From 0d1055a7873d5799e64a4f3a345642be5f3678fb Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Apr 03 2017 10:05:44 +0000
Subject: * Mon Apr 03 2017 Lukas Vrabec - 3.13.1-249 - Merge pull request #4 from lslebodn/sssd_socket_activated - Remove /proc <> from fedora policy, it's no longer necessary - Allow iptables get list of kernel modules - Allow unconfined_domain_type to enable/disable transient unit - Add interfaces init_enable_transient_unit() and init_disable_transient_unit - Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd" - Label sysroot dir under ostree as root_t
---
diff --git a/container-selinux.tgz b/container-selinux.tgz
index fb4b70a..a98f4fe 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 2a56ec0..bf33bd5 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -10252,7 +10252,7 @@ index 6a1e4d1..4b87be8 100644
+ allow $1 domain:process rlimitinh;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..3c25609 100644
+index cf04cb5..1de3267 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,49 @@ policy_module(domain, 1.11.0)
@@ -10420,7 +10420,7 @@ index cf04cb5..3c25609 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -160,11 +249,386 @@ allow unconfined_domain_type domain:msg { send receive };
+@@ -160,11 +249,388 @@ allow unconfined_domain_type domain:msg { send receive };
# For /proc/pid
allow unconfined_domain_type domain:dir list_dir_perms;
@@ -10496,6 +10496,8 @@ index cf04cb5..3c25609 100644 + init_stop_transient_unit(unconfined_domain_type) + init_status_transient_unit(unconfined_domain_type) + init_reload_transient_unit(unconfined_domain_type) ++ init_enable_transient_unit(unconfined_domain_type) ++ init_disable_transient_unit(unconfined_domain_type) +') + +optional_policy(` @@ -10809,7 +10811,7 @@ index cf04cb5..3c25609 100644 + unconfined_server_stream_connect(domain) +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index b876c48..3690ce4 100644 +index b876c48..2e591a5 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -10929,7 +10931,7 @@ index b876c48..3690ce4 100644 /mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) /mnt/[^/]*/.* <> -@@ -150,10 +162,10 @@ ifdef(`distro_debian',` +@@ -150,17 +162,22 @@ ifdef(`distro_debian',` # # /opt # @@ -10942,8 +10944,8 @@ index b876c48..3690ce4 100644 # # /proc -@@ -161,6 +173,12 @@ ifdef(`distro_debian',` - /proc -d <> + # +-/proc -d <> /proc/.* <> +ifdef(`distro_redhat',` @@ -10955,7 +10957,7 @@ index b876c48..3690ce4 100644 # # /run # -@@ -169,6 +187,7 @@ ifdef(`distro_debian',` +@@ -169,6 +186,7 @@ ifdef(`distro_debian',` /run/.*\.*pid <> /run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) @@ -10963,7 +10965,7 @@ index b876c48..3690ce4 100644 # # /selinux # -@@ -178,13 +197,14 @@ ifdef(`distro_debian',` +@@ -178,13 +196,14 @@ ifdef(`distro_debian',` # # /srv # @@ -10980,7 +10982,7 @@ index b876c48..3690ce4 100644 /tmp/.* <> /tmp/\.journal <> -@@ -194,9 +214,11 @@ ifdef(`distro_debian',` +@@ -194,9 +213,11 @@ ifdef(`distro_debian',` # # /usr # @@ -10993,7 +10995,7 @@ index b876c48..3690ce4 100644 /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -@@ -204,15 +226,9 @@ ifdef(`distro_debian',` +@@ -204,15 +225,9 @@ ifdef(`distro_debian',` /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) 
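Review bot: The new file-context entry `/sysroot/ostree/deploy/.*-atomic/deploy(/.*)? gen_context(system_u:object_r:root_t,s0)` only matches ostree osnames ending in `-atomic`, so deployments under any other osname in /sysroot/ostree/deploy keep falling through to the default rule, and the unanchored `.*` also crosses directory separators. The trailing `(/.*)?` additionally covers everything inside each deployment, which means a recursive restorecon of /sysroot would label a deployment's whole tree root_t; if only the deployment directories themselves are meant, `/sysroot/ostree/deploy/[^/]+/deploy/[^/]+ -d` is tighter. Worth a comment above the line stating which of the two is intended.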
@@ -11010,7 +11012,7 @@ index b876c48..3690ce4 100644 /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) -@@ -220,8 +236,6 @@ ifdef(`distro_debian',` +@@ -220,8 +235,6 @@ ifdef(`distro_debian',` /usr/tmp/.* <> ifndef(`distro_redhat',` @@ -11019,7 +11021,7 @@ index b876c48..3690ce4 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -229,19 +243,33 @@ ifndef(`distro_redhat',` +@@ -229,19 +242,33 @@ ifndef(`distro_redhat',` # # /var # @@ -11056,7 +11058,7 @@ index b876c48..3690ce4 100644 /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found/.* <> -@@ -256,12 +284,14 @@ ifndef(`distro_redhat',` +@@ -256,12 +283,14 @@ ifndef(`distro_redhat',` /var/run -l gen_context(system_u:object_r:var_run_t,s0) /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> @@ -11071,12 +11073,14 @@ index b876c48..3690ce4 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -271,3 +301,5 @@ ifdef(`distro_debian',` +@@ -271,3 +300,7 @@ ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) ++ ++/sysroot/ostree/deploy/.*-atomic/deploy(/.*)? gen_context(system_u:object_r:root_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index f962f76..b64717f 100644 --- a/policy/modules/kernel/files.if @@ -15467,7 +15471,7 @@ index d7c11a0..f521a50 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..f1ebb1b 100644 +index 8416beb..d651a7d 100644 --- a/policy/modules/kernel/filesystem.if 
+++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -18631,7 +18635,7 @@ index 8416beb..f1ebb1b 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6589,175 @@ interface(`fs_unconfined',` +@@ -4912,3 +6589,176 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -18714,6 +18718,7 @@ index 8416beb..f1ebb1b 100644 + ') + + rw_sock_files_pattern($1, onload_fs_t, onload_fs_t) ++ allow $1 onload_fs_t:sock_file ioctl; +') + +######################################## @@ -23097,7 +23102,7 @@ index 234a940..a92415a 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 0fef1fc..bfeb102 100644 +index 0fef1fc..93ad99f 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,73 @@ policy_module(staff, 2.4.0) @@ -23174,7 +23179,7 @@ index 0fef1fc..bfeb102 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +84,119 @@ optional_policy(` +@@ -23,11 +84,127 @@ optional_policy(` ') optional_policy(` @@ -23208,6 +23213,14 @@ index 0fef1fc..bfeb102 100644 +') + +optional_policy(` ++ dirsrv_stream_connect(staff_t) ++ dirsrv_manage_log(staff_t) ++ dirsrv_manage_var_lib(staff_t) ++ dirsrv_manage_var_run(staff_t) ++ dirsrv_manage_config(staff_t) ++') ++ ++optional_policy(` + dnsmasq_read_pid_files(staff_t) +') + @@ -23295,7 +23308,7 @@ index 0fef1fc..bfeb102 100644 ') optional_policy(` -@@ -35,15 +204,31 @@ optional_policy(` +@@ -35,15 +212,31 @@ optional_policy(` ') optional_policy(` @@ -23329,7 +23342,7 @@ index 0fef1fc..bfeb102 100644 ') optional_policy(` -@@ -52,11 +237,61 @@ optional_policy(` +@@ -52,11 +245,61 @@ optional_policy(` ') optional_policy(` @@ -23392,7 +23405,7 @@ index 0fef1fc..bfeb102 100644 ') ifndef(`distro_redhat',` -@@ -65,10 +300,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +308,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
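Review bot: `staff_t` is granted `dirsrv_manage_config`, `dirsrv_manage_var_lib`, `dirsrv_manage_var_run` and `dirsrv_manage_log` unconditionally in the new staff.te block; if those interfaces grant what their names say, an ordinary staff login can rewrite the directory server's configuration and database, which is administrator-level access that the sysadm.te hunk in this same commit also receives (together with `dirsrv_domtrans`). Consider limiting staff_t to `dirsrv_stream_connect` plus read-only access, or gating the manage rules behind a boolean as the rest of staff.te does for privileged services. The dirsrv interface definitions are not part of this diff, so verify the permission sets before relying on this.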
@@ -23403,7 +23416,7 @@ index 0fef1fc..bfeb102 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +309,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +317,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) @@ -23414,7 +23427,7 @@ index 0fef1fc..bfeb102 100644 ') optional_policy(` -@@ -101,10 +328,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +336,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -23425,7 +23438,7 @@ index 0fef1fc..bfeb102 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +348,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +356,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -23436,7 +23449,7 @@ index 0fef1fc..bfeb102 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +360,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +368,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -23447,7 +23460,7 @@ index 0fef1fc..bfeb102 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +391,23 @@ ifndef(`distro_redhat',` +@@ -176,3 +399,23 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -23500,10 +23513,10 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6..47b6d44 100644 +index 2522ca6..020ae3f 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -5,39 +5,92 @@ policy_module(sysadm, 2.6.1) +@@ -5,39 +5,101 @@ policy_module(sysadm, 2.6.1) # Declarations # 
@@ -23600,13 +23613,22 @@ index 2522ca6..47b6d44 100644 +') + +optional_policy(` ++ dirsrv_domtrans(sysadm_t) ++ dirsrv_stream_connect(sysadm_t) ++ dirsrv_manage_log(sysadm_t) ++ dirsrv_manage_var_lib(sysadm_t) ++ dirsrv_manage_var_run(sysadm_t) ++ dirsrv_manage_config(sysadm_t) ++') ++ ++optional_policy(` + ssh_filetrans_admin_home_content(sysadm_t) + ssh_filetrans_keys(sysadm_t) +') ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,13 +108,7 @@ ifdef(`distro_gentoo',` +@@ -55,13 +117,7 @@ ifdef(`distro_gentoo',` init_exec_rc(sysadm_t) ') @@ -23621,7 +23643,7 @@ index 2522ca6..47b6d44 100644 domain_ptrace_all_domains(sysadm_t) ') -@@ -71,9 +118,9 @@ optional_policy(` +@@ -71,9 +127,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) @@ -23632,7 +23654,7 @@ index 2522ca6..47b6d44 100644 ') optional_policy(` -@@ -87,6 +134,7 @@ optional_policy(` +@@ -87,6 +143,7 @@ optional_policy(` optional_policy(` asterisk_stream_connect(sysadm_t) @@ -23640,7 +23662,7 @@ index 2522ca6..47b6d44 100644 ') optional_policy(` -@@ -110,11 +158,17 @@ optional_policy(` +@@ -110,11 +167,17 @@ optional_policy(` ') optional_policy(` @@ -23658,20 +23680,20 @@ index 2522ca6..47b6d44 100644 ') optional_policy(` -@@ -122,11 +176,27 @@ optional_policy(` +@@ -122,11 +185,27 @@ optional_policy(` ') optional_policy(` - consoletype_run(sysadm_t, sysadm_r) + cron_admin_role(sysadm_r, sysadm_t) -+') -+ -+optional_policy(` -+ consoletype_exec(sysadm_t) ') optional_policy(` - cvs_exec(sysadm_t) ++ consoletype_exec(sysadm_t) ++') ++ ++optional_policy(` + daemonstools_run_start(sysadm_t, sysadm_r) +') + @@ -23688,7 +23710,7 @@ index 2522ca6..47b6d44 100644 ') optional_policy(` -@@ -140,6 +210,10 @@ optional_policy(` +@@ -140,6 +219,10 @@ optional_policy(` ') optional_policy(` @@ -23699,7 +23721,7 @@ index 2522ca6..47b6d44 100644 dmesg_exec(sysadm_t) ') -@@ -156,6 +230,10 @@ optional_policy(` +@@ -156,6 +239,10 @@ optional_policy(` ') optional_policy(` 
@@ -23710,7 +23732,7 @@ index 2522ca6..47b6d44 100644 fstools_run(sysadm_t, sysadm_r) ') -@@ -164,6 +242,11 @@ optional_policy(` +@@ -164,6 +251,11 @@ optional_policy(` ') optional_policy(` @@ -23722,7 +23744,7 @@ index 2522ca6..47b6d44 100644 hadoop_role(sysadm_r, sysadm_t) ') -@@ -172,13 +255,31 @@ optional_policy(` +@@ -172,13 +264,31 @@ optional_policy(` # at things (e.g., ipsec auto --status) # probably should create an ipsec_admin role for this kind of thing ipsec_exec_mgmt(sysadm_t) @@ -23754,7 +23776,7 @@ index 2522ca6..47b6d44 100644 ') optional_policy(` -@@ -190,11 +291,12 @@ optional_policy(` +@@ -190,11 +300,12 @@ optional_policy(` ') optional_policy(` @@ -23769,7 +23791,7 @@ index 2522ca6..47b6d44 100644 ') optional_policy(` -@@ -210,22 +312,21 @@ optional_policy(` +@@ -210,22 +321,21 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -23799,7 +23821,7 @@ index 2522ca6..47b6d44 100644 ') optional_policy(` -@@ -237,14 +338,32 @@ optional_policy(` +@@ -237,14 +347,32 @@ optional_policy(` ') optional_policy(` @@ -23832,7 +23854,7 @@ index 2522ca6..47b6d44 100644 ') optional_policy(` -@@ -252,10 +371,20 @@ optional_policy(` +@@ -252,10 +380,20 @@ optional_policy(` ') optional_policy(` @@ -23853,7 +23875,7 @@ index 2522ca6..47b6d44 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -266,35 +395,46 @@ optional_policy(` +@@ -266,35 +404,46 @@ optional_policy(` ') optional_policy(` 
@@ -23885,18 +23907,18 @@ index 2522ca6..47b6d44 100644 optional_policy(` - rpm_run(sysadm_t, sysadm_r) + quota_filetrans_named_content(sysadm_t) + ') + + optional_policy(` +- rssh_role(sysadm_r, sysadm_t) ++ raid_domtrans_mdadm(sysadm_t) +') + +optional_policy(` -+ raid_domtrans_mdadm(sysadm_t) ++ rpc_domtrans_nfsd(sysadm_t) +') + +optional_policy(` -+ rpc_domtrans_nfsd(sysadm_t) - ') - - optional_policy(` -- rssh_role(sysadm_r, sysadm_t) + rpm_run(sysadm_t, sysadm_r) + rpm_dbus_chat(sysadm_t, sysadm_r) ') @@ -23907,7 +23929,7 @@ index 2522ca6..47b6d44 100644 ') optional_policy(` -@@ -308,6 +448,7 @@ optional_policy(` +@@ -308,6 +457,7 @@ optional_policy(` optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) @@ -23915,7 +23937,7 @@ index 2522ca6..47b6d44 100644 ') optional_policy(` -@@ -315,12 +456,20 @@ optional_policy(` +@@ -315,12 +465,20 @@ optional_policy(` ') optional_policy(` @@ -23937,7 +23959,7 @@ index 2522ca6..47b6d44 100644 ') optional_policy(` -@@ -345,30 +494,38 @@ optional_policy(` +@@ -345,30 +503,38 @@ optional_policy(` ') optional_policy(` @@ -23985,7 +24007,7 @@ index 2522ca6..47b6d44 100644 ') optional_policy(` -@@ -380,10 +537,6 @@ optional_policy(` +@@ -380,10 +546,6 @@ optional_policy(` ') optional_policy(` @@ -23996,7 +24018,7 @@ index 2522ca6..47b6d44 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -391,6 +544,9 @@ optional_policy(` +@@ -391,6 +553,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -24006,7 +24028,7 @@ index 2522ca6..47b6d44 100644 ') optional_policy(` -@@ -398,31 +554,34 @@ optional_policy(` +@@ -398,31 +563,34 @@ optional_policy(` ') optional_policy(` @@ -24047,7 +24069,7 @@ index 2522ca6..47b6d44 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -435,10 +594,6 @@ ifndef(`distro_redhat',` +@@ -435,10 +603,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
@@ -24058,7 +24080,7 @@ index 2522ca6..47b6d44 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -459,15 +614,79 @@ ifndef(`distro_redhat',` +@@ -459,15 +623,79 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25326,7 +25348,7 @@ index 3835596..fbca2be 100644 ######################################## ## diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index 6d77e81..20657b8 100644 +index 6d77e81..74de333 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -1,5 +1,12 @@ @@ -25342,7 +25364,7 @@ index 6d77e81..20657b8 100644 # this module should be named user, but that is # a compile error since user is a keyword. -@@ -12,12 +19,103 @@ role user_r; +@@ -12,12 +19,107 @@ role user_r; userdom_unpriv_user_template(user) @@ -25390,6 +25412,10 @@ index 6d77e81..20657b8 100644 +') + +optional_policy(` ++ dirsrv_stream_connect(user_t) ++') ++ ++optional_policy(` + journalctl_role(user_r, user_t) +') + @@ -25447,7 +25473,7 @@ index 6d77e81..20657b8 100644 ') optional_policy(` -@@ -25,11 +123,19 @@ optional_policy(` +@@ -25,11 +127,19 @@ optional_policy(` ') optional_policy(` @@ -25469,7 +25495,7 @@ index 6d77e81..20657b8 100644 ') ifndef(`distro_redhat',` -@@ -102,10 +208,6 @@ ifndef(`distro_redhat',` +@@ -102,10 +212,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25480,7 +25506,7 @@ index 6d77e81..20657b8 100644 postgresql_role(user_r, user_t) ') -@@ -128,7 +230,6 @@ ifndef(`distro_redhat',` +@@ -128,7 +234,6 @@ ifndef(`distro_redhat',` optional_policy(` ssh_role_template(user, user_r, user_t) ') @@ -25488,7 +25514,7 @@ index 6d77e81..20657b8 100644 optional_policy(` su_role_template(user, user_r, user_t) ') -@@ -160,4 +261,24 @@ ifndef(`distro_redhat',` +@@ -160,4 +265,24 @@ ifndef(`distro_redhat',` optional_policy(` wireshark_role(user_r, user_t) ') 
@@ -26183,7 +26209,7 @@ index 76d9f66..7528851 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..5f4da9d 100644
+index fe0c682..20f3ba4 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,11 @@
@@ -26309,15 +26335,16 @@ index fe0c682..5f4da9d 100644
type $1_t, ssh_server;
auth_login_pgm_domain($1_t)
-@@ -181,20 +209,22 @@ template(`ssh_server_template', `
+@@ -181,20 +209,23 @@ template(`ssh_server_template', `
type $1_var_run_t;
files_pid_file($1_var_run_t)
- allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
-+ allow $1_t self:capability { setpcap kill sys_admin sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
++ allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
allow $1_t self:fifo_file rw_fifo_file_perms;
- allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
-+ allow $1_t self:process { setcap getcap signal getsched setsched setrlimit setexec };
++ allow $1_t self:process { getcap signal getsched setsched setrlimit setexec };
++ allow $1_t self:process { signal getcap getsched setsched setrlimit setexec };
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
+ allow $1_t self:tun_socket { create_socket_perms relabelfrom relabelto };
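Review bot: The revert leaves two identical rules on the new side of `ssh_server_template`, `allow $1_t self:process { getcap signal getsched setsched setrlimit setexec };` and `allow $1_t self:process { signal getcap getsched setsched setrlimit setexec };`; they grant the same permission set, so one of them should be dropped. Removing `setpcap` and `setcap` is the right call, but the capability line that survives still grants `sys_admin` and `net_admin` to every sshd domain built from this template, which is far broader than privilege separation needs; a comment saying what each of those is required for would stop the next reviewer from having to re-derive it. The template body starts and ends outside this hunk.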
@@ -26337,7 +26364,7 @@ index fe0c682..5f4da9d 100644 allow $1_t $1_var_run_t:file manage_file_perms; files_pid_filetrans($1_t, $1_var_run_t, file) -@@ -206,6 +236,7 @@ template(`ssh_server_template', ` +@@ -206,6 +237,7 @@ template(`ssh_server_template', ` kernel_read_kernel_sysctls($1_t) kernel_read_network_state($1_t) @@ -26345,7 +26372,7 @@ index fe0c682..5f4da9d 100644 corenet_all_recvfrom_unlabeled($1_t) corenet_all_recvfrom_netlabel($1_t) -@@ -220,10 +251,13 @@ template(`ssh_server_template', ` +@@ -220,10 +252,13 @@ template(`ssh_server_template', ` corenet_tcp_bind_generic_node($1_t) corenet_udp_bind_generic_node($1_t) corenet_tcp_bind_ssh_port($1_t) @@ -26361,7 +26388,7 @@ index fe0c682..5f4da9d 100644 auth_rw_login_records($1_t) auth_rw_faillog($1_t) -@@ -233,7 +267,10 @@ template(`ssh_server_template', ` +@@ -233,7 +268,10 @@ template(`ssh_server_template', ` # for sshd subsystems, such as sftp-server. corecmd_getattr_bin_files($1_t) @@ -26372,7 +26399,7 @@ index fe0c682..5f4da9d 100644 files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) -@@ -241,35 +278,33 @@ template(`ssh_server_template', ` +@@ -241,35 +279,33 @@ template(`ssh_server_template', ` logging_search_logs($1_t) @@ -26419,7 +26446,7 @@ index fe0c682..5f4da9d 100644 ') ######################################## -@@ -292,14 +327,15 @@ template(`ssh_server_template', ` +@@ -292,14 +328,15 @@ template(`ssh_server_template', ` ## User domain for the role ## ## @@ -26436,7 +26463,7 @@ index fe0c682..5f4da9d 100644 ') ############################## -@@ -328,103 +364,56 @@ template(`ssh_role_template',` +@@ -328,103 +365,56 @@ template(`ssh_role_template',` # allow ps to show ssh ps_process_pattern($3, ssh_t) @@ -26550,7 +26577,7 @@ index fe0c682..5f4da9d 100644 ') ######################################## -@@ -496,8 +485,27 @@ interface(`ssh_read_pipes',` +@@ -496,8 +486,27 @@ interface(`ssh_read_pipes',` type sshd_t; ') 
@@ -26579,7 +26606,7 @@ index fe0c682..5f4da9d 100644 ######################################## ## ## Read and write a ssh server unnamed pipe. -@@ -513,7 +521,7 @@ interface(`ssh_rw_pipes',` +@@ -513,7 +522,7 @@ interface(`ssh_rw_pipes',` type sshd_t; ') @@ -26588,7 +26615,7 @@ index fe0c682..5f4da9d 100644 ') ######################################## -@@ -605,6 +613,24 @@ interface(`ssh_domtrans',` +@@ -605,6 +614,24 @@ interface(`ssh_domtrans',` ######################################## ## @@ -26613,7 +26640,7 @@ index fe0c682..5f4da9d 100644 ## Execute the ssh client in the caller domain. ## ## -@@ -637,7 +663,7 @@ interface(`ssh_setattr_key_files',` +@@ -637,7 +664,7 @@ interface(`ssh_setattr_key_files',` type sshd_key_t; ') @@ -26622,7 +26649,7 @@ index fe0c682..5f4da9d 100644 files_search_pids($1) ') -@@ -662,6 +688,42 @@ interface(`ssh_agent_exec',` +@@ -662,6 +689,42 @@ interface(`ssh_agent_exec',` ######################################## ## @@ -26665,7 +26692,7 @@ index fe0c682..5f4da9d 100644 ## Read ssh home directory content ## ## -@@ -701,6 +763,68 @@ interface(`ssh_domtrans_keygen',` +@@ -701,6 +764,68 @@ interface(`ssh_domtrans_keygen',` ######################################## ## @@ -26734,7 +26761,7 @@ index fe0c682..5f4da9d 100644 ## Read ssh server keys ## ## -@@ -714,7 +838,26 @@ interface(`ssh_dontaudit_read_server_keys',` +@@ -714,7 +839,26 @@ interface(`ssh_dontaudit_read_server_keys',` type sshd_key_t; ') @@ -26762,7 +26789,7 @@ index fe0c682..5f4da9d 100644 ') ###################################### -@@ -754,3 +897,151 @@ interface(`ssh_delete_tmp',` +@@ -754,3 +898,151 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -33441,7 +33468,7 @@ index bc0ffc8..37b8ea5 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f6..6126f21 100644 +index 79a45f6..e90f7a4 100644 
--- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -34503,7 +34530,7 @@ index 79a45f6..6126f21 100644 ') ######################################## -@@ -1806,37 +2313,708 @@ interface(`init_pid_filetrans_utmp',` +@@ -1806,37 +2313,744 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') @@ -35106,6 +35133,42 @@ index 79a45f6..6126f21 100644 +## +## +# ++interface(`init_enable_transient_unit',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:service enable; ++') ++ ++######################################## ++## ++## Tell init to do an unknown access. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_disable_transient_unit',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:service disable; ++') ++ ++######################################## ++## ++## Tell init to do an unknown access. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`init_stop_transient_unit',` + gen_require(` + type init_t; @@ -37497,7 +37560,7 @@ index c42fbc3..bf211db 100644 + files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock") +') diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index be8ed1e..aa38f90 100644 +index be8ed1e..2cf6f42 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,21 @@ role iptables_roles types iptables_t; @@ -37565,7 +37628,7 @@ index be8ed1e..aa38f90 100644 kernel_use_fds(iptables_t) # needed by ipvsadm -@@ -64,19 +81,23 @@ corenet_relabelto_all_packets(iptables_t) +@@ -64,19 +81,24 @@ corenet_relabelto_all_packets(iptables_t) corenet_dontaudit_rw_tun_tap_dev(iptables_t) dev_read_sysfs(iptables_t) 
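Review bot: Both new interfaces, `init_enable_transient_unit` and `init_disable_transient_unit`, keep the copied summary `## Tell init to do an unknown access.`, which documents nothing; suggest `## Allow the specified domain to enable a systemd unit via init.` and the matching "disable" wording. Also, `init_t:service enable` / `disable` are the checks systemd performs when enabling or disabling unit files, which is persistent configuration, and transient units cannot be enabled at all, so the `_transient_unit` suffix is likely to mislead callers about what is actually granted; either name them after what they grant or state the scope in the summary. The rule bodies themselves match the neighbouring `init_stop_transient_unit` pattern.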
@@ -37588,10 +37651,11 @@ index be8ed1e..aa38f90 100644 -files_read_etc_runtime_files(iptables_t) +files_rw_etc_runtime_files(iptables_t) +files_rw_inherited_tmp_file(iptables_t) ++files_read_kernel_modules(iptables_t) auth_use_nsswitch(iptables_t) -@@ -85,15 +106,14 @@ init_use_script_ptys(iptables_t) +@@ -85,15 +107,14 @@ init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: init_rw_script_tmp_files(iptables_t) init_rw_script_stream_sockets(iptables_t) @@ -37609,7 +37673,7 @@ index be8ed1e..aa38f90 100644 userdom_use_all_users_fds(iptables_t) ifdef(`hide_broken_symptoms',` -@@ -102,6 +122,9 @@ ifdef(`hide_broken_symptoms',` +@@ -102,6 +123,9 @@ ifdef(`hide_broken_symptoms',` optional_policy(` fail2ban_append_log(iptables_t) @@ -37619,7 +37683,7 @@ index be8ed1e..aa38f90 100644 ') optional_policy(` -@@ -110,6 +133,13 @@ optional_policy(` +@@ -110,7 +134,16 @@ optional_policy(` ') optional_policy(` @@ -37631,9 +37695,12 @@ index be8ed1e..aa38f90 100644 + +optional_policy(` modutils_run_insmod(iptables_t, iptables_roles) ++ modutils_list_module_config(iptables_t) ++') ') -@@ -119,11 +149,25 @@ optional_policy(` + optional_policy(` +@@ -119,11 +152,25 @@ optional_policy(` ') optional_policy(` @@ -37659,7 +37726,7 @@ index be8ed1e..aa38f90 100644 ') optional_policy(` -@@ -135,9 +179,9 @@ optional_policy(` +@@ -135,9 +182,9 @@ optional_policy(` ') optional_policy(` @@ -46979,10 +47046,10 @@ index 0000000..86e3d01 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..c9d14fd +index 0000000..746fc9d --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,1017 @@ +@@ -0,0 +1,1018 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -47413,6 +47480,7 @@ index 0000000..c9d14fd + +optional_policy(` + unconfined_dbus_acquire_svc(systemd_networkd_t) ++ unconfined_dbus_send(systemd_networkd_t) +') + +####################################### 
@@ -49416,7 +49484,7 @@ index db75976..c54480a 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..4b0a3ed 100644 +index 9dc60c6..d5e8f38 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -50432,7 +50500,7 @@ index 9dc60c6..4b0a3ed 100644 + allow $1_t self:process ~{ ptrace execmem execstack execheap }; + + tunable_policy(`selinuxuser_use_ssh_chroot',` -+ allow $1_t self:capability { sys_chroot }; ++ allow $1_t self:capability { setuid setgid sys_chroot }; + ') - allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index f406fdc..39466f6 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -2295,7 +2295,7 @@ index 7f4dfbc..e5c9f45 100644 /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) diff --git a/amanda.te b/amanda.te -index 519051c..c3a718a 100644 +index 519051c..8b7ad5f 100644 --- a/amanda.te +++ b/amanda.te @@ -9,11 +9,14 @@ attribute_role amanda_recover_roles; @@ -2326,11 +2326,13 @@ index 519051c..c3a718a 100644 type amanda_amandates_t; files_type(amanda_amandates_t) -@@ -60,7 +66,7 @@ optional_policy(` +@@ -59,8 +65,8 @@ optional_policy(` + # Local policy # - allow amanda_t self:capability { chown dac_override setuid kill }; +-allow amanda_t self:capability { chown dac_override setuid kill }; -allow amanda_t self:process { setpgid signal }; ++allow amanda_t self:capability { chown dac_override setuid kill sys_admin }; +allow amanda_t self:process { getsched setsched setpgid signal }; allow amanda_t self:fifo_file rw_fifo_file_perms; allow amanda_t self:unix_stream_socket { accept listen }; 
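Review bot: Inside `tunable_policy(\`selinuxuser_use_ssh_chroot',\`` the capability set for `$1_t` grows from `{ sys_chroot }` to `{ setuid setgid sys_chroot }`; because this template builds every user domain, switching the boolean on now lets any process in those domains change its uid and gid, not merely enter a chroot. If the requirement comes from sshd's ChrootDirectory handling, the uid switch happens in the sshd domain rather than in the user domain, so it is worth confirming which domain actually raised the denial before widening all user domains. At minimum the boolean's description should state that it grants setuid/setgid as well. The enclosing template starts outside this hunk.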
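Review bot: `sys_admin` is added to `allow amanda_t self:capability { chown dac_override setuid kill sys_admin };` with no comment; CAP_SYS_ADMIN is the broadest capability there is, and in backup clients the usual trigger is a probe that works fine when denied. Suggest recording the operation from the AVC that motivated it in a `#` comment above the rule, and if it turns out to be only a probe, `dontaudit amanda_t self:capability sys_admin;` instead of allowing it. The new `getsched setsched` process permissions on the following line are unremarkable.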
@@ -5533,7 +5535,7 @@ index f6eb485..fe461a3 100644 + ps_process_pattern(httpd_t, $1) ') diff --git a/apache.te b/apache.te -index 6649962..0d0ffbd 100644 +index 6649962..1cbf151 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -6787,7 +6789,7 @@ index 6649962..0d0ffbd 100644 ') optional_policy(` -@@ -786,35 +964,60 @@ optional_policy(` +@@ -786,35 +964,61 @@ optional_policy(` ') optional_policy(` @@ -6810,7 +6812,8 @@ index 6649962..0d0ffbd 100644 - ldap_tcp_connect(httpd_t) - ') +optional_policy(` -+ ipa_search_lib(httpd_t) ++ ipa_read_lib(httpd_t) ++ ipa_manage_pid_files(httpd_t) +') + +optional_policy(` @@ -6861,7 +6864,7 @@ index 6649962..0d0ffbd 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +1025,30 @@ optional_policy(` +@@ -822,8 +1026,30 @@ optional_policy(` ') optional_policy(` @@ -6892,7 +6895,7 @@ index 6649962..0d0ffbd 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +1057,8 @@ optional_policy(` +@@ -832,6 +1058,8 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6901,7 +6904,7 @@ index 6649962..0d0ffbd 100644 ') optional_policy(` -@@ -842,20 +1069,44 @@ optional_policy(` +@@ -842,20 +1070,44 @@ optional_policy(` ') optional_policy(` @@ -6952,7 +6955,7 @@ index 6649962..0d0ffbd 100644 ') optional_policy(` -@@ -863,16 +1114,31 @@ optional_policy(` +@@ -863,16 +1115,31 @@ optional_policy(` ') optional_policy(` @@ -6986,7 +6989,7 @@ index 6649962..0d0ffbd 100644 ') optional_policy(` -@@ -883,65 +1149,189 @@ optional_policy(` +@@ -883,65 +1150,189 @@ optional_policy(` yam_read_content(httpd_t) ') 
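Review bot: `ipa_manage_pid_files(httpd_t)` is granted unconditionally, while the neighbouring IPA-related rule visible in the same file, `memcached_manage_pid_files(httpd_t)`, is gated by `tunable_policy(\`httpd_manage_ipa',\``; as written, every httpd instance rather than only an IPA server gets create/write/delete on IPA's runtime files. Moving the new line under the same tunable keeps the two consistent: `tunable_policy(\`httpd_manage_ipa',\` ipa_manage_pid_files(httpd_t) ')`. Replacing `ipa_search_lib` with `ipa_read_lib` is a small, readable widening.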
@@ -7198,7 +7201,7 @@ index 6649962..0d0ffbd 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1340,75 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1341,75 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -7352,7 +7355,7 @@ index 6649962..0d0ffbd 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1425,107 @@ optional_policy(` +@@ -1083,172 +1426,107 @@ optional_policy(` ') ') @@ -7590,7 +7593,7 @@ index 6649962..0d0ffbd 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1533,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1534,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7687,7 +7690,7 @@ index 6649962..0d0ffbd 100644 ######################################## # -@@ -1321,8 +1608,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1609,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7704,7 +7707,7 @@ index 6649962..0d0ffbd 100644 ') ######################################## -@@ -1330,49 +1624,40 @@ optional_policy(` +@@ -1330,49 +1625,40 @@ optional_policy(` # User content local policy # @@ -7770,7 +7773,7 @@ index 6649962..0d0ffbd 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1667,109 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1668,109 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -9815,7 +9818,7 @@ index 531a8f2..3fcf187 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 1241123..f726b13 100644 +index 1241123..4ec3437 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; 
@@ -9877,7 +9880,20 @@ index 1241123..f726b13 100644 corenet_all_recvfrom_netlabel(named_t) corenet_tcp_sendrecv_generic_if(named_t) corenet_udp_sendrecv_generic_if(named_t) -@@ -141,9 +144,13 @@ corenet_sendrecv_all_client_packets(named_t) +@@ -127,6 +130,12 @@ corenet_udp_bind_generic_node(named_t) + corenet_sendrecv_all_server_packets(named_t) + corenet_tcp_bind_dns_port(named_t) + corenet_udp_bind_dns_port(named_t) ++corenet_udp_bind_ipp_port(named_t) ++corenet_udp_bind_rtsp_port(named_t) ++corenet_udp_bind_dhcpc_port(named_t) ++corenet_udp_bind_kerberos_port(named_t) ++corenet_udp_bind_flash_port(named_t) ++corenet_udp_bind_bgp_port(named_t) + corenet_tcp_sendrecv_dns_port(named_t) + corenet_udp_sendrecv_dns_port(named_t) + +@@ -141,9 +150,13 @@ corenet_sendrecv_all_client_packets(named_t) corenet_tcp_connect_all_ports(named_t) corenet_tcp_sendrecv_all_ports(named_t) @@ -9891,7 +9907,7 @@ index 1241123..f726b13 100644 domain_use_interactive_fds(named_t) -@@ -175,6 +182,19 @@ tunable_policy(`named_write_master_zones',` +@@ -175,6 +188,19 @@ tunable_policy(`named_write_master_zones',` ') optional_policy(` @@ -9911,7 +9927,7 @@ index 1241123..f726b13 100644 dbus_system_domain(named_t, named_exec_t) init_dbus_chat_script(named_t) -@@ -187,7 +207,17 @@ optional_policy(` +@@ -187,7 +213,17 @@ optional_policy(` ') optional_policy(` @@ -9929,7 +9945,7 @@ index 1241123..f726b13 100644 kerberos_use(named_t) ') -@@ -215,7 +245,8 @@ optional_policy(` +@@ -215,7 +251,8 @@ optional_policy(` # allow ndc_t self:capability { dac_override net_admin }; @@ -9939,7 +9955,7 @@ index 1241123..f726b13 100644 allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; -@@ -229,10 +260,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; +@@ -229,10 +266,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; allow ndc_t named_zone_t:dir search_dir_perms; 
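Review bot: `named_t` is given `corenet_udp_bind_ipp_port`, `corenet_udp_bind_rtsp_port`, `corenet_udp_bind_dhcpc_port`, `corenet_udp_bind_kerberos_port`, `corenet_udp_bind_flash_port` and `corenet_udp_bind_bgp_port`, none of which is a DNS port; the usual reason bind trips over these is query source-port randomisation landing on a labeled port inside the ephemeral range. Allowing the binds lets named occupy ports other daemons need (dhcpc, kerberos), whereas reserving them from the ephemeral range via `net.ipv4.ip_local_reserved_ports` addresses the cause without widening the domain. If the allows are kept, a comment above the block should say why each port is needed, since the next labeled port that randomisation hits will produce the same denial.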
@@ -9951,7 +9967,7 @@ index 1241123..f726b13 100644 corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -242,6 +272,9 @@ corenet_tcp_bind_generic_node(ndc_t) +@@ -242,6 +278,9 @@ corenet_tcp_bind_generic_node(ndc_t) corenet_tcp_connect_rndc_port(ndc_t) corenet_sendrecv_rndc_client_packets(ndc_t) @@ -9961,7 +9977,7 @@ index 1241123..f726b13 100644 domain_use_interactive_fds(ndc_t) files_search_pids(ndc_t) -@@ -257,7 +290,7 @@ init_use_script_ptys(ndc_t) +@@ -257,7 +296,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) @@ -14599,10 +14615,10 @@ index 0000000..55fe0d6 +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 0000000..af630a4 +index 0000000..27c0ed9 --- /dev/null +++ b/cloudform.te -@@ -0,0 +1,247 @@ +@@ -0,0 +1,249 @@ +policy_module(cloudform, 1.0) +######################################## +# @@ -14684,6 +14700,8 @@ index 0000000..af630a4 +manage_files_pattern(cloud_init_t, cloud_log_t, cloud_log_t) +logging_log_filetrans(cloud_init_t, cloud_log_t, { file }) + ++init_dbus_chat(cloud_init_t) ++ +kernel_read_network_state(cloud_init_t) + +corenet_tcp_connect_http_port(cloud_init_t) @@ -15340,7 +15358,7 @@ index 0000000..d5920c0 +') diff --git a/cockpit.te b/cockpit.te new file mode 100644 -index 0000000..da93926 +index 0000000..0167d62 --- /dev/null +++ b/cockpit.te @@ -0,0 +1,120 @@ 
@@ -15434,8 +15452,8 @@ index 0000000..da93926 +# + +# cockpit-session changes to the actual logged in user -+allow cockpit_session_t self:capability { sys_admin dac_override setuid setgid }; -+allow cockpit_session_t self:process { setexec setsched signal_perms }; ++allow cockpit_session_t self:capability { sys_admin dac_override setuid setgid sys_resource}; ++allow cockpit_session_t self:process { setexec setsched signal_perms setrlimit }; + +read_files_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t) +list_dirs_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t) @@ -21009,7 +21027,7 @@ index 3023be7..5afde80 100644 + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") ') diff --git a/cups.te b/cups.te -index c91813c..6f66ea4 100644 +index c91813c..da04f2d 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) @@ -21539,15 +21557,17 @@ index c91813c..6f66ea4 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -550,7 +602,6 @@ optional_policy(` +@@ -550,8 +602,8 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; -allow cups_pdf_t self:fifo_file rw_fifo_file_perms; allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; ++allow cups_pdf_t cupsd_rw_etc_t:dir search; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -566,148 +617,23 @@ fs_search_auto_mountpoints(cups_pdf_t) + create_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) +@@ -566,148 +618,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -21699,7 +21719,7 @@ index c91813c..6f66ea4 100644 ######################################## # -@@ -735,7 +661,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -735,7 +662,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) 
@@ -21707,7 +21727,7 @@ index c91813c..6f66ea4 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -745,13 +670,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -745,13 +671,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -21721,7 +21741,7 @@ index c91813c..6f66ea4 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -759,8 +682,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -759,8 +683,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -21730,7 +21750,7 @@ index c91813c..6f66ea4 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -773,3 +694,4 @@ optional_policy(` +@@ -773,3 +695,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') @@ -27367,10 +27387,10 @@ index 9a21639..26c5986 100644 ') + diff --git a/drbd.te b/drbd.te -index f2516cc..6b232ae 100644 +index f2516cc..af2c2ad 100644 --- a/drbd.te +++ b/drbd.te -@@ -18,38 +18,71 @@ files_type(drbd_var_lib_t) +@@ -18,38 +18,72 @@ files_type(drbd_var_lib_t) type drbd_lock_t; files_lock_file(drbd_lock_t) @@ -27413,7 +27433,8 @@ index f2516cc..6b232ae 100644 +files_tmp_filetrans(drbd_t, drbd_tmp_t, {file dir}) kernel_read_system_state(drbd_t) - ++kernel_load_module(drbd_t) ++ +auth_use_nsswitch(drbd_t) + +can_exec(drbd_t, drbd_exec_t) @@ -27421,7 +27442,7 @@ index f2516cc..6b232ae 100644 +corecmd_exec_bin(drbd_t) + +corenet_tcp_connect_http_port(drbd_t) -+ + dev_read_rand(drbd_t) dev_read_sysfs(drbd_t) dev_read_urand(drbd_t) @@ -37020,10 +37041,10 @@ index 0000000..2277038 +') diff --git a/gssproxy.te b/gssproxy.te new file mode 100644 -index 0000000..dc1385d +index 0000000..5e43ca7 --- /dev/null +++ b/gssproxy.te -@@ -0,0 +1,70 @@ +@@ -0,0 +1,74 @@ +policy_module(gssproxy, 1.0.0) + +######################################## 
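Review bot: `kernel_load_module(drbd_t)` in the drbd.te hunk hands the daemon the ability to load kernel modules itself (in refpolicy that interface expands to `self:capability sys_module` plus `kernel_t:system module_load`), which is arbitrary kernel code execution from a confined domain and far more than is needed to get the drbd module auto-loaded. If the denial came from drbdadm/drbdsetup opening the device and the kernel pulling the module in, the narrow grant is `kernel_request_load_module(drbd_t)`, which this patch already uses in its dontaudit form for postfix; keep `kernel_load_module` only if drbd genuinely calls init_module/finit_module, and then say so in a comment above the rule. The drbd_t rule block begins before this hunk.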
@@ -37086,6 +37107,10 @@ index 0000000..dc1385d +userdom_manage_user_tmp_files(gssproxy_t) + +optional_policy(` ++ ipa_read_lib(gssproxy_t) ++') ++ ++optional_policy(` + kerberos_use(gssproxy_t) + kerberos_filetrans_named_content(gssproxy_t) +') @@ -54254,7 +54279,7 @@ index f42896c..fce39c1 100644 +/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if -index ed81cac..ad452db 100644 +index ed81cac..cd52baf 100644 --- a/mta.if +++ b/mta.if @@ -1,4 +1,4 @@ @@ -55210,7 +55235,7 @@ index ed81cac..ad452db 100644 ## ## ## -@@ -1081,3 +1067,204 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -1081,3 +1067,209 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -55412,6 +55437,11 @@ index ed81cac..ad452db 100644 + mta_etc_filetrans_aliases($1, "virtusertable.db") + mta_etc_filetrans_aliases($1, "access.db") + mta_etc_filetrans_aliases($1, "domaintable.db") ++ filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "virtusertable.db") ++ filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "access.db") ++ filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "domaintable.db") ++ filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "mailertable.db") ++ filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "aliasesdb-stamp") + mta_filetrans_home_content($1) + mta_filetrans_admin_home_content($1) +') @@ -58559,7 +58589,7 @@ index 0641e97..f3b1111 100644 + admin_pattern($1, nrpe_etc_t) ') diff --git a/nagios.te b/nagios.te -index 7b3e682..e4b8c8a 100644 +index 7b3e682..d1e103e 100644 --- a/nagios.te +++ b/nagios.te @@ -5,6 +5,25 @@ policy_module(nagios, 1.13.0) 
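Review bot: The five new `filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, ...)` lines at the tail of the mta.if interface name `etc_mail_t` and `etc_aliases_t` directly, and the interface's `gen_require` block is outside this hunk, so check that both types are listed there or the module will not build. By name they also partly duplicate the `mta_etc_filetrans_aliases($1, ...)` calls just above them (virtusertable.db, access.db, domaintable.db) while mailertable.db and aliasesdb-stamp get only the new form; if two parent directories are intended, a line such as `# the same .db names may be created in /etc and in /etc/mail (etc_mail_t)` will stop the next reader from deleting the apparent duplicates. Note that `filetrans_pattern` also grants `$1` rw_dir_perms on etc_mail_t, so every caller of this interface can now create and remove arbitrary entries under /etc/mail.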
@@ -58688,7 +58718,7 @@ index 7b3e682..e4b8c8a 100644 corenet_all_recvfrom_netlabel(nagios_t) corenet_tcp_sendrecv_generic_if(nagios_t) corenet_tcp_sendrecv_generic_node(nagios_t) -@@ -143,7 +172,6 @@ domain_read_all_domains_state(nagios_t) +@@ -143,18 +172,16 @@ domain_read_all_domains_state(nagios_t) files_read_etc_runtime_files(nagios_t) files_read_kernel_symbol_table(nagios_t) @@ -58696,7 +58726,10 @@ index 7b3e682..e4b8c8a 100644 files_search_spool(nagios_t) fs_getattr_all_fs(nagios_t) -@@ -153,8 +181,6 @@ auth_use_nsswitch(nagios_t) + fs_search_auto_mountpoints(nagios_t) ++fs_search_cgroup_dirs(nagios_t) + + auth_use_nsswitch(nagios_t) logging_send_syslog_msg(nagios_t) @@ -58705,10 +58738,12 @@ index 7b3e682..e4b8c8a 100644 userdom_dontaudit_use_unpriv_user_fds(nagios_t) userdom_dontaudit_search_user_home_dirs(nagios_t) -@@ -162,6 +188,35 @@ mta_send_mail(nagios_t) +@@ -162,6 +189,37 @@ mta_send_mail(nagios_t) mta_signal_system_mail(nagios_t) mta_kill_system_mail(nagios_t) ++systemd_exec_systemctl(nagios_t) ++ +tunable_policy(`nagios_run_sudo',` + allow nagios_t self:capability { setuid setgid sys_resource sys_ptrace }; + allow nagios_t self:process { setrlimit setsched }; @@ -58741,7 +58776,7 @@ index 7b3e682..e4b8c8a 100644 optional_policy(` netutils_kill_ping(nagios_t) ') -@@ -178,35 +233,37 @@ optional_policy(` +@@ -178,35 +236,37 @@ optional_policy(` # # CGI local policy # @@ -58797,7 +58832,7 @@ index 7b3e682..e4b8c8a 100644 ') ######################################## -@@ -214,7 +271,7 @@ optional_policy(` +@@ -214,7 +274,7 @@ optional_policy(` # Nrpe local policy # 
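Review bot: `systemd_exec_systemctl(nagios_t)` is added unconditionally in the `@@ -162,6 +189,37 @@` hunk of nagios.te, directly above a `nagios_run_sudo` tunable that exists to keep the monitoring daemon's privileged behaviour opt-in. Letting the daemon run systemctl means a compromised check script can at least query unit state, and drive it if D-Bus chat with init is granted elsewhere; if a specific plugin needed this, place it inside the existing `nagios_run_sudo` tunable_policy block or an `optional_policy` with a comment such as `# plugins that shell out to systemctl`. The nagios_t rule block continues outside the hunk.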
@@ -58806,7 +58841,7 @@ index 7b3e682..e4b8c8a 100644 dontaudit nrpe_t self:capability { sys_tty_config sys_resource }; allow nrpe_t self:process { setpgid signal_perms setsched setrlimit }; allow nrpe_t self:fifo_file rw_fifo_file_perms; -@@ -229,9 +286,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) +@@ -229,9 +289,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) @@ -58817,7 +58852,7 @@ index 7b3e682..e4b8c8a 100644 corecmd_exec_bin(nrpe_t) corecmd_exec_shell(nrpe_t) -@@ -252,8 +309,8 @@ dev_read_urand(nrpe_t) +@@ -252,8 +312,8 @@ dev_read_urand(nrpe_t) domain_use_interactive_fds(nrpe_t) domain_read_all_domains_state(nrpe_t) @@ -58827,7 +58862,7 @@ index 7b3e682..e4b8c8a 100644 fs_getattr_all_fs(nrpe_t) fs_search_auto_mountpoints(nrpe_t) -@@ -262,10 +319,34 @@ auth_use_nsswitch(nrpe_t) +@@ -262,10 +322,34 @@ auth_use_nsswitch(nrpe_t) logging_send_syslog_msg(nrpe_t) @@ -58864,7 +58899,7 @@ index 7b3e682..e4b8c8a 100644 optional_policy(` inetd_tcp_service_domain(nrpe_t, nrpe_exec_t) ') -@@ -310,15 +391,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) +@@ -310,15 +394,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) # allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; @@ -58883,7 +58918,7 @@ index 7b3e682..e4b8c8a 100644 logging_send_syslog_msg(nagios_mail_plugin_t) sysnet_dns_name_resolve(nagios_mail_plugin_t) -@@ -345,6 +426,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; +@@ -345,6 +429,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; kernel_read_software_raid_state(nagios_checkdisk_plugin_t) 
@@ -58893,7 +58928,7 @@ index 7b3e682..e4b8c8a 100644 files_getattr_all_mountpoints(nagios_checkdisk_plugin_t) files_read_etc_runtime_files(nagios_checkdisk_plugin_t) -@@ -357,9 +441,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) +@@ -357,9 +444,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) # Services local policy # @@ -58907,7 +58942,7 @@ index 7b3e682..e4b8c8a 100644 corecmd_exec_bin(nagios_services_plugin_t) -@@ -391,6 +477,11 @@ optional_policy(` +@@ -391,6 +480,11 @@ optional_policy(` optional_policy(` mysql_stream_connect(nagios_services_plugin_t) @@ -58919,7 +58954,7 @@ index 7b3e682..e4b8c8a 100644 ') optional_policy(` -@@ -406,28 +497,36 @@ allow nagios_system_plugin_t self:capability dac_override; +@@ -406,28 +500,36 @@ allow nagios_system_plugin_t self:capability dac_override; dontaudit nagios_system_plugin_t self:capability { setuid setgid }; read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t) @@ -58958,7 +58993,7 @@ index 7b3e682..e4b8c8a 100644 ####################################### # # Event local policy -@@ -442,9 +541,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) +@@ -442,9 +544,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) init_domtrans_script(nagios_eventhandler_plugin_t) @@ -61114,10 +61149,10 @@ index 0000000..e328327 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..6c813d7 +index 0000000..a10559b --- /dev/null +++ b/nova.te -@@ -0,0 +1,199 @@ +@@ -0,0 +1,203 @@ +policy_module(nova, 1.0.0) + +######################################## @@ -61257,6 +61292,10 @@ index 0000000..6c813d7 +libs_exec_ldconfig(nova_domain) + +optional_policy(` ++ apache_search_config(nova_domain) ++') ++ ++optional_policy(` + mysql_stream_connect(nova_domain) + mysql_read_db_lnk_files(nova_domain) +') @@ -61343,7 +61382,7 @@ index ba64485..429bd79 100644 + +/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0) 
diff --git a/nscd.if b/nscd.if -index 8f2ab09..a298198 100644 +index 8f2ab09..8ca8a6f 100644 --- a/nscd.if +++ b/nscd.if @@ -1,8 +1,8 @@ @@ -61499,11 +61538,11 @@ index 8f2ab09..a298198 100644 +interface(`nscd_shm_use',` + gen_require(` + type nscd_t, nscd_var_run_t; -+ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv }; ++ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv shmemnetgrp getnetgrp }; ') + + allow $1 nscd_var_run_t:dir list_dir_perms; -+ allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost shmemserv }; ++ allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost shmemserv shmemnetgrp}; + # Receive fd from nscd and map the backing file with read access. + allow $1 nscd_t:fd use; + @@ -61517,7 +61556,7 @@ index 8f2ab09..a298198 100644 + + stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) + files_search_pids($1) -+ allow $1 nscd_t:nscd { getpwd getgrp gethost getserv }; ++ allow $1 nscd_t:nscd { getpwd getgrp gethost getserv getnetgrp }; + dontaudit $1 nscd_var_run_t:file read_file_perms; ') @@ -63488,7 +63527,7 @@ index e96a309..4245308 100644 +') + diff --git a/ntp.te b/ntp.te -index f81b113..ab4d914 100644 +index f81b113..76db00a 100644 --- a/ntp.te +++ b/ntp.te @@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t; @@ -63562,7 +63601,7 @@ index f81b113..ab4d914 100644 auth_use_nsswitch(ntpd_t) -@@ -124,8 +124,6 @@ init_exec_script_files(ntpd_t) +@@ -124,12 +124,14 @@ init_exec_script_files(ntpd_t) logging_send_syslog_msg(ntpd_t) @@ -63571,7 +63610,15 @@ index f81b113..ab4d914 100644 userdom_dontaudit_use_unpriv_user_fds(ntpd_t) userdom_list_user_home_dirs(ntpd_t) -@@ -152,9 +150,18 @@ optional_policy(` + optional_policy(` ++ clock_domtrans(ntpd_t) ++') ++ ++optional_policy(` + cron_system_entry(ntpd_t, ntpdate_exec_t) + ') + +@@ -152,9 +154,18 @@ optional_policy(` ') optional_policy(` 
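Review bot: `allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost shmemserv shmemnetgrp};` in `nscd_shm_use` is missing the space before the closing brace that every other permission set in this interface carries; write `{ shmempwd shmemgrp shmemhost shmemserv shmemnetgrp };`. The class require block now lists `getnetgrp` and `shmemnetgrp`, which only resolve against an nscd class definition that declares them, so a one-line comment on the require noting that dependency would help anyone building this interface against an older base.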
@@ -64701,7 +64748,7 @@ index c87bd2a..6180fba 100644 + allow $1 oddjob_mkhomedir_exec_t:file entrypoint; ') diff --git a/oddjob.te b/oddjob.te -index e403097..45d387d 100644 +index e403097..9080b3f 100644 --- a/oddjob.te +++ b/oddjob.te @@ -5,8 +5,6 @@ policy_module(oddjob, 1.10.0) @@ -64758,7 +64805,7 @@ index e403097..45d387d 100644 locallogin_dontaudit_use_fds(oddjob_t) -@@ -66,27 +66,27 @@ optional_policy(` +@@ -66,27 +66,29 @@ optional_policy(` ') optional_policy(` @@ -64780,6 +64827,8 @@ index e403097..45d387d 100644 kernel_read_system_state(oddjob_mkhomedir_t) ++fs_manage_auto_mountpoints(oddjob_mkhomedir_t) ++ +mls_file_upgrade(oddjob_mkhomedir_t) + auth_use_nsswitch(oddjob_mkhomedir_t) @@ -64791,7 +64840,7 @@ index e403097..45d387d 100644 selinux_get_fs_mount(oddjob_mkhomedir_t) selinux_validate_context(oddjob_mkhomedir_t) selinux_compute_access_vector(oddjob_mkhomedir_t) -@@ -98,8 +98,11 @@ seutil_read_config(oddjob_mkhomedir_t) +@@ -98,8 +100,11 @@ seutil_read_config(oddjob_mkhomedir_t) seutil_read_file_contexts(oddjob_mkhomedir_t) seutil_read_default_contexts(oddjob_mkhomedir_t) @@ -69621,10 +69670,10 @@ index 0000000..80246e6 + diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..04a0b20 +index 0000000..e55bf80 --- /dev/null +++ b/pcp.te -@@ -0,0 +1,299 @@ +@@ -0,0 +1,308 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -69735,7 +69784,7 @@ index 0000000..04a0b20 +# pcp_pmcd local policy +# + -+allow pcp_pmcd_t self:capability sys_admin; ++allow pcp_pmcd_t self:capability { sys_admin sys_ptrace }; +allow pcp_pmcd_t self:process { setsched }; +allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms; + @@ -69745,6 +69794,7 @@ index 0000000..04a0b20 +kernel_read_state(pcp_pmcd_t) +kernel_read_fs_sysctls(pcp_pmcd_t) +kernel_read_rpc_sysctls(pcp_pmcd_t) ++kernel_search_network_sysctl(pcp_pmcd_t) + +corecmd_exec_bin(pcp_pmcd_t) + 
@@ -69816,6 +69866,8 @@ index 0000000..04a0b20 +allow pcp_pmproxy_t self:process setsched; +allow pcp_pmproxy_t self:unix_dgram_socket create_socket_perms; + ++kernel_search_network_sysctl(pcp_pmproxy_t) ++ +logging_send_syslog_msg(pcp_pmproxy_t) + +optional_policy(` @@ -69874,7 +69926,7 @@ index 0000000..04a0b20 +# +# pcp_pmie local policy +# -+ ++allow pcp_pmie_t self:capability chown; +allow pcp_pmie_t self:netlink_route_socket { create_socket_perms nlmsg_read }; +allow pcp_pmie_t self:unix_dgram_socket { create_socket_perms sendto }; + @@ -69885,11 +69937,16 @@ index 0000000..04a0b20 +kernel_read_system_state(pcp_pmie_t) + +corecmd_exec_bin(pcp_pmie_t) ++corecmd_getattr_all_executables(pcp_pmie_t) + +domain_read_all_domains_state(pcp_pmie_t) + ++fs_search_cgroup_dirs(pcp_pmie_t) ++ +logging_send_syslog_msg(pcp_pmie_t) + ++systemd_search_unit_dirs(pcp_pmie_t) ++ +userdom_read_user_tmp_files(pcp_pmie_t) + +######################################## @@ -69916,6 +69973,7 @@ index 0000000..04a0b20 +domain_read_all_domains_state(pcp_pmlogger_t) + +init_read_utmp(pcp_pmlogger_t) ++init_status(pcp_pmlogger_t) + +systemd_exec_systemctl(pcp_pmlogger_t) +systemd_getattr_unit_files(pcp_pmlogger_t) @@ -75411,7 +75469,7 @@ index ded95ec..3cf7146 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 5cfb83e..6167c01 100644 +index 5cfb83e..b140dcb 100644 --- a/postfix.te +++ b/postfix.te @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1) @@ -76256,7 +76314,7 @@ index 5cfb83e..6167c01 100644 ') optional_policy(` -@@ -774,31 +720,100 @@ optional_policy(` +@@ -774,31 +720,101 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -76327,6 +76385,7 @@ index 5cfb83e..6167c01 100644 + +kernel_read_network_state(postfix_domain) +kernel_read_all_sysctls(postfix_domain) ++kernel_dontaudit_request_load_module(postfix_domain) + +dev_read_sysfs(postfix_domain) +dev_read_rand(postfix_domain) 
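Review bot: `allow pcp_pmcd_t self:capability { sys_admin sys_ptrace };` in the pcp.te hunk puts the two broadest capabilities into the collector's own domain with no comment saying which PMDA needs them. On its own the sys_ptrace bit does little under SELinux, because reading another domain's /proc/<pid> internals or attaching to it still needs `process ptrace` on each target, which makes it worth asking whether the grant fixes a real metric or merely silences a capability audit that a `dontaudit pcp_pmcd_t self:capability sys_ptrace;` would cover; either way add `# sys_ptrace: needed by <PMDA> for <metric>` above the rule. In the same hunk, `allow pcp_pmie_t self:capability chown;` sits directly under the section-header comment without the blank line every other section in this file keeps.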
@@ -84309,7 +84368,7 @@ index 4460582..4c66c25 100644 + ') diff --git a/radius.te b/radius.te -index 403a4fe..159f21e 100644 +index 403a4fe..93085f2 100644 --- a/radius.te +++ b/radius.te @@ -5,6 +5,13 @@ policy_module(radius, 1.13.0) @@ -84336,6 +84395,15 @@ index 403a4fe..159f21e 100644 ######################################## # # Local policy +@@ -34,7 +44,7 @@ files_pid_file(radiusd_var_run_t) + + allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; + dontaudit radiusd_t self:capability sys_tty_config; +-allow radiusd_t self:process { getsched setrlimit setsched sigkill signal }; ++allow radiusd_t self:process { getsched setrlimit setsched sigkill signal ptrace}; + allow radiusd_t self:fifo_file rw_fifo_file_perms; + allow radiusd_t self:unix_stream_socket { accept listen }; + allow radiusd_t self:tcp_socket { accept listen }; @@ -49,9 +59,7 @@ manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t) filetrans_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_rw_t, { dir file lnk_file }) @@ -87219,7 +87287,7 @@ index c8a1e16..2d409bf 100644 xen_domtrans_xm(rgmanager_t) ') diff --git a/rhcs.fc b/rhcs.fc -index 47de2d6..c2bc05a 100644 +index 47de2d6..6baf5cd 100644 --- a/rhcs.fc +++ b/rhcs.fc @@ -1,31 +1,104 @@ @@ -87284,7 +87352,7 @@ index 47de2d6..c2bc05a 100644 +/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0) +/var/run/haproxy\.pid -- gen_context(system_u:object_r:haproxy_var_run_t,s0) +/var/run/haproxy\.stat.* -- gen_context(system_u:object_r:haproxy_var_run_t,s0) -+/var/run/haproxy\.sock.* -- gen_context(system_u:object_r:haproxy_var_run_t,s0) ++/var/run/haproxy\.sock.* -s gen_context(system_u:object_r:haproxy_var_run_t,s0) +/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) + +# cluster administrative domains file spec @@ -88217,7 +88285,7 @@ index c8bdea2..8ad3e01 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') 
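Review bot: `allow radiusd_t self:process { getsched setrlimit setsched sigkill signal ptrace};` in the radius.te hunk lacks the space before `}` that the rest of the file uses; write `{ getsched setrlimit setsched sigkill signal ptrace };`. A self ptrace permission is typically triggered by a library reading the process's own /proc/self memory files rather than by real tracing, so a comment naming the trigger, e.g. `# self ptrace: <library> reads /proc/self/maps|mem`, would save the next reviewer from re-deriving why a RADIUS server traces itself. The radiusd_t block continues beyond the hunk.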
diff --git a/rhcs.te b/rhcs.te -index 6cf79c4..4538e45 100644 +index 6cf79c4..5279416 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) @@ -88758,7 +88826,7 @@ index 6cf79c4..4538e45 100644 +# bug in haproxy and process vs pid owner +allow haproxy_t self:capability { dac_override kill }; + -+allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource net_admin net_raw }; ++allow haproxy_t self:capability { chown fowner setgid setuid sys_chroot sys_resource net_admin net_raw }; +allow haproxy_t self:capability2 block_suspend; +allow haproxy_t self:process { fork setrlimit signal_perms }; +allow haproxy_t self:fifo_file rw_fifo_file_perms; @@ -104637,16 +104705,17 @@ index b38b8b1..eb36653 100644 userdom_dontaudit_search_user_home_dirs(speedmgmt_t) diff --git a/squid.fc b/squid.fc -index 0a8b0f7..03fb6b1 100644 +index 0a8b0f7..80c1d57 100644 --- a/squid.fc +++ b/squid.fc -@@ -1,20 +1,28 @@ +@@ -1,20 +1,31 @@ -/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) +/dev/shm/squid-* -- gen_context(system_u:object_r:squid_tmpfs_t,s0) -/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0) +/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0) +/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) ++/etc/squid/ssl_db(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) +/etc/lightsquid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) -/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) 
@@ -104668,11 +104737,13 @@ index 0a8b0f7..03fb6b1 100644 -/var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) +/var/run/squid.* gen_context(system_u:object_r:squid_var_run_t,s0) - --/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) ++ +/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) +/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) +-/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) ++/var/lib/ssl_db(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) + -/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) +/var/lightsquid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) diff --git a/squid.if b/squid.if @@ -104712,7 +104783,7 @@ index 5e1f053..e7820bc 100644 domain_system_change_exemption($1) role_transition $2 squid_initrc_exec_t system_r; diff --git a/squid.te b/squid.te -index 03472ed..48b5633 100644 +index 03472ed..e03b69a 100644 --- a/squid.te +++ b/squid.te @@ -29,7 +29,7 @@ type squid_cache_t; @@ -104749,7 +104820,15 @@ index 03472ed..48b5633 100644 ######################################## # # Local policy -@@ -78,15 +85,18 @@ manage_files_pattern(squid_t, squid_log_t, squid_log_t) +@@ -68,6 +75,7 @@ manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t) + manage_files_pattern(squid_t, squid_cache_t, squid_cache_t) + manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t) + files_var_filetrans(squid_t, squid_cache_t, dir, "squid") ++filetrans_pattern(squid_t, squid_conf_t, squid_cache_t, dir, "ssl_db") + + allow squid_t squid_conf_t:dir list_dir_perms; + allow squid_t squid_conf_t:file read_file_perms; +@@ -78,15 +86,18 @@ manage_files_pattern(squid_t, squid_log_t, squid_log_t) manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t) logging_log_filetrans(squid_t, squid_log_t, { file dir }) 
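Review bot: `filetrans_pattern(squid_t, squid_conf_t, squid_cache_t, dir, "ssl_db")` in the squid.te hunk does more than label a new directory: the `filetrans_pattern` macro grants `squid_t squid_conf_t:dir rw_dir_perms`, so the proxy can now create and delete arbitrary entries in its own configuration directory, where the two context lines beneath show it previously held only `list_dir_perms`. The companion squid.fc hunk already labels `/var/lib/ssl_db` as squid_cache_t, so consider keeping the runtime certificate database there and labelling `/etc/squid/ssl_db` only for existing installs; if the /etc location must stay, add `# SSL-bump certificate DB lives under /etc/squid; this also lets squid_t write squid_conf_t dir entries` so the widening is visibly deliberate.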
@@ -104772,7 +104851,7 @@ index 03472ed..48b5633 100644 can_exec(squid_t, squid_exec_t) -@@ -94,7 +104,6 @@ kernel_read_kernel_sysctls(squid_t) +@@ -94,7 +105,6 @@ kernel_read_kernel_sysctls(squid_t) kernel_read_system_state(squid_t) kernel_read_network_state(squid_t) @@ -104780,7 +104859,7 @@ index 03472ed..48b5633 100644 corenet_all_recvfrom_netlabel(squid_t) corenet_tcp_sendrecv_generic_if(squid_t) corenet_udp_sendrecv_generic_if(squid_t) -@@ -132,6 +141,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t) +@@ -132,6 +142,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t) corenet_udp_sendrecv_gopher_port(squid_t) corenet_sendrecv_squid_server_packets(squid_t) @@ -104788,7 +104867,7 @@ index 03472ed..48b5633 100644 corenet_tcp_bind_squid_port(squid_t) corenet_udp_bind_squid_port(squid_t) corenet_tcp_sendrecv_squid_port(squid_t) -@@ -154,7 +164,6 @@ dev_read_urand(squid_t) +@@ -154,7 +165,6 @@ dev_read_urand(squid_t) domain_use_interactive_fds(squid_t) files_read_etc_runtime_files(squid_t) @@ -104796,7 +104875,7 @@ index 03472ed..48b5633 100644 files_search_spool(squid_t) files_dontaudit_getattr_tmp_dirs(squid_t) files_getattr_home_dir(squid_t) -@@ -176,7 +185,6 @@ libs_exec_lib_files(squid_t) +@@ -176,7 +186,6 @@ libs_exec_lib_files(squid_t) logging_send_syslog_msg(squid_t) miscfiles_read_generic_certs(squid_t) @@ -104804,7 +104883,7 @@ index 03472ed..48b5633 100644 userdom_use_unpriv_users_fds(squid_t) userdom_dontaudit_search_user_home_dirs(squid_t) -@@ -197,28 +205,31 @@ tunable_policy(`squid_use_tproxy',` +@@ -197,28 +206,31 @@ tunable_policy(`squid_use_tproxy',` optional_policy(` apache_content_template(squid) @@ -104850,7 +104929,7 @@ index 03472ed..48b5633 100644 ') optional_policy(` -@@ -236,3 +247,24 @@ optional_policy(` +@@ -236,3 +248,24 @@ optional_policy(` optional_policy(` udev_read_db(squid_t) ') @@ -105130,10 +105209,10 @@ index 0000000..821e158 +') + diff --git a/sssd.fc b/sssd.fc -index dbb005a..d4328ed 100644 +index dbb005a..25d119e 100644 --- a/sssd.fc 
+++ b/sssd.fc -@@ -1,15 +1,21 @@ +@@ -1,15 +1,28 @@ /etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) -/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0) @@ -105141,7 +105220,14 @@ index dbb005a..d4328ed 100644 -/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) +/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) ++/usr/libexec/sssd/sssd_autofs -- gen_context(system_u:object_r:sssd_exec_t,s0) ++/usr/libexec/sssd/sssd_ifp -- gen_context(system_u:object_r:sssd_exec_t,s0) ++/usr/libexec/sssd/sssd_nss -- gen_context(system_u:object_r:sssd_exec_t,s0) ++/usr/libexec/sssd/sssd_pac -- gen_context(system_u:object_r:sssd_exec_t,s0) ++/usr/libexec/sssd/sssd_pam -- gen_context(system_u:object_r:sssd_exec_t,s0) +/usr/libexec/sssd/sssd_secrets -- gen_context(system_u:object_r:sssd_exec_t,s0) ++/usr/libexec/sssd/sssd_ssh -- gen_context(system_u:object_r:sssd_exec_t,s0) ++/usr/libexec/sssd/sssd_sudo -- gen_context(system_u:object_r:sssd_exec_t,s0) -/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) +/usr/lib/systemd/system/sssd.* -- gen_context(system_u:object_r:sssd_unit_file_t,s0) @@ -105621,10 +105707,10 @@ index a240455..277f8f2 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..1139567 100644 +index 2d8db1f..6efbaac 100644 --- a/sssd.te +++ b/sssd.te -@@ -28,19 +28,28 @@ logging_log_file(sssd_var_log_t) +@@ -28,19 +28,31 @@ logging_log_file(sssd_var_log_t) type sssd_var_run_t; files_pid_file(sssd_var_run_t) 
@@ -105651,24 +105737,31 @@ index 2d8db1f..1139567 100644 allow sssd_t self:key manage_key_perms; -allow sssd_t self:unix_stream_socket { accept connectto listen }; +allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++ ++# Allow sssd_t to execute responders; which has different context now ++allow sssd_t sssd_exec_t:file execute_no_trans; read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t) +list_dirs_pattern(sssd_t, sssd_conf_t, sssd_conf_t) manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) -@@ -51,9 +60,7 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) +@@ -51,9 +63,11 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir }) -append_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) -create_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) -setattr_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) ++# Allow systemd to create sockets for socket activated responders ++create_sock_files_pattern(init_t, sssd_var_lib_t, sssd_var_lib_t) ++delete_sock_files_pattern(init_t, sssd_var_lib_t, sssd_var_lib_t) ++ +manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) logging_log_filetrans(sssd_t, sssd_var_log_t, file) manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -@@ -62,17 +69,14 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) +@@ -62,17 +76,14 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) kernel_read_network_state(sssd_t) kernel_read_system_state(sssd_t) @@ -105691,7 +105784,7 @@ index 2d8db1f..1139567 100644 corecmd_exec_bin(sssd_t) -@@ -83,28 +87,36 @@ domain_read_all_domains_state(sssd_t) +@@ -83,28 +94,36 @@ domain_read_all_domains_state(sssd_t) domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) 
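Review bot: `create_sock_files_pattern(init_t, sssd_var_lib_t, sssd_var_lib_t)` and the matching delete rule write policy for `init_t` from inside sssd.te; a type owned by another module needs a `gen_require` for `init_t` in this file (the top of sssd.te is outside the hunk, so verify one exists) and the conventional home for "what init may do to this module's files" is an interface in init.if called from here rather than a raw rule on init_t. The comment above the new `allow sssd_t sssd_exec_t:file execute_no_trans;` ("which has different context now") reads as if the responders had a context of their own, but the sssd.fc hunk in this same patch labels them sssd_exec_t, the daemon's own type; `# responders under /usr/libexec/sssd are now sssd_exec_t; run them in sssd_t without a transition` describes what the rule actually does.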
@@ -105732,7 +105825,7 @@ index 2d8db1f..1139567 100644 init_read_utmp(sssd_t) -@@ -112,18 +124,64 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +131,64 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) @@ -105760,7 +105853,7 @@ index 2d8db1f..1139567 100644 + kerberos_read_home_content(sssd_t) + kerberos_rw_config(sssd_t) + kerberos_rw_keytab(sssd_t) -+') + ') + +optional_policy(` + dirsrv_stream_connect(sssd_t) @@ -105774,7 +105867,7 @@ index 2d8db1f..1139567 100644 +optional_policy(` + samba_manage_var_dirs(sssd_t) + samba_manage_var_files(sssd_t) - ') ++') + +optional_policy(` + systemd_login_read_pid_files(sssd_t) @@ -105974,7 +106067,7 @@ diff --git a/systemtap.te b/stapserver.te similarity index 64% rename from systemtap.te rename to stapserver.te -index ffde368..e847ea3 100644 +index ffde368..f8c70e4 100644 --- a/systemtap.te +++ b/stapserver.te @@ -1,4 +1,4 @@ @@ -105996,7 +106089,7 @@ index ffde368..e847ea3 100644 type stapserver_var_lib_t; files_type(stapserver_var_lib_t) -@@ -24,50 +18,62 @@ logging_log_file(stapserver_log_t) +@@ -24,50 +18,63 @@ logging_log_file(stapserver_log_t) type stapserver_var_run_t; files_pid_file(stapserver_var_run_t) @@ -106050,6 +106143,7 @@ index ffde368..e847ea3 100644 -kernel_read_kernel_sysctls(stapserver_t) kernel_read_system_state(stapserver_t) +kernel_read_kernel_sysctls(stapserver_t) ++files_list_kernel_modules(stapserver_t) corecmd_exec_bin(stapserver_t) corecmd_exec_shell(stapserver_t) @@ -106072,7 +106166,7 @@ index ffde368..e847ea3 100644 auth_use_nsswitch(stapserver_t) init_read_utmp(stapserver_t) -@@ -75,12 +81,18 @@ init_read_utmp(stapserver_t) +@@ -75,12 +82,18 @@ init_read_utmp(stapserver_t) logging_send_audit_msgs(stapserver_t) logging_send_syslog_msg(stapserver_t) 
@@ -106092,7 +106186,7 @@ index ffde368..e847ea3 100644 consoletype_exec(stapserver_t) ') -@@ -99,3 +111,4 @@ optional_policy(` +@@ -99,3 +112,4 @@ optional_policy(` optional_policy(` rpm_exec(stapserver_t) ') @@ -107100,10 +107194,10 @@ index 0000000..a6e216c + diff --git a/targetd.te b/targetd.te new file mode 100644 -index 0000000..e372bd7 +index 0000000..7f28cdd --- /dev/null +++ b/targetd.te -@@ -0,0 +1,63 @@ +@@ -0,0 +1,65 @@ +policy_module(targetd, 1.0.0) + +######################################## @@ -107126,6 +107220,7 @@ index 0000000..e372bd7 +# targetd local policy +# + ++allow targetd_t self:capability { sys_admin }; +allow targetd_t self:fifo_file rw_fifo_file_perms; +allow targetd_t self:unix_stream_socket create_stream_socket_perms; +allow targetd_t self:tcp_socket listen; @@ -107141,6 +107236,7 @@ index 0000000..e372bd7 +auth_use_nsswitch(targetd_t) + +corecmd_exec_shell(targetd_t) ++corecmd_exec_bin(targetd_t) + +corenet_tcp_bind_generic_node(targetd_t) +corenet_tcp_bind_lsm_plugin_port(targetd_t) @@ -110363,10 +110459,10 @@ index 0000000..e5cec8f +') diff --git a/tomcat.te b/tomcat.te new file mode 100644 -index 0000000..5a263b2 +index 0000000..3157eb8 --- /dev/null +++ b/tomcat.te -@@ -0,0 +1,69 @@ +@@ -0,0 +1,70 @@ +policy_module(tomcat, 1.0.0) + +######################################## @@ -110418,6 +110514,7 @@ index 0000000..5a263b2 +corenet_tcp_bind_mxi_port(tomcat_domain) +corenet_tcp_connect_http_port(tomcat_domain) +corenet_tcp_connect_mxi_port(tomcat_domain) ++corenet_tcp_connect_http_cache_port(tomcat_domain) + +dev_read_rand(tomcat_domain) +dev_read_urand(tomcat_domain) @@ -112837,7 +112934,7 @@ index a4f20bc..9777de2 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..2cff369 100644 +index facdee8..487857a 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,111 @@ 
@@ -113690,7 +113787,7 @@ index facdee8..2cff369 100644 ## ## ## -@@ -673,107 +565,625 @@ interface(`virt_home_filetrans',` +@@ -673,54 +565,571 @@ interface(`virt_home_filetrans',` ## ## # @@ -113726,8 +113823,14 @@ index facdee8..2cff369 100644 gen_require(` - type virt_home_t; + type virt_var_lib_t; -+ ') -+ + ') + +- userdom_search_user_home_dirs($1) +- allow $1 virt_home_t:dir manage_dir_perms; +- allow $1 virt_home_t:file manage_file_perms; +- allow $1 virt_home_t:fifo_file manage_fifo_file_perms; +- allow $1 virt_home_t:lnk_file manage_lnk_file_perms; +- allow $1 virt_home_t:sock_file manage_sock_file_perms; + dontaudit $1 virt_var_lib_t:file read_inherited_file_perms; +') + @@ -113872,8 +113975,11 @@ index facdee8..2cff369 100644 + read_lnk_files_pattern($1, virt_image_type, virt_image_type) + read_blk_files_pattern($1, virt_image_type, virt_image_type) + read_chr_files_pattern($1, virt_image_type, virt_image_type) -+ -+ tunable_policy(`virt_use_nfs',` + + tunable_policy(`virt_use_nfs',` +- fs_manage_nfs_dirs($1) +- fs_manage_nfs_files($1) +- fs_manage_nfs_symlinks($1) + fs_list_nfs($1) + fs_read_nfs_files($1) + fs_read_nfs_symlinks($1) 
@@ -114228,56 +114334,64 @@ index facdee8..2cff369 100644 + type virt_bridgehelper_t; + type svirt_image_t; + type svirt_socket_t; - ') - -- userdom_search_user_home_dirs($1) -- allow $1 virt_home_t:dir manage_dir_perms; -- allow $1 virt_home_t:file manage_file_perms; -- allow $1 virt_home_t:fifo_file manage_fifo_file_perms; -- allow $1 virt_home_t:lnk_file manage_lnk_file_perms; -- allow $1 virt_home_t:sock_file manage_sock_file_perms; ++ ') ++ + allow $1 virt_domain:process transition; + role $2 types virt_domain; + role $2 types virt_bridgehelper_t; + role $2 types svirt_socket_t; - -- tunable_policy(`virt_use_nfs',` -- fs_manage_nfs_dirs($1) -- fs_manage_nfs_files($1) -- fs_manage_nfs_symlinks($1) -- ') ++ + allow $1 virt_domain:process { sigkill sigstop signull signal }; + allow $1 svirt_image_t:file { relabelfrom relabelto }; + allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto }; + allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto }; + allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms; ++ ++ optional_policy(` ++ ptchown_run(virt_domain, $2) ++ ') ++') ++ ++######################################## ++## ++## Do not audit attempts to write virt daemon unnamed pipes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`virt_dontaudit_write_pipes',` ++ gen_require(` ++ type virtd_t; + ') - tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs($1) - fs_manage_cifs_files($1) - fs_manage_cifs_symlinks($1) -+ optional_policy(` -+ ptchown_run(virt_domain, $2) - ') +- ') ++ dontaudit $1 virtd_t:fd use; ++ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ') ######################################## ## -## Relabel virt home content. -+## Do not audit attempts to write virt daemon unnamed pipes. ++## Send a sigkill to virtual machines ## ## ## --## Domain allowed access. -+## Domain to not audit. 
+@@ -728,52 +1137,53 @@ interface(`virt_manage_generic_virt_home_content',` ## ## # -interface(`virt_relabel_generic_virt_home_content',` -+interface(`virt_dontaudit_write_pipes',` ++interface(`virt_kill_svirt',` gen_require(` - type virt_home_t; -+ type virtd_t; ++ attribute virt_domain; ') - userdom_search_user_home_dirs($1) @@ -114286,8 +114400,7 @@ index facdee8..2cff369 100644 - allow $1 virt_home_t:fifo_file relabel_fifo_file_perms; - allow $1 virt_home_t:lnk_file relabel_lnk_file_perms; - allow $1 virt_home_t:sock_file relabel_sock_file_perms; -+ dontaudit $1 virtd_t:fd use; -+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ++ allow $1 virt_domain:process sigkill; ') ######################################## @@ -114295,7 +114408,7 @@ index facdee8..2cff369 100644 -## Create specified objects in user home -## directories with the generic virt -## home type. -+## Send a sigkill to virtual machines ++## Send a sigkill to virtd daemon. ## ## ## @@ -114303,25 +114416,10 @@ index facdee8..2cff369 100644 ## ## -## -+# -+interface(`virt_kill_svirt',` -+ gen_require(` -+ attribute virt_domain; -+ ') -+ -+ allow $1 virt_domain:process sigkill; -+') -+ -+######################################## -+## -+## Send a sigkill to virtd daemon. -+## -+## - ## +-## -## Class of the object being created. -+## Domain allowed access. - ## - ## +-## +-## -## +# +interface(`virt_kill',` @@ -114707,13 +114805,13 @@ index facdee8..2cff369 100644 ## -## Domain allowed access. +## Domain allowed access -+## -+## + ## + ## +## +## +## The role to be allowed the sandbox domain. - ## - ## ++## ++## +## # -interface(`virt_read_images',` @@ -114875,7 +114973,7 @@ index facdee8..2cff369 100644 ## ## ## -@@ -1136,50 +1574,109 @@ interface(`virt_manage_images',` +@@ -1136,50 +1574,129 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` 
@@ -114978,9 +115076,7 @@ index facdee8..2cff369 100644 + allow virtd_t $1:dbus send_msg; + ps_process_pattern(virtd_t, $1) +') - -- files_search_locks($1) -- admin_pattern($1, virt_lock_t) ++ +######################################## +## +## Execute a file in a sandbox directory @@ -115010,16 +115106,38 @@ index facdee8..2cff369 100644 + gen_require(` + type container_file_t; + ') ++ ++ domtrans_pattern($1,container_file_t, $2) ++') + +- files_search_locks($1) +- admin_pattern($1, virt_lock_t) ++######################################## ++## ++## Dontaudit read the process state (/proc/pid) of libvirt ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_dontaudit_read_state',` ++ gen_require(` ++ type virtd_t; ++ ') - dev_list_all_dev_nodes($1) - allow $1 virt_ptynode:chr_file rw_term_perms; -+ domtrans_pattern($1,container_file_t, $2) ++ dontaudit $1 virtd_t:dir search_dir_perms; ++ dontaudit $1 virtd_t:file read_file_perms; ++ dontaudit $1 virtd_t:lnk_file read_lnk_file_perms; ') diff --git a/virt.te b/virt.te -index f03dcf5..482c24b 100644 +index f03dcf5..d790a0d 100644 --- a/virt.te +++ b/virt.te -@@ -1,451 +1,411 @@ +@@ -1,451 +1,413 @@ -policy_module(virt, 1.7.4) +policy_module(virt, 1.5.0) @@ -115655,6 +115773,8 @@ index f03dcf5..482c24b 100644 +init_dontaudit_read_state(svirt_t) + ++virt_dontaudit_read_state(svirt_t) ++ +####################################### +# +# svirt_prot_exec local policy @@ -115741,7 +115861,7 @@ index f03dcf5..482c24b 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -455,42 +415,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -455,42 +417,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) 
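Review bot: The new `virt_dontaudit_read_state` interface describes its argument as `## Domain allowed access.`, but it grants nothing — it only suppresses audit — so the description should read `## Domain to not audit.` as `virt_dontaudit_write_pipes` already does, and the summary would read more naturally as `## Do not audit attempts to read the process state (/proc/pid) of the virt daemon.`. The interface is applied to svirt_t in the virt.te hunk on this line (`++virt_dontaudit_read_state(svirt_t)`), so read attempts by guest domains against virtd's /proc entries will no longer appear in the audit log; if that is the intended trade-off for a known noisy denial, a one-line comment above the call in virt.te would record the lost signal as a deliberate decision.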
@@ -115788,22 +115908,22 @@ index f03dcf5..482c24b 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -503,23 +450,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -503,23 +452,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +- +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) -- -can_exec(virtd_t, virt_tmp_t) +# libvirtd is permitted to talk to virtlogd +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t) @@ -115822,7 +115942,7 @@ index f03dcf5..482c24b 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -527,24 +475,16 @@ corecmd_exec_shell(virtd_t) +@@ -527,24 +477,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) 
@@ -115850,7 +115970,7 @@ index f03dcf5..482c24b 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -555,20 +495,26 @@ dev_rw_vhost(virtd_t) +@@ -555,20 +497,26 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -115881,7 +116001,7 @@ index f03dcf5..482c24b 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_all_fs(virtd_t) fs_rw_anon_inodefs_files(virtd_t) -@@ -601,15 +547,18 @@ term_use_ptmx(virtd_t) +@@ -601,15 +549,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -115901,7 +116021,7 @@ index f03dcf5..482c24b 100644 selinux_validate_context(virtd_t) -@@ -620,18 +569,26 @@ seutil_read_file_contexts(virtd_t) +@@ -620,18 +571,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -115938,7 +116058,7 @@ index f03dcf5..482c24b 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -640,7 +597,7 @@ tunable_policy(`virt_use_nfs',` +@@ -640,7 +599,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -115947,7 +116067,7 @@ index f03dcf5..482c24b 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -665,20 +622,12 @@ optional_policy(` +@@ -665,20 +624,12 @@ optional_policy(` ') optional_policy(` @@ -115955,7 +116075,8 @@ index f03dcf5..482c24b 100644 - ') - - optional_policy(` - hal_dbus_chat(virtd_t) +- hal_dbus_chat(virtd_t) ++ hal_dbus_chat(virtd_t) ') optional_policy(` @@ -115968,7 +116089,7 @@ index f03dcf5..482c24b 100644 ') optional_policy(` -@@ -691,20 +640,26 @@ optional_policy(` +@@ -691,20 +642,26 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -115999,7 +116120,7 @@ index f03dcf5..482c24b 100644 ') optional_policy(` -@@ -712,11 +667,18 @@ optional_policy(` +@@ -712,11 +669,18 @@ optional_policy(` ') optional_policy(` 
@@ -116018,7 +116139,7 @@ index f03dcf5..482c24b 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -727,10 +689,18 @@ optional_policy(` +@@ -727,10 +691,18 @@ optional_policy(` ') optional_policy(` @@ -116037,7 +116158,7 @@ index f03dcf5..482c24b 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +716,336 @@ optional_policy(` +@@ -746,44 +718,336 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -116096,7 +116217,7 @@ index f03dcf5..482c24b 100644 +dev_read_sysfs(virtlogd_t) + +logging_send_syslog_msg(virtlogd_t) - ++ +auth_use_nsswitch(virtlogd_t) + +manage_files_pattern(virtlogd_t, virt_log_t, virt_log_t) @@ -116240,7 +116361,7 @@ index f03dcf5..482c24b 100644 +term_getattr_pty_fs(virt_domain) +term_use_generic_ptys(virt_domain) +term_use_ptmx(virt_domain) -+ + +tunable_policy(`virt_use_execmem',` + allow virt_domain self:process { execmem execstack }; +') @@ -116396,7 +116517,7 @@ index f03dcf5..482c24b 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1056,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1058,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -116423,7 +116544,7 @@ index f03dcf5..482c24b 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1076,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1078,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -116440,10 +116561,10 @@ index f03dcf5..482c24b 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) ++ ++auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) -+auth_read_passwd(virsh_t) -+ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) 
@@ -116457,7 +116578,7 @@ index f03dcf5..482c24b 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1113,20 @@ optional_policy(` +@@ -856,14 +1115,20 @@ optional_policy(` ') optional_policy(` @@ -116479,7 +116600,7 @@ index f03dcf5..482c24b 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1151,66 @@ optional_policy(` +@@ -888,49 +1153,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -116564,7 +116685,7 @@ index f03dcf5..482c24b 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1222,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1224,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -116584,7 +116705,7 @@ index f03dcf5..482c24b 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1243,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1245,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -116608,7 +116729,7 @@ index f03dcf5..482c24b 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1268,296 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1270,296 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -116639,7 +116760,8 @@ index f03dcf5..482c24b 100644 +optional_policy(` + container_exec_lib(virtd_lxc_t) +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') @@ -116647,8 +116769,7 @@ index f03dcf5..482c24b 100644 +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') - --sysnet_domtrans_ifconfig(virtd_lxc_t) ++ +optional_policy(` + unconfined_domain(virtd_lxc_t) +') 
@@ -116681,7 +116802,89 @@ index f03dcf5..482c24b 100644 +tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; +') -+ + +-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; +-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; +-allow svirt_lxc_domain self:fifo_file manage_file_perms; +-allow svirt_lxc_domain self:sem create_sem_perms; +-allow svirt_lxc_domain self:shm create_shm_perms; +-allow svirt_lxc_domain self:msgq create_msgq_perms; +-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; +-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; +- +-allow svirt_lxc_domain virtd_lxc_t:fd use; +-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; +-allow svirt_lxc_domain virtd_lxc_t:process sigchld; +- +-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; +- +-allow svirt_lxc_domain virsh_t:fd use; +-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; +-allow svirt_lxc_domain virsh_t:process sigchld; +- +-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; +-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; +- +-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +- +-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; +-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; +- +-can_exec(svirt_lxc_domain, 
svirt_lxc_file_t) +- +-kernel_getattr_proc(svirt_lxc_domain) +-kernel_list_all_proc(svirt_lxc_domain) +-kernel_read_kernel_sysctls(svirt_lxc_domain) +-kernel_rw_net_sysctls(svirt_lxc_domain) +-kernel_read_system_state(svirt_lxc_domain) +-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) +- +-corecmd_exec_all_executables(svirt_lxc_domain) +- +-files_dontaudit_getattr_all_dirs(svirt_lxc_domain) +-files_dontaudit_getattr_all_files(svirt_lxc_domain) +-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) +-files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +-files_dontaudit_getattr_all_sockets(svirt_lxc_domain) +-files_dontaudit_list_all_mountpoints(svirt_lxc_domain) +-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) +-# files_entrypoint_all_files(svirt_lxc_domain) +-files_list_var(svirt_lxc_domain) +-files_list_var_lib(svirt_lxc_domain) +-files_search_all(svirt_lxc_domain) +-files_read_config_files(svirt_lxc_domain) +-files_read_usr_files(svirt_lxc_domain) +-files_read_usr_symlinks(svirt_lxc_domain) +- +-fs_getattr_all_fs(svirt_lxc_domain) +-fs_list_inotifyfs(svirt_lxc_domain) +- +-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) +-# fs_rw_inherited_cifs_files(svirt_lxc_domain) +-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) +- +-auth_dontaudit_read_login_records(svirt_lxc_domain) +-auth_dontaudit_write_login_records(svirt_lxc_domain) +-auth_search_pam_console_data(svirt_lxc_domain) +- +-clock_read_adjtime(svirt_lxc_domain) +- +-init_read_utmp(svirt_lxc_domain) +-init_dontaudit_write_utmp(svirt_lxc_domain) +- +-libs_dontaudit_setattr_lib_files(svirt_lxc_domain) +- +-miscfiles_read_localization(svirt_lxc_domain) +-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) +-miscfiles_read_fonts(svirt_lxc_domain) +- +-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; +allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; +allow 
virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; 
@@ -116772,103 +116975,21 @@ index f03dcf5..482c24b 100644 +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) --allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; --allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; --allow svirt_lxc_domain self:fifo_file manage_file_perms; --allow svirt_lxc_domain self:sem create_sem_perms; --allow svirt_lxc_domain self:shm create_shm_perms; --allow svirt_lxc_domain self:msgq create_msgq_perms; --allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; --allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; -- --allow svirt_lxc_domain virtd_lxc_t:fd use; --allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; --allow svirt_lxc_domain virtd_lxc_t:process sigchld; -- --allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; -- --allow svirt_lxc_domain virsh_t:fd use; --allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; --allow svirt_lxc_domain virsh_t:process sigchld; -- --allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; --allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; -- --manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -- --allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; --allow svirt_lxc_net_t 
svirt_lxc_file_t:filesystem getattr; -- --can_exec(svirt_lxc_domain, svirt_lxc_file_t) -- --kernel_getattr_proc(svirt_lxc_domain) --kernel_list_all_proc(svirt_lxc_domain) --kernel_read_kernel_sysctls(svirt_lxc_domain) --kernel_rw_net_sysctls(svirt_lxc_domain) --kernel_read_system_state(svirt_lxc_domain) --kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) -- --corecmd_exec_all_executables(svirt_lxc_domain) -- --files_dontaudit_getattr_all_dirs(svirt_lxc_domain) --files_dontaudit_getattr_all_files(svirt_lxc_domain) --files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) --files_dontaudit_getattr_all_pipes(svirt_lxc_domain) --files_dontaudit_getattr_all_sockets(svirt_lxc_domain) --files_dontaudit_list_all_mountpoints(svirt_lxc_domain) --files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) --# files_entrypoint_all_files(svirt_lxc_domain) --files_list_var(svirt_lxc_domain) --files_list_var_lib(svirt_lxc_domain) --files_search_all(svirt_lxc_domain) --files_read_config_files(svirt_lxc_domain) --files_read_usr_files(svirt_lxc_domain) --files_read_usr_symlinks(svirt_lxc_domain) -- --fs_getattr_all_fs(svirt_lxc_domain) --fs_list_inotifyfs(svirt_lxc_domain) -- --# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) --# fs_rw_inherited_cifs_files(svirt_lxc_domain) --# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) -- --auth_dontaudit_read_login_records(svirt_lxc_domain) --auth_dontaudit_write_login_records(svirt_lxc_domain) --auth_search_pam_console_data(svirt_lxc_domain) -- --clock_read_adjtime(svirt_lxc_domain) -- --init_read_utmp(svirt_lxc_domain) --init_dontaudit_write_utmp(svirt_lxc_domain) -- --libs_dontaudit_setattr_lib_files(svirt_lxc_domain) -- --miscfiles_read_localization(svirt_lxc_domain) --miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) --miscfiles_read_fonts(svirt_lxc_domain) -- --mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) -+optional_policy(` + optional_policy(` +- udev_read_pid_files(svirt_lxc_domain) 
+tunable_policy(`virt_sandbox_share_apache_content',` + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) + ') -+') - - optional_policy(` -- udev_read_pid_files(svirt_lxc_domain) -+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ') optional_policy(` - apache_exec_modules(svirt_lxc_domain) - apache_read_sys_content(svirt_lxc_domain) ++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ++') ++ ++optional_policy(` + ssh_use_ptys(svirt_sandbox_domain) +') + @@ -117028,10 +117149,10 @@ index f03dcf5..482c24b 100644 +auth_use_nsswitch(svirt_qemu_net_t) + +rpm_read_db(svirt_qemu_net_t) -+ -+logging_send_syslog_msg(svirt_qemu_net_t) -allow svirt_prot_exec_t self:process { execmem execstack }; ++logging_send_syslog_msg(svirt_qemu_net_t) ++ +tunable_policy(`virt_sandbox_use_audit',` + logging_send_audit_msgs(svirt_qemu_net_t) +') @@ -117052,7 +117173,7 @@ index f03dcf5..482c24b 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1570,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1572,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -117067,7 +117188,7 @@ index f03dcf5..482c24b 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1588,7 @@ optional_policy(` +@@ -1192,7 +1590,7 @@ optional_policy(` ######################################## # @@ -117076,7 +117197,7 @@ index f03dcf5..482c24b 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1597,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1599,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 3f746d7..0014e49 100644 
--- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 248%{?dist} +Release: 249%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -682,6 +682,15 @@ exit 0 %endif %changelog +* Mon Apr 03 2017 Lukas Vrabec - 3.13.1-249 +- Merge pull request #4 from lslebodn/sssd_socket_activated +- Remove /proc <> from fedora policy, it's no longer necessary +- Allow iptables get list of kernel modules +- Allow unconfined_domain_type to enable/disable transient unit +- Add interfaces init_enable_transient_unit() and init_disable_transient_unit +- Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd" +- Label sysroot dir under ostree as root_t + * Mon Mar 27 2017 Adam Williamson - 3.13.1-248 - Put tomcat_t back in unconfined domains for now. BZ(1436434)