diff --git a/container-selinux.tgz b/container-selinux.tgz index 99a1c17a..b681098d 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 98851bf8..08f8a56c 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -4246,7 +4246,7 @@ index 33e0f8dad..6fd767031 100644 +/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if -index 9e9263a68..cb425934b 100644 +index 9e9263a68..464be5733 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if @@ -8,6 +8,22 @@ @@ -4377,14 +4377,16 @@ index 9e9263a68..cb425934b 100644 manage_files_pattern($1, bin_t, bin_t) ') -@@ -398,6 +444,7 @@ interface(`corecmd_mmap_bin_files',` +@@ -398,7 +444,8 @@ interface(`corecmd_mmap_bin_files',` type bin_t; ') +- mmap_files_pattern($1, bin_t, bin_t) + corecmd_read_bin_symlinks($1) - mmap_files_pattern($1, bin_t, bin_t) ++ mmap_exec_files_pattern($1, bin_t, bin_t) ') + ######################################## @@ -440,10 +487,14 @@ interface(`corecmd_mmap_bin_files',` interface(`corecmd_bin_spec_domtrans',` gen_require(` @@ -4480,10 +4482,13 @@ index 9e9263a68..cb425934b 100644 manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') -@@ -1091,3 +1145,74 @@ interface(`corecmd_mmap_all_executables',` +@@ -1089,5 +1143,76 @@ interface(`corecmd_mmap_all_executables',` + type bin_t; + ') - mmap_files_pattern($1, bin_t, exec_type) - ') +- mmap_files_pattern($1, bin_t, exec_type) ++ mmap_exec_files_pattern($1, bin_t, exec_type) ++') + +######################################## +## @@ -4554,7 +4559,7 @@ index 9e9263a68..cb425934b 100644 + ') + + filetrans_pattern($1, bin_t, $2, $3, $4) -+') + ') 
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te index 20c76cff9..cc63dcc9c 100644 --- a/policy/modules/kernel/corecommands.te @@ -11517,7 +11522,7 @@ index 0b1a8715a..849b00191 100644 +dev_getattr_all(devices_unconfined_type) + diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index 6a1e4d156..452a80549 100644 +index 6a1e4d156..5fd375329 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -76,33 +76,8 @@ interface(`domain_type',` @@ -11556,7 +11561,13 @@ index 6a1e4d156..452a80549 100644 ') ######################################## -@@ -133,6 +108,10 @@ interface(`domain_entry_file',` +@@ -128,11 +103,15 @@ interface(`domain_entry_file',` + ') + + allow $1 $2:file entrypoint; +- allow $1 $2:file { mmap_file_perms ioctl lock }; ++ allow $1 $2:file { mmap_exec_file_perms ioctl lock }; + typeattribute $2 entry_type; corecmd_executable_file($2) @@ -11706,6 +11717,15 @@ index 6a1e4d156..452a80549 100644 ## Relabel to and from all entry point ## file types. ## +@@ -1390,7 +1462,7 @@ interface(`domain_mmap_all_entry_files',` + attribute entry_type; + ') + +- allow $1 entry_type:file mmap_file_perms; ++ allow $1 entry_type:file mmap_exec_file_perms; + ') + + ######################################## @@ -1421,7 +1493,7 @@ interface(`domain_entry_file_spec_domtrans',` ## ## Ability to mmap a low area of the address @@ -32841,7 +32861,7 @@ index 6bf0ecc2d..a6b6087eb 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b403774f..f17b76dec 100644 +index 8b403774f..676215ff3 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` 
@@ -33234,12 +33254,12 @@ index 8b403774f..f17b76dec 100644 +allow xdm_t xauth_home_t:file manage_file_perms; + +allow xdm_t xserver_unconfined_type:process { signull }; - --allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; ++ +allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms }; +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) -+ + +-allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; +manage_dirs_pattern(xdm_t, xdm_home_t, xdm_home_t) +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t) +xserver_filetrans_home_content(xdm_t) @@ -33712,7 +33732,7 @@ index 8b403774f..f17b76dec 100644 ') optional_policy(` -@@ -518,8 +918,36 @@ optional_policy(` +@@ -518,8 +918,40 @@ optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -33731,8 +33751,7 @@ index 8b403774f..f17b76dec 100644 + cpufreqselector_dbus_chat(xdm_t) + ') + - optional_policy(` -- accountsd_dbus_chat(xdm_t) ++ optional_policy(` + devicekit_dbus_chat_disk(xdm_t) + devicekit_dbus_chat_power(xdm_t) + ') @@ -33741,16 +33760,21 @@ index 8b403774f..f17b76dec 100644 + hal_dbus_chat(xdm_t) + ') + -+ optional_policy(` + optional_policy(` +- accountsd_dbus_chat(xdm_t) + gnomeclock_dbus_chat(xdm_t) + ') + + optional_policy(` ++ modemmanager_dbus_chat(xdm_t) ++ ') ++ ++ optional_policy(` + networkmanager_dbus_chat(xdm_t) ') ') -@@ -530,6 +958,20 @@ optional_policy(` +@@ -530,6 +962,20 @@ optional_policy(` ') optional_policy(` @@ -33771,7 +33795,7 @@ index 8b403774f..f17b76dec 100644 hostname_exec(xdm_t) ') -@@ -547,28 +989,78 @@ optional_policy(` +@@ -547,28 +993,78 @@ optional_policy(` ') optional_policy(` @@ -33859,7 +33883,7 @@ index 8b403774f..f17b76dec 100644 ') optional_policy(` -@@ -580,6 +1072,14 @@ optional_policy(` +@@ -580,6 +1076,14 @@ optional_policy(` ') optional_policy(` 
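Review bot: The new `optional_policy` block that adds `modemmanager_dbus_chat(xdm_t)` (hunk `@@ -33741,16 +33760,21 @@`) gives no rationale for why the display manager needs a D-Bus channel to ModemManager; if `modemmanager_dbus_chat` follows the usual `*_dbus_chat` shape it grants `send_msg` in both directions, so `xdm_t` also becomes reachable from the modem daemon's domain. Record the trigger above the call so the grant can be revisited when its consumer changes, e.g. `# login screen needs ModemManager over D-Bus: <TODO: feature or denial reference>`. The surrounding `optional_policy(` for dbus begins outside the hunk.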
@@ -33874,7 +33898,7 @@ index 8b403774f..f17b76dec 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1094,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1098,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -33883,7 +33907,7 @@ index 8b403774f..f17b76dec 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1104,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1108,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -33896,7 +33920,7 @@ index 8b403774f..f17b76dec 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1121,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1125,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -33912,7 +33936,7 @@ index 8b403774f..f17b76dec 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,36 +1137,53 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,36 +1141,53 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) 
@@ -33970,7 +33994,7 @@ index 8b403774f..f17b76dec 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1204,29 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1208,29 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -34003,7 +34027,7 @@ index 8b403774f..f17b76dec 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1238,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1242,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -34018,7 +34042,7 @@ index 8b403774f..f17b76dec 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,28 +1259,25 @@ init_getpgid(xserver_t) +@@ -718,28 +1263,25 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -34051,7 +34075,7 @@ index 8b403774f..f17b76dec 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; -@@ -785,17 +1323,54 @@ optional_policy(` +@@ -785,17 +1327,54 @@ optional_policy(` ') optional_policy(` @@ -34108,7 +34132,7 @@ index 8b403774f..f17b76dec 100644 ') optional_policy(` -@@ -803,6 +1378,10 @@ optional_policy(` +@@ -803,6 +1382,10 @@ optional_policy(` ') optional_policy(` @@ -34119,7 +34143,7 @@ index 8b403774f..f17b76dec 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1397,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1401,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! 
@@ -34144,7 +34168,7 @@ index 8b403774f..f17b76dec 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1420,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1424,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -34179,7 +34203,7 @@ index 8b403774f..f17b76dec 100644 ') optional_policy(` -@@ -912,7 +1485,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1489,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -34188,7 +34212,7 @@ index 8b403774f..f17b76dec 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1539,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1543,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -34220,7 +34244,7 @@ index 8b403774f..f17b76dec 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1585,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1589,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -41631,7 +41655,7 @@ index 73bb3c00c..4ddc8145a 100644 +/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) +/usr/sbin/sln -- gen_context(system_u:object_r:ldconfig_exec_t,s0) 
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if -index 808ba93eb..b717d9709 100644 +index 808ba93eb..16ed55e55 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if @@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',` @@ -41660,9 +41684,12 @@ index 808ba93eb..b717d9709 100644 ## Use the dynamic link/loader for automatic loading ## of shared libraries. ## -@@ -86,7 +105,7 @@ interface(`libs_use_ld_so',` +@@ -84,9 +103,9 @@ interface(`libs_use_ld_so',` + allow $1 lib_t:dir list_dir_perms; + read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t }) - mmap_files_pattern($1, lib_t, ld_so_t) +- mmap_files_pattern($1, lib_t, ld_so_t) ++ mmap_exec_files_pattern($1, lib_t, { lib_t ld_so_t }) - allow $1 ld_so_cache_t:file read_file_perms; + allow $1 ld_so_cache_t:file { map read_file_perms }; @@ -41810,7 +41837,7 @@ index 808ba93eb..b717d9709 100644 - mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) + allow $1 { textrel_shlib_t lib_t }:dir list_dir_perms; + read_lnk_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) -+ mmap_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) ++ mmap_exec_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) +# allow $1 lib_t:file execmod; allow $1 textrel_shlib_t:file execmod; ') @@ -43066,7 +43093,7 @@ index 4e9488463..c54641fbb 100644 +') + diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1a2..e9545b961 100644 +index 59b04c1a2..d4fd81a7b 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1) @@ -43498,7 +43525,7 @@ index 59b04c1a2..e9545b961 100644 ') optional_policy(` -@@ -507,15 +625,44 @@ optional_policy(` +@@ -507,15 +625,45 @@ optional_policy(` ') optional_policy(` 
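Review bot: In `libs_use_ld_so` (hunk `@@ -41660,9 +41684,12 @@`) the replacement line `mmap_exec_files_pattern($1, lib_t, { lib_t ld_so_t })` widens the file target from `ld_so_t` alone to `{ lib_t ld_so_t }`, so by the `mmap_exec_files_pattern` definition added in file_patterns.spt every caller of the loader interface now gets `mmap_exec_file_perms` on all `lib_t` files, not just on the dynamic loader; elsewhere on this page the `mmap_files_pattern` → `mmap_exec_files_pattern` change keeps the arguments identical, so this is a privilege widening hidden in a rename. If it is intended, say so next to the line, e.g. `# callers of the loader interface also need map/execute on lib_t objects, not only on ld.so`; otherwise keep the target at `ld_so_t` and leave `lib_t` to `libs_use_shared_libs`. The interface body continues outside the hunk.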
@@ -43536,6 +43563,7 @@ index 59b04c1a2..e9545b961 100644 + +optional_policy(` + systemd_rw_coredump_tmpfs_files(syslogd_t) ++ systemd_read_unit_files(syslogd_t) +') + +optional_policy(` @@ -43543,7 +43571,7 @@ index 59b04c1a2..e9545b961 100644 ') optional_policy(` -@@ -526,3 +673,29 @@ optional_policy(` +@@ -526,3 +674,29 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -47050,7 +47078,7 @@ index 38220721d..abac74231 100644 + allow semanage_t $1:dbus send_msg; +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index dc4642022..5b26b2de2 100644 +index dc4642022..d3320bdd9 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,16 @@ gen_require(` @@ -47473,7 +47501,7 @@ index dc4642022..5b26b2de2 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -440,81 +512,86 @@ optional_policy(` +@@ -440,81 +512,87 @@ optional_policy(` # semodule local policy # @@ -47541,6 +47569,7 @@ index dc4642022..5b26b2de2 100644 -seutil_manage_module_store(semanage_t) -seutil_get_semanage_trans_lock(semanage_t) -seutil_get_semanage_read_lock(semanage_t) ++seutil_rw_login_config(semanage_t) +seutil_domtrans_setfiles(semanage_t) + +#seutil_run_setfiles(semanage_t, semanage_roles) @@ -47616,7 +47645,7 @@ index dc4642022..5b26b2de2 100644 ') ######################################## -@@ -522,111 +599,204 @@ ifdef(`distro_ubuntu',` +@@ -522,111 +600,204 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # @@ -49077,10 +49106,10 @@ index a392fc4bc..4870f76fd 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 000000000..121b42208 +index 000000000..ce07ba149 --- /dev/null 
+++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,81 @@ +@@ -0,0 +1,82 @@ +HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) + @@ -49108,6 +49137,7 @@ index 000000000..121b42208 +/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0) +/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) +/run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) ++/run/systemd/units(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) +/usr/lib/systemd/system/systemd-machined\.service -- gen_context(system_u:object_r:systemd_machined_unit_file_t,s0) +/usr/lib/systemd/system/systemd-networkd\.service gen_context(system_u:object_r:systemd_networkd_unit_file_t,s0) +/usr/lib/systemd/system/systemd-resolved\.service gen_context(system_u:object_r:systemd_resolved_unit_file_t,s0) @@ -53555,7 +53585,7 @@ index db7597682..c54480a1d 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6c0..3f5aa5f3b 100644 +index 9dc60c6c0..8c0b17aa8 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
@@ -55723,7 +55753,39 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## Mmap user home files. ## ## -@@ -1875,14 +2634,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1858,12 +2617,30 @@ interface(`userdom_mmap_user_home_content_files',` + type user_home_dir_t, user_home_t; + ') + +- mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) ++ mmap_exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) + files_search_home($1) + ') + + ######################################## + ## ++## map user home files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_map_user_home_files',` ++ gen_require(` ++ type user_home_t; ++ ') ++ ++ allow $1 user_home_t:file map; ++') ++ ++######################################## ++## + ## Read user home files. + ## + ## +@@ -1875,14 +2652,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -55761,7 +55823,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1893,11 +2674,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1893,11 +2692,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -55779,7 +55841,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ') ######################################## -@@ -1938,7 +2722,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1938,7 +2740,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -55788,7 +55850,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## ## ## -@@ -1946,10 +2730,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1946,10 +2748,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # 
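Review bot: The new interface `userdom_map_user_home_files` (hunk `@@ -55723,7 +55753,39 @@`) grants only `allow $1 user_home_t:file map;`, with no read permission and no home-directory search call, so a caller must already hold read and search access through another interface for the `map` to be usable; its one-line summary `map user home files.` does not say this, unlike the neighbouring `userdom_mmap_user_home_content_files`, which grants the combined permissions plus `files_search_home($1)`. Suggested summary: `Allow mapping (the map permission only) of user home files; callers must obtain read and search access separately, e.g. via userdom_read_user_home_content_files.` Capitalising the summary (`Map user home files.`) would also match the surrounding interface headers.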
@@ -55801,7 +55863,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ') userdom_search_user_home_content($1) -@@ -1958,7 +2741,7 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1958,7 +2759,7 @@ interface(`userdom_delete_all_user_home_content_files',` ######################################## ## @@ -55810,7 +55872,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## ## ## -@@ -1966,12 +2749,66 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1966,12 +2767,66 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -55879,7 +55941,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ') ######################################## -@@ -2007,8 +2844,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2007,8 +2862,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -55889,7 +55951,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ') ######################################## -@@ -2024,20 +2860,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2024,20 +2878,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -55914,7 +55976,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ######################################## ## -@@ -2075,6 +2905,7 @@ interface(`userdom_manage_user_home_content_files',` +@@ -2075,6 +2923,7 @@ interface(`userdom_manage_user_home_content_files',` manage_files_pattern($1, user_home_t, user_home_t) allow $1 user_home_dir_t:dir search_dir_perms; @@ -55922,7 +55984,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 files_search_home($1) ') -@@ -2120,7 +2951,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2120,7 +2969,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## 
@@ -55931,7 +55993,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## ## ## -@@ -2128,19 +2959,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2977,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -55955,7 +56017,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## ## ## -@@ -2148,12 +2977,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2995,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -55971,7 +56033,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ') ######################################## -@@ -2388,18 +3217,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2388,18 +3235,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` ## ## # @@ -56029,7 +56091,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## Do not audit attempts to read users ## temporary files. ## -@@ -2414,7 +3279,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3297,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -56038,7 +56100,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ') ######################################## -@@ -2455,6 +3320,25 @@ interface(`userdom_rw_user_tmp_files',` +@@ -2455,6 +3338,25 @@ interface(`userdom_rw_user_tmp_files',` rw_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') @@ -56064,7 +56126,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ######################################## ## -@@ -2538,7 +3422,7 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2538,7 +3440,7 @@ interface(`userdom_manage_user_tmp_files',` ######################################## ## ## Create, read, write, and delete user 
@@ -56073,73 +56135,51 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## ## ## -@@ -2546,19 +3430,19 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2546,7 +3448,27 @@ interface(`userdom_manage_user_tmp_files',` ## ## # -interface(`userdom_manage_user_tmp_symlinks',` +interface(`userdom_filetrans_named_user_tmp_files',` - gen_require(` - type user_tmp_t; - ') - -- manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) ++ gen_require(` ++ type user_tmp_t; ++ ') ++ + files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root") - files_search_tmp($1) - ') - - ######################################## - ## - ## Create, read, write, and delete user --## temporary named pipes. ++ files_search_tmp($1) ++') ++ ++######################################## ++## ++## Create, read, write, and delete user +## temporary symbolic links. - ## - ## - ## -@@ -2566,19 +3450,19 @@ interface(`userdom_manage_user_tmp_symlinks',` - ## - ## - # --interface(`userdom_manage_user_tmp_pipes',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`userdom_manage_user_tmp_symlinks',` gen_require(` type user_tmp_t; ') - -- manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) -+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) - ') - - ######################################## - ## - ## Create, read, write, and delete user --## temporary named sockets. -+## temporary named pipes. 
- ## - ## - ## -@@ -2586,20 +3470,61 @@ interface(`userdom_manage_user_tmp_pipes',` +@@ -2566,6 +3488,27 @@ interface(`userdom_manage_user_tmp_symlinks',` ## ## # --interface(`userdom_manage_user_tmp_sockets',` +interface(`userdom_rw_inherited_user_tmp_pipes',` - gen_require(` - type user_tmp_t; - ') - -- manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) -+ allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; - files_search_tmp($1) - ') - ++ gen_require(` ++ type user_tmp_t; ++ ') + - ######################################## - ## --## Create objects in a user temporary directory --## with an automatic type transition to --## a specified private type. ++ allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; ++ files_search_tmp($1) ++') ++ ++ ++######################################## ++## +## Create, read, write, and delete user +## temporary named pipes. +## @@ -56149,44 +56189,10 @@ index 9dc60c6c0..3f5aa5f3b 100644 +## +## +# -+interface(`userdom_manage_user_tmp_pipes',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) -+ files_search_tmp($1) -+') -+ -+######################################## -+## -+## Create, read, write, and delete user -+## temporary named sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_manage_user_tmp_sockets',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) -+ files_search_tmp($1) -+') -+ -+######################################## -+## -+## Create objects in a user temporary directory -+## with an automatic type transition to -+## a specified private type. - ## - ## - ## -@@ -2661,6 +3586,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` + interface(`userdom_manage_user_tmp_pipes',` + gen_require(` + type user_tmp_t; +@@ -2661,6 +3604,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') 
@@ -56208,7 +56214,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ######################################## ## ## Read user tmpfs files. -@@ -2672,18 +3612,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2672,18 +3630,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` ## # interface(`userdom_read_user_tmpfs_files',` @@ -56230,7 +56236,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## ## ## -@@ -2692,19 +3627,13 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2692,19 +3645,13 @@ interface(`userdom_read_user_tmpfs_files',` ## # interface(`userdom_rw_user_tmpfs_files',` @@ -56253,7 +56259,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## ## ## -@@ -2713,13 +3642,56 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2713,13 +3660,56 @@ interface(`userdom_rw_user_tmpfs_files',` ## # interface(`userdom_manage_user_tmpfs_files',` @@ -56314,7 +56320,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ') ######################################## -@@ -2814,6 +3786,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3804,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -56339,7 +56345,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3822,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3840,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -56382,7 +56388,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## ## ## -@@ -2856,14 +3858,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3876,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -56420,7 +56426,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ') ######################################## -@@ -2882,8 +3903,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3921,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') 
@@ -56450,7 +56456,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ') ######################################## -@@ -2955,6 +3995,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,6 +4013,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -56493,7 +56499,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ######################################## ## ## Execute an Xserver session in all unprivileged user domains. This -@@ -2978,24 +4054,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2978,24 +4072,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -56518,7 +56524,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -3014,9 +4072,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3014,9 +4090,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -56530,7 +56536,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## memory segments. ## ## -@@ -3025,17 +4083,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,17 +4101,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -56551,7 +56557,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## memory segments. ## ## -@@ -3044,12 +4102,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` +@@ -3044,12 +4120,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` ## ## # @@ -56566,7 +56572,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ') ######################################## -@@ -3094,7 +4152,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +4170,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
@@ -56575,7 +56581,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +4168,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +4186,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -56609,7 +56615,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ') ######################################## -@@ -3214,7 +4256,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4274,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -56636,7 +56642,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ') ######################################## -@@ -3269,12 +4329,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4347,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -56652,7 +56658,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## ## ## -@@ -3282,46 +4343,122 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,54 +4361,56 @@ interface(`userdom_write_user_tmp_files',` ## ## # 
@@ -56710,32 +56716,37 @@ index 9dc60c6c0..3f5aa5f3b 100644 gen_require(` - attribute userdomain; + type user_tmp_t; -+ ') -+ + ') + +- allow $1 userdomain:process getattr; + dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Inherit the file descriptors from all user domains +## Allow domain to read/write inherited users +## fifo files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -3337,17 +4418,91 @@ interface(`userdom_getattr_all_users',` + ## + ## + # +-interface(`userdom_use_all_users_fds',` +interface(`userdom_rw_inherited_user_pipes',` -+ gen_require(` -+ attribute userdomain; -+ ') -+ + gen_require(` + attribute userdomain; + ') + +- allow $1 userdomain:fd use; + allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to inherit the file +## Do not audit attempts to use user ttys. +## +## @@ -56785,10 +56796,36 @@ index 9dc60c6c0..3f5aa5f3b 100644 +interface(`userdom_getattr_all_users',` + gen_require(` + attribute userdomain; - ') - - allow $1 userdomain:process getattr; -@@ -3382,6 +4519,42 @@ interface(`userdom_signal_all_users',` ++ ') ++ ++ allow $1 userdomain:process getattr; ++') ++ ++######################################## ++## ++## Inherit the file descriptors from all user domains ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_use_all_users_fds',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:fd use; ++') ++ ++######################################## ++## ++## Do not audit attempts to inherit the file + ## descriptors from any user domains. + ## + ## +@@ -3382,6 +4537,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') 
@@ -56831,7 +56868,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4575,60 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4593,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -56892,7 +56929,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4662,1853 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4680,1853 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -58747,7 +58784,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 + ') ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index f4ac38dc7..0fce86e80 100644 +index f4ac38dc7..8bbc532c5 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1) @@ -58836,7 +58873,7 @@ index f4ac38dc7..0fce86e80 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +83,399 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +83,400 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; 
@@ -58949,6 +58986,7 @@ index f4ac38dc7..0fce86e80 100644 +read_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t) +read_lnk_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t) +userdom_search_user_home_content(userdom_home_reader_certs_type) ++allow userdom_home_reader_certs_type home_cert_t:file map; + +tunable_policy(`use_ecryptfs_home_dirs',` + fs_read_ecryptfs_files(userdom_home_reader_certs_type) 
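Review bot: The added `allow userdom_home_reader_certs_type home_cert_t:file map;` sits a few lines under `read_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t)` for the same type pair, and this same commit introduces `mmap_read_files_pattern` in file_patterns.spt; collapsing the two into `mmap_read_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t)` states the intent (read-only mapping, no execute) in one place. The `use_ecryptfs_home_dirs` branch just below keeps `fs_read_ecryptfs_files`, which presumably does not carry `map`, so certificate files on an ecryptfs home may still fail to map — worth checking against the denial behind the bug rather than assuming. The attribute block continues outside this hunk.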
@@ -59267,6 +59305,58 @@ index db3cbca45..3cc5cf448 100644 +policycap nnp_nosuid_transition; + + +diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt +index 8b785c9a3..8aa8c3610 100644 +--- a/policy/support/file_patterns.spt ++++ b/policy/support/file_patterns.spt +@@ -99,9 +99,21 @@ define(`read_files_pattern',` + allow $1 $3:file read_file_perms; + ') + ++define(`mmap_read_files_pattern',` ++ allow $1 $2:dir search_dir_perms; ++ allow $1 $3:file mmap_read_file_perms; ++') ++ + define(`mmap_files_pattern',` ++ # deprecated 20171213 ++ refpolicywarn(`mmap_files_pattern() is deprecated, please use mmap_exec_files_pattern() instead') + allow $1 $2:dir search_dir_perms; +- allow $1 $3:file mmap_file_perms; ++ allow $1 $3:file mmap_exec_file_perms; ++') ++ ++define(`mmap_exec_files_pattern',` ++ allow $1 $2:dir search_dir_perms; ++ allow $1 $3:file mmap_exec_file_perms; + ') + + define(`exec_files_pattern',` +@@ -124,6 +136,11 @@ define(`rw_files_pattern',` + allow $1 $3:file rw_file_perms; + ') + ++define(`mmap_rw_files_pattern',` ++ allow $1 $2:dir search_dir_perms; ++ allow $1 $3:file mmap_rw_file_perms; ++') ++ + define(`create_files_pattern',` + allow $1 $2:dir add_entry_dir_perms; + allow $1 $3:file create_file_perms; +diff --git a/policy/support/misc_macros.spt b/policy/support/misc_macros.spt +index 4ca5688c3..355ff953c 100644 +--- a/policy/support/misc_macros.spt ++++ b/policy/support/misc_macros.spt +@@ -67,7 +67,7 @@ define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'if + # + # can_exec(domain,executable) + # +-define(`can_exec',`allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };') ++define(`can_exec',`allow $1 $2:file { mmap_exec_file_perms ioctl lock execute_no_trans };') + + ######################################## + # diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt index e79d54501..101086d66 100644 --- a/policy/support/misc_patterns.spt 
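Review bot: `mmap_files_pattern` is deprecated but still expands to `mmap_exec_file_perms`, so every existing caller silently keeps `execute` on the files it maps, and the warning text points all of them at `mmap_exec_files_pattern`, which preserves that grant. Callers that only need a readable mapping (configuration, certificate, data files) should be steered to the new `mmap_read_files_pattern`, otherwise the migration carries `execute` forward by default. Suggest widening the comment to `# deprecated 20171213: use mmap_exec_files_pattern() for executables, mmap_read_files_pattern() for data` so the choice is made at each call site instead of defaulting to the broader set.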
@@ -59299,7 +59389,7 @@ index e79d54501..101086d66 100644 ') diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt -index 6e9131723..528c5d2d1 100644 +index 6e9131723..d63bb8b45 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') @@ -59321,7 +59411,7 @@ index 6e9131723..528c5d2d1 100644 # # Permissions for creating and using sockets. -@@ -153,12 +152,16 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }') +@@ -153,12 +152,22 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }') # define(`getattr_file_perms',`{ getattr }') define(`setattr_file_perms',`{ setattr }') @@ -59334,6 +59424,10 @@ index 6e9131723..528c5d2d1 100644 +define(`read_inherited_file_perms',`{ getattr read ioctl lock }') +define(`read_file_perms',`{ open read_inherited_file_perms }') +define(`mmap_file_perms',`{ getattr open map read execute ioctl }') ++define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }') ++define(`mmap_read_file_perms',`{ getattr open map read ioctl }') ++define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }') ++define(`mmap_exec_file_perms',`{ getattr open map read execute ioctl }') +define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }') +define(`append_inherited_file_perms',`{ getattr append }') +define(`append_file_perms',`{ open lock ioctl append_inherited_file_perms }') 
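Review bot: `mmap_file_perms` is left identical to the new `mmap_exec_file_perms` (`{ getattr open map read execute ioctl }`) with no deprecation marker, while its counterpart `mmap_files_pattern` in file_patterns.spt gets `# deprecated 20171213` and a refpolicywarn in this same commit. A one-line comment above it, `# deprecated 20171213, use mmap_exec_file_perms or mmap_read_file_perms`, keeps the two support files consistent and tells policy authors that the unqualified set grants execute. The new `mmap_read_*`/`mmap_exec_*` split makes the execute/no-execute distinction explicit, which is the right direction; the unqualified name should not remain the path of least resistance.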
@@ -59341,10 +59435,12 @@ index 6e9131723..528c5d2d1 100644 +define(`write_file_perms',`{ open write_inherited_file_perms }') +define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }') +define(`rw_file_perms',`{ open rw_inherited_file_perms }') ++define(`mmap_rw_inherited_file_perms',`{ getattr map read write ioctl }') ++define(`mmap_rw_file_perms',`{ getattr open map read write ioctl }') define(`create_file_perms',`{ getattr create open }') define(`rename_file_perms',`{ getattr rename }') define(`delete_file_perms',`{ getattr unlink }') -@@ -179,7 +182,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }') +@@ -179,7 +188,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }') define(`create_lnk_file_perms',`{ create getattr }') define(`rename_lnk_file_perms',`{ getattr rename }') define(`delete_lnk_file_perms',`{ getattr unlink }') @@ -59353,7 +59449,7 @@ index 6e9131723..528c5d2d1 100644 define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }') define(`relabelto_lnk_file_perms',`{ getattr relabelto }') define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }') -@@ -192,7 +195,8 @@ define(`setattr_fifo_file_perms',`{ setattr }') +@@ -192,7 +201,8 @@ define(`setattr_fifo_file_perms',`{ setattr }') define(`read_fifo_file_perms',`{ getattr open read lock ioctl }') define(`append_fifo_file_perms',`{ getattr open append lock ioctl }') define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }') 
@@ -59363,7 +59459,7 @@ index 6e9131723..528c5d2d1 100644 define(`create_fifo_file_perms',`{ getattr create open }') define(`rename_fifo_file_perms',`{ getattr rename }') define(`delete_fifo_file_perms',`{ getattr unlink }') -@@ -208,8 +212,9 @@ define(`getattr_sock_file_perms',`{ getattr }') +@@ -208,8 +218,9 @@ define(`getattr_sock_file_perms',`{ getattr }') define(`setattr_sock_file_perms',`{ setattr }') define(`read_sock_file_perms',`{ getattr open read }') define(`write_sock_file_perms',`{ getattr write open append }') @@ -59375,7 +59471,7 @@ index 6e9131723..528c5d2d1 100644 define(`rename_sock_file_perms',`{ getattr rename }') define(`delete_sock_file_perms',`{ getattr unlink }') define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }') -@@ -225,7 +230,8 @@ define(`setattr_blk_file_perms',`{ setattr }') +@@ -225,7 +236,8 @@ define(`setattr_blk_file_perms',`{ setattr }') define(`read_blk_file_perms',`{ getattr open read lock ioctl }') define(`append_blk_file_perms',`{ getattr open append lock ioctl }') define(`write_blk_file_perms',`{ getattr open write append lock ioctl }') @@ -59385,7 +59481,7 @@ index 6e9131723..528c5d2d1 100644 define(`create_blk_file_perms',`{ getattr create }') define(`rename_blk_file_perms',`{ getattr rename }') define(`delete_blk_file_perms',`{ getattr unlink }') -@@ -242,7 +248,8 @@ define(`setattr_chr_file_perms',`{ setattr }') +@@ -242,7 +254,8 @@ define(`setattr_chr_file_perms',`{ setattr }') define(`read_chr_file_perms',`{ getattr open read lock ioctl }') define(`append_chr_file_perms',`{ getattr open append lock ioctl }') define(`write_chr_file_perms',`{ getattr open write append lock ioctl }') 
@@ -59395,7 +59491,7 @@ index 6e9131723..528c5d2d1 100644 define(`create_chr_file_perms',`{ getattr create }') define(`rename_chr_file_perms',`{ getattr rename }') define(`delete_chr_file_perms',`{ getattr unlink }') -@@ -259,7 +266,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }') +@@ -259,7 +272,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }') # # Use (read and write) terminals # @@ -59405,7 +59501,7 @@ index 6e9131723..528c5d2d1 100644 # # Sockets -@@ -271,3 +279,8 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept +@@ -271,3 +285,8 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept # Keys # define(`manage_key_perms', `{ create link read search setattr view write } ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 3e59f8bb..c0fc4738 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -12792,10 +12792,10 @@ index 550b287ce..73104ec93 100644 + ') +') diff --git a/certwatch.te b/certwatch.te -index 171fafb99..38614a0e9 100644 +index 171fafb99..6cf8b7957 100644 --- a/certwatch.te +++ b/certwatch.te -@@ -18,35 +18,47 @@ role certwatch_roles types certwatch_t; +@@ -18,35 +18,48 @@ role certwatch_roles types certwatch_t; # Local policy # @@ -12827,6 +12827,7 @@ index 171fafb99..38614a0e9 100644 miscfiles_read_all_certs(certwatch_t) -miscfiles_read_localization(certwatch_t) +miscfiles_manage_generic_cert_dirs(certwatch_t) ++miscfiles_map_generic_certs(certwatch_t) + +sysnet_read_config(certwatch_t) @@ -20020,7 +20021,7 @@ index 1303b3036..f5bd4aee8 100644 + logging_log_filetrans($1, var_log_t, file, "redhat-access-insights.log") ') diff --git a/cron.te b/cron.te -index 7de385956..46400791a 100644 +index 7de385956..31053c2a9 100644 --- a/cron.te +++ b/cron.te @@ -11,46 +11,54 @@ gen_require(` 
@@ -20439,7 +20440,7 @@ index 7de385956..46400791a 100644 ') optional_policy(` -@@ -354,103 +314,141 @@ optional_policy(` +@@ -354,103 +314,145 @@ optional_policy(` ') optional_policy(` @@ -20448,22 +20449,20 @@ index 7de385956..46400791a 100644 - optional_policy(` - hal_dbus_chat(crond_t) - ') -- ++ djbdns_search_tinydns_keys(crond_t) ++ djbdns_link_tinydns_keys(crond_t) ++') + - optional_policy(` - unconfined_dbus_send(crond_t) - ') -+ djbdns_search_tinydns_keys(crond_t) -+ djbdns_link_tinydns_keys(crond_t) - ') - - optional_policy(` -- amanda_search_var_lib(crond_t) ++optional_policy(` + locallogin_search_keys(crond_t) + locallogin_link_keys(crond_t) ') optional_policy(` -- amavis_search_lib(crond_t) +- amanda_search_var_lib(crond_t) + # these should probably be unconfined_crond_t + dbus_system_bus_client(crond_t) + init_dbus_send_script(crond_t) @@ -20471,28 +20470,32 @@ index 7de385956..46400791a 100644 ') optional_policy(` -- djbdns_search_tinydns_keys(crond_t) -- djbdns_link_tinydns_keys(crond_t) +- amavis_search_lib(crond_t) + amanda_search_var_lib(crond_t) ') optional_policy(` -- hal_write_log(crond_t) +- djbdns_search_tinydns_keys(crond_t) +- djbdns_link_tinydns_keys(crond_t) + antivirus_search_db(crond_t) ') + optional_policy(` ++ hal_dbus_chat(crond_t) + hal_write_log(crond_t) ++ hal_dbus_chat(system_cronjob_t) + ') + optional_policy(` - locallogin_search_keys(crond_t) - locallogin_link_keys(crond_t) -+ hal_dbus_chat(crond_t) -+ hal_write_log(crond_t) -+ hal_dbus_chat(system_cronjob_t) ++ # cjp: why? ++ munin_search_lib(crond_t) ') optional_policy(` - mta_send_mail(crond_t) -+ # cjp: why? -+ munin_search_lib(crond_t) ++ pcp_read_lib_files(crond_t) ') optional_policy(` 
@@ -20613,7 +20616,7 @@ index 7de385956..46400791a 100644 allow system_cronjob_t cron_spool_t:dir list_dir_perms; allow system_cronjob_t cron_spool_t:file rw_file_perms; -@@ -461,11 +459,11 @@ kernel_read_network_state(system_cronjob_t) +@@ -461,11 +463,11 @@ kernel_read_network_state(system_cronjob_t) kernel_read_system_state(system_cronjob_t) kernel_read_software_raid_state(system_cronjob_t) @@ -20626,7 +20629,7 @@ index 7de385956..46400791a 100644 corenet_all_recvfrom_netlabel(system_cronjob_t) corenet_tcp_sendrecv_generic_if(system_cronjob_t) corenet_udp_sendrecv_generic_if(system_cronjob_t) -@@ -485,6 +483,7 @@ fs_getattr_all_symlinks(system_cronjob_t) +@@ -485,6 +487,7 @@ fs_getattr_all_symlinks(system_cronjob_t) fs_getattr_all_pipes(system_cronjob_t) fs_getattr_all_sockets(system_cronjob_t) @@ -20634,7 +20637,7 @@ index 7de385956..46400791a 100644 domain_dontaudit_read_all_domains_state(system_cronjob_t) files_exec_etc_files(system_cronjob_t) -@@ -495,17 +494,22 @@ files_getattr_all_files(system_cronjob_t) +@@ -495,17 +498,22 @@ files_getattr_all_files(system_cronjob_t) files_getattr_all_symlinks(system_cronjob_t) files_getattr_all_pipes(system_cronjob_t) files_getattr_all_sockets(system_cronjob_t) @@ -20659,7 +20662,7 @@ index 7de385956..46400791a 100644 auth_use_nsswitch(system_cronjob_t) -@@ -516,20 +520,28 @@ logging_read_generic_logs(system_cronjob_t) +@@ -516,20 +524,28 @@ logging_read_generic_logs(system_cronjob_t) logging_send_audit_msgs(system_cronjob_t) logging_send_syslog_msg(system_cronjob_t) @@ -20690,7 +20693,7 @@ index 7de385956..46400791a 100644 selinux_validate_context(system_cronjob_t) selinux_compute_access_vector(system_cronjob_t) selinux_compute_create_context(system_cronjob_t) -@@ -539,10 +551,26 @@ tunable_policy(`cron_can_relabel',` +@@ -539,10 +555,26 @@ tunable_policy(`cron_can_relabel',` ') optional_policy(` 
@@ -20717,7 +20720,7 @@ index 7de385956..46400791a 100644 ') optional_policy(` -@@ -551,10 +579,6 @@ optional_policy(` +@@ -551,10 +583,6 @@ optional_policy(` optional_policy(` dbus_system_bus_client(system_cronjob_t) @@ -20728,7 +20731,7 @@ index 7de385956..46400791a 100644 ') optional_policy(` -@@ -567,6 +591,10 @@ optional_policy(` +@@ -567,6 +595,10 @@ optional_policy(` ') optional_policy(` @@ -20739,7 +20742,7 @@ index 7de385956..46400791a 100644 ftp_read_log(system_cronjob_t) ') -@@ -591,6 +619,8 @@ optional_policy(` +@@ -591,6 +623,8 @@ optional_policy(` optional_policy(` mta_read_config(system_cronjob_t) mta_send_mail(system_cronjob_t) @@ -20748,7 +20751,7 @@ index 7de385956..46400791a 100644 ') optional_policy(` -@@ -598,7 +628,31 @@ optional_policy(` +@@ -598,7 +632,31 @@ optional_policy(` ') optional_policy(` @@ -20780,7 +20783,7 @@ index 7de385956..46400791a 100644 ') optional_policy(` -@@ -607,7 +661,12 @@ optional_policy(` +@@ -607,7 +665,12 @@ optional_policy(` ') optional_policy(` @@ -20793,7 +20796,7 @@ index 7de385956..46400791a 100644 ') optional_policy(` -@@ -615,12 +674,27 @@ optional_policy(` +@@ -615,12 +678,27 @@ optional_policy(` ') optional_policy(` @@ -20823,7 +20826,7 @@ index 7de385956..46400791a 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -628,12 +702,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -628,12 +706,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; 
@@ -20857,7 +20860,7 @@ index 7de385956..46400791a 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -641,66 +735,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -641,66 +739,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -23031,7 +23034,7 @@ index dda905b9c..60806a524 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index 62d22cb46..c0c2ed47d 100644 +index 62d22cb46..d9c0343da 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ @@ -23109,7 +23112,7 @@ index 62d22cb46..c0c2ed47d 100644 - - allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; + # For connecting to the bus -+ allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms }; ++ allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms create }; + allow $1_dbusd_t $3:unix_stream_socket { accept getattr getopt read write }; - allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; @@ -23561,7 +23564,7 @@ index 62d22cb46..c0c2ed47d 100644 ## ## ## Type to be used as a domain. -@@ -397,199 +410,250 @@ interface(`dbus_manage_lib_files',` +@@ -397,199 +410,251 @@ interface(`dbus_manage_lib_files',` ## ## ## @@ -23881,6 +23884,7 @@ index 62d22cb46..c0c2ed47d 100644 - allow $1 system_dbusd_t:fd use; + dontaudit $1 system_dbusd_t:unix_stream_socket connectto; ++ dontaudit $1 system_dbusd_t:sock_file write; ') ######################################## @@ -23892,7 +23896,7 @@ index 62d22cb46..c0c2ed47d 100644 ## ## ## -@@ -597,28 +661,68 @@ interface(`dbus_use_system_bus_fds',` +@@ -597,28 +662,68 @@ interface(`dbus_use_system_bus_fds',` ## ## # 
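Review bot: `create` is added to `allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms create };`, but a socket created by the client process is normally labeled with the client's own domain, not `$1_dbusd_t`; `create` on another domain's socket type only takes effect when the socket is created under that context, so the permission is either dead or papers over a labeling anomaly. The denial that motivated it should be recorded in a comment, e.g. `# create: <placeholder: AVC or bug reference>, socket created with the bus daemon's context`, or the permission dropped if it cannot be reproduced. The `dontaudit $1 system_dbusd_t:sock_file write;` added further down in the same file is harmless as a dontaudit but likewise lacks a note on which caller triggers it. The template body continues outside this hunk.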
@@ -23970,7 +23974,7 @@ index 62d22cb46..c0c2ed47d 100644 + manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t) ') diff --git a/dbus.te b/dbus.te -index c9998c80d..328aa81d2 100644 +index c9998c80d..5a9dfdf1e 100644 --- a/dbus.te +++ b/dbus.te @@ -4,17 +4,15 @@ gen_require(` @@ -24004,7 +24008,15 @@ index c9998c80d..328aa81d2 100644 type session_dbusd_tmp_t; typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t }; typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t }; -@@ -41,7 +36,8 @@ files_type(system_dbusd_var_lib_t) +@@ -36,12 +31,16 @@ init_system_domain(system_dbusd_t, dbusd_exec_t) + type system_dbusd_tmp_t; + files_tmp_file(system_dbusd_tmp_t) + ++type system_dbusd_tmpfs_t; ++files_tmpfs_file(system_dbusd_tmpfs_t) ++ + type system_dbusd_var_lib_t; + files_type(system_dbusd_var_lib_t) type system_dbusd_var_run_t; files_pid_file(system_dbusd_var_run_t) @@ -24014,7 +24026,7 @@ index c9998c80d..328aa81d2 100644 ifdef(`enable_mcs',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) -@@ -51,59 +47,64 @@ ifdef(`enable_mls',` +@@ -51,59 +50,69 @@ ifdef(`enable_mls',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh) ') @@ -24050,6 +24062,11 @@ index c9998c80d..328aa81d2 100644 manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) -files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file }) +files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) ++ ++manage_files_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t) ++manage_dirs_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t) ++fs_tmpfs_filetrans(system_dbusd_t, system_dbusd_tmpfs_t, { dir file }) ++allow system_dbusd_t system_dbusd_tmpfs_t:file map; read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t) 
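Review bot: The new `system_dbusd_tmpfs_t` block grants `manage_files_pattern`/`manage_dirs_pattern` plus `allow system_dbusd_t system_dbusd_tmpfs_t:file map;`, i.e. a writable and mappable shared-memory type, with no comment on what the daemon maps there (presumably memfd-backed buffers, but that is not visible here). Suggest a short comment above the block such as `# tmpfs-backed buffers mapped read-write by the daemon; <placeholder: bug reference>`, and note that this same commit introduces `mmap_rw_files_pattern`, which is the idiomatic way to express `map` alongside read/write on this type pair. The `fs_tmpfs_filetrans` on `{ dir file }` looks consistent with the manage rules above it.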
@@ -24097,7 +24114,7 @@ index c9998c80d..328aa81d2 100644 mls_fd_use_all_levels(system_dbusd_t) mls_rangetrans_target(system_dbusd_t) mls_file_read_all_levels(system_dbusd_t) -@@ -123,66 +124,177 @@ term_dontaudit_use_console(system_dbusd_t) +@@ -123,66 +132,177 @@ term_dontaudit_use_console(system_dbusd_t) auth_use_nsswitch(system_dbusd_t) auth_read_pam_console_data(system_dbusd_t) @@ -24175,14 +24192,14 @@ index c9998c80d..328aa81d2 100644 + +optional_policy(` + snapper_read_inherited_pipe(system_dbusd_t) ++') ++ ++optional_policy(` ++ sysnet_domtrans_dhcpc(system_dbusd_t) ') optional_policy(` - seutil_sigchld_newrole(system_dbusd_t) -+ sysnet_domtrans_dhcpc(system_dbusd_t) -+') -+ -+optional_policy(` + systemd_use_fds_logind(system_dbusd_t) + systemd_write_inherited_logind_sessions_pipes(system_dbusd_t) + systemd_write_inhibit_pipes(system_dbusd_t) @@ -24216,7 +24233,7 @@ index c9998c80d..328aa81d2 100644 # +role system_r types system_bus_type; +dontaudit system_bus_type self:capability net_admin; -+ + +allow system_bus_type system_dbusd_t:unix_stream_socket rw_socket_perms; + +fs_search_all(system_bus_type) @@ -24250,7 +24267,7 @@ index c9998c80d..328aa81d2 100644 +ifdef(`hide_broken_symptoms',` + dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write }; +') - ++ +######################################## +# +# session_bus_type rules @@ -24289,7 +24306,7 @@ index c9998c80d..328aa81d2 100644 kernel_read_kernel_sysctls(session_bus_type) corecmd_list_bin(session_bus_type) -@@ -191,23 +303,18 @@ corecmd_read_bin_files(session_bus_type) +@@ -191,23 +311,18 @@ corecmd_read_bin_files(session_bus_type) corecmd_read_bin_pipes(session_bus_type) corecmd_read_bin_sockets(session_bus_type) 
@@ -24314,7 +24331,7 @@ index c9998c80d..328aa81d2 100644 files_dontaudit_search_var(session_bus_type) fs_getattr_romfs(session_bus_type) -@@ -215,7 +322,6 @@ fs_getattr_xattr_fs(session_bus_type) +@@ -215,7 +330,6 @@ fs_getattr_xattr_fs(session_bus_type) fs_list_inotifyfs(session_bus_type) fs_dontaudit_list_nfs(session_bus_type) @@ -24322,7 +24339,7 @@ index c9998c80d..328aa81d2 100644 selinux_validate_context(session_bus_type) selinux_compute_access_vector(session_bus_type) selinux_compute_create_context(session_bus_type) -@@ -225,18 +331,36 @@ selinux_compute_user_contexts(session_bus_type) +@@ -225,18 +339,36 @@ selinux_compute_user_contexts(session_bus_type) auth_read_pam_console_data(session_bus_type) logging_send_audit_msgs(session_bus_type) @@ -24364,7 +24381,7 @@ index c9998c80d..328aa81d2 100644 ') ######################################## -@@ -244,5 +368,9 @@ optional_policy(` +@@ -244,5 +376,9 @@ optional_policy(` # Unconfined access to this module # @@ -28598,7 +28615,7 @@ index 18f245250..a446210f0 100644 + ') diff --git a/dspam.te b/dspam.te -index ef6236335..084171673 100644 +index ef6236335..25dcb975a 100644 --- a/dspam.te +++ b/dspam.te @@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t) @@ -28624,7 +28641,7 @@ index ef6236335..084171673 100644 files_search_spool(dspam_t) -@@ -64,14 +73,32 @@ auth_use_nsswitch(dspam_t) +@@ -64,14 +73,35 @@ auth_use_nsswitch(dspam_t) logging_send_syslog_msg(dspam_t) @@ -28634,6 +28651,9 @@ index ef6236335..084171673 100644 apache_content_template(dspam) + apache_content_alias_template(dspam, dspam) + ++ manage_dirs_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t) ++ manage_files_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t) ++ + read_files_pattern(dspam_script_t, dspam_var_lib_t, dspam_var_lib_t) + + auth_read_passwd(dspam_script_t) 
@@ -28641,14 +28661,14 @@ index ef6236335..084171673 100644 + files_search_var_lib(dspam_script_t) + + domain_dontaudit_read_all_domains_state(dspam_script_t) -+ -+ term_dontaudit_search_ptys(dspam_script_t) -+ term_dontaudit_getattr_all_ttys(dspam_script_t) -+ term_dontaudit_getattr_all_ptys(dspam_script_t) - list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t) - manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t) - manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t) ++ term_dontaudit_search_ptys(dspam_script_t) ++ term_dontaudit_getattr_all_ttys(dspam_script_t) ++ term_dontaudit_getattr_all_ptys(dspam_script_t) ++ + init_read_utmp(dspam_script_t) + + logging_send_syslog_msg(dspam_script_t) @@ -28662,7 +28682,7 @@ index ef6236335..084171673 100644 ') optional_policy(` -@@ -87,3 +114,12 @@ optional_policy(` +@@ -87,3 +117,12 @@ optional_policy(` postgresql_tcp_connect(dspam_t) ') @@ -50810,7 +50830,7 @@ index 1d4eb19b8..650014e0f 100644 admin_pattern($1, memcached_var_run_t) ') diff --git a/memcached.te b/memcached.te -index 29b752160..8c41e59db 100644 +index 29b752160..5000dd91c 100644 --- a/memcached.te +++ b/memcached.te @@ -8,6 +8,7 @@ policy_module(memcached, 1.3.1) 
@@ -50830,7 +50850,16 @@ index 29b752160..8c41e59db 100644 dontaudit memcached_t self:capability sys_tty_config; allow memcached_t self:process { setrlimit signal_perms }; allow memcached_t self:tcp_socket { accept listen }; -@@ -59,4 +60,3 @@ term_dontaudit_use_console(memcached_t) +@@ -28,6 +29,8 @@ allow memcached_t self:udp_socket { accept listen }; + allow memcached_t self:fifo_file rw_fifo_file_perms; + allow memcached_t self:unix_stream_socket create_stream_socket_perms; + ++allow memcached_t memcached_exec_t:file map; ++ + manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) + manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) + manage_sock_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) +@@ -59,4 +62,3 @@ term_dontaudit_use_console(memcached_t) auth_use_nsswitch(memcached_t) @@ -54082,7 +54111,7 @@ index 6194b806b..e27c53d6e 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4fc..bb6533dae 100644 +index 11ac8e4fc..7e6607cab 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0) @@ -54536,7 +54565,7 @@ index 11ac8e4fc..bb6533dae 100644 ') optional_policy(` -@@ -300,259 +340,265 @@ optional_policy(` +@@ -300,259 +340,266 @@ optional_policy(` ######################################## # @@ -54833,6 +54862,7 @@ index 11ac8e4fc..bb6533dae 100644 +userdom_read_user_tmp_symlinks(mozilla_plugin_t) +userdom_stream_connect(mozilla_plugin_t) +userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t) ++userdom_map_user_home_files(mozilla_plugin_t) -ifndef(`enable_mls',` - fs_list_dos(mozilla_plugin_t) @@ -54948,7 +54978,7 @@ index 11ac8e4fc..bb6533dae 100644 ') optional_policy(` -@@ -560,7 +606,11 @@ optional_policy(` +@@ -560,7 +607,11 @@ optional_policy(` ') optional_policy(` @@ -54961,7 +54991,7 @@ index 11ac8e4fc..bb6533dae 100644 ') optional_policy(` -@@ -568,108 +618,144 @@ optional_policy(` +@@ -568,108 +619,144 @@ optional_policy(` ') optional_policy(` 
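Review bot: `allow memcached_t memcached_exec_t:file map;` maps the domain's own entrypoint; if `memcached_t` is declared through `init_daemon_domain`/`domain_entry_file` (outside this hunk), the entry-file rule in this same patch series is switched to `mmap_exec_file_perms`, which already contains `map`, so the explicit allow would be redundant. Worth confirming against the AVC that prompted it and, if it stays, annotating it, e.g. `# explicit map on the entrypoint: <placeholder: AVC or bug reference>`, so a later cleanup does not drop it blindly.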
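Review bot: `userdom_map_user_home_files(mozilla_plugin_t)` widens what the plugin sandbox may do with every `user_home_t` file (the changelog cites BZ(1452783)); the interface itself is added elsewhere in this commit and is not visible here, so confirm it grants `map` only alongside read permissions and not write, since a writable shared mapping of user data from the plugin domain would be a larger loosening than the bug title describes. A comment naming the component that needs it, e.g. `# BZ(1452783): <placeholder: plugin or library> mmaps files under the home directory`, would let a future reviewer judge whether the access can be scoped to a narrower type. The surrounding `userdom_*` call list continues outside the hunk.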
diff --git a/selinux-policy.spec b/selinux-policy.spec
index fcd59870..92ae0c90 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 306%{?dist}
+Release: 307%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -717,6 +717,16 @@ exit 0
 %endif
 %changelog
+* Tue Dec 19 2017 Lukas Vrabec - 3.13.1-307
+- Allow crond_t to read pcp lib files BZ(1525420)
+- Allow mozilla plugin domain to mmap user_home_t files BZ(1452783)
+- Allow certwatch_t to mmap generic certs. BZ(1527173)
+- Allow dspam_t to manage dspam_rw_conent_t objects. BZ(1290876)
+- Add interface userdom_map_user_home_files()
+- Sytemd introduced new feature when journald(syslogd_t) is trying to read symlinks to unit files in /run/systemd/units. This commit label /run/systemd/units/* as systemd_unit_file_t and allow syslogd_t to read this content. BZ(1527202)
+- Allow xdm_t dbus chat with modemmanager_t BZ(1526722)
+- All domains accessing home_cert_t objects should also mmap it. BZ(1519810)
+
 * Wed Dec 13 2017 Lukas Vrabec - 3.13.1-306
 - Allow thumb_t domain to dosfs_t BZ(1517720)
 - Allow gssd_t to read realmd_var_lib_t files BZ(1521125)