* Wed Feb 03 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-169

- Allow openvswitch domain capability sys_rawio. - Revert "Allow NetworkManager create dhcpc pid files. BZ(1229755)" - Allow openvswitch to manage hugetlfs files and dirs. - Allow NetworkManager create dhcpc pid files. BZ(1229755) - Allow apcupsd to read kernel network state. BZ(1282003) - Label /sys/kernel/debug/tracing filesystem - Add fs_manage_hugetlbfs_files() interface. - Add sysnet_filetrans_dhcpc_pid() interface.
2016-02-03 10:57:06 +01:00 · 2016-02-03 10:57:06 +01:00 · edb36e0557
commit edb36e0557
parent 4c488a69fa
4 changed files with 318 additions and 215 deletions
--- a/docker-selinux.tgz
+++ b/docker-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -15451,7 +15451,7 @@ index d7c11a0..6b3331d 100644
 /var/run/shm/.*			<<none>>
 -')
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..843f849 100644
+index 8416beb..1a164a7 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@ -16373,11 +16373,16 @@ index 8416beb..843f849 100644
 ##	Get the attributes of an hugetlbfs
 ##	filesystem.
 ## </summary>
-@@ -2062,7 +2579,43 @@ interface(`fs_list_hugetlbfs',`
+@@ -2057,12 +2574,66 @@ interface(`fs_list_hugetlbfs',`
 		type hugetlbfs_t;
 	')
- ########################################
+-	allow $1 hugetlbfs_t:dir list_dir_perms;
- ## <summary>
+	allow $1 hugetlbfs_t:dir list_dir_perms;
-##	Manage hugetlbfs dirs.
+')
 +
 +########################################
 +## <summary>
 +##	Manage hugetlbfs dirs.
 +## </summary>
 +## <param name="domain">
@ -16415,21 +16420,40 @@ index 8416beb..843f849 100644
 +########################################
 +## <summary>
 +##	Read and write hugetlbfs files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`fs_rw_hugetlbfs_files',`
 +	gen_require(`
 +		type hugetlbfs_t;
 +	')
 +
 +	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
 ')
 ########################################
 ## <summary>
 -##	Manage hugetlbfs dirs.
 +##	Manage  hugetlbfs files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2070,17 +2623,17 @@ interface(`fs_list_hugetlbfs',`
+@@ -2070,17 +2641,17 @@ interface(`fs_list_hugetlbfs',`
 ##	</summary>
 ## </param>
 #
 -interface(`fs_manage_hugetlbfs_dirs',`
-+interface(`fs_rw_hugetlbfs_files',`
+interface(`fs_manage_hugetlbfs_files',`
 	gen_require(`
 		type hugetlbfs_t;
 	')
 -	manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+	manage_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
 ')
 ########################################
@ -16439,7 +16463,7 @@ index 8416beb..843f849 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2088,12 +2641,13 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -2088,12 +2659,13 @@ interface(`fs_manage_hugetlbfs_dirs',`
 ##	</summary>
 ## </param>
 #
@ -16455,7 +16479,7 @@ index 8416beb..843f849 100644
 ')
 ########################################
-@@ -2148,11 +2702,12 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,11 +2720,12 @@ interface(`fs_list_inotifyfs',`
 	')
 	allow $1 inotifyfs_t:dir list_dir_perms;
@ -16469,7 +16493,7 @@ index 8416beb..843f849 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2297,14 +2852,332 @@ interface(`fs_getattr_iso9660_files',`
+@@ -2297,14 +2870,332 @@ interface(`fs_getattr_iso9660_files',`
 		type iso9660_t;
 	')
@ -16806,7 +16830,7 @@ index 8416beb..843f849 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2312,16 +3185,15 @@ interface(`fs_getattr_iso9660_files',`
+@@ -2312,16 +3203,15 @@ interface(`fs_getattr_iso9660_files',`
 ##	</summary>
 ## </param>
 #
@ -16827,7 +16851,7 @@ index 8416beb..843f849 100644
 ########################################
 ## <summary>
 ##	Mount a NFS filesystem.
-@@ -2398,6 +3270,24 @@ interface(`fs_getattr_nfs',`
+@@ -2398,6 +3288,24 @@ interface(`fs_getattr_nfs',`
 ########################################
 ## <summary>
@ -16852,7 +16876,7 @@ index 8416beb..843f849 100644
 ##	Search directories on a NFS filesystem.
 ## </summary>
 ## <param name="domain">
-@@ -2485,6 +3375,7 @@ interface(`fs_read_nfs_files',`
+@@ -2485,6 +3393,7 @@ interface(`fs_read_nfs_files',`
 		type nfs_t;
 	')
@ -16860,7 +16884,7 @@ index 8416beb..843f849 100644
 	allow $1 nfs_t:dir list_dir_perms;
 	read_files_pattern($1, nfs_t, nfs_t)
 ')
-@@ -2523,6 +3414,7 @@ interface(`fs_write_nfs_files',`
+@@ -2523,6 +3432,7 @@ interface(`fs_write_nfs_files',`
 		type nfs_t;
 	')
@ -16868,7 +16892,7 @@ index 8416beb..843f849 100644
 	allow $1 nfs_t:dir list_dir_perms;
 	write_files_pattern($1, nfs_t, nfs_t)
 ')
-@@ -2549,6 +3441,44 @@ interface(`fs_exec_nfs_files',`
+@@ -2549,6 +3459,44 @@ interface(`fs_exec_nfs_files',`
 ########################################
 ## <summary>
@ -16913,7 +16937,7 @@ index 8416beb..843f849 100644
 ##	Append files
 ##	on a NFS filesystem.
 ## </summary>
-@@ -2569,7 +3499,7 @@ interface(`fs_append_nfs_files',`
+@@ -2569,7 +3517,7 @@ interface(`fs_append_nfs_files',`
 ########################################
 ## <summary>
@ -16922,7 +16946,7 @@ index 8416beb..843f849 100644
 ##	on a NFS filesystem.
 ## </summary>
 ## <param name="domain">
-@@ -2589,6 +3519,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2589,6 +3537,42 @@ interface(`fs_dontaudit_append_nfs_files',`
 ########################################
 ## <summary>
@ -16965,7 +16989,7 @@ index 8416beb..843f849 100644
 ##	Do not audit attempts to read or
 ##	write files on a NFS filesystem.
 ## </summary>
-@@ -2603,7 +3569,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2603,7 +3587,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
 		type nfs_t;
 	')
@ -16974,7 +16998,7 @@ index 8416beb..843f849 100644
 ')
 ########################################
-@@ -2627,7 +3593,7 @@ interface(`fs_read_nfs_symlinks',`
+@@ -2627,7 +3611,7 @@ interface(`fs_read_nfs_symlinks',`
 ########################################
 ## <summary>
@ -16983,7 +17007,7 @@ index 8416beb..843f849 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2719,6 +3685,65 @@ interface(`fs_search_rpc',`
+@@ -2719,6 +3703,65 @@ interface(`fs_search_rpc',`
 ########################################
 ## <summary>
@ -17049,7 +17073,7 @@ index 8416beb..843f849 100644
 ##	Search removable storage directories.
 ## </summary>
 ## <param name="domain">
-@@ -2741,7 +3766,7 @@ interface(`fs_search_removable',`
+@@ -2741,7 +3784,7 @@ interface(`fs_search_removable',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -17058,7 +17082,7 @@ index 8416beb..843f849 100644
 ##	</summary>
 ## </param>
 #
-@@ -2777,7 +3802,7 @@ interface(`fs_read_removable_files',`
+@@ -2777,7 +3820,7 @@ interface(`fs_read_removable_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -17067,7 +17091,7 @@ index 8416beb..843f849 100644
 ##	</summary>
 ## </param>
 #
-@@ -2970,6 +3995,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +4013,7 @@ interface(`fs_manage_nfs_dirs',`
 		type nfs_t;
 	')
@ -17075,7 +17099,7 @@ index 8416beb..843f849 100644
 	allow $1 nfs_t:dir manage_dir_perms;
 ')
-@@ -3010,6 +4036,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,6 +4054,7 @@ interface(`fs_manage_nfs_files',`
 		type nfs_t;
 	')
@ -17083,7 +17107,7 @@ index 8416beb..843f849 100644
 	manage_files_pattern($1, nfs_t, nfs_t)
 ')
-@@ -3050,6 +4077,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3050,6 +4095,7 @@ interface(`fs_manage_nfs_symlinks',`
 		type nfs_t;
 	')
@ -17091,7 +17115,7 @@ index 8416beb..843f849 100644
 	manage_lnk_files_pattern($1, nfs_t, nfs_t)
 ')
-@@ -3137,6 +4165,24 @@ interface(`fs_nfs_domtrans',`
+@@ -3137,6 +4183,24 @@ interface(`fs_nfs_domtrans',`
 ########################################
 ## <summary>
@ -17116,7 +17140,7 @@ index 8416beb..843f849 100644
 ##	Mount a NFS server pseudo filesystem.
 ## </summary>
 ## <param name="domain">
-@@ -3263,7 +4309,25 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3263,7 +4327,25 @@ interface(`fs_getattr_nfsd_files',`
 	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
 ')
@ -17143,7 +17167,7 @@ index 8416beb..843f849 100644
 ## <summary>
 ##	Read and write NFS server files.
 ## </summary>
-@@ -3281,6 +4345,42 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3281,6 +4363,42 @@ interface(`fs_rw_nfsd_fs',`
 	rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
 ')
@ -17186,7 +17210,7 @@ index 8416beb..843f849 100644
 ########################################
 ## <summary>
 ##	Allow the type to associate to ramfs filesystems.
-@@ -3392,7 +4492,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +4510,7 @@ interface(`fs_search_ramfs',`
 ########################################
 ## <summary>
@ -17195,7 +17219,7 @@ index 8416beb..843f849 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3429,7 +4529,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4547,7 @@ interface(`fs_manage_ramfs_dirs',`
 ########################################
 ## <summary>
@ -17204,7 +17228,7 @@ index 8416beb..843f849 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3447,7 +4547,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4565,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
 ########################################
 ## <summary>
@ -17213,7 +17237,7 @@ index 8416beb..843f849 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3779,6 +4879,24 @@ interface(`fs_mount_tmpfs',`
+@@ -3779,6 +4897,24 @@ interface(`fs_mount_tmpfs',`
 ########################################
 ## <summary>
@ -17238,7 +17262,7 @@ index 8416beb..843f849 100644
 ##	Remount a tmpfs filesystem.
 ## </summary>
 ## <param name="domain">
-@@ -3815,6 +4933,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +4951,24 @@ interface(`fs_unmount_tmpfs',`
 ########################################
 ## <summary>
@ -17263,7 +17287,7 @@ index 8416beb..843f849 100644
 ##	Get the attributes of a tmpfs
 ##	filesystem.
 ## </summary>
-@@ -3839,39 +4975,76 @@ interface(`fs_getattr_tmpfs',`
+@@ -3839,39 +4993,76 @@ interface(`fs_getattr_tmpfs',`
 ## </summary>
 ## <param name="type">
 ##	<summary>
@ -17349,7 +17373,7 @@ index 8416beb..843f849 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3879,36 +5052,35 @@ interface(`fs_relabelfrom_tmpfs',`
+@@ -3879,36 +5070,35 @@ interface(`fs_relabelfrom_tmpfs',`
 ##	</summary>
 ## </param>
 #
@ -17393,7 +17417,7 @@ index 8416beb..843f849 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3916,35 +5088,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,35 +5106,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
 ##	</summary>
 ## </param>
 #
@ -17437,7 +17461,7 @@ index 8416beb..843f849 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3952,17 +5125,17 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +5143,17 @@ interface(`fs_setattr_tmpfs_dirs',`
 ##	</summary>
 ## </param>
 #
@ -17458,7 +17482,7 @@ index 8416beb..843f849 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3970,31 +5143,30 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +5161,30 @@ interface(`fs_search_tmpfs',`
 ##	</summary>
 ## </param>
 #
@ -17496,7 +17520,7 @@ index 8416beb..843f849 100644
 ')
 ########################################
-@@ -4105,7 +5277,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4105,7 +5295,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
 		type tmpfs_t;
 	')
@ -17505,7 +17529,7 @@ index 8416beb..843f849 100644
 ')
 ########################################
-@@ -4165,6 +5337,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4165,6 +5355,24 @@ interface(`fs_rw_tmpfs_files',`
 ########################################
 ## <summary>
@ -17530,7 +17554,7 @@ index 8416beb..843f849 100644
 ##	Read tmpfs link files.
 ## </summary>
 ## <param name="domain">
-@@ -4202,7 +5392,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4202,7 +5410,7 @@ interface(`fs_rw_tmpfs_chr_files',`
 ########################################
 ## <summary>
@ -17539,7 +17563,7 @@ index 8416beb..843f849 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4221,6 +5411,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4221,6 +5429,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
 ########################################
 ## <summary>
@ -17600,7 +17624,7 @@ index 8416beb..843f849 100644
 ##	Relabel character nodes on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
-@@ -4278,6 +5522,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4278,6 +5540,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
 ########################################
 ## <summary>
@ -17645,7 +17669,7 @@ index 8416beb..843f849 100644
 ##	Read and write, create and delete generic
 ##	files on tmpfs filesystems.
 ## </summary>
-@@ -4297,6 +5579,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4297,6 +5597,25 @@ interface(`fs_manage_tmpfs_files',`
 ########################################
 ## <summary>
@ -17671,7 +17695,7 @@ index 8416beb..843f849 100644
 ##	Read and write, create and delete symbolic
 ##	links on tmpfs filesystems.
 ## </summary>
-@@ -4407,6 +5708,25 @@ interface(`fs_search_xenfs',`
+@@ -4407,6 +5726,25 @@ interface(`fs_search_xenfs',`
 	allow $1 xenfs_t:dir search_dir_perms;
 ')
@ -17697,7 +17721,7 @@ index 8416beb..843f849 100644
 ########################################
 ## <summary>
 ##	Create, read, write, and delete directories
-@@ -4503,6 +5823,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +5841,8 @@ interface(`fs_mount_all_fs',`
 	')
 	allow $1 filesystem_type:filesystem mount;
@ -17706,7 +17730,7 @@ index 8416beb..843f849 100644
 ')
 ########################################
-@@ -4549,7 +5871,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +5889,7 @@ interface(`fs_unmount_all_fs',`
 ## <desc>
 ##	<p>
 ##	Allow the specified domain to
@ -17715,7 +17739,7 @@ index 8416beb..843f849 100644
 ##	Example attributes:
 ##	</p>
 ##	<ul>
-@@ -4596,6 +5918,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +5936,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
 ########################################
 ## <summary>
@ -17742,7 +17766,7 @@ index 8416beb..843f849 100644
 ##	Get the quotas of all filesystems.
 ## </summary>
 ## <param name="domain">
-@@ -4671,6 +6013,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +6031,25 @@ interface(`fs_getattr_all_dirs',`
 ########################################
 ## <summary>
@ -17768,7 +17792,7 @@ index 8416beb..843f849 100644
 ##	Search all directories with a filesystem type.
 ## </summary>
 ## <param name="domain">
-@@ -4912,3 +6273,63 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6291,63 @@ interface(`fs_unconfined',`
 	typeattribute $1 filesystem_unconfined_type;
 ')
@ -17833,7 +17857,7 @@ index 8416beb..843f849 100644
 +        read_files_pattern($1, efivarfs_t, efivarfs_t)
 +')
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index e7d1738..235b730 100644
+index e7d1738..b00be59 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
@@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
@ -17937,7 +17961,7 @@ index e7d1738..235b730 100644
 fs_type(pstore_t)
 files_mountpoint(pstore_t)
 dev_associate_sysfs(pstore_t)
-@@ -150,11 +179,6 @@ fs_type(spufs_t)
+@@ -150,17 +179,16 @@ fs_type(spufs_t)
 genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
 files_mountpoint(spufs_t)
@ -17949,7 +17973,17 @@ index e7d1738..235b730 100644
 type sysv_t;
 fs_noxattr_type(sysv_t)
 files_mountpoint(sysv_t)
-@@ -172,6 +196,8 @@ type vxfs_t;
+ genfscon sysv / gen_context(system_u:object_r:sysv_t,s0)
 genfscon v7 / gen_context(system_u:object_r:sysv_t,s0)
 +type tracefs_t;
 +fs_type(tracefs_t)
 +genfscon tracefs / gen_context(system_u:object_r:tracefs_t,s0)
 +
 type vmblock_t;
 fs_noxattr_type(vmblock_t)
 files_mountpoint(vmblock_t)
@@ -172,6 +200,8 @@ type vxfs_t;
 fs_noxattr_type(vxfs_t)
 files_mountpoint(vxfs_t)
 genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@ -17958,7 +17992,7 @@ index e7d1738..235b730 100644
 #
 # tmpfs_t is the type for tmpfs filesystems
-@@ -182,6 +208,8 @@ fs_type(tmpfs_t)
+@@ -182,6 +212,8 @@ fs_type(tmpfs_t)
 files_type(tmpfs_t)
 files_mountpoint(tmpfs_t)
 files_poly_parent(tmpfs_t)
@ -17967,7 +18001,7 @@ index e7d1738..235b730 100644
 # Use a transition SID based on the allocating task SID and the
 # filesystem SID to label inodes in the following filesystem types,
-@@ -261,6 +289,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -261,6 +293,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
 type removable_t;
 allow removable_t noxattrfs:filesystem associate;
 fs_noxattr_type(removable_t)
@ -17976,7 +18010,7 @@ index e7d1738..235b730 100644
 files_mountpoint(removable_t)
 #
-@@ -280,6 +310,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -280,6 +314,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@ -17984,7 +18018,7 @@ index e7d1738..235b730 100644
 ########################################
 #
-@@ -301,9 +332,10 @@ fs_associate_noxattr(noxattrfs)
+@@ -301,9 +336,10 @@ fs_associate_noxattr(noxattrfs)
 # Unconfined access to this module
 #
@ -28137,7 +28171,7 @@ index 6bf0ecc..7d0c3c3 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..69be4cf 100644
+index 8b40377..23560f0 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@ -28496,7 +28530,7 @@ index 8b40377..69be4cf 100644
 	ssh_sigchld(xauth_t)
 	ssh_read_pipes(xauth_t)
 	ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -300,64 +420,103 @@ optional_policy(`
+@@ -300,64 +420,104 @@ optional_policy(`
 # XDM Local policy
 #
@ -28596,6 +28630,7 @@ index 8b40377..69be4cf 100644
 -allow xdm_t xserver_t:process signal;
 +allow xdm_t xserver_t:process { signal signull };
 allow xdm_t xserver_t:unix_stream_socket connectto;
 +allow xdm_t xserver_t:unix_dgram_socket sendto;
 allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
 -allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
@ -28613,7 +28648,7 @@ index 8b40377..69be4cf 100644
 # connect to xdm xserver over stream socket
 stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -366,20 +525,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -366,20 +526,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
 delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
 delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@ -28646,7 +28681,7 @@ index 8b40377..69be4cf 100644
 corenet_all_recvfrom_netlabel(xdm_t)
 corenet_tcp_sendrecv_generic_if(xdm_t)
 corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -389,38 +558,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -389,38 +559,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
 corenet_udp_sendrecv_all_ports(xdm_t)
 corenet_tcp_bind_generic_node(xdm_t)
 corenet_udp_bind_generic_node(xdm_t)
@ -28700,7 +28735,7 @@ index 8b40377..69be4cf 100644
 files_read_etc_files(xdm_t)
 files_read_var_files(xdm_t)
-@@ -431,9 +611,29 @@ files_list_mnt(xdm_t)
+@@ -431,9 +612,29 @@ files_list_mnt(xdm_t)
 files_read_usr_files(xdm_t)
 # Poweroff wants to create the /poweroff file when run from xdm
 files_create_boot_flag(xdm_t)
@ -28730,7 +28765,7 @@ index 8b40377..69be4cf 100644
 storage_dontaudit_read_fixed_disk(xdm_t)
 storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,28 +642,44 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +643,44 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
 storage_dontaudit_raw_write_removable_device(xdm_t)
 storage_dontaudit_setattr_removable_dev(xdm_t)
 storage_dontaudit_rw_scsi_generic(xdm_t)
@ -28779,7 +28814,7 @@ index 8b40377..69be4cf 100644
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +688,163 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +689,163 @@ userdom_read_user_home_content_files(xdm_t)
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
@ -28949,7 +28984,7 @@ index 8b40377..69be4cf 100644
 tunable_policy(`xdm_sysadm_login',`
 	userdom_xsession_spec_domtrans_all_users(xdm_t)
 	# FIXME:
-@@ -502,12 +857,31 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,12 +858,31 @@ tunable_policy(`xdm_sysadm_login',`
 #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
 ')
@ -28981,7 +29016,7 @@ index 8b40377..69be4cf 100644
 ')
 optional_policy(`
-@@ -518,8 +892,36 @@ optional_policy(`
+@@ -518,8 +893,36 @@ optional_policy(`
 	dbus_system_bus_client(xdm_t)
 	dbus_connect_system_bus(xdm_t)
@ -29019,7 +29054,7 @@ index 8b40377..69be4cf 100644
 	')
 ')
-@@ -530,6 +932,20 @@ optional_policy(`
+@@ -530,6 +933,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -29040,7 +29075,7 @@ index 8b40377..69be4cf 100644
 	hostname_exec(xdm_t)
 ')
-@@ -547,28 +963,78 @@ optional_policy(`
+@@ -547,28 +964,78 @@ optional_policy(`
 ')
 optional_policy(`
@ -29128,7 +29163,7 @@ index 8b40377..69be4cf 100644
 ')
 optional_policy(`
-@@ -580,6 +1046,14 @@ optional_policy(`
+@@ -580,6 +1047,14 @@ optional_policy(`
 ')
 optional_policy(`
@ -29143,7 +29178,7 @@ index 8b40377..69be4cf 100644
 	xfs_stream_connect(xdm_t)
 ')
-@@ -594,7 +1068,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1069,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
 type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
 allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@ -29152,7 +29187,7 @@ index 8b40377..69be4cf 100644
 # setuid/setgid for the wrapper program to change UID
 # sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1078,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1079,11 @@ allow xserver_t input_xevent_t:x_event send;
 # execheap needed until the X module loader is fixed.
 # NVIDIA Needs execstack
@ -29165,7 +29200,7 @@ index 8b40377..69be4cf 100644
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:fd use;
 allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1095,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1096,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xserver_t self:tcp_socket create_stream_socket_perms;
 allow xserver_t self:udp_socket create_socket_perms;
@ -29181,7 +29216,7 @@ index 8b40377..69be4cf 100644
 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1111,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1112,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
 filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@ -29192,7 +29227,7 @@ index 8b40377..69be4cf 100644
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1126,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1127,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
@ -29229,7 +29264,7 @@ index 8b40377..69be4cf 100644
 corenet_all_recvfrom_netlabel(xserver_t)
 corenet_tcp_sendrecv_generic_if(xserver_t)
 corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1172,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1173,28 @@ dev_rw_apm_bios(xserver_t)
 dev_rw_agp(xserver_t)
 dev_rw_framebuffer(xserver_t)
 dev_manage_dri_dev(xserver_t)
@ -29261,7 +29296,7 @@ index 8b40377..69be4cf 100644
 # brought on by rhgb
 files_search_mnt(xserver_t)
-@@ -705,6 +1205,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1206,14 @@ fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
@ -29276,7 +29311,7 @@ index 8b40377..69be4cf 100644
 mls_xwin_read_to_clearance(xserver_t)
 selinux_validate_context(xserver_t)
-@@ -718,20 +1226,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1227,18 @@ init_getpgid(xserver_t)
 term_setattr_unallocated_ttys(xserver_t)
 term_use_unallocated_ttys(xserver_t)
@ -29300,7 +29335,7 @@ index 8b40377..69be4cf 100644
 userdom_search_user_home_dirs(xserver_t)
 userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1245,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1246,6 @@ userdom_setattr_user_ttys(xserver_t)
 userdom_read_user_tmp_files(xserver_t)
 userdom_rw_user_tmpfs_files(xserver_t)
@ -29309,7 +29344,7 @@ index 8b40377..69be4cf 100644
 ifndef(`distro_redhat',`
 	allow xserver_t self:process { execmem execheap execstack };
 	domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1289,54 @@ optional_policy(`
+@@ -785,17 +1290,54 @@ optional_policy(`
 ')
 optional_policy(`
@ -29366,7 +29401,7 @@ index 8b40377..69be4cf 100644
 ')
 optional_policy(`
-@@ -803,6 +1344,10 @@ optional_policy(`
+@@ -803,6 +1345,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -29377,7 +29412,7 @@ index 8b40377..69be4cf 100644
 	xfs_stream_connect(xserver_t)
 ')
-@@ -818,18 +1363,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1364,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
@ -29402,7 +29437,7 @@ index 8b40377..69be4cf 100644
 can_exec(xserver_t, xkb_var_lib_t)
 # VNC v4 module in X server
-@@ -842,26 +1386,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1387,21 @@ init_use_fds(xserver_t)
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -29437,7 +29472,7 @@ index 8b40377..69be4cf 100644
 ')
 optional_policy(`
-@@ -912,7 +1451,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1452,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
 allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -29446,7 +29481,7 @@ index 8b40377..69be4cf 100644
 # operations allowed on all windows
 allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -966,11 +1505,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1506,31 @@ allow x_domain self:x_resource { read write };
 # can mess with the screensaver
 allow x_domain xserver_t:x_screen { getattr saver_getattr };
@ -29478,7 +29513,7 @@ index 8b40377..69be4cf 100644
 tunable_policy(`! xserver_object_manager',`
 	# should be xserver_unconfined(x_domain),
 	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1551,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1552,148 @@ tunable_policy(`! xserver_object_manager',`
 	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
 ')
@ -42386,7 +42421,7 @@ index 40edc18..95f4458 100644
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 +
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..57c9025 100644
+index 2cea692..bf86a31 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@ -42631,7 +42666,7 @@ index 2cea692..57c9025 100644
 	')
 ')
-@@ -501,11 +669,31 @@ interface(`sysnet_delete_dhcpc_pid',`
+@@ -501,11 +669,55 @@ interface(`sysnet_delete_dhcpc_pid',`
 		type dhcpc_var_run_t;
 	')
@ -42658,12 +42693,36 @@ index 2cea692..57c9025 100644
 +    manage_files_pattern($1, dhcpc_var_run_t, dhcpc_var_run_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Create specified objects in generic
 +##	pid directories with the dhcpc pid file type.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <param name="name" optional="true">
 +##	<summary>
 +##	The name of the object being created.
 +##	</summary>
 +## </param>
 +#
 +interface(`sysnet_filetrans_dhcpc_pid',`
 +	gen_require(`
 +		type dhcpc_var_run_t;
 +	')
 +
 +	files_pid_filetrans($1, dhcpc_var_run_t, file, $2)
 +')
 +
 +#######################################
 +## <summary>
 ##	Execute ifconfig in the ifconfig domain.
 ## </summary>
 ## <param name="domain">
-@@ -610,6 +798,25 @@ interface(`sysnet_signull_ifconfig',`
+@@ -610,6 +822,25 @@ interface(`sysnet_signull_ifconfig',`
 ########################################
 ## <summary>
@ -42689,7 +42748,7 @@ index 2cea692..57c9025 100644
 ##	Read the DHCP configuration files.
 ## </summary>
 ## <param name="domain">
-@@ -626,6 +833,7 @@ interface(`sysnet_read_dhcp_config',`
+@@ -626,6 +857,7 @@ interface(`sysnet_read_dhcp_config',`
 	files_search_etc($1)
 	allow $1 dhcp_etc_t:dir list_dir_perms;
 	read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
@ -42697,7 +42756,7 @@ index 2cea692..57c9025 100644
 ')
 ########################################
-@@ -647,6 +855,26 @@ interface(`sysnet_search_dhcp_state',`
+@@ -647,6 +879,26 @@ interface(`sysnet_search_dhcp_state',`
 	allow $1 dhcp_state_t:dir search_dir_perms;
 ')
@ -42724,7 +42783,7 @@ index 2cea692..57c9025 100644
 ########################################
 ## <summary>
 ##	Create DHCP state data.
-@@ -711,8 +939,6 @@ interface(`sysnet_dns_name_resolve',`
+@@ -711,8 +963,6 @@ interface(`sysnet_dns_name_resolve',`
 	allow $1 self:udp_socket create_socket_perms;
 	allow $1 self:netlink_route_socket r_netlink_socket_perms;
@ -42733,7 +42792,7 @@ index 2cea692..57c9025 100644
 	corenet_tcp_sendrecv_generic_if($1)
 	corenet_udp_sendrecv_generic_if($1)
 	corenet_tcp_sendrecv_generic_node($1)
-@@ -720,8 +946,13 @@ interface(`sysnet_dns_name_resolve',`
+@@ -720,8 +970,13 @@ interface(`sysnet_dns_name_resolve',`
 	corenet_tcp_sendrecv_dns_port($1)
 	corenet_udp_sendrecv_dns_port($1)
 	corenet_tcp_connect_dns_port($1)
@ -42747,7 +42806,7 @@ index 2cea692..57c9025 100644
 	sysnet_read_config($1)
 	optional_policy(`
-@@ -750,8 +981,6 @@ interface(`sysnet_use_ldap',`
+@@ -750,8 +1005,6 @@ interface(`sysnet_use_ldap',`
 	allow $1 self:tcp_socket create_socket_perms;
@ -42756,7 +42815,7 @@ index 2cea692..57c9025 100644
 	corenet_tcp_sendrecv_generic_if($1)
 	corenet_tcp_sendrecv_generic_node($1)
 	corenet_tcp_sendrecv_ldap_port($1)
-@@ -760,9 +989,14 @@ interface(`sysnet_use_ldap',`
+@@ -760,9 +1013,14 @@ interface(`sysnet_use_ldap',`
 	# Support for LDAPS
 	dev_read_rand($1)
@ -42771,7 +42830,7 @@ index 2cea692..57c9025 100644
 ')
 ########################################
-@@ -784,7 +1018,6 @@ interface(`sysnet_use_portmap',`
+@@ -784,7 +1042,6 @@ interface(`sysnet_use_portmap',`
 	allow $1 self:udp_socket create_socket_perms;
 	corenet_all_recvfrom_unlabeled($1)
@ -42779,7 +42838,7 @@ index 2cea692..57c9025 100644
 	corenet_tcp_sendrecv_generic_if($1)
 	corenet_udp_sendrecv_generic_if($1)
 	corenet_tcp_sendrecv_generic_node($1)
-@@ -796,3 +1029,125 @@ interface(`sysnet_use_portmap',`
+@@ -796,3 +1053,125 @@ interface(`sysnet_use_portmap',`
 	sysnet_read_config($1)
 ')
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -3799,7 +3799,7 @@ index 7caefc3..b25689b 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/apache.if b/apache.if
-index f6eb485..f1f976b 100644
+index f6eb485..438bc20 100644
 --- a/apache.if
 +++ b/apache.if
@@ -1,9 +1,9 @@
@ -4255,10 +4255,12 @@ index f6eb485..f1f976b 100644
 -	dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
 +	dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
-+')
+ ')
-+
+ 
-+########################################
+ ########################################
-+## <summary>
+ ## <summary>
 -##	Do not audit attempts to read and
 -##	write httpd unix domain stream sockets.
 +##	Allow attempts to read and write Apache
 +##	unix domain stream sockets.
 +## </summary>
@ -4274,12 +4276,10 @@ index f6eb485..f1f976b 100644
 +	')
 +
 +	allow $1 httpd_t:unix_stream_socket { getattr read write };
- ')
+')
- 
+
- ########################################
+########################################
- ## <summary>
+## <summary>
 -##	Do not audit attempts to read and
 -##	write httpd unix domain stream sockets.
 +##	Do not audit attempts to read and write Apache
 +##	unix domain stream sockets.
 ## </summary>
@ -4752,12 +4752,32 @@ index f6eb485..f1f976b 100644
 ')
 -########################################
 +######################################
 +## <summary>
 +##	Allow the specified domain to read
 +##	apache system content rw files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`apache_read_sys_content_rw_files',`
 +	gen_require(`
 +		type httpd_sys_rw_content_t;
 +	')
 +
 +	read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 +')
 +
 +######################################
 ## <summary>
 -##	Create, read, write, and delete
 -##	httpd system rw content.
 +##	Allow the specified domain to read
-+##	apache system content rw files.
+##	apache system content rw dirs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -4767,32 +4787,12 @@ index f6eb485..f1f976b 100644
 +## <rolecap/>
 #
 -interface(`apache_manage_sys_rw_content',`
-+interface(`apache_read_sys_content_rw_files',`
+interface(`apache_read_sys_content_rw_dirs',`
 	gen_require(`
 		type httpd_sys_rw_content_t;
 	')
 -	apache_search_sys_content($1)
 +	read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 +')
 +
 +######################################
 +## <summary>
 +##	Allow the specified domain to read
 +##	apache system content rw dirs.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`apache_read_sys_content_rw_dirs',`
 +	gen_require(`
 +		type httpd_sys_rw_content_t;
 +	')
 +
 +	list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 +')
 +
@ -5146,7 +5146,7 @@ index f6eb485..f1f976b 100644
 	admin_pattern($1, httpd_log_t)
 	admin_pattern($1, httpd_modules_t)
-@@ -1224,9 +1500,160 @@ interface(`apache_admin',`
+@@ -1224,9 +1500,182 @@ interface(`apache_admin',`
 	admin_pattern($1, httpd_var_run_t)
 	files_pid_filetrans($1, httpd_var_run_t, file)
@ -5282,7 +5282,9 @@ index f6eb485..f1f976b 100644
 +		type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t;
 +		type httpd_user_content_ra_t;
 +	')
-+
+ 
 -	apache_run_all_scripts($1, $2)
 -	apache_run_helper($1, $2)
 +	userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html")
 +	userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www")
 +	userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web")
@ -5305,11 +5307,31 @@ index f6eb485..f1f976b 100644
 +	gen_require(`
 +		type httpd_var_run_t;
 +	')
- 
+
 -	apache_run_all_scripts($1, $2)
 -	apache_run_helper($1, $2)
 +	files_search_pids($1)
 +	read_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
 +')
 +
 +########################################
 +## <summary>
 +##      Send and receive messages from
 +##      httpd over dbus.
 +## </summary>
 +## <param name="domain">
 +##      <summary>
 +##      Domain allowed access.
 +##      </summary>
 +## </param>
 +#
 +interface(`apache_dbus_chat',`
 +        gen_require(`
 +                type httpd_t;
 +                class dbus send_msg;
 +        ')
 +
 +        allow $1 httpd_t:dbus send_msg;
 +        allow httpd_t $1:dbus send_msg;
 +		ps_process_pattern(httpd_t, $1)
 ')
 diff --git a/apache.te b/apache.te
 index 6649962..1862dfb 100644
@ -7819,7 +7841,7 @@ index f3c0aba..f6e25ed 100644
 +	files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
 ')
 diff --git a/apcupsd.te b/apcupsd.te
-index 080bc4d..5b4d973 100644
+index 080bc4d..f46078f 100644
 --- a/apcupsd.te
 +++ b/apcupsd.te
@@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t)
@ -7849,7 +7871,12 @@ index 080bc4d..5b4d973 100644
 logging_log_filetrans(apcupsd_t, apcupsd_log_t, file)
 manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
-@@ -54,7 +61,6 @@ kernel_read_system_state(apcupsd_t)
+@@ -50,11 +57,11 @@ manage_files_pattern(apcupsd_t, apcupsd_var_run_t, apcupsd_var_run_t)
 files_pid_filetrans(apcupsd_t, apcupsd_var_run_t, file)
 kernel_read_system_state(apcupsd_t)
 +kernel_read_network_state(apcupsd_t)
 corecmd_exec_bin(apcupsd_t)
 corecmd_exec_shell(apcupsd_t)
@ -7857,7 +7884,7 @@ index 080bc4d..5b4d973 100644
 corenet_all_recvfrom_netlabel(apcupsd_t)
 corenet_tcp_sendrecv_generic_if(apcupsd_t)
 corenet_tcp_sendrecv_generic_node(apcupsd_t)
-@@ -67,26 +73,41 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
+@@ -67,26 +74,41 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
 corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
 corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
 corenet_tcp_connect_apcupsd_port(apcupsd_t)
@ -7904,7 +7931,7 @@ index 080bc4d..5b4d973 100644
 optional_policy(`
 	hostname_exec(apcupsd_t)
-@@ -101,6 +122,11 @@ optional_policy(`
+@@ -101,6 +123,11 @@ optional_policy(`
 	shutdown_domtrans(apcupsd_t)
 ')
@ -7916,7 +7943,7 @@ index 080bc4d..5b4d973 100644
 ########################################
 #
 # CGI local policy
-@@ -108,20 +134,20 @@ optional_policy(`
+@@ -108,20 +135,20 @@ optional_policy(`
 optional_policy(`
 	apache_content_template(apcupsd_cgi)
@ -29909,10 +29936,10 @@ index 0000000..c4d2c2d
 +')
 diff --git a/fwupd.te b/fwupd.te
 new file mode 100644
-index 0000000..8937282
+index 0000000..53ba6cd
 --- /dev/null
 +++ b/fwupd.te
-@@ -0,0 +1,48 @@
+@@ -0,0 +1,50 @@
 +policy_module(fwupd, 1.0.0)
 +
 +########################################
@ -29956,6 +29983,8 @@ index 0000000..8937282
 +dev_rw_sysfs(fwupd_t)
 +dev_rw_generic_usb_dev(fwupd_t)
 +
 +fs_getattr_all_fs(fwupd_t)
 +
 +udev_read_pid_files(fwupd_t)
 +
 +optional_policy(`
@ -54538,7 +54567,7 @@ index b708708..f4c0e61 100644
 +	apache_search_sys_content(munin_t)
 +')
 diff --git a/mysql.fc b/mysql.fc
-index 06f8666..c2c13aa 100644
+index 06f8666..4599ab5 100644
 --- a/mysql.fc
 +++ b/mysql.fc
@@ -1,27 +1,46 @@
@ -54581,7 +54610,8 @@ index 06f8666..c2c13aa 100644
 +/usr/libexec/mysqld_safe-scl-helper --  gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
 +
- /usr/sbin/mysqld(-max)?	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
+-/usr/sbin/mysqld(-max)?	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
 +/usr/sbin/mysqld(-max|-debug)?	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
 /usr/sbin/mysqlmanager	--	gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
 -/usr/sbin/ndbd	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
 +/usr/sbin/ndbd		--	gen_context(system_u:object_r:mysqld_exec_t,s0)
@ -54591,7 +54621,7 @@ index 06f8666..c2c13aa 100644
 +#
 +# /var
 +#
-+/var/lib/mysql(/.*)?		gen_context(system_u:object_r:mysqld_db_t,s0)
+/var/lib/mysql(-files)?(/.*)?		gen_context(system_u:object_r:mysqld_db_t,s0)
 +/var/lib/mysql/mysql\.sock -s	gen_context(system_u:object_r:mysqld_var_run_t,s0)
 /var/log/mariadb(/.*)?	gen_context(system_u:object_r:mysqld_log_t,s0)
@ -62609,7 +62639,7 @@ index c87bd2a..4c17c99 100644
 +	')
 ')
 diff --git a/oddjob.te b/oddjob.te
-index e403097..033911e 100644
+index e403097..45d387d 100644
 --- a/oddjob.te
 +++ b/oddjob.te
@@ -5,8 +5,6 @@ policy_module(oddjob, 1.10.0)
@ -62666,14 +62696,14 @@ index e403097..033911e 100644
 locallogin_dontaudit_use_fds(oddjob_t)
-@@ -65,28 +65,24 @@ optional_policy(`
+@@ -66,27 +66,27 @@ optional_policy(`
 	dbus_connect_system_bus(oddjob_t)
 ')
-optional_policy(`
+ optional_policy(`
 -	unconfined_domtrans(oddjob_t)
-')
+	apache_dbus_chat(oddjob_t)
-
+ ')
 ########################################
 #
 -# Mkhomedir local policy
@ -62699,7 +62729,7 @@ index e403097..033911e 100644
 selinux_get_fs_mount(oddjob_mkhomedir_t)
 selinux_validate_context(oddjob_mkhomedir_t)
 selinux_compute_access_vector(oddjob_mkhomedir_t)
-@@ -98,8 +94,11 @@ seutil_read_config(oddjob_mkhomedir_t)
+@@ -98,8 +98,11 @@ seutil_read_config(oddjob_mkhomedir_t)
 seutil_read_file_contexts(oddjob_mkhomedir_t)
 seutil_read_default_contexts(oddjob_mkhomedir_t)
@ -65525,7 +65555,7 @@ index 9b15730..cb00f20 100644
 +	')
 ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 44dbc99..fce33b0 100644
+index 44dbc99..ede6e1c 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
@@ -9,11 +9,8 @@ type openvswitch_t;
@ -65557,7 +65587,7 @@ index 44dbc99..fce33b0 100644
 -allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock };
 -allow openvswitch_t self:process { setrlimit setsched signal };
-+allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_resource };
+allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource };
 +allow openvswitch_t self:capability2 block_suspend;
 +allow openvswitch_t self:process { fork setsched setrlimit signal };
 allow openvswitch_t self:fifo_file rw_fifo_file_perms;
@ -65591,7 +65621,7 @@ index 44dbc99..fce33b0 100644
 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
 logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
-@@ -65,33 +69,48 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
+@@ -65,33 +69,49 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
 manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
 files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
@ -65627,7 +65657,8 @@ index 44dbc99..fce33b0 100644
 fs_getattr_all_fs(openvswitch_t)
 fs_search_cgroup_dirs(openvswitch_t)
-+fs_rw_hugetlbfs_files(openvswitch_t)
+fs_manage_hugetlbfs_files(openvswitch_t)
 +fs_manage_hugetlbfs_dirs(openvswitch_t)
 +
 +auth_use_nsswitch(openvswitch_t)
@ -108851,7 +108882,7 @@ index a4f20bc..58f9c69 100644
 +/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index facdee8..19b6ffb 100644
+index facdee8..65b5a0d 100644
 --- a/virt.if
 +++ b/virt.if
@@ -1,318 +1,226 @@
@ -110497,7 +110528,7 @@ index facdee8..19b6ffb 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -935,117 +1266,133 @@ interface(`virt_read_log',`
+@@ -935,117 +1266,134 @@ interface(`virt_read_log',`
 ##	</summary>
 ## </param>
 #
@ -110549,6 +110580,7 @@ index facdee8..19b6ffb 100644
 +	logging_send_syslog_msg($1_t)
 +
 +	kernel_read_system_state($1_t)
 +	kernel_read_all_proc($1_t)
 ')
 ########################################
@ -110683,7 +110715,7 @@ index facdee8..19b6ffb 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1053,15 +1400,17 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,15 +1401,17 @@ interface(`virt_rw_all_image_chr_files',`
 ##	</summary>
 ## </param>
 #
@ -110706,7 +110738,7 @@ index facdee8..19b6ffb 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1069,21 +1418,17 @@ interface(`virt_manage_svirt_cache',`
+@@ -1069,21 +1419,17 @@ interface(`virt_manage_svirt_cache',`
 ##	</summary>
 ## </param>
 #
@ -110732,7 +110764,7 @@ index facdee8..19b6ffb 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1091,36 +1436,36 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1437,36 @@ interface(`virt_manage_virt_cache',`
 ##	</summary>
 ## </param>
 #
@ -110789,7 +110821,7 @@ index facdee8..19b6ffb 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1136,50 +1481,76 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1482,76 @@ interface(`virt_manage_images',`
 #
 interface(`virt_admin',`
 	gen_require(`
@ -110899,7 +110931,7 @@ index facdee8..19b6ffb 100644
 +        ps_process_pattern(virtd_t, $1)
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..7056171 100644
+index f03dcf5..f347621 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,150 +1,248 @@
@ -111221,7 +111253,7 @@ index f03dcf5..7056171 100644
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
 ')
-@@ -153,299 +251,135 @@ ifdef(`enable_mls',`
+@@ -153,299 +251,137 @@ ifdef(`enable_mls',`
 	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
 ')
@ -111486,24 +111518,25 @@ index f03dcf5..7056171 100644
 -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
 -
 -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
 +allow svirt_t self:process ptrace;
 -corenet_udp_sendrecv_generic_if(svirt_t)
 -corenet_udp_sendrecv_generic_node(svirt_t)
 -corenet_udp_sendrecv_all_ports(svirt_t)
 -corenet_udp_bind_generic_node(svirt_t)
 +# it was a part of auth_use_nsswitch
 +allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
 corenet_udp_sendrecv_generic_if(svirt_t)
 corenet_udp_sendrecv_generic_node(svirt_t)
 corenet_udp_sendrecv_all_ports(svirt_t)
 corenet_udp_bind_generic_node(svirt_t)
 -
 -corenet_all_recvfrom_unlabeled(svirt_t)
 -corenet_all_recvfrom_netlabel(svirt_t)
 -corenet_tcp_sendrecv_generic_if(svirt_t)
-corenet_udp_sendrecv_generic_if(svirt_t)
+ corenet_udp_sendrecv_generic_if(svirt_t)
 -corenet_tcp_sendrecv_generic_node(svirt_t)
-corenet_udp_sendrecv_generic_node(svirt_t)
+ corenet_udp_sendrecv_generic_node(svirt_t)
 -corenet_tcp_sendrecv_all_ports(svirt_t)
-corenet_udp_sendrecv_all_ports(svirt_t)
+ corenet_udp_sendrecv_all_ports(svirt_t)
 -corenet_tcp_bind_generic_node(svirt_t)
-corenet_udp_bind_generic_node(svirt_t)
+ corenet_udp_bind_generic_node(svirt_t)
 -
 -corenet_sendrecv_all_server_packets(svirt_t)
 corenet_udp_bind_all_ports(svirt_t)
@ -111599,7 +111632,7 @@ index f03dcf5..7056171 100644
 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
 read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +389,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +391,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
 manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
 filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@ -111646,7 +111679,7 @@ index f03dcf5..7056171 100644
 logging_log_filetrans(virtd_t, virt_log_t, { file dir })
 manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,23 +424,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,23 +426,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
 manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
 files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@ -111677,7 +111710,7 @@ index f03dcf5..7056171 100644
 corecmd_exec_bin(virtd_t)
 corecmd_exec_shell(virtd_t)
-@@ -527,24 +445,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +447,16 @@ corecmd_exec_shell(virtd_t)
 corenet_all_recvfrom_netlabel(virtd_t)
 corenet_tcp_sendrecv_generic_if(virtd_t)
 corenet_tcp_sendrecv_generic_node(virtd_t)
@ -111705,7 +111738,7 @@ index f03dcf5..7056171 100644
 dev_rw_sysfs(virtd_t)
 dev_read_urand(virtd_t)
 dev_read_rand(virtd_t)
-@@ -555,20 +465,26 @@ dev_rw_vhost(virtd_t)
+@@ -555,20 +467,26 @@ dev_rw_vhost(virtd_t)
 dev_setattr_generic_usb_dev(virtd_t)
 dev_relabel_generic_usb_dev(virtd_t)
@ -111736,7 +111769,7 @@ index f03dcf5..7056171 100644
 fs_list_auto_mountpoints(virtd_t)
 fs_getattr_all_fs(virtd_t)
 fs_rw_anon_inodefs_files(virtd_t)
-@@ -601,15 +517,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +519,18 @@ term_use_ptmx(virtd_t)
 auth_use_nsswitch(virtd_t)
@ -111756,7 +111789,7 @@ index f03dcf5..7056171 100644
 selinux_validate_context(virtd_t)
-@@ -620,18 +539,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +541,26 @@ seutil_read_file_contexts(virtd_t)
 sysnet_signull_ifconfig(virtd_t)
 sysnet_signal_ifconfig(virtd_t)
 sysnet_domtrans_ifconfig(virtd_t)
@ -111793,7 +111826,7 @@ index f03dcf5..7056171 100644
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virtd_t)
-@@ -640,7 +567,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -640,7 +569,7 @@ tunable_policy(`virt_use_nfs',`
 ')
 tunable_policy(`virt_use_samba',`
@ -111802,7 +111835,7 @@ index f03dcf5..7056171 100644
 	fs_manage_cifs_files(virtd_t)
 	fs_read_cifs_symlinks(virtd_t)
 ')
-@@ -665,20 +592,12 @@ optional_policy(`
+@@ -665,20 +594,12 @@ optional_policy(`
 	')
 	optional_policy(`
@ -111823,7 +111856,7 @@ index f03dcf5..7056171 100644
 ')
 optional_policy(`
-@@ -691,20 +610,26 @@ optional_policy(`
+@@ -691,20 +612,26 @@ optional_policy(`
 	dnsmasq_kill(virtd_t)
 	dnsmasq_signull(virtd_t)
 	dnsmasq_create_pid_dirs(virtd_t)
@ -111834,11 +111867,12 @@ index f03dcf5..7056171 100644
 ')
 optional_policy(`
 -	iptables_domtrans(virtd_t)
 +	firewalld_dbus_chat(virtd_t)
 +')
 +
 +optional_policy(`
- 	iptables_domtrans(virtd_t)
+	iptables_domtrans(virtd_t)
 	iptables_initrc_domtrans(virtd_t)
 +	iptables_systemctl(virtd_t)
 +
@ -111854,7 +111888,7 @@ index f03dcf5..7056171 100644
 ')
 optional_policy(`
-@@ -712,11 +637,18 @@ optional_policy(`
+@@ -712,11 +639,18 @@ optional_policy(`
 ')
 optional_policy(`
@ -111873,7 +111907,7 @@ index f03dcf5..7056171 100644
 	policykit_domtrans_auth(virtd_t)
 	policykit_domtrans_resolve(virtd_t)
 	policykit_read_lib(virtd_t)
-@@ -727,10 +659,18 @@ optional_policy(`
+@@ -727,10 +661,18 @@ optional_policy(`
 ')
 optional_policy(`
@ -111892,7 +111926,7 @@ index f03dcf5..7056171 100644
 	kernel_read_xen_state(virtd_t)
 	kernel_write_xen_state(virtd_t)
-@@ -746,44 +686,278 @@ optional_policy(`
+@@ -746,44 +688,278 @@ optional_policy(`
 	udev_read_pid_files(virtd_t)
 ')
@ -111930,13 +111964,7 @@ index f03dcf5..7056171 100644
 -manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
 +kernel_read_net_sysctls(virt_domain)
 +kernel_read_network_state(virt_domain)
- 
+
 -manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 -manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 -manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 -manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 -manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 -manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 +userdom_search_user_home_content(virt_domain)
 +userdom_read_user_home_content_symlinks(virt_domain)
 +userdom_read_all_users_state(virt_domain)
@ -111946,15 +111974,17 @@ index f03dcf5..7056171 100644
 +manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
 +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
 +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
- 
+
 -manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
 +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
 +files_var_filetrans(virt_domain, virt_cache_t, { file dir })
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 -manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 -manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 -manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 -manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 -manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
 +
 +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@ -111987,14 +112017,18 @@ index f03dcf5..7056171 100644
 +
 +dontaudit virtd_t virt_domain:process  { siginh noatsecure rlimitinh };
-allow virsh_t svirt_lxc_domain:process transition;
+-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 +dontaudit virt_domain virt_tmpfs_type:file { read write };
-can_exec(virsh_t, virsh_exec_t)
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
 +append_files_pattern(virt_domain, virt_log_t, virt_log_t)
-+
+ 
 -allow virsh_t svirt_lxc_domain:process transition;
 +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-+
+ 
 -can_exec(virsh_t, virsh_exec_t)
 +corecmd_exec_bin(virt_domain)
 +corecmd_exec_shell(virt_domain)
 +
@ -112074,7 +112108,7 @@ index f03dcf5..7056171 100644
 +	sssd_dontaudit_read_lib(virt_domain)
 +	sssd_dontaudit_read_public_files(virt_domain)
 +')
-+
+ 
 +optional_policy(`
 +	virt_read_config(virt_domain)
 +	virt_read_lib_files(virt_domain)
@ -112139,7 +112173,7 @@ index f03dcf5..7056171 100644
 +		xserver_stream_connect(virt_domain)
 +	')
 +')
- 
+
 +########################################
 +#
 +# xm local policy
@ -112193,7 +112227,7 @@ index f03dcf5..7056171 100644
 kernel_read_system_state(virsh_t)
 kernel_read_network_state(virsh_t)
 kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +968,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +970,18 @@ kernel_write_xen_state(virsh_t)
 corecmd_exec_bin(virsh_t)
 corecmd_exec_shell(virsh_t)
@ -112220,7 +112254,7 @@ index f03dcf5..7056171 100644
 fs_getattr_all_fs(virsh_t)
 fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +988,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +990,25 @@ fs_search_auto_mountpoints(virsh_t)
 storage_raw_read_fixed_disk(virsh_t)
@ -112254,7 +112288,7 @@ index f03dcf5..7056171 100644
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1025,20 @@ optional_policy(`
+@@ -856,14 +1027,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -112276,7 +112310,7 @@ index f03dcf5..7056171 100644
 	xen_stream_connect(virsh_t)
 	xen_stream_connect_xenstore(virsh_t)
 ')
-@@ -888,49 +1063,65 @@ optional_policy(`
+@@ -888,49 +1065,65 @@ optional_policy(`
 	kernel_read_xen_state(virsh_ssh_t)
 	kernel_write_xen_state(virsh_ssh_t)
@ -112360,7 +112394,7 @@ index f03dcf5..7056171 100644
 corecmd_exec_bin(virtd_lxc_t)
 corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1133,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1135,16 @@ dev_read_urand(virtd_lxc_t)
 domain_use_interactive_fds(virtd_lxc_t)
@ -112380,7 +112414,7 @@ index f03dcf5..7056171 100644
 fs_getattr_all_fs(virtd_lxc_t)
 fs_manage_tmpfs_dirs(virtd_lxc_t)
 fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1154,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1156,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
 fs_unmount_all_fs(virtd_lxc_t)
 fs_relabelfrom_tmpfs(virtd_lxc_t)
@ -112404,7 +112438,7 @@ index f03dcf5..7056171 100644
 selinux_get_enforce_mode(virtd_lxc_t)
 selinux_get_fs_mount(virtd_lxc_t)
 selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1179,343 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1181,343 @@ selinux_compute_create_context(virtd_lxc_t)
 selinux_compute_relabel_context(virtd_lxc_t)
 selinux_compute_user_contexts(virtd_lxc_t)
@ -112889,7 +112923,7 @@ index f03dcf5..7056171 100644
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1528,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1530,12 @@ dev_read_sysfs(virt_qmf_t)
 dev_read_rand(virt_qmf_t)
 dev_read_urand(virt_qmf_t)
@ -112904,7 +112938,7 @@ index f03dcf5..7056171 100644
 sysnet_read_config(virt_qmf_t)
 optional_policy(`
-@@ -1192,7 +1546,7 @@ optional_policy(`
+@@ -1192,7 +1548,7 @@ optional_policy(`
 ########################################
 #
@ -112913,7 +112947,7 @@ index f03dcf5..7056171 100644
 #
 allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1555,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1557,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
 allow virt_bridgehelper_t self:tun_socket create_socket_perms;
 allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 168%{?dist}
+Release: 169%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -664,6 +664,16 @@ exit 0
 %endif
 %changelog
 * Wed Feb 03 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-169
 - Allow openvswitch domain capability sys_rawio.
 - Revert "Allow NetworkManager create dhcpc pid files. BZ(1229755)"
 - Allow openvswitch to manage hugetlfs files and dirs.
 - Allow NetworkManager create dhcpc pid files. BZ(1229755)
 - Allow apcupsd to read kernel network state. BZ(1282003)
 - Label /sys/kernel/debug/tracing filesystem
 - Add fs_manage_hugetlbfs_files() interface.
 - Add sysnet_filetrans_dhcpc_pid() interface.
 * Wed Jan 20 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-168
 - Label virtlogd binary as virtd_exec_t. BZ(1291940)
 - Allow iptables to read nsfs files. BZ(1296826)