* Wed Jun 22 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-198

- Allow firewalld_t to create entries in net_conf_t dirs. - Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals - Allow rhsmcertd connect to port tcp 9090 - Label for /bin/mail(x) was removed but /usr/bin/mail(x) not. This path is also needed to remove. - Label /usr/libexec/mimedefang-wrapper as spamd_exec_t. - Add new boolean spamd_update_can_network. - Add proper label for /var/log/proftpd.log - Allow rhsmcertd connect to tcp netport_port_t - Fix SELinux context for /usr/share/mirrormanager/server/mirrormanager to Label all binaries under dir as mirrormanager_exec_t. - Allow prosody to bind to fac_restore tcp port. - Fix SELinux context for usr/share/mirrormanager/server/mirrormanager - Allow ninfod to read raw packets - Fix broken hostapd policy - Allow hostapd to create netlink_generic sockets. BZ(1343683) - Merge pull request #133 from vinzent/allow_puppet_transition_to_shorewall - Allow pegasus get attributes from qemu binary files. - Allow tuned to use policykit. This change is required by cockpit. - Allow conman_t to read dir with conman_unconfined_script_t binary files. - Allow pegasus to read /proc/sysinfo. - Allow puppet_t transtition to shorewall_t - Allow conman to kill conman_unconfined_script. - Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals. - Merge remote-tracking branch 'refs/remotes/origin/rawhide-base' into rawhide-base - Allow systemd to execute all init daemon executables. - Add init_exec_notrans_direct_init_entry() interface. - Label tcp ports:16379, 26379 as redis_port_t - Allow systemd to relabel /var and /var/lib directories during boot. - Add files_relabel_var_dirs() and files_relabel_var_dirs() interfaces. - Add files_relabelto_var_lib_dirs() interface. - Label tcp and udp port 5582 as fac_restore_port_t - Allow sysadm_t user to run postgresql-setup. - Allow sysadm_t user to dbus chat with oddjob_t. This allows confined admin run oddjob mkhomedirfor script. - Allow systemd-resolved to connect to llmnr tcp port. BZ(1344849) - Allow passwd_t also manage user_tmp_t dirs, this change is needed by gnome-keyringd
2016-06-22 16:29:20 +02:00 · 2016-06-22 16:29:20 +02:00 · 8037d64672
parent a24ea5d79b
commit 8037d64672
4 changed files with 780 additions and 560 deletions
--- a/docker-selinux.tgz
+++ b/docker-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -16593,10 +16593,10 @@ index 0000000..1cc5fa4
 +')
 diff --git a/conman.te b/conman.te
 new file mode 100644
-index 0000000..bce21bf
+index 0000000..2357f3b
 --- /dev/null
 +++ b/conman.te
-@@ -0,0 +1,96 @@
+@@ -0,0 +1,97 @@
 +policy_module(conman, 1.0.0)
 +
 +########################################
@ -16646,6 +16646,7 @@ index 0000000..bce21bf
 +allow conman_t self:tcp_socket { accept listen create_socket_perms };
 +
 +allow conman_t conman_unconfined_script_t:process sigkill;
 +allow conman_t conman_unconfined_script_exec_t:dir list_dir_perms;
 +
 +manage_dirs_pattern(conman_t, conman_log_t, conman_log_t)
 +manage_files_pattern(conman_t, conman_log_t, conman_log_t)
@ -28762,7 +28763,7 @@ index c62c567..a74f123 100644
 +	allow $1 firewalld_unit_file_t:service all_service_perms;
 ')
 diff --git a/firewalld.te b/firewalld.te
-index 98072a3..d5d852e 100644
+index 98072a3..18a2ef2 100644
 --- a/firewalld.te
 +++ b/firewalld.te
@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
@ -28806,7 +28807,7 @@ index 98072a3..d5d852e 100644
 kernel_read_network_state(firewalld_t)
 kernel_read_system_state(firewalld_t)
-@@ -63,20 +77,19 @@ dev_search_sysfs(firewalld_t)
+@@ -63,20 +77,20 @@ dev_search_sysfs(firewalld_t)
 domain_use_interactive_fds(firewalld_t)
@ -28830,10 +28831,11 @@ index 98072a3..d5d852e 100644
 -sysnet_read_config(firewalld_t)
 +sysnet_dns_name_resolve(firewalld_t)
 +sysnet_manage_config_dirs(firewalld_t)
 optional_policy(`
 	dbus_system_domain(firewalld_t, firewalld_exec_t)
-@@ -95,6 +108,10 @@ optional_policy(`
+@@ -95,6 +109,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -29529,7 +29531,7 @@ index 0000000..0d09fbd
 +
 +userdom_use_inherited_user_terminals(freqset_t)
 diff --git a/ftp.fc b/ftp.fc
-index ddb75c1..44f74e6 100644
+index ddb75c1..f38075f 100644
 --- a/ftp.fc
 +++ b/ftp.fc
@@ -1,5 +1,8 @@
@ -29541,6 +29543,14 @@ index ddb75c1..44f74e6 100644
 /etc/cron\.monthly/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
 /etc/rc\.d/init\.d/vsftpd	--	gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
@@ -23,6 +26,7 @@
 /var/log/muddleftpd\.log.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/proftpd(/.*)?	gen_context(system_u:object_r:xferlog_t,s0)
 +/var/log/proftpd\.log	--		gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/vsftpd.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/xferlog.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/xferreport.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 diff --git a/ftp.if b/ftp.if
 index 4498143..84a4858 100644
 --- a/ftp.if
@ -36646,10 +36656,10 @@ index 0000000..d0016da
 +')
 diff --git a/hostapd.te b/hostapd.te
 new file mode 100644
-index 0000000..54deae3
+index 0000000..438573d
 --- /dev/null
 +++ b/hostapd.te
-@@ -0,0 +1,52 @@
+@@ -0,0 +1,53 @@
 +policy_module(hostapd, 1.0.0)
 +
 +########################################
@ -36675,6 +36685,7 @@ index 0000000..54deae3
 +allow hostapd_t self:fifo_file rw_fifo_file_perms;
 +allow hostapd_t self:unix_stream_socket create_stream_socket_perms;
 +allow hostapd_t self:netlink_socket create_socket_perms;
 +allow hostapd_t self:netlink_generic_socket create_socket_perms;
 +allow hostapd_t self:netlink_route_socket create_netlink_socket_perms;
 +allow hostapd_t self:packet_socket create_socket_perms;
 +
@ -40775,10 +40786,10 @@ index 0000000..17126b6
 +')
 diff --git a/journalctl.te b/journalctl.te
 new file mode 100644
-index 0000000..896cde4
+index 0000000..68dd2b7
 --- /dev/null
 +++ b/journalctl.te
-@@ -0,0 +1,46 @@
+@@ -0,0 +1,47 @@
 +policy_module(journalctl, 1.0.0)
 +
 +########################################
@ -40819,6 +40830,7 @@ index 0000000..896cde4
 +miscfiles_read_localization(journalctl_t)
 +
 +logging_read_generic_logs(journalctl_t)
 +logging_read_syslog_pid(journalctl_t)
 +
 +userdom_list_user_home_dirs(journalctl_t)
 +userdom_read_user_home_content_files(journalctl_t)
@ -49038,11 +49050,11 @@ index 0000000..0f290e9
 +
 diff --git a/mirrormanager.fc b/mirrormanager.fc
 new file mode 100644
-index 0000000..c713b27
+index 0000000..abd53a4
 --- /dev/null
 +++ b/mirrormanager.fc
@@ -0,0 +1,7 @@
-+/usr/share/mirrormanager/server/mirrormanager		--	gen_context(system_u:object_r:mirrormanager_exec_t,s0)
+/usr/share/mirrormanager/server/mirrormanager(/.*)?			gen_context(system_u:object_r:mirrormanager_exec_t,s0)
 +
 +/var/lib/mirrormanager(/.*)?		gen_context(system_u:object_r:mirrormanager_var_lib_t,s0)
 +
@ -53170,10 +53182,10 @@ index 65a246a..fa86320 100644
 netutils_domtrans_ping(mrtg_t)
 diff --git a/mta.fc b/mta.fc
-index f42896c..2cf0c23 100644
+index f42896c..fce39c1 100644
 --- a/mta.fc
 +++ b/mta.fc
-@@ -1,34 +1,41 @@
+@@ -1,34 +1,39 @@
 -HOME_DIR/\.esmtp_queue	--	gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/\.forward[^/]*	--	gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/dead\.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
@ -53195,6 +53207,8 @@ index f42896c..2cf0c23 100644
 -/etc/postfix/aliases.*	--	gen_context(system_u:object_r:etc_aliases_t,s0)
 -
 -/usr/bin/esmtp	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 -/usr/bin/mail(x)?	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 -
 +/etc/mail/.*\.db	--	gen_context(system_u:object_r:etc_aliases_t,s0)
 +ifdef(`distro_redhat',`
 +/etc/postfix/aliases.*		gen_context(system_u:object_r:etc_aliases_t,s0)
@ -53207,8 +53221,6 @@ index f42896c..2cf0c23 100644
 +/root/Maildir(/.*)?		gen_context(system_u:object_r:mail_home_rw_t,s0)
 +
 +/usr/bin/esmtp		-- gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/bin/mail(x)?	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/lib/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 -/usr/lib/courier/bin/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
@ -59325,10 +59337,10 @@ index 0000000..409de8c
 +')
 diff --git a/ninfod.te b/ninfod.te
 new file mode 100644
-index 0000000..d75c408
+index 0000000..b3aa3ce
 --- /dev/null
 +++ b/ninfod.te
-@@ -0,0 +1,35 @@
+@@ -0,0 +1,36 @@
 +policy_module(ninfod, 1.0.0)
 +
 +########################################
@ -59355,6 +59367,7 @@ index 0000000..d75c408
 +allow ninfod_t self:fifo_file rw_fifo_file_perms;
 +allow ninfod_t self:rawip_socket { create setopt };
 +allow ninfod_t self:unix_stream_socket create_stream_socket_perms;
 +allow ninfod_t self:rawip_socket read;
 +
 +manage_files_pattern(ninfod_t, ninfod_run_t, ninfod_run_t)
 +files_pid_filetrans(ninfod_t,ninfod_run_t, { file })
@ -69117,7 +69130,7 @@ index d2fc677..86dce34 100644
 ')
 +
 diff --git a/pegasus.te b/pegasus.te
-index 608f454..6a92354 100644
+index 608f454..bc31081 100644
 --- a/pegasus.te
 +++ b/pegasus.te
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@ -69477,7 +69490,7 @@ index 608f454..6a92354 100644
 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
 manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +368,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,25 +368,26 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
 manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
 manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
 manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@ -69508,7 +69521,11 @@ index 608f454..6a92354 100644
 kernel_read_network_state(pegasus_t)
 kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +394,21 @@ kernel_read_net_sysctls(pegasus_t)
+kernel_read_sysctl(pegasus_t)
 kernel_read_fs_sysctls(pegasus_t)
 kernel_read_system_state(pegasus_t)
 kernel_search_vm_sysctl(pegasus_t)
@@ -80,27 +395,21 @@ kernel_read_net_sysctls(pegasus_t)
 kernel_read_xen_state(pegasus_t)
 kernel_write_xen_state(pegasus_t)
@ -69541,7 +69558,7 @@ index 608f454..6a92354 100644
 corecmd_exec_bin(pegasus_t)
 corecmd_exec_shell(pegasus_t)
-@@ -114,9 +422,11 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,9 +423,11 @@ files_getattr_all_dirs(pegasus_t)
 auth_use_nsswitch(pegasus_t)
 auth_domtrans_chk_passwd(pegasus_t)
@ -69553,7 +69570,7 @@ index 608f454..6a92354 100644
 files_list_var_lib(pegasus_t)
 files_read_var_lib_files(pegasus_t)
-@@ -128,18 +438,29 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +439,29 @@ init_stream_connect_script(pegasus_t)
 logging_send_audit_msgs(pegasus_t)
 logging_send_syslog_msg(pegasus_t)
@ -69575,21 +69592,21 @@ index 608f454..6a92354 100644
 +optional_policy(`
 +    dbus_system_bus_client(pegasus_t)
 +    dbus_connect_system_bus(pegasus_t)
 +
 +    optional_policy(`
 +	networkmanager_dbus_chat(pegasus_t)
 +    ')
 +')
 -	optional_policy(`
 -		networkmanager_dbus_chat(pegasus_t)
 -	')
 +    optional_policy(`
 +	networkmanager_dbus_chat(pegasus_t)
 +    ')
 +')
 +
 +optional_policy(`
 +	rhcs_stream_connect_cluster(pegasus_t)
 ')
 optional_policy(`
-@@ -151,16 +472,24 @@ optional_policy(`
+@@ -151,16 +473,24 @@ optional_policy(`
 ')
 optional_policy(`
@ -69618,7 +69635,7 @@ index 608f454..6a92354 100644
 ')
 optional_policy(`
-@@ -168,7 +497,7 @@ optional_policy(`
+@@ -168,7 +498,7 @@ optional_policy(`
 ')
 optional_policy(`
@ -69627,7 +69644,7 @@ index 608f454..6a92354 100644
 ')
 optional_policy(`
-@@ -180,6 +509,7 @@ optional_policy(`
+@@ -180,12 +510,17 @@ optional_policy(`
 ')
 optional_policy(`
@ -69635,6 +69652,16 @@ index 608f454..6a92354 100644
 	virt_domtrans(pegasus_t)
 	virt_stream_connect(pegasus_t)
 	virt_manage_config(pegasus_t)
 ')
 optional_policy(`
 +	qemu_getattr_exec(pegasus_t)
 +')
 +
 +optional_policy(`
 	xen_stream_connect(pegasus_t)
 	xen_stream_connect_xenstore(pegasus_t)
 ')
 diff --git a/pesign.fc b/pesign.fc
 new file mode 100644
 index 0000000..7b54c39
@ -77508,10 +77535,10 @@ index 0000000..8231f4f
 +')
 diff --git a/prosody.te b/prosody.te
 new file mode 100644
-index 0000000..3ef4a99
+index 0000000..71f9abb
 --- /dev/null
 +++ b/prosody.te
-@@ -0,0 +1,97 @@
+@@ -0,0 +1,98 @@
 +policy_module(prosody, 1.0.0)
 +
 +########################################
@ -77588,6 +77615,7 @@ index 0000000..3ef4a99
 +corenet_tcp_bind_jabber_interserver_port(prosody_t)
 +corenet_tcp_bind_jabber_router_port(prosody_t)
 +corenet_tcp_bind_commplex_main_port(prosody_t)
 +corenet_tcp_bind_fac_restore_port(prosody_t)
 +
 +tunable_policy(`prosody_bind_http_port',`
 +    corenet_tcp_bind_http_port(prosody_t)
@ -78923,7 +78951,7 @@ index 7cb8b1f..bef7217 100644
 +    allow $1 puppet_var_run_t:dir search_dir_perms;
 ')
 diff --git a/puppet.te b/puppet.te
-index 618dcfe..1cd6fca 100644
+index 618dcfe..67d166c 100644
 --- a/puppet.te
 +++ b/puppet.te
@@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0)
@ -78985,7 +79013,7 @@ index 618dcfe..1cd6fca 100644
 type puppetmaster_t;
 type puppetmaster_exec_t;
-@@ -56,161 +62,162 @@ files_tmp_file(puppetmaster_tmp_t)
+@@ -56,161 +62,166 @@ files_tmp_file(puppetmaster_tmp_t)
 ########################################
 #
@ -79184,63 +79212,67 @@ index 618dcfe..1cd6fca 100644
 +
 +optional_policy(`
 +    mysql_stream_connect(puppetagent_t)
- ')
+')
- 
+
- optional_policy(`
+optional_policy(`
 -	cfengine_read_lib_files(puppet_t)
 +    postgresql_stream_connect(puppetagent_t)
- ')
+')
- 
+
- optional_policy(`
+optional_policy(`
 -	consoletype_exec(puppet_t)
 +	cfengine_read_lib_files(puppetagent_t)
 ')
 optional_policy(`
-	hostname_exec(puppet_t)
+-	cfengine_read_lib_files(puppet_t)
 +	consoletype_exec(puppetagent_t)
 ')
 optional_policy(`
-	mount_domtrans(puppet_t)
+-	consoletype_exec(puppet_t)
 +	hostname_exec(puppetagent_t)
 ')
 optional_policy(`
-	mta_send_mail(puppet_t)
+-	hostname_exec(puppet_t)
 +	mount_domtrans(puppetagent_t)
 ')
 optional_policy(`
 -	mount_domtrans(puppet_t)
 +	mta_send_mail(puppetagent_t)
 ')
 optional_policy(`
 -	mta_send_mail(puppet_t)
 +        firewalld_dbus_chat(puppetagent_t)
 ')
 optional_policy(`
 -	portage_domtrans(puppet_t)
 -	portage_domtrans_fetch(puppet_t)
 -	portage_domtrans_gcc_config(puppet_t)
 +	mta_send_mail(puppetagent_t)
 ')
 optional_policy(`
 -	files_rw_var_files(puppet_t)
 +        firewalld_dbus_chat(puppetagent_t)
 +')
 -	rpm_domtrans(puppet_t)
 -	rpm_manage_db(puppet_t)
 -	rpm_manage_log(puppet_t)
 +optional_policy(`
 +	portage_domtrans(puppetagent_t)
 +	portage_domtrans_fetch(puppetagent_t)
 +	portage_domtrans_gcc_config(puppetagent_t)
 ')
 optional_policy(`
-	unconfined_domain(puppet_t)
+-	files_rw_var_files(puppet_t)
 +	files_rw_var_files(puppetagent_t)
-+
+ 
 -	rpm_domtrans(puppet_t)
 -	rpm_manage_db(puppet_t)
 -	rpm_manage_log(puppet_t)
 +	rpm_domtrans(puppetagent_t)
 +	rpm_manage_db(puppetagent_t)
 +	rpm_manage_log(puppetagent_t)
 ')
 optional_policy(`
 -	unconfined_domain(puppet_t)
 +        shorewall_domtrans(puppetagent_t)
 ')
 optional_policy(`
 -	usermanage_domtrans_groupadd(puppet_t)
 -	usermanage_domtrans_useradd(puppet_t)
@ -79264,7 +79296,7 @@ index 618dcfe..1cd6fca 100644
 allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
 manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
-@@ -221,6 +228,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
+@@ -221,6 +232,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
 allow puppetca_t puppet_var_run_t:dir search_dir_perms;
 kernel_read_system_state(puppetca_t)
@ -79272,7 +79304,7 @@ index 618dcfe..1cd6fca 100644
 kernel_read_kernel_sysctls(puppetca_t)
 corecmd_exec_bin(puppetca_t)
-@@ -229,15 +237,12 @@ corecmd_exec_shell(puppetca_t)
+@@ -229,15 +241,12 @@ corecmd_exec_shell(puppetca_t)
 dev_read_urand(puppetca_t)
 dev_search_sysfs(puppetca_t)
@ -79288,7 +79320,7 @@ index 618dcfe..1cd6fca 100644
 miscfiles_read_generic_certs(puppetca_t)
 seutil_read_file_contexts(puppetca_t)
-@@ -246,38 +251,48 @@ optional_policy(`
+@@ -246,38 +255,48 @@ optional_policy(`
 	hostname_exec(puppetca_t)
 ')
@ -79353,7 +79385,7 @@ index 618dcfe..1cd6fca 100644
 kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
 kernel_read_network_state(puppetmaster_t)
-@@ -289,23 +304,24 @@ corecmd_exec_bin(puppetmaster_t)
+@@ -289,23 +308,24 @@ corecmd_exec_bin(puppetmaster_t)
 corecmd_exec_shell(puppetmaster_t)
 corenet_all_recvfrom_netlabel(puppetmaster_t)
@ -79384,7 +79416,7 @@ index 618dcfe..1cd6fca 100644
 selinux_validate_context(puppetmaster_t)
-@@ -314,26 +330,31 @@ auth_use_nsswitch(puppetmaster_t)
+@@ -314,26 +334,31 @@ auth_use_nsswitch(puppetmaster_t)
 logging_send_syslog_msg(puppetmaster_t)
 miscfiles_read_generic_certs(puppetmaster_t)
@ -79421,7 +79453,7 @@ index 618dcfe..1cd6fca 100644
 ')
 optional_policy(`
-@@ -342,3 +363,9 @@ optional_policy(`
+@@ -342,3 +367,9 @@ optional_policy(`
 	rpm_exec(puppetmaster_t)
 	rpm_read_db(puppetmaster_t)
 ')
@ -80193,7 +80225,7 @@ index 86ea53c..a2dcf7b 100644
 /usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 /usr/bin/kvm		--	gen_context(system_u:object_r:qemu_exec_t,s0)
 diff --git a/qemu.if b/qemu.if
-index eaf56b8..aa90671 100644
+index eaf56b8..8894726 100644
 --- a/qemu.if
 +++ b/qemu.if
@@ -1,19 +1,21 @@
@ -80419,7 +80451,7 @@ index eaf56b8..aa90671 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -264,48 +239,68 @@ interface(`qemu_kill',`
+@@ -264,28 +239,68 @@ interface(`qemu_kill',`
 ########################################
 ## <summary>
@ -80457,9 +80489,6 @@ index eaf56b8..aa90671 100644
 -		type unconfined_qemu_t, qemu_exec_t;
 +		type qemu_exec_t;
 	')
 -
 -	corecmd_search_bin($1)
 -	domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t)
 +  
 +	read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t)
 +	domain_transition_pattern($1, qemu_exec_t, $2)
@ -80469,32 +80498,25 @@ index eaf56b8..aa90671 100644
 +	allow $2 $1:fd use;
 +	allow $2 $1:fifo_file rw_fifo_file_perms;
 +	allow $2 $1:process sigchld;
- ')
+')
- ########################################
+-	corecmd_search_bin($1)
- ## <summary>
+-	domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t)
-##	Create, read, write, and delete
+########################################
-##	qemu temporary directories.
+## <summary>
 +##	Execute qemu unconfined programs in the role.
- ## </summary>
+## </summary>
 -## <param name="domain">
 +## <param name="role">
- ##	<summary>
+##	<summary>
 -##	Domain allowed access.
 +##	The role to allow the qemu unconfined domain.
- ##	</summary>
+##	</summary>
- ## </param>
+## </param>
- #
+#
 -interface(`qemu_manage_tmp_dirs',`
 +interface(`qemu_unconfined_role',`
- 	gen_require(`
+	gen_require(`
 -		type qemu_tmp_t;
 +		type unconfined_qemu_t;
 +		type qemu_t;
- 	')
+	')
 -
 -	files_search_tmp($1)
 -	manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
 +	role $1 types unconfined_qemu_t;
 +	role $1 types qemu_t;
 ')
@ -80502,30 +80524,40 @@ index eaf56b8..aa90671 100644
 ########################################
 ## <summary>
 -##	Create, read, write, and delete
-##	qemu temporary files.
+-##	qemu temporary directories.
 +##	Manage qemu temporary dirs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -313,58 +308,41 @@ interface(`qemu_manage_tmp_dirs',`
+@@ -298,14 +313,12 @@ interface(`qemu_manage_tmp_dirs',`
 ##	</summary>
 ## </param>
 #
 -interface(`qemu_manage_tmp_files',`
 +interface(`qemu_manage_tmp_dirs',`
 	gen_require(`
 		type qemu_tmp_t;
 	')
 -	files_search_tmp($1)
-	manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
+ 	manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
-+	manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
+ ')
 ########################################
 ## <summary>
 -##	Create, read, write, and delete
 -##	qemu temporary files.
 +##	Manage qemu temporary files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -318,59 +331,42 @@ interface(`qemu_manage_tmp_files',`
 		type qemu_tmp_t;
 	')
 -	files_search_tmp($1)
 	manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
 ')
 ########################################
 ## <summary>
 -##	Execute qemu in a specified domain.
-+##	Manage qemu temporary files.
+##     Make qemu_exec_t an entrypoint for
 +##     the specified domain.
 ## </summary>
 -## <desc>
 -##	<p>
@ -80543,43 +80575,54 @@ index eaf56b8..aa90671 100644
 -##	</summary>
 -## </param>
 -## <param name="target_domain">
-+## <param name="domain">
+-##	<summary>
 ##	<summary>
 -##	Domain to transition to.
-+##	Domain allowed access.
+-##	</summary>
- ##	</summary>
+## <param name="domain">
 +##     <summary>
 +##     The domain for which qemu_exec_t is an entrypoint.
 +##     </summary>
 ## </param>
 #
 -interface(`qemu_spec_domtrans',`
-+interface(`qemu_manage_tmp_files',`
+interface(`qemu_entry_type',`
 	gen_require(`
-		type qemu_exec_t;
+ 		type qemu_exec_t;
 +		type qemu_tmp_t;
 	')
 -	corecmd_search_bin($1)
 -	domain_auto_trans($1, qemu_exec_t, $2)
-+	manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
+	domain_entry_file($1, qemu_exec_t)
 ')
 -######################################
-+########################################
+#######################################
 ## <summary>
 -##	Make qemu executable files an
 -##	entrypoint for the specified domain.
-+##     Make qemu_exec_t an entrypoint for
+##  Getattr on qemu executable.
 +##     the specified domain.
 ## </summary>
 ## <param name="domain">
 -##	<summary>
 -##	The domain for which qemu_exec_t is an entrypoint.
 -##	</summary>
 +##  <summary>
-+##     The domain for which qemu_exec_t is an entrypoint.
+##  Domain allowed to transition.
 +##  </summary>
 ## </param>
 #
- interface(`qemu_entry_type',`
+-interface(`qemu_entry_type',`
 -	gen_require(`
 -		type qemu_exec_t;
 -	')
 +interface(`qemu_getattr_exec',`
 +    gen_require(`
 +        type qemu_exec_t;
 +    ')
 -	domain_entry_file($1, qemu_exec_t)
 +	allow $1 qemu_exec_t:file getattr;
 ')
 diff --git a/qemu.te b/qemu.te
 index 4f90743..958c0ef 100644
 --- a/qemu.te
@ -88301,7 +88344,7 @@ index 6dbc905..4b17c93 100644
 -	admin_pattern($1, rhsmcertd_lock_t)
 ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a2..2e80d44 100644
+index d32e1a2..cb5f49c 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
@ -88340,7 +88383,7 @@ index d32e1a2..2e80d44 100644
 manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
 manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
-@@ -50,25 +56,87 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+@@ -50,25 +56,89 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
 files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
 kernel_read_network_state(rhsmcertd_t)
@ -88351,6 +88394,8 @@ index d32e1a2..2e80d44 100644
 +corenet_tcp_connect_http_port(rhsmcertd_t)
 +corenet_tcp_connect_http_cache_port(rhsmcertd_t)
 +corenet_tcp_connect_squid_port(rhsmcertd_t)
 +corenet_tcp_connect_netport_port(rhsmcertd_t)
 +corenet_tcp_connect_websm_port(rhsmcertd_t)
 corecmd_exec_bin(rhsmcertd_t)
 +corecmd_exec_shell(rhsmcertd_t)
@ -101382,10 +101427,10 @@ index 0919e0c..56a984b 100644
 userdom_dontaudit_use_unpriv_user_fds(soundd_t)
 diff --git a/spamassassin.fc b/spamassassin.fc
-index e9bd097..e059e27 100644
+index e9bd097..5724bcf 100644
 --- a/spamassassin.fc
 +++ b/spamassassin.fc
-@@ -1,20 +1,26 @@
+@@ -1,20 +1,27 @@
 -HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamassassin_home_t,s0)
 -HOME_DIR/\.spamd(/.*)?	gen_context(system_u:object_r:spamd_home_t,s0)
 +HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:spamc_home_t,s0)
@ -101417,10 +101462,11 @@ index e9bd097..e059e27 100644
 /usr/bin/mimedefang	--	gen_context(system_u:object_r:spamd_exec_t,s0)
 -/usr/bin/mimedefang-multiplexor	--	gen_context(system_u:object_r:spamd_exec_t,s0)
 +/usr/bin/mimedefang-multiplexor --	gen_context(system_u:object_r:spamd_exec_t,s0)
 +/usr/libexec/mimedefang-wrapper --	gen_context(system_u:object_r:spamd_exec_t,s0)
 /var/lib/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_lib_t,s0)
 /var/lib/spamassassin/compiled(/.*)?	gen_context(system_u:object_r:spamd_compiled_t,s0)
-@@ -25,7 +31,22 @@ HOME_DIR/\.spamd(/.*)?	gen_context(system_u:object_r:spamd_home_t,s0)
+@@ -25,7 +32,22 @@ HOME_DIR/\.spamd(/.*)?	gen_context(system_u:object_r:spamd_home_t,s0)
 /var/run/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
 /var/spool/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
@ -101901,10 +101947,10 @@ index 1499b0b..6950cab 100644
 -	spamassassin_role($2, $1)
 ')
 diff --git a/spamassassin.te b/spamassassin.te
-index cc58e35..d20d0ed 100644
+index cc58e35..7e5c719 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
-@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1)
+@@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1)
 ## <desc>
 ##	<p>
@ -101924,6 +101970,13 @@ index cc58e35..d20d0ed 100644
 ## </desc>
 -gen_tunable(spamd_enable_home_dirs, false)
 +gen_tunable(spamd_enable_home_dirs, true)
 +
 +## <desc>
 +##	<p>
 +##	Allow spamd_update to connect to all ports.
 +##	</p>
 +## </desc>
 +gen_tunable(spamd_update_can_network, false)
 +
 type spamd_update_t;
@ -101961,7 +102014,7 @@ index cc58e35..d20d0ed 100644
 type spamd_t;
 type spamd_exec_t;
-@@ -59,12 +32,6 @@ init_daemon_domain(spamd_t, spamd_exec_t)
+@@ -59,12 +39,6 @@ init_daemon_domain(spamd_t, spamd_exec_t)
 type spamd_compiled_t;
 files_type(spamd_compiled_t)
@ -101974,7 +102027,7 @@ index cc58e35..d20d0ed 100644
 type spamd_initrc_exec_t;
 init_script_file(spamd_initrc_exec_t)
-@@ -72,87 +39,199 @@ type spamd_log_t;
+@@ -72,87 +46,199 @@ type spamd_log_t;
 logging_log_file(spamd_log_t)
 type spamd_spool_t;
@ -102196,7 +102249,7 @@ index cc58e35..d20d0ed 100644
 		nis_use_ypbind_uncond(spamassassin_t)
 	')
 ')
-@@ -160,6 +239,8 @@ optional_policy(`
+@@ -160,6 +246,8 @@ optional_policy(`
 optional_policy(`
 	mta_read_config(spamassassin_t)
 	sendmail_stub(spamassassin_t)
@ -102205,7 +102258,7 @@ index cc58e35..d20d0ed 100644
 ')
 ########################################
-@@ -167,72 +248,95 @@ optional_policy(`
+@@ -167,72 +255,95 @@ optional_policy(`
 # Client local policy
 #
@ -102309,20 +102362,20 @@ index cc58e35..d20d0ed 100644
 -auth_use_nsswitch(spamc_t)
 +fs_search_auto_mountpoints(spamc_t)
-+
+ 
 -logging_send_syslog_msg(spamc_t)
 +libs_exec_ldconfig(spamc_t)
 logging_send_syslog_msg(spamc_t)
 -miscfiles_read_localization(spamc_t)
-+auth_use_nsswitch(spamc_t)
+logging_send_syslog_msg(spamc_t)
 -tunable_policy(`use_nfs_home_dirs',`
 -	fs_manage_nfs_dirs(spamc_t)
 -	fs_manage_nfs_files(spamc_t)
 -	fs_manage_nfs_symlinks(spamc_t)
 -')
-
+auth_use_nsswitch(spamc_t)
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_manage_cifs_dirs(spamc_t)
 -	fs_manage_cifs_files(spamc_t)
@ -102332,7 +102385,7 @@ index cc58e35..d20d0ed 100644
 optional_policy(`
 	abrt_stream_connect(spamc_t)
-@@ -243,6 +347,7 @@ optional_policy(`
+@@ -243,6 +354,7 @@ optional_policy(`
 ')
 optional_policy(`
@ -102340,7 +102393,7 @@ index cc58e35..d20d0ed 100644
 	evolution_stream_connect(spamc_t)
 ')
-@@ -251,11 +356,18 @@ optional_policy(`
+@@ -251,11 +363,18 @@ optional_policy(`
 ')
 optional_policy(`
@ -102360,7 +102413,7 @@ index cc58e35..d20d0ed 100644
 ')
 optional_policy(`
-@@ -267,36 +379,40 @@ optional_policy(`
+@@ -267,36 +386,40 @@ optional_policy(`
 ########################################
 #
@ -102387,17 +102440,17 @@ index cc58e35..d20d0ed 100644
 allow spamd_t self:unix_dgram_socket sendto;
 -allow spamd_t self:unix_stream_socket { accept connectto listen };
 -allow spamd_t self:tcp_socket { accept listen };
-
+allow spamd_t self:unix_stream_socket connectto;
 +allow spamd_t self:tcp_socket create_stream_socket_perms;
 +allow spamd_t self:udp_socket create_socket_perms;
 -manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd")
-+allow spamd_t self:unix_stream_socket connectto;
+-
 +allow spamd_t self:tcp_socket create_stream_socket_perms;
 +allow spamd_t self:udp_socket create_socket_perms;
 -manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
 -manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
 -manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
@ -102418,7 +102471,7 @@ index cc58e35..d20d0ed 100644
 logging_log_filetrans(spamd_t, spamd_log_t, file)
 manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
-@@ -308,7 +424,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+@@ -308,7 +431,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
 manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
 files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
@ -102428,7 +102481,7 @@ index cc58e35..d20d0ed 100644
 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
 manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
-@@ -317,12 +434,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -317,12 +441,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
 manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
 files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
@ -102445,7 +102498,7 @@ index cc58e35..d20d0ed 100644
 corenet_all_recvfrom_netlabel(spamd_t)
 corenet_tcp_sendrecv_generic_if(spamd_t)
 corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +450,60 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +457,60 @@ corenet_udp_sendrecv_generic_node(spamd_t)
 corenet_tcp_sendrecv_all_ports(spamd_t)
 corenet_udp_sendrecv_all_ports(spamd_t)
 corenet_tcp_bind_generic_node(spamd_t)
@ -102550,7 +102603,7 @@ index cc58e35..d20d0ed 100644
 ')
 optional_policy(`
-@@ -421,21 +522,13 @@ optional_policy(`
+@@ -421,21 +529,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -102574,7 +102627,7 @@ index cc58e35..d20d0ed 100644
 ')
 optional_policy(`
-@@ -443,8 +536,8 @@ optional_policy(`
+@@ -443,8 +543,8 @@ optional_policy(`
 ')
 optional_policy(`
@ -102584,7 +102637,7 @@ index cc58e35..d20d0ed 100644
 ')
 optional_policy(`
-@@ -455,7 +548,17 @@ optional_policy(`
+@@ -455,7 +555,17 @@ optional_policy(`
 optional_policy(`
 	razor_domtrans(spamd_t)
 	razor_read_lib_files(spamd_t)
@ -102603,7 +102656,7 @@ index cc58e35..d20d0ed 100644
 ')
 optional_policy(`
-@@ -463,9 +566,9 @@ optional_policy(`
+@@ -463,9 +573,9 @@ optional_policy(`
 ')
 optional_policy(`
@ -102614,7 +102667,7 @@ index cc58e35..d20d0ed 100644
 ')
 optional_policy(`
-@@ -474,32 +577,32 @@ optional_policy(`
+@@ -474,32 +584,32 @@ optional_policy(`
 ########################################
 #
@ -102640,24 +102693,24 @@ index cc58e35..d20d0ed 100644
 -kernel_read_system_state(spamd_update_t)
 +allow spamd_update_t spamc_home_t:dir search_dir_perms;
 +allow spamd_update_t spamd_tmp_t:file read_file_perms;
 +
 +allow spamd_update_t spamc_home_t:dir search_dir_perms;
 -corenet_all_recvfrom_unlabeled(spamd_update_t)
 -corenet_all_recvfrom_netlabel(spamd_update_t)
 -corenet_tcp_sendrecv_generic_if(spamd_update_t)
 -corenet_tcp_sendrecv_generic_node(spamd_update_t)
 -corenet_tcp_sendrecv_all_ports(spamd_update_t)
-+allow spamd_update_t spamc_home_t:dir search_dir_perms;
+kernel_read_system_state(spamd_update_t)
 -corenet_sendrecv_http_client_packets(spamd_update_t)
 +kernel_read_system_state(spamd_update_t)
 +
 +# for updating rules 
 corenet_tcp_connect_http_port(spamd_update_t)
 -corenet_tcp_sendrecv_http_port(spamd_update_t)
 corecmd_exec_bin(spamd_update_t)
 corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +611,21 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +618,26 @@ dev_read_urand(spamd_update_t)
 domain_use_interactive_fds(spamd_update_t)
@ -102687,8 +102740,13 @@ index cc58e35..d20d0ed 100644
 -	mta_read_config(spamd_update_t)
 +	gpg_domtrans(spamd_update_t)
 +	gpg_manage_home_content(spamd_update_t)
- ')
+')
 +
 +tunable_policy(`spamd_update_can_network',`
 +	corenet_sendrecv_all_client_packets(spamd_update_t)
 +	corenet_tcp_connect_all_ports(spamd_update_t)
 +	corenet_tcp_sendrecv_all_ports(spamd_update_t)
 ')
 diff --git a/speech-dispatcher.fc b/speech-dispatcher.fc
 new file mode 100644
 index 0000000..545f682
@ -108753,7 +108811,7 @@ index e29db63..061fb98 100644
 	domain_system_change_exemption($1)
 	role_transition $2 tuned_initrc_exec_t system_r;
 diff --git a/tuned.te b/tuned.te
-index 393a330..6893547 100644
+index 393a330..0691d4a 100644
 --- a/tuned.te
 +++ b/tuned.te
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@ -108818,7 +108876,7 @@ index 393a330..6893547 100644
 corecmd_exec_bin(tuned_t)
 corecmd_exec_shell(tuned_t)
-@@ -64,31 +78,60 @@ corecmd_exec_shell(tuned_t)
+@@ -64,35 +78,72 @@ corecmd_exec_shell(tuned_t)
 dev_getattr_all_blk_files(tuned_t)
 dev_getattr_all_chr_files(tuned_t)
 dev_read_urand(tuned_t)
@ -108879,11 +108937,15 @@ index 393a330..6893547 100644
 	mount_domtrans(tuned_t)
 ')
 +# to allow network interface tuning
 optional_policy(`
 +	policykit_dbus_chat(tuned_t)
 +')
 +
 +# to allow network interface tuning
 +optional_policy(`
 	sysnet_domtrans_ifconfig(tuned_t)
 ')
-@@ -96,3 +139,7 @@ optional_policy(`
+ 
 optional_policy(`
 	unconfined_dbus_send(tuned_t)
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 197%{?dist}
+Release: 198%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -647,6 +647,42 @@ exit 0
 %endif
 %changelog
 * Wed Jun 22 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-198
 - Allow firewalld_t to create entries in net_conf_t dirs.
 - Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals
 - Allow rhsmcertd connect to port tcp 9090
 - Label for /bin/mail(x) was removed but /usr/bin/mail(x) not. This path is also needed to remove.
 - Label /usr/libexec/mimedefang-wrapper as spamd_exec_t.
 - Add new boolean spamd_update_can_network.
 - Add proper label for /var/log/proftpd.log
 - Allow rhsmcertd connect to tcp netport_port_t
 - Fix SELinux context for /usr/share/mirrormanager/server/mirrormanager to Label all binaries under dir as mirrormanager_exec_t.
 - Allow prosody to bind to fac_restore tcp port.
 - Fix SELinux context for usr/share/mirrormanager/server/mirrormanager
 - Allow ninfod to read raw packets
 - Fix broken hostapd policy
 - Allow hostapd to create netlink_generic sockets. BZ(1343683)
 - Merge pull request #133 from vinzent/allow_puppet_transition_to_shorewall
 - Allow pegasus get attributes from qemu binary files.
 - Allow tuned to use policykit. This change is required by cockpit.
 - Allow conman_t to read dir with conman_unconfined_script_t binary files.
 - Allow pegasus to read /proc/sysinfo.
 - Allow puppet_t transtition to shorewall_t
 - Allow conman to kill conman_unconfined_script.
 - Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals.
 - Merge remote-tracking branch 'refs/remotes/origin/rawhide-base' into rawhide-base
 - Allow systemd to execute all init daemon executables.
 - Add init_exec_notrans_direct_init_entry() interface.
 - Label tcp ports:16379, 26379 as redis_port_t
 - Allow systemd to relabel /var and /var/lib directories during boot.
 - Add files_relabel_var_dirs() and files_relabel_var_dirs() interfaces.
 - Add files_relabelto_var_lib_dirs() interface.
 - Label tcp and udp port 5582 as fac_restore_port_t
 - Allow sysadm_t user to run postgresql-setup.
 - Allow sysadm_t user to dbus chat with oddjob_t. This allows confined admin run oddjob mkhomedirfor script.
 - Allow systemd-resolved to connect to llmnr tcp port. BZ(1344849)
 - Allow passwd_t also manage user_tmp_t dirs, this change is needed by gnome-keyringd
 * Thu Jun 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-197
 - Allow conman to kill conman_unconfined_script.
 - Make conman_unconfined_script_t as init_system_domain.