From fa95f253bf55bdf83d0b55539266d6ad5449449d Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mon, 19 Jun 2017 10:01:33 +0200 Subject: [PATCH] * Mon Jun 19 2017 Lukas Vrabec - 3.13.1-258 - Allow rpcbind_t to execute systemd_tmpfiles_exec_t binary files. - Merge branch 'rawhide' of github.com:wrabcak/selinux-policy-contrib into rawhide - Allow qemu to authenticate SPICE connections with SASL GSSAPI when SSSD is in use - Fix dbus_dontaudit_stream_connect_system_dbusd() interface to require TYPE rather than ATTRIBUTE for systemd_dbusd_t. - Allow httpd_t to read realmd_var_lib_t files - Allow unconfined_t user all user namespace capabilities. - Add interface systemd_tmpfiles_exec() - Add interface libs_dontaudit_setattr_lib_files() - Dontaudit xdm_t domain to setattr on lib_t dirs - Allow sysadm_r role to jump into dirsrv_t --- container-selinux.tgz | Bin 6818 -> 6832 bytes policy-rawhide-base.patch | 269 ++++++++++++++++++++++------------- policy-rawhide-contrib.patch | 124 ++++++++-------- selinux-policy.spec | 14 +- 4 files changed, 250 insertions(+), 157 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index 627306af00b02e8e38cf399044f93f5f842f5316..96ee255553f7635c6d53ee843549716e08de4b3c 100644 GIT binary patch delta 6312 zcmV;Z7+2?_HLx{*ABzY8T!cqi00Zq^>yO+vlF!%aze2DBcqXvt+pntl5Jiy`rB*vWU>Zo;)2jNBERw}yu~>@Aq7Bm` zsV~#*S10;h!{@v2zQymG@84ak-|%_+?e}lreRcEp=Jw_``|I1Aw{O3?zIl6l{qC#a z`cxHCKZm9b>mc|lyRXAd5?SfSp8r4ntX{qherOJP9@bBP{>PEED}VJdi4JX|pr=L9 z?$saSGKYU$66=-18~jj(b(jZ5m?wXF!KhyRc~HVn^dJbctb9n~pe=*84vQwmMwvjb z2o?UlN{cqBw_%i=|0-*XXjf-v?Ng<+K=QP& z4L>Fzfpz=A!If9rhJPqtU947TQCTNZ9*h0PWS9@`$ zC+)=w3s|r#IkM8FJM9VUHUF+Xo7A;uwyxC*sLL!d!2bvV%%@b#@310hZ^S3yW$>_o)@KYvBkay~j|TND;V>6~Rp zPN=^nVNCL^>JkTE04o)UzuXR|*g`YNV~|^f4OLxJ^=6Ig3bYn$%|l`3>aV;GQj1x&lh+b;lF3 zJf!VD2!Zg>f`r>N3aItnehkzd(uIm1tm^b0%R$P|*r6ISuf-Z`VZcWR7c~VoQK*TT zP*8bCB!8tTMKRuWl!Z-WDT`yP+`e17!l4`|nlC;=) z6>FX%LdSVKy^IsY<)Kn0!PmF&-&^?a+hy&upa1=*FJ$E)E2c{0Y3l}TgDnaNpqdE= zF##EWTzuQtB=!9wZrz1^f0ljsQ`07S)Miut7k~P*Ly@*5{;s1KcFYYeQ4s5`6v^u( zE74d7Nu@BJ=t;mof|+;gwq)QHD3*s9Yr=30`%$GP@9`^;BSY>;N4R)}0=|IpKLz(^ zblcE04vRQ=s8f@HohLc0Tz~weegGNevpisio{%)q4|%|_h3qFtQx|3sXwvLY%c^~v zx+{bS8opJW!9*ACp@G5HK9PFFxzHD?m?4^IAVCVqM-2GAYVcFK9gt!QGep_ z#IiIZ$?M>Se0B+ZFD_=|#AS3hAEW{9^`J)h>l`#N^;MiVQItdpk9?k`aSi@>s;YQPZKl#j_W&1aZs z)Gi2D!u}x(pO#0wT@W&C%RCi201THJR_%2d=V`&#B0LDPO&_*c38YK;0ML$f{gg!^ z{2S8fz{Uq*0EYf!(6nHZ&p&o`XujmpS4G|<5NXjagD+pd4Eve3Tx+N+ z87Qpfjkbj+@b@SoQ6EMZ@M^W?k-Y=^65$=J4^XRsw~yQ?q_a{e7}jp`@%BUi?$f#~ z@=2SP({vZr^H^_<)$uNR)PL>X8SYxZPB%Z;8GmQyjHeqwgaLhoO?nN|2%2;qYHqWtK)yG{S{bkb40`m;tRgfW1(jk2noqEr0FoU5AHu&x79v z9$$L+g#`&xeW!%-5<^d0C`~>xL{~u?{Cr&8g1MuP4c|PGUKdjE?vA4(HWh?p&shz| zHk0$0Yx7X+r<>iwSx{vMP_f>|ke3mxWBNXuK4A>KsUK94gK<+HinyT(gQuy>=rVR7 zEa8s`b?&M->kL9|;eU_{mapT@PFMxQ;>iHd*9;~LFgamCtDmY8n#(NJv|0A9z{27D zU3KS%n!8LtM#m2Ex{_FLDAi(4w|-n}2PS@&p}j*+W5}RV9qq9L$rw|n)x{6V7-H2S z>5nCn8%jp`7?JR)qe{b22*qj~cuDnG28-DHu>hLTh|juP@3Yh_@mcoY`f3>3UV8a+^8U$MdHaCTCo~BM`lih zZHY$CCT!BEzkmw)`Yo4Loov%bgFJtx2UHC9T8CzrCk*@w&mdHBGQPEVWRz!jlS=1P 
z*Gf>K7MjMg4T4UT?4FPGOBD{XGDkVfW72|_*e5XOYc+HtBvVlMM9FiRWx+pw{5hz~x|Q)J71s$29UIdgig2U0Rc=GT zG<_Xx!>mazv?}o$F$U*@m+(V)omhS5ybtklw3boGz#frCrKqydM*B z-g`P6W72iouc8vt!|+I4W{V(PUT4oNNho77gf+FbkMH27iy3KghK3H%YdAAB9!8Nwc(l3O)wWzI-Tx zyA%wdE&L0>woTHeagg5?WgKAF&|ww*Ym*i-)|`H*L$GO*b_vp3Mzf$qgJ6`JpMRra zoUn4J#t!PdnUza@p1gUpqoYCi_T<2TaTaW>291v~?K`HuFB8=1cfp1K_GB{!H}Im> zA3f39s9FH!5D!qMuy+&kHrS9Y&>Wg7DPk9=t}E51pgV*ntJgSYN+^J7Qbs9M-eX2l z7$W&a0(_f`N$XdZC&QwLVr&Q5Arew zGht=Csyoj;G@xHH}nB~8b%Jh4E_?wEPgHz?~-0{%RY(jf`_ucy9Ba-E30IC$g(GN zxPt`p@}9i$MevXW`w;#JgH3`02%0iGpa&PY{*x0RPh8S*-L}MbK!4}HX3-oE5!6D*&$~ zuU>XET}i#X6wBFMV`&EzU| zk+kTZ@Fk~Pm48o7)Ml2d2;v7s_96wbHPJqa{R+qPZi^7QsNglleuq(;-ot!~E#-6i z7@r+tN*%`wVNV*DP(-X=x{LN%kIP9vwQ@76wBy5Yv`Tt3Y8T)q!uno0=L(~meUvZQ zd3ZtR5JCsj#vDCz(Wh$mNtSug`8k%3I5q5@=LxoSJAZ>|W?5RW(85Q1`?jq-ix4bP zndeoOJg#X>j`Q|TH+>~&Wb!-Xoqduz<0yITWRxv;G}XDfV-e&QdWAgdf-#-MosR2i z2fUg!nQOE#ev;`&%x|-Xwt1{H_R!!3tQ?R3eIQw81Fz;C3i88fersEIp$mygpQ6j1 zZRC{9?|(B=c@JSU{hn}?`minwmI#%nMKQOfY0DZ-IE-N+_5FxJd}(uMp{JvJT*Qi| zc}Ux6Z>Hm^0QBJl8`HRaut4+dt>SK$nTm+;`N7g6PEb~Eew#X?=VBYlPfRH%0!G3( zI(pTm#lQ(qtp&4Sy)KG5z1r9^l_GbX~x1%&qA_Y8@rE z_M2FRUAu)}03ienhw9L3OH5vr`-eDeL&rQK+gnUJdj(zwLuyCQIrajKS0?;byw5A9 zFXU^(ER!oav?;e;<768ivX=Q-9&I8~IoR;CK|eLP#Khcxvu641ER%*4lPQ#Low$Ys zDSu6~?=G(zxn7wW>ngW8H!s*@CYp_d!VX|5bqkZf%$kwDu`s6QTOdbJtA|O8)2wP7NZFj%}oKEPlrBAZ;4!@F33j zNJhP&#jW<GTVx272C}bq=!xj2X8JMt=~y z9V`Z7AO8-$-pUL4R30WEWy8^fR_#MF#)X%Pcs*Hr#@1-Fhn5zyxNH_Tqun$b@UaYv zsE}buCHo|U$>=h_SF1R=SN9+mPn1Fgg2Tgho0|(LsoP<(wagYta`2$Z?rF_!>(Ws* zO#hFya#CbvS$RSE6^WGtlcILI0Dpwc(k6{58f$cm&bKN@FpTcd2OK_o@Bx!NlbggP zPu#}*4UA{J0Is``+J~-y|0s?wHGAz%xc&Cp`kV8N?c-I?gloH>c#!!@py}V9cMU0> zbi@?`D!bv4H?FqGjn?{+Z9M&m$;q;aABL8!{Q;(9wsAmu`eFzzEy_0CK7YAgHfga> zP$S1mh|)-lWG$C>LygGu!LRI9cZemO)z+P)B(2)~(Lo|44@g$Y6QS?}j1r1@aVXG$ zj6&)J`+*x;V6ao~Hj2=94g6@|uG2kc=DDH)Bd;&pTmcmx*S zahKW_O?f}UXRj)0+1T*BOMfA_q-BRcI1jNp4%Ts9K@M3NnM5e;R35v!Q<5tvQ|3C+U({-424|J(cW#BIhGkuHW<>WhBTV!;h&C;3{x6pG&s6d@t&<0^6XMZ^zOo7x_v5qN_XoLA 
zx1C7X7>fwcR0=#gwI)8fSiMvUyE|5silV77dOXC)9A__VMl*SseI`mV701e!Q`WVz z6150W^raUzTaSSTp@r)uWxC8BBM#8zxnK9Ri`nTb5|_!u!js_?9Rf0%k`*EcuVnd1 zFXkMRDHS0uNp+1Wjwq?#F_&3gnfeB=Trkd-K`}B@?o@syw3{P1MmW9ar#lw39{d@S z`I?h>6(0h5iIbTX94d=;dU2_4Qi!oI$UMtlpZ<}5d_0*N5Bk+7y?q@Ya z8GD(G=rMn#cEfGcS(#~$QXYihU?kr-He6cowq3#D#LZL;@BeGcPxC+$M0EK z-b^y0_K$s436m=pJ22h`1B*78)2NIu@vV7*!FH7y=ezn{@Wd4?r>0sg`-LqIXnT@% z_Cde>pk?S}Ip33(7BU7ye@dnG?~~3JX$pHT_40?tjimqJlR+0B0S}X57gc|UiIJxi zY7F6>6eK%8yX%asuE%C`T`r63QbEf@^(C@vt7=SS*`|!!U?1?X?F0L&Fsj?0X&cXN z_L#_;XXjSJ8f6-8C8ee-Gepnq7w2cgb;ctXgeTHaTsn=q3VviE$^k!7qgEMjYc#Qa z2X6PZc%1oI4wXBCUM!e?#BP6#CDV?-txEm`huOY|*b@$~M-Qz%4y*kRseMJl=c&u$ z@kyvW#ycgy^BC3yz4hvK@N4%%YBd_#b_dT_Zp2Jd8^71*jR`9)sH4Wy{2W}Z8Rr?f z*5hHtPASyyB9E77NOyb6g=oDR!zuk<-L}X_*5-11vUi)g-~V=V{q2A4JN^A{H{U(K z|LwDUuFw*>`sI?n(S_cGh(jWIZ22q9)`$08z18o#q03WPH`g#%t`1Fom8Bch{#Oj= z>hhbjH*dVr#1@agRRvK^pzLcIXt2#XyrlrM$LI~hE!lR!yjrk|@GM%Uf`}%m{_B6P z{`(u|cwV-5-k{60X%~O1F-PU^omm>TDDTVckSA}Zi$ZycTL;~ckn6NuYE+#9uZ+@o zDZEAnTxJ&awa4OJq?EASB49R~L>BwwH|e1qyEfO?`@1Ph?9Sgn7-M4f-$pdvoS1SzQ+M8Evz z7tA2G6#W7EyumrMMZyl|+ z%yO+vlF!%aze2DBcqXvtWygE4vwK)12i$!) 
zAlO~tK3wiPYDwL#9lau{=W&MjZ@;SILli|)lv*A8aMM82o>tY5WRWZui^Wn@7Hyao zNqw1azd6z88b0sezr*jFKYV|!e#7VOyW5-FZ*Jb++`PXwy?OWk4{yJ@zIl6l{r;Qa z`cxHCKZm9b>mc|hyRXAd5?SfSp8p^HtX{qherOJP9@bBP`rDDUD}T#l5*^w^K~IaI z-K#&uWe)$iB-Sg1H~66n>o5FKr)1ZW(=s^%>S^1E}L0blG9TrWBjWU5= z5i0z9l@@JMZ^I}#|5eszT_1`z&672hM>wxu|GGNcCB?c&8wqOwk+JYF|RSV#NyCN0jty}4MOi3+W&u!VZ#ulC|h zPuhzW7O-Gfa%81TciI!yYyMq(HmPgRY+b7rP?uR^fd32pEWyJlN}6U26_KK_x*8om z@I7hdbiFSgiT-B2j|D@&*Xahk;M-d>211--u7Z%h+KGw-et(Ln<$QF`wkRx!(mBhH zoKSzIG8J)W=_ZJw`cYffY0^xPv~%8g3~jTBxlo{5J_5cEYb5PtOXUaO-k4}UKsy7D z5C2?ONu4*qxJ|R95e0K<>XC(2*ViU$8c@Hdpe+Mj@*OGhza(L-iJQ9iiwnAjict%x zIFLy@nA@wY6S{&Opp>rU^Pd;5X&Ycx^ zvl09|e9+y0rdf~cb5kWzx=o>jSV!X8nhaDPl^L@Ef&51kbE6;ET^iSOt*3PW3-#V7@IIB)sn^@{F+PwrGFn$shy@99qRI=(*F@OCTOK{ z^LLPUgBy%c=?W;N*BwvD@{qRsAOylg3leVAD4^DNn+H&LNEa%4u&UF0EC(rn#}3ty zc`eph3j;oSW2h1N`QLu}N>&cC zVyZNrwr;>)*rIR%s+nLA6Oi%8#kYM;Qr|D)gIvf_W!ZN>HEohdZ8p_~q(3_pX-neo zI*MV(+|UvQvEE9NyiT$bjdhSz3gd~M1pFhId4IQVO9oznVtI(MCJe{0A607d0lxw{ zGUSeQgo{@w;0qZ4Q*f`&Di~sQi8EltL%PT|D=gyRp-xQ(cAn(0a(($p{Qxq`XE`Aa zJt1kJAM$`<3)xSQrY_7N(4^U)mR0*SbqNnNe5*KviT=hz1B0!7BK3%Kp)XW1Lp0IG z$q#+il5-y)qM-2GAYVcFA(MmzQGdeIZ&@0VGZH zRe>A3mMYA|83=@07L&VXj(8ya#~-K_KVxktTt$G zV6A6|ffzTqme3E&Cc0mfS$`X8%Ra~tTC45UN9GNo#`!_`goECZ$_(q*Iq?4a^N(E} zny-2ERgw1yL|U}V;LF!9!+xeM*Ba_d1`2C=qix{{`~ylz)Q8apyjpE}WbeSfM0f}5 z1Jo+u?ISk|>8unAhP9h~y!|+}`?M~LeA1@nG~Gq@Jl0!db-arnb$`2ehPxK9)6EZd z#^0Gan935Wl>Dzh|tq7g2fg4_!j z!VGA|0qlkHe8g$^YJX{G?>aoRdmgDZ@c7chuPmaC>N_Rwlo)#2LTU1m@uUjU;OFDw z7R()WY^>pl^tzCOcXu2WUZ@}(d(LVwwwav2UYmznKi%ve&VnjCfQt1thP;em9n<&O z^a*3=P5q#X9E_XtP{a*Q7(7i~MwhVzVF`akTy9szS!WPx3x9`HuzVeFcETzc7EcCv zzGg64fXN99TK!a&&|GGzrp>Z}?F+}Ach#L67wt0r7#%yr>q=t1p;U`G-THB@9hmr8 zhV~9QjUj_db+pG0Bx6jORu?}cV~ACUq(7EOZYUY$V?@HIjw%g9Arz}|;3d^#87yM& z#{y_Vmk%Aa>VKbL+l*E-uX@m?u!^5ur4H8)n?J{eV%~bY_U6Y&sM9eh+CO4n)wC2R zwZ#p%;zW@7se3+wVotH7_#dA3tUI(|AH~(~b zeX-Ki4S$OgWzLzPF3YyOn`&vVUIsrUfK$`OVpy_PqzU7siFkxg#ba|4jBtVK1P}WJ 
z)M%|nql9E#3pX=4gR?C7+mAm7Rav((gs0+amZ4)~+Cvd;)V9i<9a#IXgKd~K$%R%W zUL&?C;HQx4K>?JW^SJR{T^_37oO`t{xRUp%1%J2c7(iDK+eQeQn})bfkx>FF)M>Z( zsf8_10ex|p_mp zai!WJ>Ke$+4%1r2sdZ7aJ$zrp?6*O$s6NLby;r|Dy?Pf)yA=OMKg{I3_jEYMq&K`@ zMSmqqis6yC%uaM;gi{|*L_LY~XRh8;Lf?m3_49p_2}aQcgkorS#6(#BqlF@!W_ogcl*6 zee5nmltp{CPv=9HAs7$%=wrzsMka*3gf1iR%=v)PAZS=s2jZpQKCaM>T_i32eXg_M zTAFU-WPAQ=LTla{b_ckVdC3FHaRG>rS%zS%cpbb6aMQu0zfX62Sb1sx-Y+?0ZhwQt z3dUWKTIOU+sIzE5e}q}U>@j%6Tx_O=ze%#~hbXMVO`4_cQ}8K>_T@tn+@)XuZQ)-4 zwr!F&jf4EIDB}RThR*-!Uz@a$;rsMM9fD1hv|E701#gY9Ta^Cg^T)ATfE6Ro`|BhF z`#8h%{t+gz#r_8r8XamFI_)@5-+$m7q29(A)ih3qK1!MeB^m^y)cj}?L$8%{N_O_? z&8*y$^yJN(9i6tqwk|0i;rLh zm6I;fXP~~aw76T}@%xR3QaHm0ur?VhkwUSFH4gk{7ut`knG+KiK zH=0=&k_89uL>7?$R2CYUFr4cox@R$AxXm7~*&H6KnkT&!*aUjH;disFv@MqA)Hm~R z{l3ZcJM1Ht1v3kWzg!4Jd4I2B0Z1Q>#N&N1Kg=h-xNqw+?-qK>A(59cm*GCifvLR301ey{~_*Z#B19mJ` z+T79Wg*nxT^aP$a%shZ+4Ko*RKd!)g7;s3_FpzDh0pT-@he@KevHKwP48Mm9;~Qh7 z^q)WTXajy!(GNN>wxx?iAVv(v$E|UT0r_VAdTNCY**spLr@3sh`3$$KSIDHtk={?M+*it^HkMY?drfht? z5cZ^T2}Q)}rMqaK^|+k$Q!6*4N;^IbN2{bqqjmv)BCPL~bFMI|*+=<;orf264k2_f zZOqXl7k_=KW}jr42c4f|>4;Oq-g%y2OSdzaW|pM|3oU%Kw{P3Zvk1Wwm3dxe$>W;F zA-q|OqGmetSPDa^sM^l}vI~GB1p;ySGE*R5E-08TUcEH$^1Se zmG=-v)9(pKsSoS2V7X;^rWtcvnzpRbgu@sHQs0jl#FsXA7J53m$3?7YnuoNF_GUVs zT|pl{urZCx2MaV$h%2tUnW=~fpC2qO;sj;o=C`RMdM>t+{KS;fOkgC8qoY?{rV*U* z)PL%{*;%N2#9$-g$rVuBHs5IzDbs*L8`J*@?E(HBL)QiD65^T;q}EYlYrlzA*tJ{u z1rS2OaHtNgw#4K`xqpbmHgwD*vc1Kmvsd6{Fr;?$oMSJ*cx4V{#rwQs`a-@o%rd!> zLz{BjHBPqSA#0hR<DGyB$T`zA`|dul zk?WP2v95BfbMt~dW}?|RDC_{1QnxVq%d8pc8w+zy zEt%s!jU984+@}?&V_bNth}V;~XKal&duVAPi_2zlGulm~0Ut|Bi3%BpRI*Pp zn2av-d$o#_dvya-+3=WE)REVsf%9;(v#sC2N0x>6mRCke}(Olf6wnbCk zkMP;6N?JBHJnvEnE@|1}56(lZj)QevSCB(iMkWyoJC(<-?v&&T%2Z{Hlv^dV8J8=b zp+q_h?o;Sg@}q9qCF)Ll{UNi5JMr?Q)4zgA+tm73yo=z1=EMA z9~EWdP?Go15qzt>KT1cF9$lZJ4M`a7Y}=+6Qo%Zf*%Edp+TUdSw^?W)cefqz>)1QvE$r+K^%E!p%wE=zq`9wV``yNH;{(4AYM zsbN`{oJr>W%m@>G4x&v9oBxX?QZ$vkP3z zAuf4}jVX>OsopV{SzVd>25+%2&Xz$jGWqaSekHVv-I^B>CKBVRW9Dt)hTbAUK91ym82u^d{#PbHA5MDKgdX$ 
zGM)=_M#e0ab7FodX@*UFWB1ospjP*tD$6rDI(x`go{^M4D_> zABl9?lsX$0dLDm$U|$u6XWLU|;{nVbGg9+3+e&<*%%`p7#&o54=-Kb$AZ)l`cqDc3 zL>h`qr%{))Pb}6r;74QBD&w__Cbn;-?M@Sq!yC)#a7WM!>eA23jX`1BIktaQTc6-m z+V?bi!YTCV>9fbFv)^g6uSobjb(t<=6jOJK2cK z?aAJ4=6?U%&Goz6?+5RHyS{&Ze*fF=@wq|+=IWPA_C^ z=tewGVclHA6uUY!^;MQ`aM8G8I9He7oxOSEjV88u{H-d8Y64|n%Rqxk*WoP%m_0^s z5N^q~1LoC&RfK2JG8IHLN%f!qef3}8F~{?=z4HcLrcJw8jX5fR@63PFutj-aW`{g^ zGhGzQOWZo>hJ;+FS6nJHn#!KNfD&R7+sINU1?;@pySOS9|6=8)go8` zb;WA^3nuFH1{LusCP;rt)gb!icfVi;d4D0YT=e6>BKN01vVWy1?dLMU7`QTZ9J%m# z+SZAKzytC22*?hzljAbOROy$nE%S8hOfoiH0p(eImK3WU{TLBTcwCj1ku4%!@jYlV zwZF{Wf0Pn-YATL-0)-`z&3fx-wPl81RD0QrSVoBn{DpOyfL(E1rD?#&Yc?>AX4)xT zWQ?pQf=PloQ`vyWD)-A}mBy1yvJp7+H3D9<4Bi`lNn;ri^3{vkxy@A2LEw_2#{gKd z*(PWJdUcWtw3~+`G|88C$~=FbKhK}%&-3T`^Za@KJb#`)C;I#^9yS6h0LTCUwv#ow diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index a8864592..7e1ae612 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -24358,10 +24358,10 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6..020ae3f 100644 +index 2522ca6..e5d8ff8 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -5,39 +5,101 @@ policy_module(sysadm, 2.6.1) +@@ -5,39 +5,102 @@ policy_module(sysadm, 2.6.1) # Declarations # @@ -24464,6 +24464,7 @@ index 2522ca6..020ae3f 100644 + dirsrv_manage_var_lib(sysadm_t) + dirsrv_manage_var_run(sysadm_t) + dirsrv_manage_config(sysadm_t) ++ dirsrv_run(sysadm_t, sysadm_r) +') + +optional_policy(` @@ -24473,7 +24474,7 @@ index 2522ca6..020ae3f 100644 ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,13 +117,7 @@ ifdef(`distro_gentoo',` +@@ -55,13 +118,7 @@ ifdef(`distro_gentoo',` init_exec_rc(sysadm_t) ') 
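Review bot: The new `dirsrv_run(sysadm_t, sysadm_r)` in the sysadm.te dirsrv block carries no comment saying why an interactive admin role now needs a domain transition into dirsrv_t, when the three existing `dirsrv_manage_*` lines beside it already cover the on-disk state. A run interface is a larger grant than manage-files (the admin shell can start directory-server binaries under dirsrv_t outside the init path), so the motivation belongs next to the rule, e.g. `# let sysadm_r start dirsrv tooling directly; presumably for running the server/setup binaries from an admin shell — confirm use case`. The enclosing optional_policy block starts before the hunk.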
@@ -24488,7 +24489,7 @@ index 2522ca6..020ae3f 100644 domain_ptrace_all_domains(sysadm_t) ') -@@ -71,9 +127,9 @@ optional_policy(` +@@ -71,9 +128,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) @@ -24499,7 +24500,7 @@ index 2522ca6..020ae3f 100644 ') optional_policy(` -@@ -87,6 +143,7 @@ optional_policy(` +@@ -87,6 +144,7 @@ optional_policy(` optional_policy(` asterisk_stream_connect(sysadm_t) @@ -24507,7 +24508,7 @@ index 2522ca6..020ae3f 100644 ') optional_policy(` -@@ -110,11 +167,17 @@ optional_policy(` +@@ -110,11 +168,17 @@ optional_policy(` ') optional_policy(` @@ -24525,7 +24526,7 @@ index 2522ca6..020ae3f 100644 ') optional_policy(` -@@ -122,11 +185,27 @@ optional_policy(` +@@ -122,11 +186,27 @@ optional_policy(` ') optional_policy(` @@ -24555,7 +24556,7 @@ index 2522ca6..020ae3f 100644 ') optional_policy(` -@@ -140,6 +219,10 @@ optional_policy(` +@@ -140,6 +220,10 @@ optional_policy(` ') optional_policy(` @@ -24566,7 +24567,7 @@ index 2522ca6..020ae3f 100644 dmesg_exec(sysadm_t) ') -@@ -156,6 +239,10 @@ optional_policy(` +@@ -156,6 +240,10 @@ optional_policy(` ') optional_policy(` @@ -24577,7 +24578,7 @@ index 2522ca6..020ae3f 100644 fstools_run(sysadm_t, sysadm_r) ') -@@ -164,6 +251,11 @@ optional_policy(` +@@ -164,6 +252,11 @@ optional_policy(` ') optional_policy(` @@ -24589,7 +24590,7 @@ index 2522ca6..020ae3f 100644 hadoop_role(sysadm_r, sysadm_t) ') -@@ -172,13 +264,31 @@ optional_policy(` +@@ -172,13 +265,31 @@ optional_policy(` # at things (e.g., ipsec auto --status) # probably should create an ipsec_admin role for this kind of thing ipsec_exec_mgmt(sysadm_t) @@ -24621,7 +24622,7 @@ index 2522ca6..020ae3f 100644 ') optional_policy(` -@@ -190,11 +300,12 @@ optional_policy(` +@@ -190,11 +301,12 @@ optional_policy(` ') optional_policy(` 
@@ -24636,7 +24637,7 @@ index 2522ca6..020ae3f 100644 ') optional_policy(` -@@ -210,22 +321,21 @@ optional_policy(` +@@ -210,22 +322,21 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -24666,7 +24667,7 @@ index 2522ca6..020ae3f 100644 ') optional_policy(` -@@ -237,14 +347,32 @@ optional_policy(` +@@ -237,14 +348,32 @@ optional_policy(` ') optional_policy(` @@ -24699,7 +24700,7 @@ index 2522ca6..020ae3f 100644 ') optional_policy(` -@@ -252,10 +380,20 @@ optional_policy(` +@@ -252,10 +381,20 @@ optional_policy(` ') optional_policy(` @@ -24720,7 +24721,7 @@ index 2522ca6..020ae3f 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -266,35 +404,46 @@ optional_policy(` +@@ -266,35 +405,46 @@ optional_policy(` ') optional_policy(` @@ -24774,7 +24775,7 @@ index 2522ca6..020ae3f 100644 ') optional_policy(` -@@ -308,6 +457,7 @@ optional_policy(` +@@ -308,6 +458,7 @@ optional_policy(` optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) @@ -24782,7 +24783,7 @@ index 2522ca6..020ae3f 100644 ') optional_policy(` -@@ -315,12 +465,20 @@ optional_policy(` +@@ -315,12 +466,20 @@ optional_policy(` ') optional_policy(` @@ -24804,7 +24805,7 @@ index 2522ca6..020ae3f 100644 ') optional_policy(` -@@ -345,30 +503,38 @@ optional_policy(` +@@ -345,30 +504,38 @@ optional_policy(` ') optional_policy(` @@ -24852,7 +24853,7 @@ index 2522ca6..020ae3f 100644 ') optional_policy(` -@@ -380,10 +546,6 @@ optional_policy(` +@@ -380,10 +547,6 @@ optional_policy(` ') optional_policy(` @@ -24863,7 +24864,7 @@ index 2522ca6..020ae3f 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -391,6 +553,9 @@ optional_policy(` +@@ -391,6 +554,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) 
@@ -24873,7 +24874,7 @@ index 2522ca6..020ae3f 100644 ') optional_policy(` -@@ -398,31 +563,34 @@ optional_policy(` +@@ -398,31 +564,34 @@ optional_policy(` ') optional_policy(` @@ -24914,7 +24915,7 @@ index 2522ca6..020ae3f 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -435,10 +603,6 @@ ifndef(`distro_redhat',` +@@ -435,10 +604,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -24925,7 +24926,7 @@ index 2522ca6..020ae3f 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -459,15 +623,79 @@ ifndef(`distro_redhat',` +@@ -459,15 +624,79 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25820,10 +25821,10 @@ index 0000000..f730286 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..89f4076 +index 0000000..883d9ea --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,360 @@ +@@ -0,0 +1,362 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -25888,6 +25889,8 @@ index 0000000..89f4076 + +allow unconfined_t file_type:system module_load; + ++allow unconfined_t self:cap_userns all_cap_userns_perms; ++ +kernel_rw_unlabeled_socket(unconfined_t) +kernel_rw_unlabeled_rawip_socket(unconfined_t) + @@ -30392,7 +30395,7 @@ index 6bf0ecc..e6be63a 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..4758042 100644 +index 8b40377..950a3dd 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` 
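Review bot: The added `allow unconfined_t self:cap_userns all_cap_userns_perms;` hard-codes the grant in unconfineduser.te rather than routing it through whatever shared interface gives unconfined domains their other permissions, so other unconfined domains will not pick it up and the two paths can drift. If the intent is that every unconfined domain gets user-namespace capabilities, the shared unconfined interface (outside this hunk) is the cleaner place; if it is deliberately limited to the login user domain, a one-line comment would stop the next reader from "fixing" it, e.g. `# user namespaces: the unconfined login user gets every cap_userns permission; not covered by the shared unconfined interface — confirm`. Either way the rule as written is consistent with unconfined_t's role, so this is a placement/documentation point, not a grant I would reject.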
@@ -30993,7 +30996,7 @@ index 8b40377..4758042 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,28 +650,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -442,28 +650,47 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -31025,6 +31028,7 @@ index 8b40377..4758042 100644 libs_exec_lib_files(xdm_t) +libs_exec_ldconfig(xdm_t) ++libs_dontaudit_setattr_lib_files(xdm_t) logging_read_generic_logs(xdm_t) @@ -31044,7 +31048,7 @@ index 8b40377..4758042 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +698,163 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +699,163 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -31214,7 +31218,7 @@ index 8b40377..4758042 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +867,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +868,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') @@ -31246,7 +31250,7 @@ index 8b40377..4758042 100644 ') optional_policy(` -@@ -518,8 +902,36 @@ optional_policy(` +@@ -518,8 +903,36 @@ optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -31284,7 +31288,7 @@ index 8b40377..4758042 100644 ') ') -@@ -530,6 +942,20 @@ optional_policy(` +@@ -530,6 +943,20 @@ optional_policy(` ') optional_policy(` @@ -31305,7 +31309,7 @@ index 8b40377..4758042 100644 hostname_exec(xdm_t) ') -@@ -547,28 +973,78 @@ optional_policy(` +@@ -547,28 +974,78 @@ optional_policy(` ') optional_policy(` 
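Review bot: The changelog says "Dontaudit xdm_t domain to setattr on lib_t dirs", but the line added here, `libs_dontaudit_setattr_lib_files(xdm_t)`, silences setattr on lib_t files (its body elsewhere in this patch is `dontaudit $1 lib_t:file setattr`), while the `libs_dontaudit_setattr_lib_dirs` interface this same commit introduces has no caller. One of the two is wrong: either the changelog should say files, or this call should be `libs_dontaudit_setattr_lib_dirs(xdm_t)` (or both calls, if the observed denials were on both classes). The xdm_t rule block continues outside the hunk.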
@@ -31393,7 +31397,7 @@ index 8b40377..4758042 100644 ') optional_policy(` -@@ -580,6 +1056,14 @@ optional_policy(` +@@ -580,6 +1057,14 @@ optional_policy(` ') optional_policy(` @@ -31408,7 +31412,7 @@ index 8b40377..4758042 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1078,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1079,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -31417,7 +31421,7 @@ index 8b40377..4758042 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1088,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1089,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -31430,7 +31434,7 @@ index 8b40377..4758042 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1105,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1106,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
@@ -31446,7 +31450,7 @@ index 8b40377..4758042 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1121,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1122,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -31457,7 +31461,7 @@ index 8b40377..4758042 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1136,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1137,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -31499,7 +31503,7 @@ index 8b40377..4758042 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1187,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1188,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -31531,7 +31535,7 @@ index 8b40377..4758042 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1220,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1221,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -31546,7 +31550,7 @@ index 8b40377..4758042 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1241,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1242,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) 
@@ -31570,7 +31574,7 @@ index 8b40377..4758042 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1260,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1261,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -31579,7 +31583,7 @@ index 8b40377..4758042 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1304,54 @@ optional_policy(` +@@ -785,17 +1305,54 @@ optional_policy(` ') optional_policy(` @@ -31636,7 +31640,7 @@ index 8b40377..4758042 100644 ') optional_policy(` -@@ -803,6 +1359,10 @@ optional_policy(` +@@ -803,6 +1360,10 @@ optional_policy(` ') optional_policy(` @@ -31647,7 +31651,7 @@ index 8b40377..4758042 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1378,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1379,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -31672,7 +31676,7 @@ index 8b40377..4758042 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1401,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1402,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -31707,7 +31711,7 @@ index 8b40377..4758042 100644 ') optional_policy(` -@@ -912,7 +1466,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1467,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -31716,7 +31720,7 @@ index 8b40377..4758042 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1520,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1521,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -31748,7 +31752,7 @@ index 8b40377..4758042 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1566,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1567,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -38980,7 +38984,7 @@ index 73bb3c0..a70bee5 100644 + +/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if -index 808ba93..57a68da 100644 +index 808ba93..baca326 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if @@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',` 
@@ -39017,65 +39021,113 @@ index 808ba93..57a68da 100644 manage_files_pattern($1, lib_t, ld_so_t) ') -@@ -205,8 +225,26 @@ interface(`libs_search_lib',` +@@ -205,68 +225,87 @@ interface(`libs_search_lib',` type lib_t; ') + read_lnk_files_pattern($1, lib_t, lib_t) allow $1 lib_t:dir search_dir_perms; ') -+######################################## -+## -+## dontaudit attempts to setattr on library files -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`libs_dontaudit_setattr_lib_files',` -+ gen_require(` -+ type lib_t; -+ ') -+ -+ dontaudit $1 lib_t:file setattr; -+') - +- ######################################## ## -@@ -248,29 +286,12 @@ interface(`libs_manage_lib_dirs',` +-## Do not audit attempts to write to library directories. ++## dontaudit attempts to setattr on library files + ## +-## +-##

+-## Do not audit attempts to write to library directories. +-## Typically this is used to quiet attempts to recompile +-## python byte code. +-##

+-##
+ ## + ## + ## Domain to not audit. + ## + ## + # +-interface(`libs_dontaudit_write_lib_dirs',` ++interface(`libs_dontaudit_setattr_lib_files',` + gen_require(` type lib_t; ') -+ read_lnk_files_pattern($1, lib_t, lib_t) - allow $1 lib_t:dir manage_dir_perms; +- dontaudit $1 lib_t:dir write; ++ dontaudit $1 lib_t:file setattr; + ') + + ######################################## + ## +-## Create, read, write, and delete library directories. ++## dontaudit attempts to setattr on library dirs + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`libs_manage_lib_dirs',` ++interface(`libs_dontaudit_setattr_lib_dirs',` + gen_require(` + type lib_t; + ') + +- allow $1 lib_t:dir manage_dir_perms; ++ dontaudit $1 lib_t:dir setattr; ') ######################################## ## -## dontaudit attempts to setattr on library files --## --## --## --## Domain to not audit. --## --## --# --interface(`libs_dontaudit_setattr_lib_files',` -- gen_require(` -- type lib_t; -- ') -- -- dontaudit $1 lib_t:file setattr; --') -- --######################################## --## - ## Read files in the library directories, such - ## as static libraries. ++## Do not audit attempts to write to library directories. ## -@@ -345,6 +366,7 @@ interface(`libs_manage_lib_files',` ++## ++##

++## Do not audit attempts to write to library directories. ++## Typically this is used to quiet attempts to recompile ++## python byte code. ++##

++##
+ ## + ## + ## Domain to not audit. + ## + ## + # +-interface(`libs_dontaudit_setattr_lib_files',` ++interface(`libs_dontaudit_write_lib_dirs',` + gen_require(` + type lib_t; + ') + +- dontaudit $1 lib_t:file setattr; ++ dontaudit $1 lib_t:dir write; ++') ++ ++######################################## ++## ++## Create, read, write, and delete library directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`libs_manage_lib_dirs',` ++ gen_require(` ++ type lib_t; ++ ') ++ ++ read_lnk_files_pattern($1, lib_t, lib_t) ++ allow $1 lib_t:dir manage_dir_perms; + ') + + ######################################## +@@ -345,6 +384,7 @@ interface(`libs_manage_lib_files',` type lib_t; ') @@ -39083,7 +39135,7 @@ index 808ba93..57a68da 100644 manage_files_pattern($1, lib_t, lib_t) ') -@@ -421,7 +443,8 @@ interface(`libs_manage_shared_libs',` +@@ -421,7 +461,8 @@ interface(`libs_manage_shared_libs',` type lib_t, textrel_shlib_t; ') @@ -39093,7 +39145,7 @@ index 808ba93..57a68da 100644 ') ######################################## -@@ -440,9 +463,10 @@ interface(`libs_use_shared_libs',` +@@ -440,9 +481,10 @@ interface(`libs_use_shared_libs',` ') files_search_usr($1) @@ -39107,7 +39159,7 @@ index 808ba93..57a68da 100644 allow $1 textrel_shlib_t:file execmod; ') -@@ -483,7 +507,7 @@ interface(`libs_relabel_shared_libs',` +@@ -483,7 +525,7 @@ interface(`libs_relabel_shared_libs',` type lib_t, textrel_shlib_t; ') @@ -39116,7 +39168,7 @@ index 808ba93..57a68da 100644 ') ######################################## -@@ -534,3 +558,28 @@ interface(`lib_filetrans_shared_lib',` +@@ -534,3 +576,28 @@ interface(`lib_filetrans_shared_lib',` interface(`files_lib_filetrans_shared_lib',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -46101,10 +46153,10 @@ index 0000000..121b422 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..3303edd +index 0000000..d1356af --- /dev/null 
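Review bot: This hunk removes and re-adds `libs_dontaudit_write_lib_dirs` and `libs_manage_lib_dirs` with their bodies unchanged, only so that `libs_dontaudit_setattr_lib_files` and the new `libs_dontaudit_setattr_lib_dirs` can sit above them, turning a one-interface addition into a 65-to-113-line rewrite that hides the real change. Appending the new interface after the existing ones (or keeping the prior order) would leave only the `libs_dontaudit_setattr_lib_dirs` block as the diff. Two smaller points on that block: nothing in the visible hunks calls it, so either the caller is missing or it is dead policy, and its summary `dontaudit attempts to setattr on library dirs` breaks the file's "Do not audit attempts to ..." wording — I would write `## Do not audit attempts to set attributes on library directories.` and likewise for the files variant.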
+++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1823 @@ +@@ -0,0 +1,1842 @@ +## SELinux policy for systemd components + +###################################### @@ -46615,6 +46667,25 @@ index 0000000..3303edd + +####################################### +## ++## Allow a domain to execute systemd-sysctl in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_tmpfiles_exec',` ++ gen_require(` ++ type systemd_tmpfiles_exec_t; ++ ') ++ ++ can_exec($1,systemd_tmpfiles_exec_t) ++ ++') ++ ++####################################### ++## +## Execute a domain transition to run systemd-tmpfiles. +## +## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 85bf9dba..29026745 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -5537,7 +5537,7 @@ index f6eb485..fe461a3 100644 + ps_process_pattern(httpd_t, $1) ') diff --git a/apache.te b/apache.te -index 6649962..24e7705 100644 +index 6649962..516985d 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -6908,7 +6908,7 @@ index 6649962..24e7705 100644 ') optional_policy(` -@@ -842,20 +1072,44 @@ optional_policy(` +@@ -842,20 +1072,48 @@ optional_policy(` ') optional_policy(` @@ -6943,23 +6943,27 @@ index 6649962..24e7705 100644 + pki_manage_apache_log_files(httpd_t) + pki_manage_apache_run(httpd_t) + pki_read_tomcat_cert(httpd_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- puppet_read_lib_files(httpd_t) + puppet_read_lib(httpd_t) +') + +optional_policy(` + pwauth_domtrans(httpd_t) - ') - - optional_policy(` -- puppet_read_lib_files(httpd_t) ++') ++ ++optional_policy(` ++ realmd_read_var_lib(httpd_t) ++') ++ ++optional_policy(` + rpm_dontaudit_read_db(httpd_t) ') optional_policy(` -@@ -863,16 +1117,31 @@ optional_policy(` +@@ -863,16 +1121,31 @@ optional_policy(` ') optional_policy(` 
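Review bot: The summary on the new `systemd_tmpfiles_exec` interface reads `Allow a domain to execute systemd-sysctl in the caller domain.`, which names a different binary than the one the interface grants; it should be `Execute systemd-tmpfiles in the caller domain.` Two style points in the same block: `can_exec($1,systemd_tmpfiles_exec_t)` lacks the space after the comma that refpolicy interfaces conventionally use (`can_exec($1, systemd_tmpfiles_exec_t)`), and there is a stray blank line before the closing `')`. The body itself — a plain can_exec with no domain transition — does match the interface's `_exec` name, so only the documentation needs correcting.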
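Review bot: `realmd_read_var_lib(httpd_t)` is added with no comment and no tunable, so whenever the realmd module is loaded every httpd_t instance can read realmd's var_lib state (presumably /var/lib/realmd) unconditionally. The changelog gives no motivation beyond restating the rule; a one-line why-comment above it — e.g. `# httpd reads realmd's var_lib state for <feature>; see <bug>` with the actual reason filled in — or, if it serves only some deployments, a boolean in the style of the other httpd_* tunables would document the intended scope. The surrounding optional_policy list continues outside the hunk.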
@@ -6979,21 +6983,21 @@ index 6649962..24e7705 100644 optional_policy(` smokeping_read_lib_files(httpd_t) + smokeping_read_pid_files(httpd_t) ++') ++ ++optional_policy(` ++ files_dontaudit_rw_usr_dirs(httpd_t) ++ snmp_dontaudit_manage_snmp_var_lib_files(httpd_t) ') optional_policy(` - snmp_dontaudit_read_snmp_var_lib_files(httpd_t) - snmp_dontaudit_write_snmp_var_lib_files(httpd_t) -+ files_dontaudit_rw_usr_dirs(httpd_t) -+ snmp_dontaudit_manage_snmp_var_lib_files(httpd_t) -+') -+ -+optional_policy(` + thin_stream_connect(httpd_t) ') optional_policy(` -@@ -883,65 +1152,189 @@ optional_policy(` +@@ -883,65 +1156,189 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -7205,7 +7209,7 @@ index 6649962..24e7705 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1343,75 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1347,75 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -7359,7 +7363,7 @@ index 6649962..24e7705 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1428,107 @@ optional_policy(` +@@ -1083,172 +1432,107 @@ optional_policy(` ') ') @@ -7381,14 +7385,14 @@ index 6649962..24e7705 100644 -allow httpd_script_domains self:unix_stream_socket connectto; - -allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms; -+allow httpd_sys_script_t self:process getsched; - +- -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) - -kernel_dontaudit_search_sysctl(httpd_script_domains) -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) -- ++allow httpd_sys_script_t self:process getsched; + -corenet_all_recvfrom_unlabeled(httpd_script_domains) -corenet_all_recvfrom_netlabel(httpd_script_domains) -corenet_tcp_sendrecv_generic_if(httpd_script_domains) 
@@ -7532,8 +7536,7 @@ index 6649962..24e7705 100644 -allow httpd_sys_script_t httpd_t:tcp_socket { read write }; - -dontaudit httpd_sys_script_t httpd_config_t:dir search; -+corenet_all_recvfrom_netlabel(httpd_sys_script_t) - +- -allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; - -allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; @@ -7541,7 +7544,8 @@ index 6649962..24e7705 100644 -allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms; - -kernel_read_kernel_sysctls(httpd_sys_script_t) -- ++corenet_all_recvfrom_netlabel(httpd_sys_script_t) + -fs_search_auto_mountpoints(httpd_sys_script_t) - -files_read_var_symlinks(httpd_sys_script_t) @@ -7597,7 +7601,7 @@ index 6649962..24e7705 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1536,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1540,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7694,7 +7698,7 @@ index 6649962..24e7705 100644 ######################################## # -@@ -1321,8 +1611,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1615,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7711,7 +7715,7 @@ index 6649962..24e7705 100644 ') ######################################## -@@ -1330,49 +1627,41 @@ optional_policy(` +@@ -1330,49 +1631,41 @@ optional_policy(` # User content local policy # @@ -7778,7 +7782,7 @@ index 6649962..24e7705 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1671,109 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1675,109 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -22324,7 +22328,7 @@ index dda905b..5587295 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index 62d22cb..1287d08 100644 +index 62d22cb..01f6380 100644 
--- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ @@ -23169,8 +23173,7 @@ index 62d22cb..1287d08 100644 -interface(`dbus_use_system_bus_fds',` +interface(`dbus_dontaudit_stream_connect_system_dbusd',` gen_require(` -- type system_dbusd_t; -+ attribute system_dbusd_t; + type system_dbusd_t; ') - allow $1 system_dbusd_t:fd use; @@ -92762,7 +92765,7 @@ index 3b5e9ee..ff1163f 100644 + admin_pattern($1, rpcbind_var_run_t) ') diff --git a/rpcbind.te b/rpcbind.te -index 54de77c..4ce4fb9 100644 +index 54de77c..8891c9d 100644 --- a/rpcbind.te +++ b/rpcbind.te @@ -12,6 +12,9 @@ init_daemon_domain(rpcbind_t, rpcbind_exec_t) @@ -92808,7 +92811,7 @@ index 54de77c..4ce4fb9 100644 corenet_all_recvfrom_netlabel(rpcbind_t) corenet_tcp_sendrecv_generic_if(rpcbind_t) corenet_udp_sendrecv_generic_if(rpcbind_t) -@@ -68,7 +77,11 @@ auth_use_nsswitch(rpcbind_t) +@@ -68,7 +77,15 @@ auth_use_nsswitch(rpcbind_t) logging_send_syslog_msg(rpcbind_t) @@ -92817,6 +92820,10 @@ index 54de77c..4ce4fb9 100644 + +optional_policy(` + nis_use_ypbind(rpcbind_t) ++') ++ ++optional_policy(` ++ systemd_tmpfiles_exec(rpcbind_t) +') ifdef(`distro_debian',` @@ -115949,7 +115956,7 @@ index facdee8..b5a815a 100644 + dontaudit $1 virtd_t:lnk_file read_lnk_file_perms; ') diff --git a/virt.te b/virt.te -index f03dcf5..ac277da 100644 +index f03dcf5..49d4083 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,422 @@ @@ -116986,7 +116993,7 @@ index f03dcf5..ac277da 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +727,353 @@ optional_policy(` +@@ -746,44 +727,356 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -117051,7 +117058,7 @@ index f03dcf5..ac277da 100644 +allow virtlogd_t virtlogd_exec_t:file execute_no_trans; + +dev_read_sysfs(virtlogd_t) -+ + +logging_send_syslog_msg(virtlogd_t) + +auth_use_nsswitch(virtlogd_t) 
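Review bot: `systemd_tmpfiles_exec(rpcbind_t)` lets rpcbind_t run the systemd-tmpfiles binary without a domain transition (the interface added in the systemd.if hunk of policy-rawhide-base.patch is a can_exec wrapper), so whatever tmpfiles creates or relabels is done with rpcbind_t's own permissions and none of the confinement of a dedicated tmpfiles domain applies. If the intent is for rpcbind's unit to invoke systemd-tmpfiles, the domain-transition interface documented in systemd.if ("Execute a domain transition to run systemd-tmpfiles") would keep that work in its own domain; otherwise the optional_policy block should record why in-domain execution is required, e.g. `# rpcbind runs systemd-tmpfiles in its own domain; no transition wanted`. The surrounding rpcbind_t policy continues outside the hunk.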
@@ -117187,7 +117194,7 @@ index f03dcf5..ac277da 100644 +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) - ++ +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +miscfiles_read_generic_certs(virt_domain) @@ -117228,7 +117235,10 @@ index f03dcf5..ac277da 100644 +optional_policy(` + sssd_dontaudit_stream_connect(virt_domain) + sssd_dontaudit_read_lib(virt_domain) -+ sssd_dontaudit_read_public_files(virt_domain) ++') ++ ++optional_policy(` ++ sssd_read_public_files(virt_domain) +') + +optional_policy(` @@ -117362,7 +117372,7 @@ index f03dcf5..ac277da 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1084,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1087,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -117389,7 +117399,7 @@ index f03dcf5..ac277da 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1104,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1107,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -117406,10 +117416,10 @@ index f03dcf5..ac277da 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) ++ ++auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) -+auth_read_passwd(virsh_t) -+ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) @@ -117423,7 +117433,7 @@ index f03dcf5..ac277da 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1141,20 @@ optional_policy(` +@@ -856,14 +1144,20 @@ optional_policy(` ') optional_policy(` @@ -117445,7 +117455,7 @@ index f03dcf5..ac277da 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1179,66 @@ optional_policy(` +@@ -888,49 +1182,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) 
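Review bot: `sssd_read_public_files(virt_domain)` grants the read to every domain carrying the virt_domain attribute, while the changelog scopes the need to qemu authenticating SPICE connections with SASL GSSAPI; if the attribute covers more than the qemu guest domains, the grant is wider than its rationale and deserves either a narrower target or a comment such as `# qemu: SPICE SASL GSSAPI auth reads SSSD public files`. The rule is also placed in a second optional_policy block immediately after the existing sssd one, which still holds `sssd_dontaudit_stream_connect` and `sssd_dontaudit_read_lib`; merging it into that block would keep the sssd rules together. The surrounding virt_domain policy continues outside the hunk.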
@@ -117530,7 +117540,7 @@ index f03dcf5..ac277da 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1250,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1253,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -117550,7 +117560,7 @@ index f03dcf5..ac277da 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1271,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1274,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -117574,7 +117584,7 @@ index f03dcf5..ac277da 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1296,296 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1299,296 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -117748,10 +117758,6 @@ index f03dcf5..ac277da 100644 +optional_policy(` + mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') -+ -+optional_policy(` -+ ssh_use_ptys(svirt_sandbox_domain) -+') -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; @@ -117836,11 +117842,15 @@ index f03dcf5..ac277da 100644 - -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +optional_policy(` -+ udev_read_pid_files(svirt_sandbox_domain) ++ ssh_use_ptys(svirt_sandbox_domain) +') optional_policy(` - udev_read_pid_files(svirt_lxc_domain) ++ udev_read_pid_files(svirt_sandbox_domain) ++') ++ ++optional_policy(` + userhelper_dontaudit_write_config(svirt_sandbox_domain) +') + 
@@ -117990,10 +118000,10 @@ index f03dcf5..ac277da 100644 +fs_manage_cgroup_files(svirt_qemu_net_t) + +term_pty(container_file_t) -+ -+auth_use_nsswitch(svirt_qemu_net_t) -allow svirt_prot_exec_t self:process { execmem execstack }; ++auth_use_nsswitch(svirt_qemu_net_t) ++ +rpm_read_db(svirt_qemu_net_t) + +logging_send_syslog_msg(svirt_qemu_net_t) @@ -118018,7 +118028,7 @@ index f03dcf5..ac277da 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1598,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1601,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -118033,7 +118043,7 @@ index f03dcf5..ac277da 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1616,7 @@ optional_policy(` +@@ -1192,7 +1619,7 @@ optional_policy(` ######################################## # @@ -118042,7 +118052,7 @@ index f03dcf5..ac277da 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1625,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1628,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 0a0d7bbf..71273f4b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 258%{?dist} +Release: 259%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -689,6 +689,18 @@ exit 0 %endif %changelog +* Mon Jun 19 2017 Lukas Vrabec - 3.13.1-258 +- Allow rpcbind_t to execute systemd_tmpfiles_exec_t binary files. +- Merge branch 'rawhide' of github.com:wrabcak/selinux-policy-contrib into rawhide +- Allow qemu to authenticate SPICE connections with SASL GSSAPI when SSSD is in use +- Fix dbus_dontaudit_stream_connect_system_dbusd() interface to require TYPE rather than ATTRIBUTE for systemd_dbusd_t. +- Allow httpd_t to read realmd_var_lib_t files +- Allow unconfined_t user all user namespace capabilties. +- Add interface systemd_tmpfiles_exec() +- Add interface libs_dontaudit_setattr_lib_files() +- Dontaudit xdm_t domain to setattr on lib_t dirs +- Allow sysadm_r role to jump into dirsrv_t + * Thu Jun 08 2017 Lukas Vrabec - 3.13.1-257 - Merge pull request #10 from mscherer/fix_tor_dac - Merge pull request #9 from rhatdan/rawhide