From b9bc43a953ad4e4aaf7fd5d68b2d9e8eeb47ed02 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Thu, 7 Sep 2017 13:32:34 +0200 Subject: [PATCH] * Thu Sep 07 2017 Lukas Vrabec - 3.13.1-280 - Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404) - Fix denials during ipa-server-install process on F27+ - Allow httpd_t to mmap cert_t - Add a few rules to make tlp_t domain working in enforcing mode - Allow cloud_init_t to dbus chat with systemd_timedated_t - Allow logrotate_t to write to kmsg - Add capability kill to rhsmcertd_t - Allow winbind to manage smbd_tmp_t files - Allow groupadd_t domain to dbus chat with systemd. BZ(1488404) - Add interface miscfiles_map_generic_certs() --- container-selinux.tgz | Bin 6902 -> 7000 bytes policy-rawhide-base.patch | 130 +++++++++++++++++---------- policy-rawhide-contrib.patch | 169 +++++++++++++++++++++++------------ selinux-policy.spec | 14 ++- 4 files changed, 208 insertions(+), 105 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index 96dd93e9612f4c258feb25566d33504f8119107a..b1bd8aaedd8173ced0444db34e99882cd926d07f 100644 GIT binary patch literal 7000 zcmb7{<69&S!$!kao3Xpu=49K}rp@-Y*>+8~IrYodZj;T)Zo+0x*sS;Y7v698_j6t6 zTsKABXShkWCVe=>3uC9GO}~cAAi@NIQ0C{UWNN1Qp6Higop-mJ$Mq-}4>Xb^KHg4D=1?{Hxevg%zeeZ&wK?z0` z`1&aNZt`&z{cy@&hD{-EWE$-Lw)>2|y}cRmy8ArH4{H$LH0u2r@ei&>s5;SD3Oe!K zrhO>yjYXh=&b|cCwfeoSzcdMzRhf#toxonkCgT|W^$w!BVnliwQw6Th1ZKJfKZ7An_gx z?S}Wo$z5B&-6zFVahVdmBNO9i{co1#9>sbQXdfoS`eYe~;xUlmv~vBd=-R{uJIp6s zNM1*89mGqs9RS+Kc13NiX=!<`(r}>kJ?+Si##Jyg-ZuC>Z()c#oENur$~rd5s4(dH z?a8{))cNoE>&98!QV!#6=anNPzZkD=g};_*Ek`&}UMdZXYUf#(dEMbwt1T$^ermC` z0AoTVmgg!saujb9JFK!gN&}baDz2vg60sNLr?&9?H^a_(`8k`j)t|_@5w)j#&XRJ7 zX@vRn$uO4o`IV&%+bGDh6)8wAeOc3MKjhhQKbm&CbgJprmqRP`@zyCgW|}9AROpZ7 zs>UMkH|OsS013w?AuPKFOW9|B2RYdw#ja~9MjMSIYf>E=A(;KA@fV`6ld{PVL9t~C zluW^}4M(zRhRTZ3>)oO=YUTwr!VXtF9coK8)q;S-wVm?V+>zs~udR}{3O$00vWAyQV$~J z+4z*=81Y^dbO`JGGCoOY$@J~Qsxx7b0tEduG8-aTm3iK_6Xzg$lxcaBc5yf>lrMcd z)@}Wh@V0$InG5pU#RZtN#gmD8I;nV9p3@D4xMf`WWLT%XD)LUNo009{`QBnDdq=*b zn%bj{l`oO1kKN#`_|KpWNMqvF@AZM!`Fl{Z*Ha*Rhp(maFiwiH*D%a=$;0v=mP|a4 z$5Z9i`-aUz*&4GNs0vD!%@$o}l-D&A$=|xqj@n{Ox+I=n#wkpf4*Ioa zX)mn6v44LarPl?;#5`@T_1BP5@;TRXeeUTF{SfO5-kt&DKOKk%1yS9y>YvM!CbpzZ zNZV)#!09CXc*RY=-#rH;GBd+$*9Nl3XPmA$MRh#Wkv+MV^;QDC$NuIHZS#B`#Cj@~ zvKlgAk-Oniax=;fE3-IO|2MLy$Z=}}J;dmO8@|D@P$Wzoc_>Za|MKqBY^wm9gd<>2 z9%bNouh@AH11J%X1mXK(Th|(@{HKY=y|O~Fh)oIdNbS&Dz)MA5r@A9-Pk#Gs?-hCC zOJ?65ZLKMuP%zMq)uWleHFg1%Mk=TaqP~l7<;SwK9m`y!8rSr2`QBM3PB}|Q7H7t(-7E;{?rlm(UI%&E>Dt5mxfvIF zL#3XTuZ+DzXrCYh)l-qkz`#N|s8}C^tk?-KL27U@hSs@T?*>YD)!msL|K+eB>XD50 zd!-w1cY(>y?6gJz7DgL&Sdch$$|tQzKOSYi-_JAdrKI7CaU3Mvm{moRt5F$;7O~H1 zXU*Q(TlaZ$mG`STwVFB(2$yGC5O>cQ;k5p{e_>6Jm9LYOqDMvyj36PLTyE;29G6s9r4I*T3(&ZW4vkyGe}Ec`fz<1kXn zZd(b;9wEw$b6Hs630SqFO9mXEO9;>3rP=0OIV*q=Szu4(gwIJPI^l|`^RIYIrqCdp za!G$gWl=$(3b>C~CXon#?jlviK!Idg^4Dy^d}3g^DUO$bI4V1MWnC=a?9D*Xp$vi(`s(B;zjFJ`@zD(|_wJ-g5oLKc1GNPsZHQ$zuiPluP7~~3(dz&&Z2VzS 
z5eS(glIIWk?CT#T>xVjjRqd1Ygi6x5b+qA%MKl&~!ysD1m>p<47*+h!lyGziNBlv- z>rrz83$B(k+3?40YVgqzq^7|Y56hk9&1zMc;q_-FzMmT3?v*KlFCL2e;$Wm!vOjzv zA$;3szTX;K*aDc_Qy1sPFVTK8h@$@FrhZQY2o_acmIKSNCFN}C%oIe4^^|wy6a*lU zbETzphI-jb0mVN53o4|v8cLMkk>Tk1jQ#h{pA>Gjv#=l{AOyhK(J$uvI? zRCDsF{hkkTL{H@lYSzN%r*#rA4_^#qOF7rznvjo+aAuP|jh156wVY92Pq5~Q=_W&; z#qA8RXVURU*|2Io^<7Hfi_{TmKUgmkR(U5S0S28o8Rk(06AuQYe|FO{!Z-C#9O(q- z(@}Ty_nlCc=Fk<^mJ-#J23j4;tRC9!|9oY}TK`g++_2%HpFYPIv^aK4;3v6eR>Ny& z<101F?t(4#jbYC)PS3!XuL2nyaB74)(dp!)fR}=TQ$RBp84yuut{u!&ce>nWdRb~P zTc+5C+}*SXIfhIY5A-A@5{zbPm83pP?Lh4*UE6h}D0?SRZI)#}JJ$AHo%slU z^>Kd-guQ-DV^2PPu%~2KSQi{pF}Ay}k!<<#XYo@2woPk=p2H%2xnMxOL*Ih!1l|n2 zhVCMoKBf~3_-uFGvWbC8G@lsN{%}WX49(ELKG-jx|Cv=qr9E1aql+EG26&aQ@;yrYBK@e&aQa=#ZT% zyfcvXB)&f>SRX#k1Z$j@3ox#`QXkcIyou36*Dk1;&DCCOKLM3tNGnl{ZM!n7sjCw7 z?xEz=6t!;<@N1yaZl^O1zc6NP{;P9!=ki4ZbluJpc!3p_9Ya}u3&_H%)060tolocz zgmLK01snY1ffGw*Lk#x7F|5_K+T^$}Z%MF<#R|^7?#QUp(~LfQU=Czof+cxqfFVtM zKHECBQy}H_8Kt!myQBGa#xF0pH@koEOR(83cs5p5V;Im^YKtH*tbrWlO>-lunlUP$ z?XgtlE;DY)L2|PkHTOfxGr#nXqamfa?_#j#9V24rK|B9dX{1`iW&gnB8VAUDh z3rxMJ=wp9X%^$i;dpJjWd8N9&wBQJ7zhW0L*O&Dq^*b@nj3(#9blREg<#VOqgPlm8 zgsXm8G7K3)bx!El^LSf0+9>%R@{NY?e3B9VMW7$^1)jc1?w!Gkm{jRl=#E2uV~4bO zD~d3aMLyYIYmZR$`t)nBm%pj8xCt0-#0r+Du`k{Aglb#>vYKx zHEL!O(dLo&V`{|x=hp9RtM8flgRG&e@PF)8=S7#r&Gb218b9`>C?~>kxg|R7XvrJH zvxr1*#{&%y?YZX`A{p$-!*UwuO`53lPc)5y(IZ=NN(K{H27yaFLXPOV^JCNVb z(IL2uNc_MS=i)nttvJR#+N+ga*l!eeXZ8th`HJ*X%vxN+=WJ~DQ8)sn3>P&A!5~^; zG@{Q1j70)|Kz~E07q%FN}K{4z!TqmylA8sCWoN$W%kn~)3S z;8@plSX}Pv(sQRUNy~;hv8{+JX%7D_Tg2$UDy%R1hZCx1<;Yt2K>;eSVd>S0jQ z8&SH~>DR~3@RN#hDM9U^PK+zk$5T(~h5f}&3@b6vuj5NF6XG_md+WUW5Lw+Lsp}|7 zL1G`MZ3m}5j{YYUQ_L-+3Y4N!k+Gz$N$>0^t(S=)imK`0V?VZ!A42 zvSRXc&=6z)?@sPnt)Fme7Wz7(L!ON*3)e3Molq3~|IFXbLJsu~frzet%+v!9DAEZ6 zk|wK9s;4nqan`ikspWBu9E&6Kvo(hRJkl%ev(|N@O2Z*Dn%!kWjXeBq*Kdr2Ar=gK zAGgyCpNXUXLtW(@=DqN#3m?-CCaY<5?6~@b6VTUKnW$zTJ09!yf%DwvOeAmRA17%G z=yPmPcd{3pGzht#FwFc0y9J)0KN(96?f|hor<_(e)}N!xY=Sc7(-gF^mfuun)xW86 
zQaxNe;%2e+72v8co;n=(IVjVL1NTIwqQ=<`v>+Uv;Fwm8~9)27Li)nr4Zuv%vkiAr?x}*AL zmTYtI9NxFyIIXb2PeZL2*Y%a-XC)=X^9g|2z97ZgQ)@pguId z7{Lk-G^*S7R;h5*I5z6EhKV4?JeA6Fya&&uAh?;K8h_IQ@L3oniu-dmA}=a#SZdlW zu^GxgD}XF+*^_gxk~gcbp)-w?EGg-xmW&u-R?|^ugb}P*tDuu6aPe z)Drud6nUb7KE)G((dBS9$XJOj2tKd^#b;2Tw8`lyt)X+Fx=zwuBavA^A2NNzk!7>C zmrVTT)t~snpf#S;>n2AQO)BXu;Jqe7_?%5pgRZ$pL%k$MA!Fp{Ptkc7^!x-G-&+Q) z90}P{_je@HHW%^@v;LIZJx(LBW@J#0-wvQouqm^WW`8YTLZY<7*K<|aH3?Vt=+PDo zGk1yH+H=tlf5_f1+++m&+2h-HHWL{na)CxJ0z8Ob{66g;;JJc$LR~0+A5lsG~Uf9JObT*-ytN9AE|=auE12$V;SeRc?(} z(rD>Bb*lEKTau_cJ_X=>tvYf5G!3OLKziWhVSdu=I8XNiDecCVV~|NHBMGOoPK};o zUb?K_4dvtya4qx+Y0-1A;7;#IFWJZYGUpAa2U~veIjA7%rMaQ>!lz3S;>FfXOcQFt zh$|T4)wTiQJZ6Z|#XkUyBz1?=Jbxb?52NAF9aPBA&*^tx`k~naqTJLYjz}EJ3 zq$C>v{O{r3*x798*2Q2f|2OrOlY1AhW*5(0&~X3c4+g-fxA+3nf%1&Lw)iU*|Gn>Q z@g7pPxlWz9`IY zZ)#u6lArg~ZEM8(9~=!mY3(ryNW)c7eEcOi`7B@|Dk_!}-9?#xut0Bbn3bSrh1uL4 z`KPun&sSvcEW#Y?v#10{lp0NWrl`LfTW(|P^fsmV*9rCi2KF5}H5hnYy8qiyOdAbB zWWy=cCP0NzRwsRk6wgma`MjB`VolcpD;QWS1>loFN2v&zY(CZ{YIikNK?;}uuK|QMJ}B0ah=0&&ihTsS4hk3D|9~C{M zZ4wruA0ZE9?f+Uw@AKcQ~BPOi+a2nBJk-5bNfZQAYPG za6S-vis^8UNQ<~qc?}j~*gP(GOYG`Z%H2g4pbL@QTJowf5w~n*8F~;$hPYz{4-MV_ zy0RNpxmq41Ue@{aUI3673!7xoD(s&sSGKt!}vxJ}}e97NXgj-t?w&mqX zWLI>En@*Qe>MQtNB!_;8@4+}8y*EdDA`_|S-3E1pF?f|&+ziz(#jFton9U=*6K7o0 z1)a<;tk&PKz^gt19*2p~A?mz__YtaCcK)fJUK^q!bAKe$p$qCEx&AqZNAZvP=oQ?G zT53kC%LFa(m?lzd4G{tlC3ze^x=_?`=)bBW%YUr=CNE)9uy)b1zc=2~$#`m|nWIIo zuLX51iUMYit%Y+ECxCxvzc8BkShJnUYy~$6FN~C?ySzjYbhi@69&8K&nvzu)Ln7xH zWFIMN3BQIS=o1VG-C|hnPYV-$(lEM>A$`2ERfZI`ndfYX$`)qPlZOGB~f<@?4v8N`xn2^ld7t)n0a_aXw_E~(qcs|Vfo2rc-shTRqS zclF3n^+!6m!#0wH7Bb%PY5fE7)e+?t~r)bE{yUmiZ{8=S>Vyn8>q-v)2qdf8L!XS=}9 zcd3DM(LGo|V`{(JCx-LoX!QUHqc|@p+tl2oJ9;S2s#W!4)5sCL+9|t*rM9Z_e7bh$pI=rESMQJKD8|6hE7M)SG~UkH@qJS zx9f2@hxbaed+W^TS|m=0Tl4V$%-lX2r%KpLAc(v%?nCaRrpj^^Gn6kk;T1l&2l@iP zA4-x!BK4|5ZtYUq@AJFGnFOc!ElBKo+zxvewA*jiL=(xEEWQh(9Qa*3+d_VXKGGwh z7WeNe9ry^G7s!{?)?WtF3uBO5D%4A;`ru^9!?nrqqT@>#H+}yAK8y*410Na4%F3#7 
z-fqCA*XU@MQdZj*gvj`M3!OAzg4|!_1t^4wppknT67pUhA1ekIi7r8e=Ki1i0_yxa z>%$GVJmkWut>5${p6ImPflKj0@iBBF5T)BO{FM6N(bU8nCeMfBN~ngs-$q432k^%H zx;mQ; zK4~q+H@Wnh;JXS;7?FlZvkUI%-0pPmp`;)FOk%MKPr799E*6y?MQF58Pn=czr_cS( ojvrIr?oY!7hv9r`W@{N8o4um4!T)deSUd+WN+FxWUBSWq9|8u}1ONa4 literal 6902 zcmVv zA8zh?)RMYeW4(=}_RAUB-@aAF7f}>RQEEBy9%5j|u~hYtERw}yu~>@Aq7Bm`sn65x zH&68Q7Jfc__#S^>{@eSv>TmdY_u<{;VjJk(JVgjJQLQP`$s z5kz931WB=j-{(JE2(}e~`2F-sgFjCGe4j*zHc`;iB53#OgSgD$ALqn+q3{MjRAC+F zK@sN3A6_u37k?a-@DsfV!YnKAk~nC~psmBANwHBT&VN3_?mBK<3Mqawd7-2^dIGiu8^O_~XV_h|&l#~D=1 zN07H+jij9*sr=yEOB2mUXlKCj;h*a&sq+RHw`rC%qF_!9TR|thkwt;NRhc?*0?adR&s5Dv8o<3LV5c63vxlpz^59m<%8< zn@8_(4#Ok=o^fF;+bhq>IOD>>C1!rtI2NeSC)MX>_9{BdSGvj1aN zo8Lg*4f-cSr7NJ6UUxho%U#;;gAfQ0El9Xcqkvl9`5s_tN4ij1^Q$_&#d47HGj^zk z%xkg6S{U%rnM+M6w`6rNp`f7>k(8zs#dz0I7B-EgD0(+6Ym@Ne;wk0f|6c@Uh4K%x zKfGw`gRO~3sujCQ(qiXTta*xv_1xRRYn&i1Z>%y2zP*C~-obz0FS{4{`9FVpChII& z>{S|1vytjUVNo~$)lAs@5s>lW;x3LRsc#oK!dS@9ZSgTZG;NYcZ8p_cr@uQCX-neo zI*MV(d{ZF`V!f3jd7We>ZcIT^DU2t26Yw9w%)514GVlr%%Uz5$VK@fgi&B%1_$!bj zLwa9ExOjyEzJT#R1@~ukQPMOHi#WKeQ`2TLPjXnfzWk)V0~zJByuF5=kTlQ_dBCuR z>?cT57iJJ>((F&ms(qNcga;bFRh+@ZNP7yW!3`=r|oERpFy<4cU{CLf4 ziM`<84a)Lwp^*L(e5X&4tlT+Rm9@}9u`lyP9|L?*W+?-;1-^ zIB^->%m-BAN)fpjik0NRnRpRy=~e?uA_*!Um}z|g-Bnifow zoYt45{o?jBs}0&4SnJtQWX27yC34KNiSE~A)<)X05AuW7YCH9nc|)jieiUBzpm%&Y z!}@g&yubeZV^@dfIgh?7@*aUmi*_0O^7YHG$F${ILtV*0VJ&a8Ej)pLLHNF!*{T@hw%!UmtNr#WPxFj}3=grZ{ZlMNSw za(rQ(6Jz|`BdPJDlsy1gXCSw*<|Y5mi=8*$;3OR9R>sM=cTV`(P%R9cY{KEcuF5Qp z9%zIMry%zNhA;zK5o~a#ydQBIzFOMZyABWSo(FmkJiheunFYjBeW!%26GKm1C`~>x z99=;gJU%W)$J|lJhAKaiUKdjE?vA6PlNE$x&shz|Hk0%7wRx!Z)6MSTEU2;rs90}f z$jb=UF@4`npD>2r)DNo2!MG_8McmMY!PC@bbQwDkmheY}^>Pgc z{TS{JOgxrh>_bjtc&t(#?X?5R7(c1i#Sh6CPS_#ouO*TjN=Eq@k?^gfO2beH#cCXQ zN%dF;i`e_I0GiO{OGmBxC)hTl)y%6Nv?;9Ov8&YK+F|qOxKPYnZ`a=Z_}duvt3*(m z;AgXo zKhp~;279eTv&$0(euZZcsyG?nTD&sKv%58@^QmhkDC@rAAxT6TKy->kXYvtxhEe_H zw5waUVZBRQL6c|A8uZ4FJEOIiQG;V29Wzi^EFR+$#e+oFHSZIAMXSS?zDWHq`XhVv 
zyiJ~}4EO#24b@Q|L*Jk|IhNnJT2?Ij6t!T%F*yTxH`YOJb!z(()0xj^JLzY zpf1a{yqRh$uU-Z}C4f^?VgXolR;0?}q=|TlO~r$25)4s+>I8TD1oU97hLeP39t%G) zd2_QY_}h;^2US_OG6tvOdXk}IW7uY+xvHOZM)C0-+D)$?OS)zc59 z=RELxSC@w>IOT4sGp?mQYQc>%2GG^Rwv&P8rXemgWL1C;bQ<1$YGI61L|z;wIjCo* zv`-Bsxh^!N0x@VJ{dF76rW@V<#-oisra10kh?xjdI@P&M zXoCv!BN9FG=2T;H%>KL@XaIa9dj|f{5PPgnWIQk(V6%f{i4K3-@wbg_RMCJNjwDl!P{m@0y(%+{#3$CT*U$kT z{cDpJGX9<()FIe3NxKC|T=3Qyd`0P>K3$L10<0KuU|%O0*vAD=(rSqdvah9 zJqy5A1L?<@_8rsSmkH|hyWqlqd$O4VK6ugULr=6esun;w!~>Km?A?UC3N~a5G>4{2 zirB@e>q@mL=pv%Y>NSp;5(;3Nlu-(m_n1-CxFcG81S_bVbcsF#^_8W?&H9F4P&_2J z7#?s$%>*KJM4W~@4NAP71?j4lTtaaGkcNg$Vp6Bk8WgzE%sP`SIB+Mjfc&Sj(8z@0 zTqn^j3+lpc_IS7~FX(8~?Kn`NbKu{5u|nTPB5O{QP#AF(W$SvY)hCJ^Pt zhy@^hG!hTk!DL2{d~x5_W!^3Hl<*`kV=xm|#$*U1)f1t>!)>1F7WuJY!#oSK5l2Iw zJ&_GD&;puQ+O;P(47w=-6Wd>NB;1_-bR#k-u=xDt)B$SuMqbQoGTWh>;^yWw*N&$7 z2)x=V&>pd^6r~@0l6P(9HFjrsFt@2rtjSZ$hG)KtoQr8T=`ZSxjLb z-Xy(%pM4VD1b1b9a}H$xQC7+JkYx|(a0dzG* z=|n=NfYBkMnGhImr?IiTU+7=3*%33QZ_iz4eKBu3PsE-)y?ycfzDlpju0dNS{gDD6 zxrTDI(0%cb5xjpJxMSie3lX=@pR$a}2KSUQd{z;Si413D`M7o;V!2A+sxJ4b(}cB6 zH7n*dM`jM_9A-0SnJY2l+`;03IeBn+U@na}dA7SSeR`M^Pc(ddN3pERGM1A0+U=8I zcXx1~68>s=eAB)0rzt|Y^Zj%M;5F^l%Z{cish6u`Ih$)NHQk(v?}<5C>3QN#R(zhg z)16VCz>~G$7_N^d?4|CWxCu06jPS4Wf(GnZuCuwL*9&v15$Op$ZKT5K7REQmNa>G1@n{2nRM8JQFt(+OL?A|trpK*u zixKr^{d@yLPck0u&BClG=-W)LQWr^!?g?LVx@r2*L~UlNiXgs2WG_+>TNCY**spLr z@3sh`ipJbT_ou6arh*QJfd7fZP zw=A0SD!0T$0xkd})Cz*c4{DyC6o5xCH4-H;Q%klW%2a;ub z@M_+nAU}-ex3+Z`x{#RkDZ1R*Mo!86J|mU)5JuDQ2}h}S>#|_UVR@<;b6c9WtkHzS z7zR?`_ZY;NHa8Y}I=aV2tZ16Mw2k&=I-VXuA3m@#jmtX=G|y-&?yH%phzQ>wEG^;$ zW##6#sUvzXwvqhAl=4JiB#fh@S6!+Qobc4@yxCc(d&FQP;mH+H+cw{66DiYxLL1Zn z3+(~^9Yfaz>=xmg4y4vmVr##NRoJy#cmfC^U^rBVR$F57qTJubVH-N;5!v2i(%CEU zG8j@jdd{&IV7xL3vf_PSF?}IF8)%ta$)QcT?HVWB@Q}64&vI`QiORu-pAGt;1OS}22}!Y9!6_) zpVn!d&>t+S*$anaX^Lh}6|NLsdlh`co*x5PTPW6A{=yN1zpGsu2V!$MNO|QOX9y}l z#uo-`S33+^^p0A*-`0AJ?om;YTtOcXNHN6muI@sJA5F290j^lgT{k@_`Oy)a8bl&R z-ALzH{EXc}+BDYTL7eZAjCw(fTkX9ibKIw~V-Awrv;wtUY|9Y`$nS@wY1d@a=@(25 
z^t?Um9A*g^Gj11*Aa*-g48%VE9s0bT7xGhin1GZGM-N)H56Ku8UMk}CWbGMSqs<;# zTFBzES=@|v(`dlQvPz;th9Q;glME)K%luxg;^bD{gIGLK3K0kn58G{SE}*1thsD-1 zTO`TBgC@JBHMgxxN7e9?2v{p8MOK!T7nEO-SUE5$YNrc8$SiHrn4+;px9EJUasDkvj-nA$uqf0T=K+i%-_Ix#tY!O3#onR3iyxW=u)%S-h|t4udTm1&)7a*^-Q?7 z`-umcuLPR@?RnRb(n&{LA)vAw9(m(xi`;0f@7c!FkC>b+i}+z^$=V-aI%XROq^B>2 z(9)u8)9r)XWs?^B1T}K3geZ-)NY-+BH`Itc@BGSMb%$8eS#8}(O46#$?;RvU@_=NO zJP`^%z$l@Z7l#53$S9;vuphXg1qM6yZlef&*T6&jcAf4qGtU(b7UJ&v z5}$f<^2D11S|1^ri@VgeXv+H$K6_P3%f^Q1T?)Y^EjxVRJjCiaSjTk*Ib>yI5}~kD zdF<*=Nv@zwRmMoURYIF_x#Ag0q_f~Qg-#_u>Xu!i?o=r}anwO0bTm+-WMMu|Z?MMU z))Oak2`g+9>qJ?=oJ6#Ok2R+==BaKDQ~s4p;7yosLQUjR>Mcql_39p?oF;W*85cW= zYpl*zA@GblB#bTmZ!15O)m4N&ceK+;?x>BC-rZ8cLc@n~I0?l_^B^Swj#t|3=0gmH zT+eOU^n}a~xz9AFK^jXt6LV*n-W!5X+0_(w{C2IC*$=8R0V=tF=mfu2z8|HxKstnd znrleHXlL6ty@(9fr_2zfAm<^hpcElD?sd>o+OFzM z8Thx=!C+yhWuAxo(27srtvXCTbDi=u0n5z8(V&LJQYRN*1x>7 z=t+;byWZy>A&1Qx{7R^X@ptAKNjY5Yd zs2AoNqck~B66Ps3W=Nu(e8=2{btU>6e8s{zTL#6*mB?_8;27cb>7?#d(RyxZ z$d7EE^nNAsacT&VhtaBr8{^2;mT+E#@yy=7q;f9%Dy^h?w%Hs+-WeVeQ+WvjLiMP; z^vs$6`jt5e=Ky(a3ZD@jM(`mA)?YJxNN zeUOnXXFQeWjD%Y%=fw0<(hRr2DFF;JmD;tM9mZ-`h|hD3+~*ko#)#|P=+%ye;GLH- z7AnJaFXPxE+*dSw(8sT7SU&bLqV|vd`U|=1r`#2qCOE&F0CKErcQp)-FG=c(&6Gq+ zz@11RV+8XHI+Wz&@o18CrowA=ZTB+xk>xwg9$40klzm_a7Hu%6Q5m1(hX@0M?JAS_ zclA5tc`sN>PPJI}ge?wedy;i_tzVwd5`3~W`UGf5o7}r+#P3>o-AS5r(;@*d8!Qe&d3kFNXXff*c!cO zG*R@8eyhh28^eP6(Q#3-gHbJKH1pc=2w0iCke|)=T%v-~IEZ=JE4%(9of>+?gd?!Q z5!d00=g`!X^(sVbxRt~j)DPJmW^puR{S}fJb(N!!ulsbUUjERyk@VLtY7q>nP@67Y znW7%KiB10A1~&RP%=4S%rs%w3iLnxUdCdo~3{n=&NOi#*rnbow)vB>qHM)NXbF3YY zc7)D(S*-QX|7e=3 zGc&{VdVZpz&arUDND zKd@gF#)sQ;cHtAT zIpBwD)GFh>k0!Qn#_etwkK-T9@pMPfiz?F(>y1%q+CjQi$v?rdxbJcJgk$j0<8O~+ zZ@=SiUy<;6>N0+OQZtY7PRSHKhBZNNy?Pz|+I{X@jjOiZ=JS;sF_YBBZwPv0!b%J3 zsPVK!2bXllc}6Y>c^I@)3iZ1ZNwJap-{9=% zzJ6iv|K*SD`Sb0QecR6c{lCk%-(S5SeE;w5*YE#*mY)l>A1{76XJ7Q8uY=-{NbXzy z3A^>-BVUy2kDZ#}Da@OSDe%fDjhDh}RKR6sQD1v3-bG3Y%T0m~nr}_{ z?|CXq`Rp7=Pg2*?hzljAbOROy$nE%S8hOfoiH0p(eomK3WU{TLBTcwCj1 
zku4%!a2G%_wZF{Wf0Pn-YATNT1PV(aoAuVwYRe42sP?iKv5XQE_zUYY0lTI1-xb%yf^%o%`zh7s~59#o2j6K w$TLNc0kC4TP0#@J=`0m!HxEZ>k}vI)`TFzq=j+ecpU?2~Px@Y0k^sm601ZL3umAu6 diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 4b9c6c9d..b7cc288b 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -2201,7 +2201,7 @@ index c6ca761c9..0c86bfd54 100644 ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index c44c3592a..5038ed0d5 100644 +index c44c3592a..cba535365 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1) @@ -2259,7 +2259,7 @@ index c44c3592a..5038ed0d5 100644 fs_getattr_xattr_fs(netutils_t) -@@ -80,12 +86,12 @@ init_use_script_ptys(netutils_t) +@@ -80,15 +86,19 @@ init_use_script_ptys(netutils_t) auth_use_nsswitch(netutils_t) @@ -2275,7 +2275,14 @@ index c44c3592a..5038ed0d5 100644 userdom_use_all_users_fds(netutils_t) optional_policy(` -@@ -110,11 +116,10 @@ allow ping_t self:capability { setuid net_raw }; ++ kdump_dontaudit_inherited_kdumpctl_tmp_pipes(netutils_t) ++') ++ ++optional_policy(` + nis_use_ypbind(netutils_t) + ') + +@@ -110,11 +120,10 @@ allow ping_t self:capability { setuid net_raw }; allow ping_t self:process { getcap setcap }; dontaudit ping_t self:capability sys_tty_config; allow ping_t self:tcp_socket create_socket_perms; @@ -2289,7 +2296,7 @@ index c44c3592a..5038ed0d5 100644 corenet_all_recvfrom_netlabel(ping_t) corenet_tcp_sendrecv_generic_if(ping_t) corenet_raw_sendrecv_generic_if(ping_t) -@@ -124,6 +129,9 @@ corenet_raw_bind_generic_node(ping_t) +@@ -124,6 +133,9 @@ corenet_raw_bind_generic_node(ping_t) corenet_tcp_sendrecv_all_ports(ping_t) fs_dontaudit_getattr_xattr_fs(ping_t) 
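Review bot: The new `kdump_dontaudit_inherited_kdumpctl_tmp_pipes(netutils_t)` block in the netutils.te hunk silences a denial on pipes inherited from kdumpctl instead of granting access or closing the fd leak, so it is only the right fix if netutils_t genuinely never needs that pipe; if a kdump helper does read it, the failure is now invisible in the audit log. The interface is defined, if at all, in kdump.if inside the contrib patch, which is not visible here — in a refpolicy build an undefined interface name is not skipped by `optional_policy`, m4 leaves it unexpanded and the compile fails, so confirm the contrib hunk adds it under exactly this spelling. A one-line why-comment above the call, e.g. `# kdumpctl leaks its tmp pipe fd into netutils_t; silence rather than grant`, would record why dontaudit was chosen over a fix at the source. The netutils_t section continues before and after this hunk.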
@@ -2299,7 +2306,7 @@ index c44c3592a..5038ed0d5 100644 domain_use_interactive_fds(ping_t) -@@ -131,14 +139,14 @@ files_read_etc_files(ping_t) +@@ -131,14 +143,14 @@ files_read_etc_files(ping_t) files_dontaudit_search_var(ping_t) kernel_read_system_state(ping_t) @@ -2318,7 +2325,7 @@ index c44c3592a..5038ed0d5 100644 ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) -@@ -146,14 +154,29 @@ ifdef(`hide_broken_symptoms',` +@@ -146,14 +158,29 @@ ifdef(`hide_broken_symptoms',` optional_policy(` nagios_dontaudit_rw_log(ping_t) nagios_dontaudit_rw_pipes(ping_t) @@ -2348,7 +2355,7 @@ index c44c3592a..5038ed0d5 100644 pcmcia_use_cardmgr_fds(ping_t) ') -@@ -161,6 +184,15 @@ optional_policy(` +@@ -161,6 +188,15 @@ optional_policy(` hotplug_use_fds(ping_t) ') @@ -2364,7 +2371,7 @@ index c44c3592a..5038ed0d5 100644 ######################################## # # Traceroute local policy -@@ -174,7 +206,6 @@ allow traceroute_t self:udp_socket create_socket_perms; +@@ -174,7 +210,6 @@ allow traceroute_t self:udp_socket create_socket_perms; kernel_read_system_state(traceroute_t) kernel_read_network_state(traceroute_t) @@ -2372,7 +2379,7 @@ index c44c3592a..5038ed0d5 100644 corenet_all_recvfrom_netlabel(traceroute_t) corenet_tcp_sendrecv_generic_if(traceroute_t) corenet_udp_sendrecv_generic_if(traceroute_t) -@@ -198,6 +229,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) +@@ -198,6 +233,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) @@ -2380,7 +2387,7 @@ index c44c3592a..5038ed0d5 100644 files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) -@@ -206,11 +238,17 @@ auth_use_nsswitch(traceroute_t) +@@ -206,11 +242,17 @@ auth_use_nsswitch(traceroute_t) logging_send_syslog_msg(traceroute_t) @@ -3182,7 +3189,7 @@ index 99e3903ea..fa68362ea 100644 ## ## 
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1e7..d698fdd02 100644 +index 1d732f1e7..6a7c8001a 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; @@ -3313,7 +3320,7 @@ index 1d732f1e7..d698fdd02 100644 dontaudit groupadd_t self:capability { fsetid sys_tty_config }; allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow groupadd_t self:process { setrlimit setfscreate }; -@@ -212,8 +236,8 @@ selinux_compute_create_context(groupadd_t) +@@ -212,17 +236,18 @@ selinux_compute_create_context(groupadd_t) selinux_compute_relabel_context(groupadd_t) selinux_compute_user_contexts(groupadd_t) @@ -3324,7 +3331,8 @@ index 1d732f1e7..d698fdd02 100644 init_use_fds(groupadd_t) init_read_utmp(groupadd_t) -@@ -221,8 +245,8 @@ init_dontaudit_write_utmp(groupadd_t) + init_dontaudit_write_utmp(groupadd_t) ++init_dbus_chat(groupadd_t) domain_use_interactive_fds(groupadd_t) @@ -3334,7 +3342,7 @@ index 1d732f1e7..d698fdd02 100644 files_read_etc_runtime_files(groupadd_t) files_read_usr_symlinks(groupadd_t) -@@ -232,14 +256,14 @@ corecmd_exec_bin(groupadd_t) +@@ -232,14 +257,14 @@ corecmd_exec_bin(groupadd_t) logging_send_audit_msgs(groupadd_t) logging_send_syslog_msg(groupadd_t) @@ -3351,7 +3359,7 @@ index 1d732f1e7..d698fdd02 100644 auth_relabel_shadow(groupadd_t) auth_etc_filetrans_shadow(groupadd_t) -@@ -251,6 +275,10 @@ userdom_use_unpriv_users_fds(groupadd_t) +@@ -251,6 +276,10 @@ userdom_use_unpriv_users_fds(groupadd_t) userdom_dontaudit_search_user_home_dirs(groupadd_t) optional_policy(` @@ -3362,7 +3370,7 @@ index 1d732f1e7..d698fdd02 100644 dpkg_use_fds(groupadd_t) dpkg_rw_pipes(groupadd_t) ') -@@ -273,7 +301,7 @@ optional_policy(` +@@ -273,7 +302,7 @@ optional_policy(` # Passwd local policy # 
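Review bot: `init_dbus_chat(groupadd_t)` is added bare, outside any `optional_policy` or tunable, and a `_dbus_chat` interface conventionally grants `dbus send_msg` in both directions between groupadd_t and init_t (pid 1), a permanent widening for a domain that is entered from more callers than ipa-server-install. The hunk shows no matching `dbus_system_bus_client(groupadd_t)`; without send_msg to the bus daemon the next AVC will simply land on system_dbusd_t, so confirm that rule exists elsewhere in the groupadd_t section or the fix is incomplete. A why-comment tying the rule to the bug, e.g. `# BZ 1488404: groupadd talks to systemd over D-Bus during ipa-server-install`, would let a later reviewer test whether it is still needed. The groupadd_t section starts and ends outside this hunk.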
@@ -3371,7 +3379,7 @@ index 1d732f1e7..d698fdd02 100644 dontaudit passwd_t self:capability sys_tty_config; allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow passwd_t self:process { setrlimit setfscreate }; -@@ -288,6 +316,7 @@ allow passwd_t self:shm create_shm_perms; +@@ -288,6 +317,7 @@ allow passwd_t self:shm create_shm_perms; allow passwd_t self:sem create_sem_perms; allow passwd_t self:msgq create_msgq_perms; allow passwd_t self:msg { send receive }; @@ -3379,7 +3387,7 @@ index 1d732f1e7..d698fdd02 100644 allow passwd_t crack_db_t:dir list_dir_perms; read_files_pattern(passwd_t, crack_db_t, crack_db_t) -@@ -296,6 +325,7 @@ kernel_read_kernel_sysctls(passwd_t) +@@ -296,6 +326,7 @@ kernel_read_kernel_sysctls(passwd_t) # for SSP dev_read_urand(passwd_t) @@ -3387,7 +3395,7 @@ index 1d732f1e7..d698fdd02 100644 fs_getattr_xattr_fs(passwd_t) fs_search_auto_mountpoints(passwd_t) -@@ -310,26 +340,32 @@ selinux_compute_create_context(passwd_t) +@@ -310,26 +341,32 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) @@ -3424,7 +3432,7 @@ index 1d732f1e7..d698fdd02 100644 # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(passwd_t) -@@ -338,12 +374,11 @@ init_use_fds(passwd_t) +@@ -338,12 +375,11 @@ init_use_fds(passwd_t) logging_send_audit_msgs(passwd_t) logging_send_syslog_msg(passwd_t) @@ -3438,7 +3446,7 @@ index 1d732f1e7..d698fdd02 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -352,6 +387,20 @@ userdom_read_user_tmp_files(passwd_t) +@@ -352,6 +388,20 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) 
@@ -3459,7 +3467,7 @@ index 1d732f1e7..d698fdd02 100644 optional_policy(` nscd_run(passwd_t, passwd_roles) -@@ -362,7 +411,7 @@ optional_policy(` +@@ -362,7 +412,7 @@ optional_policy(` # Password admin local policy # @@ -3468,7 +3476,7 @@ index 1d732f1e7..d698fdd02 100644 allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow sysadm_passwd_t self:process { setrlimit setfscreate }; allow sysadm_passwd_t self:fd use; -@@ -401,9 +450,10 @@ dev_read_urand(sysadm_passwd_t) +@@ -401,9 +451,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -3481,7 +3489,7 @@ index 1d732f1e7..d698fdd02 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) -@@ -416,7 +466,6 @@ files_read_usr_files(sysadm_passwd_t) +@@ -416,7 +467,6 @@ files_read_usr_files(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t) @@ -3489,7 +3497,7 @@ index 1d732f1e7..d698fdd02 100644 files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups -@@ -426,12 +475,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) +@@ -426,12 +476,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(sysadm_passwd_t) @@ -3502,7 +3510,7 @@ index 1d732f1e7..d698fdd02 100644 userdom_use_unpriv_users_fds(sysadm_passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir -@@ -446,8 +492,10 @@ optional_policy(` +@@ -446,8 +493,10 @@ optional_policy(` # Useradd local policy # 
@@ -3515,7 +3523,7 @@ index 1d732f1e7..d698fdd02 100644 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; allow useradd_t self:fd use; -@@ -461,6 +509,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; +@@ -461,6 +510,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; @@ -3526,7 +3534,7 @@ index 1d732f1e7..d698fdd02 100644 # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -468,29 +520,28 @@ corecmd_exec_shell(useradd_t) +@@ -468,29 +521,28 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -3566,7 +3574,7 @@ index 1d732f1e7..d698fdd02 100644 auth_run_chk_passwd(useradd_t, useradd_roles) auth_rw_lastlog(useradd_t) -@@ -498,6 +549,7 @@ auth_rw_faillog(useradd_t) +@@ -498,45 +550,50 @@ auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) # these may be unnecessary due to the above # domtrans_chk_passwd() call. @@ -3574,7 +3582,11 @@ index 1d732f1e7..d698fdd02 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -508,35 +560,38 @@ init_rw_utmp(useradd_t) + + init_use_fds(useradd_t) + init_rw_utmp(useradd_t) ++init_dbus_chat(useradd_t) + logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) @@ -3624,7 +3636,7 @@ index 1d732f1e7..d698fdd02 100644 ') optional_policy(` -@@ -545,14 +600,27 @@ optional_policy(` +@@ -545,14 +602,27 @@ optional_policy(` ') optional_policy(` @@ -3652,7 +3664,7 @@ index 1d732f1e7..d698fdd02 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -562,3 +630,12 @@ optional_policy(` +@@ -562,3 +632,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') 
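Review bot: The `init_dbus_chat(useradd_t)` line is the only behavioural change in this hunk, yet the changelog in the commit message mentions only groupadd_t, so the useradd_t widening is undocumented. It sits in the main body of the useradd_t section next to `init_rw_utmp(useradd_t)` with no tunable or `optional_policy` around it, so every useradd invocation gains bidirectional `dbus send_msg` with init_t, not just the ipa-server-install path. Either extend the changelog entry to `Allow groupadd_t and useradd_t domains to dbus chat with systemd` or add a comment above the rule naming the bug so the grant can be traced. The useradd_t section continues before and after this hunk.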
@@ -42484,7 +42496,7 @@ index 9fe8e01e3..c62c76136 100644 /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) ') diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if -index fc28bc31b..e4b9a3bf0 100644 +index fc28bc31b..7ed7664fb 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -67,6 +67,27 @@ interface(`miscfiles_read_all_certs',` @@ -42515,7 +42527,33 @@ index fc28bc31b..e4b9a3bf0 100644 ## Read generic SSL certificates. ## ## -@@ -106,6 +127,24 @@ interface(`miscfiles_manage_generic_cert_dirs',` +@@ -88,6 +109,25 @@ interface(`miscfiles_read_generic_certs',` + + ######################################## + ## ++## mmap generic SSL certificates. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`miscfiles_map_generic_certs',` ++ gen_require(` ++ type cert_t; ++ ') ++ ++ allow $1 cert_t:file map; ++') ++ ++######################################## ++## + ## Manage generic SSL certificates. + ## + ## +@@ -106,6 +146,24 @@ interface(`miscfiles_manage_generic_cert_dirs',` ######################################## ## @@ -42540,7 +42578,7 @@ index fc28bc31b..e4b9a3bf0 100644 ## Manage generic SSL certificates. ## ## -@@ -121,7 +160,7 @@ interface(`miscfiles_manage_generic_cert_files',` +@@ -121,7 +179,7 @@ interface(`miscfiles_manage_generic_cert_files',` ') manage_files_pattern($1, cert_t, cert_t) @@ -42549,7 +42587,7 @@ index fc28bc31b..e4b9a3bf0 100644 ') ######################################## -@@ -156,6 +195,26 @@ interface(`miscfiles_manage_cert_dirs',` +@@ -156,6 +214,26 @@ interface(`miscfiles_manage_cert_dirs',` ######################################## ## @@ -42576,7 +42614,7 @@ index fc28bc31b..e4b9a3bf0 100644 ## Manage SSL certificates. ## ## -@@ -191,6 +250,7 @@ interface(`miscfiles_read_fonts',` +@@ -191,6 +269,7 @@ interface(`miscfiles_read_fonts',` allow $1 fonts_t:dir list_dir_perms; read_files_pattern($1, fonts_t, fonts_t) 
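Review bot: The new `miscfiles_map_generic_certs` interface grants only `cert_t:file map`, so on its own it does not let a caller open or read anything, and its `<summary>` does not say that it is meant to be paired with `miscfiles_read_generic_certs`, which supplies open/read. It also covers every file labelled cert_t; if, as in the stock file contexts, private keys under /etc/pki share that type, the map grant reaches them too, which the doc should state so callers can judge the exposure. Suggested summary: `## Map generic SSL certificate files (cert_t) into memory. Grants only the map permission; pair with miscfiles_read_generic_certs(), which supplies open and read.`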
@@ -42584,7 +42622,7 @@ index fc28bc31b..e4b9a3bf0 100644 read_lnk_files_pattern($1, fonts_t, fonts_t) allow $1 fonts_cache_t:dir list_dir_perms; -@@ -414,6 +474,7 @@ interface(`miscfiles_read_localization',` +@@ -414,6 +493,7 @@ interface(`miscfiles_read_localization',` allow $1 locale_t:dir list_dir_perms; read_files_pattern($1, locale_t, locale_t) read_lnk_files_pattern($1, locale_t, locale_t) @@ -42592,7 +42630,7 @@ index fc28bc31b..e4b9a3bf0 100644 ') ######################################## -@@ -434,6 +495,7 @@ interface(`miscfiles_rw_localization',` +@@ -434,6 +514,7 @@ interface(`miscfiles_rw_localization',` files_search_usr($1) allow $1 locale_t:dir list_dir_perms; rw_files_pattern($1, locale_t, locale_t) @@ -42600,7 +42638,7 @@ index fc28bc31b..e4b9a3bf0 100644 ') ######################################## -@@ -453,6 +515,7 @@ interface(`miscfiles_relabel_localization',` +@@ -453,6 +534,7 @@ interface(`miscfiles_relabel_localization',` files_search_usr($1) relabel_files_pattern($1, locale_t, locale_t) @@ -42608,7 +42646,7 @@ index fc28bc31b..e4b9a3bf0 100644 ') ######################################## -@@ -470,7 +533,6 @@ interface(`miscfiles_legacy_read_localization',` +@@ -470,7 +552,6 @@ interface(`miscfiles_legacy_read_localization',` type locale_t; ') @@ -42616,7 +42654,7 @@ index fc28bc31b..e4b9a3bf0 100644 allow $1 locale_t:file execute; ') -@@ -531,6 +593,10 @@ interface(`miscfiles_read_man_pages',` +@@ -531,6 +612,10 @@ interface(`miscfiles_read_man_pages',` allow $1 { man_cache_t man_t }:dir list_dir_perms; read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) 
@@ -42627,7 +42665,7 @@ index fc28bc31b..e4b9a3bf0 100644 ') ######################################## -@@ -554,6 +620,29 @@ interface(`miscfiles_delete_man_pages',` +@@ -554,6 +639,29 @@ interface(`miscfiles_delete_man_pages',` delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) @@ -42657,7 +42695,7 @@ index fc28bc31b..e4b9a3bf0 100644 ') ######################################## -@@ -622,6 +711,30 @@ interface(`miscfiles_manage_man_cache',` +@@ -622,6 +730,30 @@ interface(`miscfiles_manage_man_cache',` ######################################## ## @@ -42688,7 +42726,7 @@ index fc28bc31b..e4b9a3bf0 100644 ## Read public files used for file ## transfer services. ## -@@ -784,8 +897,11 @@ interface(`miscfiles_etc_filetrans_localization',` +@@ -784,8 +916,11 @@ interface(`miscfiles_etc_filetrans_localization',` type locale_t; ') @@ -42702,7 +42740,7 @@ index fc28bc31b..e4b9a3bf0 100644 ') ######################################## -@@ -809,3 +925,61 @@ interface(`miscfiles_manage_localization',` +@@ -809,3 +944,61 @@ interface(`miscfiles_manage_localization',` manage_lnk_files_pattern($1, locale_t, locale_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 59f9fbf9..9809300f 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -5579,7 +5579,7 @@ index f6eb4851f..fe461a3fc 100644 + ps_process_pattern(httpd_t, $1) ') diff --git a/apache.te b/apache.te -index 6649962b6..6dd10dd7d 100644 +index 6649962b6..a6b4312e6 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) 
@@ -6297,7 +6297,7 @@ index 6649962b6..6dd10dd7d 100644 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file }) setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -450,140 +570,177 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -450,140 +570,178 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -6419,6 +6419,7 @@ index 6649962b6..6dd10dd7d 100644 miscfiles_read_fonts(httpd_t) miscfiles_read_public_files(httpd_t) miscfiles_read_generic_certs(httpd_t) ++miscfiles_map_generic_certs(httpd_t) miscfiles_read_tetex_data(httpd_t) - -seutil_dontaudit_search_config(httpd_t) @@ -6539,7 +6540,7 @@ index 6649962b6..6dd10dd7d 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -594,28 +751,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -594,28 +752,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -6599,7 +6600,7 @@ index 6649962b6..6dd10dd7d 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -624,68 +803,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -624,68 +804,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -6702,7 +6703,7 @@ index 6649962b6..6dd10dd7d 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -695,49 +862,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -695,49 +863,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -6783,7 +6784,7 @@ index 6649962b6..6dd10dd7d 100644 ') optional_policy(` -@@ -749,24 +915,32 @@ optional_policy(` +@@ -749,24 +916,32 @@ optional_policy(` ') optional_policy(` 
@@ -6822,7 +6823,7 @@ index 6649962b6..6dd10dd7d 100644 ') optional_policy(` -@@ -775,6 +949,10 @@ optional_policy(` +@@ -775,6 +950,10 @@ optional_policy(` tunable_policy(`httpd_dbus_avahi',` avahi_dbus_chat(httpd_t) ') @@ -6833,7 +6834,7 @@ index 6649962b6..6dd10dd7d 100644 ') optional_policy(` -@@ -786,35 +964,62 @@ optional_policy(` +@@ -786,35 +965,62 @@ optional_policy(` ') optional_policy(` @@ -6909,7 +6910,7 @@ index 6649962b6..6dd10dd7d 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +1027,31 @@ optional_policy(` +@@ -822,8 +1028,31 @@ optional_policy(` ') optional_policy(` @@ -6941,7 +6942,7 @@ index 6649962b6..6dd10dd7d 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +1060,8 @@ optional_policy(` +@@ -832,6 +1061,8 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6950,7 +6951,7 @@ index 6649962b6..6dd10dd7d 100644 ') optional_policy(` -@@ -842,20 +1072,48 @@ optional_policy(` +@@ -842,20 +1073,48 @@ optional_policy(` ') optional_policy(` @@ -7005,7 +7006,7 @@ index 6649962b6..6dd10dd7d 100644 ') optional_policy(` -@@ -863,16 +1121,31 @@ optional_policy(` +@@ -863,16 +1122,31 @@ optional_policy(` ') optional_policy(` @@ -7039,7 +7040,7 @@ index 6649962b6..6dd10dd7d 100644 ') optional_policy(` -@@ -883,65 +1156,189 @@ optional_policy(` +@@ -883,65 +1157,189 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -7251,7 +7252,7 @@ index 6649962b6..6dd10dd7d 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1347,75 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1348,75 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) 
@@ -7405,7 +7406,7 @@ index 6649962b6..6dd10dd7d 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1432,107 @@ optional_policy(` +@@ -1083,172 +1433,107 @@ optional_policy(` ') ') @@ -7643,7 +7644,7 @@ index 6649962b6..6dd10dd7d 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1540,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1541,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7741,7 +7742,7 @@ index 6649962b6..6dd10dd7d 100644 ######################################## # -@@ -1321,8 +1615,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1616,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7758,7 +7759,7 @@ index 6649962b6..6dd10dd7d 100644 ') ######################################## -@@ -1330,49 +1631,41 @@ optional_policy(` +@@ -1330,49 +1632,41 @@ optional_policy(` # User content local policy # @@ -7825,7 +7826,7 @@ index 6649962b6..6dd10dd7d 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1675,109 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1676,109 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -9912,7 +9913,7 @@ index 531a8f244..3fcf18722 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 124112346..73543d306 100644 +index 124112346..57a8b4484 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -9991,7 +9992,7 @@ index 124112346..73543d306 100644 corenet_tcp_bind_rndc_port(named_t) corenet_tcp_sendrecv_rndc_port(named_t) -@@ -141,9 +150,13 @@ corenet_sendrecv_all_client_packets(named_t) +@@ -141,13 +150,18 @@ corenet_sendrecv_all_client_packets(named_t) corenet_tcp_connect_all_ports(named_t) corenet_tcp_sendrecv_all_ports(named_t) 
@@ -10005,7 +10006,12 @@ index 124112346..73543d306 100644 domain_use_interactive_fds(named_t) -@@ -175,6 +188,19 @@ tunable_policy(`named_write_master_zones',` + files_read_etc_runtime_files(named_t) ++files_mmap_usr_files(named_t) + + fs_getattr_all_fs(named_t) + fs_search_auto_mountpoints(named_t) +@@ -175,6 +189,19 @@ tunable_policy(`named_write_master_zones',` ') optional_policy(` @@ -10025,7 +10031,7 @@ index 124112346..73543d306 100644 dbus_system_domain(named_t, named_exec_t) init_dbus_chat_script(named_t) -@@ -187,7 +213,17 @@ optional_policy(` +@@ -187,7 +214,17 @@ optional_policy(` ') optional_policy(` @@ -10043,7 +10049,7 @@ index 124112346..73543d306 100644 kerberos_use(named_t) ') -@@ -214,8 +250,9 @@ optional_policy(` +@@ -214,8 +251,9 @@ optional_policy(` # NDC local policy # @@ -10055,7 +10061,7 @@ index 124112346..73543d306 100644 allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; -@@ -229,10 +266,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; +@@ -229,10 +267,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; allow ndc_t named_zone_t:dir search_dir_perms; @@ -10067,7 +10073,7 @@ index 124112346..73543d306 100644 corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -242,6 +278,9 @@ corenet_tcp_bind_generic_node(ndc_t) +@@ -242,6 +279,9 @@ corenet_tcp_bind_generic_node(ndc_t) corenet_tcp_connect_rndc_port(ndc_t) corenet_sendrecv_rndc_client_packets(ndc_t) @@ -10077,7 +10083,7 @@ index 124112346..73543d306 100644 domain_use_interactive_fds(ndc_t) files_search_pids(ndc_t) -@@ -257,7 +296,7 @@ init_use_script_ptys(ndc_t) +@@ -257,7 +297,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) @@ -14802,10 +14808,10 @@ index 000000000..55fe0d668 +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 000000000..21e6ae757 +index 000000000..73f3eb8a0 --- /dev/null 
+++ b/cloudform.te -@@ -0,0 +1,249 @@ +@@ -0,0 +1,250 @@ +policy_module(cloudform, 1.0) +######################################## +# @@ -14913,6 +14919,7 @@ index 000000000..21e6ae757 +selinux_validate_context(cloud_init_t) + +systemd_dbus_chat_hostnamed(cloud_init_t) ++systemd_dbus_chat_timedated(cloud_init_t) +systemd_exec_systemctl(cloud_init_t) +systemd_start_all_services(cloud_init_t) + @@ -25774,10 +25781,10 @@ index 000000000..b3784d85d +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 000000000..22cafcd43 +index 000000000..86c5021d6 --- /dev/null +++ b/dirsrv.te -@@ -0,0 +1,207 @@ +@@ -0,0 +1,211 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -25942,6 +25949,10 @@ index 000000000..22cafcd43 + systemd_manage_passwd_run(dirsrv_t) +') + ++optional_policy(` ++ rolekit_read_tmp(dirsrv_t) ++') ++ +######################################## +# +# dirsrv-snmp local policy @@ -39954,10 +39965,10 @@ index 000000000..d611c53d4 +') diff --git a/ipa.te b/ipa.te new file mode 100644 -index 000000000..28955ddc0 +index 000000000..99cb86250 --- /dev/null +++ b/ipa.te -@@ -0,0 +1,273 @@ +@@ -0,0 +1,275 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -40154,6 +40165,8 @@ index 000000000..28955ddc0 + +dev_read_rand(ipa_dnskey_t) + ++can_exec(ipa_dnskey_t,ipa_dnskey_exec_t) ++ +libs_exec_ldconfig(ipa_dnskey_t) + +logging_send_syslog_msg(ipa_dnskey_t) @@ -47356,7 +47369,7 @@ index 2a491d96c..3399d597a 100644 + virt_dgram_send(lldpad_t) +') diff --git a/loadkeys.te b/loadkeys.te -index d2f464375..c8e6b37b0 100644 +index d2f464375..ecbfa88ff 100644 --- a/loadkeys.te +++ b/loadkeys.te @@ -25,20 +25,19 @@ kernel_read_system_state(loadkeys_t) 
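Review bot: `can_exec(ipa_dnskey_t,ipa_dnskey_exec_t)` in the ipa.te hunk drops the space after the comma that the neighbouring macro calls in this file use (`policy_module(ipa, 1.0.0)`), so write it as `can_exec(ipa_dnskey_t, ipa_dnskey_exec_t)`. Letting a domain re-execute its own entrypoint without a transition is a common and acceptable pattern, but the rule carries no comment saying which part of the ipa-dnskey tooling re-execs the binary; if this is one of the ipa-server-install denials from the changelog, a one-line `# ipa-dnskey re-execs its own binary during ipa-server-install, BZ(1488404)` above it would record that. The rest of the ipa.te file is outside this hunk.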
@@ -47383,6 +47396,15 @@ index d2f464375..c8e6b37b0 100644 userdom_list_user_home_content(loadkeys_t) ifdef(`hide_broken_symptoms',` +@@ -52,3 +51,8 @@ optional_policy(` + optional_policy(` + nscd_dontaudit_search_pid(loadkeys_t) + ') ++ ++optional_policy(` ++ sssd_read_public_files(loadkeys_t) ++ sssd_stream_connect(loadkeys_t) ++') diff --git a/lockdev.if b/lockdev.if index 4313b8bc0..cd1435cdf 100644 --- a/lockdev.if @@ -47493,7 +47515,7 @@ index dd8e01af3..9cd6b0b8e 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84b3..0129ddb61 100644 +index be0ab84b3..882160882 100644 --- a/logrotate.te +++ b/logrotate.te @@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0) @@ -47568,7 +47590,7 @@ index be0ab84b3..0129ddb61 100644 allow logrotate_t self:shm create_shm_perms; allow logrotate_t self:sem create_sem_perms; allow logrotate_t self:msgq create_msgq_perms; -@@ -48,36 +71,53 @@ allow logrotate_t self:msg { send receive }; +@@ -48,36 +71,54 @@ allow logrotate_t self:msg { send receive }; allow logrotate_t logrotate_lock_t:file manage_file_perms; files_lock_filetrans(logrotate_t, logrotate_lock_t, file) @@ -47591,6 +47613,7 @@ index be0ab84b3..0129ddb61 100644 +dev_read_urand(logrotate_t) +dev_read_sysfs(logrotate_t) ++dev_write_kmsg(logrotate_t) + +fs_search_auto_mountpoints(logrotate_t) +fs_getattr_all_fs(logrotate_t) @@ -47627,7 +47650,7 @@ index be0ab84b3..0129ddb61 100644 files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) -@@ -95,32 +135,57 @@ mls_process_write_to_clearance(logrotate_t) +@@ -95,32 +136,57 @@ mls_process_write_to_clearance(logrotate_t) selinux_get_fs_mount(logrotate_t) selinux_get_enforce_mode(logrotate_t) @@ -47691,7 +47714,7 @@ index be0ab84b3..0129ddb61 100644 ') optional_policy(` -@@ -135,16 +200,17 @@ optional_policy(` +@@ -135,16 +201,17 @@ optional_policy(` optional_policy(` apache_read_config(logrotate_t) 
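Review bot: `dev_write_kmsg(logrotate_t)` in the logrotate.te hunk gives a cron-driven rotation tool write access to the kernel log device, so anything executing as logrotate_t (including postrotate scripts that run without a domain transition) can append lines that dmesg consumers will treat as kernel output. The rule sits among the generic `dev_*` calls with no comment naming the consumer, and the changelog only records that the access was allowed, not why. If a specific postrotate hook needs it, a comment such as `# <helper> writes to /dev/kmsg from its postrotate script` (with the real helper named) or moving the rule under that component's `optional_policy` block would keep the grant scoped to the case that motivated it.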
@@ -47711,7 +47734,7 @@ index be0ab84b3..0129ddb61 100644 ') optional_policy(` -@@ -170,6 +236,11 @@ optional_policy(` +@@ -170,6 +237,11 @@ optional_policy(` ') optional_policy(` @@ -47723,7 +47746,7 @@ index be0ab84b3..0129ddb61 100644 fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +249,8 @@ optional_policy(` +@@ -178,7 +250,8 @@ optional_policy(` ') optional_policy(` @@ -47733,7 +47756,7 @@ index be0ab84b3..0129ddb61 100644 ') optional_policy(` -@@ -198,17 +270,18 @@ optional_policy(` +@@ -198,17 +271,18 @@ optional_policy(` ') optional_policy(` @@ -47755,7 +47778,7 @@ index be0ab84b3..0129ddb61 100644 ') optional_policy(` -@@ -216,6 +289,14 @@ optional_policy(` +@@ -216,6 +290,14 @@ optional_policy(` ') optional_policy(` @@ -47770,7 +47793,7 @@ index be0ab84b3..0129ddb61 100644 samba_exec_log(logrotate_t) ') -@@ -228,26 +309,50 @@ optional_policy(` +@@ -228,26 +310,50 @@ optional_policy(` ') optional_policy(` @@ -91002,7 +91025,7 @@ index 6dbc905b3..4b17c933e 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a279..75b615f81 100644 +index d32e1a279..b79ae3194 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t) @@ -91015,11 +91038,13 @@ index d32e1a279..75b615f81 100644 type rhsmcertd_var_lib_t; files_type(rhsmcertd_var_lib_t) -@@ -30,18 +33,21 @@ files_pid_file(rhsmcertd_var_run_t) +@@ -29,19 +32,22 @@ files_pid_file(rhsmcertd_var_run_t) + # Local policy # - allow rhsmcertd_t self:capability sys_nice; +-allow rhsmcertd_t self:capability sys_nice; -allow rhsmcertd_t self:process { signal setsched }; ++allow rhsmcertd_t self:capability { kill sys_nice }; +allow rhsmcertd_t self:process { signal_perms setsched }; + allow rhsmcertd_t self:fifo_file rw_fifo_file_perms; @@ -92077,10 +92102,10 @@ index 000000000..504b6e13e +/usr/sbin/roled -- gen_context(system_u:object_r:rolekit_exec_t,s0) 
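Review bot: the added `kill` capability in `allow rhsmcertd_t self:capability { kill sys_nice };` only lifts the DAC uid check; delivering a signal to a process in another domain still needs a `process`-class `signal` rule against that target type, and the only signal rule visible in this hunk is the existing `self:process { signal_perms setsched }`. If rhsmcertd signals its own children running under a different uid, the capability alone is the right fix; if it signals another service, the matching `allow rhsmcertd_t <target>_t:process signal;` (or that service's signal interface) is missing and the capability will just be followed by a fresh denial. A short comment on the rule naming which process is signalled would let the next reviewer confirm the scope.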
diff --git a/rolekit.if b/rolekit.if new file mode 100644 -index 000000000..b11fb8f6d +index 000000000..df5e3338c --- /dev/null +++ b/rolekit.if -@@ -0,0 +1,120 @@ +@@ -0,0 +1,138 @@ +## Daemon for Linux systems providing a stable D-BUS interface to manage the deployment of Server Roles. + +######################################## @@ -92201,6 +92226,24 @@ index 000000000..b11fb8f6d + systemd_read_fifo_file_passwd_run($1) + ') +') ++ ++######################################## ++## ++## Allow domain to read rolekit tmp files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rolekit_read_tmp',` ++ gen_require(` ++ type rolekit_tmp_t; ++ ') ++ ++ read_files_pattern($1, rolekit_tmp_t, rolekit_tmp_t) ++') diff --git a/rolekit.te b/rolekit.te new file mode 100644 index 000000000..da944537b @@ -94260,7 +94303,7 @@ index ef3b22507..79518530e 100644 admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t }) diff --git a/rpm.te b/rpm.te -index 6fc360e60..2f24b1e0c 100644 +index 6fc360e60..219964375 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,13 @@ @@ -94603,7 +94646,7 @@ index 6fc360e60..2f24b1e0c 100644 mls_file_read_all_levels(rpm_script_t) mls_file_write_all_levels(rpm_script_t) -@@ -331,73 +331,129 @@ storage_raw_write_fixed_disk(rpm_script_t) +@@ -331,73 +331,130 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) @@ -94636,9 +94679,10 @@ index 6fc360e60..2f24b1e0c 100644 +init_manage_transient_unit(rpm_script_t) init_domtrans_script(rpm_script_t) init_telinit(rpm_script_t) - -+systemd_config_all_services(rpm_script_t) ++init_dbus_chat(rpm_script_t) + ++systemd_config_all_services(rpm_script_t) + libs_exec_ld_so(rpm_script_t) libs_exec_lib_files(rpm_script_t) -libs_run_ldconfig(rpm_script_t, rpm_roles) 
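Review bot: `rolekit_read_tmp` in the rolekit.if hunk grants `read_files_pattern($1, rolekit_tmp_t, rolekit_tmp_t)` but nothing lets the caller traverse the tmp directory those files live in; interfaces that expose a domain's tmp content normally pair this with `files_search_tmp($1)` so that the caller does not hit a search denial on tmp_t first. Add `files_search_tmp($1)` after the `gen_require` block; `dirsrv_t`, added as the first caller in the dirsrv.te hunk of this commit, is the domain that would otherwise be affected. The `## ` doc-comment lines appear empty here, presumably because the summary/param markup was stripped when the patch was rendered rather than missing from the file — worth confirming in the source.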
@@ -94753,7 +94797,7 @@ index 6fc360e60..2f24b1e0c 100644 optional_policy(` java_domtrans_unconfined(rpm_script_t) -@@ -409,6 +465,6 @@ optional_policy(` +@@ -409,6 +466,6 @@ optional_policy(` ') optional_policy(` @@ -96873,7 +96917,7 @@ index 50d07fb2e..a34db489c 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441e7..c7a475130 100644 +index 2b7c441e7..5d52fba0f 100644 --- a/samba.te +++ b/samba.te @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3) @@ -98011,9 +98055,12 @@ index 2b7c441e7..c7a475130 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,38 +972,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -871,40 +970,44 @@ manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t) + manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t) + files_var_filetrans(winbind_t, samba_var_t, dir, "samba") - rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +-rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) ++manage_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) -# This needs a file context specification -allow winbind_t winbind_log_t:file { append_file_perms create_file_perms setattr_file_perms }; @@ -111369,10 +111416,10 @@ index 000000000..368e18842 +') diff --git a/tlp.te b/tlp.te new file mode 100644 -index 000000000..f31ed95d7 +index 000000000..761cc35b0 --- /dev/null +++ b/tlp.te -@@ -0,0 +1,74 @@ +@@ -0,0 +1,80 @@ +policy_module(tlp, 1.0.0) + +######################################## @@ -111417,6 +111464,7 @@ index 000000000..f31ed95d7 +kernel_rw_fs_sysctls(tlp_t) +kernel_rw_kernel_sysctl(tlp_t) +kernel_rw_vm_sysctls(tlp_t) ++kernel_create_rpc_sysctls(tlp_t) + +auth_read_passwd(tlp_t) + 
@@ -111425,12 +111473,16 @@ index 000000000..f31ed95d7 +dev_list_sysfs(tlp_t) +dev_manage_sysfs(tlp_t) +dev_rw_cpu_microcode(tlp_t) ++dev_rw_wireless(tlp_t) + +files_read_kernel_modules(tlp_t) ++files_load_kernel_modules(tlp_t) + +modutils_exec_insmod(tlp_t) +modutils_read_module_config(tlp_t) + ++logging_send_syslog_msg(tlp_t) ++ +storage_raw_read_fixed_disk(tlp_t) +storage_raw_write_removable_device(tlp_t) + @@ -111438,6 +111490,7 @@ index 000000000..f31ed95d7 + +optional_policy(` + dbus_stream_connect_system_dbusd(tlp_t) ++ dbus_system_bus_client(tlp_t) +') + +optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 1c037307..9635f28f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 279%{?dist} +Release: 280%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -681,6 +681,18 @@ exit 0 %endif %changelog +* Thu Sep 07 2017 Lukas Vrabec - 3.13.1-280 +- Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404) +- Fix denials during ipa-server-install process on F27+ +- Allow httpd_t to mmap cert_t +- Add few rules to make tlp_t domain working in enforcing mode +- Allow cloud_init_t to dbus chat with systemd_timedated_t +- Allow logrotate_t to write to kmsg +- Add capability kill to rhsmcertd_t +- Allow winbind to manage smbd_tmp_t files +- Allow groupadd_t domain to dbus chat with systemd.BZ(1488404) +- Add interface miscfiles_map_generic_certs() + * Tue Sep 05 2017 Lukas Vrabec - 3.13.1-279 - Allow abrt_dump_oops_t to read sssd_public_t files - Allow cockpit_ws_t to mmap usr_t files
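Review bot: `files_load_kernel_modules(tlp_t)` in the tlp.te hunk, together with the existing `modutils_exec_insmod(tlp_t)` context line, lets the power-management domain load any module from the modules tree itself instead of delegating to the insmod domain; for a domain that already has `dev_manage_sysfs`, raw fixed-disk read and removable-device write in the same hunk this is a broad grant. If tlp only runs modprobe for a few device drivers, `modutils_domtrans_insmod(tlp_t)` (keeping the load in the modutils domain) is the more contained alternative and makes `files_load_kernel_modules` unnecessary; if tlp genuinely issues the module load from its own process, a comment above the rule saying so would justify it. The new `logging_send_syslog_msg(tlp_t)` is the expected fix for syslog denials and looks right.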
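Review bot: with `dbus_system_bus_client(tlp_t)` added in the second tlp.te hunk, the `dbus_stream_connect_system_dbusd(tlp_t)` line directly above it becomes redundant — `dbus_system_bus_client` in refpolicy already includes the stream connect to the system bus socket alongside the `dbus send_msg` rules. Drop the older line and keep only `dbus_system_bus_client(tlp_t)` inside the `optional_policy` block, assuming the Fedora copy of the interface matches refpolicy here.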