* Tue Oct 24 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-299

- Label /usr/libexec/bluetooth/obexd as bluetoothd_exec_t to run process as bluetooth_t
- Allow chronyd_t to request kernel module and block_suspend capability
- Allow system_cronjob_t to create /var/lib/letsencrypt dir with right label
- Allow slapd_t domain to mmap files labeled as slapd_db_t BZ(1505414)
- Allow dnssec_trigger_t domain to execute binaries with dnssec_trigger_exec_t BZ(1487912)
- Allow l2tpd_t domain to send SIGKILL to ipsec_mgmt_t domains BZ(1505220)
- Allow thumb_t to create thumb_home_t files in user_home_dir_t directory BZ(1474110)
- Allow httpd_t to also read httpd_user_content_type dirs when httpd_enable_homedirs is enabled
- Allow svnserve to use kerberos
- Allow conman to use ptmx. Add conman_use_nfs boolean
- Allow nnp transition for amavis and tmpreaper SELinux domains
- Allow chronyd_t to mmap chronyc_exec_t binary files
- Add dac_read_search capability to openvswitch_t domain
- Allow svnserve to manage own svnserve_log_t files/dirs
- Allow keepalived_t to search network sysctls
- Allow puppetagent_t domain dbus chat with rhsmcertd_t domain
- Add kill capability to openvswitch_t domain
- Label also compressed logs in /var/log for different services
- Allow inetd_child_t and system_cronjob_t to run chronyc.
- Allow chrony to create netlink route sockets
- Add SELinux support for chronyc
- Add support for running certbot(letsencrypt) in crontab
- Allow nnp transition for unconfined_service_t
- Allow unpriv user domains and unconfined_service_t to use chronyc
Lukas Vrabec 2017-10-24 21:29:48 +02:00
parent 2fff8fe522
commit 7911257b23
4 changed files with 470 additions and 259 deletions

Binary file not shown.


@ -27411,10 +27411,10 @@ index 000000000..bb9082586
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
index 000000000..bdfe41b61
index 000000000..93d7f8839
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,363 @@
@@ -0,0 +1,367 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
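Review bot: the header bump for the new file policy/modules/roles/unconfineduser.te from `@@ -0,0 +1,363 @@` to `@@ -0,0 +1,367 @@` only holds if exactly four lines are added to that file elsewhere in this patch, namely the `optional_policy(` block carrying `chronyd_run_chronyc(unconfined_t, unconfined_r)` in the next hunk (three lines plus its trailing blank). Because both the `index` line and the line count live inside a patch file, the arithmetic is easy to get subtly wrong, so confirm with a dry-run apply (`git apply --check` or `patch --dry-run`) that the regenerated patch still applies before merging.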
@ -27735,6 +27735,10 @@ index 000000000..bdfe41b61
+')
+
+optional_policy(`
+ chronyd_run_chronyc(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ oddjob_run_mkhomedir(unconfined_t, unconfined_r)
+ oddjob_run(unconfined_t, unconfined_r)
+')
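Review bot: `chronyd_run_chronyc(unconfined_t, unconfined_r)` is correctly wrapped in `optional_policy(` because chronyd is a contrib module, but the interface must still be defined when the base policy is built, so this base change only compiles together with the contrib patch of the same release that adds chronyc support (the commit message's "Add SELinux support for chronyc"). Assuming the interface follows the usual `*_run` pattern (domain transition plus role allow), chronyc started from unconfined_t will now run confined in the chronyc domain instead of staying unconfined, so the chronyc policy has to cover everything root expects from the tool (its config, the command socket or command port, and its output); otherwise this is a functional regression for root rather than a hardening.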
@ -43463,7 +43467,7 @@ index 79048c410..d404d6528 100644
udev_read_pid_files(lvm_t)
')
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 9fe8e01e3..c62c76136 100644
index 9fe8e01e3..6aa1ea05a 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -9,11 +9,16 @@ ifdef(`distro_gentoo',`
@ -43524,16 +43528,19 @@ index 9fe8e01e3..c62c76136 100644
/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
@@ -90,6 +91,7 @@ ifdef(`distro_debian',`
@@ -89,7 +90,10 @@ ifdef(`distro_debian',`
/var/lib/usbutils(/.*)? gen_context(system_u:object_r:hwdata_t,s0)
')
+/var/lib/letsencrypt(/.*)? gen_context(system_u:object_r:cert_t,s0)
+
ifdef(`distro_redhat',`
+/var/named/chroot/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
/var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
/var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
')
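Review bot: `/var/lib/letsencrypt` is certbot's working directory (its default `--work-dir`, used for backups of modified web-server configuration and temporary challenge material), while the certificates and keys live under `/etc/letsencrypt`, so giving the whole tree `cert_t` means every domain that reads certificates through the generic cert_t interfaces can also read that working data. If `cert_t` was chosen only so that cron jobs can create the directory (see the new `miscfiles_filetrans_named_content_letsencrypt` interface in this patch), a short comment saying so would help, and because an .fc change does not relabel existing files the directory needs the usual relabel step on upgrade (restorecon on `/var/lib/letsencrypt`) or it keeps its old `var_lib_t` label on upgraded systems. The `/var/named/chroot/etc/localtime` entry is correctly placed inside the `distro_redhat` block next to the other chroot localtime entries.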
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index fc28bc31b..7ed7664fb 100644
index fc28bc31b..1701f0861 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -67,6 +67,27 @@ interface(`miscfiles_read_all_certs',`
@ -43777,7 +43784,7 @@ index fc28bc31b..7ed7664fb 100644
')
########################################
@@ -809,3 +944,61 @@ interface(`miscfiles_manage_localization',`
@@ -809,3 +944,81 @@ interface(`miscfiles_manage_localization',`
manage_lnk_files_pattern($1, locale_t, locale_t)
')
@ -43831,6 +43838,7 @@ index fc28bc31b..7ed7664fb 100644
+ files_var_filetrans($1, man_t, dir, "man")
+ files_etc_filetrans($1, cert_t, dir, "pki")
+ files_usr_filetrans($1, cert_t, dir, "certs")
+ files_var_lib_filetrans($1, cert_t, dir, "letsencrypt")
+ files_usr_filetrans($1, fonts_t, dir, "fonts")
+ files_usr_filetrans($1, hwdata_t, dir, "hwdata")
+ files_var_filetrans($1, fonts_cache_t, dir, "fontconfig")
@ -43839,6 +43847,25 @@ index fc28bc31b..7ed7664fb 100644
+ files_var_lib_filetrans($1, tetex_data_t, dir, "texmf")
+ files_var_filetrans($1, public_content_t, dir, "ftp")
+')
+
+
+########################################
+## <summary>
+## Transition to miscfiles named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_filetrans_named_content_letsencrypt',`
+ gen_require(`
+ type cert_t;
+ ')
+
+ files_var_lib_filetrans($1, cert_t, dir, "letsencrypt")
+')
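Review bot: the comment block of the new `miscfiles_filetrans_named_content_letsencrypt` interface copies the generic summary "Transition to miscfiles named content"; it should describe what it grants, e.g. "Create the letsencrypt directory in /var/lib with the cert_t type", since that summary is what the interface documentation shows to policy writers. The body is the single `files_var_lib_filetrans($1, cert_t, dir, "letsencrypt")` rule that this patch also adds to `miscfiles_filetrans_named_content`, which is the right split (a cron job can be given just this transition rather than every named-content transition); also drop one of the two consecutive blank lines before the `####` banner to match the spacing used elsewhere in the file.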
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 1361961d0..be6b7fc80 100644
--- a/policy/modules/system/miscfiles.te
@ -52359,10 +52386,10 @@ index 5ca20a97d..43bb011b3 100644
+ allow $1 unconfined_service_t:process { noatsecure };
')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 5fe902db3..0a7c3bb00 100644
index 5fe902db3..52a051d8a 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,207 +1,33 @@
@@ -1,207 +1,38 @@
-policy_module(unconfined, 3.5.1)
+policy_module(unconfined, 3.5.0)
@ -52382,6 +52409,7 @@ index 5fe902db3..0a7c3bb00 100644
+type unconfined_service_t;
+domain_type(unconfined_service_t)
+role system_r types unconfined_service_t;
+init_nnp_daemon_domain(unconfined_service_t)
-type unconfined_exec_t;
-init_system_domain(unconfined_t, unconfined_exec_t)
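Review bot: `init_nnp_daemon_domain(unconfined_service_t)` is placed after `domain_type(unconfined_service_t)`, so the type is declared before the interface references it. What it grants is the ability for init to enter unconfined_service_t even for a unit that runs with NoNewPrivileges=yes, a deliberate widening for a domain that is unconfined by definition, and it deserves a one-line comment in the .te saying it exists for unconfined services started with that unit setting. The inner header change from `@@ -1,207 +1,33 @@` to `@@ -1,207 +1,38 @@` must match the five lines this patch adds to unconfined.te in total (this line plus the four-line chronyc block below), which a dry-run apply will confirm.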
@ -52434,24 +52462,30 @@ index 5fe902db3..0a7c3bb00 100644
- apache_run_helper(unconfined_t, unconfined_r)
- apache_role(unconfined_r, unconfined_t)
-')
-
+role unconfined_r types unconfined_service_t;
-optional_policy(`
- bind_run_ndc(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
+corecmd_bin_entry_type(unconfined_service_t)
+corecmd_shell_entry_type(unconfined_service_t)
optional_policy(`
- bootloader_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
+ rpm_transition_script(unconfined_service_t, system_r)
')
optional_policy(`
- cron_unconfined_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
+ chronyd_run_chronyc(unconfined_service_t, system_r)
')
optional_policy(`
- firstboot_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
+ dbus_chat_system_bus(unconfined_service_t)
')
optional_policy(`
- ftp_run_ftpdctl(unconfined_t, unconfined_r)
-')
-
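Review bot: `chronyd_run_chronyc(unconfined_service_t, system_r)` passes `system_r`, which matches `role system_r types unconfined_service_t;` above, but the inner patch also declares `role unconfined_r types unconfined_service_t;`. Assuming the usual `*_run` pattern, the role allow is granted only for the role passed in, so a chronyc transition from an unconfined_service_t process running in unconfined_r would still fail the role part of the check; either that second role line is dead and can go, or unconfined_r should be passed as well. This hunk also interleaves `optional_policy(` lines between removed lines, which looks like a regenerated patch, so build the policy once to make sure the resulting unconfined.te has balanced `optional_policy(`/`')` pairs.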
@ -52523,8 +52557,7 @@ index 5fe902db3..0a7c3bb00 100644
-optional_policy(`
- rpm_run(unconfined_t, unconfined_r)
-')
+role unconfined_r types unconfined_service_t;
-
-optional_policy(`
- samba_run_net(unconfined_t, unconfined_r)
- samba_run_winbind_helper(unconfined_t, unconfined_r)
@ -52546,20 +52579,16 @@ index 5fe902db3..0a7c3bb00 100644
-optional_policy(`
- unconfined_dbus_chat(unconfined_t)
-')
+corecmd_bin_entry_type(unconfined_service_t)
+corecmd_shell_entry_type(unconfined_service_t)
optional_policy(`
-
-optional_policy(`
- usermanage_run_admin_passwd(unconfined_t, unconfined_r)
+ rpm_transition_script(unconfined_service_t, system_r)
')
optional_policy(`
-')
-
-optional_policy(`
- vpn_run(unconfined_t, unconfined_r)
+ dbus_chat_system_bus(unconfined_service_t)
')
optional_policy(`
-')
-
-optional_policy(`
- webalizer_run(unconfined_t, unconfined_r)
-')
-
@ -52628,7 +52657,7 @@ index db7597682..c54480a1d 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9dc60c6c0..1d1213e00 100644
index 9dc60c6c0..562afbe9a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -53653,7 +53682,7 @@ index 9dc60c6c0..1d1213e00 100644
userdom_change_password_template($1)
@@ -761,86 +1031,117 @@ template(`userdom_login_user_template', `
@@ -761,86 +1031,121 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@ -53797,6 +53826,10 @@ index 9dc60c6c0..1d1213e00 100644
+ ')
+
+ optional_policy(`
+ chronyd_run_chronyc($1_t, $1_r)
+ ')
+
+ optional_policy(`
+ ipa_run_helper($1_t, $1_r)
+ ')
+
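Review bot: `chronyd_run_chronyc($1_t, $1_r)` is added to `userdom_login_user_template`, which is the base the restricted and unprivileged user templates in this file build on, so guest-style domains get the chronyc transition too, not only the unprivileged users named in the commit message. If chronyc, which talks to chronyd's command interface, should be reachable only by regular unprivileged users, the block belongs next to the `mount_run_fusermount` and `postfix_run_postdrop` transitions in `userdom_unpriv_user_template` further down; if guest access is intended, say so in the commit message so the choice is reviewable.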
@ -53809,7 +53842,7 @@ index 9dc60c6c0..1d1213e00 100644
## <summary>
## The template for creating a unprivileged login user.
## </summary>
@@ -868,6 +1169,12 @@ template(`userdom_restricted_user_template',`
@@ -868,6 +1173,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
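Review bot: a large share of the remaining userdomain.if hunks, starting with this one, only shift the inner `@@` headers by four lines (`@@ -868,6 +1169,12 @@` becomes `@@ -868,6 +1173,12 @@`) to account for the four lines inserted in `userdom_login_user_template`; they change no policy and are what regenerating the patch produces. They are fine as long as the whole file applies cleanly, but not every hunk below is offset-only, so the content hunks (the gen_require clean-ups and the `userdom_getattr_all_users` block) still need to be read individually.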
@ -53822,7 +53855,7 @@ index 9dc60c6c0..1d1213e00 100644
##############################
#
# Local policy
@@ -907,53 +1214,143 @@ template(`userdom_restricted_xwindows_user_template',`
@@ -907,53 +1218,143 @@ template(`userdom_restricted_xwindows_user_template',`
#
# Local policy
#
@ -53901,13 +53934,15 @@ index 9dc60c6c0..1d1213e00 100644
+ dbus_role_template($1, $1_r, $1_usertype)
+ dbus_system_bus_client($1_usertype)
+ allow $1_usertype $1_usertype:dbus send_msg;
+
+ optional_policy(`
optional_policy(`
- consolekit_dbus_chat($1_t)
+ abrt_dbus_chat($1_usertype)
+ abrt_run_helper($1_usertype, $1_r)
+ ')
+
+ optional_policy(`
')
optional_policy(`
- cups_dbus_chat($1_t)
+ accountsd_dbus_chat($1_usertype)
+ ')
+
@ -53915,15 +53950,13 @@ index 9dc60c6c0..1d1213e00 100644
+ consolekit_dontaudit_read_log($1_usertype)
+ consolekit_dbus_chat($1_usertype)
+ ')
optional_policy(`
- consolekit_dbus_chat($1_t)
+
+ optional_policy(`
+ cups_dbus_chat($1_usertype)
+ cups_dbus_chat_config($1_usertype)
')
optional_policy(`
- cups_dbus_chat($1_t)
+ ')
+
+ optional_policy(`
+ devicekit_dbus_chat($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
+ devicekit_dbus_chat_power($1_usertype)
@ -53978,7 +54011,7 @@ index 9dc60c6c0..1d1213e00 100644
')
#######################################
@@ -987,27 +1384,36 @@ template(`userdom_unpriv_user_template', `
@@ -987,27 +1388,36 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@ -54019,7 +54052,7 @@ index 9dc60c6c0..1d1213e00 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
@@ -1018,23 +1424,64 @@ template(`userdom_unpriv_user_template', `
@@ -1018,23 +1428,64 @@ template(`userdom_unpriv_user_template', `
')
')
@ -54080,21 +54113,21 @@ index 9dc60c6c0..1d1213e00 100644
+ optional_policy(`
+ mount_run_fusermount($1_t, $1_r)
+ mount_read_pid_files($1_t)
+ ')
+
+ optional_policy(`
+ wine_role_template($1, $1_r, $1_t)
')
optional_policy(`
- netutils_run_ping_cond($1_t, $1_r)
- netutils_run_traceroute_cond($1_t, $1_r)
+ wine_role_template($1, $1_r, $1_t)
+ ')
+
+ optional_policy(`
+ postfix_run_postdrop($1_t, $1_r)
+ postfix_search_spool($1_t)
')
# Run pppd in pppd_t by default for user
@@ -1043,7 +1490,9 @@ template(`userdom_unpriv_user_template', `
@@ -1043,7 +1494,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@ -54105,7 +54138,7 @@ index 9dc60c6c0..1d1213e00 100644
')
')
@@ -1079,7 +1528,9 @@ template(`userdom_unpriv_user_template', `
@@ -1079,7 +1532,9 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@ -54116,7 +54149,7 @@ index 9dc60c6c0..1d1213e00 100644
')
##############################
@@ -1095,6 +1546,7 @@ template(`userdom_admin_user_template',`
@@ -1095,6 +1550,7 @@ template(`userdom_admin_user_template',`
role system_r types $1_t;
typeattribute $1_t admindomain;
@ -54124,7 +54157,7 @@ index 9dc60c6c0..1d1213e00 100644
ifdef(`direct_sysadm_daemon',`
domain_system_change_exemption($1_t)
@@ -1105,14 +1557,8 @@ template(`userdom_admin_user_template',`
@@ -1105,14 +1561,8 @@ template(`userdom_admin_user_template',`
# $1_t local policy
#
@ -54141,7 +54174,7 @@ index 9dc60c6c0..1d1213e00 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
@@ -1128,6 +1574,8 @@ template(`userdom_admin_user_template',`
@@ -1128,6 +1578,8 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@ -54150,7 +54183,7 @@ index 9dc60c6c0..1d1213e00 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
@@ -1145,10 +1593,15 @@ template(`userdom_admin_user_template',`
@@ -1145,10 +1597,15 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@ -54166,7 +54199,7 @@ index 9dc60c6c0..1d1213e00 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
@@ -1159,29 +1612,40 @@ template(`userdom_admin_user_template',`
@@ -1159,29 +1616,40 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@ -54211,7 +54244,7 @@ index 9dc60c6c0..1d1213e00 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
@@ -1191,6 +1655,8 @@ template(`userdom_admin_user_template',`
@@ -1191,6 +1659,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@ -54220,7 +54253,7 @@ index 9dc60c6c0..1d1213e00 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
@@ -1198,13 +1664,21 @@ template(`userdom_admin_user_template',`
@@ -1198,13 +1668,21 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@ -54243,7 +54276,7 @@ index 9dc60c6c0..1d1213e00 100644
optional_policy(`
postgresql_unconfined($1_t)
')
@@ -1240,8 +1714,8 @@ template(`userdom_admin_user_template',`
@@ -1240,8 +1718,8 @@ template(`userdom_admin_user_template',`
## </summary>
## </param>
#
@ -54254,7 +54287,7 @@ index 9dc60c6c0..1d1213e00 100644
corecmd_exec_shell($1)
@@ -1250,6 +1724,8 @@ template(`userdom_security_admin_template',`
@@ -1250,6 +1728,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@ -54263,7 +54296,7 @@ index 9dc60c6c0..1d1213e00 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
@@ -1262,8 +1738,10 @@ template(`userdom_security_admin_template',`
@@ -1262,8 +1742,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@ -54275,7 +54308,7 @@ index 9dc60c6c0..1d1213e00 100644
auth_relabel_shadow($1)
init_exec($1)
@@ -1274,29 +1752,31 @@ template(`userdom_security_admin_template',`
@@ -1274,29 +1756,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@ -54318,7 +54351,7 @@ index 9dc60c6c0..1d1213e00 100644
')
optional_policy(`
@@ -1357,14 +1837,17 @@ interface(`userdom_user_home_content',`
@@ -1357,14 +1841,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@ -54337,7 +54370,7 @@ index 9dc60c6c0..1d1213e00 100644
')
########################################
@@ -1397,12 +1880,52 @@ interface(`userdom_user_tmp_file',`
@@ -1397,12 +1884,52 @@ interface(`userdom_user_tmp_file',`
## </param>
#
interface(`userdom_user_tmpfs_file',`
@ -54391,7 +54424,7 @@ index 9dc60c6c0..1d1213e00 100644
## Allow domain to attach to TUN devices created by administrative users.
## </summary>
## <param name="domain">
@@ -1509,11 +2032,31 @@ interface(`userdom_search_user_home_dirs',`
@@ -1509,11 +2036,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@ -54423,7 +54456,7 @@ index 9dc60c6c0..1d1213e00 100644
## Do not audit attempts to search user home directories.
## </summary>
## <desc>
@@ -1555,6 +2098,14 @@ interface(`userdom_list_user_home_dirs',`
@@ -1555,6 +2102,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@ -54438,7 +54471,7 @@ index 9dc60c6c0..1d1213e00 100644
')
########################################
@@ -1570,9 +2121,11 @@ interface(`userdom_list_user_home_dirs',`
@@ -1570,9 +2125,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@ -54450,7 +54483,7 @@ index 9dc60c6c0..1d1213e00 100644
')
########################################
@@ -1613,6 +2166,24 @@ interface(`userdom_manage_user_home_dirs',`
@@ -1613,6 +2170,24 @@ interface(`userdom_manage_user_home_dirs',`
########################################
## <summary>
@ -54475,7 +54508,7 @@ index 9dc60c6c0..1d1213e00 100644
## Relabel to user home directories.
## </summary>
## <param name="domain">
@@ -1631,6 +2202,59 @@ interface(`userdom_relabelto_user_home_dirs',`
@@ -1631,6 +2206,59 @@ interface(`userdom_relabelto_user_home_dirs',`
########################################
## <summary>
@ -54535,7 +54568,7 @@ index 9dc60c6c0..1d1213e00 100644
## Create directories in the home dir root with
## the user home directory type.
## </summary>
@@ -1704,10 +2328,12 @@ interface(`userdom_user_home_domtrans',`
@@ -1704,10 +2332,12 @@ interface(`userdom_user_home_domtrans',`
#
interface(`userdom_dontaudit_search_user_home_content',`
gen_require(`
@ -54550,7 +54583,7 @@ index 9dc60c6c0..1d1213e00 100644
')
########################################
@@ -1741,10 +2367,12 @@ interface(`userdom_list_all_user_home_content',`
@@ -1741,10 +2371,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@ -54565,7 +54598,7 @@ index 9dc60c6c0..1d1213e00 100644
')
########################################
@@ -1769,7 +2397,7 @@ interface(`userdom_manage_user_home_content_dirs',`
@@ -1769,7 +2401,7 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
## <summary>
@ -54574,7 +54607,7 @@ index 9dc60c6c0..1d1213e00 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1777,19 +2405,17 @@ interface(`userdom_manage_user_home_content_dirs',`
@@ -1777,19 +2409,17 @@ interface(`userdom_manage_user_home_content_dirs',`
## </summary>
## </param>
#
@ -54598,7 +54631,7 @@ index 9dc60c6c0..1d1213e00 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1797,47 +2423,157 @@ interface(`userdom_delete_all_user_home_content_dirs',`
@@ -1797,45 +2427,155 @@ interface(`userdom_delete_all_user_home_content_dirs',`
## </summary>
## </param>
#
@ -54653,8 +54686,7 @@ index 9dc60c6c0..1d1213e00 100644
#
-interface(`userdom_dontaudit_setattr_user_home_content_files',`
+interface(`userdom_setattr_user_tmp_files',`
gen_require(`
- type user_home_t;
+ gen_require(`
+ type user_tmp_t;
+ ')
+
@ -54764,12 +54796,10 @@ index 9dc60c6c0..1d1213e00 100644
+## </param>
+#
+interface(`userdom_dontaudit_setattr_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
gen_require(`
type user_home_t;
')
dontaudit $1 user_home_t:file setattr_file_perms;
@@ -1845,6 +2581,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
@@ -1845,6 +2585,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@ -54795,7 +54825,7 @@ index 9dc60c6c0..1d1213e00 100644
## Mmap user home files.
## </summary>
## <param name="domain">
@@ -1875,14 +2630,36 @@ interface(`userdom_mmap_user_home_content_files',`
@@ -1875,14 +2634,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@ -54833,7 +54863,7 @@ index 9dc60c6c0..1d1213e00 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
@@ -1893,11 +2670,14 @@ interface(`userdom_read_user_home_content_files',`
@@ -1893,11 +2674,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@ -54851,7 +54881,7 @@ index 9dc60c6c0..1d1213e00 100644
')
########################################
@@ -1938,7 +2718,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
@@ -1938,7 +2722,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
## <summary>
@ -54860,7 +54890,7 @@ index 9dc60c6c0..1d1213e00 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1946,10 +2726,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
@@ -1946,10 +2730,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
## </summary>
## </param>
#
@ -54873,7 +54903,7 @@ index 9dc60c6c0..1d1213e00 100644
')
userdom_search_user_home_content($1)
@@ -1958,7 +2737,7 @@ interface(`userdom_delete_all_user_home_content_files',`
@@ -1958,7 +2741,7 @@ interface(`userdom_delete_all_user_home_content_files',`
########################################
## <summary>
@ -54882,7 +54912,7 @@ index 9dc60c6c0..1d1213e00 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1966,12 +2745,66 @@ interface(`userdom_delete_all_user_home_content_files',`
@@ -1966,12 +2749,66 @@ interface(`userdom_delete_all_user_home_content_files',`
## </summary>
## </param>
#
@ -54951,7 +54981,7 @@ index 9dc60c6c0..1d1213e00 100644
')
########################################
@@ -2007,8 +2840,7 @@ interface(`userdom_read_user_home_content_symlinks',`
@@ -2007,8 +2844,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@ -54961,7 +54991,7 @@ index 9dc60c6c0..1d1213e00 100644
')
########################################
@@ -2024,20 +2856,14 @@ interface(`userdom_read_user_home_content_symlinks',`
@@ -2024,20 +2860,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@ -54986,7 +55016,7 @@ index 9dc60c6c0..1d1213e00 100644
########################################
## <summary>
@@ -2120,7 +2946,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
@@ -2120,7 +2950,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
## <summary>
@ -54995,7 +55025,7 @@ index 9dc60c6c0..1d1213e00 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2128,19 +2954,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
@@ -2128,19 +2958,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
## </summary>
## </param>
#
@ -55019,7 +55049,7 @@ index 9dc60c6c0..1d1213e00 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2148,12 +2972,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
@@ -2148,12 +2976,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
## </summary>
## </param>
#
@ -55035,7 +55065,7 @@ index 9dc60c6c0..1d1213e00 100644
')
########################################
@@ -2388,18 +3212,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
@@ -2388,18 +3216,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
## </summary>
## </param>
#
@ -55093,7 +55123,7 @@ index 9dc60c6c0..1d1213e00 100644
## Do not audit attempts to read users
## temporary files.
## </summary>
@@ -2414,7 +3274,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
@@ -2414,7 +3278,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@ -55102,7 +55132,7 @@ index 9dc60c6c0..1d1213e00 100644
')
########################################
@@ -2455,6 +3315,25 @@ interface(`userdom_rw_user_tmp_files',`
@@ -2455,6 +3319,25 @@ interface(`userdom_rw_user_tmp_files',`
rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
@ -55128,7 +55158,7 @@ index 9dc60c6c0..1d1213e00 100644
########################################
## <summary>
@@ -2538,7 +3417,7 @@ interface(`userdom_manage_user_tmp_files',`
@@ -2538,7 +3421,7 @@ interface(`userdom_manage_user_tmp_files',`
########################################
## <summary>
## Create, read, write, and delete user
@ -55137,7 +55167,7 @@ index 9dc60c6c0..1d1213e00 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2546,19 +3425,19 @@ interface(`userdom_manage_user_tmp_files',`
@@ -2546,19 +3429,19 @@ interface(`userdom_manage_user_tmp_files',`
## </summary>
## </param>
#
@ -55160,7 +55190,7 @@ index 9dc60c6c0..1d1213e00 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2566,19 +3445,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
@@ -2566,19 +3449,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
## </summary>
## </param>
#
@ -55183,7 +55213,7 @@ index 9dc60c6c0..1d1213e00 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2586,19 +3465,60 @@ interface(`userdom_manage_user_tmp_pipes',`
@@ -2586,20 +3469,61 @@ interface(`userdom_manage_user_tmp_pipes',`
## </summary>
## </param>
#
@ -55203,6 +55233,7 @@ index 9dc60c6c0..1d1213e00 100644
## <summary>
-## Create objects in a user temporary directory
-## with an automatic type transition to
-## a specified private type.
+## Create, read, write, and delete user
+## temporary named pipes.
+## </summary>
@ -55245,10 +55276,11 @@ index 9dc60c6c0..1d1213e00 100644
+## <summary>
+## Create objects in a user temporary directory
+## with an automatic type transition to
## a specified private type.
+## a specified private type.
## </summary>
## <param name="domain">
@@ -2661,6 +3581,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
## <summary>
@@ -2661,6 +3585,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@ -55270,7 +55302,7 @@ index 9dc60c6c0..1d1213e00 100644
########################################
## <summary>
## Read user tmpfs files.
@@ -2672,18 +3607,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
@@ -2672,18 +3611,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
## </param>
#
interface(`userdom_read_user_tmpfs_files',`
@ -55292,7 +55324,7 @@ index 9dc60c6c0..1d1213e00 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2692,19 +3622,13 @@ interface(`userdom_read_user_tmpfs_files',`
@@ -2692,19 +3626,13 @@ interface(`userdom_read_user_tmpfs_files',`
## </param>
#
interface(`userdom_rw_user_tmpfs_files',`
@ -55315,7 +55347,7 @@ index 9dc60c6c0..1d1213e00 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2713,13 +3637,56 @@ interface(`userdom_rw_user_tmpfs_files',`
@@ -2713,13 +3641,56 @@ interface(`userdom_rw_user_tmpfs_files',`
## </param>
#
interface(`userdom_manage_user_tmpfs_files',`
@ -55376,7 +55408,7 @@ index 9dc60c6c0..1d1213e00 100644
')
########################################
@@ -2814,6 +3781,24 @@ interface(`userdom_use_user_ttys',`
@@ -2814,6 +3785,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@ -55401,7 +55433,7 @@ index 9dc60c6c0..1d1213e00 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
@@ -2832,22 +3817,34 @@ interface(`userdom_use_user_ptys',`
@@ -2832,22 +3821,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@ -55444,7 +55476,7 @@ index 9dc60c6c0..1d1213e00 100644
## </desc>
## <param name="domain">
## <summary>
@@ -2856,14 +3853,33 @@ interface(`userdom_use_user_ptys',`
@@ -2856,14 +3857,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@ -55482,7 +55514,7 @@ index 9dc60c6c0..1d1213e00 100644
')
########################################
@@ -2882,8 +3898,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
@@ -2882,8 +3902,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@ -55512,7 +55544,7 @@ index 9dc60c6c0..1d1213e00 100644
')
########################################
@@ -2955,6 +3990,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
@@ -2955,6 +3994,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@ -55555,7 +55587,7 @@ index 9dc60c6c0..1d1213e00 100644
########################################
## <summary>
## Execute an Xserver session in all unprivileged user domains. This
@@ -2978,24 +4049,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
@@ -2978,24 +4053,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@ -55580,7 +55612,7 @@ index 9dc60c6c0..1d1213e00 100644
########################################
## <summary>
## Manage unpriviledged user SysV sempaphores.
@@ -3014,9 +4067,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
@@ -3014,9 +4071,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
allow $1 unpriv_userdomain:sem create_sem_perms;
')
@ -55592,7 +55624,7 @@ index 9dc60c6c0..1d1213e00 100644
## memory segments.
## </summary>
## <param name="domain">
@@ -3025,17 +4078,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
@@ -3025,17 +4082,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@ -55613,7 +55645,7 @@ index 9dc60c6c0..1d1213e00 100644
## memory segments.
## </summary>
## <param name="domain">
@@ -3044,12 +4097,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
@@ -3044,12 +4101,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
## </summary>
## </param>
#
@ -55628,7 +55660,7 @@ index 9dc60c6c0..1d1213e00 100644
')
########################################
@@ -3094,7 +4147,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
@@ -3094,7 +4151,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@ -55637,7 +55669,7 @@ index 9dc60c6c0..1d1213e00 100644
allow unpriv_userdomain $1:process sigchld;
')
@@ -3110,29 +4163,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
@@ -3110,29 +4167,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@ -55671,7 +55703,7 @@ index 9dc60c6c0..1d1213e00 100644
')
########################################
@@ -3214,7 +4251,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
@@ -3214,7 +4255,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@ -55698,7 +55730,7 @@ index 9dc60c6c0..1d1213e00 100644
')
########################################
@@ -3269,12 +4324,13 @@ interface(`userdom_write_user_tmp_files',`
@@ -3269,12 +4328,13 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@ -55714,7 +55746,7 @@ index 9dc60c6c0..1d1213e00 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3282,49 +4338,125 @@ interface(`userdom_write_user_tmp_files',`
@@ -3282,46 +4342,122 @@ interface(`userdom_write_user_tmp_files',`
## </summary>
## </param>
#
@ -55772,9 +55804,8 @@ index 9dc60c6c0..1d1213e00 100644
gen_require(`
- attribute userdomain;
+ type user_tmp_t;
')
- allow $1 userdomain:process getattr;
+ ')
+
+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
@ -55848,13 +55879,10 @@ index 9dc60c6c0..1d1213e00 100644
+interface(`userdom_getattr_all_users',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:process getattr;
')
')
########################################
@@ -3382,6 +4514,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process getattr;
@@ -3382,6 +4518,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
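Review bot: this hunk drops the extra `+ ')` and `+ allow $1 userdomain:process getattr;` lines that the earlier version of the patch carried next to the existing ones in `userdom_getattr_all_users`, which would have doubled the closing `')` of the generated interface; that kind of error surfaces only as an m4 or checkpolicy failure far from the real cause, so build once with the regenerated patch. The inner header going from `-3282,49 +4338,125` to `-3282,46 +4342,122` should likewise be confirmed by a dry-run apply rather than by hand.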
@ -55897,7 +55925,7 @@ index 9dc60c6c0..1d1213e00 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
@@ -3402,6 +4570,60 @@ interface(`userdom_sigchld_all_users',`
@@ -3402,6 +4574,60 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@ -55958,7 +55986,7 @@ index 9dc60c6c0..1d1213e00 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
@@ -3435,4 +4657,1835 @@ interface(`userdom_dbus_send_all_users',`
@@ -3435,4 +4661,1835 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;


@ -2531,10 +2531,18 @@ index 60d4f8c90..18ef0772c 100644
domain_system_change_exemption($1)
role_transition $2 amavis_initrc_exec_t system_r;
diff --git a/amavis.te b/amavis.te
index 91fa72ae1..2e9b8246a 100644
index 91fa72ae1..11a55da57 100644
--- a/amavis.te
+++ b/amavis.te
@@ -39,14 +39,14 @@ type amavis_quarantine_t;
@@ -16,6 +16,7 @@ gen_tunable(amavis_use_jit, false)
type amavis_t;
type amavis_exec_t;
init_daemon_domain(amavis_t, amavis_exec_t)
+init_nnp_daemon_domain(amavis_t)
type amavis_etc_t;
files_config_file(amavis_etc_t)
@@ -39,14 +40,14 @@ type amavis_quarantine_t;
files_type(amavis_quarantine_t)
type amavis_spool_t;
@ -2551,7 +2559,7 @@ index 91fa72ae1..2e9b8246a 100644
dontaudit amavis_t self:capability sys_tty_config;
allow amavis_t self:process signal_perms;
allow amavis_t self:fifo_file rw_fifo_file_perms;
@@ -67,9 +67,12 @@ manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
@@ -67,9 +68,12 @@ manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
@ -2565,7 +2573,7 @@ index 91fa72ae1..2e9b8246a 100644
manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
@@ -95,7 +98,6 @@ kernel_dontaudit_read_proc_symlinks(amavis_t)
@@ -95,7 +99,6 @@ kernel_dontaudit_read_proc_symlinks(amavis_t)
corecmd_exec_bin(amavis_t)
corecmd_exec_shell(amavis_t)
@ -2573,7 +2581,7 @@ index 91fa72ae1..2e9b8246a 100644
corenet_all_recvfrom_netlabel(amavis_t)
corenet_tcp_sendrecv_generic_if(amavis_t)
corenet_udp_sendrecv_generic_if(amavis_t)
@@ -118,6 +120,7 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t)
@@ -118,6 +121,7 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t)
corenet_sendrecv_razor_client_packets(amavis_t)
corenet_tcp_connect_razor_port(amavis_t)
@ -2581,7 +2589,7 @@ index 91fa72ae1..2e9b8246a 100644
dev_read_rand(amavis_t)
dev_read_sysfs(amavis_t)
@@ -127,7 +130,6 @@ domain_use_interactive_fds(amavis_t)
@@ -127,7 +131,6 @@ domain_use_interactive_fds(amavis_t)
domain_dontaudit_read_all_domains_state(amavis_t)
files_read_etc_runtime_files(amavis_t)
@ -2589,7 +2597,7 @@ index 91fa72ae1..2e9b8246a 100644
files_search_spool(amavis_t)
fs_getattr_xattr_fs(amavis_t)
@@ -141,14 +143,20 @@ init_stream_connect_script(amavis_t)
@@ -141,14 +144,20 @@ init_stream_connect_script(amavis_t)
logging_send_syslog_msg(amavis_t)
@ -2613,7 +2621,7 @@ index 91fa72ae1..2e9b8246a 100644
')
optional_policy(`
@@ -173,6 +181,10 @@ optional_policy(`
@@ -173,6 +182,10 @@ optional_policy(`
')
optional_policy(`
@ -5615,7 +5623,7 @@ index f6eb4851f..3628a384f 100644
+ allow $1 httpd_t:process { noatsecure };
')
diff --git a/apache.te b/apache.te
index 6649962b6..f6ac61e03 100644
index 6649962b6..cb95398ea 100644
--- a/apache.te
+++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@ -7796,7 +7804,7 @@ index 6649962b6..f6ac61e03 100644
')
########################################
@@ -1330,49 +1633,42 @@ optional_policy(`
@@ -1330,49 +1633,43 @@ optional_policy(`
# User content local policy
#
@ -7836,6 +7844,7 @@ index 6649962b6..f6ac61e03 100644
- fs_exec_nfs_files(httpd_user_script_t)
+ read_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
+ read_lnk_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
+ list_dirs_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
+ allow httpd_t httpd_user_content_type:file map;
')
@ -7864,7 +7873,7 @@ index 6649962b6..f6ac61e03 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
@@ -1382,38 +1678,109 @@ dev_read_urand(httpd_passwd_t)
@@ -1382,38 +1679,109 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@ -10562,10 +10571,10 @@ index 3a5032e06..3facb7156 100644
+ xserver_read_state_xdm(blueman_t)
+')
diff --git a/bluetooth.fc b/bluetooth.fc
index 2b9c7f329..0086b95d1 100644
index 2b9c7f329..6ae8a62c9 100644
--- a/bluetooth.fc
+++ b/bluetooth.fc
@@ -5,10 +5,14 @@
@@ -5,10 +5,15 @@
/etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
@ -10577,6 +10586,7 @@ index 2b9c7f329..0086b95d1 100644
/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/pand -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/libexec/bluetooth/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/libexec/bluetooth/obexd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
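Review bot: labeling `/usr/libexec/bluetooth/obexd` as bluetooth_exec_t only yields a bluetooth_t process when the domain that starts obexd has a transition rule to it; obexd is normally started inside the user session by D-Bus activation rather than by init, so `init_daemon_domain` alone does not cover that path. Confirm a user-domain transition to bluetooth_t on bluetooth_exec_t exists, otherwise obexd keeps the caller's label and the changelog line "run process as bluetooth_t" is not met.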
@ -13642,10 +13652,10 @@ index 000000000..ca526f823
+ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
+')
diff --git a/chronyd.fc b/chronyd.fc
index 4e4143ed8..f03dba037 100644
index 4e4143ed8..9c06350c2 100644
--- a/chronyd.fc
+++ b/chronyd.fc
@@ -1,13 +1,18 @@
@@ -1,13 +1,20 @@
-/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
+/etc/chrony\.keys.* -- gen_context(system_u:object_r:chronyd_keys_t,s0)
@ -13655,6 +13665,8 @@ index 4e4143ed8..f03dba037 100644
+
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+/usr/libexec/chrony-helper -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+
+/usr/bin/chronyc -- gen_context(system_u:object_r:chronyc_exec_t,s0)
/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
@ -13667,7 +13679,7 @@ index 4e4143ed8..f03dba037 100644
/var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
/var/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_var_run_t,s0)
diff --git a/chronyd.if b/chronyd.if
index 32e8265c2..ac74503d1 100644
index 32e8265c2..508f3b84f 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -57,6 +57,24 @@ interface(`chronyd_exec',`
@ -13801,7 +13813,7 @@ index 32e8265c2..ac74503d1 100644
')
####################################
@@ -176,28 +255,38 @@ interface(`chronyd_read_key_files',`
@@ -176,28 +255,81 @@ interface(`chronyd_read_key_files',`
#
interface(`chronyd_admin',`
gen_require(`
@ -13848,12 +13860,65 @@ index 32e8265c2..ac74503d1 100644
+ admin_pattern($1, chronyd_unit_file_t)
+ chronyd_systemctl($1)
+ allow $1 chronyd_unit_file_t:service all_service_perms;
+')
+
+########################################
+## <summary>
+## Execute chronyc in the chronyc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chronyd_domtrans_chronyc',`
+ gen_require(`
+ type chronyc_t, chronyc_exec_t;
+ ')
+
+ domtrans_pattern($1, chronyc_exec_t, chronyc_t)
+')
+
+########################################
+## <summary>
+## Execute chronyc in the chronyc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_run_chronyc',`
+ gen_require(`
+ type chronyc_t;
+ attribute_role chronyc_roles;
+ ')
+
+ chronyd_domtrans_chronyc($1)
+ roleattribute $2 chronyc_roles;
')
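Review bot: the `<summary>` of `chronyd_run_chronyc` repeats the one from `chronyd_domtrans_chronyc` ("Execute chronyc in the chronyc domain.") although it also takes a `role` parameter; following the convention for run interfaces, document it as "Execute chronyc in the chronyc domain and allow the specified role the chronyc domain." so the generated interface documentation distinguishes the two.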
diff --git a/chronyd.te b/chronyd.te
index e5b621c29..cfc64f1b0 100644
index e5b621c29..89ecee1f7 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@@ -5,6 +5,9 @@ policy_module(chronyd, 1.2.0)
# Declarations
#
+attribute_role chronyc_roles;
+roleattribute system_r chronyc_roles;
+
type chronyd_t;
type chronyd_exec_t;
init_daemon_domain(chronyd_t, chronyd_exec_t)
@@ -18,6 +21,9 @@ files_type(chronyd_keys_t)
type chronyd_tmpfs_t;
files_tmpfs_file(chronyd_tmpfs_t)
@ -13863,13 +13928,25 @@ index e5b621c29..cfc64f1b0 100644
type chronyd_var_lib_t;
files_type(chronyd_var_lib_t)
@@ -32,11 +35,15 @@ files_pid_file(chronyd_var_run_t)
@@ -27,18 +33,33 @@ logging_log_file(chronyd_var_log_t)
type chronyd_var_run_t;
files_pid_file(chronyd_var_run_t)
+type chronyc_t;
+type chronyc_exec_t;
+domain_type(chronyc_t, chronyc_exec_t)
+init_system_domain(chronyc_t, chronyc_exec_t)
+role chronyc_roles types chronyc_t;
+
########################################
#
# Local policy
#
-allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
-allow chronyd_t self:process { getcap setcap setrlimit signal };
+allow chronyd_t self:capability { dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time chown net_admin };
+allow chronyd_t self:capability2 block_suspend;
+allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal };
allow chronyd_t self:shm create_shm_perms;
+allow chronyd_t self:udp_socket create_socket_perms;
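Review bot: `roleattribute system_r chronyc_roles;` attaches only system_r to chronyc_roles, so the changelog promise that unprivileged user domains can use chronyc rests on every caller of `chronyd_run_chronyc` passing its own role as `$2`; the two callers visible in this change (system_cronjob_t and inetd_child_t) pass system_r, which is already covered, so check that the user-domain callers do the same, otherwise the `domtrans_pattern` applies and the exec is refused with a role violation. The added `allow chronyd_t self:capability2 block_suspend;` matches the changelog entry and is fine as a self rule.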
@ -13880,17 +13957,24 @@ index e5b621c29..cfc64f1b0 100644
+allow chronyd_t chronyd_keys_t:file setattr_file_perms;
allow chronyd_t chronyd_keys_t:file read_file_perms;
+allow chronyd_t chronyc_t:unix_dgram_socket sendto;
+
+allow chronyd_t chronyc_exec_t:file mmap_file_perms;
+
manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
@@ -62,6 +69,8 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file })
@@ -61,6 +82,9 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
kernel_read_system_state(chronyd_t)
kernel_read_network_state(chronyd_t)
+clock_read_adjtime(chronyd_t)
+kernel_request_load_module(chronyd_t)
+
+clock_read_adjtime(chronyd_t)
corenet_all_recvfrom_unlabeled(chronyd_t)
corenet_all_recvfrom_netlabel(chronyd_t)
corenet_udp_sendrecv_generic_if(chronyd_t)
@@ -76,18 +85,42 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
@@ -76,18 +100,62 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
corenet_udp_bind_chronyd_port(chronyd_t)
corenet_udp_sendrecv_chronyd_port(chronyd_t)
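Review bot: `allow chronyd_t chronyc_exec_t:file mmap_file_perms;` should record what in chronyd maps the chronyc binary; if the daemon (or `/usr/libexec/chrony-helper`, which chronyd.fc labels chronyd_exec_t) actually runs chronyc, a `domtrans_pattern(chronyd_t, chronyc_exec_t, chronyc_t)` keeps the client in its own domain, whereas a permission set on the executable that includes `execute` lets chronyc run inside chronyd_t with the daemon's capabilities (net_admin, sys_time and the rest of the self:capability line). Check what `mmap_file_perms` expands to in this tree before merging.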
@ -13935,6 +14019,26 @@ index e5b621c29..cfc64f1b0 100644
+optional_policy(`
+ ptp4l_rw_shm(chronyd_t)
')
+
+########################################
+#
+# Local policy
+#
+
+allow chronyc_t self:capability { dac_read_search dac_override };
+allow chronyc_t self:udp_socket create_socket_perms;
+allow chronyc_t self:unix_dgram_socket create_socket_perms;
+allow chronyc_t self:netlink_route_socket create_netlink_socket_perms;
+
+allow chronyc_t chronyd_t:unix_dgram_socket sendto;
+
+manage_dirs_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_sock_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+
+corecmd_exec_bin(chronyc_t)
+
+sysnet_read_config(chronyc_t)
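Review bot: `manage_dirs_pattern`/`manage_files_pattern` on chronyd_var_run_t let chronyc_t create, rewrite and delete any file under the daemon's runtime directory, which includes `/var/run/chronyd\.pid` (labeled chronyd_var_run_t in chronyd.fc), and because this domain also holds `dac_override` and `dac_read_search` the DAC mode of that directory no longer constrains it; given the changelog makes chronyc_t reachable from unprivileged user domains, narrow this to what the client needs for its own datagram socket, i.e. `manage_sock_files_pattern` plus `allow chronyc_t chronyd_var_run_t:dir search_dir_perms`, unless a concrete file write is documented. Also, the new section header repeats `# Local policy`, which the file already uses for chronyd_t above; name it `# chronyc local policy` so the two blocks are distinguishable.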
diff --git a/cinder.fc b/cinder.fc
new file mode 100644
index 000000000..4b318b783
@ -17134,10 +17238,10 @@ index 000000000..1cc5fa464
+')
diff --git a/conman.te b/conman.te
new file mode 100644
index 000000000..25cbb9aff
index 000000000..246420052
--- /dev/null
+++ b/conman.te
@@ -0,0 +1,99 @@
@@ -0,0 +1,114 @@
+policy_module(conman, 1.0.0)
+
+########################################
@ -17153,6 +17257,13 @@ index 000000000..25cbb9aff
+## </desc>
+gen_tunable(conman_can_network, false)
+
+## <desc>
+## <p>
+## Allow conman to manage nfs files
+## </p>
+## </desc>
+gen_tunable(conman_use_nfs, false)
+
+type conman_t;
+type conman_exec_t;
+init_daemon_domain(conman_t, conman_exec_t)
@ -17209,6 +17320,8 @@ index 000000000..25cbb9aff
+
+corecmd_exec_bin(conman_t)
+
+dev_read_urand(conman_t)
+
+logging_send_syslog_msg(conman_t)
+
+sysnet_dns_name_resolve(conman_t)
@ -17216,6 +17329,7 @@ index 000000000..25cbb9aff
+userdom_use_user_ptys(conman_t)
+
+term_use_usb_ttys(conman_t)
+term_use_ptmx(conman_t)
+
+tunable_policy(`conman_can_network',`
+ corenet_sendrecv_all_client_packets(conman_t)
@ -17223,6 +17337,11 @@ index 000000000..25cbb9aff
+ corenet_tcp_sendrecv_all_ports(conman_t)
+')
+
+tunable_policy(`conman_use_nfs',`
+ fs_manage_nfs_files(conman_t)
+ fs_read_nfs_symlinks(conman_t)
+')
+
+optional_policy(`
+ freeipmi_stream_connect(conman_t)
+')
@ -19865,7 +19984,7 @@ index 1303b3036..f5bd4aee8 100644
+ logging_log_filetrans($1, var_log_t, file, "redhat-access-insights.log")
')
diff --git a/cron.te b/cron.te
index 7de385956..f91dd2fe5 100644
index 7de385956..46400791a 100644
--- a/cron.te
+++ b/cron.te
@@ -11,46 +11,54 @@ gen_require(`
@ -20504,12 +20623,13 @@ index 7de385956..f91dd2fe5 100644
auth_use_nsswitch(system_cronjob_t)
@@ -516,20 +520,26 @@ logging_read_generic_logs(system_cronjob_t)
@@ -516,20 +520,28 @@ logging_read_generic_logs(system_cronjob_t)
logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
-miscfiles_read_localization(system_cronjob_t)
-
+miscfiles_filetrans_named_content_letsencrypt(system_cronjob_t)
seutil_read_config(system_cronjob_t)
+userdom_manage_tmpfs_files(system_cronjob_t, file)
@ -20534,7 +20654,7 @@ index 7de385956..f91dd2fe5 100644
selinux_validate_context(system_cronjob_t)
selinux_compute_access_vector(system_cronjob_t)
selinux_compute_create_context(system_cronjob_t)
@@ -539,10 +549,22 @@ tunable_policy(`cron_can_relabel',`
@@ -539,10 +551,26 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
@ -20554,10 +20674,14 @@ index 7de385956..f91dd2fe5 100644
+
+optional_policy(`
+ cron_generic_log_filetrans_log_insights(system_cronjob_t)
+')
+
+optional_policy(`
+ chronyd_run_chronyc(system_cronjob_t,system_r)
')
optional_policy(`
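Review bot: `chronyd_run_chronyc(system_cronjob_t,system_r)` is missing the space after the comma that every other multi-argument call in this file uses (compare `logging_log_filetrans($1, var_log_t, file, "redhat-access-insights.log")` in the preceding hunk); write it `chronyd_run_chronyc(system_cronjob_t, system_r)`. The same spelling appears in the inetd.te hunk (`chronyd_run_chronyc(inetd_child_t,system_r)`).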
@@ -551,10 +573,6 @@ optional_policy(`
@@ -551,10 +579,6 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(system_cronjob_t)
@ -20568,7 +20692,7 @@ index 7de385956..f91dd2fe5 100644
')
optional_policy(`
@@ -567,6 +585,10 @@ optional_policy(`
@@ -567,6 +591,10 @@ optional_policy(`
')
optional_policy(`
@ -20579,7 +20703,7 @@ index 7de385956..f91dd2fe5 100644
ftp_read_log(system_cronjob_t)
')
@@ -591,6 +613,8 @@ optional_policy(`
@@ -591,6 +619,8 @@ optional_policy(`
optional_policy(`
mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t)
@ -20588,7 +20712,7 @@ index 7de385956..f91dd2fe5 100644
')
optional_policy(`
@@ -598,7 +622,31 @@ optional_policy(`
@@ -598,7 +628,31 @@ optional_policy(`
')
optional_policy(`
@ -20620,7 +20744,7 @@ index 7de385956..f91dd2fe5 100644
')
optional_policy(`
@@ -607,7 +655,12 @@ optional_policy(`
@@ -607,7 +661,12 @@ optional_policy(`
')
optional_policy(`
@ -20633,7 +20757,7 @@ index 7de385956..f91dd2fe5 100644
')
optional_policy(`
@@ -615,12 +668,27 @@ optional_policy(`
@@ -615,12 +674,27 @@ optional_policy(`
')
optional_policy(`
@ -20663,7 +20787,7 @@ index 7de385956..f91dd2fe5 100644
#
allow cronjob_t self:process { signal_perms setsched };
@@ -628,12 +696,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
@@ -628,12 +702,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
@ -20697,7 +20821,7 @@ index 7de385956..f91dd2fe5 100644
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
@@ -641,66 +729,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
@@ -641,66 +735,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
@ -27002,10 +27126,10 @@ index 000000000..d22ed691a
+')
diff --git a/dnssec.te b/dnssec.te
new file mode 100644
index 000000000..238787661
index 000000000..b93540692
--- /dev/null
+++ b/dnssec.te
@@ -0,0 +1,91 @@
@@ -0,0 +1,93 @@
+policy_module(dnssec, 1.0.0)
+
+########################################
@ -27049,6 +27173,8 @@ index 000000000..238787661
+
+kernel_read_system_state(dnssec_trigger_t)
+
+can_exec(dnssec_trigger_t, dnssec_trigger_exec_t)
+
+corecmd_exec_bin(dnssec_trigger_t)
+corecmd_exec_shell(dnssec_trigger_t)
+corecmd_read_all_executables(dnssec_trigger_t)
@ -31797,7 +31923,7 @@ index e5b15fb7e..220622e84 100644
diff --git a/ganesha.fc b/ganesha.fc
new file mode 100644
index 000000000..855f58e55
index 000000000..c723bfb97
--- /dev/null
+++ b/ganesha.fc
@@ -0,0 +1,12 @@
@ -31809,8 +31935,8 @@ index 000000000..855f58e55
+
+/usr/lib/systemd/system/nfs-ganesha.*e -- gen_context(system_u:object_r:ganesha_unit_file_t,s0)
+
+/var/log/ganesha.log -- gen_context(system_u:object_r:ganesha_var_log_t,s0)
+/var/log/ganesha-gfapi.log -- gen_context(system_u:object_r:ganesha_var_log_t,s0)
+/var/log/ganesha.log.* -- gen_context(system_u:object_r:ganesha_var_log_t,s0)
+/var/log/ganesha-gfapi.log.* -- gen_context(system_u:object_r:ganesha_var_log_t,s0)
+
+/var/run/ganesha(/.*)? gen_context(system_u:object_r:ganesha_var_run_t,s0)
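Review bot: the two log entries use an unescaped `.` (`/var/log/ganesha.log.*`, `/var/log/ganesha-gfapi.log.*`); file context paths are regular expressions, so `.` matches any character and the pattern is wider than the literal file name. Escape it as `/var/log/ganesha\.log.*` and `/var/log/ganesha-gfapi\.log.*`, the way chronyd.fc writes `/etc/chrony\.keys.*` in this same change; the trailing `.*` for rotated and compressed logs is the intent of the changelog entry and can stay.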
diff --git a/ganesha.if b/ganesha.if
@ -39473,7 +39599,7 @@ index fbb54e7d8..05c377768 100644
########################################
diff --git a/inetd.te b/inetd.te
index c6450df8a..ed6af7994 100644
index c6450df8a..94760a2ec 100644
--- a/inetd.te
+++ b/inetd.te
@@ -21,6 +21,7 @@ files_pid_file(inetd_var_run_t)
@ -39571,7 +39697,7 @@ index c6450df8a..ed6af7994 100644
dev_read_urand(inetd_child_t)
fs_getattr_xattr_fs(inetd_child_t)
@@ -230,7 +244,15 @@ auth_use_nsswitch(inetd_child_t)
@@ -230,7 +244,19 @@ auth_use_nsswitch(inetd_child_t)
logging_send_syslog_msg(inetd_child_t)
@ -39579,6 +39705,10 @@ index c6450df8a..ed6af7994 100644
+sysnet_read_config(inetd_child_t)
+
+optional_policy(`
+ chronyd_run_chronyc(inetd_child_t,system_r)
+')
+
+optional_policy(`
+ kerberos_use(inetd_child_t)
+')
+
@ -40028,7 +40158,7 @@ index 000000000..61f2003c8
+userdom_use_user_terminals(iotop_t)
diff --git a/ipa.fc b/ipa.fc
new file mode 100644
index 000000000..74206edcb
index 000000000..61fd84f00
--- /dev/null
+++ b/ipa.fc
@@ -0,0 +1,29 @@
@ -40057,7 +40187,7 @@ index 000000000..74206edcb
+
+/var/log/ipa(/.*)? gen_context(system_u:object_r:ipa_log_t,s0)
+
+/var/log/ipareplica-conncheck.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipareplica-conncheck.log.* -- gen_context(system_u:object_r:ipa_log_t,s0)
+
+/var/run/ipa(/.*)? gen_context(system_u:object_r:ipa_var_run_t,s0)
+
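Review bot: `/var/log/ipareplica-conncheck.log.*` leaves the `.` before `log` unescaped; as a regular expression it matches more than the literal name, so write `/var/log/ipareplica-conncheck\.log.*` (compare the nsd.fc entry in this change, `/var/log/nsd\.log.*`, which escapes it).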
@ -43698,10 +43828,10 @@ index 000000000..bd7e7fa17
+')
diff --git a/keepalived.te b/keepalived.te
new file mode 100644
index 000000000..e5b8b3bbf
index 000000000..f84877209
--- /dev/null
+++ b/keepalived.te
@@ -0,0 +1,100 @@
@@ -0,0 +1,101 @@
+policy_module(keepalived, 1.0.0)
+
+########################################
@ -43743,6 +43873,7 @@ index 000000000..e5b8b3bbf
+kernel_read_network_state(keepalived_t)
+kernel_request_load_module(keepalived_t)
+kernel_rw_usermodehelper_state(keepalived_t)
+kernel_search_network_sysctl(keepalived_t)
+
+auth_use_nsswitch(keepalived_t)
+
@ -46465,7 +46596,7 @@ index 73e2803ee..34ca3aa22 100644
role_transition $2 l2tpd_initrc_exec_t system_r;
allow $2 system_r;
diff --git a/l2tp.te b/l2tp.te
index bb06a7fee..01e784bf5 100644
index bb06a7fee..3339bd85c 100644
--- a/l2tp.te
+++ b/l2tp.te
@@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t)
@ -46492,7 +46623,7 @@ index bb06a7fee..01e784bf5 100644
corenet_all_recvfrom_unlabeled(l2tpd_t)
corenet_all_recvfrom_netlabel(l2tpd_t)
corenet_raw_sendrecv_generic_if(l2tpd_t)
@@ -75,19 +77,37 @@ corecmd_exec_bin(l2tpd_t)
@@ -75,19 +77,38 @@ corecmd_exec_bin(l2tpd_t)
dev_read_urand(l2tpd_t)
@ -46524,6 +46655,7 @@ index bb06a7fee..01e784bf5 100644
+ ipsec_mgmt_read_pid(l2tpd_t)
+ ipsec_filetrans_key_file(l2tpd_t)
+ ipsec_manage_key_file(l2tpd_t)
+ ipsec_kill_mgmt(l2tpd_t)
+')
+
+optional_policy(`
@ -46812,7 +46944,7 @@ index 3602712d0..af83a5b6b 100644
+ allow $1 slapd_unit_file_t:service all_service_perms;
')
diff --git a/ldap.te b/ldap.te
index 4c2b1110e..7b306e4bb 100644
index 4c2b1110e..f01469806 100644
--- a/ldap.te
+++ b/ldap.te
@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
@ -46837,7 +46969,15 @@ index 4c2b1110e..7b306e4bb 100644
allow slapd_t self:fifo_file rw_fifo_file_perms;
allow slapd_t self:tcp_socket { accept listen };
@@ -69,9 +72,7 @@ allow slapd_t slapd_lock_t:file manage_file_perms;
@@ -60,6 +63,7 @@ read_lnk_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t)
manage_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
+allow slapd_t slapd_db_t:file map;
allow slapd_t slapd_etc_t:file read_file_perms;
@@ -69,9 +73,7 @@ allow slapd_t slapd_lock_t:file manage_file_perms;
files_lock_filetrans(slapd_t, slapd_lock_t, file)
manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t)
@ -46848,7 +46988,7 @@ index 4c2b1110e..7b306e4bb 100644
logging_log_filetrans(slapd_t, slapd_log_t, { file dir })
manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
@@ -93,7 +94,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
@@ -93,7 +95,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
@ -46856,7 +46996,7 @@ index 4c2b1110e..7b306e4bb 100644
corenet_all_recvfrom_netlabel(slapd_t)
corenet_tcp_sendrecv_generic_if(slapd_t)
corenet_tcp_sendrecv_generic_node(slapd_t)
@@ -115,25 +115,26 @@ fs_getattr_all_fs(slapd_t)
@@ -115,25 +116,26 @@ fs_getattr_all_fs(slapd_t)
fs_search_auto_mountpoints(slapd_t)
files_read_etc_runtime_files(slapd_t)
@ -63258,7 +63398,7 @@ index bcd7d0a7d..9b397fdd7 100644
+ unconfined_dontaudit_rw_packet_sockets(nscd_t)
+')
diff --git a/nsd.fc b/nsd.fc
index 4f2b1b663..6b300d54f 100644
index 4f2b1b663..0e24b49a9 100644
--- a/nsd.fc
+++ b/nsd.fc
@@ -1,16 +1,19 @@
@ -63290,7 +63430,7 @@ index 4f2b1b663..6b300d54f 100644
+/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
/var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0)
+
+/var/log/nsd\.log -- gen_context(system_u:object_r:nsd_log_t,s0)
+/var/log/nsd\.log.* -- gen_context(system_u:object_r:nsd_log_t,s0)
diff --git a/nsd.if b/nsd.if
index a9c60ff87..ad4f14ad6 100644
--- a/nsd.if
@ -69407,7 +69547,7 @@ index 9b157305b..cb00f200a 100644
+ ')
')
diff --git a/openvswitch.te b/openvswitch.te
index 44dbc99ab..7bcb16c59 100644
index 44dbc99ab..6221f5b9a 100644
--- a/openvswitch.te
+++ b/openvswitch.te
@@ -9,11 +9,8 @@ type openvswitch_t;
@ -69439,7 +69579,7 @@ index 44dbc99ab..7bcb16c59 100644
-allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock };
-allow openvswitch_t self:process { setrlimit setsched signal };
+allow openvswitch_t self:capability { dac_override net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid };
+allow openvswitch_t self:capability { dac_override dac_read_search net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid kill };
+allow openvswitch_t self:capability2 block_suspend;
+allow openvswitch_t self:process { fork setsched setrlimit signal setcap };
allow openvswitch_t self:fifo_file rw_fifo_file_perms;
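Review bot: the capability line now adds `kill` and `dac_read_search` to a set that already includes `sys_module`, `sys_rawio`, `dac_override`, `net_admin` and `setuid`; `kill` is only needed when the daemon signals processes it does not own, so the change should record which process that is (the changelog entry only says "Add kill capability to openvswitch_t domain"), and if the trigger was an AVC from a probe rather than a functional failure a `dontaudit` is the safer fix. `dac_read_search` beside `dac_override` does not widen access, since it is the narrower of the two DAC capabilities, so that part is fine.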
@ -82044,7 +82184,7 @@ index 7cb8b1f9c..bef72173b 100644
+ allow $1 puppet_var_run_t:dir search_dir_perms;
')
diff --git a/puppet.te b/puppet.te
index 618dcfeed..5bd88a99d 100644
index 618dcfeed..56b9252c6 100644
--- a/puppet.te
+++ b/puppet.te
@@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0)
@ -82106,7 +82246,7 @@ index 618dcfeed..5bd88a99d 100644
type puppetmaster_t;
type puppetmaster_exec_t;
@@ -56,161 +62,174 @@ files_tmp_file(puppetmaster_tmp_t)
@@ -56,161 +62,178 @@ files_tmp_file(puppetmaster_tmp_t)
########################################
#
@ -82305,53 +82445,49 @@ index 618dcfeed..5bd88a99d 100644
+
+optional_policy(`
+ mysql_stream_connect(puppetagent_t)
')
optional_policy(`
- cfengine_read_lib_files(puppet_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(puppetagent_t)
')
optional_policy(`
- consoletype_exec(puppet_t)
+')
+
+optional_policy(`
+ cfengine_read_lib_files(puppetagent_t)
')
optional_policy(`
- hostname_exec(puppet_t)
+')
+
+optional_policy(`
+ consoletype_exec(puppetagent_t)
')
optional_policy(`
- mount_domtrans(puppet_t)
- cfengine_read_lib_files(puppet_t)
+ hostname_exec(puppetagent_t)
')
optional_policy(`
- mta_send_mail(puppet_t)
- consoletype_exec(puppet_t)
+ mount_domtrans(puppetagent_t)
')
optional_policy(`
- hostname_exec(puppet_t)
+ mta_send_mail(puppetagent_t)
')
optional_policy(`
- mount_domtrans(puppet_t)
+ networkmanager_dbus_chat(puppetagent_t)
')
optional_policy(`
- mta_send_mail(puppet_t)
+ firewalld_dbus_chat(puppetagent_t)
')
optional_policy(`
- portage_domtrans(puppet_t)
- portage_domtrans_fetch(puppet_t)
- portage_domtrans_gcc_config(puppet_t)
+ mta_send_mail(puppetagent_t)
')
optional_policy(`
- files_rw_var_files(puppet_t)
+ networkmanager_dbus_chat(puppetagent_t)
+')
+
+optional_policy(`
+ firewalld_dbus_chat(puppetagent_t)
+')
- rpm_domtrans(puppet_t)
- rpm_manage_db(puppet_t)
- rpm_manage_log(puppet_t)
+optional_policy(`
+ portage_domtrans(puppetagent_t)
+ portage_domtrans_fetch(puppetagent_t)
+ portage_domtrans_gcc_config(puppetagent_t)
@ -82363,21 +82499,29 @@ index 618dcfeed..5bd88a99d 100644
+ rpm_domtrans(puppetagent_t)
+ rpm_manage_db(puppetagent_t)
+ rpm_manage_log(puppetagent_t)
+')
+
+optional_policy(`
')
optional_policy(`
- files_rw_var_files(puppet_t)
+ shorewall_domtrans(puppetagent_t)
+')
- rpm_domtrans(puppet_t)
- rpm_manage_db(puppet_t)
- rpm_manage_log(puppet_t)
+optional_policy(`
+ unconfined_domain_noaudit(puppetagent_t)
')
optional_policy(`
- unconfined_domain(puppet_t)
+ unconfined_domain_noaudit(puppetagent_t)
+ shorewall_domtrans(puppet_t)
')
optional_policy(`
- usermanage_domtrans_groupadd(puppet_t)
- usermanage_domtrans_useradd(puppet_t)
+ shorewall_domtrans(puppet_t)
+ rhsmcertd_dbus_chat(puppetagent_t)
')
########################################
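Review bot: the agent block mixes target domains: `shorewall_domtrans(puppet_t)` appears twice in this hunk (once beside `unconfined_domain_noaudit(puppetagent_t)`, once beside `rhsmcertd_dbus_chat(puppetagent_t)`) while an earlier line in the same hunk reads `shorewall_domtrans(puppetagent_t)`, and every other call in the rewritten block targets puppetagent_t. Whichever version is final, keep a single `shorewall_domtrans(puppetagent_t)` in its own `optional_policy` block, and verify that `puppet_t` is still declared (or kept as an alias of puppetagent_t) in this module before any rule references it, or the module fails to build.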
@ -82398,7 +82542,7 @@ index 618dcfeed..5bd88a99d 100644
allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
@@ -221,6 +240,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
@@ -221,6 +244,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
allow puppetca_t puppet_var_run_t:dir search_dir_perms;
kernel_read_system_state(puppetca_t)
@ -82406,7 +82550,7 @@ index 618dcfeed..5bd88a99d 100644
kernel_read_kernel_sysctls(puppetca_t)
corecmd_exec_bin(puppetca_t)
@@ -229,15 +249,12 @@ corecmd_exec_shell(puppetca_t)
@@ -229,15 +253,12 @@ corecmd_exec_shell(puppetca_t)
dev_read_urand(puppetca_t)
dev_search_sysfs(puppetca_t)
@ -82422,7 +82566,7 @@ index 618dcfeed..5bd88a99d 100644
miscfiles_read_generic_certs(puppetca_t)
seutil_read_file_contexts(puppetca_t)
@@ -246,38 +263,48 @@ optional_policy(`
@@ -246,38 +267,48 @@ optional_policy(`
hostname_exec(puppetca_t)
')
@ -82488,7 +82632,7 @@ index 618dcfeed..5bd88a99d 100644
kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
kernel_read_network_state(puppetmaster_t)
@@ -289,23 +316,24 @@ corecmd_exec_bin(puppetmaster_t)
@@ -289,23 +320,24 @@ corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
corenet_all_recvfrom_netlabel(puppetmaster_t)
@ -82519,7 +82663,7 @@ index 618dcfeed..5bd88a99d 100644
selinux_validate_context(puppetmaster_t)
@@ -314,26 +342,32 @@ auth_use_nsswitch(puppetmaster_t)
@@ -314,26 +346,32 @@ auth_use_nsswitch(puppetmaster_t)
logging_send_syslog_msg(puppetmaster_t)
miscfiles_read_generic_certs(puppetmaster_t)
@ -82557,7 +82701,7 @@ index 618dcfeed..5bd88a99d 100644
')
optional_policy(`
@@ -342,3 +376,9 @@ optional_policy(`
@@ -342,3 +380,9 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
@ -108436,10 +108580,10 @@ index 27a8480bc..fc3fca520 100644
+
allow stunnel_t stunnel_port_t:tcp_socket name_bind;
diff --git a/svnserve.fc b/svnserve.fc
index effffd028..12ca090e1 100644
index effffd028..0d5c275de 100644
--- a/svnserve.fc
+++ b/svnserve.fc
@@ -1,8 +1,13 @@
@@ -1,8 +1,15 @@
-/etc/rc\.d/init\.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0)
+/etc/rc.d/init.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0)
@ -108458,6 +108602,8 @@ index effffd028..12ca090e1 100644
+/var/svn(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
+/var/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
+/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
+
+/var/log/svnserve(/.*)? gen_context(system_u:object_r:svnserve_log_t,s0)
diff --git a/svnserve.if b/svnserve.if
index 2ac91b6e0..a97033d2b 100644
--- a/svnserve.if
@ -108596,10 +108742,10 @@ index 2ac91b6e0..a97033d2b 100644
')
+
diff --git a/svnserve.te b/svnserve.te
index 49d688d66..451a64768 100644
index 49d688d66..f7e23fe71 100644
--- a/svnserve.te
+++ b/svnserve.te
@@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t)
@@ -12,12 +12,21 @@ init_daemon_domain(svnserve_t, svnserve_exec_t)
type svnserve_initrc_exec_t;
init_script_file(svnserve_initrc_exec_t)
@ -108614,11 +108760,14 @@ index 49d688d66..451a64768 100644
+type svnserve_tmp_t;
+files_tmp_file(svnserve_tmp_t)
+
+type svnserve_log_t;
+logging_log_file(svnserve_log_t)
+
########################################
#
# Local policy
@@ -27,6 +33,11 @@ allow svnserve_t self:fifo_file rw_fifo_file_perms;
@@ -27,6 +36,11 @@ allow svnserve_t self:fifo_file rw_fifo_file_perms;
allow svnserve_t self:tcp_socket create_stream_socket_perms;
allow svnserve_t self:unix_stream_socket { listen accept };
@ -108630,17 +108779,19 @@ index 49d688d66..451a64768 100644
manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
manage_files_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
@@ -34,9 +45,6 @@ manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
@@ -34,8 +48,9 @@ manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
manage_files_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file })
-files_read_etc_files(svnserve_t)
-files_read_usr_files(svnserve_t)
-
+manage_files_pattern(svnserve_t, svnserve_log_t, svnserve_log_t)
+manage_dirs_pattern(svnserve_t, svnserve_log_t, svnserve_log_t)
+logging_log_filetrans(svnserve_t, svnserve_log_t, { dir file })
corenet_all_recvfrom_unlabeled(svnserve_t)
corenet_all_recvfrom_netlabel(svnserve_t)
corenet_tcp_sendrecv_generic_if(svnserve_t)
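Review bot: the three new lines `manage_files_pattern(svnserve_t, svnserve_log_t, svnserve_log_t)`, `manage_dirs_pattern(svnserve_t, svnserve_log_t, svnserve_log_t)` and `logging_log_filetrans(svnserve_t, svnserve_log_t, { dir file })` take the place of the removed `files_read_etc_files`/`files_read_usr_files` block but drop the blank line that separated it from `corenet_all_recvfrom_unlabeled(svnserve_t)`; add the separator to match the rest of the file. The filetrans is unnamed, so any file or directory svnserve creates directly in /var/log becomes svnserve_log_t; since svnserve.fc only claims `/var/log/svnserve(/.*)?`, a named transition such as `logging_log_filetrans(svnserve_t, svnserve_log_t, dir, "svnserve")` would confine it to that directory.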
@@ -52,8 +60,9 @@ corenet_tcp_sendrecv_svn_port(svnserve_t)
@@ -52,8 +67,13 @@ corenet_tcp_sendrecv_svn_port(svnserve_t)
corenet_udp_bind_svn_port(svnserve_t)
corenet_udp_sendrecv_svn_port(svnserve_t)
@ -108652,6 +108803,10 @@ index 49d688d66..451a64768 100644
+logging_send_syslog_msg(svnserve_t)
sysnet_dns_name_resolve(svnserve_t)
+
+optional_policy(`
+ kerberos_use(svnserve_t)
+')
diff --git a/swift.fc b/swift.fc
new file mode 100644
index 000000000..6d897bc25
@ -111616,10 +111771,10 @@ index 000000000..9524b50aa
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
index 000000000..2b15dca23
index 000000000..d6affa561
--- /dev/null
+++ b/thumb.te
@@ -0,0 +1,172 @@
@@ -0,0 +1,173 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@ -111670,6 +111825,7 @@ index 000000000..2b15dca23
+manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
+userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails")
+userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log")
+userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file)
+userdom_dontaudit_access_check_user_content(thumb_t)
+userdom_rw_inherited_user_tmp_files(thumb_t)
+userdom_manage_home_texlive(thumb_t)
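Review bot: `userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file)` is an unnamed transition, so every file thumb_t creates directly in the user's home directory is labeled thumb_home_t, not just the thumbnailer's own output; the two lines above it (`".thumbnails"`, `"missfont.log"`) show the precise named form. If BZ(1474110) concerns a particular file, add one more named transition for it; if the thumbnailer really writes arbitrary files into $HOME, record which ones, because files that end up as thumb_home_t are then governed by the thumb_home_t rules for every other domain rather than the user_home_t ones.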
@ -112173,10 +112329,10 @@ index 000000000..5185a9e8e
+ sssd_stream_connect(tlp_t)
+')
diff --git a/tmpreaper.te b/tmpreaper.te
index 585a77f95..9858c8b8d 100644
index 585a77f95..71981be9d 100644
--- a/tmpreaper.te
+++ b/tmpreaper.te
@@ -5,20 +5,46 @@ policy_module(tmpreaper, 1.7.1)
@@ -5,20 +5,47 @@ policy_module(tmpreaper, 1.7.1)
# Declarations
#
@ -112208,6 +112364,7 @@ index 585a77f95..9858c8b8d 100644
type tmpreaper_exec_t;
init_system_domain(tmpreaper_t, tmpreaper_exec_t)
+application_domain(tmpreaper_t, tmpreaper_exec_t)
+init_nnp_daemon_domain(tmpreaper_t)
########################################
#
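Review bot: init_nnp_daemon_domain(tmpreaper_t) only has an effect on a kernel and policy that implement the process2 { nnp_transition nosuid_transition } checks; on an older kernel the rule is simply not consulted and a transition into tmpreaper_t under NoNewPrivileges still fails unless tmpreaper_t is bounded by the calling domain. That is fine as a forward-looking fix, but the changelog entry "Allow nnp transition for amavis and tmpreaper SELinux domains" should name the unit or cron job that runs with NoNewPrivileges=yes so the next person can reproduce the denial. The inner hunk header change from 46 to 47 lines matches the single added line.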
@ -112224,7 +112381,7 @@ index 585a77f95..9858c8b8d 100644
dev_read_urand(tmpreaper_t)
@@ -27,15 +53,16 @@ corecmd_exec_shell(tmpreaper_t)
@@ -27,15 +54,16 @@ corecmd_exec_shell(tmpreaper_t)
fs_getattr_xattr_fs(tmpreaper_t)
fs_list_all(tmpreaper_t)
@ -112246,7 +112403,7 @@ index 585a77f95..9858c8b8d 100644
mls_file_read_all_levels(tmpreaper_t)
mls_file_write_all_levels(tmpreaper_t)
@@ -45,7 +72,6 @@ init_use_inherited_script_ptys(tmpreaper_t)
@@ -45,7 +73,6 @@ init_use_inherited_script_ptys(tmpreaper_t)
logging_send_syslog_msg(tmpreaper_t)
@ -112254,7 +112411,7 @@ index 585a77f95..9858c8b8d 100644
miscfiles_delete_man_pages(tmpreaper_t)
ifdef(`distro_debian',`
@@ -53,10 +79,33 @@ ifdef(`distro_debian',`
@@ -53,10 +80,33 @@ ifdef(`distro_debian',`
')
ifdef(`distro_redhat',`
@ -112289,7 +112446,7 @@ index 585a77f95..9858c8b8d 100644
')
optional_policy(`
@@ -64,6 +113,7 @@ optional_policy(`
@@ -64,6 +114,7 @@ optional_policy(`
')
optional_policy(`
@ -112297,7 +112454,7 @@ index 585a77f95..9858c8b8d 100644
apache_list_cache(tmpreaper_t)
apache_delete_cache_dirs(tmpreaper_t)
apache_delete_cache_files(tmpreaper_t)
@@ -79,7 +129,19 @@ optional_policy(`
@@ -79,7 +130,19 @@ optional_policy(`
')
optional_policy(`
@ -112318,7 +112475,7 @@ index 585a77f95..9858c8b8d 100644
')
optional_policy(`
@@ -89,3 +151,8 @@ optional_policy(`
@@ -89,3 +152,8 @@ optional_policy(`
optional_policy(`
rpm_manage_cache(tmpreaper_t)
')


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 298%{?dist}
Release: 299%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -719,6 +719,32 @@ exit 0
%endif
%changelog
* Tue Oct 24 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-299
- Label /usr/libexec/bluetooth/obexd as bluetoothd_exec_t to run process as bluetooth_t
- Allow chronyd_t do request kernel module and block_suspend capability
- Allow system_cronjob_t to create /var/lib/letsencrypt dir with right label
- Allow slapd_t domain to mmap files labeled as slpad_db_t BZ(1505414)
- Allow dnssec_trigger_t domain to execute binaries with dnssec_trigeer_exec_t BZ(1487912)
- Allow l2tpd_t domain to send SIGKILL to ipsec_mgmt_t domains BZ(1505220)
- Allow thumb_t creating thumb_home_t files in user_home_dir_t direcotry BZ(1474110)
- Allow httpd_t also read httpd_user_content_type dirs when httpd_enable_homedirs is enables
- Allow svnserve to use kerberos
- Allow conman to use ptmx. Add conman_use_nfs boolean
- Allow nnp transition for amavis and tmpreaper SELinux domains
- Allow chronyd_t to mmap chronyc_exec_t binary files
- Add dac_read_search capability to openvswitch_t domain
- Allow svnserve to manage own svnserve_log_t files/dirs
- Allow keepalived_t to search network sysctls
- Allow puppetagent_t domain dbus chat with rhsmcertd_t domain
- Add kill capability to openvswitch_t domain
- Label also compressed logs in /var/log for different services
- Allow inetd_child_t and system_cronjob_t to run chronyc.
- Allow chrony to create netlink route sockets
- Add SELinux support for chronyc
- Add support for running certbot(letsencrypt) in crontab
- Allow nnp trasintion for unconfined_service_t
- Allow unpriv user domains and unconfined_service_t to use chronyc
* Sun Oct 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-298
- Drop *.lst files from file list
- Ship file_contexts.homedirs in store
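Review bot: several of the new %changelog lines carry typos that will ship verbatim in the package metadata: "chronyd_t do request kernel module" (to request), "slpad_db_t" (slapd_db_t), "dnssec_trigeer_exec_t" (dnssec_trigger_exec_t), "direcotry" (directory), "when httpd_enable_homedirs is enables" (is enabled), "nnp trasintion" (transition), and "certbot(letsencrypt)" wants a space. The misspelled type names matter most, because people grep rpm changelogs for the exact type they are debugging and slpad_db_t will never match. Separately, the entry says amavis gets the nnp transition as well, but only tmpreaper's init_nnp_daemon_domain appears among the hunks shown here, so please confirm the amavis change is in the same diff.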