From acb049dbc47bcaf2b32454c0dea4cd2c09c6d6aa Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Tue, 21 Feb 2017 14:04:18 +0100 Subject: [PATCH] * Tue Feb 21 2017 Lukas Vrabec - 3.13.1-241 - Remove ganesha from gluster module and create own module for ganesha - FIx label for /usr/lib/libGLdispatch.so.0.0.0 --- container-selinux.tgz | Bin 5822 -> 5821 bytes policy-rawhide-base.patch | 178 +++++++++++---------- policy-rawhide-contrib.patch | 289 ++++++++++++++++++++++++++++++++--- selinux-policy.spec | 6 +- 4 files changed, 369 insertions(+), 104 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index c34b7711933d016ac8f6bc7d797f57973a6c12a5..08e41542befe505de98c085378c9bfa134792d45 100644 GIT binary patch delta 5763 zcmV-}7JTWxExj!tABzY8YdWl000Zq^ZI9eGlJ?i>UmgydFF+3pm-$P z!{^nH*D~7%K-^NNH287$mnVM`))i6EVqgx;mZ}vdadO3ek_7ANWCmb$)8?w zs+WHrl<+fq;RQ*OKa$9+a<3|bjKAv@d_nLdxo=xi7GgH_0 z3Mli0XyE?}j~nnH3<;%UsE8B>#r5d$fzL@Jr|o_DO7=JJeJmLIy^Ocm1>fB2F%aSu za}}8M)lO6#@Kadb%twFgYzu>oQCer&krV1~tW1U7NxbzUsD4=GWlZPyd>;*Vo2sHlRKy zqYVSR$#*2j|4M?W$8OfOU!2h;RE)KdRc98vjbrqTf%Dh;Rl0w{`V2g$hoB^16W3XV z-1*MQ9k`yvw8F7%V!8m*JaXx>@!UyvKO4cl!w22{uWZ)i`b-NF#=96gh<7Betz;nb zSeX$Y5SahS#r=eG@VJ3ukZdzpu3`Fr1X-}}FC<^b97|c%PA1y~{4vr^VvJ3glS)Z# z4}MLmfYOgB)J}iXjTUivQttl*5)-6SzWp8eO>u(}C|v=ibh_givpmMt!3%(}u7JZ; z9D1zv?dAc*9nuAg94yNC0n0(k&)A_oWKjzrYoWnMYYb~jzGIS@GX;fr$hb76D4y33 zlYmk~QS9BYtSu46MN`Vd|6h7}f&34WKfSEV+SEiO?G=B!C2_WQDpo&5q>OX6&}b)! z&77i4f^Tl&-#hsC-Lm@GFaQ4YSF&<2EvAU0Y3l~;g$)7+py&jJm;q@YF23!fqc6YAxMJ*YJBnjRLeY{1@!pD&yd+7E$~tf=hVjJScp}Nn zqFZ-42QPm>uslXs6ON;c^ zR**&BV;Sod?3ARia(($p{RlitXBi`KY8TWtjB{B*>HT;!?cj2M*`2>0Np%%+9 z857?wwi`sg`YO!EZzQXxuo}~_Bn!(~hDmI17iug&@r+S^f|cv8F49?s)zuLe|L!0_9HzRZT9355+&iI6;no#N&2w^czX zyM`*v#2GMRGJ>W%XJWibK-^JvWI5{p8be+?`gigEiewK|er-X_lF&SP zxIzvr0?T`ff+DcZpU5)J=a{I}E(n*y{vm$}o|i|wT@W&;@-&t*02G%JR&76s(m3O5 z5juiQ(}yos66vaW0cb~>e)24n_KimAz{Y!l2a5iaM=MZCQntR3>Wk~oyf&zBV6A6| zfoM0lhR_egCc0abSsQ7?KFAHaSKFzt^c%un&O2!n_Bt+=8QQOP;Qj5FpV~UmuX%s; z6`}J8L|W9#;KS7}!ymIPmk)Ji3JPyI?QP*1_#JXc)`!!1qFPmcWbeSfL|O;S8fxW< z_AxUGlUXqo3~M*D@pj|X9^x|3(n*_^({vZB=dsorqv2ilsNK9X+_iw7u79!DKIiI; zqZvThTD*_2NiTsL9*y@|knjoXefobe%^(AXvDHaWC@W_7Y}gPK_l0pzjO7;=$zFcs zvI79`49qRH`6mC~DZ6OC#z;7xTNx+g);VcsL$NS0vPpx#U*t&~KC=-nje^1o7{Cmu zqyzR+c|T$_e6_T(*AMFIAR@H}7GL)AD~o7j^_>!T$})7Mh0^3B<4F~y!Q+49;uiEB zb!@ERiR8NEf^&Bq6<(+y9P4M*DBGORU$4%?T0dRw9?pUysX@d#D??67a39n4-Si2g z>CL{QiWwNUd7VX+O&Ij1E+fmhL%4xIA}+VB;w&G8+QK0fEMLc~ov;c9*|P>-tQnja zpmM^3Rz4RwG?#0tF=&UR_bu=Fxhi#DEh6pZEt>jggSGBqW*s)_f@oFaZ)?n 
zfGZ}8FTF-%+xgVP`iCa(9@PoCXhy?p@9ovi)y*W4wK?~GCSd~d0XMiHiZ)DQM1+PS@}dwi7X%|0 zpcwD*KtQOKYLr31v?hOPK4eC|B=P?K(=T3;msJy*Q3!Fw(NV@!brx*ZHZ&SLXmPK- zU64?6*{hPM5m)wvcS$t>L+PoA2i})?U3eG5T5&0ap+haiTFn94dYBYkXl@*!0?8H| zkdan>tV=C*G#0281tiTgpNsqpO-Z(cYdn`v>+SD8tmok&$o7BiZOSY>I=ChiDx!`# zntiUWdgj_~)HOtuijOYDl7Tf4!DxQTb}Lj;_u0w!UtKoxX9Lcw_M#!Z6Ys4S8MR%? z-n1JcaM5`?97l~Mvs*2F8{TKcGLtJUK?IO2E zW?oP6n>Af)@zsA?wY!+o(#;VQ8J}{|&!s~fR8UyQ`#~2My-b!Fo)&{yj*pt2fge4@ zPF5>2`pO2_+=tkp!%s6l(&|SQ8*sx>r5~kw(|8ZHZx`u;53MxDGWw*$q7(~ux0H^L zM4FteUjeLPaHdcGKD8G;FCeHW_mFerj;oW#|$_t6Uv`D5nY z$FS`0;2VJLD5>JeOYgHh^02bZo58+q5mPUDJIii)U86!;hz%h?~`YEy8F%*K;L zSHK)(vcd}})p`YJqdhh^qO8dfoZ){Ot2@1QEZFcg-fYCtP$NfVUF^|} zrb{hC?@ON3Gj>D{MXJ!f#Vuej@^WUAxuT=(ww4 zaio8m+5i?&_kO_mo8M`kUBSzjwg!CE?tF%-)Tg080(SjT#J%!qa8Eievjc$@`7tl= zuYl~|@`CK@BzZ>L1aKhDADH1H^B#$J2;fKHZ3!~Kqj^%}W*2h(ry#&QQO-=ayBymA zo%@>mh#vDgiA3S}I|WS))|ap@2>@6fTw;G0%0GbcgJXtPZIp^+%MuporPV9d4ZCny z_p1yh>0v=UQSosd#Z6U~(UkNDS5AW6o?TnIRE6R10L>0adp71*)cLgs&tUMI|{N~9z3ykX`5JZqTQaJ%jq=V2fqb;F=( zI~x!#!+3a4LT~IoHgcvl(4*D9|M-(|+6c>Z*LS0Bi{j9^2X2x?1VV8)G>eDQ%W0K5 zBNf^mT*=uXjAt5FiDBO@i60T!i4^!j!vl%j3P57x9E*@y!aPljggp7IgU9nS$Iw&` zYBP;#1=8~R|N=EUuc5gtfBX)rE$a<0+BnCCK&#)xsl z&KtqPo~*cnlJBzVbDG52y_r@V&j?IY7f3n{GF6aPd5Ozl89e&Tq51^+bQIHj13h!; zp)kuReT=K{pr;duwEDaSie^Fb8&Rn2Dslq~6d6q^@GInnYw5)Jes+G*71aq2}Q8!vy_I zao$B@tK{;BA#0Pd0D_T^6sY-*h&0__?U_&A2gJ^7`9z3q2 zvFDvQh|y>Snd@m+_JcdLfUbC4ge(Baf={A-*~XrH)J1%FD2spiu5x-b%STHjiWkbe z2u3=`upMsgz0kF7$>yg+c^y=sz&+K7f)*=^DhLfwc`y^1vis zRpyp*@e)KV(n^1kUx7%K`hRu~Mo0>8dfeoW%t{kA~fQsI#mazO#cxcwsS;#ft z*|5>qL|U8n0Bx4C@|$1sLSlV6GW5_zUu|glR?~L4L6fU7Tj2w%(W=eCyP_?~(t2$s z89*{Mk9mJy>h%77(T*?pj>mMTY#X9&O{F;$zw)a*4SOPfjE0dN0xJ<82K;6fyjli_ zkD*Q0`)QiOFeEKD=>R(VGzbqsXUg%)RPrt^$s>%EXtbfPj7&wnVAdwCZnPQGzSNX4 zV;kfQ%_YXOWtW?Cm9ULXn^e?8Tvp?IeNJZCfwO=2E)!oz>5F55V`WP^+dSmd(y`-8 zFK2Bh0~>^fT<6{{FLAdm0NPuJe9BvBZqn=K++1_bLnn{ubKM^3ZWrNYk{@I<#k!$Z z+cZ>I29PTOS`-95p2mpT`Eq?LEqg>wg*Asecu3M&hq#Sv)Rub2MyfdD*$mW{GHg$r 
z%6osnbq4VfBe0sSYnu-E6?~()I(~tX(x%-@usLTp4rq_}up^eo#N^t}Z4U0E8recO z;S}Ob=+yj*hgu+51{}Ktu{9eR4MUon4)k--twdqu&^YR=yyNynvxi2$T9z_V1M}+G z-p*iL>lt~w;5V4cOW*{GCFQN_sskG7 ze4-iay%-XW?X)4aIWij}#n~s%t7*a99D@z{xL2+rohk6DzO*~{eyU5*imK$9AG3-1 zop`W1gBpv%_zLe1_B1-94v!WWesg##-r=x#Z2*O}k>ULv%%ngO|P#*Ks*m@DJIh)%(oa+r& zk(tMVk2{NO^TbW^b;-_Rs`;D-%*av(kMR<%z88NMuqF>^IkDBmAxO6)(fCaX!zWH* zxsFI(u@{$rXvALCjak!ptSYw%ylO&JSmhooq>y4HiX-Xh{;rx3;iRkW2%Ud5fUMF- zff-0!uUg+*rh42!OD+wsdj2|_FR!<o)8|=zJgV<8mpoV|`gVrK5z-L#7IASweM_e4#kd-<@|KlU8IUjNC7W~mX zx0oqa17Pq64|VzESW6-AZI$dUcKS77EHBLVC=T{c%jg)^gr(`#Ywx%A-h4Gq!W0K5 z_S9xOUdJWL*f!?U#GU=9FVj%&a8zNXS+V0WeP+W3r8F{clP&qi9U^}s^OwH7a7{<2 zrcbYSC%fCye*fpq58u7}esKTi&Fy;s=jTY*7$154>lMEhj9u1?LxMb2;;Ku(z7wLj zylVx3xQU124WZXHEw7V!i+j^+j&ptW?b(|*&S-LDD*m1XqUu1!-=$mx8no9IZz(|7 z_rF27rSRZgxExwT^29>^99b`jA5&i1h zU-1$scP8@dq{e~e@qKq>_e!&q`^x}hgwxbG zdAdZyQ6w)@Jw&>0{;2ID96U+_Stq-|Ji(lo$oi>&^vu`8FDd}cMJyu+B>uwUK*BCA z6?(wO3kT2(W-dq4t-rOYCxSHubEdKek5}&3t0Imj=_4a>Xz2nxx(wbM5puf>3&jG! zl{`8Xbl?tGHYif@$=0O?{3sjNN?ZXe*f;9H*as=y}5b+_J_Cczqxty_V&%&Z@imRRY*-Wt%B0? 
zzDXX+U`s+H-Prs8qiJ(~?)^yXG!4qiIM2LL4it}M zd-%Ni@mglv0Ek=alm2F5UOu@LqH8+OtVrduHm| zUIAsE5Dola;c){Vgdw4H3>A^Wptv3#KJYndwA`ze;~MSf7FC^bnNfYvMYq zkUQTwxdYdem{vHpO-vU+nnx~OHl91l?q?&ocle;Y|CP;pT%Tz{!gv=$2l0-?wUrD+ z9xF5A0|N6OxwxND4jwm943cdI%QZ~@k01;7{e|S~m}4oc+R0>_fImjMNsO@xb5bd( z?ZK}}6;S#Sh1!2YkD2lxsmbE3KxM)gw`2PzpFOdI1@~0P7S(}=Oq`iM)wmY zv6)kpN$~A0{Cf-kzF$^9`{mz%{z_I3ro|L-G;Q60y|6*x02G~|5Hld{!^O9Kl#~yP z*dP}&R2lZ&&$J?GSS3?UNd0$p7FUe@ZAWqJNGMveAl_Rsl9wdOQCSC0#W0@O8&4#e zS#;|z=iq+@2$shPYr=6f`%$GPclhBoBcs`oj^q**^27ore#+dNvjT=#nd1x?v5+pZ z%?h%}dn{v}f}N5SR<18UsULwy=`16prY9O2=!ewf*pl}XxY=i>=k>VRot8!QJaq~8 zdiX|mdK2x9HHE=eJu~r$bD_&rIYWA^jmSe$G2?$ezC=dhr-r|h@Gd-*KA#|uKGb3v zCS&5;#dd?pS6_wM_>E-M6joyzmSkZ$%P@)U?Lv*^N4}^f_JVsiD9gWrqS-^@yZ!`8 z^1UUivKAUB4tYxYV?Zp5V$qeBe#6p;B(J;|&AThe_u_IkPLzlD^Fb)&_6Ie>r*qIi z)mMLUUWZ8x-8&zNw{3x%%;F8l$isP@?bUz^3>bcU(3jaTG@-B|DiM;Wuv5Go{5#}`Za%# zz9MuUfk=yb8GN|fW%y&Za9^*q*EV>GiLv~`BH7E2 zTy_B9oq@TfHs9pmJ7pKm*BA-Mb1UOy+&U-iY$z56MmA~i_lrD(hA)>k_WD6x9Ymzoz~akZeq|ADtiDs?PFaSIv{0ISWIU;YG&-NRW>BsGXwXJyDq3GQRMzMDQ_ zG`-n(R51hNHm|dYvI&FU)MaEDcL+D|N5ti}Rh;F6P+K^pg5~RYwG&psAbZxpi#3Du z0#r^|(8}i`hvsrkHKxl3wl9Aid)`)eZd|lY_2YEhiPx6Idqb%fH@bD>T3ayrxC!kY z=G2A^D%I(|wjgO^%6fHiL(+y=wMhNf4U!$IiSp4R;af|UhM^FO);O?|_G1|gZ12Vb z^qAhfwA8BW!8R$a`n;;6P01=B+e#g-9VUB@4Mo58w(ZT2k5FfBP}F~a>s%zMb){09Z3>|7A)@lyW*2ARWLUZE)6-c(& zfQ+>2V_j;gqp?7(C?IK``CQ~*XiBmjT;sWXT5o^%VLcBILAHNqZ&POB(ZMyDP!V;^ z(d=_|)ic*_qpl&MRD5(HmJF$^c~_Se~9@&?Z4>fAL2@@Z5O#U zGV^+h->m6ci?4sys@=tumTr!i$oQ0tel8u_pn}3W-VeIC=w-6Z@U$4ra(vYE4E*RJ zcCuQL(N{LW=03y*9e$eekybyd*nk_3D*Y(co5p*neY;2(d}yUHmeD627NuCQyQOq| zB+?Y!JiO2%4B=&XUKhKK?&Fbq)$_$L%MeUB>$_M@02+U1LYhODv7PnBAftxSuyPLA z%btDMpb0V~75jbB&oXuWZ`W~{Q90GJ8-4u#%H%2avb~_!x=8F0=UbVXPLg zc1!PNNfLk1_7e17j$~>bU3*gD5&W*F3#w8kaT-^wQdC4$qQFl{%05B=4DTIk*SJP7 z^i%PZaNo;FW}SnURi*pT5v>Y~1yJf}fHEa}J7#XZEfe6hrUl6&Th9IfSDS)cWHz20 zx&r1PlNDY-A$JUw2i3xAs@5w&8||^V5oJw=;0%A)Sl#KZW5I@}@n$2Ah8j5{>tc^) zG+k;DdSCLKp0OixC{l&)Ep7pOk(V=@%oQD-=Xp+Z&1gMU%c-pr?IX68#kqN(nrPK| 
zjooV=%x$U_Yw{#9;pu~U-M|#aHQ`d9E}f(yL%5TZk)IQUWwioKu@vsgJZ+anT(5?a zh$Da1)CRDKy7vRdU;j??>gL~3(nH>nM$d7q> ze+6X!mKS7KC&@F~CV&HJ{=f_unfFM%LjXSlZ%dE?9?g>)H@lGQKLr8iiE?JT-R0O0 z=-gM_NA#H2NhAu#-zjKfu)c(KNdUm=;1YkkQ2qgg9~?8ZYNJ#nTb8guFRfmwZrFvx zx|faLCV++y?O2^ReLK4zFtW&-SRn2_8zoh(jUq2kwDI)neK{z4CCF~ zAav%%$-r&vqN8OAia;iHeWwC~m5sT&4O z+u49{8OFnV5_)6zv5_;afgY{){l}k#(?(dPyS^K3TNH=RJ#dpGA`ptZp;=}i4qyg z7xWRnt0Q*Pj3|V^p*E(ph6yxuZ1n*Tmt87)AW33@Lyn<)fVr6V@Ux6VKg%OS71S)0 zWD%6~&}55uGcwIAtLMoxWMi#jU5H^dpVK7H?#;B~ct&8Fx0?}l2R)rQq}AswDECqRXn+>?YRRZsJryIu_qC}-?a4tLXRLqtlbp$A13H$ zit{cKTP2@gNMYcuAZDvVytCqJPB@lDYBUF2^4GkDTMLC5;HAFQ9Sq<+p(89dWR44N zte=+~|3t_Gp9D@$ZWe#}zB%`jr;wlF#?a6y5g}0!`e-vK;|M(@)jp2!qhK)}q^j}f zGZj%G_-&i#75f5Oo%|}!A%kK!DWpS`AwIC1Ska;iOjR13Z5}HC1{(@FA4Fpl_26+G zjXm$gL5xNt$XrjmvLD=`1$4#ZB4hzT7JL%z%Qp7pqb}mZLs@^sca_tlSw31KQM^#z zMKIDihV5``@12%)XfJlP9ID}%LgjAP6ekUR&(-~hxB!us?eY(Q2T~L65F>68e;2iWdqwSb)h%xDHI}rL;rzk_W_hlO4lF`4XkZwk_RU7 zsxr5fi*YekNNRQ`m>2OL$Zf6y|^6mPddk|(}!aYT^b;kpY zTH1!RsM043iJbp{WNb7e6wMwdl-*rtxcY^7CAVK0>$$<@161@@wS?t|!b7v3&O)yF z&W4S?Ceqrp2WYdDmEZi57ZU5sk)ek!`f5YVx0<%Y4Vqky*$N+6jaF?A-W6>@mey-C z$pDh6dCY(FQm6Oti*|g$cRZ#$W!n&KYbwp5_?2JfY1k9-V>FEH5Lk)$FyJ?<;MFoX zd<<=}-cQpMh9POONe9r;r$KlCI#Z69rjmDYNgiROM57ITX=Ezu1+zABb)(Ig_NAtb z8QUOdXf83HExX*DtAuTA+N7c$;<6gw>vJ;84xE3zcbWJ)N?#lc94lMW+2$dqmW~}) zdO2%58Q35+HOce@BLll&l?Db@|O z+NPnxGJsqO(4rvd@ia!v&X?<3Y1t!cDy%u&!9$YHI>c>UqqfvDHd4hI&t{;ulwo_~ zRNj9Bt}}>_7=hJnUE6fPuizWa)$t3Als4^Ng3UR*aX@>#haIszCMMT*ZgX%S)yNjQ z38xTeLZ{|eJk$cgGT_)Hh^^VkXc*GmbfBMuZY2sMhsIG~mUIHgjEGchYR~^_`F>`-Ni^?B!GoR`=96=T`zutC*BbQf~Vu zuGtDrlRT02>&WR_?8grHbPO<+s2mU%otc>fq zyisc;fMonyFx$J)SdxX{tgGS%Y-T5@T4)$`Zce0jZhOE>P`X3)z&H0F9x8RTF zxy4MW8UTYoc&N)K$65+`Z>wZ?vD2>sV|ih=M{%%sT1LmPCM-=aUwOZ^_vWi{5~esf zv8OiM@j5O^#vK zkrj+>m8Wu^EVii_1)poZLlvovg$KjcZBlGoE&q5k!g z4mAEn%cVvDRRNcoP2HKaI0uvxmK$R&v`|dM=e+5wT;nLvNhJl$1&FQ7e>ro;3gzWo zi~%iL42`is)D0 z{fd`BxigVpCp8W%kMFx9yH}c>++PM5Bb=s=BO9K$d12xpa6r600LJo~^G9tL;owmc$U4~t<_YG!MAlFJqi4Pzeo+BnE@BxuAn_L#2NHI1 
zsn7#HUO0eWFmp(eZvCxIJrS%Sm@}0%c)W7IUKMdPNgo-3LrWLn(Pi*ni;&x8SSS_% zuH@0FpaXZfBF6w&QF|sx0Cs_>3bdbxBPGd~-kq> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index e100d88..342fb1e 100644 +index e100d88..d780b64 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -126,6 +126,24 @@ interface(`kernel_setsched',` @@ -19561,7 +19571,34 @@ index e100d88..342fb1e 100644 ') ######################################## -@@ -2085,7 +2241,54 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -2048,6 +2204,26 @@ interface(`kernel_read_rpc_sysctls',` + list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) + ') + ++ ++######################################## ++## ++## Read RPC sysctls. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kernel_rw_rpc_sysctls_dirs',` ++ gen_require(` ++ type proc_t, proc_net_t, sysctl_rpc_t; ++ ') ++ ++ rw_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) ++') ++ + ######################################## + ## + ## Read and write RPC sysctls. +@@ -2085,7 +2261,54 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -19617,7 +19654,7 @@ index e100d88..342fb1e 100644 ') ######################################## -@@ -2282,6 +2485,25 @@ interface(`kernel_list_unlabeled',` +@@ -2282,6 +2505,25 @@ interface(`kernel_list_unlabeled',` ######################################## ## @@ -19643,7 +19680,7 @@ index e100d88..342fb1e 100644 ## Read the process state (/proc/pid) of all unlabeled_t. ## ## -@@ -2306,7 +2528,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2306,7 +2548,7 @@ interface(`kernel_read_unlabeled_state',` ## ## ## 
@@ -19652,80 +19689,56 @@ index e100d88..342fb1e 100644 ## ## # -@@ -2488,6 +2710,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2488,21 +2730,39 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## +-## Do not audit attempts by caller to get attributes for +-## unlabeled character devices. +## Read and write unlabeled sockets. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`kernel_dontaudit_getattr_unlabeled_chr_files',` +interface(`kernel_rw_unlabeled_socket',` -+ gen_require(` -+ type unlabeled_t; -+ ') -+ + gen_require(` + type unlabeled_t; + ') + +- dontaudit $1 unlabeled_t:chr_file getattr; + allow $1 unlabeled_t:socket rw_socket_perms; +') + +######################################## +## - ## Do not audit attempts by caller to get attributes for - ## unlabeled character devices. - ## -@@ -2525,7 +2765,7 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` - - ######################################## - ## --## Allow caller to relabel unlabeled files. -+## Allow caller to relabel unlabeled filesystems. - ## - ## - ## -@@ -2533,18 +2773,17 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` - ## - ## - # --interface(`kernel_relabelfrom_unlabeled_files',` -+interface(`kernel_relabelfrom_unlabeled_fs',` - gen_require(` - type unlabeled_t; - ') - -- kernel_list_unlabeled($1) -- allow $1 unlabeled_t:file { getattr relabelfrom }; -+ allow $1 unlabeled_t:filesystem relabelfrom; ++## Do not audit attempts by caller to get attributes for ++## unlabeled character devices. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`kernel_dontaudit_getattr_unlabeled_chr_files',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ dontaudit $1 unlabeled_t:chr_file getattr; ') ######################################## - ## --## Allow caller to relabel unlabeled symbolic links. -+## Allow caller to relabel unlabeled files. 
- ## - ## - ## -@@ -2552,13 +2791,32 @@ interface(`kernel_relabelfrom_unlabeled_files',` - ## - ## - # --interface(`kernel_relabelfrom_unlabeled_symlinks',` -+interface(`kernel_relabelfrom_unlabeled_files',` - gen_require(` - type unlabeled_t; - ') +@@ -2525,6 +2785,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` - kernel_list_unlabeled($1) -- allow $1 unlabeled_t:lnk_file { getattr relabelfrom }; -+ allow $1 unlabeled_t:file { getattr relabelfrom }; -+') -+ -+######################################## -+## -+## Allow caller to relabel unlabeled symbolic links. + ######################################## + ## ++## Allow caller to relabel unlabeled filesystems. +## +## +## @@ -19733,17 +19746,20 @@ index e100d88..342fb1e 100644 +## +## +# -+interface(`kernel_relabelfrom_unlabeled_symlinks',` ++interface(`kernel_relabelfrom_unlabeled_fs',` + gen_require(` + type unlabeled_t; + ') + -+ kernel_list_unlabeled($1) -+ allow $1 unlabeled_t:lnk_file { getattr relabelfrom }; - ') - - ######################################## -@@ -2667,6 +2925,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ++ allow $1 unlabeled_t:filesystem relabelfrom; ++') ++ ++######################################## ++## + ## Allow caller to relabel unlabeled files. + ## + ## +@@ -2667,6 +2945,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## @@ -19768,7 +19784,7 @@ index e100d88..342fb1e 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2694,6 +2970,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2694,6 +2990,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## 
@@ -19794,7 +19810,7 @@ index e100d88..342fb1e 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2803,6 +3098,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2803,6 +3118,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') @@ -19828,7 +19844,7 @@ index e100d88..342fb1e 100644 ######################################## ## -@@ -2958,6 +3280,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2958,6 +3300,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -19853,7 +19869,7 @@ index e100d88..342fb1e 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2972,5 +3312,649 @@ interface(`kernel_unconfined',` +@@ -2972,5 +3332,649 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -37802,7 +37818,7 @@ index 0000000..c814795 +fs_manage_kdbus_dirs(systemd_logind_t) +fs_manage_kdbus_files(systemd_logind_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 73bb3c0..7b05663 100644 +index 73bb3c0..5d62107 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -1,3 +1,4 @@ @@ -37886,7 +37902,7 @@ index 73bb3c0..7b05663 100644 /usr/lib/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/libGLdispatch/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libGLdispatch.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/ADM_plugins/videoFilter/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -43211,7 +43227,7 @@ index 3822072..d358162 100644 + allow semanage_t $1:dbus send_msg; +') 
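Review bot: The replacement pattern `/usr/lib/libGLdispatch.*` in libraries.fc is much wider than the one file named in the changelog. `.*` also matches `/`, so every regular file whose path starts with that prefix is labelled `textrel_shlib_t`. The neighbouring entries all anchor on the `.so` suffix, and the same form would cover libGLdispatch.so.0.0.0 without the extra reach: `/usr/lib/libGLdispatch\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`.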
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index dc46420..8d4ed0f 100644 +index dc46420..a86e9eb 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,16 @@ gen_require(` @@ -43746,7 +43762,7 @@ index dc46420..8d4ed0f 100644 ') ######################################## -@@ -522,111 +597,201 @@ ifdef(`distro_ubuntu',` +@@ -522,111 +597,202 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # @@ -43911,6 +43927,7 @@ index dc46420..8d4ed0f 100644 +fs_getattr_all_files(setfiles_domain) +fs_search_auto_mountpoints(setfiles_domain) +fs_relabelfrom_noxattr_fs(setfiles_domain) ++fs_mount_tracefs(setfiles_domain) + +selinux_validate_context(setfiles_domain) +selinux_compute_access_vector(setfiles_domain) @@ -47071,10 +47088,10 @@ index 0000000..86e3d01 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..c6280dc +index 0000000..0100a56 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,1017 @@ +@@ -0,0 +1,1018 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -48072,6 +48089,7 @@ index 0000000..c6280dc +# + +allow systemd_bootchart_t self:capability2 wake_alarm; ++allow systemd_bootchart_t self:unix_dgram_socket create_socket_perms; + +kernel_dgram_send(systemd_bootchart_t) +kernel_rw_kernel_sysctl(systemd_bootchart_t) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 2396b2bb..30ee75ed 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -12878,7 +12878,7 @@ index 85ca63f..1d1c99c 100644 admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) files_list_etc($1) diff --git a/cgroup.te b/cgroup.te -index 80a88a2..ec869f5 100644 +index 80a88a2..71c25c3 100644 --- a/cgroup.te +++ b/cgroup.te @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) 
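Review bot: `fs_mount_tracefs(setfiles_domain)` is added to the setfiles local policy in selinuxutil.te with no comment and no changelog entry, and a mount permission is an unusual grant for a relabelling domain. The hunk does not show why it is needed, so the reason should be recorded next to the call, for example `# <why setfiles needs to mount tracefs; bug reference>`. The surrounding setfiles block starts and ends outside the hunk.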
@@ -12906,7 +12906,7 @@ index 80a88a2..ec869f5 100644 domain_setpriority_all_domains(cgclear_t) fs_manage_cgroup_dirs(cgclear_t) -@@ -64,23 +66,25 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms; +@@ -64,23 +66,26 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms; kernel_list_unlabeled(cgconfig_t) kernel_read_system_state(cgconfig_t) @@ -12930,12 +12930,13 @@ index 80a88a2..ec869f5 100644 -allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override }; allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:unix_dgram_socket { write create connect }; ++allow cgred_t self:netlink_connector_socket create_socket_perms; +allow cgred_t cgconfig_etc_t:file read_file_perms; allow cgred_t cgrules_etc_t:file read_file_perms; allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -@@ -99,10 +103,11 @@ domain_setpriority_all_domains(cgred_t) +@@ -99,10 +104,11 @@ domain_setpriority_all_domains(cgred_t) files_getattr_all_files(cgred_t) files_getattr_all_sockets(cgred_t) files_read_all_symlinks(cgred_t) @@ -14855,10 +14856,10 @@ index cc4e7cb..f348d27 100644 domain_system_change_exemption($1) role_transition $2 cmirrord_initrc_exec_t system_r; diff --git a/cmirrord.te b/cmirrord.te -index bbdd396..8328b95 100644 +index bbdd396..28b1761 100644 --- a/cmirrord.te +++ b/cmirrord.te -@@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t) +@@ -23,13 +23,14 @@ files_pid_file(cmirrord_var_run_t) # Local policy # 
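Review bot: The added `allow cgred_t self:netlink_connector_socket create_socket_perms;` in cgroup.te is broader than the rule directly above it, which limits cgred_t to `{ write bind create read }` on `netlink_socket`. If the new class is only meant to carry the existing access over, mirroring that set keeps the domain's least-privilege shape: `allow cgred_t self:netlink_connector_socket { write bind create read };`. The cmirrord.te and quota.te hunks do not have this mismatch, since their existing `netlink_socket` rules already use `create_socket_perms`.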
@@ -14867,7 +14868,14 @@ index bbdd396..8328b95 100644 dontaudit cmirrord_t self:capability sys_tty_config; allow cmirrord_t self:process { setfscreate signal }; allow cmirrord_t self:fifo_file rw_fifo_file_perms; -@@ -42,16 +42,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file) + allow cmirrord_t self:sem create_sem_perms; + allow cmirrord_t self:shm create_shm_perms; + allow cmirrord_t self:netlink_socket create_socket_perms; ++allow cmirrord_t self:netlink_connector_socket create_socket_perms; + allow cmirrord_t self:unix_stream_socket { accept listen }; + + manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t) +@@ -42,16 +43,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file) domain_use_interactive_fds(cmirrord_t) domain_obj_id_change_exemption(cmirrord_t) 
@@ -30858,6 +30866,243 @@ index e5b15fb..220622e 100644 allow games_t self:process execmem; ') +diff --git a/ganesha.fc b/ganesha.fc +new file mode 100644 +index 0000000..c5982d5 +--- /dev/null ++++ b/ganesha.fc +@@ -0,0 +1,11 @@ ++/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:ganesha_exec_t,s0) ++ ++/usr/lib/systemd/system/nfs-ganesha-config.* -- gen_context(system_u:object_r:ganesha_unit_file_t,s0) ++ ++/usr/lib/systemd/system/nfs-ganesha-lock.* -- gen_context(system_u:object_r:ganesha_unit_file_t,s0) ++ ++/usr/lib/systemd/system/nfs-ganesha.*e -- gen_context(system_u:object_r:ganesha_unit_file_t,s0) ++ ++/var/log/ganesha.log -- gen_context(system_u:object_r:ganesha_var_log_t,s0) ++ ++/var/run/ganesha(/.*)? gen_context(system_u:object_r:ganesha_var_run_t,s0) +diff --git a/ganesha.if b/ganesha.if +new file mode 100644 +index 0000000..d9ba5fa +--- /dev/null ++++ b/ganesha.if +@@ -0,0 +1,147 @@ ++ ++## policy for ganesha ++ ++######################################## ++## ++## Execute ganesha_exec_t in the ganesha domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ganesha_domtrans',` ++ gen_require(` ++ type ganesha_t, ganesha_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, ganesha_exec_t, ganesha_t) ++') ++ ++###################################### ++## ++## Execute ganesha in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ganesha_exec',` ++ gen_require(` ++ type ganesha_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, ganesha_exec_t) ++') ++######################################## ++## ++## Read ganesha PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ganesha_read_pid_files',` ++ gen_require(` ++ type ganesha_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, ganesha_var_run_t, ganesha_var_run_t) ++') ++ ++######################################## ++## ++## Execute ganesha server in the ganesha domain. 
++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ganesha_systemctl',` ++ gen_require(` ++ type ganesha_t; ++ type ganesha_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 ganesha_unit_file_t:file read_file_perms; ++ allow $1 ganesha_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, ganesha_t) ++') ++ ++ ++######################################## ++## ++## Send and receive messages from ++## ganesha over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ganesha_dbus_chat',` ++ gen_require(` ++ type ganesha_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 ganesha_t:dbus send_msg; ++ allow ganesha_t $1:dbus send_msg; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an ganesha environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`ganesha_admin',` ++ gen_require(` ++ type ganesha_t; ++ type ganesha_var_run_t; ++ type ganesha_unit_file_t; ++ ') ++ ++ allow $1 ganesha_t:process { signal_perms }; ++ ps_process_pattern($1, ganesha_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ganesha_t:process ptrace; ++ ') ++ ++ files_search_pids($1) ++ admin_pattern($1, ganesha_var_run_t) ++ ++ ganesha_systemctl($1) ++ admin_pattern($1, ganesha_unit_file_t) ++ allow $1 ganesha_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/ganesha.te b/ganesha.te +new file mode 100644 +index 0000000..20b9fcf +--- /dev/null ++++ b/ganesha.te +@@ -0,0 +1,61 @@ ++policy_module(ganesha, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type ganesha_t; ++type ganesha_exec_t; ++init_daemon_domain(ganesha_t, ganesha_exec_t) ++ ++permissive ganesha_t; ++ ++type ganesha_var_log_t; 
++logging_log_file(ganesha_var_log_t) ++ ++type ganesha_var_run_t; ++files_pid_file(ganesha_var_run_t) ++ ++type ganesha_unit_file_t; ++systemd_unit_file(ganesha_unit_file_t) ++ ++######################################## ++# ++# ganesha local policy ++# ++allow ganesha_t self:process { setcap setrlimit }; ++allow ganesha_t self:fifo_file rw_fifo_file_perms; ++allow ganesha_t self:unix_stream_socket create_stream_socket_perms; ++allow ganesha_t self:tcp_socket { accept listen }; ++ ++manage_dirs_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t) ++manage_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t) ++manage_lnk_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t) ++files_pid_filetrans(ganesha_t, ganesha_var_run_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t) ++manage_files_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t) ++logging_log_filetrans(ganesha_t, ganesha_var_log_t, { file dir }) ++ ++auth_use_nsswitch(ganesha_t) ++ ++corenet_tcp_bind_nfs_port(ganesha_t) ++corenet_tcp_connect_generic_port(ganesha_t) ++corenet_udp_bind_nfs_port(ganesha_t) ++corenet_udp_bind_all_rpc_ports(ganesha_t) ++corenet_tcp_bind_all_rpc_ports(ganesha_t) ++ ++logging_send_syslog_msg(ganesha_t) ++ ++sysnet_dns_name_resolve(ganesha_t) ++ ++optional_policy(` ++ dbus_system_bus_client(ganesha_t) ++ dbus_connect_system_bus(ganesha_t) ++') ++ ++optional_policy(` ++ rpc_manage_nfs_state_data_dir(ganesha_t) ++ rpcbind_stream_connect(ganesha_t) ++') diff --git a/gatekeeper.te b/gatekeeper.te index 2820368..88c98f4 100644 --- a/gatekeeper.te @@ -32165,10 +32410,10 @@ index 5cd0909..bd3c3d2 100644 +corenet_tcp_connect_glance_registry_port(glance_scrubber_t) diff --git a/glusterd.fc b/glusterd.fc new file mode 100644 -index 0000000..a3633cd +index 0000000..9806f50 --- /dev/null 
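Review bot: `permissive ganesha_t;` in the new ganesha.te leaves the domain unenforced, so the allow rules in this module only affect what gets logged, and nothing on the line says when that is meant to end. Because the same commit removes the `glusterd_exec_t` label from /usr/bin/ganesha.nfsd, the daemon appears to move from an existing domain into one with no enforcement. A comment such as `# TODO: drop once AVC denials for ganesha_t have been reviewed` above the statement would make the intent reviewable. Separately, ganesha.fc labels `/var/run/ganesha(/.*)?` while the removed glusterd.fc entry was `/var/run/ganesha.*`, so a ganesha-prefixed file directly under /var/run would no longer get a ganesha label on relabel, which is worth checking against the paths the daemon actually uses. The unit-file pattern `nfs-ganesha.*e` also looks like it has a stray trailing `e`.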
+++ b/glusterd.fc -@@ -0,0 +1,29 @@ +@@ -0,0 +1,25 @@ +/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) + +/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) @@ -32184,20 +32429,16 @@ index 0000000..a3633cd +/usr/libexec/glusterfs/peer_eventsapi.py -- gen_context(system_u:object_r:glusterd_exec_t,s0) +/usr/libexec/glusterfs/events/glustereventsd.py -- gen_context(system_u:object_r:glusterd_exec_t,s0) + -+/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) -+ +/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) + +/var/lib/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_lib_t,s0) + +/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) -+/var/log/ganesha.log -- gen_context(system_u:object_r:glusterd_log_t,s0) + +/var/run/gluster(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) +/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) +/var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0) +/var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0) -+/var/run/ganesha.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0) diff --git a/glusterd.if b/glusterd.if new file mode 100644 index 0000000..764ae00 @@ -83507,7 +83748,7 @@ index da64218..3fb8575 100644 + domtrans_pattern($1, quota_nld_exec_t, quota_nld_t) ') diff --git a/quota.te b/quota.te -index f47c8e8..d4e9042 100644 +index f47c8e8..af09c76 100644 --- a/quota.te +++ b/quota.te @@ -5,12 +5,10 @@ policy_module(quota, 1.6.0) @@ -83602,7 +83843,7 @@ index f47c8e8..d4e9042 100644 ') optional_policy(` -@@ -103,12 +102,12 @@ optional_policy(` +@@ -103,12 +102,13 @@ optional_policy(` ####################################### # 
@@ -83613,11 +83854,12 @@ index f47c8e8..d4e9042 100644 allow quota_nld_t self:fifo_file rw_fifo_file_perms; allow quota_nld_t self:netlink_socket create_socket_perms; -allow quota_nld_t self:unix_stream_socket { accept listen }; ++allow quota_nld_t self:netlink_generic_socket create_socket_perms; +allow quota_nld_t self:unix_stream_socket create_stream_socket_perms; manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t) files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file }) -@@ -121,11 +120,9 @@ init_read_utmp(quota_nld_t) +@@ -121,11 +121,9 @@ init_read_utmp(quota_nld_t) logging_send_syslog_msg(quota_nld_t) @@ -91112,7 +91354,7 @@ index 0bf13c2..ed393a0 100644 files_list_tmp($1) admin_pattern($1, gssd_tmp_t) diff --git a/rpc.te b/rpc.te -index 2da9fca..a37f579 100644 +index 2da9fca..be1fab2 100644 --- a/rpc.te +++ b/rpc.te @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1) @@ -91316,7 +91558,7 @@ index 2da9fca..a37f579 100644 ') ######################################## -@@ -202,41 +232,61 @@ optional_policy(` +@@ -202,41 +232,62 @@ optional_policy(` # allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; @@ -91334,6 +91576,7 @@ index 2da9fca..a37f579 100644 kernel_request_load_module(nfsd_t) -# kernel_mounton_proc(nfsd_t) +kernel_mounton_proc(nfsd_t) ++kernel_rw_rpc_sysctls_dirs(nfsd_t) -corenet_sendrecv_nfs_server_packets(nfsd_t) +corecmd_exec_shell(nfsd_t) @@ -91388,7 +91631,7 @@ index 2da9fca..a37f579 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -245,7 +295,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -245,7 +296,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) @@ -91396,7 +91639,7 @@ index 2da9fca..a37f579 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -257,12 +306,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -257,12 +307,12 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) 
@@ -91411,7 +91654,7 @@ index 2da9fca..a37f579 100644 ') ######################################## -@@ -270,7 +319,7 @@ optional_policy(` +@@ -270,7 +320,7 @@ optional_policy(` # GSSD local policy # @@ -91420,7 +91663,7 @@ index 2da9fca..a37f579 100644 allow gssd_t self:process { getsched setsched }; allow gssd_t self:fifo_file rw_fifo_file_perms; -@@ -280,6 +329,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -280,6 +330,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -91428,7 +91671,7 @@ index 2da9fca..a37f579 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -288,25 +338,31 @@ kernel_signal(gssd_t) +@@ -288,25 +339,31 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) @@ -91463,7 +91706,7 @@ index 2da9fca..a37f579 100644 ') optional_policy(` -@@ -314,9 +370,12 @@ optional_policy(` +@@ -314,9 +371,12 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 5862875b..72a09547 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 240%{?dist} +Release: 241%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -675,6 +675,10 @@ exit 0 %endif %changelog +* Tue Feb 21 2017 Lukas Vrabec - 3.13.1-241 +- Remove ganesha from gluster module and create own module for ganesha +- FIx label for /usr/lib/libGLdispatch.so.0.0.0 + * Wed Feb 15 2017 Lukas Vrabec - 3.13.1-240 - Dontaudit xdm_t wake_alarm capability2 - Allow systemd_initctl_t to create and connect unix_dgram sockets