diff --git a/policy-f21-base.patch b/policy-f21-base.patch index 8185e71..361df19 100644 --- a/policy-f21-base.patch +++ b/policy-f21-base.patch @@ -1972,10 +1972,22 @@ index 688abc2..3d89250 100644 /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) +/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if -index 03ec5ca..025c177 100644 +index 03ec5ca..a777e72 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if -@@ -89,7 +89,6 @@ template(`su_restricted_domain_template', ` +@@ -58,6 +58,7 @@ template(`su_restricted_domain_template', ` + allow $2 $1_su_t:fifo_file rw_file_perms; + allow $2 $1_su_t:process sigchld; + ++ kernel_getattr_core_if($1_su_t) + kernel_read_system_state($1_su_t) + kernel_read_kernel_sysctls($1_su_t) + kernel_search_key($1_su_t) +@@ -86,10 +87,10 @@ template(`su_restricted_domain_template', ` + # Write to utmp. + init_rw_utmp($1_su_t) + init_search_script_keys($1_su_t) ++ init_getattr_initctl($1_su_t) logging_send_syslog_msg($1_su_t) @@ -1983,7 +1995,7 @@ index 03ec5ca..025c177 100644 ifdef(`distro_redhat',` # RHEL5 and possibly newer releases incl. Fedora -@@ -119,11 +118,6 @@ template(`su_restricted_domain_template', ` +@@ -119,11 +120,6 @@ template(`su_restricted_domain_template', ` userdom_spec_domtrans_unpriv_users($1_su_t) ') @@ -1995,7 +2007,7 @@ index 03ec5ca..025c177 100644 optional_policy(` cron_read_pipes($1_su_t) ') -@@ -172,14 +166,6 @@ template(`su_role_template',` +@@ -172,14 +168,6 @@ template(`su_role_template',` role $2 types $1_su_t; allow $3 $1_su_t:process signal; @@ -2010,7 +2022,7 @@ index 03ec5ca..025c177 100644 allow $1_su_t $3:key search; # Transition from the user domain to this domain. -@@ -194,125 +180,12 @@ template(`su_role_template',` +@@ -194,125 +182,12 @@ template(`su_role_template',` allow $3 $1_su_t:process sigchld; kernel_read_system_state($1_su_t) 
@@ -35642,7 +35654,7 @@ index 9fe8e01..3d71062 100644 /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) ') diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if -index fc28bc3..faa2281 100644 +index fc28bc3..8828b8a 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -67,6 +67,27 @@ interface(`miscfiles_read_all_certs',` @@ -35698,6 +35710,15 @@ index fc28bc3..faa2281 100644 ## Manage generic SSL certificates. ## ## +@@ -121,7 +160,7 @@ interface(`miscfiles_manage_generic_cert_files',` + ') + + manage_files_pattern($1, cert_t, cert_t) +- read_lnk_files_pattern($1, cert_t, cert_t) ++ manage_lnk_files_pattern($1, cert_t, cert_t) + ') + + ######################################## @@ -156,6 +195,26 @@ interface(`miscfiles_manage_cert_dirs',` ######################################## @@ -38040,7 +38061,7 @@ index 3822072..a7912c5 100644 + allow semanage_t $1:dbus send_msg; +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index dc46420..4cc658b 100644 +index dc46420..fa0e220 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,16 @@ gen_require(` @@ -38222,11 +38243,15 @@ index dc46420..4cc658b 100644 optional_policy(` unconfined_dontaudit_read_pipes(load_policy_t) -@@ -215,12 +242,17 @@ optional_policy(` +@@ -215,12 +242,21 @@ optional_policy(` portage_dontaudit_use_fds(load_policy_t) ') +optional_policy(` ++ sssd_rw_inherited_pipes(load_policy_t) ++') ++ ++optional_policy(` + # pki is leaking + pki_dontaudit_write_log(load_policy_t) +') 
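Review bot: Changing `read_lnk_files_pattern` to `manage_lnk_files_pattern($1, cert_t, cert_t)` in miscfiles_manage_generic_cert_files lets every caller create, rename and unlink symlinks under cert_t, i.e. repoint a trust-store path at an arbitrary target, and the hunk gives no hint which domain needed that. The escalation is marginal, since the line above already grants `manage_files_pattern` on the same type, but the reason should still sit next to the rule, e.g. `# tools that regenerate the CA bundle recreate its symlinks -- confirm which callers need this`. The interface's summary and description ("Manage generic SSL certificates.") start outside the hunk and should say that symlinks are now managed as well.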
@@ -38241,7 +38266,7 @@ index dc46420..4cc658b 100644 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow newrole_t self:process setexec; allow newrole_t self:fd use; -@@ -232,7 +264,7 @@ allow newrole_t self:msgq create_msgq_perms; +@@ -232,7 +268,7 @@ allow newrole_t self:msgq create_msgq_perms; allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -38250,7 +38275,7 @@ index dc46420..4cc658b 100644 read_files_pattern(newrole_t, default_context_t, default_context_t) read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) -@@ -249,6 +281,7 @@ domain_use_interactive_fds(newrole_t) +@@ -249,6 +285,7 @@ domain_use_interactive_fds(newrole_t) # for when the user types "exec newrole" at the command line: domain_sigchld_interactive_fds(newrole_t) @@ -38258,7 +38283,7 @@ index dc46420..4cc658b 100644 files_read_etc_files(newrole_t) files_read_var_files(newrole_t) files_read_var_symlinks(newrole_t) -@@ -276,25 +309,34 @@ term_relabel_all_ptys(newrole_t) +@@ -276,25 +313,34 @@ term_relabel_all_ptys(newrole_t) term_getattr_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t) @@ -38300,7 +38325,7 @@ index dc46420..4cc658b 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(newrole_t) -@@ -309,7 +351,7 @@ if(secure_mode) { +@@ -309,7 +355,7 @@ if(secure_mode) { userdom_spec_domtrans_all_users(newrole_t) } @@ -38309,7 +38334,7 @@ index dc46420..4cc658b 100644 files_polyinstantiate_all(newrole_t) ') -@@ -328,9 +370,13 @@ kernel_use_fds(restorecond_t) +@@ -328,9 +374,13 @@ kernel_use_fds(restorecond_t) kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) 
@@ -38324,7 +38349,7 @@ index dc46420..4cc658b 100644 fs_list_inotifyfs(restorecond_t) selinux_validate_context(restorecond_t) -@@ -341,16 +387,17 @@ selinux_compute_user_contexts(restorecond_t) +@@ -341,16 +391,17 @@ selinux_compute_user_contexts(restorecond_t) files_relabel_non_auth_files(restorecond_t ) files_read_non_auth_files(restorecond_t) @@ -38344,7 +38369,7 @@ index dc46420..4cc658b 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -366,21 +413,24 @@ optional_policy(` +@@ -366,21 +417,24 @@ optional_policy(` # Run_init local policy # @@ -38371,7 +38396,7 @@ index dc46420..4cc658b 100644 dev_dontaudit_list_all_dev_nodes(run_init_t) domain_use_interactive_fds(run_init_t) -@@ -398,23 +448,30 @@ selinux_compute_create_context(run_init_t) +@@ -398,23 +452,30 @@ selinux_compute_create_context(run_init_t) selinux_compute_relabel_context(run_init_t) selinux_compute_user_contexts(run_init_t) @@ -38407,7 +38432,7 @@ index dc46420..4cc658b 100644 ifndef(`direct_sysadm_daemon',` ifdef(`distro_gentoo',` -@@ -425,6 +482,19 @@ ifndef(`direct_sysadm_daemon',` +@@ -425,6 +486,19 @@ ifndef(`direct_sysadm_daemon',` ') ') @@ -38427,7 +38452,7 @@ index dc46420..4cc658b 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -440,81 +510,87 @@ optional_policy(` +@@ -440,81 +514,87 @@ optional_policy(` # semodule local policy # @@ -38471,16 +38496,16 @@ index dc46420..4cc658b 100644 +can_exec(semanage_t, semanage_exec_t) -term_use_all_terms(semanage_t) -+# Admins are creating pp files in random locations -+files_read_non_security_files(semanage_t) - +- -# Running genhomedircon requires this for finding all users -auth_use_nsswitch(semanage_t) - -locallogin_use_fds(semanage_t) - -logging_send_syslog_msg(semanage_t) -- ++# Admins are creating pp files in random locations ++files_read_non_security_files(semanage_t) + -miscfiles_read_localization(semanage_t) - -seutil_libselinux_linked(semanage_t) 
@@ -38568,7 +38593,7 @@ index dc46420..4cc658b 100644 ') ######################################## -@@ -522,111 +598,196 @@ ifdef(`distro_ubuntu',` +@@ -522,111 +602,196 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # @@ -38664,8 +38689,7 @@ index dc46420..4cc658b 100644 +') + +ifdef(`hide_broken_symptoms',` - --userdom_use_all_users_fds(setfiles_t) ++ + optional_policy(` + setroubleshoot_fixit_dontaudit_leaks(setfiles_t) + setroubleshoot_fixit_dontaudit_leaks(setsebool_t) @@ -38677,7 +38701,8 @@ index dc46420..4cc658b 100644 + unconfined_domain(setfiles_t) + ') +') -+ + +-userdom_use_all_users_fds(setfiles_t) +######################################## +# +# Setfiles common policy @@ -43481,7 +43506,7 @@ index db75976..1ee08ec 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..2861886 100644 +index 9dc60c6..05274ae 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -44976,7 +45001,7 @@ index 9dc60c6..2861886 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1159,29 +1568,38 @@ template(`userdom_admin_user_template',` +@@ -1159,29 +1568,40 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -45006,6 +45031,8 @@ index 9dc60c6..2861886 100644 # Relabel almost all files - files_relabel_non_auth_files($1_t) + files_relabel_non_security_files($1_t) ++ ++ files_mounton_rootfs($1_t) init_telinit($1_t) 
@@ -45019,7 +45046,7 @@ index 9dc60c6..2861886 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1191,6 +1609,8 @@ template(`userdom_admin_user_template',` +@@ -1191,6 +1611,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -45028,7 +45055,7 @@ index 9dc60c6..2861886 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1198,13 +1618,21 @@ template(`userdom_admin_user_template',` +@@ -1198,13 +1620,21 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -45051,7 +45078,7 @@ index 9dc60c6..2861886 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1240,7 +1668,7 @@ template(`userdom_admin_user_template',` +@@ -1240,7 +1670,7 @@ template(`userdom_admin_user_template',` ## ## # @@ -45060,7 +45087,7 @@ index 9dc60c6..2861886 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1250,6 +1678,8 @@ template(`userdom_security_admin_template',` +@@ -1250,6 +1680,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -45069,7 +45096,7 @@ index 9dc60c6..2861886 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1262,8 +1692,10 @@ template(`userdom_security_admin_template',` +@@ -1262,8 +1694,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) 
@@ -45081,7 +45108,7 @@ index 9dc60c6..2861886 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1274,29 +1706,31 @@ template(`userdom_security_admin_template',` +@@ -1274,29 +1708,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -45124,7 +45151,7 @@ index 9dc60c6..2861886 100644 ') optional_policy(` -@@ -1357,14 +1791,17 @@ interface(`userdom_user_home_content',` +@@ -1357,14 +1793,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -45143,7 +45170,7 @@ index 9dc60c6..2861886 100644 ') ######################################## -@@ -1397,12 +1834,51 @@ interface(`userdom_user_tmp_file',` +@@ -1397,12 +1836,51 @@ interface(`userdom_user_tmp_file',` ## # interface(`userdom_user_tmpfs_file',` @@ -45196,7 +45223,7 @@ index 9dc60c6..2861886 100644 ## Allow domain to attach to TUN devices created by administrative users. ## ## -@@ -1509,11 +1985,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1509,11 +1987,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -45228,7 +45255,7 @@ index 9dc60c6..2861886 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1555,6 +2051,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1555,6 +2053,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -45243,7 +45270,7 @@ index 9dc60c6..2861886 100644 ') ######################################## -@@ -1570,9 +2074,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1570,9 +2076,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; 
@@ -45255,7 +45282,7 @@ index 9dc60c6..2861886 100644 ') ######################################## -@@ -1613,6 +2119,24 @@ interface(`userdom_manage_user_home_dirs',` +@@ -1613,6 +2121,24 @@ interface(`userdom_manage_user_home_dirs',` ######################################## ## @@ -45280,7 +45307,7 @@ index 9dc60c6..2861886 100644 ## Relabel to user home directories. ## ## -@@ -1629,6 +2153,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1629,6 +2155,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -45323,7 +45350,7 @@ index 9dc60c6..2861886 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1708,6 +2268,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1708,6 +2270,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -45332,7 +45359,7 @@ index 9dc60c6..2861886 100644 ') ######################################## -@@ -1741,10 +2303,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1741,10 +2305,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -45347,7 +45374,7 @@ index 9dc60c6..2861886 100644 ') ######################################## -@@ -1769,7 +2333,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1769,7 +2335,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -45356,7 +45383,7 @@ index 9dc60c6..2861886 100644 ## ## ## -@@ -1777,19 +2341,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1777,19 +2343,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # @@ -45380,7 +45407,7 @@ index 9dc60c6..2861886 100644 ## ## ## -@@ -1797,55 +2359,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1797,55 +2361,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # 
@@ -45451,7 +45478,7 @@ index 9dc60c6..2861886 100644 ## ## ## -@@ -1853,18 +2415,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1853,18 +2417,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ## ## # @@ -45479,7 +45506,7 @@ index 9dc60c6..2861886 100644 ## ## ## -@@ -1872,45 +2435,182 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1872,41 +2437,178 @@ interface(`userdom_mmap_user_home_content_files',` ## ## # @@ -45531,11 +45558,10 @@ index 9dc60c6..2861886 100644 ## -## Domain to not audit. +## Domain allowed access. - ## - ## ++## ++## +## - # --interface(`userdom_dontaudit_append_user_home_content_files',` ++# +interface(`userdom_relabel_user_tmp_dirs',` + gen_require(` + type user_tmp_t; @@ -45671,14 +45697,10 @@ index 9dc60c6..2861886 100644 +## +## +## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_append_user_home_content_files',` - gen_require(` - type user_home_t; - ') -@@ -1938,7 +2638,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` + ## + ## + # +@@ -1938,7 +2640,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -45687,7 +45709,7 @@ index 9dc60c6..2861886 100644 ## ## ## -@@ -1946,10 +2646,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1946,10 +2648,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # @@ -45700,7 +45722,7 @@ index 9dc60c6..2861886 100644 ') userdom_search_user_home_content($1) -@@ -1958,7 +2657,7 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1958,7 +2659,7 @@ interface(`userdom_delete_all_user_home_content_files',` ######################################## ## @@ -45709,7 +45731,7 @@ index 9dc60c6..2861886 100644 ## ## ## -@@ -1966,12 +2665,66 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1966,12 +2667,66 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # 
@@ -45778,7 +45800,7 @@ index 9dc60c6..2861886 100644 ') ######################################## -@@ -2007,8 +2760,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2007,8 +2762,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -45788,7 +45810,7 @@ index 9dc60c6..2861886 100644 ') ######################################## -@@ -2024,20 +2776,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2024,21 +2778,15 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -45802,18 +45824,19 @@ index 9dc60c6..2861886 100644 - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) -- ') -- -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') --') +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) +- ') +-') +- ######################################## ## -@@ -2120,7 +2866,7 @@ interface(`userdom_manage_user_home_content_symlinks',` + ## Do not audit attempts to execute user home files. +@@ -2120,7 +2868,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -45822,7 +45845,7 @@ index 9dc60c6..2861886 100644 ## ## ## -@@ -2128,19 +2874,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2876,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -45846,7 +45869,7 @@ index 9dc60c6..2861886 100644 ## ## ## -@@ -2148,12 +2892,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2894,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # 
@@ -45862,7 +45885,7 @@ index 9dc60c6..2861886 100644 ') ######################################## -@@ -2388,18 +3132,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2388,18 +3134,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` ## ## # @@ -45920,7 +45943,7 @@ index 9dc60c6..2861886 100644 ## Do not audit attempts to read users ## temporary files. ## -@@ -2414,7 +3194,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3196,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -45929,7 +45952,7 @@ index 9dc60c6..2861886 100644 ') ######################################## -@@ -2455,6 +3235,25 @@ interface(`userdom_rw_user_tmp_files',` +@@ -2455,6 +3237,25 @@ interface(`userdom_rw_user_tmp_files',` rw_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') @@ -45955,7 +45978,7 @@ index 9dc60c6..2861886 100644 ######################################## ## -@@ -2538,7 +3337,7 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2538,7 +3339,7 @@ interface(`userdom_manage_user_tmp_files',` ######################################## ## ## Create, read, write, and delete user @@ -45964,7 +45987,7 @@ index 9dc60c6..2861886 100644 ## ## ## -@@ -2546,19 +3345,19 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2546,19 +3347,19 @@ interface(`userdom_manage_user_tmp_files',` ## ## # @@ -45987,7 +46010,7 @@ index 9dc60c6..2861886 100644 ## ## ## -@@ -2566,19 +3365,19 @@ interface(`userdom_manage_user_tmp_symlinks',` +@@ -2566,19 +3367,19 @@ interface(`userdom_manage_user_tmp_symlinks',` ## ## # @@ -46010,7 +46033,7 @@ index 9dc60c6..2861886 100644 ## ## ## -@@ -2586,12 +3385,53 @@ interface(`userdom_manage_user_tmp_pipes',` +@@ -2586,18 +3387,59 @@ interface(`userdom_manage_user_tmp_pipes',` ## ## # 
@@ -46022,12 +46045,13 @@ index 9dc60c6..2861886 100644 - manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) + allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; -+ files_search_tmp($1) -+') -+ + files_search_tmp($1) + ') + + -+######################################## -+## + ######################################## + ## +-## Create objects in a user temporary directory +## Create, read, write, and delete user +## temporary named pipes. +## @@ -46063,10 +46087,16 @@ index 9dc60c6..2861886 100644 + ') + + manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) - ') - -@@ -2661,6 +3501,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` ++ files_search_tmp($1) ++') ++ ++######################################## ++## ++## Create objects in a user temporary directory + ## with an automatic type transition to + ## a specified private type. + ## +@@ -2661,6 +3503,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -46088,7 +46118,7 @@ index 9dc60c6..2861886 100644 ######################################## ## ## Read user tmpfs files. -@@ -2672,18 +3527,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2672,18 +3529,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` ## # interface(`userdom_read_user_tmpfs_files',` @@ -46110,7 +46140,7 @@ index 9dc60c6..2861886 100644 ## ## ## -@@ -2692,19 +3542,13 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2692,19 +3544,13 @@ interface(`userdom_read_user_tmpfs_files',` ## # interface(`userdom_rw_user_tmpfs_files',` @@ -46133,7 +46163,7 @@ index 9dc60c6..2861886 100644 ## ## ## -@@ -2713,13 +3557,56 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2713,13 +3559,56 @@ interface(`userdom_rw_user_tmpfs_files',` ## # interface(`userdom_manage_user_tmpfs_files',` 
@@ -46194,7 +46224,7 @@ index 9dc60c6..2861886 100644 ') ######################################## -@@ -2814,6 +3701,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3703,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -46219,7 +46249,7 @@ index 9dc60c6..2861886 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3737,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3739,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -46262,7 +46292,7 @@ index 9dc60c6..2861886 100644 ## ## ## -@@ -2856,14 +3773,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3775,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -46300,7 +46330,7 @@ index 9dc60c6..2861886 100644 ') ######################################## -@@ -2882,8 +3818,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3820,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -46330,7 +46360,7 @@ index 9dc60c6..2861886 100644 ') ######################################## -@@ -2955,69 +3910,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,69 +3912,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -46431,7 +46461,7 @@ index 9dc60c6..2861886 100644 ## ## ## -@@ -3025,12 +3979,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,12 +3981,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -46446,7 +46476,7 @@ index 9dc60c6..2861886 100644 ') ######################################## -@@ -3094,7 +4048,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +4050,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
@@ -46455,7 +46485,7 @@ index 9dc60c6..2861886 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +4064,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +4066,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -46489,7 +46519,7 @@ index 9dc60c6..2861886 100644 ') ######################################## -@@ -3214,7 +4152,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4154,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -46516,7 +46546,7 @@ index 9dc60c6..2861886 100644 ') ######################################## -@@ -3269,12 +4225,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4227,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -46532,7 +46562,7 @@ index 9dc60c6..2861886 100644 ## ## ## -@@ -3282,49 +4239,125 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,46 +4241,122 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -46590,9 +46620,8 @@ index 9dc60c6..2861886 100644 gen_require(` - attribute userdomain; + type user_tmp_t; - ') - -- allow $1 userdomain:process getattr; ++ ') ++ + dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; +') + @@ -46666,13 +46695,10 @@ index 9dc60c6..2861886 100644 +interface(`userdom_getattr_all_users',` + gen_require(` + attribute userdomain; -+ ') -+ -+ allow $1 userdomain:process getattr; - ') + ') - ######################################## -@@ -3382,6 +4415,42 @@ interface(`userdom_signal_all_users',` + allow $1 userdomain:process getattr; +@@ -3382,6 +4417,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') 
@@ -46715,7 +46741,7 @@ index 9dc60c6..2861886 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4471,60 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4473,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -46776,7 +46802,7 @@ index 9dc60c6..2861886 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4558,1686 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4560,1686 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-f21-contrib.patch b/policy-f21-contrib.patch index 01b68b1..11469d7 100644 --- a/policy-f21-contrib.patch +++ b/policy-f21-contrib.patch @@ -8774,7 +8774,7 @@ index dcd774e..c240ffa 100644 allow $1 bacula_t:process { ptrace signal_perms }; diff --git a/bacula.te b/bacula.te -index f16b000..5aaaf4f 100644 +index f16b000..4e48c62 100644 --- a/bacula.te +++ b/bacula.te @@ -27,6 +27,9 @@ type bacula_store_t; @@ -8830,18 +8830,20 @@ index f16b000..5aaaf4f 100644 auth_read_shadow(bacula_t) logging_send_syslog_msg(bacula_t) -@@ -125,6 +139,10 @@ optional_policy(` +@@ -125,6 +139,12 @@ optional_policy(` ldap_stream_connect(bacula_t) ') +optional_policy(` + postgresql_tcp_connect(bacula_t) ++ postgresql_stream_connect(bacula_t) +') + ++ ######################################## # # Client local policy -@@ -148,11 +166,8 @@ corenet_tcp_connect_hplip_port(bacula_admin_t) +@@ -148,11 +168,8 @@ corenet_tcp_connect_hplip_port(bacula_admin_t) domain_use_interactive_fds(bacula_admin_t) @@ -10363,16 +10365,18 @@ index c5a9113..1919abd 100644 xen_dontaudit_rw_unix_stream_sockets(brctl_t) diff --git a/brltty.fc b/brltty.fc new file mode 100644 -index 0000000..d541924 +index 0000000..0cfe342 --- /dev/null 
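Review bot: The new postgresql block in bacula.te leaves two consecutive blank lines before the `####` banner (the `++` line after `+')`), which the rest of the file does not do; drop the extra one so the separator is a single blank line. `postgresql_stream_connect(bacula_t)` next to the existing tcp connect is otherwise unremarkable.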
+++ b/brltty.fc -@@ -0,0 +1,6 @@ +@@ -0,0 +1,8 @@ +/usr/lib/systemd/system/brltty.* -- gen_context(system_u:object_r:brltty_unit_file_t,s0) + +/usr/bin/brltty -- gen_context(system_u:object_r:brltty_exec_t,s0) + +/var/lib/BrlAPI(/.*)? gen_context(system_u:object_r:brltty_var_lib_t,s0) + ++/var/run/brltty(/.*)? gen_context(system_u:object_r:brltty_var_run_t,s0) ++ diff --git a/brltty.if b/brltty.if new file mode 100644 index 0000000..968c957 @@ -10461,10 +10465,10 @@ index 0000000..968c957 +') diff --git a/brltty.te b/brltty.te new file mode 100644 -index 0000000..d1b76d8 +index 0000000..03032f9 --- /dev/null +++ b/brltty.te -@@ -0,0 +1,50 @@ +@@ -0,0 +1,60 @@ +policy_module(brltty, 1.0.0) + +######################################## @@ -10479,6 +10483,9 @@ index 0000000..d1b76d8 +type brltty_var_lib_t; +files_type(brltty_var_lib_t) + ++type brltty_var_run_t; ++files_pid_file(brltty_var_run_t) ++ +type brltty_unit_file_t; +systemd_unit_file(brltty_unit_file_t) + @@ -10498,6 +10505,11 @@ index 0000000..d1b76d8 +manage_sock_files_pattern(brltty_t,brltty_var_lib_t, brltty_var_lib_t) +files_var_lib_filetrans(brltty_t, brltty_var_lib_t, {file sock_file dir}) + ++manage_dirs_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t) ++manage_files_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t) ++files_pid_filetrans(brltty_t, brltty_var_run_t, { dir file }) ++allow brltty_t brltty_var_run_t:dir mounton; ++ +kernel_read_system_state(brltty_t) +kernel_read_usermodehelper_state(brltty_t) + @@ -10508,6 +10520,8 @@ index 0000000..d1b76d8 +dev_read_sysfs(brltty_t) +dev_getattr_generic_usb_dev(brltty_t) + ++fs_getattr_all_fs(brltty_t) ++ +logging_send_syslog_msg(brltty_t) + +modutils_domtrans_insmod(brltty_t) @@ -18927,12 +18941,14 @@ index 7de3859..d88194b 100644 type unconfined_cronjob_t; diff --git a/ctdb.fc b/ctdb.fc -index 8401fe6..9131995 100644 +index 8401fe6..d58f3e7 100644 --- a/ctdb.fc 
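Review bot: `allow brltty_t brltty_var_run_t:dir mounton;` in brltty.te grants the mountpoint half of a mount, but nothing in the hunk grants the `filesystem:mount` half on any filesystem type, so the rule is either incomplete or covers an attempt that would be better turned into a dontaudit; a comment should say which, e.g. `# brltty mounts <what> over /var/run/brltty -- confirm, and check the matching filesystem mount rule`. If the mount permission lives elsewhere in brltty.te that is fine, but it is not visible from this hunk. `fs_getattr_all_fs(brltty_t)` similarly arrives without a reason and is probably the statfs half of the same operation, which is an inference worth confirming. The brltty_t block continues outside the hunk.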
+++ b/ctdb.fc -@@ -2,11 +2,16 @@ +@@ -1,12 +1,18 @@ + /etc/rc\.d/init\.d/ctdb -- gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0) /usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0) ++/usr/sbin/ctdbd_wrapper -- gen_context(system_u:object_r:ctdbd_exec_t,s0) +/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_t,s0) + @@ -25099,10 +25115,10 @@ index 0000000..b2c82df +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..559af49 +index 0000000..91d8c90 --- /dev/null +++ b/docker.te -@@ -0,0 +1,285 @@ +@@ -0,0 +1,286 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -25355,6 +25371,7 @@ index 0000000..559af49 +optional_policy(` + dbus_system_bus_client(docker_t) + init_dbus_chat(docker_t) ++ init_start_transient_unit(docker_t) + + optional_policy(` + systemd_dbus_chat_logind(docker_t) @@ -30550,10 +30567,10 @@ index 5cd0909..b558e60 100644 +') diff --git a/glusterd.fc b/glusterd.fc new file mode 100644 -index 0000000..8431a61 +index 0000000..8c8c6c9 --- /dev/null +++ b/glusterd.fc -@@ -0,0 +1,17 @@ +@@ -0,0 +1,18 @@ +/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) + +/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) @@ -30568,6 +30585,7 @@ index 0000000..8431a61 + +/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) + ++/var/run/gluster(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) +/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) +/var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0) +/var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0) @@ -43512,7 +43530,7 @@ index d314333..27ede09 100644 + ') ') diff --git a/lsm.te b/lsm.te -index 4ec0eea..01db8ca 100644 +index 4ec0eea..2a6d99e 100644 --- a/lsm.te +++ b/lsm.te @@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0) 
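Review bot: Labeling `/usr/sbin/ctdbd_wrapper` as ctdbd_exec_t makes that file an entry point into ctdbd_t, and if it is a shell script, as the name suggests but the hunk cannot show, the interpreter and everything the wrapper calls then run confined as the daemon domain, which needs the corresponding exec rules in ctdb.te. A short comment on the fc line would make the intent checkable: `# wrapper script started by the unit file; runs in ctdbd_t (needs shell exec in ctdb.te) -- confirm`. Whether ctdbd_t already has that access is not visible here.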
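Review bot: `init_start_transient_unit(docker_t)` lets the daemon ask systemd to create and start transient units whose processes run outside docker_t's confinement, and the hunk records no reason for it. Since `init_dbus_chat(docker_t)` on the line above already opens the bus channel, this names an existing capability rather than adding a new one, but the purpose still belongs next to the rule, e.g. `# systemd cgroup driver: containers are placed in transient scope units via the system bus -- confirm`. Keeping it inside the dbus optional_policy block is correct, since it only matters when dbus is present. The docker_t policy continues outside the hunk.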
@@ -43547,7 +43565,7 @@ index 4ec0eea..01db8ca 100644 ######################################## # # Local policy -@@ -26,4 +44,50 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) +@@ -26,4 +44,51 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file }) @@ -43563,6 +43581,7 @@ index 4ec0eea..01db8ca 100644 + +allow lsmd_plugin_t self:udp_socket create_socket_perms; +allow lsmd_plugin_t self:tcp_socket create_stream_socket_perms; ++allow lsmd_plugin_t self:netlink_route_socket r_netlink_socket_perms; + +domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t) +allow lsmd_plugin_t lsmd_t:unix_stream_socket { read write }; @@ -49833,7 +49852,7 @@ index f42896c..bd1eb52 100644 +/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if -index ed81cac..837a43a 100644 +index ed81cac..2224799 100644 --- a/mta.if +++ b/mta.if @@ -1,4 +1,4 @@ @@ -50210,11 +50229,29 @@ index ed81cac..837a43a 100644 interface(`mta_signal_system_mail',` gen_require(` type system_mail_t; -@@ -475,7 +392,43 @@ interface(`mta_signal_system_mail',` +@@ -475,7 +392,61 @@ interface(`mta_signal_system_mail',` ######################################## ## -## Send kill signals to system mail. ++## Allow role to access system_mail_t. ++## ++## ++## ++## Role allowed access. ++## ++## ++# ++interface(`mta_role_access_system_mail',` ++ gen_require(` ++ type system_mail_t; ++ ') ++ ++ role $1 types system_mail_t; ++') ++ ++######################################## ++## +## Send all user mail client a signal +## +## @@ -50255,7 +50292,7 @@ index ed81cac..837a43a 100644 ## ## ## -@@ -506,13 +459,32 @@ interface(`mta_sendmail_exec',` +@@ -506,13 +477,32 @@ interface(`mta_sendmail_exec',` type sendmail_exec_t; ') 
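Review bot: The summary of the new mta_role_access_system_mail, "Allow role to access system_mail_t", overstates what the body does: `role $1 types system_mail_t;` only authorizes the role for that type and grants no domain transition or execute access on sendmail_exec_t, so a caller still needs mta_send_mail (or equivalent) for its user domain. Suggest `## Authorize the role for the system_mail_t type; no transition is granted, pair with mta_send_mail.` Also a point of style: refpolicy's role-bridging interfaces are conventionally named `*_role` and take the role as the first argument, so either that naming or a doc line pointing at it would help discoverability.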
@@ -50290,7 +50327,7 @@ index ed81cac..837a43a 100644 ## ## ## -@@ -528,13 +500,13 @@ interface(`mta_read_config',` +@@ -528,13 +518,13 @@ interface(`mta_read_config',` files_search_etc($1) allow $1 etc_mail_t:dir list_dir_perms; @@ -50307,7 +50344,7 @@ index ed81cac..837a43a 100644 ## ## ## -@@ -548,33 +520,31 @@ interface(`mta_write_config',` +@@ -548,33 +538,31 @@ interface(`mta_write_config',` type etc_mail_t; ') @@ -50347,7 +50384,7 @@ index ed81cac..837a43a 100644 ## ## ## -@@ -582,84 +552,66 @@ interface(`mta_read_aliases',` +@@ -582,84 +570,66 @@ interface(`mta_read_aliases',` ## ## # @@ -50448,7 +50485,7 @@ index ed81cac..837a43a 100644 ## ## ## -@@ -674,14 +626,13 @@ interface(`mta_rw_aliases',` +@@ -674,14 +644,13 @@ interface(`mta_rw_aliases',` ') files_search_etc($1) @@ -50466,7 +50503,7 @@ index ed81cac..837a43a 100644 ## ## ## -@@ -697,6 +648,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',` +@@ -697,6 +666,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',` dontaudit $1 mailserver_delivery:tcp_socket { read write }; ') @@ -50492,7 +50529,7 @@ index ed81cac..837a43a 100644 ####################################### ## ## Connect to all mail servers over TCP. (Deprecated) -@@ -713,8 +683,8 @@ interface(`mta_tcp_connect_all_mailservers',` +@@ -713,8 +701,8 @@ interface(`mta_tcp_connect_all_mailservers',` ####################################### ## @@ -50503,7 +50540,7 @@ index ed81cac..837a43a 100644 ## ## ## -@@ -732,7 +702,7 @@ interface(`mta_dontaudit_read_spool_symlinks',` +@@ -732,7 +720,7 @@ interface(`mta_dontaudit_read_spool_symlinks',` ######################################## ## @@ -50512,7 +50549,7 @@ index ed81cac..837a43a 100644 ## ## ## -@@ -753,8 +723,8 @@ interface(`mta_getattr_spool',` +@@ -753,8 +741,8 @@ interface(`mta_getattr_spool',` ######################################## ## 
@@ -50523,7 +50560,7 @@ index ed81cac..837a43a 100644 ## ## ## -@@ -775,9 +745,8 @@ interface(`mta_dontaudit_getattr_spool_files',` +@@ -775,9 +763,8 @@ interface(`mta_dontaudit_getattr_spool_files',` ####################################### ## @@ -50535,7 +50572,7 @@ index ed81cac..837a43a 100644 ## ## ## -@@ -811,7 +780,7 @@ interface(`mta_spool_filetrans',` +@@ -811,7 +798,7 @@ interface(`mta_spool_filetrans',` ####################################### ## @@ -50544,7 +50581,7 @@ index ed81cac..837a43a 100644 ## ## ## -@@ -819,10 +788,10 @@ interface(`mta_spool_filetrans',` +@@ -819,10 +806,10 @@ interface(`mta_spool_filetrans',` ## ## # @@ -50559,7 +50596,7 @@ index ed81cac..837a43a 100644 files_search_spool($1) read_files_pattern($1, mail_spool_t, mail_spool_t) -@@ -830,7 +799,7 @@ interface(`mta_read_spool_files',` +@@ -830,7 +817,7 @@ interface(`mta_read_spool_files',` ######################################## ## @@ -50568,7 +50605,7 @@ index ed81cac..837a43a 100644 ## ## ## -@@ -845,13 +814,14 @@ interface(`mta_rw_spool',` +@@ -845,13 +832,14 @@ interface(`mta_rw_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; @@ -50586,7 +50623,7 @@ index ed81cac..837a43a 100644 ## ## ## -@@ -866,13 +836,14 @@ interface(`mta_append_spool',` +@@ -866,13 +854,14 @@ interface(`mta_append_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; @@ -50604,7 +50641,7 @@ index ed81cac..837a43a 100644 ## ## ## -@@ -891,8 +862,7 @@ interface(`mta_delete_spool',` +@@ -891,8 +880,7 @@ interface(`mta_delete_spool',` ######################################## ## @@ -50614,7 +50651,7 @@ index ed81cac..837a43a 100644 ## ## ## -@@ -911,45 +881,9 @@ interface(`mta_manage_spool',` +@@ -911,45 +899,9 @@ interface(`mta_manage_spool',` manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') 
@@ -50661,7 +50698,7 @@ index ed81cac..837a43a 100644 ## ## ## -@@ -968,7 +902,7 @@ interface(`mta_search_queue',` +@@ -968,7 +920,7 @@ interface(`mta_search_queue',` ####################################### ## @@ -50670,7 +50707,7 @@ index ed81cac..837a43a 100644 ## ## ## -@@ -981,13 +915,13 @@ interface(`mta_list_queue',` +@@ -981,13 +933,13 @@ interface(`mta_list_queue',` type mqueue_spool_t; ') @@ -50686,7 +50723,7 @@ index ed81cac..837a43a 100644 ## ## ## -@@ -1000,14 +934,14 @@ interface(`mta_read_queue',` +@@ -1000,14 +952,14 @@ interface(`mta_read_queue',` type mqueue_spool_t; ') @@ -50703,7 +50740,7 @@ index ed81cac..837a43a 100644 ## ## ## -@@ -1027,7 +961,7 @@ interface(`mta_dontaudit_rw_queue',` +@@ -1027,7 +979,7 @@ interface(`mta_dontaudit_rw_queue',` ######################################## ## ## Create, read, write, and delete @@ -50712,7 +50749,7 @@ index ed81cac..837a43a 100644 ## ## ## -@@ -1047,6 +981,41 @@ interface(`mta_manage_queue',` +@@ -1047,6 +999,41 @@ interface(`mta_manage_queue',` ####################################### ## @@ -50754,7 +50791,7 @@ index ed81cac..837a43a 100644 ## Read sendmail binary. ## ## -@@ -1055,6 +1024,7 @@ interface(`mta_manage_queue',` +@@ -1055,6 +1042,7 @@ interface(`mta_manage_queue',` ## ## # @@ -50762,7 +50799,7 @@ index ed81cac..837a43a 100644 interface(`mta_read_sendmail_bin',` gen_require(` type sendmail_exec_t; -@@ -1065,8 +1035,8 @@ interface(`mta_read_sendmail_bin',` +@@ -1065,8 +1053,8 @@ interface(`mta_read_sendmail_bin',` ####################################### ## @@ -50773,7 +50810,7 @@ index ed81cac..837a43a 100644 ## ## ## -@@ -1081,3 +1051,200 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -1081,3 +1069,200 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -58495,11 +58532,14 @@ index 8ec7859..719cffd 100644 fs_getattr_all_fs(ntop_t) fs_search_auto_mountpoints(ntop_t) 
diff --git a/ntp.fc b/ntp.fc -index af3c91e..2d41c4c 100644 +index af3c91e..3e5f9cf 100644 --- a/ntp.fc +++ b/ntp.fc -@@ -13,7 +13,10 @@ +@@ -11,9 +11,13 @@ + + /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) ++/usr/libexec/ntpdate-wrapper -- gen_context(system_u:object_r:ntpdate_exec_t,s0) /usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0) +/usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0) @@ -62051,7 +62091,7 @@ index 6837e9a..9bac89c 100644 domain_system_change_exemption($1) role_transition $2 openvpn_initrc_exec_t system_r; diff --git a/openvpn.te b/openvpn.te -index 63957a3..57fbf6d 100644 +index 63957a3..4b43430 100644 --- a/openvpn.te +++ b/openvpn.te @@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2) @@ -62142,7 +62182,7 @@ index 63957a3..57fbf6d 100644 corenet_rw_tun_tap_dev(openvpn_t) dev_read_rand(openvpn_t) -@@ -132,21 +147,30 @@ files_read_etc_runtime_files(openvpn_t) +@@ -132,21 +147,31 @@ files_read_etc_runtime_files(openvpn_t) fs_getattr_all_fs(openvpn_t) fs_search_auto_mountpoints(openvpn_t) @@ -62163,6 +62203,7 @@ index 63957a3..57fbf6d 100644 -userdom_use_user_terminals(openvpn_t) +systemd_passwd_agent_domtrans(openvpn_t) ++systemd_manage_passwd_run(openvpn_t) + +userdom_use_inherited_user_terminals(openvpn_t) +userdom_read_home_certs(openvpn_t) @@ -62176,7 +62217,7 @@ index 63957a3..57fbf6d 100644 ') tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` -@@ -164,10 +188,20 @@ tunable_policy(`openvpn_can_network_connect',` +@@ -164,10 +189,20 @@ tunable_policy(`openvpn_can_network_connect',` ') optional_policy(` @@ -62197,7 +62238,7 @@ index 63957a3..57fbf6d 100644 dbus_system_bus_client(openvpn_t) dbus_connect_system_bus(openvpn_t) -@@ -175,3 +209,27 @@ optional_policy(` +@@ -175,3 +210,27 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') ') @@ -63138,10 +63179,10 @@ index 0000000..05648bd +') 
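Review bot: `systemd_manage_passwd_run(openvpn_t)` grants what its name says, the full manage permission set on systemd_passwd_var_run_t per the changelog line, which is wider than the adjacent `systemd_passwd_agent_domtrans(openvpn_t)` suggests the daemon needs, and the rule carries no comment even though the spec changelog ties it to BZ(1170085). If the denial behind that bug was only openvpn's own password agent creating and writing its request files, a narrower read-plus-create rule would be preferable; if manage really is required, say so in place: `# BZ(1170085): openvpn's password agent writes into the systemd ask-password runtime dir`. The surrounding run of openvpn_t rules starts and ends outside this hunk.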
diff --git a/osad.te b/osad.te new file mode 100644 -index 0000000..1d33fea +index 0000000..6c2f264 --- /dev/null +++ b/osad.te -@@ -0,0 +1,49 @@ +@@ -0,0 +1,56 @@ +policy_module(osad, 1.0.0) + +######################################## @@ -63177,6 +63218,8 @@ index 0000000..1d33fea + +kernel_read_system_state(osad_t) + ++corecmd_exec_bin(osad_t) ++ +corenet_tcp_connect_http_port(osad_t) +corenet_tcp_connect_jabber_client_port(osad_t) + @@ -63191,6 +63234,11 @@ index 0000000..1d33fea +optional_policy(` + rhnsd_manage_config(osad_t) +') ++ ++# execute rhn_check ++optional_policy(` ++ rpm_domtrans(osad_t) ++') diff --git a/pacemaker.fc b/pacemaker.fc index 2f0ad56..d4da0b8 100644 --- a/pacemaker.fc @@ -64589,7 +64637,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 608f454..6054e92 100644 +index 608f454..251160b 100644 --- a/pegasus.te +++ b/pegasus.te @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) @@ -64608,7 +64656,7 @@ index 608f454..6054e92 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,324 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,326 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) @@ -64844,6 +64892,8 @@ index 608f454..6054e92 100644 +kernel_get_sysvipc_info(pegasus_openlmi_storage_t) +kernel_request_load_module(pegasus_openlmi_storage_t) + ++auth_use_nsswitch(pegasus_openlmi_storage_t) ++ +dev_read_raw_memory(pegasus_openlmi_storage_t) +dev_read_rand(pegasus_openlmi_storage_t) +dev_read_urand(pegasus_openlmi_storage_t) 
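Review bot: `rpm_domtrans(osad_t)` in the second osad.te hunk turns osad_t, whose only network rules are the jabber and HTTP client connects a few lines above, into a launcher for rpm_t, so a compromise of the OSAD client — or a malicious instruction from the server it polls — becomes a package-management operation with no further policy gate; `corecmd_exec_bin(osad_t)` in the first hunk is what lets it reach the helper at all. That is presumably the intended design of rhn_check, but the single `# execute rhn_check` comment understates it; I would write `# osad runs rhn_check, which transitions to rpm_t: a remote action from the server becomes a package operation here`. If a site wants to switch that path off, a tunable around the optional_policy block would be the place. The osad_t local-policy block starts before the first of these hunks.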
@@ -64938,7 +64988,7 @@ index 608f454..6054e92 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +357,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +359,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -64969,7 +65019,7 @@ index 608f454..6054e92 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +383,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +385,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -65002,7 +65052,7 @@ index 608f454..6054e92 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,9 +411,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +413,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -65014,7 +65064,7 @@ index 608f454..6054e92 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) -@@ -128,18 +427,29 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +429,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -65050,7 +65100,7 @@ index 608f454..6054e92 100644 ') optional_policy(` -@@ -151,16 +461,24 @@ optional_policy(` +@@ -151,16 +463,24 @@ optional_policy(` ') optional_policy(` @@ -65079,7 +65129,7 @@ index 608f454..6054e92 100644 ') optional_policy(` -@@ -168,7 +486,7 @@ optional_policy(` +@@ -168,7 +488,7 @@ optional_policy(` ') optional_policy(` @@ -65088,7 +65138,7 @@ index 608f454..6054e92 100644 ') optional_policy(` -@@ -180,6 +498,7 @@ optional_policy(` +@@ -180,6 +500,7 @@ optional_policy(` ') optional_policy(` 
@@ -70977,7 +71027,7 @@ index cd8b8b9..2cfa88a 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index d616ca3..e7f793e 100644 +index d616ca3..6b73bbd 100644 --- a/ppp.te +++ b/ppp.te @@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0) @@ -71060,7 +71110,8 @@ index d616ca3..e7f793e 100644 +# PPPD Local policy # - allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice }; +-allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice }; ++allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice sys_chroot }; dontaudit pppd_t self:capability sys_tty_config; -allow pppd_t self:process { getsched setsched signal }; +dontaudit pppd_t self:capability2 block_suspend; @@ -85996,7 +86047,7 @@ index ef3b225..d248cd3 100644 init_labeled_script_domtrans($1, rpm_initrc_exec_t) domain_system_change_exemption($1) diff --git a/rpm.te b/rpm.te -index 6fc360e..15fcd26 100644 +index 6fc360e..75415ab 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,13 @@ @@ -86338,7 +86389,7 @@ index 6fc360e..15fcd26 100644 mls_file_read_all_levels(rpm_script_t) mls_file_write_all_levels(rpm_script_t) -@@ -331,30 +331,53 @@ storage_raw_write_fixed_disk(rpm_script_t) +@@ -331,73 +331,125 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) @@ -86401,7 +86452,9 @@ index 6fc360e..15fcd26 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -363,41 +386,69 @@ ifdef(`distro_redhat',` + mta_send_mail(rpm_script_t) ++ mta_role_access_system_mail(rpm_script_roles) + mta_system_content(rpm_var_run_t) ') ') @@ -86482,7 +86535,7 @@ index 6fc360e..15fcd26 100644 optional_policy(` java_domtrans_unconfined(rpm_script_t) -@@ -409,6 +460,6 @@ optional_policy(` +@@ -409,6 +461,6 @@ optional_policy(` ') optional_policy(` 
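Review bot: `sys_chroot` is appended to pppd_t's self:capability set without a comment naming the pppd feature or denial that needs it, and unlike the other rule changes in this commit it is not mentioned in the 3.13.1-102 changelog at the end of the diff. The capability is small next to the dac_override and sys_admin already in the set, but undocumented capability growth is exactly what later audits cannot unwind; I would annotate the line: `# sys_chroot: <pppd feature or bugzilla id that triggered the denial>`. pppd_t's local-policy block continues beyond this hunk.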
@@ -87196,13 +87249,14 @@ index abeb302..7c1f218 100644 ') diff --git a/rtas.fc b/rtas.fc new file mode 100644 -index 0000000..4552e91 +index 0000000..8d12521 --- /dev/null +++ b/rtas.fc -@@ -0,0 +1,13 @@ +@@ -0,0 +1,14 @@ +/usr/lib/systemd/system/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_unit_file_t,s0) + +/usr/sbin/rtas_errd -- gen_context(system_u:object_r:rtas_errd_exec_t,s0) ++/usr/libexec/ppc64-diag/rtas_errd -- gen_context(system_u:object_r:rtas_errd_exec_t,s0) + +/var/lock/subsys/rtas_errd -- gen_context(system_u:object_r:rtas_errd_var_lock_t) +/var/lock/.*librtas -- gen_context(system_u:object_r:rtas_errd_var_lock_t) @@ -88486,7 +88540,7 @@ index 50d07fb..dc069c8 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..b2692f5 100644 +index 2b7c441..c2cd297 100644 --- a/samba.te +++ b/samba.te @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3) @@ -89279,7 +89333,7 @@ index 2b7c441..b2692f5 100644 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) -@@ -627,16 +682,11 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -627,16 +682,13 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -89289,7 +89343,8 @@ index 2b7c441..b2692f5 100644 term_use_console(smbcontrol_t) -miscfiles_read_localization(smbcontrol_t) -- ++auth_read_passwd(smbcontrol_t) + sysnet_use_ldap(smbcontrol_t) -userdom_use_user_terminals(smbcontrol_t) @@ -89297,7 +89352,7 @@ index 2b7c441..b2692f5 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -644,22 +694,23 @@ optional_policy(` +@@ -644,22 +696,23 @@ optional_policy(` ######################################## # 
@@ -89329,7 +89384,7 @@ index 2b7c441..b2692f5 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -668,26 +719,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -668,26 +721,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -89365,19 +89420,19 @@ index 2b7c441..b2692f5 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -699,58 +746,77 @@ fs_read_cifs_files(smbmount_t) +@@ -699,58 +748,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) -auth_use_nsswitch(smbmount_t) +corecmd_list_bin(smbmount_t) -+ + +-miscfiles_read_localization(smbmount_t) +files_list_mnt(smbmount_t) +files_mounton_mnt(smbmount_t) +files_manage_etc_runtime_files(smbmount_t) +files_etc_filetrans_etc_runtime(smbmount_t, file) - --miscfiles_read_localization(smbmount_t) ++ +auth_use_nsswitch(smbmount_t) -mount_use_fds(smbmount_t) @@ -89457,7 +89512,7 @@ index 2b7c441..b2692f5 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -759,17 +825,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -759,17 +827,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -89481,7 +89536,7 @@ index 2b7c441..b2692f5 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -777,36 +839,25 @@ kernel_read_network_state(swat_t) +@@ -777,36 +841,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) 
@@ -89524,7 +89579,7 @@ index 2b7c441..b2692f5 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -818,10 +869,11 @@ logging_send_syslog_msg(swat_t) +@@ -818,10 +871,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -89538,7 +89593,7 @@ index 2b7c441..b2692f5 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -840,17 +892,20 @@ optional_policy(` +@@ -840,17 +894,20 @@ optional_policy(` # Winbind local policy # @@ -89564,7 +89619,7 @@ index 2b7c441..b2692f5 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -860,9 +915,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -860,9 +917,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -89575,7 +89630,7 @@ index 2b7c441..b2692f5 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,38 +926,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -873,38 +928,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -89628,7 +89683,7 @@ index 2b7c441..b2692f5 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,38 +968,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,38 +970,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -89687,7 +89742,7 @@ index 2b7c441..b2692f5 100644 ') optional_policy(` -@@ -959,31 +1029,35 @@ optional_policy(` +@@ -959,31 +1031,35 @@ optional_policy(` # Winbind helper local policy # 
@@ -89730,7 +89785,7 @@ index 2b7c441..b2692f5 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1071,38 @@ optional_policy(` +@@ -997,25 +1073,38 @@ optional_policy(` ######################################## # @@ -97302,10 +97357,10 @@ index 03472ed..48b5633 100644 + cron_system_entry(squid_cron_t, squid_cron_exec_t) +') diff --git a/sssd.fc b/sssd.fc -index dbb005a..45291bb 100644 +index dbb005a..835122a 100644 --- a/sssd.fc +++ b/sssd.fc -@@ -1,15 +1,17 @@ +@@ -1,15 +1,19 @@ /etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) -/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0) @@ -97318,6 +97373,8 @@ index dbb005a..45291bb 100644 +/usr/lib/systemd/system/sssd.* -- gen_context(system_u:object_r:sssd_unit_file_t,s0) -/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) ++/usr/libexec/sssd/selinux_child -- gen_context(system_u:object_r:sssd_selinux_manager_exec_t,s0) ++ +/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) + +/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) @@ -97330,7 +97387,7 @@ index dbb005a..45291bb 100644 -/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) diff --git a/sssd.if b/sssd.if -index a240455..de2172a 100644 +index a240455..b25b2ce 100644 --- a/sssd.if +++ b/sssd.if @@ -1,21 +1,21 @@ @@ -97625,7 +97682,7 @@ index a240455..de2172a 100644 ## ## ## -@@ -317,8 +389,46 @@ interface(`sssd_stream_connect',` +@@ -317,8 +389,65 @@ interface(`sssd_stream_connect',` ######################################## ## 
@@ -97667,6 +97724,25 @@ index a240455..de2172a 100644 + allow sssd_t $1:key manage_key_perms; +') + ++####################################### ++## ++## Allow attempts to read and write to ++## sssd pipes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_rw_inherited_pipes',` ++ gen_require(` ++ type sssd_t; ++ ') ++ ++ allow $1 sssd_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ +######################################## +## +## All of the rules required to administrate @@ -97674,7 +97750,7 @@ index a240455..de2172a 100644 ## ## ## -@@ -327,7 +437,7 @@ interface(`sssd_stream_connect',` +@@ -327,7 +456,7 @@ interface(`sssd_stream_connect',` ## ## ## @@ -97683,7 +97759,7 @@ index a240455..de2172a 100644 ## ## ## -@@ -335,27 +445,29 @@ interface(`sssd_stream_connect',` +@@ -335,27 +464,29 @@ interface(`sssd_stream_connect',` interface(`sssd_admin',` gen_require(` type sssd_t, sssd_public_t, sssd_initrc_exec_t; @@ -97725,16 +97801,21 @@ index a240455..de2172a 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..5bc1bc1 100644 +index 2d8db1f..bce5858 100644 --- a/sssd.te +++ b/sssd.te -@@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t) +@@ -28,9 +28,17 @@ logging_log_file(sssd_var_log_t) type sssd_var_run_t; files_pid_file(sssd_var_run_t) +type sssd_unit_file_t; +systemd_unit_file(sssd_unit_file_t) + ++type sssd_selinux_manager_t; ++type sssd_selinux_manager_exec_t; ++application_domain(sssd_selinux_manager_t, sssd_selinux_manager_exec_t) ++role system_r types sssd_selinux_manager_t; ++ ######################################## # -# Local policy 
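Review bot: The summary of the new `sssd_rw_inherited_pipes` interface says "Allow attempts to read and write to sssd pipes", but the rule is `allow $1 sssd_t:fifo_file rw_inherited_fifo_file_perms;`, which covers only descriptors inherited from sssd_t and grants no open; a caller reading the summary could expect more than it gets. I would reword it: `## Read and write sssd pipes that were inherited from sssd_t (no open permission).` The interface is complete within the hunk.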
@@ -97742,7 +97823,7 @@ index 2d8db1f..5bc1bc1 100644 # allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource }; -@@ -38,7 +41,7 @@ allow sssd_t self:capability2 block_suspend; +@@ -38,7 +46,7 @@ allow sssd_t self:capability2 block_suspend; allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit }; allow sssd_t self:fifo_file rw_fifo_file_perms; allow sssd_t self:key manage_key_perms; @@ -97751,7 +97832,7 @@ index 2d8db1f..5bc1bc1 100644 read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t) -@@ -51,9 +54,7 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) +@@ -51,9 +59,7 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir }) @@ -97762,7 +97843,7 @@ index 2d8db1f..5bc1bc1 100644 logging_log_filetrans(sssd_t, sssd_var_log_t, file) manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -@@ -62,17 +63,12 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) +@@ -62,17 +68,12 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) kernel_read_network_state(sssd_t) kernel_read_system_state(sssd_t) @@ -97783,7 +97864,7 @@ index 2d8db1f..5bc1bc1 100644 corecmd_exec_bin(sssd_t) -@@ -83,28 +79,35 @@ domain_read_all_domains_state(sssd_t) +@@ -83,28 +84,35 @@ domain_read_all_domains_state(sssd_t) domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) @@ -97823,7 +97904,7 @@ index 2d8db1f..5bc1bc1 100644 init_read_utmp(sssd_t) -@@ -112,18 +115,36 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +120,55 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) 
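Review bot: The new `sssd_selinux_manager_t` / `sssd_selinux_manager_exec_t` pair is declared with no comment saying which program it confines or what it is for; the sssd.fc hunk earlier in this diff, which labels `/usr/libexec/sssd/selinux_child` with the exec type, is the only hint. Since the domain's rules in the following hunk let it modify the SELinux policy store, the declaration deserves a line such as `# selinux_child: helper run by sssd_t that (presumably) updates SELinux login mappings — a policy-store writer, keep its rules minimal`, with the purpose confirmed against the helper's source. The declaration sits in the type-declaration block, which continues past the hunk.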
@@ -97858,11 +97939,30 @@ index 2d8db1f..5bc1bc1 100644 +optional_policy(` + ldap_stream_connect(sssd_t) + ldap_read_certs(sssd_t) -+') + ') + +optional_policy(` + systemd_login_read_pid_files(sssd_t) - ') ++') ++ ++######################################## ++# ++# sssd SELinux manager local policy ++# ++ ++domtrans_pattern(sssd_t, sssd_selinux_manager_exec_t, sssd_selinux_manager_t) ++ ++logging_send_audit_msgs(sssd_selinux_manager_t) ++ ++seutil_semanage_policy(sssd_selinux_manager_t) ++seutil_manage_file_contexts(sssd_selinux_manager_t) ++seutil_manage_config(sssd_selinux_manager_t) ++seutil_manage_login_config(sssd_selinux_manager_t) ++seutil_manage_default_contexts(sssd_selinux_manager_t) ++ ++seutil_exec_setfiles(sssd_selinux_manager_t) ++logging_dontaudit_search_audit_logs(sssd_selinux_manager_t) ++ diff --git a/stapserver.fc b/stapserver.fc new file mode 100644 index 0000000..0ccce59 @@ -101450,13 +101550,14 @@ index 585a77f..10d7105 100644 optional_policy(` diff --git a/tomcat.fc b/tomcat.fc new file mode 100644 -index 0000000..a8385bc +index 0000000..ae28ea3 --- /dev/null +++ b/tomcat.fc -@@ -0,0 +1,11 @@ +@@ -0,0 +1,12 @@ +/usr/lib/systemd/system/tomcat.service -- gen_context(system_u:object_r:tomcat_unit_file_t,s0) + +/usr/sbin/tomcat(6)? -- gen_context(system_u:object_r:tomcat_exec_t,s0) ++/usr/libexec/tomcat/server -- gen_context(system_u:object_r:tomcat_exec_t,s0) + +/var/cache/tomcat6?(/.*)? gen_context(system_u:object_r:tomcat_cache_t,s0) + diff --git a/selinux-policy.spec b/selinux-policy.spec index 7af10fe..b17158d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 101%{?dist} +Release: 102%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
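Review bot: `seutil_semanage_policy(sssd_selinux_manager_t)` — which, if it is the usual selinuxutil.if interface, carries the rule set a semanage-class tool needs — plus the four seutil_manage_* lines give the selinux_child helper write access to the policy store, file_contexts, the SELinux config and default contexts, and `domtrans_pattern(sssd_t, sssd_selinux_manager_exec_t, sssd_selinux_manager_t)` makes that reachable from sssd_t unconditionally, so data from whatever identity provider sssd_t talks to can end in a policy-store change with no boolean or role gate in between. If the helper only maintains login mappings (`seutil_manage_login_config`), the file_contexts/config/default_contexts manage rules look wider than needed and should be trimmed or justified in a comment. Also, if the child reports back to sssd_t over an inherited pipe, note that the new `sssd_rw_inherited_pipes` interface from sssd.if is not applied to it here — confirm against the denials that motivated this change. The hunk also re-closes the sssd_t optional_policy blocks above it; the new local-policy block itself ends within the hunk.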
@@ -604,6 +604,14 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Dec 11 2014 Lukas Vrabec 3.13.1-102 +- Allow pegasus_openlmi_storage_t use nsswitch. BZ(1172258) +- Allow docker daemon to start transitiant units +- Add support for /var/run/gluster. +- Allow openvpn manage systemd_passwd_var_run_t files. BZ(1170085) +- Fix /usr/libexec/sssd/selinux_child labeling. +- Label /usr/libexec/tomcat/server as tomcat_exec_t. + * Tue Dec 02 2014 Lukas Vrabec 3.13.1-101 - Add files_dontaudit_list_security_dirs() interface - Allow rlogind to use also rlogin ports