diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 16f1156..c75579b 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-f24-base.patch b/policy-f24-base.patch
index 3a23692..3dc3cde 100644
--- a/policy-f24-base.patch
+++ b/policy-f24-base.patch
@@ -1286,10 +1286,21 @@ index 216b3d1..064ec83 100644
+
') dnl end enable_mcs
diff --git a/policy/mls b/policy/mls
-index f11e5e2..2d2ab83 100644
+index f11e5e2..b723977 100644
--- a/policy/mls
+++ b/policy/mls
-@@ -156,15 +156,12 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
+@@ -70,7 +70,9 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto }
+
+ # new file labels must be dominated by the relabeling subjects clearance
+ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
+- ( h1 dom h2 );
++ (( h1 dom h2 ) or
++ (( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 )) or
++ ( t1 == mlsfilewrite ));
+
+ # the file "read" ops (note the check is dominance of the low level)
+ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
+@@ -156,15 +158,12 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
# these access vectors have no MLS restrictions
# filesystem { transition associate }
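Review bot: The clause `( t1 == mlsfilewrite )` that the inner hunk adds to the relabelto constraint lets any domain carrying that attribute relabel files to a level its clearance does not dominate, which is strictly broader than the clearance-bounded `mlsfilerelabeltoclr` disjunct beside it, and nothing in the patch records why the unbounded form is needed. The comment kept as context on the line above, `# new file labels must be dominated by the relabeling subjects clearance`, no longer describes the rule; I would extend it to `# new file labels must be dominated by the relabeling subjects clearance, unless the subject is exempted via mlsfilerelabeltoclr (bounded by its clearance) or mlsfilewrite (unbounded)`. If the exemption is wanted for a specific domain, check whether the bounded attribute already covers that case before widening the constraint for every mlsfilewrite domain.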
@@ -1306,7 +1317,7 @@ index f11e5e2..2d2ab83 100644
( h1 dom h2 );
# the socket "read+write" ops
-@@ -180,7 +177,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
+@@ -180,7 +179,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
# the socket "read" ops (note the check is dominance of the low level)
@@ -1315,7 +1326,7 @@ index f11e5e2..2d2ab83 100644
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
-@@ -191,11 +188,12 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock
+@@ -191,11 +190,12 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock
( t1 == mlsnetread ));
# the socket "write" ops
@@ -1330,7 +1341,7 @@ index f11e5e2..2d2ab83 100644
# used by netlabel to restrict normal domains to same level connections
mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
-@@ -252,6 +250,11 @@ mlsconstrain msg receive
+@@ -252,6 +252,11 @@ mlsconstrain msg receive
(( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsipcread ));
@@ -1342,7 +1353,7 @@ index f11e5e2..2d2ab83 100644
# the ipc "write" ops (implicit single level)
mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
(( l1 eq l2 ) or
-@@ -361,9 +364,6 @@ mlsconstrain { peer packet } { recv }
+@@ -361,9 +366,6 @@ mlsconstrain { peer packet } { recv }
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
@@ -2898,7 +2909,7 @@ index 99e3903..fa68362 100644
##
##
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1d732f1..47af4c3 100644
+index 1d732f1..c2962a5 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t;
@@ -3127,7 +3138,7 @@ index 1d732f1..47af4c3 100644
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
-@@ -352,6 +383,19 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -352,6 +383,20 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -3136,6 +3147,7 @@ index 1d732f1..47af4c3 100644
+
+# needed by gnome-keyring
+userdom_manage_user_tmp_files(passwd_t)
++userdom_manage_user_tmp_sockets(passwd_t)
+userdom_manage_user_tmp_dirs(passwd_t)
+
+optional_policy(`
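Review bot: The added `userdom_manage_user_tmp_sockets(passwd_t)` gives the setuid passwd domain create, delete and rename rights over every user's temporary socket files, while the neighbouring `# needed by gnome-keyring` comment only names the component and does not say which operation needs more than read/write on the socket. If passwd only has to talk to an existing gnome-keyring socket, a read/write-level socket interface would be the narrower grant, assuming this tree provides one; if manage really is required, record the reason next to the rule, e.g. `# gnome-keyring: passwd needs manage (not just rw) on user tmp sockets, see <AVC/bug reference placeholder>`. The passwd_t section this hunk touches continues outside the hunk.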
@@ -3147,7 +3159,7 @@ index 1d732f1..47af4c3 100644
optional_policy(`
nscd_run(passwd_t, passwd_roles)
-@@ -401,9 +445,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -401,9 +446,10 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
@@ -3160,7 +3172,7 @@ index 1d732f1..47af4c3 100644
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -416,7 +461,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -416,7 +462,6 @@ files_read_usr_files(sysadm_passwd_t)
domain_use_interactive_fds(sysadm_passwd_t)
@@ -3168,7 +3180,7 @@ index 1d732f1..47af4c3 100644
files_relabel_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t)
# for nscd lookups
-@@ -426,12 +470,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+@@ -426,12 +471,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(sysadm_passwd_t)
@@ -3181,7 +3193,7 @@ index 1d732f1..47af4c3 100644
userdom_use_unpriv_users_fds(sysadm_passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
-@@ -446,7 +487,8 @@ optional_policy(`
+@@ -446,7 +488,8 @@ optional_policy(`
# Useradd local policy
#
@@ -3191,7 +3203,7 @@ index 1d732f1..47af4c3 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -461,6 +503,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -461,6 +504,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
@@ -3202,7 +3214,7 @@ index 1d732f1..47af4c3 100644
# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)
-@@ -468,29 +514,28 @@ corecmd_exec_shell(useradd_t)
+@@ -468,29 +515,28 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -3242,7 +3254,7 @@ index 1d732f1..47af4c3 100644
auth_run_chk_passwd(useradd_t, useradd_roles)
auth_rw_lastlog(useradd_t)
-@@ -498,6 +543,7 @@ auth_rw_faillog(useradd_t)
+@@ -498,6 +544,7 @@ auth_rw_faillog(useradd_t)
auth_use_nsswitch(useradd_t)
# these may be unnecessary due to the above
# domtrans_chk_passwd() call.
@@ -3250,7 +3262,7 @@ index 1d732f1..47af4c3 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
-@@ -508,33 +554,32 @@ init_rw_utmp(useradd_t)
+@@ -508,33 +555,32 @@ init_rw_utmp(useradd_t)
logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t)
@@ -3295,7 +3307,7 @@ index 1d732f1..47af4c3 100644
optional_policy(`
apache_manage_all_user_content(useradd_t)
')
-@@ -545,14 +590,27 @@ optional_policy(`
+@@ -545,14 +591,27 @@ optional_policy(`
')
optional_policy(`
@@ -3323,7 +3335,7 @@ index 1d732f1..47af4c3 100644
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)
')
-@@ -562,3 +620,12 @@ optional_policy(`
+@@ -562,3 +621,12 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
@@ -11017,7 +11029,7 @@ index b876c48..03f9342 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..890900c 100644
+index f962f76..50b1f05 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -12262,7 +12274,32 @@ index f962f76..890900c 100644
######################################
##
## Read symbolic links in the /boot directory.
-@@ -2645,6 +3276,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2557,6 +3188,24 @@ interface(`files_read_default_pipes',`
+
+ ########################################
+ ##
++## Mounton directories on filesystem /etc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_mounton_etc',`
++ gen_require(`
++ type etc_t;
++ ')
++
++ allow $1 etc_t:dir mounton;
++')
++
++########################################
++##
+ ## Search the contents of /etc directories.
+ ##
+ ##
+@@ -2645,6 +3294,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
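Review bot: The new `files_mounton_etc` interface grants `etc_t:dir mounton`, which lets the calling domain mount a filesystem over a system configuration directory and thereby change what every other domain reads from /etc, but its summary only restates the permission and gives callers no hint of that impact. I would add to the summary block `## Mounting over /etc lets the caller replace system configuration for all domains; grant only to mount-like domains.` so that future callers are reviewed against that bar. The inner hunk at @@ -2557 shows the interface in full, so the definition itself is complete here.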
@@ -12287,7 +12324,7 @@ index f962f76..890900c 100644
##########################################
##
## Manage generic directories in /etc
-@@ -2716,6 +3365,7 @@ interface(`files_read_etc_files',`
+@@ -2716,6 +3383,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -12295,7 +12332,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -2724,7 +3374,7 @@ interface(`files_read_etc_files',`
+@@ -2724,7 +3392,7 @@ interface(`files_read_etc_files',`
##
##
##
@@ -12304,7 +12341,7 @@ index f962f76..890900c 100644
##
##
#
-@@ -2780,6 +3430,25 @@ interface(`files_manage_etc_files',`
+@@ -2780,6 +3448,25 @@ interface(`files_manage_etc_files',`
########################################
##
@@ -12330,7 +12367,7 @@ index f962f76..890900c 100644
## Delete system configuration files in /etc.
##
##
-@@ -2798,6 +3467,24 @@ interface(`files_delete_etc_files',`
+@@ -2798,6 +3485,24 @@ interface(`files_delete_etc_files',`
########################################
##
@@ -12355,7 +12392,7 @@ index f962f76..890900c 100644
## Execute generic files in /etc.
##
##
-@@ -2963,24 +3650,6 @@ interface(`files_delete_boot_flag',`
+@@ -2963,26 +3668,8 @@ interface(`files_delete_boot_flag',`
########################################
##
@@ -12377,10 +12414,14 @@ index f962f76..890900c 100644
-
-########################################
-##
- ## Read files in /etc that are dynamically
- ## created on boot, such as mtab.
+-## Read files in /etc that are dynamically
+-## created on boot, such as mtab.
++## Read files in /etc that are dynamically
++## created on boot, such as mtab.
##
-@@ -3021,9 +3690,7 @@ interface(`files_read_etc_runtime_files',`
+ ##
+ ##
+@@ -3021,9 +3708,7 @@ interface(`files_read_etc_runtime_files',`
########################################
##
@@ -12391,7 +12432,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -3031,18 +3698,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3031,18 +3716,17 @@ interface(`files_read_etc_runtime_files',`
##
##
#
@@ -12413,7 +12454,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -3060,6 +3726,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3060,6 +3744,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
########################################
##
@@ -12440,7 +12481,7 @@ index f962f76..890900c 100644
## Read and write files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3077,6 +3763,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3077,6 +3781,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -12448,7 +12489,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -3098,6 +3785,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3098,6 +3803,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -12456,7 +12497,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -3142,10 +3830,48 @@ interface(`files_etc_filetrans_etc_runtime',`
+@@ -3142,10 +3848,48 @@ interface(`files_etc_filetrans_etc_runtime',`
#
interface(`files_getattr_isid_type_dirs',`
gen_require(`
@@ -12507,7 +12548,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -3161,10 +3887,10 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3161,10 +3905,10 @@ interface(`files_getattr_isid_type_dirs',`
#
interface(`files_dontaudit_search_isid_type_dirs',`
gen_require(`
@@ -12520,7 +12561,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -3180,10 +3906,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
+@@ -3180,10 +3924,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
#
interface(`files_list_isid_type_dirs',`
gen_require(`
@@ -12533,7 +12574,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -3199,10 +3925,10 @@ interface(`files_list_isid_type_dirs',`
+@@ -3199,10 +3943,10 @@ interface(`files_list_isid_type_dirs',`
#
interface(`files_rw_isid_type_dirs',`
gen_require(`
@@ -12546,7 +12587,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -3218,10 +3944,66 @@ interface(`files_rw_isid_type_dirs',`
+@@ -3218,10 +3962,66 @@ interface(`files_rw_isid_type_dirs',`
#
interface(`files_delete_isid_type_dirs',`
gen_require(`
@@ -12615,7 +12656,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -3237,10 +4019,10 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3237,10 +4037,10 @@ interface(`files_delete_isid_type_dirs',`
#
interface(`files_manage_isid_type_dirs',`
gen_require(`
@@ -12628,7 +12669,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -3256,10 +4038,29 @@ interface(`files_manage_isid_type_dirs',`
+@@ -3256,10 +4056,29 @@ interface(`files_manage_isid_type_dirs',`
#
interface(`files_mounton_isid_type_dirs',`
gen_require(`
@@ -12660,7 +12701,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -3275,10 +4076,10 @@ interface(`files_mounton_isid_type_dirs',`
+@@ -3275,10 +4094,10 @@ interface(`files_mounton_isid_type_dirs',`
#
interface(`files_read_isid_type_files',`
gen_require(`
@@ -12673,7 +12714,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -3294,10 +4095,10 @@ interface(`files_read_isid_type_files',`
+@@ -3294,10 +4113,10 @@ interface(`files_read_isid_type_files',`
#
interface(`files_delete_isid_type_files',`
gen_require(`
@@ -12686,7 +12727,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -3313,10 +4114,10 @@ interface(`files_delete_isid_type_files',`
+@@ -3313,10 +4132,10 @@ interface(`files_delete_isid_type_files',`
#
interface(`files_delete_isid_type_symlinks',`
gen_require(`
@@ -12699,7 +12740,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -3332,10 +4133,10 @@ interface(`files_delete_isid_type_symlinks',`
+@@ -3332,10 +4151,10 @@ interface(`files_delete_isid_type_symlinks',`
#
interface(`files_delete_isid_type_fifo_files',`
gen_require(`
@@ -12712,7 +12753,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -3351,10 +4152,10 @@ interface(`files_delete_isid_type_fifo_files',`
+@@ -3351,10 +4170,10 @@ interface(`files_delete_isid_type_fifo_files',`
#
interface(`files_delete_isid_type_sock_files',`
gen_require(`
@@ -12725,7 +12766,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -3370,10 +4171,10 @@ interface(`files_delete_isid_type_sock_files',`
+@@ -3370,10 +4189,10 @@ interface(`files_delete_isid_type_sock_files',`
#
interface(`files_delete_isid_type_blk_files',`
gen_require(`
@@ -12738,7 +12779,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -3389,10 +4190,10 @@ interface(`files_delete_isid_type_blk_files',`
+@@ -3389,10 +4208,10 @@ interface(`files_delete_isid_type_blk_files',`
#
interface(`files_dontaudit_write_isid_chr_files',`
gen_require(`
@@ -12751,7 +12792,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -3408,10 +4209,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
+@@ -3408,10 +4227,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
#
interface(`files_delete_isid_type_chr_files',`
gen_require(`
@@ -12764,7 +12805,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -3427,10 +4228,10 @@ interface(`files_delete_isid_type_chr_files',`
+@@ -3427,10 +4246,10 @@ interface(`files_delete_isid_type_chr_files',`
#
interface(`files_manage_isid_type_files',`
gen_require(`
@@ -12777,7 +12818,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -3446,10 +4247,10 @@ interface(`files_manage_isid_type_files',`
+@@ -3446,10 +4265,10 @@ interface(`files_manage_isid_type_files',`
#
interface(`files_manage_isid_type_symlinks',`
gen_require(`
@@ -12790,7 +12831,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -3465,10 +4266,29 @@ interface(`files_manage_isid_type_symlinks',`
+@@ -3465,10 +4284,29 @@ interface(`files_manage_isid_type_symlinks',`
#
interface(`files_rw_isid_type_blk_files',`
gen_require(`
@@ -12822,7 +12863,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -3484,10 +4304,10 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3484,10 +4322,10 @@ interface(`files_rw_isid_type_blk_files',`
#
interface(`files_manage_isid_type_blk_files',`
gen_require(`
@@ -12835,7 +12876,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -3503,10 +4323,10 @@ interface(`files_manage_isid_type_blk_files',`
+@@ -3503,10 +4341,10 @@ interface(`files_manage_isid_type_blk_files',`
#
interface(`files_manage_isid_type_chr_files',`
gen_require(`
@@ -12848,7 +12889,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -3552,6 +4372,27 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3552,6 +4390,27 @@ interface(`files_dontaudit_getattr_home_dir',`
########################################
##
@@ -12876,7 +12917,7 @@ index f962f76..890900c 100644
## Search home directories root (/home).
##
##
-@@ -3814,20 +4655,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4673,38 @@ interface(`files_list_mnt',`
######################################
##
@@ -12920,7 +12961,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -4012,6 +4871,12 @@ interface(`files_read_kernel_modules',`
+@@ -4012,6 +4889,12 @@ interface(`files_read_kernel_modules',`
allow $1 modules_object_t:dir list_dir_perms;
read_files_pattern($1, modules_object_t, modules_object_t)
read_lnk_files_pattern($1, modules_object_t, modules_object_t)
@@ -12933,7 +12974,7 @@ index f962f76..890900c 100644
')
########################################
-@@ -4217,192 +5082,218 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,174 +5100,218 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -13168,36 +13209,26 @@ index f962f76..890900c 100644
+## File name transition for system db files in /var/lib.
##
##
--##
--## Domain allowed access.
--##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`files_delete_tmp_dir_entry',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_filetrans_system_db_named_files',`
+ gen_require(`
+ type var_lib_t, system_db_t;
+ ')
-
-- allow $1 tmp_t:dir del_entry_dir_perms;
++
+ filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db")
+ filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal")
- ')
-
- ########################################
- ##
--## Read files in the tmp directory (/tmp).
++')
++
++########################################
++##
+## Allow the specified type to associate
+## to a filesystem with the type of the
+## temporary directory (/tmp).
- ##
--##
++##
+##
##
-## Domain allowed access.
@@ -13205,19 +13236,19 @@ index f962f76..890900c 100644
##
##
#
--interface(`files_read_generic_tmp_files',`
+-interface(`files_delete_tmp_dir_entry',`
+interface(`files_associate_tmp',`
gen_require(`
type tmp_t;
')
-- read_files_pattern($1, tmp_t, tmp_t)
+- allow $1 tmp_t:dir del_entry_dir_perms;
+ allow $1 tmp_t:filesystem associate;
')
########################################
##
--## Manage temporary directories in /tmp.
+-## Read files in the tmp directory (/tmp).
+## Allow the specified type to associate
+## to a filesystem with the type of the
+## / file system
@@ -13230,42 +13261,42 @@ index f962f76..890900c 100644
##
##
#
--interface(`files_manage_generic_tmp_dirs',`
+-interface(`files_read_generic_tmp_files',`
+interface(`files_associate_rootfs',`
gen_require(`
- type tmp_t;
+ type root_t;
')
-- manage_dirs_pattern($1, tmp_t, tmp_t)
+- read_files_pattern($1, tmp_t, tmp_t)
+ allow $1 root_t:filesystem associate;
')
########################################
##
--## Manage temporary files and directories in /tmp.
+-## Manage temporary directories in /tmp.
+## Get the attributes of the tmp directory (/tmp).
##
##
##
-@@ -4410,53 +5301,56 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4392,53 +5319,56 @@ interface(`files_read_generic_tmp_files',`
##
##
#
--interface(`files_manage_generic_tmp_files',`
+-interface(`files_manage_generic_tmp_dirs',`
+interface(`files_getattr_tmp_dirs',`
gen_require(`
type tmp_t;
')
-- manage_files_pattern($1, tmp_t, tmp_t)
+- manage_dirs_pattern($1, tmp_t, tmp_t)
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir getattr;
')
########################################
##
--## Read symbolic links in the tmp directory (/tmp).
+-## Manage temporary files and directories in /tmp.
+## Do not audit attempts to check the
+## access on tmp files
##
@@ -13276,20 +13307,20 @@ index f962f76..890900c 100644
##
##
#
--interface(`files_read_generic_tmp_symlinks',`
+-interface(`files_manage_generic_tmp_files',`
+interface(`files_dontaudit_access_check_tmp',`
gen_require(`
- type tmp_t;
+ type etc_t;
')
-- read_lnk_files_pattern($1, tmp_t, tmp_t)
+- manage_files_pattern($1, tmp_t, tmp_t)
+ dontaudit $1 tmp_t:dir_file_class_set audit_access;
')
########################################
##
--## Read and write generic named sockets in the tmp directory (/tmp).
+-## Read symbolic links in the tmp directory (/tmp).
+## Do not audit attempts to get the
+## attributes of the tmp directory (/tmp).
##
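Review bot: In the inner hunk around `files_dontaudit_access_check_tmp`, the gen_require block is switched to `type etc_t;` while the rule that follows is `dontaudit $1 tmp_t:dir_file_class_set audit_access;`, so the interface requires a type it never uses and omits the one it does; the outer-context/inner-marker reading is slightly uncertain because leading whitespace has been stripped, but the new side appears to end up with this mismatch. Unless tmp_t is already in scope in every module that calls the interface, the policy build will fail on an undeclared type, and even where it builds the etc_t requirement is dead weight. The require line should read `type tmp_t;`. The mismatch predates this rebase rather than being introduced by it, but the commit regenerates this hunk and is the natural place to correct it.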
@@ -13300,35 +13331,34 @@ index f962f76..890900c 100644
##
##
#
--interface(`files_rw_generic_tmp_sockets',`
+-interface(`files_read_generic_tmp_symlinks',`
+interface(`files_dontaudit_getattr_tmp_dirs',`
gen_require(`
type tmp_t;
')
-- rw_sock_files_pattern($1, tmp_t, tmp_t)
+- read_lnk_files_pattern($1, tmp_t, tmp_t)
+ dontaudit $1 tmp_t:dir getattr;
')
########################################
##
--## Set the attributes of all tmp directories.
+-## Read and write generic named sockets in the tmp directory (/tmp).
+## Search the tmp directory (/tmp).
##
##
##
-@@ -4464,77 +5358,93 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4446,35 +5376,37 @@ interface(`files_read_generic_tmp_symlinks',`
##
##
#
--interface(`files_setattr_all_tmp_dirs',`
+-interface(`files_rw_generic_tmp_sockets',`
+interface(`files_search_tmp',`
gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
+ type tmp_t;
')
-- allow $1 tmpfile:dir { search_dir_perms setattr };
+- rw_sock_files_pattern($1, tmp_t, tmp_t)
+ fs_search_tmpfs($1)
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir search_dir_perms;
@@ -13336,7 +13366,7 @@ index f962f76..890900c 100644
########################################
##
--## List all tmp directories.
+-## Set the attributes of all tmp directories.
+## Do not audit attempts to search the tmp directory (/tmp).
##
##
@@ -13346,83 +13376,93 @@ index f962f76..890900c 100644
##
##
#
--interface(`files_list_all_tmp',`
+-interface(`files_setattr_all_tmp_dirs',`
+interface(`files_dontaudit_search_tmp',`
gen_require(`
- attribute tmpfile;
+ type tmp_t;
')
-- allow $1 tmpfile:dir list_dir_perms;
+- allow $1 tmpfile:dir { search_dir_perms setattr };
+ dontaudit $1 tmp_t:dir search_dir_perms;
')
########################################
##
--## Relabel to and from all temporary
--## directory types.
+-## List all tmp directories.
+## Read the tmp directory (/tmp).
##
##
##
- ## Domain allowed access.
+@@ -4482,59 +5414,55 @@ interface(`files_setattr_all_tmp_dirs',`
##
##
--##
#
--interface(`files_relabel_all_tmp_dirs',`
+-interface(`files_list_all_tmp',`
+interface(`files_list_tmp',`
gen_require(`
- attribute tmpfile;
-- type var_t;
+ type tmp_t;
')
-- allow $1 var_t:dir search_dir_perms;
-- relabel_dirs_pattern($1, tmpfile, tmpfile)
+- allow $1 tmpfile:dir list_dir_perms;
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir list_dir_perms;
')
########################################
##
--## Do not audit attempts to get the attributes
--## of all tmp files.
+-## Relabel to and from all temporary
+-## directory types.
+## Do not audit listing of the tmp directory (/tmp).
##
##
##
--## Domain not to audit.
+-## Domain allowed access.
+## Domain to not audit.
##
##
+-##
#
--interface(`files_dontaudit_getattr_all_tmp_files',`
+-interface(`files_relabel_all_tmp_dirs',`
+interface(`files_dontaudit_list_tmp',`
gen_require(`
- attribute tmpfile;
+- type var_t;
+ type tmp_t;
')
-- dontaudit $1 tmpfile:file getattr;
+- allow $1 var_t:dir search_dir_perms;
+- relabel_dirs_pattern($1, tmpfile, tmpfile)
+ dontaudit $1 tmp_t:dir list_dir_perms;
-+')
-+
+ ')
+
+-########################################
+#######################################
-+##
+ ##
+-## Do not audit attempts to get the attributes
+-## of all tmp files.
+## Allow read and write to the tmp directory (/tmp).
-+##
-+##
+ ##
+ ##
+-##
+-## Domain not to audit.
+-##
+##
+## Domain not to audit.
+##
-+##
-+#
+ ##
+ #
+-interface(`files_dontaudit_getattr_all_tmp_files',`
+- gen_require(`
+- attribute tmpfile;
+- ')
+interface(`files_rw_generic_tmp_dir',`
+ gen_require(`
+ type tmp_t;
+ ')
-+
+
+- dontaudit $1 tmpfile:file getattr;
+ files_search_tmp($1)
+ allow $1 tmp_t:dir rw_dir_perms;
')
@@ -13435,7 +13475,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -4542,110 +5452,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+@@ -4542,110 +5470,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
##
##
#
@@ -13574,7 +13614,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -4653,22 +5551,17 @@ interface(`files_tmp_filetrans',`
+@@ -4653,22 +5569,17 @@ interface(`files_tmp_filetrans',`
##
##
#
@@ -13601,7 +13641,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -4676,17 +5569,17 @@ interface(`files_purge_tmp',`
+@@ -4676,17 +5587,17 @@ interface(`files_purge_tmp',`
##
##
#
@@ -13623,7 +13663,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -4694,18 +5587,17 @@ interface(`files_setattr_usr_dirs',`
+@@ -4694,18 +5605,17 @@ interface(`files_setattr_usr_dirs',`
##
##
#
@@ -13646,7 +13686,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -4713,35 +5605,35 @@ interface(`files_search_usr',`
+@@ -4713,35 +5623,35 @@ interface(`files_search_usr',`
##
##
#
@@ -13691,7 +13731,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -4749,36 +5641,35 @@ interface(`files_dontaudit_write_usr_dirs',`
+@@ -4749,36 +5659,35 @@ interface(`files_dontaudit_write_usr_dirs',`
##
##
#
@@ -13737,7 +13777,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -4786,17 +5677,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
+@@ -4786,17 +5695,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
##
##
#
@@ -13759,7 +13799,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -4804,73 +5695,59 @@ interface(`files_delete_usr_dirs',`
+@@ -4804,73 +5713,59 @@ interface(`files_delete_usr_dirs',`
##
##
#
@@ -13852,7 +13892,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -4878,55 +5755,58 @@ interface(`files_read_usr_files',`
+@@ -4878,55 +5773,58 @@ interface(`files_read_usr_files',`
##
##
#
@@ -13927,7 +13967,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -4934,67 +5814,70 @@ interface(`files_manage_usr_files',`
+@@ -4934,67 +5832,70 @@ interface(`files_manage_usr_files',`
##
##
#
@@ -14016,7 +14056,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5003,35 +5886,50 @@ interface(`files_read_usr_symlinks',`
+@@ -5003,35 +5904,50 @@ interface(`files_read_usr_symlinks',`
##
##
#
@@ -14076,7 +14116,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5039,20 +5937,17 @@ interface(`files_dontaudit_search_src',`
+@@ -5039,20 +5955,17 @@ interface(`files_dontaudit_search_src',`
##
##
#
@@ -14101,7 +14141,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5060,20 +5955,18 @@ interface(`files_getattr_usr_src_files',`
+@@ -5060,20 +5973,18 @@ interface(`files_getattr_usr_src_files',`
##
##
#
@@ -14126,7 +14166,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5081,38 +5974,35 @@ interface(`files_read_usr_src_files',`
+@@ -5081,38 +5992,35 @@ interface(`files_read_usr_src_files',`
##
##
#
@@ -14174,7 +14214,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5120,37 +6010,36 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5120,37 +6028,36 @@ interface(`files_create_kernel_symbol_table',`
##
##
#
@@ -14222,7 +14262,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5158,35 +6047,35 @@ interface(`files_delete_kernel_symbol_table',`
+@@ -5158,35 +6065,35 @@ interface(`files_delete_kernel_symbol_table',`
##
##
#
@@ -14267,7 +14307,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5194,36 +6083,55 @@ interface(`files_dontaudit_write_var_dirs',`
+@@ -5194,36 +6101,55 @@ interface(`files_dontaudit_write_var_dirs',`
##
##
#
@@ -14333,7 +14373,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5231,36 +6139,37 @@ interface(`files_dontaudit_search_var',`
+@@ -5231,36 +6157,37 @@ interface(`files_dontaudit_search_var',`
##
##
#
@@ -14381,7 +14421,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5268,17 +6177,17 @@ interface(`files_manage_var_dirs',`
+@@ -5268,17 +6195,17 @@ interface(`files_manage_var_dirs',`
##
##
#
@@ -14403,7 +14443,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5286,17 +6195,17 @@ interface(`files_read_var_files',`
+@@ -5286,17 +6213,17 @@ interface(`files_read_var_files',`
##
##
#
@@ -14425,7 +14465,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5304,73 +6213,86 @@ interface(`files_append_var_files',`
+@@ -5304,73 +6231,86 @@ interface(`files_append_var_files',`
##
##
#
@@ -14532,7 +14572,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5378,50 +6300,41 @@ interface(`files_read_var_symlinks',`
+@@ -5378,50 +6318,41 @@ interface(`files_read_var_symlinks',`
##
##
#
@@ -14597,7 +14637,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5429,69 +6342,56 @@ interface(`files_var_filetrans',`
+@@ -5429,69 +6360,56 @@ interface(`files_var_filetrans',`
##
##
#
@@ -14682,7 +14722,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5499,17 +6399,18 @@ interface(`files_dontaudit_search_var_lib',`
+@@ -5499,17 +6417,18 @@ interface(`files_dontaudit_search_var_lib',`
##
##
#
@@ -14706,7 +14746,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5517,70 +6418,54 @@ interface(`files_list_var_lib',`
+@@ -5517,70 +6436,54 @@ interface(`files_list_var_lib',`
##
##
#
@@ -14790,7 +14830,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5588,41 +6473,36 @@ interface(`files_read_var_lib_files',`
+@@ -5588,41 +6491,36 @@ interface(`files_read_var_lib_files',`
##
##
#
@@ -14842,7 +14882,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5630,36 +6510,36 @@ interface(`files_manage_urandom_seed',`
+@@ -5630,36 +6528,36 @@ interface(`files_manage_urandom_seed',`
##
##
#
@@ -14889,7 +14929,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5667,38 +6547,35 @@ interface(`files_setattr_lock_dirs',`
+@@ -5667,38 +6565,35 @@ interface(`files_setattr_lock_dirs',`
##
##
#
@@ -14937,7 +14977,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5706,19 +6583,17 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,19 +6601,17 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -14961,7 +15001,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5726,60 +6601,54 @@ interface(`files_list_locks',`
+@@ -5726,60 +6619,54 @@ interface(`files_list_locks',`
##
##
#
@@ -15037,7 +15077,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5787,20 +6656,18 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,20 +6674,18 @@ interface(`files_relabel_all_lock_dirs',`
##
##
#
@@ -15063,7 +15103,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5808,63 +6675,68 @@ interface(`files_getattr_generic_locks',`
+@@ -5808,63 +6693,68 @@ interface(`files_getattr_generic_locks',`
##
##
#
@@ -15155,7 +15195,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5872,101 +6744,87 @@ interface(`files_delete_all_locks',`
+@@ -5872,101 +6762,87 @@ interface(`files_delete_all_locks',`
##
##
#
@@ -15292,7 +15332,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5974,19 +6832,17 @@ interface(`files_dontaudit_getattr_pid_dirs',`
+@@ -5974,19 +6850,17 @@ interface(`files_dontaudit_getattr_pid_dirs',`
##
##
#
@@ -15316,7 +15356,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -5994,39 +6850,52 @@ interface(`files_setattr_pid_dirs',`
+@@ -5994,39 +6868,52 @@ interface(`files_setattr_pid_dirs',`
##
##
#
@@ -15382,7 +15422,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -6034,18 +6903,18 @@ interface(`files_dontaudit_search_pids',`
+@@ -6034,18 +6921,18 @@ interface(`files_dontaudit_search_pids',`
##
##
#
@@ -15406,7 +15446,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -6053,19 +6922,18 @@ interface(`files_list_pids',`
+@@ -6053,19 +6940,1283 @@ interface(`files_list_pids',`
##
##
#
@@ -15421,45 +15461,35 @@ index f962f76..890900c 100644
- list_dirs_pattern($1, var_t, var_run_t)
- read_files_pattern($1, var_run_t, var_run_t)
+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
- ')
-
- ########################################
- ##
--## Write named generic process ID pipes
++')
++
++########################################
++##
+## manage generic symbolic links
+## in the /var/lib directory.
- ##
- ##
- ##
-@@ -6073,23 +6941,652 @@ interface(`files_read_generic_pids',`
- ##
- ##
- #
--interface(`files_write_generic_pid_pipes',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_manage_var_lib_symlinks',`
- gen_require(`
-- type var_run_t;
++ gen_require(`
+ type var_lib_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:fifo_file write;
++ ')
++
+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
- ')
-
++')
++
+# cjp: the next two interfaces really need to be fixed
+# in some way. They really neeed their own types.
+
- ########################################
- ##
--## Create an object in the process ID directory, with a private type.
++########################################
++##
+## Create, read, write, and delete the
+## pseudorandom number generator seed.
- ##
--##
--##
--## Create an object in the process ID directory (e.g., /var/run)
--## with a private type. Typically this is used for creating
++##
+##
+##
+## Domain allowed access.
@@ -16090,14 +16120,14 @@ index f962f76..890900c 100644
+##
+## Create an object in the process ID directory (e.g., /var/run)
+## with a private type. Typically this is used for creating
- ## private PID files in /var/run with the private type instead
- ## of the general PID file type. To accomplish this goal,
- ## either the program must be SELinux-aware, or use this interface.
-@@ -6098,18 +7595,781 @@ interface(`files_write_generic_pid_pipes',`
- ## Related interfaces:
- ##
- ##
--## - files_pid_file()
++## private PID files in /var/run with the private type instead
++## of the general PID file type. To accomplish this goal,
++## either the program must be SELinux-aware, or use this interface.
++##
++##
++## Related interfaces:
++##
++##
+##
@@ -16554,11 +16584,9 @@ index f962f76..890900c 100644
+##
+##
+## - files_spool_filetrans()
- ##
- ##
- ## Example usage with a domain that can create and
--## write its PID file with a private PID file type in the
--## /var/run directory:
++##
++##
++## Example usage with a domain that can create and
+## write its spool file in the system spool file
+## directories (/var/spool):
+##
@@ -16567,7 +16595,7 @@ index f962f76..890900c 100644
+## files_spool_file(myfile_spool_t)
+## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
+## files_spool_filetrans(mydomain_t, myfile_spool_t, file)
- ##
++##
+##
+##
+##
@@ -16698,30 +16726,36 @@ index f962f76..890900c 100644
+ ')
+
+ list_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Write named generic process ID pipes
+## Create, read, write, and delete generic
+## spool directories (/var/spool).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6073,43 +8224,170 @@ interface(`files_read_generic_pids',`
+ ##
+ ##
+ #
+-interface(`files_write_generic_pid_pipes',`
+interface(`files_manage_generic_spool_dirs',`
-+ gen_require(`
+ gen_require(`
+- type var_run_t;
+ type var_t, var_spool_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:fifo_file write;
+ allow $1 var_t:dir search_dir_perms;
+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create an object in the process ID directory, with a private type.
+## Read generic spool files.
+##
+##
@@ -16871,9 +16905,27 @@ index f962f76..890900c 100644
+########################################
+##
+## Create a core files in /
-+##
-+##
+ ##
+ ##
##
+-## Create an object in the process ID directory (e.g., /var/run)
+-## with a private type. Typically this is used for creating
+-## private PID files in /var/run with the private type instead
+-## of the general PID file type. To accomplish this goal,
+-## either the program must be SELinux-aware, or use this interface.
+-##
+-##
+-## Related interfaces:
+-##
+-##
+-## - files_pid_file()
+-##
+-##
+-## Example usage with a domain that can create and
+-## write its PID file with a private PID file type in the
+-## /var/run directory:
+-##
+-##
-## type mypidfile_t;
-## files_pid_file(mypidfile_t)
-## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
@@ -16882,7 +16934,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -6117,80 +8377,157 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6117,80 +8395,157 @@ interface(`files_write_generic_pid_pipes',`
## Domain allowed access.
##
##
@@ -17069,7 +17121,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -6198,19 +8535,17 @@ interface(`files_rw_generic_pids',`
+@@ -6198,19 +8553,17 @@ interface(`files_rw_generic_pids',`
##
##
#
@@ -17093,7 +17145,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -6218,18 +8553,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+@@ -6218,18 +8571,17 @@ interface(`files_dontaudit_getattr_all_pids',`
##
##
#
@@ -17116,7 +17168,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -6237,129 +8571,118 @@ interface(`files_dontaudit_write_all_pids',`
+@@ -6237,129 +8589,118 @@ interface(`files_dontaudit_write_all_pids',`
##
##
#
@@ -17285,7 +17337,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -6367,18 +8690,19 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,18 +8708,19 @@ interface(`files_mounton_all_poly_members',`
##
##
#
@@ -17310,7 +17362,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -6386,132 +8710,227 @@ interface(`files_search_spool',`
+@@ -6386,132 +8728,227 @@ interface(`files_search_spool',`
##
##
#
@@ -17584,7 +17636,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -6519,53 +8938,17 @@ interface(`files_spool_filetrans',`
+@@ -6519,53 +8956,17 @@ interface(`files_spool_filetrans',`
##
##
#
@@ -17642,7 +17694,7 @@ index f962f76..890900c 100644
##
##
##
-@@ -6573,10 +8956,10 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +8974,10 @@ interface(`files_polyinstantiate_all',`
##
##
#
@@ -22638,6 +22690,49 @@ index 2da98c2..31bed0a 100644
attribute mcsreadall;
attribute mcs_constrained_type;
+attribute mcsnetwrite;
+diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
+index d178478..42bf05b 100644
+--- a/policy/modules/kernel/mls.if
++++ b/policy/modules/kernel/mls.if
+@@ -100,6 +100,26 @@ interface(`mls_file_write_to_clearance',`
+ ########################################
+ ##
+ ## Make specified domain MLS trusted
++## for relabelto to files up to its clearance.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`mls_file_relabel_to_clearance',`
++ gen_require(`
++ attribute mlsfilerelabeltoclr;
++ ')
++
++ typeattribute $1 mlsfilerelabeltoclr;
++')
++
++########################################
++##
++## Make specified domain MLS trusted
+ ## for writing to files at all levels. (Deprecated)
+ ##
+ ##
+diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
+index 8c7bd90..66ee5b9 100644
+--- a/policy/modules/kernel/mls.te
++++ b/policy/modules/kernel/mls.te
+@@ -12,6 +12,7 @@ attribute mlsfilewritetoclr;
+ attribute mlsfilewriteinrange;
+ attribute mlsfileupgrade;
+ attribute mlsfiledowngrade;
++attribute mlsfilerelabeltoclr;
+
+ attribute mlsnetread;
+ attribute mlsnetreadtoclr;
diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc
index 7be4ddf..4d4c577 100644
--- a/policy/modules/kernel/selinux.fc
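Review bot: The new `mls_file_relabel_to_clearance` interface says what the attribute grants but not that applying it relaxes an MLS constraint, so a module author reading mls.if cannot tell that this is a privilege grant rather than an ordinary allow; the changelog at the end of this diff gives the rationale (package managers processing sensitive data) and that belongs in the interface comment. Suggest extending the description with `## This relaxes the MLS relabelto constraint; assign it only to trusted domains such as package managers.` and a matching `# exemption from the file relabelto MLS check` beside the new `attribute mlsfilerelabeltoclr;` line in mls.te. The constraint that consumes the attribute is presumably in the policy/mls hunk elsewhere in this patch; verify the attribute name matches there.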
@@ -36748,7 +36843,7 @@ index 79a45f6..e69fa39 100644
+ allow $1 init_var_lib_t:dir search_dir_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..ca7fe18 100644
+index 17eda24..ef7952e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -37043,7 +37138,7 @@ index 17eda24..ca7fe18 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +323,263 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +323,264 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -37163,6 +37258,7 @@ index 17eda24..ca7fe18 100644
+
+files_search_all(init_t)
+files_mounton_all_mountpoints(init_t)
++files_mounton_etc(init_t)
+files_unmount_all_file_type_fs(init_t)
+files_manage_all_pid_dirs(init_t)
+files_manage_etc_dirs(init_t)
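Review bot: `files_mounton_etc(init_t)` is added without a comment, although it lets the init domain mount over the system configuration directory, which is a broad privilege whose reason should be recorded next to the rule; the changelog at the end of this diff attributes it to BZ(1341753). Suggest `# BZ(1341753): systemd mounts over /etc` on the line above it. The init_t rule block this sits in starts and ends outside the hunk.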
@@ -37316,7 +37412,7 @@ index 17eda24..ca7fe18 100644
')
optional_policy(`
-@@ -216,7 +587,30 @@ optional_policy(`
+@@ -216,7 +588,30 @@ optional_policy(`
')
optional_policy(`
@@ -37348,7 +37444,7 @@ index 17eda24..ca7fe18 100644
')
########################################
-@@ -225,9 +619,9 @@ optional_policy(`
+@@ -225,9 +620,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -37360,7 +37456,7 @@ index 17eda24..ca7fe18 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +652,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +653,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -37377,7 +37473,7 @@ index 17eda24..ca7fe18 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +677,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +678,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -37420,7 +37516,7 @@ index 17eda24..ca7fe18 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +714,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +715,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -37432,7 +37528,7 @@ index 17eda24..ca7fe18 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +726,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +727,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -37443,7 +37539,7 @@ index 17eda24..ca7fe18 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +737,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +738,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -37453,7 +37549,7 @@ index 17eda24..ca7fe18 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +746,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +747,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -37461,7 +37557,7 @@ index 17eda24..ca7fe18 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +753,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +754,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -37469,7 +37565,7 @@ index 17eda24..ca7fe18 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +761,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +762,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -37487,7 +37583,7 @@ index 17eda24..ca7fe18 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +779,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +780,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -37501,7 +37597,7 @@ index 17eda24..ca7fe18 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +794,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +795,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -37515,7 +37611,7 @@ index 17eda24..ca7fe18 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,8 +807,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +808,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -37526,7 +37622,7 @@ index 17eda24..ca7fe18 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +820,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +821,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -37534,7 +37630,7 @@ index 17eda24..ca7fe18 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +839,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +840,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -37558,7 +37654,7 @@ index 17eda24..ca7fe18 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +872,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +873,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -37566,7 +37662,7 @@ index 17eda24..ca7fe18 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +906,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +907,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -37577,7 +37673,7 @@ index 17eda24..ca7fe18 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +930,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +931,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -37586,7 +37682,7 @@ index 17eda24..ca7fe18 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +945,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +946,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -37594,7 +37690,7 @@ index 17eda24..ca7fe18 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +966,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +967,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -37602,7 +37698,7 @@ index 17eda24..ca7fe18 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +976,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +977,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -37647,7 +37743,7 @@ index 17eda24..ca7fe18 100644
')
optional_policy(`
-@@ -559,14 +1021,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1022,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -37679,7 +37775,7 @@ index 17eda24..ca7fe18 100644
')
')
-@@ -577,6 +1056,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1057,39 @@ ifdef(`distro_suse',`
')
')
@@ -37719,7 +37815,7 @@ index 17eda24..ca7fe18 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1101,8 @@ optional_policy(`
+@@ -589,6 +1102,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -37728,7 +37824,7 @@ index 17eda24..ca7fe18 100644
')
optional_policy(`
-@@ -610,6 +1124,7 @@ optional_policy(`
+@@ -610,6 +1125,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -37736,7 +37832,7 @@ index 17eda24..ca7fe18 100644
')
optional_policy(`
-@@ -626,6 +1141,17 @@ optional_policy(`
+@@ -626,6 +1142,17 @@ optional_policy(`
')
optional_policy(`
@@ -37754,7 +37850,7 @@ index 17eda24..ca7fe18 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1168,13 @@ optional_policy(`
+@@ -642,9 +1169,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -37768,7 +37864,7 @@ index 17eda24..ca7fe18 100644
')
optional_policy(`
-@@ -657,15 +1187,11 @@ optional_policy(`
+@@ -657,15 +1188,11 @@ optional_policy(`
')
optional_policy(`
@@ -37786,7 +37882,7 @@ index 17eda24..ca7fe18 100644
')
optional_policy(`
-@@ -686,6 +1212,15 @@ optional_policy(`
+@@ -686,6 +1213,15 @@ optional_policy(`
')
optional_policy(`
@@ -37802,7 +37898,7 @@ index 17eda24..ca7fe18 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1261,7 @@ optional_policy(`
+@@ -726,6 +1262,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -37810,7 +37906,7 @@ index 17eda24..ca7fe18 100644
')
optional_policy(`
-@@ -743,7 +1279,13 @@ optional_policy(`
+@@ -743,7 +1280,13 @@ optional_policy(`
')
optional_policy(`
@@ -37825,7 +37921,7 @@ index 17eda24..ca7fe18 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1308,10 @@ optional_policy(`
+@@ -766,6 +1309,10 @@ optional_policy(`
')
optional_policy(`
@@ -37836,7 +37932,7 @@ index 17eda24..ca7fe18 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1321,20 @@ optional_policy(`
+@@ -775,10 +1322,20 @@ optional_policy(`
')
optional_policy(`
@@ -37857,7 +37953,7 @@ index 17eda24..ca7fe18 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1343,10 @@ optional_policy(`
+@@ -787,6 +1344,10 @@ optional_policy(`
')
optional_policy(`
@@ -37868,7 +37964,7 @@ index 17eda24..ca7fe18 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1368,6 @@ optional_policy(`
+@@ -808,8 +1369,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -37877,7 +37973,7 @@ index 17eda24..ca7fe18 100644
')
optional_policy(`
-@@ -818,6 +1376,10 @@ optional_policy(`
+@@ -818,6 +1377,10 @@ optional_policy(`
')
optional_policy(`
@@ -37888,7 +37984,7 @@ index 17eda24..ca7fe18 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1389,12 @@ optional_policy(`
+@@ -827,10 +1390,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -37901,7 +37997,7 @@ index 17eda24..ca7fe18 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1421,60 @@ optional_policy(`
+@@ -857,21 +1422,60 @@ optional_policy(`
')
optional_policy(`
@@ -37963,7 +38059,7 @@ index 17eda24..ca7fe18 100644
')
optional_policy(`
-@@ -887,6 +1490,10 @@ optional_policy(`
+@@ -887,6 +1491,10 @@ optional_policy(`
')
optional_policy(`
@@ -37974,7 +38070,7 @@ index 17eda24..ca7fe18 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1504,218 @@ optional_policy(`
+@@ -897,3 +1505,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -39164,7 +39260,7 @@ index 0000000..c814795
+fs_manage_kdbus_dirs(systemd_logind_t)
+fs_manage_kdbus_files(systemd_logind_t)
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c0..4fef124 100644
+index 73bb3c0..0dd3f58 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -1,3 +1,4 @@
@@ -39331,7 +39427,7 @@ index 73bb3c0..4fef124 100644
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -299,17 +311,155 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -299,17 +311,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
#
/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
@@ -39453,6 +39549,7 @@ index 73bb3c0..4fef124 100644
+/usr/lib/httpd/modules/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+')
+/opt/VBoxGuestAdditions.*/lib/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/var/lib/VBoxGuestAdditions.*/lib/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/nmm/liba52\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/lampp/lib/libct\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
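Review bot: The new `/var/lib/VBoxGuestAdditions.*/lib/.*\.so` entry uses an unbounded `.*` directly after the directory prefix, so it also matches any sibling tree whose name merely starts with `VBoxGuestAdditions` and any depth between it and `lib/`, labeling all of those objects `textrel_shlib_t`. It mirrors the existing `/opt/VBoxGuestAdditions.*/lib/VBox.*\.so` line above, but drops the `VBox` filename prefix, so it is wider than its /opt sibling. If the intent is the versioned install directory, `/var/lib/VBoxGuestAdditions[^/]*/lib/.*\.so` would be tighter; otherwise a comment citing BZ(1356654) from the changelog would document the deliberate breadth.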
@@ -48294,10 +48391,10 @@ index 0000000..16cd1ac
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..1d1f80b
+index 0000000..0a20dcb
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,950 @@
+@@ -0,0 +1,952 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -49154,6 +49251,8 @@ index 0000000..1d1f80b
+dev_write_kmsg(systemd_gpt_generator_t)
+dev_read_nvme(systemd_gpt_generator_t)
+
++fstools_exec(systemd_gpt_generator_t)
++
+storage_raw_read_fixed_disk(systemd_gpt_generator_t)
+storage_raw_read_removable_device(systemd_gpt_generator_t)
+
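Review bot: `fstools_exec(systemd_gpt_generator_t)` runs the fs tools without a domain transition, so everything they do executes with the generator's own permissions and any denials are attributed to `systemd_gpt_generator_t`; the hunk gives no reason for choosing exec over a transition. Suggest `# BZ(1353585): generator runs fs tools in its own domain` above the new line, citing the bug referenced in the changelog. The systemd_gpt_generator_t rules start outside the hunk.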
diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch
index e4152ae..c2f7d64 100644
--- a/policy-f24-contrib.patch
+++ b/policy-f24-contrib.patch
@@ -29669,7 +29669,7 @@ index 4498143..84a4858 100644
ftp_run_ftpdctl($1, $2)
')
diff --git a/ftp.te b/ftp.te
-index 36838c2..0a8b621 100644
+index 36838c2..21cc5ed 100644
--- a/ftp.te
+++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
@@ -29834,11 +29834,16 @@ index 36838c2..0a8b621 100644
miscfiles_read_public_files(ftpd_t)
seutil_dontaudit_search_config(ftpd_t)
-@@ -259,32 +228,50 @@ sysnet_use_ldap(ftpd_t)
+@@ -259,32 +228,55 @@ sysnet_use_ldap(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
userdom_dontaudit_search_user_home_dirs(ftpd_t)
+userdom_filetrans_home_content(ftpd_t)
++userdom_manage_user_home_content_dirs(ftpd_t)
++userdom_manage_user_home_content_files(ftpd_t)
++userdom_manage_user_tmp_dirs(ftpd_t)
++userdom_manage_user_tmp_files(ftpd_t)
++
-tunable_policy(`allow_ftpd_anon_write',`
+tunable_policy(`ftpd_anon_write',`
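Review bot: The four new `userdom_manage_user_home_content_*` / `userdom_manage_user_tmp_*` rules for `ftpd_t` are unconditional, placed above the `ftpd_anon_write` tunable block rather than inside any tunable, so every user's home content and tmp files become writable by the FTP daemon regardless of configuration. The changelog confirms this is intended ("without any boolean"), but nothing in the file says so; a comment such as `# intentionally not gated by a boolean, see changelog for 3.13.1-191.9` above the block would keep the next reviewer from re-gating it and should also record why the gate was dropped. The ftpd_t rules continue outside the hunk.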
@@ -29892,7 +29897,7 @@ index 36838c2..0a8b621 100644
')
tunable_policy(`ftpd_use_passive_mode',`
-@@ -304,44 +291,24 @@ tunable_policy(`ftpd_connect_db',`
+@@ -304,44 +296,24 @@ tunable_policy(`ftpd_connect_db',`
corenet_sendrecv_mssql_client_packets(ftpd_t)
corenet_tcp_connect_mssql_port(ftpd_t)
corenet_tcp_sendrecv_mssql_port(ftpd_t)
@@ -29942,7 +29947,7 @@ index 36838c2..0a8b621 100644
corecmd_exec_shell(ftpd_t)
files_read_usr_files(ftpd_t)
-@@ -363,9 +330,8 @@ optional_policy(`
+@@ -363,9 +335,8 @@ optional_policy(`
optional_policy(`
selinux_validate_context(ftpd_t)
@@ -29953,7 +29958,7 @@ index 36838c2..0a8b621 100644
kerberos_use(ftpd_t)
')
-@@ -416,86 +382,39 @@ optional_policy(`
+@@ -416,86 +387,39 @@ optional_policy(`
#
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -45848,7 +45853,7 @@ index dd8e01a..9cd6b0b 100644
##
##
diff --git a/logrotate.te b/logrotate.te
-index be0ab84..6f475e4 100644
+index be0ab84..9059174 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0)
@@ -45885,7 +45890,7 @@ index be0ab84..6f475e4 100644
type logrotate_lock_t;
files_lock_file(logrotate_lock_t)
-@@ -25,21 +38,30 @@ files_tmp_file(logrotate_tmp_t)
+@@ -25,21 +38,31 @@ files_tmp_file(logrotate_tmp_t)
type logrotate_var_lib_t;
files_type(logrotate_var_lib_t)
@@ -45919,10 +45924,11 @@ index be0ab84..6f475e4 100644
allow logrotate_t self:unix_dgram_socket sendto;
-allow logrotate_t self:unix_stream_socket { accept connectto listen };
+allow logrotate_t self:unix_stream_socket connectto;
++allow logrotate_t self:netlink_selinux_socket create_socket_perms;
allow logrotate_t self:shm create_shm_perms;
allow logrotate_t self:sem create_sem_perms;
allow logrotate_t self:msgq create_msgq_perms;
-@@ -48,36 +70,52 @@ allow logrotate_t self:msg { send receive };
+@@ -48,36 +71,52 @@ allow logrotate_t self:msg { send receive };
allow logrotate_t logrotate_lock_t:file manage_file_perms;
files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
@@ -45980,7 +45986,7 @@ index be0ab84..6f475e4 100644
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
-@@ -95,32 +133,55 @@ mls_process_write_to_clearance(logrotate_t)
+@@ -95,32 +134,55 @@ mls_process_write_to_clearance(logrotate_t)
selinux_get_fs_mount(logrotate_t)
selinux_get_enforce_mode(logrotate_t)
@@ -46042,7 +46048,7 @@ index be0ab84..6f475e4 100644
')
optional_policy(`
-@@ -135,16 +196,17 @@ optional_policy(`
+@@ -135,16 +197,17 @@ optional_policy(`
optional_policy(`
apache_read_config(logrotate_t)
@@ -46062,7 +46068,7 @@ index be0ab84..6f475e4 100644
')
optional_policy(`
-@@ -170,6 +232,11 @@ optional_policy(`
+@@ -170,6 +233,11 @@ optional_policy(`
')
optional_policy(`
@@ -46074,7 +46080,7 @@ index be0ab84..6f475e4 100644
fail2ban_stream_connect(logrotate_t)
')
-@@ -178,7 +245,7 @@ optional_policy(`
+@@ -178,7 +246,7 @@ optional_policy(`
')
optional_policy(`
@@ -46083,7 +46089,7 @@ index be0ab84..6f475e4 100644
')
optional_policy(`
-@@ -198,17 +265,18 @@ optional_policy(`
+@@ -198,17 +266,18 @@ optional_policy(`
')
optional_policy(`
@@ -46105,7 +46111,7 @@ index be0ab84..6f475e4 100644
')
optional_policy(`
-@@ -216,6 +284,14 @@ optional_policy(`
+@@ -216,6 +285,14 @@ optional_policy(`
')
optional_policy(`
@@ -46120,7 +46126,7 @@ index be0ab84..6f475e4 100644
samba_exec_log(logrotate_t)
')
-@@ -228,26 +304,50 @@ optional_policy(`
+@@ -228,26 +305,50 @@ optional_policy(`
')
optional_policy(`
@@ -49816,10 +49822,10 @@ index 0000000..f5b98e6
+')
diff --git a/mock.te b/mock.te
new file mode 100644
-index 0000000..942a31e
+index 0000000..d854e6c
--- /dev/null
+++ b/mock.te
-@@ -0,0 +1,286 @@
+@@ -0,0 +1,287 @@
+policy_module(mock,1.0.0)
+
+##
@@ -50102,6 +50108,7 @@ index 0000000..942a31e
+
+term_use_all_inherited_terms(mock_build_t)
+userdom_use_inherited_user_ptys(mock_build_t)
++term_dontaudit_manage_pty_dirs(mock_build_t)
+
+tunable_policy(`mock_enable_homedirs',`
+ userdom_read_user_home_content_files(mock_build_t)
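Review bot: `term_dontaudit_manage_pty_dirs(mock_build_t)` silences create/write/delete denials on pty directories, but the changelog entry for this release says only that mock_build_t may list all ptys, so the dontaudit is wider than the stated need and would hide unexpected modification attempts from the audit log. If listing is all that is required, a listing-only interface (e.g. `term_dontaudit_list_ptys`, if available in this tree) matches the changelog; otherwise the changelog should say manage. Style: the line also lands after `userdom_use_inherited_user_ptys`, splitting the `term_*` calls; placing it directly below `term_use_all_inherited_terms` keeps the grouping.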
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 464f016..27988ac 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 191.8%{?dist}
+Release: 191.9%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -645,6 +645,16 @@ exit 0
%endif
%changelog
+* Fri Jul 29 2016 Lukas Vrabec 3.13.1-191.9
+- Dontaudit mock_build_t can list all ptys.
+- Allow ftpd_t to mamange userhome data without any boolean.
+- Add logrotate permissions for creating netlink selinux sockets.
+- Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data.
+- Label all VBox libraries stored in /var/lib/VBoxGuestAdditions/lib/ as textrel_shlib_t BZ(1356654)
+- Allow systemd gpt generator to run fstools BZ(1353585)
+- Allow gnome-keyring also manage user_tmp_t sockets.
+- Allow systemd to mounton /etc filesystem. BZ(1341753)
+
* Wed Jul 27 2016 Lukas Vrabec 3.13.1-191.8
- Fix typo bug in ssh policy