From 64b72debbe6163bdd1fb01d9d4cd48fb7383bd6b Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Nov 21 2017 15:42:21 +0000 Subject: * Tue Nov 21 2017 Lukas Vrabec - 3.13.1-304 - Add interface raid_relabel_mdadm_var_run_content() - Fix iscsi SELinux module - Allow spamc_t domain to read home mail content BZ(1414366) - Allow sendmail_t to list postfix config dirs BZ(1514868) - Allow dovecot_t domain to mmap mail content in homedirs BZ(1513153) - Allow iscsid_t domain to request loading kernel modules BZ(1448877) - Allow svirt_t domain to mmap svirt_tmpfs_t files BZ(1515304) - Allow cupsd_t domain to localization BZ(1514350) - Allow antivirus_t nnp domain transition because of systemd security features. BZ(1514451) - Allow tlp_t domain transition to systemd_rfkill_t domain BZ(1416301) - Allow abrt_t domain to mmap fusefs_t files BZ(1515169) - Allow memcached_t domain nnp_transition because of systemd security features BZ(1514867) - Allow httpd_t domain to mmap all httpd content type BZ(1514866) - Allow mandb_t to read /etc/passwd BZ(1514903) - Allow mandb_t domain to mmap files with label mandb_cache_t BZ(1514093) - Allow abrt_t domain to mmap files with label syslogd_var_run_t BZ(1514975) - Allow nnp transition for systemd-networkd daemon to run in proper SELinux domain BZ(1507263) - Allow systemd to read/write to mount_var_run_t files BZ(1515373) - Allow systemd to relabel mdadm_var_run_t sock files BZ(1515373) - Allow home managers to mmap nfs_t files BZ(1514372) - Add interface fs_mmap_nfs_files() - Allow systemd-mount to create new directory for mountpoint BZ(1514880) - Allow getty to use usbttys - Add interface systemd_rfkill_domtrans() - Allow syslogd_t to mmap files with label syslogd_var_lib_t BZ(1513403) - Add interface fs_mmap_fusefs_files() - Allow ipsec_t domain to mmap files with label ipsec_key_file_t BZ(1514251) --- 
diff --git a/container-selinux.tgz b/container-selinux.tgz index 3861472..f1a0fe3 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index ecefc64..b1dd7bd 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -17432,7 +17432,7 @@ index d7c11a0b3..f521a50f8 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb43..2aa8d9ff4 100644 +index 8416beb43..0444eacf4 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -577,6 +577,24 @@ interface(`fs_mount_cgroup', ` @@ -18316,7 +18316,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -1839,174 +2234,989 @@ interface(`fs_unmount_fusefs',` +@@ -1839,115 +2234,875 @@ interface(`fs_unmount_fusefs',` ## ## # 
@@ -18413,55 +18413,66 @@ index 8416beb43..2aa8d9ff4 100644 # -interface(`fs_dontaudit_list_fusefs',` +interface(`fs_ecryptfs_domtrans',` -+ gen_require(` + gen_require(` +- type fusefs_t; + type ecryptfs_t; -+ ') -+ + ') + +- dontaudit $1 fusefs_t:dir list_dir_perms; + allow $1 ecryptfs_t:dir search_dir_perms; + domain_auto_transition_pattern($1, ecryptfs_t, $2) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete directories +-## on a FUSEFS filesystem. +## Mount a FUSE filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`fs_manage_fusefs_dirs',` +interface(`fs_mount_fusefs',` gen_require(` type fusefs_t; ') -- dontaudit $1 fusefs_t:dir list_dir_perms; +- allow $1 fusefs_t:dir manage_dir_perms; + allow $1 fusefs_t:filesystem mount; ') ######################################## ## --## Create, read, write, and delete directories +-## Do not audit attempts to create, read, +-## write, and delete directories -## on a FUSEFS filesystem. +## Unmount a FUSE filesystem. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`fs_dontaudit_manage_fusefs_dirs',` +interface(`fs_unmount_fusefs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ + gen_require(` + type fusefs_t; + ') + +- dontaudit $1 fusefs_t:dir manage_dir_perms; + allow $1 fusefs_t:filesystem unmount; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read, a FUSEFS filesystem. +## Mounton a FUSEFS filesystem. +## +## 
@@ -18597,6 +18608,25 @@ index 8416beb43..2aa8d9ff4 100644 + +######################################## +## ++## mmap files on a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`fs_mmap_fusefs_files',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ allow $1 fusefs_t:file map; ++') ++ ++######################################## ++## +## Make general progams in FUSEFS an entrypoint for +## the specified domain. +## 
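Review bot: The header of the new `fs_mmap_fusefs_files` interface says only "mmap files on a FUSEFS filesystem.", while its body is the single rule `allow $1 fusefs_t:file map;`, so a caller gets no open or read access from it and the summary does not say so. I would reword the summary along the lines of `## Memory-map files on a FUSEFS filesystem. Grants only the map permission; combine with a read interface such as fs_read_fusefs_files().` The rule covers every file labelled fusefs_t rather than one mount, which is worth a sentence in the description, since `map` exists so that policy can withhold mmap on files whose every access should be revalidated. The same documentation gap applies to `fs_mmap_nfs_files`, added in the hunk at `@@ -20230,7 +20037,31 @@`.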
@@ -19167,98 +19197,6 @@ index 8416beb43..2aa8d9ff4 100644 +## +## Unmount an iso9660 filesystem, which +## is usually used on CDs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_unmount_iso9660_fs',` -+ gen_require(` -+ type iso9660_t; -+ ') -+ -+ allow $1 iso9660_t:filesystem unmount; -+') -+ -+######################################## -+## -+## Get the attributes of an iso9660 -+## filesystem, which is usually used on CDs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_getattr_iso9660_fs',` -+ gen_require(` -+ type iso9660_t; -+ ') -+ -+ allow $1 iso9660_t:filesystem getattr; -+') -+ -+######################################## -+## -+## Read files on an iso9660 filesystem, which -+## is usually used on CDs. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`fs_manage_fusefs_dirs',` -+interface(`fs_getattr_iso9660_files',` - gen_require(` -- type fusefs_t; -+ type iso9660_t; - ') - -- allow $1 fusefs_t:dir manage_dir_perms; -+ allow $1 iso9660_t:dir list_dir_perms; -+ allow $1 iso9660_t:file getattr; - ') - - ######################################## - ## --## Do not audit attempts to create, read, --## write, and delete directories --## on a FUSEFS filesystem. -+## Read files on an iso9660 filesystem, which -+## is usually used on CDs. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`fs_dontaudit_manage_fusefs_dirs',` -+interface(`fs_read_iso9660_files',` - gen_require(` -- type fusefs_t; -+ type iso9660_t; - ') - -- dontaudit $1 fusefs_t:dir manage_dir_perms; -+ allow $1 iso9660_t:dir list_dir_perms; -+ read_files_pattern($1, iso9660_t, iso9660_t) -+ read_lnk_files_pattern($1, iso9660_t, iso9660_t) - ') - -+ - ######################################## - ## --## Read, a FUSEFS filesystem. -+## Mount kdbus filesystems. ## ## ## 
@@ -19268,44 +19206,45 @@ index 8416beb43..2aa8d9ff4 100644 -## # -interface(`fs_read_fusefs_files',` -+interface(`fs_mount_kdbus', ` ++interface(`fs_unmount_iso9660_fs',` gen_require(` - type fusefs_t; -+ type kdbusfs_t; ++ type iso9660_t; ') - read_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 kdbusfs_t:filesystem mount; ++ allow $1 iso9660_t:filesystem unmount; ') ######################################## ## -## Execute files on a FUSEFS filesystem. -+## Remount kdbus filesystems. ++## Get the attributes of an iso9660 ++## filesystem, which is usually used on CDs. ## ## ## - ## Domain allowed access. - ## +@@ -1956,57 +3111,59 @@ interface(`fs_read_fusefs_files',` ## --## + ## # -interface(`fs_exec_fusefs_files',` -+interface(`fs_remount_kdbus', ` ++interface(`fs_getattr_iso9660_fs',` gen_require(` - type fusefs_t; -+ type kdbusfs_t; ++ type iso9660_t; ') - exec_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 kdbusfs_t:filesystem remount; ++ allow $1 iso9660_t:filesystem getattr; ') ######################################## ## -## Create, read, write, and delete files -## on a FUSEFS filesystem. -+## Unmount kdbus filesystems. ++## Read files on an iso9660 filesystem, which ++## is usually used on CDs. ## ## ## @@ -19315,14 +19254,15 @@ index 8416beb43..2aa8d9ff4 100644 -## # -interface(`fs_manage_fusefs_files',` -+interface(`fs_unmount_kdbus', ` ++interface(`fs_getattr_iso9660_files',` gen_require(` - type fusefs_t; -+ type kdbusfs_t; ++ type iso9660_t; ') - manage_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 kdbusfs_t:filesystem unmount; ++ allow $1 iso9660_t:dir list_dir_perms; ++ allow $1 iso9660_t:file getattr; ') ######################################## @@ -19330,7 +19270,8 @@ index 8416beb43..2aa8d9ff4 100644 -## Do not audit attempts to create, -## read, write, and delete files -## on a FUSEFS filesystem. -+## Get attributes of kdbus filesystems. ++## Read files on an iso9660 filesystem, which ++## is usually used on CDs. ## ## ## 
@@ -19340,154 +19281,130 @@ index 8416beb43..2aa8d9ff4 100644 ## # -interface(`fs_dontaudit_manage_fusefs_files',` -+interface(`fs_getattr_kdbus',` ++interface(`fs_read_iso9660_files',` gen_require(` - type fusefs_t; -+ type kdbusfs_t; ++ type iso9660_t; ') - dontaudit $1 fusefs_t:file manage_file_perms; -+ allow $1 kdbusfs_t:filesystem getattr; ++ allow $1 iso9660_t:dir list_dir_perms; ++ read_files_pattern($1, iso9660_t, iso9660_t) ++ read_lnk_files_pattern($1, iso9660_t, iso9660_t) ') ++ ######################################## ## -## Read symbolic links on a FUSEFS filesystem. -+## Search kdbusfs directories. ++## Mount kdbus filesystems. ## ## ## -@@ -2014,19 +3224,20 @@ interface(`fs_dontaudit_manage_fusefs_files',` +@@ -2014,19 +3171,17 @@ interface(`fs_dontaudit_manage_fusefs_files',` ## ## # -interface(`fs_read_fusefs_symlinks',` -+interface(`fs_search_kdbus_dirs',` ++interface(`fs_mount_kdbus', ` gen_require(` - type fusefs_t; + type kdbusfs_t; -+ ') - allow $1 fusefs_t:dir list_dir_perms; - read_lnk_files_pattern($1, fusefs_t, fusefs_t) -+ search_dirs_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) ++ allow $1 kdbusfs_t:filesystem mount; ') ######################################## ## -## Get the attributes of an hugetlbfs -## filesystem. -+## Relabel kdbusfs directories. ++## Remount kdbus filesystems. ## ## ## -@@ -2034,17 +3245,18 @@ interface(`fs_read_fusefs_symlinks',` +@@ -2034,17 +3189,17 @@ interface(`fs_read_fusefs_symlinks',` ## ## # -interface(`fs_getattr_hugetlbfs',` -+interface(`fs_relabel_kdbus_dirs',` ++interface(`fs_remount_kdbus', ` gen_require(` - type hugetlbfs_t; + type kdbusfs_t; -+ ') - allow $1 hugetlbfs_t:filesystem getattr; -+ relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ allow $1 kdbusfs_t:filesystem remount; ') ######################################## ## -## List hugetlbfs. -+## List kdbusfs directories. ++## Unmount kdbus filesystems. 
## ## ## -@@ -2052,17 +3264,38 @@ interface(`fs_getattr_hugetlbfs',` +@@ -2052,17 +3207,17 @@ interface(`fs_getattr_hugetlbfs',` ## ## # -interface(`fs_list_hugetlbfs',` -+interface(`fs_list_kdbus_dirs',` ++interface(`fs_unmount_kdbus', ` gen_require(` - type hugetlbfs_t; + type kdbusfs_t; ') - allow $1 hugetlbfs_t:dir list_dir_perms; -+ list_dirs_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) -+') -+ -+####################################### -+## -+## Do not audit attempts to search kdbusfs directories. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_search_kdbus_dirs', ` -+ gen_require(` -+ type kdbusfs_t; -+ ') -+ -+ dontaudit $1 kdbusfs_t:dir search_dir_perms; -+ dev_dontaudit_search_sysfs($1) ++ allow $1 kdbusfs_t:filesystem unmount; ') ######################################## ## -## Manage hugetlbfs dirs. -+## Delete kdbusfs directories. ++## Get attributes of kdbus filesystems. ## ## ## -@@ -2070,17 +3303,19 @@ interface(`fs_list_hugetlbfs',` +@@ -2070,17 +3225,17 @@ interface(`fs_list_hugetlbfs',` ## ## # -interface(`fs_manage_hugetlbfs_dirs',` -+interface(`fs_delete_kdbus_dirs', ` ++interface(`fs_getattr_kdbus',` gen_require(` - type hugetlbfs_t; + type kdbusfs_t; ') - manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) -+ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) ++ allow $1 kdbusfs_t:filesystem getattr; ') ######################################## ## -## Read and write hugetlbfs files. -+## Manage kdbusfs directories. ++## Search kdbusfs directories. 
## ## ## -@@ -2088,35 +3323,41 @@ interface(`fs_manage_hugetlbfs_dirs',` +@@ -2088,35 +3243,39 @@ interface(`fs_manage_hugetlbfs_dirs',` ## ## # -interface(`fs_rw_hugetlbfs_files',` -+interface(`fs_manage_kdbus_dirs',` ++interface(`fs_search_kdbus_dirs',` gen_require(` - type hugetlbfs_t; -- ') + type kdbusfs_t; ++ + ') - rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) -+ ') -+ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ search_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') @@ -19495,7 +19412,7 @@ index 8416beb43..2aa8d9ff4 100644 ######################################## ## -## Allow the type to associate to hugetlbfs filesystems. -+## Read kdbusfs files. ++## Relabel kdbusfs directories. ## -## +## @@ -19506,7 +19423,7 @@ index 8416beb43..2aa8d9ff4 100644 ## # -interface(`fs_associate_hugetlbfs',` -+interface(`fs_read_kdbus_files',` ++interface(`fs_relabel_kdbus_dirs',` gen_require(` - type hugetlbfs_t; + type kdbusfs_t; 
@@ -19514,91 +19431,92 @@ index 8416beb43..2aa8d9ff4 100644 ') - allow $1 hugetlbfs_t:filesystem associate; -+ read_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) ++ relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ') ######################################## ## -## Search inotifyfs filesystem. -+## Write kdbusfs files. ++## List kdbusfs directories. ## ## ## -@@ -2124,17 +3365,19 @@ interface(`fs_associate_hugetlbfs',` +@@ -2124,89 +3283,78 @@ interface(`fs_associate_hugetlbfs',` ## ## # -interface(`fs_search_inotifyfs',` -+interface(`fs_write_kdbus_files', ` ++interface(`fs_list_kdbus_dirs',` gen_require(` - type inotifyfs_t; + type kdbusfs_t; ') - allow $1 inotifyfs_t:dir search_dir_perms; -+ write_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ list_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') - ######################################## +-######################################## ++####################################### ## -## List inotifyfs filesystem. -+## Read and write kdbusfs files. ++## Do not audit attempts to search kdbusfs directories. ## ## - ## -@@ -2142,17 +3385,23 @@ interface(`fs_search_inotifyfs',` - ## +-## +-## Domain allowed access. +-## ++## ++## Domain to not audit. ++## ## # -interface(`fs_list_inotifyfs',` -+interface(`fs_rw_kdbus_files',` - gen_require(` +- gen_require(` - type inotifyfs_t; -+ type kdbusfs_t; -+ - ') +- ') ++interface(`fs_dontaudit_search_kdbus_dirs', ` ++ gen_require(` ++ type kdbusfs_t; ++ ') - allow $1 inotifyfs_t:dir list_dir_perms; -+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ rw_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) ++ dontaudit $1 kdbusfs_t:dir search_dir_perms; ++ dev_dontaudit_search_sysfs($1) ') ######################################## ## -## Dontaudit List inotifyfs filesystem. 
-+## Do not audit attempts to open, -+## get attributes, read and write -+## cgroup files. ++## Delete kdbusfs directories. ## ## ## -@@ -2160,53 +3409,39 @@ interface(`fs_list_inotifyfs',` +-## Domain to not audit. ++## Domain allowed access. ## ## # -interface(`fs_dontaudit_list_inotifyfs',` -+interface(`fs_dontaudit_rw_kdbus_files',` ++interface(`fs_delete_kdbus_dirs', ` gen_require(` - type inotifyfs_t; + type kdbusfs_t; ') - dontaudit $1 inotifyfs_t:dir list_dir_perms; -+ dontaudit $1 kdbusfs_t:file rw_file_perms; ++ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ') ######################################## ## -## Create an object in a hugetlbfs filesystem, with a private -## type using a type transition. -+## Manage kdbusfs files. ++## Manage kdbusfs directories. ## ## ## @@ -19622,17 +19540,16 @@ index 8416beb43..2aa8d9ff4 100644 -## # -interface(`fs_hugetlbfs_filetrans',` -+interface(`fs_manage_kdbus_files',` ++interface(`fs_manage_kdbus_dirs',` gen_require(` - type hugetlbfs_t; +- ') + type kdbusfs_t; -+ - ') - allow $2 hugetlbfs_t:filesystem associate; - filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) -+ manage_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ manage_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ ') ++ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') 
@@ -19641,394 +19558,284 @@ index 8416beb43..2aa8d9ff4 100644 ## -## Mount an iso9660 filesystem, which -## is usually used on CDs. -+## Mount on kdbusfs directories. ++## Read kdbusfs files. ## ## ## -@@ -2214,19 +3449,18 @@ interface(`fs_hugetlbfs_filetrans',` +@@ -2214,19 +3362,21 @@ interface(`fs_hugetlbfs_filetrans',` ## ## # -interface(`fs_mount_iso9660_fs',` -+interface(`fs_mounton_kdbus', ` ++interface(`fs_read_kdbus_files',` gen_require(` - type iso9660_t; + type kdbusfs_t; ++ ') - allow $1 iso9660_t:filesystem mount; -+ allow $1 kdbusfs_t:dir mounton; ++ read_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ') -+ ######################################## ## -## Remount an iso9660 filesystem, which -## is usually used on CDs. This allows -## some mount options to be changed. -+## Mount a NFS filesystem. ++## Write kdbusfs files. ## ## ## -@@ -2234,18 +3468,18 @@ interface(`fs_mount_iso9660_fs',` +@@ -2234,18 +3384,19 @@ interface(`fs_mount_iso9660_fs',` ## ## # -interface(`fs_remount_iso9660_fs',` -+interface(`fs_mount_nfs',` ++interface(`fs_write_kdbus_files', ` gen_require(` - type iso9660_t; -+ type nfs_t; ++ type kdbusfs_t; ') - allow $1 iso9660_t:filesystem remount; -+ allow $1 nfs_t:filesystem mount; ++ write_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ') ######################################## ## -## Unmount an iso9660 filesystem, which -## is usually used on CDs. -+## Remount a NFS filesystem. This allows -+## some mount options to be changed. ++## Read and write kdbusfs files. 
## ## ## -@@ -2253,58 +3487,54 @@ interface(`fs_remount_iso9660_fs',` +@@ -2253,38 +3404,41 @@ interface(`fs_remount_iso9660_fs',` ## ## # -interface(`fs_unmount_iso9660_fs',` -+interface(`fs_remount_nfs',` ++interface(`fs_rw_kdbus_files',` gen_require(` - type iso9660_t; -+ type nfs_t; ++ type kdbusfs_t; ++ ') - allow $1 iso9660_t:filesystem unmount; -+ allow $1 nfs_t:filesystem remount; ++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ rw_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ') ######################################## ## -## Get the attributes of an iso9660 -## filesystem, which is usually used on CDs. -+## Unmount a NFS filesystem. ++## Do not audit attempts to open, ++## get attributes, read and write ++## cgroup files. ## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## Domain to not audit. ## ## -## # -interface(`fs_getattr_iso9660_fs',` -+interface(`fs_unmount_nfs',` ++interface(`fs_dontaudit_rw_kdbus_files',` gen_require(` - type iso9660_t; -+ type nfs_t; ++ type kdbusfs_t; ') - allow $1 iso9660_t:filesystem getattr; -+ allow $1 nfs_t:filesystem unmount; ++ dontaudit $1 kdbusfs_t:file rw_file_perms; ') ######################################## ## -## Read files on an iso9660 filesystem, which -## is usually used on CDs. -+## Get the attributes of a NFS filesystem. ++## Manage kdbusfs files. ## ## ## - ## Domain allowed access. 
+@@ -2292,19 +3446,21 @@ interface(`fs_getattr_iso9660_fs',` ## ## -+## # -interface(`fs_getattr_iso9660_files',` -+interface(`fs_getattr_nfs',` ++interface(`fs_manage_kdbus_files',` gen_require(` - type iso9660_t; -+ type nfs_t; ++ type kdbusfs_t; ++ ') - allow $1 iso9660_t:dir list_dir_perms; - allow $1 iso9660_t:file getattr; -+ allow $1 nfs_t:filesystem getattr; ++ manage_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ manage_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ') ######################################## ## -## Read files on an iso9660 filesystem, which -## is usually used on CDs. -+## Set the attributes of nfs directories. ++## Mount on kdbusfs directories. ## ## ## -@@ -2312,19 +3542,17 @@ interface(`fs_getattr_iso9660_files',` +@@ -2312,16 +3468,15 @@ interface(`fs_getattr_iso9660_files',` ## ## # -interface(`fs_read_iso9660_files',` -+interface(`fs_setattr_nfs_dirs',` ++interface(`fs_mounton_kdbus', ` gen_require(` - type iso9660_t; -+ type nfs_t; ++ type kdbusfs_t; ') - allow $1 iso9660_t:dir list_dir_perms; - read_files_pattern($1, iso9660_t, iso9660_t) - read_lnk_files_pattern($1, iso9660_t, iso9660_t) -+ allow $1 nfs_t:dir setattr; - ') - - ######################################## - ## --## Mount a NFS filesystem. -+## Search directories on a NFS filesystem. - ## - ## - ## -@@ -2332,18 +3560,17 @@ interface(`fs_read_iso9660_files',` - ## - ## - # --interface(`fs_mount_nfs',` -+interface(`fs_search_nfs',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:filesystem mount; -+ allow $1 nfs_t:dir search_dir_perms; - ') - - ######################################## - ## --## Remount a NFS filesystem. This allows --## some mount options to be changed. -+## List NFS filesystem. 
- ## - ## - ## -@@ -2351,240 +3578,243 @@ interface(`fs_mount_nfs',` - ## - ## - # --interface(`fs_remount_nfs',` -+interface(`fs_list_nfs',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:filesystem remount; -+ allow $1 nfs_t:dir list_dir_perms; ++ allow $1 kdbusfs_t:dir mounton; ') ++ ######################################## ## --## Unmount a NFS filesystem. -+## Do not audit attempts to list the contents -+## of directories on a NFS filesystem. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`fs_unmount_nfs',` -+interface(`fs_dontaudit_list_nfs',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:filesystem unmount; -+ dontaudit $1 nfs_t:dir list_dir_perms; - ') + ## Mount a NFS filesystem. +@@ -2398,6 +3553,24 @@ interface(`fs_getattr_nfs',` ######################################## ## --## Get the attributes of a NFS filesystem. -+## Mounton a NFS filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`fs_getattr_nfs',` -+interface(`fs_mounton_nfs',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:filesystem getattr; -+ allow $1 nfs_t:dir mounton; - ') - - ######################################## - ## --## Search directories on a NFS filesystem. -+## Read files on a NFS filesystem. ++## Set the attributes of nfs directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_setattr_nfs_dirs',` ++ gen_require(` ++ type nfs_t; ++ ') ++ ++ allow $1 nfs_t:dir setattr; ++') ++ ++######################################## ++## + ## Search directories on a NFS filesystem. ## ## - ## - ## Domain allowed access. 
- ## - ## -+## - # --interface(`fs_search_nfs',` -+interface(`fs_read_nfs_files',` - gen_require(` +@@ -2485,6 +3658,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') -- allow $1 nfs_t:dir search_dir_perms; + fs_search_auto_mountpoints($1) -+ allow $1 nfs_t:dir list_dir_perms; -+ read_files_pattern($1, nfs_t, nfs_t) + allow $1 nfs_t:dir list_dir_perms; + read_files_pattern($1, nfs_t, nfs_t) ') - - ######################################## - ## --## List NFS filesystem. -+## Do not audit attempts to read -+## files on a NFS filesystem. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. +@@ -2518,73 +3692,148 @@ interface(`fs_dontaudit_read_nfs_files',` ## ## # --interface(`fs_list_nfs',` -+interface(`fs_dontaudit_read_nfs_files',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:dir list_dir_perms; -+ dontaudit $1 nfs_t:file read_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to list the contents --## of directories on a NFS filesystem. -+## Read files on a NFS filesystem. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`fs_dontaudit_list_nfs',` +-interface(`fs_write_nfs_files',` +interface(`fs_write_nfs_files',` - gen_require(` - type nfs_t; - ') - -- dontaudit $1 nfs_t:dir list_dir_perms; ++ gen_require(` ++ type nfs_t; ++ ') ++ + fs_search_auto_mountpoints($1) + allow $1 nfs_t:dir list_dir_perms; + write_files_pattern($1, nfs_t, nfs_t) - ') - - ######################################## - ## --## Mounton a NFS filesystem. ++') ++ ++######################################## ++## +## Execute files on a NFS filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. 
++## ++## +## - # --interface(`fs_mounton_nfs',` ++# +interface(`fs_exec_nfs_files',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:dir mounton; ++ gen_require(` ++ type nfs_t; ++ ') ++ + allow $1 nfs_t:dir list_dir_perms; + exec_files_pattern($1, nfs_t, nfs_t) - ') - - ######################################## - ## --## Read files on a NFS filesystem. ++') ++ ++######################################## ++## +## Make general progams in nfs an entrypoint for +## the specified domain. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## The domain for which nfs_t is an entrypoint. - ## - ## --## - # --interface(`fs_read_nfs_files',` ++## ++## ++# +interface(`fs_nfs_entry_type',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:dir list_dir_perms; -- read_files_pattern($1, nfs_t, nfs_t) ++ gen_require(` ++ type nfs_t; ++ ') ++ + domain_entry_file($1, nfs_t) - ') - - ######################################## - ## --## Do not audit attempts to read --## files on a NFS filesystem. ++') ++ ++######################################## ++## +## Make general progams in NFS an entrypoint for +## the specified domain. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## The domain for which nfs_t is an entrypoint. - ## - ## - # --interface(`fs_dontaudit_read_nfs_files',` ++## ++## ++# +interface(`fs_nfs_entrypoint',` - gen_require(` - type nfs_t; - ') - -- dontaudit $1 nfs_t:file read_file_perms; ++ gen_require(` ++ type nfs_t; ++ ') ++ + allow $1 nfs_t:file entrypoint; - ') - - ######################################## - ## --## Read files on a NFS filesystem. ++') ++ ++######################################## ++## +## Append files +## on a NFS filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`fs_write_nfs_files',` ++# +interface(`fs_append_nfs_files',` gen_require(` type nfs_t; 
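Review bot: The summary re-added above `fs_dontaudit_rw_kdbus_files` in this hunk still reads "Do not audit attempts to open, get attributes, read and write cgroup files.", but the rule in that interface is `dontaudit $1 kdbusfs_t:file rw_file_perms;`. A dontaudit rule suppresses the AVC denials an analyst would otherwise see, so its description should name the type it actually silences; I would change the last summary line to `## kdbusfs files.`. The text looks carried over from a cgroup interface, and this regenerated patch only moves it, so the correction presumably belongs in the underlying filesystem.if change. The hunk ends inside `fs_append_nfs_files`, whose body continues past it.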
@@ -20112,7 +19919,7 @@ index 8416beb43..2aa8d9ff4 100644 ') ######################################## -@@ -2603,7 +3833,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3852,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -20121,7 +19928,7 @@ index 8416beb43..2aa8d9ff4 100644 ') ######################################## -@@ -2627,7 +3857,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3876,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## @@ -20130,7 +19937,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -2719,6 +3949,65 @@ interface(`fs_search_rpc',` +@@ -2719,6 +3968,65 @@ interface(`fs_search_rpc',` ######################################## ## @@ -20196,7 +20003,7 @@ index 8416beb43..2aa8d9ff4 100644 ## Search removable storage directories. ## ## -@@ -2741,7 +4030,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +4049,7 @@ interface(`fs_search_removable',` ## ## ## @@ -20205,7 +20012,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## # -@@ -2777,7 +4066,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +4085,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -20214,7 +20021,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## # -@@ -2970,6 +4259,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +4278,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -20222,7 +20029,7 @@ index 8416beb43..2aa8d9ff4 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +4300,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,11 +4319,31 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') 
@@ -20230,7 +20037,31 @@ index 8416beb43..2aa8d9ff4 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +4341,7 @@ interface(`fs_manage_nfs_symlinks',` + ######################################## + ## ++## mmap files on a NFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`fs_mmap_nfs_files',` ++ gen_require(` ++ type nfs_t; ++ ') ++ ++ allow $1 nfs_t:file map; ++') ++ ++######################################## ++## + ## Do not audit attempts to create, + ## read, write, and delete files + ## on a NFS filesystem. +@@ -3050,6 +4379,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -20238,7 +20069,7 @@ index 8416beb43..2aa8d9ff4 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3137,6 +4429,24 @@ interface(`fs_nfs_domtrans',` +@@ -3137,6 +4467,24 @@ interface(`fs_nfs_domtrans',` ######################################## ## @@ -20263,7 +20094,7 @@ index 8416beb43..2aa8d9ff4 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3239,15 +4549,198 @@ interface(`fs_search_nfsd_fs',` +@@ -3239,15 +4587,198 @@ interface(`fs_search_nfsd_fs',` # interface(`fs_list_nfsd_fs',` gen_require(` @@ -20465,7 +20296,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -3255,35 +4748,35 @@ interface(`fs_list_nfsd_fs',` +@@ -3255,35 +4786,35 @@ interface(`fs_list_nfsd_fs',` ## ## # @@ -20510,7 +20341,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -3291,12 +4784,12 @@ interface(`fs_rw_nfsd_fs',` +@@ -3291,12 +4822,12 @@ interface(`fs_rw_nfsd_fs',` ## ## # @@ -20526,7 +20357,7 @@ index 8416beb43..2aa8d9ff4 100644 ') ######################################## -@@ -3392,7 +4885,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4923,7 @@ interface(`fs_search_ramfs',` ######################################## ## 
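Review bot: `fs_mmap_nfs_files` grants `allow $1 nfs_t:file map;` unconditionally, and nothing in its header tells callers whether the grant is expected to sit behind a tunable. nfs_t is normally the label for everything on an NFS mount, so this gives mount-wide access to server-controlled content. The changelog names the home managers as the intended users, but their call sites are not part of this hunk. I would add a description line such as `## Callers that need this only for NFS home directories should make the call conditional on use_nfs_home_dirs.` and confirm the callers are wrapped in the matching tunable_policy block.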
@@ -20535,7 +20366,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -3429,7 +4922,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4960,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -20544,7 +20375,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -3447,7 +4940,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4978,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -20553,7 +20384,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -3779,6 +5272,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +5310,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## @@ -20578,7 +20409,7 @@ index 8416beb43..2aa8d9ff4 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +5326,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +5364,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -20603,7 +20434,7 @@ index 8416beb43..2aa8d9ff4 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +5437,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +5475,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -20612,7 +20443,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -3916,17 +5445,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +5483,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -20633,7 +20464,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -3934,17 +5463,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +5501,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -20654,7 +20485,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -3952,17 +5481,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5519,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # 
@@ -20694,7 +20525,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -3970,31 +5518,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5556,48 @@ interface(`fs_search_tmpfs',` ## ## # @@ -20750,7 +20581,7 @@ index 8416beb43..2aa8d9ff4 100644 ') ######################################## -@@ -4057,23 +5622,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` +@@ -4057,23 +5660,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` ## ## ## @@ -20927,7 +20758,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -4081,18 +5793,18 @@ interface(`fs_tmpfs_filetrans',` +@@ -4081,18 +5831,18 @@ interface(`fs_tmpfs_filetrans',` ## ## # @@ -20950,7 +20781,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -4100,54 +5812,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` +@@ -4100,54 +5850,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` ## ## # @@ -21017,7 +20848,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -4155,17 +5866,18 @@ interface(`fs_read_tmpfs_files',` +@@ -4155,17 +5904,18 @@ interface(`fs_read_tmpfs_files',` ## ## # @@ -21039,7 +20870,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -4173,17 +5885,18 @@ interface(`fs_rw_tmpfs_files',` +@@ -4173,17 +5923,18 @@ interface(`fs_rw_tmpfs_files',` ## ## # @@ -21061,7 +20892,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -4191,37 +5904,36 @@ interface(`fs_read_tmpfs_symlinks',` +@@ -4191,37 +5942,36 @@ interface(`fs_read_tmpfs_symlinks',` ## ## # @@ -21107,7 +20938,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -4229,18 +5941,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4229,18 +5979,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ## ## # @@ -21129,7 +20960,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -4248,18 +5960,19 @@ interface(`fs_relabel_tmpfs_chr_file',` +@@ -4248,18 +5998,19 @@ interface(`fs_relabel_tmpfs_chr_file',` ## ## # 
@@ -21153,7 +20984,7 @@ index 8416beb43..2aa8d9ff4 100644 ## ## ## -@@ -4267,32 +5980,31 @@ interface(`fs_rw_tmpfs_blk_files',` +@@ -4267,32 +6018,31 @@ interface(`fs_rw_tmpfs_blk_files',` ## ## # @@ -21192,7 +21023,7 @@ index 8416beb43..2aa8d9ff4 100644 ') ######################################## -@@ -4407,6 +6119,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +6157,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -21218,7 +21049,7 @@ index 8416beb43..2aa8d9ff4 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +6234,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +6272,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -21227,7 +21058,7 @@ index 8416beb43..2aa8d9ff4 100644 ') ######################################## -@@ -4549,7 +6282,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +6320,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -21236,7 +21067,7 @@ index 8416beb43..2aa8d9ff4 100644 ## Example attributes: ##

##
    -@@ -4596,6 +6329,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +6367,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -21263,7 +21094,7 @@ index 8416beb43..2aa8d9ff4 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6424,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6462,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -21289,7 +21120,7 @@ index 8416beb43..2aa8d9ff4 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6684,176 @@ interface(`fs_unconfined',` +@@ -4912,3 +6722,176 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -36205,7 +36036,7 @@ index e4376aa98..2c98c5647 100644 + allow $1 getty_unit_file_t:service start; +') diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te -index f6743ea19..8c64a7e19 100644 +index f6743ea19..743d661ec 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te @@ -27,13 +27,24 @@ files_tmp_file(getty_tmp_t) @@ -36246,8 +36077,8 @@ index f6743ea19..8c64a7e19 100644 term_setattr_all_ttys(getty_t) term_setattr_unallocated_ttys(getty_t) term_setattr_console(getty_t) -+term_setattr_usb_ttys(getty_t) +term_use_console(getty_t) ++term_use_usb_ttys(getty_t) auth_rw_login_records(getty_t) +auth_use_nsswitch(getty_t) @@ -38371,7 +38202,7 @@ index 79a45f62e..0244681f0 100644 +') + diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda2480..09d9144cb 100644 +index 17eda2480..fecc37500 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` 
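Review bot: The getty.te hunk (`@@ -36246,8 +36077,8 @@`) replaces `term_setattr_usb_ttys(getty_t)` with `term_use_usb_ttys(getty_t)`, which leaves USB ttys without the setattr grant that the console keeps through the adjacent pair `term_setattr_console(getty_t)` and `term_use_console(getty_t)`. Unless `term_setattr_all_ttys(getty_t)` already covers the USB tty type, which the hunk does not show, getty would be denied when it sets attributes on a USB serial line. If both are needed, keep the earlier line next to the new one, `term_setattr_usb_ttys(getty_t)` followed by `term_use_usb_ttys(getty_t)`. If setattr was dropped on purpose, a one-line comment saying so would help the next reader. The getty_t rule block starts and ends outside the hunk.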
@@ -38583,7 +38414,7 @@ index 17eda2480..09d9144cb 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,45 +243,103 @@ domain_signal_all_domains(init_t) +@@ -139,45 +243,105 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -38613,6 +38444,8 @@ index 17eda2480..09d9144cb 100644 files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) +files_dontaudit_mounton_modules_object(init_t) ++files_manage_mnt_dirs(init_t) ++files_manage_mnt_files(init_t) fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log @@ -38680,12 +38513,12 @@ index 17eda2480..09d9144cb 100644 +miscfiles_filetrans_named_content(init_t) + +udev_manage_rules_files(init_t) - --miscfiles_read_localization(init_t) ++ +userdom_use_user_ttys(init_t) +userdom_manage_tmp_dirs(init_t) +userdom_manage_tmp_sockets(init_t) -+ + +-miscfiles_read_localization(init_t) +userdom_transition_login_userdomain(init_t) +userdom_noatsecure_login_userdomain(init_t) +userdom_sigchld_login_userdomain(init_t) @@ -38694,7 +38527,7 @@ index 17eda2480..09d9144cb 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +348,295 @@ ifdef(`distro_gentoo',` +@@ -186,29 +350,303 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -38788,9 +38621,14 @@ index 17eda2480..09d9144cb 100644 + postfix_list_spool(init_t) + mta_read_config(init_t) + mta_manage_aliases(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- auth_rw_login_records(init_t) ++ raid_relabel_mdadm_var_run_content(init_t) + ') + + optional_policy(` + systemd_allow_mount_dir(init_t) +') + 
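Review bot: The two lines added to the init_t rules in hunk `@@ -38613,6 +38444,8 @@`, `files_manage_mnt_dirs(init_t)` and `files_manage_mnt_files(init_t)`, are unconditional and give PID 1's domain manage-level access to both directories and regular files of the mnt type. If the need is only to create mountpoint directories, the second line is wider than required, so I would keep `files_manage_mnt_dirs(init_t)` and leave out `files_manage_mnt_files(init_t)` until a recorded denial shows that file access is needed. Whichever lines stay, a short comment above them such as `# systemd-mount creates mountpoint directories` would record why init_t has the access. The init_t block continues outside the hunk.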
@@ -38953,14 +38791,13 @@ index 17eda2480..09d9144cb 100644 +optional_policy(` + lvm_rw_pipes(init_t) + lvm_read_config(init_t) - ') - - optional_policy(` -- auth_rw_login_records(init_t) ++') ++ ++optional_policy(` + lldpad_relabel_tmpfs(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + consolekit_manage_log(init_t) +') + @@ -38983,23 +38820,27 @@ index 17eda2480..09d9144cb 100644 +') + +optional_policy(` -+ networkmanager_stream_connect(init_t) -+ networkmanager_stream_connect(initrc_t) ++ mount_rw_pid_files(init_t) +') + +optional_policy(` -+ plymouthd_stream_connect(init_t) -+ plymouthd_exec_plymouth(init_t) -+ plymouthd_filetrans_named_content(init_t) ++ networkmanager_stream_connect(init_t) ++ networkmanager_stream_connect(initrc_t) ') optional_policy(` - nscd_use(init_t) ++ plymouthd_stream_connect(init_t) ++ plymouthd_exec_plymouth(init_t) ++ plymouthd_filetrans_named_content(init_t) ++') ++ ++optional_policy(` + ssh_getattr_server_keys(init_t) ') optional_policy(` -@@ -216,7 +644,35 @@ optional_policy(` +@@ -216,7 +654,35 @@ optional_policy(` ') optional_policy(` @@ -39036,7 +38877,7 @@ index 17eda2480..09d9144cb 100644 ') ######################################## -@@ -225,9 +681,9 @@ optional_policy(` +@@ -225,9 +691,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -39048,7 +38889,7 @@ index 17eda2480..09d9144cb 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +714,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +724,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
@@ -39065,7 +38906,7 @@ index 17eda2480..09d9144cb 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +739,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +749,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -39108,7 +38949,7 @@ index 17eda2480..09d9144cb 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +776,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +786,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -39120,7 +38961,7 @@ index 17eda2480..09d9144cb 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +788,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +798,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -39131,7 +38972,7 @@ index 17eda2480..09d9144cb 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +799,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +809,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -39141,7 +38982,7 @@ index 17eda2480..09d9144cb 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +808,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +818,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) 
@@ -39149,7 +38990,7 @@ index 17eda2480..09d9144cb 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +815,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +825,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -39157,7 +38998,7 @@ index 17eda2480..09d9144cb 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +823,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +833,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -39175,7 +39016,7 @@ index 17eda2480..09d9144cb 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +841,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +851,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -39189,7 +39030,7 @@ index 17eda2480..09d9144cb 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +856,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +866,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -39203,7 +39044,7 @@ index 17eda2480..09d9144cb 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +869,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +879,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -39214,7 +39055,7 @@ index 17eda2480..09d9144cb 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +882,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +892,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -39222,7 +39063,7 @@ index 17eda2480..09d9144cb 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +901,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +911,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -39246,7 +39087,7 @@ index 17eda2480..09d9144cb 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +934,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +944,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -39254,7 +39095,7 @@ index 17eda2480..09d9144cb 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +968,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +978,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -39265,7 +39106,7 @@ index 17eda2480..09d9144cb 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +992,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +1002,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -39274,7 +39115,7 @@ index 17eda2480..09d9144cb 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +1007,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +1017,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) 
@@ -39282,7 +39123,7 @@ index 17eda2480..09d9144cb 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +1028,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +1038,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -39290,7 +39131,7 @@ index 17eda2480..09d9144cb 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +1038,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +1048,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -39335,7 +39176,7 @@ index 17eda2480..09d9144cb 100644 ') optional_policy(` -@@ -559,14 +1083,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1093,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -39367,7 +39208,7 @@ index 17eda2480..09d9144cb 100644 ') ') -@@ -577,6 +1118,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1128,39 @@ ifdef(`distro_suse',` ') ') @@ -39407,7 +39248,7 @@ index 17eda2480..09d9144cb 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1163,8 @@ optional_policy(` +@@ -589,6 +1173,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -39416,7 +39257,7 @@ index 17eda2480..09d9144cb 100644 ') optional_policy(` -@@ -610,6 +1186,7 @@ optional_policy(` +@@ -610,6 +1196,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -39424,7 +39265,7 @@ index 17eda2480..09d9144cb 100644 ') optional_policy(` -@@ -626,6 +1203,17 @@ optional_policy(` +@@ -626,6 +1213,17 @@ optional_policy(` ') optional_policy(` @@ -39442,7 +39283,7 @@ index 17eda2480..09d9144cb 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1230,13 @@ optional_policy(` +@@ -642,9 +1240,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) 
@@ -39456,7 +39297,7 @@ index 17eda2480..09d9144cb 100644 ') optional_policy(` -@@ -657,15 +1249,11 @@ optional_policy(` +@@ -657,15 +1259,11 @@ optional_policy(` ') optional_policy(` @@ -39474,7 +39315,7 @@ index 17eda2480..09d9144cb 100644 ') optional_policy(` -@@ -686,6 +1274,15 @@ optional_policy(` +@@ -686,6 +1284,15 @@ optional_policy(` ') optional_policy(` @@ -39490,7 +39331,7 @@ index 17eda2480..09d9144cb 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1323,7 @@ optional_policy(` +@@ -726,6 +1333,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -39498,7 +39339,7 @@ index 17eda2480..09d9144cb 100644 ') optional_policy(` -@@ -743,7 +1341,13 @@ optional_policy(` +@@ -743,7 +1351,13 @@ optional_policy(` ') optional_policy(` @@ -39513,7 +39354,7 @@ index 17eda2480..09d9144cb 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1370,10 @@ optional_policy(` +@@ -766,6 +1380,10 @@ optional_policy(` ') optional_policy(` @@ -39524,7 +39365,7 @@ index 17eda2480..09d9144cb 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1383,20 @@ optional_policy(` +@@ -775,10 +1393,20 @@ optional_policy(` ') optional_policy(` @@ -39545,7 +39386,7 @@ index 17eda2480..09d9144cb 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1405,10 @@ optional_policy(` +@@ -787,6 +1415,10 @@ optional_policy(` ') optional_policy(` @@ -39556,7 +39397,7 @@ index 17eda2480..09d9144cb 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1430,6 @@ optional_policy(` +@@ -808,8 +1440,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -39565,7 +39406,7 @@ index 17eda2480..09d9144cb 100644 ') optional_policy(` -@@ -818,6 +1438,10 @@ optional_policy(` +@@ -818,6 +1448,10 @@ optional_policy(` ') optional_policy(` 
@@ -39576,7 +39417,7 @@ index 17eda2480..09d9144cb 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1451,12 @@ optional_policy(` +@@ -827,10 +1461,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -39589,7 +39430,7 @@ index 17eda2480..09d9144cb 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1483,62 @@ optional_policy(` +@@ -857,21 +1493,62 @@ optional_policy(` ') optional_policy(` @@ -39653,7 +39494,7 @@ index 17eda2480..09d9144cb 100644 ') optional_policy(` -@@ -887,6 +1554,10 @@ optional_policy(` +@@ -887,6 +1564,10 @@ optional_policy(` ') optional_policy(` @@ -39664,7 +39505,7 @@ index 17eda2480..09d9144cb 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1568,218 @@ optional_policy(` +@@ -897,3 +1578,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -40188,7 +40029,7 @@ index 0d4c8d35e..537aa4274 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 312cd0417..27a5d0650 100644 +index 312cd0417..07a92cc93 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -40201,7 +40042,7 @@ index 312cd0417..27a5d0650 100644 type ipsec_mgmt_lock_t; files_lock_file(ipsec_mgmt_lock_t) -@@ -67,29 +70,43 @@ type setkey_exec_t; +@@ -67,29 +70,44 @@ type setkey_exec_t; init_system_domain(setkey_t, setkey_exec_t) role system_r types setkey_t; 
@@ -40244,13 +40085,14 @@ index 312cd0417..27a5d0650 100644 -manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) +manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) ++allow ipsec_t ipsec_key_file_t:file map; + +manage_files_pattern(ipsec_t, ipsec_log_t, ipsec_log_t) +logging_log_filetrans(ipsec_t, ipsec_log_t, file, "pluto.log") manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) -@@ -101,6 +118,7 @@ manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) +@@ -101,6 +119,7 @@ manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file }) can_exec(ipsec_t, ipsec_mgmt_exec_t) @@ -40258,7 +40100,7 @@ index 312cd0417..27a5d0650 100644 # pluto runs an updown script (by calling popen()!) as this is by default # a shell script, we need to find a way to make things work without -@@ -110,10 +128,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) +@@ -110,10 +129,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) allow ipsec_mgmt_t ipsec_t:fd use; allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; @@ -40271,7 +40113,7 @@ index 312cd0417..27a5d0650 100644 kernel_list_proc(ipsec_t) kernel_read_proc_symlinks(ipsec_t) # allow pluto to access /proc/net/ipsec_eroute; -@@ -128,20 +146,24 @@ corecmd_exec_shell(ipsec_t) +@@ -128,20 +147,24 @@ corecmd_exec_shell(ipsec_t) corecmd_exec_bin(ipsec_t) # Pluto needs network access @@ -40303,7 +40145,7 @@ index 312cd0417..27a5d0650 100644 dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) -@@ -157,22 +179,32 @@ files_dontaudit_search_home(ipsec_t) +@@ -157,22 +180,32 @@ files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) 
@@ -40338,7 +40180,7 @@ index 312cd0417..27a5d0650 100644 optional_policy(` seutil_sigchld_newrole(ipsec_t) -@@ -182,19 +214,30 @@ optional_policy(` +@@ -182,19 +215,30 @@ optional_policy(` udev_read_db(ipsec_t) ') @@ -40373,7 +40215,7 @@ index 312cd0417..27a5d0650 100644 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) -@@ -208,12 +251,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) +@@ -208,12 +252,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) @@ -40389,7 +40231,7 @@ index 312cd0417..27a5d0650 100644 # _realsetup needs to be able to cat /var/run/pluto.pid, # run ps on that pid, and delete the file -@@ -246,6 +291,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -246,6 +292,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -40406,7 +40248,7 @@ index 312cd0417..27a5d0650 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -255,6 +310,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -255,6 +311,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) @@ -40415,7 +40257,7 @@ index 312cd0417..27a5d0650 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -269,6 +326,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) +@@ -269,6 +327,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) files_read_etc_files(ipsec_mgmt_t) files_exec_etc_files(ipsec_mgmt_t) files_read_etc_runtime_files(ipsec_mgmt_t) 
@@ -40423,7 +40265,7 @@ index 312cd0417..27a5d0650 100644 files_read_usr_files(ipsec_mgmt_t) files_dontaudit_getattr_default_dirs(ipsec_mgmt_t) files_dontaudit_getattr_default_files(ipsec_mgmt_t) -@@ -278,9 +336,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -278,9 +337,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -40435,7 +40277,7 @@ index 312cd0417..27a5d0650 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -288,17 +347,28 @@ init_exec_script_files(ipsec_mgmt_t) +@@ -288,17 +348,28 @@ init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) @@ -40469,7 +40311,7 @@ index 312cd0417..27a5d0650 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -322,6 +392,10 @@ optional_policy(` +@@ -322,6 +393,10 @@ optional_policy(` ') optional_policy(` @@ -40480,7 +40322,7 @@ index 312cd0417..27a5d0650 100644 modutils_domtrans_insmod(ipsec_mgmt_t) ') -@@ -335,7 +409,7 @@ optional_policy(` +@@ -335,7 +410,7 @@ optional_policy(` # allow racoon_t self:capability { net_admin net_bind_service }; @@ -40489,7 +40331,7 @@ index 312cd0417..27a5d0650 100644 allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; -@@ -370,13 +444,12 @@ kernel_request_load_module(racoon_t) +@@ -370,13 +445,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) @@ -40509,7 +40351,7 @@ index 312cd0417..27a5d0650 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +474,10 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +475,10 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) 
@@ -40522,7 +40364,7 @@ index 312cd0417..27a5d0650 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +511,8 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +512,8 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -42680,7 +42522,7 @@ index 4e9488463..2db173f77 100644 +') + diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1a2..6ae1e2663 100644 +index 59b04c1a2..e9545b961 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1) @@ -42974,7 +42816,7 @@ index 59b04c1a2..6ae1e2663 100644 rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) files_search_spool(syslogd_t) -@@ -389,30 +457,48 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -389,30 +457,49 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -42984,6 +42826,7 @@ index 59b04c1a2..6ae1e2663 100644 + +manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) ++allow syslogd_t syslogd_var_lib_t:file map; files_search_var_lib(syslogd_t) -# manage pid file @@ -43026,7 +42869,7 @@ index 59b04c1a2..6ae1e2663 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -422,6 +508,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -422,6 +509,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) 
@@ -43035,7 +42878,7 @@ index 59b04c1a2..6ae1e2663 100644 corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -432,9 +520,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -432,9 +521,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -43069,7 +42912,7 @@ index 59b04c1a2..6ae1e2663 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -448,13 +559,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) +@@ -448,13 +560,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) @@ -43087,7 +42930,7 @@ index 59b04c1a2..6ae1e2663 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -466,11 +581,12 @@ init_use_fds(syslogd_t) +@@ -466,11 +582,12 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -43103,7 +42946,7 @@ index 59b04c1a2..6ae1e2663 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -497,6 +613,7 @@ optional_policy(` +@@ -497,6 +614,7 @@ optional_policy(` optional_policy(` cron_manage_log_files(syslogd_t) cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") @@ -43111,7 +42954,7 @@ index 59b04c1a2..6ae1e2663 100644 ') optional_policy(` -@@ -507,15 +624,44 @@ optional_policy(` +@@ -507,15 +625,44 @@ optional_policy(` ') optional_policy(` @@ -43156,7 +42999,7 @@ index 59b04c1a2..6ae1e2663 100644 ') optional_policy(` -@@ -526,3 +672,29 @@ optional_policy(` +@@ -526,3 +673,29 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -48771,10 +48614,10 @@ index 000000000..121b42208 +/var/run/initramfs(/.*)? <> 
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 000000000..5871e072d +index 000000000..dc06d3b3f --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1880 @@ +@@ -0,0 +1,1898 @@ +## SELinux policy for systemd components + +###################################### @@ -49377,6 +49220,24 @@ index 000000000..5871e072d + +######################################## +## ++## Execute a domain transition to run systemd_rfkill. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_rfkill_domtrans',` ++ gen_require(` ++ type systemd_rfkill_t, systemd_rfkill_exec_t; ++ ') ++ ++ domtrans_pattern($1, systemd_rfkill_exec_t, systemd_rfkill_t) ++') ++ ++######################################## ++## +## Execute a domain transition to run systemd_notify. +## +## @@ -50657,10 +50518,10 @@ index 000000000..5871e072d +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 000000000..bb880db4a +index 000000000..598ce3fca --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,1040 @@ +@@ -0,0 +1,1041 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -50708,6 +50569,7 @@ index 000000000..bb880db4a +systemd_unit_file(systemd_hwdb_unit_file_t) + +systemd_domain_template(systemd_networkd) ++init_nnp_daemon_domain(systemd_networkd_t) + +type systemd_networkd_unit_file_t; +systemd_unit_file(systemd_networkd_unit_file_t) @@ -58290,7 +58152,7 @@ index 9dc60c6c0..562afbe9a 100644 + ') ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index f4ac38dc7..e4733e828 100644 +index f4ac38dc7..f3819687f 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1) 
@@ -58379,7 +58241,7 @@ index f4ac38dc7..e4733e828 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +83,396 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +83,397 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -58521,6 +58383,7 @@ index f4ac38dc7..e4733e828 100644 + fs_manage_nfs_dirs(userdom_home_manager_type) + fs_manage_nfs_files(userdom_home_manager_type) + fs_manage_nfs_symlinks(userdom_home_manager_type) ++ fs_mmap_nfs_files(userdom_home_manager_type) +') + +tunable_policy(`use_samba_home_dirs',` diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index b4a2b26..de01743 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -589,7 +589,7 @@ index 058d908e4..ee0c55969 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f070f..4a8367de4 100644 +index eb50f070f..c23bb4b86 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -806,7 +806,7 @@ index eb50f070f..4a8367de4 100644 domain_getattr_all_domains(abrt_t) domain_read_all_domains_state(abrt_t) -@@ -176,29 +199,44 @@ files_getattr_all_files(abrt_t) +@@ -176,29 +199,46 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -826,6 +826,7 @@ index eb50f070f..4a8367de4 100644 fs_getattr_all_dirs(abrt_t) -fs_list_inotifyfs(abrt_t) fs_read_fusefs_files(abrt_t) ++fs_mmap_fusefs_files(abrt_t) fs_read_noxattr_fs_files(abrt_t) fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) 
@@ -836,6 +837,7 @@ index eb50f070f..4a8367de4 100644 +storage_dontaudit_read_fixed_disk(abrt_t) logging_read_generic_logs(abrt_t) ++logging_mmap_journal(abrt_t) +logging_send_syslog_msg(abrt_t) +logging_stream_connect_syslog(abrt_t) +logging_read_syslog_pid(abrt_t) @@ -854,7 +856,7 @@ index eb50f070f..4a8367de4 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -206,15 +244,11 @@ tunable_policy(`abrt_anon_write',` +@@ -206,15 +246,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -871,7 +873,7 @@ index eb50f070f..4a8367de4 100644 ') optional_policy(` -@@ -222,6 +256,37 @@ optional_policy(` +@@ -222,6 +258,37 @@ optional_policy(` ') optional_policy(` @@ -909,7 +911,7 @@ index eb50f070f..4a8367de4 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -234,18 +299,25 @@ optional_policy(` +@@ -234,18 +301,25 @@ optional_policy(` ') optional_policy(` @@ -938,7 +940,7 @@ index eb50f070f..4a8367de4 100644 optional_policy(` sosreport_domtrans(abrt_t) -@@ -253,9 +325,21 @@ optional_policy(` +@@ -253,9 +327,21 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -961,7 +963,7 @@ index eb50f070f..4a8367de4 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -266,9 +350,13 @@ tunable_policy(`abrt_handle_event',` +@@ -266,9 +352,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -976,7 +978,7 @@ index eb50f070f..4a8367de4 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -281,6 +369,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -281,6 +371,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) 
@@ -984,7 +986,7 @@ index eb50f070f..4a8367de4 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -289,15 +378,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -289,15 +380,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -1005,7 +1007,7 @@ index eb50f070f..4a8367de4 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -305,11 +399,25 @@ ifdef(`hide_broken_symptoms',` +@@ -305,11 +401,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -1032,7 +1034,7 @@ index eb50f070f..4a8367de4 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -327,10 +435,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -327,10 +437,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -1046,7 +1048,7 @@ index eb50f070f..4a8367de4 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -343,10 +453,11 @@ optional_policy(` +@@ -343,10 +455,11 @@ optional_policy(` ####################################### # @@ -1060,7 +1062,7 @@ index eb50f070f..4a8367de4 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +476,90 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +478,90 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) 
@@ -1155,7 +1157,7 @@ index eb50f070f..4a8367de4 100644 ####################################### # -@@ -404,25 +567,60 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,25 +569,60 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -1218,7 +1220,7 @@ index eb50f070f..4a8367de4 100644 ') ####################################### -@@ -430,10 +628,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +630,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -3300,10 +3302,10 @@ index 000000000..36251b926 +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 000000000..28cdddda9 +index 000000000..547ee89dd --- /dev/null +++ b/antivirus.te -@@ -0,0 +1,274 @@ +@@ -0,0 +1,275 @@ +policy_module(antivirus, 1.0.0) + +######################################## @@ -3333,6 +3335,7 @@ index 000000000..28cdddda9 +typealias antivirus_t alias { amavis_t clamd_t clamscan_t freshclam_t } ; +typealias antivirus_exec_t alias { amavis_exec_t clamd_exec_t clamscan_exec_t freshclam_exec_t }; +init_daemon_domain(antivirus_t, antivirus_exec_t) ++init_nnp_daemon_domain(antivirus_t) + +type antivirus_initrc_exec_t; +typealias antivirus_initrc_exec_t alias { clamd_initrc_exec_t amavis_initrc_exec_t }; @@ -5631,7 +5634,7 @@ index f6eb4851f..3628a384f 100644 + allow $1 httpd_t:process { noatsecure }; ') diff --git a/apache.te b/apache.te -index 6649962b6..0a7b49bbb 100644 +index 6649962b6..b7ac74501 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -7890,7 +7893,7 @@ index 6649962b6..0a7b49bbb 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1681,109 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1681,110 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) 
@@ -7989,6 +7992,7 @@ index 6649962b6..0a7b49bbb 100644 +') + +read_files_pattern(httpd_t, httpd_content_type, httpd_content_type) ++allow httpd_t httpd_content_type:file map; + +tunable_policy(`httpd_builtin_scripting',` + allow httpd_t httpd_content_type:dir search_dir_perms; @@ -21744,7 +21748,7 @@ index 3023be7f6..5afde8039 100644 + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") ') diff --git a/cups.te b/cups.te -index c91813ccb..0ea3e3d6a 100644 +index c91813ccb..dd52ab6ad 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) @@ -22021,7 +22025,7 @@ index c91813ccb..0ea3e3d6a 100644 selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -244,23 +289,31 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -244,23 +289,33 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) @@ -22038,7 +22042,8 @@ index c91813ccb..0ea3e3d6a 100644 -miscfiles_read_localization(cupsd_t) -miscfiles_read_fonts(cupsd_t) -miscfiles_setattr_fonts_cache_dirs(cupsd_t) -- ++miscfiles_legacy_read_localization(cupsd_t) + seutil_read_config(cupsd_t) sysnet_exec_ifconfig(cupsd_t) @@ -22058,7 +22063,7 @@ index c91813ccb..0ea3e3d6a 100644 optional_policy(` apm_domtrans_client(cupsd_t) ') -@@ -272,6 +325,8 @@ optional_policy(` +@@ -272,6 +327,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -22067,7 +22072,7 @@ index c91813ccb..0ea3e3d6a 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -279,11 +334,17 @@ optional_policy(` +@@ -279,11 +336,17 @@ optional_policy(` ') optional_policy(` @@ -22085,7 +22090,7 @@ index c91813ccb..0ea3e3d6a 100644 ') ') -@@ -296,8 +357,8 @@ optional_policy(` +@@ -296,8 +359,8 @@ optional_policy(` ') optional_policy(` @@ -22095,7 +22100,7 @@ index c91813ccb..0ea3e3d6a 100644 ') optional_policy(` -@@ -306,7 +367,6 @@ optional_policy(` +@@ -306,7 +369,6 @@ optional_policy(` optional_policy(` lpd_exec_lpr(cupsd_t) 
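Review bot: `allow httpd_t httpd_content_type:file map;` in apache.te grants mmap over the whole `httpd_content_type` attribute unconditionally, which may be wider than the denial in BZ(1514866) requires. If the attribute also covers content that httpd is allowed to write (not visible in this hunk), confirm that mapping those files is intended rather than limiting `map` to the read-only content types. At minimum the rule deserves a comment such as `# httpd mmaps the content it serves; map is granted on every content type BZ(1514866)`. The same raw `allow ... :file map;` form is added for `mandb_cache_t` in mandb.te and `svirt_tmpfs_t` in virt.te, where the surrounding lines use pattern macros and interfaces instead.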
@@ -22103,7 +22108,7 @@ index c91813ccb..0ea3e3d6a 100644 lpd_read_config(cupsd_t) lpd_relabel_spool(cupsd_t) ') -@@ -316,6 +376,10 @@ optional_policy(` +@@ -316,6 +378,10 @@ optional_policy(` ') optional_policy(` @@ -22114,7 +22119,7 @@ index c91813ccb..0ea3e3d6a 100644 samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) samba_stream_connect_nmbd(cupsd_t) -@@ -326,7 +390,7 @@ optional_policy(` +@@ -326,7 +392,7 @@ optional_policy(` ') optional_policy(` @@ -22123,7 +22128,7 @@ index c91813ccb..0ea3e3d6a 100644 ') optional_policy(` -@@ -334,7 +398,11 @@ optional_policy(` +@@ -334,7 +400,11 @@ optional_policy(` ') optional_policy(` @@ -22136,7 +22141,7 @@ index c91813ccb..0ea3e3d6a 100644 ') ######################################## -@@ -342,12 +410,11 @@ optional_policy(` +@@ -342,12 +412,11 @@ optional_policy(` # Configuration daemon local policy # @@ -22152,7 +22157,7 @@ index c91813ccb..0ea3e3d6a 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -367,23 +434,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) +@@ -367,23 +436,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; @@ -22180,7 +22185,7 @@ index c91813ccb..0ea3e3d6a 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -392,20 +459,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -392,20 +461,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) 
@@ -22201,7 +22206,7 @@ index c91813ccb..0ea3e3d6a 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -417,17 +476,16 @@ auth_use_nsswitch(cupsd_config_t) +@@ -417,17 +478,16 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -22223,7 +22228,7 @@ index c91813ccb..0ea3e3d6a 100644 optional_policy(` term_use_generic_ptys(cupsd_config_t) ') -@@ -449,9 +507,12 @@ optional_policy(` +@@ -449,9 +509,12 @@ optional_policy(` ') optional_policy(` @@ -22237,7 +22242,7 @@ index c91813ccb..0ea3e3d6a 100644 ') optional_policy(` -@@ -467,6 +528,10 @@ optional_policy(` +@@ -467,6 +530,10 @@ optional_policy(` ') optional_policy(` @@ -22248,7 +22253,7 @@ index c91813ccb..0ea3e3d6a 100644 rpm_read_db(cupsd_config_t) ') -@@ -487,10 +552,6 @@ optional_policy(` +@@ -487,10 +554,6 @@ optional_policy(` # Lpd local policy # @@ -22259,7 +22264,7 @@ index c91813ccb..0ea3e3d6a 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -508,15 +569,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -508,15 +571,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -22277,7 +22282,7 @@ index c91813ccb..0ea3e3d6a 100644 corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) corenet_sendrecv_printer_server_packets(cupsd_lpd_t) -@@ -537,9 +598,6 @@ auth_use_nsswitch(cupsd_lpd_t) +@@ -537,9 +600,6 @@ auth_use_nsswitch(cupsd_lpd_t) logging_send_syslog_msg(cupsd_lpd_t) @@ -22287,7 +22292,7 @@ index c91813ccb..0ea3e3d6a 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -549,9 +607,9 @@ optional_policy(` +@@ -549,9 +609,9 @@ optional_policy(` # Pdf local policy # 
@@ -22299,7 +22304,7 @@ index c91813ccb..0ea3e3d6a 100644 append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) create_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -566,148 +624,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -566,148 +626,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -22328,11 +22333,13 @@ index c91813ccb..0ea3e3d6a 100644 - fs_manage_cifs_dirs(cups_pdf_t) - fs_manage_cifs_files(cups_pdf_t) -') -- --optional_policy(` ++userdom_home_manager(cups_pdf_t) + + optional_policy(` - lpd_manage_spool(cups_pdf_t) --') -- ++ gnome_read_config(cups_pdf_t) + ') + -######################################## -# -# HPLIP local policy @@ -22434,13 +22441,11 @@ index c91813ccb..0ea3e3d6a 100644 - lpd_read_config(hplip_t) - lpd_manage_spool(hplip_t) -') -+userdom_home_manager(cups_pdf_t) - - optional_policy(` +- +-optional_policy(` - seutil_sigchld_newrole(hplip_t) -+ gnome_read_config(cups_pdf_t) - ') - +-') +- -optional_policy(` - snmp_read_snmp_var_lib_files(hplip_t) -') @@ -22451,7 +22456,7 @@ index c91813ccb..0ea3e3d6a 100644 ######################################## # -@@ -735,7 +668,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -735,7 +670,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -22459,7 +22464,7 @@ index c91813ccb..0ea3e3d6a 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -745,13 +677,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -745,13 +679,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -22473,7 +22478,7 @@ index c91813ccb..0ea3e3d6a 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -759,8 +689,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -759,8 +691,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) 
@@ -22482,7 +22487,7 @@ index c91813ccb..0ea3e3d6a 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -773,3 +701,4 @@ optional_policy(` +@@ -773,3 +703,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') @@ -27568,7 +27573,7 @@ index d5badb755..c2431fc73 100644 + admin_pattern($1, dovecot_passwd_t) ') diff --git a/dovecot.te b/dovecot.te -index 0aabc7e66..958d6c8df 100644 +index 0aabc7e66..6786b1a40 100644 --- a/dovecot.te +++ b/dovecot.te @@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1) @@ -27760,7 +27765,7 @@ index 0aabc7e66..958d6c8df 100644 init_getattr_utmp(dovecot_t) -@@ -171,45 +170,44 @@ auth_use_nsswitch(dovecot_t) +@@ -171,45 +170,45 @@ auth_use_nsswitch(dovecot_t) miscfiles_read_generic_certs(dovecot_t) @@ -27788,6 +27793,7 @@ index 0aabc7e66..958d6c8df 100644 - fs_manage_cifs_symlinks(dovecot_t) +optional_policy(` + mta_manage_home_rw(dovecot_t) ++ mta_mmap_home_rw(dovecot_t) + mta_manage_spool(dovecot_t) ') @@ -27824,7 +27830,7 @@ index 0aabc7e66..958d6c8df 100644 sendmail_domtrans(dovecot_t) ') -@@ -227,49 +225,73 @@ optional_policy(` +@@ -227,49 +226,73 @@ optional_policy(` ######################################## # @@ -27908,7 +27914,7 @@ index 0aabc7e66..958d6c8df 100644 ') optional_policy(` -@@ -277,53 +299,79 @@ optional_policy(` +@@ -277,53 +300,79 @@ optional_policy(` ') optional_policy(` @@ -28007,7 +28013,7 @@ index 0aabc7e66..958d6c8df 100644 mta_read_queue(dovecot_deliver_t) ') -@@ -332,5 +380,6 @@ optional_policy(` +@@ -332,5 +381,6 @@ optional_policy(` ') optional_policy(` @@ -41535,7 +41541,7 @@ index 1a354203e..8101022be 100644 logging_search_logs($1) admin_pattern($1, iscsi_log_t) diff --git a/iscsi.te b/iscsi.te -index ca020faa9..58233a218 100644 +index ca020faa9..4afdcc8f9 100644 --- a/iscsi.te +++ b/iscsi.te @@ -5,12 +5,15 @@ policy_module(iscsi, 1.9.0) 
@@ -41572,7 +41578,7 @@ index ca020faa9..58233a218 100644 allow iscsid_t self:netlink_socket create_socket_perms; allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms; allow iscsid_t self:netlink_route_socket nlmsg_write; -@@ -55,20 +58,22 @@ manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) +@@ -55,20 +58,23 @@ manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file }) @@ -41595,12 +41601,13 @@ index ca020faa9..58233a218 100644 kernel_read_system_state(iscsid_t) -kernel_setsched(iscsid_t) +kernel_dontaudit_setsched(iscsid_t) ++kernel_request_load_module(iscsid_t) -corenet_all_recvfrom_unlabeled(iscsid_t) corenet_all_recvfrom_netlabel(iscsid_t) corenet_tcp_sendrecv_generic_if(iscsid_t) corenet_tcp_sendrecv_generic_node(iscsid_t) -@@ -85,22 +90,40 @@ corenet_sendrecv_isns_client_packets(iscsid_t) +@@ -85,22 +91,40 @@ corenet_sendrecv_isns_client_packets(iscsid_t) corenet_tcp_connect_isns_port(iscsid_t) corenet_tcp_sendrecv_isns_port(iscsid_t) @@ -50510,10 +50517,10 @@ index 327f3f726..d6ae4eab6 100644 + ') ') diff --git a/mandb.te b/mandb.te -index e6136fd37..56fa2cfc1 100644 +index e6136fd37..afaa79b11 100644 --- a/mandb.te +++ b/mandb.te -@@ -10,19 +10,40 @@ roleattribute system_r mandb_roles; +@@ -10,22 +10,46 @@ roleattribute system_r mandb_roles; type mandb_t; type mandb_exec_t; @@ -50546,6 +50553,7 @@ index e6136fd37..56fa2cfc1 100644 +manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t) +files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file }) +can_exec(mandb_t, mandb_exec_t) ++allow mandb_t mandb_cache_t:file map; + +userdom_search_user_home_dirs(mandb_t) +allow mandb_t mandb_home_t:file read_file_perms; 
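Review bot: `kernel_request_load_module(iscsid_t)` in iscsi.te lets a daemon that also connects out over TCP (the corenet rules just below it) ask the kernel to autoload modules, and nothing in the hunk records which modules iscsid is expected to need. Module autoload widens what a compromised daemon can reach in the kernel, so the rule should carry its justification, for example `# iscsid autoloads <modules named in BZ(1448877)>; needs system module_request`. The placeholder has to be filled from the bug report, because the module names are not on this page.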
@@ -50556,7 +50564,12 @@ index e6136fd37..56fa2cfc1 100644 kernel_read_kernel_sysctls(mandb_t) kernel_read_system_state(mandb_t) -@@ -33,11 +54,14 @@ dev_search_sysfs(mandb_t) ++auth_read_passwd(mandb_t) ++ + corecmd_exec_bin(mandb_t) + corecmd_exec_shell(mandb_t) + +@@ -33,11 +57,14 @@ dev_search_sysfs(mandb_t) domain_use_interactive_fds(mandb_t) @@ -51050,10 +51063,18 @@ index 1d4eb19b8..650014e0f 100644 admin_pattern($1, memcached_var_run_t) ') diff --git a/memcached.te b/memcached.te -index 29b752160..68ec663c2 100644 +index 29b752160..8c41e59db 100644 --- a/memcached.te +++ b/memcached.te -@@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t) +@@ -8,6 +8,7 @@ policy_module(memcached, 1.3.1) + type memcached_t; + type memcached_exec_t; + init_daemon_domain(memcached_t, memcached_exec_t) ++init_nnp_daemon_domain(memcached_t) + + type memcached_initrc_exec_t; + init_script_file(memcached_initrc_exec_t) +@@ -20,7 +21,7 @@ files_pid_file(memcached_var_run_t) # Local policy # @@ -51062,7 +51083,7 @@ index 29b752160..68ec663c2 100644 dontaudit memcached_t self:capability sys_tty_config; allow memcached_t self:process { setrlimit signal_perms }; allow memcached_t self:tcp_socket { accept listen }; -@@ -59,4 +59,3 @@ term_dontaudit_use_console(memcached_t) +@@ -59,4 +60,3 @@ term_dontaudit_use_console(memcached_t) auth_use_nsswitch(memcached_t) @@ -55833,7 +55854,7 @@ index f42896cbf..fce39c1ce 100644 +/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if -index ed81cac5a..cd52baf59 100644 +index ed81cac5a..4ea31b5e2 100644 --- a/mta.if +++ b/mta.if @@ -1,4 +1,4 @@ 
@@ -55985,13 +56006,11 @@ index ed81cac5a..cd52baf59 100644 ') -####################################### -+###################################### - ## +-## -## Read mta mail home files. -+## Dontaudit read and write an leaked file descriptors - ## - ## - ## +-## +-## +-## -## Domain allowed access. -## -## @@ -56026,13 +56045,15 @@ index ed81cac5a..cd52baf59 100644 -') - -######################################## --## ++###################################### + ## -## Create specified objects in user home -## directories with the generic mail -## home type. --## --## --## ++## Dontaudit read and write an leaked file descriptors + ## + ## + ## -## Domain allowed access. -## -## @@ -56789,7 +56810,7 @@ index ed81cac5a..cd52baf59 100644 ## ## ## -@@ -1081,3 +1067,209 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -1081,3 +1067,228 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -56866,6 +56887,24 @@ index ed81cac5a..cd52baf59 100644 + +#################################### +## ++## ALlow domain to mmap mail content in the homedir ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mta_mmap_home_rw',` ++ gen_require(` ++ type mail_home_rw_t; ++ ') ++ ++ allow $1 mail_home_rw_t:file map; ++') ++ ++#################################### ++## +## ALlow domain to read mail content in the homedir +## +## @@ -56881,6 +56920,7 @@ index ed81cac5a..cd52baf59 100644 + + userdom_search_user_home_dirs($1) + read_files_pattern($1, mail_home_rw_t, mail_home_rw_t) ++ list_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t) + read_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t) + + ifdef(`distro_redhat',` @@ -76570,7 +76610,7 @@ index c0e878537..3070aa066 100644 +/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) +/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) 
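Review bot: The summary of the new `mta_mmap_home_rw` interface in mta.if carries the typo `ALlow`, copied from the neighbouring interface, and does not say that the interface grants only `map`. A caller gets no search, open or read access from it, so it is only meaningful next to `mta_read_home_rw` or `mta_manage_home_rw`, which is how dovecot.te uses it in this commit. Suggested summary text: `Allow domain to mmap mail content in the homedir (map only; pair with a read or manage interface)`.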
diff --git a/postfix.if b/postfix.if -index ded95ec3a..210018ce4 100644 +index ded95ec3a..30d57cf13 100644 --- a/postfix.if +++ b/postfix.if @@ -1,4 +1,4 @@ @@ -76738,11 +76778,12 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -143,16 +132,15 @@ interface(`postfix_read_config',` +@@ -143,16 +132,16 @@ interface(`postfix_read_config',` type postfix_etc_t; ') + read_files_pattern($1, postfix_etc_t, postfix_etc_t) ++ list_dirs_pattern($1, postfix_etc_t, postfix_etc_t) + read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t) files_search_etc($1) - allow $1 postfix_etc_t:dir list_dir_perms; @@ -76759,7 +76800,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -180,6 +168,7 @@ interface(`postfix_config_filetrans',` +@@ -180,6 +169,7 @@ interface(`postfix_config_filetrans',` type postfix_etc_t; ') @@ -76767,7 +76808,7 @@ index ded95ec3a..210018ce4 100644 filetrans_pattern($1, postfix_etc_t, $2, $3, $4) ') -@@ -205,7 +194,8 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',` +@@ -205,7 +195,8 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',` ######################################## ## @@ -76777,7 +76818,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -221,30 +211,28 @@ interface(`postfix_rw_local_pipes',` +@@ -221,30 +212,28 @@ interface(`postfix_rw_local_pipes',` allow $1 postfix_local_t:fifo_file rw_fifo_file_perms; ') @@ -76820,7 +76861,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -252,18 +240,18 @@ interface(`postfix_read_local_state',` +@@ -252,18 +241,18 @@ interface(`postfix_read_local_state',` ## ## # @@ -76844,7 +76885,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -277,14 +265,13 @@ interface(`postfix_read_master_state',` +@@ -277,14 +266,13 @@ interface(`postfix_read_master_state',` ') kernel_search_proc($1) @@ -76862,7 +76903,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -335,15 +322,13 @@ interface(`postfix_domtrans_map',` +@@ -335,15 +323,13 @@ interface(`postfix_domtrans_map',` type postfix_map_t, postfix_map_exec_t; ') 
@@ -76880,7 +76921,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -359,17 +344,17 @@ interface(`postfix_domtrans_map',` +@@ -359,17 +345,17 @@ interface(`postfix_domtrans_map',` # interface(`postfix_run_map',` gen_require(` @@ -76902,7 +76943,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -380,16 +365,35 @@ interface(`postfix_run_map',` +@@ -380,16 +366,35 @@ interface(`postfix_run_map',` interface(`postfix_domtrans_master',` gen_require(` type postfix_master_t, postfix_master_exec_t; @@ -76941,7 +76982,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -402,21 +406,18 @@ interface(`postfix_exec_master',` +@@ -402,21 +407,18 @@ interface(`postfix_exec_master',` type postfix_master_exec_t; ') @@ -76964,7 +77005,7 @@ index ded95ec3a..210018ce4 100644 # interface(`postfix_stream_connect_master',` gen_require(` -@@ -428,8 +429,7 @@ interface(`postfix_stream_connect_master',` +@@ -428,8 +430,7 @@ interface(`postfix_stream_connect_master',` ######################################## ## @@ -76974,7 +77015,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -437,15 +437,18 @@ interface(`postfix_stream_connect_master',` +@@ -437,15 +438,18 @@ interface(`postfix_stream_connect_master',` ## ## # @@ -76997,7 +77038,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -458,14 +461,13 @@ interface(`postfix_domtrans_postdrop',` +@@ -458,14 +462,13 @@ interface(`postfix_domtrans_postdrop',` type postfix_postdrop_t, postfix_postdrop_exec_t; ') @@ -77013,7 +77054,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -478,30 +480,85 @@ interface(`postfix_domtrans_postqueue',` +@@ -478,30 +481,85 @@ interface(`postfix_domtrans_postqueue',` type postfix_postqueue_t, postfix_postqueue_exec_t; ') @@ -77109,7 +77150,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -514,13 +571,12 @@ interface(`postfix_exec_postqueue',` +@@ -514,13 +572,12 @@ interface(`postfix_exec_postqueue',` type postfix_postqueue_exec_t; ') 
@@ -77124,7 +77165,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -533,13 +589,13 @@ interface(`postfix_create_private_sockets',` +@@ -533,13 +590,13 @@ interface(`postfix_create_private_sockets',` type postfix_private_t; ') @@ -77140,7 +77181,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -552,13 +608,14 @@ interface(`postfix_manage_private_sockets',` +@@ -552,13 +609,14 @@ interface(`postfix_manage_private_sockets',` type postfix_private_t; ') @@ -77157,7 +77198,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -571,14 +628,12 @@ interface(`postfix_domtrans_smtp',` +@@ -571,14 +629,12 @@ interface(`postfix_domtrans_smtp',` type postfix_smtp_t, postfix_smtp_exec_t; ') @@ -77173,7 +77214,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -586,7 +641,7 @@ interface(`postfix_domtrans_smtp',` +@@ -586,7 +642,7 @@ interface(`postfix_domtrans_smtp',` ## ## # @@ -77182,7 +77223,7 @@ index ded95ec3a..210018ce4 100644 gen_require(` attribute postfix_spool_type; ') -@@ -607,11 +662,11 @@ interface(`postfix_getattr_all_spool_files',` +@@ -607,11 +663,11 @@ interface(`postfix_getattr_all_spool_files',` # interface(`postfix_search_spool',` gen_require(` @@ -77196,7 +77237,7 @@ index ded95ec3a..210018ce4 100644 ') ######################################## -@@ -626,11 +681,11 @@ interface(`postfix_search_spool',` +@@ -626,11 +682,11 @@ interface(`postfix_search_spool',` # interface(`postfix_list_spool',` gen_require(` @@ -77210,7 +77251,7 @@ index ded95ec3a..210018ce4 100644 ') ######################################## -@@ -645,17 +700,16 @@ interface(`postfix_list_spool',` +@@ -645,17 +701,16 @@ interface(`postfix_list_spool',` # interface(`postfix_read_spool_files',` gen_require(` @@ -77231,7 +77272,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -665,11 +719,50 @@ interface(`postfix_read_spool_files',` +@@ -665,11 +720,50 @@ interface(`postfix_read_spool_files',` # interface(`postfix_manage_spool_files',` gen_require(` 
@@ -77284,7 +77325,7 @@ index ded95ec3a..210018ce4 100644 ') ######################################## -@@ -693,8 +786,8 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -693,8 +787,8 @@ interface(`postfix_domtrans_user_mail_handler',` ######################################## ## @@ -77295,7 +77336,7 @@ index ded95ec3a..210018ce4 100644 ## ## ## -@@ -710,38 +803,137 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -710,38 +804,137 @@ interface(`postfix_domtrans_user_mail_handler',` # interface(`postfix_admin',` gen_require(` @@ -86725,7 +86766,7 @@ index 5806046b1..2a4769ff4 100644 + /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) diff --git a/raid.if b/raid.if -index 951db7f1b..00e699da4 100644 +index 951db7f1b..65666b765 100644 --- a/raid.if +++ b/raid.if @@ -1,9 +1,8 @@ @@ -86807,27 +86848,22 @@ index 951db7f1b..00e699da4 100644 ## ## ## -@@ -57,47 +79,113 @@ interface(`raid_run_mdadm',` +@@ -57,47 +79,131 @@ interface(`raid_run_mdadm',` ## ## # --interface(`raid_manage_mdadm_pid',` +interface(`raid_read_mdadm_pid',` - gen_require(` - type mdadm_var_run_t; - ') - -- files_search_pids($1) -- allow $1 mdadm_var_run_t:file manage_file_perms; ++ gen_require(` ++ type mdadm_var_run_t; ++ ') ++ + read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t) - ') - - ######################################## - ## --## All of the rules required to --## administrate an mdadm environment. ++') ++ ++######################################## ++## +## Create, read, write, and delete the mdadm pid files. - ## ++## +## +##

    +## Create, read, write, and delete the mdadm pid files. @@ -86836,24 +86872,24 @@ index 951db7f1b..00e699da4 100644 +## Added for use in the init module. +##

    +##
    - ## - ## - ## Domain allowed access. - ## - ## --## ++## ++## ++## Domain allowed access. ++## ++## +# -+interface(`raid_manage_mdadm_pid',` -+ gen_require(` -+ type mdadm_var_run_t; -+ ') -+ + interface(`raid_manage_mdadm_pid',` + gen_require(` + type mdadm_var_run_t; + ') + +- files_search_pids($1) + # FIXME: maybe should have a type_transition. not + # clear what this is doing, from the original + # mdadm policy -+ allow $1 mdadm_var_run_t:file manage_file_perms; -+') -+ + allow $1 mdadm_var_run_t:file manage_file_perms; + ') + +####################################### +## +## Check access to the mdadm executable. @@ -86873,9 +86909,31 @@ index 951db7f1b..00e699da4 100644 + allow $1 mdadm_exec_t:file { getattr_file_perms execute }; +') + + ######################################## + ## +-## All of the rules required to +-## administrate an mdadm environment. ++## Read mdadm config files. + ## + ## + ## +-## Domain allowed access. ++## Domain allowed access. + ## + ## +-## ++# ++interface(`raid_read_conf_files',` ++ gen_require(` ++ type mdadm_conf_t; ++ ') ++ ++ read_files_pattern($1, mdadm_conf_t, mdadm_conf_t) ++') ++ +######################################## +## -+## Read mdadm config files. ++## Manage mdadm config files. +## +## ## @@ -86886,7 +86944,7 @@ index 951db7f1b..00e699da4 100644 -## # -interface(`raid_admin_mdadm',` -+interface(`raid_read_conf_files',` ++interface(`raid_manage_conf_files',` gen_require(` - type mdadm_t, mdadm_initrc_exec_t, mdadm_var_run_t; + type mdadm_conf_t; @@ -86894,12 +86952,12 @@ index 951db7f1b..00e699da4 100644 - allow $1 mdadm_t:process { ptrace signal_perms }; - ps_process_pattern($1, mdadm_t) -+ read_files_pattern($1, mdadm_conf_t, mdadm_conf_t) ++ manage_files_pattern($1, mdadm_conf_t, mdadm_conf_t) +') + +######################################## +## -+## Manage mdadm config files. ++## Transition to mdadm named content +## +## +## 
@@ -86907,7 +86965,7 @@ index 951db7f1b..00e699da4 100644 +## +## +# -+interface(`raid_manage_conf_files',` ++interface(`raid_filetrans_named_content',` + gen_require(` + type mdadm_conf_t; + ') @@ -86916,29 +86974,29 @@ index 951db7f1b..00e699da4 100644 - domain_system_change_exemption($1) - role_transition $2 mdadm_initrc_exec_t system_r; - allow $2 system_r; -+ manage_files_pattern($1, mdadm_conf_t, mdadm_conf_t) ++ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf") ++ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak") +') - files_search_pids($1) - admin_pattern($1, mdadm_var_run_t) +######################################## +## -+## Transition to mdadm named content ++## Relabel from mdadm_var_run_t sock file. +## +## +## -+## Domain allowed access. ++## Domain allowed access. +## +## +# -+interface(`raid_filetrans_named_content',` ++interface(`raid_relabel_mdadm_var_run_content',` + gen_require(` -+ type mdadm_conf_t; ++ type mdadm_var_run_t; + ') - raid_run_mdadm($2, $1) -+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf") -+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak") ++ allow $1 mdadm_var_run_t:sock_file relabel_sock_file_perms; ') diff --git a/raid.te b/raid.te index c99753f2c..082d5f686 100644 @@ -106130,7 +106188,7 @@ index 1499b0bbf..e695a62f3 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index cc58e3578..ece033330 100644 +index cc58e3578..0c421b171 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1) @@ -106566,7 +106624,7 @@ index cc58e3578..ece033330 100644 optional_policy(` abrt_stream_connect(spamc_t) -@@ -243,19 +352,31 @@ optional_policy(` +@@ -243,19 +352,32 @@ optional_policy(` ') optional_policy(` 
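Review bot: The summary of `raid_relabel_mdadm_var_run_content` in raid.if says "Relabel from mdadm_var_run_t sock file", but the rule grants `relabel_sock_file_perms`, which in the reference policy covers relabelto as well as relabelfrom. The name also says "content" although only the `sock_file` class is covered. Either state what is granted, `Relabel mdadm_var_run_t sock files (relabelfrom and relabelto)`, or, if only the direction in the summary is wanted, use `relabelfrom_sock_file_perms` so that callers do not receive more than the documentation promises.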
@@ -106596,10 +106654,11 @@ index cc58e3578..ece033330 100644 - sendmail_rw_pipes(spamc_t) sendmail_stub(spamc_t) + sendmail_rw_pipes(spamc_t) ++ mta_read_home_rw(spamc_t) ') optional_policy(` -@@ -267,48 +388,54 @@ optional_policy(` +@@ -267,48 +389,54 @@ optional_policy(` ######################################## # @@ -106674,7 +106733,7 @@ index cc58e3578..ece033330 100644 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) -@@ -317,12 +444,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +@@ -317,12 +445,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) @@ -106691,7 +106750,7 @@ index cc58e3578..ece033330 100644 corenet_all_recvfrom_netlabel(spamd_t) corenet_tcp_sendrecv_generic_if(spamd_t) corenet_udp_sendrecv_generic_if(spamd_t) -@@ -331,78 +460,60 @@ corenet_udp_sendrecv_generic_node(spamd_t) +@@ -331,78 +461,60 @@ corenet_udp_sendrecv_generic_node(spamd_t) corenet_tcp_sendrecv_all_ports(spamd_t) corenet_udp_sendrecv_all_ports(spamd_t) corenet_tcp_bind_generic_node(spamd_t) @@ -106796,7 +106855,7 @@ index cc58e3578..ece033330 100644 ') optional_policy(` -@@ -421,21 +532,13 @@ optional_policy(` +@@ -421,21 +533,13 @@ optional_policy(` ') optional_policy(` @@ -106820,7 +106879,7 @@ index cc58e3578..ece033330 100644 ') optional_policy(` -@@ -443,8 +546,8 @@ optional_policy(` +@@ -443,8 +547,8 @@ optional_policy(` ') optional_policy(` @@ -106830,7 +106889,7 @@ index cc58e3578..ece033330 100644 ') optional_policy(` -@@ -455,7 +558,17 @@ optional_policy(` +@@ -455,7 +559,17 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) razor_read_lib_files(spamd_t) 
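Review bot: `mta_read_home_rw(spamc_t)` in spamassassin.te is added inside the `optional_policy` block that holds `sendmail_stub(spamc_t)` and `sendmail_rw_pipes(spamc_t)`, so the home-mail read access is tied to the sendmail module being present. The block opens outside this hunk, so this reading is inferred from the closing `')` that follows the new line. If spamc should read home mail content regardless of sendmail, as the commit message for BZ(1414366) suggests, give the call its own block: `optional_policy(` mta_read_home_rw(spamc_t) ')`.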
@@ -106849,7 +106908,7 @@ index cc58e3578..ece033330 100644 ') optional_policy(` -@@ -463,9 +576,10 @@ optional_policy(` +@@ -463,9 +577,10 @@ optional_policy(` ') optional_policy(` @@ -106861,7 +106920,7 @@ index cc58e3578..ece033330 100644 ') optional_policy(` -@@ -474,32 +588,31 @@ optional_policy(` +@@ -474,32 +589,31 @@ optional_policy(` ######################################## # @@ -106903,7 +106962,7 @@ index cc58e3578..ece033330 100644 corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -508,25 +621,26 @@ dev_read_urand(spamd_update_t) +@@ -508,25 +622,26 @@ dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t) @@ -112488,10 +112547,10 @@ index 000000000..368e18842 +') diff --git a/tlp.te b/tlp.te new file mode 100644 -index 000000000..f124882af +index 000000000..80e71067a --- /dev/null +++ b/tlp.te -@@ -0,0 +1,91 @@ +@@ -0,0 +1,95 @@ +policy_module(tlp, 1.0.0) + +######################################## @@ -112581,6 +112640,10 @@ index 000000000..f124882af +') + +optional_policy(` ++ systemd_rfkill_domtrans(tlp_t) ++') ++ ++optional_policy(` + udev_domtrans(tlp_t) +') diff --git a/tmpreaper.te b/tmpreaper.te @@ -117985,7 +118048,7 @@ index facdee8b3..2a619ba9e 100644 + dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) ') diff --git a/virt.te b/virt.te -index f03dcf567..3fde9b1cd 100644 +index f03dcf567..6467b8676 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,424 @@ @@ -118950,7 +119013,7 @@ index f03dcf567..3fde9b1cd 100644 ') optional_policy(` -@@ -691,99 +653,449 @@ optional_policy(` +@@ -691,99 +653,450 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) 
@@ -119160,6 +119223,7 @@ index f03dcf567..3fde9b1cd 100644 +manage_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) +manage_lnk_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) +fs_tmpfs_filetrans(virt_domain, svirt_tmpfs_t, { dir file lnk_file }) ++allow virt_domain svirt_tmpfs_t:file map; + +manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) @@ -119451,7 +119515,7 @@ index f03dcf567..3fde9b1cd 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1106,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1107,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -119478,7 +119542,7 @@ index f03dcf567..3fde9b1cd 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1126,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1127,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -119512,7 +119576,7 @@ index f03dcf567..3fde9b1cd 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1163,20 @@ optional_policy(` +@@ -856,14 +1164,20 @@ optional_policy(` ') optional_policy(` @@ -119534,7 +119598,7 @@ index f03dcf567..3fde9b1cd 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1201,66 @@ optional_policy(` +@@ -888,49 +1202,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -119619,7 +119683,7 @@ index f03dcf567..3fde9b1cd 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1272,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1273,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) 
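Review bot: The added `allow virt_domain svirt_tmpfs_t:file map;` in virt.te grants `map` to every type carrying the `virt_domain` attribute, whereas the changelog describes the change as allowing svirt_t only (BZ(1515304)). The neighbouring `manage_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t)` rules use the same attribute, so the wider scope may be deliberate. If it is, a comment such as `# map goes with manage access on svirt_tmpfs_t files, BZ(1515304)` would make that explicit. If only svirt_t needs it, the source should be narrowed to `svirt_t`. The surrounding rule block continues outside this hunk.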
@@ -119639,7 +119703,7 @@ index f03dcf567..3fde9b1cd 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,15 +1293,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,15 +1294,11 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -119658,7 +119722,7 @@ index f03dcf567..3fde9b1cd 100644 term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) -@@ -982,186 +1307,307 @@ auth_use_nsswitch(virtd_lxc_t) +@@ -982,186 +1308,307 @@ auth_use_nsswitch(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t) @@ -120095,7 +120159,7 @@ index f03dcf567..3fde9b1cd 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1620,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1621,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -120110,7 +120174,7 @@ index f03dcf567..3fde9b1cd 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1638,7 @@ optional_policy(` +@@ -1192,7 +1639,7 @@ optional_policy(` ######################################## # @@ -120119,7 +120183,7 @@ index f03dcf567..3fde9b1cd 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1647,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1648,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 413882a..b26ba55 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 303%{?dist} +Release: 304%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -717,6 +717,35 @@ exit 0 %endif %changelog +* Tue Nov 21 2017 Lukas Vrabec - 3.13.1-304 +- Add interface raid_relabel_mdadm_var_run_content() +- Fix iscsi SELinux module +- Allow spamc_t domain to read home mail content BZ(1414366) +- Allow sendmail_t to list postfix config dirs BZ(1514868) +- Allow dovecot_t domain to mmap mail content in homedirs BZ(1513153) +- Allow iscsid_t domain to requesting loading kernel modules BZ(1448877) +- Allow svirt_t domain to mmap svirt_tmpfs_t files BZ(1515304) +- Allow cupsd_t domain to localization BZ(1514350) +- Allow antivirus_t nnp domain transition because of systemd security features. BZ(1514451) +- Allow tlp_t domain transition to systemd_rfkill_t domain BZ(1416301) +- Allow abrt_t domain to mmap fusefs_t files BZ(1515169) +- Allow memcached_t domain nnp_transition becuase of systemd security features BZ(1514867) +- Allow httpd_t domain to mmap all httpd content type BZ(1514866) +- Allow mandb_t to read /etc/passwd BZ(1514903) +- Allow mandb_t domain to mmap files with label mandb_cache_t BZ(1514093) +- Allow abrt_t domain to mmap files with label syslogd_var_run_t BZ(1514975) +- Allow nnp transition for systemd-networkd daemon to run in proper SELinux domain BZ(1507263) +- Allow systemd to read/write to mount_var_run_t files BZ(1515373) +- Allow systemd to relabel mdadm_var_run_t sock files BZ(1515373) +- Allow home managers to mmap nfs_t files BZ(1514372) +- Add interface fs_mmap_nfs_files() +- Allow systemd-mount to create new directory for mountpoint BZ(1514880) +- Allow getty to use usbttys +- Add interface systemd_rfkill_domtrans() +- Allow syslogd_t to mmap files with label syslogd_var_lib_t BZ(1513403) +- Add interface fs_mmap_fusefs_files() +- Allow ipsec_t domain to mmap files with label ipsec_key_file_t BZ(1514251) + * Thu Nov 16 2017 Lukas Vrabec - 3.13.1-303 - Allow pcp_pmlogger to send logs to journal BZ(1512367) - Merge pull request #40 from lslebodn/kcm_kerberos