From fc41f8a9df458cb1410aa5359edcffd7f1617989 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Fri, 22 Sep 2017 10:26:38 +0200 Subject: [PATCH] * Fri Sep 22 2017 Lukas Vrabec - 3.13.1-287 - Allow init noatsecure httpd_t - Allow mysqld_t domain to mmap mysqld db files. BZ(1483331) - Allow unconfined_t domain to create new users with proper SELinux labels - Allow init noatsecure httpd_t - Label tcp port 3269 as ldap_port_t --- container-selinux.tgz | Bin 6998 -> 7000 bytes policy-rawhide-base.patch | 94 +++++++++++----------- policy-rawhide-contrib.patch | 151 +++++++++++++++++++++-------------- selinux-policy.spec | 9 ++- 4 files changed, 145 insertions(+), 109 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index f68e7840dfa1a7abaaf2efdb0e7f10d57dbc9971..1fbd717fa98fd7f82f07406c4b8382a62eb9dca3 100644 GIT binary patch delta 3886 zcmV+}57F?}HrO^cABzY8D#*lH00Zq^ZI9eGlFrxZUm@55JQLV6o^jR-c(Qv~Bn#Yq zI3U+ipR|A(7z-d}&Xd4K(l z_x@A`Qq!TT{nGQkN$yL369q=Pq4)oyY4!TG_d|6^Q@?!r^FQ{Hmlsj?uF4N(5P5!4 zByr%^ah`dB=qO&4?cn$FhbzIh0uZ;<$_@TF`|D#A9O_6xk29~{tA7u|JcWN;66=-1 z>-|vprJs74pGJRr#i(BWxtGIF^uqI#B!7rPug<-?^s_3)O6fqa2o?UlinBT@w|)?v z|0+wfE)Q89r_mbnBb+yHe_fsJqHJA8zaQcfXjf-v^;4nLK=RaYH4h_@z`DM*aHYkz zB8oQ`tJPVMmr;<0>whZp%V59W#M$|`*B7fZQJ{6<*HCVJYR*pgroLEV1~WD#M^>72 z*LlNQ&An;QMm6o3scAbIlz9?q;Qt1XCAc31QB@70B2wTNSA*RLen<73ruD@u(cY}} zF=J@=GTvYle0!tEK!{U}RS?pP9jMsh$B0^vN9$+{{ER5Aqkrtk0rj`Y4@tg7nPcbk zV5S1`=iB}en`s0&baI2Rp{Q#r-lSe#fYxGl9ME3JiuCW)jEek{c;kgo%%IN8II2c; z-qQ$@_cJJ#iy-g)5=k3DQvTkz*E*U{P*0EJ!#~$WRHhX$ZsR1XM8=$&I{D1A!Alc0 zjnOYDXoJp>e1CJOi?+C_X}`LlNjYE*sW_9wZS13G1kPUTRfoj-0y3}mei^+asZ)X6 z<<7_*q@Ki8jeXlBbPl9>n0(%-?k@TbvTFSk$cP7Fy?KQmt>rA;ouZAy=g2H)R&X$OEY^Fo#iUs@hZzA z`IBmzAHh1nCGzGskavat314Xn$feaBPss8R*L%+g!b1%buH(R?+Bd!jnA(xfSLXbp zjPEfYq<{Q^4cbBGrC4JrH2CPurK;pxvO1Vh&`=3TN@KEOyz3zGtICiSz3b<-iFkJ5 znEdenue`iK`TNPAUe)EnR7E81WV?ytZ0D4%eu#+q+}Xja9UwMutTG6`y@CHez<=M* zyB7KRKYn^4^DJ5HMI4T^k;+46P&fcpjad8@JQfD(`36!kEd=ZSXNYRdtjG zbu!jh*L`=$;+n+YG!(-Q`JzH(#9Avx@-j+tT$qBSV(3rw#^Xsa^Jd-V47>ov@(^N4 z7>>sGqLkzl{&=!yNbk!47cY>HWela5N646%You|8u-R7;HvTKh>M^3m)X&Kx za$*=I_GY5S{KGXbCANZlGbq!)fkOIA@PA!*fF$|O!m7-L28w;2M%_NZCq+K#ij6|U z)QBW+y;t(xCGfqvn2ZzV!QFI_3b@z365-P+XkhBAIPZcahUT4)#OgLfNhZmLVdTLy z$#zOmaSZ5wJFu6j8=6q4iwcC~F=%Bky1%Um+}Je~VIodX5Tg+^%{dX{T>|Q^Qh$4v zqy4XOS~tCa8}BZo?0!zveO}eo+<>%Rn-Q~&syw;BL&r9pcGOFcP?OuN7}M2;C2(e08UcaF)g{)P*yTf zSk0@>5}v?6p@c+v7@fz9Rp&>x4y;Rrcd$G_sXSgka-)#WiXmf|yUEAf4u5mKkIOtu zM=e@T(_B=}W4$#-$Gd1zyL+d1^Hs>s2($q!jr(SLx!-PCz>8QTz+ z@JEF8H$|MZ2cg!mPX*K0@n$E?f`0a-f#-7ulLeTZFrk%CMGn*HzaL1VT06t zEs^X{GRjAbgl{cH>VJnqC{|<7OWKWPFo?Y!3(yg|d}%3Fdk5QOwCZ`)jW&f1|t^AAcIde3S@sQ(P8bdydAsyPPE=x52>aA)=Wjo~)u7tD=2m=0w=$ 
zXyk1CDh}EcsF1JQbXkmqFT_TNwo&OvE$C@&dZ>}zK@O>$Sf3( zaf;$WBI}a33BID);cFkH{ufQMMK9~M)RYGI61L|*7eDX3?rw9hp;*$y~!RbL%8zpcS=3-+ke8>O#1=b`N;M?ZNsQYKy2*x9cSX$>;cXGKXT4TYorZmSr*^Trp4_>!Gsy*@2 zv)dK=p|hx_zt6iYIG4uTFxsB~8qu7$2J;@5BCmNwI8FfJG1CyN_1=5$JX|#}>F?v+ z9)D(DT7b86PT0DCwv2HZqvko<5^5|O&>w!{F?$SNF&~+3;;*7)`zi1Xe-kHh{p3A+ z!9IV;yt^0-pe_6hPgqt_9fw|em*t^{O+y=a^sh~v$@qJEQ2JogMD-RRal%_;@D*ME z^!awE6kx@O4f`@mz&=iJ!+wBCtdai-nSTa{61q-3%+oeF2dK9ph9wP?p_7qDL5>E& zAT{4x#Mo(NqmgZ1Ix{QBMjd(6YDe3p@axEdLG&yDTMeWiV%j%MdsikX)9-={|Lw@8 z3;5t!s}CK~>Y$hbB+cB+l;Ecl?0jA-c!#fFnvK5TPN$*xz-a#M?=bwo=I{ z6gvQEXjmjhWgM(QfosjI3(0~VcO(nQe=H02Oz6&K6x_3*E?j00muw0T70r=e3Ty3E^cm0bH1Do{xny7Tp|68tmxvx~{t3JF;S--T%1_NG=2w_k?_u~~9jfvwi8nZmtr>t_B{9YocEvY&aN!QgH1<^oI}gLeowXWaqwYNjHRvzQ7B6v1q@W?*xn zNvi+;->d)mj_no9+u-le%U#ufvz3^m@=qDf4V&fnd2&djcjHB&d>62Ru1LsboX^%# zsaMSodzxaNqLg_MhjZaoD&Ra?q^&(??@vk&^NrXBny;Ms?=+RIe0GncN41z#&Oy0e z{M(r`Rv^AfK>}!SxKcSD4twWOD66Y`pUDn`#~6|;P!k?RBh{m>;zWI+* z!d6YiF;Aed1hQUl9j&%(^zgH4FLM_2C^3OQvn~^`v#YcY@bQ`rOrySL8`ZB_^pz|t z0Zy2IRINH_HUUo@>=zxIBt4r%I_Pk;LRKJxM+%HCD^p$sC=FN!1% z{5sAvFAyEYi?SX3UjBF`*j51ImRh;NA7_7gjDkZQDd=(L)qC|pn1846k4s{`Qh2=| z3%~SJFZ0vrkFOZjt3UN}_?cdKev;%5QRvmVSC@WP#aJmF=oO*DzgKZqN9EQJqVwNm zY1ZW-tK&3ULwE6^AE6iZVrsT*+hH zApU&YA7V3&AcszF5H=KbO~sqks|(Ottd0ZP>sXQgjha!BUlMP;5Q-Vpc^OC5h|YT& zLGpeE#c~nky*8eM3u;xQ&T6Oc{X@yqNXwW zB?WEJ8Io@fb$`(oH#O~77c?mctRWR=lDLh1^o+pSYrX1_SYJTq)!r|omn3y6kh|O& zxr5Y`xT>*ln}p7RG>=@GY?wRA?j|F+H+ZkP|4gGEr{t=Lf_NK41F?ogb0zAjJjyd< z9Rm4}w3kk(2aoG02F*4>r=R(|?nLr3##l;4JAavOCKNPO0+Q00tQhY)Nc^fYWJT}#d2J$|T{tE` z{QoO2FHrt|^2b+oc`#KGNjuqYqBz?*Wvd?|Vm^0v@M;H$%^Rx>f^To&zYp-=_w%kr ze)*4|U&uU57JCtg<7}kzkQo#XKvg3ae*~m`IDfl~ql(J=S++1{@^c$}OixuEr9qvH z_0@IX9kRG4@iz^{utUD65E-%7ijlmGk{lPNAgLJo6TR_x63o0=w>bkZK(Rc8SQ3V# z@x3S|`Gh~7>>1MgGQh)Qrz5et%}|m_vSAo`Fioy-my5A1$W$K0|6zZY^A$bg1*^BOPD*`um4MmuU(-XvK1Wj{J#CVs0x~tTl<$q}Z zYn;|i@88C|%P6~_6Lp_gbu~92t=DG6ETbwJs=yG~j^E4JZ01THBX6>~frg6sRBHZ*e4IegH38YK;0?>|h{p49D{2S8f 
zz{-2R2ZsKmSJhyWq%^-o^;fr_S$}EJ-oR2%jv~`8a1D`ThDCI{B$F1>hINn|bf>gq zU+EWw9nMd}%kH(d4<}f^){ghLUw&%JP`%{dR|L*I5NXjagCAGF40}vVt~HdE3=~%L zs91PAPS?NKX`eH5#?cKRLf)QXkzRr{yei&he!>Q<_xX05 zLk2RV*-1|*3TEHgupubh7sfF$#LqpF9e$Lu0|09bn8y>3^r}Nr^q>Z2Kl*J868&23Dbze&) zJCuy_(IVknOOg7a5Pyo**z=NhV;Kx$Z^r_3gf3rNO4Z)MHW{sYUUj2QVHJ;Ux%TG{ zlRw9XqF;L3*5=2b#xNfxg4`6B#n+yrvF>A>o#2$WwebSHS+w0UQjmJY7LrMp3w0N+=EcX$$$9P;+0mO&8fjIpE_59 zvThq5l0@VIMCV9!As?Y<7}Z}&tGadVm%FGIG-*<;L2vB1GrIFKsIc#&V+Jw{#bcbJ zc#z1tlWft;IyzMz_VfQAKi*t_-#h<*^Km)<|0NRhw5-!S1jTkP zd&67r=JMvl<$wE&RYza2Fi+-P@ya}}^SiO8^6Itsa|AdgT`T}|&Wco77*zoeu_<_P zO@tvTP#o`JAAue$)o>D@%wypvCU0(%cz^%t7q7_6TE^fMTu(A|tW15#{Eb>yxikZF z{jIn4lPbFC6p5FJS@nDyQT6mg?kNxa-j(^G@Xong>VJZ3X@^p9ql^JG`cVq%nJMjaO-{B0&Ro@3hs{6MV7LW)ROyY<*TG39ROgNy z(xIU%p1E|kxoxEy66z$z?FQXs!>PNXW{dE)h}pAVtEf)HKD|@BSlx0LO1%^ZMLSO9 zy!E!<$A6?dyIn*j%!!|sKym54;Mx$SHk=4s5*x^5F3>~dgSFpzm%ooIT=#9{W~YIb zlmAUs*Sh_+TN`amvE9KC6A`3z-sRGv^$N(hNV<_X=N%@?=ueBD2Ea$MW#EqvVvE&^ zj2ossY_^ds(cw=s{Wq1GN&8tT+ZgR!S{r3z zKSDk{*CO=cMT}+}y9x1R;hOc+d7q^Z#v?Y`STYKc2_em)$;iEO-ec4V8fMj=c}k28kqF=@oo<@ zFMln-+c_s}-9KB#xQtQr9Bm0T77geRKk=A72CtZpOgHgYQL_CM_=UfTlem8Jp1ok7 zKV;rr3YQ06O`$9!G-^JWYYzF z@T}E`j%amI%z$zTdnjYrn*n*_ZO9g=4pk9lp^dYvE7hu?i--oRQ$J=($b(^$2Y)dX z-eE*h<&LQF5v-tc;yKz3)K?N`ck4TTK=BaWV|c(3B@>9y5Mk`^I#A;6BuHDS zfHX8L5~DH>)}X+(X4Zvd!HzqU1>`@Lg?c7*=Q0ZJSx^@)vxiGIg@=mfNG}C8f?h88 z?JTR#6075t*Yj}wzDc^r`UflvW`7p;pIit;c`#xINEeO719tE-qh~(3Z_7MwCVIN? 
zB+WxG6IR;G5C)1TLV^3sJl!esW5N3OEKEim40(1$*2F*yXkKXBnpo56#t2L-fAx`Y zQ`*yx$e_UDbC**C*f}@yYFd@q3SAdBH>J8}w2qI!sjdR;8S6?>`rc=G)>UR&Wp|nf zQ>$vl8a=d3c>1GAZeWVwWU%*VH%&(fpTrPmw;aH{RRgA8@qK1X=yrhHKryx9x4i7# z<8JT%QRUesynJP=z_Zq6*Y^Q@?nhI+_Wm5RD-DJT0mQSi77+pgt&_wUWq*HIzW?_{ z(iNI_SHE7eFZ$5eL9t6jk2U{<-TLr}&l%;XW)$-)%&Ye>{I3pGd6mQ)oKmkC&ei32 zXYbxQqltAh|Edn6>Ok4gJkVh9Hh6OZCXc~8gqySOfO$1j5y@Fh1qF&=wpuf=xzHrl zfB)~*|9r>x3g&I_cj)D=>VMfv%u)HLjOK>T^7}kFq|v+aqENmI*g#h#!{SL zW`{jZF;7v-Jcz@&@G2E>9xc+=p0oESC5QP&Yy-_#&ir?p%2qzR$I+u&Oe*J~Trd9Z z%o!^X-=rV`G&o$T91n-R^C*_d?UHwDSOCVAR-tWW(dP3Xkjr4v05L zKsK0-9Ovn#O1t=Vp2lNGlD6UsD8FQCPO+NNj}fti$609}*&@;v_fSM*+e_d4M=4>e zrs9|Z2rc)u9cGg+8y%A?8yyT+O#cu2D?kkZ@Bje&5UaHS diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 61241e12..4b91b049 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -6162,7 +6162,7 @@ index 8e0f9cd14..2fe34db47 100644 +create_ibendport_type_interfaces($*) +') diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055f9..15ec98f76 100644 +index b191055f9..12aecdf4e 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -6386,7 +6386,7 @@ index b191055f9..15ec98f76 100644 network_port(ktalkd, udp,517,s0, udp,518,s0) -network_port(l2tp, tcp,1701,s0, udp,1701,s0) -network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) -+network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp, 7389,s0) ++network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp,3269,s0, tcp, 7389,s0) network_port(lirc, tcp,8765,s0) -network_port(lmtp, tcp,24,s0, udp,24,s0) +network_port(luci, tcp,8084,s0) @@ -27377,10 +27377,10 @@ index 000000000..f73028658 + 
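Review bot: The rewritten `network_port(ldap, …)` line keeps the stray space in the trailing `tcp, 7389,s0` argument right next to the newly inserted `tcp,3269,s0`; since the whole line is being replaced anyway, writing it as `tcp,7389,s0` keeps the m4 argument list uniform. It would also help a later reader if the commit message recorded that 3269 is the TLS counterpart of the already-listed 3268 (the Active Directory Global Catalog pair), which is why both end up under ldap_port_t.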
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 000000000..883d9eaa3 +index 000000000..bdfe41b61 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,362 @@ +@@ -0,0 +1,363 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -27418,6 +27418,7 @@ index 000000000..883d9eaa3 +userdom_manage_tmp_role(unconfined_r, unconfined_t) +userdom_unpriv_type(unconfined_t) +userdom_login_userdomain(unconfined_t) ++userdom_home_filetrans_user_home_dir(unconfined_t) + +type unconfined_exec_t; +application_domain(unconfined_t, unconfined_exec_t) @@ -37845,7 +37846,7 @@ index 79a45f62e..6ed0c399a 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda2480..6c22a0a1f 100644 +index 17eda2480..7d76c87ce 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -38167,7 +38168,7 @@ index 17eda2480..6c22a0a1f 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +347,292 @@ ifdef(`distro_gentoo',` +@@ -186,29 +347,293 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -38208,6 +38209,7 @@ index 17eda2480..6c22a0a1f 100644 + +optional_policy(` + apache_delete_tmp(init_t) ++ apache_noatsecure(init_t) +') + +optional_policy(` @@ -38469,7 +38471,7 @@ index 17eda2480..6c22a0a1f 100644 ') optional_policy(` -@@ -216,7 +640,30 @@ optional_policy(` +@@ -216,7 +641,30 @@ optional_policy(` ') optional_policy(` @@ -38501,7 +38503,7 @@ index 17eda2480..6c22a0a1f 100644 ') ######################################## -@@ -225,9 +672,9 @@ optional_policy(` +@@ -225,9 +673,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
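Review bot: The new `userdom_home_filetrans_user_home_dir(unconfined_t)` line in the unconfineduser.te hunk has no comment tying it to its purpose, and the changelog wording ("create new users with proper SELinux labels") does not say which object the rule affects. If, as the interface name suggests, this is a type transition so that home directories created under the home root by unconfined_t are labelled user_home_dir_t instead of inheriting the parent label, a one-line comment such as `# useradd run from unconfined_t: label new home dirs user_home_dir_t` would make the intent reviewable. Worth confirming that this transition is what the user-creation path actually needs and that no other filetrans rule already applies to unconfined_t for the same directory.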
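Review bot: `apache_noatsecure(init_t)` in the init.te hunk is added without a comment saying why the AT_SECURE flag must be suppressed on the init_t to httpd_t transition; the `apache_noatsecure` interface added to apache.if later in this commit has the same gap. With noatsecure granted, the dynamic loader in the new httpd_t process keeps honouring loader-related environment variables inherited from init_t (LD_PRELOAD, LD_LIBRARY_PATH and friends) instead of dropping them, so this is a deliberate relaxation of the secure-exec protection that later reviewers will want justified. Suggest a comment above the call naming the concrete need, e.g. `# keep AT_SECURE clear on init_t -> httpd_t so the loader honours the inherited environment; needed for <REASON/BUG-PLACEHOLDER>`, with the bug or unit reference filled in.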
@@ -38513,7 +38515,7 @@ index 17eda2480..6c22a0a1f 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +705,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +706,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -38530,7 +38532,7 @@ index 17eda2480..6c22a0a1f 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +730,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +731,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -38573,7 +38575,7 @@ index 17eda2480..6c22a0a1f 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +767,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +768,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -38585,7 +38587,7 @@ index 17eda2480..6c22a0a1f 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +779,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +780,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -38596,7 +38598,7 @@ index 17eda2480..6c22a0a1f 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +790,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +791,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -38606,7 +38608,7 @@ index 17eda2480..6c22a0a1f 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +799,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +800,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -38614,7 +38616,7 @@ index 17eda2480..6c22a0a1f 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +806,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +807,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -38622,7 +38624,7 @@ index 17eda2480..6c22a0a1f 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +814,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +815,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -38640,7 +38642,7 @@ index 17eda2480..6c22a0a1f 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +832,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +833,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -38654,7 +38656,7 @@ index 17eda2480..6c22a0a1f 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +847,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +848,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -38668,7 +38670,7 @@ index 17eda2480..6c22a0a1f 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +860,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +861,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -38679,7 +38681,7 @@ index 17eda2480..6c22a0a1f 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +873,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +874,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -38687,7 +38689,7 @@ index 17eda2480..6c22a0a1f 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +892,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +893,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -38711,7 +38713,7 @@ index 17eda2480..6c22a0a1f 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +925,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +926,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -38719,7 +38721,7 @@ index 17eda2480..6c22a0a1f 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +959,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +960,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -38730,7 +38732,7 @@ index 17eda2480..6c22a0a1f 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +983,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +984,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -38739,7 +38741,7 @@ index 17eda2480..6c22a0a1f 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +998,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +999,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -38747,7 +38749,7 @@ index 17eda2480..6c22a0a1f 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +1019,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +1020,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -38755,7 +38757,7 @@ index 17eda2480..6c22a0a1f 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +1029,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +1030,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -38800,7 +38802,7 @@ index 17eda2480..6c22a0a1f 100644 ') optional_policy(` -@@ -559,14 +1074,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1075,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -38832,7 +38834,7 @@ index 17eda2480..6c22a0a1f 100644 ') ') -@@ -577,6 +1109,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1110,39 @@ ifdef(`distro_suse',` ') ') @@ -38872,7 +38874,7 @@ index 17eda2480..6c22a0a1f 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1154,8 @@ optional_policy(` +@@ -589,6 +1155,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -38881,7 +38883,7 @@ index 17eda2480..6c22a0a1f 100644 ') optional_policy(` -@@ -610,6 +1177,7 @@ optional_policy(` +@@ -610,6 +1178,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) 
@@ -38889,7 +38891,7 @@ index 17eda2480..6c22a0a1f 100644 ') optional_policy(` -@@ -626,6 +1194,17 @@ optional_policy(` +@@ -626,6 +1195,17 @@ optional_policy(` ') optional_policy(` @@ -38907,7 +38909,7 @@ index 17eda2480..6c22a0a1f 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1221,13 @@ optional_policy(` +@@ -642,9 +1222,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -38921,7 +38923,7 @@ index 17eda2480..6c22a0a1f 100644 ') optional_policy(` -@@ -657,15 +1240,11 @@ optional_policy(` +@@ -657,15 +1241,11 @@ optional_policy(` ') optional_policy(` @@ -38939,7 +38941,7 @@ index 17eda2480..6c22a0a1f 100644 ') optional_policy(` -@@ -686,6 +1265,15 @@ optional_policy(` +@@ -686,6 +1266,15 @@ optional_policy(` ') optional_policy(` @@ -38955,7 +38957,7 @@ index 17eda2480..6c22a0a1f 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1314,7 @@ optional_policy(` +@@ -726,6 +1315,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -38963,7 +38965,7 @@ index 17eda2480..6c22a0a1f 100644 ') optional_policy(` -@@ -743,7 +1332,13 @@ optional_policy(` +@@ -743,7 +1333,13 @@ optional_policy(` ') optional_policy(` @@ -38978,7 +38980,7 @@ index 17eda2480..6c22a0a1f 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1361,10 @@ optional_policy(` +@@ -766,6 +1362,10 @@ optional_policy(` ') optional_policy(` @@ -38989,7 +38991,7 @@ index 17eda2480..6c22a0a1f 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1374,20 @@ optional_policy(` +@@ -775,10 +1375,20 @@ optional_policy(` ') optional_policy(` @@ -39010,7 +39012,7 @@ index 17eda2480..6c22a0a1f 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1396,10 @@ optional_policy(` +@@ -787,6 +1397,10 @@ optional_policy(` ') optional_policy(` 
@@ -39021,7 +39023,7 @@ index 17eda2480..6c22a0a1f 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1421,6 @@ optional_policy(` +@@ -808,8 +1422,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -39030,7 +39032,7 @@ index 17eda2480..6c22a0a1f 100644 ') optional_policy(` -@@ -818,6 +1429,10 @@ optional_policy(` +@@ -818,6 +1430,10 @@ optional_policy(` ') optional_policy(` @@ -39041,7 +39043,7 @@ index 17eda2480..6c22a0a1f 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1442,12 @@ optional_policy(` +@@ -827,10 +1443,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -39054,7 +39056,7 @@ index 17eda2480..6c22a0a1f 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1474,62 @@ optional_policy(` +@@ -857,21 +1475,62 @@ optional_policy(` ') optional_policy(` @@ -39118,7 +39120,7 @@ index 17eda2480..6c22a0a1f 100644 ') optional_policy(` -@@ -887,6 +1545,10 @@ optional_policy(` +@@ -887,6 +1546,10 @@ optional_policy(` ') optional_policy(` @@ -39129,7 +39131,7 @@ index 17eda2480..6c22a0a1f 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1559,218 @@ optional_policy(` +@@ -897,3 +1560,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 902c1f0a..e27883eb 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -3925,7 +3925,7 @@ index 7caefc353..966c2f3e6 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index f6eb4851f..422f408d4 100644 +index f6eb4851f..3628a384f 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ 
@@ -4218,11 +4218,11 @@ index f6eb4851f..422f408d4 100644 - ') + # privileged users run the script: + domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t) ++ ++ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms; - tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` - filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file }) -+ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms; -+ + # apache runs the script: + domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t) + allow httpd_t $1_script_t:unix_dgram_socket sendto; @@ -4499,12 +4499,10 @@ index f6eb4851f..422f408d4 100644 - dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms; + dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to read and --## write httpd unix domain stream sockets. ++') ++ ++######################################## ++## +## Allow attempts to read and write Apache +## unix domain stream sockets. +## @@ -4520,10 +4518,12 @@ index f6eb4851f..422f408d4 100644 + ') + + allow $1 httpd_t:unix_stream_socket { getattr read write }; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to read and +-## write httpd unix domain stream sockets. +## Do not audit attempts to read and write Apache +## unix domain stream sockets. ## 
@@ -4996,32 +4996,12 @@ index f6eb4851f..422f408d4 100644 ') -######################################## -+###################################### -+## -+## Allow the specified domain to read -+## apache system content rw files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`apache_read_sys_content_rw_files',` -+ gen_require(` -+ type httpd_sys_rw_content_t; -+ ') -+ -+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -+') -+ +###################################### ## -## Create, read, write, and delete -## httpd system rw content. +## Allow the specified domain to read -+## apache system content rw dirs. ++## apache system content rw files. ## ## ## @@ -5031,12 +5011,32 @@ index f6eb4851f..422f408d4 100644 +## # -interface(`apache_manage_sys_rw_content',` -+interface(`apache_read_sys_content_rw_dirs',` ++interface(`apache_read_sys_content_rw_files',` gen_require(` type httpd_sys_rw_content_t; ') - apache_search_sys_content($1) ++ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++') ++ ++###################################### ++## ++## Allow the specified domain to read ++## apache system content rw dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`apache_read_sys_content_rw_dirs',` ++ gen_require(` ++ type httpd_sys_rw_content_t; ++ ') ++ + list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +') + @@ -5390,7 +5390,7 @@ index f6eb4851f..422f408d4 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1224,9 +1625,201 @@ interface(`apache_admin',` +@@ -1224,9 +1625,219 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) 
@@ -5591,10 +5591,28 @@ index f6eb4851f..422f408d4 100644 + gen_require(` + type httpd_tmp_t; + ') ++ ++ allow $1 httpd_tmp_t:file unlink; ++') ++ ++######################################## ++## ++## Allow httpd noatsecure ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`apache_noatsecure',` ++ gen_require(` ++ type httpd_t; ++ ') - apache_run_all_scripts($1, $2) - apache_run_helper($1, $2) -+ allow $1 httpd_tmp_t:file unlink; ++ allow $1 httpd_t:process { noatsecure }; ') diff --git a/apache.te b/apache.te index 6649962b6..1a0189a44 100644 @@ -58089,7 +58107,7 @@ index 687af38bb..5381f1b39 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 7584bbe7c..a89f6d665 100644 +index 7584bbe7c..9c33fb9ac 100644 --- a/mysql.te +++ b/mysql.te @@ -6,20 +6,22 @@ policy_module(mysql, 1.14.1) @@ -58140,7 +58158,7 @@ index 7584bbe7c..a89f6d665 100644 type mysqld_initrc_exec_t; init_script_file(mysqld_initrc_exec_t) -@@ -62,28 +66,29 @@ files_pid_file(mysqlmanagerd_var_run_t) +@@ -62,28 +66,30 @@ files_pid_file(mysqlmanagerd_var_run_t) # Local policy # @@ -58161,6 +58179,7 @@ index 7584bbe7c..a89f6d665 100644 +manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file }) ++allow mysqld_t mysqld_db_t:file map; -filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file) - @@ -58177,7 +58196,7 @@ index 7584bbe7c..a89f6d665 100644 logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file }) manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) -@@ -95,50 +100,66 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) +@@ -95,50 +101,66 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) 
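Review bot: The new `apache_noatsecure` interface in apache.if documents itself only as "Allow httpd noatsecure", which tells a caller neither what the permission does nor when it is appropriate; a summary such as "Allow the specified domain to transition to httpd_t without AT_SECURE, so the httpd process keeps its inherited loader environment" would match the detail level of the neighbouring interface docs. The rule itself, `allow $1 httpd_t:process { noatsecure };`, wraps a single permission in braces where the adjacent interface writes a bare permission (`allow $1 httpd_tmp_t:file unlink;`), so `allow $1 httpd_t:process noatsecure;` would be consistent. Because the interface is generic, callers other than init_t may adopt it later, and the doc block is the right place to state that the grant should stay limited to the launcher that actually needs it.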
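Review bot: `allow mysqld_t mysqld_db_t:file map;` is inserted between the `files_var_lib_filetrans` line and the removed `filetrans_pattern` line with no comment, while the commit message ties it to BZ 1483331. A short comment above the rule, `# mysqld mmaps its database files (BZ 1483331)`, would preserve that link in the policy source where the next maintainer will look for it. If mysqld also maps its log or tmp files, the same `map` permission would be needed on mysqld_log_t and mysqld_tmp_t; the hunk does not show that, so it is worth checking against the denials recorded in the bug.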
@@ -58262,7 +58281,7 @@ index 7584bbe7c..a89f6d665 100644 ') optional_policy(` -@@ -146,6 +167,10 @@ optional_policy(` +@@ -146,6 +168,10 @@ optional_policy(` ') optional_policy(` @@ -58273,7 +58292,7 @@ index 7584bbe7c..a89f6d665 100644 seutil_sigchld_newrole(mysqld_t) ') -@@ -155,21 +180,20 @@ optional_policy(` +@@ -155,21 +181,20 @@ optional_policy(` ####################################### # @@ -58301,7 +58320,7 @@ index 7584bbe7c..a89f6d665 100644 list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) -@@ -177,9 +201,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) +@@ -177,9 +202,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) @@ -58312,7 +58331,7 @@ index 7584bbe7c..a89f6d665 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -187,21 +209,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) +@@ -187,21 +210,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) corecmd_exec_shell(mysqld_safe_t) @@ -58348,7 +58367,7 @@ index 7584bbe7c..a89f6d665 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -209,20 +239,21 @@ optional_policy(` +@@ -209,20 +240,21 @@ optional_policy(` ######################################## # @@ -58377,7 +58396,7 @@ index 7584bbe7c..a89f6d665 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -230,31 +261,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -230,31 +262,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) 
@@ -112229,10 +112248,10 @@ index 000000000..e5cec8fda +') diff --git a/tomcat.te b/tomcat.te new file mode 100644 -index 000000000..9c3b00220 +index 000000000..31baf3bb8 --- /dev/null +++ b/tomcat.te -@@ -0,0 +1,117 @@ +@@ -0,0 +1,124 @@ +policy_module(tomcat, 1.0.0) + +######################################## @@ -112292,8 +112311,7 @@ index 000000000..9c3b00220 + +allow tomcat_t self:capability { dac_override setuid kill }; + -+allow tomcat_t self:process execmem; -+allow tomcat_t self:process { setcap signal signull }; ++allow tomcat_t self:process { execmem setcap setsched signal signull }; + +allow tomcat_t self:tcp_socket { accept listen }; +allow tomcat_domain self:fifo_file rw_fifo_file_perms; @@ -112333,6 +112351,8 @@ index 000000000..9c3b00220 + +domain_use_interactive_fds(tomcat_domain) + ++libs_exec_ldconfig(tomcat_domain) ++ +fs_getattr_all_fs(tomcat_domain) +fs_read_hugetlbfs_files(tomcat_domain) + @@ -112343,6 +112363,12 @@ index 000000000..9c3b00220 +') + +optional_policy(` ++ # needed by FreeIPA ++ ldap_stream_connect(tomcat_domain) ++ ldap_read_certs(tomcat_domain) ++') ++ ++optional_policy(` + tomcat_search_lib(tomcat_domain) +') + @@ -117037,7 +117063,7 @@ index facdee8b3..2a619ba9e 100644 + dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) ') diff --git a/virt.te b/virt.te -index f03dcf567..529ae6612 100644 +index f03dcf567..cf9950e36 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,424 @@ @@ -118002,7 +118028,7 @@ index f03dcf567..529ae6612 100644 ') optional_policy(` -@@ -691,99 +653,432 @@ optional_policy(` +@@ -691,99 +653,433 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -118247,6 +118273,7 @@ index f03dcf567..529ae6612 100644 +dev_rw_inherited_vhost(virt_domain) +dev_rw_infiniband_dev(virt_domain) +dev_rw_dri(virt_domain) ++dev_rw_tpm(virt_domain) + +domain_use_interactive_fds(virt_domain) + 
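Review bot: None of the tomcat.te changes in this hunk — `setsched` joining the `self:process` set, `libs_exec_ldconfig(tomcat_domain)`, and the new FreeIPA `optional_policy` block calling `ldap_stream_connect`/`ldap_read_certs` — appear in the %changelog entry this commit adds to selinux-policy.spec, and the same is true of `dev_rw_tpm(virt_domain)` in the virt.te hunk. Folding `execmem` into `allow tomcat_t self:process { execmem setcap setsched signal signull };` preserves the old grants, but a reader of the changelog cannot tell that setsched is the new one. The FreeIPA block carries a `# needed by FreeIPA` comment; the ldconfig line deserves the same treatment since it is granted to the whole tomcat_domain attribute rather than to tomcat_t alone.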
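Review bot: `dev_rw_tpm(virt_domain)` in the virt.te hunk grants read/write on the host TPM device to every domain carrying the virt_domain attribute, which in this policy appears to cover all guest process domains rather than only a guest that has a TPM passed through. Unless the attribute is narrower than it looks, a tunable-gated rule or a comment explaining why every virt domain needs the host TPM would make the scope reviewable, and the change is also absent from the %changelog. Suggest at minimum `# host TPM access for guests; consider gating behind a tunable` above the call.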
@@ -118484,7 +118511,7 @@ index f03dcf567..529ae6612 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1089,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1090,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -118511,7 +118538,7 @@ index f03dcf567..529ae6612 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1109,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1110,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -118545,7 +118572,7 @@ index f03dcf567..529ae6612 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1146,20 @@ optional_policy(` +@@ -856,14 +1147,20 @@ optional_policy(` ') optional_policy(` @@ -118567,7 +118594,7 @@ index f03dcf567..529ae6612 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1184,66 @@ optional_policy(` +@@ -888,49 +1185,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -118652,7 +118679,7 @@ index f03dcf567..529ae6612 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1255,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1256,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -118672,7 +118699,7 @@ index f03dcf567..529ae6612 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1276,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1277,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -118696,7 +118723,7 @@ index f03dcf567..529ae6612 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1301,296 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1302,296 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -119140,7 +119167,7 @@ index f03dcf567..529ae6612 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1603,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1604,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -119155,7 +119182,7 @@ index f03dcf567..529ae6612 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1621,7 @@ optional_policy(` +@@ -1192,7 +1622,7 @@ optional_policy(` ######################################## # @@ -119164,7 +119191,7 @@ index f03dcf567..529ae6612 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1630,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1631,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 290d0690..110607f5 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 286%{?dist} +Release: 287%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -682,6 +682,13 @@ exit 0
 %endif
 %changelog
+* Fri Sep 22 2017 Lukas Vrabec - 3.13.1-287
+- Allow init noatsecure httpd_t
+- Allow mysqld_t domain to mmap mysqld db files. BZ(1483331)
+- Allow unconfined_t domain to create new users with proper SELinux lables
+- Allow init noatsecure httpd_t
+- Label tcp port 3269 as ldap_port_t
+
 * Mon Sep 18 2017 Lukas Vrabec - 3.13.1-286
 - Add new boolean tomcat_read_rpm_db()
 - Allow tomcat to connect on mysqld tcp ports