diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index ae91b927..088f92ec 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 6af8a03a..b0588bc8 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -10993,7 +10993,7 @@ index b876c48..03f9342 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..0a685ac 100644
+index f962f76..e06a46c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -12840,20 +12840,39 @@ index f962f76..0a685ac 100644
')
########################################
-@@ -3503,10 +4341,10 @@ interface(`files_manage_isid_type_blk_files',`
+@@ -3503,10 +4341,29 @@ interface(`files_manage_isid_type_blk_files',`
#
interface(`files_manage_isid_type_chr_files',`
gen_require(`
- type file_t;
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:chr_file manage_chr_file_perms;
++')
++
++########################################
++##
++## Dontaudit Moundon directories on new filesystems
++## that have not yet been labeled.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_dontaudit_mounton_isid',`
++ gen_require(`
+ type unlabeled_t;
')
- allow $1 file_t:chr_file manage_chr_file_perms;
-+ allow $1 unlabeled_t:chr_file manage_chr_file_perms;
++ dontaudit $1 unlabeled_t:dir mounton;
')
########################################
-@@ -3552,6 +4390,27 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3552,6 +4409,27 @@ interface(`files_dontaudit_getattr_home_dir',`
########################################
##
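Review bot: The summary of the new files_dontaudit_mounton_isid interface reads `## Dontaudit Moundon directories on new filesystems` — "Moundon" should be "Mounton", matching the `mounton` permission in the rule body, so the generated interface documentation is searchable by the right word. The description lines that follow appear to have lost their summary/param markup in this rendering, so confirm the `<param name="domain">` block is intact in the actual patch file. Note also that this interface only silences the AVC; it grants nothing, which callers should be aware of when choosing it over the allowing `files_mounton_isid_type_dirs`.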
@@ -12881,7 +12900,7 @@ index f962f76..0a685ac 100644
## Search home directories root (/home).
##
##
-@@ -3814,20 +4673,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4692,38 @@ interface(`files_list_mnt',`
######################################
##
@@ -12925,7 +12944,7 @@ index f962f76..0a685ac 100644
')
########################################
-@@ -4012,6 +4889,12 @@ interface(`files_read_kernel_modules',`
+@@ -4012,6 +4908,12 @@ interface(`files_read_kernel_modules',`
allow $1 modules_object_t:dir list_dir_perms;
read_files_pattern($1, modules_object_t, modules_object_t)
read_lnk_files_pattern($1, modules_object_t, modules_object_t)
@@ -12938,7 +12957,7 @@ index f962f76..0a685ac 100644
')
########################################
-@@ -4217,174 +5100,218 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,174 +5119,218 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -13243,7 +13262,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -4392,53 +5319,56 @@ interface(`files_read_generic_tmp_files',`
+@@ -4392,53 +5338,56 @@ interface(`files_read_generic_tmp_files',`
##
##
#
@@ -13312,7 +13331,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -4446,35 +5376,37 @@ interface(`files_read_generic_tmp_symlinks',`
+@@ -4446,35 +5395,37 @@ interface(`files_read_generic_tmp_symlinks',`
##
##
#
@@ -13358,7 +13377,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -4482,59 +5414,55 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4482,59 +5433,55 @@ interface(`files_setattr_all_tmp_dirs',`
##
##
#
@@ -13439,7 +13458,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -4542,110 +5470,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+@@ -4542,110 +5489,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
##
##
#
@@ -13578,7 +13597,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -4653,22 +5569,17 @@ interface(`files_tmp_filetrans',`
+@@ -4653,22 +5588,17 @@ interface(`files_tmp_filetrans',`
##
##
#
@@ -13605,7 +13624,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -4676,17 +5587,17 @@ interface(`files_purge_tmp',`
+@@ -4676,17 +5606,17 @@ interface(`files_purge_tmp',`
##
##
#
@@ -13627,7 +13646,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -4694,18 +5605,17 @@ interface(`files_setattr_usr_dirs',`
+@@ -4694,18 +5624,17 @@ interface(`files_setattr_usr_dirs',`
##
##
#
@@ -13650,7 +13669,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -4713,35 +5623,35 @@ interface(`files_search_usr',`
+@@ -4713,35 +5642,35 @@ interface(`files_search_usr',`
##
##
#
@@ -13695,7 +13714,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -4749,36 +5659,35 @@ interface(`files_dontaudit_write_usr_dirs',`
+@@ -4749,36 +5678,35 @@ interface(`files_dontaudit_write_usr_dirs',`
##
##
#
@@ -13741,7 +13760,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -4786,17 +5695,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
+@@ -4786,17 +5714,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
##
##
#
@@ -13763,7 +13782,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -4804,73 +5713,59 @@ interface(`files_delete_usr_dirs',`
+@@ -4804,73 +5732,59 @@ interface(`files_delete_usr_dirs',`
##
##
#
@@ -13856,7 +13875,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -4878,55 +5773,58 @@ interface(`files_read_usr_files',`
+@@ -4878,55 +5792,58 @@ interface(`files_read_usr_files',`
##
##
#
@@ -13931,7 +13950,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -4934,67 +5832,70 @@ interface(`files_manage_usr_files',`
+@@ -4934,67 +5851,70 @@ interface(`files_manage_usr_files',`
##
##
#
@@ -14020,7 +14039,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5003,35 +5904,50 @@ interface(`files_read_usr_symlinks',`
+@@ -5003,35 +5923,50 @@ interface(`files_read_usr_symlinks',`
##
##
#
@@ -14080,7 +14099,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5039,20 +5955,17 @@ interface(`files_dontaudit_search_src',`
+@@ -5039,20 +5974,17 @@ interface(`files_dontaudit_search_src',`
##
##
#
@@ -14105,7 +14124,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5060,20 +5973,18 @@ interface(`files_getattr_usr_src_files',`
+@@ -5060,20 +5992,18 @@ interface(`files_getattr_usr_src_files',`
##
##
#
@@ -14130,7 +14149,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5081,38 +5992,35 @@ interface(`files_read_usr_src_files',`
+@@ -5081,38 +6011,35 @@ interface(`files_read_usr_src_files',`
##
##
#
@@ -14178,7 +14197,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5120,37 +6028,36 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5120,37 +6047,36 @@ interface(`files_create_kernel_symbol_table',`
##
##
#
@@ -14226,7 +14245,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5158,35 +6065,35 @@ interface(`files_delete_kernel_symbol_table',`
+@@ -5158,35 +6084,35 @@ interface(`files_delete_kernel_symbol_table',`
##
##
#
@@ -14271,7 +14290,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5194,36 +6101,55 @@ interface(`files_dontaudit_write_var_dirs',`
+@@ -5194,36 +6120,55 @@ interface(`files_dontaudit_write_var_dirs',`
##
##
#
@@ -14337,7 +14356,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5231,36 +6157,37 @@ interface(`files_dontaudit_search_var',`
+@@ -5231,36 +6176,37 @@ interface(`files_dontaudit_search_var',`
##
##
#
@@ -14385,7 +14404,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5268,17 +6195,17 @@ interface(`files_manage_var_dirs',`
+@@ -5268,17 +6214,17 @@ interface(`files_manage_var_dirs',`
##
##
#
@@ -14407,7 +14426,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5286,17 +6213,17 @@ interface(`files_read_var_files',`
+@@ -5286,17 +6232,17 @@ interface(`files_read_var_files',`
##
##
#
@@ -14429,7 +14448,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5304,73 +6231,86 @@ interface(`files_append_var_files',`
+@@ -5304,73 +6250,86 @@ interface(`files_append_var_files',`
##
##
#
@@ -14536,7 +14555,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5378,50 +6318,41 @@ interface(`files_read_var_symlinks',`
+@@ -5378,50 +6337,41 @@ interface(`files_read_var_symlinks',`
##
##
#
@@ -14601,7 +14620,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5429,69 +6360,56 @@ interface(`files_var_filetrans',`
+@@ -5429,69 +6379,56 @@ interface(`files_var_filetrans',`
##
##
#
@@ -14686,7 +14705,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5499,17 +6417,18 @@ interface(`files_dontaudit_search_var_lib',`
+@@ -5499,17 +6436,18 @@ interface(`files_dontaudit_search_var_lib',`
##
##
#
@@ -14710,7 +14729,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5517,70 +6436,54 @@ interface(`files_list_var_lib',`
+@@ -5517,70 +6455,54 @@ interface(`files_list_var_lib',`
##
##
#
@@ -14794,7 +14813,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5588,41 +6491,36 @@ interface(`files_read_var_lib_files',`
+@@ -5588,41 +6510,36 @@ interface(`files_read_var_lib_files',`
##
##
#
@@ -14846,7 +14865,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5630,36 +6528,36 @@ interface(`files_manage_urandom_seed',`
+@@ -5630,36 +6547,36 @@ interface(`files_manage_urandom_seed',`
##
##
#
@@ -14893,7 +14912,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5667,38 +6565,35 @@ interface(`files_setattr_lock_dirs',`
+@@ -5667,38 +6584,35 @@ interface(`files_setattr_lock_dirs',`
##
##
#
@@ -14941,7 +14960,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5706,19 +6601,17 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,19 +6620,17 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -14965,7 +14984,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5726,60 +6619,54 @@ interface(`files_list_locks',`
+@@ -5726,60 +6638,54 @@ interface(`files_list_locks',`
##
##
#
@@ -15041,7 +15060,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5787,20 +6674,18 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,20 +6693,18 @@ interface(`files_relabel_all_lock_dirs',`
##
##
#
@@ -15067,7 +15086,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5808,63 +6693,68 @@ interface(`files_getattr_generic_locks',`
+@@ -5808,63 +6712,68 @@ interface(`files_getattr_generic_locks',`
##
##
#
@@ -15159,7 +15178,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5872,101 +6762,87 @@ interface(`files_delete_all_locks',`
+@@ -5872,101 +6781,87 @@ interface(`files_delete_all_locks',`
##
##
#
@@ -15296,7 +15315,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5974,19 +6850,17 @@ interface(`files_dontaudit_getattr_pid_dirs',`
+@@ -5974,19 +6869,17 @@ interface(`files_dontaudit_getattr_pid_dirs',`
##
##
#
@@ -15320,7 +15339,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -5994,39 +6868,52 @@ interface(`files_setattr_pid_dirs',`
+@@ -5994,39 +6887,52 @@ interface(`files_setattr_pid_dirs',`
##
##
#
@@ -15386,44 +15405,35 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -6034,18 +6921,18 @@ interface(`files_dontaudit_search_pids',`
+@@ -6034,18 +6940,1302 @@ interface(`files_dontaudit_search_pids',`
##
##
#
-interface(`files_list_pids',`
+interface(`files_read_var_lib_files',`
gen_require(`
-- type var_t, var_run_t;
+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
++ ')
++
+ allow $1 var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
- ')
-
- ########################################
- ##
--## Read generic process ID files.
++')
++
++########################################
++##
+## Read generic symbolic links in /var/lib
- ##
- ##
- ##
-@@ -6053,19 +6940,1283 @@ interface(`files_list_pids',`
- ##
- ##
- #
--interface(`files_read_generic_pids',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_read_var_lib_symlinks',`
- gen_require(`
-- type var_t, var_run_t;
++ gen_require(`
+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-- read_files_pattern($1, var_run_t, var_run_t)
++ ')
++
+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+')
+
@@ -16522,9 +16532,11 @@ index f962f76..0a685ac 100644
+interface(`files_delete_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
-+ type var_t, var_run_t;
-+ ')
-+
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+ files_search_pids($1)
+ allow $1 var_t:dir search_dir_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
@@ -16694,18 +16706,43 @@ index f962f76..0a685ac 100644
########################################
##
--## Write named generic process ID pipes
+-## Read generic process ID files.
+## Create, read, write, and delete generic
+## spool directories (/var/spool).
##
##
##
-@@ -6073,43 +8224,170 @@ interface(`files_read_generic_pids',`
+@@ -6053,19 +8243,18 @@ interface(`files_list_pids',`
+ ##
+ ##
+ #
+-interface(`files_read_generic_pids',`
++interface(`files_manage_generic_spool_dirs',`
+ gen_require(`
+- type var_t, var_run_t;
++ type var_t, var_spool_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+- read_files_pattern($1, var_run_t, var_run_t)
++ allow $1 var_t:dir search_dir_perms;
++ manage_dirs_pattern($1, var_spool_t, var_spool_t)
+ ')
+
+ ########################################
+ ##
+-## Write named generic process ID pipes
++## Read generic spool files.
+ ##
+ ##
+ ##
+@@ -6073,43 +8262,151 @@ interface(`files_read_generic_pids',`
##
##
#
-interface(`files_write_generic_pid_pipes',`
-+interface(`files_manage_generic_spool_dirs',`
++interface(`files_read_generic_spool',`
gen_require(`
- type var_run_t;
+ type var_t, var_spool_t;
@@ -16713,32 +16750,13 @@ index f962f76..0a685ac 100644
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- allow $1 var_run_t:fifo_file write;
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
++ list_dirs_pattern($1, var_t, var_spool_t)
++ read_files_pattern($1, var_spool_t, var_spool_t)
')
########################################
##
-## Create an object in the process ID directory, with a private type.
-+## Read generic spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_generic_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ list_dirs_pattern($1, var_t, var_spool_t)
-+ read_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
+## Create, read, write, and delete generic
+## spool files.
+##
@@ -16898,7 +16916,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -6117,80 +8395,157 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6117,80 +8414,157 @@ interface(`files_write_generic_pid_pipes',`
## Domain allowed access.
##
##
@@ -17085,7 +17103,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -6198,19 +8553,17 @@ interface(`files_rw_generic_pids',`
+@@ -6198,19 +8572,17 @@ interface(`files_rw_generic_pids',`
##
##
#
@@ -17109,7 +17127,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -6218,18 +8571,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+@@ -6218,18 +8590,17 @@ interface(`files_dontaudit_getattr_all_pids',`
##
##
#
@@ -17132,7 +17150,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -6237,129 +8589,119 @@ interface(`files_dontaudit_write_all_pids',`
+@@ -6237,129 +8608,119 @@ interface(`files_dontaudit_write_all_pids',`
##
##
#
@@ -17302,7 +17320,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -6367,18 +8709,19 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,18 +8728,19 @@ interface(`files_mounton_all_poly_members',`
##
##
#
@@ -17327,7 +17345,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -6386,132 +8729,227 @@ interface(`files_search_spool',`
+@@ -6386,132 +8748,227 @@ interface(`files_search_spool',`
##
##
#
@@ -17601,7 +17619,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -6519,53 +8957,17 @@ interface(`files_spool_filetrans',`
+@@ -6519,53 +8976,17 @@ interface(`files_spool_filetrans',`
##
##
#
@@ -17659,7 +17677,7 @@ index f962f76..0a685ac 100644
##
##
##
-@@ -6573,10 +8975,10 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +8994,10 @@ interface(`files_polyinstantiate_all',`
##
##
#
@@ -37454,7 +37472,7 @@ index 79a45f6..d092e6e 100644
+ allow $1 init_var_lib_t:dir search_dir_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..b37411d 100644
+index 17eda24..6e568f7 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -37763,7 +37781,7 @@ index 17eda24..b37411d 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +336,266 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +336,267 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -37907,6 +37925,7 @@ index 17eda24..b37411d 100644
+files_relabel_var_dirs(init_t)
+files_relabel_var_lib_dirs(init_t)
+files_read_kernel_modules(init_t)
++files_dontaudit_mounton_isid(init_t)
+fs_getattr_all_fs(init_t)
+fs_manage_cgroup_dirs(init_t)
+fs_manage_cgroup_files(init_t)
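Review bot: `files_dontaudit_mounton_isid(init_t)` suppresses the mounton denial on unlabeled_t directories rather than granting it, so if init genuinely needs to mount on a not-yet-labeled directory the mount still fails, now without an AVC to diagnose it. The initrc_t block later in this same file uses the allowing form `files_mounton_isid_type_dirs(initrc_t)`, so the asymmetry looks deliberate but is undocumented. Confirm the dontaudit is intended for init_t (a harmless probe rather than a required mount) and record that on the line above it, e.g. `# <bug id>: harmless mounton attempts on unlabeled dirs before relabel`.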
@@ -38039,7 +38058,7 @@ index 17eda24..b37411d 100644
')
optional_policy(`
-@@ -216,7 +603,30 @@ optional_policy(`
+@@ -216,7 +604,30 @@ optional_policy(`
')
optional_policy(`
@@ -38071,7 +38090,7 @@ index 17eda24..b37411d 100644
')
########################################
-@@ -225,9 +635,9 @@ optional_policy(`
+@@ -225,9 +636,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -38083,7 +38102,7 @@ index 17eda24..b37411d 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +668,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +669,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -38100,7 +38119,7 @@ index 17eda24..b37411d 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +693,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +694,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -38143,7 +38162,7 @@ index 17eda24..b37411d 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +730,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +731,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -38155,7 +38174,7 @@ index 17eda24..b37411d 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +742,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +743,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -38166,7 +38185,7 @@ index 17eda24..b37411d 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +753,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +754,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -38176,7 +38195,7 @@ index 17eda24..b37411d 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +762,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +763,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -38184,7 +38203,7 @@ index 17eda24..b37411d 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +769,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +770,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -38192,7 +38211,7 @@ index 17eda24..b37411d 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +777,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +778,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -38210,7 +38229,7 @@ index 17eda24..b37411d 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +795,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +796,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -38224,7 +38243,7 @@ index 17eda24..b37411d 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +810,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +811,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -38238,7 +38257,7 @@ index 17eda24..b37411d 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,8 +823,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +824,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -38249,7 +38268,7 @@ index 17eda24..b37411d 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +836,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +837,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -38257,7 +38276,7 @@ index 17eda24..b37411d 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +855,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +856,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -38281,7 +38300,7 @@ index 17eda24..b37411d 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +888,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +889,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -38289,7 +38308,7 @@ index 17eda24..b37411d 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +922,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +923,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -38300,7 +38319,7 @@ index 17eda24..b37411d 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +946,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +947,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -38309,7 +38328,7 @@ index 17eda24..b37411d 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +961,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +962,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -38317,7 +38336,7 @@ index 17eda24..b37411d 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +982,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +983,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -38325,7 +38344,7 @@ index 17eda24..b37411d 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +992,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +993,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -38370,7 +38389,7 @@ index 17eda24..b37411d 100644
')
optional_policy(`
-@@ -559,14 +1037,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1038,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -38402,7 +38421,7 @@ index 17eda24..b37411d 100644
')
')
-@@ -577,6 +1072,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1073,39 @@ ifdef(`distro_suse',`
')
')
@@ -38442,7 +38461,7 @@ index 17eda24..b37411d 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1117,8 @@ optional_policy(`
+@@ -589,6 +1118,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -38451,7 +38470,7 @@ index 17eda24..b37411d 100644
')
optional_policy(`
-@@ -610,6 +1140,7 @@ optional_policy(`
+@@ -610,6 +1141,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -38459,7 +38478,7 @@ index 17eda24..b37411d 100644
')
optional_policy(`
-@@ -626,6 +1157,17 @@ optional_policy(`
+@@ -626,6 +1158,17 @@ optional_policy(`
')
optional_policy(`
@@ -38477,7 +38496,7 @@ index 17eda24..b37411d 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1184,13 @@ optional_policy(`
+@@ -642,9 +1185,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -38491,7 +38510,7 @@ index 17eda24..b37411d 100644
')
optional_policy(`
-@@ -657,15 +1203,11 @@ optional_policy(`
+@@ -657,15 +1204,11 @@ optional_policy(`
')
optional_policy(`
@@ -38509,7 +38528,7 @@ index 17eda24..b37411d 100644
')
optional_policy(`
-@@ -686,6 +1228,15 @@ optional_policy(`
+@@ -686,6 +1229,15 @@ optional_policy(`
')
optional_policy(`
@@ -38525,7 +38544,7 @@ index 17eda24..b37411d 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1277,7 @@ optional_policy(`
+@@ -726,6 +1278,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -38533,7 +38552,7 @@ index 17eda24..b37411d 100644
')
optional_policy(`
-@@ -743,7 +1295,13 @@ optional_policy(`
+@@ -743,7 +1296,13 @@ optional_policy(`
')
optional_policy(`
@@ -38548,7 +38567,7 @@ index 17eda24..b37411d 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1324,10 @@ optional_policy(`
+@@ -766,6 +1325,10 @@ optional_policy(`
')
optional_policy(`
@@ -38559,7 +38578,7 @@ index 17eda24..b37411d 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1337,20 @@ optional_policy(`
+@@ -775,10 +1338,20 @@ optional_policy(`
')
optional_policy(`
@@ -38580,7 +38599,7 @@ index 17eda24..b37411d 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1359,10 @@ optional_policy(`
+@@ -787,6 +1360,10 @@ optional_policy(`
')
optional_policy(`
@@ -38591,7 +38610,7 @@ index 17eda24..b37411d 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1384,6 @@ optional_policy(`
+@@ -808,8 +1385,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -38600,7 +38619,7 @@ index 17eda24..b37411d 100644
')
optional_policy(`
-@@ -818,6 +1392,10 @@ optional_policy(`
+@@ -818,6 +1393,10 @@ optional_policy(`
')
optional_policy(`
@@ -38611,7 +38630,7 @@ index 17eda24..b37411d 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1405,12 @@ optional_policy(`
+@@ -827,10 +1406,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -38624,7 +38643,7 @@ index 17eda24..b37411d 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1437,62 @@ optional_policy(`
+@@ -857,21 +1438,62 @@ optional_policy(`
')
optional_policy(`
@@ -38688,7 +38707,7 @@ index 17eda24..b37411d 100644
')
optional_policy(`
-@@ -887,6 +1508,10 @@ optional_policy(`
+@@ -887,6 +1509,10 @@ optional_policy(`
')
optional_policy(`
@@ -38699,7 +38718,7 @@ index 17eda24..b37411d 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1522,218 @@ optional_policy(`
+@@ -897,3 +1523,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index ecd1d07d..9253e174 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -589,7 +589,7 @@ index 058d908..ee0c559 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index eb50f07..22e6c69 100644
+index eb50f07..5f57515 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -1047,7 +1047,7 @@ index eb50f07..22e6c69 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +469,78 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +469,79 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -1070,6 +1070,7 @@ index eb50f07..22e6c69 100644
-allow abrt_dump_oops_t self:capability dac_override;
+allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override setuid setgid };
++allow abrt_dump_oops_t self:cap_userns { kill };
+allow abrt_dump_oops_t self:process setfscreate;
allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
-allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
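Review bot: The new `allow abrt_dump_oops_t self:cap_userns { kill };` carries no comment naming the denial it resolves, and user-namespace capability grants are easy to lose track of once the originating report is gone. A one-line comment above it, e.g. `# cap_userns kill: <bug id / audit denial reference>`, would make the rule auditable later. Given the domain already holds a broad capability set on the preceding line (kill, net_admin, sys_ptrace, dac_override, …), it is also worth confirming the userns kill was observed in audit logs rather than added pre-emptively.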
@@ -1130,7 +1131,7 @@ index eb50f07..22e6c69 100644
#######################################
#
-@@ -404,25 +548,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +549,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1193,7 +1194,7 @@ index eb50f07..22e6c69 100644
')
#######################################
-@@ -430,10 +609,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +610,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
@@ -3838,7 +3839,7 @@ index 7caefc3..2029082 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
-index f6eb485..ce5dba7 100644
+index f6eb485..757b864 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
@@ -4283,16 +4284,36 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -224,7 +351,7 @@ interface(`apache_read_user_content',`
+@@ -224,7 +351,27 @@ interface(`apache_read_user_content',`
########################################
##
-## Execute httpd with a domain transition.
++## Manage user web content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`apache_manage_user_content',`
++ gen_require(`
++ type httpd_user_content_t;
++ ')
++
++ allow $1 httpd_user_content_t:dir manage_dir_perms;
++ manage_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
++ manage_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
++')
++
++########################################
++##
+## Transition to apache.
##
##
##
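Review bot: In the new apache_manage_user_content interface the directory rule is a bare `allow $1 httpd_user_content_t:dir manage_dir_perms;` while the file and symlink rules use the `manage_*_pattern` macros; for consistency with the two lines below it, the directory line would read `manage_dirs_pattern($1, httpd_user_content_t, httpd_user_content_t)`. The summary and parameter lines appear to have lost their markup in this rendering, so check that the `<param name="domain">` block is present in the actual patch. The interface grants full write access to user web content, so callers should be limited to domains that genuinely edit that content.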
-@@ -241,27 +368,47 @@ interface(`apache_domtrans',`
+@@ -241,27 +388,47 @@ interface(`apache_domtrans',`
domtrans_pattern($1, httpd_exec_t, httpd_t)
')
@@ -4347,7 +4368,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -279,7 +426,7 @@ interface(`apache_signal',`
+@@ -279,7 +446,7 @@ interface(`apache_signal',`
########################################
##
@@ -4356,7 +4377,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -297,7 +444,7 @@ interface(`apache_signull',`
+@@ -297,7 +464,7 @@ interface(`apache_signull',`
########################################
##
@@ -4365,7 +4386,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -315,8 +462,7 @@ interface(`apache_sigchld',`
+@@ -315,8 +482,7 @@ interface(`apache_sigchld',`
########################################
##
@@ -4375,7 +4396,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -334,8 +480,8 @@ interface(`apache_use_fds',`
+@@ -334,8 +500,8 @@ interface(`apache_use_fds',`
########################################
##
@@ -4386,7 +4407,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -348,13 +494,32 @@ interface(`apache_dontaudit_rw_fifo_file',`
+@@ -348,13 +514,32 @@ interface(`apache_dontaudit_rw_fifo_file',`
type httpd_t;
')
@@ -4422,7 +4443,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -367,13 +532,13 @@ interface(`apache_dontaudit_rw_stream_sockets',`
+@@ -367,13 +552,13 @@ interface(`apache_dontaudit_rw_stream_sockets',`
type httpd_t;
')
@@ -4439,7 +4460,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -391,8 +556,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
+@@ -391,8 +576,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
########################################
##
@@ -4449,7 +4470,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -417,7 +581,8 @@ interface(`apache_manage_all_content',`
+@@ -417,7 +601,8 @@ interface(`apache_manage_all_content',`
########################################
##
@@ -4459,7 +4480,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -435,7 +600,8 @@ interface(`apache_setattr_cache_dirs',`
+@@ -435,7 +620,8 @@ interface(`apache_setattr_cache_dirs',`
########################################
##
@@ -4469,7 +4490,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -453,7 +619,8 @@ interface(`apache_list_cache',`
+@@ -453,7 +639,8 @@ interface(`apache_list_cache',`
########################################
##
@@ -4479,7 +4500,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -471,7 +638,8 @@ interface(`apache_rw_cache_files',`
+@@ -471,7 +658,8 @@ interface(`apache_rw_cache_files',`
########################################
##
@@ -4489,7 +4510,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -489,7 +657,8 @@ interface(`apache_delete_cache_dirs',`
+@@ -489,7 +677,8 @@ interface(`apache_delete_cache_dirs',`
########################################
##
@@ -4499,7 +4520,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -507,49 +676,51 @@ interface(`apache_delete_cache_files',`
+@@ -507,49 +696,51 @@ interface(`apache_delete_cache_files',`
########################################
##
@@ -4562,7 +4583,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -570,8 +741,8 @@ interface(`apache_manage_config',`
+@@ -570,8 +761,8 @@ interface(`apache_manage_config',`
########################################
##
@@ -4573,7 +4594,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -608,16 +779,38 @@ interface(`apache_domtrans_helper',`
+@@ -608,16 +799,38 @@ interface(`apache_domtrans_helper',`
#
interface(`apache_run_helper',`
gen_require(`
@@ -4584,11 +4605,10 @@ index f6eb485..ce5dba7 100644
apache_domtrans_helper($1)
- roleattribute $2 httpd_helper_roles;
+ role $2 types httpd_helper_t;
- ')
-
- ########################################
- ##
--## Read httpd log files.
++')
++
++########################################
++##
+## dontaudit attempts to read
+## apache log files.
+##
@@ -4606,16 +4626,17 @@ index f6eb485..ce5dba7 100644
+
+ dontaudit $1 httpd_log_t:file read_file_perms;
+ dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read httpd log files.
+## Allow the specified domain to read
+## apache log files.
##
##
##
-@@ -639,7 +832,8 @@ interface(`apache_read_log',`
+@@ -639,7 +852,8 @@ interface(`apache_read_log',`
########################################
##
@@ -4625,7 +4646,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -657,10 +851,29 @@ interface(`apache_append_log',`
+@@ -657,10 +871,29 @@ interface(`apache_append_log',`
append_files_pattern($1, httpd_log_t, httpd_log_t)
')
@@ -4657,7 +4678,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -678,8 +891,8 @@ interface(`apache_dontaudit_append_log',`
+@@ -678,8 +911,8 @@ interface(`apache_dontaudit_append_log',`
########################################
##
@@ -4668,7 +4689,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -687,20 +900,21 @@ interface(`apache_dontaudit_append_log',`
+@@ -687,20 +920,21 @@ interface(`apache_dontaudit_append_log',`
##
##
#
@@ -4698,7 +4719,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -708,19 +922,21 @@ interface(`apache_manage_log',`
+@@ -708,19 +942,21 @@ interface(`apache_manage_log',`
##
##
#
@@ -4724,7 +4745,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -738,7 +954,8 @@ interface(`apache_dontaudit_search_modules',`
+@@ -738,7 +974,8 @@ interface(`apache_dontaudit_search_modules',`
########################################
##
@@ -4734,7 +4755,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -746,17 +963,19 @@ interface(`apache_dontaudit_search_modules',`
+@@ -746,17 +983,19 @@ interface(`apache_dontaudit_search_modules',`
##
##
#
@@ -4757,7 +4778,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -764,19 +983,19 @@ interface(`apache_list_modules',`
+@@ -764,19 +1003,19 @@ interface(`apache_list_modules',`
##
##
#
@@ -4781,7 +4802,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -784,19 +1003,19 @@ interface(`apache_exec_modules',`
+@@ -784,19 +1023,19 @@ interface(`apache_exec_modules',`
##
##
#
@@ -4806,7 +4827,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -809,13 +1028,50 @@ interface(`apache_domtrans_rotatelogs',`
+@@ -809,13 +1048,50 @@ interface(`apache_domtrans_rotatelogs',`
type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
')
@@ -4859,7 +4880,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -829,13 +1085,14 @@ interface(`apache_list_sys_content',`
+@@ -829,13 +1105,14 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -4876,7 +4897,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -844,6 +1101,7 @@ interface(`apache_list_sys_content',`
+@@ -844,6 +1121,7 @@ interface(`apache_list_sys_content',`
##
##
#
@@ -4884,32 +4905,28 @@ index f6eb485..ce5dba7 100644
interface(`apache_manage_sys_content',`
gen_require(`
type httpd_sys_content_t;
-@@ -855,32 +1113,98 @@ interface(`apache_manage_sys_content',`
+@@ -855,32 +1133,98 @@ interface(`apache_manage_sys_content',`
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
-########################################
+######################################
- ##
--## Create, read, write, and delete
--## httpd system rw content.
++##
+## Allow the specified domain to read
+## apache system content rw files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`apache_manage_sys_rw_content',`
++#
+interface(`apache_read_sys_content_rw_files',`
- gen_require(`
- type httpd_sys_rw_content_t;
- ')
-
-- apache_search_sys_content($1)
++ gen_require(`
++ type httpd_sys_rw_content_t;
++ ')
++
+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
@@ -4934,22 +4951,26 @@ index f6eb485..ce5dba7 100644
+')
+
+######################################
-+##
+ ##
+-## Create, read, write, and delete
+-## httpd system rw content.
+## Allow the specified domain to manage
+## apache system content rw files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
-+#
+ #
+-interface(`apache_manage_sys_rw_content',`
+interface(`apache_manage_sys_content_rw',`
-+ gen_require(`
-+ type httpd_sys_rw_content_t;
-+ ')
-+
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+- apache_search_sys_content($1)
+ files_search_var($1)
manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
- manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
@@ -4991,7 +5012,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -888,10 +1212,17 @@ interface(`apache_manage_sys_rw_content',`
+@@ -888,10 +1232,17 @@ interface(`apache_manage_sys_rw_content',`
##
##
#
@@ -5010,7 +5031,7 @@ index f6eb485..ce5dba7 100644
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -901,9 +1232,8 @@ interface(`apache_domtrans_sys_script',`
+@@ -901,9 +1252,8 @@ interface(`apache_domtrans_sys_script',`
########################################
##
@@ -5022,7 +5043,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -916,7 +1246,7 @@ interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
+@@ -916,7 +1266,7 @@ interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
type httpd_sys_script_t;
')
@@ -5031,7 +5052,7 @@ index f6eb485..ce5dba7 100644
')
########################################
-@@ -941,7 +1271,7 @@ interface(`apache_domtrans_all_scripts',`
+@@ -941,7 +1291,7 @@ interface(`apache_domtrans_all_scripts',`
########################################
##
## Execute all user scripts in the user
@@ -5040,7 +5061,7 @@ index f6eb485..ce5dba7 100644
## to the specified role.
##
##
-@@ -954,6 +1284,7 @@ interface(`apache_domtrans_all_scripts',`
+@@ -954,6 +1304,7 @@ interface(`apache_domtrans_all_scripts',`
## Role allowed access.
##
##
@@ -5048,7 +5069,7 @@ index f6eb485..ce5dba7 100644
#
interface(`apache_run_all_scripts',`
gen_require(`
-@@ -966,7 +1297,8 @@ interface(`apache_run_all_scripts',`
+@@ -966,7 +1317,8 @@ interface(`apache_run_all_scripts',`
########################################
##
@@ -5058,7 +5079,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -979,12 +1311,13 @@ interface(`apache_read_squirrelmail_data',`
+@@ -979,12 +1331,13 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
@@ -5074,7 +5095,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -1002,7 +1335,7 @@ interface(`apache_append_squirrelmail_data',`
+@@ -1002,7 +1355,7 @@ interface(`apache_append_squirrelmail_data',`
########################################
##
@@ -5083,7 +5104,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -1015,13 +1348,12 @@ interface(`apache_search_sys_content',`
+@@ -1015,13 +1368,12 @@ interface(`apache_search_sys_content',`
type httpd_sys_content_t;
')
@@ -5098,7 +5119,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -1041,7 +1373,7 @@ interface(`apache_read_sys_content',`
+@@ -1041,7 +1393,7 @@ interface(`apache_read_sys_content',`
########################################
##
@@ -5107,7 +5128,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -1059,8 +1391,7 @@ interface(`apache_search_sys_scripts',`
+@@ -1059,8 +1411,7 @@ interface(`apache_search_sys_scripts',`
########################################
##
@@ -5117,7 +5138,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -1071,18 +1402,21 @@ interface(`apache_search_sys_scripts',`
+@@ -1071,18 +1422,21 @@ interface(`apache_search_sys_scripts',`
#
interface(`apache_manage_all_user_content',`
gen_require(`
@@ -5145,7 +5166,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -1100,7 +1434,8 @@ interface(`apache_search_sys_script_state',`
+@@ -1100,7 +1454,8 @@ interface(`apache_search_sys_script_state',`
########################################
##
@@ -5155,7 +5176,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -1117,10 +1452,29 @@ interface(`apache_read_tmp_files',`
+@@ -1117,10 +1472,29 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -5187,7 +5208,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -1133,7 +1487,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1133,7 +1507,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
@@ -5196,7 +5217,7 @@ index f6eb485..ce5dba7 100644
')
########################################
-@@ -1142,6 +1496,9 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1142,6 +1516,9 @@ interface(`apache_dontaudit_write_tmp_files',`
##
##
##
@@ -5206,7 +5227,7 @@ index f6eb485..ce5dba7 100644
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
-@@ -1171,8 +1528,31 @@ interface(`apache_cgi_domain',`
+@@ -1171,8 +1548,31 @@ interface(`apache_cgi_domain',`
########################################
##
@@ -5240,7 +5261,7 @@ index f6eb485..ce5dba7 100644
##
##
##
-@@ -1189,18 +1569,19 @@ interface(`apache_cgi_domain',`
+@@ -1189,18 +1589,19 @@ interface(`apache_cgi_domain',`
interface(`apache_admin',`
gen_require(`
attribute httpdcontent, httpd_script_exec_type;
@@ -5269,7 +5290,7 @@ index f6eb485..ce5dba7 100644
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -1210,10 +1591,10 @@ interface(`apache_admin',`
+@@ -1210,10 +1611,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
@@ -5283,7 +5304,7 @@ index f6eb485..ce5dba7 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1224,9 +1605,182 @@ interface(`apache_admin',`
+@@ -1224,9 +1625,182 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -5427,9 +5448,7 @@ index f6eb485..ce5dba7 100644
+ filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs")
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
+')
-
-- apache_run_all_scripts($1, $2)
-- apache_run_helper($1, $2)
++
+########################################
+##
+## Read apache pid files.
@@ -5448,7 +5467,9 @@ index f6eb485..ce5dba7 100644
+ files_search_pids($1)
+ read_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
+')
-+
+
+- apache_run_all_scripts($1, $2)
+- apache_run_helper($1, $2)
+########################################
+##
+## Send and receive messages from
@@ -15252,10 +15273,10 @@ index 0000000..d5920c0
+')
diff --git a/cockpit.te b/cockpit.te
new file mode 100644
-index 0000000..77cdd5e
+index 0000000..23ebc59
--- /dev/null
+++ b/cockpit.te
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,115 @@
+policy_module(cockpit, 1.0.0)
+
+########################################
@@ -15355,10 +15376,14 @@ index 0000000..77cdd5e
+
+# cockpit-session runs a full pam stack, including pam_selinux.so
+auth_login_pgm_domain(cockpit_session_t)
++# cockpit-session resseting expired passwords
++auth_manage_passwd(cockpit_session_t)
++auth_manage_shadow(cockpit_session_t)
+auth_write_login_records(cockpit_session_t)
+
+# cockpit-session can execute cockpit-agent as the user
+userdom_spec_domtrans_all_users(cockpit_session_t)
++usermanage_read_crack_db(cockpit_session_t)
+
+optional_policy(`
+ userdom_signal_all_users(cockpit_session_t)
@@ -15570,7 +15595,7 @@ index 954309e..6780142 100644
')
+
diff --git a/collectd.te b/collectd.te
-index 6471fa8..b82bae6 100644
+index 6471fa8..cb6a356 100644
--- a/collectd.te
+++ b/collectd.te
@@ -26,43 +26,61 @@ files_type(collectd_var_lib_t)
@@ -15596,8 +15621,9 @@ index 6471fa8..b82bae6 100644
allow collectd_t self:process { getsched setsched signal };
allow collectd_t self:fifo_file rw_fifo_file_perms;
allow collectd_t self:packet_socket create_socket_perms;
+-allow collectd_t self:unix_stream_socket { accept listen };
+allow collectd_t self:rawip_socket create_socket_perms;
- allow collectd_t self:unix_stream_socket { accept listen };
++allow collectd_t self:unix_stream_socket { accept listen connectto };
+allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+allow collectd_t self:udp_socket create_socket_perms;
+allow collectd_t self:rawip_socket create_socket_perms;
@@ -29895,7 +29921,7 @@ index 4498143..84a4858 100644
ftp_run_ftpdctl($1, $2)
')
diff --git a/ftp.te b/ftp.te
-index 36838c2..21cc5ed 100644
+index 36838c2..34a9ced 100644
--- a/ftp.te
+++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
@@ -30069,9 +30095,9 @@ index 36838c2..21cc5ed 100644
+userdom_manage_user_home_content_files(ftpd_t)
+userdom_manage_user_tmp_dirs(ftpd_t)
+userdom_manage_user_tmp_files(ftpd_t)
-+
-tunable_policy(`allow_ftpd_anon_write',`
++
+tunable_policy(`ftpd_anon_write',`
miscfiles_manage_public_files(ftpd_t)
')
@@ -30130,8 +30156,11 @@ index 36838c2..21cc5ed 100644
- corenet_sendrecv_oracledb_client_packets(ftpd_t)
- corenet_tcp_connect_oracledb_port(ftpd_t)
- corenet_tcp_sendrecv_oracledb_port(ftpd_t)
--')
--
++ corenet_sendrecv_oracle_client_packets(ftpd_t)
++ corenet_tcp_connect_oracle_port(ftpd_t)
++ corenet_tcp_sendrecv_oracle_port(ftpd_t)
+ ')
+
-tunable_policy(`ftp_home_dir',`
- allow ftpd_t self:capability { dac_override dac_read_search };
-
@@ -30144,11 +30173,8 @@ index 36838c2..21cc5ed 100644
-',`
- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
-+ corenet_sendrecv_oracle_client_packets(ftpd_t)
-+ corenet_tcp_connect_oracle_port(ftpd_t)
-+ corenet_tcp_sendrecv_oracle_port(ftpd_t)
- ')
-
+-')
+-
-tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
+tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(ftpd_t)
@@ -30184,7 +30210,17 @@ index 36838c2..21cc5ed 100644
kerberos_use(ftpd_t)
')
-@@ -416,86 +387,39 @@ optional_policy(`
+@@ -410,92 +381,49 @@ optional_policy(`
+ udev_read_db(ftpd_t)
+ ')
+
++optional_policy(`
++ apache_manage_user_content(ftpd_t)
++')
++
+ ########################################
+ #
+ # Ctl local policy
#
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
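Review bot: `apache_manage_user_content(ftpd_t)` covers only `httpd_user_content_t`, while the apache filetrans rules elsewhere in this same patch create `httpd_user_content_ra_t` (`logs`) and `httpd_user_htaccess_t` (`.htaccess`) underneath that type, so an FTP user managing their public_html tree will still be denied on those entries; either extend the interface to the sibling user-content types or note at this call site that they are deliberately excluded, e.g. `# write access to per-user web content (logs/.htaccess types intentionally not covered)`. The grant is unconditional, consistent with the unconditional `userdom_manage_user_home_content_files(ftpd_t)` already in this file, but it applies to anonymous sessions too since they run in the same ftpd_t domain — if that is not intended it belongs under whatever boolean the file keeps for home-content writes (not visible in this chunk).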
@@ -30244,14 +30280,13 @@ index 36838c2..21cc5ed 100644
- fs_manage_nfs_files(sftpd_t)
- fs_manage_nfs_symlinks(sftpd_t)
-')
-
+-
-tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
- fs_manage_cifs_dirs(sftpd_t)
- fs_manage_cifs_files(sftpd_t)
- fs_manage_cifs_symlinks(sftpd_t)
-')
-+userdom_home_reader(sftpd_t)
-
+-
-tunable_policy(`sftpd_anon_write',`
- miscfiles_manage_public_files(sftpd_t)
-')
@@ -30265,13 +30300,14 @@ index 36838c2..21cc5ed 100644
-tunable_policy(`sftpd_write_ssh_home',`
- ssh_manage_home_files(sftpd_t)
-')
--
+
-tunable_policy(`use_samba_home_dirs',`
- fs_list_cifs(sftpd_t)
- fs_read_cifs_files(sftpd_t)
- fs_read_cifs_symlinks(sftpd_t)
-')
--
++userdom_home_reader(sftpd_t)
+
-tunable_policy(`use_nfs_home_dirs',`
- fs_list_nfs(sftpd_t)
- fs_read_nfs_files(sftpd_t)
@@ -67699,13 +67735,15 @@ index 0000000..3bcd32c
+
diff --git a/oracleasm.fc b/oracleasm.fc
new file mode 100644
-index 0000000..c416596
+index 0000000..5655fac
--- /dev/null
+++ b/oracleasm.fc
-@@ -0,0 +1,6 @@
+@@ -0,0 +1,8 @@
+
+/etc/rc\.d/init\.d/oracleasm -- gen_context(system_u:object_r:oracleasm_initrc_exec_t,s0)
+
++/etc/sysconfig/oracleasm(/.*)? gen_context(system_u:object_r:oracleasm_conf_t,s0)
++
+/etc/sysconfig/oracleasm-_dev_oracleasm -- gen_context(system_u:object_r:oracleasm_conf_t,s0)
+
+/usr/sbin/oracleasm -- gen_context(system_u:object_r:oracleasm_exec_t,s0)
@@ -67792,10 +67830,10 @@ index 0000000..6ae382c
+
diff --git a/oracleasm.te b/oracleasm.te
new file mode 100644
-index 0000000..48fdbd5
+index 0000000..c4b5ddb
--- /dev/null
+++ b/oracleasm.te
-@@ -0,0 +1,64 @@
+@@ -0,0 +1,66 @@
+policy_module(oracleasm, 1.0.0)
+
+########################################
@@ -67826,6 +67864,7 @@ index 0000000..48fdbd5
+allow oracleasm_t self:unix_stream_socket create_stream_socket_perms;
+
+allow oracleasm_t oracleasm_conf_t:file manage_file_perms;
++allow oracleasm_t oracleasm_conf_t:dir manage_dir_perms;
+
+manage_dirs_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t)
+manage_files_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t)
@@ -67852,6 +67891,7 @@ index 0000000..48fdbd5
+
+storage_raw_read_fixed_disk(oracleasm_t)
+storage_raw_read_removable_device(oracleasm_t)
++storage_rw_inherited_fixed_disk_dev(oracleasm_t)
+
+optional_policy(`
+ mount_domtrans(oracleasm_t)
@@ -109549,7 +109589,7 @@ index 61c2e07..3b86095 100644
+ ')
')
diff --git a/tor.te b/tor.te
-index 5ceacde..9353adb 100644
+index 5ceacde..f24416b 100644
--- a/tor.te
+++ b/tor.te
@@ -13,6 +13,13 @@ policy_module(tor, 1.9.0)
@@ -109566,17 +109606,18 @@ index 5ceacde..9353adb 100644
type tor_t;
type tor_exec_t;
init_daemon_domain(tor_t, tor_exec_t)
-@@ -33,6 +40,9 @@ type tor_var_run_t;
+@@ -32,6 +39,10 @@ logging_log_file(tor_var_log_t)
+ type tor_var_run_t;
files_pid_file(tor_var_run_t)
init_daemon_run_dir(tor_var_run_t, "tor")
-
++files_mountpoint(tor_var_run_t)
++
+type tor_unit_file_t;
+systemd_unit_file(tor_unit_file_t)
-+
+
########################################
#
- # Local policy
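Review bot: `files_mountpoint(tor_var_run_t)` adds the runtime directory to the generic `mountpoint` attribute, so every domain holding `mounton` on that attribute — not only the mounter behind BZ 1368621 — may mount over /run/tor; if the mounter is a single known domain, a targeted `mounton` rule on `tor_var_run_t` in that domain's module (or its `*_mounton` interface, if one exists) is the narrower fix. If the attribute route is kept, a comment naming the mounter would record why, e.g. `# <mounter> mounts on /run/tor (BZ 1368621)`, with the mounter filled in from the bug since it is not visible here.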
-@@ -48,6 +58,8 @@ allow tor_t tor_etc_t:dir list_dir_perms;
+@@ -48,6 +59,8 @@ allow tor_t tor_etc_t:dir list_dir_perms;
allow tor_t tor_etc_t:file read_file_perms;
allow tor_t tor_etc_t:lnk_file read_lnk_file_perms;
@@ -109585,7 +109626,7 @@ index 5ceacde..9353adb 100644
manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
-@@ -77,7 +89,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
+@@ -77,7 +90,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
corenet_udp_sendrecv_generic_node(tor_t)
corenet_tcp_bind_generic_node(tor_t)
corenet_udp_bind_generic_node(tor_t)
@@ -109593,7 +109634,7 @@ index 5ceacde..9353adb 100644
corenet_sendrecv_dns_server_packets(tor_t)
corenet_udp_bind_dns_port(tor_t)
corenet_udp_sendrecv_dns_port(tor_t)
-@@ -85,6 +96,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
+@@ -85,6 +97,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
corenet_sendrecv_tor_server_packets(tor_t)
corenet_tcp_bind_tor_port(tor_t)
corenet_tcp_sendrecv_tor_port(tor_t)
@@ -109601,7 +109642,7 @@ index 5ceacde..9353adb 100644
corenet_sendrecv_all_client_packets(tor_t)
corenet_tcp_connect_all_ports(tor_t)
-@@ -98,19 +110,22 @@ dev_read_urand(tor_t)
+@@ -98,19 +111,22 @@ dev_read_urand(tor_t)
domain_use_interactive_fds(tor_t)
files_read_etc_runtime_files(tor_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 206fb7fb..29e1857a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 214%{?dist}
+Release: 215%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -675,6 +675,18 @@ exit 0
%endif
%changelog
+* Fri Sep 23 2016 Lukas Vrabec 3.13.1-215
+- Make tor_var_run_t as mountpoint. BZ(1368621)
+- Fix typo in ftpd SELinux module.
+- Allow cockpit-session to reset expired passwords BZ(1374262)
+- Allow ftp daemon to manage apache_user_content
+- Label /etc/sysconfig/oracleasm as oracleasm_conf_t
+- Allow oracleasm to rw inherited fixed disk device
+- Allow collectd to connect on unix_stream_socket
+- Add abrt_dump_oops_t kill user namespace capability. BZ(1376868)
+- Dontaudit systemd is mounting unlabeled dirs BZ(1367292)
+- Add interface files_dontaudit_mounton_isid()
+
* Thu Sep 15 2016 Lukas Vrabec 3.13.1-214
- Allow attach usb device to virtual machine BZ(1276873)
- Dontaudit mozilla_plugin to sys_ptrace