Add latest fixes

2013-02-22 13:31:10 +01:00 · 2013-02-22 13:31:10 +01:00 · 7ed95be644
parent 2aca9b6e0b
commit 7ed95be644
2 changed files with 311 additions and 190 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -31994,10 +31994,10 @@ index 0000000..595f756
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..a4b0917
+index 0000000..8b02900
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1041 @@
+@@ -0,0 +1,1043 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@ -33016,12 +33016,13 @@ index 0000000..a4b0917
 +
 +	allow $1 systemd_timedated_t:dbus send_msg;
 +	allow systemd_timedated_t $1:dbus send_msg;
+	ps_process_pattern(systemd_hostnamed_t, $1)
 +')
 +
 +########################################
 +## <summary>
 +##	Send and receive messages from
-+##	systemd hostnamed over dbus.
+##	systemd timedated over dbus.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@ -33037,14 +33038,15 @@ index 0000000..a4b0917
 +
 +	allow $1 systemd_hostnamed_t:dbus send_msg;
 +	allow systemd_hostnamed_t $1:dbus send_msg;
+	ps_process_pattern(systemd_hostnamed_t, $1)
 +')
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..6c712b8
+index 0000000..913fc52
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,618 @@
+@@ -0,0 +1,620 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -33521,6 +33523,8 @@ index 0000000..6c712b8
 +seutil_read_config(systemd_localed_t)
 +seutil_read_file_contexts(systemd_localed_t)
 +
+logging_stream_connect_syslog(systemd_localed_t)
+
 +miscfiles_manage_localization(systemd_localed_t)
 +miscfiles_etc_filetrans_localization(systemd_localed_t)
 +
@ -35034,7 +35038,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..4efa151 100644
+index 3c5dba7..c270e54 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -35050,7 +35054,7 @@ index 3c5dba7..4efa151 100644
 	corecmd_shell_entry_type($1_t)
 	corecmd_bin_entry_type($1_t)
 	domain_user_exemption_target($1_t)
-@@ -44,79 +46,132 @@ template(`userdom_base_user_template',`
+@@ -44,79 +46,133 @@ template(`userdom_base_user_template',`
 	term_user_pty($1_t, user_devpts_t)
 
 	term_user_tty($1_t, user_tty_device_t)
@ -35202,6 +35206,7 @@ index 3c5dba7..4efa151 100644
 +	miscfiles_read_public_files($1_usertype)
 
 -	tunable_policy(`allow_execmem',`
+	systemd_dbus_chat_hostnamed($1_usertype)
 +	systemd_dbus_chat_logind($1_usertype)
 +	systemd_read_logind_sessions_files($1_usertype)
 +	systemd_write_inhibit_pipes($1_usertype)
@ -35235,7 +35240,7 @@ index 3c5dba7..4efa151 100644
 ')
 
 #######################################
-@@ -150,6 +205,8 @@ interface(`userdom_ro_home_role',`
+@@ -150,6 +206,8 @@ interface(`userdom_ro_home_role',`
 		type user_home_t, user_home_dir_t;
 	')
 
@ -35244,7 +35249,7 @@ index 3c5dba7..4efa151 100644
 	##############################
 	#
 	# Domain access to home dir
-@@ -167,27 +224,6 @@ interface(`userdom_ro_home_role',`
+@@ -167,27 +225,6 @@ interface(`userdom_ro_home_role',`
 	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
 	files_list_home($2)
 
@ -35272,7 +35277,7 @@ index 3c5dba7..4efa151 100644
 ')
 
 #######################################
-@@ -219,8 +255,11 @@ interface(`userdom_ro_home_role',`
+@@ -219,8 +256,11 @@ interface(`userdom_ro_home_role',`
 interface(`userdom_manage_home_role',`
 	gen_require(`
 		type user_home_t, user_home_dir_t;
@ -35284,7 +35289,7 @@ index 3c5dba7..4efa151 100644
 	##############################
 	#
 	# Domain access to home dir
-@@ -229,43 +268,47 @@ interface(`userdom_manage_home_role',`
+@@ -229,43 +269,47 @@ interface(`userdom_manage_home_role',`
 	type_member $2 user_home_dir_t:dir user_home_dir_t;
 
 	# full control of the home directory
@ -35348,7 +35353,7 @@ index 3c5dba7..4efa151 100644
 	')
 ')
 
-@@ -273,6 +316,25 @@ interface(`userdom_manage_home_role',`
+@@ -273,6 +317,25 @@ interface(`userdom_manage_home_role',`
 ## <summary>
 ##	Manage user temporary files
 ## </summary>
@ -35374,7 +35379,7 @@ index 3c5dba7..4efa151 100644
 ## <param name="role">
 ##	<summary>
 ##	Role allowed access.
-@@ -287,17 +349,64 @@ interface(`userdom_manage_home_role',`
+@@ -287,17 +350,64 @@ interface(`userdom_manage_home_role',`
 #
 interface(`userdom_manage_tmp_role',`
 	gen_require(`
@ -35444,7 +35449,7 @@ index 3c5dba7..4efa151 100644
 ')
 
 #######################################
-@@ -317,11 +426,31 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -317,11 +427,31 @@ interface(`userdom_exec_user_tmp_files',`
 	')
 
 	exec_files_pattern($1, user_tmp_t, user_tmp_t)
@ -35476,7 +35481,7 @@ index 3c5dba7..4efa151 100644
 ##	Role access for the user tmpfs type
 ##	that the user has full access.
 ## </summary>
-@@ -348,59 +477,60 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -348,59 +478,60 @@ interface(`userdom_exec_user_tmp_files',`
 #
 interface(`userdom_manage_tmpfs_role',`
 	gen_require(`
@ -35567,7 +35572,7 @@ index 3c5dba7..4efa151 100644
 ')
 
 #######################################
-@@ -431,6 +561,7 @@ template(`userdom_xwindows_client_template',`
+@@ -431,6 +562,7 @@ template(`userdom_xwindows_client_template',`
 	dev_dontaudit_rw_dri($1_t)
 	# GNOME checks for usb and other devices:
 	dev_rw_usbfs($1_t)
@ -35575,7 +35580,7 @@ index 3c5dba7..4efa151 100644
 
 	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
 	xserver_xsession_entry_type($1_t)
-@@ -463,8 +594,8 @@ template(`userdom_change_password_template',`
+@@ -463,8 +595,8 @@ template(`userdom_change_password_template',`
 	')
 
 	optional_policy(`
@ -35586,7 +35591,7 @@ index 3c5dba7..4efa151 100644
 	')
 ')
 
-@@ -491,7 +622,8 @@ template(`userdom_common_user_template',`
+@@ -491,7 +623,8 @@ template(`userdom_common_user_template',`
 		attribute unpriv_userdomain;
 	')
 
@ -35596,7 +35601,7 @@ index 3c5dba7..4efa151 100644
 
 	##############################
 	#
-@@ -501,41 +633,51 @@ template(`userdom_common_user_template',`
+@@ -501,41 +634,51 @@ template(`userdom_common_user_template',`
 	# evolution and gnome-session try to create a netlink socket
 	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@ -35671,7 +35676,7 @@ index 3c5dba7..4efa151 100644
 
 	# cjp: some of this probably can be removed
 	selinux_get_fs_mount($1_t)
-@@ -546,93 +688,121 @@ template(`userdom_common_user_template',`
+@@ -546,93 +689,121 @@ template(`userdom_common_user_template',`
 	selinux_compute_user_contexts($1_t)
 
 	# for eject
@ -35831,7 +35836,7 @@ index 3c5dba7..4efa151 100644
 	')
 
 	optional_policy(`
-@@ -646,19 +816,17 @@ template(`userdom_common_user_template',`
+@@ -646,19 +817,17 @@ template(`userdom_common_user_template',`
 
 	# for running depmod as part of the kernel packaging process
 	optional_policy(`
@ -35856,7 +35861,7 @@ index 3c5dba7..4efa151 100644
 			mysql_stream_connect($1_t)
 		')
 	')
-@@ -671,7 +839,7 @@ template(`userdom_common_user_template',`
+@@ -671,7 +840,7 @@ template(`userdom_common_user_template',`
 
 	optional_policy(`
 		# to allow monitoring of pcmcia status
@ -35865,7 +35870,7 @@ index 3c5dba7..4efa151 100644
 	')
 
 	optional_policy(`
-@@ -680,9 +848,9 @@ template(`userdom_common_user_template',`
+@@ -680,9 +849,9 @@ template(`userdom_common_user_template',`
 	')
 
 	optional_policy(`
@ -35878,7 +35883,7 @@ index 3c5dba7..4efa151 100644
 		')
 	')
 
-@@ -693,32 +861,36 @@ template(`userdom_common_user_template',`
+@@ -693,32 +862,36 @@ template(`userdom_common_user_template',`
 	')
 
 	optional_policy(`
@ -35926,7 +35931,7 @@ index 3c5dba7..4efa151 100644
 	')
 ')
 
-@@ -743,17 +915,33 @@ template(`userdom_common_user_template',`
+@@ -743,17 +916,33 @@ template(`userdom_common_user_template',`
 template(`userdom_login_user_template', `
 	gen_require(`
 		class context contains;
@ -35965,7 +35970,7 @@ index 3c5dba7..4efa151 100644
 
 	userdom_change_password_template($1)
 
-@@ -761,82 +949,100 @@ template(`userdom_login_user_template', `
+@@ -761,82 +950,100 @@ template(`userdom_login_user_template', `
 	#
 	# User domain Local policy
 	#
@ -36102,7 +36107,7 @@ index 3c5dba7..4efa151 100644
 	')
 ')
 
-@@ -868,6 +1074,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1075,12 @@ template(`userdom_restricted_user_template',`
 	typeattribute $1_t unpriv_userdomain;
 	domain_interactive_fd($1_t)
 
@ -36115,7 +36120,7 @@ index 3c5dba7..4efa151 100644
 	##############################
 	#
 	# Local policy
-@@ -908,41 +1120,97 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -908,41 +1121,97 @@ template(`userdom_restricted_xwindows_user_template',`
 	# Local policy
 	#
 
@ -36226,7 +36231,7 @@ index 3c5dba7..4efa151 100644
 		')
 
 		optional_policy(`
-@@ -951,12 +1219,30 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -951,12 +1220,30 @@ template(`userdom_restricted_xwindows_user_template',`
 	')
 
 	optional_policy(`
@ -36258,7 +36263,7 @@ index 3c5dba7..4efa151 100644
 ')
 
 #######################################
-@@ -990,27 +1276,33 @@ template(`userdom_unpriv_user_template', `
+@@ -990,27 +1277,33 @@ template(`userdom_unpriv_user_template', `
 	#
 
 	# Inherit rules for ordinary users.
@ -36296,7 +36301,7 @@ index 3c5dba7..4efa151 100644
 			fs_manage_noxattr_fs_files($1_t)
 			fs_manage_noxattr_fs_dirs($1_t)
 			# Write floppies
-@@ -1021,23 +1313,57 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,23 +1314,57 @@ template(`userdom_unpriv_user_template', `
 		')
 	')
 
@ -36364,7 +36369,7 @@ index 3c5dba7..4efa151 100644
 	')
 
 	# Run pppd in pppd_t by default for user
-@@ -1046,7 +1372,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1046,7 +1373,9 @@ template(`userdom_unpriv_user_template', `
 	')
 
 	optional_policy(`
@ -36375,7 +36380,7 @@ index 3c5dba7..4efa151 100644
 	')
 ')
 
-@@ -1082,7 +1410,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1082,7 +1411,7 @@ template(`userdom_unpriv_user_template', `
 template(`userdom_admin_user_template',`
 	gen_require(`
 		attribute admindomain;
@ -36384,7 +36389,7 @@ index 3c5dba7..4efa151 100644
 	')
 
 	##############################
-@@ -1109,6 +1437,7 @@ template(`userdom_admin_user_template',`
+@@ -1109,6 +1438,7 @@ template(`userdom_admin_user_template',`
 	#
 
 	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@ -36392,7 +36397,7 @@ index 3c5dba7..4efa151 100644
 	allow $1_t self:process { setexec setfscreate };
 	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
 	allow $1_t self:tun_socket create;
-@@ -1117,6 +1446,9 @@ template(`userdom_admin_user_template',`
+@@ -1117,6 +1447,9 @@ template(`userdom_admin_user_template',`
 	# Skip authentication when pam_rootok is specified.
 	allow $1_t self:passwd rootok;
 
@ -36402,7 +36407,7 @@ index 3c5dba7..4efa151 100644
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
 	kernel_getattr_message_if($1_t)
-@@ -1131,6 +1463,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1464,7 @@ template(`userdom_admin_user_template',`
 	kernel_sigstop_unlabeled($1_t)
 	kernel_signull_unlabeled($1_t)
 	kernel_sigchld_unlabeled($1_t)
@ -36410,7 +36415,7 @@ index 3c5dba7..4efa151 100644
 
 	corenet_tcp_bind_generic_port($1_t)
 	# allow setting up tunnels
-@@ -1148,10 +1481,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1482,14 @@ template(`userdom_admin_user_template',`
 	dev_rename_all_blk_files($1_t)
 	dev_rename_all_chr_files($1_t)
 	dev_create_generic_symlinks($1_t)
@ -36425,7 +36430,7 @@ index 3c5dba7..4efa151 100644
 	domain_dontaudit_ptrace_all_domains($1_t)
 	# signal all domains:
 	domain_kill_all_domains($1_t)
-@@ -1162,30 +1499,39 @@ template(`userdom_admin_user_template',`
+@@ -1162,30 +1500,39 @@ template(`userdom_admin_user_template',`
 	domain_sigchld_all_domains($1_t)
 	# for lsof
 	domain_getattr_all_sockets($1_t)
@ -36470,7 +36475,7 @@ index 3c5dba7..4efa151 100644
 	# The following rule is temporary until such time that a complete
 	# policy management infrastructure is in place so that an administrator
 	# cannot directly manipulate policy files with arbitrary programs.
-@@ -1194,6 +1540,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1541,8 @@ template(`userdom_admin_user_template',`
 	# But presently necessary for installing the file_contexts file.
 	seutil_manage_bin_policy($1_t)
 
@ -36479,7 +36484,7 @@ index 3c5dba7..4efa151 100644
 	userdom_manage_user_home_content_dirs($1_t)
 	userdom_manage_user_home_content_files($1_t)
 	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1549,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1550,17 @@ template(`userdom_admin_user_template',`
 	userdom_manage_user_home_content_sockets($1_t)
 	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
 
@ -36498,7 +36503,7 @@ index 3c5dba7..4efa151 100644
 	optional_policy(`
 		postgresql_unconfined($1_t)
 	')
-@@ -1253,6 +1605,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1606,8 @@ template(`userdom_security_admin_template',`
 	dev_relabel_all_dev_nodes($1)
 
 	files_create_boot_flag($1)
@ -36507,7 +36512,7 @@ index 3c5dba7..4efa151 100644
 
 	# Necessary for managing /boot/efi
 	fs_manage_dos_files($1)
-@@ -1265,8 +1619,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1620,10 @@ template(`userdom_security_admin_template',`
 	selinux_set_enforce_mode($1)
 	selinux_set_all_booleans($1)
 	selinux_set_parameters($1)
@ -36519,7 +36524,7 @@ index 3c5dba7..4efa151 100644
 	auth_relabel_shadow($1)
 
 	init_exec($1)
-@@ -1277,29 +1633,31 @@ template(`userdom_security_admin_template',`
+@@ -1277,29 +1634,31 @@ template(`userdom_security_admin_template',`
 	logging_read_audit_config($1)
 
 	seutil_manage_bin_policy($1)
@ -36562,7 +36567,7 @@ index 3c5dba7..4efa151 100644
 	')
 
 	optional_policy(`
-@@ -1360,14 +1718,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1719,17 @@ interface(`userdom_user_home_content',`
 	gen_require(`
 		attribute user_home_content_type;
 		type user_home_t;
@ -36581,7 +36586,7 @@ index 3c5dba7..4efa151 100644
 ')
 
 ########################################
-@@ -1408,6 +1769,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1770,51 @@ interface(`userdom_user_tmpfs_file',`
 ## <summary>
 ##	Allow domain to attach to TUN devices created by administrative users.
 ## </summary>
@ -36633,7 +36638,7 @@ index 3c5dba7..4efa151 100644
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
-@@ -1512,11 +1918,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1919,31 @@ interface(`userdom_search_user_home_dirs',`
 	')
 
 	allow $1 user_home_dir_t:dir search_dir_perms;
@ -36665,7 +36670,7 @@ index 3c5dba7..4efa151 100644
 ##	Do not audit attempts to search user home directories.
 ## </summary>
 ## <desc>
-@@ -1558,6 +1984,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +1985,14 @@ interface(`userdom_list_user_home_dirs',`
 
 	allow $1 user_home_dir_t:dir list_dir_perms;
 	files_search_home($1)
@ -36680,7 +36685,7 @@ index 3c5dba7..4efa151 100644
 ')
 
 ########################################
-@@ -1573,9 +2007,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +2008,11 @@ interface(`userdom_list_user_home_dirs',`
 interface(`userdom_dontaudit_list_user_home_dirs',`
 	gen_require(`
 		type user_home_dir_t;
@ -36692,7 +36697,7 @@ index 3c5dba7..4efa151 100644
 ')
 
 ########################################
-@@ -1632,6 +2068,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2069,42 @@ interface(`userdom_relabelto_user_home_dirs',`
 	allow $1 user_home_dir_t:dir relabelto;
 ')
 
@ -36735,7 +36740,7 @@ index 3c5dba7..4efa151 100644
 ########################################
 ## <summary>
 ##	Create directories in the home dir root with
-@@ -1711,6 +2183,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2184,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
 	')
 
 	dontaudit $1 user_home_t:dir search_dir_perms;
@ -36744,7 +36749,7 @@ index 3c5dba7..4efa151 100644
 ')
 
 ########################################
-@@ -1744,10 +2218,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2219,12 @@ interface(`userdom_list_all_user_home_content',`
 #
 interface(`userdom_list_user_home_content',`
 	gen_require(`
@ -36759,7 +36764,7 @@ index 3c5dba7..4efa151 100644
 ')
 
 ########################################
-@@ -1772,7 +2248,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2249,7 @@ interface(`userdom_manage_user_home_content_dirs',`
 
 ########################################
 ## <summary>
@ -36768,7 +36773,7 @@ index 3c5dba7..4efa151 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1780,19 +2256,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1780,19 +2257,17 @@ interface(`userdom_manage_user_home_content_dirs',`
 ##	</summary>
 ## </param>
 #
@ -36792,7 +36797,7 @@ index 3c5dba7..4efa151 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1800,31 +2274,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1800,31 +2275,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
 ##	</summary>
 ## </param>
 #
@ -36832,7 +36837,7 @@ index 3c5dba7..4efa151 100644
 ')
 
 ########################################
-@@ -1848,6 +2322,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2323,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
 
 ########################################
 ## <summary>
@ -36858,7 +36863,7 @@ index 3c5dba7..4efa151 100644
 ##	Mmap user home files.
 ## </summary>
 ## <param name="domain">
-@@ -1878,14 +2371,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2372,36 @@ interface(`userdom_mmap_user_home_content_files',`
 interface(`userdom_read_user_home_content_files',`
 	gen_require(`
 		type user_home_dir_t, user_home_t;
@ -36896,7 +36901,7 @@ index 3c5dba7..4efa151 100644
 ##	Do not audit attempts to read user home files.
 ## </summary>
 ## <param name="domain">
-@@ -1896,11 +2411,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2412,14 @@ interface(`userdom_read_user_home_content_files',`
 #
 interface(`userdom_dontaudit_read_user_home_content_files',`
 	gen_require(`
@ -36914,7 +36919,7 @@ index 3c5dba7..4efa151 100644
 ')
 
 ########################################
-@@ -1941,7 +2459,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1941,7 +2460,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
 
 ########################################
 ## <summary>
@ -36941,7 +36946,7 @@ index 3c5dba7..4efa151 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1951,17 +2487,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1951,17 +2488,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
 #
 interface(`userdom_delete_all_user_home_content_files',`
 	gen_require(`
@ -36962,7 +36967,7 @@ index 3c5dba7..4efa151 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1969,12 +2503,48 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1969,12 +2504,48 @@ interface(`userdom_delete_all_user_home_content_files',`
 ##	</summary>
 ## </param>
 #
@ -37013,7 +37018,7 @@ index 3c5dba7..4efa151 100644
 ')
 
 ########################################
-@@ -2010,8 +2580,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2010,8 +2581,7 @@ interface(`userdom_read_user_home_content_symlinks',`
 		type user_home_dir_t, user_home_t;
 	')
 
@ -37023,7 +37028,7 @@ index 3c5dba7..4efa151 100644
 ')
 
 ########################################
-@@ -2027,20 +2596,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2027,20 +2597,14 @@ interface(`userdom_read_user_home_content_symlinks',`
 #
 interface(`userdom_exec_user_home_content_files',`
 	gen_require(`
@ -37048,7 +37053,7 @@ index 3c5dba7..4efa151 100644
 
 ########################################
 ## <summary>
-@@ -2123,7 +2686,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2123,7 +2687,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
 
 ########################################
 ## <summary>
@ -37057,7 +37062,7 @@ index 3c5dba7..4efa151 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2131,19 +2694,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2695,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
 ##	</summary>
 ## </param>
 #
@ -37081,7 +37086,7 @@ index 3c5dba7..4efa151 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2151,12 +2712,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2713,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
 ##	</summary>
 ## </param>
 #
@ -37097,7 +37102,7 @@ index 3c5dba7..4efa151 100644
 ')
 
 ########################################
-@@ -2393,11 +2954,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +2955,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
 #
 interface(`userdom_read_user_tmp_files',`
 	gen_require(`
@ -37112,7 +37117,7 @@ index 3c5dba7..4efa151 100644
 	files_search_tmp($1)
 ')
 
-@@ -2417,7 +2978,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +2979,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
 		type user_tmp_t;
 	')
 
@ -37121,7 +37126,7 @@ index 3c5dba7..4efa151 100644
 ')
 
 ########################################
-@@ -2664,6 +3225,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3226,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
 	files_tmp_filetrans($1, user_tmp_t, $2, $3)
 ')
 
@ -37147,7 +37152,7 @@ index 3c5dba7..4efa151 100644
 ########################################
 ## <summary>
 ##	Read user tmpfs files.
-@@ -2680,13 +3260,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3261,14 @@ interface(`userdom_read_user_tmpfs_files',`
 	')
 
 	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@ -37163,7 +37168,7 @@ index 3c5dba7..4efa151 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2707,7 +3288,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3289,7 @@ interface(`userdom_rw_user_tmpfs_files',`
 
 ########################################
 ## <summary>
@ -37172,7 +37177,7 @@ index 3c5dba7..4efa151 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2715,19 +3296,17 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,19 +3297,17 @@ interface(`userdom_rw_user_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
@ -37195,7 +37200,7 @@ index 3c5dba7..4efa151 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2735,21 +3314,39 @@ interface(`userdom_manage_user_tmpfs_files',`
+@@ -2735,21 +3315,39 @@ interface(`userdom_manage_user_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
@ -37240,7 +37245,7 @@ index 3c5dba7..4efa151 100644
 ##	</summary>
 ## </param>
 #
-@@ -2817,6 +3414,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2817,6 +3415,24 @@ interface(`userdom_use_user_ttys',`
 
 ########################################
 ## <summary>
@ -37265,7 +37270,7 @@ index 3c5dba7..4efa151 100644
 ##	Read and write a user domain pty.
 ## </summary>
 ## <param name="domain">
-@@ -2835,22 +3450,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3451,34 @@ interface(`userdom_use_user_ptys',`
 
 ########################################
 ## <summary>
@ -37308,7 +37313,7 @@ index 3c5dba7..4efa151 100644
 ## </desc>
 ## <param name="domain">
 ##	<summary>
-@@ -2859,14 +3486,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3487,33 @@ interface(`userdom_use_user_ptys',`
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
@ -37346,7 +37351,7 @@ index 3c5dba7..4efa151 100644
 ')
 
 ########################################
-@@ -2885,8 +3531,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3532,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
 		type user_tty_device_t, user_devpts_t;
 	')
 
@ -37376,7 +37381,7 @@ index 3c5dba7..4efa151 100644
 ')
 
 ########################################
-@@ -2958,69 +3623,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3624,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
 	allow unpriv_userdomain $1:process sigchld;
 ')
 
@ -37477,7 +37482,7 @@ index 3c5dba7..4efa151 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3028,12 +3692,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3693,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
 ##	</summary>
 ## </param>
 #
@ -37492,7 +37497,7 @@ index 3c5dba7..4efa151 100644
 ')
 
 ########################################
-@@ -3097,7 +3761,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3762,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
 
 	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
 	allow unpriv_userdomain $1:fd use;
@ -37501,7 +37506,7 @@ index 3c5dba7..4efa151 100644
 	allow unpriv_userdomain $1:process sigchld;
 ')
 
-@@ -3113,29 +3777,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3778,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
 #
 interface(`userdom_search_user_home_content',`
 	gen_require(`
@ -37535,7 +37540,7 @@ index 3c5dba7..4efa151 100644
 ')
 
 ########################################
-@@ -3217,7 +3865,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3866,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
 		type user_devpts_t;
 	')
 
@ -37544,7 +37549,7 @@ index 3c5dba7..4efa151 100644
 ')
 
 ########################################
-@@ -3272,7 +3920,64 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +3921,64 @@ interface(`userdom_write_user_tmp_files',`
 		type user_tmp_t;
 	')
 
@ -37610,7 +37615,7 @@ index 3c5dba7..4efa151 100644
 ')
 
 ########################################
-@@ -3290,7 +3995,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3290,7 +3996,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
 		type user_tty_device_t;
 	')
 
@ -37619,7 +37624,7 @@ index 3c5dba7..4efa151 100644
 ')
 
 ########################################
-@@ -3309,6 +4014,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3309,6 +4015,7 @@ interface(`userdom_read_all_users_state',`
 	')
 
 	read_files_pattern($1, userdomain, userdomain)
@ -37627,7 +37632,7 @@ index 3c5dba7..4efa151 100644
 	kernel_search_proc($1)
 ')
 
-@@ -3385,6 +4091,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,6 +4092,42 @@ interface(`userdom_signal_all_users',`
 	allow $1 userdomain:process signal;
 ')
 
@ -37670,7 +37675,7 @@ index 3c5dba7..4efa151 100644
 ########################################
 ## <summary>
 ##	Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4147,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4148,24 @@ interface(`userdom_sigchld_all_users',`
 
 ########################################
 ## <summary>
@ -37695,7 +37700,7 @@ index 3c5dba7..4efa151 100644
 ##	Create keys for all user domains.
 ## </summary>
 ## <param name="domain">
-@@ -3439,3 +4199,1365 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3439,3 +4200,1365 @@ interface(`userdom_dbus_send_all_users',`
 
 	allow $1 userdomain:dbus send_msg;
 ')
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -64,7 +64,7 @@ index e4f84de..94697ea 100644
 +/var/cache/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
 +/var/spool/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 diff --git a/abrt.if b/abrt.if
-index 058d908..cce58bb 100644
+index 058d908..b7620e3 100644
 --- a/abrt.if
 +++ b/abrt.if
@@ -1,4 +1,26 @@
@ -314,7 +314,7 @@ index 058d908..cce58bb 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
-+	allow $1 abrt_unit_file_t:file read_file_perms;
+	allow $1 abrt_unit_file_t:file manage_file_perms;
 +	allow $1 abrt_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, abrt_t)
@ -16924,7 +16924,7 @@ index dda905b..31f269b 100644
 /var/named/chroot/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 +')
 diff --git a/dbus.if b/dbus.if
-index afcf3a2..90299b3 100644
+index afcf3a2..0730306 100644
 --- a/dbus.if
 +++ b/dbus.if
@@ -1,4 +1,4 @@
@ -17409,7 +17409,7 @@ index afcf3a2..90299b3 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -543,33 +387,57 @@ interface(`dbus_system_bus_unconfined',`
+@@ -543,33 +387,24 @@ interface(`dbus_system_bus_unconfined',`
 #
 interface(`dbus_system_domain',`
 	gen_require(`
@ -17425,122 +17425,114 @@ index afcf3a2..90299b3 100644
 -	role system_r types $1;
 -
 	domtrans_pattern(system_dbusd_t, $2, $1)
-+')
 
 -	dbus_system_bus_client($1)
 -	dbus_connect_system_bus($1)
 -
 -	ps_process_pattern(system_dbusd_t, $1)
-+########################################
-+## <summary>
-+##	Use and inherit system DBUS file descriptors.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dbus_use_system_bus_fds',`
-+	gen_require(`
-+		type system_dbusd_t;
-+	')
- 
+-
 -	userdom_read_all_users_state($1)
-+	allow $1 system_dbusd_t:fd use;
-+')
+	ps_process_pattern($1, system_dbusd_t)
 
 -	ifdef(`hide_broken_symptoms', `
 -		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
-+########################################
-+## <summary>
-+##	Allow unconfined access to the system DBUS.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dbus_unconfined',`
-+	gen_require(`
-+		attribute dbusd_unconfined;
- 	')
-+
-+	typeattribute $1 dbusd_unconfined;
+-	')
 ')
 
 ########################################
 ## <summary>
 -##	Use and inherit DBUS system bus
 -##	file descriptors.
-+##	Delete all dbus pid files
+##	Use and inherit system DBUS file descriptors.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -577,18 +445,20 @@ interface(`dbus_system_domain',`
- ##	</summary>
- ## </param>
- #
-interface(`dbus_use_system_bus_fds',`
-+interface(`dbus_delete_pid_files',`
- 	gen_require(`
-		type system_dbusd_t;
-+		type system_dbusd_var_run_t;
- 	')
- 
-	allow $1 system_dbusd_t:fd use;
-+	files_search_pids($1)
-+	delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
- ')
+@@ -587,26 +422,25 @@ interface(`dbus_use_system_bus_fds',`
 
 ########################################
 ## <summary>
 -##	Do not audit attempts to read and
 -##	write DBUS system bus TCP sockets.
-+##	Do not audit attempts to connect to
-+##	session bus types with a unix
-+##	stream socket.
+##	Allow unconfined access to the system DBUS.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -596,28 +466,51 @@ interface(`dbus_use_system_bus_fds',`
+-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 -interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
-+interface(`dbus_dontaudit_stream_connect_session_bus',`
+interface(`dbus_unconfined',`
 	gen_require(`
 -		type system_dbusd_t;
-+		attribute session_bus_type;
+		attribute dbusd_unconfined;
 	')
 
 -	dontaudit $1 system_dbusd_t:tcp_socket { read write };
-+	dontaudit $1 session_bus_type:unix_stream_socket connectto;
+	typeattribute $1 dbusd_unconfined;
 ')
 
 ########################################
 ## <summary>
 -##	Unconfined access to DBUS.
-+##	Do not audit attempts to send dbus
-+##	messages to session bus types.
+##	Delete all dbus pid files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
-+##	Domain to not audit.
+@@ -614,10 +448,72 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
 ##	</summary>
 ## </param>
 #
 -interface(`dbus_unconfined',`
-+interface(`dbus_dontaudit_chat_session_bus',`
+interface(`dbus_delete_pid_files',`
 	gen_require(`
 -		attribute dbusd_unconfined;
-+		attribute session_bus_type;
-+		class dbus send_msg;
+		type system_dbusd_var_run_t;
 	')
 
 -	typeattribute $1 dbusd_unconfined;
+	files_search_pids($1)
+	delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to connect to
+##	session bus types with a unix
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dbus_dontaudit_stream_connect_session_bus',`
+	gen_require(`
+		attribute session_bus_type;
+	')
+
+	dontaudit $1 session_bus_type:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send dbus
+##	messages to session bus types.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dbus_dontaudit_chat_session_bus',`
+	gen_require(`
+		attribute session_bus_type;
+		class dbus send_msg;
+	')
+
 +	dontaudit $1 session_bus_type:dbus send_msg;
 +')
 +
@ -23707,12 +23699,35 @@ index 0000000..1ed97fe
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..6704414
+index 0000000..9cfc035
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,104 @@
+@@ -0,0 +1,145 @@
 +policy_module(glusterfs, 1.0.1)
 +
+## <desc>
+## <p>
+## Allow glusterfsd to modify public files used for public file
+## transfer services.  Files/Directories must be labeled
+## public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(gluster_anon_write, false)
+
+## <desc>
+## <p>
+## Allow glusterfsd to share any file/directory read only.
+## </p>
+## </desc>
+gen_tunable(gluster_export_all_ro, false)
+
+## <desc>
+## <p>
+## Allow glusterfsd to share any file/directory read/write.
+## </p>
+## </desc>
+gen_tunable(gluster_export_all_rw, false)
+
 +########################################
 +#
 +# Declarations
@ -23806,6 +23821,8 @@ index 0000000..6704414
 +
 +domain_use_interactive_fds(glusterd_t)
 +
+fs_getattr_all_fs(glusterd_t)
+
 +auth_use_nsswitch(glusterd_t)
 +
 +fs_getattr_all_fs(glusterd_t)
@ -23813,8 +23830,24 @@ index 0000000..6704414
 +logging_send_syslog_msg(glusterd_t)
 +
 +miscfiles_read_localization(glusterd_t)
+miscfiles_read_public_files(glusterd_t)
 +
 +userdom_manage_user_home_dirs(glusterd_t)
+
+tunable_policy(`gluster_anon_write',`
+	miscfiles_manage_public_files(glusterd_t)
+') 
+
+tunable_policy(`gluster_export_all_ro',`
+	fs_read_noxattr_fs_files(glusterd_t) 
+	files_read_non_security_files(glusterd_t) 
+')
+
+tunable_policy(`gluster_export_all_rw',`
+	fs_manage_noxattr_fs_files(glusterd_t) 
+	files_manage_non_security_files(glusterd_t)
+')
+
 diff --git a/glusterfs.fc b/glusterfs.fc
 deleted file mode 100644
 index 4bd6ade..0000000
@ -28136,10 +28169,84 @@ index c5a8112..947efe0 100644
 userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
 userdom_dontaudit_search_user_home_dirs(irqbalance_t)
 
+diff --git a/iscsi.fc b/iscsi.fc
+index 08b7560..9d1930b 100644
+--- a/iscsi.fc
+++ b/iscsi.fc
+@@ -1,19 +1,17 @@
+-/etc/rc\.d/init\.d/((iscsi)|(iscsid))	--	gen_context(system_u:object_r:iscsi_initrc_exec_t,s0)
+-
+ /sbin/iscsid	--	gen_context(system_u:object_r:iscsid_exec_t,s0)
+-/sbin/brcm_iscsiuio	--	gen_context(system_u:object_r:iscsid_exec_t,s0)
+ /sbin/iscsiuio	--	gen_context(system_u:object_r:iscsid_exec_t,s0)
+ 
+ /usr/sbin/iscsid	--	gen_context(system_u:object_r:iscsid_exec_t,s0)
+-/usr/sbin/brcm_iscsiuio	--	gen_context(system_u:object_r:iscsid_exec_t,s0)
+ /usr/sbin/iscsiuio	--	gen_context(system_u:object_r:iscsid_exec_t,s0)
+ 
+ /var/lib/iscsi(/.*)?	gen_context(system_u:object_r:iscsi_var_lib_t,s0)
+ 
+ /var/lock/iscsi(/.*)?	gen_context(system_u:object_r:iscsi_lock_t,s0)
+ 
+-/var/log/brcm-iscsi\.log.*	--	gen_context(system_u:object_r:iscsi_log_t,s0)
+ /var/log/iscsiuio\.log.*	--	gen_context(system_u:object_r:iscsi_log_t,s0)
+ 
+ /var/run/iscsid\.pid	--	gen_context(system_u:object_r:iscsi_var_run_t,s0)
+ /var/run/iscsiuio\.pid	--	gen_context(system_u:object_r:iscsi_var_run_t,s0)
+
+/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service	--	gen_context(system_u:object_r:iscsi_unit_file_t,s0)
+/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket	--	gen_context(system_u:object_r:iscsi_unit_file_t,s0)
+diff --git a/iscsi.if b/iscsi.if
+index 1a35420..1d27695 100644
+--- a/iscsi.if
+++ b/iscsi.if
+@@ -88,27 +88,21 @@ interface(`iscsi_read_lib_files',`
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="role">
+-##	<summary>
+-##	Role allowed access.
+-##	</summary>
+-## </param>
+ ## <rolecap/>
+ #
+ interface(`iscsi_admin',`
+ 	gen_require(`
+ 		type iscsid_t, iscsi_lock_t, iscsi_log_t;
+ 		type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t;
+-		type iscsi_initrc_exec_t;
+		type iscsi_unit_file_t;
+ 	')
+ 
+ 	allow $1 iscsid_t:process { ptrace signal_perms };
+ 	ps_process_pattern($1, iscsid_t)
+ 
+-	init_labeled_script_domtrans($1, iscsi_initrc_exec_t)
+-	domain_system_change_exemption($1)
+-	role_transition $2 iscsi_initrc_exec_t system_r;
+-	allow $2 system_r;
+	systemd_exec_systemctl($1)
+	allow $1 iscsi_unit_file_t:file manage_file_perms;
+	allow $1 iscsi_unit_file_t:service manage_service_perms;
+ 
+ 	logging_search_logs($1)
+ 	admin_pattern($1, iscsi_log_t)
 diff --git a/iscsi.te b/iscsi.te
-index 57304e4..3dba77f 100644
+index 57304e4..74153ec 100644
 --- a/iscsi.te
 +++ b/iscsi.te
+@@ -9,8 +9,8 @@ type iscsid_t;
+ type iscsid_exec_t;
+ init_daemon_domain(iscsid_t, iscsid_exec_t)
+ 
+-type iscsi_initrc_exec_t;
+-init_script_file(iscsi_initrc_exec_t)
+type iscsi_unit_file_t;
+systemd_unit_file(iscsi_unit_file_t)
+ 
+ type iscsi_lock_t;
+ files_lock_file(iscsi_lock_t)
@@ -33,7 +33,6 @@ files_pid_file(iscsi_var_run_t)
 #
 
@ -28148,7 +28255,12 @@ index 57304e4..3dba77f 100644
 allow iscsid_t self:process { setrlimit setsched signal };
 allow iscsid_t self:fifo_file rw_fifo_file_perms;
 allow iscsid_t self:unix_stream_socket { accept connectto listen };
-@@ -68,7 +67,6 @@ kernel_read_network_state(iscsid_t)
+@@ -64,11 +63,11 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
+ 
+ can_exec(iscsid_t, iscsid_exec_t)
+ 
+kernel_request_load_module(iscsid_t)
+ kernel_read_network_state(iscsid_t)
 kernel_read_system_state(iscsid_t)
 kernel_setsched(iscsid_t)
 
@ -28156,18 +28268,22 @@ index 57304e4..3dba77f 100644
 corenet_all_recvfrom_netlabel(iscsid_t)
 corenet_tcp_sendrecv_generic_if(iscsid_t)
 corenet_tcp_sendrecv_generic_node(iscsid_t)
-@@ -85,6 +83,10 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
+@@ -85,10 +84,12 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
 corenet_tcp_connect_isns_port(iscsid_t)
 corenet_tcp_sendrecv_isns_port(iscsid_t)
 
+-dev_read_raw_memory(iscsid_t)
 +corenet_sendrecv_winshadow_client_packets(iscsid_t)
 +corenet_tcp_connect_winshadow_port(iscsid_t)
 +corenet_tcp_sendrecv_winshadow_port(iscsid_t)
 +
- dev_read_raw_memory(iscsid_t)
 dev_rw_sysfs(iscsid_t)
 dev_rw_userio_dev(iscsid_t)
-@@ -99,8 +101,6 @@ init_stream_connect_script(iscsid_t)
+-dev_write_raw_memory(iscsid_t)
+ 
+ domain_use_interactive_fds(iscsid_t)
+ domain_dontaudit_read_all_domains_state(iscsid_t)
+@@ -99,8 +100,6 @@ init_stream_connect_script(iscsid_t)
 
 logging_send_syslog_msg(iscsid_t)
 
@ -42489,7 +42605,7 @@ index 8aa1bfa..cd0e015 100644
 +/usr/lib/systemd/system/yppasswdd.*	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
 +/usr/lib/systemd/system/ypxfrd.*	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
 diff --git a/nis.if b/nis.if
-index 46e55c3..1112fae 100644
+index 46e55c3..346242e 100644
 --- a/nis.if
 +++ b/nis.if
@@ -1,4 +1,4 @@
@ -42518,14 +42634,12 @@ index 46e55c3..1112fae 100644
 	corenet_tcp_sendrecv_generic_if($1)
 	corenet_udp_sendrecv_generic_if($1)
 	corenet_tcp_sendrecv_generic_node($1)
-@@ -49,14 +44,13 @@ interface(`nis_use_ypbind_uncond',`
+@@ -49,14 +44,11 @@ interface(`nis_use_ypbind_uncond',`
 	corenet_udp_bind_generic_node($1)
 	corenet_tcp_bind_generic_port($1)
 	corenet_udp_bind_generic_port($1)
 -	corenet_dontaudit_tcp_bind_all_reserved_ports($1)
 -	corenet_dontaudit_udp_bind_all_reserved_ports($1)
-+	corenet_tcp_bind_all_rpc_ports($1)
-+	corenet_udp_bind_all_rpc_ports($1)
 	corenet_dontaudit_tcp_bind_all_ports($1)
 	corenet_dontaudit_udp_bind_all_ports($1)
 	corenet_tcp_connect_portmap_port($1)
@ -42536,7 +42650,7 @@ index 46e55c3..1112fae 100644
 	corenet_sendrecv_portmap_client_packets($1)
 	corenet_sendrecv_generic_client_packets($1)
 	corenet_sendrecv_generic_server_packets($1)
-@@ -88,14 +82,14 @@ interface(`nis_use_ypbind_uncond',`
+@@ -88,14 +80,14 @@ interface(`nis_use_ypbind_uncond',`
 ## <rolecap/>
 #
 interface(`nis_use_ypbind',`
@ -42553,7 +42667,7 @@ index 46e55c3..1112fae 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -105,7 +99,7 @@ interface(`nis_use_ypbind',`
+@@ -105,7 +97,7 @@ interface(`nis_use_ypbind',`
 ## <rolecap/>
 #
 interface(`nis_authenticate',`
@ -42562,7 +42676,7 @@ index 46e55c3..1112fae 100644
 		nis_use_ypbind_uncond($1)
 		corenet_tcp_bind_all_rpc_ports($1)
 		corenet_udp_bind_all_rpc_ports($1)
-@@ -133,20 +127,19 @@ interface(`nis_domtrans_ypbind',`
+@@ -133,20 +125,19 @@ interface(`nis_domtrans_ypbind',`
 
 #######################################
 ## <summary>
@ -42590,7 +42704,7 @@ index 46e55c3..1112fae 100644
 	can_exec($1, ypbind_exec_t)
 ')
 
-@@ -169,11 +162,11 @@ interface(`nis_exec_ypbind',`
+@@ -169,11 +160,11 @@ interface(`nis_exec_ypbind',`
 #
 interface(`nis_run_ypbind',`
 	gen_require(`
@ -42604,7 +42718,7 @@ index 46e55c3..1112fae 100644
 ')
 
 ########################################
-@@ -196,7 +189,7 @@ interface(`nis_signal_ypbind',`
+@@ -196,7 +187,7 @@ interface(`nis_signal_ypbind',`
 
 ########################################
 ## <summary>
@ -42613,7 +42727,7 @@ index 46e55c3..1112fae 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -272,10 +265,11 @@ interface(`nis_read_ypbind_pid',`
+@@ -272,10 +263,11 @@ interface(`nis_read_ypbind_pid',`
 #
 interface(`nis_delete_ypbind_pid',`
 	gen_require(`
@ -42627,7 +42741,7 @@ index 46e55c3..1112fae 100644
 ')
 
 ########################################
-@@ -355,8 +349,57 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -355,8 +347,57 @@ interface(`nis_initrc_domtrans_ypbind',`
 
 ########################################
 ## <summary>
@ -42687,7 +42801,7 @@ index 46e55c3..1112fae 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -372,32 +415,56 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -372,32 +413,56 @@ interface(`nis_initrc_domtrans_ypbind',`
 #
 interface(`nis_admin',`
 	gen_require(`
@ -51986,7 +52100,7 @@ index 032a84d..be00a65 100644
 +	allow $1 policykit_auth_t:process signal;
 ')
 diff --git a/policykit.te b/policykit.te
-index 49694e8..0372dfd 100644
+index 49694e8..e426304 100644
 --- a/policykit.te
 +++ b/policykit.te
@@ -1,4 +1,4 @@
@ -52018,7 +52132,7 @@ index 49694e8..0372dfd 100644
 
 type policykit_resolve_t, policykit_domain;
 type policykit_resolve_exec_t;
-@@ -42,48 +37,43 @@ files_pid_file(policykit_var_run_t)
+@@ -42,63 +37,64 @@ files_pid_file(policykit_var_run_t)
 
 #######################################
 #
@ -52081,7 +52195,10 @@ index 49694e8..0372dfd 100644
 
 domain_read_all_domains_state(policykit_t)
 
-@@ -93,12 +83,17 @@ fs_list_inotifyfs(policykit_t)
+ files_dontaudit_search_all_mountpoints(policykit_t)
+ 
+fs_getattr_all_fs(policykit_t)
+ fs_list_inotifyfs(policykit_t)
 
 auth_use_nsswitch(policykit_t)
 
@ -52099,7 +52216,7 @@ index 49694e8..0372dfd 100644
 	optional_policy(`
 		consolekit_dbus_chat(policykit_t)
 	')
-@@ -109,29 +104,43 @@ optional_policy(`
+@@ -109,29 +105,43 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -52151,7 +52268,7 @@ index 49694e8..0372dfd 100644
 
 rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
 
-@@ -145,9 +154,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+@@ -145,9 +155,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
 manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
 files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
 
@ -52161,7 +52278,7 @@ index 49694e8..0372dfd 100644
 kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
 
 dev_read_video_dev(policykit_auth_t)
-@@ -162,48 +168,58 @@ auth_rw_var_auth(policykit_auth_t)
+@@ -162,48 +169,58 @@ auth_rw_var_auth(policykit_auth_t)
 auth_use_nsswitch(policykit_auth_t)
 auth_domtrans_chk_passwd(policykit_auth_t)
 
@ -52230,7 +52347,7 @@ index 49694e8..0372dfd 100644
 
 rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
 
-@@ -211,23 +227,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
+@@ -211,23 +228,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
 
 manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
 
@ -52257,7 +52374,7 @@ index 49694e8..0372dfd 100644
 	optional_policy(`
 		consolekit_dbus_chat(policykit_grant_t)
 	')
-@@ -235,26 +248,28 @@ optional_policy(`
+@@ -235,26 +249,28 @@ optional_policy(`
 
 ########################################
 #
@ -52292,7 +52409,7 @@ index 49694e8..0372dfd 100644
 userdom_read_all_users_state(policykit_resolve_t)
 
 optional_policy(`
-@@ -266,6 +281,7 @@ optional_policy(`
+@@ -266,6 +282,7 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -69204,7 +69321,7 @@ index aee75af..a6bab06 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
 ')
 diff --git a/samba.te b/samba.te
-index 57c034b..4d983f7 100644
+index 57c034b..055c3c5 100644
 --- a/samba.te
 +++ b/samba.te
@@ -1,4 +1,4 @@
@ -69758,9 +69875,9 @@ index 57c034b..4d983f7 100644
 +
 +tunable_policy(`samba_export_all_rw',`
 +	allow nmbd_t self:capability { dac_read_search dac_override };
-+	fs_read_noxattr_fs_files(smbd_t) 
+	fs_manage_noxattr_fs_files(smbd_t) 
 +	files_manage_non_security_files(smbd_t)
-+	fs_read_noxattr_fs_files(nmbd_t) 
+	fs_manage_noxattr_fs_files(nmbd_t) 
 +	files_manage_non_security_files(nmbd_t)
 +')
 +
@ -79818,10 +79935,10 @@ index 0000000..601aea3
 +/usr/lib/tumbler[^/]*/tumblerd		--	gen_context(system_u:object_r:thumb_exec_t,s0)
 diff --git a/thumb.if b/thumb.if
 new file mode 100644
-index 0000000..72c42ad
+index 0000000..eb30b4c
 --- /dev/null
 +++ b/thumb.if
-@@ -0,0 +1,126 @@
+@@ -0,0 +1,125 @@
 +
 +## <summary>policy for thumb</summary>
 +
@ -79901,8 +80018,7 @@ index 0000000..72c42ad
 +	ps_process_pattern($2, thumb_t)
 +	allow thumb_t $2:unix_stream_socket connectto;
 +
-+	allow $2 thumb_t:dbus send_msg;
-+	allow thumb_t $2:dbus send_msg;
+	thumb_dbus_chat($2)
 +	thumb_filetrans_home_content($2)
 +')
 +