++ rpm_manage_db(rhsmcertd_t)
+ rpm_signull(rhsmcertd_t)
')
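Review bot: Switching the rpm block from `rpm_read_db(rhsmcertd_t)` to `rpm_manage_db(rhsmcertd_t)` gives the certificate daemon write access to the RPM database, which is the data that package verification and inventory tooling trust, so this goes beyond the read access the previous rule granted. If rhsmcertd only needs to read package state and the write denial comes from a lock or temporary file, a narrower interface or a `dontaudit` would keep the database read-only from this domain; if writes are genuine, a comment such as `# rhsmcertd updates the rpm db when <operation> -- confirm` above the rule would document it. The new `setroubleshoot_signull(rhsmcertd_t)` block in the same hunk reads fine.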
diff --git a/ricci.if b/ricci.if
@@ -88185,7 +88528,7 @@ index e18b0a2..463e207 100644
samba_domtrans_nmbd(sambagui_t)
')
diff --git a/samhain.if b/samhain.if
-index f0236d6..78a792a 100644
+index f0236d6..37665a1 100644
--- a/samhain.if
+++ b/samhain.if
@@ -23,6 +23,8 @@ template(`samhain_service_template',`
@@ -88193,7 +88536,7 @@ index f0236d6..78a792a 100644
mls_file_write_all_levels($1_t)
+
-+ logging_send_sylog_msg($1_t)
++ logging_send_syslog_msg($1_t)
')
########################################
@@ -90580,7 +90923,7 @@ index d14b6bf..da5d41d 100644
+/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
+/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
diff --git a/sendmail.if b/sendmail.if
-index 35ad2a7..6f947f6 100644
+index 35ad2a7..6b75e85 100644
--- a/sendmail.if
+++ b/sendmail.if
@@ -1,4 +1,4 @@
@@ -90615,7 +90958,10 @@ index 35ad2a7..6f947f6 100644
- corecmd_search_bin($1)
mta_sendmail_domtrans($1, sendmail_t)
+')
-+
+
+- allow sendmail_t $1:fd use;
+- allow sendmail_t $1:fifo_file rw_fifo_file_perms;
+- allow sendmail_t $1:process sigchld;
+#######################################
+##
+## Execute sendmail in the sendmail domain.
@@ -90630,10 +90976,7 @@ index 35ad2a7..6f947f6 100644
+ gen_require(`
+ type sendmail_initrc_exec_t;
+ ')
-
-- allow sendmail_t $1:fd use;
-- allow sendmail_t $1:fifo_file rw_fifo_file_perms;
-- allow sendmail_t $1:process sigchld;
++
+ init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
')
@@ -90664,10 +91007,27 @@ index 35ad2a7..6f947f6 100644
')
########################################
-@@ -102,6 +114,34 @@ interface(`sendmail_signal',`
- allow $1 sendmail_t:process signal;
- ')
+@@ -104,6 +116,53 @@ interface(`sendmail_signal',`
+ ########################################
+ ##
++## Execute sendmail in the sendmail_unconfined domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`sendmail_domtrans_unconfined',`
++ gen_require(`
++ type unconfined_sendmail_t, sendmail_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t)
++')
++
+#######################################
+##
+## Execute sendmail in the unconfined
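Review bot: The new `sendmail_domtrans_unconfined` interface hands any caller a `domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t)` into an unconfined domain, so every domain that is later granted this interface gains a path out of confinement through the sendmail binary; that deserves a warning in the interface header, e.g. `## The target is an unconfined domain; grant only to trusted system domains.` Unlike the existing `sendmail_run_unconfined` further down (which also does `roleattribute $2 sendmail_unconfined_roles`), this one leaves roles untouched, so a caller outside system_r will presumably still fail the role check — worth stating in the summary if that is intended. The description lines between `##` markers are empty in this view; if the summary and param tags are genuinely absent rather than stripped by rendering, they should be added so the interface documentation builds.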
@@ -90696,10 +91056,12 @@ index 35ad2a7..6f947f6 100644
+ roleattribute $2 sendmail_unconfined_roles;
+')
+
- ########################################
- ##
++########################################
++##
## Read and write sendmail TCP sockets.
-@@ -141,8 +181,7 @@ interface(`sendmail_dontaudit_rw_tcp_sockets',`
+ ##
+ ##
+@@ -141,8 +200,7 @@ interface(`sendmail_dontaudit_rw_tcp_sockets',`
########################################
##
@@ -90709,7 +91071,7 @@ index 35ad2a7..6f947f6 100644
##
##
##
-@@ -179,7 +218,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
+@@ -179,7 +237,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
########################################
##
@@ -90718,7 +91080,7 @@ index 35ad2a7..6f947f6 100644
##
##
##
-@@ -199,8 +238,7 @@ interface(`sendmail_read_log',`
+@@ -199,8 +257,7 @@ interface(`sendmail_read_log',`
########################################
##
@@ -90728,7 +91090,7 @@ index 35ad2a7..6f947f6 100644
##
##
##
-@@ -220,8 +258,7 @@ interface(`sendmail_manage_log',`
+@@ -220,8 +277,7 @@ interface(`sendmail_manage_log',`
########################################
##
@@ -90738,7 +91100,7 @@ index 35ad2a7..6f947f6 100644
##
##
##
-@@ -265,8 +302,7 @@ interface(`sendmail_log_filetrans_sendmail_log',`
+@@ -265,8 +321,7 @@ interface(`sendmail_log_filetrans_sendmail_log',`
########################################
##
@@ -90748,15 +91110,14 @@ index 35ad2a7..6f947f6 100644
##
##
##
-@@ -285,58 +321,27 @@ interface(`sendmail_manage_tmp_files',`
+@@ -285,58 +340,27 @@ interface(`sendmail_manage_tmp_files',`
########################################
##
-## Execute sendmail in the unconfined sendmail domain.
-+## Set the attributes of sendmail pid files.
- ##
- ##
- ##
+-##
+-##
+-##
-## Domain allowed to transition.
-##
-##
@@ -90779,9 +91140,10 @@ index 35ad2a7..6f947f6 100644
-## sendmail domain, and allow the
-## specified role the unconfined
-## sendmail domain.
--##
--##
--##
++## Set the attributes of sendmail pid files.
+ ##
+ ##
+ ##
-## Domain allowed to transition.
-##
-##
@@ -90815,7 +91177,7 @@ index 35ad2a7..6f947f6 100644
##
##
##
-@@ -355,12 +360,17 @@ interface(`sendmail_admin',`
+@@ -355,12 +379,17 @@ interface(`sendmail_admin',`
type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
type sendmail_keytab_t;
@@ -90836,7 +91198,7 @@ index 35ad2a7..6f947f6 100644
domain_system_change_exemption($1)
role_transition $2 sendmail_initrc_exec_t system_r;
-@@ -376,6 +386,6 @@ interface(`sendmail_admin',`
+@@ -376,6 +405,6 @@ interface(`sendmail_admin',`
files_list_pids($1)
admin_pattern($1, sendmail_var_run_t)
@@ -91145,10 +91507,10 @@ index d204752..31cc6e6 100644
+ ')
')
diff --git a/sensord.te b/sensord.te
-index 5e82fd6..64e130f 100644
+index 5e82fd6..d31876d 100644
--- a/sensord.te
+++ b/sensord.te
-@@ -9,27 +9,35 @@ type sensord_t;
+@@ -9,27 +9,37 @@ type sensord_t;
type sensord_exec_t;
init_daemon_domain(sensord_t, sensord_exec_t)
@@ -91180,10 +91542,12 @@ index 5e82fd6..64e130f 100644
manage_files_pattern(sensord_t, sensord_var_run_t, sensord_var_run_t)
files_pid_filetrans(sensord_t, sensord_var_run_t, file)
- dev_read_sysfs(sensord_t)
+-dev_read_sysfs(sensord_t)
++kernel_read_system_state(sensord_t)
-files_read_etc_files(sensord_t)
--
++dev_read_sysfs(sensord_t)
+
logging_send_syslog_msg(sensord_t)
-miscfiles_read_localization(sensord_t)
@@ -93217,7 +93581,7 @@ index 2f0a2f2..1569e33 100644
+/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
diff --git a/snmp.if b/snmp.if
-index 7a9cc9d..86cbca9 100644
+index 7a9cc9d..d55da32 100644
--- a/snmp.if
+++ b/snmp.if
@@ -57,8 +57,7 @@ interface(`snmp_udp_chat',`
@@ -93230,7 +93594,7 @@ index 7a9cc9d..86cbca9 100644
##
##
##
-@@ -66,19 +65,39 @@ interface(`snmp_udp_chat',`
+@@ -66,19 +65,58 @@ interface(`snmp_udp_chat',`
##
##
#
@@ -93241,7 +93605,6 @@ index 7a9cc9d..86cbca9 100644
')
files_search_var_lib($1)
-- allow $1 snmpd_var_lib_t:dir manage_dir_perms;
+ allow $1 snmpd_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+ read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
@@ -93264,32 +93627,36 @@ index 7a9cc9d..86cbca9 100644
+
+ files_search_var_lib($1)
+ allow $1 snmpd_var_lib_t:dir list_dir_perms;
++')
++
++########################################
++##
++## Manage snmpd libraries directories
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`snmp_manage_var_lib_dirs',`
++ gen_require(`
++ type snmpd_var_lib_t;
++ ')
++
+ allow $1 snmpd_var_lib_t:dir manage_dir_perms;
++ files_var_lib_filetrans($1, snmpd_var_lib_t, dir)
')
########################################
##
-## Create, read, write, and delete
-## snmp lib files.
-+## Manage snmpd libraries directories
++## Manage snmpd libraries.
##
##
##
-@@ -86,19 +105,18 @@ interface(`snmp_manage_var_lib_dirs',`
- ##
- ##
- #
--interface(`snmp_manage_var_lib_files',`
-+interface(`snmp_manage_var_lib_dirs',`
- gen_require(`
- type snmpd_var_lib_t;
- ')
-
-- files_search_var_lib($1)
-- allow $1 snmpd_var_lib_t:dir list_dir_perms;
-- manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
-+ allow $1 snmpd_var_lib_t:dir manage_dir_perms;
-+ files_var_lib_filetrans($1, snmpd_var_lib_t, dir)
- ')
+@@ -98,7 +136,7 @@ interface(`snmp_manage_var_lib_files',`
########################################
##
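Review bot: The new `snmp_manage_var_lib_dirs` interface body does not call `files_search_var_lib($1)`, although the neighbouring interface in this hunk does, so a caller with no other search right on the var_lib type cannot reach snmpd_var_lib_t to use the `manage_dir_perms` it is granted; add `files_search_var_lib($1)` before the allow line. Separately, `files_var_lib_filetrans($1, snmpd_var_lib_t, dir)` with no filename argument labels every directory the caller creates directly under /var/lib as snmpd_var_lib_t, so a caller that also creates directories of its own there will mislabel them; if this refpolicy revision supports name-based transitions, pass the directory name as the fourth argument to keep the transition narrow. The interface doc block above it is cut by the hunk boundary.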
@@ -93298,12 +93665,12 @@ index 7a9cc9d..86cbca9 100644
##
##
##
-@@ -106,14 +124,14 @@ interface(`snmp_manage_var_lib_files',`
+@@ -106,14 +144,14 @@ interface(`snmp_manage_var_lib_files',`
##
##
#
-interface(`snmp_read_snmp_var_lib_files',`
-+interface(`snmp_manage_var_lib_files',`
++interface(`snmp_manage_var_lib_sock_files',`
gen_require(`
type snmpd_var_lib_t;
')
@@ -93312,11 +93679,11 @@ index 7a9cc9d..86cbca9 100644
allow $1 snmpd_var_lib_t:dir list_dir_perms;
- read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
- read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
-+ manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
++ manage_sock_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
')
########################################
-@@ -179,8 +197,12 @@ interface(`snmp_admin',`
+@@ -179,8 +217,12 @@ interface(`snmp_admin',`
type snmpd_var_lib_t, snmpd_var_run_t;
')
@@ -94331,7 +94698,7 @@ index 1499b0b..6950cab 100644
- spamassassin_role($2, $1)
')
diff --git a/spamassassin.te b/spamassassin.te
-index cc58e35..de9c4d9 100644
+index cc58e35..025b7d5 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1)
@@ -94635,7 +95002,7 @@ index cc58e35..de9c4d9 100644
')
########################################
-@@ -167,72 +248,90 @@ optional_policy(`
+@@ -167,72 +248,92 @@ optional_policy(`
# Client local policy
#
@@ -94736,18 +95103,20 @@ index cc58e35..de9c4d9 100644
-auth_use_nsswitch(spamc_t)
+fs_search_auto_mountpoints(spamc_t)
++
++libs_exec_ldconfig(spamc_t)
logging_send_syslog_msg(spamc_t)
-miscfiles_read_localization(spamc_t)
--
++auth_use_nsswitch(spamc_t)
+
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(spamc_t)
- fs_manage_nfs_files(spamc_t)
- fs_manage_nfs_symlinks(spamc_t)
-')
-+auth_use_nsswitch(spamc_t)
-
+-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(spamc_t)
- fs_manage_cifs_files(spamc_t)
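Review bot: `libs_exec_ldconfig(spamc_t)` is new in this revision but has no comment and no corresponding entry in the 3.13.1-85 changelog later in this commit, which lists the other additions. Letting a mail-client domain execute ldconfig is unusual enough that the next reviewer will want the reason recorded on the line, e.g. `# spamc executes ldconfig, see BZ#<id>` with the real bug number filled in. The spamc local-policy section this belongs to starts before the hunk.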
@@ -94757,7 +95126,7 @@ index cc58e35..de9c4d9 100644
optional_policy(`
abrt_stream_connect(spamc_t)
-@@ -243,6 +342,7 @@ optional_policy(`
+@@ -243,6 +344,7 @@ optional_policy(`
')
optional_policy(`
@@ -94765,7 +95134,7 @@ index cc58e35..de9c4d9 100644
evolution_stream_connect(spamc_t)
')
-@@ -251,10 +351,16 @@ optional_policy(`
+@@ -251,10 +353,16 @@ optional_policy(`
')
optional_policy(`
@@ -94783,7 +95152,7 @@ index cc58e35..de9c4d9 100644
sendmail_stub(spamc_t)
')
-@@ -267,36 +373,38 @@ optional_policy(`
+@@ -267,36 +375,38 @@ optional_policy(`
########################################
#
@@ -94839,7 +95208,7 @@ index cc58e35..de9c4d9 100644
logging_log_filetrans(spamd_t, spamd_log_t, file)
manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
-@@ -308,7 +416,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+@@ -308,7 +418,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
@@ -94849,7 +95218,7 @@ index cc58e35..de9c4d9 100644
manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
-@@ -317,12 +426,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -317,12 +428,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
@@ -94865,7 +95234,7 @@ index cc58e35..de9c4d9 100644
corenet_all_recvfrom_netlabel(spamd_t)
corenet_tcp_sendrecv_generic_if(spamd_t)
corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +441,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +443,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
corenet_tcp_sendrecv_all_ports(spamd_t)
corenet_udp_sendrecv_all_ports(spamd_t)
corenet_tcp_bind_generic_node(spamd_t)
@@ -94969,7 +95338,7 @@ index cc58e35..de9c4d9 100644
')
optional_policy(`
-@@ -421,21 +512,13 @@ optional_policy(`
+@@ -421,21 +514,13 @@ optional_policy(`
')
optional_policy(`
@@ -94993,7 +95362,7 @@ index cc58e35..de9c4d9 100644
')
optional_policy(`
-@@ -443,8 +526,8 @@ optional_policy(`
+@@ -443,8 +528,8 @@ optional_policy(`
')
optional_policy(`
@@ -95003,7 +95372,7 @@ index cc58e35..de9c4d9 100644
')
optional_policy(`
-@@ -455,7 +538,17 @@ optional_policy(`
+@@ -455,7 +540,17 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
razor_read_lib_files(spamd_t)
@@ -95022,7 +95391,7 @@ index cc58e35..de9c4d9 100644
')
optional_policy(`
-@@ -463,9 +556,9 @@ optional_policy(`
+@@ -463,9 +558,9 @@ optional_policy(`
')
optional_policy(`
@@ -95033,7 +95402,7 @@ index cc58e35..de9c4d9 100644
')
optional_policy(`
-@@ -474,32 +567,32 @@ optional_policy(`
+@@ -474,32 +569,32 @@ optional_policy(`
########################################
#
@@ -95076,7 +95445,7 @@ index cc58e35..de9c4d9 100644
corecmd_exec_bin(spamd_update_t)
corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +601,21 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +603,21 @@ dev_read_urand(spamd_update_t)
domain_use_interactive_fds(spamd_update_t)
@@ -96013,7 +96382,7 @@ index a240455..f4d8c79 100644
- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
-index 2d8db1f..e1c568a 100644
+index 2d8db1f..ababeba 100644
--- a/sssd.te
+++ b/sssd.te
@@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t)
@@ -96071,7 +96440,7 @@ index 2d8db1f..e1c568a 100644
corecmd_exec_bin(sssd_t)
-@@ -83,9 +79,7 @@ domain_read_all_domains_state(sssd_t)
+@@ -83,28 +79,30 @@ domain_read_all_domains_state(sssd_t)
domain_obj_id_change_exemption(sssd_t)
files_list_tmp(sssd_t)
@@ -96081,7 +96450,9 @@ index 2d8db1f..e1c568a 100644
files_list_var_lib(sssd_t)
fs_list_inotifyfs(sssd_t)
-@@ -94,17 +88,20 @@ selinux_validate_context(sssd_t)
+
+ selinux_validate_context(sssd_t)
++seutil_read_config(sssd_t)
seutil_read_file_contexts(sssd_t)
# sssd wants to write /etc/selinux//logins/ for SELinux PAM module
@@ -96104,7 +96475,7 @@ index 2d8db1f..e1c568a 100644
init_read_utmp(sssd_t)
-@@ -112,18 +109,36 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +110,36 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_generic_certs(sssd_t)
@@ -96877,10 +97248,10 @@ index 0000000..6a1f575
+')
diff --git a/swift.te b/swift.te
new file mode 100644
-index 0000000..43a0495
+index 0000000..c2f086f
--- /dev/null
+++ b/swift.te
-@@ -0,0 +1,128 @@
+@@ -0,0 +1,129 @@
+policy_module(swift, 1.0.0)
+
+########################################
@@ -96975,6 +97346,7 @@ index 0000000..43a0495
+corenet_tcp_connect_swift_port(swift_t)
+corenet_tcp_connect_keystone_port(swift_t)
+corenet_tcp_connect_memcache_port(swift_t)
++corenet_tcp_connect_all_ephemeral_ports(swift_t)
+
+corecmd_exec_shell(swift_t)
+corecmd_exec_bin(swift_t)
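Review bot: `corenet_tcp_connect_all_ephemeral_ports(swift_t)` grants unconditional outbound TCP to the whole ephemeral port range, a far larger egress surface than the three named ports immediately above it (swift, keystone, memcache), and it also removes the AVC denials that would otherwise flag unexpected swift connections on those ports. If one backend genuinely listens on an ephemeral port, name it in a comment such as `# <backend> listens on an ephemeral port; see changelog 3.13.1-85`, or gate the rule behind a tunable so hardened deployments can keep the narrower set. The swift_t rule block continues outside this hunk.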
@@ -100978,7 +101350,7 @@ index 1ec5e99..88e287d 100644
+ allow $1 usbmuxd_unit_file_t:service all_service_perms;
+')
diff --git a/usbmuxd.te b/usbmuxd.te
-index 34a8917..21add3e 100644
+index 34a8917..a6b9e84 100644
--- a/usbmuxd.te
+++ b/usbmuxd.te
@@ -10,34 +10,54 @@ roleattribute system_r usbmuxd_roles;
@@ -101004,9 +101376,10 @@ index 34a8917..21add3e 100644
#
-allow usbmuxd_t self:capability { kill setgid setuid };
-+allow usbmuxd_t self:capability { chown kill setgid setuid };
+-allow usbmuxd_t self:process { signal signull };
++allow usbmuxd_t self:capability { fowner fsetid chown kill setgid setuid };
+dontaudit usbmuxd_t self:capability sys_resource;
- allow usbmuxd_t self:process { signal signull };
++allow usbmuxd_t self:process { signal_perms setrlimit };
allow usbmuxd_t self:fifo_file rw_fifo_file_perms;
+allow usbmuxd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow usbmuxd_t self:unix_stream_socket connectto;
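Review bot: The self capability set grows by `fowner fsetid` and the process permissions change from `{ signal signull }` to `{ signal_perms setrlimit }` with no comment on what usbmuxd does that requires them, and the changelog entry in this commit ("Additional access required by usbmuxd") is equally unspecific. fowner and fsetid let the daemon bypass ownership checks and keep setuid/setgid bits across mode changes, so a one-line why-comment is warranted, e.g. `# fowner/fsetid: <reason>, BZ#<id>` with the placeholders filled in. `signal_perms` also covers sigkill/sigstop on self, which is harmless but worth confirming was intended rather than a side effect of the rewrite; the usbmuxd_t rule block starts before this hunk.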
@@ -104104,7 +104477,7 @@ index facdee8..c43ef2e 100644
+ typeattribute $1 sandbox_caps_domain;
')
diff --git a/virt.te b/virt.te
-index f03dcf5..fe1bceb 100644
+index f03dcf5..e74f60a 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,227 @@
@@ -104889,7 +105262,7 @@ index f03dcf5..fe1bceb 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -555,22 +444,27 @@ dev_rw_vhost(virtd_t)
+@@ -555,20 +444,25 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -104917,11 +105290,8 @@ index f03dcf5..fe1bceb 100644
+fs_read_tmpfs_symlinks(virtd_t)
fs_list_auto_mountpoints(virtd_t)
--fs_getattr_all_fs(virtd_t)
-+fs_getattr_xattr_fs(virtd_t)
+ fs_getattr_all_fs(virtd_t)
fs_rw_anon_inodefs_files(virtd_t)
- fs_list_inotifyfs(virtd_t)
- fs_manage_cgroup_dirs(virtd_t)
@@ -601,15 +495,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -110499,7 +110869,7 @@ index 3416401..676925c 100644
+ allow $1 zebra_unit_file_t:service all_service_perms;
')
diff --git a/zebra.te b/zebra.te
-index 2e80d04..3a76167 100644
+index 2e80d04..5bf04b2 100644
--- a/zebra.te
+++ b/zebra.te
@@ -6,23 +6,26 @@ policy_module(zebra, 1.13.0)
@@ -110629,7 +110999,7 @@ index 2e80d04..3a76167 100644
+files_read_etc_runtime_files(zebra_t)
-miscfiles_read_localization(zebra_t)
-+auth_read_passwd(zebra_t)
++auth_use_nsswitch(zebra_t)
+
+logging_send_syslog_msg(zebra_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6ee3ce09..bfb08536 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 82%{?dist}
+Release: 85%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,41 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Oct 06 2014 Lukas Vrabec 3.13.1-85
+- Allow nova domains to getattr on all filesystems.
+- ALlow zebra for user/group look-ups.
+- Allow lsmd to search own plguins.
+- Allow sssd to read selinux config to add SELinux user mapping.
+- Allow swift to connect to all ephemeral ports by default.
+- Allow NetworkManager to create Bluetooth SDP sockets
+- Allow keepalived manage snmp var lib sock files. BZ(1102228)
+- Added policy for blrtty. BZ(1083162)
+- Allow rhsmcertd manage rpm db. BZ(#1134173)
+- Allow rhsmcertd send signull to setroubleshoot. BZ (#1134173)
+- Label /usr/libexec/rhsmd as rhsmcertd_exec_t
+- Fix broken interfaces
+- Added sendmail_domtrans_unconfined interface
+- Added support for cpuplug. BZ (#1077831)
+- Fix bug in drbd policy, BZ (#1134883)
+- Make keystone_cgi_script_t domain. BZ (#1138424)
+- fix dev_getattr_generic_usb_dev interface
+- Label 4101 tcp port as brlp port
+- Allow libreswan to connect to VPN via NM-libreswan.
+- Add userdom_manage_user_tmpfs_files interface
+
+* Tue Sep 30 2014 Lukas Vrabec 3.13.1-84
+- Allow all domains to read fonts
+- Allow rabbitmq_t read rabbitmq_var_lib_t lnk files. BZ (#1147028)
+- Allow pki-tomcat to change SELinux object identity.
+- Allow radious to connect to apache ports to do OCSP check
+- Allow git cgi scripts to create content in /tmp
+- Allow cockpit-session to do GSSAPI logins.
+
+* Mon Sep 22 2014 Lukas Vrabec 3.13.1-83
+- Make sure /run/systemd/generator and system is labeled correctly on creation.
+- Additional access required by usbmuxd
+- Allow sensord read in /proc BZ(#1143799)
+
* Thu Sep 18 2014 Miroslav Grepl 3.13.1-82
- Allow du running in logwatch_t read hwdata.
- Allow sys_admin capability for antivirus domians.