diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index a50e3ca..39e1baa 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -25701,10 +25701,10 @@ index 6bf0ecc..b036584 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..635442b 100644 +index 8b40377..5a2c173 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te -@@ -26,28 +26,59 @@ gen_require(` +@@ -26,28 +26,66 @@ gen_require(` # ## @@ -25754,6 +25754,13 @@ index 8b40377..635442b 100644 + +## +##

++## Allows xdm_t to bind on vnc_port_t(5910) ++##

++##
++gen_tunable(xdm_bind_vnc_tcp_port, false) ++ ++## ++##

+## Support X userspace object manager +##

##
@@ -25773,7 +25780,7 @@ index 8b40377..635442b 100644 # X Events attribute xevent_type; -@@ -107,44 +138,54 @@ xserver_object_types_template(remote) +@@ -107,44 +145,54 @@ xserver_object_types_template(remote) xserver_common_x_domain_template(remote, remote_t) type user_fonts_t; @@ -25829,7 +25836,7 @@ index 8b40377..635442b 100644 typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t }; userdom_user_tmp_file(xauth_tmp_t) -@@ -155,19 +196,28 @@ dev_associate(xconsole_device_t) +@@ -155,19 +203,28 @@ dev_associate(xconsole_device_t) fs_associate_tmpfs(xconsole_device_t) files_associate_tmp(xconsole_device_t) @@ -25861,7 +25868,7 @@ index 8b40377..635442b 100644 type xdm_var_lib_t; files_type(xdm_var_lib_t) -@@ -175,13 +225,21 @@ files_type(xdm_var_lib_t) +@@ -175,13 +232,21 @@ files_type(xdm_var_lib_t) type xdm_var_run_t; files_pid_file(xdm_var_run_t) @@ -25886,7 +25893,7 @@ index 8b40377..635442b 100644 # type for /var/lib/xkb type xkb_var_lib_t; files_type(xkb_var_lib_t) -@@ -194,15 +252,13 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t }; +@@ -194,15 +259,13 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t }; init_system_domain(xserver_t, xserver_exec_t) ubac_constrained(xserver_t) @@ -25907,7 +25914,7 @@ index 8b40377..635442b 100644 type xsession_exec_t; corecmd_executable_file(xsession_exec_t) -@@ -226,21 +282,35 @@ optional_policy(` +@@ -226,21 +289,35 @@ optional_policy(` # allow iceauth_t iceauth_home_t:file manage_file_perms; @@ -25950,7 +25957,7 @@ index 8b40377..635442b 100644 ') ######################################## -@@ -248,48 +318,91 @@ tunable_policy(`use_samba_home_dirs',` +@@ -248,48 +325,91 @@ tunable_policy(`use_samba_home_dirs',` # Xauth local policy # 
@@ -26042,18 +26049,18 @@ index 8b40377..635442b 100644 +ifdef(`hide_broken_symptoms',` + term_dontaudit_use_unallocated_ttys(xauth_t) + dev_dontaudit_rw_dri(xauth_t) -+') -+ -+optional_policy(` -+ nx_var_lib_filetrans(xauth_t, xauth_home_t, file) ') optional_policy(` ++ nx_var_lib_filetrans(xauth_t, xauth_home_t, file) ++') ++ ++optional_policy(` + ssh_use_ptys(xauth_t) ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) ssh_dontaudit_rw_tcp_sockets(xauth_t) -@@ -300,64 +413,103 @@ optional_policy(` +@@ -300,64 +420,103 @@ optional_policy(` # XDM Local policy # @@ -26081,14 +26088,14 @@ index 8b40377..635442b 100644 allow xdm_t self:appletalk_socket create_socket_perms; allow xdm_t self:key { search link write }; +allow xdm_t self:dbus { send_msg acquire_svc }; -+ + +-allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; +allow xdm_t xauth_home_t:file manage_file_perms; + +allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms }; +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) - --allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; ++ +manage_dirs_pattern(xdm_t, xdm_home_t, xdm_home_t) +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t) +xserver_filetrans_home_content(xdm_t) @@ -26170,7 +26177,7 @@ index 8b40377..635442b 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -366,20 +518,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -366,20 +525,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) 
@@ -26203,7 +26210,7 @@ index 8b40377..635442b 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -389,38 +551,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -389,38 +558,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -26257,7 +26264,7 @@ index 8b40377..635442b 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +604,28 @@ files_list_mnt(xdm_t) +@@ -431,9 +611,28 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -26286,7 +26293,7 @@ index 8b40377..635442b 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,28 +634,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -442,28 +641,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -26335,7 +26342,7 @@ index 8b40377..635442b 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +681,155 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +688,155 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) 
@@ -26497,10 +26504,15 @@ index 8b40377..635442b 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -503,11 +843,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +849,31 @@ tunable_policy(`xdm_sysadm_login',` + # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') - optional_policy(` ++tunable_policy(`xdm_bind_vnc_tcp_port',` ++ corenet_tcp_bind_vnc_port(xdm_t) ++') ++ ++optional_policy(` + accountsd_read_lib_files(xdm_t) + accountsd_dbus_chat(xdm_t) +') @@ -26513,7 +26525,7 @@ index 8b40377..635442b 100644 + boinc_dontaudit_getattr_lib(xdm_t) +') + -+optional_policy(` + optional_policy(` alsa_domtrans(xdm_t) + alsa_read_rw_config(xdm_t) ') @@ -26524,7 +26536,7 @@ index 8b40377..635442b 100644 ') optional_policy(` -@@ -517,9 +872,34 @@ optional_policy(` +@@ -517,9 +883,34 @@ optional_policy(` optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -26560,7 +26572,7 @@ index 8b40377..635442b 100644 ') ') -@@ -530,6 +910,20 @@ optional_policy(` +@@ -530,6 +921,20 @@ optional_policy(` ') optional_policy(` @@ -26581,7 +26593,7 @@ index 8b40377..635442b 100644 hostname_exec(xdm_t) ') -@@ -547,28 +941,78 @@ optional_policy(` +@@ -547,28 +952,78 @@ optional_policy(` ') optional_policy(` @@ -26669,7 +26681,7 @@ index 8b40377..635442b 100644 ') optional_policy(` -@@ -580,6 +1024,14 @@ optional_policy(` +@@ -580,6 +1035,14 @@ optional_policy(` ') optional_policy(` @@ -26684,7 +26696,7 @@ index 8b40377..635442b 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1046,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1057,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; 
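Review bot: The new `tunable_policy(`xdm_bind_vnc_tcp_port',` block grants `corenet_tcp_bind_vnc_port(xdm_t)`, i.e. bind on every TCP port labeled vnc_port_t, while the description added in the earlier hunk that declares the tunable says `Allows xdm_t to bind on vnc_port_t(5910)` and names a single port. Since xdm_t already has `corenet_tcp_bind_generic_node(xdm_t)` in this file, flipping the boolean lets the display manager accept VNC clients from the network, so the doc should state the real scope and the exposure: `## Allow xdm_t to bind TCP ports labeled vnc_port_t so the display manager can accept remote VNC connections. Off by default; enabling it exposes the greeter to the network.` The port range covered by vnc_port_t is defined in corenetwork and not visible here, so verify it before quoting any port number in the description.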
@@ -26693,7 +26705,7 @@ index 8b40377..635442b 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1056,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1067,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -26706,7 +26718,7 @@ index 8b40377..635442b 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1073,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1084,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -26722,7 +26734,7 @@ index 8b40377..635442b 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1089,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1100,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) 
@@ -26733,7 +26745,7 @@ index 8b40377..635442b 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1104,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1115,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -26770,7 +26782,7 @@ index 8b40377..635442b 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1150,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1161,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -26802,7 +26814,7 @@ index 8b40377..635442b 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1183,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1194,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -26817,7 +26829,7 @@ index 8b40377..635442b 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1204,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1215,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -26841,7 +26853,7 @@ index 8b40377..635442b 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1223,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1234,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) 
@@ -26850,7 +26862,7 @@ index 8b40377..635442b 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1267,50 @@ optional_policy(` +@@ -785,17 +1278,50 @@ optional_policy(` ') optional_policy(` @@ -26903,7 +26915,7 @@ index 8b40377..635442b 100644 ') optional_policy(` -@@ -803,6 +1318,10 @@ optional_policy(` +@@ -803,6 +1329,10 @@ optional_policy(` ') optional_policy(` @@ -26914,7 +26926,7 @@ index 8b40377..635442b 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1337,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1348,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -26939,7 +26951,7 @@ index 8b40377..635442b 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1360,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1371,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -26974,7 +26986,7 @@ index 8b40377..635442b 100644 ') optional_policy(` -@@ -912,7 +1425,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1436,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -26983,7 +26995,7 @@ index 8b40377..635442b 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1479,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1490,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -27015,7 +27027,7 @@ index 8b40377..635442b 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1525,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1536,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -30997,7 +31009,7 @@ index 79a45f6..b88e8a2 100644 + init_pid_filetrans($1, systemd_unit_file_t, dir, "system") +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..32af6e4 100644 +index 17eda24..1381948 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -31875,7 +31887,7 @@ index 17eda24..32af6e4 100644 + sysnet_relabelfrom_dhcpc_state(initrc_t) + sysnet_relabelfrom_net_conf(initrc_t) + sysnet_relabelto_net_conf(initrc_t) -+ sysnet_filetrans_named_content(initrc_t) ++ #sysnet_filetrans_named_content(initrc_t) + ') + + optional_policy(` @@ -39130,10 +39142,10 @@ index 1447687..d5e6fb9 100644 seutil_read_config(setrans_t) diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc -index 40edc18..bdc6d52 100644 +index 40edc18..963b974 100644 --- a/policy/modules/system/sysnetwork.fc 
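Review bot: In the init.te hunk, `sysnet_filetrans_named_content(initrc_t)` becomes the comment `#sysnet_filetrans_named_content(initrc_t)` instead of being deleted; commented-out policy rules linger and read as intent, so either remove the line or add a one-line reason. The other removals of this call in the same commit (udev_t, systemd_networkd_t, fail2ban_t) are covered because those domains call sysnet_manage_config, which now includes the transitions, but the visible initrc_t block only shows the sysnet relabel rules and no sysnet_manage_config call, so initrc_t may lose the resolv.conf/hosts transitions and start creating etc_t-labeled files — confirm it gets them from elsewhere before dropping the rule. The enclosing optional_policy block starts outside this hunk.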
+++ b/policy/modules/system/sysnetwork.fc -@@ -17,23 +17,28 @@ ifdef(`distro_debian',` +@@ -17,23 +17,27 @@ ifdef(`distro_debian',` /etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) @@ -39146,10 +39158,10 @@ index 40edc18..bdc6d52 100644 +/etc/hosts[^/]* -- gen_context(system_u:object_r:net_conf_t,s0) /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0) /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0) - /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) +-/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) ++/etc/resolv\.conf.* gen_context(system_u:object_r:net_conf_t,s0) /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/ntp\.conf -- gen_context(system_u:object_r:net_conf_t,s0) -+/etc/\.resolv\.conf\.NetworkManager gen_context(system_u:object_r:net_conf_t,s0) -/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) +/etc/dhcp3?(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) @@ -39162,11 +39174,11 @@ index 40edc18..bdc6d52 100644 +/var/run/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) +/var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) ') -+/var/run/NetworkManager/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) ++/var/run/NetworkManager/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) # # /sbin -@@ -44,6 +49,7 @@ ifdef(`distro_redhat',` +@@ -44,6 +48,7 @@ ifdef(`distro_redhat',` /sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) 
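Review bot: The changelog in this commit says `/var/run/NetworkManager/resolv.conf.tmp` is labeled net_conf_t, but the file-context line added here, `/var/run/NetworkManager/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)`, is an anchored regex that matches only the final name; the `.tmp` file is covered solely by the named file transition in sysnet_filetrans_named_content, so a `restorecon` or relabel would reset it to the directory's default type. If the temp file is meant to carry net_conf_t on disk as well, widen the pattern: `/var/run/NetworkManager/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)`. The `/etc/resolv\.conf.*` entry also drops its `--` filter so the symlink gets labeled; that makes the pattern match every object type, which is presumably intended, but a short comment in the .fc saying the symlink is the reason would stop a later cleanup from restoring `--`.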
@@ -39174,7 +39186,7 @@ index 40edc18..bdc6d52 100644 /sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -@@ -55,6 +61,21 @@ ifdef(`distro_redhat',` +@@ -55,6 +60,21 @@ ifdef(`distro_redhat',` # # /usr # @@ -39196,7 +39208,7 @@ index 40edc18..bdc6d52 100644 /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) # -@@ -77,3 +98,6 @@ ifdef(`distro_debian',` +@@ -77,3 +97,6 @@ ifdef(`distro_debian',` /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) ') @@ -39204,7 +39216,7 @@ index 40edc18..bdc6d52 100644 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) + diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 2cea692..b52919c 100644 +index 2cea692..fcd75c1 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -39355,10 +39367,14 @@ index 2cea692..b52919c 100644 read_files_pattern($1, net_conf_t, net_conf_t) ') ') -@@ -440,6 +538,40 @@ interface(`sysnet_etc_filetrans_config',` - files_etc_filetrans($1, net_conf_t, file, $2) - ') +@@ -438,6 +536,42 @@ interface(`sysnet_etc_filetrans_config',` + ') + files_etc_filetrans($1, net_conf_t, file, $2) ++ files_etc_filetrans($1, net_conf_t, lnk_file, $2) ++ ++') ++ +######################################## +## +## Transition content to the type used for 
@@ -39391,12 +39407,19 @@ index 2cea692..b52919c 100644 + ') + + filetrans_pattern($1, $2, net_conf_t, $3, $4) -+') -+ + ') + ####################################### - ## - ## Create, read, write, and delete network config files. -@@ -463,12 +595,45 @@ interface(`sysnet_manage_config',` +@@ -453,7 +587,7 @@ interface(`sysnet_etc_filetrans_config',` + interface(`sysnet_manage_config',` + gen_require(` + type net_conf_t; +- ') ++ ') + + allow $1 net_conf_t:file manage_file_perms; + +@@ -463,7 +597,42 @@ interface(`sysnet_manage_config',` ') ifdef(`distro_redhat',` @@ -39404,11 +39427,13 @@ index 2cea692..b52919c 100644 + init_search_pid_dirs($1) + allow $1 net_conf_t:dir list_dir_perms; manage_files_pattern($1, net_conf_t, net_conf_t) - ') - ') - - ####################################### - ## ++ manage_lnk_files_pattern($1, net_conf_t, net_conf_t) ++ ') ++ sysnet_filetrans_named_content($1) ++') ++ ++####################################### ++## +## Create, read, write, and delete network config dirs. +## +## @@ -39434,15 +39459,10 @@ index 2cea692..b52919c 100644 + init_search_pid_dirs($1) + allow $1 net_conf_t:dir list_dir_perms; + manage_dirs_pattern($1, net_conf_t, net_conf_t) -+ ') -+') -+ -+####################################### -+## - ## Read the dhcp client pid file. - ## - ## -@@ -501,6 +666,7 @@ interface(`sysnet_delete_dhcpc_pid',` + ') + ') + +@@ -501,6 +670,7 @@ interface(`sysnet_delete_dhcpc_pid',` type dhcpc_var_run_t; ') @@ -39450,7 +39470,7 @@ index 2cea692..b52919c 100644 allow $1 dhcpc_var_run_t:file unlink; ') -@@ -610,6 +776,25 @@ interface(`sysnet_signull_ifconfig',` +@@ -610,6 +780,25 @@ interface(`sysnet_signull_ifconfig',` ######################################## ## 
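Review bot: Every caller of sysnet_manage_config now also receives the named file transitions, because the interface ends with an unconditional `sysnet_filetrans_named_content($1)`; this commit removes the explicit calls from udev_t, systemd_networkd_t and fail2ban_t on that basis, but the grant now reaches any domain that only needed to edit existing net_conf_t files, and filetrans_pattern conventionally carries write access on the parent etc_t / pid directories, so the set of domains able to create entries there grows — confirm that is acceptable per caller rather than only for the daemons that write resolv.conf or hosts. The interface summary still reads `Create, read, write, and delete network config files.`; extend it with `## Also installs the named file transitions for net_conf_t content (see sysnet_filetrans_named_content).` so callers know what they inherit. The added `manage_lnk_files_pattern($1, net_conf_t, net_conf_t)` inside `ifdef(`distro_redhat'` additionally lets these domains replace the `/etc/resolv.conf` symlink target, which is new for callers such as fail2ban_t; if only networkd and NetworkManager need it, a separate narrow interface would keep that grant contained.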
@@ -39476,7 +39496,7 @@ index 2cea692..b52919c 100644 ## Read the DHCP configuration files. ## ## -@@ -626,6 +811,7 @@ interface(`sysnet_read_dhcp_config',` +@@ -626,6 +815,7 @@ interface(`sysnet_read_dhcp_config',` files_search_etc($1) allow $1 dhcp_etc_t:dir list_dir_perms; read_files_pattern($1, dhcp_etc_t, dhcp_etc_t) @@ -39484,7 +39504,7 @@ index 2cea692..b52919c 100644 ') ######################################## -@@ -647,6 +833,26 @@ interface(`sysnet_search_dhcp_state',` +@@ -647,6 +837,26 @@ interface(`sysnet_search_dhcp_state',` allow $1 dhcp_state_t:dir search_dir_perms; ') @@ -39511,7 +39531,7 @@ index 2cea692..b52919c 100644 ######################################## ## ## Create DHCP state data. -@@ -711,8 +917,6 @@ interface(`sysnet_dns_name_resolve',` +@@ -711,8 +921,6 @@ interface(`sysnet_dns_name_resolve',` allow $1 self:udp_socket create_socket_perms; allow $1 self:netlink_route_socket r_netlink_socket_perms; @@ -39520,7 +39540,7 @@ index 2cea692..b52919c 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -720,8 +924,11 @@ interface(`sysnet_dns_name_resolve',` +@@ -720,8 +928,11 @@ interface(`sysnet_dns_name_resolve',` corenet_tcp_sendrecv_dns_port($1) corenet_udp_sendrecv_dns_port($1) corenet_tcp_connect_dns_port($1) @@ -39532,7 +39552,7 @@ index 2cea692..b52919c 100644 sysnet_read_config($1) optional_policy(` -@@ -750,8 +957,6 @@ interface(`sysnet_use_ldap',` +@@ -750,8 +961,6 @@ interface(`sysnet_use_ldap',` allow $1 self:tcp_socket create_socket_perms; @@ -39541,7 +39561,7 @@ index 2cea692..b52919c 100644 corenet_tcp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_tcp_sendrecv_ldap_port($1) -@@ -760,9 +965,14 @@ interface(`sysnet_use_ldap',` +@@ -760,9 +969,14 @@ interface(`sysnet_use_ldap',` # Support for LDAPS dev_read_rand($1) 
@@ -39556,7 +39576,7 @@ index 2cea692..b52919c 100644 ') ######################################## -@@ -784,7 +994,6 @@ interface(`sysnet_use_portmap',` +@@ -784,7 +998,6 @@ interface(`sysnet_use_portmap',` allow $1 self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled($1) @@ -39564,7 +39584,7 @@ index 2cea692..b52919c 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -796,3 +1005,120 @@ interface(`sysnet_use_portmap',` +@@ -796,3 +1009,122 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -39634,6 +39654,7 @@ index 2cea692..b52919c 100644 + files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp") + files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-tmp") + files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-saved") ++ files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf") + files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf.NetworkManager") + files_etc_filetrans($1, net_conf_t, file, "denyhosts") + files_etc_filetrans($1, net_conf_t, file, "hosts") @@ -39644,8 +39665,9 @@ index 2cea692..b52919c 100644 + init_pid_filetrans($1, net_conf_t, dir, "network") + + optional_policy(` -+ networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf") -+ ') ++ networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf") ++ networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp") ++ ') +') + +######################################## @@ -41601,10 +41623,10 @@ index 0000000..d2a8fc7 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..db531dc +index 0000000..3ebbad0 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,707 @@ +@@ -0,0 +1,706 @@ +policy_module(systemd, 1.0.0) + +####################################### 
@@ -41863,7 +41885,6 @@ index 0000000..db531dc + +auth_read_passwd(systemd_networkd_t) + -+sysnet_filetrans_named_content(systemd_networkd_t) +sysnet_manage_config(systemd_networkd_t) +sysnet_manage_config_dirs(systemd_networkd_t) + @@ -42610,7 +42631,7 @@ index 9a1650d..d7e8a01 100644 ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index 39f185f..880b174 100644 +index 39f185f..a253f3f 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -42769,12 +42790,11 @@ index 39f185f..880b174 100644 seutil_read_config(udev_t) seutil_read_default_contexts(udev_t) -@@ -169,7 +191,11 @@ sysnet_read_dhcpc_pid(udev_t) +@@ -169,7 +191,10 @@ sysnet_read_dhcpc_pid(udev_t) sysnet_delete_dhcpc_pid(udev_t) sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) -sysnet_etc_filetrans_config(udev_t) -+sysnet_filetrans_named_content(udev_t) +#sysnet_etc_filetrans_config(udev_t) + +systemd_login_read_pid_files(udev_t) @@ -42782,7 +42802,7 @@ index 39f185f..880b174 100644 userdom_dontaudit_search_user_home_content(udev_t) -@@ -195,16 +221,9 @@ ifdef(`distro_gentoo',` +@@ -195,16 +220,9 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -42801,7 +42821,7 @@ index 39f185f..880b174 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) -@@ -242,6 +261,7 @@ optional_policy(` +@@ -242,6 +260,7 @@ optional_policy(` optional_policy(` cups_domtrans_config(udev_t) @@ -42809,7 +42829,7 @@ index 39f185f..880b174 100644 ') optional_policy(` -@@ -249,17 +269,31 @@ optional_policy(` +@@ -249,17 +268,31 @@ optional_policy(` dbus_use_system_bus_fds(udev_t) optional_policy(` @@ -42843,7 +42863,7 @@ index 39f185f..880b174 100644 ') optional_policy(` -@@ -289,6 +323,10 @@ optional_policy(` +@@ -289,6 +322,10 @@ optional_policy(` ') optional_policy(` 
@@ -42854,7 +42874,7 @@ index 39f185f..880b174 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -303,6 +341,15 @@ optional_policy(` +@@ -303,6 +340,15 @@ optional_policy(` ') optional_policy(` @@ -42870,7 +42890,7 @@ index 39f185f..880b174 100644 unconfined_signal(udev_t) ') -@@ -315,6 +362,7 @@ optional_policy(` +@@ -315,6 +361,7 @@ optional_policy(` kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 4febba8..94d6196 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -27741,7 +27741,7 @@ index 50d0084..94e1936 100644 fail2ban_run_client($1, $2) diff --git a/fail2ban.te b/fail2ban.te -index cf0e567..9ebb247 100644 +index cf0e567..6c3ce35 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t; @@ -27769,7 +27769,7 @@ index cf0e567..9ebb247 100644 files_list_var(fail2ban_t) files_dontaudit_list_tmp(fail2ban_t) -@@ -92,24 +90,38 @@ fs_getattr_all_fs(fail2ban_t) +@@ -92,24 +90,37 @@ fs_getattr_all_fs(fail2ban_t) auth_use_nsswitch(fail2ban_t) logging_read_all_logs(fail2ban_t) @@ -27785,7 +27785,6 @@ index cf0e567..9ebb247 100644 -sysnet_etc_filetrans_config(fail2ban_t) - -mta_send_mail(fail2ban_t) -+sysnet_filetrans_named_content(fail2ban_t) optional_policy(` apache_read_log(fail2ban_t) @@ -27812,7 +27811,7 @@ index cf0e567..9ebb247 100644 iptables_domtrans(fail2ban_t) ') -@@ -118,6 +130,10 @@ optional_policy(` +@@ -118,6 +129,10 @@ optional_policy(` ') optional_policy(` @@ -27823,7 +27822,7 @@ index cf0e567..9ebb247 100644 shorewall_domtrans(fail2ban_t) ') -@@ -131,22 +147,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; +@@ -131,22 +146,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) 
@@ -101816,10 +101815,10 @@ index 0000000..9524b50 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..02ed710 +index 0000000..e80cde4 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,161 @@ +@@ -0,0 +1,162 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -101891,6 +101890,7 @@ index 0000000..02ed710 +corecmd_exec_shell(thumb_t) + +corenet_tcp_connect_xserver_port(thumb_t) ++corenet_dontaudit_tcp_connect_all_ports(thumb_t) + +dev_read_sysfs(thumb_t) +dev_read_urand(thumb_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index df4dbf4..0643b43 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 107%{?dist} +Release: 108%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -605,6 +605,12 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Feb 04 2015 Lukas Vrabec 3.13.1-108 +- Fix labels, improve sysnet_manage_config interface. +- Label /var/run/NetworkManager/resolv.conf.tmp as net_conf_t. +- Dontaudit network connections related to thumb_t. BZ(1187981) +- Remove sysnet_filetrans_named_content from fail2ban + * Thu Feb 02 2015 Lukas Vrabec 3.13.1-107 - Fix labels on new location of resolv.conf - syslog is not writing to the audit socket
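Review bot: `corenet_dontaudit_tcp_connect_all_ports(thumb_t)` silences AVC records for every outbound TCP connect attempt by the thumbnailer, not only the one behind BZ(1187981); thumb_t parses untrusted files, so an unexpected network connection from it is precisely the denial an analyst would want logged, and a blanket dontaudit removes that signal while the connection stays blocked anyway. Prefer a dontaudit scoped to the specific port type from the report, or if the broad rule is kept, record why next to it: `# BZ(1187981): some thumbnailers probe the network; the denial is intended, only the audit noise is suppressed`. thumb.te is a new file in the contrib patch, so the policy body continues outside this hunk.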