* Thu Mar 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-115

- Allow glusterd_t exec glusterd_var_lib_t files. BZ(1198406) - Add gluster_exec_lib interface. - Allow l2tpd to manage NetworkManager pid files - Allow firewalld_t relabelfrom firewalld_rw_etc_t. BZ(1195327) - Allow cyrus bind tcp berknet port. BZ(1198347) - Add nsswitch domain for more serviecs. - Allow abrt_dump_oops_t read /etc/passwd file. BZ(1197190) - Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling. - Make munin yum plugin as unconfined by default. - Allow bitlbee connections to the system DBUS. - Allow system apache scripts to send log messages. - Allow denyhosts execute iptables. BZ(1197371) - Allow brltty rw event device. BZ(1190349) - Allow cupsd config to execute ldconfig. BZ(1196608) - xdm_t now needs to manage user ttys - Allow ping_t read urand. BZ(1181831) - Add support for tcp/2005 port. - Allow setfiles domain to access files with admin_home_t. semanage -i /root/testfile. - In F23 we are running xserver as the user, need this to allow confined users to us X
2015-03-05 20:22:19 +01:00 · 2015-03-05 20:22:19 +01:00 · f6c1168684
commit f6c1168684
parent 2ee001bdc9
3 changed files with 247 additions and 146 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -1802,7 +1802,7 @@ index c6ca761..0c86bfd 100644
 ')
 
 diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index c44c359..ec441aa 100644
+index c44c359..bb78970 100644
 --- a/policy/modules/admin/netutils.te
 +++ b/policy/modules/admin/netutils.te
@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
@ -1883,15 +1883,17 @@ index c44c359..ec441aa 100644
 corenet_all_recvfrom_netlabel(ping_t)
 corenet_tcp_sendrecv_generic_if(ping_t)
 corenet_raw_sendrecv_generic_if(ping_t)
-@@ -124,6 +126,7 @@ corenet_raw_bind_generic_node(ping_t)
+@@ -124,6 +126,9 @@ corenet_raw_bind_generic_node(ping_t)
 corenet_tcp_sendrecv_all_ports(ping_t)
 
 fs_dontaudit_getattr_xattr_fs(ping_t)
 +fs_dontaudit_rw_anon_inodefs_files(ping_t)
+
+dev_read_urand(ping_t)
 
 domain_use_interactive_fds(ping_t)
 
-@@ -131,14 +134,13 @@ files_read_etc_files(ping_t)
+@@ -131,14 +136,13 @@ files_read_etc_files(ping_t)
 files_dontaudit_search_var(ping_t)
 
 kernel_read_system_state(ping_t)
@ -1909,7 +1911,7 @@ index c44c359..ec441aa 100644
 
 ifdef(`hide_broken_symptoms',`
 	init_dontaudit_use_fds(ping_t)
-@@ -149,11 +151,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -149,11 +153,25 @@ ifdef(`hide_broken_symptoms',`
 	')
 ')
 
@ -1935,7 +1937,7 @@ index c44c359..ec441aa 100644
 	pcmcia_use_cardmgr_fds(ping_t)
 ')
 
-@@ -161,6 +177,15 @@ optional_policy(`
+@@ -161,6 +179,15 @@ optional_policy(`
 	hotplug_use_fds(ping_t)
 ')
 
@ -1951,7 +1953,7 @@ index c44c359..ec441aa 100644
 ########################################
 #
 # Traceroute local policy
-@@ -174,7 +199,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
+@@ -174,7 +201,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
 kernel_read_system_state(traceroute_t)
 kernel_read_network_state(traceroute_t)
 
@ -1959,7 +1961,7 @@ index c44c359..ec441aa 100644
 corenet_all_recvfrom_netlabel(traceroute_t)
 corenet_tcp_sendrecv_generic_if(traceroute_t)
 corenet_udp_sendrecv_generic_if(traceroute_t)
-@@ -198,6 +222,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -198,6 +224,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
 domain_use_interactive_fds(traceroute_t)
 
 files_read_etc_files(traceroute_t)
@ -1967,7 +1969,7 @@ index c44c359..ec441aa 100644
 files_dontaudit_search_var(traceroute_t)
 
 init_use_fds(traceroute_t)
-@@ -206,11 +231,17 @@ auth_use_nsswitch(traceroute_t)
+@@ -206,11 +233,17 @@ auth_use_nsswitch(traceroute_t)
 
 logging_send_syslog_msg(traceroute_t)
 
@ -5527,7 +5529,7 @@ index 8e0f9cd..b9f45b9 100644
 
 define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..87b5aa1 100644
+index b191055..a60bc60 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@ -5601,7 +5603,7 @@ index b191055..87b5aa1 100644
 # reserved_port_t is the type of INET port numbers below 1024.
 #
 type reserved_port_t, port_type, reserved_port_type;
-@@ -83,56 +106,70 @@ network_port(agentx, udp,705,s0, tcp,705,s0)
+@@ -83,56 +106,71 @@ network_port(agentx, udp,705,s0, tcp,705,s0)
 network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
 network_port(amavisd_recv, tcp,10024,s0)
 network_port(amavisd_send, tcp,10025,s0)
@ -5644,6 +5646,7 @@ index b191055..87b5aa1 100644
 +network_port(ctdb, tcp,4379,s0, udp,4379,s0)
 network_port(cvs, tcp,2401,s0, udp,2401,s0)
 network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
+network_port(cyrus_imapd, tcp,2005,s0)
 network_port(daap, tcp,3689,s0, udp,3689,s0)
 network_port(dbskkd, tcp,1178,s0)
 network_port(dcc, udp,6276,s0, udp,6277,s0)
@ -5681,7 +5684,7 @@ index b191055..87b5aa1 100644
 network_port(gopher, tcp,70,s0, udp,70,s0)
 network_port(gpsd, tcp,2947,s0)
 network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +177,55 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +178,55 @@ network_port(hadoop_namenode, tcp,8020,s0)
 network_port(hddtemp, tcp,7634,s0)
 network_port(howl, tcp,5335,s0, udp,5353,s0)
 network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@ -5752,7 +5755,7 @@ index b191055..87b5aa1 100644
 network_port(msnp, tcp,1863,s0, udp,1863,s0)
 network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
 network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,95 +233,116 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,95 +234,116 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
 network_port(mxi, tcp,8005,s0, udp,8005,s0)
 network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
 network_port(mysqlmanagerd, tcp,2273,s0)
@ -5887,7 +5890,7 @@ index b191055..87b5aa1 100644
 network_port(winshadow, tcp,3161,s0, udp,3261,s0)
 network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
 network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -288,19 +356,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +357,23 @@ network_port(zabbix_agent, tcp,10050,s0)
 network_port(zookeeper_client, tcp,2181,s0)
 network_port(zookeeper_election, tcp,3888,s0)
 network_port(zookeeper_leader, tcp,2888,s0)
@ -5914,7 +5917,7 @@ index b191055..87b5aa1 100644
 
 ########################################
 #
-@@ -333,6 +405,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +406,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
 
 build_option(`enable_mls',`
 network_interface(lo, lo, s0 - mls_systemhigh)
@ -5923,7 +5926,7 @@ index b191055..87b5aa1 100644
 ',`
 typealias netif_t alias { lo_netif_t netif_lo_t };
 ')
-@@ -345,9 +419,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +420,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
 allow corenet_unconfined_type node_type:node *;
 allow corenet_unconfined_type netif_type:netif *;
 allow corenet_unconfined_type packet_type:packet *;
@ -19590,7 +19593,7 @@ index 234a940..d340f20 100644
 ########################################
 ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 0fef1fc..43bc4f2 100644
+index 0fef1fc..405687c 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
@@ -8,12 +8,72 @@ policy_module(staff, 2.4.0)
@ -19817,7 +19820,7 @@ index 0fef1fc..43bc4f2 100644
 ')
 
 optional_policy(`
-@@ -52,10 +232,60 @@ optional_policy(`
+@@ -52,11 +232,61 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -19862,6 +19865,7 @@ index 0fef1fc..43bc4f2 100644
 ')
 
 optional_policy(`
+-	xserver_role(staff_r, staff_t)
 +    vmtools_run_helper(staff_t, staff_r)
 +')
 +
@ -19875,9 +19879,10 @@ index 0fef1fc..43bc4f2 100644
 +
 +optional_policy(`
 +	xserver_read_log(staff_t)
- 	xserver_role(staff_r, staff_t)
+	xserver_run(staff_t, staff_r)
 ')
 
+ ifndef(`distro_redhat',`
@@ -65,10 +295,6 @@ ifndef(`distro_redhat',`
 	')
 
@ -21676,7 +21681,7 @@ index 3835596..fbca2be 100644
 ########################################
 ## <summary>
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index 6d77e81..ee93201 100644
+index 6d77e81..656a8c4 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
@@ -1,5 +1,12 @@
@ -21839,7 +21844,7 @@ index 6d77e81..ee93201 100644
 	')
 +
 +	optional_policy(`
-+		xserver_role(user_r, user_t)
+		xserver_run(user_t, user_r)
 +	')
 +')
 +
@ -25765,7 +25770,7 @@ index 6bf0ecc..b036584 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..415f8be 100644
+index 8b40377..07ff17c 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@ -26357,17 +26362,16 @@ index 8b40377..415f8be 100644
 
 storage_dontaudit_read_fixed_disk(xdm_t)
 storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,28 +641,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +641,44 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
 storage_dontaudit_raw_write_removable_device(xdm_t)
 storage_dontaudit_setattr_removable_dev(xdm_t)
 storage_dontaudit_rw_scsi_generic(xdm_t)
 +storage_dontaudit_rw_fuse(xdm_t)
 
 term_setattr_console(xdm_t)
-+term_use_console(xdm_t)
-+term_use_virtio_console(xdm_t)
- term_use_unallocated_ttys(xdm_t)
+-term_use_unallocated_ttys(xdm_t)
 term_setattr_unallocated_ttys(xdm_t)
+term_use_all_terms(xdm_t)
 +term_relabel_all_ttys(xdm_t)
 +term_relabel_unallocated_ttys(xdm_t)
 
@ -26407,7 +26411,7 @@ index 8b40377..415f8be 100644
 
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +689,155 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +687,155 @@ userdom_read_user_home_content_files(xdm_t)
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
@ -26569,7 +26573,7 @@ index 8b40377..415f8be 100644
 tunable_policy(`xdm_sysadm_login',`
 	userdom_xsession_spec_domtrans_all_users(xdm_t)
 	# FIXME:
-@@ -502,12 +850,31 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,12 +848,31 @@ tunable_policy(`xdm_sysadm_login',`
 #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
 ')
 
@ -26601,7 +26605,7 @@ index 8b40377..415f8be 100644
 ')
 
 optional_policy(`
-@@ -517,9 +884,34 @@ optional_policy(`
+@@ -517,9 +882,34 @@ optional_policy(`
 optional_policy(`
 	dbus_system_bus_client(xdm_t)
 	dbus_connect_system_bus(xdm_t)
@ -26637,7 +26641,7 @@ index 8b40377..415f8be 100644
 	')
 ')
 
-@@ -530,6 +922,20 @@ optional_policy(`
+@@ -530,6 +920,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -26658,7 +26662,7 @@ index 8b40377..415f8be 100644
 	hostname_exec(xdm_t)
 ')
 
-@@ -547,28 +953,78 @@ optional_policy(`
+@@ -547,28 +951,78 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -26746,7 +26750,7 @@ index 8b40377..415f8be 100644
 ')
 
 optional_policy(`
-@@ -580,6 +1036,14 @@ optional_policy(`
+@@ -580,6 +1034,14 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -26761,7 +26765,7 @@ index 8b40377..415f8be 100644
 	xfs_stream_connect(xdm_t)
 ')
 
-@@ -594,7 +1058,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1056,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
 type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
 
 allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@ -26770,7 +26774,7 @@ index 8b40377..415f8be 100644
 
 # setuid/setgid for the wrapper program to change UID
 # sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1068,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1066,11 @@ allow xserver_t input_xevent_t:x_event send;
 # execheap needed until the X module loader is fixed.
 # NVIDIA Needs execstack
 
@ -26783,7 +26787,7 @@ index 8b40377..415f8be 100644
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:fd use;
 allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1085,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1083,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xserver_t self:tcp_socket create_stream_socket_perms;
 allow xserver_t self:udp_socket create_socket_perms;
@ -26799,7 +26803,7 @@ index 8b40377..415f8be 100644
 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1101,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1099,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
 
 filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
 
@ -26810,7 +26814,7 @@ index 8b40377..415f8be 100644
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1116,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1114,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
 
@ -26847,7 +26851,7 @@ index 8b40377..415f8be 100644
 corenet_all_recvfrom_netlabel(xserver_t)
 corenet_tcp_sendrecv_generic_if(xserver_t)
 corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1162,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1160,28 @@ dev_rw_apm_bios(xserver_t)
 dev_rw_agp(xserver_t)
 dev_rw_framebuffer(xserver_t)
 dev_manage_dri_dev(xserver_t)
@ -26879,7 +26883,7 @@ index 8b40377..415f8be 100644
 
 # brought on by rhgb
 files_search_mnt(xserver_t)
-@@ -705,6 +1195,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1193,14 @@ fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
 
@ -26894,7 +26898,7 @@ index 8b40377..415f8be 100644
 mls_xwin_read_to_clearance(xserver_t)
 
 selinux_validate_context(xserver_t)
-@@ -718,20 +1216,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1214,18 @@ init_getpgid(xserver_t)
 term_setattr_unallocated_ttys(xserver_t)
 term_use_unallocated_ttys(xserver_t)
 
@ -26918,7 +26922,7 @@ index 8b40377..415f8be 100644
 
 userdom_search_user_home_dirs(xserver_t)
 userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1235,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1233,6 @@ userdom_setattr_user_ttys(xserver_t)
 userdom_read_user_tmp_files(xserver_t)
 userdom_rw_user_tmpfs_files(xserver_t)
 
@ -26927,7 +26931,7 @@ index 8b40377..415f8be 100644
 ifndef(`distro_redhat',`
 	allow xserver_t self:process { execmem execheap execstack };
 	domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1279,50 @@ optional_policy(`
+@@ -785,17 +1277,50 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -26980,7 +26984,7 @@ index 8b40377..415f8be 100644
 ')
 
 optional_policy(`
-@@ -803,6 +1330,10 @@ optional_policy(`
+@@ -803,6 +1328,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -26991,7 +26995,7 @@ index 8b40377..415f8be 100644
 	xfs_stream_connect(xserver_t)
 ')
 
-@@ -818,18 +1349,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1347,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
@ -27016,7 +27020,7 @@ index 8b40377..415f8be 100644
 can_exec(xserver_t, xkb_var_lib_t)
 
 # VNC v4 module in X server
-@@ -842,26 +1372,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1370,21 @@ init_use_fds(xserver_t)
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -27051,7 +27055,7 @@ index 8b40377..415f8be 100644
 ')
 
 optional_policy(`
-@@ -912,7 +1437,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1435,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
 allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -27060,7 +27064,7 @@ index 8b40377..415f8be 100644
 # operations allowed on all windows
 allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
 
-@@ -966,11 +1491,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1489,31 @@ allow x_domain self:x_resource { read write };
 # can mess with the screensaver
 allow x_domain xserver_t:x_screen { getattr saver_getattr };
 
@ -27092,7 +27096,7 @@ index 8b40377..415f8be 100644
 tunable_policy(`! xserver_object_manager',`
 	# should be xserver_unconfined(x_domain),
 	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1537,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1535,148 @@ tunable_policy(`! xserver_object_manager',`
 	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
 ')
 
@ -38400,7 +38404,7 @@ index 3822072..8a23b62 100644
 +	allow semanage_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index dc46420..fa0e220 100644
+index dc46420..90ff61b 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,16 @@ gen_require(`
@ -38932,7 +38936,7 @@ index dc46420..fa0e220 100644
 ')
 
 ########################################
-@@ -522,111 +602,196 @@ ifdef(`distro_ubuntu',`
+@@ -522,111 +602,197 @@ ifdef(`distro_ubuntu',`
 # Setfiles local policy
 #
 
@ -39111,6 +39115,7 @@ index dc46420..fa0e220 100644
 # for config files in a home directory
 -userdom_read_user_home_content_files(setfiles_t)
 +userdom_read_user_home_content_files(setfiles_domain)
+userdom_read_admin_home_files(setfiles_domain)
 +userdom_rw_inherited_user_home_content_files(setfiles_domain)
 
 ifdef(`distro_debian',`
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -546,7 +546,7 @@ index 058d908..1e92177 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..d77f4a6 100644
+index eb50f07..2e7633c 100644
 --- a/abrt.te
 +++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@ -984,7 +984,7 @@ index eb50f07..d77f4a6 100644
 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
 
 domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +451,58 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +451,60 @@ corecmd_exec_shell(abrt_retrace_worker_t)
 
 dev_read_urand(abrt_retrace_worker_t)
 
@ -1030,6 +1030,8 @@ index eb50f07..d77f4a6 100644
 kernel_read_kernel_sysctls(abrt_dump_oops_t)
 kernel_read_ring_buffer(abrt_dump_oops_t)
 
+auth_read_passwd(abrt_dump_oops_t)
+
 +dev_read_urand(abrt_dump_oops_t)
 +dev_read_rand(abrt_dump_oops_t)
 +
@ -1047,7 +1049,7 @@ index eb50f07..d77f4a6 100644
 
 #######################################
 #
-@@ -404,7 +510,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,7 +512,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
 #
 
 allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@ -1056,7 +1058,7 @@ index eb50f07..d77f4a6 100644
 
 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
 
-@@ -413,16 +519,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -413,16 +521,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
 corecmd_exec_bin(abrt_watch_log_t)
 
 logging_read_all_logs(abrt_watch_log_t)
@ -1100,7 +1102,7 @@ index eb50f07..d77f4a6 100644
 ')
 
 #######################################
-@@ -430,10 +562,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +564,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
 # Global local policy
 #
 
@ -5147,7 +5149,7 @@ index f6eb485..164501c 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
 ')
 diff --git a/apache.te b/apache.te
-index 6649962..3226dec 100644
+index 6649962..12fcbb6 100644
 --- a/apache.te
 +++ b/apache.te
@@ -5,280 +5,339 @@ policy_module(apache, 2.7.2)
@ -6924,7 +6926,7 @@ index 6649962..3226dec 100644
 	mysql_read_config(httpd_suexec_t)
 
 	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1391,106 @@ optional_policy(`
+@@ -1083,172 +1391,107 @@ optional_policy(`
 	')
 ')
 
@ -6989,6 +6991,7 @@ index 6649962..3226dec 100644
 +files_search_spool(httpd_sys_script_t)
 
 -seutil_dontaudit_search_config(httpd_script_domains)
+logging_send_syslog_msg(httpd_sys_script_t)
 +logging_inherit_append_all_logs(httpd_sys_script_t)
 
 -tunable_policy(`httpd_enable_cgi && httpd_unified',`
@ -7161,7 +7164,7 @@ index 6649962..3226dec 100644
 ')
 
 tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1498,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1499,74 @@ tunable_policy(`httpd_read_user_content',`
 ')
 
 tunable_policy(`httpd_use_cifs',`
@ -7258,7 +7261,7 @@ index 6649962..3226dec 100644
 
 ########################################
 #
-@@ -1321,8 +1573,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1574,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
 #
 
 optional_policy(`
@ -7275,7 +7278,7 @@ index 6649962..3226dec 100644
 ')
 
 ########################################
-@@ -1330,49 +1589,38 @@ optional_policy(`
+@@ -1330,49 +1590,38 @@ optional_policy(`
 # User content local policy
 #
 
@ -7340,7 +7343,7 @@ index 6649962..3226dec 100644
 kernel_read_system_state(httpd_passwd_t)
 
 corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1630,101 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1631,101 @@ dev_read_urand(httpd_passwd_t)
 
 domain_use_interactive_fds(httpd_passwd_t)
 
@ -9460,7 +9463,7 @@ index e73fb79..2badfc0 100644
 	domain_system_change_exemption($1)
 	role_transition $2 bitlbee_initrc_exec_t system_r;
 diff --git a/bitlbee.te b/bitlbee.te
-index f5c1a48..f255b29 100644
+index f5c1a48..f7b4f1d 100644
 --- a/bitlbee.te
 +++ b/bitlbee.te
@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t)
@ -9508,7 +9511,7 @@ index f5c1a48..f255b29 100644
 corenet_tcp_connect_ircd_port(bitlbee_t)
 corenet_tcp_sendrecv_ircd_port(bitlbee_t)
 
-@@ -109,16 +116,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
+@@ -109,16 +116,17 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
 dev_read_rand(bitlbee_t)
 dev_read_urand(bitlbee_t)
 
@ -9521,10 +9524,14 @@ index f5c1a48..f255b29 100644
 logging_send_syslog_msg(bitlbee_t)
 
 -miscfiles_read_localization(bitlbee_t)
-
+optional_policy(`
+    dbus_system_bus_client(bitlbee_t)
+')
+ 
 optional_policy(`
 	tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
 ')
+
 diff --git a/blueman.fc b/blueman.fc
 index c295d2e..4f84e9c 100644
 --- a/blueman.fc
@ -10522,10 +10529,10 @@ index 0000000..968c957
 +')
 diff --git a/brltty.te b/brltty.te
 new file mode 100644
-index 0000000..0efa3a2
+index 0000000..eabda1e
 --- /dev/null
 +++ b/brltty.te
-@@ -0,0 +1,61 @@
+@@ -0,0 +1,62 @@
 +policy_module(brltty, 1.0.0)
 +
 +########################################
@ -10577,6 +10584,7 @@ index 0000000..0efa3a2
 +
 +dev_read_sysfs(brltty_t)
 +dev_rw_generic_usb_dev(brltty_t)
+dev_rw_input_dev(brltty_t)
 +
 +fs_getattr_all_fs(brltty_t)
 +
@ -19713,7 +19721,7 @@ index 3023be7..0317731 100644
 +	files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
 ')
 diff --git a/cups.te b/cups.te
-index c91813c..325c5e3 100644
+index c91813c..9533fa0 100644
 --- a/cups.te
 +++ b/cups.te
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
@ -19986,7 +19994,7 @@ index c91813c..325c5e3 100644
 
 selinux_compute_access_vector(cupsd_t)
 selinux_validate_context(cupsd_t)
-@@ -244,23 +287,28 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -244,22 +287,27 @@ auth_dontaudit_read_pam_pid(cupsd_t)
 auth_rw_faillog(cupsd_t)
 auth_use_nsswitch(cupsd_t)
 
@ -20008,18 +20016,17 @@ index c91813c..325c5e3 100644
 
 userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
 +userdom_dontaudit_search_user_home_dirs(cupsd_t)
-+userdom_dontaudit_search_user_home_content(cupsd_t)
-+userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
 userdom_dontaudit_search_user_home_content(cupsd_t)
- 
+userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
+userdom_dontaudit_search_user_home_content(cupsd_t)
+
 +tunable_policy(`cups_execmem',`
 +	allow cupsd_t self:process { execmem execstack };
 +')
 +
-+
+ 
 optional_policy(`
 	apm_domtrans_client(cupsd_t)
- ')
@@ -272,6 +320,8 @@ optional_policy(`
 optional_policy(`
 	dbus_system_bus_client(cupsd_t)
@ -20166,7 +20173,18 @@ index c91813c..325c5e3 100644
 ')
 
 optional_policy(`
-@@ -487,10 +533,6 @@ optional_policy(`
+@@ -467,6 +513,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+	libs_exec_ldconfig(cupsd_config_t)
+')
+
+optional_policy(`
+ 	rpm_read_db(cupsd_config_t)
+ ')
+ 
+@@ -487,10 +537,6 @@ optional_policy(`
 # Lpd local policy
 #
 
@ -20177,7 +20195,7 @@ index c91813c..325c5e3 100644
 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 
 allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -508,15 +550,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -508,15 +554,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
 
 kernel_read_kernel_sysctls(cupsd_lpd_t)
 kernel_read_system_state(cupsd_lpd_t)
@ -20195,7 +20213,7 @@ index c91813c..325c5e3 100644
 corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
 
 corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
-@@ -537,9 +579,6 @@ auth_use_nsswitch(cupsd_lpd_t)
+@@ -537,9 +583,6 @@ auth_use_nsswitch(cupsd_lpd_t)
 
 logging_send_syslog_msg(cupsd_lpd_t)
 
@ -20205,7 +20223,7 @@ index c91813c..325c5e3 100644
 optional_policy(`
 	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
 ')
-@@ -550,7 +589,6 @@ optional_policy(`
+@@ -550,7 +593,6 @@ optional_policy(`
 #
 
 allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@ -20213,7 +20231,7 @@ index c91813c..325c5e3 100644
 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
 
 append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -566,148 +604,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -566,148 +608,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
 
 kernel_read_system_state(cups_pdf_t)
 
@ -20242,11 +20260,13 @@ index c91813c..325c5e3 100644
 -	fs_manage_cifs_dirs(cups_pdf_t)
 -	fs_manage_cifs_files(cups_pdf_t)
 -')
-
-optional_policy(`
+userdom_home_manager(cups_pdf_t)
+ 
+ optional_policy(`
 -	lpd_manage_spool(cups_pdf_t)
-')
-
+	gnome_read_config(cups_pdf_t)
+ ')
+ 
 -########################################
 -#
 -# HPLIP local policy
@ -20352,20 +20372,18 @@ index c91813c..325c5e3 100644
 -optional_policy(`
 -	seutil_sigchld_newrole(hplip_t)
 -')
-+userdom_home_manager(cups_pdf_t)
- 
- optional_policy(`
+-
+-optional_policy(`
 -	snmp_read_snmp_var_lib_files(hplip_t)
-+	gnome_read_config(cups_pdf_t)
- ')
- 
+-')
+-
 -optional_policy(`
 -	udev_read_db(hplip_t)
 -')
 
 ########################################
 #
-@@ -735,7 +648,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -735,7 +652,6 @@ kernel_read_kernel_sysctls(ptal_t)
 kernel_list_proc(ptal_t)
 kernel_read_proc_symlinks(ptal_t)
 
@ -20373,7 +20391,7 @@ index c91813c..325c5e3 100644
 corenet_all_recvfrom_netlabel(ptal_t)
 corenet_tcp_sendrecv_generic_if(ptal_t)
 corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -745,13 +657,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -745,13 +661,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
 corenet_tcp_bind_ptal_port(ptal_t)
 corenet_tcp_sendrecv_ptal_port(ptal_t)
 
@ -20387,7 +20405,7 @@ index c91813c..325c5e3 100644
 files_read_etc_runtime_files(ptal_t)
 
 fs_getattr_all_fs(ptal_t)
-@@ -759,8 +669,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -759,8 +673,6 @@ fs_search_auto_mountpoints(ptal_t)
 
 logging_send_syslog_msg(ptal_t)
 
@ -20396,7 +20414,7 @@ index c91813c..325c5e3 100644
 sysnet_read_config(ptal_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -773,3 +681,4 @@ optional_policy(`
+@@ -773,3 +685,4 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(ptal_t)
 ')
@ -20666,7 +20684,7 @@ index 83bfda6..92d9fb2 100644
 	domain_system_change_exemption($1)
 	role_transition $2 cyrus_initrc_exec_t system_r;
 diff --git a/cyrus.te b/cyrus.te
-index 4283f2d..0632ef7 100644
+index 4283f2d..21a3620 100644
 --- a/cyrus.te
 +++ b/cyrus.te
@@ -29,7 +29,7 @@ files_pid_file(cyrus_var_run_t)
@ -20678,7 +20696,7 @@ index 4283f2d..0632ef7 100644
 dontaudit cyrus_t self:capability sys_tty_config;
 allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow cyrus_t self:process setrlimit;
-@@ -63,7 +63,6 @@ kernel_read_kernel_sysctls(cyrus_t)
+@@ -63,12 +63,12 @@ kernel_read_kernel_sysctls(cyrus_t)
 kernel_read_system_state(cyrus_t)
 kernel_read_all_sysctls(cyrus_t)
 
@ -20686,7 +20704,13 @@ index 4283f2d..0632ef7 100644
 corenet_all_recvfrom_netlabel(cyrus_t)
 corenet_tcp_sendrecv_generic_if(cyrus_t)
 corenet_tcp_sendrecv_generic_node(cyrus_t)
-@@ -76,6 +75,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
+ corenet_tcp_sendrecv_all_ports(cyrus_t)
+ corenet_tcp_bind_generic_node(cyrus_t)
+corenet_tcp_bind_cyrus_imapd_port(cyrus_t)
+ 
+ corenet_sendrecv_mail_server_packets(cyrus_t)
+ corenet_tcp_bind_mail_port(cyrus_t)
+@@ -76,6 +76,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
 corenet_sendrecv_lmtp_server_packets(cyrus_t)
 corenet_tcp_bind_lmtp_port(cyrus_t)
 
@ -20696,7 +20720,7 @@ index 4283f2d..0632ef7 100644
 corenet_sendrecv_pop_server_packets(cyrus_t)
 corenet_tcp_bind_pop_port(cyrus_t)
 
-@@ -95,8 +97,6 @@ domain_use_interactive_fds(cyrus_t)
+@@ -95,8 +98,6 @@ domain_use_interactive_fds(cyrus_t)
 
 files_list_var_lib(cyrus_t)
 files_read_etc_runtime_files(cyrus_t)
@ -20705,7 +20729,7 @@ index 4283f2d..0632ef7 100644
 
 fs_getattr_all_fs(cyrus_t)
 fs_search_auto_mountpoints(cyrus_t)
-@@ -107,7 +107,6 @@ libs_exec_lib_files(cyrus_t)
+@@ -107,7 +108,6 @@ libs_exec_lib_files(cyrus_t)
 
 logging_send_syslog_msg(cyrus_t)
 
@ -20713,7 +20737,7 @@ index 4283f2d..0632ef7 100644
 miscfiles_read_generic_certs(cyrus_t)
 
 userdom_use_unpriv_users_fds(cyrus_t)
-@@ -121,6 +120,10 @@ optional_policy(`
+@@ -121,6 +121,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -20724,7 +20748,7 @@ index 4283f2d..0632ef7 100644
 	kerberos_read_keytab(cyrus_t)
 	kerberos_use(cyrus_t)
 ')
-@@ -134,8 +137,8 @@ optional_policy(`
+@@ -134,8 +138,8 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -22477,7 +22501,7 @@ index a7326da..c87b5b7 100644
 	admin_pattern($1, denyhosts_var_lock_t)
 ')
 diff --git a/denyhosts.te b/denyhosts.te
-index 583a527..1053281 100644
+index 583a527..91c4104 100644
 --- a/denyhosts.te
 +++ b/denyhosts.te
@@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t)
@ -22498,7 +22522,7 @@ index 583a527..1053281 100644
 corenet_all_recvfrom_netlabel(denyhosts_t)
 corenet_tcp_sendrecv_generic_if(denyhosts_t)
 corenet_tcp_sendrecv_generic_node(denyhosts_t)
-@@ -57,13 +59,17 @@ corenet_sendrecv_smtp_client_packets(denyhosts_t)
+@@ -57,13 +59,19 @@ corenet_sendrecv_smtp_client_packets(denyhosts_t)
 corenet_tcp_connect_smtp_port(denyhosts_t)
 corenet_tcp_sendrecv_smtp_port(denyhosts_t)
 
@ -22509,6 +22533,8 @@ index 583a527..1053281 100644
 dev_read_urand(denyhosts_t)
 
 +auth_use_nsswitch(denyhosts_t)
+
+iptables_domtrans(denyhosts_t)
 +
 logging_read_generic_logs(denyhosts_t)
 logging_send_syslog_msg(denyhosts_t)
@ -22518,7 +22544,7 @@ index 583a527..1053281 100644
 sysnet_dns_name_resolve(denyhosts_t)
 sysnet_manage_config(denyhosts_t)
 sysnet_etc_filetrans_config(denyhosts_t)
-@@ -71,3 +77,7 @@ sysnet_etc_filetrans_config(denyhosts_t)
+@@ -71,3 +79,7 @@ sysnet_etc_filetrans_config(denyhosts_t)
 optional_policy(`
 	cron_system_entry(denyhosts_t, denyhosts_exec_t)
 ')
@ -28235,7 +28261,7 @@ index c62c567..6460877 100644
 +	allow $1 firewalld_unit_file_t:service all_service_perms;
 ')
 diff --git a/firewalld.te b/firewalld.te
-index 98072a3..cbaf309 100644
+index 98072a3..e91b89f 100644
 --- a/firewalld.te
 +++ b/firewalld.te
@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
@ -28254,15 +28280,16 @@ index 98072a3..cbaf309 100644
 ########################################
 #
 # Local policy
-@@ -37,6 +43,7 @@ allow firewalld_t self:udp_socket create_socket_perms;
+@@ -37,6 +43,8 @@ allow firewalld_t self:udp_socket create_socket_perms;
 
 manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
 manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+relabelfrom_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
 +manage_lnk_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
 
 allow firewalld_t firewalld_var_log_t:file append_file_perms;
 allow firewalld_t firewalld_var_log_t:file create_file_perms;
-@@ -48,8 +55,13 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
+@@ -48,8 +56,13 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
 files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
 allow firewalld_t firewalld_tmp_t:file mmap_file_perms;
 
@ -28276,7 +28303,7 @@ index 98072a3..cbaf309 100644
 
 kernel_read_network_state(firewalld_t)
 kernel_read_system_state(firewalld_t)
-@@ -63,20 +75,17 @@ dev_search_sysfs(firewalld_t)
+@@ -63,20 +76,17 @@ dev_search_sysfs(firewalld_t)
 
 domain_use_interactive_fds(firewalld_t)
 
@ -28302,7 +28329,7 @@ index 98072a3..cbaf309 100644
 
 optional_policy(`
 	dbus_system_domain(firewalld_t, firewalld_exec_t)
-@@ -95,6 +104,10 @@ optional_policy(`
+@@ -95,6 +105,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -29106,7 +29133,7 @@ index 4498143..84a4858 100644
 	ftp_run_ftpdctl($1, $2)
 ')
 diff --git a/ftp.te b/ftp.te
-index 36838c2..a09e8b2 100644
+index 36838c2..a422d04 100644
 --- a/ftp.te
 +++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
@ -29152,7 +29179,22 @@ index 36838c2..a09e8b2 100644
 
 ## <desc>
 ##	<p>
-@@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t)
+@@ -50,14 +57,6 @@ gen_tunable(ftpd_connect_db, false)
+ 
+ ## <desc>
+ ##	<p>
+-##	Determine whether ftpd can bind to all
+-##	unreserved ports for passive mode.
+-##	</p>
+-##	</desc>
+-gen_tunable(ftpd_use_passive_mode, false)
+-
+-## <desc>
+-##	<p>
+ ##	Determine whether ftpd can connect to
+ ##	all unreserved ports.
+ ##	</p>
+@@ -124,6 +123,9 @@ files_config_file(ftpd_etc_t)
 type ftpd_initrc_exec_t;
 init_script_file(ftpd_initrc_exec_t)
 
@ -29162,7 +29204,7 @@ index 36838c2..a09e8b2 100644
 type ftpd_keytab_t;
 files_type(ftpd_keytab_t)
 
-@@ -184,6 +194,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms;
+@@ -184,6 +186,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms;
 allow ftpd_t ftpd_lock_t:file manage_file_perms;
 files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
 
@ -29172,7 +29214,7 @@ index 36838c2..a09e8b2 100644
 manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
 manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
 manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -198,22 +211,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
+@@ -198,22 +203,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
 
 allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
 
@ -29199,7 +29241,7 @@ index 36838c2..a09e8b2 100644
 corenet_all_recvfrom_netlabel(ftpd_t)
 corenet_tcp_sendrecv_generic_if(ftpd_t)
 corenet_udp_sendrecv_generic_if(ftpd_t)
-@@ -229,9 +239,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
+@@ -229,9 +231,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
 corenet_sendrecv_ftp_data_server_packets(ftpd_t)
 corenet_tcp_bind_ftp_data_port(ftpd_t)
 
@ -29213,7 +29255,7 @@ index 36838c2..a09e8b2 100644
 files_read_etc_runtime_files(ftpd_t)
 files_search_var_lib(ftpd_t)
 
-@@ -250,7 +263,6 @@ logging_send_audit_msgs(ftpd_t)
+@@ -250,7 +255,6 @@ logging_send_audit_msgs(ftpd_t)
 logging_send_syslog_msg(ftpd_t)
 logging_set_loginuid(ftpd_t)
 
@ -29221,7 +29263,7 @@ index 36838c2..a09e8b2 100644
 miscfiles_read_public_files(ftpd_t)
 
 seutil_dontaudit_search_config(ftpd_t)
-@@ -259,32 +271,50 @@ sysnet_use_ldap(ftpd_t)
+@@ -259,37 +263,47 @@ sysnet_use_ldap(ftpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
 userdom_dontaudit_search_user_home_dirs(ftpd_t)
@ -29268,18 +29310,18 @@ index 36838c2..a09e8b2 100644
 -	files_manage_non_auth_files(ftpd_t)
 +	files_manage_non_security_dirs(ftpd_t)
 +	files_manage_non_security_files(ftpd_t)
-+')
-+
-+tunable_policy(`ftpd_use_passive_mode',`
-+	corenet_tcp_bind_all_unreserved_ports(ftpd_t)
-+')
+ ')
+ 
+-tunable_policy(`ftpd_use_passive_mode',`
+-	corenet_sendrecv_all_server_packets(ftpd_t)
+-	corenet_tcp_bind_all_unreserved_ports(ftpd_t)
 +
 +tunable_policy(`ftpd_connect_all_unreserved',`
 +	corenet_tcp_connect_all_unreserved_ports(ftpd_t)
 ')
 
- tunable_policy(`ftpd_use_passive_mode',`
-@@ -304,22 +334,19 @@ tunable_policy(`ftpd_connect_db',`
+ tunable_policy(`ftpd_connect_all_unreserved',`
+@@ -304,22 +318,19 @@ tunable_policy(`ftpd_connect_db',`
 	corenet_sendrecv_mssql_client_packets(ftpd_t)
 	corenet_tcp_connect_mssql_port(ftpd_t)
 	corenet_tcp_sendrecv_mssql_port(ftpd_t)
@ -29307,7 +29349,7 @@ index 36838c2..a09e8b2 100644
 	userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
 ')
 
-@@ -363,9 +390,8 @@ optional_policy(`
+@@ -363,9 +374,8 @@ optional_policy(`
 
 optional_policy(`
 	selinux_validate_context(ftpd_t)
@ -29318,7 +29360,7 @@ index 36838c2..a09e8b2 100644
 	kerberos_use(ftpd_t)
 ')
 
-@@ -416,21 +442,20 @@ optional_policy(`
+@@ -416,21 +426,20 @@ optional_policy(`
 #
 
 stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@ -29342,7 +29384,7 @@ index 36838c2..a09e8b2 100644
 
 miscfiles_read_public_files(anon_sftpd_t)
 
-@@ -443,23 +468,34 @@ tunable_policy(`sftpd_anon_write',`
+@@ -443,23 +452,34 @@ tunable_policy(`sftpd_anon_write',`
 # Sftpd local policy
 #
 
@ -29383,7 +29425,7 @@ index 36838c2..a09e8b2 100644
 ')
 
 tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -481,21 +517,11 @@ tunable_policy(`sftpd_anon_write',`
+@@ -481,21 +501,11 @@ tunable_policy(`sftpd_anon_write',`
 tunable_policy(`sftpd_full_access',`
 	allow sftpd_t self:capability { dac_override dac_read_search };
 	fs_read_noxattr_fs_files(sftpd_t)
@ -30816,10 +30858,10 @@ index 0000000..8c8c6c9
 +/var/run/glusterd.*	-s	gen_context(system_u:object_r:glusterd_var_run_t,s0)
 diff --git a/glusterd.if b/glusterd.if
 new file mode 100644
-index 0000000..1ed97fe
+index 0000000..07b266a
 --- /dev/null
 +++ b/glusterd.if
-@@ -0,0 +1,150 @@
+@@ -0,0 +1,170 @@
 +
 +## <summary>policy for glusterd</summary>
 +
@ -30923,6 +30965,26 @@ index 0000000..1ed97fe
 +	manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t)
 +')
 +
+######################################
+## <summary>
+##  Allow the specified domain to execute gluster's lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gluster_execute_lib',`
+    gen_require(`
+        type glusterd_var_lib_t;
+    ')
+
+    files_list_var_lib($1)
+    allow $1 glusterd_var_lib_t:dir search_dir_perms;
+    can_exec($1, glusterd_var_lib_t)
+')
+
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
@ -30972,10 +31034,10 @@ index 0000000..1ed97fe
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..fbc6a67
+index 0000000..9040220
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,201 @@
+@@ -0,0 +1,205 @@
 +policy_module(glusterfs, 1.1.2)
 +
 +## <desc>
@ -31166,6 +31228,10 @@ index 0000000..fbc6a67
 +')
 +
 +optional_policy(`
+    gluster_execute_lib(glusterd_t)
+')
+
+optional_policy(`
 +    rpc_domtrans_rpcd(glusterd_t)
 +    rpc_kill_rpcd(glusterd_t)
 +')
@ -37092,7 +37158,7 @@ index ca020fa..5f1a035 100644
 optional_policy(`
 	tgtd_manage_semaphores(iscsid_t)
 diff --git a/isns.te b/isns.te
-index bc11034..107ed2f 100644
+index bc11034..81253f4 100644
 --- a/isns.te
 +++ b/isns.te
@@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t)
@ -37103,15 +37169,18 @@ index bc11034..107ed2f 100644
 allow isnsd_t self:udp_socket { accept listen };
 allow isnsd_t self:unix_stream_socket { accept listen };
 
-@@ -46,8 +47,6 @@ corenet_tcp_bind_generic_node(isnsd_t)
+@@ -46,10 +47,7 @@ corenet_tcp_bind_generic_node(isnsd_t)
 corenet_sendrecv_isns_server_packets(isnsd_t)
 corenet_tcp_bind_isns_port(isnsd_t)
 
 -files_read_etc_files(isnsd_t)
-
+auth_use_nsswitch(isnsd_t)
+ 
 logging_send_syslog_msg(isnsd_t)
 
- miscfiles_read_localization(isnsd_t)
+-miscfiles_read_localization(isnsd_t)
+-
+-sysnet_dns_name_resolve(isnsd_t)
 diff --git a/jabber.fc b/jabber.fc
 index 59ad3b3..bd02cc8 100644
 --- a/jabber.fc
@ -41524,10 +41593,10 @@ index 1664036..51dd14f 100644
 -	unconfined_domtrans(kudzu_t)
 -')
 diff --git a/l2tp.fc b/l2tp.fc
-index d5d1572..82267a7 100644
+index d5d1572..ddc6ef2 100644
 --- a/l2tp.fc
 +++ b/l2tp.fc
-@@ -5,6 +5,7 @@
+@@ -5,7 +5,9 @@
 /etc/sysconfig/.*l2tpd	--	gen_context(system_u:object_r:l2tp_conf_t,s0)
 
 /usr/sbin/.*l2tpd	--	gen_context(system_u:object_r:l2tpd_exec_t,s0)
@ -41535,6 +41604,8 @@ index d5d1572..82267a7 100644
 
 /var/run/.*l2tpd(/.*)?	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
 /var/run/prol2tpd\.ctl	-s	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
+ /var/run/.*l2tpd\.pid	--	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
+/var/run/*.xl2tpd.*	--	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
 diff --git a/l2tp.if b/l2tp.if
 index 73e2803..34ca3aa 100644
 --- a/l2tp.if
@ -41765,7 +41836,7 @@ index 73e2803..34ca3aa 100644
 	role_transition $2 l2tpd_initrc_exec_t system_r;
 	allow $2 system_r;
 diff --git a/l2tp.te b/l2tp.te
-index bb06a7f..5546de2 100644
+index bb06a7f..01e784b 100644
 --- a/l2tp.te
 +++ b/l2tp.te
@@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t)
@ -41827,7 +41898,7 @@ index bb06a7f..5546de2 100644
 +')
 +
 +optional_policy(`
-+	networkmanager_read_pid_files(l2tpd_t)
+	networkmanager_manage_pid_files(l2tpd_t)
 +')
 +
 +optional_policy(`
@ -51967,10 +52038,10 @@ index ff1d68c..86d8c9b 100644
 +
 +
 diff --git a/munin.fc b/munin.fc
-index eb4b72a..af28bb5 100644
+index eb4b72a..4ea6ce7 100644
 --- a/munin.fc
 +++ b/munin.fc
-@@ -1,77 +1,79 @@
+@@ -1,77 +1,78 @@
 -/etc/munin(/.*)?	gen_context(system_u:object_r:munin_etc_t,s0)
 -
 +/etc/munin(/.*)?			gen_context(system_u:object_r:munin_etc_t,s0)
@ -52077,7 +52148,7 @@ index eb4b72a..af28bb5 100644
 /usr/share/munin/plugins/unbound	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
 /usr/share/munin/plugins/uptime	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
 /usr/share/munin/plugins/users	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/yum	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/yum	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
 
 -/var/lib/munin(/.*)?	gen_context(system_u:object_r:munin_var_lib_t,s0)
 +/var/lib/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
@ -53191,7 +53262,7 @@ index 687af38..5381f1b 100644
 +	mysql_stream_connect($1)
 ')
 diff --git a/mysql.te b/mysql.te
-index 7584bbe..e14423d 100644
+index 7584bbe..a110a1a 100644
 --- a/mysql.te
 +++ b/mysql.te
@@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1)
@ -53418,7 +53489,7 @@ index 7584bbe..e14423d 100644
 logging_send_syslog_msg(mysqld_safe_t)
 
 -miscfiles_read_localization(mysqld_safe_t)
-+auth_read_passwd(mysqld_safe_t)
+auth_use_nsswitch(mysqld_safe_t)
 +
 +domain_dontaudit_signull_all_domains(mysqld_safe_t)
 
@ -92290,7 +92361,7 @@ index 98c9e0a..562666e 100644
 	files_search_pids($1)
 	admin_pattern($1, sblim_var_run_t)
 diff --git a/sblim.te b/sblim.te
-index 299756b..2b642a3 100644
+index 299756b..1a69cf7 100644
 --- a/sblim.te
 +++ b/sblim.te
@@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
@ -92376,8 +92447,12 @@ index 299756b..2b642a3 100644
 allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
 allow sblim_gatherd_t self:unix_stream_socket { accept listen };
 
-@@ -84,6 +97,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
+@@ -82,8 +95,12 @@ fs_search_cgroup_dirs(sblim_gatherd_t)
+ storage_raw_read_fixed_disk(sblim_gatherd_t)
+ storage_raw_read_removable_device(sblim_gatherd_t)
 
+auth_use_nsswitch(sblim_gatherd_t)
+
 init_read_utmp(sblim_gatherd_t)
 
 +logging_send_syslog_msg(sblim_gatherd_t)
@ -92385,7 +92460,7 @@ index 299756b..2b642a3 100644
 sysnet_dns_name_resolve(sblim_gatherd_t)
 
 term_getattr_pty_fs(sblim_gatherd_t)
-@@ -103,8 +118,9 @@ optional_policy(`
+@@ -103,8 +120,9 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -92396,7 +92471,7 @@ index 299756b..2b642a3 100644
 ')
 
 optional_policy(`
-@@ -117,6 +133,59 @@ optional_policy(`
+@@ -117,6 +135,59 @@ optional_policy(`
 # Reposd local policy
 #
 
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 114%{?dist}
+Release: 115%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -602,6 +602,27 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Thu Mar 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-115
+- Allow glusterd_t exec glusterd_var_lib_t files. BZ(1198406)
+- Add gluster_exec_lib interface.
+- Allow l2tpd to manage NetworkManager pid files
+- Allow firewalld_t relabelfrom firewalld_rw_etc_t. BZ(1195327)
+- Allow cyrus bind tcp berknet port. BZ(1198347)
+- Add nsswitch domain for more serviecs.
+- Allow abrt_dump_oops_t read /etc/passwd file. BZ(1197190)
+- Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling.
+- Make munin yum plugin as unconfined by default.
+- Allow bitlbee connections to the system DBUS.
+- Allow system apache scripts to send log messages.
+- Allow denyhosts execute iptables. BZ(1197371)
+- Allow brltty rw event device. BZ(1190349)
+- Allow cupsd config to execute ldconfig. BZ(1196608)
+- xdm_t now needs to manage user ttys
+- Allow ping_t read urand. BZ(1181831)
+- Add support for tcp/2005 port.
+- Allow setfiles domain to access files with admin_home_t. semanage -i /root/testfile.
+- In F23 we are running xserver as the user, need this to allow confined users to us X
+
 * Mon Feb 25 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-114
 - Fix source filepath for moving html files.