* Thu Sep 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-280

- Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404) - Fix denials during ipa-server-install process on F27+ - Allow httpd_t to mmap cert_t - Add few rules to make tlp_t domain working in enforcing mode - Allow cloud_init_t to dbus chat with systemd_timedated_t - Allow logrotate_t to write to kmsg - Add capability kill to rhsmcertd_t - Allow winbind to manage smbd_tmp_t files - Allow groupadd_t domain to dbus chat with systemd.BZ(1488404) - Add interface miscfiles_map_generic_certs()
2017-09-07 13:32:34 +02:00 · 2017-09-07 13:32:34 +02:00 · b9bc43a953
parent fcebe07f6c
commit b9bc43a953
4 changed files with 208 additions and 105 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -2201,7 +2201,7 @@ index c6ca761c9..0c86bfd54 100644
 ')
 
 diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index c44c3592a..5038ed0d5 100644
+index c44c3592a..cba535365 100644
 --- a/policy/modules/admin/netutils.te
 +++ b/policy/modules/admin/netutils.te
@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
@ -2259,7 +2259,7 @@ index c44c3592a..5038ed0d5 100644
 
 fs_getattr_xattr_fs(netutils_t)
 
-@@ -80,12 +86,12 @@ init_use_script_ptys(netutils_t)
+@@ -80,15 +86,19 @@ init_use_script_ptys(netutils_t)
 
 auth_use_nsswitch(netutils_t)
 
@ -2275,7 +2275,14 @@ index c44c3592a..5038ed0d5 100644
 userdom_use_all_users_fds(netutils_t)
 
 optional_policy(`
-@@ -110,11 +116,10 @@ allow ping_t self:capability { setuid net_raw };
+    kdump_dontaudit_inherited_kdumpctl_tmp_pipes(netutils_t)
+')
+
+optional_policy(`
+ 	nis_use_ypbind(netutils_t)
+ ')
+ 
+@@ -110,11 +120,10 @@ allow ping_t self:capability { setuid net_raw };
 allow ping_t self:process { getcap setcap };
 dontaudit ping_t self:capability sys_tty_config;
 allow ping_t self:tcp_socket create_socket_perms;
@ -2289,7 +2296,7 @@ index c44c3592a..5038ed0d5 100644
 corenet_all_recvfrom_netlabel(ping_t)
 corenet_tcp_sendrecv_generic_if(ping_t)
 corenet_raw_sendrecv_generic_if(ping_t)
-@@ -124,6 +129,9 @@ corenet_raw_bind_generic_node(ping_t)
+@@ -124,6 +133,9 @@ corenet_raw_bind_generic_node(ping_t)
 corenet_tcp_sendrecv_all_ports(ping_t)
 
 fs_dontaudit_getattr_xattr_fs(ping_t)
@ -2299,7 +2306,7 @@ index c44c3592a..5038ed0d5 100644
 
 domain_use_interactive_fds(ping_t)
 
-@@ -131,14 +139,14 @@ files_read_etc_files(ping_t)
+@@ -131,14 +143,14 @@ files_read_etc_files(ping_t)
 files_dontaudit_search_var(ping_t)
 
 kernel_read_system_state(ping_t)
@ -2318,7 +2325,7 @@ index c44c3592a..5038ed0d5 100644
 
 ifdef(`hide_broken_symptoms',`
 	init_dontaudit_use_fds(ping_t)
-@@ -146,14 +154,29 @@ ifdef(`hide_broken_symptoms',`
+@@ -146,14 +158,29 @@ ifdef(`hide_broken_symptoms',`
 	optional_policy(`
 		nagios_dontaudit_rw_log(ping_t)
 		nagios_dontaudit_rw_pipes(ping_t)
@ -2348,7 +2355,7 @@ index c44c3592a..5038ed0d5 100644
 	pcmcia_use_cardmgr_fds(ping_t)
 ')
 
-@@ -161,6 +184,15 @@ optional_policy(`
+@@ -161,6 +188,15 @@ optional_policy(`
 	hotplug_use_fds(ping_t)
 ')
 
@ -2364,7 +2371,7 @@ index c44c3592a..5038ed0d5 100644
 ########################################
 #
 # Traceroute local policy
-@@ -174,7 +206,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
+@@ -174,7 +210,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
 kernel_read_system_state(traceroute_t)
 kernel_read_network_state(traceroute_t)
 
@ -2372,7 +2379,7 @@ index c44c3592a..5038ed0d5 100644
 corenet_all_recvfrom_netlabel(traceroute_t)
 corenet_tcp_sendrecv_generic_if(traceroute_t)
 corenet_udp_sendrecv_generic_if(traceroute_t)
-@@ -198,6 +229,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -198,6 +233,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
 domain_use_interactive_fds(traceroute_t)
 
 files_read_etc_files(traceroute_t)
@ -2380,7 +2387,7 @@ index c44c3592a..5038ed0d5 100644
 files_dontaudit_search_var(traceroute_t)
 
 init_use_fds(traceroute_t)
-@@ -206,11 +238,17 @@ auth_use_nsswitch(traceroute_t)
+@@ -206,11 +242,17 @@ auth_use_nsswitch(traceroute_t)
 
 logging_send_syslog_msg(traceroute_t)
 
@ -3182,7 +3189,7 @@ index 99e3903ea..fa68362ea 100644
 ## </summary>
 ## <param name="domain">
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1d732f1e7..d698fdd02 100644
+index 1d732f1e7..6a7c8001a 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t;
@ -3313,7 +3320,7 @@ index 1d732f1e7..d698fdd02 100644
 dontaudit groupadd_t self:capability { fsetid sys_tty_config };
 allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow groupadd_t self:process { setrlimit setfscreate };
-@@ -212,8 +236,8 @@ selinux_compute_create_context(groupadd_t)
+@@ -212,17 +236,18 @@ selinux_compute_create_context(groupadd_t)
 selinux_compute_relabel_context(groupadd_t)
 selinux_compute_user_contexts(groupadd_t)
 
@ -3324,7 +3331,8 @@ index 1d732f1e7..d698fdd02 100644
 
 init_use_fds(groupadd_t)
 init_read_utmp(groupadd_t)
-@@ -221,8 +245,8 @@ init_dontaudit_write_utmp(groupadd_t)
+ init_dontaudit_write_utmp(groupadd_t)
+init_dbus_chat(groupadd_t)
 
 domain_use_interactive_fds(groupadd_t)
 
@ -3334,7 +3342,7 @@ index 1d732f1e7..d698fdd02 100644
 files_read_etc_runtime_files(groupadd_t)
 files_read_usr_symlinks(groupadd_t)
 
-@@ -232,14 +256,14 @@ corecmd_exec_bin(groupadd_t)
+@@ -232,14 +257,14 @@ corecmd_exec_bin(groupadd_t)
 logging_send_audit_msgs(groupadd_t)
 logging_send_syslog_msg(groupadd_t)
 
@ -3351,7 +3359,7 @@ index 1d732f1e7..d698fdd02 100644
 auth_relabel_shadow(groupadd_t)
 auth_etc_filetrans_shadow(groupadd_t)
 
-@@ -251,6 +275,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
+@@ -251,6 +276,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
 userdom_dontaudit_search_user_home_dirs(groupadd_t)
 
 optional_policy(`
@ -3362,7 +3370,7 @@ index 1d732f1e7..d698fdd02 100644
 	dpkg_use_fds(groupadd_t)
 	dpkg_rw_pipes(groupadd_t)
 ')
-@@ -273,7 +301,7 @@ optional_policy(`
+@@ -273,7 +302,7 @@ optional_policy(`
 # Passwd local policy
 #
 
@ -3371,7 +3379,7 @@ index 1d732f1e7..d698fdd02 100644
 dontaudit passwd_t self:capability sys_tty_config;
 allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow passwd_t self:process { setrlimit setfscreate };
-@@ -288,6 +316,7 @@ allow passwd_t self:shm create_shm_perms;
+@@ -288,6 +317,7 @@ allow passwd_t self:shm create_shm_perms;
 allow passwd_t self:sem create_sem_perms;
 allow passwd_t self:msgq create_msgq_perms;
 allow passwd_t self:msg { send receive };
@ -3379,7 +3387,7 @@ index 1d732f1e7..d698fdd02 100644
 
 allow passwd_t crack_db_t:dir list_dir_perms;
 read_files_pattern(passwd_t, crack_db_t, crack_db_t)
-@@ -296,6 +325,7 @@ kernel_read_kernel_sysctls(passwd_t)
+@@ -296,6 +326,7 @@ kernel_read_kernel_sysctls(passwd_t)
 
 # for SSP
 dev_read_urand(passwd_t)
@ -3387,7 +3395,7 @@ index 1d732f1e7..d698fdd02 100644
 
 fs_getattr_xattr_fs(passwd_t)
 fs_search_auto_mountpoints(passwd_t)
-@@ -310,26 +340,32 @@ selinux_compute_create_context(passwd_t)
+@@ -310,26 +341,32 @@ selinux_compute_create_context(passwd_t)
 selinux_compute_relabel_context(passwd_t)
 selinux_compute_user_contexts(passwd_t)
 
@ -3424,7 +3432,7 @@ index 1d732f1e7..d698fdd02 100644
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
 init_dontaudit_rw_utmp(passwd_t)
-@@ -338,12 +374,11 @@ init_use_fds(passwd_t)
+@@ -338,12 +375,11 @@ init_use_fds(passwd_t)
 logging_send_audit_msgs(passwd_t)
 logging_send_syslog_msg(passwd_t)
 
@ -3438,7 +3446,7 @@ index 1d732f1e7..d698fdd02 100644
 userdom_use_unpriv_users_fds(passwd_t)
 # make sure that getcon succeeds
 userdom_getattr_all_users(passwd_t)
-@@ -352,6 +387,20 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -352,6 +388,20 @@ userdom_read_user_tmp_files(passwd_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
 userdom_dontaudit_search_user_home_content(passwd_t)
@ -3459,7 +3467,7 @@ index 1d732f1e7..d698fdd02 100644
 
 optional_policy(`
 	nscd_run(passwd_t, passwd_roles)
-@@ -362,7 +411,7 @@ optional_policy(`
+@@ -362,7 +412,7 @@ optional_policy(`
 # Password admin local policy
 #
 
@ -3468,7 +3476,7 @@ index 1d732f1e7..d698fdd02 100644
 allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow sysadm_passwd_t self:process { setrlimit setfscreate };
 allow sysadm_passwd_t self:fd use;
-@@ -401,9 +450,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -401,9 +451,10 @@ dev_read_urand(sysadm_passwd_t)
 fs_getattr_xattr_fs(sysadm_passwd_t)
 fs_search_auto_mountpoints(sysadm_passwd_t)
 
@ -3481,7 +3489,7 @@ index 1d732f1e7..d698fdd02 100644
 auth_manage_shadow(sysadm_passwd_t)
 auth_relabel_shadow(sysadm_passwd_t)
 auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -416,7 +466,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -416,7 +467,6 @@ files_read_usr_files(sysadm_passwd_t)
 
 domain_use_interactive_fds(sysadm_passwd_t)
 
@ -3489,7 +3497,7 @@ index 1d732f1e7..d698fdd02 100644
 files_relabel_etc_files(sysadm_passwd_t)
 files_read_etc_runtime_files(sysadm_passwd_t)
 # for nscd lookups
-@@ -426,12 +475,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+@@ -426,12 +476,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
 # correctly without it.  Do not audit write denials to utmp.
 init_dontaudit_rw_utmp(sysadm_passwd_t)
 
@ -3502,7 +3510,7 @@ index 1d732f1e7..d698fdd02 100644
 userdom_use_unpriv_users_fds(sysadm_passwd_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
-@@ -446,8 +492,10 @@ optional_policy(`
+@@ -446,8 +493,10 @@ optional_policy(`
 # Useradd local policy
 #
 
@ -3515,7 +3523,7 @@ index 1d732f1e7..d698fdd02 100644
 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow useradd_t self:process setfscreate;
 allow useradd_t self:fd use;
-@@ -461,6 +509,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -461,6 +510,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
 allow useradd_t self:unix_dgram_socket sendto;
 allow useradd_t self:unix_stream_socket connectto;
 
@ -3526,7 +3534,7 @@ index 1d732f1e7..d698fdd02 100644
 # for getting the number of groups
 kernel_read_kernel_sysctls(useradd_t)
 
-@@ -468,29 +520,28 @@ corecmd_exec_shell(useradd_t)
+@@ -468,29 +521,28 @@ corecmd_exec_shell(useradd_t)
 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
 corecmd_exec_bin(useradd_t)
 
@ -3566,7 +3574,7 @@ index 1d732f1e7..d698fdd02 100644
 
 auth_run_chk_passwd(useradd_t, useradd_roles)
 auth_rw_lastlog(useradd_t)
-@@ -498,6 +549,7 @@ auth_rw_faillog(useradd_t)
+@@ -498,45 +550,50 @@ auth_rw_faillog(useradd_t)
 auth_use_nsswitch(useradd_t)
 # these may be unnecessary due to the above
 # domtrans_chk_passwd() call.
@ -3574,7 +3582,11 @@ index 1d732f1e7..d698fdd02 100644
 auth_manage_shadow(useradd_t)
 auth_relabel_shadow(useradd_t)
 auth_etc_filetrans_shadow(useradd_t)
-@@ -508,35 +560,38 @@ init_rw_utmp(useradd_t)
+ 
+ init_use_fds(useradd_t)
+ init_rw_utmp(useradd_t)
+init_dbus_chat(useradd_t)
+ 
 logging_send_audit_msgs(useradd_t)
 logging_send_syslog_msg(useradd_t)
 
@ -3624,7 +3636,7 @@ index 1d732f1e7..d698fdd02 100644
 ')
 
 optional_policy(`
-@@ -545,14 +600,27 @@ optional_policy(`
+@@ -545,14 +602,27 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -3652,7 +3664,7 @@ index 1d732f1e7..d698fdd02 100644
 	tunable_policy(`samba_domain_controller',`
 		samba_append_log(useradd_t)
 	')
-@@ -562,3 +630,12 @@ optional_policy(`
+@@ -562,3 +632,12 @@ optional_policy(`
 	rpm_use_fds(useradd_t)
 	rpm_rw_pipes(useradd_t)
 ')
@ -42484,7 +42496,7 @@ index 9fe8e01e3..c62c76136 100644
 /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 ')
 diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index fc28bc31b..e4b9a3bf0 100644
+index fc28bc31b..7ed7664fb 100644
 --- a/policy/modules/system/miscfiles.if
 +++ b/policy/modules/system/miscfiles.if
@@ -67,6 +67,27 @@ interface(`miscfiles_read_all_certs',`
@ -42515,7 +42527,33 @@ index fc28bc31b..e4b9a3bf0 100644
 ##	Read generic SSL certificates.
 ## </summary>
 ## <param name="domain">
-@@ -106,6 +127,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
+@@ -88,6 +109,25 @@ interface(`miscfiles_read_generic_certs',`
+ 
+ ########################################
+ ## <summary>
+##	mmap generic SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_map_generic_certs',`
+	gen_require(`
+		type cert_t;
+	')
+
+	allow $1 cert_t:file map;
+')
+
+########################################
+## <summary>
+ ##	Manage generic SSL certificates.
+ ## </summary>
+ ## <param name="domain">
+@@ -106,6 +146,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
 
 ########################################
 ## <summary>
@ -42540,7 +42578,7 @@ index fc28bc31b..e4b9a3bf0 100644
 ##	Manage generic SSL certificates.
 ## </summary>
 ## <param name="domain">
-@@ -121,7 +160,7 @@ interface(`miscfiles_manage_generic_cert_files',`
+@@ -121,7 +179,7 @@ interface(`miscfiles_manage_generic_cert_files',`
 	')
 
 	manage_files_pattern($1, cert_t, cert_t)
@ -42549,7 +42587,7 @@ index fc28bc31b..e4b9a3bf0 100644
 ')
 
 ########################################
-@@ -156,6 +195,26 @@ interface(`miscfiles_manage_cert_dirs',`
+@@ -156,6 +214,26 @@ interface(`miscfiles_manage_cert_dirs',`
 
 ########################################
 ## <summary>
@ -42576,7 +42614,7 @@ index fc28bc31b..e4b9a3bf0 100644
 ##	Manage SSL certificates.
 ## </summary>
 ## <param name="domain">
-@@ -191,6 +250,7 @@ interface(`miscfiles_read_fonts',`
+@@ -191,6 +269,7 @@ interface(`miscfiles_read_fonts',`
 
 	allow $1 fonts_t:dir list_dir_perms;
 	read_files_pattern($1, fonts_t, fonts_t)
@ -42584,7 +42622,7 @@ index fc28bc31b..e4b9a3bf0 100644
 	read_lnk_files_pattern($1, fonts_t, fonts_t)
 
 	allow $1 fonts_cache_t:dir list_dir_perms;
-@@ -414,6 +474,7 @@ interface(`miscfiles_read_localization',`
+@@ -414,6 +493,7 @@ interface(`miscfiles_read_localization',`
 	allow $1 locale_t:dir list_dir_perms;
 	read_files_pattern($1, locale_t, locale_t)
 	read_lnk_files_pattern($1, locale_t, locale_t)
@ -42592,7 +42630,7 @@ index fc28bc31b..e4b9a3bf0 100644
 ')
 
 ########################################
-@@ -434,6 +495,7 @@ interface(`miscfiles_rw_localization',`
+@@ -434,6 +514,7 @@ interface(`miscfiles_rw_localization',`
 	files_search_usr($1)
 	allow $1 locale_t:dir list_dir_perms;
 	rw_files_pattern($1, locale_t, locale_t)
@ -42600,7 +42638,7 @@ index fc28bc31b..e4b9a3bf0 100644
 ')
 
 ########################################
-@@ -453,6 +515,7 @@ interface(`miscfiles_relabel_localization',`
+@@ -453,6 +534,7 @@ interface(`miscfiles_relabel_localization',`
 
 	files_search_usr($1)
 	relabel_files_pattern($1, locale_t, locale_t)
@ -42608,7 +42646,7 @@ index fc28bc31b..e4b9a3bf0 100644
 ')
 
 ########################################
-@@ -470,7 +533,6 @@ interface(`miscfiles_legacy_read_localization',`
+@@ -470,7 +552,6 @@ interface(`miscfiles_legacy_read_localization',`
 		type locale_t;
 	')
 
@ -42616,7 +42654,7 @@ index fc28bc31b..e4b9a3bf0 100644
 	allow $1 locale_t:file execute;
 ')
 
-@@ -531,6 +593,10 @@ interface(`miscfiles_read_man_pages',`
+@@ -531,6 +612,10 @@ interface(`miscfiles_read_man_pages',`
 	allow $1 { man_cache_t man_t }:dir list_dir_perms;
 	read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
 	read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
@ -42627,7 +42665,7 @@ index fc28bc31b..e4b9a3bf0 100644
 ')
 
 ########################################
-@@ -554,6 +620,29 @@ interface(`miscfiles_delete_man_pages',`
+@@ -554,6 +639,29 @@ interface(`miscfiles_delete_man_pages',`
 	delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
 	delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
 	delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
@ -42657,7 +42695,7 @@ index fc28bc31b..e4b9a3bf0 100644
 ')
 
 ########################################
-@@ -622,6 +711,30 @@ interface(`miscfiles_manage_man_cache',`
+@@ -622,6 +730,30 @@ interface(`miscfiles_manage_man_cache',`
 
 ########################################
 ## <summary>
@ -42688,7 +42726,7 @@ index fc28bc31b..e4b9a3bf0 100644
 ##	Read public files used for file
 ##	transfer services.
 ## </summary>
-@@ -784,8 +897,11 @@ interface(`miscfiles_etc_filetrans_localization',`
+@@ -784,8 +916,11 @@ interface(`miscfiles_etc_filetrans_localization',`
 		type locale_t;
 	')
 
@ -42702,7 +42740,7 @@ index fc28bc31b..e4b9a3bf0 100644
 ')
 
 ########################################
-@@ -809,3 +925,61 @@ interface(`miscfiles_manage_localization',`
+@@ -809,3 +944,61 @@ interface(`miscfiles_manage_localization',`
 	manage_lnk_files_pattern($1, locale_t, locale_t)
 ')
 
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -5579,7 +5579,7 @@ index f6eb4851f..fe461a3fc 100644
 +		ps_process_pattern(httpd_t, $1)
 ')
 diff --git a/apache.te b/apache.te
-index 6649962b6..6dd10dd7d 100644
+index 6649962b6..a6b4312e6 100644
 --- a/apache.te
 +++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@ -6297,7 +6297,7 @@ index 6649962b6..6dd10dd7d 100644
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
 
 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -450,140 +570,177 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -450,140 +570,178 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 
@ -6419,6 +6419,7 @@ index 6649962b6..6dd10dd7d 100644
 miscfiles_read_fonts(httpd_t)
 miscfiles_read_public_files(httpd_t)
 miscfiles_read_generic_certs(httpd_t)
+miscfiles_map_generic_certs(httpd_t)
 miscfiles_read_tetex_data(httpd_t)
 -
 -seutil_dontaudit_search_config(httpd_t)
@ -6539,7 +6540,7 @@ index 6649962b6..6dd10dd7d 100644
 ')
 
 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -594,28 +751,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -594,28 +752,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
 	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
 ')
 
@ -6599,7 +6600,7 @@ index 6649962b6..6dd10dd7d 100644
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +803,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +804,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_symlinks(httpd_t)
 ')
 
@ -6702,7 +6703,7 @@ index 6649962b6..6dd10dd7d 100644
 ')
 
 tunable_policy(`httpd_setrlimit',`
-@@ -695,49 +862,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,49 +863,48 @@ tunable_policy(`httpd_setrlimit',`
 
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@ -6783,7 +6784,7 @@ index 6649962b6..6dd10dd7d 100644
 ')
 
 optional_policy(`
-@@ -749,24 +915,32 @@ optional_policy(`
+@@ -749,24 +916,32 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -6822,7 +6823,7 @@ index 6649962b6..6dd10dd7d 100644
 ')
 
 optional_policy(`
-@@ -775,6 +949,10 @@ optional_policy(`
+@@ -775,6 +950,10 @@ optional_policy(`
 	tunable_policy(`httpd_dbus_avahi',`
 		avahi_dbus_chat(httpd_t)
 	')
@ -6833,7 +6834,7 @@ index 6649962b6..6dd10dd7d 100644
 ')
 
 optional_policy(`
-@@ -786,35 +964,62 @@ optional_policy(`
+@@ -786,35 +965,62 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -6909,7 +6910,7 @@ index 6649962b6..6dd10dd7d 100644
 
 	tunable_policy(`httpd_manage_ipa',`
 		memcached_manage_pid_files(httpd_t)
-@@ -822,8 +1027,31 @@ optional_policy(`
+@@ -822,8 +1028,31 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -6941,7 +6942,7 @@ index 6649962b6..6dd10dd7d 100644
 
 	tunable_policy(`httpd_can_network_connect_db',`
 		mysql_tcp_connect(httpd_t)
-@@ -832,6 +1060,8 @@ optional_policy(`
+@@ -832,6 +1061,8 @@ optional_policy(`
 
 optional_policy(`
 	nagios_read_config(httpd_t)
@ -6950,7 +6951,7 @@ index 6649962b6..6dd10dd7d 100644
 ')
 
 optional_policy(`
-@@ -842,20 +1072,48 @@ optional_policy(`
+@@ -842,20 +1073,48 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -7005,7 +7006,7 @@ index 6649962b6..6dd10dd7d 100644
 ')
 
 optional_policy(`
-@@ -863,16 +1121,31 @@ optional_policy(`
+@@ -863,16 +1122,31 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -7039,7 +7040,7 @@ index 6649962b6..6dd10dd7d 100644
 ')
 
 optional_policy(`
-@@ -883,65 +1156,189 @@ optional_policy(`
+@@ -883,65 +1157,189 @@ optional_policy(`
 	yam_read_content(httpd_t)
 ')
 
@ -7251,7 +7252,7 @@ index 6649962b6..6dd10dd7d 100644
 files_dontaudit_search_pids(httpd_suexec_t)
 files_search_home(httpd_suexec_t)
 
-@@ -950,123 +1347,75 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1348,75 @@ auth_use_nsswitch(httpd_suexec_t)
 logging_search_logs(httpd_suexec_t)
 logging_send_syslog_msg(httpd_suexec_t)
 
@ -7405,7 +7406,7 @@ index 6649962b6..6dd10dd7d 100644
 	mysql_read_config(httpd_suexec_t)
 
 	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1432,107 @@ optional_policy(`
+@@ -1083,172 +1433,107 @@ optional_policy(`
 	')
 ')
 
@ -7643,7 +7644,7 @@ index 6649962b6..6dd10dd7d 100644
 ')
 
 tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1540,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1541,74 @@ tunable_policy(`httpd_read_user_content',`
 ')
 
 tunable_policy(`httpd_use_cifs',`
@ -7741,7 +7742,7 @@ index 6649962b6..6dd10dd7d 100644
 
 ########################################
 #
-@@ -1321,8 +1615,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1616,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
 #
 
 optional_policy(`
@ -7758,7 +7759,7 @@ index 6649962b6..6dd10dd7d 100644
 ')
 
 ########################################
-@@ -1330,49 +1631,41 @@ optional_policy(`
+@@ -1330,49 +1632,41 @@ optional_policy(`
 # User content local policy
 #
 
@ -7825,7 +7826,7 @@ index 6649962b6..6dd10dd7d 100644
 kernel_read_system_state(httpd_passwd_t)
 
 corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1675,109 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1676,109 @@ dev_read_urand(httpd_passwd_t)
 
 domain_use_interactive_fds(httpd_passwd_t)
 
@ -9912,7 +9913,7 @@ index 531a8f244..3fcf18722 100644
 +	allow $1 named_unit_file_t:service all_service_perms;
 ')
 diff --git a/bind.te b/bind.te
-index 124112346..73543d306 100644
+index 124112346..57a8b4484 100644
 --- a/bind.te
 +++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@ -9991,7 +9992,7 @@ index 124112346..73543d306 100644
 corenet_tcp_bind_rndc_port(named_t)
 corenet_tcp_sendrecv_rndc_port(named_t)
 
-@@ -141,9 +150,13 @@ corenet_sendrecv_all_client_packets(named_t)
+@@ -141,13 +150,18 @@ corenet_sendrecv_all_client_packets(named_t)
 corenet_tcp_connect_all_ports(named_t)
 corenet_tcp_sendrecv_all_ports(named_t)
 
@ -10005,7 +10006,12 @@ index 124112346..73543d306 100644
 
 domain_use_interactive_fds(named_t)
 
-@@ -175,6 +188,19 @@ tunable_policy(`named_write_master_zones',`
+ files_read_etc_runtime_files(named_t)
+files_mmap_usr_files(named_t)
+ 
+ fs_getattr_all_fs(named_t)
+ fs_search_auto_mountpoints(named_t)
+@@ -175,6 +189,19 @@ tunable_policy(`named_write_master_zones',`
 ')
 
 optional_policy(`
@ -10025,7 +10031,7 @@ index 124112346..73543d306 100644
 	dbus_system_domain(named_t, named_exec_t)
 
 	init_dbus_chat_script(named_t)
-@@ -187,7 +213,17 @@ optional_policy(`
+@@ -187,7 +214,17 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -10043,7 +10049,7 @@ index 124112346..73543d306 100644
 	kerberos_use(named_t)
 ')
 
-@@ -214,8 +250,9 @@ optional_policy(`
+@@ -214,8 +251,9 @@ optional_policy(`
 # NDC local policy
 #
 
@ -10055,7 +10061,7 @@ index 124112346..73543d306 100644
 allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { accept listen };
 
-@@ -229,10 +266,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+@@ -229,10 +267,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
 
 allow ndc_t named_zone_t:dir search_dir_perms;
 
@ -10067,7 +10073,7 @@ index 124112346..73543d306 100644
 corenet_all_recvfrom_netlabel(ndc_t)
 corenet_tcp_sendrecv_generic_if(ndc_t)
 corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -242,6 +278,9 @@ corenet_tcp_bind_generic_node(ndc_t)
+@@ -242,6 +279,9 @@ corenet_tcp_bind_generic_node(ndc_t)
 corenet_tcp_connect_rndc_port(ndc_t)
 corenet_sendrecv_rndc_client_packets(ndc_t)
 
@ -10077,7 +10083,7 @@ index 124112346..73543d306 100644
 domain_use_interactive_fds(ndc_t)
 
 files_search_pids(ndc_t)
-@@ -257,7 +296,7 @@ init_use_script_ptys(ndc_t)
+@@ -257,7 +297,7 @@ init_use_script_ptys(ndc_t)
 
 logging_send_syslog_msg(ndc_t)
 
@ -14802,10 +14808,10 @@ index 000000000..55fe0d668
 +')
 diff --git a/cloudform.te b/cloudform.te
 new file mode 100644
-index 000000000..21e6ae757
+index 000000000..73f3eb8a0
 --- /dev/null
 +++ b/cloudform.te
-@@ -0,0 +1,249 @@
+@@ -0,0 +1,250 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@ -14913,6 +14919,7 @@ index 000000000..21e6ae757
 +selinux_validate_context(cloud_init_t)
 +
 +systemd_dbus_chat_hostnamed(cloud_init_t)
+systemd_dbus_chat_timedated(cloud_init_t)
 +systemd_exec_systemctl(cloud_init_t)
 +systemd_start_all_services(cloud_init_t)
 +
@ -25774,10 +25781,10 @@ index 000000000..b3784d85d
 +')
 diff --git a/dirsrv.te b/dirsrv.te
 new file mode 100644
-index 000000000..22cafcd43
+index 000000000..86c5021d6
 --- /dev/null
 +++ b/dirsrv.te
-@@ -0,0 +1,207 @@
+@@ -0,0 +1,211 @@
 +policy_module(dirsrv,1.0.0)
 +
 +########################################
@ -25942,6 +25949,10 @@ index 000000000..22cafcd43
 +	systemd_manage_passwd_run(dirsrv_t)
 +')
 +
+optional_policy(`
+    rolekit_read_tmp(dirsrv_t)
+')
+
 +########################################
 +#
 +# dirsrv-snmp local policy
@ -39954,10 +39965,10 @@ index 000000000..d611c53d4
 +')
 diff --git a/ipa.te b/ipa.te
 new file mode 100644
-index 000000000..28955ddc0
+index 000000000..99cb86250
 --- /dev/null
 +++ b/ipa.te
-@@ -0,0 +1,273 @@
+@@ -0,0 +1,275 @@
 +policy_module(ipa, 1.0.0)
 +
 +########################################
@ -40154,6 +40165,8 @@ index 000000000..28955ddc0
 +
 +dev_read_rand(ipa_dnskey_t)
 +
+can_exec(ipa_dnskey_t,ipa_dnskey_exec_t)
+
 +libs_exec_ldconfig(ipa_dnskey_t)
 +
 +logging_send_syslog_msg(ipa_dnskey_t)
@ -47356,7 +47369,7 @@ index 2a491d96c..3399d597a 100644
 +    virt_dgram_send(lldpad_t)
 +')
 diff --git a/loadkeys.te b/loadkeys.te
-index d2f464375..c8e6b37b0 100644
+index d2f464375..ecbfa88ff 100644
 --- a/loadkeys.te
 +++ b/loadkeys.te
@@ -25,20 +25,19 @@ kernel_read_system_state(loadkeys_t)
@ -47383,6 +47396,15 @@ index d2f464375..c8e6b37b0 100644
 userdom_list_user_home_content(loadkeys_t)
 
 ifdef(`hide_broken_symptoms',`
+@@ -52,3 +51,8 @@ optional_policy(`
+ optional_policy(`
+ 	nscd_dontaudit_search_pid(loadkeys_t)
+ ')
+
+optional_policy(`
+    sssd_read_public_files(loadkeys_t)
+    sssd_stream_connect(loadkeys_t)
+')
 diff --git a/lockdev.if b/lockdev.if
 index 4313b8bc0..cd1435cdf 100644
 --- a/lockdev.if
@ -47493,7 +47515,7 @@ index dd8e01af3..9cd6b0b8e 100644
 ## <param name="domain">
 ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index be0ab84b3..0129ddb61 100644
+index be0ab84b3..882160882 100644
 --- a/logrotate.te
 +++ b/logrotate.te
@@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0)
@ -47568,7 +47590,7 @@ index be0ab84b3..0129ddb61 100644
 allow logrotate_t self:shm create_shm_perms;
 allow logrotate_t self:sem create_sem_perms;
 allow logrotate_t self:msgq create_msgq_perms;
-@@ -48,36 +71,53 @@ allow logrotate_t self:msg { send receive };
+@@ -48,36 +71,54 @@ allow logrotate_t self:msg { send receive };
 allow logrotate_t logrotate_lock_t:file manage_file_perms;
 files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
 
@ -47591,6 +47613,7 @@ index be0ab84b3..0129ddb61 100644
 
 +dev_read_urand(logrotate_t)
 +dev_read_sysfs(logrotate_t)
+dev_write_kmsg(logrotate_t)
 +
 +fs_search_auto_mountpoints(logrotate_t)
 +fs_getattr_all_fs(logrotate_t)
@ -47627,7 +47650,7 @@ index be0ab84b3..0129ddb61 100644
 files_manage_generic_spool(logrotate_t)
 files_manage_generic_spool_dirs(logrotate_t)
 files_getattr_generic_locks(logrotate_t)
-@@ -95,32 +135,57 @@ mls_process_write_to_clearance(logrotate_t)
+@@ -95,32 +136,57 @@ mls_process_write_to_clearance(logrotate_t)
 selinux_get_fs_mount(logrotate_t)
 selinux_get_enforce_mode(logrotate_t)
 
@ -47691,7 +47714,7 @@ index be0ab84b3..0129ddb61 100644
 ')
 
 optional_policy(`
-@@ -135,16 +200,17 @@ optional_policy(`
+@@ -135,16 +201,17 @@ optional_policy(`
 
 optional_policy(`
 	apache_read_config(logrotate_t)
@ -47711,7 +47734,7 @@ index be0ab84b3..0129ddb61 100644
 ')
 
 optional_policy(`
-@@ -170,6 +236,11 @@ optional_policy(`
+@@ -170,6 +237,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -47723,7 +47746,7 @@ index be0ab84b3..0129ddb61 100644
 	fail2ban_stream_connect(logrotate_t)
 ')
 
-@@ -178,7 +249,8 @@ optional_policy(`
+@@ -178,7 +250,8 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -47733,7 +47756,7 @@ index be0ab84b3..0129ddb61 100644
 ')
 
 optional_policy(`
-@@ -198,17 +270,18 @@ optional_policy(`
+@@ -198,17 +271,18 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -47755,7 +47778,7 @@ index be0ab84b3..0129ddb61 100644
 ')
 
 optional_policy(`
-@@ -216,6 +289,14 @@ optional_policy(`
+@@ -216,6 +290,14 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -47770,7 +47793,7 @@ index be0ab84b3..0129ddb61 100644
 	samba_exec_log(logrotate_t)
 ')
 
-@@ -228,26 +309,50 @@ optional_policy(`
+@@ -228,26 +310,50 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -91002,7 +91025,7 @@ index 6dbc905b3..4b17c933e 100644
 -	admin_pattern($1, rhsmcertd_lock_t)
 ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a279..75b615f81 100644
+index d32e1a279..b79ae3194 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
@ -91015,11 +91038,13 @@ index d32e1a279..75b615f81 100644
 type rhsmcertd_var_lib_t;
 files_type(rhsmcertd_var_lib_t)
 
-@@ -30,18 +33,21 @@ files_pid_file(rhsmcertd_var_run_t)
+@@ -29,19 +32,22 @@ files_pid_file(rhsmcertd_var_run_t)
+ # Local policy
 #
 
- allow rhsmcertd_t self:capability sys_nice;
+-allow rhsmcertd_t self:capability sys_nice;
 -allow rhsmcertd_t self:process { signal setsched };
+allow rhsmcertd_t self:capability { kill sys_nice };
 +allow rhsmcertd_t self:process { signal_perms setsched };
 +
 allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
@ -92077,10 +92102,10 @@ index 000000000..504b6e13e
 +/usr/sbin/roled		--	gen_context(system_u:object_r:rolekit_exec_t,s0)
 diff --git a/rolekit.if b/rolekit.if
 new file mode 100644
-index 000000000..b11fb8f6d
+index 000000000..df5e3338c
 --- /dev/null
 +++ b/rolekit.if
-@@ -0,0 +1,120 @@
+@@ -0,0 +1,138 @@
 +## <summary>Daemon for Linux systems providing a stable D-BUS interface to manage the deployment of Server Roles. </summary>
 +
 +########################################
@ -92201,6 +92226,24 @@ index 000000000..b11fb8f6d
 +		systemd_read_fifo_file_passwd_run($1)
 +	')
 +')
+
+########################################
+## <summary>
+##	Allow domain to read rolekit tmp files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rolekit_read_tmp',`
+	gen_require(`
+		type rolekit_tmp_t;
+	')
+
+    read_files_pattern($1, rolekit_tmp_t, rolekit_tmp_t)
+')
 diff --git a/rolekit.te b/rolekit.te
 new file mode 100644
 index 000000000..da944537b
@ -94260,7 +94303,7 @@ index ef3b22507..79518530e 100644
 	admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t })
 
 diff --git a/rpm.te b/rpm.te
-index 6fc360e60..2f24b1e0c 100644
+index 6fc360e60..219964375 100644
 --- a/rpm.te
 +++ b/rpm.te
@@ -1,15 +1,13 @@
@ -94603,7 +94646,7 @@ index 6fc360e60..2f24b1e0c 100644
 mls_file_read_all_levels(rpm_script_t)
 mls_file_write_all_levels(rpm_script_t)
 
-@@ -331,73 +331,129 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -331,73 +331,130 @@ storage_raw_write_fixed_disk(rpm_script_t)
 
 term_getattr_unallocated_ttys(rpm_script_t)
 term_list_ptys(rpm_script_t)
@ -94636,9 +94679,10 @@ index 6fc360e60..2f24b1e0c 100644
 +init_manage_transient_unit(rpm_script_t)
 init_domtrans_script(rpm_script_t)
 init_telinit(rpm_script_t)
- 
-+systemd_config_all_services(rpm_script_t)
+init_dbus_chat(rpm_script_t)
 +
+systemd_config_all_services(rpm_script_t)
+ 
 libs_exec_ld_so(rpm_script_t)
 libs_exec_lib_files(rpm_script_t)
 -libs_run_ldconfig(rpm_script_t, rpm_roles)
@ -94753,7 +94797,7 @@ index 6fc360e60..2f24b1e0c 100644
 
 	optional_policy(`
 		java_domtrans_unconfined(rpm_script_t)
-@@ -409,6 +465,6 @@ optional_policy(`
+@@ -409,6 +466,6 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -96873,7 +96917,7 @@ index 50d07fb2e..a34db489c 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
 ')
 diff --git a/samba.te b/samba.te
-index 2b7c441e7..c7a475130 100644
+index 2b7c441e7..5d52fba0f 100644
 --- a/samba.te
 +++ b/samba.te
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@ -98011,9 +98055,12 @@ index 2b7c441e7..c7a475130 100644
 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
 
 manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,38 +972,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -871,40 +970,44 @@ manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
+ manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t)
+ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
 
- rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+-rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+manage_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
 
 -# This needs a file context specification
 -allow winbind_t winbind_log_t:file { append_file_perms create_file_perms setattr_file_perms };
@ -111369,10 +111416,10 @@ index 000000000..368e18842
 +')
 diff --git a/tlp.te b/tlp.te
 new file mode 100644
-index 000000000..f31ed95d7
+index 000000000..761cc35b0
 --- /dev/null
 +++ b/tlp.te
-@@ -0,0 +1,74 @@
+@@ -0,0 +1,80 @@
 +policy_module(tlp, 1.0.0)
 +
 +########################################
@ -111417,6 +111464,7 @@ index 000000000..f31ed95d7
 +kernel_rw_fs_sysctls(tlp_t)
 +kernel_rw_kernel_sysctl(tlp_t)
 +kernel_rw_vm_sysctls(tlp_t)
+kernel_create_rpc_sysctls(tlp_t)
 +
 +auth_read_passwd(tlp_t)
 +
@ -111425,12 +111473,16 @@ index 000000000..f31ed95d7
 +dev_list_sysfs(tlp_t)
 +dev_manage_sysfs(tlp_t)
 +dev_rw_cpu_microcode(tlp_t)
+dev_rw_wireless(tlp_t)
 +
 +files_read_kernel_modules(tlp_t)
+files_load_kernel_modules(tlp_t)
 +
 +modutils_exec_insmod(tlp_t)
 +modutils_read_module_config(tlp_t)
 +
+logging_send_syslog_msg(tlp_t)
+
 +storage_raw_read_fixed_disk(tlp_t)
 +storage_raw_write_removable_device(tlp_t)
 +
@ -111438,6 +111490,7 @@ index 000000000..f31ed95d7
 +
 +optional_policy(`
 +    dbus_stream_connect_system_dbusd(tlp_t)
+    dbus_system_bus_client(tlp_t)
 +')
 +
 +optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 279%{?dist}
+Release: 280%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -681,6 +681,18 @@ exit 0
 %endif

 %changelog
+* Thu Sep 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-280
+- Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404)
+- Fix denials during ipa-server-install process on F27+
+- Allow httpd_t to mmap cert_t
+- Add few rules to make tlp_t domain working in enforcing mode
+- Allow cloud_init_t to dbus chat with systemd_timedated_t
+- Allow logrotate_t to write to kmsg
+- Add capability kill to rhsmcertd_t
+- Allow winbind to manage smbd_tmp_t files
+- Allow groupadd_t domain to dbus chat with systemd.BZ(1488404)
+- Add interface miscfiles_map_generic_certs()
+
 * Tue Sep 05 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-279
 - Allow abrt_dump_oops_t to read sssd_public_t files
 - Allow cockpit_ws_t to mmap usr_t files