* Mon Nov 06 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-302

- Allow jabber domains to connect to postgresql ports - Dontaudit slapd_t to block suspend system - Allow spamc_t to stream connect to cyrys. - Allow passenger to connect to mysqld_port_t - Allow ipmievd to use nsswitch - Allow chronyc_t domain to use user_ptys - Label all files /var/log/opensm.* as opensm_log_t because opensm creating new log files with name opensm-subnet.lst - Fix typo bug in tlp module - Allow userdomain gkeyringd domain to create stream socket with userdomain
2017-11-06 16:54:47 +01:00 · 2017-11-06 16:54:47 +01:00 · ebb4e5ec53
parent 4c1c744cdd
commit ebb4e5ec53
4 changed files with 256 additions and 216 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -32046,7 +32046,7 @@ index 6bf0ecc2d..75b2f31f9 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b403774f..edd47215b 100644
+index 8b403774f..0bdea37e9 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@ -32394,13 +32394,13 @@ index 8b403774f..edd47215b 100644
 +ifdef(`hide_broken_symptoms',`
 +	term_dontaudit_use_unallocated_ttys(xauth_t)
 +	dev_dontaudit_rw_dri(xauth_t)
 ')
 optional_policy(`
 +	nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
 +')
 +
 +optional_policy(`
 +	nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
 ')
 optional_policy(`
 +	ssh_use_ptys(xauth_t)
 	ssh_sigchld(xauth_t)
 	ssh_read_pipes(xauth_t)
@ -32704,7 +32704,7 @@ index 8b403774f..edd47215b 100644
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +703,167 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +703,171 @@ userdom_read_user_home_content_files(xdm_t)
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
@ -32756,6 +32756,10 @@ index 8b403774f..edd47215b 100644
 +')
 +
 +optional_policy(`
 +    cups_stream_connect(xdm_t)
 +')
 +
 +optional_policy(`
 +    colord_read_lib_files(xdm_t)
 +')
 +
@ -32878,7 +32882,7 @@ index 8b403774f..edd47215b 100644
 tunable_policy(`xdm_sysadm_login',`
 	userdom_xsession_spec_domtrans_all_users(xdm_t)
 	# FIXME:
-@@ -502,12 +876,31 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,12 +880,31 @@ tunable_policy(`xdm_sysadm_login',`
 #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
 ')
@ -32910,7 +32914,7 @@ index 8b403774f..edd47215b 100644
 ')
 optional_policy(`
-@@ -518,8 +911,36 @@ optional_policy(`
+@@ -518,8 +915,36 @@ optional_policy(`
 	dbus_system_bus_client(xdm_t)
 	dbus_connect_system_bus(xdm_t)
@ -32948,7 +32952,7 @@ index 8b403774f..edd47215b 100644
 	')
 ')
-@@ -530,6 +951,20 @@ optional_policy(`
+@@ -530,6 +955,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -32969,7 +32973,7 @@ index 8b403774f..edd47215b 100644
 	hostname_exec(xdm_t)
 ')
-@@ -547,28 +982,78 @@ optional_policy(`
+@@ -547,28 +986,78 @@ optional_policy(`
 ')
 optional_policy(`
@ -33057,7 +33061,7 @@ index 8b403774f..edd47215b 100644
 ')
 optional_policy(`
-@@ -580,6 +1065,14 @@ optional_policy(`
+@@ -580,6 +1069,14 @@ optional_policy(`
 ')
 optional_policy(`
@ -33072,7 +33076,7 @@ index 8b403774f..edd47215b 100644
 	xfs_stream_connect(xdm_t)
 ')
-@@ -594,7 +1087,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1091,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
 type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
 allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@ -33081,7 +33085,7 @@ index 8b403774f..edd47215b 100644
 # setuid/setgid for the wrapper program to change UID
 # sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1097,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1101,11 @@ allow xserver_t input_xevent_t:x_event send;
 # execheap needed until the X module loader is fixed.
 # NVIDIA Needs execstack
@ -33094,7 +33098,7 @@ index 8b403774f..edd47215b 100644
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:fd use;
 allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1114,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1118,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xserver_t self:tcp_socket create_stream_socket_perms;
 allow xserver_t self:udp_socket create_socket_perms;
@ -33110,7 +33114,7 @@ index 8b403774f..edd47215b 100644
 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,36 +1130,53 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,36 +1134,53 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
 filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@ -33168,7 +33172,7 @@ index 8b403774f..edd47215b 100644
 corenet_all_recvfrom_netlabel(xserver_t)
 corenet_tcp_sendrecv_generic_if(xserver_t)
 corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1197,29 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1201,29 @@ dev_rw_apm_bios(xserver_t)
 dev_rw_agp(xserver_t)
 dev_rw_framebuffer(xserver_t)
 dev_manage_dri_dev(xserver_t)
@ -33201,7 +33205,7 @@ index 8b403774f..edd47215b 100644
 # brought on by rhgb
 files_search_mnt(xserver_t)
-@@ -705,6 +1231,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1235,14 @@ fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
@ -33216,7 +33220,7 @@ index 8b403774f..edd47215b 100644
 mls_xwin_read_to_clearance(xserver_t)
 selinux_validate_context(xserver_t)
-@@ -718,28 +1252,25 @@ init_getpgid(xserver_t)
+@@ -718,28 +1256,25 @@ init_getpgid(xserver_t)
 term_setattr_unallocated_ttys(xserver_t)
 term_use_unallocated_ttys(xserver_t)
@ -33249,7 +33253,7 @@ index 8b403774f..edd47215b 100644
 ifndef(`distro_redhat',`
 	allow xserver_t self:process { execmem execheap execstack };
-@@ -785,17 +1316,54 @@ optional_policy(`
+@@ -785,17 +1320,54 @@ optional_policy(`
 ')
 optional_policy(`
@ -33306,7 +33310,7 @@ index 8b403774f..edd47215b 100644
 ')
 optional_policy(`
-@@ -803,6 +1371,10 @@ optional_policy(`
+@@ -803,6 +1375,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -33317,7 +33321,7 @@ index 8b403774f..edd47215b 100644
 	xfs_stream_connect(xserver_t)
 ')
-@@ -818,18 +1390,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1394,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
@ -33342,7 +33346,7 @@ index 8b403774f..edd47215b 100644
 can_exec(xserver_t, xkb_var_lib_t)
 # VNC v4 module in X server
-@@ -842,26 +1413,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1417,21 @@ init_use_fds(xserver_t)
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -33377,7 +33381,7 @@ index 8b403774f..edd47215b 100644
 ')
 optional_policy(`
-@@ -912,7 +1478,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1482,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
 allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -33386,7 +33390,7 @@ index 8b403774f..edd47215b 100644
 # operations allowed on all windows
 allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -966,11 +1532,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1536,31 @@ allow x_domain self:x_resource { read write };
 # can mess with the screensaver
 allow x_domain xserver_t:x_screen { getattr saver_getattr };
@ -33418,7 +33422,7 @@ index 8b403774f..edd47215b 100644
 tunable_policy(`! xserver_object_manager',`
 	# should be xserver_unconfined(x_domain),
 	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1578,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1582,148 @@ tunable_policy(`! xserver_object_manager',`
 	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
 ')
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -13909,7 +13909,7 @@ index 32e8265c2..508f3b84f 100644
 +    roleattribute $2 chronyc_roles;
 ')
 diff --git a/chronyd.te b/chronyd.te
-index e5b621c29..47b5fe7e4 100644
+index e5b621c29..98e3ce0ab 100644
 --- a/chronyd.te
 +++ b/chronyd.te
@@ -5,6 +5,9 @@ policy_module(chronyd, 1.2.0)
@ -13980,7 +13980,7 @@ index e5b621c29..47b5fe7e4 100644
 corenet_all_recvfrom_unlabeled(chronyd_t)
 corenet_all_recvfrom_netlabel(chronyd_t)
-@@ -76,18 +102,62 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+@@ -76,18 +102,64 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
 corenet_udp_bind_chronyd_port(chronyd_t)
 corenet_udp_sendrecv_chronyd_port(chronyd_t)
@ -14045,6 +14045,8 @@ index e5b621c29..47b5fe7e4 100644
 +corecmd_exec_bin(chronyc_t)
 +
 +sysnet_read_config(chronyc_t)
 +
 +userdom_use_user_ptys(chronyc_t)
 diff --git a/cinder.fc b/cinder.fc
 new file mode 100644
 index 000000000..4b318b783
@ -16886,7 +16888,7 @@ index 881d92f35..a2d588a51 100644
 +	')
 ')
 diff --git a/condor.te b/condor.te
-index ce9f040e2..eaefb5a97 100644
+index ce9f040e2..7c90ce13c 100644
 --- a/condor.te
 +++ b/condor.te
@@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t)
@ -16929,7 +16931,7 @@ index ce9f040e2..eaefb5a97 100644
 rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t)
-@@ -86,16 +97,15 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
+@@ -86,16 +97,16 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
 allow condor_domain condor_master_t:process signull;
 allow condor_domain condor_master_t:tcp_socket getattr;
@ -16940,6 +16942,7 @@ index ce9f040e2..eaefb5a97 100644
 -kernel_read_system_state(condor_domain)
 +kernel_rw_kernel_sysctl(condor_domain)
 +kernel_search_network_sysctl(condor_domain)
 +kernel_read_vm_sysctls(condor_domain)
 corecmd_exec_bin(condor_domain)
 corecmd_exec_shell(condor_domain)
@ -16949,7 +16952,7 @@ index ce9f040e2..eaefb5a97 100644
 corenet_tcp_sendrecv_generic_if(condor_domain)
 corenet_tcp_sendrecv_generic_node(condor_domain)
-@@ -109,9 +119,9 @@ dev_read_rand(condor_domain)
+@@ -109,9 +120,9 @@ dev_read_rand(condor_domain)
 dev_read_sysfs(condor_domain)
 dev_read_urand(condor_domain)
@ -16961,7 +16964,7 @@ index ce9f040e2..eaefb5a97 100644
 sysnet_dns_name_resolve(condor_domain)
-@@ -130,7 +140,7 @@ optional_policy(`
+@@ -130,7 +141,7 @@ optional_policy(`
 # Master local policy
 #
@ -16970,7 +16973,7 @@ index ce9f040e2..eaefb5a97 100644
 allow condor_master_t condor_domain:process { sigkill signal };
-@@ -138,6 +148,12 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+@@ -138,6 +149,12 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
 manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
 files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
@ -16983,7 +16986,7 @@ index ce9f040e2..eaefb5a97 100644
 corenet_udp_sendrecv_generic_if(condor_master_t)
 corenet_udp_sendrecv_generic_node(condor_master_t)
 corenet_tcp_bind_generic_node(condor_master_t)
-@@ -157,6 +173,8 @@ domain_read_all_domains_state(condor_master_t)
+@@ -157,6 +174,8 @@ domain_read_all_domains_state(condor_master_t)
 auth_use_nsswitch(condor_master_t)
@ -16992,7 +16995,7 @@ index ce9f040e2..eaefb5a97 100644
 optional_policy(`
 	mta_send_mail(condor_master_t)
 	mta_read_config(condor_master_t)
-@@ -174,6 +192,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
+@@ -174,6 +193,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
 kernel_read_network_state(condor_collector_t)
@ -17001,7 +17004,7 @@ index ce9f040e2..eaefb5a97 100644
 #####################################
 #
 # Negotiator local policy
-@@ -183,12 +203,15 @@ allow condor_negotiator_t self:capability { setuid setgid };
+@@ -183,12 +204,15 @@ allow condor_negotiator_t self:capability { setuid setgid };
 allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
 allow condor_negotiator_t condor_master_t:udp_socket getattr;
@ -17018,7 +17021,7 @@ index ce9f040e2..eaefb5a97 100644
 allow condor_procd_t condor_domain:process sigkill;
-@@ -199,13 +222,15 @@ domain_read_all_domains_state(condor_procd_t)
+@@ -199,13 +223,15 @@ domain_read_all_domains_state(condor_procd_t)
 # Schedd local policy
 #
@ -17035,7 +17038,7 @@ index ce9f040e2..eaefb5a97 100644
 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
 domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
-@@ -214,12 +239,19 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+@@ -214,12 +240,19 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
 relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
 files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
@ -17056,7 +17059,7 @@ index ce9f040e2..eaefb5a97 100644
 allow condor_startd_t self:process execmem;
 manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t)
-@@ -238,11 +270,10 @@ domain_read_all_domains_state(condor_startd_t)
+@@ -238,11 +271,10 @@ domain_read_all_domains_state(condor_startd_t)
 mcs_process_set_categories(condor_startd_t)
 init_domtrans_script(condor_startd_t)
@ -17069,7 +17072,7 @@ index ce9f040e2..eaefb5a97 100644
 optional_policy(`
 	ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
 	ssh_domtrans(condor_startd_t)
-@@ -254,3 +285,7 @@ optional_policy(`
+@@ -254,3 +286,7 @@ optional_policy(`
 		kerberos_use(condor_startd_ssh_t)
 	')
 ')
@ -26235,7 +26238,7 @@ index 000000000..b3784d85d
 +')
 diff --git a/dirsrv.te b/dirsrv.te
 new file mode 100644
-index 000000000..58a8bf4fd
+index 000000000..de56c291d
 --- /dev/null
 +++ b/dirsrv.te
@@ -0,0 +1,210 @@
@ -26292,7 +26295,7 @@ index 000000000..58a8bf4fd
 +# dirsrv local policy
 +#
 +allow dirsrv_t self:process { getsched setsched setfscreate setrlimit signal_perms};
-+allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_read_search  fowner };
+allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_read_search dac_override fowner };
 +allow dirsrv_t self:fifo_file manage_fifo_file_perms;
 +allow dirsrv_t self:sem create_sem_perms;
 +allow dirsrv_t self:tcp_socket create_stream_socket_perms;
@ -34490,7 +34493,7 @@ index e39de436a..5edcb8330 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index ab09d6195..e591cd040 100644
+index ab09d6195..e1ae96179 100644
 --- a/gnome.if
 +++ b/gnome.if
@@ -1,52 +1,76 @@
@ -34596,7 +34599,7 @@ index ab09d6195..e591cd040 100644
 	')
 	########################################
-@@ -74,14 +98,11 @@ template(`gnome_role_template',`
+@@ -74,52 +98,101 @@ template(`gnome_role_template',`
 	domtrans_pattern($3, gconfd_exec_t, gconfd_t)
@ -34614,8 +34617,10 @@ index ab09d6195..e591cd040 100644
 	########################################
 	#
 	# Gkeyringd policy
-@@ -89,37 +110,86 @@ template(`gnome_role_template',`
+ 	#
 +    allow $1_gkeyringd_t $3:unix_stream_socket { connectto create_stream_socket_perms };
 +
 	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
 -	allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
@ -34642,7 +34647,6 @@ index ab09d6195..e591cd040 100644
 +	allow $3 $1_gkeyringd_t:fd use;
 +	allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
 +
 +	dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write connectto};
 +	stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
 +
 +	kernel_read_system_state($1_gkeyringd_t)
@ -34659,6 +34663,8 @@ index ab09d6195..e591cd040 100644
 +
 +	logging_send_syslog_msg($1_gkeyringd_t)
 +
 +    userdom_rw_user_tmp_sock_files($1_gkeyringd_t)
 +
 +	allow $1_gkeyringd_t $3:dbus send_msg;
 +	allow $3 $1_gkeyringd_t:dbus send_msg;
@ -34714,7 +34720,7 @@ index ab09d6195..e591cd040 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -127,18 +197,18 @@ template(`gnome_role_template',`
+@@ -127,18 +200,18 @@ template(`gnome_role_template',`
 ##	</summary>
 ## </param>
 #
@ -34738,7 +34744,7 @@ index ab09d6195..e591cd040 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -146,119 +216,114 @@ interface(`gnome_exec_gconf',`
+@@ -146,119 +219,114 @@ interface(`gnome_exec_gconf',`
 ##	</summary>
 ## </param>
 #
@ -34895,7 +34901,7 @@ index ab09d6195..e591cd040 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -266,15 +331,21 @@ interface(`gnome_create_generic_home_dirs',`
+@@ -266,15 +334,21 @@ interface(`gnome_create_generic_home_dirs',`
 ##	</summary>
 ## </param>
 #
@ -34922,7 +34928,7 @@ index ab09d6195..e591cd040 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -282,57 +353,89 @@ interface(`gnome_setattr_config_dirs',`
+@@ -282,57 +356,89 @@ interface(`gnome_setattr_config_dirs',`
 ##	</summary>
 ## </param>
 #
@ -35030,7 +35036,7 @@ index ab09d6195..e591cd040 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -340,15 +443,18 @@ interface(`gnome_read_generic_home_content',`
+@@ -340,15 +446,18 @@ interface(`gnome_read_generic_home_content',`
 ##	</summary>
 ## </param>
 #
@ -35054,7 +35060,7 @@ index ab09d6195..e591cd040 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -356,22 +462,18 @@ interface(`gnome_manage_config',`
+@@ -356,22 +465,18 @@ interface(`gnome_manage_config',`
 ##	</summary>
 ## </param>
 #
@ -35082,7 +35088,7 @@ index ab09d6195..e591cd040 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -379,53 +481,37 @@ interface(`gnome_manage_generic_home_content',`
+@@ -379,53 +484,37 @@ interface(`gnome_manage_generic_home_content',`
 ##	</summary>
 ## </param>
 #
@ -35144,7 +35150,7 @@ index ab09d6195..e591cd040 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -433,17 +519,18 @@ interface(`gnome_home_filetrans',`
+@@ -433,17 +522,18 @@ interface(`gnome_home_filetrans',`
 ##	</summary>
 ## </param>
 #
@ -35167,7 +35173,7 @@ index ab09d6195..e591cd040 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -451,23 +538,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
+@@ -451,23 +541,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
 ##	</summary>
 ## </param>
 #
@ -35195,7 +35201,7 @@ index ab09d6195..e591cd040 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -475,22 +557,18 @@ interface(`gnome_read_generic_gconf_home_content',`
+@@ -475,22 +560,18 @@ interface(`gnome_read_generic_gconf_home_content',`
 ##	</summary>
 ## </param>
 #
@ -35222,7 +35228,7 @@ index ab09d6195..e591cd040 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -498,79 +576,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
+@@ -498,79 +579,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
 ##	</summary>
 ## </param>
 #
@ -35320,7 +35326,7 @@ index ab09d6195..e591cd040 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -579,12 +637,12 @@ interface(`gnome_home_filetrans_gnome_home',`
+@@ -579,12 +640,12 @@ interface(`gnome_home_filetrans_gnome_home',`
 ## </param>
 ## <param name="private_type">
 ##	<summary>
@ -35335,7 +35341,7 @@ index ab09d6195..e591cd040 100644
 ##	</summary>
 ## </param>
 ## <param name="name" optional="true">
-@@ -593,18 +651,18 @@ interface(`gnome_home_filetrans_gnome_home',`
+@@ -593,18 +654,18 @@ interface(`gnome_home_filetrans_gnome_home',`
 ##	</summary>
 ## </param>
 #
@ -35360,7 +35366,7 @@ index ab09d6195..e591cd040 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -612,46 +670,81 @@ interface(`gnome_gconf_home_filetrans',`
+@@ -612,46 +673,58 @@ interface(`gnome_gconf_home_filetrans',`
 ##	</summary>
 ## </param>
 #
@ -35385,11 +35391,15 @@ index ab09d6195..e591cd040 100644
 +##  Read generic data home dirs.
 ## </summary>
 -## <param name="role_prefix">
 -##	<summary>
 -##	The prefix of the user domain (e.g., user
 -##	is the prefix for user_t).
 -##	</summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
+ ## </param>
 +#
 +interface(`gnome_read_generic_data_home_dirs',`
 +    gen_require(`
@ -35402,30 +35412,6 @@ index ab09d6195..e591cd040 100644
 +#######################################
 +## <summary>
 +##	Manage gconf data home files
 +## </summary>
 +## <param name="domain">
 ##	<summary>
 -##	The prefix of the user domain (e.g., user
 -##	is the prefix for user_t).
 +##	Domain allowed access.
 ##	</summary>
 ## </param>
 +#
 +interface(`gnome_manage_data',`
 +	gen_require(`
 +		type data_home_t;
 +		type gconf_home_t;
 +	')
 +
 +	allow $1 gconf_home_t:dir search_dir_perms;
 +	manage_dirs_pattern($1, data_home_t, data_home_t)
 +	manage_files_pattern($1, data_home_t, data_home_t)
 +	manage_lnk_files_pattern($1, data_home_t, data_home_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Read icc data home content.
 +## </summary>
 ## <param name="domain">
 ##	<summary>
@ -35434,15 +35420,44 @@ index ab09d6195..e591cd040 100644
 ## </param>
 #
 -interface(`gnome_dbus_chat_gkeyringd',`
-+interface(`gnome_read_home_icc_data_content',`
+interface(`gnome_manage_data',`
 	gen_require(`
 -		type $1_gkeyringd_t;
 -		class dbus send_msg;
-+		type icc_data_home_t, gconf_home_t, data_home_t;
+		type data_home_t;
 +		type gconf_home_t;
 	')
 -	allow $2 $1_gkeyringd_t:dbus send_msg;
 -	allow $1_gkeyringd_t $2:dbus send_msg;
 +	allow $1 gconf_home_t:dir search_dir_perms;
 +	manage_dirs_pattern($1, data_home_t, data_home_t)
 +	manage_files_pattern($1, data_home_t, data_home_t)
 +	manage_lnk_files_pattern($1, data_home_t, data_home_t)
 ')
 ########################################
 ## <summary>
 -##	Send and receive messages from all
 -##	gnome keyring daemon over dbus.
 +##	Read icc data home content.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -659,59 +732,1091 @@ interface(`gnome_dbus_chat_gkeyringd',`
 ##	</summary>
 ## </param>
 #
 -interface(`gnome_dbus_chat_all_gkeyringd',`
 +interface(`gnome_read_home_icc_data_content',`
 	gen_require(`
 -		attribute gkeyringd_domain;
 -		class dbus send_msg;
 +		type icc_data_home_t, gconf_home_t, data_home_t;
 	')
 -	allow $1 gkeyringd_domain:dbus send_msg;
 -	allow gkeyringd_domain $1:dbus send_msg;
 +	userdom_search_user_home_dirs($1)
 +	allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
 +	allow $1 icc_data_home_t:file map;
@ -35451,69 +35466,68 @@ index ab09d6195..e591cd040 100644
 +	read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
 ')
 ########################################
 ## <summary>
 -##	Send and receive messages from all
 -##	gnome keyring daemon over dbus.
 +##	Read inherited icc data home files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -659,46 +752,64 @@ interface(`gnome_dbus_chat_gkeyringd',`
 ##	</summary>
 ## </param>
 #
 -interface(`gnome_dbus_chat_all_gkeyringd',`
 +interface(`gnome_read_inherited_home_icc_data_files',`
 	gen_require(`
 -		attribute gkeyringd_domain;
 -		class dbus send_msg;
 +		type icc_data_home_t;
 	')
 -	allow $1 gkeyringd_domain:dbus send_msg;
 -	allow gkeyringd_domain $1:dbus send_msg;
 +	allow $1 icc_data_home_t:file read_inherited_file_perms;
 ')
 ########################################
 ## <summary>
 -##	Connect to gnome keyring daemon
 -##	with a unix stream socket.
-+##	Create gconf_home_t objects in the /root directory
+##	Read inherited icc data home files.
 ## </summary>
 -## <param name="role_prefix">
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <param name="object_class">
 ##	<summary>
 -##	The prefix of the user domain (e.g., user
 -##	is the prefix for user_t).
-+##	The class of the object to be created.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 +#
 +interface(`gnome_read_inherited_home_icc_data_files',`
 +	gen_require(`
 +		type icc_data_home_t;
 +	')
 +
 +	allow $1 icc_data_home_t:file read_inherited_file_perms;
 +')
 +
 +########################################
 +## <summary>
 +##	Create gconf_home_t objects in the /root directory
 +## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 +## <param name="object_class">
 +##	<summary>
 +##	The class of the object to be created.
 +##	</summary>
 +## </param>
 +## <param name="name" optional="true">
 +##	<summary>
 +##	The name of the object being created.
 +##	</summary>
 +## </param>
-+#
+ #
 -interface(`gnome_stream_connect_gkeyringd',`
 +interface(`gnome_admin_home_gconf_filetrans',`
-+	gen_require(`
+ 	gen_require(`
 -		type $1_gkeyringd_t, gnome_keyring_tmp_t;
 +		type gconf_home_t;
-+	')
+ 	')
-+
+ 
 -	files_search_tmp($2)
 -	stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
 +	userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
-+')
+ ')
-+
+ 
-+########################################
+ ########################################
-+## <summary>
+ ## <summary>
 -##	Connect to all gnome keyring daemon
 -##	with a unix stream socket.
 +##	Do not audit attempts to read
 +##	inherited gconf config files.
-+## </summary>
+ ## </summary>
 ## <param name="domain">
 ##	<summary>
 -##	Domain allowed access.
@ -35521,35 +35535,31 @@ index ab09d6195..e591cd040 100644
 ##	</summary>
 ## </param>
 #
 -interface(`gnome_stream_connect_gkeyringd',`
 +interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
 	gen_require(`
 -		type $1_gkeyringd_t, gnome_keyring_tmp_t;
 +		type gconf_etc_t;
 	')
 -	files_search_tmp($2)
 -	stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
 +	dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
 ')
 ########################################
 ## <summary>
 -##	Connect to all gnome keyring daemon
 -##	with a unix stream socket.
 +##	read gconf config files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -706,12 +817,1003 @@ interface(`gnome_stream_connect_gkeyringd',`
 ##	</summary>
 ## </param>
 #
 -interface(`gnome_stream_connect_all_gkeyringd',`
-+interface(`gnome_read_gconf_config',`
+interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
 	gen_require(`
 -		attribute gkeyringd_domain;
 -		type gnome_keyring_tmp_t;
 +		type gconf_etc_t;
 	')
 -	files_search_tmp($1)
 -	stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
 +	dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
 +')
 +
 +########################################
 +## <summary>
 +##	read gconf config files
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`gnome_read_gconf_config',`
 +	gen_require(`
 +		type gconf_etc_t;
 +	')
 +
@ -35693,10 +35703,9 @@ index ab09d6195..e591cd040 100644
 +interface(`gnome_list_gkeyringd_tmp_dirs',`
 +	gen_require(`
 +		type gkeyringd_tmp_t;
- 	')
+	')
- 
+
- 	files_search_tmp($1)
+	files_search_tmp($1)
 -	stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
 +	allow $1 gkeyringd_tmp_t:dir list_dir_perms;
 +')
 +
@ -40966,7 +40975,7 @@ index 000000000..e86db5418
 +')
 diff --git a/ipmievd.te b/ipmievd.te
 new file mode 100644
-index 000000000..06b8358b4
+index 000000000..3990b66b2
 --- /dev/null
 +++ b/ipmievd.te
@@ -0,0 +1,52 @@
@ -41007,7 +41016,7 @@ index 000000000..06b8358b4
 +kernel_read_system_state(ipmievd_t)
 +kernel_load_module(ipmievd_t)
 +
-+auth_read_passwd(ipmievd_t)
+auth_use_nsswitch(ipmievd_t)
 +
 +corecmd_exec_bin(ipmievd_t)
 +
@ -41900,10 +41909,10 @@ index 7eb381121..8075ba5f0 100644
 -	admin_pattern($1, jabberd_var_run_t)
 ')
 diff --git a/jabber.te b/jabber.te
-index af67c36ee..aa88a0ac2 100644
+index af67c36ee..4755e0af8 100644
 --- a/jabber.te
 +++ b/jabber.te
-@@ -9,129 +9,133 @@ attribute jabberd_domain;
+@@ -9,129 +9,137 @@ attribute jabberd_domain;
 jabber_domain_template(jabberd)
 jabber_domain_template(jabberd_router)
@ -41971,6 +41980,7 @@ index af67c36ee..aa88a0ac2 100644
 +corenet_tcp_connect_jabber_router_port(jabberd_router_t)
 +corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
 +corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
 +corenet_tcp_connect_postgresql_port(jabberd_router_t)
 -logging_send_syslog_msg(jabberd_domain)
 +fs_getattr_all_fs(jabberd_router_t)
@ -41999,84 +42009,87 @@ index af67c36ee..aa88a0ac2 100644
 -dontaudit jabberd_t self:capability sys_tty_config;
 -allow jabberd_t self:tcp_socket create_socket_perms;
 -allow jabberd_t self:udp_socket create_socket_perms;
 +allow jabberd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
 +
 +manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
 +manage_dirs_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
- 
+
 -manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t)
 +corenet_tcp_bind_jabber_interserver_port(jabberd_t)
 +corenet_tcp_connect_jabber_interserver_port(jabberd_t)
 +corenet_tcp_connect_jabber_router_port(jabberd_t)
 +corenet_tcp_connect_postgresql_port(jabberd_t)
 -manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t)
 +userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
 +userdom_dontaudit_search_user_home_dirs(jabberd_t)
 -allow jabberd_t jabberd_log_t:dir setattr_dir_perms;
 -append_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
 -create_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
 -setattr_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
 -logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
 +userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
 +userdom_dontaudit_search_user_home_dirs(jabberd_t)
 -manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)
 +miscfiles_read_certs(jabberd_t)
-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
+-manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)
 -files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
 +optional_policy(`
 +	seutil_sigchld_newrole(jabberd_t)
 +')
-kernel_read_kernel_sysctls(jabberd_t)
+-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
 -files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
 +optional_policy(`
 +	udev_read_db(jabberd_t)
 +')
-corenet_sendrecv_jabber_client_server_packets(jabberd_t)
+-kernel_read_kernel_sysctls(jabberd_t)
 -corenet_tcp_bind_jabber_client_port(jabberd_t)
 -corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
 +######################################
 +#
 +# Local policy for pyicq-t
 +#
-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
+-corenet_sendrecv_jabber_client_server_packets(jabberd_t)
-corenet_tcp_bind_jabber_interserver_port(jabberd_t)
+-corenet_tcp_bind_jabber_client_port(jabberd_t)
-corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t)
+-corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
 +# need for /var/log/pyicq-t.log
 +manage_files_pattern(pyicqt_t, pyicqt_log_t, pyicqt_log_t)
 +logging_log_filetrans(pyicqt_t, pyicqt_log_t, file)
-dev_read_rand(jabberd_t)
+-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
 -corenet_tcp_bind_jabber_interserver_port(jabberd_t)
 -corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t)
 +manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t);
-domain_use_interactive_fds(jabberd_t)
+-dev_read_rand(jabberd_t)
 +files_search_spool(pyicqt_t)
 +manage_files_pattern(pyicqt_t, pyicqt_var_spool_t, pyicqt_var_spool_t);
-files_read_etc_files(jabberd_t)
+-domain_use_interactive_fds(jabberd_t)
 -files_read_etc_runtime_files(jabberd_t)
 +corenet_tcp_bind_jabber_router_port(pyicqt_t)
 +corenet_tcp_connect_jabber_router_port(pyicqt_t)
-fs_search_auto_mountpoints(jabberd_t)
+-files_read_etc_files(jabberd_t)
 -files_read_etc_runtime_files(jabberd_t)
 +corecmd_exec_bin(pyicqt_t)
-sysnet_read_config(jabberd_t)
+-fs_search_auto_mountpoints(jabberd_t)
 +dev_read_urand(pyicqt_t)
 -sysnet_read_config(jabberd_t)
 +auth_use_nsswitch(pyicqt_t)
 -userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
 -userdom_dontaudit_search_user_home_dirs(jabberd_t)
 +auth_use_nsswitch(pyicqt_t)
 +# needed for pyicq-t-mysql
 +optional_policy(`
 +	corenet_tcp_connect_mysqld_port(pyicqt_t)
 +')
 optional_policy(`
 -	udev_read_db(jabberd_t)
-+	corenet_tcp_connect_mysqld_port(pyicqt_t)
+	sysnet_use_ldap(pyicqt_t)
 ')
 -########################################
 +optional_policy(`
 +	sysnet_use_ldap(pyicqt_t)
 +')
 +
 +#######################################
 #
 -# Router local policy
@ -46979,7 +46992,7 @@ index 3602712d0..af83a5b6b 100644
 +	allow $1 slapd_unit_file_t:service all_service_perms;
 ')
 diff --git a/ldap.te b/ldap.te
-index 4c2b1110e..f01469806 100644
+index 4c2b1110e..4baf7a041 100644
 --- a/ldap.te
 +++ b/ldap.te
@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
@ -46992,7 +47005,7 @@ index 4c2b1110e..f01469806 100644
 type slapd_keytab_t;
 files_type(slapd_keytab_t)
-@@ -47,9 +50,9 @@ files_pid_file(slapd_var_run_t)
+@@ -47,9 +50,10 @@ files_pid_file(slapd_var_run_t)
 # Local policy
 #
@ -47000,11 +47013,12 @@ index 4c2b1110e..f01469806 100644
 +allow slapd_t self:capability { kill setgid setuid net_raw  dac_read_search };
 dontaudit slapd_t self:capability sys_tty_config;
 -allow slapd_t self:process setsched;
 +dontaudit slapd_t self:capability2 block_suspend;
 +allow slapd_t self:process { setsched signal } ;
 allow slapd_t self:fifo_file rw_fifo_file_perms;
 allow slapd_t self:tcp_socket { accept listen };
-@@ -60,6 +63,7 @@ read_lnk_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
+@@ -60,6 +64,7 @@ read_lnk_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
 manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t)
 manage_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
 manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
@ -47012,7 +47026,7 @@ index 4c2b1110e..f01469806 100644
 allow slapd_t slapd_etc_t:file read_file_perms;
-@@ -69,9 +73,7 @@ allow slapd_t slapd_lock_t:file manage_file_perms;
+@@ -69,9 +74,7 @@ allow slapd_t slapd_lock_t:file manage_file_perms;
 files_lock_filetrans(slapd_t, slapd_lock_t, file)
 manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t)
@ -47023,7 +47037,7 @@ index 4c2b1110e..f01469806 100644
 logging_log_filetrans(slapd_t, slapd_log_t, { file dir })
 manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
-@@ -93,7 +95,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
+@@ -93,7 +96,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
 kernel_read_system_state(slapd_t)
 kernel_read_kernel_sysctls(slapd_t)
@ -47031,7 +47045,7 @@ index 4c2b1110e..f01469806 100644
 corenet_all_recvfrom_netlabel(slapd_t)
 corenet_tcp_sendrecv_generic_if(slapd_t)
 corenet_tcp_sendrecv_generic_node(slapd_t)
-@@ -115,25 +116,26 @@ fs_getattr_all_fs(slapd_t)
+@@ -115,25 +117,26 @@ fs_getattr_all_fs(slapd_t)
 fs_search_auto_mountpoints(slapd_t)
 files_read_etc_runtime_files(slapd_t)
@ -68743,7 +68757,7 @@ index 000000000..3ff5b7610
 +')
 diff --git a/opensm.fc b/opensm.fc
 new file mode 100644
-index 000000000..51650fa65
+index 000000000..65511ed7a
 --- /dev/null
 +++ b/opensm.fc
@@ -0,0 +1,7 @@
@ -68753,7 +68767,7 @@ index 000000000..51650fa65
 +
 +/var/cache/opensm(/.*)?		gen_context(system_u:object_r:opensm_cache_t,s0)
 +
-+/var/log/opensm\.log.*  	--	gen_context(system_u:object_r:opensm_log_t,s0)
+/var/log/opensm.*  	--	gen_context(system_u:object_r:opensm_log_t,s0)
 diff --git a/opensm.if b/opensm.if
 new file mode 100644
 index 000000000..45de66477
@ -70959,7 +70973,7 @@ index bf59ef731..0e333279c 100644
 +')
 +
 diff --git a/passenger.te b/passenger.te
-index 08ec33bf2..e175fc6a9 100644
+index 08ec33bf2..c1af8d7ae 100644
 --- a/passenger.te
 +++ b/passenger.te
@@ -1,4 +1,4 @@
@ -71025,7 +71039,7 @@ index 08ec33bf2..e175fc6a9 100644
 kernel_read_system_state(passenger_t)
 kernel_read_kernel_sysctls(passenger_t)
-@@ -53,13 +63,10 @@ kernel_read_network_state(passenger_t)
+@@ -53,13 +63,11 @@ kernel_read_network_state(passenger_t)
 kernel_read_net_sysctls(passenger_t)
 corenet_all_recvfrom_netlabel(passenger_t)
@ -71037,10 +71051,11 @@ index 08ec33bf2..e175fc6a9 100644
 corenet_tcp_connect_http_port(passenger_t)
 -corenet_tcp_sendrecv_http_port(passenger_t)
 +corenet_tcp_connect_postgresql_port(passenger_t)
 +corenet_tcp_connect_mysqld_port(passenger_t)
 corecmd_exec_bin(passenger_t)
 corecmd_exec_shell(passenger_t)
-@@ -68,10 +75,10 @@ dev_read_urand(passenger_t)
+@@ -68,10 +76,10 @@ dev_read_urand(passenger_t)
 domain_read_all_domains_state(passenger_t)
@ -71053,7 +71068,7 @@ index 08ec33bf2..e175fc6a9 100644
 logging_send_syslog_msg(passenger_t)
 miscfiles_read_localization(passenger_t)
-@@ -83,6 +90,7 @@ userdom_dontaudit_use_user_terminals(passenger_t)
+@@ -83,6 +91,7 @@ userdom_dontaudit_use_user_terminals(passenger_t)
 optional_policy(`
 	apache_append_log(passenger_t)
 	apache_read_sys_content(passenger_t)
@ -71061,7 +71076,7 @@ index 08ec33bf2..e175fc6a9 100644
 ')
 optional_policy(`
-@@ -94,14 +102,21 @@ optional_policy(`
+@@ -94,14 +103,21 @@ optional_policy(`
 ')
 optional_policy(`
@ -106028,7 +106043,7 @@ index 1499b0bbf..e695a62f3 100644
 -	spamassassin_role($2, $1)
 ')
 diff --git a/spamassassin.te b/spamassassin.te
-index cc58e3578..befb6796c 100644
+index cc58e3578..ece033330 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
@@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1)
@ -106464,7 +106479,7 @@ index cc58e3578..befb6796c 100644
 optional_policy(`
 	abrt_stream_connect(spamc_t)
-@@ -243,6 +352,7 @@ optional_policy(`
+@@ -243,19 +352,31 @@ optional_policy(`
 ')
 optional_policy(`
@ -106472,7 +106487,12 @@ index cc58e3578..befb6796c 100644
 	evolution_stream_connect(spamc_t)
 ')
-@@ -251,11 +361,18 @@ optional_policy(`
+ optional_policy(`
 +    cyrus_stream_connect(spamc_t)
 +')
 +
 +optional_policy(`
 	milter_manage_spamass_state(spamc_t)
 ')
 optional_policy(`
@ -106492,7 +106512,7 @@ index cc58e3578..befb6796c 100644
 ')
 optional_policy(`
-@@ -267,48 +384,54 @@ optional_policy(`
+@@ -267,48 +388,54 @@ optional_policy(`
 ########################################
 #
@ -106567,7 +106587,7 @@ index cc58e3578..befb6796c 100644
 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
 manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
-@@ -317,12 +440,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -317,12 +444,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
 manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
 files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
@ -106584,7 +106604,7 @@ index cc58e3578..befb6796c 100644
 corenet_all_recvfrom_netlabel(spamd_t)
 corenet_tcp_sendrecv_generic_if(spamd_t)
 corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +456,60 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +460,60 @@ corenet_udp_sendrecv_generic_node(spamd_t)
 corenet_tcp_sendrecv_all_ports(spamd_t)
 corenet_udp_sendrecv_all_ports(spamd_t)
 corenet_tcp_bind_generic_node(spamd_t)
@ -106689,7 +106709,7 @@ index cc58e3578..befb6796c 100644
 ')
 optional_policy(`
-@@ -421,21 +528,13 @@ optional_policy(`
+@@ -421,21 +532,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -106713,7 +106733,7 @@ index cc58e3578..befb6796c 100644
 ')
 optional_policy(`
-@@ -443,8 +542,8 @@ optional_policy(`
+@@ -443,8 +546,8 @@ optional_policy(`
 ')
 optional_policy(`
@ -106723,7 +106743,7 @@ index cc58e3578..befb6796c 100644
 ')
 optional_policy(`
-@@ -455,7 +554,17 @@ optional_policy(`
+@@ -455,7 +558,17 @@ optional_policy(`
 optional_policy(`
 	razor_domtrans(spamd_t)
 	razor_read_lib_files(spamd_t)
@ -106742,7 +106762,7 @@ index cc58e3578..befb6796c 100644
 ')
 optional_policy(`
-@@ -463,9 +572,10 @@ optional_policy(`
+@@ -463,9 +576,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -106754,7 +106774,7 @@ index cc58e3578..befb6796c 100644
 ')
 optional_policy(`
-@@ -474,32 +584,31 @@ optional_policy(`
+@@ -474,32 +588,31 @@ optional_policy(`
 ########################################
 #
@ -106796,7 +106816,7 @@ index cc58e3578..befb6796c 100644
 corecmd_exec_bin(spamd_update_t)
 corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +617,26 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +621,26 @@ dev_read_urand(spamd_update_t)
 domain_use_interactive_fds(spamd_update_t)
@ -112360,10 +112380,10 @@ index 000000000..368e18842
 +')
 diff --git a/tlp.te b/tlp.te
 new file mode 100644
-index 000000000..5185a9e8e
+index 000000000..f124882af
 --- /dev/null
 +++ b/tlp.te
-@@ -0,0 +1,86 @@
+@@ -0,0 +1,91 @@
 +policy_module(tlp, 1.0.0)
 +
 +########################################
@ -112429,6 +112449,7 @@ index 000000000..5185a9e8e
 +logging_send_syslog_msg(tlp_t)
 +
 +storage_raw_read_fixed_disk(tlp_t)
 +storage_raw_read_removable_device(tlp_t)
 +storage_raw_write_removable_device(tlp_t)
 +
 +sysnet_exec_ifconfig(tlp_t)
@ -112450,6 +112471,10 @@ index 000000000..5185a9e8e
 +    sssd_read_public_files(tlp_t)
 +    sssd_stream_connect(tlp_t)
 +')
 +
 +optional_policy(`
 +	udev_domtrans(tlp_t)
 +')
 diff --git a/tmpreaper.te b/tmpreaper.te
 index 585a77f95..71981be9d 100644
 --- a/tmpreaper.te
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 301%{?dist}
+Release: 302%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -717,6 +717,17 @@ exit 0
 %endif
 %changelog
 * Mon Nov 06 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-302
 - Allow jabber domains to connect to postgresql ports
 - Dontaudit slapd_t to block suspend system
 - Allow spamc_t to stream connect to cyrys.
 - Allow passenger to connect to mysqld_port_t
 - Allow ipmievd to use nsswitch
 - Allow chronyc_t domain to use user_ptys
 - Label all files /var/log/opensm.* as opensm_log_t because opensm creating new log files with name opensm-subnet.lst
 - Fix typo bug in tlp module
 - Allow userdomain gkeyringd domain to create stream socket with userdomain
 * Fri Nov 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-301
 - Merge pull request #37 from milosmalik/rawhide
 - Allow mozilla_plugin_t domain to dbus chat with devicekit