+##
-+## Allow users to login using a yubikey server
++## Allow users to login using a yubikey OTP server or challenge response mode
+##
+##
+gen_tunable(authlogin_yubikey, false)
@@ -33068,7 +33095,7 @@ index 0d4c8d3..3a3ec52 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..4917c6e 100644
+index 9e54bf9..5338f4d 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -33265,7 +33292,7 @@ index 9e54bf9..4917c6e 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
-@@ -288,17 +325,22 @@ init_exec_script_files(ipsec_mgmt_t)
+@@ -288,17 +325,23 @@ init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
@@ -33289,11 +33316,12 @@ index 9e54bf9..4917c6e 100644
+optional_policy(`
+ bind_read_dnssec_keys(ipsec_mgmt_t)
+ bind_read_config(ipsec_mgmt_t)
++ bind_read_state(ipsec_mgmt_t)
+')
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +364,10 @@ optional_policy(`
+@@ -322,6 +365,10 @@ optional_policy(`
')
optional_policy(`
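Review bot: The new `bind_read_state(ipsec_mgmt_t)` at the end of the bind optional_policy block carries no comment saying which ipsec management step needs to read named's state, although this block already hands ipsec_mgmt_t read access to DNSSEC key material and every further bind grant widens that exposure. I would record the trigger above the line, e.g. `# ipsec scripts read named runtime state (presumably for DNSSEC checks) -- confirm against the AVC that motivated this`, since the reason is not visible in the hunk. Also confirm that `bind_read_state` is actually declared in this tree's bind.if; a call to an undeclared interface will break the policy build even inside optional_policy. The inner ipsec.te hunk this block belongs to starts and ends outside this outer hunk.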
@@ -33304,7 +33332,7 @@ index 9e54bf9..4917c6e 100644
modutils_domtrans_insmod(ipsec_mgmt_t)
')
-@@ -335,7 +381,7 @@ optional_policy(`
+@@ -335,7 +382,7 @@ optional_policy(`
#
allow racoon_t self:capability { net_admin net_bind_service };
@@ -33313,7 +33341,7 @@ index 9e54bf9..4917c6e 100644
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +416,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +417,12 @@ kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
@@ -33333,7 +33361,7 @@ index 9e54bf9..4917c6e 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -401,10 +446,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +447,10 @@ locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t)
@@ -33346,7 +33374,7 @@ index 9e54bf9..4917c6e 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +483,8 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +484,8 @@ corenet_setcontext_all_spds(setkey_t)
locallogin_use_fds(setkey_t)
@@ -39247,7 +39275,7 @@ index 346a7cc..42a48b6 100644
+/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0)
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 6944526..98ac8bf 100644
+index 6944526..07fa942 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -39543,17 +39571,19 @@ index 6944526..98ac8bf 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_ldap_port($1)
-@@ -733,6 +904,9 @@ interface(`sysnet_use_ldap',`
+@@ -733,6 +904,11 @@ interface(`sysnet_use_ldap',`
dev_read_urand($1)
sysnet_read_config($1)
+
+ # LDAP Configuration using encrypted requires
+ dev_read_urand($1)
++
++ ldap_read_certs($1)
')
########################################
-@@ -754,7 +928,6 @@ interface(`sysnet_use_portmap',`
+@@ -754,7 +930,6 @@ interface(`sysnet_use_portmap',`
allow $1 self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled($1)
@@ -39561,7 +39591,7 @@ index 6944526..98ac8bf 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -766,3 +939,114 @@ interface(`sysnet_use_portmap',`
+@@ -766,3 +941,114 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
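Review bot: `ldap_read_certs($1)` is called unconditionally from the sysnet_use_ldap interface, so every domain that calls sysnet_use_ldap now hard-depends on the ldap module being built, whereas the equivalent cross-module bind grants in ipsec.te are wrapped in optional_policy. Unless the ldap module is guaranteed present in this policy, wrap the call in an `optional_policy(...)` block the same way. Separately, the new side of the interface now contains `dev_read_urand($1)` twice (the pre-existing line and the one under the new comment), which is harmless but should be collapsed, and the comment `# LDAP Configuration using encrypted requires` is cut off mid-sentence; I would complete it as `# LDAP over TLS needs random bytes and the CA certificates -- confirm`, hedged because the exact reason is not shown here.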
@@ -39677,7 +39707,7 @@ index 6944526..98ac8bf 100644
+ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index b7686d5..28f16ce 100644
+index b7686d5..3c77852 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6)
@@ -39905,7 +39935,7 @@ index b7686d5..28f16ce 100644
vmware_append_log(dhcpc_t)
')
-@@ -259,12 +307,23 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -259,12 +307,24 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -39922,6 +39952,7 @@ index b7686d5..28f16ce 100644
+can_exec(ifconfig_t, ifconfig_exec_t)
+
+manage_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
++manage_lnk_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
+create_dirs_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
+files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir })
+allow ifconfig_t ifconfig_var_run_t:file mounton;
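Review bot: `manage_lnk_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)` lets ifconfig_t create and delete symlinks of type ifconfig_var_run_t, but the `files_pid_filetrans` two lines below still names only `{ file dir }`, so a symlink created directly under /var/run would inherit the parent's var_run_t label and fall outside this new rule. If the symlinks are only ever created inside the already-labelled /var/run/netns directory that is fine; otherwise extend the transition to `files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir lnk_file })`. Either way a one-line comment naming the tool that creates them (presumably `ip netns`, inferred from the netns rules elsewhere in this patch) would help the next reader.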
@@ -39929,7 +39960,7 @@ index b7686d5..28f16ce 100644
kernel_use_fds(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
-@@ -274,14 +333,31 @@ kernel_rw_net_sysctls(ifconfig_t)
+@@ -274,14 +334,32 @@ kernel_rw_net_sysctls(ifconfig_t)
corenet_rw_tun_tap_dev(ifconfig_t)
@@ -39946,7 +39977,8 @@ index b7686d5..28f16ce 100644
+dev_unmount_sysfs_fs(ifconfig_t)
domain_use_interactive_fds(ifconfig_t)
-
++domain_read_all_domains_state(ifconfig_t)
++
+read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t)
+
+files_dontaudit_rw_inherited_pipes(ifconfig_t)
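Review bot: `domain_read_all_domains_state(ifconfig_t)` is a broad grant -- by its name it lets ifconfig_t read the /proc state of every domain on the system -- and it is added with no comment recording which operation needs it. Because ifconfig_t is entered from many callers (dhcpc, init scripts, user sessions), the trigger should be written down, e.g. `# ip netns pids/identify compares /proc/<pid>/ns/net across all processes -- confirm against the AVC` (the ip netns motive is an inference from the netns rules in this patch, not something this hunk shows). If a narrower per-domain state-read interface satisfies the actual denial, prefer that over the all-domains variant. The ifconfig_t rule set continues outside this hunk.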
@@ -39954,14 +39986,14 @@ index b7686d5..28f16ce 100644
+files_dontaudit_read_root_files(ifconfig_t)
+files_rw_inherited_tmp_file(ifconfig_t)
+files_dontaudit_rw_var_files(ifconfig_t)
-+
+
files_read_etc_files(ifconfig_t)
files_read_etc_runtime_files(ifconfig_t)
+files_read_usr_files(ifconfig_t)
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -294,22 +370,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -294,31 +372,50 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@@ -39988,8 +40020,13 @@ index b7686d5..28f16ce 100644
+userdom_use_inherited_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
++optional_policy(`
++ hostname_exec(ifconfig_t)
++')
++
ifdef(`distro_ubuntu',`
-@@ -318,7 +394,22 @@ ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(ifconfig_t)
')
')
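Review bot: The new optional_policy block calls `hostname_exec(ifconfig_t)` without a comment explaining which ifconfig_t caller runs hostname, and `hostname_exec` keeps the executed hostname in ifconfig_t instead of transitioning to hostname_t, so the dedicated hostname domain is bypassed for that invocation. If a transition is acceptable for the caller, `hostname_domtrans(ifconfig_t)` is the narrower choice, hedged on that interface being declared in this tree's hostname.if and the caller not needing hostname's output inherited in its own domain. Otherwise add `# network scripts under ifconfig_t invoke hostname -- confirm trigger` above the call so the reason is recorded.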
@@ -40012,7 +40049,7 @@ index b7686d5..28f16ce 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -329,8 +420,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -329,8 +426,11 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -40026,7 +40063,7 @@ index b7686d5..28f16ce 100644
')
optional_policy(`
-@@ -339,7 +433,15 @@ optional_policy(`
+@@ -339,7 +439,15 @@ optional_policy(`
')
optional_policy(`
@@ -40043,7 +40080,7 @@ index b7686d5..28f16ce 100644
')
optional_policy(`
-@@ -360,3 +462,13 @@ optional_policy(`
+@@ -360,3 +468,13 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -40112,10 +40149,10 @@ index 0000000..e9f1096
+/var/run/initramfs(/.*)? <