* Fri Mar 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-245

- Allow vdagent domain to getattr cgroup filesystem - Allow abrt_dump_oops_t stream connect to sssd_t domain - Allow cyrus stream connect to gssproxy - Label /usr/libexec/cockpit-ssh as cockpit_session_exec_t and allow few rules - Allow colord_t to read systemd hwdb.bin file - Allow dirsrv_t to create /var/lock/dirsrv labeled as dirsrc_var_lock_t - Allow certmonger to manage /etc/krb5kdc_conf_t - Allow kdumpctl to getenforce - Allow ptp4l wake_alarm capability - Allow ganesha to chat with unconfined domains via dbus - Add nmbd_t capability2 block_suspend - Add domain transition from sosreport_t to iptables_t - Dontaudit init_t to mounton modules_object_t - Add interface files_dontaudit_mounton_modules_object - Allow xdm_t to execute files labeled as xdm_var_lib_t - Make mtrr_device_t mountpoint. - Fix path to /usr/lib64/erlang/erts-5.10.4/bin/epmd
2017-03-17 17:34:02 +01:00 · 2017-03-17 17:34:02 +01:00 · 96feeb5e20
parent 29c9d82cda
commit 96feeb5e20
4 changed files with 214 additions and 142 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -9912,7 +9912,7 @@ index 76f285e..47c1b4d 100644
 +	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
 +')
 diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 0b1a871..9099db5 100644
+index 0b1a871..db382e7 100644
 --- a/policy/modules/kernel/devices.te
 +++ b/policy/modules/kernel/devices.te
@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
@ -10017,7 +10017,7 @@ index 0b1a871..9099db5 100644
 type loop_control_device_t;
 dev_node(loop_control_device_t)
 
-@@ -150,12 +185,24 @@ type modem_device_t;
+@@ -150,16 +185,29 @@ type modem_device_t;
 dev_node(modem_device_t)
 
 #
@ -10042,7 +10042,12 @@ index 0b1a871..9099db5 100644
 # Type for /dev/cpu/mtrr and /proc/mtrr
 #
 type mtrr_device_t;
-@@ -183,6 +230,12 @@ type nvram_device_t;
+ dev_node(mtrr_device_t)
+files_mountpoint(mtrr_device_t)
+ genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)
+ 
+ #
+@@ -183,6 +231,12 @@ type nvram_device_t;
 dev_node(nvram_device_t)
 
 #
@ -10055,7 +10060,7 @@ index 0b1a871..9099db5 100644
 # Type for /dev/pmu
 #
 type power_device_t;
-@@ -227,6 +280,10 @@ files_mountpoint(sysfs_t)
+@@ -227,6 +281,10 @@ files_mountpoint(sysfs_t)
 fs_type(sysfs_t)
 genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
 
@ -10066,7 +10071,7 @@ index 0b1a871..9099db5 100644
 #
 # Type for /dev/tpm
 #
-@@ -266,6 +323,15 @@ dev_node(usbmon_device_t)
+@@ -266,6 +324,15 @@ dev_node(usbmon_device_t)
 type userio_device_t;
 dev_node(userio_device_t)
 
@ -10082,7 +10087,7 @@ index 0b1a871..9099db5 100644
 type v4l_device_t;
 dev_node(v4l_device_t)
 
-@@ -274,6 +340,7 @@ dev_node(v4l_device_t)
+@@ -274,6 +341,7 @@ dev_node(v4l_device_t)
 #
 type vhost_device_t;
 dev_node(vhost_device_t)
@ -10090,7 +10095,7 @@ index 0b1a871..9099db5 100644
 
 # Type for vmware devices.
 type vmware_device_t;
-@@ -319,5 +386,8 @@ files_associate_tmp(device_node)
+@@ -319,5 +387,8 @@ files_associate_tmp(device_node)
 #
 
 allow devices_unconfined_type self:capability sys_rawio;
@ -11279,7 +11284,7 @@ index b876c48..3690ce4 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..1ac470a 100644
+index f962f76..b64717f 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@ -14797,7 +14802,7 @@ index f962f76..1ac470a 100644
 ')
 
 ########################################
-@@ -6580,3 +8414,605 @@ interface(`files_unconfined',`
+@@ -6580,3 +8414,623 @@ interface(`files_unconfined',`
 
 	typeattribute $1 files_unconfined_type;
 ')
@ -15403,6 +15408,24 @@ index f962f76..1ac470a 100644
 +
 +	allow $1 etc_t:service status;
 +')
+
+########################################
+## <summary>
+##	Dontaudit Mount a modules_object_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_mounton_modules_object',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	allow $1 modules_object_t:dir mounton;
+')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
 index 1a03abd..3221f80 100644
 --- a/policy/modules/kernel/files.te
@ -29699,7 +29722,7 @@ index 6bf0ecc..e6be63a 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..84a88ff 100644
+index 8b40377..bd907ca 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@ -30058,7 +30081,7 @@ index 8b40377..84a88ff 100644
 	ssh_sigchld(xauth_t)
 	ssh_read_pipes(xauth_t)
 	ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -300,64 +420,105 @@ optional_policy(`
+@@ -300,64 +420,106 @@ optional_policy(`
 # XDM Local policy
 #
 
@ -30142,6 +30165,7 @@ index 8b40377..84a88ff 100644
 manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
 manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
 -files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file)
+exec_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
 +manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
 +manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
 +files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir })
@ -30177,7 +30201,7 @@ index 8b40377..84a88ff 100644
 
 # connect to xdm xserver over stream socket
 stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -366,20 +527,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -366,20 +528,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
 delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
 delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
 
@ -30210,7 +30234,7 @@ index 8b40377..84a88ff 100644
 corenet_all_recvfrom_netlabel(xdm_t)
 corenet_tcp_sendrecv_generic_if(xdm_t)
 corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -389,38 +560,50 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -389,38 +561,50 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
 corenet_udp_sendrecv_all_ports(xdm_t)
 corenet_tcp_bind_generic_node(xdm_t)
 corenet_udp_bind_generic_node(xdm_t)
@ -30265,7 +30289,7 @@ index 8b40377..84a88ff 100644
 
 files_read_etc_files(xdm_t)
 files_read_var_files(xdm_t)
-@@ -431,9 +614,30 @@ files_list_mnt(xdm_t)
+@@ -431,9 +615,30 @@ files_list_mnt(xdm_t)
 files_read_usr_files(xdm_t)
 # Poweroff wants to create the /poweroff file when run from xdm
 files_create_boot_flag(xdm_t)
@ -30296,7 +30320,7 @@ index 8b40377..84a88ff 100644
 
 storage_dontaudit_read_fixed_disk(xdm_t)
 storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,28 +646,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +647,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
 storage_dontaudit_raw_write_removable_device(xdm_t)
 storage_dontaudit_setattr_removable_dev(xdm_t)
 storage_dontaudit_rw_scsi_generic(xdm_t)
@ -30347,7 +30371,7 @@ index 8b40377..84a88ff 100644
 
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +694,163 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +695,163 @@ userdom_read_user_home_content_files(xdm_t)
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
@ -30517,7 +30541,7 @@ index 8b40377..84a88ff 100644
 tunable_policy(`xdm_sysadm_login',`
 	userdom_xsession_spec_domtrans_all_users(xdm_t)
 	# FIXME:
-@@ -502,12 +863,31 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,12 +864,31 @@ tunable_policy(`xdm_sysadm_login',`
 #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
 ')
 
@ -30549,7 +30573,7 @@ index 8b40377..84a88ff 100644
 ')
 
 optional_policy(`
-@@ -518,8 +898,36 @@ optional_policy(`
+@@ -518,8 +899,36 @@ optional_policy(`
 	dbus_system_bus_client(xdm_t)
 	dbus_connect_system_bus(xdm_t)
 
@ -30587,7 +30611,7 @@ index 8b40377..84a88ff 100644
 	')
 ')
 
-@@ -530,6 +938,20 @@ optional_policy(`
+@@ -530,6 +939,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30608,7 +30632,7 @@ index 8b40377..84a88ff 100644
 	hostname_exec(xdm_t)
 ')
 
-@@ -547,28 +969,78 @@ optional_policy(`
+@@ -547,28 +970,78 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30696,7 +30720,7 @@ index 8b40377..84a88ff 100644
 ')
 
 optional_policy(`
-@@ -580,6 +1052,14 @@ optional_policy(`
+@@ -580,6 +1053,14 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30711,7 +30735,7 @@ index 8b40377..84a88ff 100644
 	xfs_stream_connect(xdm_t)
 ')
 
-@@ -594,7 +1074,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1075,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
 type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
 
 allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@ -30720,7 +30744,7 @@ index 8b40377..84a88ff 100644
 
 # setuid/setgid for the wrapper program to change UID
 # sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1084,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1085,11 @@ allow xserver_t input_xevent_t:x_event send;
 # execheap needed until the X module loader is fixed.
 # NVIDIA Needs execstack
 
@ -30733,7 +30757,7 @@ index 8b40377..84a88ff 100644
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:fd use;
 allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1101,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1102,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xserver_t self:tcp_socket create_stream_socket_perms;
 allow xserver_t self:udp_socket create_socket_perms;
@ -30749,7 +30773,7 @@ index 8b40377..84a88ff 100644
 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1117,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1118,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
 
 filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
 
@ -30760,7 +30784,7 @@ index 8b40377..84a88ff 100644
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1132,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1133,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
 
@ -30802,7 +30826,7 @@ index 8b40377..84a88ff 100644
 corenet_all_recvfrom_netlabel(xserver_t)
 corenet_tcp_sendrecv_generic_if(xserver_t)
 corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1183,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1184,28 @@ dev_rw_apm_bios(xserver_t)
 dev_rw_agp(xserver_t)
 dev_rw_framebuffer(xserver_t)
 dev_manage_dri_dev(xserver_t)
@ -30834,7 +30858,7 @@ index 8b40377..84a88ff 100644
 
 # brought on by rhgb
 files_search_mnt(xserver_t)
-@@ -705,6 +1216,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1217,14 @@ fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
 
@ -30849,7 +30873,7 @@ index 8b40377..84a88ff 100644
 mls_xwin_read_to_clearance(xserver_t)
 
 selinux_validate_context(xserver_t)
-@@ -718,20 +1237,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1238,18 @@ init_getpgid(xserver_t)
 term_setattr_unallocated_ttys(xserver_t)
 term_use_unallocated_ttys(xserver_t)
 
@ -30873,7 +30897,7 @@ index 8b40377..84a88ff 100644
 
 userdom_search_user_home_dirs(xserver_t)
 userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1256,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1257,6 @@ userdom_setattr_user_ttys(xserver_t)
 userdom_read_user_tmp_files(xserver_t)
 userdom_rw_user_tmpfs_files(xserver_t)
 
@ -30882,7 +30906,7 @@ index 8b40377..84a88ff 100644
 ifndef(`distro_redhat',`
 	allow xserver_t self:process { execmem execheap execstack };
 	domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1300,54 @@ optional_policy(`
+@@ -785,17 +1301,54 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30939,7 +30963,7 @@ index 8b40377..84a88ff 100644
 ')
 
 optional_policy(`
-@@ -803,6 +1355,10 @@ optional_policy(`
+@@ -803,6 +1356,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30950,7 +30974,7 @@ index 8b40377..84a88ff 100644
 	xfs_stream_connect(xserver_t)
 ')
 
-@@ -818,18 +1374,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1375,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
@ -30975,7 +30999,7 @@ index 8b40377..84a88ff 100644
 can_exec(xserver_t, xkb_var_lib_t)
 
 # VNC v4 module in X server
-@@ -842,26 +1397,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1398,21 @@ init_use_fds(xserver_t)
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -31010,7 +31034,7 @@ index 8b40377..84a88ff 100644
 ')
 
 optional_policy(`
-@@ -912,7 +1462,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1463,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
 allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -31019,7 +31043,7 @@ index 8b40377..84a88ff 100644
 # operations allowed on all windows
 allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
 
-@@ -966,11 +1516,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1517,31 @@ allow x_domain self:x_resource { read write };
 # can mess with the screensaver
 allow x_domain xserver_t:x_screen { getattr saver_getattr };
 
@ -31051,7 +31075,7 @@ index 8b40377..84a88ff 100644
 tunable_policy(`! xserver_object_manager',`
 	# should be xserver_unconfined(x_domain),
 	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1562,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1563,148 @@ tunable_policy(`! xserver_object_manager',`
 	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
 ')
 
@ -35415,7 +35439,7 @@ index 79a45f6..6126f21 100644
 +    allow $1 init_var_lib_t:dir search_dir_perms;
 ')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..3395ea6 100644
+index 17eda24..a78f8b6 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -35623,7 +35647,7 @@ index 17eda24..3395ea6 100644
 
 domain_getpgid_all_domains(init_t)
 domain_kill_all_domains(init_t)
-@@ -139,14 +239,26 @@ domain_signal_all_domains(init_t)
+@@ -139,45 +239,102 @@ domain_signal_all_domains(init_t)
 domain_signull_all_domains(init_t)
 domain_sigstop_all_domains(init_t)
 domain_sigchld_all_domains(init_t)
@ -35652,7 +35676,9 @@ index 17eda24..3395ea6 100644
 # file descriptors inherited from the rootfs:
 files_dontaudit_rw_root_files(init_t)
 files_dontaudit_rw_root_chr_files(init_t)
-@@ -155,29 +267,73 @@ fs_list_inotifyfs(init_t)
+files_dontaudit_mounton_modules_object(init_t)
+ 
+ fs_list_inotifyfs(init_t)
 # cjp: this may be related to /dev/log
 fs_write_ramfs_sockets(init_t)
 
@ -35731,7 +35757,7 @@ index 17eda24..3395ea6 100644
 
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
-@@ -186,29 +342,275 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +343,275 @@ ifdef(`distro_gentoo',`
 ')
 
 ifdef(`distro_redhat',`
@ -36016,7 +36042,7 @@ index 17eda24..3395ea6 100644
 ')
 
 optional_policy(`
-@@ -216,7 +618,30 @@ optional_policy(`
+@@ -216,7 +619,30 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -36048,7 +36074,7 @@ index 17eda24..3395ea6 100644
 ')
 
 ########################################
-@@ -225,9 +650,9 @@ optional_policy(`
+@@ -225,9 +651,9 @@ optional_policy(`
 #
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -36060,7 +36086,7 @@ index 17eda24..3395ea6 100644
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
 
-@@ -258,12 +683,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +684,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -36077,7 +36103,7 @@ index 17eda24..3395ea6 100644
 
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +708,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +709,36 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -36120,7 +36146,7 @@ index 17eda24..3395ea6 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +745,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +746,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -36132,7 +36158,7 @@ index 17eda24..3395ea6 100644
 dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
-@@ -313,8 +757,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +758,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -36143,7 +36169,7 @@ index 17eda24..3395ea6 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -322,8 +768,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +769,7 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -36153,7 +36179,7 @@ index 17eda24..3395ea6 100644
 
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
-@@ -332,7 +777,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +778,6 @@ domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -36161,7 +36187,7 @@ index 17eda24..3395ea6 100644
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -340,6 +784,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +785,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -36169,7 +36195,7 @@ index 17eda24..3395ea6 100644
 
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -347,14 +792,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +793,15 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -36187,7 +36213,7 @@ index 17eda24..3395ea6 100644
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
-@@ -364,8 +810,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +811,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -36201,7 +36227,7 @@ index 17eda24..3395ea6 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -375,10 +825,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +826,11 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -36215,7 +36241,7 @@ index 17eda24..3395ea6 100644
 mcs_process_set_categories(initrc_t)
 
 mls_file_read_all_levels(initrc_t)
-@@ -387,8 +838,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +839,10 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -36226,7 +36252,7 @@ index 17eda24..3395ea6 100644
 
 storage_getattr_fixed_disk_dev(initrc_t)
 storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +851,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +852,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 
 auth_rw_login_records(initrc_t)
@ -36234,7 +36260,7 @@ index 17eda24..3395ea6 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -416,20 +870,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +871,18 @@ logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
 
@ -36258,7 +36284,7 @@ index 17eda24..3395ea6 100644
 
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +903,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +904,6 @@ ifdef(`distro_gentoo',`
 	allow initrc_t self:process setfscreate;
 	dev_create_null_dev(initrc_t)
 	dev_create_zero_dev(initrc_t)
@ -36266,7 +36292,7 @@ index 17eda24..3395ea6 100644
 	term_create_console_dev(initrc_t)
 
 	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +937,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +938,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 
 	optional_policy(`
@ -36277,7 +36303,7 @@ index 17eda24..3395ea6 100644
 		alsa_read_lib(initrc_t)
 	')
 
-@@ -506,7 +961,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +962,7 @@ ifdef(`distro_redhat',`
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -36286,7 +36312,7 @@ index 17eda24..3395ea6 100644
 	files_dontaudit_read_root_files(initrc_t)
 
 	# These seem to be from the initrd
-@@ -521,6 +976,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +977,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -36294,7 +36320,7 @@ index 17eda24..3395ea6 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +997,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +998,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
@ -36302,7 +36328,7 @@ index 17eda24..3395ea6 100644
 
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +1007,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +1008,44 @@ ifdef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -36347,7 +36373,7 @@ index 17eda24..3395ea6 100644
 	')
 
 	optional_policy(`
-@@ -559,14 +1052,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1053,31 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -36379,7 +36405,7 @@ index 17eda24..3395ea6 100644
 	')
 ')
 
-@@ -577,6 +1087,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1088,39 @@ ifdef(`distro_suse',`
 	')
 ')
 
@ -36419,7 +36445,7 @@ index 17eda24..3395ea6 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1132,8 @@ optional_policy(`
+@@ -589,6 +1133,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -36428,7 +36454,7 @@ index 17eda24..3395ea6 100644
 ')
 
 optional_policy(`
-@@ -610,6 +1155,7 @@ optional_policy(`
+@@ -610,6 +1156,7 @@ optional_policy(`
 
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -36436,7 +36462,7 @@ index 17eda24..3395ea6 100644
 ')
 
 optional_policy(`
-@@ -626,6 +1172,17 @@ optional_policy(`
+@@ -626,6 +1173,17 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -36454,7 +36480,7 @@ index 17eda24..3395ea6 100644
 	dev_getattr_printer_dev(initrc_t)
 
 	cups_read_log(initrc_t)
-@@ -642,9 +1199,13 @@ optional_policy(`
+@@ -642,9 +1200,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -36468,7 +36494,7 @@ index 17eda24..3395ea6 100644
 	')
 
 	optional_policy(`
-@@ -657,15 +1218,11 @@ optional_policy(`
+@@ -657,15 +1219,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -36486,7 +36512,7 @@ index 17eda24..3395ea6 100644
 ')
 
 optional_policy(`
-@@ -686,6 +1243,15 @@ optional_policy(`
+@@ -686,6 +1244,15 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -36502,7 +36528,7 @@ index 17eda24..3395ea6 100644
 	inn_exec_config(initrc_t)
 ')
 
-@@ -726,6 +1292,7 @@ optional_policy(`
+@@ -726,6 +1293,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 
 	lpd_read_config(initrc_t)
@ -36510,7 +36536,7 @@ index 17eda24..3395ea6 100644
 ')
 
 optional_policy(`
-@@ -743,7 +1310,13 @@ optional_policy(`
+@@ -743,7 +1311,13 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -36525,7 +36551,7 @@ index 17eda24..3395ea6 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
 
-@@ -766,6 +1339,10 @@ optional_policy(`
+@@ -766,6 +1340,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -36536,7 +36562,7 @@ index 17eda24..3395ea6 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -775,10 +1352,20 @@ optional_policy(`
+@@ -775,10 +1353,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -36557,7 +36583,7 @@ index 17eda24..3395ea6 100644
 	quota_manage_flags(initrc_t)
 ')
 
-@@ -787,6 +1374,10 @@ optional_policy(`
+@@ -787,6 +1375,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -36568,7 +36594,7 @@ index 17eda24..3395ea6 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
 
-@@ -808,8 +1399,6 @@ optional_policy(`
+@@ -808,8 +1400,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
 
@ -36577,7 +36603,7 @@ index 17eda24..3395ea6 100644
 ')
 
 optional_policy(`
-@@ -818,6 +1407,10 @@ optional_policy(`
+@@ -818,6 +1408,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -36588,7 +36614,7 @@ index 17eda24..3395ea6 100644
 	# shorewall-init script run /var/lib/shorewall/firewall
 	shorewall_lib_domtrans(initrc_t)
 ')
-@@ -827,10 +1420,12 @@ optional_policy(`
+@@ -827,10 +1421,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
 
@ -36601,7 +36627,7 @@ index 17eda24..3395ea6 100644
 
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1452,62 @@ optional_policy(`
+@@ -857,21 +1453,62 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -36665,7 +36691,7 @@ index 17eda24..3395ea6 100644
 ')
 
 optional_policy(`
-@@ -887,6 +1523,10 @@ optional_policy(`
+@@ -887,6 +1524,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -36676,7 +36702,7 @@ index 17eda24..3395ea6 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
 
-@@ -897,3 +1537,218 @@ optional_policy(`
+@@ -897,3 +1538,218 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -37886,7 +37912,7 @@ index 0000000..c814795
 +fs_manage_kdbus_dirs(systemd_logind_t)
 +fs_manage_kdbus_files(systemd_logind_t)
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c0..f36d28b 100644
+index 73bb3c0..a70bee5 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
@@ -1,3 +1,4 @@
@ -38218,7 +38244,7 @@ index 73bb3c0..f36d28b 100644
 +
 +/usr/lib/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib64/erlang/erts-[^/]*/bin/epmd  --  gen_context(system_u:object_r:lib_t,s0)
+/usr/lib/erlang/erts-[^/]*/bin/epmd  --  gen_context(system_u:object_r:lib_t,s0)
 +
 +/usr/lib/nsr/(.*/)?.*\.so		-- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/lgtonmc/bin/.*\.so(\.[0-9])?  	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -589,7 +589,7 @@ index 058d908..ee0c559 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..963ccdc 100644
+index eb50f07..1c4fbd3 100644
 --- a/abrt.te
 +++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@ -1058,7 +1058,7 @@ index eb50f07..963ccdc 100644
 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
 
 domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +474,80 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +474,84 @@ corecmd_exec_shell(abrt_retrace_worker_t)
 
 dev_read_urand(abrt_retrace_worker_t)
 
@ -1120,10 +1120,10 @@ index eb50f07..963ccdc 100644
 +domain_ptrace_all_domains(abrt_dump_oops_t)
 +domain_read_all_domains_state(abrt_dump_oops_t)
 +domain_getattr_all_domains(abrt_dump_oops_t)
-+
+ 
 +files_manage_non_security_dirs(abrt_dump_oops_t)
 +files_manage_non_security_files(abrt_dump_oops_t)
- 
+
 +fs_getattr_all_fs(abrt_dump_oops_t)
 fs_list_inotifyfs(abrt_dump_oops_t)
 +fs_list_pstorefs(abrt_dump_oops_t)
@ -1138,12 +1138,16 @@ index eb50f07..963ccdc 100644
 +init_read_var_lib_files(abrt_dump_oops_t)
 +
 +optional_policy(`
+    sssd_stream_connect(abrt_dump_oops_t)
+')
+
+optional_policy(`
 +	xserver_exec(abrt_dump_oops_t)
 +')
 
 #######################################
 #
-@@ -404,25 +555,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +559,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
 #
 
 allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@ -1206,7 +1210,7 @@ index eb50f07..963ccdc 100644
 ')
 
 #######################################
-@@ -430,10 +616,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +620,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
 # Global local policy
 #
 
@ -12356,7 +12360,7 @@ index 008f8ef..144c074 100644
 	admin_pattern($1, certmonger_var_run_t)
 ')
 diff --git a/certmonger.te b/certmonger.te
-index 550b287..1401e7b 100644
+index 550b287..814aeca 100644
 --- a/certmonger.te
 +++ b/certmonger.te
@@ -18,18 +18,23 @@ files_type(certmonger_var_lib_t)
@ -12449,7 +12453,7 @@ index 550b287..1401e7b 100644
 ')
 
 optional_policy(`
-@@ -92,11 +111,60 @@ optional_policy(`
+@@ -92,11 +111,61 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -12471,6 +12475,7 @@ index 550b287..1401e7b 100644
 +optional_policy(`
 	kerberos_use(certmonger_t)
 +	kerberos_read_keytab(certmonger_t)
+	kerberos_manage_config(certmonger_t)
 ')
 
 optional_policy(`
@ -15122,10 +15127,10 @@ index 5f306dd..cf347c6 100644
 ')
 diff --git a/cockpit.fc b/cockpit.fc
 new file mode 100644
-index 0000000..9ed6fdc
+index 0000000..bf80173
 --- /dev/null
 +++ b/cockpit.fc
-@@ -0,0 +1,12 @@
+@@ -0,0 +1,13 @@
 +# cockpit stuff
 +
 +/usr/lib/systemd/system/cockpit.*		--	gen_context(system_u:object_r:cockpit_unit_file_t,s0)
@ -15134,6 +15139,7 @@ index 0000000..9ed6fdc
 +/usr/libexec/cockpit-ws		--	gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
 +
 +/usr/libexec/cockpit-session	--	gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+/usr/libexec/cockpit-ssh	--	gen_context(system_u:object_r:cockpit_session_exec_t,s0)
 +
 +/var/lib/cockpit(/.*)?      gen_context(system_u:object_r:cockpit_var_lib_t,s0)
 +
@ -15334,10 +15340,10 @@ index 0000000..d5920c0
 +')
 diff --git a/cockpit.te b/cockpit.te
 new file mode 100644
-index 0000000..e7b8c7e
+index 0000000..da93926
 --- /dev/null
 +++ b/cockpit.te
-@@ -0,0 +1,115 @@
+@@ -0,0 +1,120 @@
 +policy_module(cockpit, 1.0.0)
 +
 +########################################
@ -15431,6 +15437,9 @@ index 0000000..e7b8c7e
 +allow cockpit_session_t self:capability { sys_admin dac_override setuid setgid };
 +allow cockpit_session_t self:process { setexec setsched signal_perms };
 +
+read_files_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t)
+list_dirs_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t)
+
 +manage_dirs_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
 +manage_files_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
 +files_tmp_filetrans(cockpit_session_t, cockpit_tmp_t, { dir file })
@ -15442,6 +15451,8 @@ index 0000000..e7b8c7e
 +auth_manage_shadow(cockpit_session_t)
 +auth_write_login_records(cockpit_session_t)
 +
+corenet_tcp_bind_ssh_port(cockpit_session_t)
+
 +# cockpit-session can execute cockpit-agent as the user
 +userdom_spec_domtrans_all_users(cockpit_session_t)
 +usermanage_read_crack_db(cockpit_session_t)
@ -15850,7 +15861,7 @@ index 8e27a37..c69be28 100644
 +	ps_process_pattern($1, colord_t)
 +')
 diff --git a/colord.te b/colord.te
-index 9f2dfb2..def3424 100644
+index 9f2dfb2..86836f9 100644
 --- a/colord.te
 +++ b/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.1.0)
@ -15913,7 +15924,7 @@ index 9f2dfb2..def3424 100644
 
 storage_getattr_fixed_disk_dev(colord_t)
 storage_getattr_removable_dev(colord_t)
-@@ -100,19 +106,16 @@ init_read_state(colord_t)
+@@ -100,19 +106,17 @@ init_read_state(colord_t)
 
 auth_use_nsswitch(colord_t)
 
@ -15928,6 +15939,7 @@ index 9f2dfb2..def3424 100644
 -	fs_read_nfs_files(colord_t)
 -')
 +systemd_read_logind_sessions_files(colord_t)
+systemd_hwdb_manage_config(colord_t)
 
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_getattr_cifs(colord_t)
@ -15940,7 +15952,7 @@ index 9f2dfb2..def3424 100644
 
 optional_policy(`
 	cups_read_config(colord_t)
-@@ -120,6 +123,13 @@ optional_policy(`
+@@ -120,6 +124,13 @@ optional_policy(`
 	cups_read_state(colord_t)
 	cups_stream_connect(colord_t)
 	cups_dbus_chat(colord_t)
@ -15954,7 +15966,7 @@ index 9f2dfb2..def3424 100644
 ')
 
 optional_policy(`
-@@ -134,6 +144,23 @@ optional_policy(`
+@@ -134,6 +145,23 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -21988,7 +22000,7 @@ index 83bfda6..92d9fb2 100644
 	domain_system_change_exemption($1)
 	role_transition $2 cyrus_initrc_exec_t system_r;
 diff --git a/cyrus.te b/cyrus.te
-index 4283f2d..21a3620 100644
+index 4283f2d..30b684c 100644
 --- a/cyrus.te
 +++ b/cyrus.te
@@ -29,7 +29,7 @@ files_pid_file(cyrus_var_run_t)
@ -22041,18 +22053,22 @@ index 4283f2d..21a3620 100644
 miscfiles_read_generic_certs(cyrus_t)
 
 userdom_use_unpriv_users_fds(cyrus_t)
-@@ -121,6 +121,10 @@ optional_policy(`
+@@ -121,6 +121,14 @@ optional_policy(`
 ')
 
 optional_policy(`
 +	dirsrv_stream_connect(cyrus_t)
 +')
 +
+optional_policy(`
+    gssproxy_stream_connect(cyrus_t)
+')
+
 +optional_policy(`
 	kerberos_read_keytab(cyrus_t)
 	kerberos_use(cyrus_t)
 ')
-@@ -134,8 +138,8 @@ optional_policy(`
+@@ -134,8 +142,8 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -25463,7 +25479,7 @@ index 0000000..b3784d8
 +')
 diff --git a/dirsrv.te b/dirsrv.te
 new file mode 100644
-index 0000000..89f1271
+index 0000000..f9f9806
 --- /dev/null
 +++ b/dirsrv.te
@@ -0,0 +1,203 @@
@ -25548,7 +25564,7 @@ index 0000000..89f1271
 +
 +manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
 +manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
-+files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, file)
+files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, { dir file })
 +files_setattr_lock_dirs(dirsrv_t)
 +
 +manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
@ -31069,10 +31085,10 @@ index 0000000..d9ba5fa
 +')
 diff --git a/ganesha.te b/ganesha.te
 new file mode 100644
-index 0000000..4125c8d
+index 0000000..fe7b5d7
 --- /dev/null
 +++ b/ganesha.te
-@@ -0,0 +1,71 @@
+@@ -0,0 +1,72 @@
 +policy_module(ganesha, 1.0.0)
 +
 +########################################
@ -31133,6 +31149,7 @@ index 0000000..4125c8d
 +optional_policy(`
 +	dbus_system_bus_client(ganesha_t)
 +	dbus_connect_system_bus(ganesha_t)
+    unconfined_dbus_chat(ganesha_t)
 +')
 +
 +
@ -42122,7 +42139,7 @@ index 3a00b3a..92f125f 100644
 +')
 +
 diff --git a/kdump.te b/kdump.te
-index 715fc21..14a5a0f 100644
+index 715fc21..446ebb4 100644
 --- a/kdump.te
 +++ b/kdump.te
@@ -12,35 +12,58 @@ init_system_domain(kdump_t, kdump_exec_t)
@ -42230,7 +42247,7 @@ index 715fc21..14a5a0f 100644
 
 kernel_read_system_state(kdumpctl_t)
 
-@@ -71,46 +107,60 @@ corecmd_exec_bin(kdumpctl_t)
+@@ -71,46 +107,62 @@ corecmd_exec_bin(kdumpctl_t)
 corecmd_exec_shell(kdumpctl_t)
 
 dev_read_sysfs(kdumpctl_t)
@ -42264,6 +42281,8 @@ index 715fc21..14a5a0f 100644
 logging_send_syslog_msg(kdumpctl_t)
 +# Need log file from /var/log/dracut.log
 +logging_write_generic_logs(kdumpctl_t)
+
+selinux_get_enforce_mode(kdumpctl_t)
 
 -miscfiles_read_localization(kdumpctl_t)
 +optional_policy(`
@ -46111,10 +46130,10 @@ index 0000000..7ba5060
 +
 diff --git a/linuxptp.te b/linuxptp.te
 new file mode 100644
-index 0000000..9f7ea8e
+index 0000000..7acdb2d
 --- /dev/null
 +++ b/linuxptp.te
-@@ -0,0 +1,179 @@
+@@ -0,0 +1,180 @@
 +policy_module(linuxptp, 1.0.0)
 +
 +
@ -46267,6 +46286,7 @@ index 0000000..9f7ea8e
 +allow ptp4l_t self:shm create_shm_perms;
 +allow ptp4l_t self:udp_socket create_socket_perms;
 +allow ptp4l_t self:capability { net_admin net_raw sys_time };
+allow ptp4l_t self:capability2 { wake_alarm };
 +allow ptp4l_t self:netlink_route_socket rw_netlink_socket_perms;
 +
 +allow ptp4l_t phc2sys_t:unix_dgram_socket sendto;
@ -67927,14 +67947,12 @@ index 9b15730..cb00f20 100644
 +	')
 ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 44dbc99..e1fbbd9 100644
+index 44dbc99..9e70db7 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
-@@ -8,12 +8,10 @@ policy_module(openvswitch, 1.1.1)
- type openvswitch_t;
+@@ -9,11 +9,8 @@ type openvswitch_t;
 type openvswitch_exec_t;
 init_daemon_domain(openvswitch_t, openvswitch_exec_t)
-+init_initrc_domain(openvswitch_t)
 
 -type openvswitch_initrc_exec_t;
 -init_script_file(openvswitch_initrc_exec_t)
@ -67946,7 +67964,7 @@ index 44dbc99..e1fbbd9 100644
 
 type openvswitch_var_lib_t;
 files_type(openvswitch_var_lib_t)
-@@ -27,20 +25,29 @@ files_tmp_file(openvswitch_tmp_t)
+@@ -27,20 +24,29 @@ files_tmp_file(openvswitch_tmp_t)
 type openvswitch_var_run_t;
 files_pid_file(openvswitch_var_run_t)
 
@ -67984,7 +68002,7 @@ index 44dbc99..e1fbbd9 100644
 
 manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
 manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-@@ -48,9 +55,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
+@@ -48,9 +54,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
 files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
 
 manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
@ -67995,7 +68013,7 @@ index 44dbc99..e1fbbd9 100644
 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
 logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
 
-@@ -63,35 +68,56 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+@@ -63,35 +67,59 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
 manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
 manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
 manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
@ -68032,6 +68050,7 @@ index 44dbc99..e1fbbd9 100644
 
 -files_read_etc_files(openvswitch_t)
 +files_read_kernel_modules(openvswitch_t)
+files_load_kernel_modules(openvswitch_t)
 
 fs_getattr_all_fs(openvswitch_t)
 fs_search_cgroup_dirs(openvswitch_t)
@ -68043,6 +68062,8 @@ index 44dbc99..e1fbbd9 100644
 logging_send_syslog_msg(openvswitch_t)
 
 -miscfiles_read_localization(openvswitch_t)
+init_read_script_state(openvswitch_t)
+
 +modutils_exec_insmod(openvswitch_t)
 +modutils_list_module_config(openvswitch_t)
 +modutils_read_module_config(openvswitch_t)
@ -95405,7 +95426,7 @@ index 50d07fb..a34db48 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
 ')
 diff --git a/samba.te b/samba.te
-index 2b7c441..02be6db 100644
+index 2b7c441..efe3f59 100644
 --- a/samba.te
 +++ b/samba.te
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@ -96038,7 +96059,7 @@ index 2b7c441..02be6db 100644
 	rpc_search_nfs_state_data(smbd_t)
 ')
 
-@@ -499,12 +549,52 @@ optional_policy(`
+@@ -499,12 +549,53 @@ optional_policy(`
 	udev_read_db(smbd_t)
 ')
 
@ -96089,10 +96110,11 @@ index 2b7c441..02be6db 100644
 
 dontaudit nmbd_t self:capability sys_tty_config;
 +allow nmbd_t self:capability {net_admin};
+allow nmbd_t self:capability2 block_suspend;
 allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow nmbd_t self:fd use;
 allow nmbd_t self:fifo_file rw_fifo_file_perms;
-@@ -512,9 +602,11 @@ allow nmbd_t self:msg { send receive };
+@@ -512,9 +603,11 @@ allow nmbd_t self:msg { send receive };
 allow nmbd_t self:msgq create_msgq_perms;
 allow nmbd_t self:sem create_sem_perms;
 allow nmbd_t self:shm create_shm_perms;
@ -96107,7 +96129,7 @@ index 2b7c441..02be6db 100644
 
 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
 manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +618,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +619,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
 read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
 
 manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@ -96132,7 +96154,7 @@ index 2b7c441..02be6db 100644
 
 kernel_getattr_core_if(nmbd_t)
 kernel_getattr_message_if(nmbd_t)
-@@ -547,53 +635,44 @@ kernel_read_kernel_sysctls(nmbd_t)
+@@ -547,53 +636,44 @@ kernel_read_kernel_sysctls(nmbd_t)
 kernel_read_network_state(nmbd_t)
 kernel_read_software_raid_state(nmbd_t)
 kernel_read_system_state(nmbd_t)
@ -96201,7 +96223,7 @@ index 2b7c441..02be6db 100644
 ')
 
 optional_policy(`
-@@ -606,18 +685,29 @@ optional_policy(`
+@@ -606,18 +686,29 @@ optional_policy(`
 
 ########################################
 #
@ -96237,7 +96259,7 @@ index 2b7c441..02be6db 100644
 
 samba_read_config(smbcontrol_t)
 samba_search_var(smbcontrol_t)
-@@ -627,39 +717,38 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,39 +718,38 @@ domain_use_interactive_fds(smbcontrol_t)
 
 dev_read_urand(smbcontrol_t)
 
@ -96289,7 +96311,7 @@ index 2b7c441..02be6db 100644
 
 allow smbmount_t samba_secrets_t:file manage_file_perms;
 
-@@ -668,26 +757,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +758,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
 files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
 
@ -96325,7 +96347,7 @@ index 2b7c441..02be6db 100644
 
 fs_getattr_cifs(smbmount_t)
 fs_mount_cifs(smbmount_t)
-@@ -699,58 +784,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +785,77 @@ fs_read_cifs_files(smbmount_t)
 storage_raw_read_fixed_disk(smbmount_t)
 storage_raw_write_fixed_disk(smbmount_t)
 
@ -96417,7 +96439,7 @@ index 2b7c441..02be6db 100644
 
 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
 manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +863,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +864,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
 manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
 files_pid_filetrans(swat_t, swat_var_run_t, file)
 
@ -96441,7 +96463,7 @@ index 2b7c441..02be6db 100644
 
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
-@@ -777,36 +877,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +878,25 @@ kernel_read_network_state(swat_t)
 
 corecmd_search_bin(swat_t)
 
@ -96484,7 +96506,7 @@ index 2b7c441..02be6db 100644
 
 auth_domtrans_chk_passwd(swat_t)
 auth_use_nsswitch(swat_t)
-@@ -818,10 +907,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +908,11 @@ logging_send_syslog_msg(swat_t)
 logging_send_audit_msgs(swat_t)
 logging_search_logs(swat_t)
 
@ -96498,7 +96520,7 @@ index 2b7c441..02be6db 100644
 optional_policy(`
 	cups_read_rw_config(swat_t)
 	cups_stream_connect(swat_t)
-@@ -840,17 +930,20 @@ optional_policy(`
+@@ -840,17 +931,20 @@ optional_policy(`
 # Winbind local policy
 #
 
@ -96524,7 +96546,7 @@ index 2b7c441..02be6db 100644
 
 allow winbind_t samba_etc_t:dir list_dir_perms;
 read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +953,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +954,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
 filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
 
 manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@ -96535,7 +96557,7 @@ index 2b7c441..02be6db 100644
 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
 
 manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,38 +964,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,38 +965,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
 
 rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
 
@ -96589,7 +96611,7 @@ index 2b7c441..02be6db 100644
 corenet_tcp_connect_smbd_port(winbind_t)
 corenet_tcp_connect_epmap_port(winbind_t)
 corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,38 +1007,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,38 +1008,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
 dev_read_sysfs(winbind_t)
 dev_read_urand(winbind_t)
 
@ -96648,7 +96670,7 @@ index 2b7c441..02be6db 100644
 ')
 
 optional_policy(`
-@@ -959,31 +1068,36 @@ optional_policy(`
+@@ -959,31 +1069,36 @@ optional_policy(`
 # Winbind helper local policy
 #
 
@ -96692,7 +96714,7 @@ index 2b7c441..02be6db 100644
 
 optional_policy(`
 	apache_append_log(winbind_helper_t)
-@@ -997,25 +1111,38 @@ optional_policy(`
+@@ -997,25 +1112,38 @@ optional_policy(`
 
 ########################################
 #
@ -102743,7 +102765,7 @@ index 634c6b4..f6db7a7 100644
 +')
 +
 diff --git a/sosreport.te b/sosreport.te
-index f2f507d..4dd29c9 100644
+index f2f507d..7db383e 100644
 --- a/sosreport.te
 +++ b/sosreport.te
@@ -13,15 +13,15 @@ type sosreport_exec_t;
@ -102883,10 +102905,14 @@ index f2f507d..4dd29c9 100644
 	cups_stream_connect(sosreport_t)
 ')
 
-@@ -127,6 +167,16 @@ optional_policy(`
+@@ -127,6 +167,20 @@ optional_policy(`
 ')
 
 optional_policy(`
+	iptables_domtrans(sosreport_t)
+')
+
+optional_policy(`
 +    lvm_read_config(sosreport_t)
 +    lvm_dontaudit_access_check_lock(sosreport_t)
 +')
@ -102900,7 +102926,7 @@ index f2f507d..4dd29c9 100644
 	fstools_domtrans(sosreport_t)
 ')
 
-@@ -136,6 +186,14 @@ optional_policy(`
+@@ -136,6 +190,14 @@ optional_policy(`
 	optional_policy(`
 		hal_dbus_chat(sosreport_t)
 	')
@ -102915,7 +102941,7 @@ index f2f507d..4dd29c9 100644
 ')
 
 optional_policy(`
-@@ -147,13 +205,35 @@ optional_policy(`
+@@ -147,13 +209,35 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -112533,7 +112559,7 @@ index 31c752e..ef52235 100644
 	init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
 	domain_system_change_exemption($1)
 diff --git a/vdagent.te b/vdagent.te
-index 87da8a2..4be1fcb 100644
+index 87da8a2..b80a6f4 100644
 --- a/vdagent.te
 +++ b/vdagent.te
@@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t)
@ -112544,7 +112570,7 @@ index 87da8a2..4be1fcb 100644
 allow vdagent_t self:fifo_file rw_fifo_file_perms;
 allow vdagent_t self:unix_stream_socket { accept listen };
 
-@@ -39,23 +40,29 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+@@ -39,23 +40,30 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
 setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
 logging_log_filetrans(vdagent_t, vdagent_log_t, file)
 
@ -112556,6 +112582,7 @@ index 87da8a2..4be1fcb 100644
 dev_dontaudit_write_mtrr(vdagent_t)
 
 -files_read_etc_files(vdagent_t)
+fs_getattr_cgroup(vdagent_t)
 +fs_getattr_tmpfs(vdagent_t)
 
 term_use_virtio_console(vdagent_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 244%{?dist}
+Release: 245%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -682,6 +682,25 @@ exit 0
 %endif

 %changelog
+* Fri Mar 17 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-245
+- Allow vdagent domain to getattr cgroup filesystem
+- Allow abrt_dump_oops_t stream connect to sssd_t domain
+- Allow cyrus stream connect to gssproxy
+- Label /usr/libexec/cockpit-ssh as cockpit_session_exec_t and allow few rules
+- Allow colord_t to read systemd hwdb.bin file
+- Allow dirsrv_t to create /var/lock/dirsrv labeled as dirsrc_var_lock_t
+- Allow certmonger to manage /etc/krb5kdc_conf_t
+- Allow kdumpctl to getenforce
+- Allow ptp4l wake_alarm capability
+- Allow ganesha to chat with unconfined domains via dbus
+- Add nmbd_t capability2 block_suspend
+- Add domain transition from sosreport_t to iptables_t
+- Dontaudit init_t to mounton modules_object_t
+- Add interface files_dontaudit_mounton_modules_object
+- Allow xdm_t to execute files labeled as xdm_var_lib_t
+- Make mtrr_device_t mountpoint.
+- Fix path to /usr/lib64/erlang/erts-5.10.4/bin/epmd
+
 * Tue Mar 07 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-244
 - Update fwupd policy
 - /usr/libexec/udisks2/udisksd should be labeled as devicekit_disk_exec_t