diff --git a/container-selinux.tgz b/container-selinux.tgz index bea3569..92b855c 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-f25-base.patch b/policy-f25-base.patch index 3ca1b3f..d6fb92d 100644 --- a/policy-f25-base.patch +++ b/policy-f25-base.patch @@ -3081,7 +3081,7 @@ index 99e3903..fa68362 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1..c2962a5 100644 +index 1d732f1..09a9fb3 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; @@ -3234,7 +3234,18 @@ index 1d732f1..c2962a5 100644 auth_relabel_shadow(groupadd_t) auth_etc_filetrans_shadow(groupadd_t) -@@ -273,7 +297,7 @@ optional_policy(` +@@ -251,6 +275,10 @@ userdom_use_unpriv_users_fds(groupadd_t) + userdom_dontaudit_search_user_home_dirs(groupadd_t) + + optional_policy(` ++ dbus_system_bus_client(groupadd_t) ++') ++ ++optional_policy(` + dpkg_use_fds(groupadd_t) + dpkg_rw_pipes(groupadd_t) + ') +@@ -273,7 +301,7 @@ optional_policy(` # Passwd local policy # @@ -3243,7 +3254,7 @@ index 1d732f1..c2962a5 100644 dontaudit passwd_t self:capability sys_tty_config; allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow passwd_t self:process { setrlimit setfscreate }; -@@ -288,6 +312,7 @@ allow passwd_t self:shm create_shm_perms; +@@ -288,6 +316,7 @@ allow passwd_t self:shm create_shm_perms; allow passwd_t self:sem create_sem_perms; allow passwd_t self:msgq create_msgq_perms; allow passwd_t self:msg { send receive }; @@ -3251,7 +3262,7 @@ index 1d732f1..c2962a5 100644 allow passwd_t crack_db_t:dir list_dir_perms; read_files_pattern(passwd_t, crack_db_t, crack_db_t) -@@ -296,6 +321,7 @@ kernel_read_kernel_sysctls(passwd_t) +@@ -296,6 +325,7 @@ kernel_read_kernel_sysctls(passwd_t) # for SSP dev_read_urand(passwd_t) 
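Review bot: The new `optional_policy` block granting `dbus_system_bus_client(groupadd_t)` carries no comment recording which system-bus peer groupadd now has to reach, and the same applies to the `dbus_system_bus_client(useradd_t)` block added in the useradd_t hunk further down. Both are account-management domains that already hold shadow-file access (`auth_relabel_shadow`, `auth_etc_filetrans_shadow` are context just above), so a bare bus-client grant is an IPC surface the next maintainer cannot audit without the denial it came from. A one-line rationale above the call, e.g. `# groupadd talks to <peer — fill in from the AVC> over the system bus`, would let any later `*_dbus_chat` be scoped to that peer rather than guessed. The usermanage.te policy these hunks patch continues outside this view.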
@@ -3259,7 +3270,7 @@ index 1d732f1..c2962a5 100644 fs_getattr_xattr_fs(passwd_t) fs_search_auto_mountpoints(passwd_t) -@@ -310,26 +336,32 @@ selinux_compute_create_context(passwd_t) +@@ -310,26 +340,32 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) @@ -3296,7 +3307,7 @@ index 1d732f1..c2962a5 100644 # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(passwd_t) -@@ -338,12 +370,11 @@ init_use_fds(passwd_t) +@@ -338,12 +374,11 @@ init_use_fds(passwd_t) logging_send_audit_msgs(passwd_t) logging_send_syslog_msg(passwd_t) @@ -3310,7 +3321,7 @@ index 1d732f1..c2962a5 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -352,6 +383,20 @@ userdom_read_user_tmp_files(passwd_t) +@@ -352,6 +387,20 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -3331,7 +3342,7 @@ index 1d732f1..c2962a5 100644 optional_policy(` nscd_run(passwd_t, passwd_roles) -@@ -401,9 +446,10 @@ dev_read_urand(sysadm_passwd_t) +@@ -401,9 +450,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -3344,7 +3355,7 @@ index 1d732f1..c2962a5 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) -@@ -416,7 +462,6 @@ files_read_usr_files(sysadm_passwd_t) +@@ -416,7 +466,6 @@ files_read_usr_files(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t) 
@@ -3352,7 +3363,7 @@ index 1d732f1..c2962a5 100644 files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups -@@ -426,12 +471,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) +@@ -426,12 +475,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(sysadm_passwd_t) @@ -3365,7 +3376,7 @@ index 1d732f1..c2962a5 100644 userdom_use_unpriv_users_fds(sysadm_passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir -@@ -446,7 +488,8 @@ optional_policy(` +@@ -446,7 +492,8 @@ optional_policy(` # Useradd local policy # @@ -3375,7 +3386,7 @@ index 1d732f1..c2962a5 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -461,6 +504,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; +@@ -461,6 +508,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; @@ -3386,7 +3397,7 @@ index 1d732f1..c2962a5 100644 # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -468,29 +515,28 @@ corecmd_exec_shell(useradd_t) +@@ -468,29 +519,28 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -3426,7 +3437,7 @@ index 1d732f1..c2962a5 100644 auth_run_chk_passwd(useradd_t, useradd_roles) auth_rw_lastlog(useradd_t) -@@ -498,6 +544,7 @@ auth_rw_faillog(useradd_t) +@@ -498,6 +548,7 @@ auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) # these may be unnecessary due to the above # domtrans_chk_passwd() call. 
@@ -3434,7 +3445,7 @@ index 1d732f1..c2962a5 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -508,33 +555,32 @@ init_rw_utmp(useradd_t) +@@ -508,35 +559,38 @@ init_rw_utmp(useradd_t) logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) @@ -3474,12 +3485,17 @@ index 1d732f1..c2962a5 100644 - optional_policy(` - unconfined_domain(useradd_t) - ') --') -- ++optional_policy(` ++ apache_manage_all_user_content(useradd_t) + ') + optional_policy(` - apache_manage_all_user_content(useradd_t) +- apache_manage_all_user_content(useradd_t) ++ dbus_system_bus_client(useradd_t) ') -@@ -545,14 +591,27 @@ optional_policy(` + + optional_policy(` +@@ -545,14 +599,27 @@ optional_policy(` ') optional_policy(` @@ -3507,7 +3523,7 @@ index 1d732f1..c2962a5 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -562,3 +621,12 @@ optional_policy(` +@@ -562,3 +629,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -18946,7 +18962,7 @@ index 7be4ddf..9710b33 100644 +/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0) +/sys/kernel/debug/.* <> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index e100d88..7a08793 100644 +index e100d88..f005fc5 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -126,6 +126,24 @@ interface(`kernel_setsched',` 
@@ -19017,7 +19033,49 @@ index e100d88..7a08793 100644 ') ######################################## -@@ -762,8 +798,8 @@ interface(`kernel_manage_debugfs',` +@@ -441,6 +477,41 @@ interface(`kernel_dontaudit_link_key',` + + ######################################## + ## ++## Allow view the kernel key ring. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_view_key',` ++ gen_require(` ++ type kernel_t; ++ ') ++ ++ allow $1 kernel_t:key view; ++') ++ ++######################################## ++## ++## dontaudit view the kernel key ring. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`kernel_dontaudit_view_key',` ++ gen_require(` ++ type kernel_t; ++ ') ++ ++ dontaudit $1 kernel_t:key view; ++') ++######################################## ++## + ## Allows caller to read the ring buffer. + ## + ## +@@ -762,8 +833,8 @@ interface(`kernel_manage_debugfs',` ') manage_files_pattern($1, debugfs_t, debugfs_t) @@ -19027,7 +19085,7 @@ index e100d88..7a08793 100644 ') ######################################## -@@ -786,6 +822,24 @@ interface(`kernel_mount_kvmfs',` +@@ -786,6 +857,24 @@ interface(`kernel_mount_kvmfs',` ######################################## ## @@ -19052,7 +19110,7 @@ index e100d88..7a08793 100644 ## Unmount the proc filesystem. ## ## -@@ -804,6 +858,24 @@ interface(`kernel_unmount_proc',` +@@ -804,6 +893,24 @@ interface(`kernel_unmount_proc',` ######################################## ## @@ -19077,7 +19135,7 @@ index e100d88..7a08793 100644 ## Get the attributes of the proc filesystem. ## ## -@@ -841,6 +913,25 @@ interface(`kernel_dontaudit_setattr_proc_dirs',` +@@ -841,6 +948,25 @@ interface(`kernel_dontaudit_setattr_proc_dirs',` ######################################## ## 
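Review bot: The two interfaces added in the first hunk, `kernel_view_key` and `kernel_dontaudit_view_key`, are summarised as `## Allow view the kernel key ring.` and `## dontaudit view the kernel key ring.`, which do not read as sentences and break the style of the surrounding summaries; `## Allow the caller to view the kernel key ring.` and `## Do not audit attempts to view the kernel key ring.` match the file. The closing `')` of `kernel_dontaudit_view_key` is immediately followed by the `####` separator with no blank line, unlike every other interface in this hunk. The bodies themselves (`allow`/`dontaudit $1 kernel_t:key view`) do what the summaries claim.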
@@ -19103,7 +19161,7 @@ index e100d88..7a08793 100644 ## Search directories in /proc. ## ## -@@ -991,13 +1082,10 @@ interface(`kernel_read_proc_symlinks',` +@@ -991,13 +1117,10 @@ interface(`kernel_read_proc_symlinks',` # interface(`kernel_read_system_state',` gen_require(` @@ -19119,7 +19177,7 @@ index e100d88..7a08793 100644 ') ######################################## -@@ -1025,6 +1113,44 @@ interface(`kernel_write_proc_files',` +@@ -1025,6 +1148,44 @@ interface(`kernel_write_proc_files',` ######################################## ## @@ -19164,7 +19222,7 @@ index e100d88..7a08793 100644 ## Do not audit attempts by caller to ## read system state information in proc. ## -@@ -1208,6 +1334,24 @@ interface(`kernel_read_messages',` +@@ -1208,6 +1369,24 @@ interface(`kernel_read_messages',` ######################################## ## @@ -19189,7 +19247,7 @@ index e100d88..7a08793 100644 ## Allow caller to get the attributes of kernel message ## interface (/proc/kmsg). ## -@@ -1458,6 +1602,25 @@ interface(`kernel_list_all_proc',` +@@ -1458,6 +1637,25 @@ interface(`kernel_list_all_proc',` ######################################## ## @@ -19215,7 +19273,7 @@ index e100d88..7a08793 100644 ## Do not audit attempts to list all proc directories. ## ## -@@ -1477,6 +1640,28 @@ interface(`kernel_dontaudit_list_all_proc',` +@@ -1477,6 +1675,28 @@ interface(`kernel_dontaudit_list_all_proc',` ######################################## ## @@ -19244,7 +19302,7 @@ index e100d88..7a08793 100644 ## Do not audit attempts by caller to search ## the base directory of sysctls. ## -@@ -1672,7 +1857,7 @@ interface(`kernel_read_net_sysctls',` +@@ -1672,7 +1892,7 @@ interface(`kernel_read_net_sysctls',` ') read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) 
@@ -19253,7 +19311,7 @@ index e100d88..7a08793 100644 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') -@@ -1693,7 +1878,7 @@ interface(`kernel_rw_net_sysctls',` +@@ -1693,7 +1913,7 @@ interface(`kernel_rw_net_sysctls',` ') rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) @@ -19262,7 +19320,7 @@ index e100d88..7a08793 100644 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') -@@ -1715,7 +1900,6 @@ interface(`kernel_read_unix_sysctls',` +@@ -1715,7 +1935,6 @@ interface(`kernel_read_unix_sysctls',` ') read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) @@ -19270,7 +19328,7 @@ index e100d88..7a08793 100644 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') -@@ -1750,16 +1934,9 @@ interface(`kernel_rw_unix_sysctls',` +@@ -1750,16 +1969,9 @@ interface(`kernel_rw_unix_sysctls',` ## Domain allowed access. ## ## @@ -19288,7 +19346,7 @@ index e100d88..7a08793 100644 ') ######################################## -@@ -1771,16 +1948,9 @@ interface(`kernel_read_hotplug_sysctls',` +@@ -1771,16 +1983,9 @@ interface(`kernel_read_hotplug_sysctls',` ## Domain allowed access. ## ## @@ -19306,7 +19364,7 @@ index e100d88..7a08793 100644 ') ######################################## -@@ -1792,16 +1962,9 @@ interface(`kernel_rw_hotplug_sysctls',` +@@ -1792,16 +1997,9 @@ interface(`kernel_rw_hotplug_sysctls',` ## Domain allowed access. ## ## @@ -19324,7 +19382,7 @@ index e100d88..7a08793 100644 ') ######################################## -@@ -1813,16 +1976,9 @@ interface(`kernel_read_modprobe_sysctls',` +@@ -1813,16 +2011,9 @@ interface(`kernel_read_modprobe_sysctls',` ## Domain allowed access. ## ## 
@@ -19342,38 +19400,137 @@ index e100d88..7a08793 100644 ') ######################################## -@@ -2048,6 +2204,26 @@ interface(`kernel_read_rpc_sysctls',` +@@ -2048,9 +2239,10 @@ interface(`kernel_read_rpc_sysctls',` list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) ') + + ######################################## + ## +-## Read and write RPC sysctls. ++## Read RPC sysctls. + ## + ## + ## +@@ -2059,38 +2251,38 @@ interface(`kernel_read_rpc_sysctls',` + ## + ## + # +-interface(`kernel_rw_rpc_sysctls',` ++interface(`kernel_rw_rpc_sysctls_dirs',` + gen_require(` + type proc_t, proc_net_t, sysctl_rpc_t; + ') + +- rw_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t) +- +- list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) ++ rw_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) + ') + + ######################################## + ## +-## Do not audit attempts to list all sysctl directories. ++## Read and write RPC sysctls. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## ++## + # +-interface(`kernel_dontaudit_list_all_sysctls',` ++interface(`kernel_rw_rpc_sysctls',` + gen_require(` +- attribute sysctl_type; ++ type proc_t, proc_net_t, sysctl_rpc_t; + ') + +- dontaudit $1 sysctl_type:dir list_dir_perms; +- dontaudit $1 sysctl_type:file getattr; ++ rw_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t) ++ ++ list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) + ') + + ######################################## + ## +-## Allow caller to read all sysctls. ++## Read and write RPC sysctls. 
+ ## + ## + ## +@@ -2099,40 +2291,98 @@ interface(`kernel_dontaudit_list_all_sysctls',` + ## + ## + # +-interface(`kernel_read_all_sysctls',` ++interface(`kernel_create_rpc_sysctls',` + gen_require(` +- attribute sysctl_type; +- type proc_t, proc_net_t; ++ type proc_t, proc_net_t, sysctl_rpc_t; + ') + +- # proc_net_t for /proc/net/rpc sysctls +- read_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type) ++ create_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t) + +- list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_type) + ') + + ######################################## + ## +-## Read and write all sysctls. ++## Do not audit attempts to list all sysctl directories. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## +-## + # +-interface(`kernel_rw_all_sysctls',` ++interface(`kernel_dontaudit_list_all_sysctls',` + gen_require(` + attribute sysctl_type; +- type proc_t, proc_net_t; + ') + +- # proc_net_t for /proc/net/rpc sysctls +- rw_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type) ++ dontaudit $1 sysctl_type:dir list_dir_perms; ++ dontaudit $1 sysctl_type:file read_file_perms; ++') + +- allow $1 sysctl_type:dir list_dir_perms; +- # why is setattr needed? +######################################## +## -+## Read RPC sysctls. ++## Allow attempts to mounton all sysctl directories. +## +## +## +## Domain allowed access. +## +## -+## +# -+interface(`kernel_rw_rpc_sysctls_dirs',` ++interface(`kernel_mounton_all_sysctls',` + gen_require(` -+ type proc_t, proc_net_t, sysctl_rpc_t; ++ attribute sysctl_type; + ') + -+ rw_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) ++ allow $1 sysctl_type:dir mounton; +') + - ######################################## - ## - ## Read and write RPC sysctls. -@@ -2071,6 +2247,26 @@ interface(`kernel_rw_rpc_sysctls',` - - ######################################## - ## -+## Read and write RPC sysctls. 
++ ++######################################## ++## ++## Allow caller to read all sysctls. +## +## +## @@ -19382,51 +19539,44 @@ index e100d88..7a08793 100644 +## +## +# -+interface(`kernel_create_rpc_sysctls',` ++interface(`kernel_read_all_sysctls',` + gen_require(` -+ type proc_t, proc_net_t, sysctl_rpc_t; ++ attribute sysctl_type; ++ type proc_t, proc_net_t; + ') + -+ create_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t) -+ -+') ++ # proc_net_t for /proc/net/rpc sysctls ++ read_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type) + -+######################################## -+## - ## Do not audit attempts to list all sysctl directories. - ## - ## -@@ -2085,9 +2281,28 @@ interface(`kernel_dontaudit_list_all_sysctls',` - ') - - dontaudit $1 sysctl_type:dir list_dir_perms; -- dontaudit $1 sysctl_type:file getattr; -+ dontaudit $1 sysctl_type:file read_file_perms; ++ list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_type) +') + +######################################## +## -+## Allow attempts to mounton all sysctl directories. ++## Read and write all sysctls. +## +## +## +## Domain allowed access. +## +## ++## +# -+interface(`kernel_mounton_all_sysctls',` ++interface(`kernel_rw_all_sysctls',` + gen_require(` + attribute sysctl_type; ++ type proc_t, proc_net_t; + ') + -+ allow $1 sysctl_type:dir mounton; ++ # proc_net_t for /proc/net/rpc sysctls ++ rw_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type) ++ ++ allow $1 sysctl_type:dir list_dir_perms; ++ # why is setattr needed? + allow $1 sysctl_type:file setattr; ') -+ - ######################################## - ## - ## Allow caller to read all sysctls. -@@ -2282,6 +2497,25 @@ interface(`kernel_list_unlabeled',` +@@ -2282,6 +2532,25 @@ interface(`kernel_list_unlabeled',` ######################################## ## 
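Review bot: Two of the RPC sysctl interfaces this hunk rewrites (carried over from the earlier version rather than introduced here) keep summaries that do not match what they grant: `kernel_rw_rpc_sysctls_dirs` is documented `## Read RPC sysctls.` but its body is `rw_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)`, and `kernel_create_rpc_sysctls` is documented `## Read and write RPC sysctls.` but grants `create_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)`. The `## <summary>` text is what a policy author reads when picking an interface, so a write or create grant labelled as read invites over-granting; `## Read and write RPC sysctl directories.` and `## Create RPC sysctl files.` describe them accurately. `kernel_create_rpc_sysctls` also leaves a stray blank line between its `create_files_pattern` call and the closing `')`.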
@@ -19452,7 +19602,7 @@ index e100d88..7a08793 100644 ## Read the process state (/proc/pid) of all unlabeled_t. ## ## -@@ -2306,7 +2540,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2306,7 +2575,7 @@ interface(`kernel_read_unlabeled_state',` ## ## ## @@ -19461,17 +19611,14 @@ index e100d88..7a08793 100644 ## ## # -@@ -2488,12 +2722,30 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2488,6 +2757,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## --## Do not audit attempts by caller to get attributes for --## unlabeled character devices. +## Read and write unlabeled sockets. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. +## +## @@ -19486,16 +19633,10 @@ index e100d88..7a08793 100644 + +######################################## +## -+## Do not audit attempts by caller to get attributes for -+## unlabeled character devices. -+## -+## -+## -+## Domain to not audit. - ## - ## - # -@@ -2525,6 +2777,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` + ## Do not audit attempts by caller to get attributes for + ## unlabeled character devices. + ## +@@ -2525,6 +2812,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ######################################## ## @@ -19520,7 +19661,7 @@ index e100d88..7a08793 100644 ## Allow caller to relabel unlabeled files. ## ## -@@ -2667,6 +2937,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2667,6 +2972,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## @@ -19545,7 +19686,7 @@ index e100d88..7a08793 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2694,6 +2982,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2694,6 +3017,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## 
@@ -19571,7 +19712,7 @@ index e100d88..7a08793 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2803,6 +3110,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2803,6 +3145,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') @@ -19605,7 +19746,7 @@ index e100d88..7a08793 100644 ######################################## ## -@@ -2958,6 +3292,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2958,6 +3327,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -19630,7 +19771,7 @@ index e100d88..7a08793 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2972,5 +3324,649 @@ interface(`kernel_unconfined',` +@@ -2972,5 +3359,649 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -19750,7 +19891,7 @@ index e100d88..7a08793 100644 + allow $1 kernel_t:dir search_dir_perms; + allow $1 kernel_t:file read_file_perms; + allow $1 kernel_t:lnk_file read_lnk_file_perms; -+') + ') + +######################################## +## @@ -19770,7 +19911,7 @@ index e100d88..7a08793 100644 + dontaudit $1 kernel_t:dir search_dir_perms; + dontaudit $1 kernel_t:file read_file_perms; + dontaudit $1 kernel_t:lnk_file read_lnk_file_perms; - ') ++') + +######################################## +## @@ -22991,7 +23132,7 @@ index 234a940..a92415a 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 0fef1fc..bfeb102 100644 +index 0fef1fc..1ded252 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,73 @@ policy_module(staff, 2.4.0) @@ -23068,7 +23209,7 @@ index 0fef1fc..bfeb102 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +84,119 @@ optional_policy(` +@@ -23,11 +84,120 @@ optional_policy(` ') optional_policy(` 
@@ -23123,6 +23264,7 @@ index 0fef1fc..bfeb102 100644 + +optional_policy(` + fwupd_dbus_chat(staff_t) ++ fwupd_read_cache_files(staff_t) +') + +optional_policy(` @@ -23189,7 +23331,7 @@ index 0fef1fc..bfeb102 100644 ') optional_policy(` -@@ -35,15 +204,31 @@ optional_policy(` +@@ -35,15 +205,31 @@ optional_policy(` ') optional_policy(` @@ -23223,7 +23365,7 @@ index 0fef1fc..bfeb102 100644 ') optional_policy(` -@@ -52,11 +237,61 @@ optional_policy(` +@@ -52,11 +238,61 @@ optional_policy(` ') optional_policy(` @@ -23286,7 +23428,7 @@ index 0fef1fc..bfeb102 100644 ') ifndef(`distro_redhat',` -@@ -65,10 +300,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +301,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -23297,7 +23439,7 @@ index 0fef1fc..bfeb102 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +309,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +310,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) @@ -23308,7 +23450,7 @@ index 0fef1fc..bfeb102 100644 ') optional_policy(` -@@ -101,10 +328,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +329,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -23319,7 +23461,7 @@ index 0fef1fc..bfeb102 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +348,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +349,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -23330,7 +23472,7 @@ index 0fef1fc..bfeb102 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +360,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +361,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -23341,7 +23483,7 @@ index 0fef1fc..bfeb102 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +391,23 @@ ifndef(`distro_redhat',` +@@ -176,3 +392,23 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -29388,7 +29530,7 @@ index 6bf0ecc..e6be63a 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..84a88ff 100644 +index 8b40377..a55ca15 100644 
--- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -29747,7 +29889,7 @@ index 8b40377..84a88ff 100644 ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) ssh_dontaudit_rw_tcp_sockets(xauth_t) -@@ -300,64 +420,105 @@ optional_policy(` +@@ -300,64 +420,106 @@ optional_policy(` # XDM Local policy # @@ -29831,6 +29973,7 @@ index 8b40377..84a88ff 100644 manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) -files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file) ++exec_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) +manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) +manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) +files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir }) @@ -29866,7 +30009,7 @@ index 8b40377..84a88ff 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -366,20 +527,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -366,20 +528,31 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -29890,6 +30033,7 @@ index 8b40377..84a88ff 100644 kernel_read_network_state(xdm_t) +kernel_request_load_module(xdm_t) +kernel_stream_connect(xdm_t) ++kernel_dontaudit_view_key(xdm_t) corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) @@ -29899,7 +30043,7 @@ index 8b40377..84a88ff 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -389,38 +560,50 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -389,38 +562,51 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) 
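Review bot: The added `exec_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)` lets xdm_t execute files of a type it can already create and write (`manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)` is context in the same hunk), so anything written under the display manager's var/lib state by xdm_t becomes runnable in that domain, where the policy otherwise keeps writable state and executables on separate types. If one specific helper under /var/lib has to run, a dedicated exec type with its own filetrans would preserve that separation; failing that, a comment naming the file, e.g. `# exec on xdm_var_lib_t needed for <path — fill in from the AVC>`, keeps the grant auditable. The xdm_t local policy this hunk belongs to starts and ends outside the hunk.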
@@ -29945,6 +30089,7 @@ index 8b40377..84a88ff 100644 +dev_getattr_null_dev(xdm_t) +dev_setattr_null_dev(xdm_t) +dev_read_nvme(xdm_t) ++dev_getattr_loop_control(xdm_t) domain_use_interactive_fds(xdm_t) # Do not audit denied probes of /proc. @@ -29954,7 +30099,7 @@ index 8b40377..84a88ff 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +614,30 @@ files_list_mnt(xdm_t) +@@ -431,9 +617,30 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -29985,7 +30130,7 @@ index 8b40377..84a88ff 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,28 +646,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -442,28 +649,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -30036,7 +30181,7 @@ index 8b40377..84a88ff 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +694,163 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +697,163 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -30206,7 +30351,7 @@ index 8b40377..84a88ff 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +863,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +866,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') @@ -30238,7 +30383,7 @@ index 8b40377..84a88ff 100644 ') optional_policy(` -@@ -518,8 +898,36 @@ optional_policy(` +@@ -518,8 +901,36 @@ optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) 
@@ -30276,7 +30421,7 @@ index 8b40377..84a88ff 100644 ') ') -@@ -530,6 +938,20 @@ optional_policy(` +@@ -530,6 +941,20 @@ optional_policy(` ') optional_policy(` @@ -30297,7 +30442,7 @@ index 8b40377..84a88ff 100644 hostname_exec(xdm_t) ') -@@ -547,28 +969,78 @@ optional_policy(` +@@ -547,28 +972,78 @@ optional_policy(` ') optional_policy(` @@ -30385,7 +30530,7 @@ index 8b40377..84a88ff 100644 ') optional_policy(` -@@ -580,6 +1052,14 @@ optional_policy(` +@@ -580,6 +1055,14 @@ optional_policy(` ') optional_policy(` @@ -30400,7 +30545,7 @@ index 8b40377..84a88ff 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1074,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1077,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -30409,7 +30554,7 @@ index 8b40377..84a88ff 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1084,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1087,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -30422,7 +30567,7 @@ index 8b40377..84a88ff 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1101,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1104,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
@@ -30438,7 +30583,7 @@ index 8b40377..84a88ff 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1117,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1120,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -30449,7 +30594,7 @@ index 8b40377..84a88ff 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1132,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1135,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -30491,7 +30636,7 @@ index 8b40377..84a88ff 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1183,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1186,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -30523,7 +30668,7 @@ index 8b40377..84a88ff 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1216,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1219,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -30538,7 +30683,7 @@ index 8b40377..84a88ff 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1237,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1240,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) 
@@ -30562,7 +30707,7 @@ index 8b40377..84a88ff 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1256,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1259,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -30571,7 +30716,7 @@ index 8b40377..84a88ff 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1300,54 @@ optional_policy(` +@@ -785,17 +1303,54 @@ optional_policy(` ') optional_policy(` @@ -30628,7 +30773,7 @@ index 8b40377..84a88ff 100644 ') optional_policy(` -@@ -803,6 +1355,10 @@ optional_policy(` +@@ -803,6 +1358,10 @@ optional_policy(` ') optional_policy(` @@ -30639,7 +30784,7 @@ index 8b40377..84a88ff 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1374,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1377,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -30664,7 +30809,7 @@ index 8b40377..84a88ff 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1397,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1400,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -30699,7 +30844,7 @@ index 8b40377..84a88ff 100644 ') optional_policy(` -@@ -912,7 +1462,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1465,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -30708,7 +30853,7 @@ index 8b40377..84a88ff 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1516,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1519,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -30740,7 +30885,7 @@ index 8b40377..84a88ff 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1562,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1565,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -35104,7 +35249,7 @@ index 79a45f6..6126f21 100644 + allow $1 init_var_lib_t:dir search_dir_perms; ') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..b7c9304 100644 +index 17eda24..9c87847 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` 
@@ -35401,10 +35546,10 @@ index 17eda24..b7c9304 100644 + +miscfiles_manage_localization(init_t) +miscfiles_filetrans_named_content(init_t) ++ ++udev_manage_rules_files(init_t) -miscfiles_read_localization(init_t) -+udev_manage_rules_files(init_t) -+ +userdom_use_user_ttys(init_t) +userdom_manage_tmp_dirs(init_t) +userdom_manage_tmp_sockets(init_t) @@ -35417,7 +35562,7 @@ index 17eda24..b7c9304 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +339,275 @@ ifdef(`distro_gentoo',` +@@ -186,29 +339,283 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -35458,12 +35603,21 @@ index 17eda24..b7c9304 100644 +optional_policy(` + kdump_read_crash(init_t) + kdump_read_config(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- auth_rw_login_records(init_t) + gnome_filetrans_home_content(init_t) + gnome_manage_data(init_t) + gnome_manage_config(init_t) + ') + + optional_policy(` ++ gssproxy_noatsecure(init_t) ++') ++ ++optional_policy(` ++ rpc_gssd_noatsecure(init_t) +') + +optional_policy(` @@ -35660,14 +35814,13 @@ index 17eda24..b7c9304 100644 + +optional_policy(` + lldpad_relabel_tmpfs(init_t) - ') - - optional_policy(` -- auth_rw_login_records(init_t) ++') ++ ++optional_policy(` + consolekit_manage_log(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) @@ -35675,9 +35828,10 @@ index 17eda24..b7c9304 100644 + optional_policy(` + devicekit_dbus_chat_power(init_t) + ') -+') -+ -+optional_policy(` + ') + + optional_policy(` +- nscd_use(init_t) + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. 
@@ -35688,10 +35842,9 @@ index 17eda24..b7c9304 100644 +optional_policy(` + networkmanager_stream_connect(init_t) + networkmanager_stream_connect(initrc_t) - ') - - optional_policy(` -- nscd_use(init_t) ++') ++ ++optional_policy(` + plymouthd_stream_connect(init_t) + plymouthd_exec_plymouth(init_t) + plymouthd_filetrans_named_content(init_t) @@ -35702,7 +35855,7 @@ index 17eda24..b7c9304 100644 ') optional_policy(` -@@ -216,7 +615,30 @@ optional_policy(` +@@ -216,7 +623,30 @@ optional_policy(` ') optional_policy(` @@ -35734,7 +35887,7 @@ index 17eda24..b7c9304 100644 ') ######################################## -@@ -225,9 +647,9 @@ optional_policy(` +@@ -225,9 +655,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -35746,7 +35899,7 @@ index 17eda24..b7c9304 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +680,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +688,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -35763,7 +35916,7 @@ index 17eda24..b7c9304 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +705,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +713,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -35806,7 +35959,7 @@ index 17eda24..b7c9304 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +742,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +750,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) 
@@ -35818,7 +35971,7 @@ index 17eda24..b7c9304 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +754,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +762,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -35829,7 +35982,7 @@ index 17eda24..b7c9304 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +765,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +773,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -35839,7 +35992,7 @@ index 17eda24..b7c9304 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +774,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +782,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -35847,7 +36000,7 @@ index 17eda24..b7c9304 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +781,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +789,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -35855,7 +36008,7 @@ index 17eda24..b7c9304 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +789,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +797,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -35873,7 +36026,7 @@ index 17eda24..b7c9304 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +807,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +815,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -35887,7 +36040,7 @@ index 17eda24..b7c9304 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +822,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +830,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -35901,7 +36054,7 @@ index 17eda24..b7c9304 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +835,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +843,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -35912,7 +36065,7 @@ index 17eda24..b7c9304 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +848,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +856,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -35920,7 +36073,7 @@ index 17eda24..b7c9304 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +867,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +875,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -35944,7 +36097,7 @@ index 17eda24..b7c9304 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +900,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +908,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) 
@@ -35952,7 +36105,7 @@ index 17eda24..b7c9304 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +934,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +942,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -35963,7 +36116,7 @@ index 17eda24..b7c9304 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +958,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +966,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -35972,7 +36125,7 @@ index 17eda24..b7c9304 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +973,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +981,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -35980,7 +36133,7 @@ index 17eda24..b7c9304 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +994,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +1002,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -35988,7 +36141,7 @@ index 17eda24..b7c9304 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +1004,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +1012,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -36033,7 +36186,7 @@ index 17eda24..b7c9304 100644 ') optional_policy(` -@@ -559,14 +1049,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1057,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -36065,7 +36218,7 @@ index 17eda24..b7c9304 100644 ') ') -@@ -577,6 +1084,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1092,39 @@ ifdef(`distro_suse',` ') ') 
@@ -36105,7 +36258,7 @@ index 17eda24..b7c9304 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1129,8 @@ optional_policy(` +@@ -589,6 +1137,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -36114,7 +36267,7 @@ index 17eda24..b7c9304 100644 ') optional_policy(` -@@ -610,6 +1152,7 @@ optional_policy(` +@@ -610,6 +1160,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -36122,7 +36275,7 @@ index 17eda24..b7c9304 100644 ') optional_policy(` -@@ -626,6 +1169,17 @@ optional_policy(` +@@ -626,6 +1177,17 @@ optional_policy(` ') optional_policy(` @@ -36140,7 +36293,7 @@ index 17eda24..b7c9304 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1196,13 @@ optional_policy(` +@@ -642,9 +1204,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -36154,7 +36307,7 @@ index 17eda24..b7c9304 100644 ') optional_policy(` -@@ -657,15 +1215,11 @@ optional_policy(` +@@ -657,15 +1223,11 @@ optional_policy(` ') optional_policy(` @@ -36172,7 +36325,7 @@ index 17eda24..b7c9304 100644 ') optional_policy(` -@@ -686,6 +1240,15 @@ optional_policy(` +@@ -686,6 +1248,15 @@ optional_policy(` ') optional_policy(` @@ -36188,7 +36341,7 @@ index 17eda24..b7c9304 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1289,7 @@ optional_policy(` +@@ -726,6 +1297,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -36196,7 +36349,7 @@ index 17eda24..b7c9304 100644 ') optional_policy(` -@@ -743,7 +1307,13 @@ optional_policy(` +@@ -743,7 +1315,13 @@ optional_policy(` ') optional_policy(` @@ -36211,7 +36364,7 @@ index 17eda24..b7c9304 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1336,10 @@ optional_policy(` +@@ -766,6 +1344,10 @@ optional_policy(` ') optional_policy(` 
@@ -36222,7 +36375,7 @@ index 17eda24..b7c9304 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1349,20 @@ optional_policy(` +@@ -775,10 +1357,20 @@ optional_policy(` ') optional_policy(` @@ -36243,7 +36396,7 @@ index 17eda24..b7c9304 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1371,10 @@ optional_policy(` +@@ -787,6 +1379,10 @@ optional_policy(` ') optional_policy(` @@ -36254,7 +36407,7 @@ index 17eda24..b7c9304 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1396,6 @@ optional_policy(` +@@ -808,8 +1404,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -36263,7 +36416,7 @@ index 17eda24..b7c9304 100644 ') optional_policy(` -@@ -818,6 +1404,10 @@ optional_policy(` +@@ -818,6 +1412,10 @@ optional_policy(` ') optional_policy(` @@ -36274,7 +36427,7 @@ index 17eda24..b7c9304 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1417,12 @@ optional_policy(` +@@ -827,10 +1425,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -36287,7 +36440,7 @@ index 17eda24..b7c9304 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1449,62 @@ optional_policy(` +@@ -857,21 +1457,62 @@ optional_policy(` ') optional_policy(` @@ -36351,7 +36504,7 @@ index 17eda24..b7c9304 100644 ') optional_policy(` -@@ -887,6 +1520,10 @@ optional_policy(` +@@ -887,6 +1528,10 @@ optional_policy(` ') optional_policy(` @@ -36362,7 +36515,7 @@ index 17eda24..b7c9304 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1534,218 @@ optional_policy(` +@@ -897,3 +1542,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') diff --git a/policy-f25-contrib.patch b/policy-f25-contrib.patch index 89e228b..4842c5d 100644 --- a/policy-f25-contrib.patch +++ b/policy-f25-contrib.patch 
@@ -12356,7 +12356,7 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 550b287..1401e7b 100644 +index 550b287..61ce134 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,18 +18,23 @@ files_type(certmonger_var_lib_t) @@ -12449,7 +12449,7 @@ index 550b287..1401e7b 100644 ') optional_policy(` -@@ -92,11 +111,60 @@ optional_policy(` +@@ -92,11 +111,65 @@ optional_policy(` ') optional_policy(` @@ -12471,6 +12471,7 @@ index 550b287..1401e7b 100644 +optional_policy(` kerberos_use(certmonger_t) + kerberos_read_keytab(certmonger_t) ++ kerberos_filetrans_named_content(certmonger_t) ') optional_policy(` @@ -12484,6 +12485,10 @@ index 550b287..1401e7b 100644 +') + +optional_policy(` ++ rhcs_start_haproxy_services(certmonger_t) ++') ++ ++optional_policy(` + sssd_delete_public_files(certmonger_t) +') + @@ -36569,10 +36574,10 @@ index 0000000..f4659d1 +/var/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_var_run_t,s0) diff --git a/gssproxy.if b/gssproxy.if new file mode 100644 -index 0000000..2277038 +index 0000000..8a2013a --- /dev/null +++ b/gssproxy.if -@@ -0,0 +1,199 @@ +@@ -0,0 +1,217 @@ + +## policy for gssproxy + @@ -36772,9 +36777,27 @@ index 0000000..2277038 + systemd_read_fifo_file_passwd_run($1) + ') +') ++ ++######################################## ++## ++## Read and write to svirt_image devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gssproxy_noatsecure',` ++ gen_require(` ++ type gssproxy_t; ++ ') ++ ++ allow $1 gssproxy_t:process { noatsecure rlimitinh }; ++') diff --git a/gssproxy.te b/gssproxy.te new file mode 100644 -index 0000000..5e43ca7 +index 0000000..27abcbb --- /dev/null +++ b/gssproxy.te @@ -0,0 +1,74 @@ 
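Review bot: The doc block of the new `gssproxy_noatsecure` interface in gssproxy.if is a copy-paste leftover — its summary reads `## Read and write to svirt_image devices.` while the body grants `allow $1 gssproxy_t:process { noatsecure rlimitinh };`. A summary matching the rule would be `## Allow the caller to start gssproxy_t without AT_SECURE (noatsecure) and with inherited resource limits (rlimitinh).`, and the existing `Domain allowed access.` parameter text fits as is. Because noatsecure means the started gssproxy process does not run in secure mode and therefore honors the caller's loader environment, a one-line comment stating that the interface is intended only for trusted service starters such as init_t, the only caller visible in this commit (init.te), would help the next reviewer. The new `rpc_gssd_noatsecure` interface in rpc.if carries the identical copied summary and needs the same correction.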
@@ -36802,7 +36825,7 @@ index 0000000..5e43ca7 +# +# gssproxy local policy +# -+allow gssproxy_t self:capability { setuid setgid }; ++allow gssproxy_t self:capability { setuid setgid dac_override }; +allow gssproxy_t self:capability2 block_suspend; +allow gssproxy_t self:fifo_file rw_fifo_file_perms; +allow gssproxy_t self:unix_stream_socket create_stream_socket_perms; @@ -39036,10 +39059,10 @@ index 0000000..ddbc007 +') diff --git a/ipa.te b/ipa.te new file mode 100644 -index 0000000..e4c5d89 +index 0000000..55e151e --- /dev/null +++ b/ipa.te -@@ -0,0 +1,260 @@ +@@ -0,0 +1,264 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -39139,6 +39162,10 @@ index 0000000..e4c5d89 +manage_files_pattern(ipa_helper_t, ipa_log_t, ipa_log_t) +logging_log_filetrans(ipa_helper_t, ipa_log_t, file) + ++manage_dirs_pattern(ipa_helper_t, ipa_var_run_t, ipa_var_run_t) ++manage_files_pattern(ipa_helper_t, ipa_var_run_t, ipa_var_run_t) ++files_pid_filetrans(ipa_helper_t, ipa_var_run_t, { dir file }) ++ +kernel_read_system_state(ipa_helper_t) +kernel_read_network_state(ipa_helper_t) + @@ -42524,7 +42551,7 @@ index 4fe75fd..3504a9b 100644 +/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/kerberos.if b/kerberos.if -index f6c00d8..192df56 100644 +index f6c00d8..214369f 100644 --- a/kerberos.if +++ b/kerberos.if @@ -1,27 +1,29 @@ @@ -42820,7 +42847,7 @@ index f6c00d8..192df56 100644 ## ## ## -@@ -259,18 +272,18 @@ interface(`kerberos_home_filetrans_krb5_home',` +@@ -259,18 +272,20 @@ interface(`kerberos_home_filetrans_krb5_home',` ## ## # 
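Review bot: Adding `dac_override` to `allow gssproxy_t self:capability { setuid setgid dac_override };` lets gssproxy bypass every discretionary file-permission check, which is broader than most single denials require. If the access that triggered it is only reading or searching files owned by another uid, `dac_read_search` is the narrower capability; if it is a write to a file gssproxy does not own, correcting the file's ownership or mode is usually preferable to a blanket override. A short comment above the rule recording which path or access needed it would keep the grant reviewable.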
@@ -42839,11 +42866,13 @@ index f6c00d8..192df56 100644 ######################################## ## -## Read and write kerberos key table files. ++ manage_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t) ++ manage_dirs_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t) +## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). ## ## ## -@@ -278,49 +291,122 @@ interface(`kerberos_read_keytab',` +@@ -278,49 +293,122 @@ interface(`kerberos_read_keytab',` ## ## # @@ -42982,7 +43011,7 @@ index f6c00d8..192df56 100644 ## ## ## -@@ -329,60 +415,63 @@ interface(`kerberos_manage_keytab_files',` +@@ -329,60 +417,63 @@ interface(`kerberos_manage_keytab_files',` ## ## # @@ -43067,7 +43096,7 @@ index f6c00d8..192df56 100644 ## ## ## -@@ -391,141 +480,88 @@ interface(`kerberos_read_kdc_config',` +@@ -391,141 +482,88 @@ interface(`kerberos_read_kdc_config',` ## ## # @@ -46089,7 +46118,7 @@ index dff21a7..b6981c8 100644 init_labeled_script_domtrans($1, lircd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/lircd.te b/lircd.te -index 483c87b..f68ee3a 100644 +index 483c87b..df73ba0 100644 --- a/lircd.te +++ b/lircd.te @@ -13,7 +13,7 @@ type lircd_initrc_exec_t; @@ -46122,6 +46151,15 @@ index 483c87b..f68ee3a 100644 corenet_all_recvfrom_unlabeled(lircd_t) corenet_all_recvfrom_netlabel(lircd_t) corenet_tcp_sendrecv_generic_if(lircd_t) +@@ -56,7 +58,7 @@ dev_read_mouse(lircd_t) + dev_filetrans_lirc(lircd_t) + dev_rw_lirc(lircd_t) + dev_rw_input_dev(lircd_t) +-dev_read_sysfs(lircd_t) ++dev_rw_sysfs(lircd_t) + + files_read_config_files(lircd_t) + files_list_var(lircd_t) @@ -64,9 +66,11 @@ files_manage_generic_locks(lircd_t) files_read_all_locks(lircd_t) @@ -87117,7 +87155,7 @@ index 47de2d6..6baf5cd 100644 +/var/log/pacemaker\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0) diff --git a/rhcs.if b/rhcs.if -index c8bdea2..8ad3e01 100644 +index c8bdea2..beb2872 100644 --- a/rhcs.if 
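Review bot: The two added lines `manage_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)` and `manage_dirs_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)` are inserted after the `##` doc-comment line and before `## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).`, which by unified-diff ordering places them in the patched kerberos.if outside any `interface(...)` body, inside the doc block of the following interface, where `$1` has no value. If they belong to the interface that manages the KDC configuration they should sit inside its body before the closing `')`; that interface starts and ends outside this hunk, so this is inferred from the visible context only. Note also that these rules grant full manage rights on the KDC configuration type, so whichever interface receives them should carry a `manage` name and summary rather than a `read` one.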
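Review bot: Replacing `dev_read_sysfs(lircd_t)` with `dev_rw_sysfs(lircd_t)` in lircd.te grants write access to every sysfs attribute, not only the one lircd presumably needs to set. If the denial concerned a single node, a comment above the rule such as `# lircd writes <ATTRIBUTE-PLACEHOLDER> under /sys; needed for <REASON-PLACEHOLDER>` records the intent, and a device-class-specific interface, where one exists, would be the tighter grant.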
+++ b/rhcs.if @@ -1,19 +1,19 @@ @@ -87568,7 +87606,7 @@ index c8bdea2..8ad3e01 100644 ') ###################################### -@@ -446,52 +577,385 @@ interface(`rhcs_domtrans_qdiskd',` +@@ -446,52 +577,404 @@ interface(`rhcs_domtrans_qdiskd',` ######################################## ## @@ -87606,16 +87644,10 @@ index c8bdea2..8ad3e01 100644 # -interface(`rhcs_admin',` +interface(`rhcs_read_cluster_lib_files',` - gen_require(` -- attribute cluster_domain, cluster_pid, cluster_tmpfs; -- attribute cluster_log; -- type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t; -- type fenced_tmp_t, qdiskd_var_lib_t; ++ gen_require(` + type cluster_var_lib_t; - ') - -- allow $1 cluster_domain:process { ptrace signal_perms }; -- ps_process_pattern($1, cluster_domain) ++ ') ++ + files_search_var_lib($1) + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') @@ -87634,17 +87666,11 @@ index c8bdea2..8ad3e01 100644 + gen_require(` + type cluster_var_lib_t; + ') - -- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) -- domain_system_change_exemption($1) -- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; -- allow $2 system_r; ++ + files_search_var_lib($1) + manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') - -- files_search_pids($1) -- admin_pattern($1, cluster_pid) ++ +#################################### +## +## Allow domain to relabel cluster lib files @@ -87664,9 +87690,7 @@ index c8bdea2..8ad3e01 100644 + relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) + relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') - -- files_search_locks($1) -- admin_pattern($1, fenced_lock_t) ++ +###################################### +## +## Execute a domain transition to run cluster administrative domain. 
@@ -87681,15 +87705,11 @@ index c8bdea2..8ad3e01 100644 + gen_require(` + type cluster_t, cluster_exec_t; + ') - -- files_search_tmp($1) -- admin_pattern($1, fenced_tmp_t) ++ + corecmd_search_bin($1) + domtrans_pattern($1, cluster_exec_t, cluster_t) +') - -- files_search_var_lib($1) -- admin_pattern($1, qdiskd_var_lib_t) ++ +####################################### +## +## Execute cluster init scripts in @@ -87705,9 +87725,7 @@ index c8bdea2..8ad3e01 100644 + gen_require(` + type cluster_initrc_exec_t; + ') - -- fs_search_tmpfs($1) -- admin_pattern($1, cluster_tmpfs) ++ + init_labeled_script_domtrans($1, cluster_initrc_exec_t) +') + @@ -87918,17 +87936,31 @@ index c8bdea2..8ad3e01 100644 +## +# +interface(`rhcs_dbus_chat_cluster',` -+ gen_require(` + gen_require(` +- attribute cluster_domain, cluster_pid, cluster_tmpfs; +- attribute cluster_log; +- type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t; +- type fenced_tmp_t, qdiskd_var_lib_t; + type cluster_t; + class dbus send_msg; -+ ') -+ + ') + +- allow $1 cluster_domain:process { ptrace signal_perms }; +- ps_process_pattern($1, cluster_domain) + allow $1 cluster_t:dbus send_msg; + allow cluster_t $1:dbus send_msg; +') -+ -+ -+ + +- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) +- domain_system_change_exemption($1) +- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; +- allow $2 system_r; + +- files_search_pids($1) +- admin_pattern($1, cluster_pid) + +- files_search_locks($1) +- admin_pattern($1, fenced_lock_t) +##################################### +## +## All of the rules required to administrate 
@@ -87952,14 +87984,20 @@ index c8bdea2..8ad3e01 100644 + type cluster_tmpfs_t, cluster_var_log_t, cluster_var_run_t; + type cluster_unit_file_t; + ') -+ + +- files_search_tmp($1) +- admin_pattern($1, fenced_tmp_t) + allow $1 cluster_t:process signal_perms; + ps_process_pattern($1, cluster_t) -+ + +- files_search_var_lib($1) +- admin_pattern($1, qdiskd_var_lib_t) + tunable_policy(`deny_ptrace',`',` + allow $1 cluster_t:process ptrace; + ') -+ + +- fs_search_tmpfs($1) +- admin_pattern($1, cluster_tmpfs) + init_labeled_script_domtrans($1, cluster_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 cluster_initrc_exec_t system_r; @@ -87975,12 +88013,31 @@ index c8bdea2..8ad3e01 100644 + + files_list_pids($1) + admin_pattern($1, cluster_var_run_t) - -- logging_search_logs($1) -- admin_pattern($1, cluster_log) ++ + rhcs_systemctl_cluster($1) + admin_pattern($1, cluster_unit_file_t) + allow $1 cluster_unit_file_t:service all_service_perms; ++') ++ ++######################################## ++## ++## Start haproxy unit files domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rhcs_start_haproxy_services',` ++ gen_require(` ++ type haproxy_unit_file_t; ++ ') + +- logging_search_logs($1) +- admin_pattern($1, cluster_log) ++ systemd_exec_systemctl($1) ++ allow $1 haproxy_unit_file_t:service {status start}; ') diff --git a/rhcs.te b/rhcs.te index 6cf79c4..5279416 100644 @@ -90777,7 +90834,7 @@ index a6fb30c..97ef313 100644 +/var/run/rpc\.statd\.lock -- gen_context(system_u:object_r:rpcd_lock_t,s0) + diff --git a/rpc.if b/rpc.if -index 0bf13c2..ed393a0 100644 +index 0bf13c2..9572351 100644 --- a/rpc.if +++ b/rpc.if @@ -1,4 +1,4 @@ 
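Review bot: In the new `rhcs_start_haproxy_services` interface the rule `allow $1 haproxy_unit_file_t:service {status start};` drops the brace spacing used throughout rhcs.if; `allow $1 haproxy_unit_file_t:service { status start };` matches the file. The summary `## Start haproxy unit files domain.` also understates what is granted — the interface executes systemctl and permits both `start` and `status` — so `## Start the haproxy service and query its status via systemctl.` would be accurate. Since the `gen_require` pulls in `haproxy_unit_file_t`, a type owned by the haproxy module, the interface may be better placed in that module's .if file if one exists; the caller added in certmonger.te already wraps the call in `optional_policy`, so the move would be interface-compatible.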
@@ -91095,11 +91152,10 @@ index 0bf13c2..ed393a0 100644 files_search_var_lib($1) - allow $1 var_lib_nfs_t:dir search; + allow $1 var_lib_nfs_t:dir search_dir_perms; - ') - - ######################################## - ## --## Read nfs lib files. ++') ++ ++######################################## ++## +## List NFS state data in /var/lib/nfs. +## +## @@ -91115,10 +91171,11 @@ index 0bf13c2..ed393a0 100644 + + files_search_var_lib($1) + allow $1 var_lib_nfs_t:dir list_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read nfs lib files. +## Manage NFS state data in /var/lib/nfs. +## +## @@ -91227,7 +91284,7 @@ index 0bf13c2..ed393a0 100644 ') allow $1 rpc_domain:process { ptrace signal_perms }; -@@ -411,7 +504,7 @@ interface(`rpc_admin',` +@@ -411,10 +504,28 @@ interface(`rpc_admin',` admin_pattern($1, rpcd_var_run_t) files_list_all($1) @@ -91236,6 +91293,27 @@ index 0bf13c2..ed393a0 100644 files_list_tmp($1) admin_pattern($1, gssd_tmp_t) + + fs_search_nfsd_fs($1) + ') ++ ++######################################## ++## ++## Read and write to svirt_image devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpc_gssd_noatsecure',` ++ gen_require(` ++ type gssd_t; ++ ') ++ ++ allow $1 gssd_t:process { noatsecure rlimitinh }; ++') diff --git a/rpc.te b/rpc.te index 2da9fca..f97a61a 100644 --- a/rpc.te @@ -98509,10 +98587,10 @@ index 0000000..7a058a8 +') diff --git a/sbd.te b/sbd.te new file mode 100644 -index 0000000..95a5182 +index 0000000..9c44c87 --- /dev/null +++ b/sbd.te -@@ -0,0 +1,52 @@ +@@ -0,0 +1,54 @@ +policy_module(sbd, 1.0.0) + +######################################## @@ -98560,6 +98638,8 @@ index 0000000..95a5182 + +logging_send_syslog_msg(sbd_t) + ++storage_raw_rw_fixed_disk(sbd_t) ++ +optional_policy(` + rhcs_rw_cluster_tmpfs(sbd_t) + rhcs_stream_connect_cluster(sbd_t) 
@@ -99697,7 +99777,7 @@ index 35ad2a7..afdc7da 100644 + admin_pattern($1, mail_spool_t) ') diff --git a/sendmail.te b/sendmail.te -index 12700b4..27adacc 100644 +index 12700b4..fde469b 100644 --- a/sendmail.te +++ b/sendmail.te @@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t; @@ -99732,12 +99812,13 @@ index 12700b4..27adacc 100644 logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir }) manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t) -@@ -63,33 +65,21 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file) +@@ -63,33 +65,22 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file) kernel_read_network_state(sendmail_t) kernel_read_kernel_sysctls(sendmail_t) +# for piping mail to a command kernel_read_system_state(sendmail_t) ++kernel_search_network_sysctl(sendmail_t) -corenet_all_recvfrom_unlabeled(sendmail_t) corenet_all_recvfrom_netlabel(sendmail_t) @@ -99770,7 +99851,7 @@ index 12700b4..27adacc 100644 fs_getattr_all_fs(sendmail_t) fs_search_auto_mountpoints(sendmail_t) -@@ -98,35 +88,49 @@ fs_rw_anon_inodefs_files(sendmail_t) +@@ -98,35 +89,49 @@ fs_rw_anon_inodefs_files(sendmail_t) term_dontaudit_use_console(sendmail_t) term_dontaudit_use_generic_ptys(sendmail_t) @@ -99826,7 +99907,7 @@ index 12700b4..27adacc 100644 ') optional_policy(` -@@ -134,8 +138,8 @@ optional_policy(` +@@ -134,8 +139,8 @@ optional_policy(` ') optional_policy(` @@ -99837,7 +99918,7 @@ index 12700b4..27adacc 100644 ') optional_policy(` -@@ -164,6 +168,10 @@ optional_policy(` +@@ -164,6 +169,10 @@ optional_policy(` ') optional_policy(` @@ -99848,7 +99929,7 @@ index 12700b4..27adacc 100644 milter_stream_connect_all(sendmail_t) ') -@@ -172,6 +180,11 @@ optional_policy(` +@@ -172,6 +181,11 @@ optional_policy(` ') optional_policy(` 
@@ -99860,7 +99941,7 @@ index 12700b4..27adacc 100644 postfix_domtrans_postdrop(sendmail_t) postfix_domtrans_master(sendmail_t) postfix_domtrans_postqueue(sendmail_t) -@@ -193,6 +206,10 @@ optional_policy(` +@@ -193,6 +207,10 @@ optional_policy(` ') optional_policy(` @@ -99871,7 +99952,7 @@ index 12700b4..27adacc 100644 udev_read_db(sendmail_t) ') -@@ -206,8 +223,6 @@ optional_policy(` +@@ -206,8 +224,6 @@ optional_policy(` # optional_policy(` @@ -109486,10 +109567,10 @@ index 0000000..46f12a4 +') diff --git a/tlp.te b/tlp.te new file mode 100644 -index 0000000..0183c55 +index 0000000..ae69138 --- /dev/null +++ b/tlp.te -@@ -0,0 +1,65 @@ +@@ -0,0 +1,70 @@ +policy_module(tlp, 1.0.0) + +######################################## @@ -109549,12 +109630,17 @@ index 0000000..0183c55 +modutils_read_module_config(tlp_t) + +storage_raw_read_fixed_disk(tlp_t) ++storage_raw_write_removable_device(tlp_t) + +sysnet_exec_ifconfig(tlp_t) + +optional_policy(` + fstools_exec(tlp_t) +') ++ ++optional_policy(` ++ mount_domtrans(tlp_t) ++') diff --git a/tmpreaper.te b/tmpreaper.te index 585a77f..a7cb326 100644 --- a/tmpreaper.te @@ -114801,7 +114887,7 @@ index facdee8..487857a 100644 + dontaudit $1 virtd_t:lnk_file read_lnk_file_perms; ') diff --git a/virt.te b/virt.te -index f03dcf5..411b4fe 100644 +index f03dcf5..6c17c3f 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,412 @@ @@ -115824,7 +115910,7 @@ index f03dcf5..411b4fe 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +717,336 @@ optional_policy(` +@@ -746,44 +717,341 @@ optional_policy(` udev_read_pid_files(virtd_t) ') 
@@ -115874,12 +115960,17 @@ index f03dcf5..411b4fe 100644 +files_pid_filetrans(virtlogd_t, virtlogd_var_run_t, file) -dontaudit virsh_t virt_var_lib_t:file read_file_perms; -+kernel_read_network_state(virtlogd_t) ++manage_dirs_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) ++manage_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) ++manage_lnk_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) ++files_tmp_filetrans(virtlogd_t, svirt_tmp_t, { file dir lnk_file }) -allow virsh_t svirt_lxc_domain:process transition; -+allow virtlogd_t self:unix_stream_socket create_stream_socket_perms; ++kernel_read_network_state(virtlogd_t) -can_exec(virsh_t, virsh_exec_t) ++allow virtlogd_t self:unix_stream_socket create_stream_socket_perms; ++ +dev_read_sysfs(virtlogd_t) + +logging_send_syslog_msg(virtlogd_t) @@ -115965,7 +116056,7 @@ index f03dcf5..411b4fe 100644 +stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t) + +dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; - ++ +dontaudit virt_domain virt_tmpfs_type:file { read write }; + +append_files_pattern(virt_domain, virt_log_t, virt_log_t) @@ -116098,7 +116189,7 @@ index f03dcf5..411b4fe 100644 + fs_read_cifs_symlinks(virt_domain) + fs_getattr_cifs(virt_domain) +') -+ + +tunable_policy(`virt_use_usb',` + dev_rw_usbfs(virt_domain) + dev_read_sysfs(virt_domain) @@ -116183,7 +116274,7 @@ index f03dcf5..411b4fe 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1057,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1062,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -116210,7 +116301,7 @@ index f03dcf5..411b4fe 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1077,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1082,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) 
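Review bot: The new `files_tmp_filetrans(virtlogd_t, svirt_tmp_t, { file dir lnk_file })` together with the three `manage_*_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)` rules makes virtlogd create its /tmp content with the type that guest domains use for their own temporary files, if svirt_tmp_t is, as its name suggests, the tmp type managed by the svirt guest domains. That shares virtlogd's temporary files with every guest able to manage svirt_tmp_t and lets virtlogd manage whatever guests leave there; the same hunk already gives virtlogd a private `virtlogd_var_run_t`, so a dedicated tmp type (e.g. a newly declared `virtlogd_tmp_t`, name to be chosen) would preserve that separation. If the shared type is deliberate because virtlogd must handle guest-created files in /tmp, a comment above the rules saying so would make the intent explicit.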
@@ -116244,7 +116335,7 @@ index f03dcf5..411b4fe 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1114,20 @@ optional_policy(` +@@ -856,14 +1119,20 @@ optional_policy(` ') optional_policy(` @@ -116266,7 +116357,7 @@ index f03dcf5..411b4fe 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1152,66 @@ optional_policy(` +@@ -888,49 +1157,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -116351,7 +116442,7 @@ index f03dcf5..411b4fe 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1223,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1228,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -116371,7 +116462,7 @@ index f03dcf5..411b4fe 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1244,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1249,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -116395,7 +116486,7 @@ index f03dcf5..411b4fe 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1269,355 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1274,355 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -116896,7 +116987,7 @@ index f03dcf5..411b4fe 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1630,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1635,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) 
@@ -116911,7 +117002,7 @@ index f03dcf5..411b4fe 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1648,7 @@ optional_policy(` +@@ -1192,7 +1653,7 @@ optional_policy(` ######################################## # @@ -116920,7 +117011,7 @@ index f03dcf5..411b4fe 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1657,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1662,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 3f8fb28..cb2e639 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 225.12%{?dist} +Release: 225.13%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -675,6 +675,30 @@ exit 0 %endif %changelog +* Tue Apr 18 2017 Lukas Vrabec - 3.13.1-225.13 +- Add interface gssd_noatsecure() +- Add interface gssproxy_noatsecure() +- Fix policy to reflect all changes in new IPA release +- Allow tlp_t domain to ioctl removable devices BZ(1436830) +- Allow tlp_t domain domtrans into mount_t BZ(1442571) +- Allow lircd_t to read/write to sysfs BZ(1442443) +- Allow virtlogd_t to creating tmp files with virt_tmp_t labels. +- Allow sbd_t to read/write fixed disk devices +- Allow sendmail to search network sysctls +- Allow certmonger to start haproxy service +- Allow drbd load modules +- Revert "Add sys_module capability for drbd" +- Fix cockpit module +- Fix init Module +- Make groupadd_t domain as system bus client BZ(1416963) +- Allow init noatsecure for gssd and gssproxy +- Make useradd_t domain as system bus client BZ(1442572) +- Allow xdm_t to gettattr /dev/loop-control device BZ(1385090) +- Dontaudit gdm-session-worker to view key unknown. BZ(1433191) +- Allow staff user to read fwupd_cache_t files +- Allow xdm_t to execute files labeled as xdm_var_lib_t +- Remove /proc <> from fedora policy, it's no longer necessary + * Mon Apr 03 2017 Lukas Vrabec - 3.13.1-225.12 - Allow drbd load modules - Revert "Add sys_module capability for drbd"