* Fri Sep 23 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-215

- Make tor_var_run_t as mountpoint. BZ(1368621) - Fix typo in ftpd SELinux module. - Allow cockpit-session to reset expired passwords BZ(1374262) - Allow ftp daemon to manage apache_user_content - Label /etc/sysconfig/oracleasm as oracleasm_conf_t - Allow oracleasm to rw inherited fixed disk device - Allow collectd to connect on unix_stream_socket - Add abrt_dump_oops_t kill user namespace capability. BZ(1376868) - Dontaudit systemd is mounting unlabeled dirs BZ(1367292) - Add interface files_dontaudit_mounton_isid()
2016-09-23 10:24:25 +02:00 · 2016-09-23 10:24:25 +02:00 · 4efe5ab99f
parent c49229e77f
commit 4efe5ab99f
4 changed files with 349 additions and 277 deletions
--- a/docker-selinux.tgz
+++ b/docker-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -10993,7 +10993,7 @@ index b876c48..03f9342 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..0a685ac 100644
+index f962f76..e06a46c 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@ -12840,20 +12840,39 @@ index f962f76..0a685ac 100644
 ')
 
 ########################################
-@@ -3503,10 +4341,10 @@ interface(`files_manage_isid_type_blk_files',`
+@@ -3503,10 +4341,29 @@ interface(`files_manage_isid_type_blk_files',`
 #
 interface(`files_manage_isid_type_chr_files',`
 	gen_require(`
 -		type file_t;
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:chr_file manage_chr_file_perms;
+')
+
+########################################
+## <summary>
+##	Dontaudit Moundon directories on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_mounton_isid',`
+	gen_require(`
 +		type unlabeled_t;
 	')
 
 -	allow $1 file_t:chr_file manage_chr_file_perms;
-+	allow $1 unlabeled_t:chr_file manage_chr_file_perms;
+	dontaudit $1 unlabeled_t:dir mounton;
 ')
 
 ########################################
-@@ -3552,6 +4390,27 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3552,6 +4409,27 @@ interface(`files_dontaudit_getattr_home_dir',`
 
 ########################################
 ## <summary>
@ -12881,7 +12900,7 @@ index f962f76..0a685ac 100644
 ##	Search home directories root (/home).
 ## </summary>
 ## <param name="domain">
-@@ -3814,20 +4673,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4692,38 @@ interface(`files_list_mnt',`
 
 ######################################
 ## <summary>
@ -12925,7 +12944,7 @@ index f962f76..0a685ac 100644
 ')
 
 ########################################
-@@ -4012,6 +4889,12 @@ interface(`files_read_kernel_modules',`
+@@ -4012,6 +4908,12 @@ interface(`files_read_kernel_modules',`
 	allow $1 modules_object_t:dir list_dir_perms;
 	read_files_pattern($1, modules_object_t, modules_object_t)
 	read_lnk_files_pattern($1, modules_object_t, modules_object_t)
@ -12938,7 +12957,7 @@ index f962f76..0a685ac 100644
 ')
 
 ########################################
-@@ -4217,174 +5100,218 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,174 +5119,218 @@ interface(`files_read_world_readable_sockets',`
 	allow $1 readable_t:sock_file read_sock_file_perms;
 ')
 
@ -13243,7 +13262,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4392,53 +5319,56 @@ interface(`files_read_generic_tmp_files',`
+@@ -4392,53 +5338,56 @@ interface(`files_read_generic_tmp_files',`
 ##	</summary>
 ## </param>
 #
@ -13312,7 +13331,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4446,35 +5376,37 @@ interface(`files_read_generic_tmp_symlinks',`
+@@ -4446,35 +5395,37 @@ interface(`files_read_generic_tmp_symlinks',`
 ##	</summary>
 ## </param>
 #
@ -13358,7 +13377,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4482,59 +5414,55 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4482,59 +5433,55 @@ interface(`files_setattr_all_tmp_dirs',`
 ##	</summary>
 ## </param>
 #
@ -13439,7 +13458,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4542,110 +5470,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+@@ -4542,110 +5489,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
 ##	</summary>
 ## </param>
 #
@ -13578,7 +13597,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4653,22 +5569,17 @@ interface(`files_tmp_filetrans',`
+@@ -4653,22 +5588,17 @@ interface(`files_tmp_filetrans',`
 ##	</summary>
 ## </param>
 #
@ -13605,7 +13624,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4676,17 +5587,17 @@ interface(`files_purge_tmp',`
+@@ -4676,17 +5606,17 @@ interface(`files_purge_tmp',`
 ##	</summary>
 ## </param>
 #
@ -13627,7 +13646,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4694,18 +5605,17 @@ interface(`files_setattr_usr_dirs',`
+@@ -4694,18 +5624,17 @@ interface(`files_setattr_usr_dirs',`
 ##	</summary>
 ## </param>
 #
@ -13650,7 +13669,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4713,35 +5623,35 @@ interface(`files_search_usr',`
+@@ -4713,35 +5642,35 @@ interface(`files_search_usr',`
 ##	</summary>
 ## </param>
 #
@ -13695,7 +13714,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4749,36 +5659,35 @@ interface(`files_dontaudit_write_usr_dirs',`
+@@ -4749,36 +5678,35 @@ interface(`files_dontaudit_write_usr_dirs',`
 ##	</summary>
 ## </param>
 #
@ -13741,7 +13760,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4786,17 +5695,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
+@@ -4786,17 +5714,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
 ##	</summary>
 ## </param>
 #
@ -13763,7 +13782,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4804,73 +5713,59 @@ interface(`files_delete_usr_dirs',`
+@@ -4804,73 +5732,59 @@ interface(`files_delete_usr_dirs',`
 ##	</summary>
 ## </param>
 #
@ -13856,7 +13875,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4878,55 +5773,58 @@ interface(`files_read_usr_files',`
+@@ -4878,55 +5792,58 @@ interface(`files_read_usr_files',`
 ##	</summary>
 ## </param>
 #
@ -13931,7 +13950,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4934,67 +5832,70 @@ interface(`files_manage_usr_files',`
+@@ -4934,67 +5851,70 @@ interface(`files_manage_usr_files',`
 ##	</summary>
 ## </param>
 #
@ -14020,7 +14039,7 @@ index f962f76..0a685ac 100644
 ##	</summary>
 ## </param>
 ## <param name="name" optional="true">
-@@ -5003,35 +5904,50 @@ interface(`files_read_usr_symlinks',`
+@@ -5003,35 +5923,50 @@ interface(`files_read_usr_symlinks',`
 ##	</summary>
 ## </param>
 #
@ -14080,7 +14099,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5039,20 +5955,17 @@ interface(`files_dontaudit_search_src',`
+@@ -5039,20 +5974,17 @@ interface(`files_dontaudit_search_src',`
 ##	</summary>
 ## </param>
 #
@ -14105,7 +14124,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5060,20 +5973,18 @@ interface(`files_getattr_usr_src_files',`
+@@ -5060,20 +5992,18 @@ interface(`files_getattr_usr_src_files',`
 ##	</summary>
 ## </param>
 #
@ -14130,7 +14149,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5081,38 +5992,35 @@ interface(`files_read_usr_src_files',`
+@@ -5081,38 +6011,35 @@ interface(`files_read_usr_src_files',`
 ##	</summary>
 ## </param>
 #
@ -14178,7 +14197,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5120,37 +6028,36 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5120,37 +6047,36 @@ interface(`files_create_kernel_symbol_table',`
 ##	</summary>
 ## </param>
 #
@ -14226,7 +14245,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5158,35 +6065,35 @@ interface(`files_delete_kernel_symbol_table',`
+@@ -5158,35 +6084,35 @@ interface(`files_delete_kernel_symbol_table',`
 ##	</summary>
 ## </param>
 #
@ -14271,7 +14290,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5194,36 +6101,55 @@ interface(`files_dontaudit_write_var_dirs',`
+@@ -5194,36 +6120,55 @@ interface(`files_dontaudit_write_var_dirs',`
 ##	</summary>
 ## </param>
 #
@ -14337,7 +14356,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5231,36 +6157,37 @@ interface(`files_dontaudit_search_var',`
+@@ -5231,36 +6176,37 @@ interface(`files_dontaudit_search_var',`
 ##	</summary>
 ## </param>
 #
@ -14385,7 +14404,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5268,17 +6195,17 @@ interface(`files_manage_var_dirs',`
+@@ -5268,17 +6214,17 @@ interface(`files_manage_var_dirs',`
 ##	</summary>
 ## </param>
 #
@ -14407,7 +14426,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5286,17 +6213,17 @@ interface(`files_read_var_files',`
+@@ -5286,17 +6232,17 @@ interface(`files_read_var_files',`
 ##	</summary>
 ## </param>
 #
@ -14429,7 +14448,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5304,73 +6231,86 @@ interface(`files_append_var_files',`
+@@ -5304,73 +6250,86 @@ interface(`files_append_var_files',`
 ##	</summary>
 ## </param>
 #
@ -14536,7 +14555,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5378,50 +6318,41 @@ interface(`files_read_var_symlinks',`
+@@ -5378,50 +6337,41 @@ interface(`files_read_var_symlinks',`
 ##	</summary>
 ## </param>
 #
@ -14601,7 +14620,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5429,69 +6360,56 @@ interface(`files_var_filetrans',`
+@@ -5429,69 +6379,56 @@ interface(`files_var_filetrans',`
 ##	</summary>
 ## </param>
 #
@ -14686,7 +14705,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5499,17 +6417,18 @@ interface(`files_dontaudit_search_var_lib',`
+@@ -5499,17 +6436,18 @@ interface(`files_dontaudit_search_var_lib',`
 ##	</summary>
 ## </param>
 #
@ -14710,7 +14729,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5517,70 +6436,54 @@ interface(`files_list_var_lib',`
+@@ -5517,70 +6455,54 @@ interface(`files_list_var_lib',`
 ##	</summary>
 ## </param>
 #
@ -14794,7 +14813,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5588,41 +6491,36 @@ interface(`files_read_var_lib_files',`
+@@ -5588,41 +6510,36 @@ interface(`files_read_var_lib_files',`
 ##	</summary>
 ## </param>
 #
@ -14846,7 +14865,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5630,36 +6528,36 @@ interface(`files_manage_urandom_seed',`
+@@ -5630,36 +6547,36 @@ interface(`files_manage_urandom_seed',`
 ##	</summary>
 ## </param>
 #
@ -14893,7 +14912,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5667,38 +6565,35 @@ interface(`files_setattr_lock_dirs',`
+@@ -5667,38 +6584,35 @@ interface(`files_setattr_lock_dirs',`
 ##	</summary>
 ## </param>
 #
@ -14941,7 +14960,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5706,19 +6601,17 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,19 +6620,17 @@ interface(`files_dontaudit_search_locks',`
 ##	</summary>
 ## </param>
 #
@ -14965,7 +14984,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5726,60 +6619,54 @@ interface(`files_list_locks',`
+@@ -5726,60 +6638,54 @@ interface(`files_list_locks',`
 ##	</summary>
 ## </param>
 #
@ -15041,7 +15060,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5787,20 +6674,18 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,20 +6693,18 @@ interface(`files_relabel_all_lock_dirs',`
 ##	</summary>
 ## </param>
 #
@ -15067,7 +15086,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5808,63 +6693,68 @@ interface(`files_getattr_generic_locks',`
+@@ -5808,63 +6712,68 @@ interface(`files_getattr_generic_locks',`
 ##	</summary>
 ## </param>
 #
@ -15159,7 +15178,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5872,101 +6762,87 @@ interface(`files_delete_all_locks',`
+@@ -5872,101 +6781,87 @@ interface(`files_delete_all_locks',`
 ##	</summary>
 ## </param>
 #
@ -15296,7 +15315,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5974,19 +6850,17 @@ interface(`files_dontaudit_getattr_pid_dirs',`
+@@ -5974,19 +6869,17 @@ interface(`files_dontaudit_getattr_pid_dirs',`
 ##	</summary>
 ## </param>
 #
@ -15320,7 +15339,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5994,39 +6868,52 @@ interface(`files_setattr_pid_dirs',`
+@@ -5994,39 +6887,52 @@ interface(`files_setattr_pid_dirs',`
 ##	</summary>
 ## </param>
 #
@ -15386,44 +15405,35 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6034,18 +6921,18 @@ interface(`files_dontaudit_search_pids',`
+@@ -6034,18 +6940,1302 @@ interface(`files_dontaudit_search_pids',`
 ##	</summary>
 ## </param>
 #
 -interface(`files_list_pids',`
 +interface(`files_read_var_lib_files',`
 	gen_require(`
-		type var_t, var_run_t;
 +		type var_t, var_lib_t;
- 	')
- 
-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-	list_dirs_pattern($1, var_t, var_run_t)
+	')
+
 +	allow $1 var_lib_t:dir list_dir_perms;
 +	read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
- ')
- 
- ########################################
- ## <summary>
-##	Read generic process ID files.
+')
+
+########################################
+## <summary>
 +##	Read generic symbolic links in /var/lib
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6053,19 +6940,1283 @@ interface(`files_list_pids',`
- ##	</summary>
- ## </param>
- #
-interface(`files_read_generic_pids',`
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 +interface(`files_read_var_lib_symlinks',`
- 	gen_require(`
-		type var_t, var_run_t;
+	gen_require(`
 +		type var_t, var_lib_t;
- 	')
- 
-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-	list_dirs_pattern($1, var_t, var_run_t)
-	read_files_pattern($1, var_run_t, var_run_t)
+	')
+
 +	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
 +')
 +
@ -16522,9 +16532,11 @@ index f962f76..0a685ac 100644
 +interface(`files_delete_all_pid_dirs',`
 +	gen_require(`
 +		attribute pidfile;
-+		type var_t, var_run_t;
-+	')
-+
+ 		type var_t, var_run_t;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
 +	files_search_pids($1)
 +	allow $1 var_t:dir search_dir_perms;
 +	delete_dirs_pattern($1, pidfile, pidfile)
@ -16694,18 +16706,43 @@ index f962f76..0a685ac 100644
 
 ########################################
 ## <summary>
-##	Write named generic process ID pipes
+-##	Read generic process ID files.
 +##	Create, read, write, and delete generic
 +##	spool directories (/var/spool).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6073,43 +8224,170 @@ interface(`files_read_generic_pids',`
+@@ -6053,19 +8243,18 @@ interface(`files_list_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_pids',`
+interface(`files_manage_generic_spool_dirs',`
+ 	gen_require(`
+-		type var_t, var_run_t;
+		type var_t, var_spool_t;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
+-	read_files_pattern($1, var_run_t, var_run_t)
+	allow $1 var_t:dir search_dir_perms;
+	manage_dirs_pattern($1, var_spool_t, var_spool_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Write named generic process ID pipes
+##	Read generic spool files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6073,43 +8262,151 @@ interface(`files_read_generic_pids',`
 ##	</summary>
 ## </param>
 #
 -interface(`files_write_generic_pid_pipes',`
-+interface(`files_manage_generic_spool_dirs',`
+interface(`files_read_generic_spool',`
 	gen_require(`
 -		type var_run_t;
 +		type var_t, var_spool_t;
@ -16713,32 +16750,13 @@ index f962f76..0a685ac 100644
 
 -	allow $1 var_run_t:lnk_file read_lnk_file_perms;
 -	allow $1 var_run_t:fifo_file write;
-+	allow $1 var_t:dir search_dir_perms;
-+	manage_dirs_pattern($1, var_spool_t, var_spool_t)
+	list_dirs_pattern($1, var_t, var_spool_t)
+	read_files_pattern($1, var_spool_t, var_spool_t)
 ')
 
 ########################################
 ## <summary>
 -##	Create an object in the process ID directory, with a private type.
-+##	Read generic spool files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_read_generic_spool',`
-+	gen_require(`
-+		type var_t, var_spool_t;
-+	')
-+
-+	list_dirs_pattern($1, var_t, var_spool_t)
-+	read_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+## <summary>
 +##	Create, read, write, and delete generic
 +##	spool files.
 +## </summary>
@ -16898,7 +16916,7 @@ index f962f76..0a685ac 100644
 ##	</p>
 ## </desc>
 ## <param name="domain">
-@@ -6117,80 +8395,157 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6117,80 +8414,157 @@ interface(`files_write_generic_pid_pipes',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
@ -17085,7 +17103,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6198,19 +8553,17 @@ interface(`files_rw_generic_pids',`
+@@ -6198,19 +8572,17 @@ interface(`files_rw_generic_pids',`
 ##	</summary>
 ## </param>
 #
@ -17109,7 +17127,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6218,18 +8571,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+@@ -6218,18 +8590,17 @@ interface(`files_dontaudit_getattr_all_pids',`
 ##	</summary>
 ## </param>
 #
@ -17132,7 +17150,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6237,129 +8589,119 @@ interface(`files_dontaudit_write_all_pids',`
+@@ -6237,129 +8608,119 @@ interface(`files_dontaudit_write_all_pids',`
 ##	</summary>
 ## </param>
 #
@ -17302,7 +17320,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6367,18 +8709,19 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,18 +8728,19 @@ interface(`files_mounton_all_poly_members',`
 ##	</summary>
 ## </param>
 #
@ -17327,7 +17345,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6386,132 +8729,227 @@ interface(`files_search_spool',`
+@@ -6386,132 +8748,227 @@ interface(`files_search_spool',`
 ##	</summary>
 ## </param>
 #
@ -17601,7 +17619,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6519,53 +8957,17 @@ interface(`files_spool_filetrans',`
+@@ -6519,53 +8976,17 @@ interface(`files_spool_filetrans',`
 ##	</summary>
 ## </param>
 #
@ -17659,7 +17677,7 @@ index f962f76..0a685ac 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6573,10 +8975,10 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +8994,10 @@ interface(`files_polyinstantiate_all',`
 ##	</summary>
 ## </param>
 #
@ -37454,7 +37472,7 @@ index 79a45f6..d092e6e 100644
 +    allow $1 init_var_lib_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..b37411d 100644
+index 17eda24..6e568f7 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -37763,7 +37781,7 @@ index 17eda24..b37411d 100644
 
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
-@@ -186,29 +336,266 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +336,267 @@ ifdef(`distro_gentoo',`
 ')
 
 ifdef(`distro_redhat',`
@ -37907,6 +37925,7 @@ index 17eda24..b37411d 100644
 +files_relabel_var_dirs(init_t)
 +files_relabel_var_lib_dirs(init_t)
 +files_read_kernel_modules(init_t)
+files_dontaudit_mounton_isid(init_t)
 +fs_getattr_all_fs(init_t)
 +fs_manage_cgroup_dirs(init_t)
 +fs_manage_cgroup_files(init_t)
@ -38039,7 +38058,7 @@ index 17eda24..b37411d 100644
 ')
 
 optional_policy(`
-@@ -216,7 +603,30 @@ optional_policy(`
+@@ -216,7 +604,30 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38071,7 +38090,7 @@ index 17eda24..b37411d 100644
 ')
 
 ########################################
-@@ -225,9 +635,9 @@ optional_policy(`
+@@ -225,9 +636,9 @@ optional_policy(`
 #
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -38083,7 +38102,7 @@ index 17eda24..b37411d 100644
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
 
-@@ -258,12 +668,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +669,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -38100,7 +38119,7 @@ index 17eda24..b37411d 100644
 
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +693,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +694,36 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -38143,7 +38162,7 @@ index 17eda24..b37411d 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +730,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +731,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -38155,7 +38174,7 @@ index 17eda24..b37411d 100644
 dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
-@@ -313,8 +742,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +743,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -38166,7 +38185,7 @@ index 17eda24..b37411d 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -322,8 +753,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +754,7 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -38176,7 +38195,7 @@ index 17eda24..b37411d 100644
 
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
-@@ -332,7 +762,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +763,6 @@ domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -38184,7 +38203,7 @@ index 17eda24..b37411d 100644
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -340,6 +769,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +770,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -38192,7 +38211,7 @@ index 17eda24..b37411d 100644
 
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -347,14 +777,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +778,15 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -38210,7 +38229,7 @@ index 17eda24..b37411d 100644
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
-@@ -364,8 +795,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +796,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -38224,7 +38243,7 @@ index 17eda24..b37411d 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -375,10 +810,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +811,11 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -38238,7 +38257,7 @@ index 17eda24..b37411d 100644
 mcs_process_set_categories(initrc_t)
 
 mls_file_read_all_levels(initrc_t)
-@@ -387,8 +823,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +824,10 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -38249,7 +38268,7 @@ index 17eda24..b37411d 100644
 
 storage_getattr_fixed_disk_dev(initrc_t)
 storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +836,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +837,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 
 auth_rw_login_records(initrc_t)
@ -38257,7 +38276,7 @@ index 17eda24..b37411d 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -416,20 +855,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +856,18 @@ logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
 
@ -38281,7 +38300,7 @@ index 17eda24..b37411d 100644
 
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +888,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +889,6 @@ ifdef(`distro_gentoo',`
 	allow initrc_t self:process setfscreate;
 	dev_create_null_dev(initrc_t)
 	dev_create_zero_dev(initrc_t)
@ -38289,7 +38308,7 @@ index 17eda24..b37411d 100644
 	term_create_console_dev(initrc_t)
 
 	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +922,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +923,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 
 	optional_policy(`
@ -38300,7 +38319,7 @@ index 17eda24..b37411d 100644
 		alsa_read_lib(initrc_t)
 	')
 
-@@ -506,7 +946,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +947,7 @@ ifdef(`distro_redhat',`
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -38309,7 +38328,7 @@ index 17eda24..b37411d 100644
 	files_dontaudit_read_root_files(initrc_t)
 
 	# These seem to be from the initrd
-@@ -521,6 +961,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +962,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -38317,7 +38336,7 @@ index 17eda24..b37411d 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +982,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +983,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
@ -38325,7 +38344,7 @@ index 17eda24..b37411d 100644
 
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +992,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +993,44 @@ ifdef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -38370,7 +38389,7 @@ index 17eda24..b37411d 100644
 	')
 
 	optional_policy(`
-@@ -559,14 +1037,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1038,31 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -38402,7 +38421,7 @@ index 17eda24..b37411d 100644
 	')
 ')
 
-@@ -577,6 +1072,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1073,39 @@ ifdef(`distro_suse',`
 	')
 ')
 
@ -38442,7 +38461,7 @@ index 17eda24..b37411d 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1117,8 @@ optional_policy(`
+@@ -589,6 +1118,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -38451,7 +38470,7 @@ index 17eda24..b37411d 100644
 ')
 
 optional_policy(`
-@@ -610,6 +1140,7 @@ optional_policy(`
+@@ -610,6 +1141,7 @@ optional_policy(`
 
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -38459,7 +38478,7 @@ index 17eda24..b37411d 100644
 ')
 
 optional_policy(`
-@@ -626,6 +1157,17 @@ optional_policy(`
+@@ -626,6 +1158,17 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38477,7 +38496,7 @@ index 17eda24..b37411d 100644
 	dev_getattr_printer_dev(initrc_t)
 
 	cups_read_log(initrc_t)
-@@ -642,9 +1184,13 @@ optional_policy(`
+@@ -642,9 +1185,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -38491,7 +38510,7 @@ index 17eda24..b37411d 100644
 	')
 
 	optional_policy(`
-@@ -657,15 +1203,11 @@ optional_policy(`
+@@ -657,15 +1204,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38509,7 +38528,7 @@ index 17eda24..b37411d 100644
 ')
 
 optional_policy(`
-@@ -686,6 +1228,15 @@ optional_policy(`
+@@ -686,6 +1229,15 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38525,7 +38544,7 @@ index 17eda24..b37411d 100644
 	inn_exec_config(initrc_t)
 ')
 
-@@ -726,6 +1277,7 @@ optional_policy(`
+@@ -726,6 +1278,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 
 	lpd_read_config(initrc_t)
@ -38533,7 +38552,7 @@ index 17eda24..b37411d 100644
 ')
 
 optional_policy(`
-@@ -743,7 +1295,13 @@ optional_policy(`
+@@ -743,7 +1296,13 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38548,7 +38567,7 @@ index 17eda24..b37411d 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
 
-@@ -766,6 +1324,10 @@ optional_policy(`
+@@ -766,6 +1325,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38559,7 +38578,7 @@ index 17eda24..b37411d 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -775,10 +1337,20 @@ optional_policy(`
+@@ -775,10 +1338,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38580,7 +38599,7 @@ index 17eda24..b37411d 100644
 	quota_manage_flags(initrc_t)
 ')
 
-@@ -787,6 +1359,10 @@ optional_policy(`
+@@ -787,6 +1360,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38591,7 +38610,7 @@ index 17eda24..b37411d 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
 
-@@ -808,8 +1384,6 @@ optional_policy(`
+@@ -808,8 +1385,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
 
@ -38600,7 +38619,7 @@ index 17eda24..b37411d 100644
 ')
 
 optional_policy(`
-@@ -818,6 +1392,10 @@ optional_policy(`
+@@ -818,6 +1393,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38611,7 +38630,7 @@ index 17eda24..b37411d 100644
 	# shorewall-init script run /var/lib/shorewall/firewall
 	shorewall_lib_domtrans(initrc_t)
 ')
-@@ -827,10 +1405,12 @@ optional_policy(`
+@@ -827,10 +1406,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
 
@ -38624,7 +38643,7 @@ index 17eda24..b37411d 100644
 
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1437,62 @@ optional_policy(`
+@@ -857,21 +1438,62 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38688,7 +38707,7 @@ index 17eda24..b37411d 100644
 ')
 
 optional_policy(`
-@@ -887,6 +1508,10 @@ optional_policy(`
+@@ -887,6 +1509,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38699,7 +38718,7 @@ index 17eda24..b37411d 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
 
-@@ -897,3 +1522,218 @@ optional_policy(`
+@@ -897,3 +1523,218 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -589,7 +589,7 @@ index 058d908..ee0c559 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..22e6c69 100644
+index eb50f07..5f57515 100644
 --- a/abrt.te
 +++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@ -1047,7 +1047,7 @@ index eb50f07..22e6c69 100644
 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
 
 domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +469,78 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +469,79 @@ corecmd_exec_shell(abrt_retrace_worker_t)
 
 dev_read_urand(abrt_retrace_worker_t)
 
@ -1070,6 +1070,7 @@ index eb50f07..22e6c69 100644
 
 -allow abrt_dump_oops_t self:capability dac_override;
 +allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override setuid setgid };
+allow abrt_dump_oops_t self:cap_userns { kill };
 +allow abrt_dump_oops_t self:process setfscreate;
 allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
 -allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
@ -1130,7 +1131,7 @@ index eb50f07..22e6c69 100644
 
 #######################################
 #
-@@ -404,25 +548,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +549,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
 #
 
 allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@ -1193,7 +1194,7 @@ index eb50f07..22e6c69 100644
 ')
 
 #######################################
-@@ -430,10 +609,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +610,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
 # Global local policy
 #
 
@ -3838,7 +3839,7 @@ index 7caefc3..2029082 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/apache.if b/apache.if
-index f6eb485..ce5dba7 100644
+index f6eb485..757b864 100644
 --- a/apache.if
 +++ b/apache.if
@@ -1,9 +1,9 @@
@ -4283,16 +4284,36 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -224,7 +351,7 @@ interface(`apache_read_user_content',`
+@@ -224,7 +351,27 @@ interface(`apache_read_user_content',`
 
 ########################################
 ## <summary>
 -##	Execute httpd with a domain transition.
+##	Manage user web content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_manage_user_content',`
+	gen_require(`
+		type httpd_user_content_t;
+	')
+
+	allow $1 httpd_user_content_t:dir manage_dir_perms;
+	manage_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
+	manage_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
+')
+
+########################################
+## <summary>
 +##	Transition to apache.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -241,27 +368,47 @@ interface(`apache_domtrans',`
+@@ -241,27 +388,47 @@ interface(`apache_domtrans',`
 	domtrans_pattern($1, httpd_exec_t, httpd_t)
 ')
 
@ -4347,7 +4368,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -279,7 +426,7 @@ interface(`apache_signal',`
+@@ -279,7 +446,7 @@ interface(`apache_signal',`
 
 ########################################
 ## <summary>
@ -4356,7 +4377,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -297,7 +444,7 @@ interface(`apache_signull',`
+@@ -297,7 +464,7 @@ interface(`apache_signull',`
 
 ########################################
 ## <summary>
@ -4365,7 +4386,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -315,8 +462,7 @@ interface(`apache_sigchld',`
+@@ -315,8 +482,7 @@ interface(`apache_sigchld',`
 
 ########################################
 ## <summary>
@ -4375,7 +4396,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -334,8 +480,8 @@ interface(`apache_use_fds',`
+@@ -334,8 +500,8 @@ interface(`apache_use_fds',`
 
 ########################################
 ## <summary>
@ -4386,7 +4407,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -348,13 +494,32 @@ interface(`apache_dontaudit_rw_fifo_file',`
+@@ -348,13 +514,32 @@ interface(`apache_dontaudit_rw_fifo_file',`
 		type httpd_t;
 	')
 
@ -4422,7 +4443,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -367,13 +532,13 @@ interface(`apache_dontaudit_rw_stream_sockets',`
+@@ -367,13 +552,13 @@ interface(`apache_dontaudit_rw_stream_sockets',`
 		type httpd_t;
 	')
 
@ -4439,7 +4460,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -391,8 +556,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
+@@ -391,8 +576,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
 
 ########################################
 ## <summary>
@ -4449,7 +4470,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -417,7 +581,8 @@ interface(`apache_manage_all_content',`
+@@ -417,7 +601,8 @@ interface(`apache_manage_all_content',`
 
 ########################################
 ## <summary>
@ -4459,7 +4480,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -435,7 +600,8 @@ interface(`apache_setattr_cache_dirs',`
+@@ -435,7 +620,8 @@ interface(`apache_setattr_cache_dirs',`
 
 ########################################
 ## <summary>
@ -4469,7 +4490,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -453,7 +619,8 @@ interface(`apache_list_cache',`
+@@ -453,7 +639,8 @@ interface(`apache_list_cache',`
 
 ########################################
 ## <summary>
@ -4479,7 +4500,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -471,7 +638,8 @@ interface(`apache_rw_cache_files',`
+@@ -471,7 +658,8 @@ interface(`apache_rw_cache_files',`
 
 ########################################
 ## <summary>
@ -4489,7 +4510,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -489,7 +657,8 @@ interface(`apache_delete_cache_dirs',`
+@@ -489,7 +677,8 @@ interface(`apache_delete_cache_dirs',`
 
 ########################################
 ## <summary>
@ -4499,7 +4520,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -507,49 +676,51 @@ interface(`apache_delete_cache_files',`
+@@ -507,49 +696,51 @@ interface(`apache_delete_cache_files',`
 
 ########################################
 ## <summary>
@ -4562,7 +4583,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -570,8 +741,8 @@ interface(`apache_manage_config',`
+@@ -570,8 +761,8 @@ interface(`apache_manage_config',`
 
 ########################################
 ## <summary>
@ -4573,7 +4594,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -608,16 +779,38 @@ interface(`apache_domtrans_helper',`
+@@ -608,16 +799,38 @@ interface(`apache_domtrans_helper',`
 #
 interface(`apache_run_helper',`
 	gen_require(`
@ -4584,11 +4605,10 @@ index f6eb485..ce5dba7 100644
 	apache_domtrans_helper($1)
 -	roleattribute $2 httpd_helper_roles;
 +	role $2 types httpd_helper_t;
- ')
- 
- ########################################
- ## <summary>
-##	Read httpd log files.
+')
+
+########################################
+## <summary>
 +##	dontaudit attempts to read
 +##	apache log files.
 +## </summary>
@ -4606,16 +4626,17 @@ index f6eb485..ce5dba7 100644
 +
 +	dontaudit $1 httpd_log_t:file read_file_perms;
 +	dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read httpd log files.
 +##	Allow the specified domain to read
 +##	apache log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -639,7 +832,8 @@ interface(`apache_read_log',`
+@@ -639,7 +852,8 @@ interface(`apache_read_log',`
 
 ########################################
 ## <summary>
@ -4625,7 +4646,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -657,10 +851,29 @@ interface(`apache_append_log',`
+@@ -657,10 +871,29 @@ interface(`apache_append_log',`
 	append_files_pattern($1, httpd_log_t, httpd_log_t)
 ')
 
@ -4657,7 +4678,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -678,8 +891,8 @@ interface(`apache_dontaudit_append_log',`
+@@ -678,8 +911,8 @@ interface(`apache_dontaudit_append_log',`
 
 ########################################
 ## <summary>
@ -4668,7 +4689,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -687,20 +900,21 @@ interface(`apache_dontaudit_append_log',`
+@@ -687,20 +920,21 @@ interface(`apache_dontaudit_append_log',`
 ##	</summary>
 ## </param>
 #
@ -4698,7 +4719,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -708,19 +922,21 @@ interface(`apache_manage_log',`
+@@ -708,19 +942,21 @@ interface(`apache_manage_log',`
 ##	</summary>
 ## </param>
 #
@ -4724,7 +4745,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -738,7 +954,8 @@ interface(`apache_dontaudit_search_modules',`
+@@ -738,7 +974,8 @@ interface(`apache_dontaudit_search_modules',`
 
 ########################################
 ## <summary>
@ -4734,7 +4755,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -746,17 +963,19 @@ interface(`apache_dontaudit_search_modules',`
+@@ -746,17 +983,19 @@ interface(`apache_dontaudit_search_modules',`
 ##	</summary>
 ## </param>
 #
@ -4757,7 +4778,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -764,19 +983,19 @@ interface(`apache_list_modules',`
+@@ -764,19 +1003,19 @@ interface(`apache_list_modules',`
 ##	</summary>
 ## </param>
 #
@ -4781,7 +4802,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -784,19 +1003,19 @@ interface(`apache_exec_modules',`
+@@ -784,19 +1023,19 @@ interface(`apache_exec_modules',`
 ##	</summary>
 ## </param>
 #
@ -4806,7 +4827,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -809,13 +1028,50 @@ interface(`apache_domtrans_rotatelogs',`
+@@ -809,13 +1048,50 @@ interface(`apache_domtrans_rotatelogs',`
 		type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
 	')
 
@ -4859,7 +4880,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -829,13 +1085,14 @@ interface(`apache_list_sys_content',`
+@@ -829,13 +1105,14 @@ interface(`apache_list_sys_content',`
 	')
 
 	list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@ -4876,7 +4897,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -844,6 +1101,7 @@ interface(`apache_list_sys_content',`
+@@ -844,6 +1121,7 @@ interface(`apache_list_sys_content',`
 ## </param>
 ## <rolecap/>
 #
@ -4884,32 +4905,28 @@ index f6eb485..ce5dba7 100644
 interface(`apache_manage_sys_content',`
 	gen_require(`
 		type httpd_sys_content_t;
-@@ -855,32 +1113,98 @@ interface(`apache_manage_sys_content',`
+@@ -855,32 +1133,98 @@ interface(`apache_manage_sys_content',`
 	manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
 ')
 
 -########################################
 +######################################
- ## <summary>
-##	Create, read, write, and delete
-##	httpd system rw content.
+## <summary>
 +##	Allow the specified domain to read
 +##	apache system content rw files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 +## <rolecap/>
- #
-interface(`apache_manage_sys_rw_content',`
+#
 +interface(`apache_read_sys_content_rw_files',`
- 	gen_require(`
- 		type httpd_sys_rw_content_t;
- 	')
- 
-	apache_search_sys_content($1)
+	gen_require(`
+		type httpd_sys_rw_content_t;
+	')
+
 +	read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 +')
 +
@ -4934,22 +4951,26 @@ index f6eb485..ce5dba7 100644
 +')
 +
 +######################################
-+## <summary>
+ ## <summary>
+-##	Create, read, write, and delete
+-##	httpd system rw content.
 +##	Allow the specified domain to manage
 +##	apache system content rw files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
 +## <rolecap/>
-+#
+ #
+-interface(`apache_manage_sys_rw_content',`
 +interface(`apache_manage_sys_content_rw',`
-+	gen_require(`
-+		type httpd_sys_rw_content_t;
-+	')
-+
+ 	gen_require(`
+ 		type httpd_sys_rw_content_t;
+ 	')
+ 
+-	apache_search_sys_content($1)
 +	files_search_var($1)
 	manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 -	manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
@ -4991,7 +5012,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -888,10 +1212,17 @@ interface(`apache_manage_sys_rw_content',`
+@@ -888,10 +1232,17 @@ interface(`apache_manage_sys_rw_content',`
 ##	</summary>
 ## </param>
 #
@ -5010,7 +5031,7 @@ index f6eb485..ce5dba7 100644
 	')
 
 	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -901,9 +1232,8 @@ interface(`apache_domtrans_sys_script',`
+@@ -901,9 +1252,8 @@ interface(`apache_domtrans_sys_script',`
 
 ########################################
 ## <summary>
@ -5022,7 +5043,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -916,7 +1246,7 @@ interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
+@@ -916,7 +1266,7 @@ interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
 		type httpd_sys_script_t;
 	')
 
@ -5031,7 +5052,7 @@ index f6eb485..ce5dba7 100644
 ')
 
 ########################################
-@@ -941,7 +1271,7 @@ interface(`apache_domtrans_all_scripts',`
+@@ -941,7 +1291,7 @@ interface(`apache_domtrans_all_scripts',`
 ########################################
 ## <summary>
 ##	Execute all user scripts in the user
@ -5040,7 +5061,7 @@ index f6eb485..ce5dba7 100644
 ##	to the specified role.
 ## </summary>
 ## <param name="domain">
-@@ -954,6 +1284,7 @@ interface(`apache_domtrans_all_scripts',`
+@@ -954,6 +1304,7 @@ interface(`apache_domtrans_all_scripts',`
 ##	Role allowed access.
 ##	</summary>
 ## </param>
@ -5048,7 +5069,7 @@ index f6eb485..ce5dba7 100644
 #
 interface(`apache_run_all_scripts',`
 	gen_require(`
-@@ -966,7 +1297,8 @@ interface(`apache_run_all_scripts',`
+@@ -966,7 +1317,8 @@ interface(`apache_run_all_scripts',`
 
 ########################################
 ## <summary>
@ -5058,7 +5079,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -979,12 +1311,13 @@ interface(`apache_read_squirrelmail_data',`
+@@ -979,12 +1331,13 @@ interface(`apache_read_squirrelmail_data',`
 		type httpd_squirrelmail_t;
 	')
 
@ -5074,7 +5095,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1002,7 +1335,7 @@ interface(`apache_append_squirrelmail_data',`
+@@ -1002,7 +1355,7 @@ interface(`apache_append_squirrelmail_data',`
 
 ########################################
 ## <summary>
@ -5083,7 +5104,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1015,13 +1348,12 @@ interface(`apache_search_sys_content',`
+@@ -1015,13 +1368,12 @@ interface(`apache_search_sys_content',`
 		type httpd_sys_content_t;
 	')
 
@ -5098,7 +5119,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1041,7 +1373,7 @@ interface(`apache_read_sys_content',`
+@@ -1041,7 +1393,7 @@ interface(`apache_read_sys_content',`
 
 ########################################
 ## <summary>
@ -5107,7 +5128,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1059,8 +1391,7 @@ interface(`apache_search_sys_scripts',`
+@@ -1059,8 +1411,7 @@ interface(`apache_search_sys_scripts',`
 
 ########################################
 ## <summary>
@ -5117,7 +5138,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1071,18 +1402,21 @@ interface(`apache_search_sys_scripts',`
+@@ -1071,18 +1422,21 @@ interface(`apache_search_sys_scripts',`
 #
 interface(`apache_manage_all_user_content',`
 	gen_require(`
@ -5145,7 +5166,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1100,7 +1434,8 @@ interface(`apache_search_sys_script_state',`
+@@ -1100,7 +1454,8 @@ interface(`apache_search_sys_script_state',`
 
 ########################################
 ## <summary>
@ -5155,7 +5176,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1117,10 +1452,29 @@ interface(`apache_read_tmp_files',`
+@@ -1117,10 +1472,29 @@ interface(`apache_read_tmp_files',`
 	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
 ')
 
@ -5187,7 +5208,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1133,7 +1487,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1133,7 +1507,7 @@ interface(`apache_dontaudit_write_tmp_files',`
 		type httpd_tmp_t;
 	')
 
@ -5196,7 +5217,7 @@ index f6eb485..ce5dba7 100644
 ')
 
 ########################################
-@@ -1142,6 +1496,9 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1142,6 +1516,9 @@ interface(`apache_dontaudit_write_tmp_files',`
 ## </summary>
 ##	<desc>
 ##	<p>
@ -5206,7 +5227,7 @@ index f6eb485..ce5dba7 100644
 ##	This is an interface to support third party modules
 ##	and its use is not allowed in upstream reference
 ##	policy.
-@@ -1171,8 +1528,31 @@ interface(`apache_cgi_domain',`
+@@ -1171,8 +1548,31 @@ interface(`apache_cgi_domain',`
 
 ########################################
 ## <summary>
@ -5240,7 +5261,7 @@ index f6eb485..ce5dba7 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1189,18 +1569,19 @@ interface(`apache_cgi_domain',`
+@@ -1189,18 +1589,19 @@ interface(`apache_cgi_domain',`
 interface(`apache_admin',`
 	gen_require(`
 		attribute httpdcontent, httpd_script_exec_type;
@ -5269,7 +5290,7 @@ index f6eb485..ce5dba7 100644
 
 	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
 	domain_system_change_exemption($1)
-@@ -1210,10 +1591,10 @@ interface(`apache_admin',`
+@@ -1210,10 +1611,10 @@ interface(`apache_admin',`
 	apache_manage_all_content($1)
 	miscfiles_manage_public_files($1)
 
@ -5283,7 +5304,7 @@ index f6eb485..ce5dba7 100644
 	admin_pattern($1, httpd_log_t)
 
 	admin_pattern($1, httpd_modules_t)
-@@ -1224,9 +1605,182 @@ interface(`apache_admin',`
+@@ -1224,9 +1625,182 @@ interface(`apache_admin',`
 	admin_pattern($1, httpd_var_run_t)
 	files_pid_filetrans($1, httpd_var_run_t, file)
 
@ -5427,9 +5448,7 @@ index f6eb485..ce5dba7 100644
 +	filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs")
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
 +')
- 
-	apache_run_all_scripts($1, $2)
-	apache_run_helper($1, $2)
+
 +########################################
 +## <summary>
 +##	Read apache pid files.
@ -5448,7 +5467,9 @@ index f6eb485..ce5dba7 100644
 +	files_search_pids($1)
 +	read_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
 +')
-+
+ 
+-	apache_run_all_scripts($1, $2)
+-	apache_run_helper($1, $2)
 +########################################
 +## <summary>
 +##      Send and receive messages from
@ -15252,10 +15273,10 @@ index 0000000..d5920c0
 +')
 diff --git a/cockpit.te b/cockpit.te
 new file mode 100644
-index 0000000..77cdd5e
+index 0000000..23ebc59
 --- /dev/null
 +++ b/cockpit.te
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,115 @@
 +policy_module(cockpit, 1.0.0)
 +
 +########################################
@ -15355,10 +15376,14 @@ index 0000000..77cdd5e
 +
 +# cockpit-session runs a full pam stack, including pam_selinux.so
 +auth_login_pgm_domain(cockpit_session_t)
+# cockpit-session resseting expired passwords
+auth_manage_passwd(cockpit_session_t)
+auth_manage_shadow(cockpit_session_t)
 +auth_write_login_records(cockpit_session_t)
 +
 +# cockpit-session can execute cockpit-agent as the user
 +userdom_spec_domtrans_all_users(cockpit_session_t)
+usermanage_read_crack_db(cockpit_session_t)
 +
 +optional_policy(`
 +    userdom_signal_all_users(cockpit_session_t)
@ -15570,7 +15595,7 @@ index 954309e..6780142 100644
 ')
 +
 diff --git a/collectd.te b/collectd.te
-index 6471fa8..b82bae6 100644
+index 6471fa8..cb6a356 100644
 --- a/collectd.te
 +++ b/collectd.te
@@ -26,43 +26,61 @@ files_type(collectd_var_lib_t)
@ -15596,8 +15621,9 @@ index 6471fa8..b82bae6 100644
 allow collectd_t self:process { getsched setsched signal };
 allow collectd_t self:fifo_file rw_fifo_file_perms;
 allow collectd_t self:packet_socket create_socket_perms;
+-allow collectd_t self:unix_stream_socket { accept listen };
 +allow collectd_t self:rawip_socket create_socket_perms;
- allow collectd_t self:unix_stream_socket { accept listen };
+allow collectd_t self:unix_stream_socket { accept listen connectto };
 +allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
 +allow collectd_t self:udp_socket create_socket_perms;
 +allow collectd_t self:rawip_socket create_socket_perms;
@ -29895,7 +29921,7 @@ index 4498143..84a4858 100644
 	ftp_run_ftpdctl($1, $2)
 ')
 diff --git a/ftp.te b/ftp.te
-index 36838c2..21cc5ed 100644
+index 36838c2..34a9ced 100644
 --- a/ftp.te
 +++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
@ -30069,9 +30095,9 @@ index 36838c2..21cc5ed 100644
 +userdom_manage_user_home_content_files(ftpd_t)
 +userdom_manage_user_tmp_dirs(ftpd_t)
 +userdom_manage_user_tmp_files(ftpd_t)
-+
 
 -tunable_policy(`allow_ftpd_anon_write',`
+
 +tunable_policy(`ftpd_anon_write',`
 	miscfiles_manage_public_files(ftpd_t)
 ')
@ -30130,8 +30156,11 @@ index 36838c2..21cc5ed 100644
 -	corenet_sendrecv_oracledb_client_packets(ftpd_t)
 -	corenet_tcp_connect_oracledb_port(ftpd_t)
 -	corenet_tcp_sendrecv_oracledb_port(ftpd_t)
-')
-
+	corenet_sendrecv_oracle_client_packets(ftpd_t)
+	corenet_tcp_connect_oracle_port(ftpd_t)
+	corenet_tcp_sendrecv_oracle_port(ftpd_t)
+ ')
+ 
 -tunable_policy(`ftp_home_dir',`
 -	allow ftpd_t self:capability { dac_override dac_read_search };
 -
@ -30144,11 +30173,8 @@ index 36838c2..21cc5ed 100644
 -',`
 -	userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
 -	userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
-+	corenet_sendrecv_oracle_client_packets(ftpd_t)
-+	corenet_tcp_connect_oracle_port(ftpd_t)
-+	corenet_tcp_sendrecv_oracle_port(ftpd_t)
- ')
- 
+-')
+-
 -tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
 +tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(ftpd_t)
@ -30184,7 +30210,17 @@ index 36838c2..21cc5ed 100644
 	kerberos_use(ftpd_t)
 ')
 
-@@ -416,86 +387,39 @@ optional_policy(`
+@@ -410,92 +381,49 @@ optional_policy(`
+ 	udev_read_db(ftpd_t)
+ ')
+ 
+optional_policy(`
+	apache_manage_user_content(ftpd_t)
+')
+
+ ########################################
+ #
+ # Ctl local policy
 #
 
 stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@ -30244,14 +30280,13 @@ index 36838c2..21cc5ed 100644
 -	fs_manage_nfs_files(sftpd_t)
 -	fs_manage_nfs_symlinks(sftpd_t)
 -')
- 
+-
 -tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
 -	fs_manage_cifs_dirs(sftpd_t)
 -	fs_manage_cifs_files(sftpd_t)
 -	fs_manage_cifs_symlinks(sftpd_t)
 -')
-+userdom_home_reader(sftpd_t)
- 
+-
 -tunable_policy(`sftpd_anon_write',`
 -	miscfiles_manage_public_files(sftpd_t)
 -')
@ -30265,13 +30300,14 @@ index 36838c2..21cc5ed 100644
 -tunable_policy(`sftpd_write_ssh_home',`
 -	ssh_manage_home_files(sftpd_t)
 -')
-
+ 
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_list_cifs(sftpd_t)
 -	fs_read_cifs_files(sftpd_t)
 -	fs_read_cifs_symlinks(sftpd_t)
 -')
-
+userdom_home_reader(sftpd_t)
+ 
 -tunable_policy(`use_nfs_home_dirs',`
 -	fs_list_nfs(sftpd_t)
 -	fs_read_nfs_files(sftpd_t)
@ -67699,13 +67735,15 @@ index 0000000..3bcd32c
 +
 diff --git a/oracleasm.fc b/oracleasm.fc
 new file mode 100644
-index 0000000..c416596
+index 0000000..5655fac
 --- /dev/null
 +++ b/oracleasm.fc
-@@ -0,0 +1,6 @@
+@@ -0,0 +1,8 @@
 +
 +/etc/rc\.d/init\.d/oracleasm	--	gen_context(system_u:object_r:oracleasm_initrc_exec_t,s0)
 +
+/etc/sysconfig/oracleasm(/.*)?	gen_context(system_u:object_r:oracleasm_conf_t,s0)
+
 +/etc/sysconfig/oracleasm-_dev_oracleasm		--	gen_context(system_u:object_r:oracleasm_conf_t,s0)
 +
 +/usr/sbin/oracleasm		--	gen_context(system_u:object_r:oracleasm_exec_t,s0)
@ -67792,10 +67830,10 @@ index 0000000..6ae382c
 +
 diff --git a/oracleasm.te b/oracleasm.te
 new file mode 100644
-index 0000000..48fdbd5
+index 0000000..c4b5ddb
 --- /dev/null
 +++ b/oracleasm.te
-@@ -0,0 +1,64 @@
+@@ -0,0 +1,66 @@
 +policy_module(oracleasm, 1.0.0)
 +
 +########################################
@ -67826,6 +67864,7 @@ index 0000000..48fdbd5
 +allow oracleasm_t self:unix_stream_socket create_stream_socket_perms;
 +
 +allow oracleasm_t oracleasm_conf_t:file manage_file_perms;
+allow oracleasm_t oracleasm_conf_t:dir manage_dir_perms;
 +
 +manage_dirs_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t)
 +manage_files_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t)
@ -67852,6 +67891,7 @@ index 0000000..48fdbd5
 +
 +storage_raw_read_fixed_disk(oracleasm_t)
 +storage_raw_read_removable_device(oracleasm_t)
+storage_rw_inherited_fixed_disk_dev(oracleasm_t)
 +
 +optional_policy(`
 +    mount_domtrans(oracleasm_t)
@ -109549,7 +109589,7 @@ index 61c2e07..3b86095 100644
 +	')
 ')
 diff --git a/tor.te b/tor.te
-index 5ceacde..9353adb 100644
+index 5ceacde..f24416b 100644
 --- a/tor.te
 +++ b/tor.te
@@ -13,6 +13,13 @@ policy_module(tor, 1.9.0)
@ -109566,17 +109606,18 @@ index 5ceacde..9353adb 100644
 type tor_t;
 type tor_exec_t;
 init_daemon_domain(tor_t, tor_exec_t)
-@@ -33,6 +40,9 @@ type tor_var_run_t;
+@@ -32,6 +39,10 @@ logging_log_file(tor_var_log_t)
+ type tor_var_run_t;
 files_pid_file(tor_var_run_t)
 init_daemon_run_dir(tor_var_run_t, "tor")
- 
+files_mountpoint(tor_var_run_t)
+
 +type tor_unit_file_t;
 +systemd_unit_file(tor_unit_file_t)
-+
+ 
 ########################################
 #
- # Local policy
-@@ -48,6 +58,8 @@ allow tor_t tor_etc_t:dir list_dir_perms;
+@@ -48,6 +59,8 @@ allow tor_t tor_etc_t:dir list_dir_perms;
 allow tor_t tor_etc_t:file read_file_perms;
 allow tor_t tor_etc_t:lnk_file read_lnk_file_perms;
 
@ -109585,7 +109626,7 @@ index 5ceacde..9353adb 100644
 manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
 manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
 manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
-@@ -77,7 +89,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
+@@ -77,7 +90,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
 corenet_udp_sendrecv_generic_node(tor_t)
 corenet_tcp_bind_generic_node(tor_t)
 corenet_udp_bind_generic_node(tor_t)
@ -109593,7 +109634,7 @@ index 5ceacde..9353adb 100644
 corenet_sendrecv_dns_server_packets(tor_t)
 corenet_udp_bind_dns_port(tor_t)
 corenet_udp_sendrecv_dns_port(tor_t)
-@@ -85,6 +96,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
+@@ -85,6 +97,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
 corenet_sendrecv_tor_server_packets(tor_t)
 corenet_tcp_bind_tor_port(tor_t)
 corenet_tcp_sendrecv_tor_port(tor_t)
@ -109601,7 +109642,7 @@ index 5ceacde..9353adb 100644
 
 corenet_sendrecv_all_client_packets(tor_t)
 corenet_tcp_connect_all_ports(tor_t)
-@@ -98,19 +110,22 @@ dev_read_urand(tor_t)
+@@ -98,19 +111,22 @@ dev_read_urand(tor_t)
 domain_use_interactive_fds(tor_t)
 
 files_read_etc_runtime_files(tor_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 214%{?dist}
+Release: 215%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -675,6 +675,18 @@ exit 0
 %endif

 %changelog
+* Fri Sep 23 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-215
+- Make tor_var_run_t as mountpoint. BZ(1368621)
+- Fix typo in ftpd SELinux module.
+- Allow cockpit-session to reset expired passwords BZ(1374262)
+- Allow ftp daemon to manage apache_user_content
+- Label /etc/sysconfig/oracleasm as oracleasm_conf_t
+- Allow oracleasm to rw inherited fixed disk device
+- Allow collectd to connect on unix_stream_socket
+- Add abrt_dump_oops_t kill user namespace capability. BZ(1376868)
+- Dontaudit systemd is mounting unlabeled dirs BZ(1367292)
+- Add interface files_dontaudit_mounton_isid()
+
 * Thu Sep 15 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-214
 - Allow attach usb device to virtual machine BZ(1276873)
 - Dontaudit mozilla_plugin to sys_ptrace