diff --git a/policy-f23-base.patch b/policy-f23-base.patch
index dcb6d6c..566dec2 100644
--- a/policy-f23-base.patch
+++ b/policy-f23-base.patch
@@ -15375,7 +15375,7 @@ index d7c11a0..6b3331d 100644
/var/run/shm/.* <>
-')
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..f1378d6 100644
+index 8416beb..b66e93a 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -15823,7 +15823,7 @@ index 8416beb..f1378d6 100644
##
##
##
-@@ -1878,135 +2085,151 @@ interface(`fs_search_fusefs',`
+@@ -1878,117 +2085,190 @@ interface(`fs_search_fusefs',`
##
##
#
@@ -15993,93 +15993,83 @@ index 8416beb..f1378d6 100644
-## read, write, and delete files
-## on a FUSEFS filesystem.
+## Unmount a FUSE filesystem.
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`fs_dontaudit_manage_fusefs_files',`
++##
++##
++#
+interface(`fs_unmount_fusefs',`
- gen_require(`
- type fusefs_t;
- ')
-
-- dontaudit $1 fusefs_t:file manage_file_perms;
++ gen_require(`
++ type fusefs_t;
++ ')
++
+ allow $1 fusefs_t:filesystem unmount;
- ')
-
- ########################################
- ##
--## Read symbolic links on a FUSEFS filesystem.
++')
++
++########################################
++##
+## Mounton a FUSEFS filesystem.
- ##
- ##
- ##
-@@ -2014,145 +2237,194 @@ interface(`fs_dontaudit_manage_fusefs_files',`
- ##
- ##
- #
--interface(`fs_read_fusefs_symlinks',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_mounton_fusefs',`
- gen_require(`
- type fusefs_t;
- ')
-
-- allow $1 fusefs_t:dir list_dir_perms;
-- read_lnk_files_pattern($1, fusefs_t, fusefs_t)
++ gen_require(`
++ type fusefs_t;
++ ')
++
+ allow $1 fusefs_t:dir mounton;
- ')
-
- ########################################
- ##
--## Get the attributes of an hugetlbfs
--## filesystem.
++')
++
++########################################
++##
+## Search directories
+## on a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`fs_getattr_hugetlbfs',`
-+interface(`fs_search_fusefs',`
- gen_require(`
-- type hugetlbfs_t;
-+ type fusefs_t;
- ')
-
-- allow $1 hugetlbfs_t:filesystem getattr;
-+ allow $1 fusefs_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## List hugetlbfs.
-+## Do not audit attempts to list the contents
-+## of directories on a FUSEFS filesystem.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
++##
+#
-+interface(`fs_dontaudit_list_fusefs',`
++interface(`fs_search_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
-+ dontaudit $1 fusefs_t:dir list_dir_perms;
++ allow $1 fusefs_t:dir search_dir_perms;
+')
+
+########################################
+##
++## Do not audit attempts to list the contents
++## of directories on a FUSEFS filesystem.
+ ##
+ ##
+ ##
+@@ -1996,91 +2276,173 @@ interface(`fs_manage_fusefs_files',`
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_manage_fusefs_files',`
++interface(`fs_dontaudit_list_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+- dontaudit $1 fusefs_t:file manage_file_perms;
++ dontaudit $1 fusefs_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Read symbolic links on a FUSEFS filesystem.
+## Create, read, write, and delete directories
+## on a FUSEFS filesystem.
##
@@ -16090,20 +16080,21 @@ index 8416beb..f1378d6 100644
##
+##
#
--interface(`fs_list_hugetlbfs',`
+-interface(`fs_read_fusefs_symlinks',`
+interface(`fs_manage_fusefs_dirs',`
gen_require(`
-- type hugetlbfs_t;
-+ type fusefs_t;
+ type fusefs_t;
')
-- allow $1 hugetlbfs_t:dir list_dir_perms;
+- allow $1 fusefs_t:dir list_dir_perms;
+- read_lnk_files_pattern($1, fusefs_t, fusefs_t)
+ allow $1 fusefs_t:dir manage_dir_perms;
')
########################################
##
--## Manage hugetlbfs dirs.
+-## Get the attributes of an hugetlbfs
+-## filesystem.
+## Do not audit attempts to create, read,
+## write, and delete directories
+## on a FUSEFS filesystem.
@@ -16133,20 +16124,20 @@ index 8416beb..f1378d6 100644
##
+##
#
--interface(`fs_manage_hugetlbfs_dirs',`
+-interface(`fs_getattr_hugetlbfs',`
+interface(`fs_read_fusefs_files',`
gen_require(`
- type hugetlbfs_t;
+ type fusefs_t;
')
-- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
+- allow $1 hugetlbfs_t:filesystem getattr;
+ read_files_pattern($1, fusefs_t, fusefs_t)
')
########################################
##
--## Read and write hugetlbfs files.
+-## List hugetlbfs.
+## Execute files on a FUSEFS filesystem.
##
##
@@ -16156,69 +16147,58 @@ index 8416beb..f1378d6 100644
##
+##
#
--interface(`fs_rw_hugetlbfs_files',`
+-interface(`fs_list_hugetlbfs',`
+interface(`fs_exec_fusefs_files',`
gen_require(`
- type hugetlbfs_t;
+ type fusefs_t;
')
-- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+- allow $1 hugetlbfs_t:dir list_dir_perms;
+ exec_files_pattern($1, fusefs_t, fusefs_t)
')
########################################
##
--## Allow the type to associate to hugetlbfs filesystems.
+-## Manage hugetlbfs dirs.
+## Make general progams in FUSEFS an entrypoint for
+## the specified domain.
- ##
--##
++##
+##
- ##
--## The type of the object to be associated.
++##
+## The domain for which fusefs_t is an entrypoint.
- ##
- ##
- #
--interface(`fs_associate_hugetlbfs',`
++##
++##
++#
+interface(`fs_fusefs_entry_type',`
- gen_require(`
-- type hugetlbfs_t;
++ gen_require(`
+ type fusefs_t;
- ')
-
-- allow $1 hugetlbfs_t:filesystem associate;
++ ')
++
+ domain_entry_file($1, fusefs_t)
- ')
-
- ########################################
- ##
--## Search inotifyfs filesystem.
++')
++
++########################################
++##
+## Make general progams in FUSEFS an entrypoint for
+## the specified domain.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## The domain for which fusefs_t is an entrypoint.
- ##
- ##
- #
--interface(`fs_search_inotifyfs',`
++##
++##
++#
+interface(`fs_fusefs_entrypoint',`
- gen_require(`
-- type inotifyfs_t;
++ gen_require(`
+ type fusefs_t;
- ')
-
-- allow $1 inotifyfs_t:dir search_dir_perms;
++ ')
++
+ allow $1 fusefs_t:file entrypoint;
- ')
-
- ########################################
- ##
--## List inotifyfs filesystem.
++')
++
++########################################
++##
+## Create, read, write, and delete files
+## on a FUSEFS filesystem.
##
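Review bot: `fs_fusefs_entry_type` and `fs_fusefs_entrypoint` carry the identical summary `Make general progams in FUSEFS an entrypoint for the specified domain` (with the typo "progams"), although the first goes through domain_entry_file (which in refpolicy also marks the type as an entry type and permits executing it) while the second grants only the bare `entrypoint` permission, so the docs should say which is which, e.g. `## Make fusefs_t an entry point type for the specified domain (via domain_entry_file).` versus `## Allow files on a FUSEFS filesystem to be entrypoints for the specified domain.` Both summaries would also benefit from the caveat that fusefs_t content is supplied by whichever FUSE daemon mounted it, so the calling domain should not be more privileged than that daemon's owner, since the executable that enters the domain is under that user's control. Apart from being reordered, these interfaces are unchanged by this commit.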
@@ -16229,85 +16209,87 @@ index 8416beb..f1378d6 100644
##
+##
#
--interface(`fs_list_inotifyfs',`
+-interface(`fs_manage_hugetlbfs_dirs',`
+interface(`fs_manage_fusefs_files',`
gen_require(`
-- type inotifyfs_t;
+- type hugetlbfs_t;
+ type fusefs_t;
')
-- allow $1 inotifyfs_t:dir list_dir_perms;
+- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
+ manage_files_pattern($1, fusefs_t, fusefs_t)
')
########################################
##
--## Dontaudit List inotifyfs filesystem.
+-## Read and write hugetlbfs files.
+## Do not audit attempts to create,
+## read, write, and delete files
+## on a FUSEFS filesystem.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_manage_fusefs_files',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ dontaudit $1 fusefs_t:file manage_file_perms;
++')
++
++########################################
++##
++## Read symbolic links on a FUSEFS filesystem.
##
##
##
-@@ -2160,53 +2432,626 @@ interface(`fs_list_inotifyfs',`
+@@ -2088,53 +2450,100 @@ interface(`fs_manage_hugetlbfs_dirs',`
##
##
#
--interface(`fs_dontaudit_list_inotifyfs',`
-+interface(`fs_dontaudit_manage_fusefs_files',`
+-interface(`fs_rw_hugetlbfs_files',`
++interface(`fs_read_fusefs_symlinks',`
gen_require(`
-- type inotifyfs_t;
+- type hugetlbfs_t;
+ type fusefs_t;
')
-- dontaudit $1 inotifyfs_t:dir list_dir_perms;
-+ dontaudit $1 fusefs_t:file manage_file_perms;
+- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
++ allow $1 fusefs_t:dir list_dir_perms;
++ read_lnk_files_pattern($1, fusefs_t, fusefs_t)
')
########################################
##
--## Create an object in a hugetlbfs filesystem, with a private
--## type using a type transition.
-+## Read symbolic links on a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
-+#
-+interface(`fs_read_fusefs_symlinks',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ allow $1 fusefs_t:dir list_dir_perms;
-+ read_lnk_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+##
+-## Allow the type to associate to hugetlbfs filesystems.
+## Manage symbolic links on a FUSEFS filesystem.
-+##
+ ##
+-##
+##
##
--## The type of the object to be created.
+-## The type of the object to be associated.
+## Domain allowed access.
##
##
--##
-+#
+ #
+-interface(`fs_associate_hugetlbfs',`
+interface(`fs_manage_fusefs_symlinks',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- allow $1 hugetlbfs_t:filesystem associate;
+ manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Search inotifyfs filesystem.
+## Execute a file on a FUSE filesystem
+## in the specified domain.
+##
@@ -16331,15 +16313,12 @@ index 8416beb..f1378d6 100644
+##
+##
+##
- ##
--## The object class of the object being created.
++##
+## Domain allowed to transition.
- ##
- ##
--##
++##
++##
+##
- ##
--## The name of the object being created.
++##
+## The type of the new process.
+##
+##
@@ -16356,61 +16335,75 @@ index 8416beb..f1378d6 100644
+########################################
+##
+## Get the attributes of a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
-+#
+ #
+-interface(`fs_search_inotifyfs',`
+interface(`fs_getattr_fusefs',`
-+ gen_require(`
+ gen_require(`
+- type inotifyfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- allow $1 inotifyfs_t:dir search_dir_perms;
+ allow $1 fusefs_t:filesystem getattr;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## List inotifyfs filesystem.
+## Get the attributes of an hugetlbfs
+## filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2142,71 +2551,527 @@ interface(`fs_search_inotifyfs',`
+ ##
+ ##
+ #
+-interface(`fs_list_inotifyfs',`
+interface(`fs_getattr_hugetlbfs',`
-+ gen_require(`
+ gen_require(`
+- type inotifyfs_t;
+ type hugetlbfs_t;
-+ ')
-+
+ ')
+
+- allow $1 inotifyfs_t:dir list_dir_perms;
+ allow $1 hugetlbfs_t:filesystem getattr;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Dontaudit List inotifyfs filesystem.
+## List hugetlbfs.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_list_inotifyfs',`
+interface(`fs_list_hugetlbfs',`
-+ gen_require(`
+ gen_require(`
+- type inotifyfs_t;
+ type hugetlbfs_t;
-+ ')
-+
+ ')
+
+- dontaudit $1 inotifyfs_t:dir list_dir_perms;
+ allow $1 hugetlbfs_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create an object in a hugetlbfs filesystem, with a private
+-## type using a type transition.
+## Manage hugetlbfs dirs.
+##
+##
@@ -16868,19 +16861,55 @@ index 8416beb..f1378d6 100644
+##
+##
+## Domain allowed access.
++##
++##
++#
++interface(`fs_delete_kdbus_dirs', `
++ gen_require(`
++ type kdbusfs_t;
++ ')
++
++ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
++ fs_search_tmpfs($1)
++ dev_search_sysfs($1)
++')
++
++########################################
++##
++## Manage kdbusfs directories.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
##
##
+-##
+-##
+-## The type of the object to be created.
+-##
+-##
+-##
+-##
+-## The object class of the object being created.
+-##
+-##
+-##
+-##
+-## The name of the object being created.
+-##
+-##
#
-interface(`fs_hugetlbfs_filetrans',`
-+interface(`fs_delete_kdbus_dirs', `
++interface(`fs_manage_kdbus_dirs',`
gen_require(`
- type hugetlbfs_t;
+- ')
+ type kdbusfs_t;
- ')
- allow $2 hugetlbfs_t:filesystem associate;
- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
-+ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
++ ')
++ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
')
@@ -16889,24 +16918,25 @@ index 8416beb..f1378d6 100644
##
-## Mount an iso9660 filesystem, which
-## is usually used on CDs.
-+## Manage kdbusfs directories.
++## Read kdbusfs files.
##
##
##
-@@ -2214,19 +3059,19 @@ interface(`fs_hugetlbfs_filetrans',`
+@@ -2214,19 +3079,21 @@ interface(`fs_hugetlbfs_filetrans',`
##
##
#
-interface(`fs_mount_iso9660_fs',`
-+interface(`fs_manage_kdbus_dirs',`
++interface(`fs_read_kdbus_files',`
gen_require(`
- type iso9660_t;
-- ')
-+ type kdbusfs_t;
++ type cgroup_t;
++
+ ')
- allow $1 iso9660_t:filesystem mount;
-+ ')
-+ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
++ read_files_pattern($1, kdbusfs_t, kdbusfs_t)
++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
')
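Review bot: `fs_read_kdbus_files` declares `type cgroup_t;` in its gen_require block but every rule in its body references `kdbusfs_t`, so it requires a type it never uses and uses a type it never requires; when the interface is expanded in a separately built module that is an undeclared-type error, and the stray `cgroup_t` reads like a copy-paste from the cgroup interfaces. The require block should be `type kdbusfs_t;` (the empty line after it can go too), matching `fs_write_kdbus_files` and `fs_rw_kdbus_files` in the same file. The previous version of the patch already had this wrong and the commit only relocates it.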
@@ -16916,25 +16946,23 @@ index 8416beb..f1378d6 100644
-## Remount an iso9660 filesystem, which
-## is usually used on CDs. This allows
-## some mount options to be changed.
-+## Read kdbusfs files.
++## Write kdbusfs files.
##
##
##
-@@ -2234,18 +3079,21 @@ interface(`fs_mount_iso9660_fs',`
+@@ -2234,18 +3101,19 @@ interface(`fs_mount_iso9660_fs',`
##
##
#
-interface(`fs_remount_iso9660_fs',`
-+interface(`fs_read_kdbus_files',`
++interface(`fs_write_kdbus_files', `
gen_require(`
- type iso9660_t;
-+ type cgroup_t;
-+
++ type kdbusfs_t;
')
- allow $1 iso9660_t:filesystem remount;
-+ read_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
++ write_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
')
@@ -16943,23 +16971,25 @@ index 8416beb..f1378d6 100644
##
-## Unmount an iso9660 filesystem, which
-## is usually used on CDs.
-+## Write kdbusfs files.
++## Read and write kdbusfs files.
##
##
##
-@@ -2253,38 +3101,61 @@ interface(`fs_remount_iso9660_fs',`
+@@ -2253,38 +3121,41 @@ interface(`fs_remount_iso9660_fs',`
##
##
#
-interface(`fs_unmount_iso9660_fs',`
-+interface(`fs_write_kdbus_files', `
++interface(`fs_rw_kdbus_files',`
gen_require(`
- type iso9660_t;
+ type kdbusfs_t;
++
')
- allow $1 iso9660_t:filesystem unmount;
-+ write_files_pattern($1, kdbusfs_t, kdbusfs_t)
++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
++ rw_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
')
@@ -16968,54 +16998,33 @@ index 8416beb..f1378d6 100644
##
-## Get the attributes of an iso9660
-## filesystem, which is usually used on CDs.
-+## Read and write kdbusfs files.
++## Do not audit attempts to open,
++## get attributes, read and write
++## cgroup files.
##
##
##
- ## Domain allowed access.
+-## Domain allowed access.
++## Domain to not audit.
##
##
-##
#
-interface(`fs_getattr_iso9660_fs',`
-+interface(`fs_rw_kdbus_files',`
++interface(`fs_dontaudit_rw_kdbus_files',`
gen_require(`
- type iso9660_t;
+ type kdbusfs_t;
-+
')
- allow $1 iso9660_t:filesystem getattr;
-+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+ rw_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+ fs_search_tmpfs($1)
-+ dev_search_sysfs($1)
++ dontaudit $1 kdbusfs_t:file rw_file_perms;
')
########################################
##
-## Read files on an iso9660 filesystem, which
-## is usually used on CDs.
-+## Do not audit attempts to open,
-+## get attributes, read and write
-+## cgroup files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_rw_kdbus_files',`
-+ gen_require(`
-+ type kdbusfs_t;
-+ ')
-+
-+ dontaudit $1 kdbusfs_t:file rw_file_perms;
-+')
-+
-+########################################
-+##
+## Manage kdbusfs files.
##
##
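Review bot: the summary of `fs_dontaudit_rw_kdbus_files` still says `cgroup files`, which is another leftover from the cgroup interfaces it was copied from, while the rule is `dontaudit $1 kdbusfs_t:file rw_file_perms;`. Suggest `## Do not audit attempts to open, get attributes, read and write kdbusfs files.` so the generated interface documentation matches what is silenced.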
@@ -17417,79 +17426,47 @@ index 8416beb..f1378d6 100644
##
##
##
-@@ -3743,25 +4807,61 @@ interface(`fs_getattr_rpc_pipefs',`
-
- #########################################
- ##
--## Read and write RPC pipe filesystem named pipes.
-+## Read and write RPC pipe filesystem named pipes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_rw_rpc_named_pipes',`
+@@ -3769,17 +4833,53 @@ interface(`fs_rw_rpc_named_pipes',`
+ ##
+ ##
+ #
+-interface(`fs_mount_tmpfs',`
++interface(`fs_mount_tmpfs',`
+ gen_require(`
-+ type rpc_pipefs_t;
++ type tmpfs_t;
+ ')
+
-+ allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms;
++ allow $1 tmpfs_t:filesystem mount;
+')
+
+########################################
+##
-+## Mount a tmpfs filesystem.
++## Dontaudit remount a tmpfs filesystem.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`fs_mount_tmpfs',`
++interface(`fs_dontaudit_remount_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
-+ allow $1 tmpfs_t:filesystem mount;
++ dontaudit $1 tmpfs_t:filesystem remount;
+')
+
+########################################
+##
-+## Dontaudit remount a tmpfs filesystem.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`fs_rw_rpc_named_pipes',`
-+interface(`fs_dontaudit_remount_tmpfs',`
- gen_require(`
-- type rpc_pipefs_t;
-+ type tmpfs_t;
- ')
-
-- allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms;
-+ dontaudit $1 tmpfs_t:filesystem remount;
- ')
-
- ########################################
- ##
--## Mount a tmpfs filesystem.
+## Remount a tmpfs filesystem.
- ##
- ##
- ##
-@@ -3769,17 +4869,17 @@ interface(`fs_rw_rpc_named_pipes',`
- ##
- ##
- #
--interface(`fs_mount_tmpfs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_remount_tmpfs',`
gen_require(`
type tmpfs_t;
@@ -17935,7 +17912,7 @@ index 8416beb..f1378d6 100644
## Search all directories with a filesystem type.
##
##
-@@ -4912,3 +6218,43 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6218,63 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -17979,6 +17956,26 @@ index 8416beb..f1378d6 100644
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpu")
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
+')
++
++#######################################
++##
++## Read files in efivarfs
++## - contains Linux Kernel configuration options for UEFI systems
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_read_efivarfs_files',`
++ gen_require(`
++ type efivarfs_t;
++ ')
++
++ read_files_pattern($1, efivarfs_t, efivarfs_t)
++')
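Review bot: the summary `## - contains Linux Kernel configuration options for UEFI systems` misdescribes efivarfs, which exposes UEFI firmware variables (boot entries, SecureBoot state, vendor data) rather than kernel configuration; suggest `## Read UEFI firmware variables exposed by the kernel on efivarfs.` Unlike the kdbusfs interfaces added in this same file, this one grants no search on the path leading to the mount, which conventionally sits under /sys/firmware/efi, so most callers will also need `dev_search_sysfs($1)` after the read_files_pattern line. The doc block has one more `##` line than its siblings, so check that its XML tags balance, and the filesystem.te hunk that would declare efivarfs_t is cut off here, so I cannot confirm the required type exists.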
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index e7d1738..3e3ed4e 100644
--- a/policy/modules/kernel/filesystem.te
@@ -18152,7 +18149,7 @@ index 7be4ddf..9710b33 100644
+/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0)
+/sys/kernel/debug/.* <>
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..d2fc766 100644
+index e100d88..65a3b6d 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@@ -18783,7 +18780,7 @@ index e100d88..d2fc766 100644
## Unconfined access to kernel module resources.
##
##
-@@ -2972,5 +3284,628 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3284,630 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -19146,12 +19143,14 @@ index e100d88..d2fc766 100644
+interface(`kernel_read_security_state',`
+ gen_require(`
+ type proc_t, proc_security_t;
++ attribute sysctl_type;
+ ')
+
+ read_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
+ read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
+
+ list_dirs_pattern($1, proc_t, proc_security_t)
++ allow $1 sysctl_type:dir search_dir_perms;
+')
+
+########################################
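Review bot: `allow $1 sysctl_type:dir search_dir_perms;` hands every caller of kernel_read_security_state traversal over all sysctl directories, since the attribute spans every sysctl_* type, which is broader than reaching proc_security_t needs if that type lives under a single /proc/sys subtree; requiring just the parent type (for example `type sysctl_t;` for /proc/sys itself) instead of the attribute would keep the grant matched to the path, or else the summary should state that callers now get search on all sysctl directories. Search only permits traversal, not reading, so the exposure is small, but the interface name now promises less than it grants.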
@@ -44709,10 +44708,10 @@ index 0000000..cde0261
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..8209291
+index 0000000..92de375
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,725 @@
+@@ -0,0 +1,728 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -44821,6 +44820,9 @@ index 0000000..8209291
+fs_mount_tmpfs(systemd_logind_t)
+fs_unmount_tmpfs(systemd_logind_t)
+fs_list_tmpfs(systemd_logind_t)
++
++fs_read_efivarfs_files(systemd_logind_t)
++
+fs_manage_fusefs_dirs(systemd_logind_t)
+fs_manage_fusefs_files(systemd_logind_t)
+
diff --git a/policy-f23-contrib.patch b/policy-f23-contrib.patch
index 38a8f9b..7ffc5ed 100644
--- a/policy-f23-contrib.patch
+++ b/policy-f23-contrib.patch
@@ -6,10 +6,10 @@ index 0000000..bea5755
@@ -0,0 +1 @@
+TAGS
diff --git a/abrt.fc b/abrt.fc
-index 1a93dc5..f2b26f5 100644
+index 1a93dc5..e948aef 100644
--- a/abrt.fc
+++ b/abrt.fc
-@@ -1,31 +1,46 @@
+@@ -1,31 +1,47 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
@@ -38,10 +38,8 @@ index 1a93dc5..f2b26f5 100644
-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
-/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-
--/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
--/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
--/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
++/usr/libexec/abrt-hook-ccpp -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
++
+/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
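Review bot: `/usr/libexec/abrt-hook-ccpp` is labeled `abrt_dump_oops_exec_t`, so the core-dump helper shares a domain with the oops/dmesg dumper; if it is still the core_pattern pipe target, it is executed by the kernel for any crashing process on the system and receives attacker-influenceable core images and process metadata, an exposure the oops dumper does not have. That reuse deserves either a dedicated exec type and domain or at least a comment such as `# core_pattern helper; runs as abrt_dump_oops_t, reviewed for core-dump input` next to the entry, and the abrt.te rules that would show what abrt_dump_oops_t may do are not in this diff, so I cannot confirm the domain is adequate for that role.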
@@ -55,7 +53,10 @@ index 1a93dc5..f2b26f5 100644
+/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
-+
+
+-/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+-/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
+-/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
+/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
@@ -9516,7 +9517,7 @@ index 531a8f2..0b86f2f 100644
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
-index 1241123..cce7112 100644
+index 1241123..5336071 100644
--- a/bind.te
+++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -9572,7 +9573,12 @@ index 1241123..cce7112 100644
corenet_all_recvfrom_netlabel(named_t)
corenet_tcp_sendrecv_generic_if(named_t)
corenet_udp_sendrecv_generic_if(named_t)
-@@ -144,6 +146,7 @@ corenet_tcp_sendrecv_all_ports(named_t)
+@@ -141,9 +143,12 @@ corenet_sendrecv_all_client_packets(named_t)
+ corenet_tcp_connect_all_ports(named_t)
+ corenet_tcp_sendrecv_all_ports(named_t)
+
++corenet_tcp_bind_all_ephemeral_ports(named_t)
++
dev_read_sysfs(named_t)
dev_read_rand(named_t)
dev_read_urand(named_t)
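Review bot: `corenet_tcp_bind_all_ephemeral_ports(named_t)` is added without any indication of why named needs to bind the whole ephemeral TCP range, and it sits apart from the existing bind rules; a why-comment such as `# source port for outgoing TCP queries` would stop the next reader from treating it as an AVC-driven allow. If the motivation is outgoing queries, confirm that the UDP side, where query-source port randomization matters most, is already covered by an existing rule, which this hunk does not show.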
@@ -9580,7 +9586,7 @@ index 1241123..cce7112 100644
domain_use_interactive_fds(named_t)
-@@ -175,6 +178,19 @@ tunable_policy(`named_write_master_zones',`
+@@ -175,6 +180,19 @@ tunable_policy(`named_write_master_zones',`
')
optional_policy(`
@@ -9600,7 +9606,7 @@ index 1241123..cce7112 100644
dbus_system_domain(named_t, named_exec_t)
init_dbus_chat_script(named_t)
-@@ -187,7 +203,13 @@ optional_policy(`
+@@ -187,7 +205,13 @@ optional_policy(`
')
optional_policy(`
@@ -9614,7 +9620,7 @@ index 1241123..cce7112 100644
kerberos_use(named_t)
')
-@@ -215,7 +237,8 @@ optional_policy(`
+@@ -215,7 +239,8 @@ optional_policy(`
#
allow ndc_t self:capability { dac_override net_admin };
@@ -9624,7 +9630,7 @@ index 1241123..cce7112 100644
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
-@@ -229,10 +252,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+@@ -229,10 +254,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
allow ndc_t named_zone_t:dir search_dir_perms;
@@ -9636,7 +9642,7 @@ index 1241123..cce7112 100644
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_generic_if(ndc_t)
corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -242,6 +264,9 @@ corenet_tcp_bind_generic_node(ndc_t)
+@@ -242,6 +266,9 @@ corenet_tcp_bind_generic_node(ndc_t)
corenet_tcp_connect_rndc_port(ndc_t)
corenet_sendrecv_rndc_client_packets(ndc_t)
@@ -9646,7 +9652,7 @@ index 1241123..cce7112 100644
domain_use_interactive_fds(ndc_t)
files_search_pids(ndc_t)
-@@ -257,7 +282,7 @@ init_use_script_ptys(ndc_t)
+@@ -257,7 +284,7 @@ init_use_script_ptys(ndc_t)
logging_send_syslog_msg(ndc_t)
@@ -20430,7 +20436,7 @@ index 3023be7..0317731 100644
+ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
')
diff --git a/cups.te b/cups.te
-index c91813c..84c4ee4 100644
+index c91813c..999581c 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
@@ -20530,7 +20536,7 @@ index c91813c..84c4ee4 100644
type ptal_t;
type ptal_exec_t;
-@@ -97,21 +99,49 @@ ifdef(`enable_mls',`
+@@ -97,21 +99,50 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
')
@@ -20578,13 +20584,14 @@ index c91813c..84c4ee4 100644
+allow cupsd_t self:process { getpgid setpgid setsched };
allow cupsd_t self:unix_stream_socket { accept connectto listen };
allow cupsd_t self:netlink_selinux_socket create_socket_perms;
++allow cupsd_t self:socket connect;
allow cupsd_t self:shm create_shm_perms;
allow cupsd_t self:sem create_sem_perms;
-allow cupsd_t self:tcp_socket { accept listen };
allow cupsd_t self:appletalk_socket create_socket_perms;
allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
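Review bot: `allow cupsd_t self:socket connect;` grants connect on the generic `socket` class, which is the catch-all for address families the policy does not map to a dedicated class, so the rule does not say what protocol cupsd is actually reaching; a why-comment naming the family (and the specific class once extended socket classes are in use) would keep this from being a blind allow. Connect alone, without create or getattr on the same class, is also unusual: if those are not granted elsewhere (not visible here) the next denial will be on a sibling permission, and the rule should then read `allow cupsd_t self:socket { create connect getattr };`.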
-@@ -120,11 +150,14 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+@@ -120,11 +151,14 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
@@ -20599,7 +20606,7 @@ index c91813c..84c4ee4 100644
allow cupsd_t cupsd_exec_t:dir search_dir_perms;
allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
-@@ -136,22 +169,23 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+@@ -136,22 +170,23 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
@@ -20627,7 +20634,7 @@ index c91813c..84c4ee4 100644
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
-@@ -159,11 +193,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+@@ -159,11 +194,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
kernel_read_system_state(cupsd_t)
@@ -20639,7 +20646,7 @@ index c91813c..84c4ee4 100644
corenet_all_recvfrom_netlabel(cupsd_t)
corenet_tcp_sendrecv_generic_if(cupsd_t)
corenet_udp_sendrecv_generic_if(cupsd_t)
-@@ -186,12 +218,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
+@@ -186,12 +219,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_bind_all_rpc_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
@@ -20664,7 +20671,7 @@ index c91813c..84c4ee4 100644
dev_rw_input_dev(cupsd_t)
dev_rw_generic_usb_dev(cupsd_t)
dev_rw_usbfs(cupsd_t)
-@@ -203,7 +243,6 @@ domain_use_interactive_fds(cupsd_t)
+@@ -203,7 +244,6 @@ domain_use_interactive_fds(cupsd_t)
files_getattr_boot_dirs(cupsd_t)
files_list_spool(cupsd_t)
files_read_etc_runtime_files(cupsd_t)
@@ -20672,7 +20679,7 @@ index c91813c..84c4ee4 100644
files_exec_usr_files(cupsd_t)
# for /var/lib/defoma
files_read_var_lib_files(cupsd_t)
-@@ -212,17 +251,19 @@ files_read_world_readable_files(cupsd_t)
+@@ -212,17 +252,19 @@ files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
files_read_var_files(cupsd_t)
files_read_var_symlinks(cupsd_t)
@@ -20694,7 +20701,7 @@ index c91813c..84c4ee4 100644
mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
mls_file_write_all_levels(cupsd_t)
-@@ -232,6 +273,8 @@ mls_socket_write_all_levels(cupsd_t)
+@@ -232,6 +274,8 @@ mls_socket_write_all_levels(cupsd_t)
term_search_ptys(cupsd_t)
term_use_unallocated_ttys(cupsd_t)
@@ -20703,7 +20710,7 @@ index c91813c..84c4ee4 100644
selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t)
-@@ -244,22 +287,27 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -244,22 +288,27 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
@@ -20736,7 +20743,7 @@ index c91813c..84c4ee4 100644
optional_policy(`
apm_domtrans_client(cupsd_t)
-@@ -272,6 +320,8 @@ optional_policy(`
+@@ -272,6 +321,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
@@ -20745,7 +20752,7 @@ index c91813c..84c4ee4 100644
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
-@@ -279,11 +329,17 @@ optional_policy(`
+@@ -279,11 +330,17 @@ optional_policy(`
')
optional_policy(`
@@ -20763,7 +20770,7 @@ index c91813c..84c4ee4 100644
')
')
-@@ -296,8 +352,8 @@ optional_policy(`
+@@ -296,8 +353,8 @@ optional_policy(`
')
optional_policy(`
@@ -20773,7 +20780,7 @@ index c91813c..84c4ee4 100644
')
optional_policy(`
-@@ -306,7 +362,6 @@ optional_policy(`
+@@ -306,7 +363,6 @@ optional_policy(`
optional_policy(`
lpd_exec_lpr(cupsd_t)
@@ -20781,7 +20788,7 @@ index c91813c..84c4ee4 100644
lpd_read_config(cupsd_t)
lpd_relabel_spool(cupsd_t)
')
-@@ -316,6 +371,10 @@ optional_policy(`
+@@ -316,6 +372,10 @@ optional_policy(`
')
optional_policy(`
@@ -20792,7 +20799,7 @@ index c91813c..84c4ee4 100644
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
samba_stream_connect_nmbd(cupsd_t)
-@@ -334,7 +393,11 @@ optional_policy(`
+@@ -334,7 +394,11 @@ optional_policy(`
')
optional_policy(`
@@ -20805,7 +20812,7 @@ index c91813c..84c4ee4 100644
')
########################################
-@@ -342,12 +405,11 @@ optional_policy(`
+@@ -342,12 +406,11 @@ optional_policy(`
# Configuration daemon local policy
#
@@ -20821,7 +20828,7 @@ index c91813c..84c4ee4 100644
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -372,18 +434,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -372,18 +435,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
@@ -20842,7 +20849,7 @@ index c91813c..84c4ee4 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -392,20 +452,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -392,20 +453,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
@@ -20863,7 +20870,7 @@ index c91813c..84c4ee4 100644
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
-@@ -417,11 +469,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -417,11 +470,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@@ -20875,7 +20882,7 @@ index c91813c..84c4ee4 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
-@@ -449,9 +496,12 @@ optional_policy(`
+@@ -449,9 +497,12 @@ optional_policy(`
')
optional_policy(`
@@ -20889,7 +20896,7 @@ index c91813c..84c4ee4 100644
')
optional_policy(`
-@@ -467,6 +517,10 @@ optional_policy(`
+@@ -467,6 +518,10 @@ optional_policy(`
')
optional_policy(`
@@ -20900,7 +20907,7 @@ index c91813c..84c4ee4 100644
rpm_read_db(cupsd_config_t)
')
-@@ -487,10 +541,6 @@ optional_policy(`
+@@ -487,10 +542,6 @@ optional_policy(`
# Lpd local policy
#
@@ -20911,7 +20918,7 @@ index c91813c..84c4ee4 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -508,15 +558,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -508,15 +559,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
@@ -20929,7 +20936,7 @@ index c91813c..84c4ee4 100644
corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
-@@ -537,9 +587,6 @@ auth_use_nsswitch(cupsd_lpd_t)
+@@ -537,9 +588,6 @@ auth_use_nsswitch(cupsd_lpd_t)
logging_send_syslog_msg(cupsd_lpd_t)
@@ -20939,7 +20946,7 @@ index c91813c..84c4ee4 100644
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
-@@ -550,7 +597,6 @@ optional_policy(`
+@@ -550,7 +598,6 @@ optional_policy(`
#
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -20947,7 +20954,7 @@ index c91813c..84c4ee4 100644
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -566,148 +612,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -566,148 +613,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@@ -21099,7 +21106,7 @@ index c91813c..84c4ee4 100644
########################################
#
-@@ -735,7 +656,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -735,7 +657,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -21107,7 +21114,7 @@ index c91813c..84c4ee4 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -745,13 +665,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -745,13 +666,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
@@ -21121,7 +21128,7 @@ index c91813c..84c4ee4 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
-@@ -759,8 +677,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -759,8 +678,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@@ -21130,7 +21137,7 @@ index c91813c..84c4ee4 100644
sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -773,3 +689,4 @@ optional_policy(`
+@@ -773,3 +690,4 @@ optional_policy(`
optional_policy(`
udev_read_db(ptal_t)
')
@@ -38125,7 +38132,7 @@ index 1a35420..8101022 100644
logging_search_logs($1)
admin_pattern($1, iscsi_log_t)
diff --git a/iscsi.te b/iscsi.te
-index ca020fa..989eba9 100644
+index ca020fa..d546e07 100644
--- a/iscsi.te
+++ b/iscsi.te
@@ -5,12 +5,15 @@ policy_module(iscsi, 1.9.0)
@@ -38146,7 +38153,7 @@ index ca020fa..989eba9 100644
type iscsi_lock_t;
files_lock_file(iscsi_lock_t)
-@@ -32,8 +35,7 @@ files_pid_file(iscsi_var_run_t)
+@@ -32,13 +35,13 @@ files_pid_file(iscsi_var_run_t)
# Local policy
#
@@ -38156,7 +38163,13 @@ index ca020fa..989eba9 100644
allow iscsid_t self:process { setrlimit setsched signal };
allow iscsid_t self:fifo_file rw_fifo_file_perms;
allow iscsid_t self:unix_stream_socket { accept connectto listen };
-@@ -55,20 +57,22 @@ manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
+ allow iscsid_t self:sem create_sem_perms;
+ allow iscsid_t self:shm create_shm_perms;
++allow iscsid_t self:netlink_iscsi_socket create_socket_perms;
+ allow iscsid_t self:netlink_socket create_socket_perms;
+ allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow iscsid_t self:netlink_route_socket nlmsg_write;
+@@ -55,20 +58,22 @@ manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file })
@@ -38184,7 +38197,7 @@ index ca020fa..989eba9 100644
corenet_all_recvfrom_netlabel(iscsid_t)
corenet_tcp_sendrecv_generic_if(iscsid_t)
corenet_tcp_sendrecv_generic_node(iscsid_t)
-@@ -85,22 +89,38 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
+@@ -85,22 +90,38 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
corenet_tcp_connect_isns_port(iscsid_t)
corenet_tcp_sendrecv_isns_port(iscsid_t)
@@ -66361,10 +66374,10 @@ index 0000000..80246e6
+
diff --git a/pcp.te b/pcp.te
new file mode 100644
-index 0000000..5b5747f
+index 0000000..b7242be
--- /dev/null
+++ b/pcp.te
-@@ -0,0 +1,264 @@
+@@ -0,0 +1,266 @@
+policy_module(pcp, 1.0.0)
+
+########################################
@@ -66625,6 +66638,8 @@ index 0000000..5b5747f
+
+allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto;
+
++kernel_read_system_state(pcp_pmlogger_t)
++
+corenet_tcp_bind_dey_sapi_port(pcp_pmlogger_t)
+corenet_tcp_bind_commplex_link_port(pcp_pmlogger_t)
+corenet_tcp_bind_generic_node(pcp_pmlogger_t)
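Review bot: The new `kernel_read_system_state(pcp_pmlogger_t)` line carries no note of which /proc access it was added for, while other additions in this patch cite their bug (e.g. the `#1103622` comment in sandboxX.te). That interface grants read access to generic proc_t files as a whole, which is likely wider than the single denial behind BZ(1258699); a one-line comment such as `# BZ(1258699): pmlogger reads /proc system state for its metrics` next to the call would let a later reviewer decide whether a narrower kernel_ interface suffices. The rest of the pcp_pmlogger_t policy lies outside this hunk, so I cannot confirm what proc access the domain already has.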
@@ -93313,7 +93328,7 @@ index 0000000..3e89d71
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
-index 0000000..7a8e744
+index 0000000..c9449b4
--- /dev/null
+++ b/sandboxX.te
@@ -0,0 +1,505 @@
@@ -93611,8 +93626,8 @@ index 0000000..7a8e744
+userdom_use_user_ptys(sandbox_x_t)
+
+#1103622
-+corenet_tcp_connect_xserver_port(sandbox_x_t)
-+xserver_stream_connect(sandbox_x_t)
++corenet_tcp_connect_xserver_port(sandbox_x_domain)
++xserver_stream_connect(sandbox_x_domain)
+
+########################################
+#
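Review bot: Moving `corenet_tcp_connect_xserver_port` from `sandbox_x_t` to the `sandbox_x_domain` attribute grants every type carrying that attribute a TCP connect to the X server port range, against any reachable node, and the only justification visible in the hunk is the bare `#1103622` reference. If the bug only needed the unix-socket path, keep `xserver_stream_connect(sandbox_x_domain)` but leave the TCP line on `sandbox_x_t`, since reaching a TCP-listening X server is a larger escape surface for a sandboxed application than the local Xephyr socket. If both are required, replace the bare number with a comment such as `# BZ 1103622: all sandbox_x_domain types share one process type, so each needs the Xephyr unix socket and the TCP xserver port` so the width of the grant is recorded. The declaration of sandbox_x_domain and the list of types that carry it are outside this hunk, so I cannot confirm from here how many domains are widened.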
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d770b8a..50506b8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 149%{?dist}
+Release: 150%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -656,6 +656,18 @@ exit 0
%endif
%changelog
+* Thu Oct 08 2015 Lukas Vrabec 3.13.1-150
+- Allow pcp_pmlogger to read system state. BZ(1258699)
+- Allow cupsd to connect on socket. BZ(1258089)
+- Allow named to bind on ephemeral ports. BZ(#1259766)
+- Allow iscsid create netlink iscsid sockets.
+- We need allow connect to xserver for all sandbox_x domain because we have one type for all sandbox processes.
+- Add missing labeling for /usr/libexec/abrt-hook-ccpp as a part of #1245477 and #1242467 bugs.
+- Allow search dirs in sysfs types in kernel_read_security_state.
+- Fix kernel_read_security_state interface that source domain of this interface can search sysctl_fs_t dirs.
+- Allow systemd-logind read access to efivarfs - Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables). #1244973, #1267207 (partial solution)
+- Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables)
+
* Fri Oct 02 2015 Lukas Vrabec 3.13.1-149
- Allow acpid to attempt to connect to the Linux kernel via generic netlink socket.
- We need to require sandbox_web_type attribute in sandbox_x_domain_template().