- Allow staff_t to communicate and run docker

- Fix *_ecryptfs_home_dirs booleans - Allow ldconfig_t to read/write inherited user tmp pipes - Allow storaged to dbus chat with lvm_t - Add support for storaged and storaged-lvm-helper. Labeled it as lvm_exec_t. - Use proper calling in ssh.te for userdom_home_manager attribute - Use userdom_home_manager_type() also for ssh_keygen_t - Allow locate to list directories without labels - Allow bitlbee to use tcp/7778 port - /etc/cron.daily/logrotate to execute fail2ban-client. - Allow keepalives to connect to SNMP port. Support to do SNMP stuff - Allow staff_t to communicate and run docker - Dontaudit search mgrepl/.local for cobblerd_t - Allow neutron to execute kmod in insmod_t - Allow neutron to execute udevadm in udev_t - Allow also fowner cap for varnishd - Allow keepalived to execute bin_t/shell_exec_t - rhsmcertd seems to need these accesses. We need this backported to RHEL7 and perhaps RHEL6 policy - Add cups_execmem boolean - Allow gear to manage gear service - New requires for gear to use systemctl and init var_run_t - Allow cups to execute its rw_etc_t files, for brothers printers - Add fixes to make munin and munin-cgi working. Allow munin-cgit to create files/dirs in /tmp, list munin co - Allow swift to execute bin_t - Allow swift to bind http_cache
2014-06-09 09:05:58 +02:00 · 2014-06-09 09:05:58 +02:00 · 686a38099f
commit 686a38099f
parent 07a8be1e18
3 changed files with 446 additions and 263 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -18601,7 +18601,7 @@ index 234a940..d340f20 100644
 ########################################
 ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 0fef1fc..ee4b689 100644
+index 0fef1fc..46aa66e 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
@@ -8,12 +8,71 @@ policy_module(staff, 2.4.0)
@ -18676,7 +18676,7 @@ index 0fef1fc..ee4b689 100644
 optional_policy(`
 	apache_role(staff_r, staff_t)
 ')
-@@ -23,11 +82,110 @@ optional_policy(`
+@@ -23,11 +82,115 @@ optional_policy(`
 ')
 optional_policy(`
@ -18705,6 +18705,11 @@ index 0fef1fc..ee4b689 100644
 optional_policy(`
 -	git_role(staff_r, staff_t)
 +	docker_stream_connect(staff_t)
 +	docker_exec(staff_t)
 +')
 +
 +optional_policy(`
 +	dnsmasq_read_pid_files(staff_t)
 +')
 +
@ -18788,7 +18793,7 @@ index 0fef1fc..ee4b689 100644
 ')
 optional_policy(`
-@@ -35,15 +193,31 @@ optional_policy(`
+@@ -35,15 +198,31 @@ optional_policy(`
 ')
 optional_policy(`
@ -18822,7 +18827,7 @@ index 0fef1fc..ee4b689 100644
 ')
 optional_policy(`
-@@ -52,11 +226,61 @@ optional_policy(`
+@@ -52,11 +231,61 @@ optional_policy(`
 ')
 optional_policy(`
@ -18884,7 +18889,7 @@ index 0fef1fc..ee4b689 100644
 ')
 ifndef(`distro_redhat',`
-@@ -65,10 +289,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +294,6 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
@ -18895,7 +18900,7 @@ index 0fef1fc..ee4b689 100644
 		cdrecord_role(staff_r, staff_t)
 	')
-@@ -78,10 +298,6 @@ ifndef(`distro_redhat',`
+@@ -78,10 +303,6 @@ ifndef(`distro_redhat',`
 	optional_policy(`
 		dbus_role_template(staff, staff_r, staff_t)
@ -18906,7 +18911,7 @@ index 0fef1fc..ee4b689 100644
 	')
 	optional_policy(`
-@@ -101,10 +317,6 @@ ifndef(`distro_redhat',`
+@@ -101,10 +322,6 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
@ -18917,7 +18922,7 @@ index 0fef1fc..ee4b689 100644
 		java_role(staff_r, staff_t)
 	')
-@@ -125,10 +337,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +342,6 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
@ -18928,7 +18933,7 @@ index 0fef1fc..ee4b689 100644
 		pyzor_role(staff_r, staff_t)
 	')
-@@ -141,10 +349,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +354,6 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
@ -18939,7 +18944,7 @@ index 0fef1fc..ee4b689 100644
 		spamassassin_role(staff_r, staff_t)
 	')
-@@ -176,3 +380,22 @@ ifndef(`distro_redhat',`
+@@ -176,3 +385,22 @@ ifndef(`distro_redhat',`
 		wireshark_role(staff_r, staff_t)
 	')
 ')
@ -22141,7 +22146,7 @@ index fe0c682..e8dcfa7 100644
 +	ps_process_pattern($1, sshd_t)
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index cc877c7..1d92018 100644
+index cc877c7..b153547 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
@@ -6,43 +6,68 @@ policy_module(ssh, 2.4.2)
@ -22630,20 +22635,17 @@ index cc877c7..1d92018 100644
 dev_read_urand(ssh_keygen_t)
 term_dontaudit_use_console(ssh_keygen_t)
-@@ -333,6 +507,12 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -332,7 +506,9 @@ auth_use_nsswitch(ssh_keygen_t)
 logging_send_syslog_msg(ssh_keygen_t)
 +userdom_home_manager(ssh_keygen_t)
 userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
 +userdom_use_user_terminals(ssh_keygen_t)
 +
 +tunable_policy(`use_nfs_home_dirs',`
 +    fs_manage_nfs_files(ssh_keygen_t)
 +    fs_manage_nfs_dirs(ssh_keygen_t)
 +')
 optional_policy(`
 	seutil_sigchld_newrole(ssh_keygen_t)
-@@ -341,3 +521,140 @@ optional_policy(`
+@@ -341,3 +517,140 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(ssh_keygen_t)
 ')
@ -32471,7 +32473,7 @@ index 808ba93..57a68da 100644
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
 +')
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 54f8fa5..b4c7957 100644
+index 54f8fa5..caf32d6 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
@@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
@ -32535,7 +32537,7 @@ index 54f8fa5..b4c7957 100644
 userdom_use_all_users_fds(ldconfig_t)
 ifdef(`distro_ubuntu',`
-@@ -103,6 +109,12 @@ ifdef(`distro_ubuntu',`
+@@ -103,6 +109,13 @@ ifdef(`distro_ubuntu',`
 	')
 ')
@ -32544,11 +32546,12 @@ index 54f8fa5..b4c7957 100644
 +userdom_manage_user_home_content_files(ldconfig_t)
 +userdom_manage_user_tmp_files(ldconfig_t)
 +userdom_manage_user_tmp_symlinks(ldconfig_t)
 +userdom_rw_inherited_user_tmp_pipes(ldconfig_t)
 +
 ifdef(`hide_broken_symptoms',`
 	ifdef(`distro_gentoo',`
 		# leaked fds from portage
-@@ -114,6 +126,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -114,6 +127,11 @@ ifdef(`hide_broken_symptoms',`
 		')
 	')
@ -32560,7 +32563,7 @@ index 54f8fa5..b4c7957 100644
 	optional_policy(`
 		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
 	')
-@@ -131,6 +148,14 @@ optional_policy(`
+@@ -131,6 +149,14 @@ optional_policy(`
 ')
 optional_policy(`
@ -32575,7 +32578,7 @@ index 54f8fa5..b4c7957 100644
 	puppet_rw_tmp(ldconfig_t)
 ')
-@@ -141,6 +166,3 @@ optional_policy(`
+@@ -141,6 +167,3 @@ optional_policy(`
 	rpm_manage_script_tmp_files(ldconfig_t)
 ')
@ -33885,7 +33888,7 @@ index 59b04c1..13c21e8 100644
 +
 +logging_stream_connect_syslog(syslog_client_type)
 diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 6b91740..633e449 100644
+index 6b91740..562d1fd 100644
 --- a/policy/modules/system/lvm.fc
 +++ b/policy/modules/system/lvm.fc
@@ -23,6 +23,8 @@ ifdef(`distro_gentoo',`
@ -33922,7 +33925,7 @@ index 6b91740..633e449 100644
 /sbin/lvmiopversion	--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/lvmsadc		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/lvmsar		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-@@ -89,8 +95,72 @@ ifdef(`distro_gentoo',`
+@@ -89,8 +95,74 @@ ifdef(`distro_gentoo',`
 #
 # /usr
 #
@ -33993,11 +33996,13 @@ index 6b91740..633e449 100644
 +/usr/lib/lvm-200/.*		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/lib/systemd/systemd-cryptsetup --	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/lib/systemd/system-generators/lvm2.*	--	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/lib/storaged/storaged          --  gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/lib/storaged/storaged-lvm-helper         --  gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/lib/udev/udisks-lvm-pv-export	--	gen_context(system_u:object_r:lvm_exec_t,s0)
 #
 # /var
-@@ -98,5 +168,9 @@ ifdef(`distro_gentoo',`
+@@ -98,5 +170,9 @@ ifdef(`distro_gentoo',`
 /var/cache/multipathd(/.*)?	gen_context(system_u:object_r:lvm_metadata_t,s0)
 /var/lib/multipath(/.*)?	gen_context(system_u:object_r:lvm_var_lib_t,s0)
 /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
@ -34177,7 +34182,7 @@ index 58bc27f..f887230 100644
 +')
 +
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 79048c4..55d6ce4 100644
+index 79048c4..f505f63 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@ -34405,7 +34410,7 @@ index 79048c4..55d6ce4 100644
 	bootloader_rw_tmp_files(lvm_t)
 ')
-@@ -333,14 +374,30 @@ optional_policy(`
+@@ -333,14 +374,34 @@ optional_policy(`
 ')
 optional_policy(`
@ -34429,6 +34434,10 @@ index 79048c4..55d6ce4 100644
 ')
 optional_policy(`
 +    policykit_dbus_chat(lvm_t)
 +')
 +
 +optional_policy(`
 +	systemd_manage_passwd_run(lvm_t)
 +')
 +
@ -42130,7 +42139,7 @@ index db75976..4ca3a28 100644
 +/var/tmp/hsperfdata_root    gen_context(system_u:object_r:user_tmp_t,s0)
 +
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..87b5cc3 100644
+index 9dc60c6..139edc7 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -44434,7 +44443,35 @@ index 9dc60c6..87b5cc3 100644
 ##	temporary symbolic links.
 ## </summary>
 ## <param name="domain">
-@@ -2661,6 +3362,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2566,6 +3267,27 @@ interface(`userdom_manage_user_tmp_symlinks',`
 ##	</summary>
 ## </param>
 #
 +interface(`userdom_rw_inherited_user_tmp_pipes',`
 +	gen_require(`
 +		type user_tmp_t;
 +	')
 +
 +    allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
 +	files_search_tmp($1)
 +')
 +
 +
 +########################################
 +## <summary>
 +##	Create, read, write, and delete user
 +##	temporary named pipes.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 interface(`userdom_manage_user_tmp_pipes',`
 	gen_require(`
 		type user_tmp_t;
@@ -2661,6 +3383,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
 	files_tmp_filetrans($1, user_tmp_t, $2, $3)
 ')
@ -44460,7 +44497,7 @@ index 9dc60c6..87b5cc3 100644
 ########################################
 ## <summary>
 ##	Read user tmpfs files.
-@@ -2677,13 +3397,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2677,13 +3418,14 @@ interface(`userdom_read_user_tmpfs_files',`
 	')
 	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@ -44476,7 +44513,7 @@ index 9dc60c6..87b5cc3 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2704,7 +3425,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2704,7 +3446,7 @@ interface(`userdom_rw_user_tmpfs_files',`
 ########################################
 ## <summary>
@ -44485,7 +44522,7 @@ index 9dc60c6..87b5cc3 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2712,14 +3433,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2712,14 +3454,30 @@ interface(`userdom_rw_user_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
@ -44520,7 +44557,7 @@ index 9dc60c6..87b5cc3 100644
 ')
 ########################################
-@@ -2814,6 +3551,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3572,24 @@ interface(`userdom_use_user_ttys',`
 ########################################
 ## <summary>
@ -44545,7 +44582,7 @@ index 9dc60c6..87b5cc3 100644
 ##	Read and write a user domain pty.
 ## </summary>
 ## <param name="domain">
-@@ -2832,22 +3587,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3608,34 @@ interface(`userdom_use_user_ptys',`
 ########################################
 ## <summary>
@ -44588,7 +44625,7 @@ index 9dc60c6..87b5cc3 100644
 ## </desc>
 ## <param name="domain">
 ##	<summary>
-@@ -2856,14 +3623,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3644,33 @@ interface(`userdom_use_user_ptys',`
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
@ -44626,7 +44663,7 @@ index 9dc60c6..87b5cc3 100644
 ')
 ########################################
-@@ -2882,8 +3668,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3689,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
 		type user_tty_device_t, user_devpts_t;
 	')
@ -44656,96 +44693,95 @@ index 9dc60c6..87b5cc3 100644
 ')
 ########################################
-@@ -2955,69 +3760,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,6 +3781,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
 	allow unpriv_userdomain $1:process sigchld;
 ')
 -########################################
 +#####################################
- ## <summary>
+## <summary>
 -##	Execute an Xserver session in all unprivileged user domains.  This
 -##	is an explicit transition, requiring the
 -##	caller to use setexeccon().
 +##  Allow domain dyntrans to unpriv userdomain.
- ## </summary>
+## </summary>
- ## <param name="domain">
+## <param name="domain">
 -##	<summary>
 -##	Domain allowed to transition.
 -##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
- ## </param>
+## </param>
- #
+#
 -interface(`userdom_xsession_spec_domtrans_unpriv_users',`
 -	gen_require(`
 -		attribute unpriv_userdomain;
 -	')
 +interface(`userdom_dyntransition_unpriv_users',`
 +    gen_require(`
 +        attribute unpriv_userdomain;
 +    ')
- 
+
 -	xserver_xsession_spec_domtrans($1, unpriv_userdomain)
 -	allow unpriv_userdomain $1:fd use;
 -	allow unpriv_userdomain $1:fifo_file rw_file_perms;
 -	allow unpriv_userdomain $1:process sigchld;
 +    allow $1 unpriv_userdomain:process dyntransition;
- ')
+')
- 
+
 -#######################################
 +####################################
- ## <summary>
+## <summary>
 -##	Read and write unpriviledged user SysV sempaphores.
 +##  Allow domain dyntrans to admin userdomain.
- ## </summary>
+## </summary>
- ## <param name="domain">
+## <param name="domain">
 -##	<summary>
 -##	Domain allowed access.
 -##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
- ## </param>
+## </param>
- #
+#
 -interface(`userdom_rw_unpriv_user_semaphores',`
 -	gen_require(`
 -		attribute unpriv_userdomain;
 -	')
 +interface(`userdom_dyntransition_admin_users',`
 +    gen_require(`
 +        attribute admindomain;
 +    ')
 +
 +    allow $1 admindomain:process dyntransition;
 +')
 +
 ########################################
 ## <summary>
 ##	Execute an Xserver session in all unprivileged user domains.  This
@@ -2978,9 +3840,9 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
 	allow unpriv_userdomain $1:process sigchld;
 ')
 -#######################################
 +########################################
 ## <summary>
 -##	Read and write unpriviledged user SysV sempaphores.
 +##	Manage unpriviledged user SysV sempaphores.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2988,17 +3850,18 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
 ##	</summary>
 ## </param>
 #
 -interface(`userdom_rw_unpriv_user_semaphores',`
 +interface(`userdom_manage_unpriv_user_semaphores',`
 	gen_require(`
 		attribute unpriv_userdomain;
 	')
 -	allow $1 unpriv_userdomain:sem rw_sem_perms;
-+    allow $1 admindomain:process dyntransition;
+	allow $1 unpriv_userdomain:sem create_sem_perms;
 ')
 ########################################
 ## <summary>
 -##	Manage unpriviledged user SysV sempaphores.
-+##	Execute an Xserver session in all unprivileged user domains.  This
+##	Manage unpriviledged user SysV shared
-+##	is an explicit transition, requiring the
+##	memory segments.
 +##	caller to use setexeccon().
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+@@ -3006,57 +3869,19 @@ interface(`userdom_rw_unpriv_user_semaphores',`
 +##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
 -interface(`userdom_manage_unpriv_user_semaphores',`
-+interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+interface(`userdom_manage_unpriv_user_shared_mem',`
 	gen_require(`
 		attribute unpriv_userdomain;
 	')
 -	allow $1 unpriv_userdomain:sem create_sem_perms;
-+	xserver_xsession_spec_domtrans($1, unpriv_userdomain)
+	allow $1 unpriv_userdomain:shm create_shm_perms;
 +	allow unpriv_userdomain $1:fd use;
 +	allow unpriv_userdomain $1:fifo_file rw_file_perms;
 +	allow unpriv_userdomain $1:process sigchld;
 ')
 -#######################################
@ -44753,26 +44789,52 @@ index 9dc60c6..87b5cc3 100644
 ## <summary>
 -##	Read and write unpriviledged user SysV shared
 -##	memory segments.
-+##	Manage unpriviledged user SysV sempaphores.
+-## </summary>
 -## <param name="domain">
 -##	<summary>
 -##	Domain allowed access.
 -##	</summary>
 -## </param>
 -#
 -interface(`userdom_rw_unpriv_user_shared_mem',`
 -	gen_require(`
 -		attribute unpriv_userdomain;
 -	')
 -
 -	allow $1 unpriv_userdomain:shm rw_shm_perms;
 -')
 -
 -########################################
 -## <summary>
 -##	Manage unpriviledged user SysV shared
 -##	memory segments.
 -## </summary>
 -## <param name="domain">
 -##	<summary>
 -##	Domain allowed access.
 -##	</summary>
 -## </param>
 -#
 -interface(`userdom_manage_unpriv_user_shared_mem',`
 -	gen_require(`
 -		attribute unpriv_userdomain;
 -	')
 -
 -	allow $1 unpriv_userdomain:shm create_shm_perms;
 -')
 -
 -########################################
 -## <summary>
 -##	Execute bin_t in the unprivileged user domains. This
 -##	is an explicit transition, requiring the
 -##	caller to use setexeccon().
 +##	Execute bin_t in the unprivileged user domains. This
 +##	is an explicit transition, requiring the
 +##	caller to use setexeccon().
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3025,12 +3829,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3094,7 +3919,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
 ##	</summary>
 ## </param>
 #
 -interface(`userdom_rw_unpriv_user_shared_mem',`
 +interface(`userdom_manage_unpriv_user_semaphores',`
 	gen_require(`
 		attribute unpriv_userdomain;
 	')
 -	allow $1 unpriv_userdomain:shm rw_shm_perms;
 +	allow $1 unpriv_userdomain:sem create_sem_perms;
 ')
 ########################################
@@ -3094,7 +3898,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
 	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
 	allow unpriv_userdomain $1:fd use;
@ -44781,7 +44843,7 @@ index 9dc60c6..87b5cc3 100644
 	allow unpriv_userdomain $1:process sigchld;
 ')
-@@ -3110,16 +3914,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +3935,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
 #
 interface(`userdom_search_user_home_content',`
 	gen_require(`
@ -44792,33 +44854,11 @@ index 9dc60c6..87b5cc3 100644
 	files_list_home($1)
 -	allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
 +	allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
 +	allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
 ')
 ########################################
 ## <summary>
 -##	Send signull to unprivileged user domains.
 +##	Send general signals to unprivileged user domains.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3127,30 +3933,12 @@ interface(`userdom_search_user_home_content',`
 ##	</summary>
 ## </param>
 #
 -interface(`userdom_signull_unpriv_users',`
 +interface(`userdom_signal_unpriv_users',`
 	gen_require(`
 		attribute unpriv_userdomain;
 	')
 -	allow $1 unpriv_userdomain:process signull;
 -')
 -
 -########################################
 -## <summary>
-##	Send general signals to unprivileged user domains.
+-##	Send signull to unprivileged user domains.
 -## </summary>
 -## <param name="domain">
 -##	<summary>
@ -44826,17 +44866,18 @@ index 9dc60c6..87b5cc3 100644
 -##	</summary>
 -## </param>
 -#
-interface(`userdom_signal_unpriv_users',`
+-interface(`userdom_signull_unpriv_users',`
 -	gen_require(`
 -		attribute unpriv_userdomain;
 -	')
 -
-	allow $1 unpriv_userdomain:process signal;
+-	allow $1 unpriv_userdomain:process signull;
-+	allow $1 unpriv_userdomain:process signal;
+	allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
 +	allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
 ')
 ########################################
-@@ -3214,7 +4002,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4023,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
 		type user_devpts_t;
 	')
@ -44863,7 +44904,7 @@ index 9dc60c6..87b5cc3 100644
 ')
 ########################################
-@@ -3269,7 +4075,83 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,7 +4096,83 @@ interface(`userdom_write_user_tmp_files',`
 		type user_tmp_t;
 	')
@ -44948,7 +44989,7 @@ index 9dc60c6..87b5cc3 100644
 ')
 ########################################
-@@ -3287,7 +4169,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3287,7 +4190,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
 		type user_tty_device_t;
 	')
@ -44957,7 +44998,7 @@ index 9dc60c6..87b5cc3 100644
 ')
 ########################################
-@@ -3306,6 +4188,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3306,6 +4209,7 @@ interface(`userdom_read_all_users_state',`
 	')
 	read_files_pattern($1, userdomain, userdomain)
@ -44965,7 +45006,7 @@ index 9dc60c6..87b5cc3 100644
 	kernel_search_proc($1)
 ')
-@@ -3382,6 +4265,42 @@ interface(`userdom_signal_all_users',`
+@@ -3382,6 +4286,42 @@ interface(`userdom_signal_all_users',`
 	allow $1 userdomain:process signal;
 ')
@ -45008,7 +45049,7 @@ index 9dc60c6..87b5cc3 100644
 ########################################
 ## <summary>
 ##	Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4321,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4342,24 @@ interface(`userdom_sigchld_all_users',`
 ########################################
 ## <summary>
@ -45033,7 +45074,7 @@ index 9dc60c6..87b5cc3 100644
 ##	Create keys for all user domains.
 ## </summary>
 ## <param name="domain">
-@@ -3435,4 +4372,1680 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4393,1680 @@ interface(`userdom_dbus_send_all_users',`
 	')
 	allow $1 userdomain:dbus send_msg;
@ -45145,7 +45186,7 @@ index 9dc60c6..87b5cc3 100644
 +	tunable_policy(`deny_ptrace',`',`
 +		allow $1 userdomain:process ptrace;
 +	')
-+')
+ ')
 +
 +########################################
 +## <summary>
@ -45202,7 +45243,7 @@ index 9dc60c6..87b5cc3 100644
 +
 +	allow $1 admin_home_t:lnk_file read_lnk_file_perms;
 +	allow $1 admin_home_t:dir list_dir_perms;
- ')
+')
 +
 +########################################
 +## <summary>
@ -46715,7 +46756,7 @@ index 9dc60c6..87b5cc3 100644
 +')
 +
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index f4ac38d..7283238 100644
+index f4ac38d..9284c24 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
@ -46804,7 +46845,7 @@ index f4ac38d..7283238 100644
 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
 fs_associate_tmpfs(user_home_dir_t)
 files_type(user_home_dir_t)
-@@ -70,26 +83,386 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,390 @@ ubac_constrained(user_home_dir_t)
 type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
 typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@ -46913,6 +46954,7 @@ index f4ac38d..7283238 100644
 +
 +tunable_policy(`use_ecryptfs_home_dirs',`
 +    fs_read_ecryptfs_files(userdom_home_reader_certs_type)
 +    fs_read_ecryptfs_symlinks(userdom_home_reader_certs_type)
 +')
 +
 +tunable_policy(`use_nfs_home_dirs',`
@ -46930,6 +46972,7 @@ index f4ac38d..7283238 100644
 +
 +tunable_policy(`use_ecryptfs_home_dirs',`
 +        fs_read_ecryptfs_files(userdom_home_reader_type)
 +        fs_read_ecryptfs_symlinks(userdom_home_reader_type)
 +')
 +
 +tunable_policy(`use_nfs_home_dirs',`
@ -46954,7 +46997,9 @@ index f4ac38d..7283238 100644
 +tunable_policy(`use_ecryptfs_home_dirs',`
 +	fs_manage_ecryptfs_dirs(userdom_home_manager_type)
 +	fs_manage_ecryptfs_files(userdom_home_manager_type)
 +    fs_manage_ecryptfs_symlinks(userdom_home_manager_type)
 +')
 +
 +# vi /etc/mtab can cause an avc trying to relabel to self.  
 +dontaudit userdomain self:file relabelto;
 +
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -9231,7 +9231,7 @@ index e73fb79..2badfc0 100644
 	domain_system_change_exemption($1)
 	role_transition $2 bitlbee_initrc_exec_t system_r;
 diff --git a/bitlbee.te b/bitlbee.te
-index f5c1a48..7d8669f 100644
+index f5c1a48..f255b29 100644
 --- a/bitlbee.te
 +++ b/bitlbee.te
@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t)
@ -9269,7 +9269,17 @@ index f5c1a48..7d8669f 100644
 corenet_all_recvfrom_unlabeled(bitlbee_t)
 corenet_all_recvfrom_netlabel(bitlbee_t)
-@@ -109,16 +114,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
+@@ -98,7 +103,9 @@ corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
 corenet_sendrecv_ircd_server_packets(bitlbee_t)
 corenet_tcp_bind_ircd_port(bitlbee_t)
 +corenet_tcp_bind_interwise_port(bitlbee_t)
 corenet_sendrecv_ircd_client_packets(bitlbee_t)
 +corenet_tcp_connect_interwise_port(bitlbee_t)
 corenet_tcp_connect_ircd_port(bitlbee_t)
 corenet_tcp_sendrecv_ircd_port(bitlbee_t)
@@ -109,16 +116,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
 dev_read_rand(bitlbee_t)
 dev_read_urand(bitlbee_t)
@ -13147,7 +13157,7 @@ index c223f81..8b567c1 100644
 -	admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
 ')
 diff --git a/cobbler.te b/cobbler.te
-index 5f306dd..e01156f 100644
+index 5f306dd..1543aec 100644
 --- a/cobbler.te
 +++ b/cobbler.te
@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
@ -13208,7 +13218,7 @@ index 5f306dd..e01156f 100644
 ')
 optional_policy(`
-@@ -179,12 +183,22 @@ optional_policy(`
+@@ -179,12 +183,26 @@ optional_policy(`
 optional_policy(`
 	dhcpd_domtrans(cobblerd_t)
 	dhcpd_initrc_domtrans(cobblerd_t)
@ -13223,6 +13233,10 @@ index 5f306dd..e01156f 100644
 +')
 +
 +optional_policy(`
 +    gnome_dontaudit_search_config(cobblerd_t)
 +')
 +
 +optional_policy(`
 +    libs_exec_ldconfig(cobblerd_t)
 +')
 +
@ -13231,7 +13245,7 @@ index 5f306dd..e01156f 100644
 ')
 optional_policy(`
-@@ -192,13 +206,13 @@ optional_policy(`
+@@ -192,13 +210,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -18752,14 +18766,21 @@ index 3023be7..303af85 100644
 +	files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
 ')
 diff --git a/cups.te b/cups.te
-index c91813c..2230476 100644
+index c91813c..dbd69b1 100644
 --- a/cups.te
 +++ b/cups.te
-@@ -5,19 +5,24 @@ policy_module(cups, 1.16.2)
+@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
 # Declarations
 #
 -type cupsd_config_t;
 +## <desc>
 +## <p>
 +## Allow cups execmem/execstack
 +## </p>
 +## </desc>
 +gen_tunable(cups_execmem, false)
 +
 +attribute cups_domain;
 +
 +type cupsd_config_t, cups_domain;
@ -18782,7 +18803,7 @@ index c91813c..2230476 100644
 files_config_file(cupsd_etc_t)
 type cupsd_initrc_exec_t;
-@@ -33,13 +38,15 @@ type cupsd_lock_t;
+@@ -33,13 +45,15 @@ type cupsd_lock_t;
 files_lock_file(cupsd_lock_t)
 type cupsd_log_t;
@ -18802,7 +18823,7 @@ index c91813c..2230476 100644
 type cupsd_lpd_tmp_t;
 files_tmp_file(cupsd_lpd_tmp_t)
-@@ -47,7 +54,7 @@ files_tmp_file(cupsd_lpd_tmp_t)
+@@ -47,7 +61,7 @@ files_tmp_file(cupsd_lpd_tmp_t)
 type cupsd_lpd_var_run_t;
 files_pid_file(cupsd_lpd_var_run_t)
@ -18811,7 +18832,7 @@ index c91813c..2230476 100644
 type cups_pdf_exec_t;
 cups_backend(cups_pdf_t, cups_pdf_exec_t)
-@@ -55,29 +62,17 @@ type cups_pdf_tmp_t;
+@@ -55,29 +69,17 @@ type cups_pdf_tmp_t;
 files_tmp_file(cups_pdf_tmp_t)
 type cupsd_tmp_t;
@ -18845,7 +18866,7 @@ index c91813c..2230476 100644
 type ptal_t;
 type ptal_exec_t;
-@@ -97,21 +92,49 @@ ifdef(`enable_mls',`
+@@ -97,21 +99,49 @@ ifdef(`enable_mls',`
 	init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
 ')
@ -18899,7 +18920,7 @@ index c91813c..2230476 100644
 allow cupsd_t self:appletalk_socket create_socket_perms;
 allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
-@@ -120,11 +143,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+@@ -120,11 +150,14 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
 read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
 manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
@ -18910,10 +18931,11 @@ index c91813c..2230476 100644
 filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
 files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
 +cups_filetrans_named_content(cupsd_t)
 +can_exec(cupsd_t, cupsd_rw_etc_t)
 allow cupsd_t cupsd_exec_t:dir search_dir_perms;
 allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
-@@ -136,22 +161,23 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+@@ -136,22 +169,23 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
 manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
 logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
@ -18941,7 +18963,7 @@ index c91813c..2230476 100644
 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
 allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
-@@ -159,11 +185,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+@@ -159,11 +193,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
 can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
 kernel_read_system_state(cupsd_t)
@ -18953,7 +18975,7 @@ index c91813c..2230476 100644
 corenet_all_recvfrom_netlabel(cupsd_t)
 corenet_tcp_sendrecv_generic_if(cupsd_t)
 corenet_udp_sendrecv_generic_if(cupsd_t)
-@@ -186,12 +210,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
+@@ -186,12 +218,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
 corenet_tcp_bind_all_rpc_ports(cupsd_t)
 corenet_tcp_connect_all_ports(cupsd_t)
@ -18978,7 +19000,7 @@ index c91813c..2230476 100644
 dev_rw_input_dev(cupsd_t)
 dev_rw_generic_usb_dev(cupsd_t)
 dev_rw_usbfs(cupsd_t)
-@@ -203,7 +235,6 @@ domain_use_interactive_fds(cupsd_t)
+@@ -203,7 +243,6 @@ domain_use_interactive_fds(cupsd_t)
 files_getattr_boot_dirs(cupsd_t)
 files_list_spool(cupsd_t)
 files_read_etc_runtime_files(cupsd_t)
@ -18986,7 +19008,7 @@ index c91813c..2230476 100644
 files_exec_usr_files(cupsd_t)
 # for /var/lib/defoma
 files_read_var_lib_files(cupsd_t)
-@@ -212,17 +243,19 @@ files_read_world_readable_files(cupsd_t)
+@@ -212,17 +251,19 @@ files_read_world_readable_files(cupsd_t)
 files_read_world_readable_symlinks(cupsd_t)
 files_read_var_files(cupsd_t)
 files_read_var_symlinks(cupsd_t)
@ -19008,7 +19030,7 @@ index c91813c..2230476 100644
 mls_fd_use_all_levels(cupsd_t)
 mls_file_downgrade(cupsd_t)
 mls_file_write_all_levels(cupsd_t)
-@@ -232,6 +265,8 @@ mls_socket_write_all_levels(cupsd_t)
+@@ -232,6 +273,8 @@ mls_socket_write_all_levels(cupsd_t)
 term_search_ptys(cupsd_t)
 term_use_unallocated_ttys(cupsd_t)
@ -19017,7 +19039,7 @@ index c91813c..2230476 100644
 selinux_compute_access_vector(cupsd_t)
 selinux_validate_context(cupsd_t)
-@@ -244,21 +279,21 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -244,23 +287,28 @@ auth_dontaudit_read_pam_pid(cupsd_t)
 auth_rw_faillog(cupsd_t)
 auth_use_nsswitch(cupsd_t)
@ -19043,8 +19065,15 @@ index c91813c..2230476 100644
 +userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
 userdom_dontaudit_search_user_home_content(cupsd_t)
 +tunable_policy(`cups_execmem',`
 +	allow cupsd_t self:process { execmem execstack };
 +')
 +
 +
 optional_policy(`
-@@ -272,6 +307,8 @@ optional_policy(`
+ 	apm_domtrans_client(cupsd_t)
 ')
@@ -272,6 +320,8 @@ optional_policy(`
 optional_policy(`
 	dbus_system_bus_client(cupsd_t)
@ -19053,7 +19082,7 @@ index c91813c..2230476 100644
 	userdom_dbus_send_all_users(cupsd_t)
 	optional_policy(`
-@@ -282,8 +319,10 @@ optional_policy(`
+@@ -282,8 +332,10 @@ optional_policy(`
 		hal_dbus_chat(cupsd_t)
 	')
@ -19064,7 +19093,7 @@ index c91813c..2230476 100644
 	')
 ')
-@@ -296,8 +335,8 @@ optional_policy(`
+@@ -296,8 +348,8 @@ optional_policy(`
 ')
 optional_policy(`
@ -19074,7 +19103,7 @@ index c91813c..2230476 100644
 ')
 optional_policy(`
-@@ -306,7 +345,6 @@ optional_policy(`
+@@ -306,7 +358,6 @@ optional_policy(`
 optional_policy(`
 	lpd_exec_lpr(cupsd_t)
@ -19082,7 +19111,7 @@ index c91813c..2230476 100644
 	lpd_read_config(cupsd_t)
 	lpd_relabel_spool(cupsd_t)
 ')
-@@ -334,7 +372,11 @@ optional_policy(`
+@@ -334,7 +385,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -19095,7 +19124,7 @@ index c91813c..2230476 100644
 ')
 ########################################
-@@ -342,12 +384,11 @@ optional_policy(`
+@@ -342,12 +397,11 @@ optional_policy(`
 # Configuration daemon local policy
 #
@ -19111,7 +19140,7 @@ index c91813c..2230476 100644
 allow cupsd_config_t cupsd_t:process signal;
 ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -372,18 +413,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -372,18 +426,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
 manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
 files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
@ -19132,7 +19161,7 @@ index c91813c..2230476 100644
 corenet_all_recvfrom_netlabel(cupsd_config_t)
 corenet_tcp_sendrecv_generic_if(cupsd_config_t)
 corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -392,20 +431,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -392,20 +444,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
 corenet_sendrecv_all_client_packets(cupsd_config_t)
 corenet_tcp_connect_all_ports(cupsd_config_t)
@ -19153,7 +19182,7 @@ index c91813c..2230476 100644
 fs_search_auto_mountpoints(cupsd_config_t)
 domain_use_interactive_fds(cupsd_config_t)
-@@ -417,11 +448,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -417,11 +461,6 @@ auth_use_nsswitch(cupsd_config_t)
 logging_send_syslog_msg(cupsd_config_t)
@ -19165,7 +19194,7 @@ index c91813c..2230476 100644
 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
 userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
 userdom_read_all_users_state(cupsd_config_t)
-@@ -449,9 +475,12 @@ optional_policy(`
+@@ -449,9 +488,12 @@ optional_policy(`
 ')
 optional_policy(`
@ -19179,7 +19208,7 @@ index c91813c..2230476 100644
 ')
 optional_policy(`
-@@ -487,10 +516,6 @@ optional_policy(`
+@@ -487,10 +529,6 @@ optional_policy(`
 # Lpd local policy
 #
@ -19190,7 +19219,7 @@ index c91813c..2230476 100644
 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -508,15 +533,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -508,15 +546,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
 kernel_read_kernel_sysctls(cupsd_lpd_t)
 kernel_read_system_state(cupsd_lpd_t)
@ -19208,7 +19237,7 @@ index c91813c..2230476 100644
 corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
 corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
-@@ -537,9 +562,6 @@ auth_use_nsswitch(cupsd_lpd_t)
+@@ -537,9 +575,6 @@ auth_use_nsswitch(cupsd_lpd_t)
 logging_send_syslog_msg(cupsd_lpd_t)
@ -19218,7 +19247,7 @@ index c91813c..2230476 100644
 optional_policy(`
 	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
 ')
-@@ -550,7 +572,6 @@ optional_policy(`
+@@ -550,7 +585,6 @@ optional_policy(`
 #
 allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@ -19226,7 +19255,7 @@ index c91813c..2230476 100644
 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
 append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -566,148 +587,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -566,148 +600,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
 kernel_read_system_state(cups_pdf_t)
@ -19255,13 +19284,11 @@ index c91813c..2230476 100644
 -	fs_manage_cifs_dirs(cups_pdf_t)
 -	fs_manage_cifs_files(cups_pdf_t)
 -')
-+userdom_home_manager(cups_pdf_t)
+-
- 
+-optional_policy(`
 optional_policy(`
 -	lpd_manage_spool(cups_pdf_t)
-+	gnome_read_config(cups_pdf_t)
+-')
- ')
+-
 -########################################
 -#
 -# HPLIP local policy
@ -19350,15 +19377,17 @@ index c91813c..2230476 100644
 -userdom_dontaudit_use_unpriv_user_fds(hplip_t)
 -userdom_dontaudit_search_user_home_dirs(hplip_t)
 -userdom_dontaudit_search_user_home_content(hplip_t)
-
+userdom_home_manager(cups_pdf_t)
-optional_policy(`
+ 
 optional_policy(`
 -	dbus_system_bus_client(hplip_t)
 -
 -	optional_policy(`
 -		userdom_dbus_send_all_users(hplip_t)
 -	')
-')
+	gnome_read_config(cups_pdf_t)
-
+ ')
 -optional_policy(`
 -	lpd_read_config(hplip_t)
 -	lpd_manage_spool(hplip_t)
@ -19378,7 +19407,7 @@ index c91813c..2230476 100644
 ########################################
 #
-@@ -735,7 +631,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -735,7 +644,6 @@ kernel_read_kernel_sysctls(ptal_t)
 kernel_list_proc(ptal_t)
 kernel_read_proc_symlinks(ptal_t)
@ -19386,7 +19415,7 @@ index c91813c..2230476 100644
 corenet_all_recvfrom_netlabel(ptal_t)
 corenet_tcp_sendrecv_generic_if(ptal_t)
 corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -745,13 +640,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -745,13 +653,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
 corenet_tcp_bind_ptal_port(ptal_t)
 corenet_tcp_sendrecv_ptal_port(ptal_t)
@ -19400,7 +19429,7 @@ index c91813c..2230476 100644
 files_read_etc_runtime_files(ptal_t)
 fs_getattr_all_fs(ptal_t)
-@@ -759,8 +652,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -759,8 +665,6 @@ fs_search_auto_mountpoints(ptal_t)
 logging_send_syslog_msg(ptal_t)
@ -19409,7 +19438,7 @@ index c91813c..2230476 100644
 sysnet_read_config(ptal_t)
 userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -773,3 +664,4 @@ optional_policy(`
+@@ -773,3 +677,4 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(ptal_t)
 ')
@ -23805,10 +23834,10 @@ index 0000000..fd679a1
 +/var/lib/docker/.*/config\.env	gen_context(system_u:object_r:docker_share_t,s0)
 diff --git a/docker.if b/docker.if
 new file mode 100644
-index 0000000..1048292
+index 0000000..76eb32e
 --- /dev/null
 +++ b/docker.if
-@@ -0,0 +1,345 @@
+@@ -0,0 +1,364 @@
 +
 +## <summary>The open-source application container engine.</summary>
 +
@ -23833,6 +23862,25 @@ index 0000000..1048292
 +
 +########################################
 +## <summary>
 +##	Execute docker in the caller domain.
 +## </summary>
 +## <param name="domain">
 +## <summary>
 +##	Domain allowed to transition.
 +## </summary>
 +## </param>
 +#
 +interface(`docker_exec',`
 +	gen_require(`
 +		type docker_exec_t;
 +	')
 +
 +	corecmd_search_bin($1)
 +	can_exec($1, docker_exec_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Search docker lib directories.
 +## </summary>
 +## <param name="domain">
@ -28316,10 +28364,10 @@ index 0000000..04e159f
 +')
 diff --git a/gear.te b/gear.te
 new file mode 100644
-index 0000000..cb68ca9
+index 0000000..91ed5f4
 --- /dev/null
 +++ b/gear.te
-@@ -0,0 +1,125 @@
+@@ -0,0 +1,134 @@
 +policy_module(gear, 1.0.0)
 +
 +########################################
@ -28348,13 +28396,17 @@ index 0000000..cb68ca9
 +# gear local policy
 +#
 +allow gear_t self:capability { chown net_admin fowner dac_override };
 +dontaudit gear_t self:capability sys_ptrace;
 +allow gear_t self:capability2 block_suspend;
 +allow gear_t self:process { getattr signal_perms };
 +allow gear_t self:fifo_file rw_fifo_file_perms;
 +allow gear_t self:unix_stream_socket create_stream_socket_perms;
 +allow gear_t self:tcp_socket create_stream_socket_perms;
 +
 +allow gear_t gear_unit_file_t:file read_file_perms;
 +allow gear_t gear_unit_file_t:service manage_service_perms;
 +allow gear_t gear_unit_file_t:dir { relabelfrom relabelto };
 +manage_dirs_pattern(gear_t, gear_unit_file_t, gear_unit_file_t)
 +
 +manage_dirs_pattern(gear_t, gear_log_t, gear_log_t)
 +manage_files_pattern(gear_t, gear_log_t, gear_log_t)
@ -28376,6 +28428,7 @@ index 0000000..cb68ca9
 +manage_sock_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
 +manage_lnk_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
 +files_pid_filetrans(gear_t, gear_var_run_t, { dir file lnk_file sock_file })
 +init_pid_filetrans(gear_t, gear_var_run_t, { dir file lnk_file sock_file })
 +
 +kernel_read_system_state(gear_t)
 +kernel_read_network_state(gear_t)
@ -28401,8 +28454,10 @@ index 0000000..cb68ca9
 +files_mounton_rootfs(gear_t)
 +files_read_etc_files(gear_t)
 +
 +fs_list_cgroup_dirs(gear_t)
 +fs_read_cgroup_files(gear_t)
 +fs_read_tmpfs_symlinks(gear_t)
 +fs_getattr_all_fs(gear_t)
 +
 +auth_use_nsswitch(gear_t)
 +
@ -28414,6 +28469,7 @@ index 0000000..cb68ca9
 +
 +logging_send_audit_msgs(gear_t)
 +logging_send_syslog_msg(gear_t)
 +logging_read_generic_logs(gear_t)
 +
 +miscfiles_read_localization(gear_t)
 +
@ -28427,6 +28483,7 @@ index 0000000..cb68ca9
 +sysnet_manage_ifconfig_run(gear_t)
 +
 +systemd_manage_all_unit_files(gear_t)
 +systemd_exec_systemctl(gear_t)
 +
 +optional_policy(`
 +	hostname_exec(gear_t)
@ -28621,10 +28678,10 @@ index 0000000..9e17d3e
 +')
 diff --git a/geoclue.te b/geoclue.te
 new file mode 100644
-index 0000000..351f145
+index 0000000..204995f
 --- /dev/null
 +++ b/geoclue.te
-@@ -0,0 +1,53 @@
+@@ -0,0 +1,54 @@
 +policy_module(geoclue, 1.0.0)
 +
 +########################################
@ -28647,6 +28704,7 @@ index 0000000..351f145
 +#
 +# geoclue local policy
 +#
 +allow geoclue_t self:unix_dgram_socket create_socket_perms;
 +
 +manage_dirs_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
 +manage_files_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
@ -37100,10 +37158,10 @@ index 0000000..0d61849
 +')
 diff --git a/keepalived.te b/keepalived.te
 new file mode 100644
-index 0000000..535f79b
+index 0000000..2c08717
 --- /dev/null
 +++ b/keepalived.te
-@@ -0,0 +1,47 @@
+@@ -0,0 +1,55 @@
 +policy_module(keepalived, 1.0.0)
 +
 +########################################
@ -37139,6 +37197,11 @@ index 0000000..535f79b
 +kernel_read_system_state(keepalived_t)
 +kernel_read_network_state(keepalived_t)
 +
 +corecmd_exec_bin(keepalived_t)
 +corecmd_exec_shell(keepalived_t)
 +
 +corenet_tcp_connect_snmp_port(keepalived_t)
 +
 +auth_use_nsswitch(keepalived_t)
 +
 +corenet_tcp_connect_connlcli_port(keepalived_t)
@ -37151,6 +37214,9 @@ index 0000000..535f79b
 +
 +logging_send_syslog_msg(keepalived_t)
 +
 +optional_policy(`
 +    snmp_read_snmp_var_lib_files(keepalived_t)
 +')
 diff --git a/kerberos.fc b/kerberos.fc
 index 4fe75fd..b029c28 100644
 --- a/kerberos.fc
@ -40291,7 +40357,7 @@ index dd8e01a..9cd6b0b 100644
 ## <param name="domain">
 ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index be0ab84..f4550f1 100644
+index be0ab84..44689e1 100644
 --- a/logrotate.te
 +++ b/logrotate.te
@@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0)
@ -40488,7 +40554,7 @@ index be0ab84..f4550f1 100644
 ')
 optional_policy(`
-@@ -170,6 +216,10 @@ optional_policy(`
+@@ -170,6 +216,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -40496,10 +40562,11 @@ index be0ab84..f4550f1 100644
 +')
 +
 +optional_policy(`
 +    fail2ban_domtrans_client(logrotate_t)
 	fail2ban_stream_connect(logrotate_t)
 ')
-@@ -178,7 +228,7 @@ optional_policy(`
+@@ -178,7 +229,7 @@ optional_policy(`
 ')
 optional_policy(`
@ -40508,7 +40575,7 @@ index be0ab84..f4550f1 100644
 ')
 optional_policy(`
-@@ -198,21 +248,26 @@ optional_policy(`
+@@ -198,21 +249,26 @@ optional_policy(`
 ')
 optional_policy(`
@ -40539,7 +40606,7 @@ index be0ab84..f4550f1 100644
 ')
 optional_policy(`
-@@ -228,10 +283,21 @@ optional_policy(`
+@@ -228,10 +284,21 @@ optional_policy(`
 ')
 optional_policy(`
@ -40561,7 +40628,7 @@ index be0ab84..f4550f1 100644
 	su_exec(logrotate_t)
 ')
-@@ -241,13 +307,11 @@ optional_policy(`
+@@ -241,13 +308,11 @@ optional_policy(`
 #######################################
 #
@ -44972,7 +45039,7 @@ index 6ffaba2..549fb8c 100644
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/mozilla.if b/mozilla.if
-index 6194b80..cafb2b0 100644
+index 6194b80..7490fe3 100644
 --- a/mozilla.if
 +++ b/mozilla.if
@@ -1,146 +1,75 @@
@ -45258,7 +45325,7 @@ index 6194b80..cafb2b0 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -265,140 +173,155 @@ interface(`mozilla_exec_user_plugin_home_files',`
+@@ -265,140 +173,156 @@ interface(`mozilla_exec_user_plugin_home_files',`
 ## </param>
 #
 interface(`mozilla_execmod_user_home_files',`
@ -45362,7 +45429,8 @@ index 6194b80..cafb2b0 100644
 +	allow $1 mozilla_plugin_t:shm rw_shm_perms;
 +
 +	ps_process_pattern($1, mozilla_plugin_t)
-+	allow $1 mozilla_plugin_t:process signal_perms;
+	ps_process_pattern(mozilla_plugin_t, $1)
 +	allow $1 mozilla_plugin_t:process { signal_perms noatsecure };
 +
 +	list_dirs_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 +	read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
@ -45474,7 +45542,7 @@ index 6194b80..cafb2b0 100644
 ')
 ########################################
-@@ -424,8 +347,7 @@ interface(`mozilla_dbus_chat',`
+@@ -424,8 +348,7 @@ interface(`mozilla_dbus_chat',`
 ########################################
 ## <summary>
@ -45484,7 +45552,7 @@ index 6194b80..cafb2b0 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -433,76 +355,144 @@ interface(`mozilla_dbus_chat',`
+@@ -433,76 +356,144 @@ interface(`mozilla_dbus_chat',`
 ##	</summary>
 ## </param>
 #
@ -45658,7 +45726,7 @@ index 6194b80..cafb2b0 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -510,19 +500,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
+@@ -510,19 +501,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
@ -45683,7 +45751,7 @@ index 6194b80..cafb2b0 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -530,45 +519,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +520,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
@ -49123,7 +49191,7 @@ index b744fe3..50c386e 100644
 +	admin_pattern($1, munin_content_t)
 ')
 diff --git a/munin.te b/munin.te
-index b708708..7bdfb65 100644
+index b708708..78fa61c 100644
 --- a/munin.te
 +++ b/munin.te
@@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
@ -49342,7 +49410,7 @@ index b708708..7bdfb65 100644
 dev_read_sysfs(system_munin_plugin_t)
 dev_read_urand(system_munin_plugin_t)
-@@ -421,3 +431,32 @@ optional_policy(`
+@@ -421,3 +431,33 @@ optional_policy(`
 optional_policy(`
 	unconfined_domain(unconfined_munin_plugin_t)
 ')
@ -49361,12 +49429,13 @@ index b708708..7bdfb65 100644
 +
 +manage_dirs_pattern(munin_script_t, munin_script_tmp_t, munin_script_tmp_t)
 +manage_files_pattern(munin_script_t, munin_script_tmp_t,munin_script_tmp_t)
 +files_tmp_filetrans(munin_script_t, munin_script_tmp_t, { dir file })
 +
 +read_files_pattern(munin_script_t, munin_var_lib_t, munin_var_lib_t)
 +list_dirs_pattern(munin_script_t, munin_etc_t, munin_etc_t)
 +read_files_pattern(munin_script_t, munin_etc_t, munin_etc_t)
 +
-+read_files_pattern(munin_script_t, munin_log_t, munin_log_t)
+manage_files_pattern(munin_script_t, munin_log_t, munin_log_t)
 +append_files_pattern(munin_script_t, munin_log_t, munin_log_t)
 +
 +files_search_var_lib(munin_script_t)
 +
@ -73727,10 +73796,10 @@ index afc0068..3105104 100644
 +	')
 ')
 diff --git a/quantum.te b/quantum.te
-index 8644d8b..f7958c0 100644
+index 8644d8b..e815665 100644
 --- a/quantum.te
 +++ b/quantum.te
-@@ -5,92 +5,138 @@ policy_module(quantum, 1.1.0)
+@@ -5,92 +5,146 @@ policy_module(quantum, 1.1.0)
 # Declarations
 #
@ -73792,40 +73861,42 @@ index 8644d8b..f7958c0 100644
 +create_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
 +setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
 +logging_log_filetrans(neutron_t, neutron_log_t, dir)
 +
 +manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
 +manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
 +files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir })
 -manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
 -append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
 -create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
 -setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
 -logging_log_filetrans(quantum_t, quantum_log_t, dir)
 +manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
 +manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
 +files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir })
 -manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
 -files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
 +manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
 +manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
 +manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
 +files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
 -manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
 -files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
 +can_exec(neutron_t, neutron_tmp_t)
 -manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
 -manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
 -files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
 +can_exec(neutron_t, neutron_tmp_t)
 -can_exec(quantum_t, quantum_tmp_t)
 +kernel_rw_kernel_sysctl(neutron_t)
 +kernel_rw_net_sysctls(neutron_t)
 +kernel_read_system_state(neutron_t)
 +kernel_read_network_state(neutron_t)
 +kernel_request_load_module(neutron_t)
-can_exec(quantum_t, quantum_tmp_t)
+-kernel_read_kernel_sysctls(quantum_t)
 -kernel_read_system_state(quantum_t)
 +corecmd_exec_shell(neutron_t)
 +corecmd_exec_bin(neutron_t)
-kernel_read_kernel_sysctls(quantum_t)
+-corecmd_exec_shell(quantum_t)
-kernel_read_system_state(quantum_t)
+-corecmd_exec_bin(quantum_t)
 +corenet_all_recvfrom_unlabeled(neutron_t)
 +corenet_all_recvfrom_netlabel(neutron_t)
 +corenet_tcp_sendrecv_generic_if(neutron_t)
@ -73833,49 +73904,47 @@ index 8644d8b..f7958c0 100644
 +corenet_tcp_sendrecv_all_ports(neutron_t)
 +corenet_tcp_bind_generic_node(neutron_t)
 -corecmd_exec_shell(quantum_t)
 -corecmd_exec_bin(quantum_t)
 +corenet_tcp_bind_neutron_port(neutron_t)
 +corenet_tcp_connect_keystone_port(neutron_t)
 +corenet_tcp_connect_amqp_port(neutron_t)
 +corenet_tcp_connect_mysqld_port(neutron_t)
 +corenet_tcp_connect_osapi_compute_port(neutron_t)
 -corenet_all_recvfrom_unlabeled(quantum_t)
 -corenet_all_recvfrom_netlabel(quantum_t)
 -corenet_tcp_sendrecv_generic_if(quantum_t)
 -corenet_tcp_sendrecv_generic_node(quantum_t)
 -corenet_tcp_sendrecv_all_ports(quantum_t)
 -corenet_tcp_bind_generic_node(quantum_t)
-+domain_read_all_domains_state(neutron_t)
+corenet_tcp_bind_neutron_port(neutron_t)
-+domain_named_filetrans(neutron_t)
+corenet_tcp_connect_keystone_port(neutron_t)
 +corenet_tcp_connect_amqp_port(neutron_t)
 +corenet_tcp_connect_mysqld_port(neutron_t)
 +corenet_tcp_connect_osapi_compute_port(neutron_t)
 -dev_list_sysfs(quantum_t)
 -dev_read_urand(quantum_t)
 +domain_read_all_domains_state(neutron_t)
 +domain_named_filetrans(neutron_t)
 -files_read_usr_files(quantum_t)
 +dev_read_sysfs(neutron_t)
 +dev_read_urand(neutron_t)
 +dev_mounton_sysfs(neutron_t)
 +dev_mount_sysfs_fs(neutron_t)
 +dev_unmount_sysfs_fs(neutron_t)
-files_read_usr_files(quantum_t)
+-auth_use_nsswitch(quantum_t)
 +files_mounton_non_security(neutron_t)
 -auth_use_nsswitch(quantum_t)
 +auth_use_nsswitch(neutron_t)
 -libs_exec_ldconfig(quantum_t)
-+libs_exec_ldconfig(neutron_t)
+auth_use_nsswitch(neutron_t)
 -logging_send_audit_msgs(quantum_t)
 -logging_send_syslog_msg(quantum_t)
 +libs_exec_ldconfig(neutron_t)
 -miscfiles_read_localization(quantum_t)
 +logging_send_audit_msgs(neutron_t)
 +logging_send_syslog_msg(neutron_t)
 -miscfiles_read_localization(quantum_t)
 +netutils_exec(neutron_t)
 -sysnet_domtrans_ifconfig(quantum_t)
 +netutils_exec(neutron_t)
 +
 +# need to stay in neutron
 +sysnet_exec_ifconfig(neutron_t)
 +sysnet_manage_ifconfig_run(neutron_t)
@ -73902,13 +73971,17 @@ index 8644d8b..f7958c0 100644
 optional_policy(`
 -	postgresql_stream_connect(quantum_t)
 -	postgresql_unpriv_client(quantum_t)
 +    modutils_domtrans_insmod(neutron_t)
 +')
 -	postgresql_tcp_connect(quantum_t)
 +optional_policy(`
 +	mysql_stream_connect(neutron_t)
 +    mysql_read_db_lnk_files(neutron_t)
 +	mysql_read_config(neutron_t)
 +	mysql_tcp_connect(neutron_t)
-+')
+ ')
- 
+
 -	postgresql_tcp_connect(quantum_t)
 +optional_policy(`
 +	postgresql_stream_connect(neutron_t)
 +	postgresql_unpriv_client(neutron_t)
@ -73918,10 +73991,14 @@ index 8644d8b..f7958c0 100644
 +optional_policy(`
 +    openvswitch_domtrans(neutron_t)
 +    openvswitch_stream_connect(neutron_t)
- ')
+')
 +
 +optional_policy(`
 +	sudo_exec(neutron_t)
 +')
 +
 +optional_policy(`
 +    udev_domtrans(neutron_t)
 +')  
 diff --git a/quota.fc b/quota.fc
 index cadabe3..54ba01d 100644
@ -79586,10 +79663,20 @@ index 6dbc905..4b17c93 100644
 -	admin_pattern($1, rhsmcertd_lock_t)
 ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a2..54838ad 100644
+index d32e1a2..33ca060 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
-@@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t)
+@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
 type rhsmcertd_lock_t;
 files_lock_file(rhsmcertd_lock_t)
 +type rhsmcertd_tmp_t;
 +files_tmp_file(rhsmcertd_tmp_t)
 +
 type rhsmcertd_var_lib_t;
 files_type(rhsmcertd_var_lib_t)
@@ -30,18 +33,21 @@ files_pid_file(rhsmcertd_var_run_t)
 #
 allow rhsmcertd_t self:capability sys_nice;
@ -79607,7 +79694,15 @@ index d32e1a2..54838ad 100644
 manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
 files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
-@@ -50,25 +49,50 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+ 
 +manage_dirs_pattern(rhsmcertd_t, rhsmcertd_tmp_t, rhsmcertd_tmp_t)
 +manage_files_pattern(rhsmcertd_t, rhsmcertd_tmp_t, rhsmcertd_tmp_t)
 +files_tmp_filetrans(rhsmcertd_t, rhsmcertd_tmp_t, { dir file })
 +
 manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
 manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
@@ -50,25 +56,53 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
 files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
 kernel_read_network_state(rhsmcertd_t)
@ -79632,8 +79727,11 @@ index d32e1a2..54838ad 100644
 -files_read_usr_files(rhsmcertd_t)
 +files_manage_generic_locks(rhsmcertd_t)
 +files_manage_system_conf_files(rhsmcertd_t)
 +files_create_boot_flag(rhsmcertd_t)
 +
 +auth_read_passwd(rhsmcertd_t)
 +
 +libs_exec_ldconfig(rhsmcertd_t)
 init_read_state(rhsmcertd_t)
@ -89876,10 +89974,18 @@ index e2544e1..d3fbd78 100644
 +	xserver_xdm_append_log(shutdown_t)
 ')
 diff --git a/slocate.te b/slocate.te
-index 7292dc0..ce903d6 100644
+index 7292dc0..103278d 100644
 --- a/slocate.te
 +++ b/slocate.te
-@@ -62,7 +62,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
+@@ -44,6 +44,7 @@ dev_getattr_all_blk_files(locate_t)
 dev_getattr_all_chr_files(locate_t)
 files_list_all(locate_t)
 +files_list_isid_type_dirs(locate_t)
 files_dontaudit_read_all_symlinks(locate_t)
 files_getattr_all_files(locate_t)
 files_getattr_all_pipes(locate_t)
@@ -62,7 +63,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
 auth_use_nsswitch(locate_t)
@ -89887,7 +89993,7 @@ index 7292dc0..ce903d6 100644
 ifdef(`enable_mls',`
 	files_dontaudit_getattr_all_dirs(locate_t)
-@@ -71,3 +70,8 @@ ifdef(`enable_mls',`
+@@ -71,3 +71,8 @@ ifdef(`enable_mls',`
 optional_policy(`
 	cron_system_entry(locate_t, locate_exec_t)
 ')
@ -94448,10 +94554,10 @@ index 0000000..6a1f575
 +')
 diff --git a/swift.te b/swift.te
 new file mode 100644
-index 0000000..9ee77b2
+index 0000000..7fce837
 --- /dev/null
 +++ b/swift.te
-@@ -0,0 +1,97 @@
+@@ -0,0 +1,102 @@
 +policy_module(swift, 1.0.0)
 +
 +########################################
@ -94527,7 +94633,12 @@ index 0000000..9ee77b2
 +kernel_read_system_state(swift_t)
 +kernel_read_network_state(swift_t)
 +
 +# bug in swift
 +corenet_tcp_bind_xserver_port(swift_t)
 +corenet_tcp_bind_http_cache_port(swift_t)
 +
 +corecmd_exec_shell(swift_t)
 +corecmd_exec_bin(swift_t)
 +
 +dev_read_urand(swift_t)
 +
@ -99388,7 +99499,7 @@ index 1c35171..2cba4df 100644
 	domain_system_change_exemption($1)
 	role_transition $2 varnishd_initrc_exec_t system_r;
 diff --git a/varnishd.te b/varnishd.te
-index 9d4d8cb..a58e2dd 100644
+index 9d4d8cb..8cade37 100644
 --- a/varnishd.te
 +++ b/varnishd.te
@@ -21,7 +21,7 @@ type varnishd_initrc_exec_t;
@ -99413,22 +99524,22 @@ index 9d4d8cb..a58e2dd 100644
 #
 -allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
-+allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown };
+allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown fowner };
 dontaudit varnishd_t self:capability sys_tty_config;
 -allow varnishd_t self:process signal;
 +allow varnishd_t self:process { execmem signal };
 allow varnishd_t self:fifo_file rw_fifo_file_perms;
 allow varnishd_t self:tcp_socket { accept listen };
-@@ -103,7 +103,6 @@ corenet_tcp_sendrecv_varnishd_port(varnishd_t)
+@@ -103,15 +103,13 @@ corenet_tcp_sendrecv_varnishd_port(varnishd_t)
 dev_read_urand(varnishd_t)
 -files_read_usr_files(varnishd_t)
- 
+-
 fs_getattr_all_fs(varnishd_t)
-@@ -111,7 +110,7 @@ auth_use_nsswitch(varnishd_t)
+ auth_use_nsswitch(varnishd_t)
 logging_send_syslog_msg(varnishd_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 56%{?dist}
+Release: 57%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -588,6 +588,33 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Mon Jun 9 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-57
 - Allow staff_t to communicate and run docker
 - Fix *_ecryptfs_home_dirs booleans
 - Allow ldconfig_t to read/write inherited user tmp pipes
 - Allow storaged to dbus chat with lvm_t
 - Add support for storaged  and storaged-lvm-helper. Labeled it as lvm_exec_t.
 - Use proper calling in ssh.te for userdom_home_manager attribute
 - Use userdom_home_manager_type() also for ssh_keygen_t
 - Allow locate to list directories without labels
 - Allow bitlbee to use tcp/7778 port
 - /etc/cron.daily/logrotate to execute fail2ban-client.
 - Allow keepalives to connect to SNMP port. Support to do  SNMP stuff
 - Allow staff_t to communicate and run docker
 - Dontaudit search mgrepl/.local for cobblerd_t
 - Allow neutron to execute kmod in insmod_t
 - Allow neutron to execute udevadm in udev_t
 - Allow also fowner cap for varnishd
 - Allow keepalived to execute bin_t/shell_exec_t
 - rhsmcertd seems to need these accesses.  We need this backported to RHEL7 and perhaps RHEL6 policy
 - Add cups_execmem boolean
 - Allow gear to manage gear service
 - New requires for gear to use systemctl and init var_run_t
 - Allow cups to execute its rw_etc_t files, for brothers printers
 - Add fixes to make munin and munin-cgi working. Allow munin-cgit to create files/dirs in /tmp, list munin conf dirs and manage munin logs.
 - Allow swift to execute bin_t
 - Allow swift to bind http_cache
 * Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.13.1-56
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild