From 99509b3f868e60223e0b4e69bcafd7bf94c2f4a4 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Wed, 16 Nov 2016 14:46:50 +0100 Subject: [PATCH] * Wed Nov 16 2016 Lukas Vrabec - 3.13.1-226 - Adding policy for tlp - Add interface dev_manage_sysfs() - Allow ifconfig domain to manage tlp pid files. --- container-selinux.tgz | Bin 4909 -> 4906 bytes policy-rawhide-base.patch | 582 +++++++++++++++++++++++------------ policy-rawhide-contrib.patch | 297 +++++++++++++++++- selinux-policy.spec | 7 +- 4 files changed, 675 insertions(+), 211 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index 84868715106d553ef77ba0271c4fc3dc132333bf..9633bb796783c143505c5fe64457f4a5ecb4af2a 100644 GIT binary patch literal 4906 zcmV+_6V>b=iwFSpVk}qy1MOYwkKDEq&)3_(La+n)F0k)mrw(vVTNH6W^h1##&9|mi zwGww%v0fFad(`m%-Wfh5N+Kz0S8HF36>#2NY34_ANDgO)Lpd%B7NrHLFVoFeN4l=z zdi(ZU{Ji<@ch~wSTyL&#-oE+j20q?gzrA^bbT@BaUtfO}Tpz1K`qfYt)j{x8c2`Gh z5?kq}p8tQ6|tUjtbvbX~9UniDGj8ueLT}-4ra%NeJa}oEIoM7MC@N^CYAss^eX_PK)!eZ!T76 zs<^O<7}N^y+QCdu*u@G9I6_B(WS?v=p*-gFkY8uSQNbylop7MM|HjMI#GR$odrl?xLDJC8_fY`O969dq_P?DZ{aC6S@R4-16zNY3{7}us4E#hmX4ZPkh$n z`b;Ylr<)WyNOUBwtz@L~c$tY95XgVv;(kOuc-TO(Xtq5>ZV>ukqaxZ47m}wj$8uh^ zqvtWmzk$3dIvA1G6;MjA zJ06kcK4rTg0>XxYgjpH~y!D;)0O}6uB25ogb$W;8AmwN5&;hcnMToU9;G-+fn^JDL zCKf_Lbpe(P|l7Rg*N8;-H()!JZ9Of$kV&=v!+NH7k}4L0y~k0mMTc}R*K{` z$x1ZVK~gD(UoP#_mD`BQPP z&MFvUb%`@zB7nAtn-vvFa9^h;13M=u&9gy8G#F3&&Jd{S zq_j!5m!!B`5_MNnMwbTU_V|LBHKAp8cZm{M1XlDC8W<7|)M*X6B#e?gEyN_j@U*SN z#Vk@dmwI;}=8u*|p`5N(6P9QrMgdqK4*_MMCv!e|2>arTx~L5*L9F%O8}-X?I&W&ZrhfUbBkeg;klQ z@gpDM%FCB-J$Ty%Q#&db+VhDhz>B4$H(}JUolLzLg>d-8CzhhZ>pLflh%@xGh1TQ) z^M^E~(e1-FBF!CjX!6jJ^tzIQcXu3=FQg$H!B7=)e!4afZ~c6ebvz5ItN|6ftl2um z^nEse!WepU7Ww*#IY5I=DDANW$(STEsEZ$xF=wJf8a{53+)(Ydy%7nYI;u3@ z+qCR^a(y=3oV19&zqx1I`E%5&za?ceTFtzAHN>&xp|N^bQ$cu(RCGzz-JpuARG z$0UTta`Uy4+pYvRFQJ&=en&tJ*7`gf({%sG=UqMYueD zd5C)>5$YkDF};@%ok0-2U79=C-?}{SJsl5-Hh9>tqP9yc@VL0lF-PMjZy!!={HmQU z{1i81v4?#=q!DWG%slDR!A(shlR6!Y#9&Q7l z511TNHLpg~6>qgY13w0cJys|3h8nOpw1*Bq?f6J*9#wq6jYpMvl$xW_1Jq$Cq7Oa} zj9AMUl8%egg2w$)dfO5z`rF<-HzJJTRf$GSS`uL4Hx(7_Q0Z820 znJ5@mUA0G8lMF1R4EG2pn7ZwxEdkGh)&2b>D80_oJY~EdR3;-$*QMQV!2Bp}??LQm zOfZ`^J$b?Xo1SPat`l(}q^0NL-x55v(@_-A+DWzzlFkaxGSe z@tDYjg`|=@#_OT!w8Eia$YEGw}u=0Hr0tWdy?4j%&CBWV4C1m zeS%LHUW$z)+^Wea&c(nI$N*EWVVkfC7}+NQ5b`!%OMsKDKQh zV9p*K9+*qx&7SQpOrIW>#4}e--%;FFWtnBxoLPPpY)r7pqQ@h{zg`~Sbd2FRMQBG5 zj#mI4npi#WXe>vA+>YrSP@EOMAL#2bU zd*AArE-Z_&+Tra_GCD6Kl>H#Ru`OEU{sTypWHQM_>^JgU6SJPysSCpH%ld;aIZtqZ zq%q5kqV9^Tg9|qL`(3Fi{dq`I0`tXHCM7<;z0E 
z6Y3JmN@XeYJ=3*$i~6EZMRz329B?Qx3={Lcgf0B6(>N^3#8L&Fg_0tHlI~izbh8K3 zo@EWTY%FZNRlEx^0b!axmT3n&#wyPu6iZy@d6kiekazGjFW(@TD?uaEv;=!>p5j2B znS-KbnJ7XkQ9ktJZjakSEr`1rBln%eq`{oa*<6mo&<7Xw+SX-LIqM}Uh2u;g^DHes z*lA@pdt{r9K+>zDt%8)5HLh%RbRY7)vIj7clazk2(DN-G)K3Ma_bH2aW;%JMWhgGN z*OT(z0xjPwqLK{FRGbK(H?|ga2d!}E@Zxj2wNUqnLDgee7N~8`K}ut7uHUP_z_vxUl9(&{bmPP| z90;qc-0I<9h{vLZYX^lL;Dx!=4GiEiqZ1;wFsBv6M6o@&@%`9$ViI_5dh$f!)$<^G zh{cgt%!`||o1a8+h+%*_O$gdx+cd$C3is#Xv%#N_RPN~Gw{=-E{sjy*^;I6*1Y2#^ z-n=YBeqcB8qGc7h^)osOI#mD+HdJyUsK$0fI}m0Uzu(*9p4{VBTw==iH_MHPUU>k? zw(imZKAJY)1JoVDv74V*@X?VJ5X9=J^@K1j9%&bHoyR&3+4=_W^wc+L^>%B3myx^` z7WZ9RfeI=%<%C83?}kto@;6Zp^HvS?vOQrAqZ-ycw@t5z-4?rn*y%8=z~j*uW{X*` z5dj>A@NEtNP;#x>fcmnCwx!ALxQ1eN=_nUp+Jr?qDYCMxyr3qFl$MohZA!rv#+0i` zTTFW72QW+;i6f2)tIW*Q#^`2owGlWMmsqK3doagUfE=Mn?L$|IJr)t^L23Lb4I6PI67bDK)aeIC;SS1+Lrxa=%{RtoVymahmNIYVf#zH${bX!{Cqq;KM4P0#q z3vW0BSRIGximo6>>y1n*nPe`HT|t-}hHcf2FZhnfA?NrT$-1E`G>TuvyVNYslsG%V z$##*GNDKq<1`B+J2M!-go1E_fX$!;LrqpJPnCSB;-T|GB+W8B#Dz z*QG`0c4aF%*E|%|YLmy8Ud`Gb10RGIuIIs~tkF%E0NvYNLMmElZ_>;5uvB}TzQ-f` z+~kbiZW4Uo-8aC{;lth4pw)RB1A*(6tQk6@y-dFQ{u%)^u2#xouK zTpfl4#t!v3=OOqseiwu5u-@psKNG%un_3|c0?y^vcB>_VW5Ds3&2{l6YedO#qTD7X4IgUky6d=*!c)0g$y{!Z z_HGOJ`#-MV-oUfL`#)~JdwY8S$LF}NaEtKj*GqAznZMqL$7>#7=@qMUb1VPQvUs)SO54%=%=$+ue|ZqaxULViRGAz5g(V|ECIbv ziw7OS#^jhh<0qUCXm@~+I9oV=34m;jF2es%fH#UIbSv0`-|mrJ6$dx+;k$~RT$K->LrlqUJoKF{eoU8n1Govzb$x=z>WI$fvhbe*o#b-GU1 c={jAf>vWy2({;K|*Z=eNUuwIkTmYZ|09SCLKmY&$ literal 4909 zcmV+|6VmJ-iwFQC8Y5T$1MOYwkK4Er&)4-|AtVQ6_mJ!(NpryF+M>AYhkht}XzyFE zRb`2`bbWiEFiHh&HP9X$>Gd!sEx~lMQK6m%XIVXNY^!7 z@87?}&ztXlbFF{E_4fMa{o7|Z@NxbA<~P^x-afm&d3*ESyJx}mu_~lr4P{Xs1kbX& zI$D$1N;mcVfAm_tcoBS0n>>%|$KURaqKGEG>&5Rs$s<#TGs< zzrRv!D**AkdZodSvp+tNxM4&?Pm6%<^czW;!@O_mQjMSSbCg=ZZYZKN@!P1jtj=CutX5}nS(7+VLQ0}K-i7P5IRED6 zVs)m93#*7ht?;fL%=Cm^tgwJ1bQDPT$@UV;V@?nGbw(T&oYL6|2g>_zyi85pS-K7q zsD8}KIwf?5q|aQEj^db5j&?Rr#8N0wEgu2jMKzLkvgPFm-`tpJZlRrl#D}k8Me3Xa z<0j1rRRv3G-XjZ-?58GbKA^s&pe+NuNTgdwui_KLjQAAMBCv)@-*gH 
z&Z~Ab-6r7=(QXQ3YQh{o187XpO6B@jkT*pKBhtD8 zO6hgSBeLA5Y!^g8*f5YVOXGmIzH=Tx-6371>A|W_@30)C{DK`iK$f)#u@(k=bj5j7 z$_>}VLMW)bV=kpRMG4+8<=JMe%3jverZvm&_>-|9>8o70N%#e*2u&jjf4DIw*Ec z(qijXta*wk9p~+y8z+d%+twz*H*etITln{GS^Mm#KmGVbRt|2(RB1AA-2h+MqHq9; z&M=5Mkn!f?ZXYG}-68=fXGe@e8*}~cN6JVZvusx6>BIP0Q>2WGzw0Q0ok&AV6(o8q zMe>?tB^v7>sT9T&e-g+`G0Se%UgMG+BIgXV#NI8`Sbh@9T4FEw zcZ0V4TPRu|5}yqxNLFt77Ac%dy}J+dN6Vs6PFJf5OSBQA0IZLPfHKgNIiEa)ef33M)CQFx)_U)aNni85 zU))|M{4p#rt<(PY(+^z%^eOjT6?^v{(xSqK58s{=x48`!LS4BQ7cHj)o1BB+qJ&g^ z1YIDj#mZU6hA}R!-2J+NS_QIw+%MwOJ%xh7_TWLAe%8TVT9-vW%L+M8cky~2>V8=x zX{txv{@U0Kfd$~C$PF}kVZh$Z4qU{{tP~UnCD?ZVO+7B301}1 zp-LBm7LT;fi79>=Vi@qFlsy1MXCSvSc3S?e7rSh}!Rw#q*2c-SyR95&R0|`oSw--| zs?5^(k&kfYaI}XYh(h!bds0ukhU7Lrue!j^%o&{CbfQnt# zY#n0yKAS&b481vwJoBKzx@?Ms@(F|6Bg^PAvBT5CACPF*RdKJNqTa$W6)azeo1L%< zM#ZB6UalEJ7GQG1f>u9PB{Wx9swtJy{&F)0zSm_&;;6cslzdm+eG?sBrk|h_QTeVU z(HmN|64WV!M70h~-EMRB#+=3+pur}T_Sk`BOcEK?#Sh7tGtnUpAGb(usCL`lh=fla zRT}SYTJ}A;J{xXMTEyPp+_UZcIcnA4lCl}CW?nsVuCc1yu2RQqhbnRPQ&H)wU0cUF74`q{fr!| z4EOn;ch_&fyB?nZd2{{U>HN=^xP)sT=4H}k&xp|N^bQc_>sgJXcTmb zL3ypXj!6iO<>qT8w_OQtUP3X!{f>Ydto4n?h}&5z;K;**Sr+{K!%sm~)~wx~t)v1I z=%|%gQ$%aM4Xuq2cHgUD6J?Y@du*mC6q811>hWa(w3*X#>QgIgiswiq5y{IU6w3MB zP?GD+h~Nrov;H-Nl{el+#g;$Kc`U{R*D|5W=*h9t)wX2ETjx?sBa}?&2y5;jP(?kI zi*R}R@(}k%BGf}PV|p(kI)fm3yEJ#Ozjb-udpaHvZSb&PMQxW@;Bj%8V~)m6-aee# z_*FYy_$hA2Vh{U#$Unwafzm#57uOZ_l)rh?jX_ppAi0mJg3AIiQ+vhdLoO5AsDd&e zJ=_L9A22zlYF>?|E8c2*27U|>d#q064K-kIXb&BJ+VPRrJgWGB8;>gUC^bi;2dKkP zL?3({7_pWyBpnx}1&#Zq^tL5b^tZivZbTTvs}z?$c9$U|vR&BY`Iu!4CO4M*SZxxA z5JFx;mvLwIe8gxFG%P(M@$!2gRv7gw2;;xchb(g!&~71w85L!LSf1gL@X<}{7A4u{ zHjb)jon|R}3_b<%uDmaTk14F18~6rb8%kK31o_9JOaiPd-$3Bs)@jiu^zj>YbPt$p z1CY40Gf^BWTLPX1tNZ&&Pv|wiE0}2J7nF5iI%T_rDbsm z5BKc*o_TA1u-{mii9LI4_~Q3%d#{l)fVPa70|k!uzT?rsLifc#MDYG?kT%sZ3sFh# z$1G!=9Z^_5DrmsOU&Ns49`Gtu&cM8i!93Aj)Vb3{v`t@=_G?aiP=UKyW$|IJS>`$$ zzwco2z??leJTRBWn?2iIm_9u$iD#~wzN5IU$}-EWIkWsI*qC6GMUO{@f3rNk=@`Rt ziqMWA9IpU8G_iWo(O8ZKxgFCv%4zB({5})k6LYrG^TeI4_&jmj!$nI2&(?xdxIUV& 
z_x7Zj9)#)el7E#KG+?KWR_{A{y)fq*k)FW&4Kokmy@r_!*L0Z9AJQ}o+P3on;WLcK zhe`)y_rBFLU04=lwZq$=WprLfDEmQrV_USy{YQ`{$z+m=*l*;yCT2aYQx}BYm-RlN2BR60%=ZUA`L@`V6V4@_J@+EzO&zgiE z%a?_SC)6dBmC91)d!}pi7WGA+itb33Ip9!Y7$)X>30wGCr*T-6iKPlU3nfJYCEc}b z>1Ge6JU(XEYl8lj8&dRD3-X)^C}|`A@AU6UcNyvSAs^SX$kh& zJjH=LGY3V>GEsz7qI~Gb-5$4vS`c?LM(#U_NrO3;v$-6Fp${(VwXMsha@I>y3dfl~ z=2=>NwA0FL_Q*CHfuvVQTLmdAYh2mt=sx6oWe;E?Cn^1Cq32sXsGkZ-?^71<%yjZh z%TQckuP5cb1zNsWL?s!TsW=fnZ)`2<4qD;R;l<~4YoYEDgQ~}{EKu8=gOtYFVB;IJ z>3Bfm`I1pA>xz)qJ5RXL**A5Chz)N$f8yLW4MkhpUVNNTCiDG+lZ?4q z3AWm-y?I%N{J?JFMawF1>t}QnbgBRtY^dZyP>t<|b|B0ye!sWHJ-NrNxWtt2Zdss;FBXMAc)mb>j`06Jkl=YI*)Z6vh@w#>8Wqh>h0D5 zFC%#?EbhCs0u@wj$_b15-wmNGwwUzD4`7%y5=R^pR+*WpjnU2GY9nwiF0oS6_F#^y069XD+J~-yf0V>cotnLP z6K=n~c8gdTMJ}@xh?>HStR^00z7lBrL7MB1AvGj*bifO&Cah{yZpGQif}j8L<6nZm zLWAx|@H3t^6xI}y!wCS}r=b>Y%S=jzkZ*nx3qjK1M4BeJi_^7Uo zb^})%!onNQ09MB#x}qz{(Rw43N+y}hV^{Xy9!5$s z+0d6(p`wAZm-pASW|hsMwJ{dlvo0{sVm%oI%YjbVor<4T)LmM$=^%k1bGYvOxzEHm zQHB%@({*Xlxn0?c&NUAOwc6zIrB}1I$G``nh3iGIDQk4oB|!Ifmyn7U+MD#MJuKB8 zr|+as7LZQl8BF!S(a zxA9B|KUaq#fw4n9&UpwvkKe`MI;=N(@6UuU-=mz}QRu6SDHW<-V%RB7n?6zX94aTrrny$}{mx#AS0_yz zz>?=)_c(Z@bIv?<)W+2;a9ZHFJ>}Iqt7Bcy)tieZl1ZjtzvOy0nOCw9yfYJIp)y=a zA%_;>&JXcHpUx5SN;+sq#US&-5bkVAU3-Nsk+z?vjtCjS{Px~j^68B)Mf$bhyYN)5 zRx+2HqrKb0{r->Z_c!ot^!I{V#p>ML%D*2} z-*(eT9!{kAhLEd<)>mNkp+9#eaIRX)zyI^O-PG97aVf zSi%wdvnxY-4f1op!Kl4uL88O@DxuD=F2B9_{h2pbtj^w^K-l_>2OJlWt4s=QwlWJ^U6{qoyi@VusfeZ|SoX<&6&!XMec()^snGQb!^ zp4(+EJbBJVLN18-<^aec=APr;IaDR)5k{;+HV@o`$E_KD(cx<^Vwq8_@E0D;3U=`^ zJpev@Xv1oBfch1#W?N4LYYCE>b+h1!%Kd_W)o9i#I01*AFyPT;@Z_I2T1bRaeF@Wo z&IKJs0yI4az*pHrJQq^FsX_WI$fvhbe*o# fb-GU1={jAf>vWy2({;N3pRfM{yc-sD0H6Q>R1cC@ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index e4bcf7d5..e01d341f 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch 
@@ -6601,7 +6601,7 @@ index b31c054..1ed65a0 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..6843613 100644 +index 76f285e..72f99c0 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -8048,7 +8048,7 @@ index 76f285e..6843613 100644 ## ## ## -@@ -4024,17 +4722,243 @@ interface(`dev_rw_sysfs',` +@@ -4024,17 +4722,262 @@ interface(`dev_rw_sysfs',` ## ## # @@ -8274,6 +8274,25 @@ index 76f285e..6843613 100644 + +######################################## +## ++## Allow caller to modify hardware state information. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_manage_sysfs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ manage_dirs_pattern($1, sysfs_t, sysfs_t) ++ manage_files_pattern($1, sysfs_t, sysfs_t) ++') ++ ++######################################## ++## +## Read and write the TPM device. +## +## @@ -8296,7 +8315,7 @@ index 76f285e..6843613 100644 ## ## ##
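Review bot: dev_manage_sysfs() grants manage_dirs_pattern and manage_files_pattern over every sysfs_t node, which adds create, unlink and rename on the whole of /sys rather than the write access a power-management tool needs on a handful of attributes; the context of the `@@ -8048` hunk on this same line shows dev_rw_sysfs() already exists, so the caller in tlp.te could probably use that unless a create or unlink denial was actually observed. If manage really is required, the summary should say so, e.g. `## Create, read, write, and delete sysfs directories and files.` instead of `## Allow caller to modify hardware state information.`, so a later reader sees that it is strictly broader than dev_rw_sysfs(). Because sysfs_t covers kernel tunables far beyond power management, whichever variant is kept deserves a one-line comment in the caller naming the bug or denial that motivated it.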

-@@ -4113,6 +5037,25 @@ interface(`dev_write_urand',` +@@ -4113,6 +5056,25 @@ interface(`dev_write_urand',` ######################################## ##

@@ -8322,7 +8341,7 @@ index 76f285e..6843613 100644 ## Getattr generic the USB devices. ## ## -@@ -4123,7 +5066,7 @@ interface(`dev_write_urand',` +@@ -4123,7 +5085,7 @@ interface(`dev_write_urand',` # interface(`dev_getattr_generic_usb_dev',` gen_require(` 
@@ -8331,84 +8350,264 @@ index 76f285e..6843613 100644 ') getattr_chr_files_pattern($1, device_t, usb_device_t) -@@ -4409,9 +5352,9 @@ interface(`dev_rw_usbfs',` - read_lnk_files_pattern($1, usbfs_t, usbfs_t) - ') +@@ -4330,28 +5292,180 @@ interface(`dev_search_usbfs',` --######################################## -+###################################### + ######################################## ## --## Get the attributes of video4linux devices. +-## Allow caller to get a list of usb hardware. ++## Allow caller to get a list of usb hardware. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_list_usbfs',` ++ gen_require(` ++ type usbfs_t; ++ ') ++ ++ read_lnk_files_pattern($1, usbfs_t, usbfs_t) ++ getattr_files_pattern($1, usbfs_t, usbfs_t) ++ ++ list_dirs_pattern($1, usbfs_t, usbfs_t) ++') ++ ++######################################## ++## ++## Set the attributes of usbfs filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_setattr_usbfs_files',` ++ gen_require(` ++ type usbfs_t; ++ ') ++ ++ setattr_files_pattern($1, usbfs_t, usbfs_t) ++ list_dirs_pattern($1, usbfs_t, usbfs_t) ++') ++ ++######################################## ++## ++## Read USB hardware information using ++## the usbfs filesystem interface. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_usbfs',` ++ gen_require(` ++ type usbfs_t; ++ ') ++ ++ read_files_pattern($1, usbfs_t, usbfs_t) ++ read_lnk_files_pattern($1, usbfs_t, usbfs_t) ++ list_dirs_pattern($1, usbfs_t, usbfs_t) ++') ++ ++######################################## ++## ++## Allow caller to modify usb hardware configuration files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dev_rw_usbfs',` ++ gen_require(` ++ type usbfs_t; ++ ') ++ ++ list_dirs_pattern($1, usbfs_t, usbfs_t) ++ rw_files_pattern($1, usbfs_t, usbfs_t) ++ read_lnk_files_pattern($1, usbfs_t, usbfs_t) ++') ++ ++###################################### ++## +## Read and write userio device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_userio_dev',` ++ gen_require(` ++ type device_t, userio_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, userio_device_t) ++') ++ ++######################################## ++## ++## Get the attributes of video4linux devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_video_dev',` ++ gen_require(` ++ type device_t, v4l_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, v4l_device_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to get the attributes ++## of video4linux device nodes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_getattr_video_dev',` ++ gen_require(` ++ type v4l_device_t; ++ ') ++ ++ dontaudit $1 v4l_device_t:chr_file getattr; ++') ++ ++######################################## ++## ++## Set the attributes of video4linux device nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_setattr_video_dev',` ++ gen_require(` ++ type device_t, v4l_device_t; ++ ') ++ ++ setattr_chr_files_pattern($1, device_t, v4l_device_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to set the attributes ++## of video4linux device nodes. ## ## ## -@@ -4419,17 +5362,17 @@ interface(`dev_rw_usbfs',` +-## Domain allowed access. ++## Domain to not audit. 
## ## # --interface(`dev_getattr_video_dev',` -+interface(`dev_rw_userio_dev',` +-interface(`dev_list_usbfs',` ++interface(`dev_dontaudit_setattr_video_dev',` gen_require(` -- type device_t, v4l_device_t; -+ type device_t, userio_device_t; +- type usbfs_t; ++ type v4l_device_t; ') -- getattr_chr_files_pattern($1, device_t, v4l_device_t) -+ rw_chr_files_pattern($1, device_t, userio_device_t) +- read_lnk_files_pattern($1, usbfs_t, usbfs_t) +- getattr_files_pattern($1, usbfs_t, usbfs_t) +- +- list_dirs_pattern($1, usbfs_t, usbfs_t) ++ dontaudit $1 v4l_device_t:chr_file setattr; ') --###################################### -+######################################## + ######################################## ## --## Read and write userio device. -+## Get the attributes of video4linux devices. +-## Set the attributes of usbfs filesystem. ++## Read the video4linux devices. ## ## ## -@@ -4437,12 +5380,12 @@ interface(`dev_getattr_video_dev',` +@@ -4359,19 +5473,17 @@ interface(`dev_list_usbfs',` ## ## # --interface(`dev_rw_userio_dev',` -+interface(`dev_getattr_video_dev',` +-interface(`dev_setattr_usbfs_files',` ++interface(`dev_read_video_dev',` gen_require(` -- type device_t, userio_device_t; +- type usbfs_t; + type device_t, v4l_device_t; ') -- rw_chr_files_pattern($1, device_t, userio_device_t) -+ getattr_chr_files_pattern($1, device_t, v4l_device_t) +- setattr_files_pattern($1, usbfs_t, usbfs_t) +- list_dirs_pattern($1, usbfs_t, usbfs_t) ++ read_chr_files_pattern($1, device_t, v4l_device_t) ') ######################################## -@@ -4539,7 +5482,7 @@ interface(`dev_write_video_dev',` + ## +-## Read USB hardware information using +-## the usbfs filesystem interface. ++## Write the video4linux devices. 
+ ## + ## + ## +@@ -4379,19 +5491,17 @@ interface(`dev_setattr_usbfs_files',` + ## + ## + # +-interface(`dev_read_usbfs',` ++interface(`dev_write_video_dev',` + gen_require(` +- type usbfs_t; ++ type device_t, v4l_device_t; + ') + +- read_files_pattern($1, usbfs_t, usbfs_t) +- read_lnk_files_pattern($1, usbfs_t, usbfs_t) +- list_dirs_pattern($1, usbfs_t, usbfs_t) ++ write_chr_files_pattern($1, device_t, v4l_device_t) + ') ######################################## ## --## Allow read/write the vhost net device +-## Allow caller to modify usb hardware configuration files. +## Get the attributes of vfio devices. ## ## ## -@@ -4547,35 +5490,36 @@ interface(`dev_write_video_dev',` +@@ -4399,37 +5509,36 @@ interface(`dev_read_usbfs',` ## ## # --interface(`dev_rw_vhost',` +-interface(`dev_rw_usbfs',` +interface(`dev_getattr_vfio_dev',` gen_require(` -- type device_t, vhost_device_t; +- type usbfs_t; + type device_t, vfio_device_t; ') -- rw_chr_files_pattern($1, device_t, vhost_device_t) +- list_dirs_pattern($1, usbfs_t, usbfs_t) +- rw_files_pattern($1, usbfs_t, usbfs_t) +- read_lnk_files_pattern($1, usbfs_t, usbfs_t) + getattr_chr_files_pattern($1, device_t, vfio_device_t) ') ######################################## ## --## Read and write VMWare devices. +-## Get the attributes of video4linux devices. +## Do not audit attempts to get the attributes +## of vfio device nodes. ## 
@@ -8419,186 +8618,177 @@ index 76f285e..6843613 100644 ## ## # --interface(`dev_rw_vmware',` +-interface(`dev_getattr_video_dev',` +interface(`dev_dontaudit_getattr_vfio_dev',` gen_require(` -- type device_t, vmware_device_t; +- type device_t, v4l_device_t; + type vfio_device_t; ') -- rw_chr_files_pattern($1, device_t, vmware_device_t) +- getattr_chr_files_pattern($1, device_t, v4l_device_t) + dontaudit $1 vfio_device_t:chr_file getattr; ') - ######################################## +-###################################### ++######################################## ## --## Read, write, and mmap VMWare devices. +-## Read and write userio device. +## Set the attributes of vfio device nodes. ## ## ## -@@ -4583,12 +5527,157 @@ interface(`dev_rw_vmware',` +@@ -4437,18 +5546,18 @@ interface(`dev_getattr_video_dev',` ## ## # --interface(`dev_rwx_vmware',` +-interface(`dev_rw_userio_dev',` +interface(`dev_setattr_vfio_dev',` gen_require(` -- type device_t, vmware_device_t; +- type device_t, userio_device_t; + type device_t, vfio_device_t; ') -- dev_rw_vmware($1) +- rw_chr_files_pattern($1, device_t, userio_device_t) + setattr_chr_files_pattern($1, device_t, vfio_device_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to set the attributes -+## of vfio device nodes. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dev_dontaudit_setattr_vfio_dev',` -+ gen_require(` -+ type vfio_device_t; -+ ') -+ -+ dontaudit $1 vfio_device_t:chr_file setattr; -+') -+ -+######################################## -+## -+## Read the vfio devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_read_vfio_dev',` -+ gen_require(` -+ type device_t, vfio_device_t; -+ ') -+ -+ read_chr_files_pattern($1, device_t, vfio_device_t) -+') -+ -+######################################## -+## -+## Write the vfio devices. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`dev_write_vfio_dev',` -+ gen_require(` -+ type device_t, vfio_device_t; -+ ') -+ -+ write_chr_files_pattern($1, device_t, vfio_device_t) -+') -+ -+######################################## -+## -+## Read and write the VFIO devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_vfio_dev',` -+ gen_require(` -+ type device_t, vfio_device_t; -+ ') -+ -+ rw_chr_files_pattern($1, device_t, vfio_device_t) -+') -+ -+######################################## -+## -+## Allow read/write the vhost net device -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_vhost',` -+ gen_require(` -+ type device_t, vhost_device_t; -+ ') -+ -+ rw_chr_files_pattern($1, device_t, vhost_device_t) -+') -+ -+######################################## -+## -+## Allow read/write inheretid the vhost net device -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_inherited_vhost',` -+ gen_require(` -+ type device_t, vhost_device_t; -+ ') -+ -+ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms; -+') -+ -+######################################## -+## -+## Read and write VMWare devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_vmware',` -+ gen_require(` -+ type device_t, vmware_device_t; -+ ') -+ -+ rw_chr_files_pattern($1, device_t, vmware_device_t) -+') -+ -+######################################## -+## -+## Read, write, and mmap VMWare devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rwx_vmware',` -+ gen_require(` -+ type device_t, vmware_device_t; -+ ') -+ -+ dev_rw_vmware($1) - allow $1 vmware_device_t:chr_file execute; ') -@@ -4630,6 +5719,24 @@ interface(`dev_write_watchdog',` + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of video4linux device nodes. ++## Do not audit attempts to set the attributes ++## of vfio device nodes. 
+ ## + ## + ## +@@ -4456,17 +5565,17 @@ interface(`dev_rw_userio_dev',` + ## + ## + # +-interface(`dev_dontaudit_getattr_video_dev',` ++interface(`dev_dontaudit_setattr_vfio_dev',` + gen_require(` +- type v4l_device_t; ++ type vfio_device_t; + ') + +- dontaudit $1 v4l_device_t:chr_file getattr; ++ dontaudit $1 vfio_device_t:chr_file setattr; + ') + + ######################################## + ## +-## Set the attributes of video4linux device nodes. ++## Read the vfio devices. + ## + ## + ## +@@ -4474,36 +5583,35 @@ interface(`dev_dontaudit_getattr_video_dev',` + ## + ## + # +-interface(`dev_setattr_video_dev',` ++interface(`dev_read_vfio_dev',` + gen_require(` +- type device_t, v4l_device_t; ++ type device_t, vfio_device_t; + ') + +- setattr_chr_files_pattern($1, device_t, v4l_device_t) ++ read_chr_files_pattern($1, device_t, vfio_device_t) + ') + + ######################################## + ## +-## Do not audit attempts to set the attributes +-## of video4linux device nodes. ++## Write the vfio devices. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`dev_dontaudit_setattr_video_dev',` ++interface(`dev_write_vfio_dev',` + gen_require(` +- type v4l_device_t; ++ type device_t, vfio_device_t; + ') + +- dontaudit $1 v4l_device_t:chr_file setattr; ++ write_chr_files_pattern($1, device_t, vfio_device_t) + ') + + ######################################## + ## +-## Read the video4linux devices. ++## Read and write the VFIO devices. + ## + ## + ## +@@ -4511,17 +5619,17 @@ interface(`dev_dontaudit_setattr_video_dev',` + ## + ## + # +-interface(`dev_read_video_dev',` ++interface(`dev_rw_vfio_dev',` + gen_require(` +- type device_t, v4l_device_t; ++ type device_t, vfio_device_t; + ') + +- read_chr_files_pattern($1, device_t, v4l_device_t) ++ rw_chr_files_pattern($1, device_t, vfio_device_t) + ') + + ######################################## + ## +-## Write the video4linux devices. 
++## Allow read/write the vhost net device + ## + ## + ## +@@ -4529,17 +5637,17 @@ interface(`dev_read_video_dev',` + ## + ## + # +-interface(`dev_write_video_dev',` ++interface(`dev_rw_vhost',` + gen_require(` +- type device_t, v4l_device_t; ++ type device_t, vhost_device_t; + ') + +- write_chr_files_pattern($1, device_t, v4l_device_t) ++ rw_chr_files_pattern($1, device_t, vhost_device_t) + ') + + ######################################## + ## +-## Allow read/write the vhost net device ++## Allow read/write inheretid the vhost net device + ## + ## + ## +@@ -4547,12 +5655,12 @@ interface(`dev_write_video_dev',` + ## + ## + # +-interface(`dev_rw_vhost',` ++interface(`dev_rw_inherited_vhost',` + gen_require(` + type device_t, vhost_device_t; + ') + +- rw_chr_files_pattern($1, device_t, vhost_device_t) ++ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms; + ') + + ######################################## +@@ -4630,6 +5738,24 @@ interface(`dev_write_watchdog',` ######################################## ## @@ -8623,7 +8813,7 @@ index 76f285e..6843613 100644 ## Read and write the the wireless device. ## ## -@@ -4762,6 +5869,44 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5888,44 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -8668,7 +8858,7 @@ index 76f285e..6843613 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5996,1022 @@ interface(`dev_unconfined',` +@@ -4851,3 +6015,1022 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -46841,7 +47031,7 @@ index 2cea692..e3cb4f2 100644 + files_etc_filetrans($1, net_conf_t, file) +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4..518cf50 100644 +index a392fc4..b01eb22 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) 
@@ -47240,7 +47430,7 @@ index a392fc4..518cf50 100644 ') optional_policy(` -@@ -371,3 +497,13 @@ optional_policy(` +@@ -371,3 +497,17 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -47250,6 +47440,10 @@ index a392fc4..518cf50 100644 +') + +optional_policy(` ++ tlp_manage_pid_files(ifconfig_t) ++') ++ ++optional_policy(` + tunable_policy(`dhcpc_exec_iptables',` + iptables_domtrans(dhcpc_t) + ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 811c8b8c..d5c24916 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -87708,7 +87708,7 @@ index c8bdea2..8ad3e01 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 6cf79c4..943fd8b 100644 +index 6cf79c4..4538e45 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) @@ -87747,7 +87747,7 @@ index 6cf79c4..943fd8b 100644 attribute cluster_domain; attribute cluster_log; attribute cluster_pid; -@@ -44,34 +73,284 @@ type foghorn_initrc_exec_t; +@@ -44,34 +73,288 @@ type foghorn_initrc_exec_t; init_script_file(foghorn_initrc_exec_t) rhcs_domain_template(gfs_controld) @@ -87957,6 +87957,10 @@ index 6cf79c4..943fd8b 100644 +') + +optional_policy(` ++ fprintd_dbus_chat(cluster_t) ++') ++ ++optional_policy(` + ldap_systemctl(cluster_t) +') + @@ -88036,7 +88040,7 @@ index 6cf79c4..943fd8b 100644 ') ##################################### -@@ -79,13 +358,14 @@ optional_policy(` +@@ -79,13 +362,14 @@ optional_policy(` # dlm_controld local policy # @@ -88053,7 +88057,7 @@ index 6cf79c4..943fd8b 100644 kernel_rw_net_sysctls(dlm_controld_t) corecmd_exec_bin(dlm_controld_t) -@@ -98,16 +378,30 @@ fs_manage_configfs_dirs(dlm_controld_t) +@@ -98,16 +382,30 @@ fs_manage_configfs_dirs(dlm_controld_t) init_rw_script_tmp_files(dlm_controld_t) 
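Review bot: tlp_manage_pid_files(ifconfig_t) is called here to give ifconfig_t the access the changelog describes as managing tlp pid files, but the interface as defined in tlp.if in the contrib patch only calls `read_files_pattern($1, tlp_var_run_t, tlp_var_run_t)`, so ifconfig_t gets read access and any write or unlink under /var/run/tlp will still be denied. Either the name and this caller overstate what is granted, or the body should be `manage_files_pattern($1, tlp_var_run_t, tlp_var_run_t)` (plus `manage_dirs_pattern` if the directory itself is touched); which is right depends on what ifconfig does with those files, and the diff does not show that. The same name/body mismatch sits in the tlp.if hunk of policy-rawhide-contrib.patch and should be resolved in one place.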
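Review bot: fprintd_dbus_chat(cluster_t) is added to rhcs.te but is not mentioned in the commit message or in the spec changelog, which list only the tlp policy, dev_manage_sysfs() and the ifconfig change. A D-Bus chat rule between the cluster domain and the fingerprint daemon is unusual enough that the changelog should record it and the denial or bug that motivated it, e.g. `- Allow cluster_t to dbus chat with fprintd_t`. If it was swept in from a different working tree by accident, it should be dropped from this update rather than shipped silently.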
@@ -88087,7 +88091,7 @@ index 6cf79c4..943fd8b 100644 manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) files_lock_filetrans(fenced_t, fenced_lock_t, file) -@@ -118,9 +412,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) +@@ -118,9 +416,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) @@ -88099,7 +88103,7 @@ index 6cf79c4..943fd8b 100644 corecmd_exec_bin(fenced_t) corecmd_exec_shell(fenced_t) -@@ -140,6 +433,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t) +@@ -140,6 +437,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t) corenet_sendrecv_zented_server_packets(fenced_t) corenet_tcp_bind_zented_port(fenced_t) @@ -88108,7 +88112,7 @@ index 6cf79c4..943fd8b 100644 corenet_tcp_sendrecv_zented_port(fenced_t) corenet_sendrecv_http_client_packets(fenced_t) -@@ -148,9 +443,8 @@ corenet_tcp_sendrecv_http_port(fenced_t) +@@ -148,9 +447,8 @@ corenet_tcp_sendrecv_http_port(fenced_t) dev_read_sysfs(fenced_t) dev_read_urand(fenced_t) @@ -88120,7 +88124,7 @@ index 6cf79c4..943fd8b 100644 storage_raw_read_fixed_disk(fenced_t) storage_raw_write_fixed_disk(fenced_t) -@@ -160,7 +454,7 @@ term_getattr_pty_fs(fenced_t) +@@ -160,7 +458,7 @@ term_getattr_pty_fs(fenced_t) term_use_generic_ptys(fenced_t) term_use_ptmx(fenced_t) @@ -88129,7 +88133,7 @@ index 6cf79c4..943fd8b 100644 tunable_policy(`fenced_can_network_connect',` corenet_sendrecv_all_client_packets(fenced_t) -@@ -182,7 +476,8 @@ optional_policy(` +@@ -182,7 +480,8 @@ optional_policy(` ') optional_policy(` @@ -88139,7 +88143,7 @@ index 6cf79c4..943fd8b 100644 ') optional_policy(` -@@ -190,12 +485,17 @@ optional_policy(` +@@ -190,12 +489,17 @@ optional_policy(` ') optional_policy(` @@ -88158,7 +88162,7 @@ index 6cf79c4..943fd8b 100644 ') optional_policy(` -@@ -203,6 +503,21 @@ optional_policy(` +@@ -203,6 +507,21 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') 
@@ -88180,7 +88184,7 @@ index 6cf79c4..943fd8b 100644 ####################################### # # foghorn local policy -@@ -221,16 +536,22 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) +@@ -221,16 +540,22 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) corenet_tcp_connect_agentx_port(foghorn_t) corenet_tcp_sendrecv_agentx_port(foghorn_t) @@ -88205,7 +88209,7 @@ index 6cf79c4..943fd8b 100644 snmp_stream_connect(foghorn_t) ') -@@ -247,16 +568,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_ +@@ -247,16 +572,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_ stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) @@ -88227,7 +88231,7 @@ index 6cf79c4..943fd8b 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +600,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +604,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -88287,7 +88291,7 @@ index 6cf79c4..943fd8b 100644 ###################################### # # qdiskd local policy -@@ -292,7 +664,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) +@@ -292,7 +668,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file }) @@ -88295,7 +88299,7 @@ index 6cf79c4..943fd8b 100644 kernel_read_software_raid_state(qdiskd_t) kernel_getattr_core_if(qdiskd_t) -@@ -321,6 +692,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +696,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) 
@@ -109009,6 +109013,267 @@ index 97cd155..49321a5 100644 files_search_tmp(timidity_t) fs_search_auto_mountpoints(timidity_t) +diff --git a/tlp.fc b/tlp.fc +new file mode 100644 +index 0000000..8b8cf4a +--- /dev/null ++++ b/tlp.fc +@@ -0,0 +1,5 @@ ++/usr/lib/systemd/system/((tlp-sleep.*)|(tlp.*)) -- gen_context(system_u:object_r:tlp_unit_file_t,s0) ++ ++/usr/sbin/tlp -- gen_context(system_u:object_r:tlp_exec_t,s0) ++ ++/var/run/tlp(/.*)? gen_context(system_u:object_r:tlp_var_run_t,s0) +diff --git a/tlp.if b/tlp.if +new file mode 100644 +index 0000000..46f12a4 +--- /dev/null ++++ b/tlp.if +@@ -0,0 +1,184 @@ ++ ++## policy for tlp ++ ++######################################## ++## ++## Execute tlp_exec_t in the tlp domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`tlp_domtrans',` ++ gen_require(` ++ type tlp_t, tlp_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, tlp_exec_t, tlp_t) ++') ++ ++###################################### ++## ++## Execute tlp in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tlp_exec',` ++ gen_require(` ++ type tlp_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, tlp_exec_t) ++') ++ ++######################################## ++## ++## Search tlp conf directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tlp_search_conf',` ++ gen_require(` ++ type tlp_etc_rw_t; ++ ') ++ ++ allow $1 tlp_etc_rw_t:dir search_dir_perms; ++ files_search_etc($1) ++') ++ ++######################################## ++## ++## Read tlp conf files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tlp_read_conf_files',` ++ gen_require(` ++ type tlp_etc_rw_t; ++ ') ++ ++ allow $1 tlp_etc_rw_t:dir list_dir_perms; ++ read_files_pattern($1, tlp_etc_rw_t, tlp_etc_rw_t) ++ files_search_etc($1) ++') ++ ++######################################## ++## ++## Manage tlp conf files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`tlp_manage_conf_files',` ++ gen_require(` ++ type tlp_etc_rw_t; ++ ') ++ ++ manage_files_pattern($1, tlp_etc_rw_t, tlp_etc_rw_t) ++ files_search_etc($1) ++') ++ ++######################################## ++## ++## Execute tlp server in the tlp domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`tlp_systemctl',` ++ gen_require(` ++ type tlp_t; ++ type tlp_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 tlp_unit_file_t:file read_file_perms; ++ allow $1 tlp_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, tlp_t) ++') ++ ++######################################## ++## ++## Read all dbus pid files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tlp_manage_pid_files',` ++ gen_require(` ++ type tlp_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, tlp_var_run_t, tlp_var_run_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an tlp environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`tlp_admin',` ++ gen_require(` ++ type tlp_t; ++ type tlp_etc_rw_t; ++ type tlp_unit_file_t; ++ ') ++ ++ allow $1 tlp_t:process { signal_perms }; ++ ps_process_pattern($1, tlp_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 tlp_t:process ptrace; ++ ') ++ ++ files_search_etc($1) ++ admin_pattern($1, tlp_etc_rw_t) ++ ++ tlp_systemctl($1) ++ admin_pattern($1, tlp_unit_file_t) ++ allow $1 tlp_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/tlp.te b/tlp.te +new file mode 100644 +index 0000000..7c81c68 +--- /dev/null ++++ b/tlp.te +@@ -0,0 +1,54 @@ ++policy_module(tlp, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type tlp_t; ++type tlp_exec_t; ++init_daemon_domain(tlp_t, tlp_exec_t) ++ ++type tlp_var_run_t; ++files_pid_file(tlp_var_run_t) ++ ++type tlp_unit_file_t; ++systemd_unit_file(tlp_unit_file_t) ++ ++######################################## ++# ++# tlp local policy ++# ++allow tlp_t self:capability { net_admin sys_rawio }; ++allow tlp_t self:unix_stream_socket create_stream_socket_perms; ++allow tlp_t self:udp_socket create_socket_perms; ++ ++manage_dirs_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t) ++manage_files_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t) ++files_pid_filetrans(tlp_t, tlp_var_run_t, { dir file }) ++ ++kernel_read_system_state(tlp_t) ++kernel_read_fs_sysctls(tlp_t) ++kernel_rw_fs_sysctls(tlp_t) ++kernel_rw_kernel_sysctl(tlp_t) ++kernel_rw_vm_sysctls(tlp_t) ++ ++auth_read_passwd(tlp_t) ++ ++corecmd_exec_bin(tlp_t) ++ ++dev_list_sysfs(tlp_t) ++dev_manage_sysfs(tlp_t) ++ ++files_read_kernel_modules(tlp_t) ++ ++modutils_exec_insmod(tlp_t) ++modutils_read_module_config(tlp_t) ++ ++storage_raw_read_fixed_disk(tlp_t) ++ ++sysnet_exec_ifconfig(tlp_t) ++ ++optional_policy(` ++ fstools_exec(tlp_t) ++') diff --git a/tmpreaper.te b/tmpreaper.te index 585a77f..a7cb326 100644 
--- a/tmpreaper.te diff --git a/selinux-policy.spec b/selinux-policy.spec index 4cd8e749..0c11cd7f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 225%{?dist} +Release: 226%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -675,6 +675,11 @@ exit 0 %endif %changelog +* Wed Nov 16 2016 Lukas Vrabec - 3.13.1-226 +- Adding policy for tlp +- Add interface dev_manage_sysfs() +- Allow ifconfig domain to manage tlp pid files. + * Wed Nov 09 2016 Lukas Vrabec - 3.13.1-225 - Allow systemd_logind_t domain to communicate with devicekit_t domain via dbus bz(1393373)
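Review bot: tlp_search_conf, tlp_read_conf_files, tlp_manage_conf_files and tlp_admin all gen_require `type tlp_etc_rw_t;`, but tlp.te never declares that type and tlp.fc labels nothing with it, so any module that calls one of these interfaces (tlp_admin in particular) will fail to build on an undefined type. Either declare it in tlp.te with `type tlp_etc_rw_t;` and `files_config_file(tlp_etc_rw_t)` and add a matching tlp.fc entry for the configuration path (placeholder: `<TLP_CONF_PATH>`), or drop the four interfaces until the type exists. The tlp_t rules are also broad for a power-management helper — `sys_rawio` alongside storage_raw_read_fixed_disk, modutils_exec_insmod and kernel_rw_kernel_sysctl — and since the diff does not show the denials behind them, a short comment above the capability line naming the bug or the tlp feature that needs each would let the next reviewer judge them; note too that kernel_rw_fs_sysctls already implies kernel_read_fs_sysctls. Two summaries are copy-paste leftovers: tlp_systemctl reads `## Execute tlp server in the tlp domain.` and tlp_manage_pid_files reads `## Read all dbus pid files`, neither of which describes the body. In tlp.fc the alternative `((tlp-sleep.*)|(tlp.*))` is redundant since `tlp.*` already matches every tlp-sleep unit; `/usr/lib/systemd/system/tlp.*` alone is equivalent and easier to audit.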