* Wed Jan 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-166

- Allow logrotate to systemctl rsyslog service. BZ(1284173) - Allow condor_master_t domain capability chown. BZ(1297048) - Allow chronyd to be dbus bus client. BZ(1297129) - Allow openvswitch read/write hugetlb filesystem. - Revert "Allow openvswitch read/write hugetlb filesystem." - Allow smbcontrol domain to send sigchld to ctdbd domain. - Allow openvswitch read/write hugetlb filesystem. - Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib - Label /var/log/ipareplica-conncheck.log file as ipa_log_t Allow ipa_helper_t domain to manage logs labeledas ipa_log_t Allow ipa_helper_t to connect on http and kerberos_passwd ports. BZ(1289930) - Allow keepalived to connect to 3306/tcp port - mysqld_port_t. - Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib - Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib - Merge pull request #86 from rhatdan/rawhide-contrib - Label some new nsd binaries as nsd_exec_t Allow nsd domain net_admin cap. Create label nsd_tmp_t for nsd tmp files/dirs BZ (1293146) - Added interface logging_systemctl_syslogd - Label rsyslog unit file - Added policy for systemd-coredump service. Added domain transition from kernel_t to systemd_coredump_t. Allow syslogd_t domain to read/write tmpfs systemd-coredump files. Make new domain uconfined for now.
2016-01-13 16:26:02 +01:00 · 2016-01-13 16:26:02 +01:00 · 5d165e36c4
commit 5d165e36c4
parent 936bb7a648
4 changed files with 289 additions and 121 deletions
--- a/docker-selinux.tgz
+++ b/docker-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -19566,7 +19566,7 @@ index e100d88..65a3b6d 100644
 +')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..a85c5d7 100644
+index 8dbab4c..7c405f5 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@ -19722,7 +19722,7 @@ index 8dbab4c..a85c5d7 100644
 corecmd_exec_shell(kernel_t)
 corecmd_list_bin(kernel_t)
-@@ -277,25 +315,54 @@ files_list_root(kernel_t)
+@@ -277,13 +315,23 @@ files_list_root(kernel_t)
 files_list_etc(kernel_t)
 files_list_home(kernel_t)
 files_read_usr_files(kernel_t)
@ -19746,11 +19746,10 @@ index 8dbab4c..a85c5d7 100644
 ifdef(`distro_redhat',`
 	# Bugzilla 222337
- 	fs_rw_tmpfs_chr_files(kernel_t)
+@@ -291,11 +339,29 @@ ifdef(`distro_redhat',`
 ')
-+
+ optional_policy(`
 +optional_policy(`
 +    abrt_filetrans_named_content(kernel_t)
 +    abrt_dump_oops_domtrans(kernel_t)
 +')
@ -19767,7 +19766,7 @@ index 8dbab4c..a85c5d7 100644
 +	kerberos_filetrans_home_content(kernel_t)
 +')
 +
- optional_policy(`
+optional_policy(`
 	hotplug_search_config(kernel_t)
 ')
@ -19777,7 +19776,7 @@ index 8dbab4c..a85c5d7 100644
 ')
 optional_policy(`
-@@ -305,6 +372,19 @@ optional_policy(`
+@@ -305,6 +371,19 @@ optional_policy(`
 optional_policy(`
 	logging_send_syslog_msg(kernel_t)
@ -19797,7 +19796,7 @@ index 8dbab4c..a85c5d7 100644
 ')
 optional_policy(`
-@@ -312,6 +392,11 @@ optional_policy(`
+@@ -312,6 +391,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -19809,7 +19808,7 @@ index 8dbab4c..a85c5d7 100644
 	# nfs kernel server needs kernel UDP access. It is less risky and painful
 	# to just give it everything.
 	allow kernel_t self:tcp_socket create_stream_socket_perms;
-@@ -332,9 +417,6 @@ optional_policy(`
+@@ -332,9 +416,6 @@ optional_policy(`
 	sysnet_read_config(kernel_t)
@ -19819,7 +19818,7 @@ index 8dbab4c..a85c5d7 100644
 	rpc_udp_rw_nfs_sockets(kernel_t)
 	tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +425,7 @@ optional_policy(`
+@@ -343,9 +424,7 @@ optional_policy(`
 		fs_read_noxattr_fs_files(kernel_t)
 		fs_read_noxattr_fs_symlinks(kernel_t)
@ -19830,7 +19829,7 @@ index 8dbab4c..a85c5d7 100644
 	')
 	tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +434,7 @@ optional_policy(`
+@@ -354,7 +433,7 @@ optional_policy(`
 		fs_read_noxattr_fs_files(kernel_t)
 		fs_read_noxattr_fs_symlinks(kernel_t)
@ -19839,7 +19838,14 @@ index 8dbab4c..a85c5d7 100644
 	')
 ')
-@@ -367,6 +447,15 @@ optional_policy(`
+@@ -364,9 +443,22 @@ optional_policy(`
 ')
 optional_policy(`
 +	systemd_coredump_domtrans(kernel_t)
 +')
 +
 +optional_policy(`
 	unconfined_domain_noaudit(kernel_t)
 ')
@ -19855,7 +19861,7 @@ index 8dbab4c..a85c5d7 100644
 ########################################
 #
 # Unlabeled process local policy
-@@ -399,14 +488,39 @@ if( ! secure_mode_insmod ) {
+@@ -399,14 +491,39 @@ if( ! secure_mode_insmod ) {
 # Rules for unconfined acccess to this module
 #
@ -37265,10 +37271,10 @@ index 446fa99..22f539c 100644
 +	plymouthd_exec_plymouth(sulogin_t)
 ')
 diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index b50c5fe..13da95a 100644
+index b50c5fe..5c39fe5 100644
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
-@@ -1,11 +1,14 @@
+@@ -1,11 +1,15 @@
 -/dev/log		-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 +/dev/log		-l	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
@ -37280,11 +37286,12 @@ index b50c5fe..13da95a 100644
 /etc/rc\.d/init\.d/rsyslog --	gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
 +/usr/lib/systemd/system/auditd.*	--	gen_context(system_u:object_r:auditd_unit_file_t,s0)
 +/usr/lib/systemd/system/syslogd.*	--	gen_context(system_u:object_r:syslogd_unit_file_t,s0)
 +
 /sbin/audispd		--	gen_context(system_u:object_r:audisp_exec_t,s0)
 /sbin/audisp-remote	--	gen_context(system_u:object_r:audisp_remote_exec_t,s0)
 /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
-@@ -17,12 +20,25 @@
+@@ -17,12 +21,25 @@
 /sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
@ -37311,7 +37318,7 @@ index b50c5fe..13da95a 100644
 /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 /var/lib/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
-@@ -38,21 +54,22 @@ ifdef(`distro_suse', `
+@@ -38,21 +55,22 @@ ifdef(`distro_suse', `
 /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
 /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
@ -37337,7 +37344,7 @@ index b50c5fe..13da95a 100644
 ')
 /var/run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
-@@ -65,11 +82,16 @@ ifdef(`distro_redhat',`
+@@ -65,11 +83,16 @@ ifdef(`distro_redhat',`
 /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /var/run/syslog-ng.ctl	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 /var/run/syslog-ng(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,s0)
@ -37356,7 +37363,7 @@ index b50c5fe..13da95a 100644
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 +
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e94884..3c33045 100644
+index 4e94884..41a18bc 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@ -37470,21 +37477,14 @@ index 4e94884..3c33045 100644
 +interface(`logging_create_devlog_dev',`
 +	gen_require(`
 +		type devlog_t;
- 	')
+	')
- 
+
 -	allow $1 devlog_t:lnk_file read_lnk_file_perms;
 -	allow $1 devlog_t:sock_file write_sock_file_perms;
 +	allow $1 devlog_t:lnk_file manage_lnk_file_perms;
 +	dev_filetrans($1, devlog_t, lnk_file, "log")
 +	init_pid_filetrans($1, devlog_t, sock_file, "syslog")
 +    logging_syslogd_pid_filetrans($1, devlog_t, sock_file, "dev-log")
 +')
- 
+
 -	# the type of socket depends on the syslog daemon
 -	allow $1 syslogd_t:unix_dgram_socket sendto;
 -	allow $1 syslogd_t:unix_stream_socket connectto;
 -	allow $1 self:unix_dgram_socket create_socket_perms;
 -	allow $1 self:unix_stream_socket create_socket_perms;
 +########################################
 +## <summary>
 +##	Relabel the devlog sock_file.
@ -37498,16 +37498,19 @@ index 4e94884..3c33045 100644
 +interface(`logging_relabel_devlog_dev',`
 +	gen_require(`
 +		type devlog_t;
-+	')
+ 	')
-	# If syslog is down, the glibc syslog() function
+-	allow $1 devlog_t:lnk_file read_lnk_file_perms;
-	# will write to the console.
+-	allow $1 devlog_t:sock_file write_sock_file_perms;
 -	term_write_console($1)
 -	term_dontaudit_read_console($1)
 +	allow $1 devlog_t:sock_file relabel_sock_file_perms;
 +	allow $1 devlog_t:lnk_file relabelto_lnk_file_perms;
 +')
-+
+ 
 -	# the type of socket depends on the syslog daemon
 -	allow $1 syslogd_t:unix_dgram_socket sendto;
 -	allow $1 syslogd_t:unix_stream_socket connectto;
 -	allow $1 self:unix_dgram_socket create_socket_perms;
 -	allow $1 self:unix_stream_socket create_socket_perms;
 +########################################
 +## <summary>
 +##	Allow domain to read the syslog pid files.
@ -37522,7 +37525,11 @@ index 4e94884..3c33045 100644
 +	gen_require(`
 +		type syslogd_var_run_t;
 +	')
-+
+ 
 -	# If syslog is down, the glibc syslog() function
 -	# will write to the console.
 -	term_write_console($1)
 -	term_dontaudit_read_console($1)
 +    read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 +    list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 +')
@ -37767,7 +37774,7 @@ index 4e94884..3c33045 100644
 	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
 	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
-@@ -1004,6 +1286,33 @@ interface(`logging_admin_audit',`
+@@ -1004,6 +1286,55 @@ interface(`logging_admin_audit',`
 	domain_system_change_exemption($1)
 	role_transition $2 auditd_initrc_exec_t system_r;
 	allow $2 system_r;
@ -37798,10 +37805,32 @@ index 4e94884..3c33045 100644
 +	allow $1 auditd_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, auditd_t)
 +')
 +########################################
 +## <summary>
 +##	Execute auditd server in the auditd domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed to transition.
 +##	</summary>
 +## </param>
 +#
 +interface(`logging_systemctl_syslogd',`
 +	gen_require(`
 +		type syslogd_t;
 +		type syslogd_unit_file_t;
 +	')
 +
 +	systemd_exec_systemctl($1)
 +	allow $1 syslogd_unit_file_t:file read_file_perms;
 +	allow $1 syslog_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, syslogd_t)
 ')
 ########################################
-@@ -1032,10 +1341,15 @@ interface(`logging_admin_syslog',`
+@@ -1032,10 +1363,15 @@ interface(`logging_admin_syslog',`
 		type syslogd_initrc_exec_t;
 	')
@ -37819,7 +37848,7 @@ index 4e94884..3c33045 100644
 	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
 	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
-@@ -1057,6 +1371,8 @@ interface(`logging_admin_syslog',`
+@@ -1057,6 +1393,8 @@ interface(`logging_admin_syslog',`
 	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 	logging_manage_all_logs($1)
@ -37828,7 +37857,7 @@ index 4e94884..3c33045 100644
 	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
 	domain_system_change_exemption($1)
-@@ -1085,3 +1401,90 @@ interface(`logging_admin',`
+@@ -1085,3 +1423,90 @@ interface(`logging_admin',`
 	logging_admin_audit($1, $2)
 	logging_admin_syslog($1, $2)
 ')
@ -37920,7 +37949,7 @@ index 4e94884..3c33045 100644
 +	filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4)
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..e1ec2e8 100644
+index 59b04c1..6810e0b 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
@@ -4,6 +4,29 @@ policy_module(logging, 1.20.1)
@ -37979,7 +38008,7 @@ index 59b04c1..e1ec2e8 100644
 type syslogd_initrc_exec_t;
 init_script_file(syslogd_initrc_exec_t)
-@@ -71,11 +99,15 @@ init_script_file(syslogd_initrc_exec_t)
+@@ -71,16 +99,23 @@ init_script_file(syslogd_initrc_exec_t)
 type syslogd_tmp_t;
 files_tmp_file(syslogd_tmp_t)
@ -37995,7 +38024,15 @@ index 59b04c1..e1ec2e8 100644
 type var_log_t;
 logging_log_file(var_log_t)
-@@ -94,6 +126,8 @@ ifdef(`enable_mls',`
+ files_mountpoint(var_log_t)
 +type syslogd_unit_file_t;
 +systemd_unit_file(syslogd_unit_file_t)
 +
 ifdef(`enable_mls',`
 	init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
 	init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
@@ -94,6 +129,8 @@ ifdef(`enable_mls',`
 allow auditctl_t self:capability { fsetid dac_read_search dac_override };
 allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
@ -38004,7 +38041,7 @@ index 59b04c1..e1ec2e8 100644
 read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
 allow auditctl_t auditd_etc_t:dir list_dir_perms;
-@@ -111,7 +145,9 @@ domain_use_interactive_fds(auditctl_t)
+@@ -111,7 +148,9 @@ domain_use_interactive_fds(auditctl_t)
 mls_file_read_all_levels(auditctl_t)
@ -38015,7 +38052,7 @@ index 59b04c1..e1ec2e8 100644
 init_dontaudit_use_fds(auditctl_t)
-@@ -136,9 +172,10 @@ allow auditd_t self:tcp_socket create_stream_socket_perms;
+@@ -136,9 +175,10 @@ allow auditd_t self:tcp_socket create_stream_socket_perms;
 allow auditd_t auditd_etc_t:dir list_dir_perms;
 allow auditd_t auditd_etc_t:file read_file_perms;
@ -38027,7 +38064,7 @@ index 59b04c1..e1ec2e8 100644
 manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
 manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
-@@ -148,6 +185,7 @@ kernel_read_kernel_sysctls(auditd_t)
+@@ -148,6 +188,7 @@ kernel_read_kernel_sysctls(auditd_t)
 # Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
 # Probably want a transition, and a new auditd_helper app
 kernel_read_system_state(auditd_t)
@ -38035,7 +38072,7 @@ index 59b04c1..e1ec2e8 100644
 dev_read_sysfs(auditd_t)
-@@ -155,9 +193,6 @@ fs_getattr_all_fs(auditd_t)
+@@ -155,9 +196,6 @@ fs_getattr_all_fs(auditd_t)
 fs_search_auto_mountpoints(auditd_t)
 fs_rw_anon_inodefs_files(auditd_t)
@ -38045,7 +38082,7 @@ index 59b04c1..e1ec2e8 100644
 corenet_all_recvfrom_netlabel(auditd_t)
 corenet_tcp_sendrecv_generic_if(auditd_t)
 corenet_tcp_sendrecv_generic_node(auditd_t)
-@@ -183,16 +218,17 @@ logging_send_syslog_msg(auditd_t)
+@@ -183,16 +221,17 @@ logging_send_syslog_msg(auditd_t)
 logging_domtrans_dispatcher(auditd_t)
 logging_signal_dispatcher(auditd_t)
@ -38067,7 +38104,7 @@ index 59b04c1..e1ec2e8 100644
 userdom_dontaudit_use_unpriv_user_fds(auditd_t)
 userdom_dontaudit_search_user_home_dirs(auditd_t)
-@@ -237,19 +273,29 @@ corecmd_exec_shell(audisp_t)
+@@ -237,19 +276,29 @@ corecmd_exec_shell(audisp_t)
 domain_use_interactive_fds(audisp_t)
@ -38099,7 +38136,7 @@ index 59b04c1..e1ec2e8 100644
 ')
 ########################################
-@@ -266,9 +312,10 @@ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+@@ -266,9 +315,10 @@ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
 manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
 files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
@ -38111,7 +38148,7 @@ index 59b04c1..e1ec2e8 100644
 corenet_all_recvfrom_netlabel(audisp_remote_t)
 corenet_tcp_sendrecv_generic_if(audisp_remote_t)
 corenet_tcp_sendrecv_generic_node(audisp_remote_t)
-@@ -280,13 +327,26 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -280,13 +330,26 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
 files_read_etc_files(audisp_remote_t)
@ -38139,7 +38176,7 @@ index 59b04c1..e1ec2e8 100644
 ########################################
 #
 # klogd local policy
-@@ -326,7 +386,6 @@ files_read_etc_files(klogd_t)
+@@ -326,7 +389,6 @@ files_read_etc_files(klogd_t)
 logging_send_syslog_msg(klogd_t)
@ -38147,7 +38184,7 @@ index 59b04c1..e1ec2e8 100644
 mls_file_read_all_levels(klogd_t)
-@@ -355,13 +414,12 @@ optional_policy(`
+@@ -355,13 +417,12 @@ optional_policy(`
 # sys_admin for the integrated klog of syslog-ng and metalog
 # sys_nice for rsyslog
 # cjp: why net_admin!
@ -38164,7 +38201,7 @@ index 59b04c1..e1ec2e8 100644
 # receive messages to be logged
 allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -369,11 +427,15 @@ allow syslogd_t self:unix_dgram_socket sendto;
+@@ -369,11 +430,15 @@ allow syslogd_t self:unix_dgram_socket sendto;
 allow syslogd_t self:fifo_file rw_fifo_file_perms;
 allow syslogd_t self:udp_socket create_socket_perms;
 allow syslogd_t self:tcp_socket create_stream_socket_perms;
@ -38181,7 +38218,7 @@ index 59b04c1..e1ec2e8 100644
 files_pid_filetrans(syslogd_t, devlog_t, sock_file)
 # create/append log files.
-@@ -389,30 +451,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -389,30 +454,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@ -38232,7 +38269,7 @@ index 59b04c1..e1ec2e8 100644
 # syslog-ng can listen and connect on tcp port 514 (rsh)
 corenet_tcp_sendrecv_generic_if(syslogd_t)
 corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -422,6 +501,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -422,6 +504,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
 corenet_tcp_connect_rsh_port(syslogd_t)
 # Allow users to define additional syslog ports to connect to
 corenet_tcp_bind_syslogd_port(syslogd_t)
@ -38241,7 +38278,7 @@ index 59b04c1..e1ec2e8 100644
 corenet_tcp_connect_syslogd_port(syslogd_t)
 corenet_tcp_connect_postgresql_port(syslogd_t)
 corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -432,9 +513,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -432,9 +516,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
 corenet_sendrecv_postgresql_client_packets(syslogd_t)
 corenet_sendrecv_mysqld_client_packets(syslogd_t)
@ -38275,7 +38312,7 @@ index 59b04c1..e1ec2e8 100644
 domain_use_interactive_fds(syslogd_t)
 files_read_etc_files(syslogd_t)
-@@ -448,13 +552,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+@@ -448,13 +555,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
 fs_getattr_all_fs(syslogd_t)
 fs_search_auto_mountpoints(syslogd_t)
@ -38293,7 +38330,7 @@ index 59b04c1..e1ec2e8 100644
 # for sending messages to logged in users
 init_read_utmp(syslogd_t)
 init_dontaudit_write_utmp(syslogd_t)
-@@ -466,11 +574,12 @@ init_use_fds(syslogd_t)
+@@ -466,11 +577,12 @@ init_use_fds(syslogd_t)
 # cjp: this doesnt make sense
 logging_send_syslog_msg(syslogd_t)
@ -38309,7 +38346,7 @@ index 59b04c1..e1ec2e8 100644
 ifdef(`distro_gentoo',`
 	# default gentoo syslog-ng config appends kernel
-@@ -497,6 +606,7 @@ optional_policy(`
+@@ -497,6 +609,7 @@ optional_policy(`
 optional_policy(`
 	cron_manage_log_files(syslogd_t)
 	cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
@ -38317,7 +38354,7 @@ index 59b04c1..e1ec2e8 100644
 ')
 optional_policy(`
-@@ -507,15 +617,40 @@ optional_policy(`
+@@ -507,15 +620,44 @@ optional_policy(`
 ')
 optional_policy(`
@ -38354,11 +38391,15 @@ index 59b04c1..e1ec2e8 100644
 +')
 +
 +optional_policy(`
 +	systemd_rw_coredump_tmpfs_files(syslogd_t)
 +')
 +
 +optional_policy(`
 +    daemontools_search_svc_dir(syslogd_t)
 ')
 optional_policy(`
-@@ -526,3 +661,26 @@ optional_policy(`
+@@ -526,3 +668,26 @@ optional_policy(`
 	# log to the xconsole
 	xserver_rw_console(syslogd_t)
 ')
@ -43551,10 +43592,10 @@ index a392fc4..78fa512 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..884ac5c
+index 0000000..b53de2b
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,59 @@
+@@ -0,0 +1,61 @@
 +HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_home_t,s0)
 +/root/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_home_t,s0)
 +
@ -43565,6 +43606,7 @@ index 0000000..884ac5c
 +/bin/systemctl					--	gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
 +/bin/systemd-tty-ask-password-agent		--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
 +/bin/systemd-tmpfiles				--		gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 +/bin/systemd-coredump		--	gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
 +
 +/usr/bin/systemctl				--	gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
 +/usr/bin/systemd-gnome-ask-password-agent	--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
@ -43596,6 +43638,7 @@ index 0000000..884ac5c
 +/usr/lib/systemd/systemd-logger	--	gen_context(system_u:object_r:systemd_logger_exec_t,s0)
 +/usr/lib/systemd/systemd-networkd   --  gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
 +/usr/lib/systemd/systemd-tmpfiles --	gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 +/usr/lib/systemd/systemd-coredump	--	gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
 +
 +/var/lib/machines(/.*)?			gen_context(system_u:object_r:systemd_machined_var_lib_t,s0)
 +/var/lib/systemd/rfkill(/.*)?         gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
@ -43616,10 +43659,10 @@ index 0000000..884ac5c
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..c253b33
+index 0000000..300bf59
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1640 @@
+@@ -0,0 +1,1676 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@ -45260,12 +45303,48 @@ index 0000000..c253b33
 +	allow systemd_machined_t $1:dbus send_msg;
 +	ps_process_pattern(systemd_machined_t, $1)
 +')
 +
 +#######################################
 +## <summary>
 +##  Execute a domain transition to run systemd-coredump.
 +## </summary>
 +## <param name="domain">
 +## <summary>
 +##  Domain allowed access.
 +## </summary>
 +## </param>
 +#
 +interface(`systemd_coredump_domtrans',`
 +    gen_require(`
 +        type systemd_coredump_t, systemd_coredump_exec_t;
 +    ')
 +
 +    domtrans_pattern($1, systemd_coredump_exec_t, systemd_coredump_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Read and write to systemd-coredump temporary file system.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`systemd_rw_coredump_tmpfs_files',`
 +	gen_require(`
 +		type systemd_coredump_tmpfs_t;
 +	')
 +
 +	allow $1 systemd_coredump_tmpfs_t:file rw_file_perms;
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..b4a073f
+index 0000000..eb1b3c3
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,825 @@
+@@ -0,0 +1,842 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -45301,6 +45380,11 @@ index 0000000..b4a073f
 +files_security_file(random_seed_t)
 +files_mountpoint(random_seed_t)
 +
 +systemd_domain_template(systemd_coredump)
 +
 +type systemd_coredump_tmpfs_t;
 +files_tmpfs_file(systemd_coredump_tmpfs_t)
 +
 +systemd_domain_template(systemd_networkd)
 +
 +type systemd_networkd_unit_file_t;
@ -46052,6 +46136,18 @@ index 0000000..b4a073f
 +
 +logging_send_syslog_msg(systemd_sysctl_t)
 +
 +#######################################
 +#
 +# systemd_coredump domains
 +#
 +
 +manage_files_pattern(systemd_coredump_t, systemd_coredump_tmpfs_t, systemd_coredump_tmpfs_t)
 +fs_tmpfs_filetrans(systemd_coredump_t, systemd_coredump_tmpfs_t, file )
 +
 +optional_policy(`
 +	unconfined_domain(systemd_coredump_t)
 +')
 +
 +########################################
 +#
 +# Common rules for systemd domains
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -13298,7 +13298,7 @@ index 32e8265..c5a2913 100644
 +	allow $1 chronyd_unit_file_t:service all_service_perms;
 ')
 diff --git a/chronyd.te b/chronyd.te
-index e5b621c..135100a 100644
+index e5b621c..74e168f 100644
 --- a/chronyd.te
 +++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@ -13329,7 +13329,7 @@ index e5b621c..135100a 100644
 allow chronyd_t chronyd_keys_t:file read_file_perms;
 manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
-@@ -76,18 +83,38 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+@@ -76,18 +83,41 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
 corenet_udp_bind_chronyd_port(chronyd_t)
 corenet_udp_sendrecv_chronyd_port(chronyd_t)
@ -13355,6 +13355,9 @@ index e5b621c..135100a 100644
 +systemd_exec_systemctl(chronyd_t)
 +
 +userdom_dgram_send(chronyd_t)
 +
 +optional_policy(`
 +	dbus_system_bus_client(chronyd_t)
 optional_policy(`
 	gpsd_rw_shm(chronyd_t)
@ -16066,7 +16069,7 @@ index 881d92f..a2d588a 100644
 +	')
 ')
 diff --git a/condor.te b/condor.te
-index ce9f040..32ebb0c 100644
+index ce9f040..dc29445 100644
 --- a/condor.te
 +++ b/condor.te
@@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t)
@ -16144,7 +16147,7 @@ index ce9f040..32ebb0c 100644
 #
 -allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
-+allow condor_master_t self:capability { setuid setgid sys_ptrace };
+allow condor_master_t self:capability { chown setuid setgid sys_ptrace };
 allow condor_master_t condor_domain:process { sigkill signal };
@ -19829,10 +19832,10 @@ index 8401fe6..d58f3e7 100644
 /var/spool/ctdb(/.*)?	gen_context(system_u:object_r:ctdbd_spool_t,s0)
 diff --git a/ctdb.if b/ctdb.if
-index b25b01d..6b7d687 100644
+index b25b01d..06895f3 100644
 --- a/ctdb.if
 +++ b/ctdb.if
-@@ -1,9 +1,161 @@
+@@ -1,9 +1,178 @@
 -## <summary>Clustered Database based on Samba Trivial Database.</summary>
 +
 +## <summary>policy for ctdbd</summary>
@ -19891,6 +19894,23 @@ index b25b01d..6b7d687 100644
 +        allow $1 ctdbd_t:process signal;
 +')
 +
 +#######################################
 +## <summary>
 +##  Allow domain to sigchld ctdbd.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
 +## </param>
 +#
 +interface(`ctdbd_sigchld',`
 +    gen_require(`
 +        type ctdbd_t;
 +    ')
 +        allow $1 ctdbd_t:process sigchld;
 +')
 +
 +########################################
 +## <summary>
 +##	Read ctdbd's log files.
@ -19997,7 +20017,7 @@ index b25b01d..6b7d687 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -17,13 +169,12 @@ interface(`ctdbd_manage_lib_files',`
+@@ -17,13 +186,12 @@ interface(`ctdbd_manage_lib_files',`
 	')
 	files_search_var_lib($1)
@ -20014,7 +20034,7 @@ index b25b01d..6b7d687 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -31,19 +182,58 @@ interface(`ctdbd_manage_lib_files',`
+@@ -31,19 +199,58 @@ interface(`ctdbd_manage_lib_files',`
 ##	</summary>
 ## </param>
 #
@ -20078,7 +20098,7 @@ index b25b01d..6b7d687 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -57,16 +247,19 @@ interface(`ctdbd_stream_connect',`
+@@ -57,16 +264,19 @@ interface(`ctdbd_stream_connect',`
 ## </param>
 ## <rolecap/>
 #
@ -20102,7 +20122,7 @@ index b25b01d..6b7d687 100644
 	domain_system_change_exemption($1)
 	role_transition $2 ctdbd_initrc_exec_t system_r;
 	allow $2 system_r;
-@@ -74,12 +267,10 @@ interface(`ctdb_admin',`
+@@ -74,12 +284,10 @@ interface(`ctdb_admin',`
 	logging_search_logs($1)
 	admin_pattern($1, ctdbd_log_t)
@ -37248,10 +37268,10 @@ index 0000000..61f2003
 +userdom_use_user_terminals(iotop_t)
 diff --git a/ipa.fc b/ipa.fc
 new file mode 100644
-index 0000000..749756a
+index 0000000..3a71430
 --- /dev/null
 +++ b/ipa.fc
-@@ -0,0 +1,11 @@
+@@ -0,0 +1,13 @@
 +/usr/lib/systemd/system/ipa-otpd.*		--	gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
 +
 +/usr/libexec/ipa-otpd		--	gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
@ -37261,6 +37281,8 @@ index 0000000..749756a
 +
 +/var/lib/ipa(/.*)?              gen_context(system_u:object_r:ipa_var_lib_t,s0)
 +
 +/var/log/ipareplica-conncheck.log	--	gen_context(system_u:object_r:ipa_log_t,s0)
 +
 +/var/run/ipa(/.*)?              gen_context(system_u:object_r:ipa_var_run_t,s0)
 +
 diff --git a/ipa.if b/ipa.if
@ -37449,10 +37471,10 @@ index 0000000..904782d
 +')
 diff --git a/ipa.te b/ipa.te
 new file mode 100644
-index 0000000..694c092
+index 0000000..af46439
 --- /dev/null
 +++ b/ipa.te
-@@ -0,0 +1,122 @@
+@@ -0,0 +1,130 @@
 +policy_module(ipa, 1.0.0)
 +
 +########################################
@ -37472,6 +37494,9 @@ index 0000000..694c092
 +type ipa_otpd_unit_file_t;
 +systemd_unit_file(ipa_otpd_unit_file_t)
 +
 +type ipa_log_t;
 +logging_log_file(ipa_log_t)
 +
 +type ipa_var_lib_t;
 +files_type(ipa_var_lib_t)
 +
@ -37529,10 +37554,15 @@ index 0000000..694c092
 +allow ipa_helper_t self:fifo_file rw_fifo_file_perms;
 +allow ipa_helper_t self:netlink_route_socket r_netlink_socket_perms;
 +
 +manage_files_pattern(ipa_helper_t, ipa_log_t, ipa_log_t)
 +logging_log_filetrans(ipa_helper_t, ipa_log_t, file)
 +
 +kernel_read_system_state(ipa_helper_t)
 +
 +corenet_tcp_connect_ldap_port(ipa_helper_t)
 +corenet_tcp_connect_smbd_port(ipa_helper_t)
 +corenet_tcp_connect_http_port(ipa_helper_t)
 +corenet_tcp_connect_kerberos_password_port(ipa_helper_t)
 +
 +corecmd_exec_bin(ipa_helper_t)
 +corecmd_exec_shell(ipa_helper_t)
@ -40563,10 +40593,10 @@ index 0000000..bd7e7fa
 +')
 diff --git a/keepalived.te b/keepalived.te
 new file mode 100644
-index 0000000..20adcb3
+index 0000000..8ab40b5
 --- /dev/null
 +++ b/keepalived.te
-@@ -0,0 +1,90 @@
+@@ -0,0 +1,91 @@
 +policy_module(keepalived, 1.0.0)
 +
 +########################################
@ -40613,6 +40643,7 @@ index 0000000..20adcb3
 +
 +corenet_tcp_connect_connlcli_port(keepalived_t)
 +corenet_tcp_connect_http_port(keepalived_t)
 +corenet_tcp_connect_mysqld_port(keepalived_t)
 +corenet_tcp_connect_smtp_port(keepalived_t)
 +corenet_tcp_connect_snmp_port(keepalived_t)
 +corenet_tcp_connect_agentx_port(keepalived_t)
@ -44665,7 +44696,7 @@ index dd8e01a..9cd6b0b 100644
 ## <param name="domain">
 ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index be0ab84..08c168f 100644
+index be0ab84..24e669e 100644
 --- a/logrotate.te
 +++ b/logrotate.te
@@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0)
@ -44787,7 +44818,7 @@ index be0ab84..08c168f 100644
 files_manage_generic_spool(logrotate_t)
 files_manage_generic_spool_dirs(logrotate_t)
 files_getattr_generic_locks(logrotate_t)
-@@ -95,32 +123,51 @@ mls_process_write_to_clearance(logrotate_t)
+@@ -95,32 +123,52 @@ mls_process_write_to_clearance(logrotate_t)
 selinux_get_fs_mount(logrotate_t)
 selinux_get_enforce_mode(logrotate_t)
@ -44804,6 +44835,7 @@ index be0ab84..08c168f 100644
 logging_send_audit_msgs(logrotate_t)
 +# cjp: why is this needed?
 logging_exec_all_logs(logrotate_t)
 +logging_systemctl_syslogd(logrotate_t)
 -miscfiles_read_localization(logrotate_t)
 +systemd_exec_systemctl(logrotate_t)
@ -44845,7 +44877,7 @@ index be0ab84..08c168f 100644
 ')
 optional_policy(`
-@@ -135,16 +182,17 @@ optional_policy(`
+@@ -135,16 +183,17 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(logrotate_t)
@ -44865,7 +44897,7 @@ index be0ab84..08c168f 100644
 ')
 optional_policy(`
-@@ -170,6 +218,11 @@ optional_policy(`
+@@ -170,6 +219,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -44877,7 +44909,7 @@ index be0ab84..08c168f 100644
 	fail2ban_stream_connect(logrotate_t)
 ')
-@@ -178,7 +231,7 @@ optional_policy(`
+@@ -178,7 +232,7 @@ optional_policy(`
 ')
 optional_policy(`
@ -44886,7 +44918,7 @@ index be0ab84..08c168f 100644
 ')
 optional_policy(`
-@@ -198,17 +251,18 @@ optional_policy(`
+@@ -198,17 +252,18 @@ optional_policy(`
 ')
 optional_policy(`
@ -44908,7 +44940,7 @@ index be0ab84..08c168f 100644
 ')
 optional_policy(`
-@@ -216,6 +270,14 @@ optional_policy(`
+@@ -216,6 +271,14 @@ optional_policy(`
 ')
 optional_policy(`
@ -44923,7 +44955,7 @@ index be0ab84..08c168f 100644
 	samba_exec_log(logrotate_t)
 ')
-@@ -228,26 +290,43 @@ optional_policy(`
+@@ -228,26 +291,43 @@ optional_policy(`
 ')
 optional_policy(`
@ -59456,10 +59488,10 @@ index bcd7d0a..0188086 100644
 +	unconfined_dontaudit_rw_packet_sockets(nscd_t)
 +')
 diff --git a/nsd.fc b/nsd.fc
-index 4f2b1b6..5348e92 100644
+index 4f2b1b6..adea830 100644
 --- a/nsd.fc
 +++ b/nsd.fc
-@@ -1,16 +1,13 @@
+@@ -1,16 +1,17 @@
 -/etc/rc\.d/init\.d/nsd	--	gen_context(system_u:object_r:nsd_initrc_exec_t,s0)
 -/etc/nsd(/.*)?	gen_context(system_u:object_r:nsd_conf_t,s0)
@ -59480,6 +59512,10 @@ index 4f2b1b6..5348e92 100644
 -/var/lib/nsd(/.*)?	gen_context(system_u:object_r:nsd_zone_t,s0)
 -/var/lib/nsd/nsd\.db	--	gen_context(system_u:object_r:nsd_db_t,s0)
 +/usr/sbin/zonec		--	gen_context(system_u:object_r:nsd_exec_t,s0)
 +/usr/sbin/nsd-checkconf		--	gen_context(system_u:object_r:nsd_exec_t,s0)
 +/usr/sbin/nsd-checkzone		--	gen_context(system_u:object_r:nsd_exec_t,s0)
 +/usr/sbin/nsd-control		--	gen_context(system_u:object_r:nsd_exec_t,s0)
 +/usr/sbin/nsd-control-setup		--	gen_context(system_u:object_r:nsd_exec_t,s0)
 +/var/lib/nsd(/.*)?		gen_context(system_u:object_r:nsd_zone_t,s0)
 /var/run/nsd\.pid	--	gen_context(system_u:object_r:nsd_var_run_t,s0)
@ -59573,7 +59609,7 @@ index a9c60ff..ad4f14a 100644
 +	refpolicywarn(`$0($*) has been deprecated.')
 ')
 diff --git a/nsd.te b/nsd.te
-index 47bb1d2..a97c60f 100644
+index 47bb1d2..3316c17 100644
 --- a/nsd.te
 +++ b/nsd.te
@@ -9,9 +9,7 @@ type nsd_t;
@ -59587,7 +59623,7 @@ index 47bb1d2..a97c60f 100644
 type nsd_conf_t;
 files_type(nsd_conf_t)
-@@ -20,32 +18,28 @@ domain_type(nsd_crond_t)
+@@ -20,32 +18,31 @@ domain_type(nsd_crond_t)
 domain_entry_file(nsd_crond_t, nsd_exec_t)
 role system_r types nsd_crond_t;
@ -59602,13 +59638,17 @@ index 47bb1d2..a97c60f 100644
 +type nsd_zone_t alias nsd_db_t;
 files_type(nsd_zone_t)
 +type nsd_tmp_t;
 +files_tmp_file(nsd_tmp_t)
 +
 ########################################
 #
 -# Local policy
 +# NSD Local policy
 #
- allow nsd_t self:capability { chown dac_override kill setgid setuid };
+-allow nsd_t self:capability { chown dac_override kill setgid setuid };
 +allow nsd_t self:capability { chown dac_override kill setgid setuid net_admin };
 dontaudit nsd_t self:capability sys_tty_config;
 allow nsd_t self:process signal_perms;
 +allow nsd_t self:tcp_socket create_stream_socket_perms;
@ -59627,7 +59667,18 @@ index 47bb1d2..a97c60f 100644
 manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t)
 files_pid_filetrans(nsd_t, nsd_var_run_t, file)
-@@ -62,7 +56,6 @@ kernel_read_kernel_sysctls(nsd_t)
+@@ -55,6 +52,10 @@ manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
 manage_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
 files_var_lib_filetrans(nsd_t, nsd_zone_t, dir)
 +manage_dirs_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t)
 +manage_files_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t)
 +files_tmp_filetrans(nsd_t, nsd_tmp_t, { file dir })
 +
 can_exec(nsd_t, nsd_exec_t)
 kernel_read_system_state(nsd_t)
@@ -62,7 +63,6 @@ kernel_read_kernel_sysctls(nsd_t)
 corecmd_exec_bin(nsd_t)
@ -59635,7 +59686,7 @@ index 47bb1d2..a97c60f 100644
 corenet_all_recvfrom_netlabel(nsd_t)
 corenet_tcp_sendrecv_generic_if(nsd_t)
 corenet_udp_sendrecv_generic_if(nsd_t)
-@@ -72,16 +65,17 @@ corenet_tcp_sendrecv_all_ports(nsd_t)
+@@ -72,16 +72,17 @@ corenet_tcp_sendrecv_all_ports(nsd_t)
 corenet_udp_sendrecv_all_ports(nsd_t)
 corenet_tcp_bind_generic_node(nsd_t)
 corenet_udp_bind_generic_node(nsd_t)
@ -59655,7 +59706,7 @@ index 47bb1d2..a97c60f 100644
 fs_getattr_all_fs(nsd_t)
 fs_search_auto_mountpoints(nsd_t)
-@@ -90,8 +84,6 @@ auth_use_nsswitch(nsd_t)
+@@ -90,8 +91,6 @@ auth_use_nsswitch(nsd_t)
 logging_send_syslog_msg(nsd_t)
@ -59664,7 +59715,7 @@ index 47bb1d2..a97c60f 100644
 userdom_dontaudit_use_unpriv_user_fds(nsd_t)
 userdom_dontaudit_search_user_home_dirs(nsd_t)
-@@ -105,23 +97,24 @@ optional_policy(`
+@@ -105,23 +104,24 @@ optional_policy(`
 ########################################
 #
@ -59697,7 +59748,7 @@ index 47bb1d2..a97c60f 100644
 manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t)
 filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
-@@ -133,27 +126,27 @@ kernel_read_system_state(nsd_crond_t)
+@@ -133,27 +133,27 @@ kernel_read_system_state(nsd_crond_t)
 corecmd_exec_bin(nsd_crond_t)
 corecmd_exec_shell(nsd_crond_t)
@ -65138,7 +65189,7 @@ index 9b15730..cb00f20 100644
 +	')
 ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 44dbc99..a17af8b 100644
+index 44dbc99..fce33b0 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
@@ -9,11 +9,8 @@ type openvswitch_t;
@ -65204,7 +65255,7 @@ index 44dbc99..a17af8b 100644
 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
 logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
-@@ -65,33 +69,47 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
+@@ -65,33 +69,48 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
 manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
 files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
@ -65240,9 +65291,10 @@ index 44dbc99..a17af8b 100644
 fs_getattr_all_fs(openvswitch_t)
 fs_search_cgroup_dirs(openvswitch_t)
- 
+fs_rw_hugetlbfs_files(openvswitch_t)
 +auth_use_nsswitch(openvswitch_t)
 +
 +auth_use_nsswitch(openvswitch_t)
 logging_send_syslog_msg(openvswitch_t)
 -miscfiles_read_localization(openvswitch_t)
@ -92007,7 +92059,7 @@ index 50d07fb..e9569d2 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
 ')
 diff --git a/samba.te b/samba.te
-index 2b7c441..0232e85 100644
+index 2b7c441..ca83568 100644
 --- a/samba.te
 +++ b/samba.te
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@ -92835,7 +92887,7 @@ index 2b7c441..0232e85 100644
 samba_read_config(smbcontrol_t)
 samba_search_var(smbcontrol_t)
-@@ -627,16 +716,13 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,39 +716,38 @@ domain_use_interactive_fds(smbcontrol_t)
 dev_read_urand(smbcontrol_t)
@ -92854,7 +92906,8 @@ index 2b7c441..0232e85 100644
 optional_policy(`
 	ctdbd_stream_connect(smbcontrol_t)
-@@ -644,22 +730,23 @@ optional_policy(`
+	ctdbd_sigchld(smbcontrol_t)
 ')
 ########################################
 #
@ -92886,7 +92939,7 @@ index 2b7c441..0232e85 100644
 allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -668,26 +755,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +756,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
 files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@ -92922,7 +92975,7 @@ index 2b7c441..0232e85 100644
 fs_getattr_cifs(smbmount_t)
 fs_mount_cifs(smbmount_t)
-@@ -699,58 +782,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +783,77 @@ fs_read_cifs_files(smbmount_t)
 storage_raw_read_fixed_disk(smbmount_t)
 storage_raw_write_fixed_disk(smbmount_t)
@ -93014,7 +93067,7 @@ index 2b7c441..0232e85 100644
 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
 manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +861,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +862,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
 manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
 files_pid_filetrans(swat_t, swat_var_run_t, file)
@ -93038,7 +93091,7 @@ index 2b7c441..0232e85 100644
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
-@@ -777,36 +875,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +876,25 @@ kernel_read_network_state(swat_t)
 corecmd_search_bin(swat_t)
@ -93081,7 +93134,7 @@ index 2b7c441..0232e85 100644
 auth_domtrans_chk_passwd(swat_t)
 auth_use_nsswitch(swat_t)
-@@ -818,10 +905,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +906,11 @@ logging_send_syslog_msg(swat_t)
 logging_send_audit_msgs(swat_t)
 logging_search_logs(swat_t)
@ -93095,7 +93148,7 @@ index 2b7c441..0232e85 100644
 optional_policy(`
 	cups_read_rw_config(swat_t)
 	cups_stream_connect(swat_t)
-@@ -840,17 +928,20 @@ optional_policy(`
+@@ -840,17 +929,20 @@ optional_policy(`
 # Winbind local policy
 #
@ -93121,7 +93174,7 @@ index 2b7c441..0232e85 100644
 allow winbind_t samba_etc_t:dir list_dir_perms;
 read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +951,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +952,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
 filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
 manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@ -93132,7 +93185,7 @@ index 2b7c441..0232e85 100644
 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
 manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,38 +962,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,38 +963,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
 rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@ -93186,7 +93239,7 @@ index 2b7c441..0232e85 100644
 corenet_tcp_connect_smbd_port(winbind_t)
 corenet_tcp_connect_epmap_port(winbind_t)
 corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,38 +1005,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,38 +1006,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
 dev_read_sysfs(winbind_t)
 dev_read_urand(winbind_t)
@ -93245,7 +93298,7 @@ index 2b7c441..0232e85 100644
 ')
 optional_policy(`
-@@ -959,31 +1066,36 @@ optional_policy(`
+@@ -959,31 +1067,36 @@ optional_policy(`
 # Winbind helper local policy
 #
@ -93289,7 +93342,7 @@ index 2b7c441..0232e85 100644
 optional_policy(`
 	apache_append_log(winbind_helper_t)
-@@ -997,25 +1109,38 @@ optional_policy(`
+@@ -997,25 +1110,38 @@ optional_policy(`
 ########################################
 #
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 165%{?dist}
+Release: 166%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -664,6 +664,25 @@ exit 0
 %endif
 %changelog
 * Wed Jan 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-166
 - Allow logrotate to systemctl rsyslog service. BZ(1284173)
 - Allow condor_master_t domain capability chown. BZ(1297048)
 - Allow chronyd to be dbus bus client. BZ(1297129)
 - Allow openvswitch read/write hugetlb filesystem.
 - Revert "Allow openvswitch read/write hugetlb filesystem."
 - Allow smbcontrol domain to send sigchld to ctdbd domain.
 - Allow openvswitch read/write hugetlb filesystem.
 - Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
 - Label /var/log/ipareplica-conncheck.log file as ipa_log_t Allow ipa_helper_t domain to manage logs labeledas ipa_log_t Allow ipa_helper_t to connect on http and kerberos_passwd ports. BZ(1289930)
 - Allow keepalived to connect to 3306/tcp port - mysqld_port_t.
 - Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
 - Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
 - Merge pull request #86 from rhatdan/rawhide-contrib
 - Label some new nsd binaries as nsd_exec_t Allow nsd domain net_admin cap. Create label nsd_tmp_t for nsd tmp files/dirs BZ (1293146)
 - Added interface logging_systemctl_syslogd
 - Label rsyslog unit file
 - Added policy for systemd-coredump service. Added domain transition from kernel_t to systemd_coredump_t. Allow syslogd_t domain to read/write tmpfs systemd-coredump files. Make new domain uconfined for now.
 * Wed Jan 06 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-165
 - Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
 - Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."