From 8037d64672a1f8252c7559cb2ba3a1a7434b7584 Mon Sep 17 00:00:00 2001 
From: Lukas Vrabec
Date: Wed, 22 Jun 2016 16:29:20 +0200
Subject: [PATCH] * Wed Jun 22 2016 Lukas Vrabec 3.13.1-198

- Allow firewalld_t to create entries in net_conf_t dirs.
- Allow journalctl to read syslogd_var_run_t files. This allows staff_t and sysadm_t to read journals.
- Allow rhsmcertd to connect to port tcp 9090
- Label for /bin/mail(x) was removed but /usr/bin/mail(x) not. This path also needs to be removed.
- Label /usr/libexec/mimedefang-wrapper as spamd_exec_t.
- Add new boolean spamd_update_can_network.
- Add proper label for /var/log/proftpd.log
- Allow rhsmcertd to connect to tcp netport_port_t
- Fix SELinux context for /usr/share/mirrormanager/server/mirrormanager to label all binaries under dir as mirrormanager_exec_t.
- Allow prosody to bind to fac_restore tcp port.
- Fix SELinux context for usr/share/mirrormanager/server/mirrormanager
- Allow ninfod to read raw packets
- Fix broken hostapd policy
- Allow hostapd to create netlink_generic sockets. BZ(1343683)
- Merge pull request #133 from vinzent/allow_puppet_transition_to_shorewall
- Allow pegasus to get attributes from qemu binary files.
- Allow tuned to use policykit. This change is required by cockpit.
- Allow conman_t to read dir with conman_unconfined_script_t binary files.
- Allow pegasus to read /proc/sysinfo.
- Allow puppet_t transition to shorewall_t
- Allow conman to kill conman_unconfined_script.
- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals.
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-base' into rawhide-base
- Allow systemd to execute all init daemon executables.
- Add init_exec_notrans_direct_init_entry() interface.
- Label tcp ports 16379, 26379 as redis_port_t
- Allow systemd to relabel /var and /var/lib directories during boot.
- Add files_relabel_var_dirs() and files_relabel_var_dirs() interfaces.
- Add files_relabelto_var_lib_dirs() interface.
- Label tcp and udp port 5582 as fac_restore_port_t
- Allow sysadm_t user to run postgresql-setup.
- Allow sysadm_t user to dbus chat with oddjob_t. This allows confined admin to run oddjob mkhomedirfor script.
- Allow systemd-resolved to connect to llmnr tcp port. BZ(1344849)
- Allow passwd_t to also manage user_tmp_t dirs, this change is needed by gnome-keyringd
---
 docker-selinux.tgz           | Bin 4316 -> 4316 bytes
 policy-rawhide-base.patch    | 896 ++++++++++++++++++++---------------
 policy-rawhide-contrib.patch | 406 +++++++++-------
 selinux-policy.spec          |  38 +-
 4 files changed, 780 insertions(+), 560 deletions(-)
diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 5224658702e3742acedbce910c60cbc00c9b5974..b57ae16382618bcaeb3c6d10494c950f17f30f0f 100644 GIT binary patch
## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1..f6ff7aa 100644 +index 1d732f1..47af4c3 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t;
@@ -3151,7 +3151,7 @@ index 1d732f1..f6ff7aa 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -352,6 +383,18 @@ userdom_read_user_tmp_files(passwd_t) +@@ -352,6 +383,19 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -3160,6 +3160,7 @@ index 1d732f1..f6ff7aa 100644 + +# needed by gnome-keyring +userdom_manage_user_tmp_files(passwd_t) ++userdom_manage_user_tmp_dirs(passwd_t) + +optional_policy(` + gnome_exec_keyringd(passwd_t) @@ -3170,7 +3171,7 @@ index 1d732f1..f6ff7aa 100644 optional_policy(` nscd_run(passwd_t, passwd_roles) -@@ -401,9 +444,10 @@ dev_read_urand(sysadm_passwd_t) +@@ -401,9 +445,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -3183,7 +3184,7 @@ index 1d732f1..f6ff7aa 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) -@@ -416,7 +460,6 @@ files_read_usr_files(sysadm_passwd_t) +@@ -416,7 +461,6 @@ files_read_usr_files(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t) @@ -3191,7 +3192,7 @@ index 1d732f1..f6ff7aa 100644 files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups -@@ -426,12 +469,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) +@@ -426,12 +470,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(sysadm_passwd_t) @@ -3204,7 +3205,7 @@ index 1d732f1..f6ff7aa 100644 userdom_use_unpriv_users_fds(sysadm_passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir -@@ -446,7 +486,8 @@ optional_policy(` +@@ -446,7 +487,8 @@ optional_policy(` # Useradd local policy # 
@@ -3214,7 +3215,7 @@ index 1d732f1..f6ff7aa 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -461,6 +502,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; +@@ -461,6 +503,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; @@ -3225,7 +3226,7 @@ index 1d732f1..f6ff7aa 100644 # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -468,29 +513,28 @@ corecmd_exec_shell(useradd_t) +@@ -468,29 +514,28 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -3265,7 +3266,7 @@ index 1d732f1..f6ff7aa 100644 auth_run_chk_passwd(useradd_t, useradd_roles) auth_rw_lastlog(useradd_t) -@@ -498,6 +542,7 @@ auth_rw_faillog(useradd_t) +@@ -498,6 +543,7 @@ auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) # these may be unnecessary due to the above # domtrans_chk_passwd() call. @@ -3273,7 +3274,7 @@ index 1d732f1..f6ff7aa 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -508,33 +553,32 @@ init_rw_utmp(useradd_t) +@@ -508,33 +554,32 @@ init_rw_utmp(useradd_t) logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) @@ -3318,7 +3319,7 @@ index 1d732f1..f6ff7aa 100644 optional_policy(` apache_manage_all_user_content(useradd_t) ') -@@ -545,14 +589,27 @@ optional_policy(` +@@ -545,14 +590,27 @@ optional_policy(` ') optional_policy(` @@ -3346,7 +3347,7 @@ index 1d732f1..f6ff7aa 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -562,3 +619,12 @@ optional_policy(` +@@ -562,3 +620,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') 
@@ -5812,7 +5813,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..90ffe79 100644 +index b191055..72bc5d0 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -5886,7 +5887,7 @@ index b191055..90ffe79 100644 # reserved_port_t is the type of INET port numbers below 1024. # type reserved_port_t, port_type, reserved_port_type; -@@ -76,63 +99,79 @@ type server_packet_t, packet_type, server_packet_type; +@@ -76,63 +99,80 @@ type server_packet_t, packet_type, server_packet_type; network_port(afs_bos, udp,7007,s0) network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) network_port(afs_ka, udp,7004,s0) @@ -5956,6 +5957,7 @@ index b191055..90ffe79 100644 network_port(embrace_dp_c, tcp,3198,s0, udp,3198,s0) network_port(epmap, tcp,135,s0, udp,135,s0) network_port(epmd, tcp,4369,s0, udp,4369,s0) ++network_port(fac_restore, tcp,5582,s0, udp,5582,s0) network_port(fingerd, tcp,79,s0) -network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) +network_port(fmpro_internal, tcp,5003,s0, udp,5003,s0) @@ -5976,7 +5978,7 @@ index b191055..90ffe79 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -140,45 +179,60 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -140,45 +180,60 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) 
@@ -6052,7 +6054,7 @@ index b191055..90ffe79 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -186,101 +240,129 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -186,101 +241,129 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) @@ -6117,8 +6119,9 @@ index b191055..90ffe79 100644 +network_port(radius, udp,1645,s0, tcp,1645,s0, tcp,1812,s0, udp,1812,s0, tcp,18120-18121,s0, udp,18120-18121, s0) network_port(radsec, tcp,2083,s0) network_port(razor, tcp,2703,s0) +-network_port(redis, tcp,6379,s0) +network_port(time, tcp,37,s0, udp,37,s0) - network_port(redis, tcp,6379,s0) ++network_port(redis, tcp,6379,s0, tcp,26379,s0, tcp,16379,s0) network_port(repository, tcp, 6363, s0) network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) @@ -6200,7 +6203,7 @@ index b191055..90ffe79 100644 network_port(xserver, tcp,6000-6020,s0) network_port(zarafa, tcp,236,s0, tcp,237,s0) network_port(zabbix, tcp,10051,s0) -@@ -288,19 +370,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -288,19 +371,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) @@ -6227,7 +6230,7 @@ index b191055..90ffe79 100644 ######################################## # -@@ -333,6 +419,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -333,6 +420,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) 
@@ -6236,7 +6239,7 @@ index b191055..90ffe79 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -345,9 +433,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -345,9 +434,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -11030,7 +11033,7 @@ index b876c48..03f9342 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..917b5b2 100644 +index f962f76..41b68a6 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -15076,7 +15079,7 @@ index f962f76..917b5b2 100644 ## ## ## -@@ -5808,165 +6675,156 @@ interface(`files_getattr_generic_locks',` +@@ -5808,63 +6675,68 @@ interface(`files_getattr_generic_locks',` ## ## # @@ -15134,10 +15137,11 @@ index f962f76..917b5b2 100644 + filetrans_pattern($1, var_t, $2, $3, $4) ') ++ ######################################## ## -## Delete all lock files. -+## Get the attributes of the /var/lib directory. ++## Relabel dirs in the /var directory. ## ## ## 
@@ -15147,6 +15151,31 @@ index f962f76..917b5b2 100644 -## # -interface(`files_delete_all_locks',` ++interface(`files_relabel_var_dirs',` + gen_require(` +- attribute lockfile; +- type var_t, var_lock_t; ++ type var_t; + ') +- +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- delete_files_pattern($1, lockfile, lockfile) ++ allow $1 var_t:dir relabel_dir_perms; + ') + + ######################################## + ## +-## Read all lock files. ++## Get the attributes of the /var/lib directory. + ## + ## + ## +@@ -5872,101 +6744,87 @@ interface(`files_delete_all_locks',` + ## + ## + # +-interface(`files_read_all_locks',` +interface(`files_getattr_var_lib_dirs',` gen_require(` - attribute lockfile; @@ -15154,15 +15183,17 @@ index f962f76..917b5b2 100644 + type var_t, var_lib_t; ') -- allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- delete_files_pattern($1, lockfile, lockfile) +- allow $1 { var_t var_lock_t }:dir search_dir_perms; +- allow $1 lockfile:dir list_dir_perms; +- read_files_pattern($1, lockfile, lockfile) +- read_lnk_files_pattern($1, lockfile, lockfile) + getattr_dirs_pattern($1, var_t, var_lib_t) ') ######################################## ## --## Read all lock files. +-## manage all lock files. +## Search the /var/lib directory. ## +## @@ -15185,7 +15216,7 @@ index f962f76..917b5b2 100644 ## +## # --interface(`files_read_all_locks',` +-interface(`files_manage_all_locks',` +interface(`files_search_var_lib',` gen_require(` - attribute lockfile; 
@@ -15193,55 +15224,26 @@ index f962f76..917b5b2 100644 + type var_t, var_lib_t; ') -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -- allow $1 lockfile:dir list_dir_perms; -- read_files_pattern($1, lockfile, lockfile) -- read_lnk_files_pattern($1, lockfile, lockfile) -+ search_dirs_pattern($1, var_t, var_lib_t) - ') - - ######################################## - ## --## manage all lock files. -+## Do not audit attempts to search the -+## contents of /var/lib. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## -+## - # --interface(`files_manage_all_locks',` -+interface(`files_dontaudit_search_var_lib',` - gen_require(` -- attribute lockfile; -- type var_t, var_lock_t; -+ type var_lib_t; - ') - - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - allow $1 { var_t var_lock_t }:dir search_dir_perms; - manage_dirs_pattern($1, lockfile, lockfile) - manage_files_pattern($1, lockfile, lockfile) - manage_lnk_files_pattern($1, lockfile, lockfile) -+ dontaudit $1 var_lib_t:dir search_dir_perms; ++ search_dirs_pattern($1, var_t, var_lib_t) ') ######################################## ## -## Create an object in the locks directory, with a private -## type using a type transition. -+## List the contents of the /var/lib directory. ++## Do not audit attempts to search the ++## contents of /var/lib. ## ## ## - ## Domain allowed access. - ## - ## +-## Domain allowed access. +-## +-## -## -## -## The type of the object to be created. 
@@ -15255,28 +15257,29 @@ index f962f76..917b5b2 100644 -## -## -## The name of the object being created. --## --## ++## Domain to not audit. + ## + ## ++## # -interface(`files_lock_filetrans',` -+interface(`files_list_var_lib',` ++interface(`files_dontaudit_search_var_lib',` gen_require(` - type var_t, var_lock_t; -+ type var_t, var_lib_t; ++ type var_lib_t; ') - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - filetrans_pattern($1, var_lock_t, $2, $3, $4) -+ list_dirs_pattern($1, var_t, var_lib_t) ++ dontaudit $1 var_lib_t:dir search_dir_perms; ') --######################################## -+########################################### + ######################################## ## -## Do not audit attempts to get the attributes -## of the /var/run directory. -+## Read-write /var/lib directories ++## List the contents of the /var/lib directory. ## ## ## @@ -15286,30 +15289,31 @@ index f962f76..917b5b2 100644 ## # -interface(`files_dontaudit_getattr_pid_dirs',` -+interface(`files_rw_var_lib_dirs',` ++interface(`files_list_var_lib',` gen_require(` - type var_run_t; -+ type var_lib_t; ++ type var_t, var_lib_t; ') - dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; - dontaudit $1 var_run_t:dir getattr; -+ rw_dirs_pattern($1, var_lib_t, var_lib_t) ++ list_dirs_pattern($1, var_t, var_lib_t) ') - ######################################## +-######################################## ++########################################### ## -## Set the attributes of the /var/run directory. -+## Create directories in /var/lib ++## Read-write /var/lib directories ## ## ## -@@ -5974,59 +6832,71 @@ interface(`files_dontaudit_getattr_pid_dirs',` +@@ -5974,19 +6832,17 @@ interface(`files_dontaudit_getattr_pid_dirs',` ## ## # -interface(`files_setattr_pid_dirs',` -+interface(`files_create_var_lib_dirs',` ++interface(`files_rw_var_lib_dirs',` gen_require(` - type var_run_t; + type var_lib_t; 
@@ -15317,21 +15321,46 @@ index f962f76..917b5b2 100644 - allow $1 var_run_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:dir setattr; ++ rw_dirs_pattern($1, var_lib_t, var_lib_t) + ') + + ######################################## + ## +-## Search the contents of runtime process +-## ID directories (/var/run). ++## Create directories in /var/lib + ## + ## + ## +@@ -5994,39 +6850,52 @@ interface(`files_setattr_pid_dirs',` + ## + ## + # +-interface(`files_search_pids',` ++interface(`files_create_var_lib_dirs',` + gen_require(` +- type var_t, var_run_t; ++ type var_lib_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- search_dirs_pattern($1, var_t, var_run_t) + allow $1 var_lib_t:dir { create rw_dir_perms }; ') + ######################################## ## --## Search the contents of runtime process --## ID directories (/var/run). +-## Do not audit attempts to search +-## the /var/run directory. +## Create objects in the /var/lib directory ## ## ## - ## Domain allowed access. - ## - ## +-## Domain to not audit. ++## Domain allowed access. ++## ++## +## +## +## The type of the object to be created 
@@ -15345,37 +15374,11 @@ index f962f76..917b5b2 100644 +## +## +## The name of the object being created. -+## -+## - # --interface(`files_search_pids',` -+interface(`files_var_lib_filetrans',` - gen_require(` -- type var_t, var_run_t; -+ type var_t, var_lib_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- search_dirs_pattern($1, var_t, var_run_t) -+ allow $1 var_t:dir search_dir_perms; -+ filetrans_pattern($1, var_lib_t, $2, $3, $4) - ') - - ######################################## - ## --## Do not audit attempts to search --## the /var/run directory. -+## Read generic files in /var/lib. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. ## ## # -interface(`files_dontaudit_search_pids',` -+interface(`files_read_var_lib_files',` ++interface(`files_var_lib_filetrans',` gen_require(` - type var_run_t; + type var_t, var_lib_t; 
@@ -15383,23 +15386,47 @@ index f962f76..917b5b2 100644 - dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; - dontaudit $1 var_run_t:dir search_dir_perms; -+ allow $1 var_lib_t:dir list_dir_perms; -+ read_files_pattern($1, { var_t var_lib_t }, var_lib_t) ++ allow $1 var_t:dir search_dir_perms; ++ filetrans_pattern($1, var_lib_t, $2, $3, $4) ') ######################################## ## -## List the contents of the runtime process -## ID directories (/var/run). -+## Read generic symbolic links in /var/lib ++## Read generic files in /var/lib. ## ## ## -@@ -6034,18 +6904,18 @@ interface(`files_dontaudit_search_pids',` +@@ -6034,18 +6903,18 @@ interface(`files_dontaudit_search_pids',` ## ## # -interface(`files_list_pids',` ++interface(`files_read_var_lib_files',` + gen_require(` +- type var_t, var_run_t; ++ type var_t, var_lib_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) ++ allow $1 var_lib_t:dir list_dir_perms; ++ read_files_pattern($1, { var_t var_lib_t }, var_lib_t) + ') + + ######################################## + ## +-## Read generic process ID files. ++## Read generic symbolic links in /var/lib + ## + ## + ## +@@ -6053,19 +6922,18 @@ interface(`files_list_pids',` + ## + ## + # +-interface(`files_read_generic_pids',` +interface(`files_read_var_lib_symlinks',` gen_require(` - type var_t, var_run_t; 
@@ -15408,31 +15435,31 @@ index f962f76..917b5b2 100644 - allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, var_run_t) +- read_files_pattern($1, var_run_t, var_run_t) + read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') ######################################## ## --## Read generic process ID files. +-## Write named generic process ID pipes +## manage generic symbolic links +## in the /var/lib directory. ## ## ## -@@ -6053,19 +6923,21 @@ interface(`files_list_pids',` +@@ -6073,23 +6941,652 @@ interface(`files_read_generic_pids',` ## ## # --interface(`files_read_generic_pids',` +-interface(`files_write_generic_pid_pipes',` +interface(`files_manage_var_lib_symlinks',` gen_require(` -- type var_t, var_run_t; +- type var_run_t; + type var_lib_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -- read_files_pattern($1, var_run_t, var_run_t) +- allow $1 var_run_t:fifo_file write; + manage_lnk_files_pattern($1,var_lib_t,var_lib_t) ') @@ -15441,36 +15468,70 @@ index f962f76..917b5b2 100644 + ######################################## ## --## Write named generic process ID pipes +-## Create an object in the process ID directory, with a private type. +## Create, read, write, and delete the +## pseudorandom number generator seed. ## - ## - ## -@@ -6073,43 +6945,1377 @@ interface(`files_read_generic_pids',` - ## - ## - # --interface(`files_write_generic_pid_pipes',` +-## +-##

+-## Create an object in the process ID directory (e.g., /var/run) +-## with a private type. Typically this is used for creating ++## ++##

++## Domain allowed access. ++## ++## ++# +interface(`files_manage_urandom_seed',` - gen_require(` -- type var_run_t; ++ gen_require(` + type var_t, var_lib_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:fifo_file write; ++ ') ++ + allow $1 var_t:dir search_dir_perms; + manage_files_pattern($1, var_lib_t, var_lib_t) - ') - - ######################################## - ## --## Create an object in the process ID directory, with a private type. ++') ++ ++ ++######################################## ++## ++## Relabel to dirs in the /var/lib directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabelto_var_lib_dirs',` ++ gen_require(` ++ type var_lib_t; ++ ') ++ allow $1 var_lib_t:dir relabelto; ++') ++ ++ ++######################################## ++## ++## Relabel dirs in the /var/lib directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabel_var_lib_dirs',` ++ gen_require(` ++ type var_lib_t; ++ ') ++ allow $1 var_lib_t:dir relabel_dir_perms; ++') ++ ++######################################## ++## +## Allow domain to manage mount tables +## necessary for rpcd, nfsd, etc. - ## --## ++## +## +## +## Domain allowed access. @@ -16045,14 +16106,14 @@ index f962f76..917b5b2 100644 +##

+## Create an object in the process ID directory (e.g., /var/run) +## with a private type. Typically this is used for creating -+## private PID files in /var/run with the private type instead -+## of the general PID file type. To accomplish this goal, -+## either the program must be SELinux-aware, or use this interface. -+##

-+##

-+## Related interfaces: -+##

-+##
    + ## private PID files in /var/run with the private type instead + ## of the general PID file type. To accomplish this goal, + ## either the program must be SELinux-aware, or use this interface. +@@ -6098,18 +7595,781 @@ interface(`files_write_generic_pid_pipes',` + ## Related interfaces: + ##

    + ##
      +-##
    • files_pid_file()
    • +##
    • files_pid_file()
    • +##
    +##

    @@ -16497,23 +16558,17 @@ index f962f76..917b5b2 100644 +## used for spool files. +##

+## - ##

--## Create an object in the process ID directory (e.g., /var/run) --## with a private type. Typically this is used for creating --## private PID files in /var/run with the private type instead --## of the general PID file type. To accomplish this goal, --## either the program must be SELinux-aware, or use this interface. ++##

+## Make the specified type usable for spool files. +## This will also make the type usable for files, making +## calls to files_type() redundant. Failure to use this interface +## for a spool file may result in problems with +## purging spool files. - ##

- ##

- ## Related interfaces: - ##

- ##
    --##
  • files_pid_file()
  • ++##

    ++##

    ++## Related interfaces: ++##

    ++##
      +##
    • files_spool_filetrans()
    • ##
    ##

    @@ -16843,7 +16898,7 @@ index f962f76..917b5b2 100644 ##

    ## ## -@@ -6117,80 +8323,157 @@ interface(`files_write_generic_pid_pipes',` +@@ -6117,80 +8377,157 @@ interface(`files_write_generic_pid_pipes',` ## Domain allowed access. ##
## @@ -17030,7 +17085,7 @@ index f962f76..917b5b2 100644 ## ## ## -@@ -6198,19 +8481,17 @@ interface(`files_rw_generic_pids',` +@@ -6198,19 +8535,17 @@ interface(`files_rw_generic_pids',` ## ## # @@ -17054,7 +17109,7 @@ index f962f76..917b5b2 100644 ## ## ## -@@ -6218,18 +8499,17 @@ interface(`files_dontaudit_getattr_all_pids',` +@@ -6218,18 +8553,17 @@ interface(`files_dontaudit_getattr_all_pids',` ## ## # @@ -17077,7 +17132,7 @@ index f962f76..917b5b2 100644 ## ## ## -@@ -6237,129 +8517,119 @@ interface(`files_dontaudit_write_all_pids',` +@@ -6237,129 +8571,119 @@ interface(`files_dontaudit_write_all_pids',` ## ## # @@ -17247,7 +17302,7 @@ index f962f76..917b5b2 100644 ## ## ## -@@ -6367,18 +8637,19 @@ interface(`files_mounton_all_poly_members',` +@@ -6367,18 +8691,19 @@ interface(`files_mounton_all_poly_members',` ## ## # @@ -17272,7 +17327,7 @@ index f962f76..917b5b2 100644 ## ## ## -@@ -6386,132 +8657,227 @@ interface(`files_search_spool',` +@@ -6386,132 +8711,227 @@ interface(`files_search_spool',` ## ## # @@ -17546,7 +17601,7 @@ index f962f76..917b5b2 100644 ## ## ## -@@ -6519,53 +8885,17 @@ interface(`files_spool_filetrans',` +@@ -6519,53 +8939,17 @@ interface(`files_spool_filetrans',` ## ## # @@ -17604,7 +17659,7 @@ index f962f76..917b5b2 100644 ## ## ## -@@ -6573,10 +8903,10 @@ interface(`files_polyinstantiate_all',` +@@ -6573,10 +8957,10 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -25199,7 +25254,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6..d2f55a2 100644 +index 2522ca6..fe03d6d 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1) 
@@ -25359,18 +25414,18 @@ index 2522ca6..d2f55a2 100644 optional_policy(` - consoletype_run(sysadm_t, sysadm_r) + cron_admin_role(sysadm_r, sysadm_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- cvs_exec(sysadm_t) + consoletype_exec(sysadm_t) +') + +optional_policy(` + daemonstools_run_start(sysadm_t, sysadm_r) - ') - - optional_policy(` -- cvs_exec(sysadm_t) ++') ++ ++optional_policy(` + dbus_role_template(sysadm, sysadm_r, sysadm_t) + + dontaudit sysadm_dbusd_t self:capability net_admin; @@ -25494,7 +25549,7 @@ index 2522ca6..d2f55a2 100644 ') optional_policy(` -@@ -237,14 +334,28 @@ optional_policy(` +@@ -237,14 +334,32 @@ optional_policy(` ') optional_policy(` @@ -25520,10 +25575,14 @@ index 2522ca6..d2f55a2 100644 + +optional_policy(` + nx_filetrans_named_content(sysadm_t) ++') ++ ++optional_policy(` ++ oddjob_dbus_chat(sysadm_t) ') optional_policy(` -@@ -252,10 +363,20 @@ optional_policy(` +@@ -252,10 +367,20 @@ optional_policy(` ') optional_policy(` @@ -25544,7 +25603,7 @@ index 2522ca6..d2f55a2 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -266,35 +387,41 @@ optional_policy(` +@@ -266,35 +391,46 @@ optional_policy(` ') optional_policy(` 
@@ -25555,30 +25614,35 @@ index 2522ca6..d2f55a2 100644 optional_policy(` - quota_run(sysadm_t, sysadm_r) + postgresql_admin(sysadm_t, sysadm_r) ++ postgresql_run(sysadm_t, sysadm_r) ') optional_policy(` - raid_run_mdadm(sysadm_r, sysadm_t) -+ prelink_run(sysadm_t, sysadm_r) ++ journalctl_role(sysadm_r, sysadm_t) ') optional_policy(` - razor_role(sysadm_r, sysadm_t) -+ puppet_run_puppetca(sysadm_t, sysadm_r) ++ prelink_run(sysadm_t, sysadm_r) ') optional_policy(` - rpc_domtrans_nfsd(sysadm_t) -+ quota_filetrans_named_content(sysadm_t) ++ puppet_run_puppetca(sysadm_t, sysadm_r) ') optional_policy(` - rpm_run(sysadm_t, sysadm_r) -+ raid_domtrans_mdadm(sysadm_t) ++ quota_filetrans_named_content(sysadm_t) ') optional_policy(` - rssh_role(sysadm_r, sysadm_t) ++ raid_domtrans_mdadm(sysadm_t) ++') ++ ++optional_policy(` + rpc_domtrans_nfsd(sysadm_t) +') + @@ -25593,7 +25657,7 @@ index 2522ca6..d2f55a2 100644 ') optional_policy(` -@@ -308,6 +435,7 @@ optional_policy(` +@@ -308,6 +444,7 @@ optional_policy(` optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) @@ -25601,7 +25665,7 @@ index 2522ca6..d2f55a2 100644 ') optional_policy(` -@@ -315,12 +443,20 @@ optional_policy(` +@@ -315,12 +452,20 @@ optional_policy(` ') optional_policy(` @@ -25623,7 +25687,7 @@ index 2522ca6..d2f55a2 100644 ') optional_policy(` -@@ -345,30 +481,37 @@ optional_policy(` +@@ -345,30 +490,37 @@ optional_policy(` ') optional_policy(` @@ -25670,7 +25734,7 @@ index 2522ca6..d2f55a2 100644 ') optional_policy(` -@@ -380,10 +523,6 @@ optional_policy(` +@@ -380,10 +532,6 @@ optional_policy(` ') optional_policy(` @@ -25681,7 +25745,7 @@ index 2522ca6..d2f55a2 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -391,6 +530,9 @@ optional_policy(` +@@ -391,6 +539,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) 
@@ -25691,7 +25755,7 @@ index 2522ca6..d2f55a2 100644 ') optional_policy(` -@@ -398,31 +540,34 @@ optional_policy(` +@@ -398,31 +549,34 @@ optional_policy(` ') optional_policy(` @@ -25732,7 +25796,7 @@ index 2522ca6..d2f55a2 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -435,10 +580,6 @@ ifndef(`distro_redhat',` +@@ -435,10 +589,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25743,7 +25807,7 @@ index 2522ca6..d2f55a2 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -459,15 +600,79 @@ ifndef(`distro_redhat',` +@@ -459,15 +609,79 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -27188,10 +27252,10 @@ index a26f84f..f4a44eb 100644 -/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) +#/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if -index 9d2f311..9e87525 100644 +index 9d2f311..2d782e0 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if -@@ -10,90 +10,21 @@ +@@ -10,90 +10,46 @@ ## ## ## @@ -27237,7 +27301,8 @@ index 9d2f311..9e87525 100644 typeattribute $2 sepgsql_client_type; role $1 types sepgsql_trusted_proc_t; role $1 types sepgsql_ranged_proc_t; -- ++') + - ############################## - # - # Client local policy 
@@ -27251,8 +27316,27 @@ index 9d2f311..9e87525 100644 - allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value }; - allow $2 user_sepgsql_view_t:db_view { create drop setattr }; - allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; -- ') -- ++######################################## ++## ++## Execute the postgresql program in the postgresql domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The role to allow the postgresql domain. ++## ++## ++## ++# ++interface(`postgresql_run',` ++ gen_require(` ++ type postgresql_t; + ') + - allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name }; - type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; - type_transition $2 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; @@ -27283,10 +27367,12 @@ index 9d2f311..9e87525 100644 - - allow $2 sepgsql_trusted_proc_t:process transition; - type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; ++ postgresql_domtrans($1) ++ role $2 types postgresql_t; ') ######################################## -@@ -312,7 +243,7 @@ interface(`postgresql_search_db',` +@@ -312,7 +268,7 @@ interface(`postgresql_search_db',` type postgresql_db_t; ') @@ -27295,7 +27381,7 @@ index 9d2f311..9e87525 100644 ') ######################################## -@@ -324,14 +255,16 @@ interface(`postgresql_search_db',` +@@ -324,14 +280,16 @@ interface(`postgresql_search_db',` ## Domain allowed access. ## ## @@ -27315,7 +27401,7 @@ index 9d2f311..9e87525 100644 ') ######################################## -@@ -354,6 +287,24 @@ interface(`postgresql_domtrans',` +@@ -354,6 +312,24 @@ interface(`postgresql_domtrans',` ###################################### ## 
@@ -27340,7 +27426,7 @@ index 9d2f311..9e87525 100644 ## Allow domain to signal postgresql ## ## -@@ -421,7 +372,6 @@ interface(`postgresql_tcp_connect',` +@@ -421,7 +397,6 @@ interface(`postgresql_tcp_connect',` ## Domain allowed access. ## ## @@ -27348,7 +27434,7 @@ index 9d2f311..9e87525 100644 # interface(`postgresql_stream_connect',` gen_require(` -@@ -432,6 +382,7 @@ interface(`postgresql_stream_connect',` +@@ -432,6 +407,7 @@ interface(`postgresql_stream_connect',` files_search_pids($1) files_search_tmp($1) @@ -27356,7 +27442,7 @@ index 9d2f311..9e87525 100644 ') ######################################## -@@ -447,83 +398,10 @@ interface(`postgresql_stream_connect',` +@@ -447,83 +423,10 @@ interface(`postgresql_stream_connect',` # interface(`postgresql_unpriv_client',` gen_require(` @@ -27440,7 +27526,7 @@ index 9d2f311..9e87525 100644 ') ######################################## -@@ -547,6 +425,29 @@ interface(`postgresql_unconfined',` +@@ -547,6 +450,29 @@ interface(`postgresql_unconfined',` ######################################## ## @@ -27470,7 +27556,7 @@ index 9d2f311..9e87525 100644 ## All of the rules required to administrate an postgresql environment ## ## -@@ -563,35 +464,41 @@ interface(`postgresql_unconfined',` +@@ -563,35 +489,41 @@ interface(`postgresql_unconfined',` # interface(`postgresql_admin',` gen_require(` @@ -35033,7 +35119,7 @@ index bc0ffc8..37b8ea5 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f6..cf6add7 100644 +index 79a45f6..e176b9f 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ 
@@ -35598,12 +35684,36 @@ index 79a45f6..cf6add7 100644 files_search_etc($1) ') -@@ -1012,26 +1260,27 @@ interface(`init_read_state',` +@@ -992,7 +1240,7 @@ interface(`init_run_daemon',` + + ######################################## + ## +-## Read the process state (/proc/pid) of init. ++## Allow execute all init daemon executables type without transition. + ## + ## + ## +@@ -1000,38 +1248,37 @@ interface(`init_run_daemon',` + ## + ## + # +-interface(`init_read_state',` ++interface(`init_exec_notrans_direct_init_entry',` + gen_require(` +- type init_t; ++ attribute direct_init_entry; + ') + +- allow $1 init_t:dir search_dir_perms; +- allow $1 init_t:file read_file_perms; +- allow $1 init_t:lnk_file read_lnk_file_perms; ++ allow $1 direct_init_entry:file execute_no_trans; + ') ######################################## ## -## Ptrace init -+## Dontaudit read the process state (/proc/pid) of init. ++## Read the process state (/proc/pid) of init. ## ## ## @@ -35613,12 +35723,36 @@ index 79a45f6..cf6add7 100644 -## # -interface(`init_ptrace',` -+interface(`init_dontaudit_read_state',` ++interface(`init_read_state',` gen_require(` type init_t; ') - allow $1 init_t:process ptrace; ++ allow $1 init_t:dir search_dir_perms; ++ allow $1 init_t:file read_file_perms; ++ allow $1 init_t:lnk_file read_lnk_file_perms; + ') + + ######################################## + ## +-## Write an init script unnamed pipe. ++## Dontaudit read the process state (/proc/pid) of init. + ## + ## + ## +@@ -1039,17 +1286,19 @@ interface(`init_ptrace',` + ## + ## + # +-interface(`init_write_script_pipes',` ++interface(`init_dontaudit_read_state',` + gen_require(` +- type initrc_t; ++ type init_t; + ') + +- allow $1 initrc_t:fifo_file write; + dontaudit $1 init_t:dir search_dir_perms; + dontaudit $1 init_t:file read_file_perms; + dontaudit $1 init_t:lnk_file read_lnk_file_perms; 
@@ -35626,39 +35760,17 @@ index 79a45f6..cf6add7 100644 ######################################## ## --## Write an init script unnamed pipe. +-## Get the attribute of init script entrypoint files. +## Read the process keyring of init. ## ## ## -@@ -1039,17 +1288,17 @@ interface(`init_ptrace',` - ## - ## - # --interface(`init_write_script_pipes',` -+interface(`init_read_key',` - gen_require(` -- type initrc_t; -+ type init_t; - ') - -- allow $1 initrc_t:fifo_file write; -+ allow $1 init_t:key read; - ') - - ######################################## - ## --## Get the attribute of init script entrypoint files. -+## Write the process keyring of init. - ## - ## - ## -@@ -1057,37 +1306,38 @@ interface(`init_write_script_pipes',` +@@ -1057,18 +1306,17 @@ interface(`init_write_script_pipes',` ## ## # -interface(`init_getattr_script_files',` -+interface(`init_write_key',` ++interface(`init_read_key',` gen_require(` - type initrc_exec_t; + type init_t; @@ -35672,6 +35784,29 @@ index 79a45f6..cf6add7 100644 ######################################## ## -## Read init scripts. ++## Write the process keyring of init. + ## + ## + ## +@@ -1076,37 +1324,38 @@ interface(`init_getattr_script_files',` + ## + ## + # +-interface(`init_read_script_files',` ++interface(`init_write_key',` + gen_require(` +- type initrc_exec_t; ++ type init_t; + ') + +- files_search_etc($1) +- allow $1 initrc_exec_t:file read_file_perms; ++ allow $1 init_t:key read; + ') + + ######################################## + ## +-## Execute init scripts in the caller domain. +## Ptrace init ## ## @@ -35681,15 +35816,15 @@ index 79a45f6..cf6add7 100644 ## +## # --interface(`init_read_script_files',` +-interface(`init_exec_script_files',` +interface(`init_ptrace',` gen_require(` - type initrc_exec_t; + type init_t; ') -- files_search_etc($1) -- allow $1 initrc_exec_t:file read_file_perms; +- files_list_etc($1) +- can_exec($1, initrc_exec_t) + tunable_policy(`deny_ptrace',`',` + allow $1 init_t:process ptrace; + ') 
@@ -35697,62 +35832,53 @@ index 79a45f6..cf6add7 100644 ######################################## ## --## Execute init scripts in the caller domain. +-## Get the attribute of all init script entrypoint files. +## Write an init script unnamed pipe. ## ## ## -@@ -1095,18 +1345,17 @@ interface(`init_read_script_files',` - ## - ## - # --interface(`init_exec_script_files',` -+interface(`init_write_script_pipes',` - gen_require(` -- type initrc_exec_t; -+ type initrc_t; - ') - -- files_list_etc($1) -- can_exec($1, initrc_exec_t) -+ allow $1 initrc_t:fifo_file write; - ') - - ######################################## - ## --## Get the attribute of all init script entrypoint files. -+## Get the attribute of init script entrypoint files. - ## - ## - ## -@@ -1114,18 +1363,18 @@ interface(`init_exec_script_files',` +@@ -1114,7 +1363,82 @@ interface(`init_exec_script_files',` ## ## # -interface(`init_getattr_all_script_files',` ++interface(`init_write_script_pipes',` ++ gen_require(` ++ type initrc_t; ++ ') ++ ++ allow $1 initrc_t:fifo_file write; ++') ++ ++######################################## ++## ++## Get the attribute of init script entrypoint files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`init_getattr_script_files',` - gen_require(` -- attribute init_script_file_type; ++ gen_require(` + type initrc_exec_t; - ') - - files_list_etc($1) -- allow $1 init_script_file_type:file getattr; ++ ') ++ ++ files_list_etc($1) + allow $1 initrc_exec_t:file getattr; - ') - - ######################################## - ## --## Read all init script files. ++') ++ ++######################################## ++## +## Read init scripts. - ## - ## - ## -@@ -1133,7 +1382,102 @@ interface(`init_getattr_all_script_files',` - ## - ## - # --interface(`init_read_all_script_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`init_read_script_files',` + gen_require(` + type initrc_exec_t; 
@@ -35792,16 +35918,13 @@ index 79a45f6..cf6add7 100644 +## +# +interface(`init_getattr_all_script_files',` -+ gen_require(` -+ attribute init_script_file_type; -+ ') -+ -+ files_list_etc($1) -+ allow $1 init_script_file_type:file getattr; -+') -+ -+######################################## -+## + gen_require(` + attribute init_script_file_type; + ') +@@ -1125,6 +1449,44 @@ interface(`init_getattr_all_script_files',` + + ######################################## + ## +## Allow the specified domain to modify the systemd configuration of +## all init scripts. +## @@ -35840,19 +35963,10 @@ index 79a45f6..cf6add7 100644 + +######################################## +## -+## Read all init script files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_read_all_script_files',` - gen_require(` - attribute init_script_file_type; - ') -@@ -1144,6 +1488,24 @@ interface(`init_read_all_script_files',` + ## Read all init script files. + ## + ## +@@ -1144,6 +1506,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -35877,7 +35991,7 @@ index 79a45f6..cf6add7 100644 ## Dontaudit read all init script files. ## ## -@@ -1195,12 +1557,7 @@ interface(`init_read_script_state',` +@@ -1195,12 +1575,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -35891,7 +36005,7 @@ index 79a45f6..cf6add7 100644 ') ######################################## -@@ -1314,6 +1671,24 @@ interface(`init_signal_script',` +@@ -1314,6 +1689,24 @@ interface(`init_signal_script',` ######################################## ## @@ -35916,7 +36030,7 @@ index 79a45f6..cf6add7 100644 ## Send null signals to init scripts. ## ## -@@ -1440,6 +1815,27 @@ interface(`init_dbus_send_script',` +@@ -1440,6 +1833,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from 
@@ -35944,7 +36058,7 @@ index 79a45f6..cf6add7 100644 ## init scripts over dbus. ## ## -@@ -1547,6 +1943,25 @@ interface(`init_getattr_script_status_files',` +@@ -1547,6 +1961,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -35970,7 +36084,7 @@ index 79a45f6..cf6add7 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1605,6 +2020,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1605,6 +2038,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -35995,7 +36109,7 @@ index 79a45f6..cf6add7 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1677,6 +2110,43 @@ interface(`init_read_utmp',` +@@ -1677,6 +2128,43 @@ interface(`init_read_utmp',` ######################################## ## @@ -36039,7 +36153,7 @@ index 79a45f6..cf6add7 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1765,7 +2235,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1765,7 +2253,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -36048,7 +36162,7 @@ index 79a45f6..cf6add7 100644 ') ######################################## -@@ -1806,37 +2276,672 @@ interface(`init_pid_filetrans_utmp',` +@@ -1806,37 +2294,672 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') 
@@ -36057,23 +36171,33 @@ index 79a45f6..cf6add7 100644 ## -## Allow the specified domain to connect to daemon with a tcp socket +## Allow search directory in the /run/systemd directory. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`init_tcp_recvfrom_all_daemons',` +- gen_require(` +- attribute daemon; +- ') +interface(`init_search_pid_dirs',` + gen_require(` + type init_var_run_t; + ') -+ + +- corenet_tcp_recvfrom_labeled($1, daemon) + allow $1 init_var_run_t:dir search_dir_perms; -+') -+ + ') + +-######################################## +###################################### -+## + ## +-## Allow the specified domain to connect to daemon with a udp socket +## Allow listing of the /run/systemd directory. +## +## @@ -36137,7 +36261,7 @@ index 79a45f6..cf6add7 100644 ## ## # --interface(`init_tcp_recvfrom_all_daemons',` +-interface(`init_udp_recvfrom_all_daemons',` - gen_require(` - attribute daemon; - ') @@ -36145,25 +36269,22 @@ index 79a45f6..cf6add7 100644 + gen_require(` + type init_var_run_t; + ') - -- corenet_tcp_recvfrom_labeled($1, daemon) ++ + files_search_pids($1) + filetrans_pattern($1, init_var_run_t, $2, $3, $4) - ') - --######################################## ++') ++ +####################################### - ## --## Allow the specified domain to connect to daemon with a udp socket ++## +## Create objects in /run/systemd directory +## with an automatic type transition to +## a specified private type. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## +## +## The type of the object to create. 
@@ -36179,14 +36300,11 @@ index 79a45f6..cf6add7 100644 +## The name of the object being created. +## +## - # --interface(`init_udp_recvfrom_all_daemons',` ++# +interface(`init_named_pid_filetrans',` - gen_require(` -- attribute daemon; ++ gen_require(` + type init_var_run_t; - ') -- corenet_udp_recvfrom_labeled($1, daemon) ++ ') + + files_search_pids($1) + filetrans_pattern($1, init_var_run_t, $2, $3, $4) @@ -36224,8 +36342,8 @@ index 79a45f6..cf6add7 100644 + gen_require(` + attribute daemon; + ') -+ corenet_udp_recvfrom_labeled($1, daemon) -+') + corenet_udp_recvfrom_labeled($1, daemon) + ') + +######################################## +## @@ -36733,9 +36851,9 @@ index 79a45f6..cf6add7 100644 + + files_search_var_lib($1) + allow $1 init_var_lib_t:dir search_dir_perms; - ') ++') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..f09c5ae 100644 +index 17eda24..0a4a187 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -36960,7 +37078,7 @@ index 17eda24..f09c5ae 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -155,29 +256,67 @@ fs_list_inotifyfs(init_t) +@@ -155,29 +256,68 @@ fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) @@ -37003,6 +37121,7 @@ index 17eda24..f09c5ae 100644 # Run init scripts. init_domtrans_script(init_t) ++init_exec_notrans_direct_init_entry(init_t) libs_rw_ld_so_cache(init_t) @@ -37033,7 +37152,7 @@ index 17eda24..f09c5ae 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +325,256 @@ ifdef(`distro_gentoo',` +@@ -186,29 +326,258 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` 
@@ -37168,6 +37287,8 @@ index 17eda24..f09c5ae 100644 +files_list_home(init_t) +files_create_lock_dirs(init_t) +files_relabel_all_lock_dirs(init_t) ++files_relabel_var_dirs(init_t) ++files_relabel_var_lib_dirs(init_t) +files_read_kernel_modules(init_t) +fs_getattr_all_fs(init_t) +fs_manage_cgroup_dirs(init_t) @@ -37299,7 +37420,7 @@ index 17eda24..f09c5ae 100644 ') optional_policy(` -@@ -216,7 +582,30 @@ optional_policy(` +@@ -216,7 +585,30 @@ optional_policy(` ') optional_policy(` @@ -37331,7 +37452,7 @@ index 17eda24..f09c5ae 100644 ') ######################################## -@@ -225,9 +614,9 @@ optional_policy(` +@@ -225,9 +617,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -37343,7 +37464,7 @@ index 17eda24..f09c5ae 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +647,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +650,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -37360,7 +37481,7 @@ index 17eda24..f09c5ae 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +672,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +675,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -37403,7 +37524,7 @@ index 17eda24..f09c5ae 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +709,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +712,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) 
@@ -37415,7 +37536,7 @@ index 17eda24..f09c5ae 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +721,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +724,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -37426,7 +37547,7 @@ index 17eda24..f09c5ae 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +732,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +735,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -37436,7 +37557,7 @@ index 17eda24..f09c5ae 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +741,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +744,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -37444,7 +37565,7 @@ index 17eda24..f09c5ae 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +748,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +751,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -37452,7 +37573,7 @@ index 17eda24..f09c5ae 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +756,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +759,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -37470,7 +37591,7 @@ index 17eda24..f09c5ae 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +774,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +777,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -37484,7 +37605,7 @@ index 17eda24..f09c5ae 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +789,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +792,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -37498,7 +37619,7 @@ index 17eda24..f09c5ae 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +802,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +805,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -37509,7 +37630,7 @@ index 17eda24..f09c5ae 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +815,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +818,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -37517,7 +37638,7 @@ index 17eda24..f09c5ae 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +834,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +837,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -37541,7 +37662,7 @@ index 17eda24..f09c5ae 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +867,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +870,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) 
@@ -37549,7 +37670,7 @@ index 17eda24..f09c5ae 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +901,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +904,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -37560,7 +37681,7 @@ index 17eda24..f09c5ae 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +925,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +928,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -37569,7 +37690,7 @@ index 17eda24..f09c5ae 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +940,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +943,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -37577,7 +37698,7 @@ index 17eda24..f09c5ae 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +961,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +964,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -37585,7 +37706,7 @@ index 17eda24..f09c5ae 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +971,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +974,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -37630,7 +37751,7 @@ index 17eda24..f09c5ae 100644 ') optional_policy(` -@@ -559,14 +1016,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1019,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -37662,7 +37783,7 @@ index 17eda24..f09c5ae 100644 ') ') -@@ -577,6 +1051,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1054,39 @@ ifdef(`distro_suse',` ') ') 
@@ -37702,7 +37823,7 @@ index 17eda24..f09c5ae 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1096,8 @@ optional_policy(` +@@ -589,6 +1099,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -37711,7 +37832,7 @@ index 17eda24..f09c5ae 100644 ') optional_policy(` -@@ -610,6 +1119,7 @@ optional_policy(` +@@ -610,6 +1122,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -37719,7 +37840,7 @@ index 17eda24..f09c5ae 100644 ') optional_policy(` -@@ -626,6 +1136,17 @@ optional_policy(` +@@ -626,6 +1139,17 @@ optional_policy(` ') optional_policy(` @@ -37737,7 +37858,7 @@ index 17eda24..f09c5ae 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1163,13 @@ optional_policy(` +@@ -642,9 +1166,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -37751,7 +37872,7 @@ index 17eda24..f09c5ae 100644 ') optional_policy(` -@@ -657,15 +1182,11 @@ optional_policy(` +@@ -657,15 +1185,11 @@ optional_policy(` ') optional_policy(` @@ -37769,7 +37890,7 @@ index 17eda24..f09c5ae 100644 ') optional_policy(` -@@ -686,6 +1207,15 @@ optional_policy(` +@@ -686,6 +1210,15 @@ optional_policy(` ') optional_policy(` @@ -37785,7 +37906,7 @@ index 17eda24..f09c5ae 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1256,7 @@ optional_policy(` +@@ -726,6 +1259,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -37793,7 +37914,7 @@ index 17eda24..f09c5ae 100644 ') optional_policy(` -@@ -743,7 +1274,13 @@ optional_policy(` +@@ -743,7 +1277,13 @@ optional_policy(` ') optional_policy(` @@ -37808,7 +37929,7 @@ index 17eda24..f09c5ae 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1303,10 @@ optional_policy(` +@@ -766,6 +1306,10 @@ optional_policy(` ') optional_policy(` 
@@ -37819,7 +37940,7 @@ index 17eda24..f09c5ae 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1316,20 @@ optional_policy(` +@@ -775,10 +1319,20 @@ optional_policy(` ') optional_policy(` @@ -37840,7 +37961,7 @@ index 17eda24..f09c5ae 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1338,10 @@ optional_policy(` +@@ -787,6 +1341,10 @@ optional_policy(` ') optional_policy(` @@ -37851,7 +37972,7 @@ index 17eda24..f09c5ae 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1363,6 @@ optional_policy(` +@@ -808,8 +1366,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -37860,7 +37981,7 @@ index 17eda24..f09c5ae 100644 ') optional_policy(` -@@ -818,6 +1371,10 @@ optional_policy(` +@@ -818,6 +1374,10 @@ optional_policy(` ') optional_policy(` @@ -37871,7 +37992,7 @@ index 17eda24..f09c5ae 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1384,12 @@ optional_policy(` +@@ -827,10 +1387,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -37884,7 +38005,7 @@ index 17eda24..f09c5ae 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1416,62 @@ optional_policy(` +@@ -857,21 +1419,62 @@ optional_policy(` ') optional_policy(` @@ -37948,7 +38069,7 @@ index 17eda24..f09c5ae 100644 ') optional_policy(` -@@ -887,6 +1487,10 @@ optional_policy(` +@@ -887,6 +1490,10 @@ optional_policy(` ') optional_policy(` @@ -37959,7 +38080,7 @@ index 17eda24..f09c5ae 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1501,218 @@ optional_policy(` +@@ -897,3 +1504,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -48234,10 +48355,10 @@ index 0000000..ebd6cc8 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..8c07053 +index 0000000..7717a2b --- /dev/null 
+++ b/policy/modules/system/systemd.te -@@ -0,0 +1,931 @@ +@@ -0,0 +1,932 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -49120,6 +49241,7 @@ index 0000000..8c07053 + +corenet_tcp_bind_llmnr_port(systemd_resolved_t) +corenet_udp_bind_llmnr_port(systemd_resolved_t) ++corenet_tcp_connect_llmnr_port(systemd_resolved_t) + +dev_write_kmsg(systemd_resolved_t) +dev_read_sysfs(systemd_resolved_t) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index e5b5dff7..6657026e 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -16593,10 +16593,10 @@ index 0000000..1cc5fa4 +') diff --git a/conman.te b/conman.te new file mode 100644 -index 0000000..bce21bf +index 0000000..2357f3b --- /dev/null +++ b/conman.te -@@ -0,0 +1,96 @@ +@@ -0,0 +1,97 @@ +policy_module(conman, 1.0.0) + +######################################## @@ -16646,6 +16646,7 @@ index 0000000..bce21bf +allow conman_t self:tcp_socket { accept listen create_socket_perms }; + +allow conman_t conman_unconfined_script_t:process sigkill; ++allow conman_t conman_unconfined_script_exec_t:dir list_dir_perms; + +manage_dirs_pattern(conman_t, conman_log_t, conman_log_t) +manage_files_pattern(conman_t, conman_log_t, conman_log_t) @@ -28762,7 +28763,7 @@ index c62c567..a74f123 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3..d5d852e 100644 +index 98072a3..18a2ef2 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t) @@ -28806,7 +28807,7 @@ index 98072a3..d5d852e 100644 kernel_read_network_state(firewalld_t) kernel_read_system_state(firewalld_t) -@@ -63,20 +77,19 @@ dev_search_sysfs(firewalld_t) +@@ -63,20 +77,20 @@ dev_search_sysfs(firewalld_t) domain_use_interactive_fds(firewalld_t) 
@@ -28830,10 +28831,11 @@ index 98072a3..d5d852e 100644 -sysnet_read_config(firewalld_t) +sysnet_dns_name_resolve(firewalld_t) ++sysnet_manage_config_dirs(firewalld_t) optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -95,6 +108,10 @@ optional_policy(` +@@ -95,6 +109,10 @@ optional_policy(` ') optional_policy(` @@ -29529,7 +29531,7 @@ index 0000000..0d09fbd + +userdom_use_inherited_user_terminals(freqset_t) diff --git a/ftp.fc b/ftp.fc -index ddb75c1..44f74e6 100644 +index ddb75c1..f38075f 100644 --- a/ftp.fc +++ b/ftp.fc @@ -1,5 +1,8 @@ @@ -29541,6 +29543,14 @@ index ddb75c1..44f74e6 100644 /etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) /etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) +@@ -23,6 +26,7 @@ + + /var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0) + /var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0) ++/var/log/proftpd\.log -- gen_context(system_u:object_r:xferlog_t,s0) + /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) + /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) + /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) diff --git a/ftp.if b/ftp.if index 4498143..84a4858 100644 --- a/ftp.if @@ -36646,10 +36656,10 @@ index 0000000..d0016da +') diff --git a/hostapd.te b/hostapd.te new file mode 100644 -index 0000000..54deae3 +index 0000000..438573d --- /dev/null +++ b/hostapd.te -@@ -0,0 +1,52 @@ +@@ -0,0 +1,53 @@ +policy_module(hostapd, 1.0.0) + +######################################## 
@@ -36675,6 +36685,7 @@ index 0000000..54deae3 +allow hostapd_t self:fifo_file rw_fifo_file_perms; +allow hostapd_t self:unix_stream_socket create_stream_socket_perms; +allow hostapd_t self:netlink_socket create_socket_perms; ++allow hostapd_t self:netlink_generic_socket create_socket_perms; +allow hostapd_t self:netlink_route_socket create_netlink_socket_perms; +allow hostapd_t self:packet_socket create_socket_perms; + @@ -40775,10 +40786,10 @@ index 0000000..17126b6 +') diff --git a/journalctl.te b/journalctl.te new file mode 100644 -index 0000000..896cde4 +index 0000000..68dd2b7 --- /dev/null +++ b/journalctl.te -@@ -0,0 +1,46 @@ +@@ -0,0 +1,47 @@ +policy_module(journalctl, 1.0.0) + +######################################## @@ -40819,6 +40830,7 @@ index 0000000..896cde4 +miscfiles_read_localization(journalctl_t) + +logging_read_generic_logs(journalctl_t) ++logging_read_syslog_pid(journalctl_t) + +userdom_list_user_home_dirs(journalctl_t) +userdom_read_user_home_content_files(journalctl_t) @@ -49038,11 +49050,11 @@ index 0000000..0f290e9 + diff --git a/mirrormanager.fc b/mirrormanager.fc new file mode 100644 -index 0000000..c713b27 +index 0000000..abd53a4 --- /dev/null +++ b/mirrormanager.fc @@ -0,0 +1,7 @@ -+/usr/share/mirrormanager/server/mirrormanager -- gen_context(system_u:object_r:mirrormanager_exec_t,s0) ++/usr/share/mirrormanager/server/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_exec_t,s0) + +/var/lib/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_lib_t,s0) + @@ -53170,10 +53182,10 @@ index 65a246a..fa86320 100644 netutils_domtrans_ping(mrtg_t) diff --git a/mta.fc b/mta.fc -index f42896c..2cf0c23 100644 +index f42896c..fce39c1 100644 --- a/mta.fc +++ b/mta.fc -@@ -1,34 +1,41 @@ +@@ -1,34 +1,39 @@ -HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0) 
@@ -53195,6 +53207,8 @@ index f42896c..2cf0c23 100644 -/etc/postfix/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0) - -/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) +-/usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) +- +/etc/mail/.*\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) +ifdef(`distro_redhat',` +/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) @@ -53207,8 +53221,6 @@ index f42896c..2cf0c23 100644 +/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) + +/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -59325,10 +59337,10 @@ index 0000000..409de8c +') diff --git a/ninfod.te b/ninfod.te new file mode 100644 -index 0000000..d75c408 +index 0000000..b3aa3ce --- /dev/null +++ b/ninfod.te -@@ -0,0 +1,35 @@ +@@ -0,0 +1,36 @@ +policy_module(ninfod, 1.0.0) + +######################################## @@ -59355,6 +59367,7 @@ index 0000000..d75c408 +allow ninfod_t self:fifo_file rw_fifo_file_perms; +allow ninfod_t self:rawip_socket { create setopt }; +allow ninfod_t self:unix_stream_socket create_stream_socket_perms; ++allow ninfod_t self:rawip_socket read; + +manage_files_pattern(ninfod_t, ninfod_run_t, ninfod_run_t) +files_pid_filetrans(ninfod_t,ninfod_run_t, { file }) @@ -69117,7 +69130,7 @@ index d2fc677..86dce34 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 608f454..6a92354 100644 +index 608f454..bc31081 100644 --- a/pegasus.te +++ b/pegasus.te @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) 
@@ -69477,7 +69490,7 @@ index 608f454..6a92354 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +368,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,25 +368,26 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -69508,7 +69521,11 @@ index 608f454..6a92354 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +394,21 @@ kernel_read_net_sysctls(pegasus_t) ++kernel_read_sysctl(pegasus_t) + kernel_read_fs_sysctls(pegasus_t) + kernel_read_system_state(pegasus_t) + kernel_search_vm_sysctl(pegasus_t) +@@ -80,27 +395,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -69541,7 +69558,7 @@ index 608f454..6a92354 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,9 +422,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +423,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -69553,7 +69570,7 @@ index 608f454..6a92354 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) -@@ -128,18 +438,29 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +439,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) 
@@ -69575,21 +69592,21 @@ index 608f454..6a92354 100644 +optional_policy(` + dbus_system_bus_client(pegasus_t) + dbus_connect_system_bus(pegasus_t) -+ -+ optional_policy(` -+ networkmanager_dbus_chat(pegasus_t) -+ ') -+') - optional_policy(` - networkmanager_dbus_chat(pegasus_t) - ') ++ optional_policy(` ++ networkmanager_dbus_chat(pegasus_t) ++ ') ++') ++ +optional_policy(` + rhcs_stream_connect_cluster(pegasus_t) ') optional_policy(` -@@ -151,16 +472,24 @@ optional_policy(` +@@ -151,16 +473,24 @@ optional_policy(` ') optional_policy(` @@ -69618,7 +69635,7 @@ index 608f454..6a92354 100644 ') optional_policy(` -@@ -168,7 +497,7 @@ optional_policy(` +@@ -168,7 +498,7 @@ optional_policy(` ') optional_policy(` @@ -69627,7 +69644,7 @@ index 608f454..6a92354 100644 ') optional_policy(` -@@ -180,6 +509,7 @@ optional_policy(` +@@ -180,12 +510,17 @@ optional_policy(` ') optional_policy(` @@ -69635,6 +69652,16 @@ index 608f454..6a92354 100644 virt_domtrans(pegasus_t) virt_stream_connect(pegasus_t) virt_manage_config(pegasus_t) + ') + + optional_policy(` ++ qemu_getattr_exec(pegasus_t) ++') ++ ++optional_policy(` + xen_stream_connect(pegasus_t) + xen_stream_connect_xenstore(pegasus_t) + ') diff --git a/pesign.fc b/pesign.fc new file mode 100644 index 0000000..7b54c39 @@ -77508,10 +77535,10 @@ index 0000000..8231f4f +') diff --git a/prosody.te b/prosody.te new file mode 100644 -index 0000000..3ef4a99 +index 0000000..71f9abb --- /dev/null +++ b/prosody.te -@@ -0,0 +1,97 @@ +@@ -0,0 +1,98 @@ +policy_module(prosody, 1.0.0) + +######################################## @@ -77588,6 +77615,7 @@ index 0000000..3ef4a99 +corenet_tcp_bind_jabber_interserver_port(prosody_t) +corenet_tcp_bind_jabber_router_port(prosody_t) +corenet_tcp_bind_commplex_main_port(prosody_t) ++corenet_tcp_bind_fac_restore_port(prosody_t) + +tunable_policy(`prosody_bind_http_port',` + corenet_tcp_bind_http_port(prosody_t) 
@@ -78923,7 +78951,7 @@ index 7cb8b1f..bef7217 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; ') diff --git a/puppet.te b/puppet.te -index 618dcfe..1cd6fca 100644 +index 618dcfe..67d166c 100644 --- a/puppet.te +++ b/puppet.te @@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0) @@ -78985,7 +79013,7 @@ index 618dcfe..1cd6fca 100644 type puppetmaster_t; type puppetmaster_exec_t; -@@ -56,161 +62,162 @@ files_tmp_file(puppetmaster_tmp_t) +@@ -56,161 +62,166 @@ files_tmp_file(puppetmaster_tmp_t) ######################################## # 
@@ -79184,63 +79212,67 @@ index 618dcfe..1cd6fca 100644 + +optional_policy(` + mysql_stream_connect(puppetagent_t) - ') - - optional_policy(` -- cfengine_read_lib_files(puppet_t) ++') ++ ++optional_policy(` + postgresql_stream_connect(puppetagent_t) - ') - - optional_policy(` -- consoletype_exec(puppet_t) ++') ++ ++optional_policy(` + cfengine_read_lib_files(puppetagent_t) ') optional_policy(` -- hostname_exec(puppet_t) +- cfengine_read_lib_files(puppet_t) + consoletype_exec(puppetagent_t) ') optional_policy(` -- mount_domtrans(puppet_t) +- consoletype_exec(puppet_t) + hostname_exec(puppetagent_t) ') optional_policy(` -- mta_send_mail(puppet_t) +- hostname_exec(puppet_t) + mount_domtrans(puppetagent_t) ') + optional_policy(` +- mount_domtrans(puppet_t) ++ mta_send_mail(puppetagent_t) + ') + + optional_policy(` +- mta_send_mail(puppet_t) ++ firewalld_dbus_chat(puppetagent_t) + ') + optional_policy(` - portage_domtrans(puppet_t) - portage_domtrans_fetch(puppet_t) - portage_domtrans_gcc_config(puppet_t) -+ mta_send_mail(puppetagent_t) - ') - - optional_policy(` -- files_rw_var_files(puppet_t) -+ firewalld_dbus_chat(puppetagent_t) -+') - -- rpm_domtrans(puppet_t) -- rpm_manage_db(puppet_t) -- rpm_manage_log(puppet_t) -+optional_policy(` + portage_domtrans(puppetagent_t) + portage_domtrans_fetch(puppetagent_t) + portage_domtrans_gcc_config(puppetagent_t) ') optional_policy(` -- unconfined_domain(puppet_t) +- files_rw_var_files(puppet_t) + files_rw_var_files(puppetagent_t) -+ + +- rpm_domtrans(puppet_t) +- rpm_manage_db(puppet_t) +- rpm_manage_log(puppet_t) + rpm_domtrans(puppetagent_t) + rpm_manage_db(puppetagent_t) + rpm_manage_log(puppetagent_t) ') + optional_policy(` +- unconfined_domain(puppet_t) ++ shorewall_domtrans(puppetagent_t) + ') + optional_policy(` - usermanage_domtrans_groupadd(puppet_t) - usermanage_domtrans_useradd(puppet_t) 
@@ -79264,7 +79296,7 @@ index 618dcfe..1cd6fca 100644 allow puppetca_t puppet_var_lib_t:dir list_dir_perms; manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t) -@@ -221,6 +228,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; +@@ -221,6 +232,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; allow puppetca_t puppet_var_run_t:dir search_dir_perms; kernel_read_system_state(puppetca_t) @@ -79272,7 +79304,7 @@ index 618dcfe..1cd6fca 100644 kernel_read_kernel_sysctls(puppetca_t) corecmd_exec_bin(puppetca_t) -@@ -229,15 +237,12 @@ corecmd_exec_shell(puppetca_t) +@@ -229,15 +241,12 @@ corecmd_exec_shell(puppetca_t) dev_read_urand(puppetca_t) dev_search_sysfs(puppetca_t) @@ -79288,7 +79320,7 @@ index 618dcfe..1cd6fca 100644 miscfiles_read_generic_certs(puppetca_t) seutil_read_file_contexts(puppetca_t) -@@ -246,38 +251,48 @@ optional_policy(` +@@ -246,38 +255,48 @@ optional_policy(` hostname_exec(puppetca_t) ') @@ -79353,7 +79385,7 @@ index 618dcfe..1cd6fca 100644 kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) kernel_read_network_state(puppetmaster_t) -@@ -289,23 +304,24 @@ corecmd_exec_bin(puppetmaster_t) +@@ -289,23 +308,24 @@ corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) corenet_all_recvfrom_netlabel(puppetmaster_t) @@ -79384,7 +79416,7 @@ index 618dcfe..1cd6fca 100644 selinux_validate_context(puppetmaster_t) -@@ -314,26 +330,31 @@ auth_use_nsswitch(puppetmaster_t) +@@ -314,26 +334,31 @@ auth_use_nsswitch(puppetmaster_t) logging_send_syslog_msg(puppetmaster_t) miscfiles_read_generic_certs(puppetmaster_t) @@ -79421,7 +79453,7 @@ index 618dcfe..1cd6fca 100644 ') optional_policy(` -@@ -342,3 +363,9 @@ optional_policy(` +@@ -342,3 +367,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -80193,7 +80225,7 @@ index 86ea53c..a2dcf7b 100644 /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) /usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) 
diff --git a/qemu.if b/qemu.if -index eaf56b8..aa90671 100644 +index eaf56b8..8894726 100644 --- a/qemu.if +++ b/qemu.if @@ -1,19 +1,21 @@ @@ -80419,7 +80451,7 @@ index eaf56b8..aa90671 100644 ## ## ## -@@ -264,48 +239,68 @@ interface(`qemu_kill',` +@@ -264,28 +239,68 @@ interface(`qemu_kill',` ######################################## ## @@ -80457,9 +80489,6 @@ index eaf56b8..aa90671 100644 - type unconfined_qemu_t, qemu_exec_t; + type qemu_exec_t; ') -- -- corecmd_search_bin($1) -- domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t) + + read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t) + domain_transition_pattern($1, qemu_exec_t, $2) @@ -80469,32 +80498,25 @@ index eaf56b8..aa90671 100644 + allow $2 $1:fd use; + allow $2 $1:fifo_file rw_fifo_file_perms; + allow $2 $1:process sigchld; - ') ++') - ######################################## - ## --## Create, read, write, and delete --## qemu temporary directories. +- corecmd_search_bin($1) +- domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t) ++######################################## ++## +## Execute qemu unconfined programs in the role. - ## --## ++## +## - ## --## Domain allowed access. ++## +## The role to allow the qemu unconfined domain. - ## - ## - # --interface(`qemu_manage_tmp_dirs',` ++## ++## ++# +interface(`qemu_unconfined_role',` - gen_require(` -- type qemu_tmp_t; ++ gen_require(` + type unconfined_qemu_t; + type qemu_t; - ') -- -- files_search_tmp($1) -- manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t) ++ ') + role $1 types unconfined_qemu_t; + role $1 types qemu_t; ') 
@@ -80502,30 +80524,40 @@ index eaf56b8..aa90671 100644 ######################################## ## -## Create, read, write, and delete --## qemu temporary files. +-## qemu temporary directories. +## Manage qemu temporary dirs. ## ## ## -@@ -313,58 +308,41 @@ interface(`qemu_manage_tmp_dirs',` - ## - ## - # --interface(`qemu_manage_tmp_files',` -+interface(`qemu_manage_tmp_dirs',` - gen_require(` +@@ -298,14 +313,12 @@ interface(`qemu_manage_tmp_dirs',` type qemu_tmp_t; ') - files_search_tmp($1) -- manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) -+ manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t) + manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## qemu temporary files. ++## Manage qemu temporary files. + ## + ## + ## +@@ -318,59 +331,42 @@ interface(`qemu_manage_tmp_files',` + type qemu_tmp_t; + ') + +- files_search_tmp($1) + manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ') ######################################## ## -## Execute qemu in a specified domain. -+## Manage qemu temporary files. ++## Make qemu_exec_t an entrypoint for ++## the specified domain. ## -## -##

@@ -80543,43 +80575,54 @@ index eaf56b8..aa90671 100644 -##

-## -## -+## - ## --## Domain to transition to. -+## Domain allowed access. - ## - ## - # --interface(`qemu_spec_domtrans',` -+interface(`qemu_manage_tmp_files',` - gen_require(` -- type qemu_exec_t; -+ type qemu_tmp_t; - ') - -- corecmd_search_bin($1) -- domain_auto_trans($1, qemu_exec_t, $2) -+ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) - ') - --###################################### -+######################################## - ## --## Make qemu executable files an --## entrypoint for the specified domain. -+## Make qemu_exec_t an entrypoint for -+## the specified domain. - ## - ## -## --## The domain for which qemu_exec_t is an entrypoint. +-## Domain to transition to. -## ++## +## +## The domain for which qemu_exec_t is an entrypoint. +## ## # - interface(`qemu_entry_type',` +-interface(`qemu_spec_domtrans',` ++interface(`qemu_entry_type',` + gen_require(` + type qemu_exec_t; + ') + +- corecmd_search_bin($1) +- domain_auto_trans($1, qemu_exec_t, $2) ++ domain_entry_file($1, qemu_exec_t) + ') + +-###################################### ++####################################### + ## +-## Make qemu executable files an +-## entrypoint for the specified domain. ++## Getattr on qemu executable. + ## + ## +-## +-## The domain for which qemu_exec_t is an entrypoint. +-## ++## ++## Domain allowed to transition. ++## + ## + # +-interface(`qemu_entry_type',` +- gen_require(` +- type qemu_exec_t; +- ') ++interface(`qemu_getattr_exec',` ++ gen_require(` ++ type qemu_exec_t; ++ ') + +- domain_entry_file($1, qemu_exec_t) ++ allow $1 qemu_exec_t:file getattr; + ') diff --git a/qemu.te b/qemu.te index 4f90743..958c0ef 100644 --- a/qemu.te @@ -88301,7 +88344,7 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a2..2e80d44 100644 +index d32e1a2..cb5f49c 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t) 
@@ -88340,7 +88383,7 @@ index d32e1a2..2e80d44 100644 manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) -@@ -50,25 +56,87 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) +@@ -50,25 +56,89 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) @@ -88351,6 +88394,8 @@ index d32e1a2..2e80d44 100644 +corenet_tcp_connect_http_port(rhsmcertd_t) +corenet_tcp_connect_http_cache_port(rhsmcertd_t) +corenet_tcp_connect_squid_port(rhsmcertd_t) ++corenet_tcp_connect_netport_port(rhsmcertd_t) ++corenet_tcp_connect_websm_port(rhsmcertd_t) corecmd_exec_bin(rhsmcertd_t) +corecmd_exec_shell(rhsmcertd_t) @@ -101382,10 +101427,10 @@ index 0919e0c..56a984b 100644 userdom_dontaudit_use_unpriv_user_fds(soundd_t) diff --git a/spamassassin.fc b/spamassassin.fc -index e9bd097..e059e27 100644 +index e9bd097..5724bcf 100644 --- a/spamassassin.fc +++ b/spamassassin.fc -@@ -1,20 +1,26 @@ +@@ -1,20 +1,27 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) -HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0) +HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) 
@@ -101417,10 +101462,11 @@ index e9bd097..e059e27 100644 /usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0) -/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) +/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) ++/usr/libexec/mimedefang-wrapper -- gen_context(system_u:object_r:spamd_exec_t,s0) /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) /var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0) -@@ -25,7 +31,22 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0) +@@ -25,7 +32,22 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0) /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) @@ -101901,10 +101947,10 @@ index 1499b0b..6950cab 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index cc58e35..d20d0ed 100644 +index cc58e35..7e5c719 100644 --- a/spamassassin.te +++ b/spamassassin.te -@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1) +@@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1) ## ##

@@ -101924,6 +101970,13 @@ index cc58e35..d20d0ed 100644 ## -gen_tunable(spamd_enable_home_dirs, false) +gen_tunable(spamd_enable_home_dirs, true) ++ ++## ++##

++## Allow spamd_update to connect to all ports. ++##

++##
++gen_tunable(spamd_update_can_network, false) + type spamd_update_t; @@ -101961,7 +102014,7 @@ index cc58e35..d20d0ed 100644 type spamd_t; type spamd_exec_t; -@@ -59,12 +32,6 @@ init_daemon_domain(spamd_t, spamd_exec_t) +@@ -59,12 +39,6 @@ init_daemon_domain(spamd_t, spamd_exec_t) type spamd_compiled_t; files_type(spamd_compiled_t) @@ -101974,7 +102027,7 @@ index cc58e35..d20d0ed 100644 type spamd_initrc_exec_t; init_script_file(spamd_initrc_exec_t) -@@ -72,87 +39,199 @@ type spamd_log_t; +@@ -72,87 +46,199 @@ type spamd_log_t; logging_log_file(spamd_log_t) type spamd_spool_t; @@ -102196,7 +102249,7 @@ index cc58e35..d20d0ed 100644 nis_use_ypbind_uncond(spamassassin_t) ') ') -@@ -160,6 +239,8 @@ optional_policy(` +@@ -160,6 +246,8 @@ optional_policy(` optional_policy(` mta_read_config(spamassassin_t) sendmail_stub(spamassassin_t) @@ -102205,7 +102258,7 @@ index cc58e35..d20d0ed 100644 ') ######################################## -@@ -167,72 +248,95 @@ optional_policy(` +@@ -167,72 +255,95 @@ optional_policy(` # Client local policy # @@ -102309,20 +102362,20 @@ index cc58e35..d20d0ed 100644 -auth_use_nsswitch(spamc_t) +fs_search_auto_mountpoints(spamc_t) -+ + +-logging_send_syslog_msg(spamc_t) +libs_exec_ldconfig(spamc_t) - logging_send_syslog_msg(spamc_t) - -miscfiles_read_localization(spamc_t) -+auth_use_nsswitch(spamc_t) ++logging_send_syslog_msg(spamc_t) -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(spamc_t) - fs_manage_nfs_files(spamc_t) - fs_manage_nfs_symlinks(spamc_t) -') -- ++auth_use_nsswitch(spamc_t) + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(spamc_t) - fs_manage_cifs_files(spamc_t) @@ -102332,7 +102385,7 @@ index cc58e35..d20d0ed 100644 optional_policy(` abrt_stream_connect(spamc_t) -@@ -243,6 +347,7 @@ optional_policy(` +@@ -243,6 +354,7 @@ optional_policy(` ') optional_policy(` 
@@ -102340,7 +102393,7 @@ index cc58e35..d20d0ed 100644 evolution_stream_connect(spamc_t) ') -@@ -251,11 +356,18 @@ optional_policy(` +@@ -251,11 +363,18 @@ optional_policy(` ') optional_policy(` @@ -102360,7 +102413,7 @@ index cc58e35..d20d0ed 100644 ') optional_policy(` -@@ -267,36 +379,40 @@ optional_policy(` +@@ -267,36 +386,40 @@ optional_policy(` ######################################## # @@ -102387,17 +102440,17 @@ index cc58e35..d20d0ed 100644 allow spamd_t self:unix_dgram_socket sendto; -allow spamd_t self:unix_stream_socket { accept connectto listen }; -allow spamd_t self:tcp_socket { accept listen }; -- ++allow spamd_t self:unix_stream_socket connectto; ++allow spamd_t self:tcp_socket create_stream_socket_perms; ++allow spamd_t self:udp_socket create_socket_perms; + -manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd") -+allow spamd_t self:unix_stream_socket connectto; -+allow spamd_t self:tcp_socket create_stream_socket_perms; -+allow spamd_t self:udp_socket create_socket_perms; - +- -manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) @@ -102418,7 +102471,7 @@ index cc58e35..d20d0ed 100644 logging_log_filetrans(spamd_t, spamd_log_t, file) manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -@@ -308,7 +424,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) +@@ -308,7 +431,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) 
@@ -102428,7 +102481,7 @@ index cc58e35..d20d0ed 100644 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) -@@ -317,12 +434,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +@@ -317,12 +441,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) @@ -102445,7 +102498,7 @@ index cc58e35..d20d0ed 100644 corenet_all_recvfrom_netlabel(spamd_t) corenet_tcp_sendrecv_generic_if(spamd_t) corenet_udp_sendrecv_generic_if(spamd_t) -@@ -331,78 +450,60 @@ corenet_udp_sendrecv_generic_node(spamd_t) +@@ -331,78 +457,60 @@ corenet_udp_sendrecv_generic_node(spamd_t) corenet_tcp_sendrecv_all_ports(spamd_t) corenet_udp_sendrecv_all_ports(spamd_t) corenet_tcp_bind_generic_node(spamd_t) @@ -102550,7 +102603,7 @@ index cc58e35..d20d0ed 100644 ') optional_policy(` -@@ -421,21 +522,13 @@ optional_policy(` +@@ -421,21 +529,13 @@ optional_policy(` ') optional_policy(` @@ -102574,7 +102627,7 @@ index cc58e35..d20d0ed 100644 ') optional_policy(` -@@ -443,8 +536,8 @@ optional_policy(` +@@ -443,8 +543,8 @@ optional_policy(` ') optional_policy(` @@ -102584,7 +102637,7 @@ index cc58e35..d20d0ed 100644 ') optional_policy(` -@@ -455,7 +548,17 @@ optional_policy(` +@@ -455,7 +555,17 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) razor_read_lib_files(spamd_t) @@ -102603,7 +102656,7 @@ index cc58e35..d20d0ed 100644 ') optional_policy(` -@@ -463,9 +566,9 @@ optional_policy(` +@@ -463,9 +573,9 @@ optional_policy(` ') optional_policy(` @@ -102614,7 +102667,7 @@ index cc58e35..d20d0ed 100644 ') optional_policy(` -@@ -474,32 +577,32 @@ optional_policy(` +@@ -474,32 +584,32 @@ optional_policy(` ######################################## # 
@@ -102640,24 +102693,24 @@ index cc58e35..d20d0ed 100644 -kernel_read_system_state(spamd_update_t) +allow spamd_update_t spamc_home_t:dir search_dir_perms; +allow spamd_update_t spamd_tmp_t:file read_file_perms; ++ ++allow spamd_update_t spamc_home_t:dir search_dir_perms; -corenet_all_recvfrom_unlabeled(spamd_update_t) -corenet_all_recvfrom_netlabel(spamd_update_t) -corenet_tcp_sendrecv_generic_if(spamd_update_t) -corenet_tcp_sendrecv_generic_node(spamd_update_t) -corenet_tcp_sendrecv_all_ports(spamd_update_t) -+allow spamd_update_t spamc_home_t:dir search_dir_perms; ++kernel_read_system_state(spamd_update_t) -corenet_sendrecv_http_client_packets(spamd_update_t) -+kernel_read_system_state(spamd_update_t) -+ +# for updating rules corenet_tcp_connect_http_port(spamd_update_t) -corenet_tcp_sendrecv_http_port(spamd_update_t) corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -508,25 +611,21 @@ dev_read_urand(spamd_update_t) +@@ -508,25 +618,26 @@ dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t) @@ -102687,8 +102740,13 @@ index cc58e35..d20d0ed 100644 - mta_read_config(spamd_update_t) + gpg_domtrans(spamd_update_t) + gpg_manage_home_content(spamd_update_t) - ') ++') + ++tunable_policy(`spamd_update_can_network',` ++ corenet_sendrecv_all_client_packets(spamd_update_t) ++ corenet_tcp_connect_all_ports(spamd_update_t) ++ corenet_tcp_sendrecv_all_ports(spamd_update_t) + ') diff --git a/speech-dispatcher.fc b/speech-dispatcher.fc new file mode 100644 index 0000000..545f682 @@ -108753,7 +108811,7 @@ index e29db63..061fb98 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 393a330..6893547 100644 +index 393a330..0691d4a 100644 --- a/tuned.te +++ b/tuned.te @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) 
@@ -108818,7 +108876,7 @@ index 393a330..6893547 100644 corecmd_exec_bin(tuned_t) corecmd_exec_shell(tuned_t) -@@ -64,31 +78,60 @@ corecmd_exec_shell(tuned_t) +@@ -64,35 +78,72 @@ corecmd_exec_shell(tuned_t) dev_getattr_all_blk_files(tuned_t) dev_getattr_all_chr_files(tuned_t) dev_read_urand(tuned_t) @@ -108879,11 +108937,15 @@ index 393a330..6893547 100644 mount_domtrans(tuned_t) ') -+# to allow network interface tuning optional_policy(` ++ policykit_dbus_chat(tuned_t) ++') ++ ++# to allow network interface tuning ++optional_policy(` sysnet_domtrans_ifconfig(tuned_t) ') -@@ -96,3 +139,7 @@ optional_policy(` + optional_policy(` unconfined_dbus_send(tuned_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 3e5dd9d1..b3718bc4 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 197%{?dist} +Release: 198%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -647,6 +647,42 @@ exit 0 %endif %changelog +* Wed Jun 22 2016 Lukas Vrabec 3.13.1-198 +- Allow firewalld_t to create entries in net_conf_t dirs. +- Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals +- Allow rhsmcertd connect to port tcp 9090 +- Label for /bin/mail(x) was removed but /usr/bin/mail(x) not. This path is also needed to remove. +- Label /usr/libexec/mimedefang-wrapper as spamd_exec_t. +- Add new boolean spamd_update_can_network. +- Add proper label for /var/log/proftpd.log +- Allow rhsmcertd connect to tcp netport_port_t +- Fix SELinux context for /usr/share/mirrormanager/server/mirrormanager to Label all binaries under dir as mirrormanager_exec_t. +- Allow prosody to bind to fac_restore tcp port. +- Fix SELinux context for usr/share/mirrormanager/server/mirrormanager +- Allow ninfod to read raw packets +- Fix broken hostapd policy +- Allow hostapd to create netlink_generic sockets. BZ(1343683) +- Merge pull request #133 from vinzent/allow_puppet_transition_to_shorewall +- Allow pegasus get attributes from qemu binary files. +- Allow tuned to use policykit. This change is required by cockpit. +- Allow conman_t to read dir with conman_unconfined_script_t binary files. +- Allow pegasus to read /proc/sysinfo. +- Allow puppet_t transtition to shorewall_t +- Allow conman to kill conman_unconfined_script. +- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals. +- Merge remote-tracking branch 'refs/remotes/origin/rawhide-base' into rawhide-base +- Allow systemd to execute all init daemon executables. +- Add init_exec_notrans_direct_init_entry() interface. +- Label tcp ports:16379, 26379 as redis_port_t +- Allow systemd to relabel /var and /var/lib directories during boot. +- Add files_relabel_var_dirs() and files_relabel_var_dirs() interfaces. +- Add files_relabelto_var_lib_dirs() interface. 
+- Label tcp and udp port 5582 as fac_restore_port_t +- Allow sysadm_t user to run postgresql-setup. +- Allow sysadm_t user to dbus chat with oddjob_t. This allows confined admin run oddjob mkhomedirfor script. +- Allow systemd-resolved to connect to llmnr tcp port. BZ(1344849) +- Allow passwd_t also manage user_tmp_t dirs, this change is needed by gnome-keyringd + * Thu Jun 16 2016 Lukas Vrabec 3.13.1-197 - Allow conman to kill conman_unconfined_script. - Make conman_unconfined_script_t as init_system_domain.
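Review bot: in the spamd_update_t hunk of policy-rawhide-contrib.patch (`@@ -102640,24 +102693,24 @@`), `allow spamd_update_t spamc_home_t:dir search_dir_perms;` survives twice in the resulting spamd.te: once as the existing line just above `allow spamd_update_t spamd_tmp_t:file read_file_perms;` and again as the newly added `++allow spamd_update_t spamc_home_t:dir search_dir_perms;` a few lines below it, while only one of the two old copies (`-+allow spamd_update_t spamc_home_t:dir search_dir_perms;`) is removed. checkpolicy merges duplicate allow rules, so this builds, but it reads as a leftover from moving the rule; drop one copy so the intent (read spamd_tmp_t files, search spamc_home_t) is stated once.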
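Review bot: the new `tunable_policy(`spamd_update_can_network',` block (`@@ -102687,8 +102740,13 @@`) grants `corenet_tcp_connect_all_ports(spamd_update_t)` together with `corenet_tcp_sendrecv_all_ports` and `corenet_sendrecv_all_client_packets`, that is outbound TCP to every port once the boolean is on, although the domain already has `corenet_tcp_connect_http_port(spamd_update_t)` under `# for updating rules`. Say in the commit message which rule sources need more than the HTTP port, or narrow the tunable to those ports. The matching `gen_tunable(spamd_update_can_network, false)` declaration with its description comment is not in the hunks shown here; a `tunable_policy` that references an undeclared boolean is a build error, so confirm it is added in the same change with a default of off.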
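Review bot: the selinux-policy.spec changelog hunk (`@@ -647,6 +647,42 @@`) has typos and duplicated entries that will ship in the package: `transtition` should be `transition`; `mkhomedirfor` should be `mkhomedir for`; `Fix SELinux context for /usr/share/mirrormanager/server/mirrormanager` appears twice (the second time as `usr/share/...` without the leading slash); `Add files_relabel_var_dirs() and files_relabel_var_dirs() interfaces` names the same interface twice, so one of the two names is wrong; `Allow rhsmcertd connect to ...` (twice) and `Allow pegasus get attributes ...` are missing `to`; `This path is also needed to remove` reads better as `This path also needs to be removed`, and `This allows to staff_t and sysadm_t to read journals` as `This allows staff_t and sysadm_t to read journals`. Please fix these in the spec before the build; the `Release: 198%{?dist}` bump itself is fine.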