From 7216220f4a5395109e02a468e9d04c84981b470f Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mon, 5 Dec 2016 16:48:37 +0100 Subject: [PATCH] * Mon Dec 05 2016 Lukas Vrabec - 3.13.1-226 - Fix some boolean descriptions. - Add fwupd_dbus_chat() interface - Allow tgtd_t domain wake_alarm - Merge pull request #172 from vinzent/allow_puppetagent_timedated - Dontaudit logrotate_t to getattr nsfs_t BZ(1399081) - Allow systemd_machined_t to start unit files labeled as init_var_run_t - Add init_manage_config_transient_files() interface - In Atomic /usr/local is a soft symlink to /var/usrlocal, so the default policy to apply bin_t on /usr/...bin doesn't work and binaries dumped here get mislabeled as var_t. - Allow systemd to raise rlimit to all domains.BZ(1365435) - Add interface domain_setrlimit_all_domains() interface - Allow staff_t user to chat with fwupd_t domain via dbus - Update logging_create_devlog_dev() interface to allow calling domain create also sock_file dev-log. BZ(1393774) - Allow systemd-networkd to read network state BZ(1400016) - Allow systemd-resolved bind to dns port. BZ(1400023) - Allow systemd create /dev/log in own mount-namespace. BZ(1383867) - Add interface fs_dontaudit_getattr_nsfs_files() - Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853) --- container-selinux.tgz | Bin 4908 -> 4955 bytes policy-rawhide-base.patch | 261 +++++++++++++++++++++-------------- policy-rawhide-contrib.patch | 55 ++++++-- selinux-policy.spec | 21 ++- 4 files changed, 221 insertions(+), 116 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index 3472067586c2770e074fe16b09761a59be7a3334..e0774ec5573d95debf9fba420a7f284615ad56d4 100644 GIT binary patch literal 4955 zcmV-h6Qt}PiwFSii$z!f1MOW|kK8sA_UrVo5bOY+3G6w1#K1VoViE7dJ}eR>ep~M< zYKh&gSXV@8jy3$>w~B{ENhC$7)%FBv0d{vwRUgSBS*$7+HDR7rL7b8DJl;Gy&~*vd zci+9j&#O1DFV#=DUS7St{O%F__X7UCe)IbEqsyz8FD_p_@-7cmA@!;o20u>zaYw?sA_{t(dDTw65#=d-IcKaF3a|Hl5tKpdWkE`Qc+9CD|2Qb& z9edyfNs`}^$g6U%Duay1*eD(71w)1Jt2nDjxd}pY`g>CwzpS$=PKgiYF`TE*eqWtz zN#>X2&pIxFc6D-6-4{v=8lLKz<|Y9N_|@Ch$Lkod5~h()Nl=D6e;sG1-&~!o zPGoU@5mZnsylV#2J*m!CSik`~3MBhrdkN(+rH9-)BMdS|Y3+nP<^3BgQxSI(ue}JW zA69u86FNcCCpJk3VMr)LJDDb8Arz>Vi-2!}5=mRxvhuxeu5>il&`wX_!&ko`WlDi@ z6DNeqf(13}k%dS0LlZR{P+wBeh5_F2?J4nJNf7nK&ARrh3%Z1gu@}xNbGi#k@{pv?D&#JAPVOM}B&HRPZIjRikmi<4myL5L*~i%k?j1hp?!U8H zkLxonNEmNo=pf#axVDmk%420ld_W-oo{Red_27O3#h}?{h+HG|e+5~v?Jpz`V~(Y) zY6sJ80)8LuCNah)%t5uJwg(@QDWLQtDz(FOqeWdFRQf-G#ssaDum1pfQ*`p~qU^IuD@kkSOKlbthT{Cl;mefG;g-#w6(gIO^}98Fs{z!x?s9Dt$| z3}ObPy}7vCM@f0JNC3*(5rfdiRKNS4RwNCpWK!hm?eJNh#T65O+ff`l5{8y6i1${E z)m#B~@7BKNs za<5Jb7-D6PGhifuwuqY*WRZ7U#ySH#B`K_2Uw=~Hf{fCsBghm_XlS4xQjcRx*-wyW zUzncPlV*2X7S;XKCEV-b8^!5Oj5pR423vK{)FaM?u2AI+>4`QXH$_EJviJ}Mg`XPv zO2X@KSNeQ{-1<<9WrU0ucNbd+k*~gru<;woswtwzYgm#+Tj!Dp+2 zFg1Hsp!?xyL@^WNc>=0}s=eZ9J8Obq?a0~0+jElLEQz|yX+@U?WWLUVm?fcka&wLn zSOk{$6dG>}!sTEmC&B&lh%Xj|45~bhK17C;|z&lRC_?;$O&-SFYsQ~WkF%YCRTTSj@yY0u4L;MXW2Ssza4iE35(B>Ppn z)gdEDWev6RMEjVl&E|Uy1;ZM};(*;mmYcZDvviVSdzkKG_1xE^HwI^AkJ>{3L(3Ly zIsJpJ_C8;>9bHA?k9(iMkt;zO9*wtIkZ_mA`}}sA(+-6(&8{bu6|+abZ3s$;+c+o2 z_(jyJ$B$BW0N|a0+|uT3__t2%qWPLY(m1y=PR1iRG8ThsVGxLsL1DkhlQ_I*BU}cK zM5HKy8Bobhx-;eZNMPyd(g8s~sH>gG<{3l<*~15x^~CBsB{7XLbhL%iY72){uzc-rcETzcWcM0)v1V{t zfXN99T6tgO&|Ge*##BiA%gq@0Ugil2gW_UT@@;kJ=FZwoKTgLtdfJkBZz$E`!KH5Q zV+$s4H|d{4PHkG5Qk~vo3z9bPs8<&^ByAc_i`0MIAladsOb{&+KDAV7xLvMTje}@l zf4|!x_U?XhPw34S#VTy&=Q1q_1%{SjaivhNQ;|cJVL$)%>hk5A z%fb1tt2f83JQJs*}W;8tWuFfydFDGfF)f4X>2@{z9=)Z!dSuuqW5gLlk 
z_d;yD6WqLpV!YcO0i9K<8_fYTiez+<#qg5Ed;ilfUXhnovpZi1ZNt$~g;aGGtkpI& z200jM&%8~LPy+2S*^N+49H3psbU3IUtC`cKmZlHOk%8Yk9+nFKG<*pLFHH?+rw# z##4s$PC~RsEYx->zFT*r_q6kLI3SuxU$=@%mH@|N;?f5QwLAP>IJxUD_oeWY-wb&U z!)c#?h%2L-UF0?h%j+qAv!-h!qS~l$7gI)pIbtIB_)q&>Im(6Rr*n?4;}YV`*DLV_%MoLETd04 zEJ}&+c1!8(A;?f|bMsV-Foc&WPF?IaLyBiRRrjYumLZtf2<~DvNjzK#X%1b+JkQes zqejrM^bEwy?!8@Mh%O@)`+eGHnYw_s3n9#?Ao2L}43D@&ty{M!NjBHu*9Yr3iK~0> zlNavt+sykI!@9YFZveKTq>3Xi{g~yEhm~c~e)er0XH7yUyHN(WfLUz-61QPS3Wilz zZs?UH0ShU?4ZRVjcJF6PzzwL%?&c4aUM6uGSF9dXB%_VjrP&+6{5WN!fNwsGFza?G zS;5_#j%Za_EPzr+1C%N3?Vxz!t(k_VH7!UM**NfTR~ef|f{vvYVjv+q0Rt?|LU zu`m&P^4M_2@7nfGBc%sz7%_Va9PNF}qrHXhiocKG-P<5+szVkc4>=sNjCFEAVY#TF z9us>JhoXDHtB@P~(<%n@M0HW8P7~fXbxoSroaUekbF=d7?W|d5dpE+|!Qy~9d2l#j zE{!*Nw%agWdRP!oTs2)saZ{CLmRWuF`$4eVRQN-}zgQk$churAMJUH44p#sk>{vZ% zX$(ih?2hRaW&_|L+XY>({?r>T!!)RP;qbU-Zpxs4a;Jz zwtxGxh|Y@$Wj9E#ZHp4Q{|M3~iO2}y`;9CyM6ah+>WoykdHKERU_bDAEpgRaH0^Az8vaO^bxw`K*J-dD#ZRR0(RC#wFNca})>iOdJ#q%SaJI ziL#*|wtL(LYEInF7_slfCk-Y@PUf-{hCVp2*S5^-!dfpu$sK2UpC)nk(M&5+&jZtJ z1d>i2O%|Ig05=13lZ~LH(3bdK*{aPERKep!CHB_Ii}x8lc5{ zWn@O6o{ACS^V-y+_EZ!O9aelww+8ACF{pYB%L28@If!Yf3^ukg8~-n`WY@5$M{^R# z)CZ)lVzEF(WE0d$#l4g}(~ws=_>eb2-&34Qk??+eeyH3aTS3eeeY~;aYEEyJMQZf$ z&-i2B!nK9M4DeK6>IMdIp3o5y8<^vw!bGu|-1vU<8$Jn~Ha%HZ@9K${+=cvnD(1ya z+0BoF(8n-98Ak+dux%XSM}hnE@LA)}dn$JH@!LAjEA|BpHThMXu>@Of(%!r%LwsO2 zv7$v4nDsL_w>ee-3^r79KB&fKL)+tK7rWot;vU`OmRx+wcQ?zmh)#I`(Y9>U06yt9 z-#yeF+_9UUSn$b`6ySyOT=a-A4IXJ5a-GIH4B5H{@6^;cVfD6afRmBDezO)OAv{EE_UN}LG7AY(%+1i+bD~u^uqqdmv$oF6v zH4+CLBUYK7sfp1|;%XvrHZHzW)8-V7tpG7Xk=lhWgMXBSbs6iucpYxHy=IG;8$~v= z6o~4~iL4|JWUdlu`aziMmLb(AwRFG}tR}2#RBXkW$h`MIzx&zy6&iFyy!UuCkfmyw z(*{?)^D-<|krl%a(J^~|G+4zMCY2t~8U3FWw}GhBv4e3z|X8SA;ibqs9#)+U8@ zkit!~fzR@6xl6>RL6cr@=c!la%2vhi=o@lav#-}(XQcYLRfgi8o+8f zcvrLqSz51UlF1}fdCUqz=P+!Gc6`BiJi9o>--y;Vm7!7m%HM%!aHja#2}ZUHtVDbm z@YhY?`!;a+7}{igX-88S<~GG9V?;-v2H_6qOdL;5C2v6Q-NHzTMjQInC{#31W_f>g 
zV^*0QS`%Z&JnIbOEXI>TupFp_?Gg4#Mcu?@H6A43WER(*J$IS-I!d2{VYo0fr(3J?7)b?9i>gl@@1JQ(;YdKTl6O=@7Ta__d{;u#qax z=QRVhr3~A1dh!Ljy5RUoKv-q##;F7TUb0cH&K|)?Y10mCgPDiNu(fA8*tt3k2@DaM4!V^nqAi+D z`zr5jfnxkcqhBpcnW%wzb!?BU8`pY9-Y)nJrt%OZfoe&4>bmNHhsWYFEh@jw<-pLh0(zvpP=0G2rSI^*Dx$~p1W zQ4?1)z$t;_=9E|Gtd4O#m#-NbNhTS8SCZ}7XkN)e@YYO_h03rch3s2|JwL<+eLP3R zDe0gY6}`+0O}Mimwe1x)M9O}eJR+n8bK84s$j3LnB?gRdztx0S32pl^3fJc|X6Mu1QArT5C%MBnp z6?72fQ1lo8UnF4i#uS4@YW}ukFqquj6&Rj@R)zUdQWr9k1hcypGrLI$p=? Zcpb0fb-a$(@j71Y`aef%?2rJU006)Eq#pnP literal 4908 zcmV+{6VvP;iwFRxggsaQ1MOYwkKDMC_t)vaLa-O`%)*|Roi#AtBnWo%As-G|B>V05 zPEkwjZmso-NX_F6|L<4DheSyvMRlv~Ia~`EcehmaBUvPiRmGwlmj#Q`g4CDk=Eae& zYq);+;XQudeE7q){t4H+>zg0my|{so5AUvTZ{L4-aeedd_WJfkaDA)_=~qKpR0qL} z?7oiHB(~B`J^w#?tzNwfexyyFNA=U6e%+CvtVr>emQ5X#AgZb?jU$$pMG&ij5|CmG zpO-&gDYg}W_+7oy;K$itA4%LWqM@fnz;^nLq|D*VC1<_Tc!M9SsE+cWh;s7BmxAi$ zpGGD8%pU|%mX!}A30N7hIx1+2jWU5=aa8!eN()BnO%#*!f3>v<>!x67PC_V;6k$#N-J~_puFlTbQ>C?_&uP;`sv$(8DoF^eAQ62BXby}Q% zcXP2iQ^kc<#GqDq*A8ZS!Y)==z!5qMB>QZ83FR@Thx|GtjtWlc?1Tg5{ZC$|Chja< z2MJU^W@VicIz!TDE=fmmOejY?ne;GckMS9bPW~bE#%eNOWf8m zdd9)UW3v)(vA%-L=`O0tbCNo*kiXmoxrfxVlrkLKHla%(!!4gKo951nPkSTyclfBg z|H5ZIuFte0ak@#NgG5K-+Db+$kC&N<0fGDnF78LvgNF?ii)PzH8CKDG&dB8I%>uKg$02lGTl^iAXvq zc1_Y^>s73IiYOiD?VcMah|Am7Cc$^N@b?b>-Y;vP{qnb;pUKL>t(YoJ=B*px3tJQp zK+zcnF$Xf30HldMEz9VC^)c;Zh2c`0Vut(#JSSD;uP60C{9G5DieP44g`Xh%ltkxp>Q3I%cj zlRp*r>a2nxR+l&fCIV=SxLHw=1P^s;GO%-!!^-vTC-no!D4#omZ1IGa2Kpfn1h$g> z3~3I983Y4q_NQgVp5`v$!2sVX&R}M|v7s>7*b`TeI2ZatRWoED+JxL!jG|=mAqomV z4f0ilck!+c#RPc>p%%*s886{3b`GLgeKld@H&U=UqQ+}nl0)R2VV2mtg&NCGLRm}f z1^;f)mVXOH>qFwR;RMObEuS0~WVsMpkauNHh66yZh;qf{&9kqINb)9l**?1jzLyvC zacCI}x2p$+clSX96J5u78)qqWi$nr}ZNb9hg0o?9p(>p0G454Db(pIn(mWefM1%3P z?+k&OPD-0}dr6A>B~f=JWprskZjUdBSrb}j_m?PvMPNlQp@AXcK%Lg0OTsA0(?U!V z3{TrST+AYcbE$XtVg6`Y6w2vpHDQT1VibV&@fc7BdNSvehp=zHsEgX562w~Xy)o%) zzW0mU%Y;9M1*Ub{KY#hDD}X-do~vT--a}ec*zn=oQ{pzap+cxD*W#k(bYPQn@H>={ zs*j)xWVKj1%h)i+rIov1H&ClUwvYQoe7dJlFxVbEXw%O+xKHb{$Y)t0$LTI!&qLiW 
zYa~tesM}u~n<21(n;&eA_r?0 zm^)PILeS!o);Tf7FGCCiew4BYfanb5R>n@tzx865%{O@c)7;uPnRd68rx8r?o@BhuVahb9jlNv|s@cz4G^`9d1P5e!u!=jUtl@Yc^aS;w=W${J9y z%bKl2Oy6hoCyb#thmmIAKT_$#TTKEGJ?Yb)N6;#w)IHrQ->u|FZ zR>7!vGQi6cbJ3QIMmQrcf{#=!Tw%t#znSCf+Os=IHZqs#OYbRsI> zl_YvYt5$+KWss=WfvMYVuHKl_m;*G}gwh^6kc>$pgSz-38FMB&q~YTh$qm(R+Z&Pa zsiR8cy-mx$C)a1g%}I;c` z7?jtF>zIVlSZ=;na@&>Q<|PypJnRUl!CK#FjJTbp0**W^m}SAQKm8I^WzE{%*-9!f zfsR^_iw8v(OLNRHCrXF7wK$|%&r#`i^rg)A-5|O+tLZO_` z4JEnGj0mofHtXL*Sb5`JRBZXvoX28Ja4i#>jGi1TU2RKtymc=(FPCuRn&Hg1s)fdIp%2G{uBxq)v0wxNWjNsxak$|S(b@(l$3ZJicvLLa|TM-PC> zHUNn`I}-)Ns;l-0Ym$M5l;IxX1XH)2v?btKu)4pW1f|zmnx~A{gUV#2>AJMr4VWLL z?LCP7j0tAbrYA4Bf726<#nl2RO)^56!`=;w+hEN#G;L@_ip0e^9Km{1(Cy>{2Fw6w zB-dhf7>|ieSV$_lW4s=kPAeP=Ha>l_H{xUxizl)nt7V_2s}uVX=RU zJHT)ZMu}--cAw_j(FSIbS6da@XKX9ap9;RTxo-P4c5Aq?Z&RIEvnPoS&zuVA z2c`*5)hGCJ;icF(!kwCo;#>?YfebL^8n&s+yj#z3=^1CZO;ppE-y!QhOtgIaJ1vV# zc(`ZZ_sm=CgZ;+BOzhcX!xz7A+k1_a0kmbr94K(K_Z^Q87P>F~A%gdBgS4rRS%^w< zKV}*0?1;khQ9%PH{vrlV_kdTSat7vA4CaaMqRyQrqHX$`v|n@Dg9_ZuDvOVM%`(^7 z_q3j3gjcw5)_n$zTB$G)dV!x5+nwa&pPF)c8P}ZM( z$$5hN6OCDB6m>`ZfXH5?AP*YvNa9yG#=I@7kKBO8oF|@!6U8jOhl!F{%9r#BK5G(w zEMFEPo=}%iRw_%G@0qU6ThteQD!LRsX2?*2lu}nMIF;;mNp;+QF&#R0)hP;EPdHDvxTnQSPrX|>8 z^Ard2%p4Rg%R~`UiSnTzcYE9xYC+u17`g8xCJp9X&gOCyhCaBc*S0R3%2_W-DI90| zlxJ!2$xbV?*(2L*1d?7IZ55=ftZ`+lqlb|1l|6!qoTT)Vg`RKmpnfVSeMninGtYJ7|SNhZmpIt%bTr45}W(vOsNf4pJIxgN<*@ zrvDQ;vTJzMqdnYX>jToTR4xz+*+fmogqQMY8}d4b81gpgCyG-kk={=z4s2UwD~Y+H zPd83n!-256%B>#$g?KDlxOPz30bZL+-M|1YGddw+3v*gAOcdLb8{dz8FD8N4rYBDn zUcCyk$53FU_&Jrf@*9xv;$#w@%z0k?#VrF#U-YEf3w_( z=#>YMZ0jx!;InD-JwV+d9J~361)m*B0YR*eT2Bbm;*oYC*LketkgadJh@B3@3OpWt zVYZm{8WF%@2;b%a043L|4X7`RXj_`>o@*#pmyUArrA=6*lOik2$_r|;NNHKA)}|C( zVNAK2w8f-HegMOykvQU*u*%F#ZH#UfR~vzIafy|hwg+=u1;`PK)IM|t{817&b!ztF zO}PE`+AU&X6uHb&AZiLPvYL31`AVSe2WhT5hSZSM(E+cpny{)-xfN$43x56k&wmg8 z0S&q*!LNAQkf&s1%n31+6tyuo(AW@14kgSd7gtFPwglgP11unxezRNUZ z)_SgR9Ru6Gvq@ncq;S)2;PX6N;S%v_(5BbgoQIC3W?}nFy~)vBj>=*4F?3s6;iI}T 
z+6`Q72n%mG16Uo0=!&i&N9&DDDw$+1k6l5S9ENSxjW76)$06tV8_Bw%Dm02;#kEC)JacPf5XQTJ)hrh^26%;CE8=ROnP zL>W>rOxLAF=XPZ)I@dfD)M}H*mtM`<9s?hQ7Oq#prmWFTmjK<{T|z2aXm8S+_OMiY zoW92+``qM=-E9(l-`z*mOu268)wT^4&H#EP!cc^y$9(*hpW`*R(&4NcDr`va7wJi7 zJ>u@o0LD_!_(+xK^V)&hQO4alJ@o=rQ*eADAgr_X>#*MFy+0Gae4AP!4+75R*LJHVf@8q(m(6wYCTm2= zaH8Bi2mMNv(H6s|Ju7=#pcsEK=vT*5CTn0{9lKNT*0r9KcME=tsXYWqpjy(N`mQ?Q z;qkakhbnH1_@KUrIDss6ezWc?N1?ASrc|hUiD9QSZTdvjbEupgo90@@_d9zfUY#^? z085^G-Q(bq&N=hcQ5#pYz-fWw_LNuetd4a(S8pzwNG6$n{gUh1WM0Wa@Xkz-h01Ux zg&bOhJ3qt+eL6?PE9sye6@$zRL%6dgb?p_lMB09uIwE8Q^V@rC$)`8I6zR8q@4|Dr zTFG2)j`nT~_xnGtf4F&nJAD7g&4>4=_kVni>k79BuYS7}hno58eR#a)5td%DIyZOn z{|~C~x@ja2CsKSv$W=q@D=_-dpSuz`SC`+Py?yJArWSAc21-OVfr^i1px0^9;VlK& zQvK(DU;WqjLMty@*|!b^4Y|qQj9x?jX3;71$=4Waol) zZY8f=9}KXrL}|a_IRc87=BFZ-0mg{& z+%9wB$x|&7azVt~10aW(dyaeOP?eZR7_kc3Ja7*lw`TZ7hp)YeWk#{WUwAMp*u}^6 z0Qm5s4Xe=s>Q^|HZ9NgJB}iu0&4MQ?_Z$8nMzdDI2{`n70go<&C;u~}g+wUTmoP2p zT+orWI$fvhbe*o#b-GU1={jAf>vWy2 e({;K|*XcT4r|Wc`uG97Z>-t|0&@#pVpa1}> ## -@@ -1530,4 +1632,63 @@ interface(`domain_unconfined',` +@@ -1530,4 +1632,82 @@ interface(`domain_unconfined',` typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; @@ -10375,6 +10377,25 @@ index 6a1e4d1..26e5558 100644 + ') + + dontaudit $1 domain:dir_file_class_set audit_access; ++') ++ ++######################################## ++## ++## Allow set resource limits to all domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`domain_setrlimit_all_domains',` ++ gen_require(` ++ attribute domain; ++ ') ++ ++ allow $1 domain:process setrlimit; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index cf04cb5..43876e0 100644 @@ -25600,7 +25621,7 @@ index 234a940..a92415a 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 0fef1fc..c3b8b13 100644 +index 0fef1fc..bfeb102 100644 
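Review bot: The description on the new `domain_setrlimit_all_domains` interface reads `## Allow set resource limits to all domains.`, which is ungrammatical and does not name the permission being handed out; I would change it to `## Allow the specified domain to set resource limits (process:setrlimit) on every domain.`. Because the rule is `allow $1 domain:process setrlimit;` against the whole `domain` attribute, the same description should also say that only init-like callers are expected to use it, so the interface is not picked up as a convenience by ordinary daemon domains. The interface body is complete within the hunk.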
--- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,73 @@ policy_module(staff, 2.4.0) @@ -25677,7 +25698,7 @@ index 0fef1fc..c3b8b13 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +84,115 @@ optional_policy(` +@@ -23,11 +84,119 @@ optional_policy(` ') optional_policy(` @@ -25731,6 +25752,10 @@ index 0fef1fc..c3b8b13 100644 +') + +optional_policy(` ++ fwupd_dbus_chat(staff_t) ++') ++ ++optional_policy(` + irc_role(staff_r, staff_t) +') + @@ -25794,7 +25819,7 @@ index 0fef1fc..c3b8b13 100644 ') optional_policy(` -@@ -35,15 +200,31 @@ optional_policy(` +@@ -35,15 +204,31 @@ optional_policy(` ') optional_policy(` @@ -25828,7 +25853,7 @@ index 0fef1fc..c3b8b13 100644 ') optional_policy(` -@@ -52,11 +233,61 @@ optional_policy(` +@@ -52,11 +237,61 @@ optional_policy(` ') optional_policy(` @@ -25891,7 +25916,7 @@ index 0fef1fc..c3b8b13 100644 ') ifndef(`distro_redhat',` -@@ -65,10 +296,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +300,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25902,7 +25927,7 @@ index 0fef1fc..c3b8b13 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +305,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +309,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) @@ -25913,7 +25938,7 @@ index 0fef1fc..c3b8b13 100644 ') optional_policy(` -@@ -101,10 +324,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +328,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25924,7 +25949,7 @@ index 0fef1fc..c3b8b13 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +344,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +348,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25935,7 +25960,7 @@ index 0fef1fc..c3b8b13 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +356,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +360,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
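Review bot: `fwupd_dbus_chat(staff_t)` gives the unprivileged staff role D-Bus traffic with fwupd_t, a daemon that writes firmware, and nothing in the hunk records where authorization for the privileged calls is expected to happen; I would add `# firmware install/update authorization is presumably enforced by fwupd via polkit, not by this rule — confirm` above the call so the grant is not copied to other roles without that check. By refpolicy naming convention a `_dbus_chat` interface allows sends in both directions, but the interface itself lives in the contrib patch, which is not in this hunk, so I cannot confirm its exact rules from here.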
@@ -25946,7 +25971,7 @@ index 0fef1fc..c3b8b13 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +387,23 @@ ifndef(`distro_redhat',` +@@ -176,3 +391,23 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -35903,7 +35928,7 @@ index bc0ffc8..37b8ea5 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f6..d092e6e 100644 +index 79a45f6..6126f21 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -36705,7 +36730,7 @@ index 79a45f6..d092e6e 100644 gen_require(` attribute init_script_file_type; ') -@@ -1125,6 +1449,44 @@ interface(`init_getattr_all_script_files',` +@@ -1125,6 +1449,63 @@ interface(`init_getattr_all_script_files',` ######################################## ## @@ -36746,11 +36771,30 @@ index 79a45f6..d092e6e 100644 +') + +######################################## ++## ++## Allow the specified domain to modify the systemd configuration of ++## transient scripts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_manage_config_transient_files',` ++ gen_require(` ++ attribute init_var_run_t; ++ ') ++ ++ allow $1 init_var_run_t:service manage_service_perms; ++') ++ ++######################################## +## ## Read all init script files. ## ## -@@ -1144,6 +1506,24 @@ interface(`init_read_all_script_files',` +@@ -1144,6 +1525,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -36775,7 +36819,7 @@ index 79a45f6..d092e6e 100644 ## Dontaudit read all init script files. ## ## -@@ -1195,12 +1575,7 @@ interface(`init_read_script_state',` +@@ -1195,12 +1594,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) 
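Review bot: The new `init_manage_config_transient_files` interface requires `attribute init_var_run_t;`, but `init_var_run_t` is a type — the sibling interfaces in this file (for example `init_list_pid_dirs`, which uses `type init_var_run_t;`) require it as one — so the line should read `type init_var_run_t;`; as written the require block names an attribute that is never declared. Separately, the rule grants `manage_service_perms` on `init_var_run_t:service`, which by refpolicy's permission sets covers more than starting a unit, while the changelog describes the need as allowing systemd-machined to start unit files; either the summary should say it also permits stop, reload, enable and disable, or the permission set should be narrowed to what machined actually needs. The interface body is complete within the hunk.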
@@ -36789,7 +36833,7 @@ index 79a45f6..d092e6e 100644 ') ######################################## -@@ -1314,6 +1689,24 @@ interface(`init_signal_script',` +@@ -1314,6 +1708,24 @@ interface(`init_signal_script',` ######################################## ## @@ -36814,7 +36858,7 @@ index 79a45f6..d092e6e 100644 ## Send null signals to init scripts. ## ## -@@ -1440,6 +1833,27 @@ interface(`init_dbus_send_script',` +@@ -1440,6 +1852,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -36842,7 +36886,7 @@ index 79a45f6..d092e6e 100644 ## init scripts over dbus. ## ## -@@ -1547,6 +1961,25 @@ interface(`init_getattr_script_status_files',` +@@ -1547,6 +1980,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -36868,7 +36912,7 @@ index 79a45f6..d092e6e 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1605,6 +2038,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1605,6 +2057,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -36893,7 +36937,7 @@ index 79a45f6..d092e6e 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1677,6 +2128,43 @@ interface(`init_read_utmp',` +@@ -1677,6 +2147,43 @@ interface(`init_read_utmp',` ######################################## ## @@ -36937,7 +36981,7 @@ index 79a45f6..d092e6e 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1765,7 +2253,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1765,7 +2272,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -36946,7 +36990,7 @@ index 79a45f6..d092e6e 100644 ') ######################################## -@@ -1806,37 +2294,708 @@ interface(`init_pid_filetrans_utmp',` +@@ -1806,37 +2313,708 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') 
@@ -36983,13 +37027,21 @@ index 79a45f6..d092e6e 100644 ## -## Allow the specified domain to connect to daemon with a udp socket +## Allow listing of the /run/systemd directory. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`init_udp_recvfrom_all_daemons',` +- gen_require(` +- attribute daemon; +- ') +- corenet_udp_recvfrom_labeled($1, daemon) +interface(`init_list_pid_dirs',` + gen_require(` + type init_var_run_t; @@ -37022,8 +37074,8 @@ index 79a45f6..d092e6e 100644 +## Create objects in /run/systemd directory +## with an automatic type transition to +## a specified private type. - ## - ## ++## ++## +## +## Domain allowed access. +## @@ -37039,16 +37091,11 @@ index 79a45f6..d092e6e 100644 +## +## +## - ## --## Domain allowed access. ++## +## The name of the object being created. - ## - ## - # --interface(`init_udp_recvfrom_all_daemons',` -- gen_require(` -- attribute daemon; -- ') ++## ++## ++# +interface(`init_pid_filetrans',` + gen_require(` + type init_var_run_t; @@ -37126,8 +37173,8 @@ index 79a45f6..d092e6e 100644 + gen_require(` + attribute daemon; + ') - corenet_udp_recvfrom_labeled($1, daemon) - ') ++ corenet_udp_recvfrom_labeled($1, daemon) ++') + +######################################## +## @@ -37671,9 +37718,9 @@ index 79a45f6..d092e6e 100644 + + files_search_var_lib($1) + allow $1 init_var_lib_t:dir search_dir_perms; -+') + ') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..e59e001 100644 +index 17eda24..25e49cf 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` 
@@ -37878,12 +37925,13 @@ index 17eda24..e59e001 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +236,24 @@ domain_signal_all_domains(init_t) +@@ -139,14 +236,25 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) +domain_read_all_domains_state(init_t) +domain_getattr_all_domains(init_t) ++domain_setrlimit_all_domains(init_t) -files_read_etc_files(init_t) +files_read_config_files(init_t) @@ -37904,7 +37952,7 @@ index 17eda24..e59e001 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -155,29 +262,73 @@ fs_list_inotifyfs(init_t) +@@ -155,29 +263,73 @@ fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) @@ -37983,7 +38031,7 @@ index 17eda24..e59e001 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +337,275 @@ ifdef(`distro_gentoo',` +@@ -186,29 +338,275 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -38268,7 +38316,7 @@ index 17eda24..e59e001 100644 ') optional_policy(` -@@ -216,7 +613,30 @@ optional_policy(` +@@ -216,7 +614,30 @@ optional_policy(` ') optional_policy(` @@ -38300,7 +38348,7 @@ index 17eda24..e59e001 100644 ') ######################################## -@@ -225,9 +645,9 @@ optional_policy(` +@@ -225,9 +646,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -38312,7 +38360,7 @@ index 17eda24..e59e001 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +678,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +679,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
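Review bot: `domain_setrlimit_all_domains(init_t)` is added without a why-comment, although neighbouring lines in this file carry one where a grant is non-obvious (e.g. `# for lsof which is used by alsa shutdown:`), and the only justification is a bug number in the changelog; I would add `# systemd adjusts rlimits of the services it spawns (BZ 1365435)` above the call. The grant is broad — setrlimit on every process on the system — but it is in keeping with the kill/signal-all-domains rules already given to init_t just above it, so I only ask that the reason be recorded in the policy itself. The surrounding rule run for init_t continues outside the hunk.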
@@ -38329,7 +38377,7 @@ index 17eda24..e59e001 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +703,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +704,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -38372,7 +38420,7 @@ index 17eda24..e59e001 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +740,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +741,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -38384,7 +38432,7 @@ index 17eda24..e59e001 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +752,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +753,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -38395,7 +38443,7 @@ index 17eda24..e59e001 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +763,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +764,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -38405,7 +38453,7 @@ index 17eda24..e59e001 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +772,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +773,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) 
@@ -38413,7 +38461,7 @@ index 17eda24..e59e001 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +779,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +780,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -38421,7 +38469,7 @@ index 17eda24..e59e001 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +787,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +788,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -38439,7 +38487,7 @@ index 17eda24..e59e001 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +805,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +806,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -38453,7 +38501,7 @@ index 17eda24..e59e001 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +820,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +821,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -38467,7 +38515,7 @@ index 17eda24..e59e001 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +833,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +834,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -38478,7 +38526,7 @@ index 17eda24..e59e001 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +846,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +847,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -38486,7 +38534,7 @@ index 17eda24..e59e001 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +865,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +866,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -38510,7 +38558,7 @@ index 17eda24..e59e001 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +898,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +899,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -38518,7 +38566,7 @@ index 17eda24..e59e001 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +932,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +933,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -38529,7 +38577,7 @@ index 17eda24..e59e001 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +956,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +957,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -38538,7 +38586,7 @@ index 17eda24..e59e001 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +971,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +972,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) 
@@ -38546,7 +38594,7 @@ index 17eda24..e59e001 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +992,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +993,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -38554,7 +38602,7 @@ index 17eda24..e59e001 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +1002,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +1003,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -38599,7 +38647,7 @@ index 17eda24..e59e001 100644 ') optional_policy(` -@@ -559,14 +1047,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1048,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -38631,7 +38679,7 @@ index 17eda24..e59e001 100644 ') ') -@@ -577,6 +1082,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1083,39 @@ ifdef(`distro_suse',` ') ') @@ -38671,7 +38719,7 @@ index 17eda24..e59e001 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1127,8 @@ optional_policy(` +@@ -589,6 +1128,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -38680,7 +38728,7 @@ index 17eda24..e59e001 100644 ') optional_policy(` -@@ -610,6 +1150,7 @@ optional_policy(` +@@ -610,6 +1151,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -38688,7 +38736,7 @@ index 17eda24..e59e001 100644 ') optional_policy(` -@@ -626,6 +1167,17 @@ optional_policy(` +@@ -626,6 +1168,17 @@ optional_policy(` ') optional_policy(` @@ -38706,7 +38754,7 @@ index 17eda24..e59e001 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1194,13 @@ optional_policy(` +@@ -642,9 +1195,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) 
@@ -38720,7 +38768,7 @@ index 17eda24..e59e001 100644 ') optional_policy(` -@@ -657,15 +1213,11 @@ optional_policy(` +@@ -657,15 +1214,11 @@ optional_policy(` ') optional_policy(` @@ -38738,7 +38786,7 @@ index 17eda24..e59e001 100644 ') optional_policy(` -@@ -686,6 +1238,15 @@ optional_policy(` +@@ -686,6 +1239,15 @@ optional_policy(` ') optional_policy(` @@ -38754,7 +38802,7 @@ index 17eda24..e59e001 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1287,7 @@ optional_policy(` +@@ -726,6 +1288,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -38762,7 +38810,7 @@ index 17eda24..e59e001 100644 ') optional_policy(` -@@ -743,7 +1305,13 @@ optional_policy(` +@@ -743,7 +1306,13 @@ optional_policy(` ') optional_policy(` @@ -38777,7 +38825,7 @@ index 17eda24..e59e001 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1334,10 @@ optional_policy(` +@@ -766,6 +1335,10 @@ optional_policy(` ') optional_policy(` @@ -38788,7 +38836,7 @@ index 17eda24..e59e001 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1347,20 @@ optional_policy(` +@@ -775,10 +1348,20 @@ optional_policy(` ') optional_policy(` @@ -38809,7 +38857,7 @@ index 17eda24..e59e001 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1369,10 @@ optional_policy(` +@@ -787,6 +1370,10 @@ optional_policy(` ') optional_policy(` @@ -38820,7 +38868,7 @@ index 17eda24..e59e001 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1394,6 @@ optional_policy(` +@@ -808,8 +1395,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -38829,7 +38877,7 @@ index 17eda24..e59e001 100644 ') optional_policy(` -@@ -818,6 +1402,10 @@ optional_policy(` +@@ -818,6 +1403,10 @@ optional_policy(` ') optional_policy(` 
@@ -38840,7 +38888,7 @@ index 17eda24..e59e001 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1415,12 @@ optional_policy(` +@@ -827,10 +1416,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -38853,7 +38901,7 @@ index 17eda24..e59e001 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1447,62 @@ optional_policy(` +@@ -857,21 +1448,62 @@ optional_policy(` ') optional_policy(` @@ -38917,7 +38965,7 @@ index 17eda24..e59e001 100644 ') optional_policy(` -@@ -887,6 +1518,10 @@ optional_policy(` +@@ -887,6 +1519,10 @@ optional_policy(` ') optional_policy(` @@ -38928,7 +38976,7 @@ index 17eda24..e59e001 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1532,218 @@ optional_policy(` +@@ -897,3 +1533,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -41132,7 +41180,7 @@ index b50c5fe..9eacd9b 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e94884..31be8ac 100644 +index 4e94884..0690edf 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -41222,7 +41270,7 @@ index 4e94884..31be8ac 100644 ######################################## ## ## Send system log messages. -@@ -530,22 +592,106 @@ interface(`logging_log_filetrans',` +@@ -530,22 +592,107 @@ interface(`logging_log_filetrans',` # interface(`logging_send_syslog_msg',` gen_require(` @@ -41249,6 +41297,7 @@ index 4e94884..31be8ac 100644 + ') + + allow $1 devlog_t:lnk_file manage_lnk_file_perms; ++ allow $1 devlog_t:sock_file manage_sock_file_perms; + dev_filetrans($1, devlog_t, lnk_file, "log") + init_pid_filetrans($1, devlog_t, sock_file, "syslog") + logging_syslogd_pid_filetrans($1, devlog_t, sock_file, "dev-log") 
@@ -41341,7 +41390,7 @@ index 4e94884..31be8ac 100644 ') ######################################## -@@ -571,6 +717,25 @@ interface(`logging_read_audit_config',` +@@ -571,6 +718,25 @@ interface(`logging_read_audit_config',` ######################################## ## @@ -41367,7 +41416,7 @@ index 4e94884..31be8ac 100644 ## dontaudit search of auditd configuration files. ## ## -@@ -609,6 +774,25 @@ interface(`logging_read_syslog_config',` +@@ -609,6 +775,25 @@ interface(`logging_read_syslog_config',` ######################################## ## @@ -41393,7 +41442,7 @@ index 4e94884..31be8ac 100644 ## Allows the domain to open a file in the ## log directory, but does not allow the listing ## of the contents of the log directory. -@@ -722,6 +906,25 @@ interface(`logging_setattr_all_log_dirs',` +@@ -722,6 +907,25 @@ interface(`logging_setattr_all_log_dirs',` allow $1 logfile:dir setattr; ') @@ -41419,7 +41468,7 @@ index 4e94884..31be8ac 100644 ######################################## ## ## Do not audit attempts to get the attributes -@@ -776,7 +979,25 @@ interface(`logging_append_all_logs',` +@@ -776,7 +980,25 @@ interface(`logging_append_all_logs',` ') files_search_var($1) @@ -41446,7 +41495,7 @@ index 4e94884..31be8ac 100644 ') ######################################## -@@ -859,7 +1080,7 @@ interface(`logging_manage_all_logs',` +@@ -859,7 +1081,7 @@ interface(`logging_manage_all_logs',` files_search_var($1) manage_files_pattern($1, logfile, logfile) @@ -41455,7 +41504,7 @@ index 4e94884..31be8ac 100644 ') ######################################## -@@ -885,6 +1106,44 @@ interface(`logging_read_generic_logs',` +@@ -885,6 +1107,44 @@ interface(`logging_read_generic_logs',` ######################################## ## @@ -41500,7 +41549,7 @@ index 4e94884..31be8ac 100644 ## Write generic log files. ## ## -@@ -905,6 +1164,24 @@ interface(`logging_write_generic_logs',` +@@ -905,6 +1165,24 @@ interface(`logging_write_generic_logs',` ######################################## ## 
@@ -41525,7 +41574,7 @@ index 4e94884..31be8ac 100644 ## Dontaudit Write generic log files. ## ## -@@ -984,11 +1261,16 @@ interface(`logging_admin_audit',` +@@ -984,11 +1262,16 @@ interface(`logging_admin_audit',` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; type auditd_initrc_exec_t; @@ -41543,7 +41592,7 @@ index 4e94884..31be8ac 100644 manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -@@ -1004,6 +1286,55 @@ interface(`logging_admin_audit',` +@@ -1004,6 +1287,55 @@ interface(`logging_admin_audit',` domain_system_change_exemption($1) role_transition $2 auditd_initrc_exec_t system_r; allow $2 system_r; @@ -41599,7 +41648,7 @@ index 4e94884..31be8ac 100644 ') ######################################## -@@ -1032,10 +1363,15 @@ interface(`logging_admin_syslog',` +@@ -1032,10 +1364,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -41617,7 +41666,7 @@ index 4e94884..31be8ac 100644 manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -@@ -1057,6 +1393,8 @@ interface(`logging_admin_syslog',` +@@ -1057,6 +1394,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) @@ -41626,7 +41675,7 @@ index 4e94884..31be8ac 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1085,3 +1423,90 @@ interface(`logging_admin',` +@@ -1085,3 +1424,90 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') @@ -49362,10 +49411,10 @@ index 0000000..86e3d01 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..373d526 +index 0000000..caba12b --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,974 @@ +@@ -0,0 +1,978 @@ +policy_module(systemd, 1.0.0) + +####################################### 
@@ -49700,6 +49749,7 @@ index 0000000..373d526 +init_status(systemd_machined_t) +init_start(systemd_machined_t) +init_stop(systemd_machined_t) ++init_manage_config_transient_files(systemd_machined_t) + +userdom_dbus_send_all_users(systemd_machined_t) + @@ -49750,6 +49800,7 @@ index 0000000..373d526 +kernel_request_load_module(systemd_networkd_t) +kernel_rw_net_sysctls(systemd_networkd_t) +kernel_read_xen_state(systemd_networkd_t) ++kernel_read_network_state(systemd_networkd_t) + +corenet_tcp_bind_all_nodes(systemd_networkd_t) +corenet_udp_bind_all_nodes(systemd_networkd_t) @@ -50254,7 +50305,7 @@ index 0000000..373d526 +# systemd_resolved domain +# + -+allow systemd_resolved_t self:capability { chown setgid setpcap setuid }; ++allow systemd_resolved_t self:capability { chown net_raw setgid setpcap setuid }; +allow systemd_resolved_t self:process setcap; +allow systemd_resolved_t self:tcp_socket { accept listen }; +allow systemd_resolved_t self:unix_dgram_socket create_socket_perms; @@ -50274,6 +50325,8 @@ index 0000000..373d526 +corenet_tcp_bind_llmnr_port(systemd_resolved_t) +corenet_udp_bind_llmnr_port(systemd_resolved_t) +corenet_tcp_connect_llmnr_port(systemd_resolved_t) ++corenet_udp_bind_dns_port(systemd_resolved_t) ++corenet_tcp_bind_dns_port(systemd_resolved_t) + +dev_write_kmsg(systemd_resolved_t) +dev_read_sysfs(systemd_resolved_t) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 15c12d82..b1004d02 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -3203,7 +3203,7 @@ index 0000000..36251b9 +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..d8b04b5 +index 0000000..6bd2eb9 --- /dev/null +++ b/antivirus.te @@ -0,0 +1,273 @@ @@ -3223,7 +3223,7 @@ index 0000000..d8b04b5 + +## +##
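Review bot: `init_manage_config_transient_files(systemd_machined_t)` grants, by its name, manage-level access (create, write, unlink) to transient unit files, while the changelog entry for this change only says systemd-machined needs to start unit files labeled init_var_run_t; if starting them is the actual need, a read/exec-level interface would keep machined from being able to rewrite transient units belonging to other services. The interface definition is outside this hunk, so the exact permission set cannot be checked here — please confirm which operations were denied. A one-line why-comment above the call would help, e.g. `# transient units under /run/systemd for machine containers — presumably start only, confirm`.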
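Review bot: `net_raw` is added to systemd_resolved_t's capability set in this hunk, but no changelog entry mentions it, and the DNS-port bind added in the following hunk (`corenet_udp_bind_dns_port`/`corenet_tcp_bind_dns_port`) would need `net_bind_service` for port 53, which the set `{ chown net_raw setgid setpcap setuid }` does not contain — unless it is granted elsewhere in the file, the bind will still be denied. CAP_NET_RAW is plausibly wanted for SO_BINDTODEVICE on the per-link LLMNR sockets, but that is an inference; please tie the new capability to the observed denial with a comment, e.g. `# net_raw: SO_BINDTODEVICE on per-link LLMNR sockets — confirm against <denial placeholder>`, and add `net_bind_service` if the port-53 listener is really meant to work.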

-+## Determine whether can antivirus programs use JIT compiler. ++## Determine whether antivirus programs can use JIT compiler. +##

+##
+gen_tunable(antivirus_use_jit, false) @@ -14188,9 +14188,18 @@ index 4cc4a5c..a6c6322 100644 + ') diff --git a/clamav.te b/clamav.te -index ce3836a..94aa8a6 100644 +index ce3836a..8dc2b45 100644 --- a/clamav.te +++ b/clamav.te +@@ -18,7 +18,7 @@ gen_tunable(clamav_read_all_non_security_files_clamscan, false) + + ## + ##

+-## Determine whether can clamd use JIT compiler. ++## Determine whether clamd can use JIT compiler. + ##

+ ##
+ gen_tunable(clamd_use_jit, false) @@ -38,6 +38,9 @@ files_config_file(clamd_etc_t) type clamd_initrc_exec_t; init_script_file(clamd_initrc_exec_t) @@ -30368,10 +30377,10 @@ index 0000000..859dc40 +/var/lib/fwupd(/.*)? gen_context(system_u:object_r:fwupd_var_lib_t,s0) diff --git a/fwupd.if b/fwupd.if new file mode 100644 -index 0000000..c4d2c2d +index 0000000..daef190 --- /dev/null +++ b/fwupd.if -@@ -0,0 +1,260 @@ +@@ -0,0 +1,281 @@ + +## fwupd is a daemon to allow session software to update device firmware + @@ -30632,6 +30641,27 @@ index 0000000..c4d2c2d + systemd_read_fifo_file_passwd_run($1) + ') +') ++ ++######################################## ++## ++## Send and receive messages from ++## fwupd over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fwupd_dbus_chat',` ++ gen_require(` ++ type fwupd_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 fwupd_t:dbus send_msg; ++ allow fwupd_t $1:dbus send_msg; ++') diff --git a/fwupd.te b/fwupd.te new file mode 100644 index 0000000..e0bb02d @@ -79739,7 +79769,7 @@ index 7cb8b1f..bef7217 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; ') diff --git a/puppet.te b/puppet.te -index 618dcfe..9f36ed5 100644 +index 618dcfe..bba4a3e 100644 --- a/puppet.te +++ b/puppet.te @@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0) @@ -80212,7 +80242,7 @@ index 618dcfe..9f36ed5 100644 selinux_validate_context(puppetmaster_t) -@@ -314,26 +342,31 @@ auth_use_nsswitch(puppetmaster_t) +@@ -314,26 +342,32 @@ auth_use_nsswitch(puppetmaster_t) logging_send_syslog_msg(puppetmaster_t) miscfiles_read_generic_certs(puppetmaster_t) @@ -80240,6 +80270,7 @@ index 618dcfe..9f36ed5 100644 optional_policy(` - mysql_stream_connect(puppetmaster_t) ++ systemd_dbus_chat_timedated(puppetagent_t) + systemd_dbus_chat_timedated(puppetmaster_t) ') 
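Review bot: `systemd_dbus_chat_timedated(puppetagent_t)` is inserted into the `optional_policy` block that carries the puppetmaster rule, so a puppet-agent rule now lives in the puppetmaster section; if puppet.te keeps per-domain local-policy sections (the surrounding layout is outside the hunk), it belongs in the puppetagent section in its own `optional_policy(\`` block so the two domains' systemd dependencies stay independent. A why-comment would also help the next reader, since D-Bus chat with timedated lets the agent request clock and timezone changes (subject to polkit), e.g. `# puppet agent manages timezone/clock through systemd-timedated`.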
@@ -80249,7 +80280,7 @@ index 618dcfe..9f36ed5 100644 ') optional_policy(` -@@ -342,3 +375,9 @@ optional_policy(` +@@ -342,3 +376,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -108362,18 +108393,20 @@ index 5406b6e..dc5b46e 100644 admin_pattern($1, tgtd_tmpfs_t) ') diff --git a/tgtd.te b/tgtd.te -index d010963..3822bc7 100644 +index d010963..e7e55c7 100644 --- a/tgtd.te +++ b/tgtd.te -@@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t) +@@ -29,8 +29,8 @@ files_pid_file(tgtd_var_run_t) # Local policy # -allow tgtd_t self:capability sys_resource; +-allow tgtd_t self:capability2 block_suspend; +allow tgtd_t self:capability { dac_override ipc_lock sys_resource sys_rawio sys_admin }; - allow tgtd_t self:capability2 block_suspend; ++allow tgtd_t self:capability2 { block_suspend wake_alarm }; allow tgtd_t self:process { setrlimit signal }; allow tgtd_t self:fifo_file rw_fifo_file_perms; + allow tgtd_t self:netlink_route_socket r_netlink_socket_perms; @@ -56,15 +56,16 @@ files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file }) kernel_read_system_state(tgtd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index b10f5804..13322fc6 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 227%{?dist} +Release: 228%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
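Review bot: The new `wake_alarm` in `allow tgtd_t self:capability2 { block_suspend wake_alarm };` has no comment saying which tgtd operation triggers it, and the matching changelog entry ("Allow tgtd_t domain wake_alarm") carries no bug reference, unlike the other entries. CAP_WAKE_ALARM lets the daemon arm timers that wake a suspended system, so a short why-comment tied to the observed denial would help future reviews, e.g. `# wake_alarm: <denial/BZ placeholder> — presumably a CLOCK_*_ALARM timer, confirm`.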
@@ -675,6 +675,25 @@ exit 0
 %endif
 %changelog
+* Mon Dec 05 2016 Lukas Vrabec - 3.13.1-228
+- Fix some boolean descriptions.
+- Add fwupd_dbus_chat() interface
+- Allow tgtd_t domain wake_alarm
+- Merge pull request #172 from vinzent/allow_puppetagent_timedated
+- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081)
+- Allow systemd_machined_t to start unit files labeled as init_var_run_t
+- Add init_manage_config_transient_files() interface
+- In Atomic /usr/local is a soft symlink to /var/usrlocal, so the default policy to apply bin_t on /usr/...bin doesn't work and binaries dumped here get mislabeled as var_t.
+- Allow systemd to raise rlimit to all domains.BZ(1365435)
+- Add interface domain_setrlimit_all_domains() interface
+- Allow staff_t user to chat with fwupd_t domain via dbus
+- Update logging_create_devlog_dev() interface to allow calling domain create also sock_file dev-log. BZ(1393774)
+- Allow systemd-networkd to read network state BZ(1400016)
+- Allow systemd-resolved bind to dns port. BZ(1400023)
+- Allow systemd create /dev/log in own mount-namespace. BZ(1383867)
+- Add interface fs_dontaudit_getattr_nsfs_files()
+- Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853)
+
 * Tue Nov 29 2016 Lukas Vrabec - 3.13.1-227
 - Dontaudit logrotate_t to getattr nsfs_t BZ(1399081)
 - Allow pmie daemon to send signal pcmd daemon BZ(1398078)