* Wed Aug 23 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-275

- Make confined users working - Allow ipmievd_t domain to load kernel modules - Allow logrotate to reload transient systemd unit
2017-08-23 23:17:38 +02:00 · 2017-08-23 23:17:38 +02:00 · c1ce08ecb5
parent b7314cadde
commit c1ce08ecb5
4 changed files with 180 additions and 160 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -6673,7 +6673,7 @@ index 3f6e16889..abd046c56 100644
 +ifelse(`$2',`',`',`declare_ibendportcons($1_ibendport_t,shift($*))')dnl
 +')
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c05491..3b3faeeae 100644
+index b31c05491..a7b0f009a 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@
@ -6766,7 +6766,7 @@ index b31c05491..3b3faeeae 100644
 /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tpm[0-9]*		-c	gen_context(system_u:object_r:tpm_device_t,s0)
 /dev/uinput		-c	gen_context(system_u:object_r:event_device_t,s0)
-@@ -118,6 +138,12 @@
+@@ -118,6 +138,13 @@
 ifdef(`distro_suse', `
 /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 ')
@ -6774,12 +6774,13 @@ index b31c05491..3b3faeeae 100644
 +/dev/vchiq		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 +/dev/vc-mem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 +/dev/vfio/(vfio)?[0-9]*	-c	gen_context(system_u:object_r:vfio_device_t,s0)
 +/dev/clp[0-9]*            -c  gen_context(system_u:object_r:vfio_device_t,s0)
 +/dev/sclp[0-9]*            -c  gen_context(system_u:object_r:vfio_device_t,s0)
 +/dev/vmcp[0-9]*     -c  gen_context(system_u:object_r:vfio_device_t,s0)
 /dev/vhost-net		-c	gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vbox.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -129,12 +155,14 @@ ifdef(`distro_suse', `
+@@ -129,12 +156,14 @@ ifdef(`distro_suse', `
 /dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/watchdog.*		-c	gen_context(system_u:object_r:watchdog_device_t,s0)
@ -6794,7 +6795,7 @@ index b31c05491..3b3faeeae 100644
 /dev/card.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
-@@ -169,18 +197,26 @@ ifdef(`distro_suse', `
+@@ -169,18 +198,26 @@ ifdef(`distro_suse', `
 /dev/s(ou)?nd/.*	-c	gen_context(system_u:object_r:sound_device_t,s0)
@ -6821,7 +6822,7 @@ index b31c05491..3b3faeeae 100644
 ifdef(`distro_debian',`
 # this is a static /dev dir "backup mount"
-@@ -198,12 +234,27 @@ ifdef(`distro_debian',`
+@@ -198,12 +235,27 @@ ifdef(`distro_debian',`
 /lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
@ -51001,7 +51002,7 @@ index db7597682..c54480a1d 100644
 +/var/tmp/hsperfdata_root    gen_context(system_u:object_r:user_tmp_t,s0)
 +
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6c0..d5e8f386a 100644
+index 9dc60c6c0..597fe227f 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -52328,7 +52329,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ')
 #######################################
-@@ -987,27 +1365,33 @@ template(`userdom_unpriv_user_template', `
+@@ -987,27 +1365,36 @@ template(`userdom_unpriv_user_template', `
 	#
 	# Inherit rules for ordinary users.
@ -52351,6 +52352,9 @@ index 9dc60c6c0..d5e8f386a 100644
 	corenet_tcp_bind_xserver_port($1_t)
 +	corenet_tcp_bind_generic_node($1_usertype)
 +
 +    init_domtrans($1_t)
 +    init_rw_stream_sockets($1_t)
 +
 +	storage_rw_fuse($1_t)
 	files_exec_usr_files($1_t)
@ -52366,7 +52370,7 @@ index 9dc60c6c0..d5e8f386a 100644
 			fs_manage_noxattr_fs_files($1_t)
 			fs_manage_noxattr_fs_dirs($1_t)
 			# Write floppies
-@@ -1018,23 +1402,63 @@ template(`userdom_unpriv_user_template', `
+@@ -1018,23 +1405,64 @@ template(`userdom_unpriv_user_template', `
 		')
 	')
@ -52377,6 +52381,7 @@ index 9dc60c6c0..d5e8f386a 100644
 -	')
 +	miscfiles_read_hwdata($1_usertype)
 +
 +    fs_manage_cgroup_dirs($1_t)
 +	fs_mounton_fusefs($1_usertype)
 	# Allow users to run TCP servers (bind to ports and accept connection from
@ -52403,9 +52408,11 @@ index 9dc60c6c0..d5e8f386a 100644
 +
 +	optional_policy(`
 +		cron_role($1_r, $1_t)
-+	')
+ 	')
-+
+ 
-+	optional_policy(`
+ 	optional_policy(`
 -		netutils_run_ping_cond($1_t, $1_r)
 -		netutils_run_traceroute_cond($1_t, $1_r)
 +        games_manage_data_files($1_usertype)
 +	')
 +
@ -52430,17 +52437,15 @@ index 9dc60c6c0..d5e8f386a 100644
 +
 +	optional_policy(`
 +		wine_role_template($1, $1_r, $1_t)
- 	')
+	')
- 
+
- 	optional_policy(`
+	optional_policy(`
 -		netutils_run_ping_cond($1_t, $1_r)
 -		netutils_run_traceroute_cond($1_t, $1_r)
 +		postfix_run_postdrop($1_t, $1_r)
 +		postfix_search_spool($1_t)
 	')
 	# Run pppd in pppd_t by default for user
-@@ -1043,7 +1467,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1043,7 +1471,9 @@ template(`userdom_unpriv_user_template', `
 	')
 	optional_policy(`
@ -52451,7 +52456,7 @@ index 9dc60c6c0..d5e8f386a 100644
 	')
 ')
-@@ -1079,7 +1505,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1079,7 +1509,9 @@ template(`userdom_unpriv_user_template', `
 template(`userdom_admin_user_template',`
 	gen_require(`
 		attribute admindomain;
@ -52462,7 +52467,7 @@ index 9dc60c6c0..d5e8f386a 100644
 	')
 	##############################
-@@ -1095,6 +1523,7 @@ template(`userdom_admin_user_template',`
+@@ -1095,6 +1527,7 @@ template(`userdom_admin_user_template',`
 	role system_r types $1_t;
 	typeattribute $1_t admindomain;
@ -52470,7 +52475,7 @@ index 9dc60c6c0..d5e8f386a 100644
 	ifdef(`direct_sysadm_daemon',`
 		domain_system_change_exemption($1_t)
-@@ -1105,14 +1534,8 @@ template(`userdom_admin_user_template',`
+@@ -1105,14 +1538,8 @@ template(`userdom_admin_user_template',`
 	# $1_t local policy
 	#
@ -52487,7 +52492,7 @@ index 9dc60c6c0..d5e8f386a 100644
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
-@@ -1128,6 +1551,8 @@ template(`userdom_admin_user_template',`
+@@ -1128,6 +1555,8 @@ template(`userdom_admin_user_template',`
 	kernel_sigstop_unlabeled($1_t)
 	kernel_signull_unlabeled($1_t)
 	kernel_sigchld_unlabeled($1_t)
@ -52496,7 +52501,7 @@ index 9dc60c6c0..d5e8f386a 100644
 	corenet_tcp_bind_generic_port($1_t)
 	# allow setting up tunnels
-@@ -1145,10 +1570,15 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1574,15 @@ template(`userdom_admin_user_template',`
 	dev_rename_all_blk_files($1_t)
 	dev_rename_all_chr_files($1_t)
 	dev_create_generic_symlinks($1_t)
@ -52512,7 +52517,7 @@ index 9dc60c6c0..d5e8f386a 100644
 	domain_dontaudit_ptrace_all_domains($1_t)
 	# signal all domains:
 	domain_kill_all_domains($1_t)
-@@ -1159,29 +1589,40 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1593,40 @@ template(`userdom_admin_user_template',`
 	domain_sigchld_all_domains($1_t)
 	# for lsof
 	domain_getattr_all_sockets($1_t)
@ -52557,7 +52562,7 @@ index 9dc60c6c0..d5e8f386a 100644
 	# The following rule is temporary until such time that a complete
 	# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1632,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1636,8 @@ template(`userdom_admin_user_template',`
 	# But presently necessary for installing the file_contexts file.
 	seutil_manage_bin_policy($1_t)
@ -52566,7 +52571,7 @@ index 9dc60c6c0..d5e8f386a 100644
 	userdom_manage_user_home_content_dirs($1_t)
 	userdom_manage_user_home_content_files($1_t)
 	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1641,21 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1645,21 @@ template(`userdom_admin_user_template',`
 	userdom_manage_user_home_content_sockets($1_t)
 	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@ -52589,7 +52594,7 @@ index 9dc60c6c0..d5e8f386a 100644
 	optional_policy(`
 		postgresql_unconfined($1_t)
 	')
-@@ -1240,7 +1691,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1695,7 @@ template(`userdom_admin_user_template',`
 ##	</summary>
 ## </param>
 #
@ -52598,7 +52603,7 @@ index 9dc60c6c0..d5e8f386a 100644
 	allow $1 self:capability { dac_read_search dac_override };
 	corecmd_exec_shell($1)
-@@ -1250,6 +1701,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1705,8 @@ template(`userdom_security_admin_template',`
 	dev_relabel_all_dev_nodes($1)
 	files_create_boot_flag($1)
@ -52607,7 +52612,7 @@ index 9dc60c6c0..d5e8f386a 100644
 	# Necessary for managing /boot/efi
 	fs_manage_dos_files($1)
-@@ -1262,8 +1715,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1719,10 @@ template(`userdom_security_admin_template',`
 	selinux_set_enforce_mode($1)
 	selinux_set_all_booleans($1)
 	selinux_set_parameters($1)
@ -52619,7 +52624,7 @@ index 9dc60c6c0..d5e8f386a 100644
 	auth_relabel_shadow($1)
 	init_exec($1)
-@@ -1274,29 +1729,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1733,31 @@ template(`userdom_security_admin_template',`
 	logging_read_audit_config($1)
 	seutil_manage_bin_policy($1)
@ -52662,7 +52667,7 @@ index 9dc60c6c0..d5e8f386a 100644
 	')
 	optional_policy(`
-@@ -1357,14 +1814,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1818,17 @@ interface(`userdom_user_home_content',`
 	gen_require(`
 		attribute user_home_content_type;
 		type user_home_t;
@ -52681,7 +52686,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ')
 ########################################
-@@ -1397,12 +1857,52 @@ interface(`userdom_user_tmp_file',`
+@@ -1397,12 +1861,52 @@ interface(`userdom_user_tmp_file',`
 ## </param>
 #
 interface(`userdom_user_tmpfs_file',`
@ -52735,7 +52740,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ##	Allow domain to attach to TUN devices created by administrative users.
 ## </summary>
 ## <param name="domain">
-@@ -1509,11 +2009,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +2013,31 @@ interface(`userdom_search_user_home_dirs',`
 	')
 	allow $1 user_home_dir_t:dir search_dir_perms;
@ -52767,7 +52772,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ##	Do not audit attempts to search user home directories.
 ## </summary>
 ## <desc>
-@@ -1555,6 +2075,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2079,14 @@ interface(`userdom_list_user_home_dirs',`
 	allow $1 user_home_dir_t:dir list_dir_perms;
 	files_search_home($1)
@ -52782,7 +52787,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ')
 ########################################
-@@ -1570,9 +2098,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2102,11 @@ interface(`userdom_list_user_home_dirs',`
 interface(`userdom_dontaudit_list_user_home_dirs',`
 	gen_require(`
 		type user_home_dir_t;
@ -52794,7 +52799,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ')
 ########################################
-@@ -1613,6 +2143,24 @@ interface(`userdom_manage_user_home_dirs',`
+@@ -1613,6 +2147,24 @@ interface(`userdom_manage_user_home_dirs',`
 ########################################
 ## <summary>
@ -52819,7 +52824,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ##	Relabel to user home directories.
 ## </summary>
 ## <param name="domain">
-@@ -1631,6 +2179,59 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1631,6 +2183,59 @@ interface(`userdom_relabelto_user_home_dirs',`
 ########################################
 ## <summary>
@ -52879,7 +52884,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ##	Create directories in the home dir root with
 ##	the user home directory type.
 ## </summary>
-@@ -1704,10 +2305,12 @@ interface(`userdom_user_home_domtrans',`
+@@ -1704,10 +2309,12 @@ interface(`userdom_user_home_domtrans',`
 #
 interface(`userdom_dontaudit_search_user_home_content',`
 	gen_require(`
@ -52894,7 +52899,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ')
 ########################################
-@@ -1741,10 +2344,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2348,12 @@ interface(`userdom_list_all_user_home_content',`
 #
 interface(`userdom_list_user_home_content',`
 	gen_require(`
@ -52909,7 +52914,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ')
 ########################################
-@@ -1769,7 +2374,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2378,7 @@ interface(`userdom_manage_user_home_content_dirs',`
 ########################################
 ## <summary>
@ -52918,7 +52923,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1777,19 +2382,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1777,19 +2386,17 @@ interface(`userdom_manage_user_home_content_dirs',`
 ##	</summary>
 ## </param>
 #
@ -52942,7 +52947,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1797,55 +2400,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1797,55 +2404,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
 ##	</summary>
 ## </param>
 #
@ -53013,7 +53018,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1853,18 +2456,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1853,18 +2460,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
 ##	</summary>
 ## </param>
 #
@ -53041,7 +53046,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1872,13 +2476,163 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1872,17 +2480,167 @@ interface(`userdom_mmap_user_home_content_files',`
 ##	</summary>
 ## </param>
 #
@ -53049,14 +53054,12 @@ index 9dc60c6c0..d5e8f386a 100644
 -	gen_require(`
 -		type user_home_dir_t, user_home_t;
 -	')
 -
 -	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
 -	files_search_home($1)
 +interface(`usedom_dontaudit_user_getattr_tmp_sockets',`
 +    refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.')
 +    userdom_getattr_user_tmp_files($1)
 +')
-+
+ 
 -	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
 +########################################
 +## <summary>
 +##	Dontaudit getattr on user tmp sockets.
@ -53189,11 +53192,11 @@ index 9dc60c6c0..d5e8f386a 100644
 +	allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
 +	list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type })
 +	read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+	files_search_home($1)
+ 	files_search_home($1)
-+')
+ ')
-+
+ 
-+########################################
+ ########################################
-+## <summary>
+ ## <summary>
 +##	Do not audit attempts to getattr user home files.
 +## </summary>
 +## <param name="domain">
@ -53209,10 +53212,14 @@ index 9dc60c6c0..d5e8f386a 100644
 +
 +	dontaudit $1 user_home_type:dir getattr;
 +	dontaudit $1 user_home_type:file getattr;
- ')
+')
- 
+
- ########################################
+########################################
-@@ -1893,11 +2647,14 @@ interface(`userdom_read_user_home_content_files',`
+## <summary>
 ##	Do not audit attempts to read user home files.
 ## </summary>
 ## <param name="domain">
@@ -1893,11 +2651,14 @@ interface(`userdom_read_user_home_content_files',`
 #
 interface(`userdom_dontaudit_read_user_home_content_files',`
 	gen_require(`
@ -53230,7 +53237,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ')
 ########################################
-@@ -1938,7 +2695,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2699,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
 ########################################
 ## <summary>
@ -53239,7 +53246,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1946,10 +2703,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2707,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
 ##	</summary>
 ## </param>
 #
@ -53252,7 +53259,7 @@ index 9dc60c6c0..d5e8f386a 100644
 	')
 	userdom_search_user_home_content($1)
-@@ -1958,7 +2714,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2718,7 @@ interface(`userdom_delete_all_user_home_content_files',`
 ########################################
 ## <summary>
@ -53261,7 +53268,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1966,12 +2722,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2726,66 @@ interface(`userdom_delete_all_user_home_content_files',`
 ##	</summary>
 ## </param>
 #
@ -53330,7 +53337,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ')
 ########################################
-@@ -2007,8 +2817,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2821,7 @@ interface(`userdom_read_user_home_content_symlinks',`
 		type user_home_dir_t, user_home_t;
 	')
@ -53340,7 +53347,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ')
 ########################################
-@@ -2024,20 +2833,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2837,14 @@ interface(`userdom_read_user_home_content_symlinks',`
 #
 interface(`userdom_exec_user_home_content_files',`
 	gen_require(`
@ -53365,7 +53372,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ########################################
 ## <summary>
-@@ -2120,7 +2923,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2927,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
 ########################################
 ## <summary>
@ -53374,7 +53381,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2128,19 +2931,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2935,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
 ##	</summary>
 ## </param>
 #
@ -53398,7 +53405,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2148,12 +2949,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2953,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
 ##	</summary>
 ## </param>
 #
@ -53414,7 +53421,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ')
 ########################################
-@@ -2388,18 +3189,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3193,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
 ##	</summary>
 ## </param>
 #
@ -53472,7 +53479,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ##	Do not audit attempts to read users
 ##	temporary files.
 ## </summary>
-@@ -2414,7 +3251,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3255,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
 		type user_tmp_t;
 	')
@ -53481,7 +53488,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ')
 ########################################
-@@ -2455,6 +3292,25 @@ interface(`userdom_rw_user_tmp_files',`
+@@ -2455,6 +3296,25 @@ interface(`userdom_rw_user_tmp_files',`
 	rw_files_pattern($1, user_tmp_t, user_tmp_t)
 	files_search_tmp($1)
 ')
@ -53507,12 +53514,35 @@ index 9dc60c6c0..d5e8f386a 100644
 ########################################
 ## <summary>
-@@ -2538,7 +3394,27 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,7 +3398,7 @@ interface(`userdom_manage_user_tmp_files',`
 ########################################
 ## <summary>
 ##	Create, read, write, and delete user
 -##	temporary symbolic links.
 +##	temporary files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2546,19 +3406,60 @@ interface(`userdom_manage_user_tmp_files',`
 ##	</summary>
 ## </param>
 #
 -interface(`userdom_manage_user_tmp_symlinks',`
 +interface(`userdom_filetrans_named_user_tmp_files',`
 	gen_require(`
 		type user_tmp_t;
 	')
 -	manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
 +    files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")
 	files_search_tmp($1)
 ')
 ########################################
 ## <summary>
 ##	Create, read, write, and delete user
 -##	temporary named pipes.
 +##	temporary symbolic links.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@ -53520,26 +53550,26 @@ index 9dc60c6c0..d5e8f386a 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_filetrans_named_user_tmp_files',`
+interface(`userdom_manage_user_tmp_symlinks',`
 +	gen_require(`
 +		type user_tmp_t;
 +	')
 +
-+    files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")
+	manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
 +	files_search_tmp($1)
 +')
 +
 +########################################
 +## <summary>
 +##	Create, read, write, and delete user
-+##	temporary symbolic links.
+##	temporary named pipes.
- ## </summary>
+## </summary>
- ## <param name="domain">
+## <param name="domain">
- ##	<summary>
+##	<summary>
-@@ -2566,6 +3442,27 @@ interface(`userdom_manage_user_tmp_symlinks',`
+##	Domain allowed access.
- ##	</summary>
+##	</summary>
- ## </param>
+## </param>
- #
+#
 +interface(`userdom_rw_inherited_user_tmp_pipes',`
 +	gen_require(`
 +		type user_tmp_t;
@ -53554,17 +53584,10 @@ index 9dc60c6c0..d5e8f386a 100644
 +## <summary>
 +##	Create, read, write, and delete user
 +##	temporary named pipes.
-+## </summary>
+ ## </summary>
-+## <param name="domain">
+ ## <param name="domain">
-+##	<summary>
+ ##	<summary>
-+##	Domain allowed access.
+@@ -2661,6 +3562,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
 +##	</summary>
 +## </param>
 +#
 interface(`userdom_manage_user_tmp_pipes',`
 	gen_require(`
 		type user_tmp_t;
@@ -2661,6 +3558,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
 	files_tmp_filetrans($1, user_tmp_t, $2, $3)
 ')
@ -53586,7 +53609,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ########################################
 ## <summary>
 ##	Read user tmpfs files.
-@@ -2672,18 +3584,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2672,18 +3588,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
 ## </param>
 #
 interface(`userdom_read_user_tmpfs_files',`
@ -53608,7 +53631,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2692,19 +3599,13 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3603,13 @@ interface(`userdom_read_user_tmpfs_files',`
 ## </param>
 #
 interface(`userdom_rw_user_tmpfs_files',`
@ -53631,7 +53654,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2713,13 +3614,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2713,13 +3618,56 @@ interface(`userdom_rw_user_tmpfs_files',`
 ## </param>
 #
 interface(`userdom_manage_user_tmpfs_files',`
@ -53692,7 +53715,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ')
 ########################################
-@@ -2814,6 +3758,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3762,24 @@ interface(`userdom_use_user_ttys',`
 ########################################
 ## <summary>
@ -53717,7 +53740,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ##	Read and write a user domain pty.
 ## </summary>
 ## <param name="domain">
-@@ -2832,22 +3794,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3798,34 @@ interface(`userdom_use_user_ptys',`
 ########################################
 ## <summary>
@ -53760,7 +53783,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ## </desc>
 ## <param name="domain">
 ##	<summary>
-@@ -2856,14 +3830,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3834,33 @@ interface(`userdom_use_user_ptys',`
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
@ -53798,7 +53821,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ')
 ########################################
-@@ -2882,8 +3875,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3879,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
 		type user_tty_device_t, user_devpts_t;
 	')
@ -53828,7 +53851,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ')
 ########################################
-@@ -2955,6 +3967,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,6 +3971,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
 	allow unpriv_userdomain $1:process sigchld;
 ')
@ -53871,7 +53894,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ########################################
 ## <summary>
 ##	Execute an Xserver session in all unprivileged user domains.  This
-@@ -2978,24 +4026,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2978,24 +4030,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
 	allow unpriv_userdomain $1:process sigchld;
 ')
@ -53896,7 +53919,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ########################################
 ## <summary>
 ##	Manage unpriviledged user SysV sempaphores.
-@@ -3014,9 +4044,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3014,9 +4048,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
 	allow $1 unpriv_userdomain:sem create_sem_perms;
 ')
@ -53908,7 +53931,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ##	memory segments.
 ## </summary>
 ## <param name="domain">
-@@ -3025,17 +4055,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,17 +4059,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
 ##	</summary>
 ## </param>
 #
@ -53929,7 +53952,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ##	memory segments.
 ## </summary>
 ## <param name="domain">
-@@ -3044,12 +4074,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
+@@ -3044,12 +4078,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
 ##	</summary>
 ## </param>
 #
@ -53944,7 +53967,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ')
 ########################################
-@@ -3094,7 +4124,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4128,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
 	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
 	allow unpriv_userdomain $1:fd use;
@ -53953,7 +53976,7 @@ index 9dc60c6c0..d5e8f386a 100644
 	allow unpriv_userdomain $1:process sigchld;
 ')
-@@ -3110,29 +4140,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4144,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
 #
 interface(`userdom_search_user_home_content',`
 	gen_require(`
@ -53987,7 +54010,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ')
 ########################################
-@@ -3214,7 +4228,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4232,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
 		type user_devpts_t;
 	')
@ -54014,7 +54037,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ')
 ########################################
-@@ -3269,12 +4301,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4305,13 @@ interface(`userdom_write_user_tmp_files',`
 		type user_tmp_t;
 	')
@ -54030,7 +54053,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3282,54 +4315,56 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,54 +4319,56 @@ interface(`userdom_write_user_tmp_files',`
 ##	</summary>
 ## </param>
 #
@ -54102,24 +54125,21 @@ index 9dc60c6c0..d5e8f386a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3337,18 +4372,92 @@ interface(`userdom_getattr_all_users',`
+@@ -3337,7 +4376,81 @@ interface(`userdom_getattr_all_users',`
 ##	</summary>
 ## </param>
 #
 -interface(`userdom_use_all_users_fds',`
 +interface(`userdom_rw_inherited_user_pipes',`
- 	gen_require(`
+	gen_require(`
- 		attribute userdomain;
+		attribute userdomain;
- 	')
+	')
- 
+
 -	allow $1 userdomain:fd use;
 +	allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
- ')
+')
- 
+
- ########################################
+########################################
- ## <summary>
+## <summary>
 -##	Do not audit attempts to inherit the file
 -##	descriptors from any user domains.
 +##	Do not audit attempts to use user ttys.
 +## </summary>
 +## <param name="domain">
@ -54185,21 +54205,10 @@ index 9dc60c6c0..d5e8f386a 100644
 +## </param>
 +#
 +interface(`userdom_use_all_users_fds',`
-+	gen_require(`
+ 	gen_require(`
-+		attribute userdomain;
+ 		attribute userdomain;
-+	')
+ 	')
-+
+@@ -3382,6 +4495,42 @@ interface(`userdom_signal_all_users',`
 +	allow $1 userdomain:fd use;
 +')
 +
 +########################################
 +## <summary>
 +##	Do not audit attempts to inherit the file
 +##	descriptors from any user domains.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3382,6 +4491,42 @@ interface(`userdom_signal_all_users',`
 	allow $1 userdomain:process signal;
 ')
@ -54242,7 +54251,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ########################################
 ## <summary>
 ##	Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4547,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4551,60 @@ interface(`userdom_sigchld_all_users',`
 ########################################
 ## <summary>
@ -54303,7 +54312,7 @@ index 9dc60c6c0..d5e8f386a 100644
 ##	Create keys for all user domains.
 ## </summary>
 ## <param name="domain">
-@@ -3435,4 +4634,1817 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4638,1817 @@ interface(`userdom_dbus_send_all_users',`
 	')
 	allow $1 userdomain:dbus send_msg;
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -12687,12 +12687,15 @@ index 550b287ce..80de6d3b7 100644
 +	')
 +')
 diff --git a/certwatch.te b/certwatch.te
-index 171fafb99..e88a0268a 100644
+index 171fafb99..e3986fd2e 100644
 --- a/certwatch.te
 +++ b/certwatch.te
-@@ -20,33 +20,45 @@ role certwatch_roles types certwatch_t;
+@@ -18,35 +18,47 @@ role certwatch_roles types certwatch_t;
 # Local policy
 #
- allow certwatch_t self:capability sys_nice;
+-allow certwatch_t self:capability sys_nice;
 +allow certwatch_t self:capability { dac_read_search dac_override sys_nice };
 allow certwatch_t self:process { setsched getsched };
 +allow certwatch_t self:tcp_socket create_stream_socket_perms;
@ -22518,7 +22521,7 @@ index dda905b9c..558729530 100644
 /var/named/chroot/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 +')
 diff --git a/dbus.if b/dbus.if
-index 62d22cb46..01f6380e6 100644
+index 62d22cb46..77afd180d 100644
 --- a/dbus.if
 +++ b/dbus.if
@@ -1,4 +1,4 @@
@ -22597,7 +22600,7 @@ index 62d22cb46..01f6380e6 100644
 -	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
 +	# For connecting to the bus
 +	allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms };
-+	allow $1_dbusd_t $3:unix_stream_socket { accept getattr getopt };
+	allow $1_dbusd_t $3:unix_stream_socket { accept getattr getopt  read write };
 -	allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
 -	allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms };
@ -23439,7 +23442,7 @@ index 62d22cb46..01f6380e6 100644
 +
 ')
 diff --git a/dbus.te b/dbus.te
-index c9998c80d..cdf3b2dc7 100644
+index c9998c80d..d8ef03416 100644
 --- a/dbus.te
 +++ b/dbus.te
@@ -4,17 +4,15 @@ gen_require(`
@ -23566,7 +23569,7 @@ index c9998c80d..cdf3b2dc7 100644
 mls_fd_use_all_levels(system_dbusd_t)
 mls_rangetrans_target(system_dbusd_t)
 mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +124,175 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +124,176 @@ term_dontaudit_use_console(system_dbusd_t)
 auth_use_nsswitch(system_dbusd_t)
 auth_read_pam_console_data(system_dbusd_t)
@ -23749,14 +23752,15 @@ index c9998c80d..cdf3b2dc7 100644
 manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
 manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
 -files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
-+files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir })
+manage_sock_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
-+userdom_user_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir })
+files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir sock_file })
 +userdom_user_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir sock_file })
 -kernel_read_system_state(session_bus_type)
 kernel_read_kernel_sysctls(session_bus_type)
 corecmd_list_bin(session_bus_type)
-@@ -191,23 +301,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +302,18 @@ corecmd_read_bin_files(session_bus_type)
 corecmd_read_bin_pipes(session_bus_type)
 corecmd_read_bin_sockets(session_bus_type)
@ -23781,7 +23785,7 @@ index c9998c80d..cdf3b2dc7 100644
 files_dontaudit_search_var(session_bus_type)
 fs_getattr_romfs(session_bus_type)
-@@ -215,7 +320,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +321,6 @@ fs_getattr_xattr_fs(session_bus_type)
 fs_list_inotifyfs(session_bus_type)
 fs_dontaudit_list_nfs(session_bus_type)
@ -23789,7 +23793,7 @@ index c9998c80d..cdf3b2dc7 100644
 selinux_validate_context(session_bus_type)
 selinux_compute_access_vector(session_bus_type)
 selinux_compute_create_context(session_bus_type)
-@@ -225,18 +329,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +330,36 @@ selinux_compute_user_contexts(session_bus_type)
 auth_read_pam_console_data(session_bus_type)
 logging_send_audit_msgs(session_bus_type)
@ -23831,7 +23835,7 @@ index c9998c80d..cdf3b2dc7 100644
 ')
 ########################################
-@@ -244,5 +366,9 @@ optional_policy(`
+@@ -244,5 +367,9 @@ optional_policy(`
 # Unconfined access to this module
 #
@ -40345,10 +40349,10 @@ index 000000000..e86db5418
 +')
 diff --git a/ipmievd.te b/ipmievd.te
 new file mode 100644
-index 000000000..a2c964844
+index 000000000..06b8358b4
 --- /dev/null
 +++ b/ipmievd.te
-@@ -0,0 +1,51 @@
+@@ -0,0 +1,52 @@
 +policy_module(ipmievd, 1.0.0)
 +
 +########################################
@ -40384,6 +40388,7 @@ index 000000000..a2c964844
 +files_lock_filetrans(ipmievd_t, ipmievd_lock_t, file)
 +
 +kernel_read_system_state(ipmievd_t)
 +kernel_load_module(ipmievd_t)
 +
 +auth_read_passwd(ipmievd_t)
 +
@ -47463,7 +47468,7 @@ index dd8e01af3..9cd6b0b8e 100644
 ## <param name="domain">
 ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index be0ab84b3..6180bdbdc 100644
+index be0ab84b3..0129ddb61 100644
 --- a/logrotate.te
 +++ b/logrotate.te
@@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0)
@ -47597,7 +47602,7 @@ index be0ab84b3..6180bdbdc 100644
 files_manage_generic_spool(logrotate_t)
 files_manage_generic_spool_dirs(logrotate_t)
 files_getattr_generic_locks(logrotate_t)
-@@ -95,32 +135,56 @@ mls_process_write_to_clearance(logrotate_t)
+@@ -95,32 +135,57 @@ mls_process_write_to_clearance(logrotate_t)
 selinux_get_fs_mount(logrotate_t)
 selinux_get_enforce_mode(logrotate_t)
@ -47624,6 +47629,7 @@ index be0ab84b3..6180bdbdc 100644
 +systemd_status_all_unit_files(logrotate_t)
 +systemd_dbus_chat_logind(logrotate_t)
 +init_stream_connect(logrotate_t)
 +init_reload_transient_unit(logrotate_t)
 -miscfiles_read_localization(logrotate_t)
 +miscfiles_read_hwdata(logrotate_t)
@ -47660,7 +47666,7 @@ index be0ab84b3..6180bdbdc 100644
 ')
 optional_policy(`
-@@ -135,16 +199,17 @@ optional_policy(`
+@@ -135,16 +200,17 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(logrotate_t)
@ -47680,7 +47686,7 @@ index be0ab84b3..6180bdbdc 100644
 ')
 optional_policy(`
-@@ -170,6 +235,11 @@ optional_policy(`
+@@ -170,6 +236,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -47692,7 +47698,7 @@ index be0ab84b3..6180bdbdc 100644
 	fail2ban_stream_connect(logrotate_t)
 ')
-@@ -178,7 +248,8 @@ optional_policy(`
+@@ -178,7 +249,8 @@ optional_policy(`
 ')
 optional_policy(`
@ -47702,7 +47708,7 @@ index be0ab84b3..6180bdbdc 100644
 ')
 optional_policy(`
-@@ -198,17 +269,18 @@ optional_policy(`
+@@ -198,17 +270,18 @@ optional_policy(`
 ')
 optional_policy(`
@ -47724,7 +47730,7 @@ index be0ab84b3..6180bdbdc 100644
 ')
 optional_policy(`
-@@ -216,6 +288,14 @@ optional_policy(`
+@@ -216,6 +289,14 @@ optional_policy(`
 ')
 optional_policy(`
@ -47739,7 +47745,7 @@ index be0ab84b3..6180bdbdc 100644
 	samba_exec_log(logrotate_t)
 ')
-@@ -228,26 +308,50 @@ optional_policy(`
+@@ -228,26 +309,50 @@ optional_policy(`
 ')
 optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 274%{?dist}
+Release: 275%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -681,6 +681,11 @@ exit 0
 %endif
 %changelog
 * Wed Aug 23 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-275
 - Make confined users working
 - Allow ipmievd_t domain to load kernel modules
 - Allow logrotate to reload transient systemd unit
 * Wed Aug 23 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-274
 - Allow postgrey to execute bin_t files and add postgrey into nsswitch_domain
 - Allow nscd_t domain to search network sysctls