From 7ac1cbb00362a578d2bfe2c6d1364fb3c5079e00 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Thu, 8 Jun 2017 12:25:29 +0200
Subject: [PATCH] * Thu Jun 08 2017 Lukas Vrabec -
3.13.1-257 - Merge pull request #10 from mscherer/fix_tor_dac - Merge pull
request #9 from rhatdan/rawhide - Merge pull request #13 from
vinzent/allow_zabbix_t_to_kill_zabbix_script_t - Allow kdumpgui to read
removable disk device - Allow systemd_dbusd_t domain read/write to nvme
devices - Allow udisks2 domain to read removable devices BZ(1443981) - Allow
virtlogd_t to execute itself - Allow keepalived to read/write usermodehelper
state - Allow named_t to bind on udp 4321 port - Fix interface
tlp_manage_pid_files() - Allow collectd domain read lvm config files.
BZ(1459097) - Merge branch 'rawhide' of
github.com:wrabcak/selinux-policy-contrib into rawhide - Allow
samba_manage_home_dirs boolean to manage user content - Merge pull request
#14 from lemenkov/rabbitmq_systemd_notify - Allow pki_tomcat_t execute
ldconfig. - Merge pull request #191 from rhatdan/udev - Allow
systemd_modules_load_t to load modules
---
container-selinux.tgz | Bin 6800 -> 6818 bytes
policy-rawhide-base.patch | 10 +-
policy-rawhide-contrib.patch | 339 +++++++++++++++++++----------------
selinux-policy.spec | 21 ++-
4 files changed, 214 insertions(+), 156 deletions(-)
diff --git a/container-selinux.tgz b/container-selinux.tgz
index be53f4f82f6244047d564cba870b2bc77a92005b..627306af00b02e8e38cf399044f93f5f842f5316 100644
GIT binary patch
delta 6717
zcmV-D8p7p}HKH|tABzY8yBRrI00Zq^>yO+vlF!%aze2DBcqXvtWygE4vwK)12i$!)
zAlO~tK3wiPYDwL#9lau{=W&MjZ@;SILli|)lv*A8aMM82o>tY5WRWZui^Wn@7Hyao
zNqw1azd6z88b0sezr*jFKYV|!e#7VOyW5-FZ*Jb++`PYky?OWk4{yJ@zIl6l{r;Qa
z`cxHCKZm9b>mc|hyRXAd5?SfSp8p^HtX{qherOJP9@bBP`rAGU$|@<|H07a=k|3cK
z_@N5xFb|4FKr)1ZW(=s^%>S^1E}L0blG9TrWBjWU5=5i0z9l@@JMZ^I}#
z|5eszT_1`z&672hM>wxu|GGNcCB?cYvQDBrUN=ctNBi|AEzZBaxmcZv3azVuu!VZ#ulC|hPuhzW7O-Gfa%81T
zciI!yYyMq(HmPgRY+b7rP?uR^fd32pEWyJlN}6U26_KK_x*8om@I7hdbiFSgiT-B2
zj|D@&*Xahk;M-d>211--u7Z%h+KGw-eu}8&e00vXC@hH5Im?cmP=BQ|6>(?jCWxW>
zQCrr3Y0^xPv~%8g3~jTBxlo{5J_5cEYb5PtOXUaO-k4}UKsy7D5C2?ONu4*qxJ|R9
z5e0K<>XC(2*ViU$8c@Hdpe+Mj@*OGhza(L-iJQ9iiwnAjict%xIrU^Pd;5X&Ycx^vl09|e9+y0rdf~c
zb5kWzx=o>jSV!X8nhaDPl^L@Ef&51kbE6;ET^iS
zOt*3PW3-#V7@IIB)sn^@{F+Pwr5{nLou(Td>hh%0{}D7MXr*%VcaV338;nrt3Mi$2
z*BwvD@{qRsAOylg3leVAD4^DNn+H&LNEa%4u&UF0EC(rn#}3tyc`eph3j;oSW2h1N`QLu}N>&cCVyZNrwr;>)*rIR%
zs+nLA6Oi%8#kYM;Qr|D)gIvf_W!ZN>HEohdZ8p_~q(3_pX-neoI*MV(+|UvQvEE9N
zyiT$bjdhSz3gd~M1pFhIdADv$23~<;d5Ezl49Bn^Rci79zXCZj^6vO^;Lw8|4NE>im353EXg5qVwfcMZlT8V<2A1(
z_JV&mD9gWvLhd2)nLa_Xa_3-G)HyXJWj`K;1R!$nv!R4UW8S^l#JMWm4QP
ziMlVFwpkjG_G=4b)=5)l_m?PvMPOM^HDCyA%Ex4x<}*w*Y8QknVgHbYPs=0TE(jU6
zWu6Kh0ESBqtM)pK^R!@pYY`p<*`^O$tOU}fd;n-ix_-){5dIBmbYSCyFaSgUF=$#a
zNpf0WlJ<++RZ(yxwhk+P3xR%fl%O<*ClUW;S%Ra~tTC45UN9GNo#`!_`goECZ
z$_(q*Iq?4a^N(E}ny-2ERgw1yL|U}V;LF!9!+xeM*Ba_d1`2Cvd82LN3H$>}NYsbX
z1-x2qd1UXvzC?Hj>jTs(;O!$f3hAsA3Wl|te7yZQwfnR#i+s|i6oPyj7
z7{Ux_#R2Sv@_fW;_-biq?>aoRdmgDZ@c7chuam|G9)F4Sx{!i*cN`U7s307B&T25W
znVi2~n}=FI-RvIDf+{zyo_KS)A!l*31jF@{h*2*jGOXM#0^atJWX9jm$3t3
z34cUfZdb)wXAo)&hg7h99dCBRDi{_|26(<^Fj;`f2@6{NRF%+NW~rvlvVrXj$DVi9
zof{YJGJpLT9XrJ9N@BgCREs&?`f;rtnD|+S_6|9XA%jYFw8su4V@#P=7e6Fph*gKA
zKbA;tC>iBrM8c$hB1b+Sz#4f6b%9#ApZYaNOH8}RsF$0Cg;%8iFW-3;#k
zzP)+A|NDDGqw!E8aX|G-eKP7-u
z)5T&~vR0%ClmH
zgRSGa&OgKzp8q~_cTmCV$^WLN8-Gs?j3*;~OmSMm5Hk_ubgpxm&;}LcCoFp4&bh|q
znEiP*&;a<8>>2n&L+r6Sk@38BfX&XKB|7|R$46T8sGJ5BTU~$$ub5CWO3%
zE+g;E`GC)T
zhG46B9lQx})4`;_Pj`D*d1?RNFF9jwgT)HQU65MlWJ{>CXh462S-|Wuc*I<6riH&r
zvh9Z`tiny2rR`JjDTwyvLw^z6rCo@ZIU*PgZ!>2;{dyc&j09No3xPO`}9K{
zf=!dOTY$s`Z;i2Al>X)O$FW*~6(i33>m&pFIK%V)5hk(4{s$Bq9cmal?Kn^0;2fde
z#u(K!PKG{8ngt~q1f$gaXc9xOm2*mV_UX;6+>`X=&6^#aw!*h32Y<%kv-oW_4u6bk
z-!bidnV?R;2`>D%Cz~l=gcq&;=!w=w)dDDocz`m6y_=A?!G>&s=Fn705xY2bU8yz&
zJxnxNy~Z(9LIF&ZGD@NH9y5v>cSMViUNnpqc;1qbd#7Lfl`78;o_oa-dIXE9;8
z%^t7W93HBgC%qKd1bVsQceAXtEtclgH}i1)zRC1E>?4*1GYf~mTnI#YuVMj6AC1K0
zeK0@FC%(9E>oV^addeY@mobM(|iP8Z53#r
zu&os2AAFWqb>=m8XZT@mQ=M3orS+mV5K}rYtVu;R{y-J{ethLm$BBVKBza;LmZ)LK5@vF6qS!
z?UU#(cqr?;OCbB#vP!mxEPFzSJ4hfe@5viq1P@8D58;n6*d!=`peeHhdT@d3KR5yM
z#3h}8ZcA(jbna^wAoEZjvX~c+f9J3~gSiCz!2|%D(SJSMeagOo@S`U~=kE|6kWM6I
z3K$(CnhAl?dKw!`rG)+kn;kJ@`u5y))(7*Z^F-{))7uxn@2m8h>>9LX(jO`Cky|WB
z3*8t07{U9ufjcHnS%|o_e#$Z?8{AXM@L5GPCNi9r<>RCK5X)8iR&}{gohGbps#!6w
zIWqA;=YKGpG0R-J?&b~_56sDf!vk|^yveiOh3V77oOq()<2#CFRhF@o%(r$=g56!=
zJth3@^7y7}=cg$`xiWsb0`Qji>SagMmDEf1v7F5{mf3F3#P`IUtn@r_Co4Wr-099J
zPvFT~a17T+6ZWzpPuv8W5>EJ6c|ikqELGav(SPfOIn{{t1fDm{Jb-5nGZ$_@uE2X3
za7fcIkZq>{;WLbfNuso|`yllUzlRIs8)KyOpFi_x1AbJ|4>~ZmrHe!$MhwQst#OM1
z`DXom2SQIW9xTqntSDyOOs-NFNsI0YUvj#r`qV^iW~quGen4a|QV?4c?UUHAa6Ip}
z2!Ejqv|dvB_M~wMMa1f*yJ(;FxSaG;D>tJ`J3b6Y
ztE5Mxb^(4OtnZa`t}v?ENBM%ChZl4XA#^Zp%+VtkeX3@kWSIw@pJVBWQ^VeQo?uJ2
zGni(Ur3DKue6+W3+sd;D!4j2uUS-MSnt#URIB)NC(^rBA0SDz}s$#|_EWqGCb%)msC&dynhvDaQDSSqiGNktwOjZF5JJFks1B{R#N!{@tQqG>?SSV-trGs{>LYZFlM%bM|`mwR0+I!
z7_HHLTBmVBf3T=#FC2=cDVjM|xK()VRqzda{uIF4Lb2BJ3r7roSGzP0#O894G0Qj3
z5LAGSFAUhOb{Mqi9kuwlt$+0x-J_x)xq?0(kYb4AUEPHce=@~Z2DoA|cir@$Vq1hU1XlWsf%Vu#i+D)SYA4^J!3K@n}vQILYj4tzgwThE_bq`|kL@7idI6Q2(xw(Ln
zx*Zl<%WRP(2M?O;p4Qy9E*(|FH!5JQoD^AER$fqkMPlW^q^O-P03oxqNn?t}8r`Dv
zt;!J$qdW8ghtD2-z<(sq+6Spyc1LGMlfa@-#_Mt1_KZ>JE&0c#GZoj>@{^mSm
z`*_te;o9ye9%Q}}X!^J3T|-JI9dU(#%5He%jjJtkqqTly8&5xCa_l$gvWlG}0nj%jMlrBl3LkD}Q^{9b!pmwRI;cNvk%0
zbdU(i1CmwpL@4|Kql98!911ibqmVkme&B`{80^%$jUx1213%ig>vWHqd9G-{$m`2C
zS3t*7w`=*AcvF;Q0ryFOE8BgpLMk
zlq}50=?&I6+T!hlH_(|83=4wz`V2-yQ8Vl7BmDW2AStRIt$SVH{3EG15Fp
zNr2;(HoN%{Lm}5wV>Ue@vqSC+jcJet(}$@a6=mX3lK0RNe5<@aN=K6(U7w;2Nf_;H
z+ol&%!8(Q65_TrsBXwM2F=o3oGnd5&8&-5aK@xVJq6$h8Gvi*!ET!$L&K7}xTRj98
zc3P)-ynhZY+4MdxOMO`$BeAl(h?vRHom-))VOf`)N#^~`2orq{qD>2%|BEG3G?lzf
z>*N9Kgm|=}udG7F{rD{R{XuTjZ6^{o#v;Nql>(1Wt%*-ARxee;?vB-@qG&3N9uF}x
z$Jq;;Q66TWiBe3(v9jfqb*-#KEdmsM>4nYKV}GDQXyJNE$wRZphy!%54p{fJi`nTb
z5|_zb%_faxayiT3Cf-b;)|6`7h6*u&UJ3CmiPK|(n3R&lS~Qy7C2y#(A>Rx;+&t?M
zclYz$Bjm7IgM81O)j-l1$;@xL`9$wJ9X%W{SvFm1QI~&E*fle<6{u|eP@&La%ISsq
z27eh%PIQEMij66bD5>5tmswqz`UY>YFwT}iF*5n^RDLD2nQi$XC~F5cADDQ}xz6ZO=Uq$BWrRyu7pLm7KN
z$Vi$po(pqE#w?X{Vty!ThFjp22n3l6?W3CB#cEfG*K>?q$QXaek`^2YUiLDg_K$u0
zlOz@~e;NG95*B7pENw-~Ua$j;Hki|>j4$y;gn_|!l}Y@&`d#qE6)dNwS}gm8Ee>dV
zl6Ce`zx|+P=wxa13DA)DxOY*AUzYH?R5a(xglm7X7|>{v$6+JH#SPPf!Hd!t431IqJ2ue>D16e9vqPgj=&68K!&ECtalk&!?hyT
zpnlBlFb$(2ZLg5TsIMD+eBG-<_40?tjimqRq88DN3bpCh)F5mT9V89x?(bOQwdRF}44KAYT6tr{^^qtACRvD)$YtF|A{We7lP{jMPLx#GHN
zLFdc9_qJO9+dQp*cE@%?R>yY29VAn2N9deayjuUPji&iIGq3A$No8HJxRat?=cj3%
zk)HL~w5-deV_hoxc&LX&nru}ciFDbNe>xi$dLDm$U|$u6XWLU|;{nVbGg9+3+e&<*
z%%`p7#&o54=-Kb$AZ)l`cqDc3L>h`qr%{))Pb}6r;74QBD&w__Cbn;-?M@Sq!yC)#
za7WM!>eA23jX`1BIkr_>pWsy5_cVIKDfH;+v&X5k-)Xb2NccQ;nJzw=k;izae<=6jOJK2cK?aAJ4=6?U%&Goz6?+5RHyS{#Y|J(2Jxk3Zx>X%FQ
zMi+XyBo2w>vE{EYTOU4ftyq8Pe?~k{VclHA6uUY!^;MQ`aM8G8I9He7oxOSEjV88u
z{H-d8Y64|n%Rqxk*WoP%m_0^s5N^q~1LoC&RfK2JG8IHLN%f!qef3}8F~{?=z4HcL
zrcJw8jX5fR@66J$MR{Llhdg;RT@=bo+&bungj}cPQlsh=cx9BvOW`#tf8a8+sINU1
z?;@pySOS9|6=8)go8`b;WA^3nuFH1{LusCP+!uAo}HZzhDM=e<8A5^y9!H
z_oqLyf2Aqy=Q6+;xH5Gdf4T5@+SZAKzytC22*?hzljAbOROy$nE%S8hOfoiH0p(eI
zmK3WU{TLBTcwCj1ku4%!@jYlVwZF{Wf0Pn-YATL-0)-`z&3fx-wPl81RD0QrSVoBn
z{DpOyfL&arX~4&8HZYB5+9_RRjI1YuNrE|3*?`9?_seCK#*<94PZ2ouH3D9<4Bi`l
zNn;ri^3{vkxy@A2LEw_2#{gKd*(PWJdUcWtw3~+`G|88C$~=FbKhK}%&-3T`^Za@K
TJb#`)C;I#^9yS6h0LTCU4YVFT
delta 6749
zcmV-j8lvT*HIOxbABzY8IzKg800Zq^ZExf@lFnE6uMlPej2(>au_u`TBgS_lYUmOUk5)lhddAK$3Oplp9E!<6z5HOsG}qZ
zt13&QuuaP%h{Qk%l41wn7e8DIwiST*eR`$AA1D9%kVJ3wOQAPqD}K;4doHeo43ENPIgJLu9M#nX$`cilauzbQd%H++P8)u6Oh2Vy>W2m
z)wUsuH)pHWNmSNJl*j8P3F~OT-lWCp*H>q&6H%dmbrrTyZ~WC>oasq>w!#7y>`IQT
zbm>le!g|fWYfmP1?TM{xwF2rgOAPRTg`XvO7)43bjG-b@6jqm`!w0@6jhwFc#Us(*
ztoN~C==VC^U>AISZN@-|=a{P?q%U@&;((tbYB?XBvn>h>qIAx(BPZ0~s7yuNS-J^g
zsD9LcmUWsm6C~}NHy%UVEMhJcsFsg_@4^~MJK0kC!Pi$Nnvc-VfaAkI*Hu#I4KQxg
zENMi+oSJ%MVb%4eiJAt~A1P?d0GE76O8l=$7;ECDuKnzSuAySoLaNRzaa+ge34yc6
z=2co^{Q)v>_FcQg%ibb={5V=9<{}C49PG3mAj5(H5
z)t*haark4jo4^>GFwd$bjXn4!nF2~bqEdUFZgi;2XO;espfN!!m7Cu{-VJUrLZvHz
zpp;&BJR-||+U|o82oEhtxJ{#gTHkFRK;0o-sOZ6}PVcZBr2GRrR72*qSYs^=_~?zH
zrj%RK#7rotyd#p*l%g2#I?BSPu@ptmhGlIMUR*q-JpBKwpsY~-VfLq2ZGEsc5lOXT
zH%VITyoxnX5uxL}Jv7D%;&P`bli=%rYxwUy{P*p$_Sw(>{?iw-a*!2MrSY_N1NOoe
zg#%E{1cR7>j6W{E?Q4?yZV?~kLXIlSzWcFhlRRp(sV*e_*`Y{V5`WiG3_IqAmMDnz
zR*K|xl9gzzgQQXzPxK_#!jI9uUb6{uzlK^YBV_!4u}(ugE)gIDs|1@OH(
zn~f8f(d~SY2DsOQ8sV>V(7@DJan7SGh3=h?#M-t%O=ii4VU*E4$!ax!XgCH8za7}i
zGz@JhG(-hL_7L@o7sKCG1#awGsxT90Ac)BbhVGn+ah`#?Yt)hDY5yA>dEMyWrn`%z
zxLXo+Up8&CG$8HQ7R0QRrp)dxPy&mS6ml{^>br|P=X~EVaJP5K)AGTNtqzm}~(2jKdltm%@8`9{s^^lhWY`zp&yn_biXFEHqw@TkRP;G+o_Mt8$ylqqwom_
zy(5(w)~|Em{q5%;yE-&q^60A~?-7W!XqUm4uV04!Ok1us)Rhcs6xQ-a+rkt0N0gAL
z52Fiswc7H?-hq9I@DA1os8zt*M{X3-St%3@Yd86L`*CV_X>KiC<6XXcEj8-V*-f+yId*C36cNq0q#A*0uX=m>`JhXcrsWtHU(!(z-qK)c1CGM0MdfGy1@{#eR3ew=`
zun5q8NoWH
z@3ZL>#?YJkK@~X|H|3#-8=8MGc$&J5E@KD668?y|+^&kV&LGql4yj=II^OJrRWK|b
z4e)%;V6p&{6Be}ku_~dt%u-F8Wdqw6jy>*#ekB?BNV^Fkz#J;L&
zDNbsO8*s&C@wwM%Y&)BJSicdUgwW-dogmRH5>M99iq+6LGIJtqOEhveVUtGv1ysn_
zZ@H}MWSc%1ka+?i(JGM3ezU
zr$}@re?reNs=u6eb?Y{)cS$Q~@~l~d-q>+xwDvG+aO|UF1`3PC&$vYKAdz*=`vf1+
z>hQU5LjM2!$N_QDCeKxd`~L5T@4kEgVQ~K!etNn8`v-iOqh^1dmoezYQ#l&m2GaVtu%GRqC}ZwgtQBd(IB6mtp;PhLoCG6WpgO_*
zJ^?jatI;SSS=YkNOwQme3;zD&&p}nztqkF*xSD0?*qHWEgd4T3a%TtD{@Y+1W=(RY
zRf*S#Z3_4)qm
zwKT3&J49Urx!GY_t2nhTYPN^(if|^WR7A4k}nZ`QOxZbKCSsgUbuJUypo08_MGxFL)tDT!Kd%NF0DqD_1Al0UJys_&p0^IL**UaC
zhd=H3NNax{RW#s+qslx=&BrSms_t9sgAYA@)-rU`VNuE{NWYZcIh#1nkUyRp5r*(0
z#IujxMToL!&-U?j$T9@u0Uv!V8N|qhkeAS9%q!idBEI?2E|&hW5*
zgh_wwum1ssMu!^4O*_uhw>C$pw=sq^jgz5+lBPh3*1#w=KbOR~YvquV9ejE-E0-ia
zdGlsRN3HPf$$NIiyvK~9#vRe(BUnM@q)YS}
zsIM$7Zr8W`a^oSn!_a~wY9`@Kg+?X}=Q@e*SU?!=vBzsRhli@>NiPL9fnM(R-7G6@f2Dc!%{*McZ!&-V
z0{e(%!ED0eFJ}T#UaD9C(nlllU>{5l^TZeTZC&QwLQe@K@-hZ9VP(AfKTBj(|4(hC;aC(&(iU)Hx5K=yBCm23}L_K4ngkU(DEkt=_`2=0?$
zAHpADut`t=K~rW2bl(Eke{urkiAy^E+?Lo5=-js~I_ADSWHB!s|IT4~26GAag9!jQ
zLwmUIlzjo=jVD9r>=5pcP9$Us7`-8y34x({8XL=_g#HDa9Wi72_I!2L2lJ-$MC{4a
z+ZVs@sPvlb8nk87A1UyWD=dFU3*8t07{U9ufjcIivk-A({W;5+Y;aF0!)F!In8sMmvCWxV}O+Y^Cuo^
zz>g~W5eLS$bYTd@h>?HzxHWDu8sDs+Z$aou#v{d9j1>ipo5@w`B5Bb*;Y&`pR3DqD
z%`8>KQq)
zJ>e+zeq9zUu`EwBV{S{+mNlAi7{fs7`vHUa(&pAePe=E-h!st9pSIE7Ovh6z=)(s#
zrg3?1f#%t8#a%Zu6%pa{gQZ2Bpsd{dHg!bL#Ws?km{Na^354%LI@ZR
z)uGjvn7k;)LFOrWfIpI1y@$ajWWCRcK3Q*OJ)
z$u>M>E%Se~JlI5{agS|$xACQ~TgI&lpNXPRc;T?RICy)iS^
zRc>`|p0USFG#dwn9l%oR7AAk0H6wjvVNNS%Aa(Hh;Sbs8u12aA7d_QIi9nxdIgg=>Y^UIpK<=cfSH
z7K*i&UpQj$yV|93AU2nSbXmS}hM)pud||+LwZouA@2JIxZLP=X9u)=274-3d6hj>E
z>Mn%%$rM`|;EKiEb<=~ApB%xdK_t@KjdYI1&)6NLO=BG%#Q7e{sJFAY)!th&$9)<*
z<{*E$ODj;z#kL%Afc$<)ns!Y#oqoI2K+oH=&S92-G2?c@2x7N`#X#)i-=Wuqc_BZS
zhY3j8aP**6`;d%r;iV#8Pu8BXHQMZ0h094Jn;;#1#T6yWx>HuC{;3
zjn?{sZ9M&m$;q;aABL8!{Q;(9wsAmu`eFzzEy_0CKDu2tX|YdGBgaaJ(nyPBEthvg
zjmY!fuk2NKh$WrX)}5pzt=jy-K_Vm%NLI-cq3{EY5{h|oDA0h6Lh1zjfg4(2uv70g
ziqLlr{Ak~<(mx*SahKW_O?f}UXRj)0
z+1T*BOCh+VWrsgF53xE9)^S}y4p|wQL@4Z39=p0zGAk%kl`&FcmC$Bfu6TM9=`6TQ
zp;O6^x@DKBJ5>t5IO?DgIvS`^vM?W~H(29v>xmP&gcY`lb)qa_P9j>t$C`iB8S_*(
zhbjNYCGaN9H=!o-DD@U4k$QCxQBIROv5bqI#5GoDs}Oj)9TLVC{1@>!9v4_aX1OZNb?{i0ghMN?B+uZg>vy`^0I$H$(ZS@dX*lC^S@jA3*)62Ll^<_zn#LDg>VkSd(ZiS|XWnFS+
znD;XyO!PU3HZ5%aFP25oRPr{hlY6ie;?ah_u?iLUfwcR0=#g
zwI)6}TfJ5ZyE|5silV77dOXC)9A__VMtPWhCQ30C$I6yd*0r({wFpr3r583^kAViE
zh3hqC4$U4S4$!?fVBOO$W~Z;nS|$@Un>3QitwnD#QSKCB(BNPLBy<
zQpyl((P(y;yrIH|d^3OSaPy=`+}+P}kC4M=4e~v8Rs%_6Bs0I_=80Z(I(j%@vTVB2
zqAvNMuxn;yD^S_`p+cdo3xqXJe{dyr!#D
z-Zs4^>ZvP9N8tIaT-s`eGWK$iku+sI5$24HSt{qm{7}*ix4)9db-He6cowq3#D#LZL;@BeGcPxC+$M0EK-t;n}_K$t_lPVT5e;xeD
z5*B8UENw-~-mU|SHki|>j4$vlgn_|!l^OiI`knE_6)d5qS}gm8Ee>dVl67{Y-+s{2
zbFv)z1ZYTl+`A~mFH3k`Dw=a;!nMCx3}`gT>R2Fs*rUSrHG*Fir4
zU~to)Qfd9WVM+-nQO{*hj(Y9ve@POK*c!dxXrkyF{Zs^M{aIJ_ns2_7XOv7l%
z*()S5>gz@yU-#Znz5JnZBk6Bk)FPTup*G!`8iXyPgQS7o{VhxUmgJ_Gf4X5Yu@W(P
z!$++QEf#f8b!i*sv&sF`su5E)`g{iys~wNOYWwkAh5)qI?+PNHE3T^+biV9+Z>#mc
z&C~j4cWftQb!;cxK{C~LgwA=ztM$*?Xqulh^SU0FRMr)XJ1N?Aewx-9=~<6W%eq`T
z)}^A4hk8h)$yW7|NS95if3sns=keDE_ElkcwmoGw9>DA|BQ;O6t;8qFeA-HGOjnAB
zp8YNk!iEcmM^Xn*q@lQU8g)5)VzI^nKN_P}8LwS5v3)CTcba${-dIkDJAz(Nmwr}m
z3<}fEv8~$r8BV2rPopQCLXVz4dz?D^oi_W5gwIo#>Ee?ad5m{Tf1>6wtO`)uzvbHD%X>fP1*cl!I^uHftC{cnH3=Mrt0%U>?o8(rw-k~k!i
zhnBy>Y<>916=VIee;f2Xi*@r3X4&PTsV}p1gX_j6!@0cp=H&d`8%^x;_={B#)db4E
zmVpMVuESdjFnfs35pK!01Loy|RfK2JG8IHLN%ddpIU)23al#vGNu
zdS+?ZqP#1!L!O*Z7lrZ?w+^}?A=hcS)Tnw6yfRATrSKXRe{h*u)Yl%1cac)Ua+9Eg
z=G!CwJx^sRuN~v)Nh_4w5SibPs|5p
zY?k0rddxZ5Ip#CWd4X)6`bW=vGyI|oz+S{MdO+YWtPTY1;#xriK3+M1bun|P@8U~j
zJrPV2%$dptJXX11E~+%1WYvtop~nvJnq~0L`BjHyLqy0I0A?ySQ$YveKZ+g$V8!g2
zpaJLwL@Lm39*)o?pWCnT@_G5Zd|o~;pO??e=jHSAdHKA2hM)fflc3OV0LTCUm+n&&
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 51820512..a8864592 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -47930,10 +47930,10 @@ index 0000000..3303edd
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..746fc9d
+index 0000000..54d6359
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,1018 @@
+@@ -0,0 +1,1020 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -48916,6 +48916,8 @@ index 0000000..746fc9d
+# systemd_modules_load domain
+#
+
++allow systemd_modules_load_t self:system module_load;
++
+kernel_dgram_send(systemd_modules_load_t)
+kernel_load_module(systemd_modules_load_t)
+
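Review bot: The new `allow systemd_modules_load_t self:system module_load;` rule carries no comment explaining why it is needed next to `kernel_load_module(systemd_modules_load_t)` two lines below, and a later cleanup is likely to drop it as redundant. As far as I recall, the kernel checks `self:system module_load` for init_module() from a userspace buffer while finit_module() is checked against the module file's type, so the self rule is presumably what makes loading of compressed modules (decompressed in userspace by kmod) work — that should be confirmed against the AVC that motivated it. I would record the reason above the rule, e.g. `# init_module() from a userspace buffer (compressed modules) is checked against self, not the module file`. The systemd_modules_load_t block continues past this hunk.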
@@ -49250,7 +49252,7 @@ index 9a1650d..d7e8a01 100644
########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 39f185f..b41b341 100644
+index 39f185f..a313a7d 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -49280,7 +49282,7 @@ index 39f185f..b41b341 100644
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
-+allow udev_t self:capability2 { block_suspend };
++allow udev_t self:capability2 { block_suspend wake_alarm };
dontaudit udev_t self:capability sys_tty_config;
-allow udev_t self:capability2 block_suspend;
-allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 24ad5d32..85bf9dba 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -9823,7 +9823,7 @@ index 531a8f2..3fcf187 100644
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
-index 1241123..4ec3437 100644
+index 1241123..fc5eb99 100644
--- a/bind.te
+++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -9885,7 +9885,7 @@ index 1241123..4ec3437 100644
corenet_all_recvfrom_netlabel(named_t)
corenet_tcp_sendrecv_generic_if(named_t)
corenet_udp_sendrecv_generic_if(named_t)
-@@ -127,6 +130,12 @@ corenet_udp_bind_generic_node(named_t)
+@@ -127,9 +130,15 @@ corenet_udp_bind_generic_node(named_t)
corenet_sendrecv_all_server_packets(named_t)
corenet_tcp_bind_dns_port(named_t)
corenet_udp_bind_dns_port(named_t)
@@ -9897,6 +9897,10 @@ index 1241123..4ec3437 100644
+corenet_udp_bind_bgp_port(named_t)
corenet_tcp_sendrecv_dns_port(named_t)
corenet_udp_sendrecv_dns_port(named_t)
+-
++corenet_udp_bind_whois_port(named_t)
+ corenet_tcp_bind_rndc_port(named_t)
+ corenet_tcp_sendrecv_rndc_port(named_t)
@@ -141,9 +150,13 @@ corenet_sendrecv_all_client_packets(named_t)
corenet_tcp_connect_all_ports(named_t)
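Review bot: `corenet_udp_bind_whois_port(named_t)` grants bind on every UDP port labelled whois_port_t, which in the reference corenetwork definition covers port 43 as well as the rwhois port 4321 named in the changelog, so the rule is wider than the stated need. It is also unconditional, whereas a name server binding a non-DNS port is unusual enough that a tunable (as `tor_bind_all_unreserved_ports` does for tor elsewhere in this patch) or at least a comment citing the bug would help an auditor. Suggested comment above the line: `# <BZ id>: named binds udp/4321 (rwhois); whois_port_t also covers port 43`. The named_t block continues past this hunk.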
@@ -15713,7 +15717,7 @@ index 954309e..6780142 100644
')
+
diff --git a/collectd.te b/collectd.te
-index 6471fa8..cb6a356 100644
+index 6471fa8..228b603 100644
--- a/collectd.te
+++ b/collectd.te
@@ -26,43 +26,61 @@ files_type(collectd_var_lib_t)
@@ -15788,10 +15792,12 @@ index 6471fa8..cb6a356 100644
logging_send_syslog_msg(collectd_t)
-@@ -74,17 +92,45 @@ tunable_policy(`collectd_tcp_network_connect',`
- corenet_tcp_sendrecv_all_ports(collectd_t)
+@@ -75,16 +93,47 @@ tunable_policy(`collectd_tcp_network_connect',`
')
+ optional_policy(`
++ lvm_read_config(collectd_t)
++')
+
+optional_policy(`
+ pdns_stream_connect(collectd_t)
@@ -15813,7 +15819,7 @@ index 6471fa8..cb6a356 100644
+ snmp_read_snmp_var_lib_dirs(collectd_t)
+')
+
- optional_policy(`
++optional_policy(`
virt_read_config(collectd_t)
+ virt_stream_connect(collectd_t)
')
@@ -23240,7 +23246,7 @@ index 62d22cb..1287d08 100644
+
')
diff --git a/dbus.te b/dbus.te
-index c9998c8..8b447a3 100644
+index c9998c8..27182fd 100644
--- a/dbus.te
+++ b/dbus.te
@@ -4,17 +4,15 @@ gen_require(`
@@ -23284,7 +23290,7 @@ index c9998c8..8b447a3 100644
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
-@@ -51,59 +47,62 @@ ifdef(`enable_mls',`
+@@ -51,59 +47,64 @@ ifdef(`enable_mls',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
')
@@ -23349,6 +23355,8 @@ index c9998c8..8b447a3 100644
-files_list_home(system_dbusd_t)
-files_read_usr_files(system_dbusd_t)
++dev_rw_nvme(system_dbusd_t)
++
+files_rw_inherited_non_security_files(system_dbusd_t)
fs_getattr_all_fs(system_dbusd_t)
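Review bot: `dev_rw_nvme(system_dbusd_t)` gives the system bus broker itself read/write access to raw NVMe device nodes, which is not something dbus-daemon does in its own right; an AVC like this often indicates a bus-activated helper running in system_dbusd_t for lack of a domain transition, in which case the access belongs to that helper's domain (or a new one) rather than to the broker. I would cite the AVC (comm= and path=) that motivated the line before merging it, and if the broker really needs it, add a comment naming the service that triggers it, e.g. `# <service>: see <BZ id>`. Note also that the changelog calls the domain `systemd_dbusd_t` while the rule targets `system_dbusd_t`. The system_dbusd_t block continues past this hunk.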
@@ -23364,7 +23372,7 @@ index c9998c8..8b447a3 100644
mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +122,174 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +124,174 @@ term_dontaudit_use_console(system_dbusd_t)
auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)
@@ -23413,10 +23421,9 @@ index c9998c8..8b447a3 100644
optional_policy(`
- policykit_read_lib(system_dbusd_t)
+ cpufreqselector_dbus_chat(system_dbusd_t)
- ')
-
- optional_policy(`
-- seutil_sigchld_newrole(system_dbusd_t)
++')
++
++optional_policy(`
+ getty_start_services(system_dbusd_t)
+')
+
@@ -23442,9 +23449,10 @@ index c9998c8..8b447a3 100644
+
+optional_policy(`
+ snapper_read_inherited_pipe(system_dbusd_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- seutil_sigchld_newrole(system_dbusd_t)
+ sysnet_domtrans_dhcpc(system_dbusd_t)
+')
+
@@ -23486,7 +23494,7 @@ index c9998c8..8b447a3 100644
+allow system_bus_type system_dbusd_t:unix_stream_socket rw_socket_perms;
+
+fs_search_all(system_bus_type)
-
++
+dbus_system_bus_client(system_bus_type)
+dbus_connect_system_bus(system_bus_type)
+
@@ -23516,7 +23524,7 @@ index c9998c8..8b447a3 100644
+ifdef(`hide_broken_symptoms',`
+ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
+')
-+
+
+########################################
+#
+# session_bus_type rules
@@ -23553,7 +23561,7 @@ index c9998c8..8b447a3 100644
kernel_read_kernel_sysctls(session_bus_type)
corecmd_list_bin(session_bus_type)
-@@ -191,23 +298,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +300,18 @@ corecmd_read_bin_files(session_bus_type)
corecmd_read_bin_pipes(session_bus_type)
corecmd_read_bin_sockets(session_bus_type)
@@ -23578,7 +23586,7 @@ index c9998c8..8b447a3 100644
files_dontaudit_search_var(session_bus_type)
fs_getattr_romfs(session_bus_type)
-@@ -215,7 +317,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +319,6 @@ fs_getattr_xattr_fs(session_bus_type)
fs_list_inotifyfs(session_bus_type)
fs_dontaudit_list_nfs(session_bus_type)
@@ -23586,7 +23594,7 @@ index c9998c8..8b447a3 100644
selinux_validate_context(session_bus_type)
selinux_compute_access_vector(session_bus_type)
selinux_compute_create_context(session_bus_type)
-@@ -225,18 +326,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +328,36 @@ selinux_compute_user_contexts(session_bus_type)
auth_read_pam_console_data(session_bus_type)
logging_send_audit_msgs(session_bus_type)
@@ -23628,7 +23636,7 @@ index c9998c8..8b447a3 100644
')
########################################
-@@ -244,5 +363,9 @@ optional_policy(`
+@@ -244,5 +365,9 @@ optional_policy(`
# Unconfined access to this module
#
@@ -42717,10 +42725,10 @@ index 182ab8b..8b1d9c2 100644
+')
+
diff --git a/kdumpgui.te b/kdumpgui.te
-index 2990962..abd217f 100644
+index 2990962..6629aaf 100644
--- a/kdumpgui.te
+++ b/kdumpgui.te
-@@ -5,79 +5,89 @@ policy_module(kdumpgui, 1.2.0)
+@@ -5,79 +5,90 @@ policy_module(kdumpgui, 1.2.0)
# Declarations
#
@@ -42784,8 +42792,10 @@ index 2990962..abd217f 100644
fs_list_hugetlbfs(kdumpgui_t)
-fs_read_dos_files(kdumpgui_t)
- storage_raw_read_fixed_disk(kdumpgui_t)
+-storage_raw_read_fixed_disk(kdumpgui_t)
storage_raw_write_fixed_disk(kdumpgui_t)
++storage_raw_read_removable_device(kdumpgui_t)
++storage_raw_read_fixed_disk(kdumpgui_t)
+storage_getattr_removable_dev(kdumpgui_t)
auth_use_nsswitch(kdumpgui_t)
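Review bot: `storage_raw_read_removable_device(kdumpgui_t)` allows the kdump configuration GUI to read the full contents of every removable block device, which is considerably more than the `storage_getattr_removable_dev` line just below it and more than device enumeration needs. If the tool probes partition tables or filesystem labels (for example via libblkid) the raw read may be unavoidable, but that should be stated next to the rule, e.g. `# raw read needed for <operation from the AVC>; getattr alone is not enough`. The move of `storage_raw_read_fixed_disk` within the same hunk is behaviour-neutral. The kdumpgui_t block continues past this hunk.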
@@ -42829,7 +42839,7 @@ index 2990962..abd217f 100644
')
optional_policy(`
-@@ -87,4 +97,10 @@ optional_policy(`
+@@ -87,4 +98,10 @@ optional_policy(`
optional_policy(`
kdump_manage_config(kdumpgui_t)
kdump_initrc_domtrans(kdumpgui_t)
@@ -42941,7 +42951,7 @@ index 0000000..bd7e7fa
+')
diff --git a/keepalived.te b/keepalived.te
new file mode 100644
-index 0000000..c4f0c32
+index 0000000..04c46e7
--- /dev/null
+++ b/keepalived.te
@@ -0,0 +1,95 @@
@@ -42985,7 +42995,7 @@ index 0000000..c4f0c32
+kernel_read_system_state(keepalived_t)
+kernel_read_network_state(keepalived_t)
+kernel_request_load_module(keepalived_t)
-+kernel_read_usermodehelper_state(keepalived_t)
++kernel_rw_usermodehelper_state(keepalived_t)
+
+auth_use_nsswitch(keepalived_t)
+
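Review bot: `kernel_rw_usermodehelper_state(keepalived_t)` replaces a read rule with write access to the usermodehelper_t entries under /proc/sys/kernel (modprobe, hotplug and related), and the value written there names a program the kernel later runs with full privilege, which is why the reference policy keeps that write side separate and treats it as a domain-escape risk. The changelog gives no reason a VRRP daemon needs to write those entries; I would cite the AVC, and if it turns out to be a spurious write attempt (for instance an O_RDWR open that never writes), a `dontaudit` or a narrower rule is the safer fix. The keepalived_t block continues past this hunk.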
@@ -72991,10 +73001,10 @@ index 0000000..f18fcc6
+')
diff --git a/pki.te b/pki.te
new file mode 100644
-index 0000000..555b44a
+index 0000000..94da39a
--- /dev/null
+++ b/pki.te
-@@ -0,0 +1,283 @@
+@@ -0,0 +1,285 @@
+policy_module(pki,10.0.11)
+
+########################################
@@ -73121,6 +73131,8 @@ index 0000000..555b44a
+
+selinux_get_enforce_mode(pki_tomcat_t)
+
++libs_exec_ldconfig(pki_tomcat_t)
++
+logging_send_audit_msgs(pki_tomcat_t)
+
+miscfiles_read_hwdata(pki_tomcat_t)
@@ -84656,7 +84668,7 @@ index 2c3d338..7d49554 100644
init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/rabbitmq.te b/rabbitmq.te
-index dc3b0ed..b0ae2c6 100644
+index dc3b0ed..37aa9a7 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
@@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.2)
@@ -84690,7 +84702,7 @@ index dc3b0ed..b0ae2c6 100644
type rabbitmq_var_log_t;
logging_log_file(rabbitmq_var_log_t)
-@@ -27,98 +31,93 @@ files_pid_file(rabbitmq_var_run_t)
+@@ -27,98 +31,96 @@ files_pid_file(rabbitmq_var_run_t)
######################################
#
@@ -84793,6 +84805,7 @@ index dc3b0ed..b0ae2c6 100644
+allow rabbitmq_t self:process { setsched signal signull };
+allow rabbitmq_t self:fifo_file rw_fifo_file_perms;
+allow rabbitmq_t self:tcp_socket { accept listen };
++allow rabbitmq_t self:unix_dgram_socket { connect create getopt setopt write };
+
+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+manage_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
@@ -84813,6 +84826,8 @@ index dc3b0ed..b0ae2c6 100644
+manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+files_pid_filetrans(rabbitmq_t, rabbitmq_var_run_t, { dir file })
+
++kernel_dgram_send(rabbitmq_t)
++
+kernel_read_system_state(rabbitmq_t)
+kernel_read_fs_sysctls(rabbitmq_t)
+
@@ -96185,7 +96200,7 @@ index 50d07fb..a34db48 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 2b7c441..0aaed65 100644
+index 2b7c441..09e193b 100644
--- a/samba.te
+++ b/samba.te
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@@ -96717,7 +96732,7 @@ index 2b7c441..0aaed65 100644
')
tunable_policy(`samba_domain_controller',`
-@@ -419,20 +459,10 @@ tunable_policy(`samba_domain_controller',`
+@@ -419,20 +459,16 @@ tunable_policy(`samba_domain_controller',`
')
tunable_policy(`samba_enable_home_dirs',`
@@ -96726,21 +96741,25 @@ index 2b7c441..0aaed65 100644
- userdom_manage_user_home_content_symlinks(smbd_t)
- userdom_manage_user_home_content_sockets(smbd_t)
- userdom_manage_user_home_content_pipes(smbd_t)
--')
--
++ userdom_manage_user_home_content(smbd_t)
+ ')
+
-tunable_policy(`samba_portmapper',`
- corenet_sendrecv_all_server_packets(smbd_t)
- corenet_tcp_bind_epmap_port(smbd_t)
- corenet_tcp_bind_all_unreserved_ports(smbd_t)
- corenet_tcp_sendrecv_all_ports(smbd_t)
-+ userdom_manage_user_home_content(smbd_t)
++optional_policy(`
++ tunable_policy(`samba_enable_home_dirs',`
++ apache_manage_user_content(smbd_t)
++ ')
')
+# Support Samba sharing of NFS mount points
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
-@@ -441,6 +471,7 @@ tunable_policy(`samba_share_nfs',`
+@@ -441,6 +477,7 @@ tunable_policy(`samba_share_nfs',`
fs_manage_nfs_named_sockets(smbd_t)
')
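Review bot: `apache_manage_user_content(smbd_t)` is keyed to `samba_enable_home_dirs`, so turning on a boolean documented as enabling home directory sharing now also lets smbd create, modify and delete httpd user content (httpd_user_content_t and related types) under those homes, which silently widens the boolean's meaning. If that is intended, the boolean's description in its gen_tunable block (outside this hunk) should say so; otherwise hang the rule off a separate tunable or off `samba_export_all_rw`. Note also that the changelog names the boolean `samba_manage_home_dirs`, which does not appear in the hunk. The smbd_t rules continue past this hunk.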
@@ -96748,7 +96767,7 @@ index 2b7c441..0aaed65 100644
tunable_policy(`samba_share_fusefs',`
fs_manage_fusefs_dirs(smbd_t)
fs_manage_fusefs_files(smbd_t)
-@@ -448,15 +479,10 @@ tunable_policy(`samba_share_fusefs',`
+@@ -448,15 +485,10 @@ tunable_policy(`samba_share_fusefs',`
fs_search_fusefs(smbd_t)
')
@@ -96768,7 +96787,7 @@ index 2b7c441..0aaed65 100644
')
optional_policy(`
-@@ -466,6 +492,7 @@ optional_policy(`
+@@ -466,6 +498,7 @@ optional_policy(`
optional_policy(`
ctdbd_stream_connect(smbd_t)
ctdbd_manage_lib_files(smbd_t)
@@ -96776,7 +96795,7 @@ index 2b7c441..0aaed65 100644
')
optional_policy(`
-@@ -474,11 +501,31 @@ optional_policy(`
+@@ -474,11 +507,31 @@ optional_policy(`
')
optional_policy(`
@@ -96808,7 +96827,7 @@ index 2b7c441..0aaed65 100644
lpd_exec_lpr(smbd_t)
')
-@@ -488,6 +535,10 @@ optional_policy(`
+@@ -488,6 +541,10 @@ optional_policy(`
')
optional_policy(`
@@ -96819,7 +96838,7 @@ index 2b7c441..0aaed65 100644
rpc_search_nfs_state_data(smbd_t)
')
-@@ -499,12 +550,53 @@ optional_policy(`
+@@ -499,12 +556,53 @@ optional_policy(`
udev_read_db(smbd_t)
')
@@ -96874,7 +96893,7 @@ index 2b7c441..0aaed65 100644
allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow nmbd_t self:fd use;
allow nmbd_t self:fifo_file rw_fifo_file_perms;
-@@ -512,9 +604,11 @@ allow nmbd_t self:msg { send receive };
+@@ -512,9 +610,11 @@ allow nmbd_t self:msg { send receive };
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -96889,7 +96908,7 @@ index 2b7c441..0aaed65 100644
manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +620,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +626,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -96914,7 +96933,7 @@ index 2b7c441..0aaed65 100644
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
-@@ -547,53 +637,44 @@ kernel_read_kernel_sysctls(nmbd_t)
+@@ -547,53 +643,44 @@ kernel_read_kernel_sysctls(nmbd_t)
kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
@@ -96983,7 +97002,7 @@ index 2b7c441..0aaed65 100644
')
optional_policy(`
-@@ -606,18 +687,29 @@ optional_policy(`
+@@ -606,18 +693,29 @@ optional_policy(`
########################################
#
@@ -97019,7 +97038,7 @@ index 2b7c441..0aaed65 100644
samba_read_config(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -627,39 +719,38 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,39 +725,38 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
@@ -97071,7 +97090,7 @@ index 2b7c441..0aaed65 100644
allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -668,26 +759,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +765,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@@ -97107,7 +97126,7 @@ index 2b7c441..0aaed65 100644
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
-@@ -699,58 +786,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +792,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
@@ -97199,7 +97218,7 @@ index 2b7c441..0aaed65 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +865,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +871,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
@@ -97223,7 +97242,7 @@ index 2b7c441..0aaed65 100644
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -777,36 +879,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +885,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
@@ -97266,7 +97285,7 @@ index 2b7c441..0aaed65 100644
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -818,10 +909,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +915,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@@ -97280,7 +97299,7 @@ index 2b7c441..0aaed65 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -840,17 +932,20 @@ optional_policy(`
+@@ -840,17 +938,20 @@ optional_policy(`
# Winbind local policy
#
@@ -97307,7 +97326,7 @@ index 2b7c441..0aaed65 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +955,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +961,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -97318,7 +97337,7 @@ index 2b7c441..0aaed65 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,38 +966,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,38 +972,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@@ -97372,7 +97391,7 @@ index 2b7c441..0aaed65 100644
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,38 +1009,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,38 +1015,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
@@ -97431,7 +97450,7 @@ index 2b7c441..0aaed65 100644
')
optional_policy(`
-@@ -959,31 +1070,36 @@ optional_policy(`
+@@ -959,31 +1076,36 @@ optional_policy(`
# Winbind helper local policy
#
@@ -97475,7 +97494,7 @@ index 2b7c441..0aaed65 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -997,25 +1113,38 @@ optional_policy(`
+@@ -997,25 +1119,38 @@ optional_policy(`
########################################
#
@@ -110367,7 +110386,7 @@ index 0000000..eef708d
+/var/run/tlp(/.*)? gen_context(system_u:object_r:tlp_var_run_t,s0)
diff --git a/tlp.if b/tlp.if
new file mode 100644
-index 0000000..46f12a4
+index 0000000..368e188
--- /dev/null
+++ b/tlp.if
@@ -0,0 +1,184 @@
@@ -110510,7 +110529,7 @@ index 0000000..46f12a4
+ ')
+
+ files_search_pids($1)
-+ read_files_pattern($1, tlp_var_run_t, tlp_var_run_t)
++ manage_files_pattern($1, tlp_var_run_t, tlp_var_run_t)
+')
+
+########################################
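Review bot: Changing `read_files_pattern` to `manage_files_pattern` makes the body of tlp_manage_pid_files() match its name, but the interface's summary comment above its interface( line (outside this hunk) presumably still describes read access and should be updated in the same change, e.g. `## Manage tlp pid files.`. If any existing caller only needs read access, adding a separate `tlp_read_pid_files()` interface would preserve least privilege rather than upgrading every caller to manage.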
@@ -111401,10 +111420,10 @@ index 61c2e07..3b86095 100644
+ ')
')
diff --git a/tor.te b/tor.te
-index 5ceacde..c919a2d 100644
+index 5ceacde..a395940 100644
--- a/tor.te
+++ b/tor.te
-@@ -13,6 +13,13 @@ policy_module(tor, 1.9.0)
+@@ -13,6 +13,20 @@ policy_module(tor, 1.9.0)
##
gen_tunable(tor_bind_all_unreserved_ports, false)
@@ -111414,11 +111433,18 @@ index 5ceacde..c919a2d 100644
+##
+##
+gen_tunable(tor_can_network_relay, false)
++
++##
++##
++## Allow tor to run onion services
++##
++##
++gen_tunable(tor_can_onion_services, false)
+
type tor_t;
type tor_exec_t;
init_daemon_domain(tor_t, tor_exec_t)
-@@ -25,13 +32,19 @@ init_script_file(tor_initrc_exec_t)
+@@ -25,13 +39,19 @@ init_script_file(tor_initrc_exec_t)
type tor_var_lib_t;
files_type(tor_var_lib_t)
@@ -111438,7 +111464,7 @@ index 5ceacde..c919a2d 100644
########################################
#
-@@ -48,6 +61,8 @@ allow tor_t tor_etc_t:dir list_dir_perms;
+@@ -48,6 +68,8 @@ allow tor_t tor_etc_t:dir list_dir_perms;
allow tor_t tor_etc_t:file read_file_perms;
allow tor_t tor_etc_t:lnk_file read_lnk_file_perms;
@@ -111447,7 +111473,7 @@ index 5ceacde..c919a2d 100644
manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
-@@ -77,7 +92,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
+@@ -77,7 +99,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
corenet_udp_sendrecv_generic_node(tor_t)
corenet_tcp_bind_generic_node(tor_t)
corenet_udp_bind_generic_node(tor_t)
@@ -111455,7 +111481,7 @@ index 5ceacde..c919a2d 100644
corenet_sendrecv_dns_server_packets(tor_t)
corenet_udp_bind_dns_port(tor_t)
corenet_udp_sendrecv_dns_port(tor_t)
-@@ -85,6 +99,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
+@@ -85,6 +106,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
corenet_sendrecv_tor_server_packets(tor_t)
corenet_tcp_bind_tor_port(tor_t)
corenet_tcp_sendrecv_tor_port(tor_t)
@@ -111463,7 +111489,7 @@ index 5ceacde..c919a2d 100644
corenet_sendrecv_all_client_packets(tor_t)
corenet_tcp_connect_all_ports(tor_t)
-@@ -98,19 +113,22 @@ dev_read_urand(tor_t)
+@@ -98,19 +120,26 @@ dev_read_urand(tor_t)
domain_use_interactive_fds(tor_t)
files_read_etc_runtime_files(tor_t)
@@ -111485,6 +111511,10 @@ index 5ceacde..c919a2d 100644
+ corenet_tcp_connect_all_ephemeral_ports(tor_t)
+ corenet_tcp_bind_http_port(tor_t)
+')
++
++tunable_policy(`tor_can_onion_services',`
++ allow tor_t self:capability { dac_read_search dac_override };
++')
+
optional_policy(`
seutil_sigchld_newrole(tor_t)
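Review bot: The new `tor_can_onion_services` block grants `dac_override` together with `dac_read_search`; `dac_read_search` alone lets tor_t traverse and read a service directory owned by another user (presumably the case being fixed), whereas `dac_override` also lifts DAC write and execute checks on everything tor_t can otherwise reach. Unless a denial shows a write path that needs it, `allow tor_t self:capability dac_read_search;` is the tighter rule, with `dac_override` added only on evidence. The tunable's description in the earlier hunk (`Allow tor to run onion services`) should also say that enabling the boolean lifts DAC checks for the tor daemon, so administrators know what it costs.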
@@ -112061,10 +112091,10 @@ index 0000000..45304ea
+')
diff --git a/udisks2.te b/udisks2.te
new file mode 100644
-index 0000000..5312470
+index 0000000..617ee56
--- /dev/null
+++ b/udisks2.te
-@@ -0,0 +1,57 @@
+@@ -0,0 +1,58 @@
+policy_module(udisks2, 1.0.0)
+
+########################################
@@ -112112,6 +112142,7 @@ index 0000000..5312470
+logging_send_syslog_msg(udisks2_t)
+
+storage_raw_read_fixed_disk(udisks2_t)
++storage_raw_read_removable_device(udisks2_t)
+
+udev_read_db(udisks2_t)
+
@@ -115918,7 +115949,7 @@ index facdee8..b5a815a 100644
+ dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
')
diff --git a/virt.te b/virt.te
-index f03dcf5..066b1c3 100644
+index f03dcf5..ac277da 100644
--- a/virt.te
+++ b/virt.te
@@ -1,451 +1,422 @@
@@ -116955,7 +116986,7 @@ index f03dcf5..066b1c3 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -746,44 +727,350 @@ optional_policy(`
+@@ -746,44 +727,353 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@@ -117016,6 +117047,9 @@ index f03dcf5..066b1c3 100644
-can_exec(virsh_t, virsh_exec_t)
+allow virtlogd_t self:unix_stream_socket create_stream_socket_perms;
+
++# Allow virtlogd_t to execute itself.
++allow virtlogd_t virtlogd_exec_t:file execute_no_trans;
++
+dev_read_sysfs(virtlogd_t)
+
+logging_send_syslog_msg(virtlogd_t)
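Review bot: The comment above the new rule only restates it; a why-comment would help more, e.g. `# virtlogd re-executes its own binary (presumably on reload); no domain transition wanted` — confirm the trigger against virtlogd before committing to the wording. This file elsewhere expresses the same grant through the `can_exec()` interface (see the removed `can_exec(virsh_t, virsh_exec_t)` line in this hunk), which bundles the read/open/execute permissions an exec needs with `execute_no_trans`, so `can_exec(virtlogd_t, virtlogd_exec_t)` would be the idiomatic form here rather than a bare `execute_no_trans` that may leave a read or map denial behind.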
@@ -117104,7 +117138,7 @@ index f03dcf5..066b1c3 100644
+stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t)
+
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
-
++
+dontaudit virt_domain virt_tmpfs_type:file { read write };
+
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
@@ -117153,7 +117187,7 @@ index f03dcf5..066b1c3 100644
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
-+
+
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+miscfiles_read_generic_certs(virt_domain)
@@ -117328,7 +117362,7 @@ index f03dcf5..066b1c3 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1081,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1084,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -117355,7 +117389,7 @@ index f03dcf5..066b1c3 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1101,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1104,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -117389,7 +117423,7 @@ index f03dcf5..066b1c3 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1138,20 @@ optional_policy(`
+@@ -856,14 +1141,20 @@ optional_policy(`
')
optional_policy(`
@@ -117411,7 +117445,7 @@ index f03dcf5..066b1c3 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1176,66 @@ optional_policy(`
+@@ -888,49 +1179,66 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -117496,7 +117530,7 @@ index f03dcf5..066b1c3 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1247,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1250,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -117516,7 +117550,7 @@ index f03dcf5..066b1c3 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1268,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1271,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -117540,7 +117574,7 @@ index f03dcf5..066b1c3 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1293,296 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1296,296 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -117571,8 +117605,7 @@ index f03dcf5..066b1c3 100644
+optional_policy(`
+ container_exec_lib(virtd_lxc_t)
+')
-
--sysnet_domtrans_ifconfig(virtd_lxc_t)
++
+optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t)
+')
@@ -117580,7 +117613,8 @@ index f03dcf5..066b1c3 100644
+optional_policy(`
+ setrans_manage_pid_files(virtd_lxc_t)
+')
-+
+
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(`
+ unconfined_domain(virtd_lxc_t)
+')
@@ -117703,6 +117737,21 @@ index f03dcf5..066b1c3 100644
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
++
++optional_policy(`
++tunable_policy(`virt_sandbox_share_apache_content',`
++ apache_exec_modules(svirt_sandbox_domain)
++ apache_read_sys_content(svirt_sandbox_domain)
++ ')
++')
++
++optional_policy(`
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++')
++
++optional_policy(`
++ ssh_use_ptys(svirt_sandbox_domain)
++')
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -117787,31 +117836,14 @@ index f03dcf5..066b1c3 100644
-
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
-+tunable_policy(`virt_sandbox_share_apache_content',`
-+ apache_exec_modules(svirt_sandbox_domain)
-+ apache_read_sys_content(svirt_sandbox_domain)
-+ ')
-+')
-+
-+optional_policy(`
-+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
-+ ssh_use_ptys(svirt_sandbox_domain)
++ udev_read_pid_files(svirt_sandbox_domain)
+')
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
-+ udev_read_pid_files(svirt_sandbox_domain)
- ')
-
- optional_policy(`
-- apache_exec_modules(svirt_lxc_domain)
-- apache_read_sys_content(svirt_lxc_domain)
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
- ')
-
++')
++
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(svirt_sandbox_domain)
+ fs_manage_nfs_files(svirt_sandbox_domain)
@@ -117838,9 +117870,11 @@ index f03dcf5..066b1c3 100644
+ fs_mount_fusefs(svirt_sandbox_domain)
+ fs_unmount_fusefs(svirt_sandbox_domain)
+ fs_exec_fusefs_files(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- apache_exec_modules(svirt_lxc_domain)
+- apache_read_sys_content(svirt_lxc_domain)
+ container_read_share_files(svirt_sandbox_domain)
+ container_exec_share_files(svirt_sandbox_domain)
+ container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file)
@@ -117848,23 +117882,16 @@ index f03dcf5..066b1c3 100644
+ container_spc_stream_connect(svirt_sandbox_domain)
+ fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
+ dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)
-+')
-+
-+########################################
-+#
-+# container_t local policy
-+#
-+virt_sandbox_domain_template(container)
-+typealias container_t alias svirt_lxc_net_t;
-+# Policy moved to container-selinux policy package
-+
+ ')
+
########################################
#
-# Lxc net local policy
+# container_t local policy
#
-+virt_sandbox_domain_template(svirt_qemu_net)
-+typeattribute svirt_qemu_net_t sandbox_net_domain;
++virt_sandbox_domain_template(container)
++typealias container_t alias svirt_lxc_net_t;
++# Policy moved to container-selinux policy package
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
-dontaudit svirt_lxc_net_t self:capability2 block_suspend;
@@ -117877,17 +117904,18 @@ index f03dcf5..066b1c3 100644
-allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
-allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
-allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
-+dontaudit svirt_qemu_net_t self:capability2 block_suspend;
-+allow svirt_qemu_net_t self:process { execstack execmem };
++########################################
++#
++# container_t local policy
++#
++virt_sandbox_domain_template(svirt_qemu_net)
++typeattribute svirt_qemu_net_t sandbox_net_domain;
-kernel_read_network_state(svirt_lxc_net_t)
-kernel_read_irq_sysctls(svirt_lxc_net_t)
-+tunable_policy(`virt_sandbox_use_netlink',`
-+ allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
-+ allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
-+ allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
-+')
++allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
++dontaudit svirt_qemu_net_t self:capability2 block_suspend;
++allow svirt_qemu_net_t self:process { execstack execmem };
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
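Review bot: The section header the new side places above `virt_sandbox_domain_template(svirt_qemu_net)` reads `# container_t local policy`, the same title the patch gives the real container_t section a few lines earlier (above `virt_sandbox_domain_template(container)`), so a reader scanning headers finds two container_t sections and none for svirt_qemu_net_t. It should name this domain: `# svirt_qemu_net_t local policy`. The svirt_qemu_net_t rules continue in the following hunks.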
@@ -117899,6 +117927,15 @@ index f03dcf5..066b1c3 100644
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
++tunable_policy(`virt_sandbox_use_netlink',`
++ allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
++ allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
++ allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
++')
+
+-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
+-corenet_udp_bind_all_ports(svirt_lxc_net_t)
+-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
+manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_fifo_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
@@ -117906,55 +117943,52 @@ index f03dcf5..066b1c3 100644
+manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file })
--corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
--corenet_udp_bind_all_ports(svirt_lxc_net_t)
--corenet_tcp_bind_all_ports(svirt_lxc_net_t)
-+term_use_generic_ptys(svirt_qemu_net_t)
-+term_use_ptmx(svirt_qemu_net_t)
-
-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
-+dev_rw_kvm(svirt_qemu_net_t)
++term_use_generic_ptys(svirt_qemu_net_t)
++term_use_ptmx(svirt_qemu_net_t)
-dev_getattr_mtrr_dev(svirt_lxc_net_t)
-dev_read_rand(svirt_lxc_net_t)
-dev_read_sysfs(svirt_lxc_net_t)
-dev_read_urand(svirt_lxc_net_t)
-+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
++dev_rw_kvm(svirt_qemu_net_t)
-files_read_kernel_modules(svirt_lxc_net_t)
-+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
++manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
-fs_mount_cgroup(svirt_lxc_net_t)
-fs_manage_cgroup_dirs(svirt_lxc_net_t)
-fs_rw_cgroup_files(svirt_lxc_net_t)
-+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
++list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
++read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-auth_use_nsswitch(svirt_lxc_net_t)
-+kernel_read_irq_sysctls(svirt_qemu_net_t)
++append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
-logging_send_audit_msgs(svirt_lxc_net_t)
++kernel_read_irq_sysctls(svirt_qemu_net_t)
+
+-userdom_use_user_ptys(svirt_lxc_net_t)
+dev_read_sysfs(svirt_qemu_net_t)
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
+dev_read_rand(svirt_qemu_net_t)
+dev_read_urand(svirt_qemu_net_t)
--userdom_use_user_ptys(svirt_lxc_net_t)
-+files_read_kernel_modules(svirt_qemu_net_t)
-
-optional_policy(`
- rpm_read_db(svirt_lxc_net_t)
-')
-+fs_noxattr_type(container_file_t)
-+fs_mount_cgroup(svirt_qemu_net_t)
-+fs_manage_cgroup_dirs(svirt_qemu_net_t)
-+fs_manage_cgroup_files(svirt_qemu_net_t)
++files_read_kernel_modules(svirt_qemu_net_t)
-#######################################
-#
-# Prot exec local policy
-#
++fs_noxattr_type(container_file_t)
++fs_mount_cgroup(svirt_qemu_net_t)
++fs_manage_cgroup_dirs(svirt_qemu_net_t)
++fs_manage_cgroup_files(svirt_qemu_net_t)
++
+term_pty(container_file_t)
+
+auth_use_nsswitch(svirt_qemu_net_t)
@@ -117984,7 +118018,7 @@ index f03dcf5..066b1c3 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1595,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1598,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -117999,7 +118033,7 @@ index f03dcf5..066b1c3 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,7 +1613,7 @@ optional_policy(`
+@@ -1192,7 +1616,7 @@ optional_policy(`
########################################
#
@@ -118008,7 +118042,7 @@ index f03dcf5..066b1c3 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1622,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1625,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
@@ -118240,6 +118274,7 @@ index f03dcf5..066b1c3 100644
+kernel_read_network_state(sandbox_net_domain)
+
+allow sandbox_net_domain self:capability { net_raw net_admin net_bind_service };
++allow sandbox_net_domain self:cap_userns { net_raw net_admin net_bind_service };
+
+allow sandbox_net_domain self:udp_socket create_socket_perms;
+allow sandbox_net_domain self:tcp_socket create_stream_socket_perms;
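Review bot: The added `cap_userns` rule for sandbox_net_domain is a verbatim copy of the capability set on the `capability` rule directly above it, with nothing saying why; the hunk for sandbox_caps_domain that follows has the same shape. A one-line comment would spare the next reader the guess, e.g. `# cap_userns: the same set when the container runs inside a user namespace` (the user-namespace motivation is inferred from the class name — confirm). Keeping two long lists in lockstep by hand invites drift; if the file's m4 conventions allow it, define the set once and use it in both rules.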
@@ -118267,6 +118302,7 @@ index f03dcf5..066b1c3 100644
+')
+
+allow sandbox_caps_domain self:capability { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
++allow sandbox_caps_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
+
+list_dirs_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t)
+read_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t)
@@ -121629,7 +121665,7 @@ index dd63de0..38ce620 100644
- admin_pattern($1, zabbix_tmpfs_t)
')
diff --git a/zabbix.te b/zabbix.te
-index 7f496c6..aab4f86 100644
+index 7f496c6..bf2ae51 100644
--- a/zabbix.te
+++ b/zabbix.te
@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
@@ -121879,7 +121915,7 @@ index 7f496c6..aab4f86 100644
corenet_sendrecv_zabbix_client_packets(zabbix_agent_t)
corenet_tcp_connect_zabbix_port(zabbix_agent_t)
corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
-@@ -177,21 +218,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
+@@ -177,21 +218,50 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
dev_getattr_all_blk_files(zabbix_agent_t)
dev_getattr_all_chr_files(zabbix_agent_t)
@@ -121923,6 +121959,7 @@ index 7f496c6..aab4f86 100644
+allow zabbix_t zabbix_script_exec_t:dir search_dir_perms;
+allow zabbix_t zabbix_script_exec_t:dir read_file_perms;
+allow zabbix_t zabbix_script_exec_t:file ioctl;
++allow zabbix_t zabbix_script_t:process signal;
+
+init_domtrans_script(zabbix_script_t)
+
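Review bot: The new `allow zabbix_t zabbix_script_t:process signal;` does not grant `sigkill`, while the merged branch is named allow_zabbix_t_to_kill_zabbix_script_t; in the SELinux process class `signal` excludes SIGKILL (and SIGSTOP/SIGCHLD), which have their own permissions. If the server terminates timed-out scripts with SIGKILL the rule should read `allow zabbix_t zabbix_script_t:process { signal sigkill };` (or `signal_perms` if the whole set is wanted); if a plain SIGTERM is what the denial showed, a comment saying so would stop the next reader from widening it.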
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 64a3b35f..0a0d7bbf 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 256%{?dist}
+Release: 258%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -689,6 +689,25 @@ exit 0
%endif
%changelog
+* Thu Jun 08 2017 Lukas Vrabec - 3.13.1-257
+- Merge pull request #10 from mscherer/fix_tor_dac
+- Merge pull request #9 from rhatdan/rawhide
+- Merge pull request #13 from vinzent/allow_zabbix_t_to_kill_zabbix_script_t
+- Allow kdumpgui to read removable disk device
+- Allow systemd_dbusd_t domain read/write to nvme devices
+- Allow udisks2 domain to read removable devices BZ(1443981)
+- Allow virtlogd_t to execute itself
+- Allow keepalived to read/write usermodehelper state
+- Allow named_t to bind on udp 4321 port
+- Fix interface tlp_manage_pid_files()
+- Allow collectd domain read lvm config files. BZ(1459097)
+- Merge branch 'rawhide' of github.com:wrabcak/selinux-policy-contrib into rawhide
+- Allow samba_manage_home_dirs boolean to manage user content
+- Merge pull request #14 from lemenkov/rabbitmq_systemd_notify
+- Allow pki_tomcat_t execute ldconfig.
+- Merge pull request #191 from rhatdan/udev
+- Allow systemd_modules_load_t to load modules
+
* Mon Jun 05 2017 Lukas Vrabec - 3.13.1-256
- Allow keepalived domain connect to squid tcp port
- Allow krb5kdc_t domain read realmd lib files.