From c2ab480fb00142d2faea1e95d07a014189311dab Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Tue, 7 Jun 2016 15:57:53 +0200 Subject: [PATCH] * Tue Jun 07 2016 Lukas Vrabec 3.13.1-194 - Allow boinc to use dri devices. This allows Boinc to be used for OpenCL GPU calculations. BZ(1340886) - Add nrpe_dontaudit_write_pipes() - Merge pull request #129 from rhatdan/onload - Add support for onloadfs - Merge pull request #127 from rhatdan/device-node - Additional access required for unconfined domains - Dontaudit ping attempts to write to nrpe unnamed pipes - Allow ifconfig_t to mounton also ifconfig_var_run_t dirs, not just files. Needed for: #ip netns add foo BZ(1340952) --- docker-selinux.tgz | Bin 4317 -> 4316 bytes policy-rawhide-base.patch | 191 +++++++++++++++++------------------ policy-rawhide-contrib.patch | 89 +++++++++------- selinux-policy.spec | 11 +- 4 files changed, 155 insertions(+), 136 deletions(-)
diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 02bfac3fef0af86bbe67a19aae0f7e4f1cfd1629..35c2662f8a0d80bedb974f6d082a273af9ab8292 100644 GIT binary patch delta 4030 zcmV;v4?*zVA>1KyO(u63KlQnh3w;U@$!7RT*PHf;yei{iRyS8uF~S{ zo9pxCLIH{m zq`o^mA2TTSUXEZ^kh`ahciF5z}91X?1UAq6cKBt`O?WF>mdAe9u9 zg|`IqQp|GY)};Wiz*6iITpNL7M}NjJKHx{7S6;_|Lo9!CD1qF9ooX1A(H1IzwW%z=FV%nDJCqY(IC8 z4J>f4$bva}w}yiLusyeBsMuY>DRno+myo-PQIsOKpnUMtmZhTl5O3>HsQNC1&W|Hl zyhKdaMqz(qS5yMV%rz<49P#4S?`A;EoMF1C+YJ;uPeM6Fl>9`|8+)>=Sx0Hu&{6rU z+;Fvb0m==^1-LD9VlTAZrsN*T=i}L|u>Do=Tr^w&$Mf@<2o&ywT^PJI8wcECjqp0o zQjogD0Ksg)rQ!l|qHxJ6gzP@<^sUyz+rJ6~jQ)QOfGOUToz#%h0Nq)qn+sCh9S3h) zQbvyl#l764pw)zy+1&-s_dr0g2)MILATWJ37=SQJ^0W}Tj)_?3Vu~k0fn4aNJS?Cq zi$Vqy(rT6He?x3b%47a%yfc}=HM9X@ypLY zwugV8^vSME6;ECpq(zeoA5&LF+~&SZ2m|G&R!o~(?kxxZfZ|c(5p;nZ7At3M_|62Z z3We(iMit2U@rZ&yz$tVL`#(=;6zX{b`@HFgj2TNLmVdK;6~gHB~QOP>jCcokeCx*A4lLxWU>#+Y zz)URj?6NQXq%Vm`UKXJ+g$mIw>ONnJ_K-HKKf*K#<84%I2)5=tg3^qd60PA7+0t~C zBoE#?lb#Xs%cI7y=9?H*)XRUqi}103Z+w>i(8C;_;caxY?q{7=OXS9Jh2Y|IbHwVd zGY6HO#ZPflo|l|;2rce5fgyU7zxh!6IR;mjMDS(muG&$LMs1uGwAfiRhHKa$6e(y^l?TYmtLCt9Uh%J#vhAl{a{BDhV# zjIH4tAgn22X%ghOMVSNzVIm#Kzd>lJD-8IJI@$pyTLUC!(_FoQu9!dJ!1-}#@L3;D zPaXWm{xyB*e%1-v=VW)E!uxoQd8-bC&*%07ZSs6jnk?!(!Qe7Lk;Zdfmw9VQ(fm!5 zA>XXKzoyD?h;@Pto$OtY!XrV+>5<^%d85B!|DG}TLH23$9~pt%oescIWlIM@tg?sC z#I4M-nZG(_Xzzc=rA|!ydI0?}eMi4~h~b!~Wo$6Iz$-7Cf|bS8=g0e=&NMw5W1pZ$ zUI_PuW%FEP;$Iux-wS!eQz7PXFos1t_zuE!1)l;lLCL4U906j&f)B#D7rpbo=8R?c z6^IRu=^(Q_SS3DP%3~0^B=10+iL2#>aTWg!A-H6#=fZ!b>|XzV9jmqIJN+cJQ5A+- z_U+Fyl9j=T5zw~dH9}kXS&&Q~wTTQ6KXEf`fk^_P|DMJyqYjE4V))x( zRy5v{WB?nZP197#gcep9^P_+$X6YR$VPe8dq6AMjn}k>0OE}R&dsAAf(^;OTS{Vtu z^KKK}k}Q9-8F7*rRr0`l13&9D4k0cl7K);y5d8t>ou*CKQz_@5VzSdi%SX!PiwRK= zkxGAV8LNiC6kS~Ad6kj-kW1ggz(eRs^LJ8u=HHA0+WV7CkP}?WQi9s^6__7Jd}n=UIPR+*$chyOhOSqfu6_*fRuQB`J3%h!(|yajJIouRdb zQMgtdJ*OL!q(cFw2!l5u>G(e>jg2Mc$+`4Dk)2rQzNjw1=?I84ER|L(A?v8gnDDdi zJ9>X(k_o-(fb1!1ULrlUP*f?KGLRJ95T)xrf}`lFuJW##%h{YUrnh@MtH)(<& 
z73N3bv%#NxDl@A1ZB>?xe}Vm1eU+t(=#77mrb#8R{6Hb|{$#&=5A4-EI#FTy@re%M z;n&H>Ky0)8ekUF2&POUz@vwBWnNApg9yZz3Z5sBIDQzx9)iP_vw14-Go^4BFG zmvi05k7LCBh|?cqna51hVQGz<->KOMU+6Ba;PEZirOWO4cS9%(`8$H0lT?F94lsYr zLA}5#JNzm|;c%cF6khkNDY#1tww~8RbWRa_B)tb)mtrl!12s1n(@`^8U>KN4pjIQ6TLo5^HY~nzhlu^#Sy@(oCO4woq}5nc3NZqT!@ZZwaAYo(+lT0pxps9o zr4Gl(Np;BGBNe+1RqrSFp``eSP;xX(7zm*amZXWM{YW~;8x#^XYC$8-&cALJl!GlRyk--tCD9^pvjH#j|zmW+xHSp8+bykI{@~O!cEH^;^%+6!sp|w zr%!e}PE|`+vrzw1FIXFh>NLvhO=tq)A$zL?3{o9g;*EY>*^&v7wUG8SoRli_K8es$ zP?t}&soJ%L@Ax*rs2`TB8mh7d_*J~>XgZFf5QMjFqkfB67*Y0)75})3<~Rr670|GF z=#q9e0T)po#oM&#Y`&s?($#;*I<3hL)-G`m{-swWjoyDc9<-0T;GTLRHp!@yTQD2j z63=nWyR>GWI6}19K0m+dReV=-NMX-imG@3))!5TcL89_{gG5S!J5+o{P0|;^x~$Q^ zmt5`Z6Co9&wubpi7dPqANQ-24WOVUDP{BhHVW=UAuplDkg{H<}Y#)Et9DrP0MjntH9?m4k7mD@@vMk|c`xdv|WqPEN^%JFoT_qBMNv zz*+giJw*)6EdSa%)CfNJ%X5dy*?KRs^gMZeS|fecaSkK3E_rOF;IA#V;h#6abG*RN z^PQd8G9+>w89-oU=8=Epk-_vC*-{Zj3>YeB(f+yH6b%?*<6R8j#=;re-DQNOXG+1b z~ISZ?S5#Fgv#}B5)&r$S3-*$hGgzS8Qrt>C%HHDF5 zRdrN-mPO*@h@RdipwH2(kM5;DJ7Kjw=K!|#7wy}5bwZSVb$tJB~A|035VX2vgn zlO>z{JuG%5q1`Pn z!N5!Kv&)OWod0z(4M-Qz3KZDW45`mTYTa5se}#10Kyby5fh0BIZcQcHFjzNO?8pic zVdsA6EXAg;$JQeKhJPSyy3UMXp#uS6^ax<`?`0itrk7?yZ|N+=p5J8X98g?l_wg(| zSwn52Y#spO)Ba1$rp>}qahywS+gJYq@sj_ku17&dzw8LWfF?}CZ}|7g=Hq?s-SKpt kuG4k8PS@!=U8n1Govzb$x=z>W`ro+z3q!zRL;!dI0JFgCod5s; delta 4058 zcmV<04<+#2A>AQ=ABzY8+MY~T00Zq@>yO(u63L?G2 zC@0^)6jU#Nf9PTV#2bPr%gP-|0#*jBjtZLMbX=h492LGV(}IzD9mVA2cQKR@I^oQ( z-~7H@Y)BE-U9~XF}PpX)&$yiSS0PhSq;`1^=$$-@79^Qa}IWr>C$J zaPOl^lNtL!-4q_H0yuQ4tIAROca9r!QBvO>o{t$6doM>YE6CkbM)H_t;|ZCM){Uk} z8JBRo76L7i&X9r@3z8yvO|lYyy=IU~3d+J;0(mKBxpM1LfLCBCb_uSHz_Fu0V;DF1 z5$KiI@!t@O97-U!Ao)|VE*BN(PhFy7yY%QNflX8-!LCkw-fm8E*ml11)42nYD!0WigzvXdH88lXGtbaO_EyW`+(OUmf+ptzTN6ttSqGP^s&`5p);76Es52?VCE z1_KaANuCx$*D(?6TukvKD3CL~l!pa$Wl_jrLRzg7{jVs1J^wy`pbQLJ&YuCozVhh; z9|{^Q9PfbRfMxmZ3u#ah7 z7Wphs;1L#zk8pl})Z)%1sihkTaIDQAc2UROP5-9YR)#!e8D9jSz=f@0iUCbGMU)Az zF8KU$LJ$J5+~PV~RsX{oI4`@AY4a-eAhQgrEoKzp7`G5IvMQHCGjGOu<&^C>cZAPa 
z^O0Cn1&;U>_o7CXj0&qVOXEFPOBLVBfEJ?7f~l1MsnI@v692wFYJwt+8n%^3`Q0o9 zZ+S}P41A=M>qj_s`;Z&cJfxDufa%^l>@3W&CWn@lJch+plbuj>(c6frQXlo>)}!tb$)H+Qcar>n51U#CDQ2*B-e-5g$ zX8Js%lBPyLqv2pp5v}y-^#%tP@=dUgGD=`3mU(vB7k<*0L?kbZP?$o6Xcu*#E=7At zo7EqGVVZ>THYzp*TXP;kX+}+n)^LbyX}U_12XCE7&j|VDQDa#1O^hn)W#2{k*uOVE zOMmEL4$ts5x>@&=POBwyQn9Z_VAO`K=iq=|x+kFr3ROt>G( zV@K)OQIf51z~hNlX_m5m@F|G5<*o>BQ!ry|_y!1TN?4i%`E5}qK|z>E2l8(aTIvda z1Ae29c7Vy&0EyW&S8rhXRC={08SGCPrdM5*ZL)4dAY5a0H(Lk&)LELRjQ2?80jj50 zo#erTTqENnvPdotS2~z?(Y-kY!Q$$ntWDBm9p!1)@hVvHC!RL6B1HoB)*r!{2HjcC z+1pU`X;Rmcxhe~1^7bo1rvi+ghWUYitTVA`^H65kk^7w{!~p=oNmx8Ie1pGxJUeat zVngWVf2WPz!))z6o`EaoPdIRX92$JqhtpFBzp;N!AG)7)g7!Jt-KX$AUSr;>!{GC& z{Xm;MH%gO5ohKMv1}M^auIn;y4Jn$xX)@%Sb@$g)84j^dkfD>k>rr?lC^UjT_VAgwm033PSH}$P{kYVLX?WR?f3#HUMn3__RW9f&h=wY)H{ z;=dsTmu&T1xRl-N->+k}7Ja9mq&BL;P|LpkSw^xl7%>9ccDzPt3qK2z$)h%r0pcfa zhAl8jAavZ7_3a=HKm6a*m}S&Ku|o`hJIsp4TapZ5W3*|SDw)v23S)kM6cEKMy#pmo zOn6C@;OS3S;V98^qpdT9AbxqLAp>LF6;&n;us5SXHi%RH|#avyT(dl+~KJ!$?< zO3(Z|v_tbk!YRw7>0Drc(ok@%GLnHNiJ)jTQ07X65`xX0NNU5P$0fSm)MZokyOqtt zkD~iLON(2JKpy8t9X*Eooqju=QdZVzU+ZWW@ASlPC_cn4?Y;f?Mk*P4J__{3v`j_;XKXMisxU%98Ofu>Y#BvQ!bh z@zFG?1ePBtWZs|bm+yhSnnx!pEI&TcAw2v#`51_8mf!EBBi;E(MJgVaZZ^{iGgSY?M_r6?Q@l!LC3v9b=3+W(MhgrB6A9F6=7y>Pe7bAH|`Lze>*G7%FpCR zl$*2~Yf2%1MnG}6_i`DI%%yVs5Ir*2uI{GP;rKYI4!L`zVz;5{{p3EBR3#+wHWu)Y zlDMf;BSdi_bO&yEK4Jsz`6tlQ6#llF_}T`?uZ1LCEqe{^cBd<*W4iF3D^7oGEd}@4 zX8Lmc59Mqd(93Mq_1Sn_i0+t<2H4&t(Crn=@9q14O3#6(J7nG}2kmK9@@xt;xiS7x zfsl3kUZQCOPpEYVz#dY#X}LrEd{_81r10U+M*G15uqudA$iuAUtGm zm4HF2BTKx|k1Ja;A+i?Io`#cBW!@(dS_W+ z?!mwIilou|PsfAyQ5W1(FT^Gpb#e=4V_V`mj(L~X%o9h5HrwatH@%AQY7QyvxvTQt z39TA?+9^m>UT=^{DR761uc%4-Dp;2_`uCE5t9^YUq+-<8FyH9nCOsNyk<5;aE?x;L zcqk$aH6#%hM5MgX)EJEI!x>8sQtZ9O^ArZ8l~rwv-!xOJu0DOB6=V zu6;7uW)?u{xYUJZBt>)uSzDFl-YwLBdm2LrNF#5TcpHY#lnzGqA2S^c?LB#VIP$<@ z)F|lq!PNLUieBj3?vaq4FVJ+}1hA$sa;&P3st+?E8LMeWQl^UTYnR6VUtB`wXY0p& zv0?cAkBjT8>-W9C|Ns8^@Be?1>l`!V=fBC4P5vI1JOVk9J8N?z|1e^GBOg$IS?x*j 
z4UzMP*5|9VIF|s6#oM>jP~_{#h+=`fEy}wxYjW~d*vRRa=6lW>7`!A2?8AR3e2XvL zDfub;Ig{y(>Ekzw;Jf2@;@k7k{XMk1mTw>jsM*Ss^0q+z*|l*!1<-TBP6b4`fZ(nGq~>AOMUW z0ZjhAtmDn}T<9&Gh1m0(44ngt^XxvJg(qvMO_a?8Kz!PNj@h(XSSpTlscrk}KOmm- zKh^apsOXm+0T|GPY4{EQKG}S{uf01yU(eU`^?W^F&)4(yd_7;!*Youed_7;!*Z;=# MUnUO#aR7J#03J>H%>V!Z diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index b5bc472a..1593fb57 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -1961,7 +1961,7 @@ index c6ca761..0c86bfd 100644 ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index c44c359..5210ca5 100644 +index c44c359..ae484a0 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1) @@ -2077,7 +2077,11 @@ index c44c359..5210ca5 100644 ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) -@@ -149,11 +156,25 @@ ifdef(`hide_broken_symptoms',` +@@ -146,14 +153,29 @@ ifdef(`hide_broken_symptoms',` + optional_policy(` + nagios_dontaudit_rw_log(ping_t) + nagios_dontaudit_rw_pipes(ping_t) ++ nagios_dontaudit_write_pipes_nrpe(ping_t) ') ') @@ -2103,7 +2107,7 @@ index c44c359..5210ca5 100644 pcmcia_use_cardmgr_fds(ping_t) ') -@@ -161,6 +182,15 @@ optional_policy(` +@@ -161,6 +183,15 @@ optional_policy(` hotplug_use_fds(ping_t) ') @@ -2119,7 +2123,7 @@ index c44c359..5210ca5 100644 ######################################## # # Traceroute local policy -@@ -174,7 +204,6 @@ allow traceroute_t self:udp_socket create_socket_perms; +@@ -174,7 +205,6 @@ allow traceroute_t self:udp_socket create_socket_perms; kernel_read_system_state(traceroute_t) kernel_read_network_state(traceroute_t) 
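Review bot: The added `nagios_dontaudit_write_pipes_nrpe(ping_t)` in the netutils.te hunk only hides the denial; if the fifo being written is ping's stdout inherited from nrpe rather than stray diagnostic output, the write still fails and the check silently loses its result. Confirm from the audit trace behind the "Dontaudit ping attempts to write to nrpe unnamed pipes" entry that the blocked write is harmless before choosing dontaudit over an allow on the inherited fifo. The `optional_policy` block is complete within the hunk, but the enclosing `ifdef(`hide_broken_symptoms'` starts outside it.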
@@ -2127,7 +2131,7 @@ index c44c359..5210ca5 100644 corenet_all_recvfrom_netlabel(traceroute_t) corenet_tcp_sendrecv_generic_if(traceroute_t) corenet_udp_sendrecv_generic_if(traceroute_t) -@@ -198,6 +227,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) +@@ -198,6 +228,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) @@ -2135,7 +2139,7 @@ index c44c359..5210ca5 100644 files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) -@@ -206,11 +236,17 @@ auth_use_nsswitch(traceroute_t) +@@ -206,11 +237,17 @@ auth_use_nsswitch(traceroute_t) logging_send_syslog_msg(traceroute_t) @@ -9743,7 +9747,7 @@ index 76f285e..5cd2702 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 0b1a871..8d4003a 100644 +index 0b1a871..4cef59b 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -15,11 +15,12 @@ attribute devices_unconfined_type; @@ -9899,7 +9903,7 @@ index 0b1a871..8d4003a 100644 # Type for vmware devices. type vmware_device_t; -@@ -319,5 +371,6 @@ files_associate_tmp(device_node) +@@ -319,5 +371,8 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; @@ -9908,6 +9912,8 @@ index 0b1a871..8d4003a 100644 +allow devices_unconfined_type device_node:{ blk_file lnk_file } *; +allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint }; +allow devices_unconfined_type mtrr_device_t:file ~{ execmod entrypoint }; ++dev_getattr_all(devices_unconfined_type) ++ diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if index 6a1e4d1..26e5558 100644 --- a/policy/modules/kernel/domain.if @@ -17882,7 +17888,7 @@ index d7c11a0..6b3331d 100644 /var/run/shm/.* <> -') 
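Review bot: The devices.te hunk appends an empty `++` line after `dev_getattr_all(devices_unconfined_type)`, leaving a stray blank line at what looks like the end of the file; the filesystem.if hunk adds the same trailing `++` after the new `fs_rw_onload_sockets` interface. Drop both so each file ends at its last rule. The two rules just above already grant getattr on `device_node` for `{ file chr_file }` and `{ blk_file lnk_file }`, so `dev_getattr_all` is presumably there for directories or other classes those rules do not name; a one-line comment stating which access the existing rules lacked would record why it was added.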
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..531dfef 100644 +index 8416beb..761fbab 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -19654,16 +19660,11 @@ index 8416beb..531dfef 100644 ######################################## ## ## Mount a NFS filesystem. -@@ -2356,44 +3283,62 @@ interface(`fs_remount_nfs',` - type nfs_t; - ') +@@ -2361,39 +3288,57 @@ interface(`fs_remount_nfs',` -- allow $1 nfs_t:filesystem remount; -+ allow $1 nfs_t:filesystem remount; -+') -+ -+######################################## -+## + ######################################## + ## +-## Unmount a NFS filesystem. +## Unmount a NFS filesystem. +## +## @@ -19678,11 +19679,10 @@ index 8416beb..531dfef 100644 + ') + + allow $1 nfs_t:filesystem unmount; - ') - - ######################################## - ## --## Unmount a NFS filesystem. ++') ++ ++######################################## ++## +## Get the attributes of a NFS filesystem. ## ## @@ -20153,38 +20153,11 @@ index 8416beb..531dfef 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3839,39 +5047,76 @@ interface(`fs_getattr_tmpfs',` - ## - ## - ## --## The type of the object to be associated. -+## The type of the object to be associated. -+## -+## -+# -+interface(`fs_associate_tmpfs',` -+ gen_require(` -+ type tmpfs_t; -+ ') -+ -+ allow $1 tmpfs_t:filesystem associate; -+') -+ -+######################################## -+## -+## Relabel from tmpfs filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_relabelfrom_tmpfs',` -+ gen_require(` -+ type tmpfs_t; -+ ') -+ +@@ -3866,12 +5074,49 @@ interface(`fs_relabelfrom_tmpfs',` + type tmpfs_t; + ') + +- allow $1 tmpfs_t:filesystem relabelfrom; + allow $1 tmpfs_t:filesystem relabelfrom; +') + 
@@ -20195,40 +20168,33 @@ index 8416beb..531dfef 100644 +## +## +## Domain allowed access. - ## - ## - # --interface(`fs_associate_tmpfs',` ++## ++## ++# +interface(`fs_getattr_tmpfs_dirs',` - gen_require(` - type tmpfs_t; - ') - -- allow $1 tmpfs_t:filesystem associate; ++ gen_require(` ++ type tmpfs_t; ++ ') ++ + allow $1 tmpfs_t:dir getattr; - ') - - ######################################## - ## --## Relabel from tmpfs filesystem. ++') ++ ++######################################## ++## +## Do not audit attempts to get the attributes +## of tmpfs directories. - ## --## ++## +## - ## --## Domain allowed access. ++## +## Domain to not audit. - ## - ## - # --interface(`fs_relabelfrom_tmpfs',` ++## ++## ++# +interface(`fs_dontaudit_getattr_tmpfs_dirs',` - gen_require(` - type tmpfs_t; - ') - -- allow $1 tmpfs_t:filesystem relabelfrom; ++ gen_require(` ++ type tmpfs_t; ++ ') ++ + dontaudit $1 tmpfs_t:dir getattr; ') @@ -20658,7 +20624,7 @@ index 8416beb..531dfef 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6345,63 @@ interface(`fs_unconfined',` +@@ -4912,3 +6345,82 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -20722,8 +20688,27 @@ index 8416beb..531dfef 100644 + + read_files_pattern($1, efivarfs_t, efivarfs_t) +') ++ ++######################################## ++## ++## Read and write sockets of ONLOAD file system pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_rw_onload_sockets',` ++ gen_require(` ++ type onload_fs_t; ++ ') ++ ++ rw_sock_files_pattern($1, onload_fs_t, onload_fs_t) ++') ++ diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index e7d1738..fc52817 100644 +index e7d1738..59c1cb8 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); 
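Review bot: The summary of the new `fs_rw_onload_sockets` interface, `Read and write sockets of ONLOAD file system pipes.`, mixes sockets and pipes while the body grants `rw_sock_files_pattern($1, onload_fs_t, onload_fs_t)`; suggest `## Read and write socket files on an onloadfs filesystem.`. Nothing in this commit calls the interface, so presumably the consuming domain is wired up in a later contrib change — worth stating in the commit message so the dead interface is not mistaken for an omission. Otherwise the interface follows the same shape as the efivarfs read interface directly above it.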
@@ -20817,7 +20802,7 @@ index e7d1738..fc52817 100644 type mvfs_t; fs_noxattr_type(mvfs_t) allow mvfs_t self:filesystem associate; -@@ -118,13 +148,18 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) +@@ -118,13 +148,23 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) type nfsd_fs_t; fs_type(nfsd_fs_t) @@ -20827,6 +20812,11 @@ index e7d1738..fc52817 100644 +type nsfs_t; +fs_type(nsfs_t) +genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0) ++ ++type onload_fs_t; ++fs_type(onload_fs_t) ++files_mountpoint(onload_fs_t) ++genfscon onloadfs / gen_context(system_u:object_r:onload_fs_t,s0) + type oprofilefs_t; fs_type(oprofilefs_t) @@ -20837,7 +20827,7 @@ index e7d1738..fc52817 100644 fs_type(pstore_t) files_mountpoint(pstore_t) dev_associate_sysfs(pstore_t) -@@ -150,17 +185,16 @@ fs_type(spufs_t) +@@ -150,17 +190,16 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) @@ -20859,7 +20849,7 @@ index e7d1738..fc52817 100644 type vmblock_t; fs_noxattr_type(vmblock_t) files_mountpoint(vmblock_t) -@@ -172,6 +206,8 @@ type vxfs_t; +@@ -172,6 +211,8 @@ type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) @@ -20868,7 +20858,7 @@ index e7d1738..fc52817 100644 # # tmpfs_t is the type for tmpfs filesystems -@@ -182,6 +218,8 @@ fs_type(tmpfs_t) +@@ -182,6 +223,8 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) @@ -20877,7 +20867,7 @@ index e7d1738..fc52817 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -261,6 +299,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -261,6 +304,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) 
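Review bot: `onload_fs_t` receives `files_mountpoint(onload_fs_t)` while the adjacent `nsfs_t`, declared the same way a few lines above with only `fs_type` and a `genfscon`, does not; if onloadfs is a kernel-internal pseudo filesystem rather than something an administrator mounts, the mountpoint attribute is unnecessary and broadens what may be mounted on it. Confirm against the onload use case and either drop it or add a comment such as `# onloadfs is mounted by the onload tooling, so it needs the mountpoint attribute` beside the declaration. The `pstore_t` declaration further down shows the same pairing, so the file does not settle which convention applies here.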
@@ -20886,7 +20876,7 @@ index e7d1738..fc52817 100644 files_mountpoint(removable_t) # -@@ -280,6 +320,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -280,6 +325,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -20894,7 +20884,7 @@ index e7d1738..fc52817 100644 ######################################## # -@@ -301,9 +342,10 @@ fs_associate_noxattr(noxattrfs) +@@ -301,9 +347,10 @@ fs_associate_noxattr(noxattrfs) # Unconfined access to this module # @@ -22211,7 +22201,7 @@ index e100d88..1428581 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c..092e065 100644 +index 8dbab4c..5b93205 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; @@ -22516,7 +22506,7 @@ index 8dbab4c..092e065 100644 -allow kern_unconfined sysctl_type:{ dir file } *; +allow kern_unconfined sysctl_type:{ file } ~entrypoint; -+allow kern_unconfined sysctl_type:{ dir } *; ++allow kern_unconfined sysctl_type:{ dir lnk_file } *; allow kern_unconfined kernel_t:system *; @@ -45976,7 +45966,7 @@ index 2cea692..bf86a31 100644 + files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4..78fa512 100644 +index a392fc4..155d5ce 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) 
@@ -46210,7 +46200,7 @@ index a392fc4..78fa512 100644 vmware_append_log(dhcpc_t) ') -@@ -264,12 +313,25 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -264,12 +313,26 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -46232,11 +46222,12 @@ index a392fc4..78fa512 100644 +create_dirs_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t) +files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir }) +allow ifconfig_t ifconfig_var_run_t:file mounton; ++allow ifconfig_t ifconfig_var_run_t:dir mounton; + kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -279,14 +341,32 @@ kernel_rw_net_sysctls(ifconfig_t) +@@ -279,14 +342,32 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) @@ -46269,7 +46260,7 @@ index a392fc4..78fa512 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -299,33 +379,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -299,33 +380,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -46327,7 +46318,7 @@ index a392fc4..78fa512 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -336,7 +434,11 @@ ifdef(`hide_broken_symptoms',` +@@ -336,7 +435,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -46340,7 +46331,7 @@ index a392fc4..78fa512 100644 ') optional_policy(` -@@ -350,7 +452,16 @@ optional_policy(` +@@ -350,7 +453,16 @@ optional_policy(` ') optional_policy(` @@ -46358,7 +46349,7 @@ index a392fc4..78fa512 100644 ') optional_policy(` -@@ -371,3 +482,13 @@ optional_policy(` +@@ -371,3 +483,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') 
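Review bot: The new `allow ifconfig_t ifconfig_var_run_t:dir mounton;` duplicates the rule directly above it with only the class changed; fold both into `allow ifconfig_t ifconfig_var_run_t:{ file dir } mounton;`, which matches the brace form of `files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir })` two lines earlier. A trailing comment `# needed by ip netns add, which mounts onto dirs under ifconfig_var_run_t (BZ 1340952)` would keep the justification from the changelog next to the rule.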
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 596ccb2c..fb9b9956 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -10794,7 +10794,7 @@ index 02fefaa..308616e 100644 + ') ') diff --git a/boinc.te b/boinc.te -index 687d4c4..3c5a83a 100644 +index 687d4c4..f668033 100644 --- a/boinc.te +++ b/boinc.te @@ -12,7 +12,9 @@ policy_module(boinc, 1.1.1) @@ -10887,7 +10887,7 @@ index 687d4c4..3c5a83a 100644 manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) -@@ -61,74 +101,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) +@@ -61,74 +101,49 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file) @@ -10925,6 +10925,7 @@ index 687d4c4..3c5a83a 100644 -corenet_all_recvfrom_unlabeled(boinc_t) +dev_getattr_mouse_dev(boinc_t) ++dev_rw_dri(boinc_t) + +files_getattr_all_dirs(boinc_t) +files_getattr_all_files(boinc_t) @@ -10984,7 +10985,7 @@ index 687d4c4..3c5a83a 100644 term_getattr_all_ptys(boinc_t) term_getattr_unallocated_ttys(boinc_t) -@@ -137,8 +151,9 @@ init_read_utmp(boinc_t) +@@ -137,8 +152,9 @@ init_read_utmp(boinc_t) logging_send_syslog_msg(boinc_t) @@ -10996,7 +10997,7 @@ index 687d4c4..3c5a83a 100644 tunable_policy(`boinc_execmem',` allow boinc_t self:process { execstack execmem }; -@@ -148,48 +163,61 @@ optional_policy(` +@@ -148,48 +164,61 @@ optional_policy(` mta_send_mail(boinc_t) ') @@ -57009,7 +57010,7 @@ index d78dfc3..40e1c77 100644 -/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) diff --git a/nagios.if b/nagios.if -index 0641e97..438eeb3 100644 +index 0641e97..f3b1111 100644 --- a/nagios.if +++ b/nagios.if @@ -1,12 +1,13 @@ 
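Review bot: `dev_rw_dri(boinc_t)` is granted unconditionally, although the file already gates execmem behind the `boinc_execmem` tunable and the changelog ties this access to an optional use case, OpenCL GPU compute (BZ 1340886); as far as I can tell boinc_t also hosts downloaded project applications, so every host running BOINC would expose its DRM device nodes to them even when no GPU jobs are configured. Consider wrapping the call in a `tunable_policy` block keyed on a new boolean declared with `gen_tunable` (e.g. boinc_use_dri, name constructed), defaulting to off. If the policy maintainers prefer unconditional access here, a one-line comment `# OpenCL GPU compute (BZ 1340886)` beside the rule is the minimum.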
@@ -57058,12 +57059,10 @@ index 0641e97..438eeb3 100644 + + kernel_read_system_state(nagios_$1_plugin_t) + - ') - - ######################################## - ## --## Do not audit attempts to read or --## write nagios unnamed pipes. ++') ++ ++######################################## ++## +## Execute the nagios unconfined plugins with +## a domain transition. +## @@ -57080,10 +57079,12 @@ index 0641e97..438eeb3 100644 + ') + + domtrans_pattern($1, nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to read or +-## write nagios unnamed pipes. +## Do not audit attempts to read or write nagios +## unnamed pipes. ## @@ -57160,10 +57161,11 @@ index 0641e97..438eeb3 100644 - files_search_spool($1) allow $1 nagios_spool_t:dir search_dir_perms; + files_search_spool($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read nagios temporary files. +## Append nagios spool files. +## +## @@ -57179,11 +57181,10 @@ index 0641e97..438eeb3 100644 + + allow $1 nagios_spool_t:file append_file_perms; + files_search_spool($1) - ') - - ######################################## - ## --## Read nagios temporary files. ++') ++ ++######################################## ++## +## Allow the specified domain to read +## nagios temporary files. ## @@ -57196,11 +57197,10 @@ index 0641e97..438eeb3 100644 - files_search_tmp($1) allow $1 nagios_tmp_t:file read_file_perms; + files_search_tmp($1) - ') - - ######################################## - ## --## Execute nrpe with a domain transition. ++') ++ ++######################################## ++## +## Allow the specified domain to read +## nagios temporary files. +## 
@@ -57217,16 +57217,17 @@ index 0641e97..438eeb3 100644 + + allow $1 nagios_tmp_t:file rw_inherited_file_perms; + files_search_tmp($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Execute nrpe with a domain transition. +## Execute the nagios NRPE with +## a domain transition. ## ## ## -@@ -170,14 +243,13 @@ interface(`nagios_domtrans_nrpe',` +@@ -170,14 +243,31 @@ interface(`nagios_domtrans_nrpe',` type nrpe_t, nrpe_exec_t; ') @@ -57234,6 +57235,24 @@ index 0641e97..438eeb3 100644 domtrans_pattern($1, nrpe_exec_t, nrpe_t) ') ++###################################### ++## ++## Do not audit attempts to write nrpe daemon unnamed pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nagios_dontaudit_write_pipes_nrpe',` ++ gen_require(` ++ type nrpe_t; ++ ') ++ ++ dontaudit $1 nrpe_t:fifo_file write; ++') ++ ######################################## ## -## All of the rules required to @@ -57243,7 +57262,7 @@ index 0641e97..438eeb3 100644 ## ## ## -@@ -186,44 +258,43 @@ interface(`nagios_domtrans_nrpe',` +@@ -186,44 +276,43 @@ interface(`nagios_domtrans_nrpe',` ## ## ## diff --git a/selinux-policy.spec b/selinux-policy.spec index f12dbb02..00c614af 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 193%{?dist} +Release: 194%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
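Review bot: The new `nagios_dontaudit_write_pipes_nrpe` interface documents its parameter as `Domain allowed access.`, but it is a dontaudit interface and the dontaudit interfaces elsewhere in this patch (for example `fs_dontaudit_getattr_tmpfs_dirs` in filesystem.if) use `## Domain to not audit.`; change the parameter summary accordingly. Its header rule `######################################` is also shorter than the `########################################` used by the neighbouring interfaces. The commit message and the spec changelog call the addition `nrpe_dontaudit_write_pipes()`, which is not the name defined here — align the changelog entry with `nagios_dontaudit_write_pipes_nrpe()` so the name can be grepped from the release notes.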
@@ -647,6 +647,15 @@ exit 0 %endif %changelog +* Tue Jun 07 2016 Lukas Vrabec 3.13.1-194 +- Allow boinc to use dri devices. This allows use Boinc for a openCL GPU calculations. BZ(1340886) +- Add nrpe_dontaudit_write_pipes() +- Merge pull request #129 from rhatdan/onload +- Add support for onloadfs +- Merge pull request #127 from rhatdan/device-node +- Additional access required for unconfined domains +- Dontaudit ping attempts to write to nrpe unnamed pipes +- Allow ifconfig_t to mounton also ifconfig_var_run_t dirs, not just files. Needed for: #ip netns add foo BZ(1340952) * Mon May 30 2016 Lukas Vrabec 3.13.1-193 - Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te - Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs