diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index c9dcd7a..dfc2324 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -109451,7 +109451,7 @@ index db981df..0b6597c 100644
+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
-index 9e9263a..2a7d3c1 100644
+index 9e9263a..4c513c1 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -122,6 +122,7 @@ interface(`corecmd_search_bin',`
@@ -109580,7 +109580,18 @@ index 9e9263a..2a7d3c1 100644
## Get the attributes of all executable files.
##
##
-@@ -1049,6 +1096,7 @@ interface(`corecmd_manage_all_executables',`
+@@ -1012,6 +1059,10 @@ interface(`corecmd_exec_all_executables',`
+ can_exec($1, exec_type)
+ list_dirs_pattern($1, bin_t, bin_t)
+ read_lnk_files_pattern($1, bin_t, exec_type)
++
++ ifdef(`enable_mls',`',`
++ files_exec_all_base_ro_files($1)
++ ')
+ ')
+
+ ########################################
+@@ -1049,6 +1100,7 @@ interface(`corecmd_manage_all_executables',`
type bin_t;
')
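Review bot: The new `ifdef(`enable_mls',`',` files_exec_all_base_ro_files($1) ')` block inside `corecmd_exec_all_executables` widens the interface beyond executable types on every non-MLS build, and nothing in the hunk records why MLS is excluded or why base read-only files count as executables here. Every existing caller inherits this silently — `corecmd_exec_all_executables(openshift_domain)` appears further down this commit — so a one-line comment above the `ifdef`, such as `# non-MLS builds also allow executing base read-only files (mirrors the other exec_all interface)`, would keep the next reader from treating it as an accident; the changelog entry "Missed this version of exec_all" suggests it is deliberate, but that text does not travel with the policy source. The `interface(...)` body continues outside the hunk.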
@@ -117438,7 +117449,7 @@ index 7be4ddf..f7021a0 100644
+
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 4bf45cb..69eae93 100644
+index 4bf45cb..58ee17c 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -267,7 +267,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@@ -117704,7 +117715,7 @@ index 4bf45cb..69eae93 100644
## Unconfined access to kernel module resources.
##
##
-@@ -2956,5 +3108,117 @@ interface(`kernel_unconfined',`
+@@ -2956,5 +3108,157 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -117822,6 +117833,46 @@ index 4bf45cb..69eae93 100644
+ ')
+
+ dontaudit $1 sysctl_type:file getattr;
++')
++
++########################################
++##
++## Read the process state (/proc/pid) of the kernel.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_read_state',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ allow $1 kernel_t:dir search_dir_perms;
++ allow $1 kernel_t:file read_file_perms;
++ allow $1 kernel_t:lnk_file read_lnk_file_perms;
++')
++
++########################################
++##
++## Dontaudit attempts to read the process state (/proc/pid) of the kernel.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_dontaudit_read_state',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ dontaudit $1 kernel_t:dir search_dir_perms;
++ dontaudit $1 kernel_t:file read_file_perms;
++ dontaudit $1 kernel_t:lnk_file read_lnk_file_perms;
')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index ab9b6cd..4c699a3 100644
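Review bot: `kernel_read_state` and `kernel_dontaudit_read_state` hand-roll the dir/file/lnk_file triple for reading another domain's /proc entries, whereas the rest of this commit uses the `ps_process_pattern` macro for the same need (chrome.te and usbmuxd.if hunks). If the extra `process getattr` that `ps_process_pattern` also grants is acceptable for `kernel_t`, the allow body could be the single line `ps_process_pattern($1, kernel_t)`, keeping the new interface consistent with how the policy elsewhere expresses "read process state"; if it is not acceptable, a comment saying so would stop a later cleanup from making that substitution. The `kernel_unconfined` interface this hunk attaches to starts outside the hunk.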
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 7100942..1c7e27e 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -2240,7 +2240,7 @@ index fd9fa07..50e40f7 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
-index 6480167..604d2bd 100644
+index 6480167..e77ad76 100644
--- a/apache.if
+++ b/apache.if
@@ -13,62 +13,48 @@
@@ -2825,7 +2825,7 @@ index 6480167..604d2bd 100644
##
##
+#
-+interface(`httpd_systemctl',`
++interface(`apache_systemctl',`
+ gen_require(`
+ type httpd_t;
+ type httpd_unit_file_t;
@@ -2906,7 +2906,7 @@ index 6480167..604d2bd 100644
admin_pattern($1, httpd_php_tmp_t)
admin_pattern($1, httpd_suexec_tmp_t)
+
-+ httpd_systemctl($1)
++ apache_systemctl($1)
+ admin_pattern($1, httpd_unit_file_t)
+ allow $1 httpd_unit_file_t:service all_service_perms;
+
@@ -3000,7 +3000,7 @@ index 6480167..604d2bd 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 0833afb..d53ed27 100644
+index 0833afb..6b3a61b 100644
--- a/apache.te
+++ b/apache.te
@@ -18,6 +18,8 @@ policy_module(apache, 2.4.0)
@@ -3709,35 +3709,12 @@ index 0833afb..d53ed27 100644
')
optional_policy(`
-@@ -594,6 +927,51 @@ optional_policy(`
+@@ -594,6 +927,32 @@ optional_policy(`
')
optional_policy(`
-+ pwauth_domtrans(httpd_t)
-+')
-+
-+optional_policy(`
-+ tunable_policy(`httpd_run_stickshift', `
-+ allow httpd_t self:capability { fowner fsetid sys_resource };
-+ dontaudit httpd_t self:capability sys_ptrace;
-+ allow httpd_t self:process setexec;
-+
-+ files_dontaudit_getattr_all_files(httpd_t)
-+ domain_dontaudit_read_all_domains_state(httpd_t)
-+ domain_getpgid_all_domains(httpd_t)
-+
-+ #optional_policy(`
-+ passenger_exec(httpd_t)
-+ passenger_manage_pid_content(httpd_t)
-+ passenger_manage_lib_files(httpd_t)
-+ #')
-+ ',`
-+ passenger_domtrans(httpd_t)
-+ passenger_manage_pid_content(httpd_t)
-+ passenger_read_lib_files(httpd_t)
-+ passenger_stream_connect(httpd_t)
-+ passenger_manage_tmp_files(httpd_t)
-+ ')
++ passenger_exec(httpd_t)
++ passenger_manage_pid_content(httpd_t)
+')
+
+optional_policy(`
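Review bot: `passenger_exec(httpd_t)` is now granted unconditionally in the passenger `optional_policy` block, whereas before this change it sat under the `httpd_run_stickshift` tunable and the non-stickshift branch only had `passenger_domtrans(httpd_t)`; that `passenger_domtrans` call still exists further down the file in the relocated tunable block, so in the default (non-stickshift) configuration httpd_t can now both transition into the passenger domain and run the passenger binary inside httpd_t itself. If keeping passenger in-domain is intended for all configurations, a comment on the `passenger_exec` line saying so would help; otherwise it belongs back under the tunable alongside `passenger_manage_lib_files`. The surrounding `optional_policy` chain continues outside the hunk.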
@@ -3754,6 +3731,10 @@ index 0833afb..d53ed27 100644
+')
+
+optional_policy(`
++ pwauth_domtrans(httpd_t)
++')
++
++optional_policy(`
+ rpc_search_nfs_state_data(httpd_t)
+')
+
@@ -3761,7 +3742,7 @@ index 0833afb..d53ed27 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -608,6 +986,11 @@ optional_policy(`
+@@ -608,6 +967,11 @@ optional_policy(`
')
optional_policy(`
@@ -3773,7 +3754,7 @@ index 0833afb..d53ed27 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -620,6 +1003,12 @@ optional_policy(`
+@@ -620,6 +984,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -3786,20 +3767,47 @@ index 0833afb..d53ed27 100644
########################################
#
# Apache helper local policy
-@@ -633,7 +1022,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -633,7 +1003,38 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
-userdom_use_user_terminals(httpd_helper_t)
+userdom_use_inherited_user_terminals(httpd_helper_t)
+
++tunable_policy(`httpd_run_stickshift', `
++ allow httpd_t self:capability { fowner fsetid sys_resource };
++ dontaudit httpd_t self:capability sys_ptrace;
++ allow httpd_t self:process setexec;
++
++ files_dontaudit_getattr_all_files(httpd_t)
++ domain_dontaudit_read_all_domains_state(httpd_t)
++ domain_getpgid_all_domains(httpd_t)
++')
++
++optional_policy(`
++ tunable_policy(`httpd_run_stickshift', `
++ passenger_manage_lib_files(httpd_t)
++ ',`
++ passenger_domtrans(httpd_t)
++ passenger_read_lib_files(httpd_t)
++ passenger_stream_connect(httpd_t)
++ passenger_manage_tmp_files(httpd_t)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`httpd_run_stickshift', `
++ oddjob_dbus_chat(httpd_t)
++ ')
++')
++
+tunable_policy(`httpd_tty_comm',`
+ userdom_use_inherited_user_terminals(httpd_helper_t)
+')
########################################
#
-@@ -671,28 +1064,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -671,28 +1072,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
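Review bot: The relocated `tunable_policy(`httpd_run_stickshift', ...)` blocks grant capabilities, `setexec` and `domain_getpgid_all_domains` to `httpd_t`, yet they are inserted directly under the `# Apache helper local policy` section header, so a reader scanning by section will attribute them to `httpd_helper_t`. Either move the three blocks above that section header or precede them with a line such as `# httpd_t rules for OpenShift (httpd_run_stickshift) deployments`. Separately, the unconditional `userdom_use_inherited_user_terminals(httpd_helper_t)` a few lines above makes the `httpd_tty_comm` tunable that repeats the same call a no-op; that predates this hunk but is worth a look while the section is being reorganised.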
@@ -3843,7 +3851,7 @@ index 0833afb..d53ed27 100644
')
########################################
-@@ -702,6 +1097,7 @@ optional_policy(`
+@@ -702,6 +1105,7 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -3851,7 +3859,7 @@ index 0833afb..d53ed27 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -716,19 +1112,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -716,19 +1120,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -3880,7 +3888,7 @@ index 0833afb..d53ed27 100644
files_read_usr_files(httpd_suexec_t)
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -738,15 +1142,14 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -738,15 +1150,14 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -3898,7 +3906,7 @@ index 0833afb..d53ed27 100644
corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
corenet_udp_sendrecv_generic_if(httpd_suexec_t)
corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
-@@ -757,13 +1160,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -757,13 +1168,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -3931,7 +3939,7 @@ index 0833afb..d53ed27 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -786,6 +1207,25 @@ optional_policy(`
+@@ -786,6 +1215,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -3957,7 +3965,7 @@ index 0833afb..d53ed27 100644
########################################
#
# Apache system script local policy
-@@ -806,12 +1246,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -806,12 +1254,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -3975,7 +3983,7 @@ index 0833afb..d53ed27 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -820,18 +1265,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -820,18 +1273,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -4034,7 +4042,7 @@ index 0833afb..d53ed27 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -839,14 +1316,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -839,14 +1324,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -4075,7 +4083,7 @@ index 0833afb..d53ed27 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -859,10 +1361,20 @@ optional_policy(`
+@@ -859,10 +1369,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -4096,7 +4104,7 @@ index 0833afb..d53ed27 100644
')
########################################
-@@ -878,11 +1390,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+@@ -878,11 +1398,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
@@ -4108,7 +4116,7 @@ index 0833afb..d53ed27 100644
########################################
#
-@@ -908,11 +1418,138 @@ optional_policy(`
+@@ -908,11 +1426,138 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -7610,10 +7618,10 @@ index 7a6e5ba..7475aa5 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index c3e3f79..6cfcb87 100644
+index c3e3f79..5449b48 100644
--- a/certmonger.te
+++ b/certmonger.te
-@@ -18,12 +18,17 @@ files_pid_file(certmonger_var_run_t)
+@@ -18,12 +18,18 @@ files_pid_file(certmonger_var_run_t)
type certmonger_var_lib_t;
files_type(certmonger_var_lib_t)
@@ -7628,11 +7636,12 @@ index c3e3f79..6cfcb87 100644
-allow certmonger_t self:capability { kill sys_nice };
+allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
+dontaudit certmonger_t self:capability sys_tty_config;
++allow certmonger_t self:capability2 block_suspend;
+
allow certmonger_t self:process { getsched setsched sigkill };
allow certmonger_t self:fifo_file rw_file_perms;
allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
-@@ -38,25 +43,47 @@ manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+@@ -38,25 +44,52 @@ manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir })
@@ -7658,6 +7667,8 @@ index c3e3f79..6cfcb87 100644
files_read_usr_files(certmonger_t)
files_list_tmp(certmonger_t)
++fs_search_cgroup_dirs(certmonger_t)
++
+auth_use_nsswitch(certmonger_t)
+auth_rw_cache(certmonger_t)
+
@@ -7669,12 +7680,15 @@ index c3e3f79..6cfcb87 100644
miscfiles_manage_generic_cert_files(certmonger_t)
-sysnet_dns_name_resolve(certmonger_t)
++systemd_exec_systemctl(certmonger_t)
++
+userdom_search_user_home_content(certmonger_t)
+
+optional_policy(`
+ apache_search_config(certmonger_t)
+ apache_signal(certmonger_t)
+ apache_signull(certmonger_t)
++ apache_systemctl(certmonger_t)
+')
+
+optional_policy(`
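Review bot: `systemd_exec_systemctl(certmonger_t)` is added unconditionally, but the only consumer visible in this hunk is the new `apache_systemctl(certmonger_t)` inside the apache `optional_policy` block. The `usbmuxd_systemctl` interface added later in this same commit calls `systemd_exec_systemctl($1)` itself, and if `apache_systemctl` follows the same shape the standalone line is redundant and could be dropped, which keeps certmonger's ability to execute systemctl tied to the module that needs it; if certmonger needs systemctl outside the apache case, a comment naming that use would justify the unconditional grant.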
@@ -7683,7 +7697,7 @@ index c3e3f79..6cfcb87 100644
optional_policy(`
dbus_system_bus_client(certmonger_t)
-@@ -64,9 +91,46 @@ optional_policy(`
+@@ -64,9 +97,46 @@ optional_policy(`
')
optional_policy(`
@@ -8303,10 +8317,10 @@ index 0000000..efebae7
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..0444bb3
+index 0000000..d4d04d0
--- /dev/null
+++ b/chrome.te
-@@ -0,0 +1,183 @@
+@@ -0,0 +1,185 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -8448,7 +8462,8 @@ index 0000000..0444bb3
+# chrome_sandbox_nacl local policy
+#
+
-+allow chrome_sandbox_nacl_t self:process { execmem setsched };
++allow chrome_sandbox_nacl_t self:process { execmem setsched sigkill sigstop signull signal };
++
+allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
+allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
+allow chrome_sandbox_nacl_t self:shm create_shm_perms;
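Review bot: The enlarged `self:process` rule spells out `sigkill sigstop signull signal` individually, while the rest of this commit expresses the same set through the `signal_perms` macro (`allow httpd_suexec_t self:process signal_perms;`, `allow $1 usbmuxd_t:process { signal_perms };`). Using `allow chrome_sandbox_nacl_t self:process { execmem setsched signal_perms };` would match that convention, provided the extra `sigchld` that `signal_perms` also carries is acceptable for a self-rule, which it normally is.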
@@ -8471,6 +8486,7 @@ index 0000000..0444bb3
+domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
+ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
+
++kernel_read_state(chrome_sandbox_nacl_t)
+kernel_read_system_state(chrome_sandbox_nacl_t)
+
+dev_read_urand(chrome_sandbox_nacl_t)
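Review bot: `kernel_read_state(chrome_sandbox_nacl_t)` relies on the `kernel_read_state` interface that this same commit introduces in policy-rawhide.patch, so policy_contrib-rawhide.patch is no longer buildable against a base policy that lacks that patch level. A short comment at the call site, `# requires kernel_read_state from the base policy patch of this release`, would make the cross-patch dependency visible to anyone backporting the contrib change on its own.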
@@ -40685,10 +40701,10 @@ index 0000000..3eb6a30
+##
diff --git a/openshift-origin.te b/openshift-origin.te
new file mode 100644
-index 0000000..966d0b3
+index 0000000..a437f80
--- /dev/null
+++ b/openshift-origin.te
-@@ -0,0 +1,14 @@
+@@ -0,0 +1,13 @@
+policy_module(openshift-origin,1.0.0)
+gen_require(`
+ attribute openshift_domain;
@@ -40701,14 +40717,13 @@ index 0000000..966d0b3
+allow openshift_domain self:socket_class_set create_socket_perms;
+corenet_tcp_connect_all_ports(openshift_domain)
+corenet_tcp_bind_all_ports(openshift_domain)
-+dev_read_sysfs(openshift_domain)
+files_read_config_files(openshift_domain)
diff --git a/openshift.fc b/openshift.fc
new file mode 100644
-index 0000000..fdff8eb
+index 0000000..8283601
--- /dev/null
+++ b/openshift.fc
-@@ -0,0 +1,22 @@
+@@ -0,0 +1,23 @@
+/etc/rc\.d/init\.d/libra gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mcollective gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+
@@ -40728,6 +40743,7 @@ index 0000000..fdff8eb
+
+/usr/bin/rhc-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/usr/bin/rhc-restorer-wrapper.sh -- gen_context(unconfined_u:object_r:httpd_openshift_script_exec_t,s0)
++/usr/bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+
+/var/run/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
+/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
@@ -41295,7 +41311,7 @@ index 0000000..681f8a0
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..91c558e
+index 0000000..8f642e4
--- /dev/null
+++ b/openshift.te
@@ -0,0 +1,351 @@
@@ -41462,7 +41478,7 @@ index 0000000..91c558e
+corecmd_bin_entry_type(openshift_domain)
+corecmd_exec_all_executables(openshift_domain)
+
-+dev_list_sysfs(openshift_domain)
++dev_read_sysfs(openshift_domain)
+dev_read_rand(openshift_domain)
+dev_dontaudit_append_rand(openshift_domain)
+dev_dontaudit_write_urand(openshift_domain)
@@ -41477,7 +41493,7 @@ index 0000000..91c558e
+fs_rw_hugetlbfs_files(openshift_domain)
+fs_rw_anon_inodefs_files(openshift_domain)
+fs_search_tmpfs(openshift_domain)
-+fs_getattr_xattr_fs(openshift_domain)
++fs_getattr_all_fs(openshift_domain)
+fs_dontaudit_getattr_all_fs(openshift_domain)
+fs_list_inotifyfs(openshift_domain)
+fs_dontaudit_list_auto_mountpoints(openshift_domain)
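Review bot: Replacing `fs_getattr_xattr_fs(openshift_domain)` with `fs_getattr_all_fs(openshift_domain)` makes the `fs_dontaudit_getattr_all_fs(openshift_domain)` on the very next line a no-op, since a dontaudit rule has nothing left to suppress once the same access is allowed. Drop the dontaudit line together with this change so the policy does not carry a contradictory pair.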
@@ -42848,10 +42864,10 @@ index 0000000..9dcdaa8
+')
diff --git a/phpfpm.te b/phpfpm.te
new file mode 100644
-index 0000000..4e2336b
+index 0000000..78af4d7
--- /dev/null
+++ b/phpfpm.te
-@@ -0,0 +1,60 @@
+@@ -0,0 +1,61 @@
+policy_module(phpfpm, 1.0.0)
+
+########################################
@@ -42891,6 +42907,7 @@ index 0000000..4e2336b
+manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
+files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, dir )
+
++kernel_read_system_state(phpfpm_t)
+kernel_read_kernel_sysctls(phpfpm_t)
+
+corenet_tcp_bind_generic_port(phpfpm_t)
@@ -51992,7 +52009,7 @@ index 0000000..e38693b
+')
diff --git a/realmd.te b/realmd.te
new file mode 100644
-index 0000000..9177fa2
+index 0000000..8c75780
--- /dev/null
+++ b/realmd.te
@@ -0,0 +1,58 @@
@@ -52029,6 +52046,7 @@ index 0000000..9177fa2
+logging_send_syslog_msg(realmd_t)
+
+sysnet_dns_name_resolve(realmd_t)
++systemd_exec_systemctl(realmd_t)
+
+optional_policy(`
+ dbus_system_domain(realmd_t, realmd_exec_t)
@@ -52051,8 +52069,7 @@ index 0000000..9177fa2
+
+optional_policy(`
+ sssd_read_config(realmd_t)
-+ sssd_write_config(realmd_t)
-+ sssd_create_config(realmd_t)
++ sssd_manage_config(realmd_t)
+')
diff --git a/remotelogin.te b/remotelogin.te
index 0a76027..18f59a7 100644
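Review bot: With `sssd_manage_config(realmd_t)` replacing the write and create calls, the `sssd_read_config(realmd_t)` kept on the line above appears to be subsumed, because `manage_files_pattern` already covers reading `sssd_conf_t` files. Unless `sssd_read_config` grants something beyond the file pattern (its body is not in this chunk), the block can shrink to the single `sssd_manage_config(realmd_t)` call.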
@@ -60318,10 +60335,10 @@ index 0000000..75931f8
+')
diff --git a/slpd.te b/slpd.te
new file mode 100644
-index 0000000..d76b43b
+index 0000000..cd475d6
--- /dev/null
+++ b/slpd.te
-@@ -0,0 +1,51 @@
+@@ -0,0 +1,52 @@
+policy_module(slpd, 1.0.0)
+
+########################################
@@ -60365,13 +60382,14 @@ index 0000000..d76b43b
+corenet_tcp_bind_all_ports(slpd_t)
+corenet_udp_bind_all_ports(slpd_t)
+
++dev_read_urand(slpd_t)
++
+domain_use_interactive_fds(slpd_t)
+
+files_read_etc_files(slpd_t)
+
+auth_use_nsswitch(slpd_t)
+
-+
+sysnet_dns_name_resolve(slpd_t)
diff --git a/slrnpull.te b/slrnpull.te
index e5e72fd..84936ca 100644
@@ -62133,7 +62151,7 @@ index 4271815..fb5520f 100644
/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)
diff --git a/sssd.if b/sssd.if
-index 941380a..a61f9fd 100644
+index 941380a..a86bc33 100644
--- a/sssd.if
+++ b/sssd.if
@@ -5,9 +5,9 @@
@@ -62148,7 +62166,7 @@ index 941380a..a61f9fd 100644
##
#
interface(`sssd_domtrans',`
-@@ -36,6 +36,64 @@ interface(`sssd_initrc_domtrans',`
+@@ -36,6 +36,83 @@ interface(`sssd_initrc_domtrans',`
init_labeled_script_domtrans($1, sssd_initrc_exec_t)
')
@@ -62210,10 +62228,29 @@ index 941380a..a61f9fd 100644
+ create_files_pattern($1, sssd_conf_t, sssd_conf_t)
+')
+
++####################################
++##
++## Manage sssd configuration.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sssd_manage_config',`
++ gen_require(`
++ type sssd_conf_t;
++ ')
++
++ files_search_etc($1)
++ manage_files_pattern($1, sssd_conf_t, sssd_conf_t)
++')
++
########################################
##
## Read sssd public files.
-@@ -89,6 +147,7 @@ interface(`sssd_manage_pids',`
+@@ -89,6 +166,7 @@ interface(`sssd_manage_pids',`
type sssd_var_run_t;
')
@@ -62221,7 +62258,7 @@ index 941380a..a61f9fd 100644
manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
')
-@@ -128,7 +187,6 @@ interface(`sssd_dontaudit_search_lib',`
+@@ -128,7 +206,6 @@ interface(`sssd_dontaudit_search_lib',`
')
dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
@@ -62229,7 +62266,7 @@ index 941380a..a61f9fd 100644
')
########################################
-@@ -148,6 +206,7 @@ interface(`sssd_read_lib_files',`
+@@ -148,6 +225,7 @@ interface(`sssd_read_lib_files',`
files_search_var_lib($1)
read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
@@ -62237,7 +62274,7 @@ index 941380a..a61f9fd 100644
')
########################################
-@@ -168,6 +227,7 @@ interface(`sssd_manage_lib_files',`
+@@ -168,6 +246,7 @@ interface(`sssd_manage_lib_files',`
files_search_var_lib($1)
manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
@@ -62245,7 +62282,7 @@ index 941380a..a61f9fd 100644
')
########################################
-@@ -193,7 +253,7 @@ interface(`sssd_dbus_chat',`
+@@ -193,7 +272,7 @@ interface(`sssd_dbus_chat',`
########################################
##
@@ -62254,7 +62291,7 @@ index 941380a..a61f9fd 100644
##
##
##
-@@ -225,21 +285,18 @@ interface(`sssd_stream_connect',`
+@@ -225,21 +304,18 @@ interface(`sssd_stream_connect',`
## The role to be allowed to manage the sssd domain.
##
##
@@ -65819,11 +65856,107 @@ index 74354da..f04565f 100644
+optional_policy(`
+ modutils_read_module_deps(usbmodules_t)
+')
+diff --git a/usbmuxd.fc b/usbmuxd.fc
+index 40b8b8d..cd80b9b 100644
+--- a/usbmuxd.fc
++++ b/usbmuxd.fc
+@@ -1,3 +1,4 @@
+ /usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
+
+ /var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
++/usr/lib/systemd/system/usbmuxd.* -- gen_context(system_u:object_r:usbmuxd_unit_file_t,s0)
+diff --git a/usbmuxd.if b/usbmuxd.if
+index 53792d3..823ac94 100644
+--- a/usbmuxd.if
++++ b/usbmuxd.if
+@@ -37,3 +37,65 @@ interface(`usbmuxd_stream_connect',`
+ files_search_pids($1)
+ stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
+ ')
++
++########################################
++##
++## Execute usbmuxd server in the usbmuxd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`usbmuxd_systemctl',`
++ gen_require(`
++ type usbmuxd_t;
++ type usbmuxd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 usbmuxd_unit_file_t:file read_file_perms;
++ allow $1 usbmuxd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, usbmuxd_t)
++')
++
++#####################################
++##
++## All of the rules required to administrate
++## an usbmuxd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed to manage the usbmuxd domain.
++##
++##
++##
++#
++interface(`usbmuxd_admin',`
++ gen_require(`
++ type usbmuxd_t,usbmuxd_var_run_t;
++ type usbmuxd_unit_file_t;
++ ')
++
++ allow $1 usbmuxd_t:process { signal_perms };
++ ps_process_pattern($1, usbmuxd_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 usbmuxd_t:process ptrace;
++ ')
++ allow $2 system_r;
++
++ files_list_pids($1)
++ admin_pattern($1, usbmuxd_var_run_t)
++
++ usbmuxd_systemctl($1)
++ admin_pattern($1, usbmuxd_unit_file_t)
++ allow $1 usbmuxd_unit_file_t:service all_service_perms;
++')
diff --git a/usbmuxd.te b/usbmuxd.te
-index 4440aa6..7f74e52 100644
+index 4440aa6..bfa8770 100644
--- a/usbmuxd.te
+++ b/usbmuxd.te
-@@ -33,10 +33,10 @@ kernel_read_system_state(usbmuxd_t)
+@@ -7,12 +7,15 @@ policy_module(usbmuxd, 1.1.0)
+
+ type usbmuxd_t;
+ type usbmuxd_exec_t;
+-application_domain(usbmuxd_t, usbmuxd_exec_t)
++init_system_domain(usbmuxd_t, usbmuxd_exec_t)
+ role system_r types usbmuxd_t;
+
+ type usbmuxd_var_run_t;
+ files_pid_file(usbmuxd_var_run_t)
+
++type usbmuxd_unit_file_t;
++systemd_unit_file(usbmuxd_unit_file_t)
++
+ ########################################
+ #
+ # usbmuxd local policy
+@@ -33,10 +36,10 @@ kernel_read_system_state(usbmuxd_t)
dev_read_sysfs(usbmuxd_t)
dev_rw_generic_usb_dev(usbmuxd_t)
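Review bot: The summary and parameter text of the new `usbmuxd_systemctl` interface were copied from a domain-transition interface: it says "Execute usbmuxd server in the usbmuxd domain" and "Domain allowed to transition", but the body grants `systemd_exec_systemctl`, read of `usbmuxd_unit_file_t` and `manage_service_perms` on its service, not a transition. Reword the summary to `Execute usbmuxd server in the usbmuxd domain via systemctl` (or `Start, stop and restart the usbmuxd service`) and the parameter to `Domain allowed access.`, matching how `usbmuxd_admin` below describes its parameter. The `gen_require` line `type usbmuxd_t,usbmuxd_var_run_t;` in `usbmuxd_admin` also lacks the space after the comma used everywhere else in the file.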
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 34309d0..985edd5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 38%{?dist}
+Release: 39%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Oct 16 2012 Miroslav Grepl 3.11.1-39
+- Add interfaces to read kernel_t proc info
+- Missed this version of exec_all
+- Allow anyone who can load a kernel module to compromise kernel
+- Add oddjob_dbus_chat to openshift apache policy
+- Allow chrome_sandbox_nacl_t to send signals to itself
+- Add unit file support to usbmuxd_t
+- Allow all openshift domains to read sysfs info
+- Allow openshift domains to getattr on all domains
+
* Fri Oct 12 2012 Miroslav Grepl 3.11.1-38
- MLS fixes from Dan
- Fix name of capability2 secure_firmware->compromise_kerne