From f1ab24fa937ea86e7399823602650d46feb3c8c1 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Tue, 1 Sep 2015 18:25:49 +0200 Subject: [PATCH] * Tue Sep 01 2015 Lukas Vrabec 3.13.1-146 - Allow passenger to getattr filesystem xattr - Revert "Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc." - Label mdadm.conf.anackbak as mdadm_conf_t file. - Allow dnssec-ttrigger to relabel net_conf_t files. BZ(1251765) - Allow dnssec-trigger to exec pidof. BZ(#1256737) - Allow blueman to create own tmp files in /tmp. (#1234647) - Add new audit_read access vector in capability2 class - Add "binder" security class and access vectors - Update netlink socket classes. - Allow getty to read network state. BZ(#1255177) - Remove labeling for /var/db/.*\.db as etc_t to label db files as system_db_t. --- policy-rawhide-base.patch | 250 ++++++++++++++++++------- policy-rawhide-contrib.patch | 343 +++++++++++++++++++++++++++++------ selinux-policy.spec | 15 +- 3 files changed, 479 insertions(+), 129 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 1568f3c4..f7031bd4 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -801,7 +801,7 @@ index 5061a5f..0000000 -.SH "SEE ALSO" -selinux(8), ypbind(8), chcon(1), setsebool(8) diff --git a/policy/constraints b/policy/constraints -index 3a45f23..f4754f0 100644 +index 3a45f23..ee7d7b3 100644 --- a/policy/constraints +++ b/policy/constraints @@ -105,6 +105,18 @@ constrain process { transition dyntransition noatsecure siginh rlimitinh } 
@@ -823,8 +823,23 @@ index 3a45f23..f4754f0 100644 # These permissions do not have ubac constraints: # fork # setexec +@@ -150,6 +162,14 @@ exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock) + exempted_ubac_constraint(appletalk_socket, ubacsock) + exempted_ubac_constraint(dccp_socket, ubacsock) + exempted_ubac_constraint(tun_socket, ubacsock) ++exempted_ubac_constraint(netlink_iscsi_socket, ubacsock) ++exempted_ubac_constraint(netlink_fib_lookup_socket, ubacsock) ++exempted_ubac_constraint(netlink_connector_socket, ubacsock) ++exempted_ubac_constraint(netlink_netfilter_socket, ubacsock) ++exempted_ubac_constraint(netlink_generic_socket, ubacsock) ++exempted_ubac_constraint(netlink_scsitransport_socket, ubacsock) ++exempted_ubac_constraint(netlink_rdma_socket, ubacsock) ++exempted_ubac_constraint(netlink_crypto_socket, ubacsock) + + constrain socket_class_set { create relabelto relabelfrom } + ( diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index a94b169..1afd77b 100644 +index a94b169..2e137e6 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -329,6 +329,7 @@ class process @@ -849,7 +864,7 @@ index a94b169..1afd77b 100644 } # -@@ -443,10 +451,12 @@ class capability +@@ -443,10 +451,13 @@ class capability class capability2 { mac_override # unused by SELinux @@ -860,10 +875,11 @@ index a94b169..1afd77b 100644 + epolwakeup block_suspend + compromise_kernel ++ audit_read } # -@@ -690,6 +700,8 @@ class nscd +@@ -690,6 +701,8 @@ class nscd shmemhost getserv shmemserv 
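Review bot: The `++ audit_read` line in the capability2 hunk defines the permission, but nothing in this commit grants it, so once the policy knows the name the kernel checks it explicitly for whichever domain binds the audit multicast group (auditd/audisp-style readers); if the build treats unknown permissions as allowed, that turns a previously unchecked access into a denial. Worth confirming the contrib patch carries a matching `allow <AUDIT_READER_DOMAIN> self:capability2 audit_read;` (placeholder for the real domain) or that the new denial is intended. The `++exempted_ubac_constraint(netlink_*_socket, ubacsock)` lines in the constraints hunk mirror the existing netlink entries and look consistent.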
@@ -872,7 +888,46 @@ index a94b169..1afd77b 100644 } # Define the access vector interpretation for controlling -@@ -865,3 +877,18 @@ inherits database +@@ -831,6 +844,38 @@ inherits socket + attach_queue + } + ++class binder ++{ ++ impersonate ++ call ++ set_context_mgr ++ transfer ++} ++ ++class netlink_iscsi_socket ++inherits socket ++ ++class netlink_fib_lookup_socket ++inherits socket ++ ++class netlink_connector_socket ++inherits socket ++ ++class netlink_netfilter_socket ++inherits socket ++ ++class netlink_generic_socket ++inherits socket ++ ++class netlink_scsitransport_socket ++inherits socket ++ ++class netlink_rdma_socket ++inherits socket ++ ++class netlink_crypto_socket ++inherits socket ++ + class x_pointer + inherits x_device + +@@ -865,3 +910,18 @@ inherits database implement execute } @@ -892,10 +947,29 @@ index a94b169..1afd77b 100644 + read +} diff --git a/policy/flask/security_classes b/policy/flask/security_classes -index 14a4799..db2e4a0 100644 +index 14a4799..9bb9aa4 100644 --- a/policy/flask/security_classes +++ b/policy/flask/security_classes -@@ -131,4 +131,11 @@ class db_view # userspace +@@ -121,6 +121,18 @@ class kernel_service + + class tun_socket + ++class binder ++ ++# Updated netlink classes for more recent netlink protocols. ++class netlink_iscsi_socket ++class netlink_fib_lookup_socket ++class netlink_connector_socket ++class netlink_netfilter_socket ++class netlink_generic_socket ++class netlink_scsitransport_socket ++class netlink_rdma_socket ++class netlink_crypto_socket ++ + # Still More SE-X Windows stuff + class x_pointer # userspace + class x_keyboard # userspace +@@ -131,4 +143,11 @@ class db_view # userspace class db_sequence # userspace class db_language # userspace @@ -1174,10 +1248,10 @@ index 216b3d1..064ec83 100644 + ') dnl end enable_mcs diff --git a/policy/mls b/policy/mls -index f11e5e2..9e0c245 100644 +index f11e5e2..2d2ab83 100644 --- a/policy/mls 
+++ b/policy/mls -@@ -156,9 +156,6 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod } +@@ -156,15 +156,12 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod } # these access vectors have no MLS restrictions # filesystem { transition associate } 
@@ -1187,7 +1261,28 @@ index f11e5e2..9e0c245 100644 # # MLS policy for the socket classes # -@@ -195,7 +192,8 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s + + # new socket labels must be dominated by the relabeling subjects clearance +-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto ++mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } relabelto + ( h1 dom h2 ); + + # the socket "read+write" ops +@@ -180,7 +177,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s + + + # the socket "read" ops (note the check is dominance of the low level) +-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg } ++mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket 
netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { read getattr listen accept getopt recv_msg } + (( l1 dom l2 ) or + (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsnetread )); +@@ -191,11 +188,12 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock + ( t1 == mlsnetread )); + + # the socket "write" ops +-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown } ++mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { write setattr relabelfrom connect setopt shutdown } (( l1 eq l2 ) or (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or @@ -1802,7 +1897,7 @@ index c6ca761..0c86bfd 100644 ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index c44c359..e679c18 100644 +index c44c359..5210ca5 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te 
@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1) @@ -1818,7 +1913,7 @@ index c44c359..e679c18 100644 type netutils_t; type netutils_exec_t; -@@ -33,7 +33,7 @@ init_system_domain(traceroute_t, traceroute_exec_t) +@@ -33,25 +33,28 @@ init_system_domain(traceroute_t, traceroute_exec_t) # # Perform network administration operations and have raw access to the network. @@ -1827,7 +1922,10 @@ index c44c359..e679c18 100644 dontaudit netutils_t self:capability { dac_override sys_tty_config }; allow netutils_t self:process { setcap signal_perms }; allow netutils_t self:netlink_route_socket create_netlink_socket_perms; -@@ -42,16 +42,17 @@ allow netutils_t self:packet_socket create_socket_perms; + allow netutils_t self:netlink_socket create_socket_perms; ++# For tcpdump. ++allow netutils_t self:netlink_netfilter_socket create_socket_perms; + allow netutils_t self:packet_socket create_socket_perms; allow netutils_t self:udp_socket create_socket_perms; allow netutils_t self:tcp_socket create_stream_socket_perms; allow netutils_t self:socket create_socket_perms; @@ -1847,7 +1945,7 @@ index c44c359..e679c18 100644 corenet_all_recvfrom_netlabel(netutils_t) corenet_tcp_sendrecv_generic_if(netutils_t) corenet_raw_sendrecv_generic_if(netutils_t) -@@ -66,6 +67,9 @@ corenet_sendrecv_all_client_packets(netutils_t) +@@ -66,6 +69,9 @@ corenet_sendrecv_all_client_packets(netutils_t) corenet_udp_bind_generic_node(netutils_t) dev_read_sysfs(netutils_t) @@ -1857,7 +1955,7 @@ index c44c359..e679c18 100644 fs_getattr_xattr_fs(netutils_t) -@@ -80,12 +84,12 @@ init_use_script_ptys(netutils_t) +@@ -80,12 +86,12 @@ init_use_script_ptys(netutils_t) auth_use_nsswitch(netutils_t) 
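Review bot: The new `allow netutils_t self:netlink_netfilter_socket create_socket_perms;` only takes effect on a kernel that maps that netlink protocol to the new class; on kernels that do not distinguish it, the traffic still falls under the generic `netlink_socket` class, so keeping the `self:netlink_socket` rule directly above it (as this hunk does) is correct and should not be dropped later as redundant. The same per-protocol grants in the iptables.te, netlabel.te, sysnetwork.te (ifconfig_t) and udev.te hunks lack the why-comment this one has; a one-line comment naming the consumer, as `# For tcpdump.` does here, would keep those grants reviewable.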
@@ -1873,7 +1971,7 @@ index c44c359..e679c18 100644 userdom_use_all_users_fds(netutils_t) optional_policy(` -@@ -110,11 +114,10 @@ allow ping_t self:capability { setuid net_raw }; +@@ -110,11 +116,10 @@ allow ping_t self:capability { setuid net_raw }; allow ping_t self:process { getcap setcap }; dontaudit ping_t self:capability sys_tty_config; allow ping_t self:tcp_socket create_socket_perms; @@ -1887,7 +1985,7 @@ index c44c359..e679c18 100644 corenet_all_recvfrom_netlabel(ping_t) corenet_tcp_sendrecv_generic_if(ping_t) corenet_raw_sendrecv_generic_if(ping_t) -@@ -124,6 +127,9 @@ corenet_raw_bind_generic_node(ping_t) +@@ -124,6 +129,9 @@ corenet_raw_bind_generic_node(ping_t) corenet_tcp_sendrecv_all_ports(ping_t) fs_dontaudit_getattr_xattr_fs(ping_t) @@ -1897,7 +1995,7 @@ index c44c359..e679c18 100644 domain_use_interactive_fds(ping_t) -@@ -131,14 +137,13 @@ files_read_etc_files(ping_t) +@@ -131,14 +139,13 @@ files_read_etc_files(ping_t) files_dontaudit_search_var(ping_t) kernel_read_system_state(ping_t) @@ -1915,7 +2013,7 @@ index c44c359..e679c18 100644 ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) -@@ -149,11 +154,25 @@ ifdef(`hide_broken_symptoms',` +@@ -149,11 +156,25 @@ ifdef(`hide_broken_symptoms',` ') ') @@ -1941,7 +2039,7 @@ index c44c359..e679c18 100644 pcmcia_use_cardmgr_fds(ping_t) ') -@@ -161,6 +180,15 @@ optional_policy(` +@@ -161,6 +182,15 @@ optional_policy(` hotplug_use_fds(ping_t) ') @@ -1957,7 +2055,7 @@ index c44c359..e679c18 100644 ######################################## # # Traceroute local policy -@@ -174,7 +202,6 @@ allow traceroute_t self:udp_socket create_socket_perms; +@@ -174,7 +204,6 @@ allow traceroute_t self:udp_socket create_socket_perms; kernel_read_system_state(traceroute_t) kernel_read_network_state(traceroute_t) 
@@ -1965,7 +2063,7 @@ index c44c359..e679c18 100644 corenet_all_recvfrom_netlabel(traceroute_t) corenet_tcp_sendrecv_generic_if(traceroute_t) corenet_udp_sendrecv_generic_if(traceroute_t) -@@ -198,6 +225,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) +@@ -198,6 +227,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) @@ -1973,7 +2071,7 @@ index c44c359..e679c18 100644 files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) -@@ -206,11 +234,17 @@ auth_use_nsswitch(traceroute_t) +@@ -206,11 +236,17 @@ auth_use_nsswitch(traceroute_t) logging_send_syslog_msg(traceroute_t) @@ -10507,7 +10605,7 @@ index cf04cb5..e8da15e 100644 + unconfined_server_stream_connect(domain) +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index b876c48..a351aff 100644 +index b876c48..03f9342 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -10717,7 +10815,7 @@ index b876c48..a351aff 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -229,19 +243,34 @@ ifndef(`distro_redhat',` +@@ -229,19 +243,33 @@ ifndef(`distro_redhat',` # # /var # @@ -10726,8 +10824,8 @@ index b876c48..a351aff 100644 /var/.* gen_context(system_u:object_r:var_t,s0) /var/\.journal <> +-/var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0) +/var/db(/.*)? gen_context(system_u:object_r:system_db_t,s0) - /var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0) /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) 
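Review bot: Turning the `/var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0)` entry into a removal (`+-/var/db/.*\.db ...`) makes those databases fall through to the `/var/db(/.*)?` system_db_t rule, which is a tightening: etc_t is readable through the widely used files_read_etc_files family, system_db_t is not. Any confined domain that resolves names through glibc's nss_db backend (which reads .db files under /var/db) may start hitting denials; confirm that path has a system_db_t read interface or is covered by auth_use_nsswitch before shipping. Existing files keep etc_t until relabeled, so the upgrade path needs a relabel of /var/db as well.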
@@ -10754,7 +10852,7 @@ index b876c48..a351aff 100644 /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found/.* <> -@@ -256,12 +285,14 @@ ifndef(`distro_redhat',` +@@ -256,12 +284,14 @@ ifndef(`distro_redhat',` /var/run -l gen_context(system_u:object_r:var_run_t,s0) /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> @@ -10769,7 +10867,7 @@ index b876c48..a351aff 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -271,3 +302,5 @@ ifdef(`distro_debian',` +@@ -271,3 +301,5 @@ ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') @@ -31758,7 +31856,7 @@ index e4376aa..2c98c56 100644 + allow $1 getty_unit_file_t:service start; +') diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te -index f6743ea..77a3b65 100644 +index f6743ea..22425f5 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te @@ -27,6 +27,17 @@ files_tmp_file(getty_tmp_t) @@ -31779,7 +31877,15 @@ index f6743ea..77a3b65 100644 ######################################## # # Getty local policy -@@ -83,8 +94,11 @@ term_use_unallocated_ttys(getty_t) +@@ -56,6 +67,7 @@ manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t) + files_pid_filetrans(getty_t, getty_var_run_t, file) + + kernel_read_system_state(getty_t) ++kernel_read_network_state(getty_t) + + # these two needed for receiving faxes + corecmd_exec_bin(getty_t) +@@ -83,8 +95,11 @@ term_use_unallocated_ttys(getty_t) term_setattr_all_ttys(getty_t) term_setattr_unallocated_ttys(getty_t) term_setattr_console(getty_t) 
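Review bot: `kernel_read_network_state(getty_t)` is added without a comment, and the commit message only cites BZ(#1255177); since this grants a domain with no network role read access to the kernel network state under /proc, a why-comment such as `# BZ(#1255177): agetty reads network state (confirm exact need)` above the new line would keep the grant reviewable. If the real requirement is narrower, a more specific interface would be preferable, but that cannot be judged from the hunk.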
@@ -31791,7 +31897,7 @@ index f6743ea..77a3b65 100644 init_rw_utmp(getty_t) init_use_script_ptys(getty_t) -@@ -94,7 +108,6 @@ locallogin_domtrans(getty_t) +@@ -94,7 +109,6 @@ locallogin_domtrans(getty_t) logging_send_syslog_msg(getty_t) @@ -31799,7 +31905,7 @@ index f6743ea..77a3b65 100644 ifdef(`distro_gentoo',` # Gentoo default /etc/issue makes agetty -@@ -113,7 +126,7 @@ ifdef(`distro_ubuntu',` +@@ -113,7 +127,7 @@ ifdef(`distro_ubuntu',` ') ') @@ -31808,7 +31914,7 @@ index f6743ea..77a3b65 100644 # Support logging in from /dev/console term_use_console(getty_t) ',` -@@ -121,11 +134,19 @@ tunable_policy(`console_login',` +@@ -121,11 +135,19 @@ tunable_policy(`console_login',` ') optional_policy(` @@ -35677,7 +35783,7 @@ index c42fbc3..277fe6c 100644 ## ## Set the attributes of iptables config files. diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index be8ed1e..e93440e 100644 +index be8ed1e..3c2729f 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,18 @@ role iptables_roles types iptables_t; @@ -35702,8 +35808,11 @@ index be8ed1e..e93440e 100644 ######################################## # # Iptables local policy -@@ -37,23 +40,29 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal }; +@@ -35,25 +38,32 @@ dontaudit iptables_t self:capability sys_tty_config; + allow iptables_t self:fifo_file rw_fifo_file_perms; + allow iptables_t self:process { sigchld sigkill sigstop signull signal }; allow iptables_t self:netlink_socket create_socket_perms; ++allow iptables_t self:netlink_netfilter_socket create_socket_perms; allow iptables_t self:rawip_socket create_socket_perms; -manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t) 
@@ -35735,7 +35844,7 @@ index be8ed1e..e93440e 100644 kernel_use_fds(iptables_t) # needed by ipvsadm -@@ -64,6 +73,8 @@ corenet_relabelto_all_packets(iptables_t) +@@ -64,6 +74,8 @@ corenet_relabelto_all_packets(iptables_t) corenet_dontaudit_rw_tun_tap_dev(iptables_t) dev_read_sysfs(iptables_t) @@ -35744,7 +35853,7 @@ index be8ed1e..e93440e 100644 fs_getattr_xattr_fs(iptables_t) fs_search_auto_mountpoints(iptables_t) -@@ -72,11 +83,12 @@ fs_list_inotifyfs(iptables_t) +@@ -72,11 +84,12 @@ fs_list_inotifyfs(iptables_t) mls_file_read_all_levels(iptables_t) term_dontaudit_use_console(iptables_t) @@ -35759,7 +35868,7 @@ index be8ed1e..e93440e 100644 auth_use_nsswitch(iptables_t) -@@ -85,15 +97,14 @@ init_use_script_ptys(iptables_t) +@@ -85,15 +98,14 @@ init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: init_rw_script_tmp_files(iptables_t) init_rw_script_stream_sockets(iptables_t) @@ -35777,7 +35886,7 @@ index be8ed1e..e93440e 100644 userdom_use_all_users_fds(iptables_t) ifdef(`hide_broken_symptoms',` -@@ -102,6 +113,9 @@ ifdef(`hide_broken_symptoms',` +@@ -102,6 +114,9 @@ ifdef(`hide_broken_symptoms',` optional_policy(` fail2ban_append_log(iptables_t) @@ -35787,7 +35896,7 @@ index be8ed1e..e93440e 100644 ') optional_policy(` -@@ -110,6 +124,11 @@ optional_policy(` +@@ -110,6 +125,11 @@ optional_policy(` ') optional_policy(` @@ -35799,7 +35908,7 @@ index be8ed1e..e93440e 100644 modutils_run_insmod(iptables_t, iptables_roles) ') -@@ -124,6 +143,16 @@ optional_policy(` +@@ -124,6 +144,16 @@ optional_policy(` optional_policy(` psad_rw_tmp_files(iptables_t) @@ -35816,7 +35925,7 @@ index be8ed1e..e93440e 100644 ') optional_policy(` -@@ -135,9 +164,9 @@ optional_policy(` +@@ -135,9 +165,9 @@ optional_policy(` ') optional_policy(` @@ -40225,7 +40334,7 @@ index b263a8a..15576ab 100644 +/usr/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0) +/usr/sbin/netlabel-config -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0) 
diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te -index cbbda4a..b569d5f 100644 +index cbbda4a..d7c67bc 100644 --- a/policy/modules/system/netlabel.te +++ b/policy/modules/system/netlabel.te @@ -7,9 +7,13 @@ policy_module(netlabel, 1.3.0) @@ -40242,12 +40351,14 @@ index cbbda4a..b569d5f 100644 ######################################## # # NetLabel Management Tools Local policy -@@ -19,10 +23,21 @@ role system_r types netlabel_mgmt_t; +@@ -18,11 +22,23 @@ role system_r types netlabel_mgmt_t; + # modify the network subsystem configuration allow netlabel_mgmt_t self:capability net_admin; allow netlabel_mgmt_t self:netlink_socket create_socket_perms; - -+can_exec(netlabel_mgmt_t, netlabel_mgmt_t) ++allow netlabel_mgmt_t self:netlink_generic_socket create_socket_perms; + ++can_exec(netlabel_mgmt_t, netlabel_mgmt_t) + kernel_read_network_state(netlabel_mgmt_t) +kernel_read_system_state(netlabel_mgmt_t) + @@ -42585,7 +42696,7 @@ index 2cea692..57c9025 100644 + files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4..bf8b888 100644 +index a392fc4..30cf590 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -42814,7 +42925,7 @@ index a392fc4..bf8b888 100644 vmware_append_log(dhcpc_t) ') -@@ -264,12 +308,24 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -264,12 +308,25 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; 
@@ -42822,6 +42933,7 @@ index a392fc4..bf8b888 100644 # for /sbin/ip allow ifconfig_t self:packet_socket create_socket_perms; +allow ifconfig_t self:netlink_socket create_socket_perms; ++allow ifconfig_t self:netlink_generic_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; +allow ifconfig_t self:tun_socket { relabelfrom relabelto create_socket_perms }; @@ -42839,7 +42951,7 @@ index a392fc4..bf8b888 100644 kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -279,14 +335,32 @@ kernel_rw_net_sysctls(ifconfig_t) +@@ -279,14 +336,32 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) @@ -42872,7 +42984,7 @@ index a392fc4..bf8b888 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -299,33 +373,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -299,33 +374,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -42930,7 +43042,7 @@ index a392fc4..bf8b888 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -336,7 +428,11 @@ ifdef(`hide_broken_symptoms',` +@@ -336,7 +429,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -42943,7 +43055,7 @@ index a392fc4..bf8b888 100644 ') optional_policy(` -@@ -350,7 +446,16 @@ optional_policy(` +@@ -350,7 +447,16 @@ optional_policy(` ') optional_policy(` @@ -42961,7 +43073,7 @@ index a392fc4..bf8b888 100644 ') optional_policy(` -@@ -371,3 +476,13 @@ optional_policy(` +@@ -371,3 +477,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -45562,7 +45674,7 @@ index 9a1650d..d7e8a01 100644 ######################################## 
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index 39f185f..703b804 100644 +index 39f185f..125f7fe 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -45600,15 +45712,17 @@ index 39f185f..703b804 100644 allow udev_t self:process { execmem setfscreate }; allow udev_t self:fd use; allow udev_t self:fifo_file rw_fifo_file_perms; -@@ -54,6 +55,7 @@ allow udev_t self:unix_dgram_socket sendto; +@@ -53,7 +54,9 @@ allow udev_t self:unix_stream_socket { listen accept }; + allow udev_t self:unix_dgram_socket sendto; allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; ++allow udev_t self:netlink_generic_socket create_socket_perms; allow udev_t self:rawip_socket create_socket_perms; +allow udev_t self:netlink_socket create_socket_perms; allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -64,31 +66,39 @@ can_exec(udev_t, udev_helper_exec_t) +@@ -64,31 +67,39 @@ can_exec(udev_t, udev_helper_exec_t) # read udev config allow udev_t udev_etc_t:file read_file_perms; @@ -45655,7 +45769,7 @@ index 39f185f..703b804 100644 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) -@@ -99,6 +109,7 @@ corecmd_exec_all_executables(udev_t) +@@ -99,6 +110,7 @@ corecmd_exec_all_executables(udev_t) dev_rw_sysfs(udev_t) dev_manage_all_dev_nodes(udev_t) @@ -45663,7 +45777,7 @@ index 39f185f..703b804 100644 dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) -@@ -107,23 +118,31 @@ dev_relabel_all_dev_nodes(udev_t) +@@ -107,23 +119,31 @@ dev_relabel_all_dev_nodes(udev_t) # preserved, instead of short circuiting the relabel dev_relabel_generic_symlinks(udev_t) dev_manage_generic_symlinks(udev_t) 
@@ -45699,7 +45813,7 @@ index 39f185f..703b804 100644 mls_file_read_all_levels(udev_t) mls_file_write_all_levels(udev_t) -@@ -145,17 +164,20 @@ auth_use_nsswitch(udev_t) +@@ -145,17 +165,20 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) @@ -45721,7 +45835,7 @@ index 39f185f..703b804 100644 seutil_read_config(udev_t) seutil_read_default_contexts(udev_t) -@@ -169,9 +191,13 @@ sysnet_read_dhcpc_pid(udev_t) +@@ -169,9 +192,13 @@ sysnet_read_dhcpc_pid(udev_t) sysnet_delete_dhcpc_pid(udev_t) sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) @@ -45736,7 +45850,7 @@ index 39f185f..703b804 100644 ifdef(`distro_debian',` files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug") -@@ -195,16 +221,9 @@ ifdef(`distro_gentoo',` +@@ -195,16 +222,9 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -45755,7 +45869,7 @@ index 39f185f..703b804 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) -@@ -242,6 +261,7 @@ optional_policy(` +@@ -242,6 +262,7 @@ optional_policy(` optional_policy(` cups_domtrans_config(udev_t) @@ -45763,7 +45877,7 @@ index 39f185f..703b804 100644 ') optional_policy(` -@@ -249,17 +269,31 @@ optional_policy(` +@@ -249,17 +270,31 @@ optional_policy(` dbus_use_system_bus_fds(udev_t) optional_policy(` @@ -45797,7 +45911,7 @@ index 39f185f..703b804 100644 ') optional_policy(` -@@ -289,6 +323,10 @@ optional_policy(` +@@ -289,6 +324,10 @@ optional_policy(` ') optional_policy(` @@ -45808,7 +45922,7 @@ index 39f185f..703b804 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -303,6 +341,15 @@ optional_policy(` +@@ -303,6 +342,15 @@ optional_policy(` ') optional_policy(` @@ -45824,7 +45938,7 @@ index 39f185f..703b804 100644 unconfined_signal(udev_t) ') -@@ -315,6 +362,7 @@ optional_policy(` +@@ -315,6 +363,7 @@ optional_policy(` kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t) 
@@ -52190,7 +52304,7 @@ index e79d545..101086d 100644 ') diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt -index 6e91317..8fc985f 100644 +index 6e91317..b80ffcb 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') @@ -52199,7 +52313,7 @@ index 6e91317..8fc985f 100644 # -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') - -+define(`socket_class_set', `{ socket dccp_socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') ++define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }') # # Datagram socket classes. diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 36bbc41e..e6c90eb2 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch 
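Review bot: The rewritten `++define(`socket_class_set', ...)` line drops `socket` and `dccp_socket`, which the previous version of this patch (the `-+define(...)` line being removed) had added to the set, while the commit message only mentions updating the netlink socket classes. socket_class_set feeds the UBAC/MLS `constrain socket_class_set { create relabelto relabelfrom }` block and any interface built on it, so those two classes silently lose that coverage; if the drop is unintended the new line should begin `{ socket dccp_socket tcp_socket udp_socket ...` with the netlink additions appended as they are now. If it is intended, it deserves its own changelog entry.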
@@ -3394,10 +3394,10 @@ index 0000000..6183b21 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 7caefc3..239cefa 100644 +index 7caefc3..77e26bf 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,162 +1,211 @@ +@@ -1,162 +1,210 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) 
@@ -3456,25 +3456,22 @@ index 7caefc3..239cefa 100644 +/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/usr/lib/systemd/system/httpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) +/usr/lib/systemd/system/thttpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) -+/usr/lib/systemd/system/jetty.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) -+/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) -+/usr/lib/systemd/system/nginx.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) -/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0) ++/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) ++/usr/lib/systemd/system/nginx.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) -/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) ++/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0) + +-/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0) +-/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) +/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/srv/([^/]*/)?www/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/srv/gallery2/smarty(/.*)? 
gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) --/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0) --/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) -+/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0) -+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) - -/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) -/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) -/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) @@ -3485,7 +3482,9 @@ index 7caefc3..239cefa 100644 -/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) -/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) -+/usr/share/jetty/bin/jetty.sh -- gen_context(system_u:object_r:httpd_exec_t,s0) ++/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0) ++/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) ++ +/usr/share/joomla(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0) @@ -9937,7 +9936,7 @@ index 16ec525..1dd4059 100644 ######################################## diff --git a/blueman.te b/blueman.te -index 3a5032e..7987a21 100644 +index 3a5032e..3facb71 100644 --- a/blueman.te +++ b/blueman.te @@ -7,7 +7,7 @@ policy_module(blueman, 1.1.0) 
@@ -9949,7 +9948,16 @@ index 3a5032e..7987a21 100644 type blueman_var_lib_t; files_type(blueman_var_lib_t) -@@ -21,7 +21,8 @@ files_pid_file(blueman_var_run_t) +@@ -15,13 +15,17 @@ files_type(blueman_var_lib_t) + type blueman_var_run_t; + files_pid_file(blueman_var_run_t) + ++type blueman_tmp_t; ++files_tmp_file(blueman_tmp_t) ++ + ######################################## + # + # Local policy # allow blueman_t self:capability { net_admin sys_nice }; @@ -9959,16 +9967,21 @@ index 3a5032e..7987a21 100644 allow blueman_t self:fifo_file rw_fifo_file_perms; manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t) -@@ -32,7 +33,7 @@ manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t) +@@ -32,7 +36,12 @@ manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t) manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t) files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file }) -kernel_read_net_sysctls(blueman_t) ++manage_dirs_pattern(blueman_t, blueman_tmp_t, blueman_tmp_t) ++manage_files_pattern(blueman_t, blueman_tmp_t, blueman_tmp_t) ++exec_files_pattern(blueman_t, blueman_tmp_t, blueman_tmp_t) ++files_tmp_filetrans(blueman_t, blueman_tmp_t, { file dir }) ++ +kernel_rw_net_sysctls(blueman_t) kernel_read_system_state(blueman_t) kernel_request_load_module(blueman_t) -@@ -41,29 +42,45 @@ corecmd_exec_bin(blueman_t) +@@ -41,29 +50,45 @@ corecmd_exec_bin(blueman_t) dev_read_rand(blueman_t) dev_read_urand(blueman_t) dev_rw_wireless(blueman_t) @@ -25517,10 +25530,10 @@ index 0000000..d22ed69 +') diff --git a/dnssec.te b/dnssec.te new file mode 100644 -index 0000000..225fcfd +index 0000000..bfa9ff5 --- /dev/null +++ b/dnssec.te -@@ -0,0 +1,82 @@ +@@ -0,0 +1,86 @@ +policy_module(dnssec, 1.0.0) + +######################################## 
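Review bot: `exec_files_pattern(blueman_t, blueman_tmp_t, blueman_tmp_t)` in hunk `@@ -9959,16 +9967,21 @@` lets blueman_t execute files that it can itself write under /tmp, which is broader than the "create own tmp files" the changelog records for #1234647 and drops the write-versus-execute separation that the other tmp type added in this patch keeps (jetty_tmp_t in jetty.te gets manage rules only). If a specific helper genuinely has to be unpacked to /tmp and run, name it in a comment above the line, e.g. `# exec: <helper name> is extracted to /tmp and executed — TODO confirm`; otherwise the exec_files_pattern line should go. The rest of blueman_t's local policy starts outside this hunk.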
@@ -25545,7 +25558,7 @@ index 0000000..225fcfd +# +# dnssec_trigger local policy +# -+allow dnssec_trigger_t self:capability { net_admin linux_immutable }; ++allow dnssec_trigger_t self:capability { net_admin linux_immutable sys_ptrace }; +allow dnssec_trigger_t self:process signal; +allow dnssec_trigger_t self:fifo_file rw_fifo_file_perms; +allow dnssec_trigger_t self:unix_stream_socket create_stream_socket_perms; @@ -25565,6 +25578,7 @@ index 0000000..225fcfd + +corecmd_exec_bin(dnssec_trigger_t) +corecmd_exec_shell(dnssec_trigger_t) ++corecmd_read_all_executables(dnssec_trigger_t) + +corenet_tcp_bind_generic_node(dnssec_trigger_t) +corenet_tcp_bind_dnssec_port(dnssec_trigger_t) @@ -25574,6 +25588,7 @@ index 0000000..225fcfd +dev_read_urand(dnssec_trigger_t) + +domain_use_interactive_fds(dnssec_trigger_t) ++domain_read_all_domains_state(dnssec_trigger_t) + +files_read_etc_runtime_files(dnssec_trigger_t) +files_dontaudit_list_tmp(dnssec_trigger_t) @@ -25585,6 +25600,8 @@ index 0000000..225fcfd +sysnet_dns_name_resolve(dnssec_trigger_t) +sysnet_manage_config(dnssec_trigger_t) +sysnet_filetrans_named_content(dnssec_trigger_t) ++sysnet_relabelfrom_net_conf(dnssec_trigger_t) ++sysnet_relabelto_net_conf(dnssec_trigger_t) + +optional_policy(` + dbus_system_bus_client(dnssec_trigger_t) @@ -38655,27 +38672,68 @@ index a7ae153..6341e31 100644 libs_legacy_use_shared_libs(java_domain) diff --git a/jetty.fc b/jetty.fc new file mode 100644 -index 0000000..1725b7e +index 0000000..c7c4fba --- /dev/null 
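Review bot: The `sys_ptrace` capability added to `allow dnssec_trigger_t self:capability { ... }` arrives without a comment, and together with `domain_read_all_domains_state(dnssec_trigger_t)` (hunk `@@ -25574,6 +25588,7 @@`) and `corecmd_read_all_executables(dnssec_trigger_t)` (hunk `@@ -25565,6 +25578,7 @@`) it lets a network-facing daemon inspect the state of every domain on the system. The changelog ties these to running pidof (BZ#1256737); a comment such as `# sys_ptrace + all-domains state: needed to run pidof (BZ#1256737)` above the capability line should record that, since nothing in dnssec.te otherwise explains it. Consider also whether the ptrace-related grant should follow the `deny_ptrace` tunable convention this same patch uses in jetty_admin, so that administrators who set that boolean get the narrower policy; whether the tunable is meant to cover the capability as well as the process permission I cannot tell from this hunk.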
+++ b/jetty.fc -@@ -0,0 +1,9 @@ +@@ -0,0 +1,12 @@ + -+/var/cache/jetty(/.*)? gen_context(system_u:object_r:jetty_cache_t,s0) ++/usr/lib/systemd/system/jetty\.service -- gen_context(system_u:object_r:jetty_unit_file_t,s0) + -+/var/lib/jetty(/.*)? gen_context(system_u:object_r:jetty_var_lib_t,s0) ++/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:jetty_exec_t,s0) + -+/var/log/jetty(/.*)? gen_context(system_u:object_r:jetty_log_t,s0) ++/var/cache/jetty(/.*)? gen_context(system_u:object_r:jetty_cache_t,s0) + -+/var/run/jetty(/.*)? gen_context(system_u:object_r:jetty_var_run_t,s0) ++/var/lib/jetty(/.*)? gen_context(system_u:object_r:jetty_var_lib_t,s0) + ++/var/log/jetty(/.*)? gen_context(system_u:object_r:jetty_log_t,s0) ++ ++/var/run/jetty(/.*)? gen_context(system_u:object_r:jetty_var_run_t,s0) diff --git a/jetty.if b/jetty.if new file mode 100644 -index 0000000..2abc285 +index 0000000..6679a02 --- /dev/null +++ b/jetty.if -@@ -0,0 +1,268 @@ +@@ -0,0 +1,415 @@ + -+## policy for jetty ++## Jetty - HTTP server and Servlet container ++ ++######################################## ++## ++## Execute jetty_exec_t in the jetty domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`jetty_domtrans',` ++ gen_require(` ++ type jetty_t, jetty_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, jetty_exec_t, jetty_t) ++') ++ ++###################################### ++## ++## Execute jetty in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`jetty_exec',` ++ gen_require(` ++ type jetty_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, jetty_exec_t) ++') + +######################################## +## 
@@ -38816,6 +38874,65 @@ index 0000000..2abc285 + +######################################## +## ++## Do not audit attempts to read, ++## jetty tmp files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`jetty_dontaudit_read_tmp_files',` ++ gen_require(` ++ type jetty_tmp_t; ++ ') ++ ++ dontaudit $1 jetty_tmp_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Read jetty tmp files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`jetty_read_tmp_files',` ++ gen_require(` ++ type jetty_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ read_files_pattern($1, jetty_tmp_t, jetty_tmp_t) ++') ++ ++######################################## ++## ++## Manage jetty tmp files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`jetty_manage_tmp',` ++ gen_require(` ++ type jetty_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ manage_dirs_pattern($1, jetty_tmp_t, jetty_tmp_t) ++ manage_files_pattern($1, jetty_tmp_t, jetty_tmp_t) ++ manage_lnk_files_pattern($1, jetty_tmp_t, jetty_tmp_t) ++') ++ ++######################################## ++## +## Search jetty lib directories. +## +## @@ -38906,7 +39023,31 @@ index 0000000..2abc285 + ') + + files_search_pids($1) -+ allow $1 jetty_var_run_t:file read_file_perms; ++ read_files_pattern($1, jetty_var_run_t, jetty_var_run_t) ++') ++ ++######################################## ++## ++## Execute jetty server in the jetty domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`jetty_systemctl',` ++ gen_require(` ++ type jetty_t; ++ type jetty_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 jetty_unit_file_t:file read_file_perms; ++ allow $1 jetty_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, jetty_t) +') + + 
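Review bot: The documentation of the new `jetty_systemctl` interface (hunk `@@ -38906,7 +39023,31 @@`) does not describe what it grants: the summary reads `## Execute jetty server in the jetty domain.` and the parameter is `## Domain allowed to transition.`, yet the body performs no domain transition — it allows systemctl execution and `manage_service_perms` on `jetty_unit_file_t`. Suggest `## Start, stop and query the jetty service via systemctl.` for the summary and `## Domain allowed access.` for the parameter, matching the wording `jetty_exec` uses. `jetty_domtrans` in hunk `@@ -38655,27 +38672,68 @@` is the interface that actually transitions into jetty_t, so the current text would send readers to the wrong one.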
@@ -38920,34 +39061,60 @@ index 0000000..2abc285 +## Domain allowed access. +## +## ++## ++## ++## Role allowed access. ++## ++## +## +# +interface(`jetty_admin',` + gen_require(` ++ type jetty_t; + type jetty_cache_t; + type jetty_log_t; ++ type jetty_tmp_t; + type jetty_var_lib_t; + type jetty_var_run_t; ++ type jetty_unit_file_t; + ') + ++ allow $1 jetty_t:process { signal_perms }; ++ ps_process_pattern($1, jetty_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 jetty_t:process ptrace; ++ ') ++ + files_search_var($1) + admin_pattern($1, jetty_cache_t) + + logging_search_logs($1) + admin_pattern($1, jetty_log_t) + ++ files_search_tmp($1) ++ admin_pattern($1, jetty_tmp_t) ++ + files_search_var_lib($1) + admin_pattern($1, jetty_var_lib_t) + + files_search_pids($1) + admin_pattern($1, jetty_var_run_t) ++ ++ jetty_systemctl($1) ++ admin_pattern($1, jetty_unit_file_t) ++ allow $1 jetty_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') +') diff --git a/jetty.te b/jetty.te new file mode 100644 -index 0000000..af510ea +index 0000000..71325e5 --- /dev/null +++ b/jetty.te -@@ -0,0 +1,25 @@ +@@ -0,0 +1,78 @@ +policy_module(jetty, 1.0.0) + +######################################## 
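Review bot: `jetty_admin` now documents a second parameter (`## Role allowed access.`) but its body never references `$2`; every rule in the interface uses `$1` only. Either wire the role in where it is meant to be used, or drop that parameter block so callers are not led to pass a role that has no effect. Separately, `allow $1 jetty_unit_file_t:service all_service_perms;` follows `jetty_systemctl($1)`, which already grants `manage_service_perms` on the same type — harmless, but a one-line comment would make clear the wider set is intentional.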
@@ -38955,24 +39122,77 @@ index 0000000..af510ea +# Declarations +# + ++type jetty_t; ++type jetty_exec_t; ++init_daemon_domain(jetty_t, jetty_exec_t) ++ +type jetty_cache_t; +files_type(jetty_cache_t) + +type jetty_log_t; +logging_log_file(jetty_log_t) + ++type jetty_tmp_t; ++files_tmp_file(jetty_tmp_t) ++ +type jetty_var_lib_t; +files_type(jetty_var_lib_t) + +type jetty_var_run_t; +files_pid_file(jetty_var_run_t) + ++type jetty_unit_file_t; ++systemd_unit_file(jetty_unit_file_t) ++ +######################################## +# +# jetty local policy +# + -+# No local policy. This module just contains type definitions ++allow jetty_t self:process execmem; ++allow jetty_t self:process { signal signull }; ++ ++allow jetty_t self:fifo_file rw_fifo_file_perms; ++allow jetty_t self:tcp_socket { accept listen }; ++ ++manage_dirs_pattern(jetty_t, jetty_cache_t, jetty_cache_t) ++manage_files_pattern(jetty_t, jetty_cache_t, jetty_cache_t) ++files_var_filetrans(jetty_t, jetty_cache_t, dir) ++ ++manage_dirs_pattern(jetty_t, jetty_log_t, jetty_log_t) ++manage_files_pattern(jetty_t, jetty_log_t, jetty_log_t) ++logging_log_filetrans(jetty_t, jetty_log_t, dir) ++ ++manage_dirs_pattern(jetty_t, jetty_tmp_t, jetty_tmp_t) ++manage_files_pattern(jetty_t, jetty_tmp_t, jetty_tmp_t) ++files_tmp_filetrans(jetty_t, jetty_tmp_t, { dir file }) ++ ++manage_dirs_pattern(jetty_t, jetty_var_lib_t, jetty_var_lib_t) ++manage_files_pattern(jetty_t, jetty_var_lib_t, jetty_var_lib_t) ++files_var_lib_filetrans(jetty_t, jetty_var_lib_t, dir) ++ ++manage_dirs_pattern(jetty_t, jetty_var_run_t, jetty_var_run_t) ++manage_files_pattern(jetty_t, jetty_var_run_t, jetty_var_run_t) ++files_pid_filetrans(jetty_t, jetty_var_run_t, dir) ++ ++kernel_read_system_state(jetty_t) ++kernel_read_network_state(jetty_t) ++ ++corecmd_exec_bin(jetty_t) ++corecmd_exec_shell(jetty_t) ++ ++corenet_tcp_bind_http_cache_port(jetty_t) ++ ++dev_read_rand(jetty_t) ++dev_read_sysfs(jetty_t) ++dev_read_urand(jetty_t) ++ 
++auth_use_nsswitch(jetty_t) ++ ++optional_policy(` ++ #allow access to /etc/abrt/plugins/java.conf ++ abrt_read_config(jetty_t) ++') diff --git a/jockey.if b/jockey.if index 2fb7a20..c6ba007 100644 --- a/jockey.if @@ -65712,7 +65932,7 @@ index bf59ef7..0e33327 100644 +') + diff --git a/passenger.te b/passenger.te -index 08ec33b..56fba2e 100644 +index 08ec33b..3b92c4d 100644 --- a/passenger.te +++ b/passenger.te @@ -14,6 +14,9 @@ role system_r types passenger_t; @@ -65786,7 +66006,7 @@ index 08ec33b..56fba2e 100644 corecmd_exec_bin(passenger_t) corecmd_exec_shell(passenger_t) -@@ -68,8 +75,6 @@ dev_read_urand(passenger_t) +@@ -68,10 +75,10 @@ dev_read_urand(passenger_t) domain_read_all_domains_state(passenger_t) @@ -65794,8 +66014,12 @@ index 08ec33b..56fba2e 100644 - auth_use_nsswitch(passenger_t) ++fs_getattr_xattr_fs(passenger_t) ++ logging_send_syslog_msg(passenger_t) -@@ -83,6 +88,7 @@ userdom_dontaudit_use_user_terminals(passenger_t) + + miscfiles_read_localization(passenger_t) +@@ -83,6 +90,7 @@ userdom_dontaudit_use_user_terminals(passenger_t) optional_policy(` apache_append_log(passenger_t) apache_read_sys_content(passenger_t) @@ -65803,7 +66027,7 @@ index 08ec33b..56fba2e 100644 ') optional_policy(` -@@ -94,14 +100,21 @@ optional_policy(` +@@ -94,14 +102,21 @@ optional_policy(` ') optional_policy(` @@ -66602,15 +66826,14 @@ index 0000000..509d898 + ') +') diff --git a/pegasus.fc b/pegasus.fc -index dfd46e4..747aa2a 100644 +index dfd46e4..d40433a 100644 --- a/pegasus.fc 
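Review bot: `corenet_tcp_bind_http_cache_port(jetty_t)` is added without `corenet_tcp_bind_generic_node(jetty_t)`; unless node_bind is granted to jetty_t elsewhere, the listen socket will be denied at bind time. dnssec.te in this same patch pairs the two calls (`corenet_tcp_bind_generic_node` immediately before `corenet_tcp_bind_dnssec_port`), so the same pairing is expected here. `allow jetty_t self:tcp_socket { accept listen };` likewise omits socket create and bind permissions, which may be supplied by an interface I cannot see from this hunk — worth checking against the denials of a test run. `allow jetty_t self:process execmem;` also deserves a why-comment, e.g. `# execmem: JVM JIT needs writable+executable mappings — TODO confirm`, since it is the one rule here that relaxes W^X for the domain.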
+++ b/pegasus.fc -@@ -1,15 +1,33 @@ +@@ -1,15 +1,32 @@ -/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) + +/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) /etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) -+/etc/mdadm\.conf\.anacbak gen_context(system_u:object_r:pegasus_conf_t,s0) -/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0) +/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) @@ -66749,7 +66972,7 @@ index d2fc677..86dce34 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 608f454..3e3fd3d 100644 +index 608f454..0aa43fc 100644 --- a/pegasus.te +++ b/pegasus.te @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) @@ -66768,7 +66991,7 @@ index 608f454..3e3fd3d 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,337 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,334 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) @@ -67003,9 +67226,6 @@ index 608f454..3e3fd3d 100644 +manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, pegasus_openlmi_storage_var_run_t) +files_pid_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, dir, "openlmi-storage") + -+manage_files_pattern(pegasus_openlmi_storage_t, pegasus_conf_t, pegasus_conf_t) -+files_etc_filetrans(pegasus_openlmi_storage_t, pegasus_conf_t, file, "mdadm.conf.anacbak" ) -+ +kernel_read_all_sysctls(pegasus_openlmi_storage_t) +kernel_read_network_state(pegasus_openlmi_storage_t) +kernel_get_sysvipc_info(pegasus_openlmi_storage_t) 
@@ -67111,7 +67331,7 @@ index 608f454..3e3fd3d 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +370,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +367,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -67142,7 +67362,7 @@ index 608f454..3e3fd3d 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +396,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +393,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -67175,7 +67395,7 @@ index 608f454..3e3fd3d 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,9 +424,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +421,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -67187,7 +67407,7 @@ index 608f454..3e3fd3d 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) -@@ -128,18 +440,29 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +437,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -67223,7 +67443,7 @@ index 608f454..3e3fd3d 100644 ') optional_policy(` -@@ -151,16 +474,24 @@ optional_policy(` +@@ -151,16 +471,24 @@ optional_policy(` ') optional_policy(` @@ -67252,7 +67472,7 @@ index 608f454..3e3fd3d 100644 ') optional_policy(` -@@ -168,7 +499,7 @@ optional_policy(` +@@ -168,7 +496,7 @@ optional_policy(` ') optional_policy(` @@ -67261,7 +67481,7 @@ index 608f454..3e3fd3d 100644 ') optional_policy(` -@@ -180,6 +511,7 @@ optional_policy(` +@@ -180,6 +508,7 @@ optional_policy(` ') optional_policy(` 
@@ -80533,14 +80753,15 @@ index 6d162e4..9027807 100644 userdom_dontaudit_search_user_home_dirs(radvd_t) diff --git a/raid.fc b/raid.fc -index 5806046..8bce88f 100644 +index 5806046..2a4769f 100644 --- a/raid.fc +++ b/raid.fc -@@ -3,6 +3,11 @@ +@@ -3,6 +3,12 @@ /etc/rc\.d/init\.d/mdmonitor -- gen_context(system_u:object_r:mdadm_initrc_exec_t,s0) +/etc/mdadm\.conf -- gen_context(system_u:object_r:mdadm_conf_t,s0) ++/etc/mdadm\.conf\.anacbak -- gen_context(system_u:object_r:mdadm_conf_t,s0) + +/usr/lib/systemd/system/mdmon@.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0) +/usr/lib/systemd/system/mdmonitor.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0) @@ -80548,7 +80769,7 @@ index 5806046..8bce88f 100644 /sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0) /sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0) /sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0) -@@ -16,6 +21,10 @@ +@@ -16,6 +22,10 @@ /usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0) /usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0) /usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) @@ -80560,7 +80781,7 @@ index 5806046..8bce88f 100644 + /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) diff --git a/raid.if b/raid.if -index 951db7f..04b6dde 100644 +index 951db7f..00e699d 100644 --- a/raid.if +++ b/raid.if @@ -1,9 +1,8 @@ @@ -80642,7 +80863,7 @@ index 951db7f..04b6dde 100644 ## ## ## -@@ -57,47 +79,112 @@ interface(`raid_run_mdadm',` +@@ -57,47 +79,113 @@ interface(`raid_run_mdadm',` ## ## # @@ -80773,12 +80994,13 @@ index 951db7f..04b6dde 100644 - raid_run_mdadm($2, $1) + files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf") ++ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak") ') diff --git a/raid.te b/raid.te -index c99753f..f6bd1c6 100644 +index c99753f..1c950ed 100644 --- a/raid.te 
+++ b/raid.te -@@ -15,54 +15,100 @@ role mdadm_roles types mdadm_t; +@@ -15,54 +15,101 @@ role mdadm_roles types mdadm_t; type mdadm_initrc_exec_t; init_script_file(mdadm_initrc_exec_t) @@ -80817,6 +81039,7 @@ index c99753f..f6bd1c6 100644 + +manage_files_pattern(mdadm_t, mdadm_conf_t, mdadm_conf_t) +files_etc_filetrans(mdadm_t, mdadm_conf_t, file, "mdadm.conf") ++files_etc_filetrans(mdadm_t, mdadm_conf_t, file, "mdadm.conf.anacbak") + +manage_files_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t) +manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t) @@ -80888,7 +81111,7 @@ index c99753f..f6bd1c6 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -71,15 +117,22 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -71,15 +118,22 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) @@ -80912,7 +81135,7 @@ index c99753f..f6bd1c6 100644 userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) -@@ -90,17 +143,38 @@ optional_policy(` +@@ -90,17 +144,38 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 43d45ea0..58839460 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 145%{?dist} +Release: 146%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
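Review bot: The new `files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak")` in the raid.if interface (its header is outside this hunk) only takes effect for domains that call that interface; with the pegasus transition for the same file reverted in pegasus.te (hunk `@@ -67003,9 +67226,6 @@`), the domain that actually writes mdadm.conf.anacbak — pegasus_openlmi_storage_t according to the changelog — will create it as plain etc_t unless it now calls this interface, and the raid.fc entry in hunk `@@ -80533,14 +80753,15 @@` only corrects the label on relabel. The matching `files_etc_filetrans(mdadm_t, mdadm_conf_t, file, "mdadm.conf.anacbak")` in raid.te (hunk `@@ -80817,6 +81039,7 @@`) covers mdadm itself but not the pegasus domain. Worth confirming the caller is wired up in this patch or in a follow-up, otherwise the revert leaves the file with the wrong type until the next restorecon.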
@@ -647,6 +647,19 @@ exit 0 %endif %changelog +* Tue Sep 01 2015 Lukas Vrabec 3.13.1-146 +- Allow passenger to getattr filesystem xattr +- Revert "Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc." +- Label mdadm.conf.anackbak as mdadm_conf_t file. +- Allow dnssec-ttrigger to relabel net_conf_t files. BZ(1251765) +- Allow dnssec-trigger to exec pidof. BZ(#1256737) +- Allow blueman to create own tmp files in /tmp. (#1234647) +- Add new audit_read access vector in capability2 class +- Add "binder" security class and access vectors +- Update netlink socket classes. +- Allow getty to read network state. BZ(#1255177) +- Remove labeling for /var/db/.*\.db as etc_t to label db files as system_db_t. + * Sun Aug 30 2015 Lukas Vrabec 3.13.1-145 - Allow watchdog execute fenced python script. - Added inferface watchdog_unconfined_exec_read_lnk_files()