diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index 0dc040b..5144752 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -174,11 +174,11 @@ bind = module
rpcbind = module
# Layer: contrib
-# Module: rng
+# Module: rngd
#
# Daemon used to feed random data from hardware device to kernel random device
#
-rng = module
+rngd = module
# Layer: services
# Module: bitlbee
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 9978ecb..e75a369 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -114011,7 +114011,7 @@ index 8796ca3..0cabe1f 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index e1e814d..5060977 100644
+index e1e814d..cbcb4aa 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -115512,7 +115512,7 @@ index e1e814d..5060977 100644
## Search the contents of generic spool
## directories (/var/spool).
##
-@@ -6467,3 +7403,439 @@ interface(`files_unconfined',`
+@@ -6467,3 +7403,459 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -115952,6 +115952,26 @@ index e1e814d..5060977 100644
+ read_files_pattern($1, base_ro_file_type, base_ro_file_type)
+ read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type)
+')
++
++########################################
++##
++## Allow the specified domain to modify the systemd configuration of
++## any file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_config_all_files',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ allow $1 file_type:service all_service_perms;
++')
++
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 52ef84e..45cb0bc 100644
--- a/policy/modules/kernel/files.te
@@ -124912,7 +124932,7 @@ index 130ced9..af3532c 100644
+ files_search_tmp($1)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index d40f750..8e37e5c 100644
+index d40f750..fa7e3cb 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -125441,7 +125461,7 @@ index d40f750..8e37e5c 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -430,9 +591,25 @@ files_list_mnt(xdm_t)
+@@ -430,9 +591,26 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -125455,6 +125475,7 @@ index d40f750..8e37e5c 100644
fs_getattr_all_fs(xdm_t)
fs_search_auto_mountpoints(xdm_t)
++fs_search_all(xdm_t)
+fs_rw_anon_inodefs_files(xdm_t)
+fs_mount_tmpfs(xdm_t)
+fs_list_inotifyfs(xdm_t)
@@ -125467,7 +125488,7 @@ index d40f750..8e37e5c 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +618,41 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +619,41 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -125512,7 +125533,7 @@ index d40f750..8e37e5c 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +661,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +662,43 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -125562,7 +125583,7 @@ index d40f750..8e37e5c 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,11 +711,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +712,21 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -125584,7 +125605,7 @@ index d40f750..8e37e5c 100644
')
optional_policy(`
-@@ -514,12 +733,65 @@ optional_policy(`
+@@ -514,12 +734,65 @@ optional_policy(`
')
optional_policy(`
@@ -125650,7 +125671,7 @@ index d40f750..8e37e5c 100644
hostname_exec(xdm_t)
')
-@@ -537,28 +809,74 @@ optional_policy(`
+@@ -537,28 +810,74 @@ optional_policy(`
')
optional_policy(`
@@ -125734,7 +125755,7 @@ index d40f750..8e37e5c 100644
')
optional_policy(`
-@@ -570,6 +888,14 @@ optional_policy(`
+@@ -570,6 +889,14 @@ optional_policy(`
')
optional_policy(`
@@ -125749,7 +125770,7 @@ index d40f750..8e37e5c 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,8 +920,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +921,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -125762,7 +125783,7 @@ index d40f750..8e37e5c 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +937,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +938,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -125778,7 +125799,7 @@ index d40f750..8e37e5c 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -628,12 +964,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +965,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -125800,7 +125821,7 @@ index d40f750..8e37e5c 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +984,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +985,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -125814,7 +125835,7 @@ index d40f750..8e37e5c 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1010,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1011,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -125846,7 +125867,7 @@ index d40f750..8e37e5c 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,8 +1042,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,8 +1043,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -125860,7 +125881,7 @@ index d40f750..8e37e5c 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -708,20 +1061,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1062,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -125884,7 +125905,7 @@ index d40f750..8e37e5c 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -775,16 +1126,40 @@ optional_policy(`
+@@ -775,16 +1127,40 @@ optional_policy(`
')
optional_policy(`
@@ -125926,7 +125947,7 @@ index d40f750..8e37e5c 100644
unconfined_domtrans(xserver_t)
')
-@@ -793,6 +1168,10 @@ optional_policy(`
+@@ -793,6 +1169,10 @@ optional_policy(`
')
optional_policy(`
@@ -125937,7 +125958,7 @@ index d40f750..8e37e5c 100644
xfs_stream_connect(xserver_t)
')
-@@ -808,10 +1187,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1188,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -125951,7 +125972,7 @@ index d40f750..8e37e5c 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1198,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1199,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -125960,7 +125981,7 @@ index d40f750..8e37e5c 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -832,26 +1211,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1212,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -125995,7 +126016,7 @@ index d40f750..8e37e5c 100644
')
optional_policy(`
-@@ -859,6 +1233,10 @@ optional_policy(`
+@@ -859,6 +1234,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -126006,7 +126027,7 @@ index d40f750..8e37e5c 100644
########################################
#
# Rules common to all X window domains
-@@ -902,7 +1280,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1281,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -126015,7 +126036,7 @@ index d40f750..8e37e5c 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1334,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1335,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -126047,7 +126068,7 @@ index d40f750..8e37e5c 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -982,18 +1380,44 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1381,44 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -137338,10 +137359,10 @@ index 0000000..0d6acca
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..05da975
+index 0000000..f474076
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,444 @@
+@@ -0,0 +1,442 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -137768,8 +137789,6 @@ index 0000000..05da975
+logging_send_syslog_msg(systemd_logger_t)
+logging_stream_connect_syslog(systemd_logger_t)
+
-+
-+
+########################################
+#
+# systemd_sysctl domains local policy
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index ad94e53..19bd039 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -8949,7 +8949,7 @@ index bbac14a..99c5cca 100644
+
')
diff --git a/clamav.te b/clamav.te
-index a10350e..cf360c2 100644
+index a10350e..789ac95 100644
--- a/clamav.te
+++ b/clamav.te
@@ -1,9 +1,23 @@
@@ -9133,12 +9133,13 @@ index a10350e..cf360c2 100644
corenet_sendrecv_http_client_packets(freshclam_t)
dev_read_rand(freshclam_t)
-@@ -196,27 +246,30 @@ dev_read_urand(freshclam_t)
+@@ -196,27 +246,31 @@ dev_read_urand(freshclam_t)
domain_use_interactive_fds(freshclam_t)
-files_read_etc_files(freshclam_t)
files_read_etc_runtime_files(freshclam_t)
++files_read_usr_files(freshclam_t)
auth_use_nsswitch(freshclam_t)
@@ -9171,7 +9172,7 @@ index a10350e..cf360c2 100644
########################################
#
# clamscam local policy
-@@ -242,15 +295,38 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+@@ -242,15 +296,38 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
@@ -9211,7 +9212,7 @@ index a10350e..cf360c2 100644
files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
-@@ -259,15 +335,19 @@ files_search_var_lib(clamscan_t)
+@@ -259,15 +336,19 @@ files_search_var_lib(clamscan_t)
init_read_utmp(clamscan_t)
init_dontaudit_write_utmp(clamscan_t)
@@ -15382,7 +15383,7 @@ index fb4bf82..126d543 100644
+ dontaudit $1 session_bus_type:dbus send_msg;
')
diff --git a/dbus.te b/dbus.te
-index 625cb32..530fbfa 100644
+index 625cb32..90ad9da 100644
--- a/dbus.te
+++ b/dbus.te
@@ -10,6 +10,7 @@ gen_require(`
@@ -15498,14 +15499,17 @@ index 625cb32..530fbfa 100644
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
-@@ -150,12 +182,159 @@ optional_policy(`
+@@ -150,12 +182,162 @@ optional_policy(`
')
optional_policy(`
+ systemd_use_fds_logind(system_dbusd_t)
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+ systemd_write_inhibit_pipes(system_dbusd_t)
++# These are caused by broken systemd patch
+ systemd_start_power_services(system_dbusd_t)
++ systemd_config_all_services(system_dbusd_t)
++ files_config_all_files(system_dbusd_t)
+')
+
+optional_policy(`
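Review bot: The comment `# These are caused by broken systemd patch` sits at column 0 inside the optional_policy block while the rules around it are indented, and it names neither the patch nor the condition for removing the two grants below it. `systemd_config_all_services(system_dbusd_t)` and `files_config_all_files(system_dbusd_t)` give the system bus full service control over every service and every file_type, so the workaround should be marked as such with a way to find it again, e.g. an indented `# TODO(<tracking-id>): workaround for a broken systemd patch; drop both *_config_all_* calls once it is fixed`.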
@@ -24670,10 +24674,10 @@ index 4fde46b..3cece7c 100644
policykit_domtrans_auth(gnomeclock_t)
policykit_read_lib(gnomeclock_t)
diff --git a/gpg.fc b/gpg.fc
-index 5207fc2..a7848a2 100644
+index 5207fc2..c02fa56 100644
--- a/gpg.fc
+++ b/gpg.fc
-@@ -1,6 +1,10 @@
+@@ -1,10 +1,13 @@
HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
HOME_DIR/\.gnupg/log-socket gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
@@ -24684,6 +24688,10 @@ index 5207fc2..a7848a2 100644
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
+-/usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0)
+ /usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
+
+ /usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
diff --git a/gpg.if b/gpg.if
index 6d50300..2f0feca 100644
--- a/gpg.if
@@ -44321,7 +44329,7 @@ index 9759ed8..17c097d 100644
admin_pattern($1, plymouthd_var_run_t)
')
diff --git a/plymouthd.te b/plymouthd.te
-index 86700ed..ac3821e 100644
+index 86700ed..5772ef0 100644
--- a/plymouthd.te
+++ b/plymouthd.te
@@ -1,4 +1,4 @@
@@ -44353,7 +44361,15 @@ index 86700ed..ac3821e 100644
type plymouthd_var_run_t;
files_pid_file(plymouthd_var_run_t)
-@@ -42,6 +46,10 @@ manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+@@ -28,6 +32,7 @@ files_pid_file(plymouthd_var_run_t)
+ #
+
+ allow plymouthd_t self:capability { sys_admin sys_tty_config };
++allow plymouthd_t self:capability2 block_suspend;
+ dontaudit plymouthd_t self:capability dac_override;
+ allow plymouthd_t self:process { signal getsched };
+ allow plymouthd_t self:fifo_file rw_fifo_file_perms;
+@@ -42,6 +47,10 @@ manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
@@ -44364,7 +44380,7 @@ index 86700ed..ac3821e 100644
manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
-@@ -57,13 +65,42 @@ dev_write_framebuffer(plymouthd_t)
+@@ -57,13 +66,42 @@ dev_write_framebuffer(plymouthd_t)
domain_use_interactive_fds(plymouthd_t)
@@ -44408,7 +44424,7 @@ index 86700ed..ac3821e 100644
########################################
#
# Plymouth private policy
-@@ -74,6 +111,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
+@@ -74,6 +112,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
kernel_read_system_state(plymouth_t)
@@ -44416,7 +44432,7 @@ index 86700ed..ac3821e 100644
domain_use_interactive_fds(plymouth_t)
-@@ -81,7 +119,6 @@ files_read_etc_files(plymouth_t)
+@@ -81,7 +120,6 @@ files_read_etc_files(plymouth_t)
term_use_ptmx(plymouth_t)
@@ -54163,6 +54179,129 @@ index 16304ec..3293b25 100644
')
optional_policy(`
+diff --git a/rngd.fc b/rngd.fc
+new file mode 100644
+index 0000000..f6be09d
+--- /dev/null
++++ b/rngd.fc
+@@ -0,0 +1,6 @@
++
++/etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
++
++/usr/lib/systemd/system/rngd.* -- gen_context(system_u:object_r:rngd_unit_file_t,s0)
++
++/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
+diff --git a/rngd.if b/rngd.if
+new file mode 100644
+index 0000000..8b505d5
+--- /dev/null
++++ b/rngd.if
+@@ -0,0 +1,62 @@
++## Check and feed random data from hardware device to kernel random device.
++
++########################################
++##
++## Execute rngd in the rngd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`rng_systemctl_rngd',`
++ gen_require(`
++ type rngd_t, rngd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 rngd_unit_file_t:file read_file_perms;
++ allow $1 rngd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, rngd_t)
++')
++
++########################################
++##
++## All of the rules required to
++## administrate an rng environment.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`rng_admin',`
++ gen_require(`
++ type rngd_t, rngd_initrc_exec_t, rngd_unit_file_t;
++ ')
++
++ allow $1 rngd_t:process signal_perms;
++ ps_process_pattern($1, rngd_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 rngd_t:process ptrace;
++ ')
++
++ init_labeled_script_domtrans($1, rngd_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 rngd_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ rng_systemctl($1)
++ admin_pattern($1, rngd_unit_file_t)
++ allow $1 rngd_unit_file_t:service all_service_perms;
++')
+diff --git a/rngd.te b/rngd.te
+new file mode 100644
+index 0000000..bbd9fbc
+--- /dev/null
++++ b/rngd.te
+@@ -0,0 +1,37 @@
++policy_module(rngd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type rngd_t;
++type rngd_exec_t;
++init_daemon_domain(rngd_t, rngd_exec_t)
++
++type rngd_initrc_exec_t;
++init_script_file(rngd_initrc_exec_t)
++
++type rngd_unit_file_t;
++systemd_unit_file(rngd_unit_file_t)
++
++########################################
++#
++# Local policy
++#
++
++allow rngd_t self:capability sys_admin;
++allow rngd_t self:process { signal };
++allow rngd_t self:fifo_file rw_fifo_file_perms;
++allow rngd_t self:unix_stream_socket create_stream_socket_perms;
++
++dev_read_rand(rngd_t)
++dev_read_urand(rngd_t)
++dev_rw_tpm(rngd_t)
++dev_write_rand(rngd_t)
++
++files_read_etc_files(rngd_t)
++
++logging_send_syslog_msg(rngd_t)
++
++miscfiles_read_localization(rngd_t)
diff --git a/roundup.if b/roundup.if
index 30c4b75..e07c2ff 100644
--- a/roundup.if
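Review bot: `rng_admin` in rngd.if calls `rng_systemctl($1)`, but the interface defined above it is `rng_systemctl_rngd`, so the admin interface references an undefined macro and will not build as written; change the call to `rng_systemctl_rngd($1)` or rename the interface to match. The `rng_` prefix also no longer matches the module, which this commit renames from rng to rngd in modules-targeted-contrib.conf, so the conventional names would be `rngd_systemctl` and `rngd_admin`. The summary for `rng_systemctl_rngd` reads "Execute rngd in the rngd domain" while its body grants systemctl execution plus `manage_service_perms` on rngd_unit_file_t, so it should read something like `## Execute systemctl to manage the rngd service.` Finally, `allow rngd_t self:capability sys_admin;` in rngd.te is the broadest grant in the module and deserves a why-comment, e.g. `# sys_admin: presumably needed alongside dev_write_rand to feed entropy into the kernel pool -- confirm`.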
@@ -66120,7 +66259,7 @@ index 93975d6..bd248ce 100644
init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/varnishd.te b/varnishd.te
-index f9310f3..c321cd2 100644
+index f9310f3..b4dafb7 100644
--- a/varnishd.te
+++ b/varnishd.te
@@ -21,7 +21,7 @@ type varnishd_initrc_exec_t;
@@ -66141,6 +66280,15 @@ index f9310f3..c321cd2 100644
########################################
#
+@@ -52,7 +52,7 @@ files_type(varnishlog_log_t)
+
+ allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
+ dontaudit varnishd_t self:capability sys_tty_config;
+-allow varnishd_t self:process signal;
++allow varnishd_t self:process { execmem signal };
+ allow varnishd_t self:fifo_file rw_fifo_file_perms;
+ allow varnishd_t self:tcp_socket create_stream_socket_perms;
+ allow varnishd_t self:udp_socket create_socket_perms;
@@ -87,14 +87,14 @@ corenet_tcp_connect_http_port(varnishd_t)
dev_read_urand(varnishd_t)
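Review bot: `allow varnishd_t self:process { execmem signal };` adds execmem, which lets the daemon map anonymous memory that is both writable and executable, without any inline reason; the only justification is the changelog line "varnishd requires execmem to load modules". A why-comment on the rule keeps that rationale next to the policy where the next reviewer will look, e.g. `# execmem: required to load modules (see 3.11.1-37 changelog)`.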
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 63a7336..9dd59e5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 36%{?dist}
+Release: 37%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,17 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Oct 11 2012 Miroslav Grepl 3.11.1-37
+- Allow xdm to search all file systems
+- Add interface to allow the config of all files
+- Add rngd policy
+- Remove kgpg as a gpg_exec_t type
+- Allow plymouthd to block suspend
+- Allow systemd_dbus to config any file
+- Allow system_dbus_t to configure all services
+- Allow freshclam_t to read usr_files
+- varnishd requires execmem to load modules
+
* Thu Oct 11 2012 Miroslav Grepl 3.11.1-36
- Allow semanage to verify types
- Allow sudo domain to execute user home files