diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index fac149d..da7ea8e 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -8721,7 +8721,7 @@ index 6a1e4d1..84e8030 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..2b917b5 100644 +index cf04cb5..5a40b38 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -8858,7 +8858,7 @@ index cf04cb5..2b917b5 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +231,296 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +231,297 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -9027,6 +9027,7 @@ index cf04cb5..2b917b5 100644 + systemd_login_reboot(unconfined_domain_type) + systemd_login_halt(unconfined_domain_type) + systemd_login_undefined(unconfined_domain_type) ++ systemd_filetrans_named_content(named_filetrans_domain) + systemd_filetrans_named_hostname(named_filetrans_domain) +') + @@ -22814,7 +22815,7 @@ index 6bf0ecc..9b46e11 100644 + dontaudit $1 xserver_log_t:dir search_dir_perms; +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..93b05fa 100644 +index 2696452..adbe339 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,59 @@ gen_require(` 
@@ -23179,7 +23180,7 @@ index 2696452..93b05fa 100644 + allow xdm_t self:process ptrace; +') + -+allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate }; ++allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate transition }; allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:sem create_sem_perms; @@ -27633,7 +27634,7 @@ index 24e7804..c4155c7 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..df6af48 100644 +index dd3be8d..b717a9e 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,24 @@ gen_require(` @@ -27681,7 +27682,7 @@ index dd3be8d..df6af48 100644 # Mark file type as a daemon run directory attribute daemonrundir; -@@ -35,12 +57,13 @@ attribute daemonrundir; +@@ -35,12 +57,14 @@ attribute daemonrundir; # # init_t is the domain of the init process. # @@ -27690,13 +27691,14 @@ index dd3be8d..df6af48 100644 type init_exec_t; domain_type(init_t) domain_entry_file(init_t, init_exec_t) ++domain_role_change_exemption(init_t) kernel_domtrans_to(init_t, init_exec_t) role system_r types init_t; +init_initrc_domain(init_t) # # init_var_run_t is the type for /var/run/shutdown.pid. -@@ -49,6 +72,15 @@ type init_var_run_t; +@@ -49,6 +73,15 @@ type init_var_run_t; files_pid_file(init_var_run_t) # @@ -27712,7 +27714,7 @@ index dd3be8d..df6af48 100644 # initctl_t is the type of the named pipe created # by init during initialization. This pipe is used # to communicate with init. -@@ -57,7 +89,7 @@ type initctl_t; +@@ -57,7 +90,7 @@ type initctl_t; files_type(initctl_t) mls_trusted_object(initctl_t) 
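Review bot: The `transition` permission appended to the `allow xdm_t self:process { ... }` rule in the `@@ -23179` hunk is not explained, and combined with the `setexec` already in that set it lets xdm_t set its own exec context and re-enter its domain across an exec. A one-line why-comment above the rule naming the display-manager code path that needs it would let a later auditor decide whether to keep it, e.g. `# transition on self: xdm sets its exec context to xdm_t before exec — document the caller`. The rest of the xdm_t self rules continue outside the hunk.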
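Review bot: `domain_role_change_exemption(init_t)` added in the `@@ -27690` hunk exempts init_t from the role-change constraint on every transition it performs, and the hunk records no reason for it. Since init_t is the source of transitions into most service domains this is a wide exemption; a comment stating the actual need, presumably user sessions or services started under a non-system role, would make it auditable, e.g. `# init starts processes under roles other than system_r; exempt from the role change constraint — confirm which`. The init_t declaration block continues on both sides of the hunk.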
@@ -27721,7 +27723,7 @@ index dd3be8d..df6af48 100644 type initrc_exec_t, init_script_file_type; domain_type(initrc_t) domain_entry_file(initrc_t, initrc_exec_t) -@@ -66,6 +98,8 @@ role system_r types initrc_t; +@@ -66,6 +99,8 @@ role system_r types initrc_t; # of the below init_upstart tunable # but this has a typeattribute in it corecmd_shell_entry_type(initrc_t) @@ -27730,7 +27732,7 @@ index dd3be8d..df6af48 100644 type initrc_devpts_t; term_pty(initrc_devpts_t) -@@ -98,7 +132,8 @@ ifdef(`enable_mls',` +@@ -98,7 +133,8 @@ ifdef(`enable_mls',` # # Use capabilities. old rule: @@ -27740,7 +27742,7 @@ index dd3be8d..df6af48 100644 # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -110,12 +145,33 @@ allow init_t self:fifo_file rw_fifo_file_perms; +@@ -110,12 +146,33 @@ allow init_t self:fifo_file rw_fifo_file_perms; # Re-exec itself can_exec(init_t, init_exec_t) @@ -27780,7 +27782,7 @@ index dd3be8d..df6af48 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +181,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +182,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -27799,7 +27801,7 @@ index dd3be8d..df6af48 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +199,20 @@ domain_signal_all_domains(init_t) +@@ -139,14 +200,20 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -27820,7 +27822,7 @@ index dd3be8d..df6af48 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +222,49 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +223,49 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) 
@@ -27873,7 +27875,7 @@ index dd3be8d..df6af48 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +273,182 @@ ifdef(`distro_gentoo',` +@@ -186,29 +274,182 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -28064,7 +28066,7 @@ index dd3be8d..df6af48 100644 ') optional_policy(` -@@ -216,7 +456,29 @@ optional_policy(` +@@ -216,7 +457,29 @@ optional_policy(` ') optional_policy(` @@ -28094,7 +28096,7 @@ index dd3be8d..df6af48 100644 ') ######################################## -@@ -225,8 +487,9 @@ optional_policy(` +@@ -225,8 +488,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -28106,7 +28108,7 @@ index dd3be8d..df6af48 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +520,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +521,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -28123,7 +28125,7 @@ index dd3be8d..df6af48 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +545,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +546,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -28166,7 +28168,7 @@ index dd3be8d..df6af48 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +582,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +583,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) 
@@ -28178,7 +28180,7 @@ index dd3be8d..df6af48 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +594,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +595,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -28189,7 +28191,7 @@ index dd3be8d..df6af48 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +605,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +606,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -28199,7 +28201,7 @@ index dd3be8d..df6af48 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +614,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +615,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -28207,7 +28209,7 @@ index dd3be8d..df6af48 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +621,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +622,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -28215,7 +28217,7 @@ index dd3be8d..df6af48 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +629,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +630,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -28233,7 +28235,7 @@ index dd3be8d..df6af48 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +647,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +648,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -28247,7 +28249,7 @@ index dd3be8d..df6af48 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +662,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +663,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -28261,7 +28263,7 @@ index dd3be8d..df6af48 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +675,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +676,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -28269,7 +28271,7 @@ index dd3be8d..df6af48 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +687,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +688,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -28277,7 +28279,7 @@ index dd3be8d..df6af48 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +706,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +707,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -28301,7 +28303,7 @@ index dd3be8d..df6af48 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +739,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +740,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) 
@@ -28309,7 +28311,7 @@ index dd3be8d..df6af48 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +773,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +774,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -28320,7 +28322,7 @@ index dd3be8d..df6af48 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +797,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +798,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -28329,7 +28331,7 @@ index dd3be8d..df6af48 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +812,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +813,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -28337,7 +28339,7 @@ index dd3be8d..df6af48 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +833,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +834,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -28345,7 +28347,7 @@ index dd3be8d..df6af48 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +843,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +844,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -28390,7 +28392,7 @@ index dd3be8d..df6af48 100644 ') optional_policy(` -@@ -558,14 +888,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +889,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -28422,7 +28424,7 @@ index dd3be8d..df6af48 100644 ') ') -@@ -576,6 +923,39 @@ ifdef(`distro_suse',` +@@ -576,6 +924,39 @@ ifdef(`distro_suse',` ') ') 
@@ -28462,7 +28464,7 @@ index dd3be8d..df6af48 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +968,8 @@ optional_policy(` +@@ -588,6 +969,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -28471,7 +28473,7 @@ index dd3be8d..df6af48 100644 ') optional_policy(` -@@ -609,6 +991,7 @@ optional_policy(` +@@ -609,6 +992,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -28479,7 +28481,7 @@ index dd3be8d..df6af48 100644 ') optional_policy(` -@@ -625,6 +1008,17 @@ optional_policy(` +@@ -625,6 +1009,17 @@ optional_policy(` ') optional_policy(` @@ -28497,7 +28499,7 @@ index dd3be8d..df6af48 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1035,13 @@ optional_policy(` +@@ -641,9 +1036,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -28511,7 +28513,7 @@ index dd3be8d..df6af48 100644 ') optional_policy(` -@@ -656,15 +1054,11 @@ optional_policy(` +@@ -656,15 +1055,11 @@ optional_policy(` ') optional_policy(` @@ -28529,7 +28531,7 @@ index dd3be8d..df6af48 100644 ') optional_policy(` -@@ -685,6 +1079,15 @@ optional_policy(` +@@ -685,6 +1080,15 @@ optional_policy(` ') optional_policy(` @@ -28545,7 +28547,7 @@ index dd3be8d..df6af48 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1128,7 @@ optional_policy(` +@@ -725,6 +1129,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -28553,7 +28555,7 @@ index dd3be8d..df6af48 100644 ') optional_policy(` -@@ -742,7 +1146,13 @@ optional_policy(` +@@ -742,7 +1147,13 @@ optional_policy(` ') optional_policy(` @@ -28568,7 +28570,7 @@ index dd3be8d..df6af48 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1175,10 @@ optional_policy(` +@@ -765,6 +1176,10 @@ optional_policy(` ') optional_policy(` 
@@ -28579,7 +28581,7 @@ index dd3be8d..df6af48 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1188,20 @@ optional_policy(` +@@ -774,10 +1189,20 @@ optional_policy(` ') optional_policy(` @@ -28600,7 +28602,7 @@ index dd3be8d..df6af48 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1210,10 @@ optional_policy(` +@@ -786,6 +1211,10 @@ optional_policy(` ') optional_policy(` @@ -28611,7 +28613,7 @@ index dd3be8d..df6af48 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1235,6 @@ optional_policy(` +@@ -807,8 +1236,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -28620,7 +28622,7 @@ index dd3be8d..df6af48 100644 ') optional_policy(` -@@ -817,6 +1243,10 @@ optional_policy(` +@@ -817,6 +1244,10 @@ optional_policy(` ') optional_policy(` @@ -28631,7 +28633,7 @@ index dd3be8d..df6af48 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1256,12 @@ optional_policy(` +@@ -826,10 +1257,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -28644,7 +28646,7 @@ index dd3be8d..df6af48 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1288,28 @@ optional_policy(` +@@ -856,12 +1289,28 @@ optional_policy(` ') optional_policy(` @@ -28674,7 +28676,7 @@ index dd3be8d..df6af48 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1319,18 @@ optional_policy(` +@@ -871,6 +1320,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -28693,7 +28695,7 @@ index dd3be8d..df6af48 100644 ') optional_policy(` -@@ -886,6 +1346,10 @@ optional_policy(` +@@ -886,6 +1347,10 @@ optional_policy(` ') optional_policy(` 
@@ -28704,7 +28706,7 @@ index dd3be8d..df6af48 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1360,196 @@ optional_policy(` +@@ -896,3 +1361,196 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -29489,7 +29491,7 @@ index c42fbc3..174cfdb 100644 ## ## Set the attributes of iptables config files. diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index 5dfa44b..4abf7fd 100644 +index 5dfa44b..cafb28e 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,15 @@ role iptables_roles types iptables_t; @@ -29600,8 +29602,8 @@ index 5dfa44b..4abf7fd 100644 +') + +optional_policy(` -+ quantum_rw_inherited_pipes(iptables_t) -+ quantum_sigchld(iptables_t) ++ neutron_rw_inherited_pipes(iptables_t) ++ neutron_sigchld(iptables_t) ') optional_policy(` @@ -39056,7 +39058,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..fc2fb65 100644 +index 3c5dba7..c4bc032 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -41746,7 +41748,7 @@ index 3c5dba7..fc2fb65 100644 ## ## ## -@@ -3431,11 +4227,1516 @@ interface(`userdom_create_all_users_keys',` +@@ -3431,11 +4227,1518 @@ interface(`userdom_create_all_users_keys',` ## ## # @@ -42659,6 +42661,8 @@ index 3c5dba7..fc2fb65 100644 + + userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert") + userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki") ++ userdom_admin_home_dir_filetrans($1, home_cert_t, dir, ".pki") ++ userdom_admin_home_dir_filetrans($1, home_cert_t, dir, ".cert") +') + +####################################### diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 04f1130..1179d3e 100644 
--- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -2682,10 +2682,10 @@ index 0000000..df5b3be +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..0c9dc73 +index 0000000..e10fe0d --- /dev/null +++ b/antivirus.te -@@ -0,0 +1,257 @@ +@@ -0,0 +1,261 @@ +policy_module(antivirus, 1.0.0) + +######################################## @@ -2783,14 +2783,12 @@ index 0000000..0c9dc73 + +can_exec(antivirus_domain, antivirus_exec_t) + ++kernel_read_network_state(antivirus_t) +kernel_read_net_sysctls(antivirus_t) +kernel_read_kernel_sysctls(antivirus_domain) +kernel_read_sysctl(antivirus_domain) +kernel_read_system_state(antivirus_t) + -+kernel_dontaudit_list_proc(antivirus_domain) -+kernel_dontaudit_read_proc_symlinks(antivirus_domain) -+ +corecmd_exec_bin(antivirus_domain) +corecmd_exec_shell(antivirus_domain) + @@ -2827,6 +2825,10 @@ index 0000000..0c9dc73 +corenet_tcp_connect_http_port(antivirus_domain) +corenet_tcp_sendrecv_http_port(antivirus_domain) + ++corenet_sendrecv_http_cache_client_packets(antivirus_domain) ++corenet_tcp_connect_http_cache_port(antivirus_domain) ++corenet_tcp_sendrecv_http_cache_port(antivirus_domain) ++ +corenet_sendrecv_snmp_client_packets(antivirus_domain) +corenet_tcp_connect_snmp_port(antivirus_domain) + @@ -2851,6 +2853,7 @@ index 0000000..0c9dc73 +init_read_state(antivirus_domain) +init_read_utmp(antivirus_domain) +init_stream_connect_script(antivirus_domain) ++init_dontaudit_write_utmp(antivirus_domain) + +logging_send_syslog_msg(antivirus_t) + @@ -2858,6 +2861,7 @@ index 0000000..0c9dc73 + +sysnet_use_ldap(antivirus_domain) + ++userdom_stream_connect(antivirus_domain) +userdom_dontaudit_search_user_home_dirs(antivirus_domain) + +tunable_policy(`antivirus_can_scan_system',` @@ -9204,10 +9208,10 @@ index 02fefaa..fbcef10 100644 + ') ') diff --git a/boinc.te b/boinc.te -index 7c92aa1..6b6cd51 100644 +index 7c92aa1..47619ff 100644 --- a/boinc.te 
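Review bot: The `@@ -2783` hunk drops `kernel_dontaudit_list_proc(antivirus_domain)` and `kernel_dontaudit_read_proc_symlinks(antivirus_domain)` while the new grant, `kernel_read_network_state(antivirus_t)`, is scoped to the single type, so any other member of `antivirus_domain` that still walks /proc loses the dontaudit without gaining a read rule and its denials become audited noise. Either keep the two dontaudit lines or scope the new rule to the attribute, `kernel_read_network_state(antivirus_domain)`, which would also match `kernel_read_kernel_sysctls(antivirus_domain)` directly below it. Separately, `userdom_stream_connect(antivirus_domain)` in the `@@ -2858` hunk opens every antivirus domain to user-domain unix sockets and deserves a comment naming the scanner component that needs it. Both hunks sit inside the antivirus_domain rule block that continues outside them.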
+++ b/boinc.te -@@ -1,11 +1,13 @@ +@@ -1,11 +1,20 @@ -policy_module(boinc, 1.0.3) +policy_module(boinc, 1.0.0) @@ -9217,13 +9221,20 @@ index 7c92aa1..6b6cd51 100644 # -type boinc_t; ++## ++##

++## Allow boinc_domain execmem/execstack. ++##

++##
++gen_tunable(boinc_execmem, true) ++ +attribute boinc_domain; + +type boinc_t, boinc_domain; type boinc_exec_t; init_daemon_domain(boinc_t, boinc_exec_t) -@@ -21,31 +23,66 @@ files_tmpfs_file(boinc_tmpfs_t) +@@ -21,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t) type boinc_var_lib_t; files_type(boinc_var_lib_t) @@ -9255,7 +9266,6 @@ index 7c92aa1..6b6cd51 100644 +allow boinc_domain self:fifo_file rw_fifo_file_perms; +allow boinc_domain self:process signal; +allow boinc_domain self:sem create_sem_perms; -+allow boinc_domain self:process execmem; + +manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t) +manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t) @@ -9277,6 +9287,10 @@ index 7c92aa1..6b6cd51 100644 + +miscfiles_read_fonts(boinc_domain) + ++tunable_policy(`boinc_execmem',` ++ allow boinc_domain self:process { execstack execmem }; ++') ++ +optional_policy(` + sysnet_dns_name_resolve(boinc_domain) +') @@ -9299,7 +9313,7 @@ index 7c92aa1..6b6cd51 100644 manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) -@@ -54,74 +91,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) +@@ -54,74 +101,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file) @@ -9396,7 +9410,7 @@ index 7c92aa1..6b6cd51 100644 term_getattr_all_ptys(boinc_t) term_getattr_unallocated_ttys(boinc_t) -@@ -130,55 +141,67 @@ init_read_utmp(boinc_t) +@@ -130,55 +151,67 @@ init_read_utmp(boinc_t) logging_send_syslog_msg(boinc_t) @@ -11811,10 +11825,10 @@ index 0000000..8ac848b +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 0000000..a56e579 +index 0000000..0f133be --- /dev/null +++ b/cloudform.te -@@ -0,0 +1,296 @@ +@@ -0,0 +1,297 @@ +policy_module(cloudform, 1.0) +######################################## +# 
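Review bot: The `boinc_execmem` tunable declared in the `@@ -9217` hunk defaults to `true`, and the `tunable_policy` block in the `@@ -9277` hunk grants `execstack` together with `execmem`, whereas the unconditional rule removed in the `@@ -9255` hunk granted only `execmem`; the net default is therefore wider than before. If stock BOINC project binaries really need an executable stack, the tunable description should say so explicitly, otherwise a `false` default keeps the extra permission opt-in: `gen_tunable(boinc_execmem, false)`. In either case the description should name both permissions so an admin knows what disabling the boolean takes away. The `@@ -9217` hunk starts on an earlier line and the boinc_domain rule block continues past these hunks.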
@@ -11919,6 +11933,8 @@ index 0000000..a56e579 +corecmd_exec_bin(cloud_init_t) +corecmd_exec_shell(cloud_init_t) + ++domain_read_all_domains_state(cloud_init_t) ++ +fs_getattr_all_fs(cloud_init_t) + +storage_raw_read_fixed_disk(cloud_init_t) @@ -11978,7 +11994,6 @@ index 0000000..a56e579 + unconfined_domain(cloud_init_t) +') + -+ +######################################## +# +# deltacloudd local policy @@ -13908,7 +13923,7 @@ index c086302..4f33119 100644 /etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0) diff --git a/couchdb.if b/couchdb.if -index 83d6744..b934cb7 100644 +index 83d6744..afa2f78 100644 --- a/couchdb.if +++ b/couchdb.if @@ -2,6 +2,44 @@ @@ -13956,7 +13971,7 @@ index 83d6744..b934cb7 100644 ## All of the rules required to ## administrate an couchdb environment. ## -@@ -10,6 +48,108 @@ +@@ -10,6 +48,127 @@ ## Domain allowed access. ## ## @@ -14027,6 +14042,25 @@ index 83d6744..b934cb7 100644 + allow $1 couchdb_var_run_t:file read_file_perms; +') + ++####################################### ++## ++## Search couchdb PID dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`couchdb_search_pid_dirs',` ++ gen_require(` ++ type couchdb_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 couchdb_var_run_t:dir search_dir_perms; ++') ++ +######################################## +## +## Execute couchdb server in the couchdb domain. @@ -14065,7 +14099,7 @@ index 83d6744..b934cb7 100644 ## ## ## Role allowed access. -@@ -19,14 +159,19 @@ +@@ -19,14 +178,19 @@ # interface(`couchdb_admin',` gen_require(` @@ -14086,7 +14120,7 @@ index 83d6744..b934cb7 100644 init_labeled_script_domtrans($1, couchdb_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 couchdb_initrc_exec_t system_r; -@@ -46,4 +191,13 @@ interface(`couchdb_admin',` +@@ -46,4 +210,13 @@ interface(`couchdb_admin',` files_search_pids($1) admin_pattern($1, couchdb_var_run_t) 
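Review bot: `domain_read_all_domains_state(cloud_init_t)` in the `@@ -11919` hunk lets cloud-init read the /proc state of every domain on the system, a broad grant for a boot-time provisioning tool, and nothing in the hunk says which feature triggers it. A why-comment would make the rule reviewable, e.g. `# cloud-init reads /proc/<pid> of other processes — confirm which module needs this`. Note that the `optional_policy` block containing `unconfined_domain(cloud_init_t)`, visible in the `@@ -11978` hunk, subsumes this rule whenever the unconfined module is loaded, so the explicit grant only matters on systems without it. The cloud_init_t rule block continues outside the hunk.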
@@ -21464,7 +21498,7 @@ index 19aa0b8..1e8b244 100644 + allow $1 dnsmasq_unit_file_t:service all_service_perms; ') diff --git a/dnsmasq.te b/dnsmasq.te -index ba14bcf..0a3179c 100644 +index ba14bcf..a3e6c7c 100644 --- a/dnsmasq.te +++ b/dnsmasq.te @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t) @@ -21538,10 +21572,10 @@ index ba14bcf..0a3179c 100644 ') + +optional_policy(` -+ quantum_manage_lib_files(dnsmasq_t) -+ quantum_stream_connect(dnsmasq_t) -+ quantum_rw_fifo_file(dnsmasq_t) -+ quantum_sigchld(dnsmasq_t) ++ neutron_manage_lib_files(dnsmasq_t) ++ neutron_stream_connect(dnsmasq_t) ++ neutron_rw_fifo_file(dnsmasq_t) ++ neutron_sigchld(dnsmasq_t) +') diff --git a/dnssec.fc b/dnssec.fc new file mode 100644 @@ -23943,7 +23977,7 @@ index 5cf6ac6..0fc685b 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index c8014f8..2888d51 100644 +index c8014f8..bacc80c 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t) @@ -24024,7 +24058,7 @@ index c8014f8..2888d51 100644 optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -85,6 +102,10 @@ optional_policy(` +@@ -85,9 +102,17 @@ optional_policy(` ') optional_policy(` @@ -24035,6 +24069,13 @@ index c8014f8..2888d51 100644 iptables_domtrans(firewalld_t) ') + optional_policy(` + modutils_domtrans_insmod(firewalld_t) + ') ++ ++optional_policy(` ++ NetworkManager_read_state(firewalld_t) ++') diff --git a/firewallgui.if b/firewallgui.if index e6866d1..941f4ef 100644 --- a/firewallgui.if @@ -29981,7 +30022,7 @@ index fbb54e7..05c3777 100644 ######################################## diff --git a/inetd.te b/inetd.te -index 1a5ed62..9762e4a 100644 +index 1a5ed62..420305b 100644 --- a/inetd.te +++ b/inetd.te @@ -37,9 +37,9 @@ ifdef(`enable_mcs',` 
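Review bot: The new call `NetworkManager_read_state(firewalld_t)` in the `@@ -24035` hunk uses a capitalised interface prefix, while every other interface exported by networkmanager.if — `networkmanager_read_pid_files`, `networkmanager_systemctl`, `networkmanager_initrc_domtrans` — uses `networkmanager_`. The matching definition in the `@@ -45949` hunk of networkmanager.if carries the same odd name, so the policy will build, but anyone searching the module's prefix will miss it; renaming both sides keeps the convention, e.g. `networkmanager_read_state(firewalld_t)`. The firewalld_t optional_policy list continues outside the hunk.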
@@ -29996,7 +30037,15 @@ index 1a5ed62..9762e4a 100644 allow inetd_t self:fifo_file rw_fifo_file_perms; allow inetd_t self:tcp_socket { accept listen }; allow inetd_t self:fd use; -@@ -98,6 +98,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t) +@@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t) + kernel_tcp_recvfrom_unlabeled(inetd_t) + + corecmd_bin_domtrans(inetd_t, inetd_child_t) ++corecmd_exec_shell(inetd_t) + + corenet_all_recvfrom_unlabeled(inetd_t) + corenet_all_recvfrom_netlabel(inetd_t) +@@ -98,6 +99,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t) corenet_tcp_bind_inetd_child_port(inetd_t) corenet_udp_bind_inetd_child_port(inetd_t) @@ -30008,7 +30057,7 @@ index 1a5ed62..9762e4a 100644 corenet_sendrecv_ircd_server_packets(inetd_t) corenet_tcp_bind_ircd_port(inetd_t) -@@ -157,8 +162,6 @@ auth_use_nsswitch(inetd_t) +@@ -157,8 +163,6 @@ auth_use_nsswitch(inetd_t) logging_send_syslog_msg(inetd_t) @@ -30017,7 +30066,7 @@ index 1a5ed62..9762e4a 100644 mls_fd_share_all_levels(inetd_t) mls_socket_read_to_clearance(inetd_t) mls_socket_write_to_clearance(inetd_t) -@@ -188,7 +191,7 @@ optional_policy(` +@@ -188,7 +192,7 @@ optional_policy(` ') optional_policy(` @@ -30026,7 +30075,7 @@ index 1a5ed62..9762e4a 100644 ') optional_policy(` -@@ -220,6 +223,14 @@ kernel_read_kernel_sysctls(inetd_child_t) +@@ -220,6 +224,14 @@ kernel_read_kernel_sysctls(inetd_child_t) kernel_read_network_state(inetd_child_t) kernel_read_system_state(inetd_child_t) @@ -30041,7 +30090,7 @@ index 1a5ed62..9762e4a 100644 dev_read_urand(inetd_child_t) fs_getattr_xattr_fs(inetd_child_t) -@@ -230,7 +241,11 @@ auth_use_nsswitch(inetd_child_t) +@@ -230,7 +242,11 @@ auth_use_nsswitch(inetd_child_t) logging_send_syslog_msg(inetd_child_t) @@ -37776,7 +37825,7 @@ index 1d4eb19..650014e 100644 admin_pattern($1, memcached_var_run_t) ') diff --git a/memcached.te b/memcached.te -index 4926208..018a640 100644 +index 4926208..4396320 100644 --- a/memcached.te +++ b/memcached.te 
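Review bot: `corecmd_exec_shell(inetd_t)` in the `@@ -29996` hunk lets inetd run a shell without leaving inetd_t, while the adjacent `corecmd_bin_domtrans(inetd_t, inetd_child_t)` deliberately moves spawned services into the child domain. A shell that keeps inetd's own privileges (for instance the `corenet_tcp_bind_inetd_child_port` grants visible in the same file) is a far larger footprint than an inetd_child_t service; if the shell is only the interpreter for a service script, a transition to inetd_child_t is the safer shape, and if inetd genuinely must exec it in-domain a comment should say which configuration does so, e.g. `# inetd runs a shell in its own domain for <which service?> — prefer a domtrans to inetd_child_t`. The inetd_t rule block continues outside the hunk.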
@@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t) @@ -37788,7 +37837,15 @@ index 4926208..018a640 100644 dontaudit memcached_t self:capability sys_tty_config; allow memcached_t self:process { setrlimit signal_perms }; allow memcached_t self:tcp_socket { accept listen }; -@@ -57,4 +57,3 @@ term_dontaudit_use_console(memcached_t) +@@ -51,10 +51,11 @@ corenet_tcp_sendrecv_all_ports(memcached_t) + corenet_udp_bind_memcache_port(memcached_t) + corenet_udp_sendrecv_all_ports(memcached_t) + ++dev_read_sysfs(memcached_t) ++ + term_dontaudit_use_all_ptys(memcached_t) + term_dontaudit_use_all_ttys(memcached_t) + term_dontaudit_use_console(memcached_t) auth_use_nsswitch(memcached_t) @@ -45611,7 +45668,7 @@ index a1fb3c3..82f8ae6 100644 +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if -index 0e8508c..0b68b86 100644 +index 0e8508c..f8893f8 100644 --- a/networkmanager.if +++ b/networkmanager.if @@ -2,7 +2,7 @@ 
@@ -45697,14 +45754,42 @@ index 0e8508c..0b68b86 100644 ## -## Execute networkmanager scripts with -## an automatic domain transition to initrc. -+## Execute NetworkManager scripts with an automatic domain transition to initrc. ++## Execute NetworkManager scripts with an automatic domain transition to NetworkManagerrc. ## ## ## -@@ -114,8 +116,31 @@ interface(`networkmanager_initrc_domtrans',` - - ######################################## - ## +@@ -104,18 +106,59 @@ interface(`networkmanager_domtrans',` + ## + ## + # ++interface(`networkmanager_NetworkManagerrc_domtrans',` ++ gen_require(` ++ type NetworkManager_NetworkManagerrc_exec_t; ++ ') ++ ++ NetworkManager_labeled_script_domtrans($1, NetworkManager_NetworkManagerrc_exec_t) ++') ++ ++####################################### ++## ++## Execute NetworkManager scripts with an automatic domain transition to initrc. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# + interface(`networkmanager_initrc_domtrans',` ++ gen_require(` ++ type NetworkManager_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) ++') ++ ++######################################## ++## +## Execute NetworkManager server in the NetworkManager domain. +## +## 
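Review bot: The `networkmanager_NetworkManagerrc_domtrans` interface added in the `@@ -45697` hunk looks like a mechanical `init`→`NetworkManager` text replacement gone wrong: it requires a type `NetworkManager_NetworkManagerrc_exec_t` and calls `NetworkManager_labeled_script_domtrans`, neither of which is declared anywhere visible in this diff, whereas the `networkmanager_initrc_domtrans` interface right below it correctly uses `init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)`. Any caller of the new interface would fail at build time on the missing type, and the summary line just above it was mangled the same way; restoring it to `## Execute NetworkManager scripts with an automatic domain transition to initrc.` and dropping the misnamed interface (or, if it is really intended, declaring its type and calling `init_labeled_script_domtrans`) fixes both. The hunk begins in the middle of a doc comment whose header is outside it.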
@@ -45714,27 +45799,29 @@ index 0e8508c..0b68b86 100644 +## +# +interface(`networkmanager_systemctl',` -+ gen_require(` + gen_require(` +- type NetworkManager_initrc_exec_t; + type NetworkManager_unit_file_t; + type NetworkManager_t; -+ ') -+ + ') + +- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) + systemd_exec_systemctl($1) + allow $1 NetworkManager_unit_file_t:file read_file_perms; + allow $1 NetworkManager_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, NetworkManager_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## ## Send and receive messages from -## networkmanager over dbus. +## NetworkManager over dbus. ## ## ## -@@ -135,7 +160,29 @@ interface(`networkmanager_dbus_chat',` +@@ -135,7 +178,29 @@ interface(`networkmanager_dbus_chat',` ######################################## ## @@ -45765,7 +45852,7 @@ index 0e8508c..0b68b86 100644 ## ## ## -@@ -153,7 +200,7 @@ interface(`networkmanager_signal',` +@@ -153,7 +218,7 @@ interface(`networkmanager_signal',` ######################################## ## @@ -45774,7 +45861,7 @@ index 0e8508c..0b68b86 100644 ## ## ## -@@ -171,9 +218,28 @@ interface(`networkmanager_read_lib_files',` +@@ -171,9 +236,28 @@ interface(`networkmanager_read_lib_files',` read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) ') @@ -45804,7 +45891,7 @@ index 0e8508c..0b68b86 100644 ## ## ## -@@ -181,19 +247,18 @@ interface(`networkmanager_read_lib_files',` +@@ -181,19 +265,18 @@ interface(`networkmanager_read_lib_files',` ## ## # @@ -45829,7 +45916,7 @@ index 0e8508c..0b68b86 100644 ## ## ## -@@ -201,23 +266,23 @@ interface(`networkmanager_append_log_files',` +@@ -201,23 +284,23 @@ interface(`networkmanager_append_log_files',` ## ## # 
@@ -45858,7 +45945,7 @@ index 0e8508c..0b68b86 100644 ## ## ## -@@ -227,33 +292,112 @@ interface(`networkmanager_read_pid_files',` +@@ -227,33 +310,132 @@ interface(`networkmanager_read_pid_files',` ## ## # @@ -45949,6 +46036,26 @@ index 0e8508c..0b68b86 100644 + stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t) +') + ++####################################### ++## ++## Read the process state (/proc/pid) of NetworkManager. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`NetworkManager_read_state',` ++ gen_require(` ++ type NetworkManager_t; ++ ') ++ ++ allow $1 NetworkManager_t:dir search_dir_perms; ++ allow $1 NetworkManager_t:file read_file_perms; ++ allow $1 NetworkManager_t:lnk_file read_lnk_file_perms; ++') ++ +######################################## +## +## Transition to networkmanager named content @@ -66101,26 +66208,45 @@ index 76f5b39..8bb80a2 100644 +') + diff --git a/quantum.fc b/quantum.fc -index 70ab68b..e97da31 100644 +index 70ab68b..1de192b 100644 --- a/quantum.fc 
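Review bot: `NetworkManager_read_state`, the last new interface in the hunk beginning `@@ -45949,6 +46036,26 @@`, breaks the file's naming convention, where every other interface is prefixed with lowercase `networkmanager_`, so a caller written against the module's pattern will not find it. Its three rules on `NetworkManager_t` (`dir search_dir_perms`, `file read_file_perms`, `lnk_file read_lnk_file_perms`) also appear to be exactly the set `ps_process_pattern` expands to, so the body could be the single line `ps_process_pattern($1, NetworkManager_t)` under the name `networkmanager_read_state`. Renaming it now is cheap; once another module depends on the odd spelling it becomes an alias to carry forever.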
+++ b/quantum.fc -@@ -1,9 +1,14 @@ -+/usr/lib/systemd/system/quantum.* -- gen_context(system_u:object_r:quantum_unit_file_t,s0) -+ - /etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:quantum_initrc_exec_t,s0) - - /usr/bin/quantum-server -- gen_context(system_u:object_r:quantum_exec_t,s0) - /usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:quantum_exec_t,s0) - /usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:quantum_exec_t,s0) - /usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:quantum_exec_t,s0) -+/usr/bin/quantum-dhcp-agent -- gen_context(system_u:object_r:quantum_exec_t,s0) -+/usr/bin/quantum-l3-agent -- gen_context(system_u:object_r:quantum_exec_t,s0) -+/usr/bin/quantum-ovs-cleanup -- gen_context(system_u:object_r:quantum_exec_t,s0) - - /var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0) - +@@ -1,10 +1,26 @@ +-/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:quantum_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/neutron.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0) + +-/usr/bin/quantum-server -- gen_context(system_u:object_r:quantum_exec_t,s0) +-/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:quantum_exec_t,s0) +-/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:quantum_exec_t,s0) +-/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:quantum_exec_t,s0) ++/usr/bin/neutron-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0) ++/usr/bin/neutron-l3-agent -- gen_context(system_u:object_r:neutron_exec_t,s0) ++/usr/bin/neutron-linuxbridge-agent -- gen_context(system_u:object_r:neutron_exec_t,s0) ++/usr/bin/neutron-openvswitch-agent -- gen_context(system_u:object_r:neutron_exec_t,s0) ++/usr/bin/neutron-ovs-cleanup -- gen_context(system_u:object_r:neutron_exec_t,s0) ++/usr/bin/neutron-ryu-agent -- 
gen_context(system_u:object_r:neutron_exec_t,s0) ++/usr/bin/neutron-server -- gen_context(system_u:object_r:neutron_exec_t,s0) ++/usr/bin/quantum-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0) ++/usr/bin/quantum-l3-agent -- gen_context(system_u:object_r:neutron_exec_t,s0) ++/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:neutron_exec_t,s0) ++/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:neutron_exec_t,s0) ++/usr/bin/quantum-ovs-cleanup -- gen_context(system_u:object_r:neutron_exec_t,s0) ++/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:neutron_exec_t,s0) ++/usr/bin/quantum-server -- gen_context(system_u:object_r:neutron_exec_t,s0) + +-/var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0) ++/usr/lib/systemd/system/neutron.* -- gen_context(system_u:object_r:neutron_unit_file_t,s0) ++/usr/lib/systemd/system/quantum.* -- gen_context(system_u:object_r:neutron_unit_file_t,s0) + +-/var/log/quantum(/.*)? gen_context(system_u:object_r:quantum_log_t,s0) ++/var/lib/neutron(/.*)? gen_context(system_u:object_r:neutron_var_lib_t,s0) ++/var/lib/quantum(/.*)? gen_context(system_u:object_r:neutron_var_lib_t,s0) ++ ++/var/log/neutron(/.*)? gen_context(system_u:object_r:neutron_log_t,s0) ++/var/log/quantum(/.*)? gen_context(system_u:object_r:neutron_log_t,s0) diff --git a/quantum.if b/quantum.if -index afc0068..7b3cfad 100644 +index afc0068..3105104 100644 --- a/quantum.if +++ b/quantum.if @@ -2,41 +2,293 @@ @@ -66129,7 +66255,7 @@ index afc0068..7b3cfad 100644 ## -## All of the rules required to -## administrate an quantum environment. -+## Transition to quantum. ++## Transition to neutron. +## +## +## 
@@ -66137,77 +66263,78 @@ index afc0068..7b3cfad 100644 +## +## +# -+interface(`quantum_domtrans',` ++interface(`neutron_domtrans',` + gen_require(` -+ type quantum_t, quantum_exec_t; ++ type neutron_t, neutron_exec_t; + ') + + corecmd_search_bin($1) -+ domtrans_pattern($1, quantum_exec_t, quantum_t) ++ domtrans_pattern($1, neutron_exec_t, neutron_t) +') + +######################################## +## -+## Allow read/write quantum pipes -+## -+## -+## -+## Domain allowed access. -+## -+## ++## Allow read/write neutron pipes + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +# -+interface(`quantum_rw_inherited_pipes',` ++interface(`neutron_rw_inherited_pipes',` + gen_require(` -+ type quantum_t; ++ type neutron_t; + ') + -+ allow $1 quantum_t:fifo_file rw_inherited_fifo_file_perms; ++ allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## -+## Send sigchld to quantum. - ## - ## ++## Send sigchld to neutron. ++## ++## ## - ## Domain allowed access. - ## - ## --## +-## Role allowed access. ++## Domain allowed access. ++## ++## +# +# -+interface(`quantum_sigchld',` ++interface(`neutron_sigchld',` + gen_require(` -+ type quantum_t; ++ type neutron_t; + ') + -+ allow $1 quantum_t:process sigchld; ++ allow $1 neutron_t:process sigchld; +') + +######################################## +## -+## Read quantum's log files. ++## Read neutron's log files. +## +## - ## --## Role allowed access. ++## +## Domain allowed access. ## ## ## # -+interface(`quantum_read_log',` +-interface(`quantum_admin',` ++interface(`neutron_read_log',` + gen_require(` -+ type quantum_log_t; ++ type neutron_log_t; + ') + + logging_search_logs($1) -+ read_files_pattern($1, quantum_log_t, quantum_log_t) ++ read_files_pattern($1, neutron_log_t, neutron_log_t) +') + +######################################## +## -+## Append to quantum log files. ++## Append to neutron log files. +## +## +## 
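Review bot: `neutron_rw_inherited_pipes` in this hunk and `neutron_rw_fifo_file` in the later hunk starting `@@ -66331,17 +66466,17 @@` grant the identical rule `allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms;`, so the module exposes two names for one permission. Keeping both means a future widening of one (say to `rw_fifo_file_perms`) silently diverges from the other and readers must check both to know what a caller really gets. I would keep `neutron_rw_inherited_pipes`, whose name matches the inherited-only permission set, and either remove `neutron_rw_fifo_file` or reduce it to a one-line call of the first. The `neutron_sigchld` summary block in this hunk also appears to end with a doubled `#` terminator line where the rest of the file uses one.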
@@ -66215,18 +66342,18 @@ index afc0068..7b3cfad 100644 +## +## +# -+interface(`quantum_append_log',` ++interface(`neutron_append_log',` + gen_require(` -+ type quantum_log_t; ++ type neutron_log_t; + ') + + logging_search_logs($1) -+ append_files_pattern($1, quantum_log_t, quantum_log_t) ++ append_files_pattern($1, neutron_log_t, neutron_log_t) +') + +######################################## +## -+## Manage quantum log files ++## Manage neutron log files +## +## +## @@ -66234,20 +66361,20 @@ index afc0068..7b3cfad 100644 +## +## +# -+interface(`quantum_manage_log',` ++interface(`neutron_manage_log',` + gen_require(` -+ type quantum_log_t; ++ type neutron_log_t; + ') + + logging_search_logs($1) -+ manage_dirs_pattern($1, quantum_log_t, quantum_log_t) -+ manage_files_pattern($1, quantum_log_t, quantum_log_t) -+ manage_lnk_files_pattern($1, quantum_log_t, quantum_log_t) ++ manage_dirs_pattern($1, neutron_log_t, neutron_log_t) ++ manage_files_pattern($1, neutron_log_t, neutron_log_t) ++ manage_lnk_files_pattern($1, neutron_log_t, neutron_log_t) +') + +######################################## +## -+## Search quantum lib directories. ++## Search neutron lib directories. +## +## +## @@ -66255,18 +66382,18 @@ index afc0068..7b3cfad 100644 +## +## +# -+interface(`quantum_search_lib',` ++interface(`neutron_search_lib',` + gen_require(` -+ type quantum_var_lib_t; ++ type neutron_var_lib_t; + ') + -+ allow $1 quantum_var_lib_t:dir search_dir_perms; ++ allow $1 neutron_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## -+## Read quantum lib files. ++## Read neutron lib files. +## +## +## 
@@ -66274,18 +66401,22 @@ index afc0068..7b3cfad 100644 +## +## +# -+interface(`quantum_read_lib_files',` -+ gen_require(` -+ type quantum_var_lib_t; -+ ') -+ ++interface(`neutron_read_lib_files',` + gen_require(` +- type quantum_t, quantum_initrc_exec_t, quantum_log_t; +- type quantum_var_lib_t, quantum_tmp_t; ++ type neutron_var_lib_t; + ') + +- allow $1 quantum_t:process { ptrace signal_perms }; +- ps_process_pattern($1, quantum_t) + files_search_var_lib($1) -+ read_files_pattern($1, quantum_var_lib_t, quantum_var_lib_t) ++ read_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t) +') + +######################################## +## -+## Manage quantum lib files. ++## Manage neutron lib files. +## +## +## @@ -66293,18 +66424,22 @@ index afc0068..7b3cfad 100644 +## +## +# -+interface(`quantum_manage_lib_files',` ++interface(`neutron_manage_lib_files',` + gen_require(` -+ type quantum_var_lib_t; ++ type neutron_var_lib_t; + ') -+ + +- init_labeled_script_domtrans($1, quantum_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 quantum_initrc_exec_t system_r; +- allow $2 system_r; + files_search_var_lib($1) -+ manage_files_pattern($1, quantum_var_lib_t, quantum_var_lib_t) ++ manage_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t) +') + +######################################## +## -+## Manage quantum lib directories. ++## Manage neutron lib directories. +## +## +## @@ -66312,18 +66447,18 @@ index afc0068..7b3cfad 100644 +## +## +# -+interface(`quantum_manage_lib_dirs',` ++interface(`neutron_manage_lib_dirs',` + gen_require(` -+ type quantum_var_lib_t; ++ type neutron_var_lib_t; + ') + + files_search_var_lib($1) -+ manage_dirs_pattern($1, quantum_var_lib_t, quantum_var_lib_t) ++ manage_dirs_pattern($1, neutron_var_lib_t, neutron_var_lib_t) +') + +######################################## +## -+## Read and write quantum fifo files. ++## Read and write neutron fifo files. +## +## +## 
@@ -66331,17 +66466,17 @@ index afc0068..7b3cfad 100644 +## +## +# -+interface(`quantum_rw_fifo_file',` ++interface(`neutron_rw_fifo_file',` + gen_require(` -+ type quantum_t; ++ type neutron_t; + ') + -+ allow $1 quantum_t:fifo_file rw_inherited_fifo_file_perms; ++ allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms; +') + +##################################### +## -+## Connect to quantum over a unix domain ++## Connect to neutron over a unix domain +## stream socket. +## +## @@ -66350,19 +66485,19 @@ index afc0068..7b3cfad 100644 +## +## +# -+interface(`quantum_stream_connect',` ++interface(`neutron_stream_connect',` + gen_require(` -+ type quantum_t; -+ type quantum_var_lib_t; ++ type neutron_t; ++ type neutron_var_lib_t; + ') + + files_search_pids($1) -+ stream_connect_pattern($1, quantum_var_lib_t, quantum_var_lib_t, quantum_t ) ++ stream_connect_pattern($1, neutron_var_lib_t, neutron_var_lib_t, neutron_t ) +') + +######################################## +## -+## Execute quantum server in the quantum domain. ++## Execute neutron server in the neutron domain. +## +## +## @@ -66370,25 +66505,25 @@ index afc0068..7b3cfad 100644 +## +## +# -+interface(`quantum_systemctl',` ++interface(`neutron_systemctl',` + gen_require(` -+ type quantum_t; -+ type quantum_unit_file_t; ++ type neutron_t; ++ type neutron_unit_file_t; + ') + + systemd_exec_systemctl($1) + systemd_read_fifo_file_passwd_run($1) -+ allow $1 quantum_unit_file_t:file read_file_perms; -+ allow $1 quantum_unit_file_t:service manage_service_perms; ++ allow $1 neutron_unit_file_t:file read_file_perms; ++ allow $1 neutron_unit_file_t:service manage_service_perms; + -+ ps_process_pattern($1, quantum_t) ++ ps_process_pattern($1, neutron_t) +') + + +######################################## +## +## All of the rules required to administrate -+## an quantum environment ++## an neutron environment +## +## +## 
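Review bot: In the hunk starting `@@ -66350,19 +66485,19 @@`, `neutron_stream_connect` calls `files_search_pids($1)` but the pattern that follows is on `neutron_var_lib_t` (`stream_connect_pattern($1, neutron_var_lib_t, neutron_var_lib_t, neutron_t )`), so the caller is granted search on the pid directory while the socket it must reach is, per the `/var/lib/neutron(/.*)?` entry in quantum.fc, under /var/lib. If the socket really lives under /var/lib/neutron the search rule should be `files_search_var_lib($1)`; if it lives under /var/run a `neutron_var_run_t` type is missing from quantum.te and quantum.fc. As written the caller will most likely hit a `search` denial on the parent directory rather than obtain working access.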
@@ -66396,92 +66531,203 @@ index afc0068..7b3cfad 100644 +## +## +# - interface(`quantum_admin',` - gen_require(` -- type quantum_t, quantum_initrc_exec_t, quantum_log_t; -- type quantum_var_lib_t, quantum_tmp_t; -+ type quantum_t; -+ type quantum_log_t; -+ type quantum_var_lib_t; -+ type quantum_unit_file_t; - ') - - allow $1 quantum_t:process { ptrace signal_perms }; - ps_process_pattern($1, quantum_t) ++interface(`neutron_admin',` ++ gen_require(` ++ type neutron_t; ++ type neutron_log_t; ++ type neutron_var_lib_t; ++ type neutron_unit_file_t; ++ ') ++ ++ allow $1 neutron_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, neutron_t) -- init_labeled_script_domtrans($1, quantum_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 quantum_initrc_exec_t system_r; -- allow $2 system_r; -- logging_search_logs($1) - admin_pattern($1, quantum_log_t) +- admin_pattern($1, quantum_log_t) ++ admin_pattern($1, neutron_log_t) files_search_var_lib($1) - admin_pattern($1, quantum_var_lib_t) +- admin_pattern($1, quantum_var_lib_t) ++ admin_pattern($1, neutron_var_lib_t) - files_search_tmp($1) - admin_pattern($1, quantum_tmp_t) -+ quantum_systemctl($1) -+ admin_pattern($1, quantum_unit_file_t) -+ allow $1 quantum_unit_file_t:service all_service_perms; ++ neutron_systemctl($1) ++ admin_pattern($1, neutron_unit_file_t) ++ allow $1 neutron_unit_file_t:service all_service_perms; + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') ') diff --git a/quantum.te b/quantum.te -index 769d1fd..bf3f16f 100644 +index 769d1fd..80a4b99 100644 --- a/quantum.te 
+++ b/quantum.te -@@ -21,6 +21,9 @@ files_tmp_file(quantum_tmp_t) - type quantum_var_lib_t; - files_type(quantum_var_lib_t) +@@ -1,96 +1,108 @@ +-policy_module(quantum, 1.0.2) ++policy_module(quantum, 1.0.3) + + ######################################## + # + # Declarations + # + +-type quantum_t; +-type quantum_exec_t; +-init_daemon_domain(quantum_t, quantum_exec_t) ++type neutron_t alias quantum_t; ++type neutron_exec_t alias quantum_exec_t; ++init_daemon_domain(neutron_t, neutron_exec_t) + +-type quantum_initrc_exec_t; +-init_script_file(quantum_initrc_exec_t) ++type neutron_initrc_exec_t alias qauntum_initrc_exec_t; ++init_script_file(neutron_initrc_exec_t) + +-type quantum_log_t; +-logging_log_file(quantum_log_t) ++type neutron_log_t alias quantum_log_t; ++logging_log_file(neutron_log_t) + +-type quantum_tmp_t; +-files_tmp_file(quantum_tmp_t) ++type neutron_tmp_t alias quantum_tmp_t; ++files_tmp_file(neutron_tmp_t) -+type quantum_unit_file_t; -+systemd_unit_file(quantum_unit_file_t) +-type quantum_var_lib_t; +-files_type(quantum_var_lib_t) ++type neutron_var_lib_t alias quantum_var_lib_t; ++files_type(neutron_var_lib_t) + ++type neutron_unit_file_t alias quantum_unit_file_t; ++systemd_unit_file(neutron_unit_file_t) + ######################################## # # Local policy -@@ -61,11 +64,13 @@ corenet_tcp_sendrecv_generic_node(quantum_t) - corenet_tcp_sendrecv_all_ports(quantum_t) - corenet_tcp_bind_generic_node(quantum_t) + # -+corenet_tcp_bind_quantum_port(quantum_t) -+corenet_tcp_connect_keystone_port(quantum_t) -+corenet_tcp_connect_mysqld_port(quantum_t) -+ - dev_list_sysfs(quantum_t) - dev_read_urand(quantum_t) +-allow quantum_t self:capability { setgid setuid sys_resource }; +-allow quantum_t self:process { setsched setrlimit }; +-allow quantum_t self:fifo_file rw_fifo_file_perms; +-allow quantum_t self:key manage_key_perms; +-allow quantum_t self:tcp_socket { accept listen }; +-allow quantum_t self:unix_stream_socket { accept listen }; ++allow 
neutron_t self:capability { setgid setuid sys_resource }; ++allow neutron_t self:process { setsched setrlimit }; ++allow neutron_t self:fifo_file rw_fifo_file_perms; ++allow neutron_t self:key manage_key_perms; ++allow neutron_t self:tcp_socket { accept listen }; ++allow neutron_t self:unix_stream_socket { accept listen }; + +-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t) +-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t) +-create_files_pattern(quantum_t, quantum_log_t, quantum_log_t) +-setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t) +-logging_log_filetrans(quantum_t, quantum_log_t, dir) ++manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t) ++append_files_pattern(neutron_t, neutron_log_t, neutron_log_t) ++create_files_pattern(neutron_t, neutron_log_t, neutron_log_t) ++setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t) ++logging_log_filetrans(neutron_t, neutron_log_t, dir) + +-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t) +-files_tmp_filetrans(quantum_t, quantum_tmp_t, file) ++manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) ++files_tmp_filetrans(neutron_t, neutron_tmp_t, file) + +-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) +-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) +-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir) ++manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) ++manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) ++files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir) + +-can_exec(quantum_t, quantum_tmp_t) ++can_exec(neutron_t, neutron_tmp_t) + +-kernel_read_kernel_sysctls(quantum_t) +-kernel_read_system_state(quantum_t) ++kernel_read_kernel_sysctls(neutron_t) ++kernel_read_system_state(neutron_t) + +-corecmd_exec_shell(quantum_t) +-corecmd_exec_bin(quantum_t) ++corecmd_exec_shell(neutron_t) ++corecmd_exec_bin(neutron_t) + 
+-corenet_all_recvfrom_unlabeled(quantum_t) +-corenet_all_recvfrom_netlabel(quantum_t) +-corenet_tcp_sendrecv_generic_if(quantum_t) +-corenet_tcp_sendrecv_generic_node(quantum_t) +-corenet_tcp_sendrecv_all_ports(quantum_t) +-corenet_tcp_bind_generic_node(quantum_t) ++corenet_all_recvfrom_unlabeled(neutron_t) ++corenet_all_recvfrom_netlabel(neutron_t) ++corenet_tcp_sendrecv_generic_if(neutron_t) ++corenet_tcp_sendrecv_generic_node(neutron_t) ++corenet_tcp_sendrecv_all_ports(neutron_t) ++corenet_tcp_bind_generic_node(neutron_t) + +-dev_list_sysfs(quantum_t) +-dev_read_urand(quantum_t) ++corenet_tcp_bind_quantum_port(neutron_t) ++corenet_tcp_connect_keystone_port(neutron_t) ++corenet_tcp_connect_mysqld_port(neutron_t) -files_read_usr_files(quantum_t) -- - auth_use_nsswitch(quantum_t) ++dev_list_sysfs(neutron_t) ++dev_read_urand(neutron_t) + +-auth_use_nsswitch(quantum_t) ++auth_use_nsswitch(neutron_t) + +-libs_exec_ldconfig(quantum_t) ++libs_exec_ldconfig(neutron_t) - libs_exec_ldconfig(quantum_t) -@@ -73,8 +78,6 @@ libs_exec_ldconfig(quantum_t) - logging_send_audit_msgs(quantum_t) - logging_send_syslog_msg(quantum_t) +-logging_send_audit_msgs(quantum_t) +-logging_send_syslog_msg(quantum_t) ++logging_send_audit_msgs(neutron_t) ++logging_send_syslog_msg(neutron_t) -miscfiles_read_localization(quantum_t) -- - sysnet_domtrans_ifconfig(quantum_t) ++sysnet_domtrans_ifconfig(neutron_t) + +-sysnet_domtrans_ifconfig(quantum_t) ++optional_policy(` ++ brctl_domtrans(neutron_t) ++') + + optional_policy(` +- brctl_domtrans(quantum_t) ++ mysql_stream_connect(neutron_t) ++ mysql_read_config(neutron_t) ++ ++ mysql_tcp_connect(neutron_t) + ') optional_policy(` -@@ -94,3 +97,12 @@ optional_policy(` +- mysql_stream_connect(quantum_t) +- mysql_read_config(quantum_t) ++ postgresql_stream_connect(neutron_t) ++ postgresql_unpriv_client(neutron_t) - postgresql_tcp_connect(quantum_t) +- mysql_tcp_connect(quantum_t) ++ postgresql_tcp_connect(neutron_t) ') -+ -+optional_policy(` -+ 
openvswitch_domtrans(quantum_t) -+ openvswitch_stream_connect(quantum_t) + + optional_policy(` +- postgresql_stream_connect(quantum_t) +- postgresql_unpriv_client(quantum_t) ++ openvswitch_domtrans(neutron_t) ++ openvswitch_stream_connect(neutron_t) +') -+ + +- postgresql_tcp_connect(quantum_t) +optional_policy(` -+ sudo_exec(quantum_t) -+') ++ sudo_exec(neutron_t) + ') diff --git a/quota.fc b/quota.fc index cadabe3..0ee2489 100644 --- a/quota.fc @@ -66928,7 +67174,7 @@ index 2c3d338..cf3e5ad 100644 ######################################## diff --git a/rabbitmq.te b/rabbitmq.te -index 3698b51..8c4ba04 100644 +index 3698b51..136b017 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t) @@ -66950,7 +67196,7 @@ index 3698b51..8c4ba04 100644 allow rabbitmq_beam_t self:process { setsched signal signull }; allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_beam_t self:tcp_socket { accept listen }; -@@ -38,13 +43,17 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) +@@ -38,27 +43,35 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) @@ -66971,7 +67217,10 @@ index 3698b51..8c4ba04 100644 can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t) domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t) -@@ -54,11 +63,14 @@ kernel_read_system_state(rabbitmq_beam_t) + + kernel_read_system_state(rabbitmq_beam_t) ++kernel_read_fs_sysctls(rabbitmq_beam_t) + corecmd_exec_bin(rabbitmq_beam_t) corecmd_exec_shell(rabbitmq_beam_t) 
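Review bot: In the quantum.te rewrite inside the outer hunk `@@ -66396,92 +66531,203 @@`, the declaration `type neutron_initrc_exec_t alias qauntum_initrc_exec_t;` misspells the alias, so the old identifier `quantum_initrc_exec_t` disappears from the policy while every other renamed type keeps its `quantum_*` alias. Any module that still references `quantum_initrc_exec_t` would fail to link, and on an upgraded system files already carrying that context would likely show up as unlabeled until a relabel. The fix is the one-character change `type neutron_initrc_exec_t alias quantum_initrc_exec_t;`. The rest of the alias set in the same block (`neutron_t alias quantum_t`, `neutron_exec_t alias quantum_exec_t`, and so on) is consistent, which is what makes this one easy to miss.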
@@ -66986,11 +67235,13 @@ index 3698b51..8c4ba04 100644 corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t) corenet_tcp_bind_amqp_port(rabbitmq_beam_t) -@@ -68,20 +80,44 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) +@@ -68,20 +81,50 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) corenet_tcp_connect_epmd_port(rabbitmq_beam_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) -dev_read_sysfs(rabbitmq_beam_t) ++corenet_tcp_bind_couchdb_port(rabbitmq_beam_t) ++ +corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t) +corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t) + @@ -67006,20 +67257,24 @@ index 3698b51..8c4ba04 100644 +fs_getattr_all_fs(rabbitmq_beam_t) +fs_getattr_all_dirs(rabbitmq_beam_t) +fs_getattr_cgroup(rabbitmq_beam_t) ++fs_search_cgroup_dirs(rabbitmq_beam_t) + +corenet_tcp_connect_couchdb_port(rabbitmq_beam_t) + +dev_read_sysfs(rabbitmq_beam_t) +dev_read_urand(rabbitmq_beam_t) ++ ++storage_getattr_fixed_disk_dev(rabbitmq_beam_t) sysnet_dns_name_resolve(rabbitmq_beam_t) +logging_send_syslog_msg(rabbitmq_beam_t) + +optional_policy(` ++ couchdb_manage_lib_files(rabbitmq_beam_t) + couchdb_read_conf_files(rabbitmq_beam_t) + couchdb_read_log_files(rabbitmq_beam_t) -+ couchdb_manage_lib_files(rabbitmq_beam_t) ++ couchdb_search_pid_dirs(rabbitmq_beam_t) +') + +optional_policy(` @@ -67035,7 +67290,7 @@ index 3698b51..8c4ba04 100644 allow rabbitmq_epmd_t self:process signal; allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; -@@ -99,8 +135,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) +@@ -99,8 +142,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) @@ -85794,10 +86049,10 @@ index ac8213a..20fa71f 100644 - -miscfiles_read_localization(tcsd_t) diff --git a/telepathy.fc b/telepathy.fc -index c7de0cf..9813503 100644 +index c7de0cf..03fc880 100644 
--- a/telepathy.fc +++ b/telepathy.fc -@@ -1,34 +1,22 @@ +@@ -1,34 +1,23 @@ -HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t,s0) +HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0) HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0) @@ -85805,6 +86060,7 @@ index c7de0cf..9813503 100644 -HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0) -HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0) -HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t,s0) ++HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) +HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) +HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) +HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0) @@ -86266,7 +86522,7 @@ index 42946bc..741f2f4 100644 + can_exec($1, telepathy_executable) ') diff --git a/telepathy.te b/telepathy.te -index e9c0964..ff77783 100644 +index e9c0964..c0fe4c6 100644 --- a/telepathy.te +++ b/telepathy.te @@ -1,29 +1,28 @@ @@ -86309,7 +86565,7 @@ index e9c0964..ff77783 100644 telepathy_domain_template(gabble) -@@ -67,176 +66,144 @@ userdom_user_home_content(telepathy_sunshine_home_t) +@@ -67,176 +66,146 @@ userdom_user_home_content(telepathy_sunshine_home_t) ####################################### # 
@@ -86500,6 +86756,8 @@ index e9c0964..ff77783 100644 manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) -userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control") +userdom_search_user_home_dirs(telepathy_mission_control_t) ++ ++read_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) -manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) +manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t }) @@ -86534,7 +86792,7 @@ index e9c0964..ff77783 100644 optional_policy(` dbus_system_bus_client(telepathy_mission_control_t) -@@ -245,59 +212,51 @@ optional_policy(` +@@ -245,59 +214,51 @@ optional_policy(` devicekit_dbus_chat_power(telepathy_mission_control_t) ') optional_policy(` @@ -86609,7 +86867,7 @@ index e9c0964..ff77783 100644 init_read_state(telepathy_msn_t) -@@ -307,18 +266,19 @@ logging_send_syslog_msg(telepathy_msn_t) +@@ -307,18 +268,19 @@ logging_send_syslog_msg(telepathy_msn_t) miscfiles_read_all_certs(telepathy_msn_t) @@ -86634,7 +86892,7 @@ index e9c0964..ff77783 100644 ') optional_policy(` -@@ -329,43 +289,33 @@ optional_policy(` +@@ -329,43 +291,33 @@ optional_policy(` ') ') @@ -86683,7 +86941,7 @@ index e9c0964..ff77783 100644 ') optional_policy(` -@@ -378,73 +328,53 @@ optional_policy(` +@@ -378,73 +330,53 @@ optional_policy(` ####################################### # @@ -86767,7 +87025,7 @@ index e9c0964..ff77783 100644 optional_policy(` xserver_read_xdm_pid(telepathy_sunshine_t) xserver_stream_connect(telepathy_sunshine_t) -@@ -452,31 +382,43 @@ optional_policy(` +@@ -452,31 +384,43 @@ optional_policy(` ####################################### # 
@@ -92250,7 +92508,7 @@ index 9dec06c..4e31afe 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..d48d354 100644 +index 1f22fba..76ccef3 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,104 @@ @@ -92880,7 +93138,7 @@ index 1f22fba..d48d354 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -496,16 +343,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -496,16 +343,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -92890,6 +93148,7 @@ index 1f22fba..d48d354 100644 +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") ++allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) @@ -92901,7 +93160,7 @@ index 1f22fba..d48d354 100644 kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) -@@ -513,6 +355,7 @@ kernel_read_kernel_sysctls(virtd_t) +@@ -513,6 +356,7 @@ kernel_read_kernel_sysctls(virtd_t) kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) kernel_setsched(virtd_t) @@ -92909,7 +93168,7 @@ index 1f22fba..d48d354 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -520,24 +363,16 @@ corecmd_exec_shell(virtd_t) +@@ -520,24 +364,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) 
@@ -92937,13 +93196,14 @@ index 1f22fba..d48d354 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -548,22 +383,23 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +384,24 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) +# Init script handling domain_use_interactive_fds(virtd_t) domain_read_all_domains_state(virtd_t) ++domain_signull_all_domains(virtd_t) -files_read_usr_files(virtd_t) files_read_etc_runtime_files(virtd_t) @@ -92966,7 +93226,7 @@ index 1f22fba..d48d354 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +430,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +432,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -92986,7 +93246,7 @@ index 1f22fba..d48d354 100644 selinux_validate_context(virtd_t) -@@ -613,18 +452,26 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +454,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -93023,7 +93283,7 @@ index 1f22fba..d48d354 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +480,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +482,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -93032,7 +93292,7 @@ index 1f22fba..d48d354 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -658,20 +505,12 @@ optional_policy(` +@@ -658,20 +507,12 @@ optional_policy(` ') optional_policy(` @@ -93053,7 +93313,7 @@ index 1f22fba..d48d354 100644 ') optional_policy(` -@@ -684,14 +523,20 @@ optional_policy(` +@@ -684,14 +525,20 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -93076,7 +93336,7 @@ index 1f22fba..d48d354 100644 iptables_manage_config(virtd_t) ') -@@ -704,11 +549,13 @@ optional_policy(` +@@ -704,11 +551,13 @@ optional_policy(` ') optional_policy(` 
@@ -93090,7 +93350,7 @@ index 1f22fba..d48d354 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -719,10 +566,18 @@ optional_policy(` +@@ -719,10 +568,18 @@ optional_policy(` ') optional_policy(` @@ -93109,7 +93369,7 @@ index 1f22fba..d48d354 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -737,44 +592,262 @@ optional_policy(` +@@ -737,44 +594,262 @@ optional_policy(` udev_read_db(virtd_t) ') @@ -93394,7 +93654,7 @@ index 1f22fba..d48d354 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +858,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +860,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -93421,7 +93681,7 @@ index 1f22fba..d48d354 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +878,22 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +880,22 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -93453,7 +93713,7 @@ index 1f22fba..d48d354 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,14 +911,20 @@ optional_policy(` +@@ -847,14 +913,20 @@ optional_policy(` ') optional_policy(` @@ -93475,7 +93735,7 @@ index 1f22fba..d48d354 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,49 +949,65 @@ optional_policy(` +@@ -879,49 +951,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -93559,7 +93819,7 @@ index 1f22fba..d48d354 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,17 +1019,16 @@ dev_read_urand(virtd_lxc_t) +@@ -933,17 +1021,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) 
@@ -93579,7 +93839,7 @@ index 1f22fba..d48d354 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,8 +1040,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,8 +1042,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -93603,7 +93863,7 @@ index 1f22fba..d48d354 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1065,247 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1067,247 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -93981,7 +94241,7 @@ index 1f22fba..d48d354 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1318,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1320,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -93996,7 +94256,7 @@ index 1f22fba..d48d354 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1336,8 @@ optional_policy(` +@@ -1183,9 +1338,8 @@ optional_policy(` ######################################## # @@ -94007,7 +94267,7 @@ index 1f22fba..d48d354 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1350,120 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1352,120 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -97710,7 +97970,7 @@ index b0803c2..f1fa5f7 100644 +') diff --git a/zoneminder.fc b/zoneminder.fc new file mode 100644 -index 0000000..a468da3 +index 0000000..d8a6df1 --- /dev/null +++ b/zoneminder.fc @@ -0,0 +1,26 @@ 
@@ -97718,7 +97978,7 @@ index 0000000..a468da3
+
+/etc/rc\.d/init\.d/zoneminder -- gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0)
+
-+/usr/bin/motion -- gen_context(system_u:object_r:zoneminder_exec_t,s0)
++#/usr/bin/motion -- gen_context(system_u:object_r:zoneminder_exec_t,s0)
+
+/usr/bin/zmpkg.pl -- gen_context(system_u:object_r:zoneminder_exec_t,s0)
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1e8570b..db82b42 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1
-Release: 77%{?dist}
+Release: 78%{?dist}
License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz
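Review bot: The `/usr/bin/motion` entry in zoneminder.fc is commented out rather than removed, leaving a dead line that does not say why motion should no longer be an entry point for the zoneminder domain; the changelog in selinux-policy.spec below records the intent (bin_t instead of zoneminder_exec_t), but that reasoning is not in the file itself. Either drop the line or replace it with a note such as `# /usr/bin/motion is deliberately not a zoneminder entry point; it keeps the generic bin_t label from /usr/bin`. Assuming zoneminder_exec_t is the domain's entry-point type, as its name suggests, a motion process will presumably no longer transition into the zoneminder domain on exec, and a system on which the binary was already labeled zoneminder_exec_t needs a relabel for that to take effect; whether the spec triggers one is not visible here. This hunk patches a patch, and the rest of the inner zoneminder.fc file lies outside the window.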
@@ -570,6 +570,29 @@ SELinux Reference policy mls base module. %endif %changelog
+* Mon Sep 9 2013 Miroslav Grepl 3.12.1-78
+- Allow xdm_t to transition to itself
+- Call neutron interfaces instead of quantum
+- Allow init to change targed role to make uncofined services (xrdp which now has own systemd unit file) working. We want them to have in unconfined_t
+- Make sure directories in /run get created with the correct label
+- Make sure /root/.pki gets created with the right label
+- try to remove labeling for motion from zoneminder_exec_t to bin_t
+- Allow inetd_t to execute shell scripts
+- Allow cloud-init to read all domainstate
+- Fix to use quantum port
+- Add interface netowrkmanager_initrc_domtrans
+- Fix boinc_execmem
+- Allow t-mission-control to read gabble cache home
+- Add labeling for ~/.cache/telepathy/avatars/gabble
+- Allow memcache to read sysfs data
+- Cleanup antivirus policy and add additional fixes
+- Add boolean boinc_enable_execstack
+- Add support for couchdb in rabbitmq policy
+- Add interface couchdb_search_pid_dirs
+- Allow firewalld to read NM state
+- Allow systemd running as git_systemd to bind git port
+- Fix mozilla_plugin_rw_tmpfs_files()
+
* Thu Sep 5 2013 Miroslav Grepl 3.12.1-77 - Split out rlogin ports from inetd - Treat files labeld as usr_t like bin_t when it comes to transitions