diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index a94c887..42c6b4f 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -15055,7 +15055,7 @@ index 649e458..646d467 100644
+ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 6fac350..5a087a7 100644
+index 6fac350..cdc610d 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -15236,18 +15236,19 @@ index 6fac350..5a087a7 100644
')
optional_policy(`
-@@ -312,6 +368,10 @@ optional_policy(`
+@@ -312,6 +368,11 @@ optional_policy(`
')
optional_policy(`
+ plymouthd_create_log(kernel_t)
++ plymouthd_filetrans_named_content(kernel_t)
+')
+
+optional_policy(`
# nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything.
allow kernel_t self:tcp_socket create_stream_socket_perms;
-@@ -332,9 +392,6 @@ optional_policy(`
+@@ -332,9 +393,6 @@ optional_policy(`
sysnet_read_config(kernel_t)
@@ -15257,7 +15258,7 @@ index 6fac350..5a087a7 100644
rpc_udp_rw_nfs_sockets(kernel_t)
tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +400,7 @@ optional_policy(`
+@@ -343,9 +401,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@@ -15268,7 +15269,7 @@ index 6fac350..5a087a7 100644
')
tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +409,7 @@ optional_policy(`
+@@ -354,7 +410,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@@ -15277,7 +15278,7 @@ index 6fac350..5a087a7 100644
')
')
-@@ -367,6 +422,15 @@ optional_policy(`
+@@ -367,6 +423,15 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
@@ -15293,7 +15294,7 @@ index 6fac350..5a087a7 100644
########################################
#
# Unlabeled process local policy
-@@ -409,4 +473,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+@@ -409,4 +474,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
@@ -19031,7 +19032,7 @@ index 0000000..cf6582f
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..1357cda
+index 0000000..539c163
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,328 @@
@@ -19327,7 +19328,7 @@ index 0000000..1357cda
+')
+
+optional_policy(`
-+# rpm_run(unconfined_t, unconfined_r)
++ rpm_run(unconfined_t, unconfined_r)
+ # Allow SELinux aware applications to request rpm_script execution
+ rpm_transition_script(unconfined_t)
+ rpm_dbus_chat(unconfined_t)
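Review bot: The re-enabled `rpm_run(unconfined_t, unconfined_r)` in unconfineduser.te carries no comment saying why it had been commented out or why it is safe to restore, and the spec changelog only records "Add back rpm_run for unconfined_t". The neighbouring `rpm_transition_script(unconfined_t)` line already has its own comment, so a one-line comment above the call would keep the two consistent, for example `# restored in 3.12.1-117: unconfined_t needs the rpm domain transition again`. The enclosing `optional_policy` block starts and ends outside this hunk.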
@@ -31278,7 +31279,7 @@ index b50c5fe..e55a556 100644
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e94884..ae63d78 100644
+index 4e94884..6118015 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -31485,7 +31486,33 @@ index 4e94884..ae63d78 100644
')
########################################
-@@ -722,6 +866,25 @@ interface(`logging_setattr_all_log_dirs',`
+@@ -609,6 +753,25 @@ interface(`logging_read_syslog_config',`
+
+ ########################################
+ ##
++## Manage syslog configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`logging_manage_syslog_config',`
++ gen_require(`
++ type syslog_conf_t;
++ ')
++
++ manage_files_pattern($1, syslog_conf_t, syslog_conf_t)
++')
++
++########################################
++##
+ ## Allows the domain to open a file in the
+ ## log directory, but does not allow the listing
+ ## of the contents of the log directory.
+@@ -722,6 +885,25 @@ interface(`logging_setattr_all_log_dirs',`
allow $1 logfile:dir setattr;
')
@@ -31511,7 +31538,7 @@ index 4e94884..ae63d78 100644
########################################
##
## Do not audit attempts to get the attributes
-@@ -776,7 +939,25 @@ interface(`logging_append_all_logs',`
+@@ -776,7 +958,25 @@ interface(`logging_append_all_logs',`
')
files_search_var($1)
@@ -31538,7 +31565,7 @@ index 4e94884..ae63d78 100644
')
########################################
-@@ -859,7 +1040,7 @@ interface(`logging_manage_all_logs',`
+@@ -859,7 +1059,7 @@ interface(`logging_manage_all_logs',`
files_search_var($1)
manage_files_pattern($1, logfile, logfile)
@@ -31547,7 +31574,7 @@ index 4e94884..ae63d78 100644
')
########################################
-@@ -885,6 +1066,44 @@ interface(`logging_read_generic_logs',`
+@@ -885,6 +1085,44 @@ interface(`logging_read_generic_logs',`
########################################
##
@@ -31592,7 +31619,7 @@ index 4e94884..ae63d78 100644
## Write generic log files.
##
##
-@@ -905,6 +1124,24 @@ interface(`logging_write_generic_logs',`
+@@ -905,6 +1143,24 @@ interface(`logging_write_generic_logs',`
########################################
##
@@ -31617,7 +31644,7 @@ index 4e94884..ae63d78 100644
## Dontaudit Write generic log files.
##
##
-@@ -984,11 +1221,16 @@ interface(`logging_admin_audit',`
+@@ -984,11 +1240,16 @@ interface(`logging_admin_audit',`
type auditd_t, auditd_etc_t, auditd_log_t;
type auditd_var_run_t;
type auditd_initrc_exec_t;
@@ -31635,7 +31662,7 @@ index 4e94884..ae63d78 100644
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
-@@ -1004,6 +1246,33 @@ interface(`logging_admin_audit',`
+@@ -1004,6 +1265,33 @@ interface(`logging_admin_audit',`
domain_system_change_exemption($1)
role_transition $2 auditd_initrc_exec_t system_r;
allow $2 system_r;
@@ -31669,7 +31696,7 @@ index 4e94884..ae63d78 100644
')
########################################
-@@ -1032,10 +1301,15 @@ interface(`logging_admin_syslog',`
+@@ -1032,10 +1320,15 @@ interface(`logging_admin_syslog',`
type syslogd_initrc_exec_t;
')
@@ -31687,7 +31714,7 @@ index 4e94884..ae63d78 100644
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
-@@ -1057,6 +1331,8 @@ interface(`logging_admin_syslog',`
+@@ -1057,6 +1350,8 @@ interface(`logging_admin_syslog',`
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
@@ -31696,7 +31723,7 @@ index 4e94884..ae63d78 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -1085,3 +1361,35 @@ interface(`logging_admin',`
+@@ -1085,3 +1380,35 @@ interface(`logging_admin',`
logging_admin_audit($1, $2)
logging_admin_syslog($1, $2)
')
@@ -35814,7 +35841,7 @@ index 346a7cc..42a48b6 100644
+/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0)
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 6944526..c9ab542 100644
+index 6944526..86c7a82 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -36062,8 +36089,11 @@ index 6944526..c9ab542 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -692,6 +842,8 @@ interface(`sysnet_dns_name_resolve',`
+@@ -690,8 +840,11 @@ interface(`sysnet_dns_name_resolve',`
+ corenet_tcp_sendrecv_dns_port($1)
+ corenet_udp_sendrecv_dns_port($1)
corenet_tcp_connect_dns_port($1)
++ corenet_tcp_connect_dnssec_port($1)
corenet_sendrecv_dns_client_packets($1)
+ miscfiles_read_generic_certs($1)
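Review bot: `corenet_tcp_connect_dnssec_port($1)` is added inside `sysnet_dns_name_resolve`, so every domain that calls this interface gains TCP connect to the dnssec port, not only the domain that prompted the change; `sysnet_dns_name_resolve(hypervkvp_t)` further down this page is one such caller. The dns port lines above it come as a sendrecv/connect pair, but the new line has no `corenet_tcp_sendrecv_dnssec_port($1)` next to it, so the two lists are no longer parallel. A short comment naming the resolver path that needs this port would let a later reviewer judge whether the grant belongs in the shared interface or in the individual caller. The interface body continues outside the hunk.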
@@ -36071,7 +36101,7 @@ index 6944526..c9ab542 100644
sysnet_read_config($1)
optional_policy(`
-@@ -720,8 +872,6 @@ interface(`sysnet_use_ldap',`
+@@ -720,8 +873,6 @@ interface(`sysnet_use_ldap',`
allow $1 self:tcp_socket create_socket_perms;
@@ -36080,7 +36110,7 @@ index 6944526..c9ab542 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_ldap_port($1)
-@@ -733,6 +883,9 @@ interface(`sysnet_use_ldap',`
+@@ -733,6 +884,9 @@ interface(`sysnet_use_ldap',`
dev_read_urand($1)
sysnet_read_config($1)
@@ -36090,7 +36120,7 @@ index 6944526..c9ab542 100644
')
########################################
-@@ -754,7 +907,6 @@ interface(`sysnet_use_portmap',`
+@@ -754,7 +908,6 @@ interface(`sysnet_use_portmap',`
allow $1 self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled($1)
@@ -36098,7 +36128,7 @@ index 6944526..c9ab542 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -766,3 +918,76 @@ interface(`sysnet_use_portmap',`
+@@ -766,3 +919,76 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index a5fd50f..c50e452 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -68,7 +68,7 @@ index e4f84de..2ed712d 100644
+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/abrt.if b/abrt.if
-index 058d908..ff0f9c2 100644
+index 058d908..10edac5 100644
--- a/abrt.if
+++ b/abrt.if
@@ -1,4 +1,26 @@
@@ -278,8 +278,30 @@ index 058d908..ff0f9c2 100644
##
##
##
-@@ -220,7 +297,7 @@ interface(`abrt_read_config',`
+@@ -218,9 +295,29 @@ interface(`abrt_read_config',`
+ read_files_pattern($1, abrt_etc_t, abrt_etc_t)
+ ')
++####################################
++##
++## Dontaudit read abrt configuration file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_dontaudit_read_config',`
++ gen_require(`
++ type abrt_etc_t;
++ ')
++
++ files_search_etc($1)
++ dontaudit $1 abrt_etc_t:dir list_dir_perms;
++ dontaudit $1 abrt_etc_t:file read_file_perms;
++')
++
######################################
##
-## Read abrt log files.
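Review bot: `abrt_dontaudit_read_config` calls `files_search_etc($1)`, which is an allow rule, so an interface named and documented as dontaudit-only also grants its caller search access on the etc directories. A dontaudit interface should only suppress audit messages; drop the `files_search_etc($1)` line and keep the two `dontaudit $1 abrt_etc_t:...` rules. The xguest.te hunk later on this page calls the interface for `xguest_t`, so the unintended grant lands on a restricted user domain.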
@@ -287,7 +309,7 @@ index 058d908..ff0f9c2 100644
##
##
##
-@@ -258,8 +335,7 @@ interface(`abrt_read_pid_files',`
+@@ -258,8 +355,7 @@ interface(`abrt_read_pid_files',`
######################################
##
@@ -297,7 +319,7 @@ index 058d908..ff0f9c2 100644
##
##
##
-@@ -276,10 +352,51 @@ interface(`abrt_manage_pid_files',`
+@@ -276,10 +372,51 @@ interface(`abrt_manage_pid_files',`
manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
')
@@ -351,7 +373,7 @@ index 058d908..ff0f9c2 100644
##
##
##
-@@ -288,39 +405,172 @@ interface(`abrt_manage_pid_files',`
+@@ -288,39 +425,172 @@ interface(`abrt_manage_pid_files',`
##
##
##
@@ -2016,7 +2038,7 @@ index 708b743..cc78465 100644
+ ps_process_pattern($1, alsa_t)
')
diff --git a/alsa.te b/alsa.te
-index cda6d20..443ce3c 100644
+index cda6d20..a80ddb9 100644
--- a/alsa.te
+++ b/alsa.te
@@ -21,16 +21,23 @@ files_tmp_file(alsa_tmp_t)
@@ -2045,7 +2067,7 @@ index cda6d20..443ce3c 100644
allow alsa_t self:sem create_sem_perms;
allow alsa_t self:shm create_shm_perms;
allow alsa_t self:unix_stream_socket { accept listen };
-@@ -51,6 +58,11 @@ userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
+@@ -51,7 +58,13 @@ userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
@@ -2055,9 +2077,11 @@ index cda6d20..443ce3c 100644
+files_pid_filetrans(alsa_t, alsa_var_run_t, { file dir })
+
kernel_read_system_state(alsa_t)
++kernel_signal(alsa_t)
corecmd_exec_bin(alsa_t)
-@@ -59,7 +71,6 @@ dev_read_sound(alsa_t)
+
+@@ -59,7 +72,6 @@ dev_read_sound(alsa_t)
dev_read_sysfs(alsa_t)
dev_write_sound(alsa_t)
@@ -2065,7 +2089,7 @@ index cda6d20..443ce3c 100644
files_search_var_lib(alsa_t)
term_dontaudit_use_console(alsa_t)
-@@ -72,8 +83,6 @@ init_use_fds(alsa_t)
+@@ -72,8 +84,6 @@ init_use_fds(alsa_t)
logging_send_syslog_msg(alsa_t)
@@ -4792,7 +4816,7 @@ index 83e899c..64beed7 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..b192ed8 100644
+index 1a82e29..9ac02fd 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,367 @@
@@ -5482,7 +5506,7 @@ index 1a82e29..b192ed8 100644
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -445,140 +552,167 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -445,140 +552,168 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -5560,6 +5584,7 @@ index 1a82e29..b192ed8 100644
+domain_use_interactive_fds(httpd_t)
+domain_dontaudit_read_all_domains_state(httpd_t)
++files_dontaudit_search_all_pids(httpd_t)
files_dontaudit_getattr_all_pids(httpd_t)
-files_read_usr_files(httpd_t)
+files_exec_usr_files(httpd_t)
@@ -5715,7 +5740,7 @@ index 1a82e29..b192ed8 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +723,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +724,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -5775,7 +5800,7 @@ index 1a82e29..b192ed8 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +775,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +776,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -5866,7 +5891,7 @@ index 1a82e29..b192ed8 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -690,66 +822,56 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,66 +823,56 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5964,7 +5989,7 @@ index 1a82e29..b192ed8 100644
')
optional_policy(`
-@@ -765,6 +887,23 @@ optional_policy(`
+@@ -765,6 +888,23 @@ optional_policy(`
')
optional_policy(`
@@ -5988,7 +6013,7 @@ index 1a82e29..b192ed8 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +920,52 @@ optional_policy(`
+@@ -781,34 +921,53 @@ optional_policy(`
')
optional_policy(`
@@ -6002,6 +6027,7 @@ index 1a82e29..b192ed8 100644
+')
+
+optional_policy(`
++ mirrormanager_read_pid_files(httpd_t)
+ mirrormanager_read_lib_files(httpd_t)
+ mirrormanager_read_log(httpd_t)
+')
@@ -6052,7 +6078,7 @@ index 1a82e29..b192ed8 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +973,18 @@ optional_policy(`
+@@ -816,8 +975,18 @@ optional_policy(`
')
optional_policy(`
@@ -6071,7 +6097,7 @@ index 1a82e29..b192ed8 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +993,7 @@ optional_policy(`
+@@ -826,6 +995,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -6079,7 +6105,7 @@ index 1a82e29..b192ed8 100644
')
optional_policy(`
-@@ -836,20 +1004,39 @@ optional_policy(`
+@@ -836,20 +1006,39 @@ optional_policy(`
')
optional_policy(`
@@ -6125,7 +6151,7 @@ index 1a82e29..b192ed8 100644
')
optional_policy(`
-@@ -857,19 +1044,35 @@ optional_policy(`
+@@ -857,19 +1046,35 @@ optional_policy(`
')
optional_policy(`
@@ -6161,7 +6187,7 @@ index 1a82e29..b192ed8 100644
udev_read_db(httpd_t)
')
-@@ -877,65 +1080,173 @@ optional_policy(`
+@@ -877,65 +1082,173 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6357,7 +6383,7 @@ index 1a82e29..b192ed8 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1255,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1257,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6512,7 +6538,7 @@ index 1a82e29..b192ed8 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1339,106 @@ optional_policy(`
+@@ -1077,172 +1341,106 @@ optional_policy(`
')
')
@@ -6749,7 +6775,7 @@ index 1a82e29..b192ed8 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1446,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1448,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6846,7 +6872,7 @@ index 1a82e29..b192ed8 100644
########################################
#
-@@ -1315,8 +1521,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1523,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6863,7 +6889,7 @@ index 1a82e29..b192ed8 100644
')
########################################
-@@ -1324,49 +1537,38 @@ optional_policy(`
+@@ -1324,49 +1539,38 @@ optional_policy(`
# User content local policy
#
@@ -6928,7 +6954,7 @@ index 1a82e29..b192ed8 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1578,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1580,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -17195,18 +17221,26 @@ index 28e1b86..0cf34ad 100644
+ openshift_transition(system_cronjob_t)
')
diff --git a/ctdb.fc b/ctdb.fc
-index 8401fe6..507804b 100644
+index 8401fe6..9131995 100644
--- a/ctdb.fc
+++ b/ctdb.fc
-@@ -2,6 +2,8 @@
+@@ -2,11 +2,16 @@
/usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
+/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_t,s0)
+
++/var/lib/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
/var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
/var/log/ctdb\.log.* -- gen_context(system_u:object_r:ctdbd_log_t,s0)
+ /var/log/log\.ctdb.* -- gen_context(system_u:object_r:ctdbd_log_t,s0)
+
++
++/var/run/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0)
+ /var/run/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0)
+
+ /var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0)
diff --git a/ctdb.if b/ctdb.if
index b25b01d..e99c5c6 100644
--- a/ctdb.if
@@ -17498,7 +17532,7 @@ index b25b01d..e99c5c6 100644
')
+
diff --git a/ctdb.te b/ctdb.te
-index 6ce66e7..dc080a7 100644
+index 6ce66e7..06f71d5 100644
--- a/ctdb.te
+++ b/ctdb.te
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
@@ -17526,19 +17560,22 @@ index 6ce66e7..dc080a7 100644
append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
-@@ -59,6 +64,11 @@ manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
+@@ -57,7 +62,13 @@ files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir)
+ exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
+ manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
- files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)
-
+-files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)
++files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir, "ctdb")
++
+manage_dirs_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
+manage_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
+manage_lnk_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
++files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdbd")
+files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdb")
-+
+
manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
- files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir)
-@@ -72,9 +82,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
+@@ -72,9 +83,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
corenet_tcp_sendrecv_generic_if(ctdbd_t)
corenet_tcp_sendrecv_generic_node(ctdbd_t)
corenet_tcp_bind_generic_node(ctdbd_t)
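Review bot: The named transitions added in ctdb.te do not line up with ctdb.fc. `files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir, "ctdb")` now fires only for a directory called `ctdb`, while ctdb.fc labels both `/var/lib/ctdb` and `/var/lib/ctdbd` as `ctdbd_var_lib_t`, so a `/var/lib/ctdbd` created at run time would no longer get the type automatically. In the other direction, `files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdbd")` has no matching `/var/ctdbd` entry in the visible part of ctdb.fc, so a relabel would presumably undo that label. If both names are intended under /var/lib, add `files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir, "ctdbd")`; otherwise add the missing file-context line or drop the `"ctdbd"` transition.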
@@ -17550,7 +17587,7 @@ index 6ce66e7..dc080a7 100644
corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
corecmd_exec_bin(ctdbd_t)
-@@ -85,12 +97,14 @@ dev_read_urand(ctdbd_t)
+@@ -85,12 +98,14 @@ dev_read_urand(ctdbd_t)
domain_dontaudit_read_all_domains_state(ctdbd_t)
@@ -17567,7 +17604,7 @@ index 6ce66e7..dc080a7 100644
miscfiles_read_public_files(ctdbd_t)
optional_policy(`
-@@ -109,6 +123,7 @@ optional_policy(`
+@@ -109,6 +124,7 @@ optional_policy(`
samba_initrc_domtrans(ctdbd_t)
samba_domtrans_net(ctdbd_t)
samba_rw_var_files(ctdbd_t)
@@ -27070,7 +27107,7 @@ index 0000000..1ed97fe
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..ed9fdd0
+index 0000000..36ff903
--- /dev/null
+++ b/glusterd.te
@@ -0,0 +1,200 @@
@@ -27228,7 +27265,7 @@ index 0000000..ed9fdd0
+fs_unmount_all_fs(glusterd_t)
+fs_getattr_all_fs(glusterd_t)
+
-+files_mounton_mnt(glusterd_t)
++files_mounton_non_security(glusterd_t)
+
+storage_rw_fuse(glusterd_t)
+
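Review bot: Replacing `files_mounton_mnt(glusterd_t)` with `files_mounton_non_security(glusterd_t)` widens the mount-point permission from the /mnt type to, judging by the interface name, every non-security file type, and nothing in the hunk records why. Together with the `fs_unmount_all_fs(glusterd_t)` line just above, this leaves little mount confinement on the domain. Add a comment naming the bug or the brick-path use case that needs it, for example `# bricks may be mounted on arbitrary directories, see rhbz#<ID> (placeholder)`, and consider whether a tunable or a narrower interface would cover the reported denial.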
@@ -31556,10 +31593,10 @@ index 0000000..b7ca833
+')
diff --git a/hypervkvp.te b/hypervkvp.te
new file mode 100644
-index 0000000..3543847
+index 0000000..b2d134d
--- /dev/null
+++ b/hypervkvp.te
-@@ -0,0 +1,65 @@
+@@ -0,0 +1,74 @@
+policy_module(hypervkvp, 1.0.0)
+
+########################################
@@ -31601,6 +31638,7 @@ index 0000000..3543847
+allow hyperv_domain self:unix_stream_socket create_stream_socket_perms;
+
+corecmd_exec_shell(hyperv_domain)
++corecmd_exec_bin(hyperv_domain)
+
+dev_read_sysfs(hyperv_domain)
+
@@ -31613,10 +31651,18 @@ index 0000000..3543847
+manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir)
+
++files_dontaudit_search_home(hypervkvp_t)
++
+logging_send_syslog_msg(hypervkvp_t)
+
+sysnet_dns_name_resolve(hypervkvp_t)
+
++userdom_dontaudit_search_admin_dir(hypervkvp_t)
++
++optional_policy(`
++ sysnet_exec_ifconfig(hypervkvp_t)
++')
++
+########################################
+#
+# hypervvssd local policy
@@ -42102,7 +42148,7 @@ index 6ffaba2..cb1e8b0 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index 6194b80..b8952a1 100644
+index 6194b80..03c6414 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@@ -42388,7 +42434,7 @@ index 6194b80..b8952a1 100644
##
##
##
-@@ -265,140 +173,153 @@ interface(`mozilla_exec_user_plugin_home_files',`
+@@ -265,140 +173,155 @@ interface(`mozilla_exec_user_plugin_home_files',`
##
#
interface(`mozilla_execmod_user_home_files',`
@@ -42488,6 +42534,8 @@ index 6194b80..b8952a1 100644
+ allow mozilla_plugin_t $1:unix_dgram_socket { sendto rw_socket_perms };
+ allow mozilla_plugin_t $1:shm { rw_shm_perms destroy };
+ allow mozilla_plugin_t $1:sem create_sem_perms;
++ allow $1 mozilla_plugin_t:sem rw_sem_perms;
++ allow $1 mozilla_plugin_t:shm rw_shm_perms;
+
+ ps_process_pattern($1, mozilla_plugin_t)
+ allow $1 mozilla_plugin_t:process signal_perms;
@@ -42602,7 +42650,7 @@ index 6194b80..b8952a1 100644
')
########################################
-@@ -424,8 +345,7 @@ interface(`mozilla_dbus_chat',`
+@@ -424,8 +347,7 @@ interface(`mozilla_dbus_chat',`
########################################
##
@@ -42612,7 +42660,7 @@ index 6194b80..b8952a1 100644
##
##
##
-@@ -433,76 +353,144 @@ interface(`mozilla_dbus_chat',`
+@@ -433,76 +355,144 @@ interface(`mozilla_dbus_chat',`
##
##
#
@@ -42786,7 +42834,7 @@ index 6194b80..b8952a1 100644
##
##
##
-@@ -510,19 +498,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
+@@ -510,19 +500,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
##
##
#
@@ -42811,7 +42859,7 @@ index 6194b80..b8952a1 100644
##
##
##
-@@ -530,45 +517,56 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +519,56 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
##
##
#
@@ -48514,10 +48562,10 @@ index 0000000..8d7c751
+')
diff --git a/namespace.te b/namespace.te
new file mode 100644
-index 0000000..c674894
+index 0000000..e289f2d
--- /dev/null
+++ b/namespace.te
-@@ -0,0 +1,39 @@
+@@ -0,0 +1,41 @@
+policy_module(namespace,1.0.0)
+
+########################################
@@ -48549,6 +48597,8 @@ index 0000000..c674894
+
+files_polyinstantiate_all(namespace_init_t)
+
++fs_getattr_xattr_fs(namespace_init_t)
++
+auth_use_nsswitch(namespace_init_t)
+
+term_use_console(namespace_init_t)
@@ -49161,7 +49211,7 @@ index 0e8508c..ee2e3de 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..bcaf742 100644
+index 0b48a30..34207b9 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -1,4 +1,4 @@
@@ -49201,7 +49251,7 @@ index 0b48a30..bcaf742 100644
-allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
+# networkmanager will ptrace itself if gdb is installed
+# and it receives a unexpected signal (rh bug #204161)
-+allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
++allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock sys_chroot };
+dontaudit NetworkManager_t self:capability sys_tty_config;
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
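Review bot: `sys_chroot` is appended to an already broad capability set on `NetworkManager_t`, and the only comment above the rule is about ptrace, so nothing records which helper needs chroot. Each capability on this line is a standing grant to a network-facing daemon, so the reason should be written down where the rule is: add a comment such as `# sys_chroot: required by <helper>, see rhbz#<ID> (placeholder)` directly above the `allow ... self:capability` line. That lets the capability be removed again once the caller no longer needs it.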
@@ -60329,7 +60379,7 @@ index 30e751f..78fb7c6 100644
admin_pattern($1, plymouthd_var_run_t)
')
diff --git a/plymouthd.te b/plymouthd.te
-index b1f412b..52acfb0 100644
+index b1f412b..b78836f 100644
--- a/plymouthd.te
+++ b/plymouthd.te
@@ -1,4 +1,4 @@
@@ -60375,13 +60425,13 @@ index b1f412b..52acfb0 100644
logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
-@@ -70,19 +69,27 @@ domain_use_interactive_fds(plymouthd_t)
+@@ -70,19 +69,26 @@ domain_use_interactive_fds(plymouthd_t)
fs_getattr_all_fs(plymouthd_t)
-files_read_etc_files(plymouthd_t)
-files_read_usr_files(plymouthd_t)
-
+-
term_getattr_pty_fs(plymouthd_t)
term_use_all_terms(plymouthd_t)
term_use_ptmx(plymouthd_t)
@@ -60407,12 +60457,16 @@ index b1f412b..52acfb0 100644
')
optional_policy(`
-@@ -90,35 +97,33 @@ optional_policy(`
+@@ -90,35 +96,37 @@ optional_policy(`
')
optional_policy(`
- xserver_manage_xdm_spool_files(plymouthd_t)
- xserver_read_xdm_state(plymouthd_t)
++ udev_read_pid_files(plymouthd_t)
++')
++
++optional_policy(`
+ xserver_xdm_manage_spool(plymouthd_t)
+ xserver_read_state_xdm(plymouthd_t)
')
@@ -88302,7 +88356,7 @@ index 1499b0b..6950cab 100644
- spamassassin_role($2, $1)
')
diff --git a/spamassassin.te b/spamassassin.te
-index 4faa7e0..4babad1 100644
+index 4faa7e0..04dd34a 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -1,4 +1,4 @@
@@ -88381,7 +88435,7 @@ index 4faa7e0..4babad1 100644
type spamd_initrc_exec_t;
init_script_file(spamd_initrc_exec_t)
-@@ -72,87 +39,196 @@ type spamd_log_t;
+@@ -72,87 +39,198 @@ type spamd_log_t;
logging_log_file(spamd_log_t)
type spamd_spool_t;
@@ -88518,6 +88572,8 @@ index 4faa7e0..4babad1 100644
+manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
++userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin")
++userdom_admin_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin")
+userdom_home_manager(spamassassin_t)
+
kernel_read_kernel_sysctls(spamassassin_t)
@@ -88600,7 +88656,7 @@ index 4faa7e0..4babad1 100644
nis_use_ypbind_uncond(spamassassin_t)
')
')
-@@ -160,6 +236,8 @@ optional_policy(`
+@@ -160,6 +238,8 @@ optional_policy(`
optional_policy(`
mta_read_config(spamassassin_t)
sendmail_stub(spamassassin_t)
@@ -88609,7 +88665,7 @@ index 4faa7e0..4babad1 100644
')
########################################
-@@ -167,72 +245,85 @@ optional_policy(`
+@@ -167,72 +247,85 @@ optional_policy(`
# Client local policy
#
@@ -88726,7 +88782,7 @@ index 4faa7e0..4babad1 100644
optional_policy(`
abrt_stream_connect(spamc_t)
-@@ -243,6 +334,7 @@ optional_policy(`
+@@ -243,6 +336,7 @@ optional_policy(`
')
optional_policy(`
@@ -88734,7 +88790,7 @@ index 4faa7e0..4babad1 100644
evolution_stream_connect(spamc_t)
')
-@@ -251,52 +343,55 @@ optional_policy(`
+@@ -251,52 +345,55 @@ optional_policy(`
')
optional_policy(`
@@ -88815,7 +88871,7 @@ index 4faa7e0..4babad1 100644
logging_log_filetrans(spamd_t, spamd_log_t, file)
manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
-@@ -308,7 +403,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+@@ -308,7 +405,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
@@ -88825,7 +88881,7 @@ index 4faa7e0..4babad1 100644
manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
-@@ -317,12 +413,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -317,12 +415,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
@@ -88841,7 +88897,7 @@ index 4faa7e0..4babad1 100644
corenet_all_recvfrom_netlabel(spamd_t)
corenet_tcp_sendrecv_generic_if(spamd_t)
corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +428,58 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +430,58 @@ corenet_udp_sendrecv_generic_node(spamd_t)
corenet_tcp_sendrecv_all_ports(spamd_t)
corenet_udp_sendrecv_all_ports(spamd_t)
corenet_tcp_bind_generic_node(spamd_t)
@@ -88944,7 +89000,7 @@ index 4faa7e0..4babad1 100644
')
optional_policy(`
-@@ -421,21 +498,13 @@ optional_policy(`
+@@ -421,21 +500,13 @@ optional_policy(`
')
optional_policy(`
@@ -88968,7 +89024,7 @@ index 4faa7e0..4babad1 100644
')
optional_policy(`
-@@ -443,8 +512,8 @@ optional_policy(`
+@@ -443,8 +514,8 @@ optional_policy(`
')
optional_policy(`
@@ -88978,7 +89034,7 @@ index 4faa7e0..4babad1 100644
')
optional_policy(`
-@@ -455,7 +524,12 @@ optional_policy(`
+@@ -455,7 +526,12 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
razor_read_lib_files(spamd_t)
@@ -88992,7 +89048,7 @@ index 4faa7e0..4babad1 100644
')
optional_policy(`
-@@ -463,9 +537,9 @@ optional_policy(`
+@@ -463,9 +539,9 @@ optional_policy(`
')
optional_policy(`
@@ -89003,7 +89059,7 @@ index 4faa7e0..4babad1 100644
')
optional_policy(`
-@@ -474,32 +548,32 @@ optional_policy(`
+@@ -474,32 +550,32 @@ optional_policy(`
########################################
#
@@ -89046,7 +89102,7 @@ index 4faa7e0..4babad1 100644
corecmd_exec_bin(spamd_update_t)
corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +582,21 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +584,21 @@ dev_read_urand(spamd_update_t)
domain_use_interactive_fds(spamd_update_t)
@@ -94238,7 +94294,7 @@ index e29db63..061fb98 100644
domain_system_change_exemption($1)
role_transition $2 tuned_initrc_exec_t system_r;
diff --git a/tuned.te b/tuned.te
-index 7116181..92703c0 100644
+index 7116181..177ecd6 100644
--- a/tuned.te
+++ b/tuned.te
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -94301,7 +94357,7 @@ index 7116181..92703c0 100644
corecmd_exec_bin(tuned_t)
corecmd_exec_shell(tuned_t)
-@@ -64,31 +78,57 @@ corecmd_exec_shell(tuned_t)
+@@ -64,31 +78,59 @@ corecmd_exec_shell(tuned_t)
dev_getattr_all_blk_files(tuned_t)
dev_getattr_all_chr_files(tuned_t)
dev_read_urand(tuned_t)
@@ -94323,10 +94379,12 @@ index 7116181..92703c0 100644
+auth_use_nsswitch(tuned_t)
logging_send_syslog_msg(tuned_t)
++#bug in tuned
++logging_manage_syslog_config(tuned_t)
++
++mount_read_pid_files(tuned_t)
-miscfiles_read_localization(tuned_t)
-+mount_read_pid_files(tuned_t)
-+
+modutils_domtrans_insmod(tuned_t)
udev_read_pid_files(tuned_t)
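Review bot: `logging_manage_syslog_config(tuned_t)` lets tuned create, modify and delete syslog configuration files, and the only justification is the comment `#bug in tuned`, with no bug number. A domain that can rewrite syslog configuration can change where log records are sent, so a workaround like this needs to be traceable and temporary: expand the comment to something like `# workaround: tuned rewrites syslog config, see rhbz#<ID> (placeholder); remove once tuned is fixed`. If tuned only opens the file without needing to change it, `logging_read_syslog_config(tuned_t)` or a dontaudit would be a tighter stopgap than full manage access.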
@@ -102271,7 +102329,7 @@ index 0cea2cd..7668014 100644
userdom_dontaudit_use_unpriv_user_fds(xfs_t)
diff --git a/xguest.te b/xguest.te
-index 2882821..8cf4841 100644
+index 2882821..0f1f514 100644
--- a/xguest.te
+++ b/xguest.te
@@ -1,4 +1,4 @@
@@ -102382,18 +102440,26 @@ index 2882821..8cf4841 100644
')
')
-@@ -84,12 +97,17 @@ optional_policy(`
+@@ -84,12 +97,25 @@ optional_policy(`
')
')
+
optional_policy(`
- apache_role(xguest_r, xguest_t)
++ abrt_dontaudit_read_config(xguest_t)
++')
++
++optional_policy(`
+ colord_dbus_chat(xguest_t)
+')
+
+optional_policy(`
+ chrome_role(xguest_r, xguest_t)
++')
++
++optional_policy(`
++ thumb_role(xguest_r, xguest_t)
')
optional_policy(`
@@ -102402,7 +102468,7 @@ index 2882821..8cf4841 100644
')
optional_policy(`
-@@ -97,75 +115,82 @@ optional_policy(`
+@@ -97,75 +123,82 @@ optional_policy(`
')
optional_policy(`
@@ -102420,7 +102486,7 @@ index 2882821..8cf4841 100644
- kernel_read_network_state(xguest_t)
+ mozilla_run_plugin(xguest_t, xguest_r)
+')
-
++
+optional_policy(`
+ mount_run_fusermount(xguest_t, xguest_r)
+')
@@ -102429,7 +102495,7 @@ index 2882821..8cf4841 100644
+ pcscd_read_pid_files(xguest_t)
+ pcscd_stream_connect(xguest_t)
+')
-+
+
+optional_policy(`
+ rhsmcertd_dontaudit_dbus_chat(xguest_t)
+')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3ea8db9..ed7629e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 116%{?dist}
+Release: 117%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -576,6 +576,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Jan 15 2014 Miroslav Grepl 3.12.1-117
+- Add back rpm_run for unconfined_t
+
* Mon Jan 13 2014 Miroslav Grepl 3.12.1-116
- Add missing files_create_var_lib_dirs()
- Fix typo in ipsec.te