From dfee3bea844674392b0786842d96388e683d772a Mon Sep 17 00:00:00 2001 
From: Lukas Vrabec
Date: Fri, 12 May 2017 17:03:36 +0200
Subject: [PATCH] * Fri May 12 2017 Lukas Vrabec - 3.13.1-253

- auth_use_nsswitch can call only domain not attribute
- Dontaudit net_admin cap for winbind_t
- Allow tlp_t domain to stream connect to system bus
- Allow tomcat_t domain read pki_common_t files
- Add interface pki_read_common_files()
- Fix broken certmonger module
- Fix broken apache module
- Allow hypervkvp_t domain execute hostname
- Dontaudit sssd_selinux_manager_t use of net_admin capability
- Allow tomcat_t stream connect to pki_common_t
- Dontaudit xguest_t's attempts to listen to its tcp_socket
- Allow sssd_selinux_manager_t to ioctl init_t sockets
- Improve ipa_cert_filetrans_named_content() interface to also allow caller domain manage ipa_cert_t type.
- Allow pki_tomcat_t domain read /etc/passwd.
- Allow tomcat_t domain read ipa_tmp_t files
- Label new path for ipa-otpd
- Allow radiusd_t domain stream connect to postgresql_t
- Allow rhsmcertd_t to execute hostname_exec_t binaries.
- Allow virtlogd to append nfs_t files when virt_use_nfs=1
- Allow httpd_t domain read also httpd_user_content_type lnk_files.
- Allow httpd_t domain create /etc/httpd/alias/ipaseesion.key with label ipa_cert_t
- Dontaudit _gkeyringd_t stream connect to system_dbusd_t
- Label /var/www/html/nextcloud/data as httpd_sys_rw_content_t
- Add interface ipa_filetrans_named_content()
- Allow tomcat use nsswitch
- Allow certmonger_t start/status generic services
- Allow dirsrv read cgroup files.
- Allow ganesha_t domain read/write infiniband devices.
- Allow sendmail_t domain sysctl_net_t files
- Allow targetd_t domain read network state and getattr on loop_control_device_t
- Allow condor_schedd_t domain send mails.
- Allow ntpd to create sockets. BZ(1434395)
- Allow certmonger to create its own systemd unit files.
- Add kill namespace capability to xdm_t domain
- Revert "su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization."
- Revert "Allow _su_t to create netlink_selinux_socket"
- Allow _su_t to create netlink_selinux_socket
- Allow unconfined_t to module_load any file
- Allow staff to systemctl virt server when staff_use_svirt=1
- Allow unconfined_t create /tmp/ca.p12 file with ipa_tmp_t context
- Allow netutils setpcap capability
- Dontaudit leaked file descriptor happening in setfiles_t domain BZ(1388124)
---
 container-selinux.tgz        | Bin 6557 -> 6619 bytes
 policy-rawhide-base.patch    | 171 +++++----
 policy-rawhide-contrib.patch | 690 ++++++++++++++++++++++-------------
 selinux-policy.spec          |  46 ++-
 4 files changed, 569 insertions(+), 338 deletions(-)
diff --git a/container-selinux.tgz b/container-selinux.tgz index 19e9920b25ba1d9294eac4711c7d4fd74e094a44..5ebf4551400748349df5233b771500c90f01019b 100644 GIT binary patch literal 6619
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 0fef1fc..aea97fa 100644 +index 0fef1fc..c3c0f6d 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,73 @@ policy_module(staff, 2.4.0) @@ -23588,7 +23598,7 @@ index 0fef1fc..aea97fa 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +400,23 @@ ifndef(`distro_redhat',` +@@ -176,3 +400,24 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -23608,6 +23618,7 @@ index 0fef1fc..aea97fa 100644 + dev_rw_kvm(staff_t) + virt_manage_images(staff_t) + virt_stream_connect_svirt(staff_t) ++ virt_systemctl(staff_t) + virt_rw_stream_sockets_svirt(staff_t) + virt_exec(staff_t) + ') @@ -25103,10 +25114,10 @@ index 0000000..f730286 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..60c3f9d +index 0000000..89f4076 --- /dev/null
+++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,358 @@ +@@ -0,0 +1,360 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -25169,6 +25180,8 @@ index 0000000..60c3f9d +allow unconfined_t self:system syslog_read; +dontaudit unconfined_t self:capability sys_module; + ++allow unconfined_t file_type:system module_load; ++ +kernel_rw_unlabeled_socket(unconfined_t) +kernel_rw_unlabeled_rawip_socket(unconfined_t) + @@ -29671,7 +29684,7 @@ index 6bf0ecc..e6be63a 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..a55ca15 100644 +index 8b40377..da86a8e 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -30030,7 +30043,7 @@ index 8b40377..a55ca15 100644 ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) ssh_dontaudit_rw_tcp_sockets(xauth_t) -@@ -300,64 +420,106 @@ optional_policy(` +@@ -300,64 +420,107 @@ optional_policy(` # XDM Local policy # @@ -30038,6 +30051,7 @@ index 8b40377..a55ca15 100644 -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; +allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace }; +allow xdm_t self:capability2 { block_suspend }; ++allow xdm_t self:cap_userns { kill }; +dontaudit xdm_t self:capability sys_admin; +dontaudit xdm_t self:capability2 wake_alarm; +tunable_policy(`deny_ptrace',`',` 
@@ -30150,7 +30164,7 @@ index 8b40377..a55ca15 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -366,20 +528,31 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -366,20 +529,31 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -30184,7 +30198,7 @@ index 8b40377..a55ca15 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -389,38 +562,51 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -389,38 +563,51 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -30240,7 +30254,7 @@ index 8b40377..a55ca15 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +617,30 @@ files_list_mnt(xdm_t) +@@ -431,9 +618,30 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -30271,7 +30285,7 @@ index 8b40377..a55ca15 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,28 +649,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -442,28 +650,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) 
@@ -30322,7 +30336,7 @@ index 8b40377..a55ca15 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +697,163 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +698,163 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -30492,7 +30506,7 @@ index 8b40377..a55ca15 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +866,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +867,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') @@ -30524,7 +30538,7 @@ index 8b40377..a55ca15 100644 ') optional_policy(` -@@ -518,8 +901,36 @@ optional_policy(` +@@ -518,8 +902,36 @@ optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -30562,7 +30576,7 @@ index 8b40377..a55ca15 100644 ') ') -@@ -530,6 +941,20 @@ optional_policy(` +@@ -530,6 +942,20 @@ optional_policy(` ') optional_policy(` @@ -30583,7 +30597,7 @@ index 8b40377..a55ca15 100644 hostname_exec(xdm_t) ') -@@ -547,28 +972,78 @@ optional_policy(` +@@ -547,28 +973,78 @@ optional_policy(` ') optional_policy(` @@ -30671,7 +30685,7 @@ index 8b40377..a55ca15 100644 ') optional_policy(` -@@ -580,6 +1055,14 @@ optional_policy(` +@@ -580,6 +1056,14 @@ optional_policy(` ') optional_policy(` @@ -30686,7 +30700,7 @@ index 8b40377..a55ca15 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1077,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1078,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; 
@@ -30695,7 +30709,7 @@ index 8b40377..a55ca15 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1087,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1088,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -30708,7 +30722,7 @@ index 8b40377..a55ca15 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1104,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1105,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -30724,7 +30738,7 @@ index 8b40377..a55ca15 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1120,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1121,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) 
@@ -30735,7 +30749,7 @@ index 8b40377..a55ca15 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1135,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1136,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -30777,7 +30791,7 @@ index 8b40377..a55ca15 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1186,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1187,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -30809,7 +30823,7 @@ index 8b40377..a55ca15 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1219,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1220,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -30824,7 +30838,7 @@ index 8b40377..a55ca15 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1240,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1241,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -30848,7 +30862,7 @@ index 8b40377..a55ca15 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1259,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1260,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) 
@@ -30857,7 +30871,7 @@ index 8b40377..a55ca15 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1303,54 @@ optional_policy(` +@@ -785,17 +1304,54 @@ optional_policy(` ') optional_policy(` @@ -30914,7 +30928,7 @@ index 8b40377..a55ca15 100644 ') optional_policy(` -@@ -803,6 +1358,10 @@ optional_policy(` +@@ -803,6 +1359,10 @@ optional_policy(` ') optional_policy(` @@ -30925,7 +30939,7 @@ index 8b40377..a55ca15 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1377,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1378,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -30950,7 +30964,7 @@ index 8b40377..a55ca15 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1400,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1401,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -30985,7 +30999,7 @@ index 8b40377..a55ca15 100644 ') optional_policy(` -@@ -912,7 +1465,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1466,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -30994,7 +31008,7 @@ index 8b40377..a55ca15 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1519,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1520,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -31026,7 +31040,7 @@ index 8b40377..a55ca15 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1565,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1566,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -33598,7 +33612,7 @@ index bc0ffc8..37b8ea5 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f6..e90f7a4 100644 +index 79a45f6..2dad865 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -34582,10 +34596,28 @@ index 79a45f6..e90f7a4 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1605,6 +2057,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1605,6 +2057,42 @@ interface(`init_rw_script_tmp_files',` ######################################## ## ++## Do not audit attempts to read initrc_tmp_t files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`init_dontaudit_write_initrc_tmp',` ++ gen_require(` ++ type initrc_tmp_t; ++ ') ++ ++ dontaudit $1 initrc_tmp_t:fifo_file write_fifo_file_perms; ++') ++ ++######################################## ++## +## Read and write init script inherited temporary data. +## +## 
@@ -34607,7 +34639,7 @@ index 79a45f6..e90f7a4 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1677,6 +2147,43 @@ interface(`init_read_utmp',` +@@ -1677,6 +2165,43 @@ interface(`init_read_utmp',` ######################################## ## @@ -34651,7 +34683,7 @@ index 79a45f6..e90f7a4 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1765,7 +2272,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1765,7 +2290,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -34660,7 +34692,7 @@ index 79a45f6..e90f7a4 100644 ') ######################################## -@@ -1806,37 +2313,744 @@ interface(`init_pid_filetrans_utmp',` +@@ -1806,27 +2331,154 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') @@ -34697,21 +34729,13 @@ index 79a45f6..e90f7a4 100644 ## -## Allow the specified domain to connect to daemon with a udp socket +## Allow listing of the /run/systemd directory. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`init_udp_recvfrom_all_daemons',` -- gen_require(` -- attribute daemon; -- ') -- corenet_udp_recvfrom_labeled($1, daemon) ++## ++# +interface(`init_list_pid_dirs',` + gen_require(` + type init_var_run_t; @@ -34832,19 +34856,13 @@ index 79a45f6..e90f7a4 100644 +######################################## +## +## Allow the specified domain to connect to daemon with a udp socket -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_udp_recvfrom_all_daemons',` -+ gen_require(` -+ attribute daemon; -+ ') -+ corenet_udp_recvfrom_labeled($1, daemon) -+') + ## + ## + ## +@@ -1840,3 +2492,583 @@ interface(`init_udp_recvfrom_all_daemons',` + ') + corenet_udp_recvfrom_labeled($1, daemon) + ') + +######################################## +## @@ -35424,7 +35442,7 @@ index 79a45f6..e90f7a4 100644 + + files_search_var_lib($1) + allow $1 init_var_lib_t:dir search_dir_perms; - ') ++') 
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 17eda24..fa4ad6a 100644 --- a/policy/modules/system/init.te @@ -43322,7 +43340,7 @@ index 3822072..d358162 100644 + allow semanage_t $1:dbus send_msg; +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index dc46420..a86e9eb 100644 +index dc46420..67f4de1 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,16 @@ gen_require(` @@ -43857,7 +43875,7 @@ index dc46420..a86e9eb 100644 ') ######################################## -@@ -522,111 +597,202 @@ ifdef(`distro_ubuntu',` +@@ -522,111 +597,203 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # @@ -44036,6 +44054,7 @@ index dc46420..a86e9eb 100644 +init_use_script_fds(setfiles_domain) +init_use_script_ptys(setfiles_domain) +init_exec_script_files(setfiles_domain) ++init_dontaudit_write_initrc_tmp(setfiles_domain) + +userdom_use_all_users_fds(setfiles_domain) # for config files in a home directory diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 62ea368f..3e40862c 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -3521,10 +3521,10 @@ index 0000000..c679dd3 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 7caefc3..dac9ad5 100644 +index 7caefc3..966c2f3 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,162 +1,217 @@ +@@ -1,162 +1,218 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) 
@@ -3861,6 +3861,7 @@ index 7caefc3..dac9ad5 100644 +/var/www/html(/.*)?/wp_backups(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/html(/.*)?/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/html/owncloud/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/www/html/nextcloud/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) @@ -5536,7 +5537,7 @@ index f6eb485..fe461a3 100644 + ps_process_pattern(httpd_t, $1) ') diff --git a/apache.te b/apache.te -index 6649962..1cbf151 100644 +index 6649962..371039c 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -6865,7 +6866,7 @@ index 6649962..1cbf151 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +1026,30 @@ optional_policy(` +@@ -822,8 +1026,31 @@ optional_policy(` ') optional_policy(` @@ -6878,6 +6879,7 @@ index 6649962..1cbf151 100644 + tunable_policy(`httpd_run_ipa',` + ipa_domtrans_helper(httpd_t) + ') ++ ipa_cert_filetrans_named_content(httpd_t) +') + +optional_policy(` @@ -6896,7 +6898,7 @@ index 6649962..1cbf151 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +1058,8 @@ optional_policy(` +@@ -832,6 +1059,8 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6905,7 +6907,7 @@ index 6649962..1cbf151 100644 ') optional_policy(` -@@ -842,20 +1070,44 @@ optional_policy(` +@@ -842,20 +1071,44 @@ optional_policy(` ') optional_policy(` @@ -6956,7 +6958,7 @@ index 6649962..1cbf151 100644 ') optional_policy(` -@@ -863,16 +1115,31 @@ optional_policy(` +@@ -863,16 +1116,31 @@ optional_policy(` ') optional_policy(` 
@@ -6990,7 +6992,7 @@ index 6649962..1cbf151 100644 ') optional_policy(` -@@ -883,65 +1150,189 @@ optional_policy(` +@@ -883,65 +1151,189 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -7202,7 +7204,7 @@ index 6649962..1cbf151 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1341,75 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1342,75 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -7356,7 +7358,7 @@ index 6649962..1cbf151 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1426,107 @@ optional_policy(` +@@ -1083,172 +1427,107 @@ optional_policy(` ') ') @@ -7594,7 +7596,7 @@ index 6649962..1cbf151 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1534,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1535,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7691,7 +7693,7 @@ index 6649962..1cbf151 100644 ######################################## # -@@ -1321,8 +1609,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1610,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7708,7 +7710,7 @@ index 6649962..1cbf151 100644 ') ######################################## -@@ -1330,49 +1625,40 @@ optional_policy(` +@@ -1330,49 +1626,41 @@ optional_policy(` # User content local policy # @@ -7747,6 +7749,7 @@ index 6649962..1cbf151 100644 -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',` - fs_exec_nfs_files(httpd_user_script_t) + read_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type) ++ read_lnk_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type) ') tunable_policy(`httpd_read_user_content',` 
@@ -7774,7 +7777,7 @@ index 6649962..1cbf151 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1668,109 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1670,109 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -12336,10 +12339,14 @@ index 4a87873..113f3b3 100644 + +mta_send_mail(certmaster_t) diff --git a/certmonger.fc b/certmonger.fc -index ed298d8..cd8eb4d 100644 +index ed298d8..c887648 100644 --- a/certmonger.fc +++ b/certmonger.fc -@@ -2,6 +2,8 @@ +@@ -1,7 +1,12 @@ ++/etc/systemd/system/dirsrv.target.wants(/.*)? gen_context(system_u:object_r:certmonger_unit_file_t,s0) ++/usr/lib/systemd/system/certmonger.* gen_context(system_u:object_r:certmonger_unit_file_t,s0) ++ + /etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0) /usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0) @@ -12377,15 +12384,18 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 550b287..e799a42 100644 +index 550b287..b4565e3 100644 --- a/certmonger.te +++ b/certmonger.te -@@ -18,18 +18,23 @@ files_type(certmonger_var_lib_t) +@@ -18,18 +18,26 @@ files_type(certmonger_var_lib_t) type certmonger_var_run_t; files_pid_file(certmonger_var_run_t) +type certmonger_unconfined_exec_t; +application_executable_file(certmonger_unconfined_exec_t) ++ ++type certmonger_unit_file_t; ++systemd_unit_file(certmonger_unit_file_t) + ######################################## # 
@@ -12408,7 +12418,7 @@ index 550b287..e799a42 100644 manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) -@@ -41,6 +46,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file }) +@@ -41,6 +49,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file }) kernel_read_kernel_sysctls(certmonger_t) kernel_read_system_state(certmonger_t) @@ -12416,7 +12426,7 @@ index 550b287..e799a42 100644 corenet_all_recvfrom_unlabeled(certmonger_t) corenet_all_recvfrom_netlabel(certmonger_t) -@@ -49,17 +55,26 @@ corenet_tcp_sendrecv_generic_node(certmonger_t) +@@ -49,17 +58,26 @@ corenet_tcp_sendrecv_generic_node(certmonger_t) corenet_sendrecv_certmaster_client_packets(certmonger_t) corenet_tcp_connect_certmaster_port(certmonger_t) @@ -12444,7 +12454,7 @@ index 550b287..e799a42 100644 fs_search_cgroup_dirs(certmonger_t) -@@ -68,18 +83,22 @@ auth_rw_cache(certmonger_t) +@@ -68,18 +86,24 @@ auth_rw_cache(certmonger_t) init_getattr_all_script_files(certmonger_t) @@ -12458,6 +12468,8 @@ index 550b287..e799a42 100644 + +systemd_exec_systemctl(certmonger_t) +systemd_manage_all_unit_files(certmonger_t) ++systemd_start_systemd_services(certmonger_t) ++systemd_status_all_unit_files(certmonger_t) userdom_search_user_home_content(certmonger_t) @@ -12470,7 +12482,7 @@ index 550b287..e799a42 100644 ') optional_policy(` -@@ -92,11 +111,66 @@ optional_policy(` +@@ -92,11 +116,73 @@ optional_policy(` ') optional_policy(` 
@@ -12514,6 +12526,13 @@ index 550b287..e799a42 100644 + sssd_delete_public_files(certmonger_t) +') + ++optional_policy(` ++ allow certmonger_t certmonger_unit_file_t:service manage_service_perms; ++ allow certmonger_t certmonger_unit_file_t:file manage_file_perms; ++ allow certmonger_t certmonger_unit_file_t:dir manage_dir_perms; ++ systemd_unit_file_filetrans(certmonger_t, certmonger_unit_file_t, dir) ++') ++ +######################################## +# +# certmonger_unconfined_script_t local policy @@ -16514,7 +16533,7 @@ index 881d92f..a2d588a 100644 + ') ') diff --git a/condor.te b/condor.te -index ce9f040..320d6e8 100644 +index ce9f040..bd8d855 100644 --- a/condor.te +++ b/condor.te @@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t) @@ -16557,15 +16576,17 @@ index ce9f040..320d6e8 100644 rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t) -@@ -86,16 +97,14 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file }) +@@ -86,16 +97,15 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file }) allow condor_domain condor_master_t:process signull; allow condor_domain condor_master_t:tcp_socket getattr; +allow condor_domain condor_master_t:udp_socket { read write }; - kernel_read_kernel_sysctls(condor_domain) +-kernel_read_kernel_sysctls(condor_domain) kernel_read_network_state(condor_domain) -kernel_read_system_state(condor_domain) ++kernel_rw_kernel_sysctl(condor_domain) ++kernel_search_network_sysctl(condor_domain) corecmd_exec_bin(condor_domain) corecmd_exec_shell(condor_domain) @@ -16575,7 +16596,7 @@ index ce9f040..320d6e8 100644 corenet_tcp_sendrecv_generic_if(condor_domain) corenet_tcp_sendrecv_generic_node(condor_domain) -@@ -109,9 +118,9 @@ dev_read_rand(condor_domain) +@@ -109,9 +119,9 @@ dev_read_rand(condor_domain) dev_read_sysfs(condor_domain) dev_read_urand(condor_domain) 
@@ -16587,7 +16608,7 @@ index ce9f040..320d6e8 100644 sysnet_dns_name_resolve(condor_domain) -@@ -130,7 +139,7 @@ optional_policy(` +@@ -130,7 +140,7 @@ optional_policy(` # Master local policy # @@ -16596,7 +16617,7 @@ index ce9f040..320d6e8 100644 allow condor_master_t condor_domain:process { sigkill signal }; -@@ -138,6 +147,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) +@@ -138,6 +148,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir }) @@ -16607,7 +16628,7 @@ index ce9f040..320d6e8 100644 corenet_udp_sendrecv_generic_if(condor_master_t) corenet_udp_sendrecv_generic_node(condor_master_t) corenet_tcp_bind_generic_node(condor_master_t) -@@ -157,6 +170,8 @@ domain_read_all_domains_state(condor_master_t) +@@ -157,6 +171,8 @@ domain_read_all_domains_state(condor_master_t) auth_use_nsswitch(condor_master_t) @@ -16616,7 +16637,7 @@ index ce9f040..320d6e8 100644 optional_policy(` mta_send_mail(condor_master_t) mta_read_config(condor_master_t) -@@ -174,6 +189,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; +@@ -174,6 +190,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; kernel_read_network_state(condor_collector_t) @@ -16625,7 +16646,7 @@ index ce9f040..320d6e8 100644 ##################################### # # Negotiator local policy -@@ -183,12 +200,15 @@ allow condor_negotiator_t self:capability { setuid setgid }; +@@ -183,12 +201,15 @@ allow condor_negotiator_t self:capability { setuid setgid }; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:udp_socket getattr; 
@@ -16641,7 +16662,7 @@ index ce9f040..320d6e8 100644 allow condor_procd_t condor_domain:process sigkill; -@@ -206,6 +226,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; +@@ -206,6 +227,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; @@ -16650,16 +16671,21 @@ index ce9f040..320d6e8 100644 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) -@@ -214,6 +236,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) +@@ -214,6 +237,13 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) +corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t) ++ ++optional_policy(` ++ mta_send_mail(condor_schedd_t) ++ mta_read_config(condor_schedd_t) ++') + ##################################### # # Startd local policy -@@ -238,11 +262,10 @@ domain_read_all_domains_state(condor_startd_t) +@@ -238,11 +268,10 @@ domain_read_all_domains_state(condor_startd_t) mcs_process_set_categories(condor_startd_t) init_domtrans_script(condor_startd_t) @@ -16672,7 +16698,7 @@ index ce9f040..320d6e8 100644 optional_policy(` ssh_basic_client_template(condor_startd, condor_startd_t, system_r) ssh_domtrans(condor_startd_t) -@@ -254,3 +277,7 @@ optional_policy(` +@@ -254,3 +283,7 @@ optional_policy(` kerberos_use(condor_startd_ssh_t) ') ') @@ -25510,10 +25536,10 @@ index 0000000..b3784d8 +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 0000000..f9f9806 +index 0000000..fa74f85 --- /dev/null +++ b/dirsrv.te -@@ -0,0 +1,203 @@ +@@ -0,0 +1,204 @@ +policy_module(dirsrv,1.0.0) + +######################################## 
@@ -25635,6 +25661,7 @@ index 0000000..f9f9806 +files_read_usr_symlinks(dirsrv_t) + +fs_getattr_all_fs(dirsrv_t) ++fs_read_cgroup_files(dirsrv_t) + +auth_use_pam(dirsrv_t) + @@ -31118,7 +31145,7 @@ index 0000000..d9ba5fa +') diff --git a/ganesha.te b/ganesha.te new file mode 100644 -index 0000000..fe7b5d7 +index 0000000..9542305 --- /dev/null +++ b/ganesha.te @@ -0,0 +1,72 @@ @@ -31172,7 +31199,7 @@ index 0000000..fe7b5d7 +corenet_tcp_bind_mountd_port(ganesha_t) +corenet_udp_bind_mountd_port(ganesha_t) + -+dev_read_infiniband_dev(ganesha_t) ++dev_rw_infiniband_dev(ganesha_t) +dev_read_gpfs(ganesha_t) + +logging_send_syslog_msg(ganesha_t) @@ -33396,7 +33423,7 @@ index e39de43..5edcb83 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index ab09d61..1a07290 100644 +index ab09d61..72d67c2 100644 --- a/gnome.if +++ b/gnome.if @@ -1,52 +1,76 @@ @@ -33520,7 +33547,7 @@ index ab09d61..1a07290 100644 ######################################## # # Gkeyringd policy -@@ -89,37 +110,92 @@ template(`gnome_role_template',` +@@ -89,37 +110,86 @@ template(`gnome_role_template',` domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) @@ -33571,6 +33598,7 @@ index ab09d61..1a07290 100644 optional_policy(` - dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t) + dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t) ++ dbus_dontaudit_stream_connect_system_dbusd($1_gkeyringd_t) + gnome_manage_generic_home_dirs($1_gkeyringd_t) + gnome_read_generic_data_home_files($1_gkeyringd_t) + gnome_read_generic_data_home_dirs($1_gkeyringd_t) 
@@ -33579,17 +33607,10 @@ index ab09d61..1a07290 100644 - gnome_dbus_chat_gkeyringd($1, $3) + telepathy_mission_control_read_state($1_gkeyringd_t) + telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t) -+ ') -+ ') -+ -+ optional_policy(` -+ gen_require(` -+ type xguest_gkeyringd_t; ') -+ dbus_dontaudit_stream_connect_session_bus(xguest_gkeyringd_t) -+ ') -+') -+ + ') + ') + +####################################### +## +## Allow domain to run gkeyring in the $1_gkeyringd_t domain. @@ -33614,11 +33635,11 @@ index ab09d61..1a07290 100644 + gen_require(` + type $1_gkeyringd_t; + type gkeyringd_exec_t; - ') ++ ') + role $2 types $1_gkeyringd_t; + domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) - ') - ++') ++ ######################################## ## -## Execute gconf in the caller domain. @@ -33626,7 +33647,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -127,18 +203,18 @@ template(`gnome_role_template',` +@@ -127,18 +197,18 @@ template(`gnome_role_template',` ## ## # @@ -33650,7 +33671,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -146,119 +222,114 @@ interface(`gnome_exec_gconf',` +@@ -146,119 +216,114 @@ interface(`gnome_exec_gconf',` ## ## # @@ -33807,7 +33828,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -266,15 +337,21 @@ interface(`gnome_create_generic_home_dirs',` +@@ -266,15 +331,21 @@ interface(`gnome_create_generic_home_dirs',` ## ## # @@ -33834,7 +33855,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -282,57 +359,89 @@ interface(`gnome_setattr_config_dirs',` +@@ -282,57 +353,89 @@ interface(`gnome_setattr_config_dirs',` ## ## # @@ -33942,7 +33963,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -340,15 +449,18 @@ interface(`gnome_read_generic_home_content',` +@@ -340,15 +443,18 @@ interface(`gnome_read_generic_home_content',` ## ## # @@ -33966,7 +33987,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -356,22 +468,18 @@ interface(`gnome_manage_config',` +@@ -356,22 +462,18 @@ interface(`gnome_manage_config',` ## ## # 
@@ -33994,7 +34015,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -379,53 +487,37 @@ interface(`gnome_manage_generic_home_content',` +@@ -379,53 +481,37 @@ interface(`gnome_manage_generic_home_content',` ## ## # @@ -34056,7 +34077,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -433,17 +525,18 @@ interface(`gnome_home_filetrans',` +@@ -433,17 +519,18 @@ interface(`gnome_home_filetrans',` ## ## # @@ -34079,7 +34100,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -451,23 +544,18 @@ interface(`gnome_create_generic_gconf_home_dirs',` +@@ -451,23 +538,18 @@ interface(`gnome_create_generic_gconf_home_dirs',` ## ## # @@ -34107,7 +34128,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -475,22 +563,18 @@ interface(`gnome_read_generic_gconf_home_content',` +@@ -475,22 +557,18 @@ interface(`gnome_read_generic_gconf_home_content',` ## ## # @@ -34134,7 +34155,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -498,79 +582,59 @@ interface(`gnome_manage_generic_gconf_home_content',` +@@ -498,79 +576,59 @@ interface(`gnome_manage_generic_gconf_home_content',` ## ## # @@ -34232,7 +34253,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -579,12 +643,12 @@ interface(`gnome_home_filetrans_gnome_home',` +@@ -579,12 +637,12 @@ interface(`gnome_home_filetrans_gnome_home',` ## ## ## @@ -34247,7 +34268,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -593,18 +657,18 @@ interface(`gnome_home_filetrans_gnome_home',` +@@ -593,18 +651,18 @@ interface(`gnome_home_filetrans_gnome_home',` ## ## # @@ -34272,7 +34293,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -612,46 +676,58 @@ interface(`gnome_gconf_home_filetrans',` +@@ -612,46 +670,80 @@ interface(`gnome_gconf_home_filetrans',` ## ## # @@ -34297,15 +34318,11 @@ index ab09d61..1a07290 100644 +## Read generic data home dirs. ## -## --## --## The prefix of the user domain (e.g., user --## is the prefix for user_t). --## +## +## +## Domain allowed access. +## - ## ++## +# +interface(`gnome_read_generic_data_home_dirs',` + gen_require(` 
@@ -34318,6 +34335,30 @@ index ab09d61..1a07290 100644 +####################################### +## +## Manage gconf data home files ++## ++## + ## +-## The prefix of the user domain (e.g., user +-## is the prefix for user_t). ++## Domain allowed access. + ## + ## ++# ++interface(`gnome_manage_data',` ++ gen_require(` ++ type data_home_t; ++ type gconf_home_t; ++ ') ++ ++ allow $1 gconf_home_t:dir search_dir_perms; ++ manage_dirs_pattern($1, data_home_t, data_home_t) ++ manage_files_pattern($1, data_home_t, data_home_t) ++ manage_lnk_files_pattern($1, data_home_t, data_home_t) ++') ++ ++######################################## ++## ++## Read icc data home content. +## ## ## 
@@ -34326,44 +34367,15 @@ index ab09d61..1a07290 100644 ## # -interface(`gnome_dbus_chat_gkeyringd',` -+interface(`gnome_manage_data',` - gen_require(` -- type $1_gkeyringd_t; -- class dbus send_msg; -+ type data_home_t; -+ type gconf_home_t; - ') - -- allow $2 $1_gkeyringd_t:dbus send_msg; -- allow $1_gkeyringd_t $2:dbus send_msg; -+ allow $1 gconf_home_t:dir search_dir_perms; -+ manage_dirs_pattern($1, data_home_t, data_home_t) -+ manage_files_pattern($1, data_home_t, data_home_t) -+ manage_lnk_files_pattern($1, data_home_t, data_home_t) - ') - - ######################################## - ## --## Send and receive messages from all --## gnome keyring daemon over dbus. -+## Read icc data home content. - ## - ## - ## -@@ -659,59 +735,1090 @@ interface(`gnome_dbus_chat_gkeyringd',` - ## - ## - # --interface(`gnome_dbus_chat_all_gkeyringd',` +interface(`gnome_read_home_icc_data_content',` gen_require(` -- attribute gkeyringd_domain; +- type $1_gkeyringd_t; - class dbus send_msg; + type icc_data_home_t, gconf_home_t, data_home_t; ') -- allow $1 gkeyringd_domain:dbus send_msg; -- allow gkeyringd_domain $1:dbus send_msg; +- allow $2 $1_gkeyringd_t:dbus send_msg; +- allow $1_gkeyringd_t $2:dbus send_msg; + userdom_search_user_home_dirs($1) + allow $1 { gconf_home_t data_home_t }:dir search_dir_perms; + list_dirs_pattern($1, icc_data_home_t, icc_data_home_t) 
@@ -34371,68 +34383,69 @@ index ab09d61..1a07290 100644 + read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t) ') + ######################################## + ## +-## Send and receive messages from all +-## gnome keyring daemon over dbus. ++## Read inherited icc data home files. + ## + ## + ## +@@ -659,46 +751,64 @@ interface(`gnome_dbus_chat_gkeyringd',` + ## + ## + # +-interface(`gnome_dbus_chat_all_gkeyringd',` ++interface(`gnome_read_inherited_home_icc_data_files',` + gen_require(` +- attribute gkeyringd_domain; +- class dbus send_msg; ++ type icc_data_home_t; + ') + +- allow $1 gkeyringd_domain:dbus send_msg; +- allow gkeyringd_domain $1:dbus send_msg; ++ allow $1 icc_data_home_t:file read_inherited_file_perms; + ') + ######################################## ## -## Connect to gnome keyring daemon -## with a unix stream socket. -+## Read inherited icc data home files. ++## Create gconf_home_t objects in the /root directory ## -## +## ++## ++## Domain allowed access. ++## ++## ++## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -+## Domain allowed access. - ## - ## -+# -+interface(`gnome_read_inherited_home_icc_data_files',` -+ gen_require(` -+ type icc_data_home_t; -+ ') -+ -+ allow $1 icc_data_home_t:file read_inherited_file_perms; -+') -+ -+######################################## -+## -+## Create gconf_home_t objects in the /root directory -+## - ## - ## - ## Domain allowed access. - ## - ## -+## -+## +## The class of the object to be created. -+## -+## + ## + ## +## +## +## The name of the object being created. 
+## +## - # --interface(`gnome_stream_connect_gkeyringd',` ++# +interface(`gnome_admin_home_gconf_filetrans',` - gen_require(` -- type $1_gkeyringd_t, gnome_keyring_tmp_t; ++ gen_require(` + type gconf_home_t; - ') - -- files_search_tmp($2) -- stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t) ++ ') ++ + userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3) - ') - - ######################################## - ## --## Connect to all gnome keyring daemon --## with a unix stream socket. ++') ++ ++######################################## ++## +## Do not audit attempts to read +## inherited gconf config files. - ## ++## ## ## -## Domain allowed access. @@ -34440,31 +34453,35 @@ index ab09d61..1a07290 100644 ## ## # --interface(`gnome_stream_connect_all_gkeyringd',` +-interface(`gnome_stream_connect_gkeyringd',` +interface(`gnome_dontaudit_read_inherited_gconf_config_files',` gen_require(` -- attribute gkeyringd_domain; -- type gnome_keyring_tmp_t; +- type $1_gkeyringd_t, gnome_keyring_tmp_t; + type gconf_etc_t; ') -- files_search_tmp($1) -- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) +- files_search_tmp($2) +- stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t) + dontaudit $1 gconf_etc_t:file read_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Connect to all gnome keyring daemon +-## with a unix stream socket. +## read gconf config files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -706,12 +816,1003 @@ interface(`gnome_stream_connect_gkeyringd',` + ## + ## + # +-interface(`gnome_stream_connect_all_gkeyringd',` +interface(`gnome_read_gconf_config',` -+ gen_require(` + gen_require(` +- attribute gkeyringd_domain; +- type gnome_keyring_tmp_t; + type gconf_etc_t; + ') + 
@@ -34608,9 +34625,10 @@ index ab09d61..1a07290 100644 +interface(`gnome_list_gkeyringd_tmp_dirs',` + gen_require(` + type gkeyringd_tmp_t; -+ ') -+ -+ files_search_tmp($1) + ') + + files_search_tmp($1) +- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) + allow $1 gkeyringd_tmp_t:dir list_dir_perms; +') + @@ -38169,10 +38187,10 @@ index 6517fad..f183748 100644 + allow $1 hypervkvp_unit_file_t:service all_service_perms; ') diff --git a/hypervkvp.te b/hypervkvp.te -index 4eb7041..b205df0 100644 +index 4eb7041..ea3c933 100644 --- a/hypervkvp.te +++ b/hypervkvp.te -@@ -5,24 +5,154 @@ policy_module(hypervkvp, 1.0.0) +@@ -5,24 +5,158 @@ policy_module(hypervkvp, 1.0.0) # Declarations # @@ -38224,10 +38242,12 @@ index 4eb7041..b205df0 100644 +dev_read_sysfs(hyperv_domain) + +######################################## -+# + # +# hypervkvp local policy -+# -+ + # + +-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms; +-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms; +allow hypervkvp_t self:capability sys_ptrace; +allow hypervkvp_t self:process setfscreate; +allow hypervkvp_t self:netlink_route_socket rw_netlink_socket_perms; @@ -38301,6 +38321,10 @@ index 4eb7041..b205df0 100644 +') + +optional_policy(` ++ hostname_exec(hypervkvp_t) ++') ++ ++optional_policy(` + netutils_domtrans_ping(hypervkvp_t) + netutils_domtrans(hypervkvp_t) +') @@ -38318,12 +38342,10 @@ index 4eb7041..b205df0 100644 +') + +######################################## - # ++# +# hypervvssd local policy - # - --allow hypervkvpd_t self:fifo_file rw_fifo_file_perms; --allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms; ++# ++ +allow hypervvssd_t self:capability sys_admin; + +dev_rw_hypervvssd(hypervvssd_t) @@ -39043,10 +39065,12 @@ index 0000000..61f2003 +userdom_use_user_terminals(iotop_t) diff --git a/ipa.fc b/ipa.fc new file mode 100644 -index 0000000..419d280 +index 0000000..74206ed --- /dev/null 
+++ b/ipa.fc -@@ -0,0 +1,25 @@ +@@ -0,0 +1,29 @@ ++/etc/httpd/alias/ipasession.key -- gen_context(system_u:object_r:ipa_cert_t,s0) ++ +/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0) + +/usr/lib/systemd/system/ipa-dnskeysyncd.* -- gen_context(system_u:object_r:ipa_dnskey_unit_file_t,s0) @@ -39054,6 +39078,8 @@ index 0000000..419d280 +/usr/lib/systemd/system/ipa-ods-exporter.* -- gen_context(system_u:object_r:ipa_ods_exporter_unit_file_t,s0) + +/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0) ++/usr/libexec/ipa/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0) ++ + +/usr/libexec/ipa/ipa-ods-exporter -- gen_context(system_u:object_r:ipa_ods_exporter_exec_t,s0) + @@ -39074,10 +39100,10 @@ index 0000000..419d280 + diff --git a/ipa.if b/ipa.if new file mode 100644 -index 0000000..ddbc007 +index 0000000..d611c53 --- /dev/null +++ b/ipa.if -@@ -0,0 +1,252 @@ +@@ -0,0 +1,309 @@ +## Policy for IPA services. + +######################################## 
@@ -39330,12 +39356,69 @@ index 0000000..ddbc007 + + logging_log_named_filetrans($1, ipa_log_t, dir, "ipa") +') ++ ++####################################### ++## ++## Allow domain to create /tmp/ca.p12 ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipa_filetrans_named_content',` ++ ++ gen_require(` ++ type ipa_tmp_t; ++ ') ++ ++ files_tmp_filetrans($1, ipa_tmp_t, file, "ca.p12") ++') ++ ++######################################## ++## ++## Create file ipasession.key in cert_t dir ++## with ipa_cert_t type ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipa_cert_filetrans_named_content',` ++ gen_require(` ++ type ipa_cert_t; ++ ') ++ ++ filetrans_pattern($1, cert_t, ipa_cert_t, file ,"ipasession.key") ++ manage_files_pattern($1, ipa_cert_t, ipa_cert_t) ++') ++ ++######################################## ++## ++## Allow domain to read ipa tmp files/dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipa_read_tmp',` ++ gen_require(` ++ type ipa_tmp_t; ++ ') ++ ++ read_files_pattern($1, ipa_tmp_t, ipa_tmp_t) ++') diff --git a/ipa.te b/ipa.te new file mode 100644 -index 0000000..55e151e +index 0000000..d806e25 --- /dev/null +++ b/ipa.te -@@ -0,0 +1,264 @@ +@@ -0,0 +1,273 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -39385,6 +39468,9 @@ index 0000000..55e151e +init_system_domain(ipa_helper_t, ipa_helper_exec_t) +role ipa_helper_roles types ipa_helper_t; + ++type ipa_cert_t; ++miscfiles_cert_type(ipa_cert_t) ++ +type ipa_tmp_t; +files_tmp_file(ipa_tmp_t) + 
@@ -39398,6 +39484,9 @@ index 0000000..55e151e +allow ipa_otpd_t self:fifo_file rw_fifo_file_perms; +allow ipa_otpd_t self:unix_stream_socket create_stream_socket_perms; + ++read_files_pattern(ipa_otpd_t, ipa_cert_t, ipa_cert_t) ++read_lnk_files_pattern(ipa_otpd_t, ipa_cert_t, ipa_cert_t) ++ +manage_dirs_pattern(ipa_otpd_t, ipa_var_run_t, ipa_var_run_t) +manage_files_pattern(ipa_otpd_t, ipa_var_run_t, ipa_var_run_t) +files_pid_filetrans(ipa_otpd_t, ipa_var_run_t, file) @@ -39502,6 +39591,9 @@ index 0000000..55e151e +allow ipa_dnskey_t self:unix_dgram_socket create_socket_perms; +allow ipa_dnskey_t self:netlink_route_socket { create_netlink_socket_perms nlmsg_read }; + ++read_files_pattern(ipa_dnskey_t, ipa_cert_t, ipa_cert_t) ++read_lnk_files_pattern(ipa_dnskey_t, ipa_cert_t, ipa_cert_t) ++ +manage_files_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t) +setattr_dirs_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t) +list_dirs_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t) @@ -63569,7 +63661,7 @@ index e96a309..4245308 100644 +') + diff --git a/ntp.te b/ntp.te -index f81b113..76db00a 100644 +index f81b113..6d039fb 100644 --- a/ntp.te +++ b/ntp.te @@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t; @@ -63582,7 +63674,11 @@ index f81b113..76db00a 100644 type ntp_conf_t; files_config_file(ntp_conf_t) -@@ -53,6 +56,8 @@ allow ntpd_t self:tcp_socket { accept listen }; +@@ -50,9 +53,12 @@ allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; + allow ntpd_t self:fifo_file rw_fifo_file_perms; + allow ntpd_t self:shm create_shm_perms; + allow ntpd_t self:tcp_socket { accept listen }; ++allow ntpd_t self:socket create_socket_perms; manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) 
@@ -63591,7 +63687,7 @@ index f81b113..76db00a 100644 allow ntpd_t ntp_conf_t:file read_file_perms; -@@ -60,9 +65,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) +@@ -60,9 +66,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) allow ntpd_t ntpd_log_t:dir setattr_dir_perms; @@ -63602,7 +63698,7 @@ index f81b113..76db00a 100644 logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir }) manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) -@@ -83,21 +86,16 @@ kernel_read_system_state(ntpd_t) +@@ -83,21 +87,16 @@ kernel_read_system_state(ntpd_t) kernel_read_network_state(ntpd_t) kernel_request_load_module(ntpd_t) @@ -63626,7 +63722,7 @@ index f81b113..76db00a 100644 corecmd_exec_bin(ntpd_t) corecmd_exec_shell(ntpd_t) -@@ -110,13 +108,15 @@ domain_use_interactive_fds(ntpd_t) +@@ -110,13 +109,15 @@ domain_use_interactive_fds(ntpd_t) domain_dontaudit_list_all_domains_state(ntpd_t) files_read_etc_runtime_files(ntpd_t) @@ -63643,7 +63739,7 @@ index f81b113..76db00a 100644 auth_use_nsswitch(ntpd_t) -@@ -124,12 +124,14 @@ init_exec_script_files(ntpd_t) +@@ -124,12 +125,14 @@ init_exec_script_files(ntpd_t) logging_send_syslog_msg(ntpd_t) @@ -63660,7 +63756,7 @@ index f81b113..76db00a 100644 cron_system_entry(ntpd_t, ntpdate_exec_t) ') -@@ -152,9 +154,18 @@ optional_policy(` +@@ -152,9 +155,18 @@ optional_policy(` ') optional_policy(` @@ -72167,10 +72263,10 @@ index 0000000..47cd0f8 +/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0) diff --git a/pki.if b/pki.if new file mode 100644 -index 0000000..5c7f232 +index 0000000..efe3ad3 --- /dev/null +++ b/pki.if -@@ -0,0 +1,404 @@ +@@ -0,0 +1,442 @@ + +## policy for pki + 
@@ -72575,12 +72671,50 @@ index 0000000..5c7f232 + + list_dirs_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t) +') ++ ++######################################## ++## ++## Allow read pki_common_t files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pki_read_common_files',` ++ gen_require(` ++ type pki_common_t; ++ ') ++ ++ read_files_pattern($1, pki_common_t, pki_common_t) ++') ++ ++######################################## ++## ++## Connect to pki over an unix ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pki_stream_connect',` ++ gen_require(` ++ type pki_tomcat_t, pki_common_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, pki_common_t, pki_common_t, pki_tomcat_t) ++') diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..bdeebb9 +index 0000000..555b44a --- /dev/null +++ b/pki.te -@@ -0,0 +1,281 @@ +@@ -0,0 +1,283 @@ +policy_module(pki,10.0.11) + +######################################## @@ -72693,6 +72827,8 @@ index 0000000..bdeebb9 +can_exec(pki_tomcat_t, pki_common_t) +init_stream_connect_script(pki_tomcat_t) + ++auth_read_passwd(pki_tomcat_t) ++ +search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t) + +kernel_read_kernel_sysctls(pki_tomcat_t) @@ -84546,7 +84682,7 @@ index 4460582..4c66c25 100644 + ') diff --git a/radius.te b/radius.te -index 403a4fe..95b5e45 100644 +index 403a4fe..b1668fa 100644 --- a/radius.te +++ b/radius.te @@ -5,6 +5,13 @@ policy_module(radius, 1.13.0) @@ -84669,7 +84805,18 @@ index 403a4fe..95b5e45 100644 logrotate_exec(radiusd_t) ') -@@ -140,5 +167,10 @@ optional_policy(` +@@ -132,6 +159,10 @@ optional_policy(` + ') + + optional_policy(` ++ postgresql_tcp_connect(radiusd_t) ++') ++ ++optional_policy(` + samba_domtrans_winbind_helper(radiusd_t) + ') + +@@ -140,5 +171,10 @@ optional_policy(` ') optional_policy(` @@ -89923,7 +90070,7 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') 
diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a2..7239c98 100644 +index d32e1a2..75b615f 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t) @@ -89962,7 +90109,7 @@ index d32e1a2..7239c98 100644 manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) -@@ -50,25 +56,90 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) +@@ -50,25 +56,94 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) @@ -90030,6 +90177,10 @@ index d32e1a2..7239c98 100644 +') + +optional_policy(` ++ hostname_exec(rhsmcertd_t) ++') ++ ++optional_policy(` + rhnsd_manage_config(rhsmcertd_t) +') + @@ -95735,7 +95886,7 @@ index 50d07fb..a34db48 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..efe3f59 100644 +index 2b7c441..c3db0c7 100644 --- a/samba.te +++ b/samba.te @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3) @@ -96834,9 +96985,10 @@ index 2b7c441..efe3f59 100644 # -allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; +-dontaudit winbind_t self:capability sys_tty_config; +allow winbind_t self:capability { kill dac_override ipc_lock setuid sys_nice }; +allow winbind_t self:capability2 block_suspend; - dontaudit winbind_t self:capability sys_tty_config; ++dontaudit winbind_t self:capability { net_admin sys_tty_config }; allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; -allow winbind_t self:unix_stream_socket { accept listen }; @@ -100220,7 +100372,7 @@ index 35ad2a7..afdc7da 100644 + admin_pattern($1, mail_spool_t) ') diff --git a/sendmail.te b/sendmail.te -index 12700b4..3a32af4 100644 +index 12700b4..2ede411 100644 --- a/sendmail.te 
+++ b/sendmail.te @@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t; @@ -100255,7 +100407,7 @@ index 12700b4..3a32af4 100644 logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir }) manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t) -@@ -63,33 +65,23 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file) +@@ -63,33 +65,24 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file) kernel_read_network_state(sendmail_t) kernel_read_kernel_sysctls(sendmail_t) @@ -100263,6 +100415,7 @@ index 12700b4..3a32af4 100644 kernel_read_system_state(sendmail_t) +kernel_search_network_sysctl(sendmail_t) +kernel_read_kernel_sysctls(sendmail_t) ++kernel_read_net_sysctls(sendmail_t) -corenet_all_recvfrom_unlabeled(sendmail_t) corenet_all_recvfrom_netlabel(sendmail_t) @@ -100295,7 +100448,7 @@ index 12700b4..3a32af4 100644 fs_getattr_all_fs(sendmail_t) fs_search_auto_mountpoints(sendmail_t) -@@ -98,35 +90,49 @@ fs_rw_anon_inodefs_files(sendmail_t) +@@ -98,35 +91,49 @@ fs_rw_anon_inodefs_files(sendmail_t) term_dontaudit_use_console(sendmail_t) term_dontaudit_use_generic_ptys(sendmail_t) @@ -100351,7 +100504,7 @@ index 12700b4..3a32af4 100644 ') optional_policy(` -@@ -134,8 +140,8 @@ optional_policy(` +@@ -134,8 +141,8 @@ optional_policy(` ') optional_policy(` @@ -100362,7 +100515,7 @@ index 12700b4..3a32af4 100644 ') optional_policy(` -@@ -164,6 +170,10 @@ optional_policy(` +@@ -164,6 +171,10 @@ optional_policy(` ') optional_policy(` @@ -100373,7 +100526,7 @@ index 12700b4..3a32af4 100644 milter_stream_connect_all(sendmail_t) ') -@@ -172,6 +182,11 @@ optional_policy(` +@@ -172,6 +183,11 @@ optional_policy(` ') optional_policy(` @@ -100385,7 +100538,7 @@ index 12700b4..3a32af4 100644 postfix_domtrans_postdrop(sendmail_t) postfix_domtrans_master(sendmail_t) postfix_domtrans_postqueue(sendmail_t) -@@ -193,6 +208,10 @@ optional_policy(` +@@ -193,6 +209,10 @@ optional_policy(` ') optional_policy(` 
@@ -100396,7 +100549,7 @@ index 12700b4..3a32af4 100644 udev_read_db(sendmail_t) ') -@@ -206,8 +225,6 @@ optional_policy(` +@@ -206,8 +226,6 @@ optional_policy(` # optional_policy(` @@ -105930,7 +106083,7 @@ index a240455..277f8f2 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..6efbaac 100644 +index 2d8db1f..d4fee07 100644 --- a/sssd.te +++ b/sssd.te @@ -28,19 +28,31 @@ logging_log_file(sssd_var_log_t) @@ -106048,7 +106201,7 @@ index 2d8db1f..6efbaac 100644 init_read_utmp(sssd_t) -@@ -112,18 +131,64 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +131,67 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) @@ -106076,7 +106229,7 @@ index 2d8db1f..6efbaac 100644 + kerberos_read_home_content(sssd_t) + kerberos_rw_config(sssd_t) + kerberos_rw_keytab(sssd_t) - ') ++') + +optional_policy(` + dirsrv_stream_connect(sssd_t) @@ -106094,7 +106247,7 @@ index 2d8db1f..6efbaac 100644 + +optional_policy(` + systemd_login_read_pid_files(sssd_t) -+') + ') + +######################################## +# @@ -106102,9 +106255,12 @@ index 2d8db1f..6efbaac 100644 +# + +allow sssd_selinux_manager_t self:capability { setgid setuid }; ++dontaudit sssd_selinux_manager_t self:capability net_admin; + +domtrans_pattern(sssd_t, sssd_selinux_manager_exec_t, sssd_selinux_manager_t) + ++init_ioctl_stream_sockets(sssd_selinux_manager_t) ++ +logging_send_audit_msgs(sssd_selinux_manager_t) + +seutil_semanage_policy(sssd_selinux_manager_t) @@ -107417,10 +107573,10 @@ index 0000000..a6e216c + diff --git a/targetd.te b/targetd.te new file mode 100644 -index 0000000..7f28cdd +index 0000000..e187320 --- /dev/null +++ b/targetd.te -@@ -0,0 +1,65 @@ +@@ -0,0 +1,68 @@ +policy_module(targetd, 1.0.0) + +######################################## 
@@ -107446,6 +107602,7 @@ index 0000000..7f28cdd +allow targetd_t self:capability { sys_admin }; +allow targetd_t self:fifo_file rw_fifo_file_perms; +allow targetd_t self:unix_stream_socket create_stream_socket_perms; ++allow targetd_t self:unix_dgram_socket create_socket_perms; +allow targetd_t self:tcp_socket listen; +allow targetd_t self:netlink_route_socket r_netlink_socket_perms; +allow targetd_t self:process setfscreate; @@ -107455,6 +107612,7 @@ index 0000000..7f28cdd +files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file }) + +kernel_read_system_state(targetd_t) ++kernel_read_network_state(targetd_t) + +auth_use_nsswitch(targetd_t) + @@ -107467,6 +107625,7 @@ index 0000000..7f28cdd +dev_read_sysfs(targetd_t) +dev_read_urand(targetd_t) +dev_rw_lvm_control(targetd_t) ++dev_getattr_loop_control(targetd_t) + +libs_exec_ldconfig(targetd_t) + @@ -110041,10 +110200,10 @@ index 0000000..46f12a4 +') diff --git a/tlp.te b/tlp.te new file mode 100644 -index 0000000..ae69138 +index 0000000..f31ed95 --- /dev/null +++ b/tlp.te -@@ -0,0 +1,70 @@ +@@ -0,0 +1,74 @@ +policy_module(tlp, 1.0.0) + +######################################## @@ -110109,6 +110268,10 @@ index 0000000..ae69138 +sysnet_exec_ifconfig(tlp_t) + +optional_policy(` ++ dbus_stream_connect_system_dbusd(tlp_t) ++') ++ ++optional_policy(` + fstools_exec(tlp_t) +') + @@ -110687,10 +110850,10 @@ index 0000000..e5cec8f +') diff --git a/tomcat.te b/tomcat.te new file mode 100644 -index 0000000..1aa150f +index 0000000..71e14ac --- /dev/null +++ b/tomcat.te -@@ -0,0 +1,85 @@ +@@ -0,0 +1,86 @@ +policy_module(tomcat, 1.0.0) + +######################################## @@ -110710,6 +110873,7 @@ index 0000000..1aa150f +# tomcat local policy +# + ++auth_use_nsswitch(tomcat_t) + +optional_policy(` + pki_manage_tomcat_cert(tomcat_t) 
@@ -110718,6 +110882,8 @@ index 0000000..1aa150f + pki_manage_tomcat_etc_rw(tomcat_t) + pki_search_log_dirs(tomcat_t) + pki_manage_tomcat_log(tomcat_t) ++ pki_read_common_files(tomcat_t) ++ pki_stream_connect(tomcat_t) +') + +optional_policy(` @@ -110726,6 +110892,7 @@ index 0000000..1aa150f + +optional_policy(` + ipa_read_lib(tomcat_t) ++ ipa_read_tmp(tomcat_t) +') + +######################################## @@ -110768,9 +110935,6 @@ index 0000000..1aa150f +fs_getattr_all_fs(tomcat_domain) +fs_read_hugetlbfs_files(tomcat_domain) + -+ -+auth_read_passwd(tomcat_domain) -+ +sysnet_dns_name_resolve(tomcat_domain) + +optional_policy(` @@ -115377,7 +115541,7 @@ index facdee8..487857a 100644 + dontaudit $1 virtd_t:lnk_file read_lnk_file_perms; ') diff --git a/virt.te b/virt.te -index f03dcf5..006d4b5 100644 +index f03dcf5..fee0027 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,413 @@ @@ -116401,7 +116565,7 @@ index f03dcf5..006d4b5 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +718,341 @@ optional_policy(` +@@ -746,44 +718,344 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -116479,6 +116643,9 @@ index f03dcf5..006d4b5 100644 +allow virtlogd_t virtd_t:file read_file_perms; +allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms; + ++tunable_policy(`virt_use_nfs',` ++ fs_append_nfs_files(virtlogd_t) ++') + +######################################## +# @@ -116551,7 +116718,7 @@ index f03dcf5..006d4b5 100644 +dontaudit virt_domain virt_tmpfs_type:file { read write }; + +append_files_pattern(virt_domain, virt_log_t, virt_log_t) - ++ +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) + +corecmd_exec_bin(virt_domain) @@ -116672,7 +116839,7 @@ index f03dcf5..006d4b5 100644 + fs_read_nfs_symlinks(virt_domain) + fs_getattr_nfs(virt_domain) +') -+ + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_dirs(virt_domain) + fs_manage_cifs_files(virt_domain) 
@@ -116765,7 +116932,7 @@ index f03dcf5..006d4b5 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1063,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1066,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -116792,7 +116959,7 @@ index f03dcf5..006d4b5 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1083,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1086,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -116809,10 +116976,10 @@ index f03dcf5..006d4b5 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) -+ -+auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) ++auth_read_passwd(virsh_t) ++ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) @@ -116826,7 +116993,7 @@ index f03dcf5..006d4b5 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1120,20 @@ optional_policy(` +@@ -856,14 +1123,20 @@ optional_policy(` ') optional_policy(` @@ -116848,7 +117015,7 @@ index f03dcf5..006d4b5 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1158,66 @@ optional_policy(` +@@ -888,49 +1161,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -116933,7 +117100,7 @@ index f03dcf5..006d4b5 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1229,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1232,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -116953,7 +117120,7 @@ index f03dcf5..006d4b5 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1250,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1253,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -116977,7 +117144,7 @@ index f03dcf5..006d4b5 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1275,296 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1278,296 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -117140,13 +117307,6 @@ index f03dcf5..006d4b5 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) -+ -+optional_policy(` -+tunable_policy(`virt_sandbox_share_apache_content',` -+ apache_exec_modules(svirt_sandbox_domain) -+ apache_read_sys_content(svirt_sandbox_domain) -+ ') -+') -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; @@ -117231,17 +117391,24 @@ index f03dcf5..006d4b5 100644 - -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +optional_policy(` -+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ++tunable_policy(`virt_sandbox_share_apache_content',` ++ apache_exec_modules(svirt_sandbox_domain) ++ apache_read_sys_content(svirt_sandbox_domain) ++ ') +') optional_policy(` - udev_read_pid_files(svirt_lxc_domain) -+ ssh_use_ptys(svirt_sandbox_domain) ++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ') optional_policy(` - apache_exec_modules(svirt_lxc_domain) - apache_read_sys_content(svirt_lxc_domain) ++ ssh_use_ptys(svirt_sandbox_domain) ++') ++ ++optional_policy(` + udev_read_pid_files(svirt_sandbox_domain) +') + 
@@ -117395,10 +117562,10 @@ index f03dcf5..006d4b5 100644 +term_pty(container_file_t) + +auth_use_nsswitch(svirt_qemu_net_t) -+ -+rpm_read_db(svirt_qemu_net_t) -allow svirt_prot_exec_t self:process { execmem execstack }; ++rpm_read_db(svirt_qemu_net_t) ++ +logging_send_syslog_msg(svirt_qemu_net_t) + +tunable_policy(`virt_sandbox_use_audit',` @@ -117421,7 +117588,7 @@ index f03dcf5..006d4b5 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1577,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1580,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -117436,7 +117603,7 @@ index f03dcf5..006d4b5 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1595,7 @@ optional_policy(` +@@ -1192,7 +1598,7 @@ optional_policy(` ######################################## # @@ -117445,7 +117612,7 @@ index f03dcf5..006d4b5 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1604,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1607,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; @@ -120542,10 +120709,10 @@ index 0928c5d..d270a72 100644 userdom_dontaudit_use_unpriv_user_fds(xfs_t) diff --git a/xguest.te b/xguest.te -index a64aad3..d923154 100644 +index a64aad3..12dc86b 100644 --- a/xguest.te +++ b/xguest.te -@@ -6,46 +6,47 @@ policy_module(xguest, 1.2.0) +@@ -6,46 +6,49 @@ policy_module(xguest, 1.2.0) # ## @@ -120599,7 +120766,8 @@ index a64aad3..d923154 100644 # -kernel_dontaudit_request_load_module(xguest_t) -- ++dontaudit xguest_t xguest_t : tcp_socket { listen }; + ifndef(`enable_mls',` fs_exec_noxattr(xguest_t) 
@@ -120611,7 +120779,7 @@ index a64aad3..d923154 100644 storage_raw_read_removable_device(xguest_t) storage_raw_write_removable_device(xguest_t) ',` -@@ -54,9 +55,25 @@ ifndef(`enable_mls',` +@@ -54,9 +57,25 @@ ifndef(`enable_mls',` ') optional_policy(` @@ -120638,7 +120806,7 @@ index a64aad3..d923154 100644 files_dontaudit_getattr_boot_dirs(xguest_t) files_search_mnt(xguest_t) -@@ -65,10 +82,9 @@ optional_policy(` +@@ -65,10 +84,9 @@ optional_policy(` fs_manage_noxattr_fs_dirs(xguest_t) fs_getattr_noxattr_fs(xguest_t) fs_read_noxattr_fs_symlinks(xguest_t) @@ -120650,7 +120818,7 @@ index a64aad3..d923154 100644 ') ') -@@ -84,12 +100,25 @@ optional_policy(` +@@ -84,12 +102,25 @@ optional_policy(` ') ') @@ -120662,23 +120830,23 @@ index a64aad3..d923154 100644 + +optional_policy(` + colord_dbus_chat(xguest_t) - ') - - optional_policy(` -- gnomeclock_dontaudit_dbus_chat(xguest_t) ++') ++ ++optional_policy(` + chrome_role(xguest_r, xguest_t) +') + +optional_policy(` + thumb_role(xguest_r, xguest_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- gnomeclock_dontaudit_dbus_chat(xguest_t) + dbus_dontaudit_chat_system_bus(xguest_t) ') optional_policy(` -@@ -97,75 +126,78 @@ optional_policy(` +@@ -97,75 +128,78 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 614a27f1..aeab6e6f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 252%{?dist} +Release: 253%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -689,6 +689,50 @@ exit 0 %endif %changelog +* Fri May 12 2017 Lukas Vrabec - 3.13.1-253 +- auth_use_nsswitch can call only domain not attribute +- Dontaudit net_admin cap for winbind_t +- Allow tlp_t domain to stream connect to system bus +- Allow tomcat_t domain read pki_common_t files +- Add interface pki_read_common_files() +- Fix broken cermonger module +- Fix broken apache module +- Allow hypervkvp_t domain execute hostname +- Dontaudit sssd_selinux_manager_t use of net_admin capability +- Allow tomcat_t stream connect to pki_common_t +- Dontaudit xguest_t's attempts to listen to its tcp_socket +- Allow sssd_selinux_manager_t to ioctl init_t sockets +- Improve ipa_cert_filetrans_named_content() interface to also allow caller domain manage ipa_cert_t type. +- Allow pki_tomcat_t domain read /etc/passwd. +- Allow tomcat_t domain read ipa_tmp_t files +- Label new path for ipa-otpd +- Allow radiusd_t domain stream connect to postgresql_t +- Allow rhsmcertd_t to execute hostname_exec_t binaries. +- Allow virtlogd to append nfs_t files when virt_use_nfs=1 +- Allow httpd_t domain read also httpd_user_content_type lnk_files. +- Allow httpd_t domain create /etc/httpd/alias/ipaseesion.key with label ipa_cert_t +- Dontaudit _gkeyringd_t stream connect to system_dbusd_t +- Label /var/www/html/nextcloud/data as httpd_sys_rw_content_t +- Add interface ipa_filetrans_named_content() +- Allow tomcat use nsswitch +- Allow certmonger_t start/status generic services +- Allow dirsrv read cgroup files. +- Allow ganesha_t domain read/write infiniband devices. +- Allow sendmail_t domain sysctl_net_t files +- Allow targetd_t domain read network state and getattr on loop_control_device_t +- Allow condor_schedd_t domain send mails. +- Allow ntpd to creating sockets. BZ(1434395) +- Alow certmonger to create own systemd unit files. 
+- Add kill namespace capability to xdm_t domain +- Revert "su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization." +- Revert "Allow _su_t to create netlink_selinux_socket" +- Allow _su_t to create netlink_selinux_socket +- Allow unconfined_t to module_load any file +- Allow staff to systemctl virt server when staff_use_svirt=1 +- Allow unconfined_t create /tmp/ca.p12 file with ipa_tmp_t context +- Allow netutils setpcap capability +- Dontaudit leaked file descriptor happening in setfiles_t domain BZ(1388124) + * Thu Apr 20 2017 Michael Scherer - 3.13.1-252 - fix #1380325, selinux-policy-sandbox always removing sandbox module on upgrade
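Review bot: in the new `pki_stream_connect` interface in pki.if, `files_search_pids($1)` is the only directory search granted before `stream_connect_pattern($1, pki_common_t, pki_common_t, pki_tomcat_t)`, so a caller can only reach the socket if it is created directly under the pid directory, and nothing in the hunk shows where pki_common_t sockets live. Confirm that path or add the search interface for the socket's parent directory. While here, the summary "Connect to pki over an unix stream socket" should read "a unix stream socket", and "Allow read pki_common_t files" reads better as "Read pki_common_t files", matching the other summaries in the file.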
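Review bot: the radius.te hunk adds `postgresql_tcp_connect(radiusd_t)`, but the changelog entry in selinux-policy.spec says "Allow radiusd_t domain stream connect to postgresql_t". A TCP connect and a unix stream connect are different permissions; either the call should be `postgresql_stream_connect(radiusd_t)` or the changelog line should say tcp connect, so that the two agree on what was granted.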
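Review bot: in the sendmail.te hunk, `+kernel_read_kernel_sysctls(sendmail_t)` sits directly under the unchanged context line `kernel_read_kernel_sysctls(sendmail_t)`, so the same interface is called twice for the domain. The duplicate predates this change but is visible here; drop it and keep only the new `kernel_read_net_sysctls(sendmail_t)`, which is the interface that actually matches the "sysctl_net_t files" changelog entry.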
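Review bot: `init_ioctl_stream_sockets(sssd_selinux_manager_t)` in the sssd.te hunk grants ioctl on init_t stream sockets, and the changelog gives no reason beyond "Allow sssd_selinux_manager_t to ioctl init_t sockets". Such a denial is often caused by a socket descriptor inherited from systemd rather than by something the helper needs, in which case a dontaudit is the usual fix; please confirm it is a real requirement before keeping the allow, and say so in the changelog entry. The `dontaudit sssd_selinux_manager_t self:capability net_admin;` line in the same hunk is fine.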
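Review bot: the tomcat.te hunk removes `auth_read_passwd(tomcat_domain)` and adds `auth_use_nsswitch(tomcat_t)`. That keeps /etc/passwd readable for tomcat_t, but any other domain carrying the tomcat_domain attribute loses the passwd read it had. If tomcat_domain is meant to have other members, keep `auth_read_passwd(tomcat_domain)` next to the new call; unlike auth_use_nsswitch, it can be applied to an attribute, which is the limitation the changelog entry "auth_use_nsswitch can call only domain not attribute" describes.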
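Review bot: in the virt.te hunk `@@ -974,194 +1278,296 @@`, the moved virt_sandbox_share_apache_content block is indented inconsistently: `+optional_policy(`` is followed by `+tunable_policy(`virt_sandbox_share_apache_content',`` at the left margin and closed by `+ ')` then `+')`. Indent the nested tunable_policy and its closing `')` one level inside the optional_policy, as the other nested blocks in this file are. The same hunk also swaps blank lines and moves `rpm_read_db(svirt_qemu_net_t)` without changing it; that rebase noise would be easier to review as a separate whitespace-only change.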
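Review bot: `dontaudit xguest_t xguest_t : tcp_socket { listen };` in the xguest.te hunk uses a form the rest of the policy avoids. Write it as `dontaudit xguest_t self:tcp_socket listen;` (self for the same type, no spaces around the colon, no braces around a single permission), matching rules such as the winbind_t capability lines in samba.te.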
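Review bot: the changelog hunk in selinux-policy.spec carries typos that will ship in the package metadata: "Fix broken cermonger module" (certmonger), "Alow certmonger to create own systemd unit files" (Allow), "Allow ntpd to creating sockets" (to create), and "ipaseesion.key" should be checked against the path actually labelled in the apache change. Two consecutive entries also cancel each other out, 'Revert "Allow _su_t to create netlink_selinux_socket"' followed by "Allow _su_t to create netlink_selinux_socket"; state only the net result so readers know whether that rule is in this build.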