- Allow mozilla plugin to chat with policykit, needed for spice

- Allow gssprozy to change user and gid, as well as read user keyrings - Allow sandbox apps to attempt to set and get capabilties - Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly - allow modemmanger to read /dev/urand - Allow polipo to connect to http_cache_ports - Allow cron jobs to manage apache var lib content - Allow yppassword to manage the passwd_file_t - Allow showall_t to send itself signals - Allow cobbler to restart dhcpc, dnsmasq and bind services - Allow rsync_t to manage all non auth files - Allow certmonger to manage home cert files - Allow user_mail_domains to write certain files to the /root and ~/ directories - Allow apcuspd_t to status and start the power unit file - Allow cgroupdrulesengd to create content in cgoups directories - Add new access for mythtv - Allow irc_t to execute shell and bin-t files: - Allow smbd_t to signull cluster - Allow sssd to read systemd_login_var_run_t - Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t - Add label for /var/spool/cron.aquota.user - Allow sandbox_x domains to use work with the mozilla plugin semaphore - Added new policy for speech-dispatcher - Added dontaudit rule for insmod_exec_t in rasdaemon policy - Updated rasdaemon policy - Allow virt_domains to read cert files - Allow system_mail_t to transition to postfix_postdrop_t - Clean up mirrormanager policy - Allow subscription-manager running as sosreport_t to manage rhsmcertd - Remove ability to do mount/sys_admin by default in virt_sandbox domains - New rules required to run docker images within libivrt - Fixed bumblebee_admin() and mip6d_admin() - Add log support for sensord - Add label for ~/.cvsignore - Change mirrormanager to be run by cron - Add mirrormanager policy - Additional fixes for docker.te - Allow cobblerd to read/write undionly.kpxe located in /var/lib/tftpboot - Add tftp_write_rw_content/tftp_read_rw_content interfaces - Allow amanda to do backups over UDP
2014-01-06 07:31:14 +01:00 · 2014-01-06 07:31:14 +01:00 · 9d88e18305
parent 804870d8a3
commit 9d88e18305
3 changed files with 2877 additions and 1127 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -2631,7 +2631,7 @@ index 99e3903..fa68362 100644
 ## </summary>
 ## <param name="domain">
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1d732f1..7ba0bd8 100644
+index 1d732f1..9647c14 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t;
@ -2851,7 +2851,7 @@ index 1d732f1..7ba0bd8 100644
 userdom_use_unpriv_users_fds(passwd_t)
 # make sure that getcon succeeds
 userdom_getattr_all_users(passwd_t)
-@@ -352,6 +383,13 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -352,6 +383,14 @@ userdom_read_user_tmp_files(passwd_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
 userdom_dontaudit_search_user_home_content(passwd_t)
@ -2860,12 +2860,13 @@ index 1d732f1..7ba0bd8 100644
 +optional_policy(`
 +	gnome_exec_keyringd(passwd_t)
 +	gnome_manage_cache_home_dir(passwd_t)
 +	gnome_manage_generic_cache_sockets(passwd_t)
 +	gnome_stream_connect_gkeyringd(passwd_t)
 +')
 optional_policy(`
 	nscd_run(passwd_t, passwd_roles)
-@@ -401,9 +439,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -401,9 +440,10 @@ dev_read_urand(sysadm_passwd_t)
 fs_getattr_xattr_fs(sysadm_passwd_t)
 fs_search_auto_mountpoints(sysadm_passwd_t)
@ -2878,7 +2879,7 @@ index 1d732f1..7ba0bd8 100644
 auth_manage_shadow(sysadm_passwd_t)
 auth_relabel_shadow(sysadm_passwd_t)
 auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -416,7 +455,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -416,7 +456,6 @@ files_read_usr_files(sysadm_passwd_t)
 domain_use_interactive_fds(sysadm_passwd_t)
@ -2886,7 +2887,7 @@ index 1d732f1..7ba0bd8 100644
 files_relabel_etc_files(sysadm_passwd_t)
 files_read_etc_runtime_files(sysadm_passwd_t)
 # for nscd lookups
-@@ -426,12 +464,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+@@ -426,12 +465,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
 # correctly without it.  Do not audit write denials to utmp.
 init_dontaudit_rw_utmp(sysadm_passwd_t)
@ -2899,7 +2900,7 @@ index 1d732f1..7ba0bd8 100644
 userdom_use_unpriv_users_fds(sysadm_passwd_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
-@@ -446,7 +481,8 @@ optional_policy(`
+@@ -446,7 +482,8 @@ optional_policy(`
 # Useradd local policy
 #
@ -2909,7 +2910,7 @@ index 1d732f1..7ba0bd8 100644
 dontaudit useradd_t self:capability sys_tty_config;
 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow useradd_t self:process setfscreate;
-@@ -461,6 +497,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -461,6 +498,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
 allow useradd_t self:unix_dgram_socket sendto;
 allow useradd_t self:unix_stream_socket connectto;
@ -2920,7 +2921,7 @@ index 1d732f1..7ba0bd8 100644
 # for getting the number of groups
 kernel_read_kernel_sysctls(useradd_t)
-@@ -468,29 +508,27 @@ corecmd_exec_shell(useradd_t)
+@@ -468,29 +509,27 @@ corecmd_exec_shell(useradd_t)
 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
 corecmd_exec_bin(useradd_t)
@ -2959,7 +2960,7 @@ index 1d732f1..7ba0bd8 100644
 auth_run_chk_passwd(useradd_t, useradd_roles)
 auth_rw_lastlog(useradd_t)
-@@ -498,6 +536,7 @@ auth_rw_faillog(useradd_t)
+@@ -498,6 +537,7 @@ auth_rw_faillog(useradd_t)
 auth_use_nsswitch(useradd_t)
 # these may be unnecessary due to the above
 # domtrans_chk_passwd() call.
@ -2967,7 +2968,7 @@ index 1d732f1..7ba0bd8 100644
 auth_manage_shadow(useradd_t)
 auth_relabel_shadow(useradd_t)
 auth_etc_filetrans_shadow(useradd_t)
-@@ -508,33 +547,32 @@ init_rw_utmp(useradd_t)
+@@ -508,33 +548,32 @@ init_rw_utmp(useradd_t)
 logging_send_audit_msgs(useradd_t)
 logging_send_syslog_msg(useradd_t)
@ -3012,7 +3013,7 @@ index 1d732f1..7ba0bd8 100644
 optional_policy(`
 	apache_manage_all_user_content(useradd_t)
 ')
-@@ -549,10 +587,19 @@ optional_policy(`
+@@ -549,10 +588,19 @@ optional_policy(`
 ')
 optional_policy(`
@ -3032,7 +3033,7 @@ index 1d732f1..7ba0bd8 100644
 	tunable_policy(`samba_domain_controller',`
 		samba_append_log(useradd_t)
 	')
-@@ -562,3 +609,12 @@ optional_policy(`
+@@ -562,3 +610,12 @@ optional_policy(`
 	rpm_use_fds(useradd_t)
 	rpm_rw_pipes(useradd_t)
 ')
@ -8699,7 +8700,7 @@ index 6a1e4d1..84e8030 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
 ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..c47a578 100644
+index cf04cb5..4182845 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@ -8836,7 +8837,7 @@ index cf04cb5..c47a578 100644
 # Create/access any System V IPC objects.
 allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +231,314 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +231,318 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
 # act on all domains keys
 allow unconfined_domain_type domain:key *;
@ -8933,6 +8934,10 @@ index cf04cb5..c47a578 100644
 +')
 +
 +optional_policy(`
 +	cvs_filetrans_home_content(named_filetrans_domain)
 +')
 +
 +optional_policy(`
 +	devicekit_filetrans_named_content(named_filetrans_domain)
 +')
 +
@ -9152,7 +9157,7 @@ index cf04cb5..c47a578 100644
 +	')
 +')
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index b876c48..bd5b58c 100644
+index b876c48..27f60c6 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@ -9353,7 +9358,7 @@ index b876c48..bd5b58c 100644
 /var/.*				gen_context(system_u:object_r:var_t,s0)
 /var/\.journal			<<none>>
-@@ -237,11 +245,24 @@ ifndef(`distro_redhat',`
+@@ -237,11 +245,25 @@ ifndef(`distro_redhat',`
 /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
@ -9371,7 +9376,8 @@ index b876c48..bd5b58c 100644
 +/var/lib/openshift/.stickshift-proxy.d(/.*)?   gen_context(system_u:object_r:etc_t,s0)
 +/var/lib/openshift/.limits.d(/.*)?        gen_context(system_u:object_r:etc_t,s0)
 +
-+/var/lib/servicelog/servicelog.db    --  gen_context(system_u:object_r:system_db_t,s0)
+/var/lib/servicelog/servicelog\.db    --  gen_context(system_u:object_r:system_db_t,s0)
 +/var/lib/servicelog/servicelog\.db-journal  --  gen_context(system_u:object_r:system_db_t,s0)
 +
 +/var/lock			-d	gen_context(system_u:object_r:var_lock_t,s0)
 +/var/lock			-l	gen_context(system_u:object_r:var_lock_t,s0)
@ -9379,7 +9385,7 @@ index b876c48..bd5b58c 100644
 /var/log/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /var/log/lost\+found/.*		<<none>>
-@@ -256,12 +277,14 @@ ifndef(`distro_redhat',`
+@@ -256,12 +278,14 @@ ifndef(`distro_redhat',`
 /var/run		-l	gen_context(system_u:object_r:var_run_t,s0)
 /var/run/.*			gen_context(system_u:object_r:var_run_t,s0)
 /var/run/.*\.*pid		<<none>>
@ -9394,14 +9400,14 @@ index b876c48..bd5b58c 100644
 /var/tmp/.*			<<none>>
 /var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /var/tmp/lost\+found/.*		<<none>>
-@@ -271,3 +294,5 @@ ifdef(`distro_debian',`
+@@ -271,3 +295,5 @@ ifdef(`distro_debian',`
 /var/run/motd		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/motd\.dynamic	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 ')
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..70fb827 100644
+index f962f76..35cd90c 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@ -12032,7 +12038,7 @@ index f962f76..70fb827 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6519,64 +7762,749 @@ interface(`files_spool_filetrans',`
+@@ -6519,64 +7762,767 @@ interface(`files_spool_filetrans',`
 ##	</summary>
 ## </param>
 #
@ -12639,6 +12645,24 @@ index f962f76..70fb827 100644
 +
 +########################################
 +## <summary>
 +##	Allow domain to delete to all dirs
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
 +interface(`files_delete_all_non_security_dirs',`
 +	gen_require(`
 +		attribute non_security_file_type;
 +	')
 +
 +	allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms };
 +')
 +
 +########################################
 +## <summary>
 +##	Transition named content in the var_run_t directory
 +## </summary>
 +## <param name="domain">
@ -21068,10 +21092,10 @@ index fe0c682..c0413e8 100644
 +	ps_process_pattern($1, sshd_t)
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index cc877c7..f2db99e 100644
+index cc877c7..07f129b 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
-@@ -6,43 +6,64 @@ policy_module(ssh, 2.4.2)
+@@ -6,43 +6,65 @@ policy_module(ssh, 2.4.2)
 #
 ## <desc>
@ -21128,6 +21152,7 @@ index cc877c7..f2db99e 100644
 ssh_server_template(sshd)
 init_daemon_domain(sshd_t, sshd_exec_t)
 +mls_trusted_object(sshd_t)
 +mls_process_write_all_levels(sshd_t)
 +
 +type sshd_initrc_exec_t;
 +init_script_file(sshd_initrc_exec_t)
@ -21150,7 +21175,7 @@ index cc877c7..f2db99e 100644
 type ssh_t;
 type ssh_exec_t;
-@@ -73,9 +94,11 @@ type ssh_home_t;
+@@ -73,9 +95,11 @@ type ssh_home_t;
 typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
 typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
 userdom_user_home_content(ssh_home_t)
@ -21164,7 +21189,7 @@ index cc877c7..f2db99e 100644
 ##############################
 #
-@@ -86,6 +109,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+@@ -86,6 +110,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
 allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow ssh_t self:fd use;
 allow ssh_t self:fifo_file rw_fifo_file_perms;
@ -21172,7 +21197,7 @@ index cc877c7..f2db99e 100644
 allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
 allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow ssh_t self:shm create_shm_perms;
-@@ -93,15 +117,11 @@ allow ssh_t self:sem create_sem_perms;
+@@ -93,15 +118,11 @@ allow ssh_t self:sem create_sem_perms;
 allow ssh_t self:msgq create_msgq_perms;
 allow ssh_t self:msg { send receive };
 allow ssh_t self:tcp_socket create_stream_socket_perms;
@ -21189,7 +21214,7 @@ index cc877c7..f2db99e 100644
 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
 manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
 manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -110,33 +130,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -110,33 +131,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
 manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
 manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
@ -21237,7 +21262,7 @@ index cc877c7..f2db99e 100644
 dev_read_urand(ssh_t)
 fs_getattr_all_fs(ssh_t)
-@@ -157,40 +186,46 @@ files_read_var_files(ssh_t)
+@@ -157,40 +187,46 @@ files_read_var_files(ssh_t)
 logging_send_syslog_msg(ssh_t)
 logging_read_generic_logs(ssh_t)
@ -21303,7 +21328,7 @@ index cc877c7..f2db99e 100644
 ')
 optional_policy(`
-@@ -198,6 +233,7 @@ optional_policy(`
+@@ -198,6 +234,7 @@ optional_policy(`
 	xserver_domtrans_xauth(ssh_t)
 ')
@ -21311,7 +21336,7 @@ index cc877c7..f2db99e 100644
 ##############################
 #
 # ssh_keysign_t local policy
-@@ -209,6 +245,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+@@ -209,6 +246,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
 allow ssh_keysign_t sshd_key_t:file { getattr read };
 dev_read_urand(ssh_keysign_t)
@ -21319,7 +21344,7 @@ index cc877c7..f2db99e 100644
 files_read_etc_files(ssh_keysign_t)
-@@ -226,39 +263,56 @@ optional_policy(`
+@@ -226,39 +264,56 @@ optional_policy(`
 # so a tunnel can point to another ssh tunnel
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 allow sshd_t self:key { search link write };
@ -21388,7 +21413,7 @@ index cc877c7..f2db99e 100644
 ')
 optional_policy(`
-@@ -266,6 +320,15 @@ optional_policy(`
+@@ -266,6 +321,15 @@ optional_policy(`
 ')
 optional_policy(`
@ -21404,7 +21429,7 @@ index cc877c7..f2db99e 100644
 	inetd_tcp_service_domain(sshd_t, sshd_exec_t)
 ')
-@@ -275,6 +338,18 @@ optional_policy(`
+@@ -275,6 +339,18 @@ optional_policy(`
 ')
 optional_policy(`
@ -21423,7 +21448,7 @@ index cc877c7..f2db99e 100644
 	oddjob_domtrans_mkhomedir(sshd_t)
 ')
-@@ -289,13 +364,93 @@ optional_policy(`
+@@ -289,13 +365,93 @@ optional_policy(`
 ')
 optional_policy(`
@ -21517,7 +21542,7 @@ index cc877c7..f2db99e 100644
 ########################################
 #
 # ssh_keygen local policy
-@@ -304,19 +459,29 @@ optional_policy(`
+@@ -304,19 +460,29 @@ optional_policy(`
 # ssh_keygen_t is the type of the ssh-keygen program when run at install time
 # and by sysadm_t
@ -21548,7 +21573,7 @@ index cc877c7..f2db99e 100644
 dev_read_urand(ssh_keygen_t)
 term_dontaudit_use_console(ssh_keygen_t)
-@@ -333,6 +498,12 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -333,6 +499,12 @@ auth_use_nsswitch(ssh_keygen_t)
 logging_send_syslog_msg(ssh_keygen_t)
 userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@ -21561,7 +21586,7 @@ index cc877c7..f2db99e 100644
 optional_policy(`
 	seutil_sigchld_newrole(ssh_keygen_t)
-@@ -341,3 +512,140 @@ optional_policy(`
+@@ -341,3 +513,140 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(ssh_keygen_t)
 ')
@ -25994,7 +26019,7 @@ index 3efd5b6..08c3e93 100644
 +	allow $1 login_pgm:process sigchld;
 +')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791d..7345117 100644
+index 09b791d..4f331be 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@ -26191,7 +26216,7 @@ index 09b791d..7345117 100644
 miscfiles_read_generic_certs(pam_console_t)
 seutil_read_file_contexts(pam_console_t)
-@@ -341,6 +362,10 @@ kernel_read_system_state(updpwd_t)
+@@ -341,6 +362,11 @@ kernel_read_system_state(updpwd_t)
 dev_read_urand(updpwd_t)
 files_manage_etc_files(updpwd_t)
@ -26199,10 +26224,11 @@ index 09b791d..7345117 100644
 +
 +mls_file_read_all_levels(updpwd_t)
 +mls_file_write_all_levels(updpwd_t)
 +mls_file_downgrade(updpwd_t)
 term_dontaudit_use_console(updpwd_t)
 term_dontaudit_use_unallocated_ttys(updpwd_t)
-@@ -350,9 +375,7 @@ auth_use_nsswitch(updpwd_t)
+@@ -350,9 +376,7 @@ auth_use_nsswitch(updpwd_t)
 logging_send_syslog_msg(updpwd_t)
@ -26213,7 +26239,7 @@ index 09b791d..7345117 100644
 ifdef(`distro_ubuntu',`
 	optional_policy(`
-@@ -380,13 +403,15 @@ term_dontaudit_use_all_ttys(utempter_t)
+@@ -380,13 +404,15 @@ term_dontaudit_use_all_ttys(utempter_t)
 term_dontaudit_use_all_ptys(utempter_t)
 term_dontaudit_use_ptmx(utempter_t)
@ -26230,7 +26256,7 @@ index 09b791d..7345117 100644
 # Allow utemper to write to /tmp/.xses-*
 userdom_write_user_tmp_files(utempter_t)
-@@ -397,19 +422,29 @@ ifdef(`distro_ubuntu',`
+@@ -397,19 +423,29 @@ ifdef(`distro_ubuntu',`
 ')
 optional_policy(`
@ -26264,7 +26290,7 @@ index 09b791d..7345117 100644
 files_list_var_lib(nsswitch_domain)
 # read /etc/nsswitch.conf
-@@ -417,15 +452,21 @@ files_read_etc_files(nsswitch_domain)
+@@ -417,15 +453,21 @@ files_read_etc_files(nsswitch_domain)
 sysnet_dns_name_resolve(nsswitch_domain)
@ -26288,7 +26314,7 @@ index 09b791d..7345117 100644
 		ldap_stream_connect(nsswitch_domain)
 	')
 ')
-@@ -438,6 +479,7 @@ optional_policy(`
+@@ -438,6 +480,7 @@ optional_policy(`
 	likewise_stream_connect_lsassd(nsswitch_domain)
 ')
@ -26296,7 +26322,7 @@ index 09b791d..7345117 100644
 optional_policy(`
 	kerberos_use(nsswitch_domain)
 ')
-@@ -456,6 +498,8 @@ optional_policy(`
+@@ -456,6 +499,8 @@ optional_policy(`
 optional_policy(`
 	sssd_stream_connect(nsswitch_domain)
@ -26305,7 +26331,7 @@ index 09b791d..7345117 100644
 ')
 optional_policy(`
-@@ -463,3 +507,134 @@ optional_policy(`
+@@ -463,3 +508,134 @@ optional_policy(`
 	samba_read_var_files(nsswitch_domain)
 	samba_dontaudit_write_var_files(nsswitch_domain)
 ')
@ -28404,7 +28430,7 @@ index 79a45f6..edf52ea 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..3ac9985 100644
+index 17eda24..7acba2b 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -28648,11 +28674,12 @@ index 17eda24..3ac9985 100644
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
-@@ -186,29 +284,209 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +284,210 @@ ifdef(`distro_gentoo',`
 ')
 ifdef(`distro_redhat',`
 +	fs_manage_tmpfs_files(init_t)
 +	fs_manage_tmpfs_symlinks(init_t)
 +	fs_manage_tmpfs_sockets(init_t)
 +	fs_exec_tmpfs_files(init_t)
 	fs_read_tmpfs_symlinks(init_t)
@ -28866,7 +28893,7 @@ index 17eda24..3ac9985 100644
 ')
 optional_policy(`
-@@ -216,7 +494,30 @@ optional_policy(`
+@@ -216,7 +495,30 @@ optional_policy(`
 ')
 optional_policy(`
@ -28897,7 +28924,7 @@ index 17eda24..3ac9985 100644
 ')
 ########################################
-@@ -225,9 +526,9 @@ optional_policy(`
+@@ -225,9 +527,9 @@ optional_policy(`
 #
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -28909,7 +28936,7 @@ index 17eda24..3ac9985 100644
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
-@@ -258,12 +559,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +560,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -28926,7 +28953,7 @@ index 17eda24..3ac9985 100644
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +584,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +585,36 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -28969,7 +28996,7 @@ index 17eda24..3ac9985 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +621,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +622,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -28981,7 +29008,7 @@ index 17eda24..3ac9985 100644
 dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
-@@ -313,8 +633,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +634,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -28992,7 +29019,7 @@ index 17eda24..3ac9985 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -322,8 +644,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +645,7 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -29002,7 +29029,7 @@ index 17eda24..3ac9985 100644
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
-@@ -332,7 +653,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +654,6 @@ domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -29010,7 +29037,7 @@ index 17eda24..3ac9985 100644
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -340,6 +660,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +661,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -29018,7 +29045,7 @@ index 17eda24..3ac9985 100644
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -347,14 +668,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +669,15 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -29036,7 +29063,7 @@ index 17eda24..3ac9985 100644
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
-@@ -364,8 +686,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +687,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -29050,7 +29077,7 @@ index 17eda24..3ac9985 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -375,10 +701,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +702,11 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -29064,7 +29091,7 @@ index 17eda24..3ac9985 100644
 mcs_process_set_categories(initrc_t)
 mls_file_read_all_levels(initrc_t)
-@@ -387,6 +714,7 @@ mls_process_read_up(initrc_t)
+@@ -387,6 +715,7 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -29072,7 +29099,7 @@ index 17eda24..3ac9985 100644
 selinux_get_enforce_mode(initrc_t)
-@@ -398,6 +726,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +727,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 auth_rw_login_records(initrc_t)
@ -29080,7 +29107,7 @@ index 17eda24..3ac9985 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -416,20 +745,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +746,18 @@ logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
@ -29104,7 +29131,7 @@ index 17eda24..3ac9985 100644
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +778,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +779,6 @@ ifdef(`distro_gentoo',`
 	allow initrc_t self:process setfscreate;
 	dev_create_null_dev(initrc_t)
 	dev_create_zero_dev(initrc_t)
@ -29112,7 +29139,7 @@ index 17eda24..3ac9985 100644
 	term_create_console_dev(initrc_t)
 	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +812,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +813,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 	optional_policy(`
@ -29123,7 +29150,7 @@ index 17eda24..3ac9985 100644
 		alsa_read_lib(initrc_t)
 	')
-@@ -506,7 +836,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +837,7 @@ ifdef(`distro_redhat',`
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -29132,7 +29159,7 @@ index 17eda24..3ac9985 100644
 	files_dontaudit_read_root_files(initrc_t)
 	# These seem to be from the initrd
-@@ -521,6 +851,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +852,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -29140,7 +29167,7 @@ index 17eda24..3ac9985 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +872,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +873,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
@ -29148,7 +29175,7 @@ index 17eda24..3ac9985 100644
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +882,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +883,44 @@ ifdef(`distro_redhat',`
 	')
 	optional_policy(`
@ -29193,7 +29220,7 @@ index 17eda24..3ac9985 100644
 	')
 	optional_policy(`
-@@ -559,14 +927,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +928,31 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -29225,7 +29252,7 @@ index 17eda24..3ac9985 100644
 	')
 ')
-@@ -577,6 +962,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +963,39 @@ ifdef(`distro_suse',`
 	')
 ')
@ -29265,7 +29292,7 @@ index 17eda24..3ac9985 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1007,8 @@ optional_policy(`
+@@ -589,6 +1008,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -29274,7 +29301,7 @@ index 17eda24..3ac9985 100644
 ')
 optional_policy(`
-@@ -610,6 +1030,7 @@ optional_policy(`
+@@ -610,6 +1031,7 @@ optional_policy(`
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -29282,7 +29309,7 @@ index 17eda24..3ac9985 100644
 ')
 optional_policy(`
-@@ -626,6 +1047,17 @@ optional_policy(`
+@@ -626,6 +1048,17 @@ optional_policy(`
 ')
 optional_policy(`
@ -29300,7 +29327,7 @@ index 17eda24..3ac9985 100644
 	dev_getattr_printer_dev(initrc_t)
 	cups_read_log(initrc_t)
-@@ -642,9 +1074,13 @@ optional_policy(`
+@@ -642,9 +1075,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -29314,7 +29341,7 @@ index 17eda24..3ac9985 100644
 	')
 	optional_policy(`
-@@ -657,15 +1093,11 @@ optional_policy(`
+@@ -657,15 +1094,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -29332,7 +29359,7 @@ index 17eda24..3ac9985 100644
 ')
 optional_policy(`
-@@ -686,6 +1118,15 @@ optional_policy(`
+@@ -686,6 +1119,15 @@ optional_policy(`
 ')
 optional_policy(`
@ -29348,7 +29375,7 @@ index 17eda24..3ac9985 100644
 	inn_exec_config(initrc_t)
 ')
-@@ -726,6 +1167,7 @@ optional_policy(`
+@@ -726,6 +1168,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 	lpd_read_config(initrc_t)
@ -29356,7 +29383,7 @@ index 17eda24..3ac9985 100644
 ')
 optional_policy(`
-@@ -743,7 +1185,13 @@ optional_policy(`
+@@ -743,7 +1186,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -29371,7 +29398,7 @@ index 17eda24..3ac9985 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
-@@ -766,6 +1214,10 @@ optional_policy(`
+@@ -766,6 +1215,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -29382,7 +29409,7 @@ index 17eda24..3ac9985 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -775,10 +1227,20 @@ optional_policy(`
+@@ -775,10 +1228,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -29403,7 +29430,7 @@ index 17eda24..3ac9985 100644
 	quota_manage_flags(initrc_t)
 ')
-@@ -787,6 +1249,10 @@ optional_policy(`
+@@ -787,6 +1250,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -29414,7 +29441,7 @@ index 17eda24..3ac9985 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
-@@ -808,8 +1274,6 @@ optional_policy(`
+@@ -808,8 +1275,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
@ -29423,7 +29450,7 @@ index 17eda24..3ac9985 100644
 ')
 optional_policy(`
-@@ -818,6 +1282,10 @@ optional_policy(`
+@@ -818,6 +1283,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -29434,7 +29461,7 @@ index 17eda24..3ac9985 100644
 	# shorewall-init script run /var/lib/shorewall/firewall
 	shorewall_lib_domtrans(initrc_t)
 ')
-@@ -827,10 +1295,12 @@ optional_policy(`
+@@ -827,10 +1296,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
@ -29447,7 +29474,7 @@ index 17eda24..3ac9985 100644
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,12 +1327,35 @@ optional_policy(`
+@@ -857,12 +1328,35 @@ optional_policy(`
 ')
 optional_policy(`
@ -29484,7 +29511,7 @@ index 17eda24..3ac9985 100644
 	ifdef(`distro_redhat',`
 		# system-config-services causes avc messages that should be dontaudited
-@@ -872,6 +1365,18 @@ optional_policy(`
+@@ -872,6 +1366,18 @@ optional_policy(`
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
@ -29503,7 +29530,7 @@ index 17eda24..3ac9985 100644
 ')
 optional_policy(`
-@@ -887,6 +1392,10 @@ optional_policy(`
+@@ -887,6 +1393,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -29514,7 +29541,7 @@ index 17eda24..3ac9985 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1406,218 @@ optional_policy(`
+@@ -897,3 +1407,218 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -33153,7 +33180,7 @@ index 9933677..ca14c17 100644
 +
 +/var/run/tmpfiles.d/kmod.conf --	gen_context(system_u:object_r:insmod_var_run_t,s0)
 diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
-index 7449974..6375786 100644
+index 7449974..28cb8a3 100644
 --- a/policy/modules/system/modutils.if
 +++ b/policy/modules/system/modutils.if
@@ -12,7 +12,7 @@
@ -33210,7 +33237,32 @@ index 7449974..6375786 100644
 ##	Read the configuration options used when
 ##	loading modules.
 ## </summary>
-@@ -308,11 +346,18 @@ interface(`modutils_domtrans_update_mods',`
+@@ -208,6 +246,24 @@ interface(`modutils_exec_insmod',`
 	can_exec($1, insmod_exec_t)
 ')
 +#######################################
 +## <summary>
 +## Don't audit execute insmod in the caller domain.
 +## </summary>
 +## <param name="domain">
 +## <summary>
 +## Domain allowed access.
 +## </summary>
 +## </param>
 +#
 +interface(`modutils_dontaudit_exec_insmod',`
 +    gen_require(`
 +        type insmod_exec_t;
 +    ')
 +
 +    dontaudit $1 insmod_exec_t:file exec_file_perms;
 +')
 +
 ########################################
 ## <summary>
 ##	Execute depmod in the depmod domain.
@@ -308,11 +364,18 @@ interface(`modutils_domtrans_update_mods',`
 #
 interface(`modutils_run_update_mods',`
 	gen_require(`
@ -33231,7 +33283,7 @@ index 7449974..6375786 100644
 ')
 ########################################
-@@ -333,3 +378,25 @@ interface(`modutils_exec_update_mods',`
+@@ -333,3 +396,25 @@ interface(`modutils_exec_update_mods',`
 	corecmd_search_bin($1)
 	can_exec($1, update_modules_exec_t)
 ')
@ -35968,7 +36020,7 @@ index 40edc18..7cc0c8a 100644
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 +
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..7bb31c4 100644
+index 2cea692..b324c5c 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@ -36001,6 +36053,15 @@ index 2cea692..7bb31c4 100644
 +	seutil_run_setfiles(dhcpc_t, $2)
 ')
 ########################################
@@ -231,7 +250,7 @@ interface(`sysnet_rw_dhcp_config',`
 	')
 	files_search_etc($1)
 -	allow $1 dhcp_etc_t:file rw_file_perms;
 +	rw_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
 ')
 ########################################
@@ -269,6 +288,7 @@ interface(`sysnet_read_dhcpc_state',`
 		type dhcpc_state_t;
@ -36757,10 +36818,10 @@ index 0000000..e9f1096
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..35b4178
+index 0000000..1d9bdfd
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1400 @@
+@@ -0,0 +1,1419 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@ -38039,6 +38100,25 @@ index 0000000..35b4178
 +	allow $1 power_unit_file_t:service start;
 +')
 +
 +########################################
 +## <summary>
 +##	Status power unit files domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed to transition.
 +##	</summary>
 +## </param>
 +#
 +interface(`systemd_status_power_services',`
 +	gen_require(`
 +		type power_unit_file_t;
 +	')
 +
 +	systemd_exec_systemctl($1)
 +	allow $1 power_unit_file_t:service status;
 +')
 +
 +#######################################
 +## <summary>
 +##  Start power unit files domain.
@ -38163,10 +38243,10 @@ index 0000000..35b4178
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..c31945a
+index 0000000..2109915
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,652 @@
+@@ -0,0 +1,653 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -38466,6 +38546,7 @@ index 0000000..c31945a
 +files_read_generic_tmp_symlinks(systemd_tmpfiles_t)
 +files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
 +files_delete_boot_flag(systemd_tmpfiles_t)
 +files_delete_all_non_security_dirs(systemd_tmpfiles_t)
 +files_delete_all_non_security_files(systemd_tmpfiles_t)
 +files_delete_all_pid_sockets(systemd_tmpfiles_t)
 +files_delete_all_pid_pipes(systemd_tmpfiles_t)
@ -38778,7 +38859,7 @@ index 0000000..c31945a
 +#
 +# systemd_sysctl domains local policy
 +#
-+allow systemd_sysctl_t self:capability net_admin;
+allow systemd_sysctl_t self:capability { sys_admin net_admin };
 +allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
 +
 +kernel_dgram_send(systemd_sysctl_t)
@ -39117,7 +39198,7 @@ index 9a1650d..d7e8a01 100644
 ########################################
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 39f185f..ef4c635 100644
+index 39f185f..d3c9fcc 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
@ -39314,7 +39395,7 @@ index 39f185f..ef4c635 100644
 ')
 optional_policy(`
-@@ -249,17 +270,27 @@ optional_policy(`
+@@ -249,17 +270,31 @@ optional_policy(`
 	dbus_use_system_bus_fds(udev_t)
 	optional_policy(`
@ -39336,6 +39417,10 @@ index 39f185f..ef4c635 100644
 +
 +optional_policy(`
 +	gpsd_domtrans(udev_t)
 +')
 +
 +optional_policy(`
 +	kdump_systemctl(udev_t)
 ')
 optional_policy(`
@ -39344,7 +39429,7 @@ index 39f185f..ef4c635 100644
 ')
 optional_policy(`
-@@ -289,6 +320,10 @@ optional_policy(`
+@@ -289,6 +324,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -39355,7 +39440,7 @@ index 39f185f..ef4c635 100644
 	openct_read_pid_files(udev_t)
 	openct_domtrans(udev_t)
 ')
-@@ -303,6 +338,15 @@ optional_policy(`
+@@ -303,6 +342,15 @@ optional_policy(`
 ')
 optional_policy(`
@ -39371,7 +39456,7 @@ index 39f185f..ef4c635 100644
 	unconfined_signal(udev_t)
 ')
-@@ -315,6 +359,7 @@ optional_policy(`
+@@ -315,6 +363,7 @@ optional_policy(`
 	kernel_read_xen_state(udev_t)
 	xen_manage_log(udev_t)
 	xen_read_image_files(udev_t)
@ -44699,7 +44784,7 @@ index 9dc60c6..daee32c 100644
 +')
 +
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index f4ac38d..cf1296e 100644
+index f4ac38d..99c8197 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
@ -44788,7 +44873,7 @@ index f4ac38d..cf1296e 100644
 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
 fs_associate_tmpfs(user_home_dir_t)
 files_type(user_home_dir_t)
-@@ -70,26 +83,366 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,370 @@ ubac_constrained(user_home_dir_t)
 type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
 typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@ -44968,6 +45053,10 @@ index f4ac38d..cf1296e 100644
 +')
 +
 +optional_policy(`
 +	cvs_filetrans_home_content(userdom_filetrans_domain)
 +')
 +
 +optional_policy(`
 +	gnome_filetrans_home_content(userdom_filetrans_type)
 +')
 +
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -576,6 +576,62 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Mon Jan 6 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-11
 - passwd to create gnome-keyring passwd socket
 - systemd_systemctl needs sys_admin capability
 - Allow cobbler to search dhcp_etc_t directory
 - Allow sytemd_tmpfiles_t to delete all directories
 - allow sshd to write to all process levels in order to change passwd when running at a level
 - Allow updpwd_t to downgrade /etc/passwd file to s0, if it is not running with this range
 - Allow apcuspd_t to status and start the power unit file
 - Allow udev to manage kdump unit file
 - Added new interface modutils_dontaudit_exec_insmod
 - Add labeling for /var/lib/servicelog/servicelog.db-journal
 - Allow init_t to create tmpfs_t lnk_file
 - Add label for ~/.cvsignore
 - Allow fprintd_t to send syslog messages
 - Add  zabbix_var_lib_t for /var/lib/zabbixsrv, also allow zabix to connect to smtp port
 - Allow mozilla plugin to chat with policykit, needed for spice
 - Allow gssprozy to change user and gid, as well as read user keyrings
 - Allow sandbox apps to attempt to set and get capabilties
 - Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly
 - allow modemmanger to read /dev/urand
 - Allow polipo to connect to http_cache_ports
 - Allow cron jobs to manage apache var lib content
 - Allow yppassword to manage the passwd_file_t
 - Allow showall_t to send itself signals
 - Allow cobbler to restart dhcpc, dnsmasq and bind services
 - Allow rsync_t to manage all non auth files
 - Allow certmonger to manage home cert files
 - Allow user_mail_domains to write certain files to the /root and ~/ directories
 - Allow apcuspd_t to status and start the power unit file
 - Allow cgroupdrulesengd to create content in cgoups directories
 - Add new access for mythtv
 - Allow irc_t to execute shell and bin-t files:
 - Allow smbd_t to signull cluster
 - Allow sssd to read systemd_login_var_run_t
 - Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t
 - Add label for /var/spool/cron.aquota.user
 - Allow sandbox_x domains to use work with the mozilla plugin semaphore
 - Added new policy for speech-dispatcher
 - Added dontaudit rule for insmod_exec_t  in rasdaemon policy
 - Updated rasdaemon policy
 - Allow virt_domains to read cert files
 - Allow system_mail_t to transition to postfix_postdrop_t
 - Clean up mirrormanager policy
 - Allow subscription-manager running as sosreport_t to manage rhsmcertd
 - Remove ability to do mount/sys_admin by default in virt_sandbox domains
 - New rules required to run docker images within libivrt
 - Fixed bumblebee_admin() and mip6d_admin()
 - Add log support for sensord
 - Add label for ~/.cvsignore
 - Change mirrormanager to be run by cron
 - Add mirrormanager policy
 - Additional fixes for docker.te
 - Allow cobblerd to read/write undionly.kpxe located in /var/lib/tftpboot
 - Add tftp_write_rw_content/tftp_read_rw_content interfaces
 - Allow amanda to do backups over UDP
 * Thu Dec 13 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-10
 - Allow freeipmi_ipmidetectd_t to use freeipmi port
 - Update freeipmi_domain_template()