diff --git a/container-selinux.tgz b/container-selinux.tgz
index 92b855c..8e1c934 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-f25-base.patch b/policy-f25-base.patch
index d6fb92d..a2c939a 100644
--- a/policy-f25-base.patch
+++ b/policy-f25-base.patch
@@ -2108,7 +2108,7 @@ index c6ca761..0c86bfd 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index c44c359..a3d4e61 100644
+index c44c359..5038ed0 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
@@ -2129,7 +2129,7 @@ index c44c359..a3d4e61 100644
# Perform network administration operations and have raw access to the network.
-allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot };
-+allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot };
++allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot setpcap };
dontaudit netutils_t self:capability { dac_override sys_tty_config };
allow netutils_t self:process { setcap signal_perms };
allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
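Review bot: `setpcap` is added to netutils_t's self capability set at the `++allow` line with no comment saying which tool needs it; together with the existing `allow netutils_t self:process { setcap signal_perms }` it lets the domain alter its own capability sets, which an auditor of this already setuid/setgid/net_raw domain will want explained. Suggest a preceding comment such as `# setpcap: needed when dropping capabilities after the raw socket is acquired (record which netutils binary produced the denial)`. If only one of the netutils binaries needs it, a narrower domain would leave the rest unchanged — confirm from the originating AVC.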
@@ -10227,7 +10227,7 @@ index 6a1e4d1..08fd8e4 100644
+ allow $1 domain:process rlimitinh;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..0d258dc 100644
+index cf04cb5..31ebde7 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,49 @@ policy_module(domain, 1.11.0)
@@ -10395,7 +10395,7 @@ index cf04cb5..0d258dc 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -160,11 +249,382 @@ allow unconfined_domain_type domain:msg { send receive };
+@@ -160,11 +249,386 @@ allow unconfined_domain_type domain:msg { send receive };
# For /proc/pid
allow unconfined_domain_type domain:dir list_dir_perms;
@@ -10431,6 +10431,10 @@ index cf04cb5..0d258dc 100644
+')
+
+optional_policy(`
++ ipa_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
+ locallogin_filetrans_home_content(named_filetrans_domain)
+')
+
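Review bot: `ipa_filetrans_named_content(named_filetrans_domain)` applies the IPA named transition to every domain carrying the `named_filetrans_domain` attribute, so any of them that creates `/tmp/ca.p12` gets an `ipa_tmp_t` file (the interface, added in the ipa.if hunk ending at L1042, is `files_tmp_filetrans($1, ipa_tmp_t, file, "ca.p12")`). A fixed name in a world-writable directory means the resulting label depends only on the filename, not on the creator; if a specific IPA domain is the real creator, calling the interface from that domain's .te is tighter. At minimum add `# <IPA tool> creates /tmp/ca.p12 — record the creating domain` above the call so the reason for a domain.te-wide transition is kept.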
@@ -23132,7 +23136,7 @@ index 234a940..a92415a 100644
########################################
##
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 0fef1fc..1ded252 100644
+index 0fef1fc..8116042 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,73 @@ policy_module(staff, 2.4.0)
@@ -23483,7 +23487,7 @@ index 0fef1fc..1ded252 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -176,3 +392,23 @@ ifndef(`distro_redhat',`
+@@ -176,3 +392,24 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -23503,6 +23507,7 @@ index 0fef1fc..1ded252 100644
+ dev_rw_kvm(staff_t)
+ virt_manage_images(staff_t)
+ virt_stream_connect_svirt(staff_t)
++ virt_systemctl(staff_t)
+ virt_rw_stream_sockets_svirt(staff_t)
+ virt_exec(staff_t)
+ ')
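Review bot: `virt_systemctl(staff_t)` lets the staff role drive virt units through systemctl, which goes beyond the image, /dev/kvm and stream-socket access in the surrounding lines; staff_t is the unprivileged login role, so unit control should be conditional. Only the closing `')` of the enclosing block is visible at L75, so confirm it is a `tunable_policy` and not an unconditional `optional_policy`; if the latter, move the new call under a boolean rather than granting it to every staff login.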
@@ -24971,10 +24976,10 @@ index 0000000..15b42ae
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..60c3f9d
+index 0000000..89f4076
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,358 @@
+@@ -0,0 +1,360 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -25037,6 +25042,8 @@ index 0000000..60c3f9d
+allow unconfined_t self:system syslog_read;
+dontaudit unconfined_t self:capability sys_module;
+
++allow unconfined_t file_type:system module_load;
++
+kernel_rw_unlabeled_socket(unconfined_t)
+kernel_rw_unlabeled_rawip_socket(unconfined_t)
+
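Review bot: `allow unconfined_t file_type:system module_load;` permits kernel modules to be loaded from a file of any type, including user-writable labels such as home and tmp content, which is the case the `module_load` check exists to prevent. If the need is loading distribution modules, restricting the target keeps the check meaningful: `allow unconfined_t modules_object_t:system module_load;`. If loading from arbitrary locations is intended for unconfined_t, say so in a comment, `# unconfined may finit_module any file type; narrower rule broke out-of-tree module builds (confirm)`, so the decision is not mistaken for an oversight later.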
@@ -33457,7 +33464,7 @@ index bc0ffc8..37b8ea5 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..6126f21 100644
+index 79a45f6..4181811 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@@ -34441,10 +34448,28 @@ index 79a45f6..6126f21 100644
## Do not audit attempts to read init script
## status files.
##
-@@ -1605,6 +2057,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1605,6 +2057,42 @@ interface(`init_rw_script_tmp_files',`
########################################
##
++## Do not audit attempts to read initrc_tmp_t files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`init_dontaudit_write_initrc_tmp',`
++ gen_require(`
++ type initrc_tmp_t;
++ ')
++
++ dontaudit $1 initrc_tmp_t:fifo_file write_fifo_file_perms;
++')
++
++########################################
++##
+## Read and write init script inherited temporary data.
+##
+##
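Review bot: The summary of `init_dontaudit_write_initrc_tmp` says "Do not audit attempts to read initrc_tmp_t files" but the body is `dontaudit $1 initrc_tmp_t:fifo_file write_fifo_file_perms;`, so the documentation names the wrong operation and object class. Change the summary line to `## Do not audit attempts to write initrc_tmp_t fifo files.` Since this is a dontaudit, callers such as the setfiles_domain hunk ending at L244 will no longer see these denials at all; a short comment stating that the writes are expected and harmless would justify hiding them.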
@@ -34466,7 +34491,7 @@ index 79a45f6..6126f21 100644
## Create files in a init script
## temporary data directory.
##
-@@ -1677,6 +2147,43 @@ interface(`init_read_utmp',`
+@@ -1677,6 +2165,43 @@ interface(`init_read_utmp',`
########################################
##
@@ -34510,7 +34535,7 @@ index 79a45f6..6126f21 100644
## Do not audit attempts to write utmp.
##
##
-@@ -1765,7 +2272,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1765,7 +2290,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -34519,7 +34544,7 @@ index 79a45f6..6126f21 100644
')
########################################
-@@ -1806,37 +2313,708 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1806,27 +2331,154 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
')
@@ -34556,21 +34581,13 @@ index 79a45f6..6126f21 100644
##
-## Allow the specified domain to connect to daemon with a udp socket
+## Allow listing of the /run/systemd directory.
- ##
- ##
--##
--## Domain allowed access.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`init_udp_recvfrom_all_daemons',`
-- gen_require(`
-- attribute daemon;
-- ')
-- corenet_udp_recvfrom_labeled($1, daemon)
++##
++#
+interface(`init_list_pid_dirs',`
+ gen_require(`
+ type init_var_run_t;
@@ -34691,19 +34708,13 @@ index 79a45f6..6126f21 100644
+########################################
+##
+## Allow the specified domain to connect to daemon with a udp socket
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_udp_recvfrom_all_daemons',`
-+ gen_require(`
-+ attribute daemon;
-+ ')
-+ corenet_udp_recvfrom_labeled($1, daemon)
-+')
+ ##
+ ##
+ ##
+@@ -1840,3 +2492,547 @@ interface(`init_udp_recvfrom_all_daemons',`
+ ')
+ corenet_udp_recvfrom_labeled($1, daemon)
+ ')
+
+########################################
+##
@@ -35247,7 +35258,7 @@ index 79a45f6..6126f21 100644
+
+ files_search_var_lib($1)
+ allow $1 init_var_lib_t:dir search_dir_perms;
- ')
++')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 17eda24..9c87847 100644
--- a/policy/modules/system/init.te
@@ -43131,7 +43142,7 @@ index 3822072..d358162 100644
+ allow semanage_t $1:dbus send_msg;
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index dc46420..8d4ed0f 100644
+index dc46420..ab282cf 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,16 @@ gen_require(`
@@ -43666,7 +43677,7 @@ index dc46420..8d4ed0f 100644
')
########################################
-@@ -522,111 +597,201 @@ ifdef(`distro_ubuntu',`
+@@ -522,111 +597,202 @@ ifdef(`distro_ubuntu',`
# Setfiles local policy
#
@@ -43844,6 +43855,7 @@ index dc46420..8d4ed0f 100644
+init_use_script_fds(setfiles_domain)
+init_use_script_ptys(setfiles_domain)
+init_exec_script_files(setfiles_domain)
++init_dontaudit_write_initrc_tmp(setfiles_domain)
+
+userdom_use_all_users_fds(setfiles_domain)
# for config files in a home directory
diff --git a/policy-f25-contrib.patch b/policy-f25-contrib.patch
index 4842c5d..888a1ea 100644
--- a/policy-f25-contrib.patch
+++ b/policy-f25-contrib.patch
@@ -3513,10 +3513,10 @@ index 0000000..c679dd3
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index 7caefc3..dac9ad5 100644
+index 7caefc3..966c2f3 100644
--- a/apache.fc
+++ b/apache.fc
-@@ -1,162 +1,217 @@
+@@ -1,162 +1,218 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3853,6 +3853,7 @@ index 7caefc3..dac9ad5 100644
+/var/www/html(/.*)?/wp_backups(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html(/.*)?/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html/owncloud/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/www/html/nextcloud/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -5528,7 +5529,7 @@ index f6eb485..fe461a3 100644
+ ps_process_pattern(httpd_t, $1)
')
diff --git a/apache.te b/apache.te
-index 6649962..2e31ff5 100644
+index 6649962..721a639 100644
--- a/apache.te
+++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@@ -7700,7 +7701,7 @@ index 6649962..2e31ff5 100644
')
########################################
-@@ -1330,49 +1630,40 @@ optional_policy(`
+@@ -1330,49 +1630,41 @@ optional_policy(`
# User content local policy
#
@@ -7739,6 +7740,7 @@ index 6649962..2e31ff5 100644
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_user_script_t)
+ read_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
++ read_lnk_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
')
tunable_policy(`httpd_read_user_content',`
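Review bot: `read_lnk_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)` grants reading of symlinks labelled httpd_user_content_type only; the link target is still checked under its own label, so this does not by itself let httpd_t follow links out of the user content tree, but a reader has to re-derive that. A comment above the line, `# follow symlinks within user content; targets remain subject to their own type`, would make the intent explicit. The enclosing tunable_policy block begins outside this hunk.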
@@ -7766,7 +7768,7 @@ index 6649962..2e31ff5 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1673,109 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1674,109 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -12315,10 +12317,14 @@ index 4a87873..113f3b3 100644
+
+mta_send_mail(certmaster_t)
diff --git a/certmonger.fc b/certmonger.fc
-index ed298d8..cd8eb4d 100644
+index ed298d8..c887648 100644
--- a/certmonger.fc
+++ b/certmonger.fc
-@@ -2,6 +2,8 @@
+@@ -1,7 +1,12 @@
++/etc/systemd/system/dirsrv.target.wants(/.*)? gen_context(system_u:object_r:certmonger_unit_file_t,s0)
++/usr/lib/systemd/system/certmonger.* gen_context(system_u:object_r:certmonger_unit_file_t,s0)
++
+ /etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0)
/usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
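Review bot: `/etc/systemd/system/dirsrv.target.wants(/.*)?` is labelled `certmonger_unit_file_t` although it belongs to the directory-server target, and the certmonger.te hunk ending at L381 gives certmonger_t `manage_file_perms`/`manage_dir_perms` on that type, so certmonger_t becomes able to add or remove units that systemd starts for dirsrv. If certmonger is expected to install a helper unit there (confirm against the denial that motivated this), document the cross-module label next to the entry, `# certmonger installs <unit> into dirsrv.target.wants (confirm)`; otherwise a dirsrv-owned type would keep the two services separated. Also `/usr/lib/systemd/system/certmonger.*` lacks the `--` file specifier the neighbouring entries use; add it unless a directory match is intended.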
@@ -12356,16 +12362,19 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index 550b287..61ce134 100644
+index 550b287..df89a52 100644
--- a/certmonger.te
+++ b/certmonger.te
-@@ -18,18 +18,23 @@ files_type(certmonger_var_lib_t)
+@@ -18,18 +18,26 @@ files_type(certmonger_var_lib_t)
type certmonger_var_run_t;
files_pid_file(certmonger_var_run_t)
+type certmonger_unconfined_exec_t;
+application_executable_file(certmonger_unconfined_exec_t)
+
++type certmonger_unit_file_t;
++systemd_unit_file(certmonger_unit_file_t)
++
########################################
#
# Local policy
@@ -12387,7 +12396,7 @@ index 550b287..61ce134 100644
manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
-@@ -41,6 +46,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file })
+@@ -41,6 +49,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file })
kernel_read_kernel_sysctls(certmonger_t)
kernel_read_system_state(certmonger_t)
@@ -12395,7 +12404,7 @@ index 550b287..61ce134 100644
corenet_all_recvfrom_unlabeled(certmonger_t)
corenet_all_recvfrom_netlabel(certmonger_t)
-@@ -49,17 +55,26 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
+@@ -49,17 +58,26 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
corenet_sendrecv_certmaster_client_packets(certmonger_t)
corenet_tcp_connect_certmaster_port(certmonger_t)
@@ -12423,7 +12432,7 @@ index 550b287..61ce134 100644
fs_search_cgroup_dirs(certmonger_t)
-@@ -68,18 +83,22 @@ auth_rw_cache(certmonger_t)
+@@ -68,18 +86,24 @@ auth_rw_cache(certmonger_t)
init_getattr_all_script_files(certmonger_t)
@@ -12437,6 +12446,8 @@ index 550b287..61ce134 100644
+
+systemd_exec_systemctl(certmonger_t)
+systemd_manage_all_unit_files(certmonger_t)
++systemd_start_systemd_services(certmonger_t)
++systemd_status_all_unit_files(certmonger_t)
userdom_search_user_home_content(certmonger_t)
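Review bot: `systemd_start_systemd_services(certmonger_t)` and `systemd_status_all_unit_files(certmonger_t)` sit next to the pre-existing `systemd_manage_all_unit_files(certmonger_t)`, giving a certificate-enrollment daemon write and start control over units system-wide rather than only those it owns. The certmonger.te hunk ending at L381 declares `certmonger_unit_file_t` and grants `manage_service_perms` on it, so the all-units interfaces look broader than needed; if the typed rule covers the real use, prefer it and record in a comment which units certmonger restarts (dirsrv, presumably, given the .fc hunk — confirm).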
@@ -12449,7 +12460,7 @@ index 550b287..61ce134 100644
')
optional_policy(`
-@@ -92,11 +111,65 @@ optional_policy(`
+@@ -92,11 +116,72 @@ optional_policy(`
')
optional_policy(`
@@ -12492,6 +12503,13 @@ index 550b287..61ce134 100644
+ sssd_delete_public_files(certmonger_t)
+')
+
++optional_policy(`
++ allow certmonger_t certmonger_unit_file_t:service manage_service_perms;
++ allow certmonger_t certmonger_unit_file_t:file manage_file_perms;
++ allow certmonger_t certmonger_unit_file_t:dir manage_dir_perms;
++ systemd_unit_file_filetrans(certmonger_t, certmonger_unit_file_t, dir)
++')
++
+########################################
+#
+# certmonger_unconfined_script_t local policy
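Review bot: The new `optional_policy` block wraps three plain `allow` rules on certmonger's own types; `optional_policy` is for rules that depend on another module, and only `systemd_unit_file_filetrans` here references anything outside certmonger, so the allow rules belong outside the block (and the wrapper may be unnecessary altogether if systemd is in base for this tree — confirm). Security-wise, `manage_file_perms`/`manage_dir_perms` on `certmonger_unit_file_t` covers the `dirsrv.target.wants` path labelled in the .fc hunk ending at L313, so certmonger_t can create unit symlinks that systemd executes as root; add `# certmonger writes <unit> into dirsrv.target.wants (confirm)` above the rules to justify the write access.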
@@ -16491,7 +16509,7 @@ index 881d92f..a2d588a 100644
+ ')
')
diff --git a/condor.te b/condor.te
-index ce9f040..320d6e8 100644
+index ce9f040..bd8d855 100644
--- a/condor.te
+++ b/condor.te
@@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t)
@@ -16534,15 +16552,17 @@ index ce9f040..320d6e8 100644
rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t)
-@@ -86,16 +97,14 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
+@@ -86,16 +97,15 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
allow condor_domain condor_master_t:process signull;
allow condor_domain condor_master_t:tcp_socket getattr;
+allow condor_domain condor_master_t:udp_socket { read write };
- kernel_read_kernel_sysctls(condor_domain)
+-kernel_read_kernel_sysctls(condor_domain)
kernel_read_network_state(condor_domain)
-kernel_read_system_state(condor_domain)
++kernel_rw_kernel_sysctl(condor_domain)
++kernel_search_network_sysctl(condor_domain)
corecmd_exec_bin(condor_domain)
corecmd_exec_shell(condor_domain)
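Review bot: Replacing `kernel_read_kernel_sysctls(condor_domain)` with `kernel_rw_kernel_sysctl(condor_domain)` moves the whole `condor_domain` attribute from reading to writing kernel sysctls; writable `/proc/sys/kernel` entries include ones that affect what the kernel runs as root, so this is a broad grant for a scheduler that also executes user jobs. If only one daemon needs the write (the master or startd, presumably — confirm), apply the rw interface to that domain alone and keep `kernel_read_kernel_sysctls(condor_domain)` for the rest, naming the sysctl in a comment: `# condor_<domain> writes /proc/sys/kernel/<name> (confirm from AVC)`. `kernel_search_network_sysctl(condor_domain)` is search-only and fine as written.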
@@ -16552,7 +16572,7 @@ index ce9f040..320d6e8 100644
corenet_tcp_sendrecv_generic_if(condor_domain)
corenet_tcp_sendrecv_generic_node(condor_domain)
-@@ -109,9 +118,9 @@ dev_read_rand(condor_domain)
+@@ -109,9 +119,9 @@ dev_read_rand(condor_domain)
dev_read_sysfs(condor_domain)
dev_read_urand(condor_domain)
@@ -16564,7 +16584,7 @@ index ce9f040..320d6e8 100644
sysnet_dns_name_resolve(condor_domain)
-@@ -130,7 +139,7 @@ optional_policy(`
+@@ -130,7 +140,7 @@ optional_policy(`
# Master local policy
#
@@ -16573,7 +16593,7 @@ index ce9f040..320d6e8 100644
allow condor_master_t condor_domain:process { sigkill signal };
-@@ -138,6 +147,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+@@ -138,6 +148,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
@@ -16584,7 +16604,7 @@ index ce9f040..320d6e8 100644
corenet_udp_sendrecv_generic_if(condor_master_t)
corenet_udp_sendrecv_generic_node(condor_master_t)
corenet_tcp_bind_generic_node(condor_master_t)
-@@ -157,6 +170,8 @@ domain_read_all_domains_state(condor_master_t)
+@@ -157,6 +171,8 @@ domain_read_all_domains_state(condor_master_t)
auth_use_nsswitch(condor_master_t)
@@ -16593,7 +16613,7 @@ index ce9f040..320d6e8 100644
optional_policy(`
mta_send_mail(condor_master_t)
mta_read_config(condor_master_t)
-@@ -174,6 +189,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
+@@ -174,6 +190,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
kernel_read_network_state(condor_collector_t)
@@ -16602,7 +16622,7 @@ index ce9f040..320d6e8 100644
#####################################
#
# Negotiator local policy
-@@ -183,12 +200,15 @@ allow condor_negotiator_t self:capability { setuid setgid };
+@@ -183,12 +201,15 @@ allow condor_negotiator_t self:capability { setuid setgid };
allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_negotiator_t condor_master_t:udp_socket getattr;
@@ -16618,7 +16638,7 @@ index ce9f040..320d6e8 100644
allow condor_procd_t condor_domain:process sigkill;
-@@ -206,6 +226,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
+@@ -206,6 +227,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
@@ -16627,16 +16647,21 @@ index ce9f040..320d6e8 100644
domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
-@@ -214,6 +236,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+@@ -214,6 +237,13 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
+corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t)
+
++optional_policy(`
++ mta_send_mail(condor_schedd_t)
++ mta_read_config(condor_schedd_t)
++')
++
#####################################
#
# Startd local policy
-@@ -238,11 +262,10 @@ domain_read_all_domains_state(condor_startd_t)
+@@ -238,11 +268,10 @@ domain_read_all_domains_state(condor_startd_t)
mcs_process_set_categories(condor_startd_t)
init_domtrans_script(condor_startd_t)
@@ -16649,7 +16674,7 @@ index ce9f040..320d6e8 100644
optional_policy(`
ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
ssh_domtrans(condor_startd_t)
-@@ -254,3 +277,7 @@ optional_policy(`
+@@ -254,3 +283,7 @@ optional_policy(`
kerberos_use(condor_startd_ssh_t)
')
')
@@ -25481,10 +25506,10 @@ index 0000000..b3784d8
+')
diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644
-index 0000000..f9f9806
+index 0000000..fa74f85
--- /dev/null
+++ b/dirsrv.te
-@@ -0,0 +1,203 @@
+@@ -0,0 +1,204 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
@@ -25606,6 +25631,7 @@ index 0000000..f9f9806
+files_read_usr_symlinks(dirsrv_t)
+
+fs_getattr_all_fs(dirsrv_t)
++fs_read_cgroup_files(dirsrv_t)
+
+auth_use_pam(dirsrv_t)
+
@@ -33123,7 +33149,7 @@ index e39de43..5edcb83 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index ab09d61..1a07290 100644
+index ab09d61..72d67c2 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,52 +1,76 @@
@@ -33247,7 +33273,7 @@ index ab09d61..1a07290 100644
########################################
#
# Gkeyringd policy
-@@ -89,37 +110,92 @@ template(`gnome_role_template',`
+@@ -89,37 +110,86 @@ template(`gnome_role_template',`
domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
@@ -33298,6 +33324,7 @@ index ab09d61..1a07290 100644
optional_policy(`
- dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+ dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
++ dbus_dontaudit_stream_connect_system_dbusd($1_gkeyringd_t)
+ gnome_manage_generic_home_dirs($1_gkeyringd_t)
+ gnome_read_generic_data_home_files($1_gkeyringd_t)
+ gnome_read_generic_data_home_dirs($1_gkeyringd_t)
@@ -33306,17 +33333,10 @@ index ab09d61..1a07290 100644
- gnome_dbus_chat_gkeyringd($1, $3)
+ telepathy_mission_control_read_state($1_gkeyringd_t)
+ telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t)
-+ ')
-+ ')
-+
-+ optional_policy(`
-+ gen_require(`
-+ type xguest_gkeyringd_t;
')
-+ dbus_dontaudit_stream_connect_session_bus(xguest_gkeyringd_t)
-+ ')
-+')
-+
+ ')
+ ')
+
+#######################################
+##
+## Allow domain to run gkeyring in the $1_gkeyringd_t domain.
@@ -33341,11 +33361,11 @@ index ab09d61..1a07290 100644
+ gen_require(`
+ type $1_gkeyringd_t;
+ type gkeyringd_exec_t;
- ')
++ ')
+ role $2 types $1_gkeyringd_t;
+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
- ')
-
++')
++
########################################
##
-## Execute gconf in the caller domain.
@@ -33353,7 +33373,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -127,18 +203,18 @@ template(`gnome_role_template',`
+@@ -127,18 +197,18 @@ template(`gnome_role_template',`
##
##
#
@@ -33377,7 +33397,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -146,119 +222,114 @@ interface(`gnome_exec_gconf',`
+@@ -146,119 +216,114 @@ interface(`gnome_exec_gconf',`
##
##
#
@@ -33534,7 +33554,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -266,15 +337,21 @@ interface(`gnome_create_generic_home_dirs',`
+@@ -266,15 +331,21 @@ interface(`gnome_create_generic_home_dirs',`
##
##
#
@@ -33561,7 +33581,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -282,57 +359,89 @@ interface(`gnome_setattr_config_dirs',`
+@@ -282,57 +353,89 @@ interface(`gnome_setattr_config_dirs',`
##
##
#
@@ -33669,7 +33689,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -340,15 +449,18 @@ interface(`gnome_read_generic_home_content',`
+@@ -340,15 +443,18 @@ interface(`gnome_read_generic_home_content',`
##
##
#
@@ -33693,7 +33713,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -356,22 +468,18 @@ interface(`gnome_manage_config',`
+@@ -356,22 +462,18 @@ interface(`gnome_manage_config',`
##
##
#
@@ -33721,7 +33741,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -379,53 +487,37 @@ interface(`gnome_manage_generic_home_content',`
+@@ -379,53 +481,37 @@ interface(`gnome_manage_generic_home_content',`
##
##
#
@@ -33783,7 +33803,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -433,17 +525,18 @@ interface(`gnome_home_filetrans',`
+@@ -433,17 +519,18 @@ interface(`gnome_home_filetrans',`
##
##
#
@@ -33806,7 +33826,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -451,23 +544,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
+@@ -451,23 +538,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
##
##
#
@@ -33834,7 +33854,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -475,22 +563,18 @@ interface(`gnome_read_generic_gconf_home_content',`
+@@ -475,22 +557,18 @@ interface(`gnome_read_generic_gconf_home_content',`
##
##
#
@@ -33861,7 +33881,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -498,79 +582,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
+@@ -498,79 +576,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
##
##
#
@@ -33959,7 +33979,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -579,12 +643,12 @@ interface(`gnome_home_filetrans_gnome_home',`
+@@ -579,12 +637,12 @@ interface(`gnome_home_filetrans_gnome_home',`
##
##
##
@@ -33974,7 +33994,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -593,18 +657,18 @@ interface(`gnome_home_filetrans_gnome_home',`
+@@ -593,18 +651,18 @@ interface(`gnome_home_filetrans_gnome_home',`
##
##
#
@@ -33999,7 +34019,7 @@ index ab09d61..1a07290 100644
##
##
##
-@@ -612,46 +676,58 @@ interface(`gnome_gconf_home_filetrans',`
+@@ -612,46 +670,80 @@ interface(`gnome_gconf_home_filetrans',`
##
##
#
@@ -34024,15 +34044,11 @@ index ab09d61..1a07290 100644
+## Read generic data home dirs.
##
-##
--##
--## The prefix of the user domain (e.g., user
--## is the prefix for user_t).
--##
+##
+##
+## Domain allowed access.
+##
- ##
++##
+#
+interface(`gnome_read_generic_data_home_dirs',`
+ gen_require(`
@@ -34046,6 +34062,30 @@ index ab09d61..1a07290 100644
+##
+## Manage gconf data home files
+##
++##
+ ##
+-## The prefix of the user domain (e.g., user
+-## is the prefix for user_t).
++## Domain allowed access.
+ ##
+ ##
++#
++interface(`gnome_manage_data',`
++ gen_require(`
++ type data_home_t;
++ type gconf_home_t;
++ ')
++
++ allow $1 gconf_home_t:dir search_dir_perms;
++ manage_dirs_pattern($1, data_home_t, data_home_t)
++ manage_files_pattern($1, data_home_t, data_home_t)
++ manage_lnk_files_pattern($1, data_home_t, data_home_t)
++')
++
++########################################
++##
++## Read icc data home content.
++##
##
##
## Domain allowed access.
@@ -34053,146 +34093,122 @@ index ab09d61..1a07290 100644
##
#
-interface(`gnome_dbus_chat_gkeyringd',`
-+interface(`gnome_manage_data',`
++interface(`gnome_read_home_icc_data_content',`
gen_require(`
- type $1_gkeyringd_t;
- class dbus send_msg;
-+ type data_home_t;
-+ type gconf_home_t;
++ type icc_data_home_t, gconf_home_t, data_home_t;
')
- allow $2 $1_gkeyringd_t:dbus send_msg;
- allow $1_gkeyringd_t $2:dbus send_msg;
-+ allow $1 gconf_home_t:dir search_dir_perms;
-+ manage_dirs_pattern($1, data_home_t, data_home_t)
-+ manage_files_pattern($1, data_home_t, data_home_t)
-+ manage_lnk_files_pattern($1, data_home_t, data_home_t)
++ userdom_search_user_home_dirs($1)
++ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
++ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
++ read_files_pattern($1, icc_data_home_t, icc_data_home_t)
++ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
')
########################################
##
-## Send and receive messages from all
-## gnome keyring daemon over dbus.
-+## Read icc data home content.
++## Read inherited icc data home files.
##
##
##
-@@ -659,59 +735,1090 @@ interface(`gnome_dbus_chat_gkeyringd',`
+@@ -659,46 +751,64 @@ interface(`gnome_dbus_chat_gkeyringd',`
##
##
#
-interface(`gnome_dbus_chat_all_gkeyringd',`
-+interface(`gnome_read_home_icc_data_content',`
++interface(`gnome_read_inherited_home_icc_data_files',`
gen_require(`
- attribute gkeyringd_domain;
- class dbus send_msg;
-+ type icc_data_home_t, gconf_home_t, data_home_t;
++ type icc_data_home_t;
')
- allow $1 gkeyringd_domain:dbus send_msg;
- allow gkeyringd_domain $1:dbus send_msg;
-+ userdom_search_user_home_dirs($1)
-+ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
-+ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
-+ read_files_pattern($1, icc_data_home_t, icc_data_home_t)
-+ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
++ allow $1 icc_data_home_t:file read_inherited_file_perms;
')
########################################
##
-## Connect to gnome keyring daemon
-## with a unix stream socket.
-+## Read inherited icc data home files.
++## Create gconf_home_t objects in the /root directory
##
-##
+##
++##
++## Domain allowed access.
++##
++##
++##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-+## Domain allowed access.
++## The class of the object to be created.
##
##
++##
++##
++## The name of the object being created.
++##
++##
+#
-+interface(`gnome_read_inherited_home_icc_data_files',`
++interface(`gnome_admin_home_gconf_filetrans',`
+ gen_require(`
-+ type icc_data_home_t;
++ type gconf_home_t;
+ ')
+
-+ allow $1 icc_data_home_t:file read_inherited_file_perms;
++ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
+')
+
+########################################
+##
-+## Create gconf_home_t objects in the /root directory
++## Do not audit attempts to read
++## inherited gconf config files.
+##
##
##
- ## Domain allowed access.
+-## Domain allowed access.
++## Domain to not audit.
##
##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
#
-interface(`gnome_stream_connect_gkeyringd',`
-+interface(`gnome_admin_home_gconf_filetrans',`
++interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
gen_require(`
- type $1_gkeyringd_t, gnome_keyring_tmp_t;
-+ type gconf_home_t;
++ type gconf_etc_t;
')
- files_search_tmp($2)
- stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
-+ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
++ dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
')
########################################
##
-## Connect to all gnome keyring daemon
-## with a unix stream socket.
-+## Do not audit attempts to read
-+## inherited gconf config files.
++## read gconf config files
##
##
##
--## Domain allowed access.
-+## Domain to not audit.
+@@ -706,12 +816,1003 @@ interface(`gnome_stream_connect_gkeyringd',`
##
##
#
-interface(`gnome_stream_connect_all_gkeyringd',`
-+interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
++interface(`gnome_read_gconf_config',`
gen_require(`
- attribute gkeyringd_domain;
- type gnome_keyring_tmp_t;
+ type gconf_etc_t;
- ')
-
-- files_search_tmp($1)
-- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
-+ dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## read gconf config files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_read_gconf_config',`
-+ gen_require(`
-+ type gconf_etc_t;
+ ')
+
+ allow $1 gconf_etc_t:dir list_dir_perms;
@@ -34335,9 +34351,10 @@ index ab09d61..1a07290 100644
+interface(`gnome_list_gkeyringd_tmp_dirs',`
+ gen_require(`
+ type gkeyringd_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
+ ')
+
+ files_search_tmp($1)
+- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
+ allow $1 gkeyringd_tmp_t:dir list_dir_perms;
+')
+
@@ -37896,10 +37913,10 @@ index 6517fad..f183748 100644
+ allow $1 hypervkvp_unit_file_t:service all_service_perms;
')
diff --git a/hypervkvp.te b/hypervkvp.te
-index 4eb7041..b205df0 100644
+index 4eb7041..ea3c933 100644
--- a/hypervkvp.te
+++ b/hypervkvp.te
-@@ -5,24 +5,154 @@ policy_module(hypervkvp, 1.0.0)
+@@ -5,24 +5,158 @@ policy_module(hypervkvp, 1.0.0)
# Declarations
#
@@ -37951,10 +37968,12 @@ index 4eb7041..b205df0 100644
+dev_read_sysfs(hyperv_domain)
+
+########################################
-+#
+ #
+# hypervkvp local policy
-+#
-+
+ #
+
+-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
+-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
+allow hypervkvp_t self:capability sys_ptrace;
+allow hypervkvp_t self:process setfscreate;
+allow hypervkvp_t self:netlink_route_socket rw_netlink_socket_perms;
@@ -38028,6 +38047,10 @@ index 4eb7041..b205df0 100644
+')
+
+optional_policy(`
++ hostname_exec(hypervkvp_t)
++')
++
++optional_policy(`
+ netutils_domtrans_ping(hypervkvp_t)
+ netutils_domtrans(hypervkvp_t)
+')
@@ -38045,12 +38068,10 @@ index 4eb7041..b205df0 100644
+')
+
+########################################
- #
++#
+# hypervvssd local policy
- #
-
--allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
--allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
++#
++
+allow hypervvssd_t self:capability sys_admin;
+
+dev_rw_hypervvssd(hypervvssd_t)
@@ -38770,10 +38791,10 @@ index 0000000..61f2003
+userdom_use_user_terminals(iotop_t)
diff --git a/ipa.fc b/ipa.fc
new file mode 100644
-index 0000000..419d280
+index 0000000..f4f8ed0
--- /dev/null
+++ b/ipa.fc
-@@ -0,0 +1,25 @@
+@@ -0,0 +1,27 @@
+/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
+
+/usr/lib/systemd/system/ipa-dnskeysyncd.* -- gen_context(system_u:object_r:ipa_dnskey_unit_file_t,s0)
@@ -38781,6 +38802,8 @@ index 0000000..419d280
+/usr/lib/systemd/system/ipa-ods-exporter.* -- gen_context(system_u:object_r:ipa_ods_exporter_unit_file_t,s0)
+
+/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
++/usr/libexec/ipa/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
++
+
+/usr/libexec/ipa/ipa-ods-exporter -- gen_context(system_u:object_r:ipa_ods_exporter_exec_t,s0)
+
@@ -38801,10 +38824,10 @@ index 0000000..419d280
+
diff --git a/ipa.if b/ipa.if
new file mode 100644
-index 0000000..ddbc007
+index 0000000..a25fe88
--- /dev/null
+++ b/ipa.if
-@@ -0,0 +1,252 @@
+@@ -0,0 +1,272 @@
+## Policy for IPA services.
+
+########################################
@@ -39057,6 +39080,26 @@ index 0000000..ddbc007
+
+ logging_log_named_filetrans($1, ipa_log_t, dir, "ipa")
+')
++
++#######################################
++##
++## Allow domain to create /tmp/ca.p12
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipa_filetrans_named_content',`
++
++ gen_require(`
++ type ipa_tmp_t;
++ ')
++
++ files_tmp_filetrans($1, ipa_tmp_t, file, "ca.p12")
++')
++
diff --git a/ipa.te b/ipa.te
new file mode 100644
index 0000000..55e151e
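Review bot: The summary on the new `ipa_filetrans_named_content` interface says it allows the domain to create /tmp/ca.p12, but the body only calls `files_tmp_filetrans`, which installs the type transition (plus the tmp_t directory access a transition needs); create and write permission on ipa_tmp_t files is not granted here and must come from the caller. A summary such as `## Label /tmp/ca.p12 as ipa_tmp_t when the domain creates it; the caller still needs its own ipa_tmp_t file permissions` keeps callers from assuming this interface is sufficient on its own. The extra trailing blank line after the closing `')` (the final `++` of the hunk) can also be dropped.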
@@ -63265,7 +63308,7 @@ index e96a309..4245308 100644
+')
+
diff --git a/ntp.te b/ntp.te
-index f81b113..76db00a 100644
+index f81b113..6d039fb 100644
--- a/ntp.te
+++ b/ntp.te
@@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t;
@@ -63278,7 +63321,11 @@ index f81b113..76db00a 100644
type ntp_conf_t;
files_config_file(ntp_conf_t)
-@@ -53,6 +56,8 @@ allow ntpd_t self:tcp_socket { accept listen };
+@@ -50,9 +53,12 @@ allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
+ allow ntpd_t self:fifo_file rw_fifo_file_perms;
+ allow ntpd_t self:shm create_shm_perms;
+ allow ntpd_t self:tcp_socket { accept listen };
++allow ntpd_t self:socket create_socket_perms;
manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
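Review bot: `allow ntpd_t self:socket create_socket_perms;` grants the generic `socket` class, which covers every address family that has no dedicated SELinux class, so it is considerably broader than the single family ntpd actually opened. The changelog ties this to BZ(1434395); the denial recorded there should show which family was involved, and if a dedicated class exists for it (or becomes available with extended socket classes) the rule should name that class instead. At minimum a comment above the rule, `# BZ(1434395): ntpd creates a socket of a family with no dedicated class (see AVC)`, documents why the generic class was chosen.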
@@ -63287,7 +63334,7 @@ index f81b113..76db00a 100644
allow ntpd_t ntp_conf_t:file read_file_perms;
-@@ -60,9 +65,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+@@ -60,9 +66,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
@@ -63298,7 +63345,7 @@ index f81b113..76db00a 100644
logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
-@@ -83,21 +86,16 @@ kernel_read_system_state(ntpd_t)
+@@ -83,21 +87,16 @@ kernel_read_system_state(ntpd_t)
kernel_read_network_state(ntpd_t)
kernel_request_load_module(ntpd_t)
@@ -63322,7 +63369,7 @@ index f81b113..76db00a 100644
corecmd_exec_bin(ntpd_t)
corecmd_exec_shell(ntpd_t)
-@@ -110,13 +108,15 @@ domain_use_interactive_fds(ntpd_t)
+@@ -110,13 +109,15 @@ domain_use_interactive_fds(ntpd_t)
domain_dontaudit_list_all_domains_state(ntpd_t)
files_read_etc_runtime_files(ntpd_t)
@@ -63339,7 +63386,7 @@ index f81b113..76db00a 100644
auth_use_nsswitch(ntpd_t)
-@@ -124,12 +124,14 @@ init_exec_script_files(ntpd_t)
+@@ -124,12 +125,14 @@ init_exec_script_files(ntpd_t)
logging_send_syslog_msg(ntpd_t)
@@ -63356,7 +63403,7 @@ index f81b113..76db00a 100644
cron_system_entry(ntpd_t, ntpdate_exec_t)
')
-@@ -152,9 +154,18 @@ optional_policy(`
+@@ -152,9 +155,18 @@ optional_policy(`
')
optional_policy(`
@@ -72139,10 +72186,10 @@ index 0000000..798efb6
+')
diff --git a/pki.te b/pki.te
new file mode 100644
-index 0000000..bdeebb9
+index 0000000..555b44a
--- /dev/null
+++ b/pki.te
-@@ -0,0 +1,281 @@
+@@ -0,0 +1,283 @@
+policy_module(pki,10.0.11)
+
+########################################
@@ -72255,6 +72302,8 @@ index 0000000..bdeebb9
+can_exec(pki_tomcat_t, pki_common_t)
+init_stream_connect_script(pki_tomcat_t)
+
++auth_read_passwd(pki_tomcat_t)
++
+search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)
+
+kernel_read_kernel_sysctls(pki_tomcat_t)
@@ -84104,7 +84153,7 @@ index 4460582..4c66c25 100644
+
')
diff --git a/radius.te b/radius.te
-index 403a4fe..93085f2 100644
+index 403a4fe..0958dc1 100644
--- a/radius.te
+++ b/radius.te
@@ -5,6 +5,13 @@ policy_module(radius, 1.13.0)
@@ -84226,7 +84275,18 @@ index 403a4fe..93085f2 100644
logrotate_exec(radiusd_t)
')
-@@ -140,5 +167,10 @@ optional_policy(`
+@@ -132,6 +159,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ postgresql_tcp_connect(radiusd_t)
++')
++
++optional_policy(`
+ samba_domtrans_winbind_helper(radiusd_t)
+ ')
+
+@@ -140,5 +171,10 @@ optional_policy(`
')
optional_policy(`
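Review bot: The new rule is `postgresql_tcp_connect(radiusd_t)`, but the changelog entry for this release describes the change as a stream connect to postgresql_t, so one of the two is inaccurate. If radiusd reaches PostgreSQL over the local unix socket, `postgresql_stream_connect(radiusd_t)` is the narrower grant; if TCP is genuinely required, the changelog wording should be corrected so the network exposure is visible to anyone auditing the policy. A one-line comment on the block, `# freeradius sql module connects to PostgreSQL over TCP`, would settle which is intended.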
@@ -89480,7 +89540,7 @@ index 6dbc905..4b17c93 100644
- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a2..7239c98 100644
+index d32e1a2..75b615f 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
@@ -89519,7 +89579,7 @@ index d32e1a2..7239c98 100644
manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
-@@ -50,25 +56,90 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+@@ -50,25 +56,94 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
kernel_read_network_state(rhsmcertd_t)
@@ -89587,6 +89647,10 @@ index d32e1a2..7239c98 100644
+')
+
+optional_policy(`
++ hostname_exec(rhsmcertd_t)
++')
++
++optional_policy(`
+ rhnsd_manage_config(rhsmcertd_t)
+')
+
@@ -95292,7 +95356,7 @@ index 50d07fb..a34db48 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 2b7c441..efe3f59 100644
+index 2b7c441..c3db0c7 100644
--- a/samba.te
+++ b/samba.te
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@@ -96391,9 +96455,10 @@ index 2b7c441..efe3f59 100644
#
-allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
+-dontaudit winbind_t self:capability sys_tty_config;
+allow winbind_t self:capability { kill dac_override ipc_lock setuid sys_nice };
+allow winbind_t self:capability2 block_suspend;
- dontaudit winbind_t self:capability sys_tty_config;
++dontaudit winbind_t self:capability { net_admin sys_tty_config };
allow winbind_t self:process { signal_perms getsched setsched };
allow winbind_t self:fifo_file rw_fifo_file_perms;
-allow winbind_t self:unix_stream_socket { accept listen };
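Review bot: The new `dontaudit winbind_t self:capability { net_admin sys_tty_config };` silently suppresses net_admin denials, and the hunk carries no comment explaining why winbind requests that capability. Since net_admin is a privileged capability, a dontaudit without a note makes it hard for a later reviewer to tell a benign probe from a real requirement that someone might then "fix" with an allow; a one-line comment above the rule such as `# net_admin is requested but not required; denial is harmless (BZ: <fill in>)` keeps the intent recorded. The same undocumented dontaudit of net_admin is added for sssd_selinux_manager_t in the sssd.te hunk later in this diff.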
@@ -99777,7 +99842,7 @@ index 35ad2a7..afdc7da 100644
+ admin_pattern($1, mail_spool_t)
')
diff --git a/sendmail.te b/sendmail.te
-index 12700b4..fde469b 100644
+index 12700b4..b520092 100644
--- a/sendmail.te
+++ b/sendmail.te
@@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t;
@@ -99812,13 +99877,14 @@ index 12700b4..fde469b 100644
logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir })
manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
-@@ -63,33 +65,22 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
+@@ -63,33 +65,23 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
kernel_read_network_state(sendmail_t)
kernel_read_kernel_sysctls(sendmail_t)
+# for piping mail to a command
kernel_read_system_state(sendmail_t)
+kernel_search_network_sysctl(sendmail_t)
++kernel_read_net_sysctls(sendmail_t)
-corenet_all_recvfrom_unlabeled(sendmail_t)
corenet_all_recvfrom_netlabel(sendmail_t)
@@ -99851,7 +99917,7 @@ index 12700b4..fde469b 100644
fs_getattr_all_fs(sendmail_t)
fs_search_auto_mountpoints(sendmail_t)
-@@ -98,35 +89,49 @@ fs_rw_anon_inodefs_files(sendmail_t)
+@@ -98,35 +90,49 @@ fs_rw_anon_inodefs_files(sendmail_t)
term_dontaudit_use_console(sendmail_t)
term_dontaudit_use_generic_ptys(sendmail_t)
@@ -99907,7 +99973,7 @@ index 12700b4..fde469b 100644
')
optional_policy(`
-@@ -134,8 +139,8 @@ optional_policy(`
+@@ -134,8 +140,8 @@ optional_policy(`
')
optional_policy(`
@@ -99918,7 +99984,7 @@ index 12700b4..fde469b 100644
')
optional_policy(`
-@@ -164,6 +169,10 @@ optional_policy(`
+@@ -164,6 +170,10 @@ optional_policy(`
')
optional_policy(`
@@ -99929,7 +99995,7 @@ index 12700b4..fde469b 100644
milter_stream_connect_all(sendmail_t)
')
-@@ -172,6 +181,11 @@ optional_policy(`
+@@ -172,6 +182,11 @@ optional_policy(`
')
optional_policy(`
@@ -99941,7 +100007,7 @@ index 12700b4..fde469b 100644
postfix_domtrans_postdrop(sendmail_t)
postfix_domtrans_master(sendmail_t)
postfix_domtrans_postqueue(sendmail_t)
-@@ -193,6 +207,10 @@ optional_policy(`
+@@ -193,6 +208,10 @@ optional_policy(`
')
optional_policy(`
@@ -99952,7 +100018,7 @@ index 12700b4..fde469b 100644
udev_read_db(sendmail_t)
')
-@@ -206,8 +224,6 @@ optional_policy(`
+@@ -206,8 +225,6 @@ optional_policy(`
#
optional_policy(`
@@ -104988,10 +105054,10 @@ index 0000000..821e158
+')
+
diff --git a/sssd.fc b/sssd.fc
-index dbb005a..8d53b6e 100644
+index dbb005a..e760512 100644
--- a/sssd.fc
+++ b/sssd.fc
-@@ -1,15 +1,26 @@
+@@ -1,15 +1,28 @@
/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
-/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0)
@@ -104999,6 +105065,7 @@ index dbb005a..8d53b6e 100644
-/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
++/usr/libexec/sssd/sssd_secrets -- gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/libexec/sssd/sssd_autofs -- gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/libexec/sssd/sssd_ifp -- gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/libexec/sssd/sssd_nss -- gen_context(system_u:object_r:sssd_exec_t,s0)
@@ -105024,8 +105091,9 @@ index dbb005a..8d53b6e 100644
-/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
+/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
++/var/run/secrets.socket gen_context(system_u:object_r:sssd_var_run_t,s0)
diff --git a/sssd.if b/sssd.if
-index a240455..04419ae 100644
+index a240455..277f8f2 100644
--- a/sssd.if
+++ b/sssd.if
@@ -1,21 +1,21 @@
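Review bot: The new context line `/var/run/secrets.socket gen_context(system_u:object_r:sssd_var_run_t,s0)` has neither a file-type flag nor an escaped dot, unlike the `--` entries around it; an unescaped `.` in a file-context regex matches any character, and an omitted type flag matches any object kind. Writing it as `/var/run/secrets\.socket -s gen_context(system_u:object_r:sssd_var_run_t,s0)` restricts the match to the socket itself, which matters because this is the label the `sssd_filetrans_named_content` transition in sssd.if expects to be consistent at relabel time. The `sssd.pid` line just above, unchanged by this commit, has the same unescaped dot and could be fixed alongside it.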
@@ -105338,7 +105406,7 @@ index a240455..04419ae 100644
##
##
##
-@@ -317,8 +408,65 @@ interface(`sssd_stream_connect',`
+@@ -317,8 +408,92 @@ interface(`sssd_stream_connect',`
########################################
##
@@ -105401,12 +105469,39 @@ index a240455..04419ae 100644
+
+########################################
+##
++## Transition to sssd named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sssd_filetrans_named_content',`
++ gen_require(`
++ type sssd_var_run_t;
++ type sssd_var_log_t;
++ type sssd_var_lib_t;
++ type sssd_public_t;
++ type sssd_conf_t;
++ ')
++
++ files_pid_filetrans($1, sssd_var_run_t, sock_file, "secrets.socket")
++ logging_log_filetrans($1, sssd_var_log_t, dir, "sssd")
++ files_var_lib_filetrans($1, sssd_var_lib_t, dir, "sss")
++ filetrans_pattern($1, sssd_var_lib_t, sssd_public_t, dir, "mc")
++ filetrans_pattern($1, sssd_var_lib_t, sssd_public_t, dir, "pubconf")
++ files_etc_filetrans($1, sssd_conf_t, dir, "sssd")
++')
++
++########################################
++##
+## All of the rules required to administrate
+## an sssd environment
##
##
##
-@@ -327,7 +475,7 @@ interface(`sssd_stream_connect',`
+@@ -327,7 +502,7 @@ interface(`sssd_stream_connect',`
##
##
##
@@ -105415,7 +105510,7 @@ index a240455..04419ae 100644
##
##
##
-@@ -335,27 +483,29 @@ interface(`sssd_stream_connect',`
+@@ -335,27 +510,29 @@ interface(`sssd_stream_connect',`
interface(`sssd_admin',`
gen_require(`
type sssd_t, sssd_public_t, sssd_initrc_exec_t;
@@ -105457,7 +105552,7 @@ index a240455..04419ae 100644
- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
-index 2d8db1f..6efbaac 100644
+index 2d8db1f..d4fee07 100644
--- a/sssd.te
+++ b/sssd.te
@@ -28,19 +28,31 @@ logging_log_file(sssd_var_log_t)
@@ -105575,7 +105670,7 @@ index 2d8db1f..6efbaac 100644
init_read_utmp(sssd_t)
-@@ -112,18 +131,64 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +131,67 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_generic_certs(sssd_t)
@@ -105603,7 +105698,7 @@ index 2d8db1f..6efbaac 100644
+ kerberos_read_home_content(sssd_t)
+ kerberos_rw_config(sssd_t)
+ kerberos_rw_keytab(sssd_t)
- ')
++')
+
+optional_policy(`
+ dirsrv_stream_connect(sssd_t)
@@ -105621,7 +105716,7 @@ index 2d8db1f..6efbaac 100644
+
+optional_policy(`
+ systemd_login_read_pid_files(sssd_t)
-+')
+ ')
+
+########################################
+#
@@ -105629,9 +105724,12 @@ index 2d8db1f..6efbaac 100644
+#
+
+allow sssd_selinux_manager_t self:capability { setgid setuid };
++dontaudit sssd_selinux_manager_t self:capability net_admin;
+
+domtrans_pattern(sssd_t, sssd_selinux_manager_exec_t, sssd_selinux_manager_t)
+
++init_ioctl_stream_sockets(sssd_selinux_manager_t)
++
+logging_send_audit_msgs(sssd_selinux_manager_t)
+
+seutil_semanage_policy(sssd_selinux_manager_t)
@@ -106943,10 +107041,10 @@ index 0000000..a6e216c
+
diff --git a/targetd.te b/targetd.te
new file mode 100644
-index 0000000..7f28cdd
+index 0000000..e187320
--- /dev/null
+++ b/targetd.te
-@@ -0,0 +1,65 @@
+@@ -0,0 +1,68 @@
+policy_module(targetd, 1.0.0)
+
+########################################
@@ -106972,6 +107070,7 @@ index 0000000..7f28cdd
+allow targetd_t self:capability { sys_admin };
+allow targetd_t self:fifo_file rw_fifo_file_perms;
+allow targetd_t self:unix_stream_socket create_stream_socket_perms;
++allow targetd_t self:unix_dgram_socket create_socket_perms;
+allow targetd_t self:tcp_socket listen;
+allow targetd_t self:netlink_route_socket r_netlink_socket_perms;
+allow targetd_t self:process setfscreate;
@@ -106981,6 +107080,7 @@ index 0000000..7f28cdd
+files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file })
+
+kernel_read_system_state(targetd_t)
++kernel_read_network_state(targetd_t)
+
+auth_use_nsswitch(targetd_t)
+
@@ -106993,6 +107093,7 @@ index 0000000..7f28cdd
+dev_read_sysfs(targetd_t)
+dev_read_urand(targetd_t)
+dev_rw_lvm_control(targetd_t)
++dev_getattr_loop_control(targetd_t)
+
+libs_exec_ldconfig(targetd_t)
+
@@ -109567,10 +109668,10 @@ index 0000000..46f12a4
+')
diff --git a/tlp.te b/tlp.te
new file mode 100644
-index 0000000..ae69138
+index 0000000..f31ed95
--- /dev/null
+++ b/tlp.te
-@@ -0,0 +1,70 @@
+@@ -0,0 +1,74 @@
+policy_module(tlp, 1.0.0)
+
+########################################
@@ -109635,6 +109736,10 @@ index 0000000..ae69138
+sysnet_exec_ifconfig(tlp_t)
+
+optional_policy(`
++ dbus_stream_connect_system_dbusd(tlp_t)
++')
++
++optional_policy(`
+ fstools_exec(tlp_t)
+')
+
@@ -110213,10 +110318,10 @@ index 0000000..e5cec8f
+')
diff --git a/tomcat.te b/tomcat.te
new file mode 100644
-index 0000000..3157eb8
+index 0000000..be57360
--- /dev/null
+++ b/tomcat.te
-@@ -0,0 +1,70 @@
+@@ -0,0 +1,68 @@
+policy_module(tomcat, 1.0.0)
+
+########################################
@@ -110236,6 +110341,7 @@ index 0000000..3157eb8
+# tomcat local policy
+#
+
++auth_use_nsswitch(tomcat_t)
+optional_policy(`
+ unconfined_domain(tomcat_t)
+')
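Review bot: `auth_use_nsswitch(tomcat_t)` is inserted directly before `optional_policy(` with no separating blank line, and it replaces the `auth_read_passwd(tomcat_domain)` that the next hunk of this file removes. Because the removed rule applied to the whole `tomcat_domain` attribute while the new call applies only to `tomcat_t`, any other type carrying that attribute (if one exists outside this view) loses passwd access; keeping `auth_read_passwd(tomcat_domain)` alongside the new call, or calling `auth_use_nsswitch` for each member type, would preserve that. Add a blank line after the new rule to match the surrounding layout.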
@@ -110279,9 +110385,6 @@ index 0000000..3157eb8
+fs_getattr_all_fs(tomcat_domain)
+fs_read_hugetlbfs_files(tomcat_domain)
+
-+
-+auth_read_passwd(tomcat_domain)
-+
+sysnet_dns_name_resolve(tomcat_domain)
+
+optional_policy(`
@@ -114887,7 +114990,7 @@ index facdee8..487857a 100644
+ dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
')
diff --git a/virt.te b/virt.te
-index f03dcf5..6c17c3f 100644
+index f03dcf5..975501d 100644
--- a/virt.te
+++ b/virt.te
@@ -1,451 +1,412 @@
@@ -115910,7 +116013,7 @@ index f03dcf5..6c17c3f 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -746,44 +717,341 @@ optional_policy(`
+@@ -746,44 +717,344 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@@ -115988,6 +116091,9 @@ index f03dcf5..6c17c3f 100644
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
++tunable_policy(`virt_use_nfs',`
++ fs_append_nfs_files(virtlogd_t)
++')
+
+########################################
+#
@@ -116074,7 +116180,7 @@ index f03dcf5..6c17c3f 100644
+corenet_tcp_bind_virt_migration_port(virt_domain)
+corenet_tcp_connect_virt_migration_port(virt_domain)
+corenet_rw_inherited_tun_tap_dev(virt_domain)
-+
+
+dev_list_sysfs(virt_domain)
+dev_getattr_fs(virt_domain)
+dev_dontaudit_getattr_all(virt_domain)
@@ -116189,7 +116295,7 @@ index f03dcf5..6c17c3f 100644
+ fs_read_cifs_symlinks(virt_domain)
+ fs_getattr_cifs(virt_domain)
+')
-
++
+tunable_policy(`virt_use_usb',`
+ dev_rw_usbfs(virt_domain)
+ dev_read_sysfs(virt_domain)
@@ -116274,7 +116380,7 @@ index f03dcf5..6c17c3f 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1062,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1065,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -116301,7 +116407,7 @@ index f03dcf5..6c17c3f 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1082,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1085,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -116335,7 +116441,7 @@ index f03dcf5..6c17c3f 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1119,20 @@ optional_policy(`
+@@ -856,14 +1122,20 @@ optional_policy(`
')
optional_policy(`
@@ -116357,7 +116463,7 @@ index f03dcf5..6c17c3f 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1157,66 @@ optional_policy(`
+@@ -888,49 +1160,66 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -116442,7 +116548,7 @@ index f03dcf5..6c17c3f 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1228,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1231,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -116462,7 +116568,7 @@ index f03dcf5..6c17c3f 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1249,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1252,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -116486,7 +116592,7 @@ index f03dcf5..6c17c3f 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1274,355 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1277,355 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -116656,6 +116762,10 @@ index f03dcf5..6c17c3f 100644
+ apache_read_sys_content(svirt_sandbox_domain)
+ ')
+')
++
++optional_policy(`
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++')
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -116740,10 +116850,6 @@ index f03dcf5..6c17c3f 100644
-
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
-+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
+ ssh_use_ptys(svirt_sandbox_domain)
+')
@@ -116934,10 +117040,10 @@ index f03dcf5..6c17c3f 100644
+
+term_use_generic_ptys(svirt_qemu_net_t)
+term_use_ptmx(svirt_qemu_net_t)
-+
-+dev_rw_kvm(svirt_qemu_net_t)
-allow svirt_prot_exec_t self:process { execmem execstack };
++dev_rw_kvm(svirt_qemu_net_t)
++
+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
+
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
@@ -116987,7 +117093,7 @@ index f03dcf5..6c17c3f 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1635,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1638,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -117002,7 +117108,7 @@ index f03dcf5..6c17c3f 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,7 +1653,7 @@ optional_policy(`
+@@ -1192,7 +1656,7 @@ optional_policy(`
########################################
#
@@ -117011,7 +117117,7 @@ index f03dcf5..6c17c3f 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1662,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1665,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7f04686..42709bb 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 225.14%{?dist}
+Release: 225.15%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -678,6 +678,41 @@ exit 0
%endif
%changelog
+* Sun May 14 2017 Lukas Vrabec - 3.13.1-225.15
+- auth_use_nsswitch can call only domain not attribute
+- Fix broken cermonger module
+- Dontaudit net_admin cap for winbind_t
+- Allow tlp_t domain to stream connect to system bus
+- Allow hypervkvp_t domain execute hostname
+- Dontaudit sssd_selinux_manager_t use of net_admin capability
+- Allow sssd_selinux_manager_t to ioctl init_t sockets
+- Allow pki_tomcat_t domain read /etc/passwd.
+- Label new path for ipa-otpd
+- Allow radiusd_t domain stream connect to postgresql_t
+- Allow rhsmcertd_t to execute hostname_exec_t binaries.
+- Allow virtlogd to append nfs_t files when virt_use_nfs=1
+- Allow httpd_t domain read also httpd_user_content_type lnk_files.
+- Dontaudit _gkeyringd_t stream connect to system_dbusd_t
+- Label /var/www/html/nextcloud/data as httpd_sys_rw_content_t
+- Add interface ipa_filetrans_named_content()
+- Allow tomcat use nsswitch
+- Allow dirsrv read cgroup files.
+- Allow certmonger_t start/status generic services
+- Allow sendmail_t domain sysctl_net_t files
+- Allow targetd_t domain read network state and getattr on loop_control_device_t
+- Allow condor_schedd_t domain send mails.
+- Fixed typo bugs from sssd module
+- Fix typo in sssd interface file
+- Add sssd_secrets labeling
+- Allow ntpd to creating sockets. BZ(1434395)
+- Revert "Allow _su_t to create netlink_selinux_socket"
+- Allow _su_t to create netlink_selinux_socket
+- Allow unconfined_t to module_load any file
+- Allow staff to systemctl virt server when staff_use_svirt=1
+- Allow unconfined_t create /tmp/ca.p12 file with ipa_tmp_t context
+- Allow netutils setpcap capability
+- Dontaudit leaked file descriptor happening in setfiles_t domain BZ(1388124)
+
* Thu Apr 20 2017 Michael Scherer - 3.13.1-225.14
- fix #1380325, selinux-policy-sandbox always removing sandbox module on upgrade