diff --git a/config.tgz b/config.tgz
index c4a79da..c230d9f 100644
Binary files a/config.tgz and b/config.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 01faa3e..deb0e92 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -765,7 +765,7 @@ index 66e85ea..d02654d 100644
## user domains.
##
diff --git a/policy/global_tunables b/policy/global_tunables
-index 4705ab6..629fe1b 100644
+index 4705ab6..b7e7ea5 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -6,52 +6,59 @@
@@ -854,7 +854,7 @@ index 4705ab6..629fe1b 100644
## Allow any files/directories to be exported read/write via NFS.
##
##
-@@ -105,9 +103,24 @@ gen_tunable(use_samba_home_dirs,false)
+@@ -105,9 +103,30 @@ gen_tunable(use_samba_home_dirs,false)
##
##
@@ -880,6 +880,12 @@ index 4705ab6..629fe1b 100644
-gen_tunable(user_tcp_server,false)
+gen_tunable(selinuxuser_tcp_server,false)
+
++##
++##
++## Allow the mount commands to mount any directory or file.
++##
++##
++gen_tunable(mount_anyfile, false)
diff --git a/policy/mcs b/policy/mcs
index 216b3d1..81bc8c4 100644
--- a/policy/mcs
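Review bot: The description of the new `mount_anyfile` tunable (the `++##` lines above `gen_tunable(mount_anyfile, false)`) says only that mount may mount any directory or file, without stating why it ships disabled. A mount placed over an arbitrary path can replace content that other confined domains read and trust, so the administrator flipping the boolean should see that trade-off; I would extend the text to `## Allow the mount commands to mount any directory or file. Enabling this lets mount overlay arbitrary paths, including ones other domains rely on; keep it disabled unless required.` Which permission the tunable gates (presumably `mounton`) is not visible in this hunk, so the wording is hedged. Minor style: the neighbouring `gen_tunable(selinuxuser_tcp_server,false)` has no space after the comma, while the new line does.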
@@ -2367,7 +2373,7 @@ index 99e3903..7270808 100644
########################################
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index d555767..4165b4d 100644
+index d555767..4065a9a 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1)
@@ -2808,10 +2814,10 @@ index d555767..4165b4d 100644
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
-userdom_manage_user_home_dirs(useradd_t)
--userdom_home_filetrans_user_home_dir(useradd_t)
+ userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_manage_user_home_content_dirs(useradd_t)
-userdom_manage_user_home_content_files(useradd_t)
- userdom_home_filetrans_user_home_dir(useradd_t)
+-userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
+userdom_manage_home_role(system_r, useradd_t)
+userdom_delete_all_user_home_content(useradd_t)
@@ -2829,17 +2835,21 @@ index d555767..4165b4d 100644
optional_policy(`
apache_manage_all_user_content(useradd_t)
')
-@@ -542,7 +593,8 @@ optional_policy(`
+@@ -542,7 +593,12 @@ optional_policy(`
')
optional_policy(`
- nscd_run(useradd_t, useradd_roles)
+ nscd_domtrans(useradd_t)
+# nscd_run(useradd_t, useradd_roles)
++')
++
++optional_policy(`
++ openshift_manage_lib_dirs(useradd_t)
')
optional_policy(`
-@@ -550,6 +602,11 @@ optional_policy(`
+@@ -550,6 +606,11 @@ optional_policy(`
')
optional_policy(`
@@ -2851,7 +2861,7 @@ index d555767..4165b4d 100644
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)
')
-@@ -559,3 +616,12 @@ optional_policy(`
+@@ -559,3 +620,12 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
@@ -2865,7 +2875,7 @@ index d555767..4165b4d 100644
+ stapserver_manage_lib(useradd_t)
+')
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
-index 1dc7a85..dcc6337 100644
+index 1dc7a85..c6f4da0 100644
--- a/policy/modules/apps/seunshare.if
+++ b/policy/modules/apps/seunshare.if
@@ -43,18 +43,18 @@ interface(`seunshare_run',`
@@ -2894,7 +2904,7 @@ index 1dc7a85..dcc6337 100644
##
##
## Role allowed access.
-@@ -66,15 +66,43 @@ interface(`seunshare_run',`
+@@ -66,15 +66,44 @@ interface(`seunshare_run',`
##
##
#
@@ -2933,6 +2943,7 @@ index 1dc7a85..dcc6337 100644
+ ')
+
+ ps_process_pattern($3, $1_seunshare_t)
++ dontaudit $1_seunshare_t $3:file read;
+ allow $3 $1_seunshare_t:process signal_perms;
+ allow $3 $1_seunshare_t:fd use;
+
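Review bot: The new `dontaudit $1_seunshare_t $3:file read;` silences read denials by the sandbox domain against the caller domain's `file` objects (its /proc/&lt;pid&gt; entries, given the `ps_process_pattern($3, $1_seunshare_t)` just above) without a comment explaining what is being suppressed. A dontaudit removes the only evidence that access was attempted, so I would record the trigger: `# seunshare probes the caller's /proc/<pid> entries; deny silently rather than allow`. If the denial was merely noise from one specific tool, naming it in the comment is better still; I can only infer the cause from the adjacent pattern. The interface `seunshare_run` ends outside this hunk.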
@@ -5537,7 +5548,7 @@ index 3f6e168..51ad69a 100644
')
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..3035b45 100644
+index b31c054..17e11e0 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@
@@ -5571,15 +5582,25 @@ index b31c054..3035b45 100644
/dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -118,6 +122,7 @@
+@@ -106,6 +110,7 @@
+ /dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0)
+ /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
++/dev/spidev.* -c gen_context(system_u:object_r:usb_device_t,s0)
+ /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
+ /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0)
+@@ -118,6 +123,9 @@
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
')
++/dev/vchiq -c gen_context(system_u:object_r:v4l_device_t,s0)
++/dev/vc-mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/vfio/vfio -c gen_context(system_u:object_r:vfio_device_t,s0)
/dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -129,12 +134,14 @@ ifdef(`distro_suse', `
+@@ -129,12 +137,14 @@ ifdef(`distro_suse', `
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0)
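Review bot: `/dev/spidev.*` is labelled `usb_device_t`, a type for an unrelated bus, so every domain already granted generic USB device access silently gains raw SPI bus access (SPI often carries flash chips or TPMs, though what hangs off it on a given board cannot be seen from here). A dedicated type (`spidev_device_t` declared in devices.te with matching read/rw interfaces) would keep the two grants separable; if reusing `usb_device_t` is intentional, a comment above the line saying so would at least stop the next reader treating it as a typo. Labelling `/dev/vc-mem` as `memory_device_t` at `mls_systemhigh` looks right; `/dev/vchiq` as `v4l_device_t` deserves the same scrutiny, since that interface reportedly reaches the firmware side rather than only video capture -- worth confirming before treating it as a capture device.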
@@ -5594,7 +5615,7 @@ index b31c054..3035b45 100644
/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
-@@ -198,12 +205,22 @@ ifdef(`distro_debian',`
+@@ -198,12 +208,22 @@ ifdef(`distro_debian',`
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
@@ -5620,7 +5641,7 @@ index b31c054..3035b45 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..e26dfc3 100644
+index 76f285e..7a424f4 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -6313,18 +6334,105 @@ index 76f285e..e26dfc3 100644
##
##
#
-@@ -2975,8 +3250,8 @@ interface(`dev_dontaudit_write_mtrr',`
+@@ -2903,20 +3178,20 @@ interface(`dev_getattr_mtrr_dev',`
+
+ ########################################
+ ##
+-## Read the memory type range
++## Write the memory type range
+ ## registers (MTRR). (Deprecated)
+ ##
+ ##
+ ##
+-## Read the memory type range
++## Write the memory type range
+ ## registers (MTRR). This interface has
+ ## been deprecated, dev_rw_mtrr() should be
+ ## used instead.
+ ##
+ ##
+ ## The MTRR device ioctls can be used for
+-## reading and writing; thus, read access to the
+-## device cannot be separated from write access.
++## reading and writing; thus, write access to the
++## device cannot be separated from read access.
+ ##
+ ##
+ ##
+@@ -2925,43 +3200,34 @@ interface(`dev_getattr_mtrr_dev',`
+ ##
+ ##
+ #
+-interface(`dev_read_mtrr',`
++interface(`dev_write_mtrr',`
+ refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
+ dev_rw_mtrr($1)
+ ')
+
+ ########################################
+ ##
+-## Write the memory type range
+-## registers (MTRR). (Deprecated)
++## Do not audit attempts to write the memory type
++## range registers (MTRR).
+ ##
+-##
+-##
+-## Write the memory type range
+-## registers (MTRR). This interface has
+-## been deprecated, dev_rw_mtrr() should be
+-## used instead.
+-##
+-##
+-## The MTRR device ioctls can be used for
+-## reading and writing; thus, write access to the
+-## device cannot be separated from read access.
+-##
+-##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`dev_write_mtrr',`
+- refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
+- dev_rw_mtrr($1)
++interface(`dev_dontaudit_write_mtrr',`
++ gen_require(`
++ type mtrr_device_t;
++ ')
++
++ dontaudit $1 mtrr_device_t:file write_file_perms;
++ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to write the memory type
++## Do not audit attempts to read the memory type
+ ## range registers (MTRR).
+ ##
+ ##
+@@ -2970,13 +3236,13 @@ interface(`dev_write_mtrr',`
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_write_mtrr',`
++interface(`dev_dontaudit_read_mtrr',`
+ gen_require(`
type mtrr_device_t;
')
- dontaudit $1 mtrr_device_t:file write;
- dontaudit $1 mtrr_device_t:chr_file write;
-+ dontaudit $1 mtrr_device_t:file write_file_perms;
-+ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms;
++ dontaudit $1 mtrr_device_t:file { open read };
++ dontaudit $1 mtrr_device_t:chr_file { open read };
')
########################################
-@@ -3144,6 +3419,42 @@ interface(`dev_create_null_dev',`
+@@ -3144,6 +3410,42 @@ interface(`dev_create_null_dev',`
########################################
##
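Review bot: `dev_dontaudit_read_mtrr` dontaudits only `{ open read }` on `mtrr_device_t`, while `dev_dontaudit_write_mtrr` in the same hunk uses the full `write_file_perms`/`write_chr_file_perms` sets, so a failed read still logs any `getattr`, `lock` or `ioctl` denial and the two interfaces behave asymmetrically. If the narrower set is deliberate (the deprecated-interface text above notes that MTRR reads and writes both go through ioctls, so dontauditing `ioctl` would also hide write attempts), a comment saying so is needed; otherwise `dontaudit $1 mtrr_device_t:chr_file read_chr_file_perms;` (and the `file` line likewise) would match its sibling. The relocated `dev_dontaudit_write_mtrr` body itself looks consistent.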
@@ -6367,7 +6475,32 @@ index 76f285e..e26dfc3 100644
## Do not audit attempts to get the attributes
## of the BIOS non-volatile RAM device.
##
-@@ -3254,7 +3565,25 @@ interface(`dev_rw_printer',`
+@@ -3163,6 +3465,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
+
+ ########################################
+ ##
++## Read BIOS non-volatile RAM.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_nvram',`
++ gen_require(`
++ type nvram_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, nvram_device_t)
++')
++
++########################################
++##
+ ## Read and write BIOS non-volatile RAM.
+ ##
+ ##
+@@ -3254,7 +3574,25 @@ interface(`dev_rw_printer',`
########################################
##
@@ -6394,7 +6527,7 @@ index 76f285e..e26dfc3 100644
##
##
##
-@@ -3262,12 +3591,13 @@ interface(`dev_rw_printer',`
+@@ -3262,12 +3600,13 @@ interface(`dev_rw_printer',`
##
##
#
@@ -6411,7 +6544,7 @@ index 76f285e..e26dfc3 100644
')
########################################
-@@ -3855,7 +4185,7 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,7 +4194,7 @@ interface(`dev_getattr_sysfs_dirs',`
########################################
##
@@ -6420,7 +6553,7 @@ index 76f285e..e26dfc3 100644
##
##
##
-@@ -3863,53 +4193,53 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3863,53 +4202,53 @@ interface(`dev_getattr_sysfs_dirs',`
##
##
#
@@ -6485,7 +6618,7 @@ index 76f285e..e26dfc3 100644
##
##
##
-@@ -3917,37 +4247,35 @@ interface(`dev_list_sysfs',`
+@@ -3917,37 +4256,35 @@ interface(`dev_list_sysfs',`
##
##
#
@@ -6530,7 +6663,7 @@ index 76f285e..e26dfc3 100644
##
##
##
-@@ -3955,47 +4283,35 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3955,47 +4292,35 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
##
##
#
@@ -6585,7 +6718,7 @@ index 76f285e..e26dfc3 100644
##
##
##
-@@ -4003,20 +4319,18 @@ interface(`dev_read_sysfs',`
+@@ -4003,20 +4328,18 @@ interface(`dev_read_sysfs',`
##
##
#
@@ -6608,7 +6741,7 @@ index 76f285e..e26dfc3 100644
##
##
##
-@@ -4024,78 +4338,60 @@ interface(`dev_rw_sysfs',`
+@@ -4024,21 +4347,210 @@ interface(`dev_rw_sysfs',`
##
##
#
@@ -6632,106 +6765,69 @@ index 76f285e..e26dfc3 100644
-##
-##
-## Allow the specified domain to read from pseudo random number
--## generator devices (e.g., /dev/urandom). Typically this is
--## used in situations when a cryptographically secure random
--## number is not necessarily needed. One example is the Stack
--## Smashing Protector (SSP, formerly known as ProPolice) support
--## that may be compiled into programs.
--##
--##
--## Related interface:
--##
--##
--## - dev_read_rand()
--##
--##
--## Related tunable:
--##
--##
--##
- ##
- ##
--## Domain allowed access.
++##
++##
+## Domain to not audit.
- ##
- ##
--##
- #
--interface(`dev_read_urand',`
++##
++##
++#
+interface(`dev_dontaudit_write_sysfs_dirs',`
- gen_require(`
-- type device_t, urandom_device_t;
++ gen_require(`
+ type sysfs_t;
- ')
-
-- read_chr_files_pattern($1, device_t, urandom_device_t)
++ ')
++
+ dontaudit $1 sysfs_t:dir write;
- ')
-
- ########################################
- ##
--## Do not audit attempts to read from pseudo
--## random devices (e.g., /dev/urandom)
++')
++
++########################################
++##
+## Read cpu online hardware state information.
- ##
++##
+##
+##
+## Allow the specified domain to read /sys/devices/system/cpu/online file.
+##
+##
- ##
- ##
--## Domain to not audit.
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`dev_dontaudit_read_urand',`
++##
++##
++#
+interface(`dev_read_cpu_online',`
- gen_require(`
-- type urandom_device_t;
++ gen_require(`
+ type cpu_online_t;
- ')
-
-- dontaudit $1 urandom_device_t:chr_file { getattr read };
++ ')
++
+ dev_search_sysfs($1)
+ read_files_pattern($1, cpu_online_t, cpu_online_t)
- ')
-
- ########################################
- ##
--## Write to the pseudo random device (e.g., /dev/urandom). This
--## sets the random number generator seed.
++')
++
++########################################
++##
+## Relabel cpu online hardware state information.
- ##
- ##
- ##
-@@ -4103,19 +4399,245 @@ interface(`dev_dontaudit_read_urand',`
- ##
- ##
- #
--interface(`dev_write_urand',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`dev_relabel_cpu_online',`
- gen_require(`
-- type device_t, urandom_device_t;
++ gen_require(`
+ type cpu_online_t;
+ type sysfs_t;
- ')
-
-- write_chr_files_pattern($1, device_t, urandom_device_t)
++ ')
++
+ dev_search_sysfs($1)
+ allow $1 cpu_online_t:file relabel_file_perms;
- ')
-
++')
+
- ########################################
- ##
--## Getattr generic the USB devices.
++
++########################################
++##
+## Read hardware state information.
- ##
--##
++##
+##
+##
+## Allow the specified domain to read the contents of
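Review bot: `dev_relabel_cpu_online` requires `type sysfs_t;` in its `gen_require` but never references it -- the body only calls `dev_search_sysfs($1)` (which carries its own require) and grants `relabel_file_perms` on `cpu_online_t`. An unused require is harmless to the compiler but suggests an intended rule that was dropped; delete the `type sysfs_t;` line or add the rule it was meant for. The sibling `dev_read_cpu_online` gets this right. Note the grant is `relabel_file_perms` on `cpu_online_t` only, so relabeling to a different type still needs a separate `relabelto` on the target, which is the expected least-privilege shape.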
@@ -6860,80 +6956,13 @@ index 76f285e..e26dfc3 100644
+##
+##
+## Allow the specified domain to read from pseudo random number
-+## generator devices (e.g., /dev/urandom). Typically this is
-+## used in situations when a cryptographically secure random
-+## number is not necessarily needed. One example is the Stack
-+## Smashing Protector (SSP, formerly known as ProPolice) support
-+## that may be compiled into programs.
-+##
-+##
-+## Related interface:
-+##
-+##
-+## - dev_read_rand()
-+##
-+##
-+## Related tunable:
-+##
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`dev_read_urand',`
-+ gen_require(`
-+ type device_t, urandom_device_t;
-+ ')
-+
-+ read_chr_files_pattern($1, device_t, urandom_device_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read from pseudo
-+## random devices (e.g., /dev/urandom)
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_read_urand',`
-+ gen_require(`
-+ type urandom_device_t;
-+ ')
-+
-+ dontaudit $1 urandom_device_t:chr_file { getattr read };
-+')
-+
-+########################################
-+##
-+## Write to the pseudo random device (e.g., /dev/urandom). This
-+## sets the random number generator seed.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_write_urand',`
-+ gen_require(`
-+ type device_t, urandom_device_t;
-+ ')
-+
-+ write_chr_files_pattern($1, device_t, urandom_device_t)
-+')
-+
-+########################################
-+##
+ ## generator devices (e.g., /dev/urandom). Typically this is
+ ## used in situations when a cryptographically secure random
+ ## number is not necessarily needed. One example is the Stack
+@@ -4113,6 +4625,25 @@ interface(`dev_write_urand',`
+
+ ########################################
+ ##
+## Do not audit attempts to write to pseudo
+## random devices (e.g., /dev/urandom)
+##
@@ -6953,13 +6982,10 @@ index 76f285e..e26dfc3 100644
+
+########################################
+##
-+## Getattr generic the USB devices.
-+##
-+##
- ##
- ## Domain allowed access.
- ##
-@@ -4409,9 +4931,9 @@ interface(`dev_rw_usbfs',`
+ ## Getattr generic the USB devices.
+ ##
+ ##
+@@ -4409,9 +4940,9 @@ interface(`dev_rw_usbfs',`
read_lnk_files_pattern($1, usbfs_t, usbfs_t)
')
@@ -6971,7 +6997,7 @@ index 76f285e..e26dfc3 100644
##
##
##
-@@ -4419,17 +4941,17 @@ interface(`dev_rw_usbfs',`
+@@ -4419,17 +4950,17 @@ interface(`dev_rw_usbfs',`
##
##
#
@@ -6994,7 +7020,7 @@ index 76f285e..e26dfc3 100644
##
##
##
-@@ -4437,12 +4959,12 @@ interface(`dev_getattr_video_dev',`
+@@ -4437,12 +4968,12 @@ interface(`dev_getattr_video_dev',`
##
##
#
@@ -7010,7 +7036,7 @@ index 76f285e..e26dfc3 100644
')
########################################
-@@ -4539,6 +5061,134 @@ interface(`dev_write_video_dev',`
+@@ -4539,6 +5070,134 @@ interface(`dev_write_video_dev',`
########################################
##
@@ -7145,7 +7171,7 @@ index 76f285e..e26dfc3 100644
## Allow read/write the vhost net device
##
##
-@@ -4557,6 +5207,24 @@ interface(`dev_rw_vhost',`
+@@ -4557,6 +5216,24 @@ interface(`dev_rw_vhost',`
########################################
##
@@ -7170,7 +7196,7 @@ index 76f285e..e26dfc3 100644
## Read and write VMWare devices.
##
##
-@@ -4762,6 +5430,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5439,26 @@ interface(`dev_rw_xserver_misc',`
########################################
##
@@ -7197,7 +7223,7 @@ index 76f285e..e26dfc3 100644
## Read and write to the zero device (/dev/zero).
##
##
-@@ -4851,3 +5539,943 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5548,943 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -8372,7 +8398,7 @@ index 6a1e4d1..adafd25 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..5376a48 100644
+index cf04cb5..19c3e01 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8500,7 +8526,7 @@ index cf04cb5..5376a48 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +229,275 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +229,287 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -8521,6 +8547,10 @@ index cf04cb5..5376a48 100644
+')
+
+optional_policy(`
++ mandb_filetrans_named_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
+ seutil_filetrans_named_content(unconfined_domain_type)
+')
+
@@ -8590,6 +8620,10 @@ index cf04cb5..5376a48 100644
+')
+
+optional_policy(`
++ iscsi_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
+ kerberos_filetrans_named_content(unconfined_domain_type)
+')
+
@@ -8598,6 +8632,10 @@ index cf04cb5..5376a48 100644
+')
+
+optional_policy(`
++ mplayer_filetrans_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
+ modules_filetrans_named_content(unconfined_domain_type)
+')
+
@@ -9020,7 +9058,7 @@ index c2c6e05..be423a7 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..455cc6c 100644
+index 64ff4d7..fe6d89c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -10696,17 +10734,51 @@ index 64ff4d7..455cc6c 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5774,8 +6714,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5761,7 +6701,7 @@ interface(`files_relabel_all_lock_dirs',`
+
+ ########################################
+ ##
+-## Get the attributes of generic lock files.
++## Relabel to and from all lock file types.
+ ##
+ ##
+ ##
+@@ -5769,13 +6709,33 @@ interface(`files_relabel_all_lock_dirs',`
+ ##
+ ##
+ #
+-interface(`files_getattr_generic_locks',`
++interface(`files_relabel_all_lock_files',`
+ gen_require(`
++ attribute lockfile;
type var_t, var_lock_t;
')
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ relabel_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++##
++## Get the attributes of generic lock files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_getattr_generic_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
+ files_search_locks($1)
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5791,13 +6730,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5791,13 +6751,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
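Review bot: The new `files_relabel_all_lock_files` open-codes `allow $1 var_t:dir search_dir_perms;` and `allow $1 var_lock_t:lnk_file read_lnk_file_perms;`, but the sibling `files_getattr_generic_locks` immediately below it -- and the other lock interfaces this same patch rewrites (`files_delete_generic_locks`, `files_read_all_locks`, `files_manage_all_locks`) -- replace exactly that pair with `files_search_locks($1)`. Using the helper here too keeps the traversal rule in one place; the two `allow` lines become `files_search_locks($1)` and `type var_t, var_lock_t;` can then go from the `gen_require`. The grant itself, `relabel_files_pattern($1, lockfile, lockfile)`, lets the caller relabel between any two lock-file types, which is the expected breadth for an `_all_` interface but worth stating in the description.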
@@ -10724,7 +10796,7 @@ index 64ff4d7..455cc6c 100644
')
########################################
-@@ -5816,9 +6754,7 @@ interface(`files_manage_generic_locks',`
+@@ -5816,9 +6775,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -10735,7 +10807,7 @@ index 64ff4d7..455cc6c 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5860,8 +6796,7 @@ interface(`files_read_all_locks',`
+@@ -5860,8 +6817,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -10745,7 +10817,7 @@ index 64ff4d7..455cc6c 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5883,8 +6818,7 @@ interface(`files_manage_all_locks',`
+@@ -5883,8 +6839,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -10755,7 +10827,7 @@ index 64ff4d7..455cc6c 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5921,8 +6855,7 @@ interface(`files_lock_filetrans',`
+@@ -5921,8 +6876,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -10765,7 +10837,7 @@ index 64ff4d7..455cc6c 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5961,7 +6894,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5961,7 +6915,7 @@ interface(`files_setattr_pid_dirs',`
type var_run_t;
')
@@ -10774,7 +10846,7 @@ index 64ff4d7..455cc6c 100644
allow $1 var_run_t:dir setattr;
')
-@@ -5981,10 +6914,48 @@ interface(`files_search_pids',`
+@@ -5981,10 +6935,48 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -10823,7 +10895,7 @@ index 64ff4d7..455cc6c 100644
########################################
##
## Do not audit attempts to search
-@@ -6007,6 +6978,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -6007,6 +6999,25 @@ interface(`files_dontaudit_search_pids',`
########################################
##
@@ -10849,7 +10921,7 @@ index 64ff4d7..455cc6c 100644
## List the contents of the runtime process
## ID directories (/var/run).
##
-@@ -6021,7 +7011,7 @@ interface(`files_list_pids',`
+@@ -6021,7 +7032,7 @@ interface(`files_list_pids',`
type var_t, var_run_t;
')
@@ -10858,7 +10930,7 @@ index 64ff4d7..455cc6c 100644
list_dirs_pattern($1, var_t, var_run_t)
')
-@@ -6040,7 +7030,7 @@ interface(`files_read_generic_pids',`
+@@ -6040,7 +7051,7 @@ interface(`files_read_generic_pids',`
type var_t, var_run_t;
')
@@ -10867,7 +10939,7 @@ index 64ff4d7..455cc6c 100644
list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6060,7 +7050,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6060,7 +7071,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t;
')
@@ -10876,7 +10948,7 @@ index 64ff4d7..455cc6c 100644
allow $1 var_run_t:fifo_file write;
')
-@@ -6122,7 +7112,6 @@ interface(`files_pid_filetrans',`
+@@ -6122,7 +7133,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -10884,7 +10956,32 @@ index 64ff4d7..455cc6c 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6164,7 +7153,7 @@ interface(`files_rw_generic_pids',`
+@@ -6151,6 +7161,24 @@ interface(`files_pid_filetrans_lock_dir',`
+
+ ########################################
+ ##
++## rw generic pid files inherited from another process
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_rw_inherited_generic_pid_files',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ allow $1 var_run_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## Read and write generic process ID files.
+ ##
+ ##
+@@ -6164,7 +7192,7 @@ interface(`files_rw_generic_pids',`
type var_t, var_run_t;
')
@@ -10893,7 +10990,7 @@ index 64ff4d7..455cc6c 100644
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6231,55 +7220,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6231,55 +7259,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
@@ -10956,7 +11053,7 @@ index 64ff4d7..455cc6c 100644
##
##
##
-@@ -6287,42 +7264,35 @@ interface(`files_delete_all_pids',`
+@@ -6287,42 +7303,35 @@ interface(`files_delete_all_pids',`
##
##
#
@@ -11006,7 +11103,7 @@ index 64ff4d7..455cc6c 100644
##
##
##
-@@ -6330,18 +7300,18 @@ interface(`files_manage_all_pids',`
+@@ -6330,18 +7339,18 @@ interface(`files_manage_all_pids',`
##
##
#
@@ -11030,7 +11127,7 @@ index 64ff4d7..455cc6c 100644
##
##
##
-@@ -6349,37 +7319,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6349,37 +7358,40 @@ interface(`files_mounton_all_poly_members',`
##
##
#
@@ -11082,7 +11179,7 @@ index 64ff4d7..455cc6c 100644
##
##
##
-@@ -6387,18 +7360,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6387,18 +7399,17 @@ interface(`files_dontaudit_search_spool',`
##
##
#
@@ -11105,7 +11202,7 @@ index 64ff4d7..455cc6c 100644
##
##
##
-@@ -6406,18 +7378,18 @@ interface(`files_list_spool',`
+@@ -6406,18 +7417,18 @@ interface(`files_list_spool',`
##
##
#
@@ -11129,7 +11226,7 @@ index 64ff4d7..455cc6c 100644
##
##
##
-@@ -6425,19 +7397,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6425,19 +7436,18 @@ interface(`files_manage_generic_spool_dirs',`
##
##
#
@@ -11154,7 +11251,7 @@ index 64ff4d7..455cc6c 100644
##
##
##
-@@ -6445,55 +7416,43 @@ interface(`files_read_generic_spool',`
+@@ -6445,45 +7455,312 @@ interface(`files_read_generic_spool',`
##
##
#
@@ -11205,57 +11302,38 @@ index 64ff4d7..455cc6c 100644
- type var_t, var_spool_t;
+ attribute pidfile;
+ type var_t, var_run_t;
- ')
-
++ ')
++
+ files_search_pids($1)
- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_spool_t, $2, $3, $4)
++ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:dir rmdir;
+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+ delete_files_pattern($1, pidfile, pidfile)
+ delete_fifo_files_pattern($1, pidfile, pidfile)
+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
- ')
-
- ########################################
- ##
--## Allow access to manage all polyinstantiated
--## directories on the system.
++')
++
++########################################
++##
+## Delete all process ID directories.
- ##
- ##
- ##
-@@ -6501,64 +7460,814 @@ interface(`files_spool_filetrans',`
- ##
- ##
- #
--interface(`files_polyinstantiate_all',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_delete_all_pid_dirs',`
- gen_require(`
-- attribute polydir, polymember, polyparent;
-- type poly_t;
++ gen_require(`
+ attribute pidfile;
+ type var_t, var_run_t;
- ')
-
-- # Need to give access to /selinux/member
-- selinux_compute_member($1)
--
-- # Need sys_admin capability for mounting
-- allow $1 self:capability { chown fsetid sys_admin fowner };
--
-- # Need to give access to the directories to be polyinstantiated
-- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
-- # Need to give access to the polyinstantiated subdirectories
-- allow $1 polymember:dir search_dir_perms;
++ ')
++
+ files_search_pids($1)
+ allow $1 var_t:dir search_dir_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
+')
-
-- # Need to give access to parent directories where original
-- # is remounted for polyinstantiation aware programs (like gdm)
++
+########################################
+##
+## Make the specified type a file
@@ -11507,89 +11585,13 @@ index 64ff4d7..455cc6c 100644
+interface(`files_spool_filetrans',`
+ gen_require(`
+ type var_t, var_spool_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ filetrans_pattern($1, var_spool_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Allow access to manage all polyinstantiated
-+## directories on the system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_polyinstantiate_all',`
-+ gen_require(`
-+ attribute polydir, polymember, polyparent;
-+ type poly_t;
-+ ')
-+
-+ # Need to give access to /selinux/member
-+ selinux_compute_member($1)
-+
-+ # Need sys_admin capability for mounting
-+ allow $1 self:capability { chown fsetid sys_admin fowner };
-+
-+ # Need to give access to the directories to be polyinstantiated
-+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-+
-+ # Need to give access to the polyinstantiated subdirectories
-+ allow $1 polymember:dir search_dir_perms;
-+
-+ # Need to give access to parent directories where original
-+ # is remounted for polyinstantiation aware programs (like gdm)
- allow $1 polyparent:dir { getattr mounton };
+ ')
-- # Need to give permission to create directories where applicable
-- allow $1 self:process setfscreate;
-- allow $1 polymember: dir { create setattr relabelto };
-- allow $1 polydir: dir { write add_name open };
-- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
-+ # Need to give permission to create directories where applicable
-+ allow $1 self:process setfscreate;
-+ allow $1 polymember: dir { create setattr relabelto };
-+ allow $1 polydir: dir { write add_name open };
-+ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
-+
-+ # Default type for mountpoints
-+ allow $1 poly_t:dir { create mounton };
-+ fs_unmount_xattr_fs($1)
-+
-+ fs_mount_tmpfs($1)
-+ fs_unmount_tmpfs($1)
-+
-+ ifdef(`distro_redhat',`
-+ # namespace.init
-+ files_search_tmp($1)
-+ files_search_home($1)
-+ corecmd_exec_bin($1)
-+ seutil_domtrans_setfiles($1)
-+ ')
-+')
-+
-+########################################
-+##
-+## Unconfined access to files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_unconfined',`
-+ gen_require(`
-+ attribute files_unconfined_type;
-+ ')
-+
-+ typeattribute $1 files_unconfined_type;
-+')
+ allow $1 var_t:dir search_dir_perms;
+@@ -6562,3 +7839,474 @@ interface(`files_unconfined',`
+
+ typeattribute $1 files_unconfined_type;
+ ')
+
+########################################
+##
@@ -11715,15 +11717,10 @@ index 64ff4d7..455cc6c 100644
+ gen_require(`
+ attribute tmpfsfile;
+ ')
-
-- # Default type for mountpoints
-- allow $1 poly_t:dir { create mounton };
-- fs_unmount_xattr_fs($1)
++
+ allow $1 tmpfsfile:file { read write };
+')
-
-- fs_mount_tmpfs($1)
-- fs_unmount_tmpfs($1)
++
+########################################
+##
+## Do not audit attempts to read security files
@@ -11738,13 +11735,7 @@ index 64ff4d7..455cc6c 100644
+ gen_require(`
+ attribute security_file_type;
+ ')
-
-- ifdef(`distro_redhat',`
-- # namespace.init
-- files_search_tmp($1)
-- files_search_home($1)
-- corecmd_exec_bin($1)
-- seutil_domtrans_setfiles($1)
++
+ dontaudit $1 security_file_type:file read_file_perms;
+')
+
@@ -11766,36 +11757,32 @@ index 64ff4d7..455cc6c 100644
+interface(`files_rw_all_inherited_files',`
+ gen_require(`
+ attribute file_type;
- ')
++ ')
+
+ allow $1 { file_type $2 }:file rw_inherited_file_perms;
+ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
+ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
- ')
-
- ########################################
- ##
--## Unconfined access to files.
++')
++
++########################################
++##
+## Allow any file point to be the entrypoint of this domain
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`files_unconfined',`
++#
+interface(`files_entrypoint_all_files',`
- gen_require(`
-- attribute files_unconfined_type;
++ gen_require(`
+ attribute file_type;
- ')
++ ')
+ allow $1 file_type:file entrypoint;
+')
-
-- typeattribute $1 files_unconfined_type;
++
+########################################
+##
+## Do not audit attempts to rw inherited file perms
@@ -11990,7 +11977,7 @@ index 64ff4d7..455cc6c 100644
+ ')
+ files_type($1)
+ typeattribute $1 base_file_type;
- ')
++')
+
+########################################
+##
@@ -15117,7 +15104,7 @@ index 522ab32..cb9c3a2 100644
')
}
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
-index 54f1827..409df4f 100644
+index 54f1827..cc2de1a 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -23,12 +23,15 @@
@@ -15137,16 +15124,17 @@ index 54f1827..409df4f 100644
/dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-@@ -51,7 +54,7 @@ ifdef(`distro_redhat', `
+@@ -51,7 +54,8 @@ ifdef(`distro_redhat', `
/dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0)
-/dev/tw[a-z][^/]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/dev/tgt -c gen_context(system_u:object_r:scsi_generic_device_t,s0)
+/dev/tw[a-z][^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
/dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/vd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-@@ -81,3 +84,6 @@ ifdef(`distro_redhat', `
+@@ -81,3 +85,6 @@ ifdef(`distro_redhat', `
/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
@@ -15703,7 +15691,7 @@ index 7d45d15..22c9cfe 100644
+
+/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 771bce1..55ebf4b 100644
+index 771bce1..5bbf50b 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -124,7 +124,7 @@ interface(`term_user_tty',`
@@ -15715,7 +15703,33 @@ index 771bce1..55ebf4b 100644
# When user logs in from /dev/console, relabel it
# to user tty type as well.
type_change $1 console_device_t:chr_file $2;
-@@ -208,6 +208,27 @@ interface(`term_use_all_terms',`
+@@ -133,6 +133,25 @@ interface(`term_user_tty',`
+
+ ########################################
+ ##
++## Create the /dev/pts directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_create_pty_dir',`
++ gen_require(`
++ type devpts_t;
++ ')
++
++ allow $1 devpts_t:dir create_dir_perms;
++ dev_filetrans($1, devpts_t, dir, "devpts")
++')
++
++########################################
++##
+ ## Create a pty in the /dev/pts directory.
+ ##
+ ##
+@@ -208,6 +227,27 @@ interface(`term_use_all_terms',`
########################################
##
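Review bot: The name-based transition in the new `term_create_pty_dir` interface does not match the directory the interface documents: the summary says it creates /dev/pts, but `dev_filetrans($1, devpts_t, dir, "devpts")` only fires for a directory literally named `devpts` created under /dev, so a `mkdir /dev/pts` by `$1` would get the default device_t-derived label rather than devpts_t. The file context added earlier in this patch (`/usr/lib/udev/devices/pts -d … devpts_t`) also uses `pts` as the basename. If /dev/pts is the intent, the line should read `dev_filetrans($1, devpts_t, dir, "pts")`; if a directory actually named `devpts` is meant, the summary comment should say so instead. The interface body is complete within this hunk; init_t becomes its first caller later in the patch.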
@@ -15743,7 +15757,7 @@ index 771bce1..55ebf4b 100644
## Write to the console.
##
##
-@@ -274,7 +295,6 @@ interface(`term_dontaudit_read_console',`
+@@ -274,7 +314,6 @@ interface(`term_dontaudit_read_console',`
## Domain allowed access.
##
##
@@ -15751,7 +15765,7 @@ index 771bce1..55ebf4b 100644
#
interface(`term_use_console',`
gen_require(`
-@@ -299,9 +319,12 @@ interface(`term_use_console',`
+@@ -299,9 +338,12 @@ interface(`term_use_console',`
interface(`term_dontaudit_use_console',`
gen_require(`
type console_device_t;
@@ -15765,7 +15779,7 @@ index 771bce1..55ebf4b 100644
')
########################################
-@@ -384,6 +407,42 @@ interface(`term_getattr_pty_fs',`
+@@ -384,6 +426,42 @@ interface(`term_getattr_pty_fs',`
########################################
##
@@ -15808,7 +15822,7 @@ index 771bce1..55ebf4b 100644
## Relabel from and to pty filesystem.
##
##
-@@ -481,6 +540,24 @@ interface(`term_list_ptys',`
+@@ -481,6 +559,24 @@ interface(`term_list_ptys',`
########################################
##
@@ -15833,7 +15847,7 @@ index 771bce1..55ebf4b 100644
## Do not audit attempts to read the
## /dev/pts directory.
##
-@@ -620,7 +697,7 @@ interface(`term_use_generic_ptys',`
+@@ -620,7 +716,7 @@ interface(`term_use_generic_ptys',`
########################################
##
@@ -15842,7 +15856,7 @@ index 771bce1..55ebf4b 100644
## write the generic pty type. This is
## generally only used in the targeted policy.
##
-@@ -635,6 +712,7 @@ interface(`term_dontaudit_use_generic_ptys',`
+@@ -635,6 +731,7 @@ interface(`term_dontaudit_use_generic_ptys',`
type devpts_t;
')
@@ -15850,7 +15864,7 @@ index 771bce1..55ebf4b 100644
dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
')
-@@ -879,6 +957,26 @@ interface(`term_use_all_ptys',`
+@@ -879,6 +976,26 @@ interface(`term_use_all_ptys',`
########################################
##
@@ -15877,7 +15891,7 @@ index 771bce1..55ebf4b 100644
## Do not audit attempts to read or write any ptys.
##
##
-@@ -892,7 +990,7 @@ interface(`term_dontaudit_use_all_ptys',`
+@@ -892,7 +1009,7 @@ interface(`term_dontaudit_use_all_ptys',`
attribute ptynode;
')
@@ -15886,7 +15900,7 @@ index 771bce1..55ebf4b 100644
')
########################################
-@@ -912,7 +1010,7 @@ interface(`term_relabel_all_ptys',`
+@@ -912,7 +1029,7 @@ interface(`term_relabel_all_ptys',`
')
dev_list_all_dev_nodes($1)
@@ -15895,7 +15909,7 @@ index 771bce1..55ebf4b 100644
')
########################################
-@@ -940,7 +1038,7 @@ interface(`term_getattr_all_user_ptys',`
+@@ -940,7 +1057,7 @@ interface(`term_getattr_all_user_ptys',`
##
##
##
@@ -15904,7 +15918,7 @@ index 771bce1..55ebf4b 100644
##
##
#
-@@ -1259,7 +1357,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1259,7 +1376,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t;
')
@@ -15953,7 +15967,7 @@ index 771bce1..55ebf4b 100644
')
########################################
-@@ -1275,11 +1413,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1275,11 +1432,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
#
interface(`term_getattr_all_ttys',`
gen_require(`
@@ -15967,7 +15981,7 @@ index 771bce1..55ebf4b 100644
')
########################################
-@@ -1296,10 +1436,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1296,10 +1455,12 @@ interface(`term_getattr_all_ttys',`
interface(`term_dontaudit_getattr_all_ttys',`
gen_require(`
attribute ttynode;
@@ -15980,7 +15994,7 @@ index 771bce1..55ebf4b 100644
')
########################################
-@@ -1377,7 +1519,27 @@ interface(`term_use_all_ttys',`
+@@ -1377,7 +1538,27 @@ interface(`term_use_all_ttys',`
')
dev_list_all_dev_nodes($1)
@@ -16009,7 +16023,7 @@ index 771bce1..55ebf4b 100644
')
########################################
-@@ -1396,7 +1558,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1396,7 +1577,7 @@ interface(`term_dontaudit_use_all_ttys',`
attribute ttynode;
')
@@ -16018,7 +16032,7 @@ index 771bce1..55ebf4b 100644
')
########################################
-@@ -1504,7 +1666,7 @@ interface(`term_use_all_user_ttys',`
+@@ -1504,7 +1685,7 @@ interface(`term_use_all_user_ttys',`
##
##
##
@@ -16027,7 +16041,7 @@ index 771bce1..55ebf4b 100644
##
##
#
-@@ -1512,3 +1674,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1512,3 +1693,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1)
')
@@ -16957,10 +16971,10 @@ index ff92430..36740ea 100644
##
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..45f4d0a 100644
+index 88d0028..c461b2b 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,79 @@ policy_module(sysadm, 2.5.1)
+@@ -5,39 +5,80 @@ policy_module(sysadm, 2.5.1)
# Declarations
#
@@ -17032,6 +17046,7 @@ index 88d0028..45f4d0a 100644
+sysnet_filetrans_named_content(sysadm_t)
# Add/remove user home directories
++userdom_manage_user_tmp_chr_files(sysadm_t)
userdom_manage_user_home_dirs(sysadm_t)
userdom_home_filetrans_user_home_dir(sysadm_t)
+userdom_manage_tmp_role(sysadm_r, sysadm_t)
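Review bot: The new `userdom_manage_user_tmp_chr_files(sysadm_t)` call is inserted directly under the `# Add/remove user home directories` comment, so that comment now describes a line it has nothing to do with. Move the call above the comment, or give it its own line comment such as `# manage character device nodes users create under their tmp dirs`. This is placement only; the permission itself is unchanged by the move.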
@@ -17051,7 +17066,7 @@ index 88d0028..45f4d0a 100644
ifdef(`direct_sysadm_daemon',`
optional_policy(`
-@@ -55,13 +95,7 @@ ifdef(`distro_gentoo',`
+@@ -55,13 +96,7 @@ ifdef(`distro_gentoo',`
init_exec_rc(sysadm_t)
')
@@ -17066,7 +17081,7 @@ index 88d0028..45f4d0a 100644
domain_ptrace_all_domains(sysadm_t)
')
-@@ -71,9 +105,9 @@ optional_policy(`
+@@ -71,9 +106,9 @@ optional_policy(`
optional_policy(`
apache_run_helper(sysadm_t, sysadm_r)
@@ -17077,7 +17092,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -87,6 +121,7 @@ optional_policy(`
+@@ -87,6 +122,7 @@ optional_policy(`
optional_policy(`
asterisk_stream_connect(sysadm_t)
@@ -17085,7 +17100,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -110,11 +145,17 @@ optional_policy(`
+@@ -110,11 +146,17 @@ optional_policy(`
')
optional_policy(`
@@ -17103,7 +17118,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -122,11 +163,19 @@ optional_policy(`
+@@ -122,11 +164,19 @@ optional_policy(`
')
optional_policy(`
@@ -17125,7 +17140,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -140,6 +189,10 @@ optional_policy(`
+@@ -140,6 +190,10 @@ optional_policy(`
')
optional_policy(`
@@ -17136,7 +17151,7 @@ index 88d0028..45f4d0a 100644
dmesg_exec(sysadm_t)
')
-@@ -156,11 +209,11 @@ optional_policy(`
+@@ -156,11 +210,11 @@ optional_policy(`
')
optional_policy(`
@@ -17150,7 +17165,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -179,6 +232,13 @@ optional_policy(`
+@@ -179,6 +233,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -17164,7 +17179,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -186,15 +246,20 @@ optional_policy(`
+@@ -186,15 +247,20 @@ optional_policy(`
')
optional_policy(`
@@ -17188,7 +17203,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -214,22 +279,20 @@ optional_policy(`
+@@ -214,22 +280,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -17217,7 +17232,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -241,14 +304,27 @@ optional_policy(`
+@@ -241,14 +305,27 @@ optional_policy(`
')
optional_policy(`
@@ -17245,7 +17260,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -256,10 +332,20 @@ optional_policy(`
+@@ -256,10 +333,20 @@ optional_policy(`
')
optional_policy(`
@@ -17266,7 +17281,7 @@ index 88d0028..45f4d0a 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +356,36 @@ optional_policy(`
+@@ -270,31 +357,36 @@ optional_policy(`
')
optional_policy(`
@@ -17310,7 +17325,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -319,12 +410,18 @@ optional_policy(`
+@@ -319,12 +411,18 @@ optional_policy(`
')
optional_policy(`
@@ -17330,7 +17345,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -349,7 +446,18 @@ optional_policy(`
+@@ -349,7 +447,18 @@ optional_policy(`
')
optional_policy(`
@@ -17350,7 +17365,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -360,19 +468,15 @@ optional_policy(`
+@@ -360,19 +469,15 @@ optional_policy(`
')
optional_policy(`
@@ -17372,7 +17387,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -384,10 +488,6 @@ optional_policy(`
+@@ -384,10 +489,6 @@ optional_policy(`
')
optional_policy(`
@@ -17383,7 +17398,7 @@ index 88d0028..45f4d0a 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +495,9 @@ optional_policy(`
+@@ -395,6 +496,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -17393,7 +17408,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -402,31 +505,34 @@ optional_policy(`
+@@ -402,31 +506,34 @@ optional_policy(`
')
optional_policy(`
@@ -17434,7 +17449,7 @@ index 88d0028..45f4d0a 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -439,10 +545,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +546,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -17445,7 +17460,7 @@ index 88d0028..45f4d0a 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -463,15 +565,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +566,75 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -20737,7 +20752,7 @@ index d1f64a0..97140ee 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..f0080ba 100644
+index 6bf0ecc..18223e7 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -21209,7 +21224,7 @@ index 6bf0ecc..f0080ba 100644
')
########################################
-@@ -765,11 +904,71 @@ interface(`xserver_manage_xdm_spool_files',`
+@@ -765,11 +904,91 @@ interface(`xserver_manage_xdm_spool_files',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -21225,6 +21240,26 @@ index 6bf0ecc..f0080ba 100644
+
+########################################
+##
++## Allow domain to append XDM unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++
++interface(`xserver_append_xdm_stream_socket',`
++ gen_require(`
++ type xdm_t;
++ ')
++
++ allow $1 xdm_t:unix_stream_socket append;
++')
++
++########################################
++##
+## Read XDM files in user home directories.
+##
+##
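Review bot: The new `xserver_append_xdm_stream_socket` interface has a blank line between the closing `#` of its doc block and the `interface(` line, which the neighbouring interfaces in this file do not have (in `xserver_stream_connect_xdm` just above, `#` is immediately followed by `interface(`). Drop the empty line so the XML doc block stays attached to the definition; the interface documentation extraction appears to rely on the comment block immediately preceding `interface(`. The body itself, `allow $1 xdm_t:unix_stream_socket append;`, is fine as written.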
@@ -21283,7 +21318,7 @@ index 6bf0ecc..f0080ba 100644
')
########################################
-@@ -793,6 +992,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -793,6 +1012,25 @@ interface(`xserver_read_xdm_rw_config',`
########################################
##
@@ -21309,7 +21344,7 @@ index 6bf0ecc..f0080ba 100644
## Set the attributes of XDM temporary directories.
##
##
-@@ -806,7 +1024,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -806,7 +1044,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@@ -21336,7 +21371,7 @@ index 6bf0ecc..f0080ba 100644
')
########################################
-@@ -846,7 +1082,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -846,7 +1102,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -21364,7 +21399,7 @@ index 6bf0ecc..f0080ba 100644
')
########################################
-@@ -869,6 +1124,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -869,6 +1144,24 @@ interface(`xserver_read_xdm_lib_files',`
########################################
##
@@ -21389,7 +21424,7 @@ index 6bf0ecc..f0080ba 100644
## Make an X session script an entrypoint for the specified domain.
##
##
-@@ -938,7 +1211,26 @@ interface(`xserver_getattr_log',`
+@@ -938,7 +1231,26 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -21417,7 +21452,7 @@ index 6bf0ecc..f0080ba 100644
')
########################################
-@@ -957,7 +1249,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -957,7 +1269,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -21426,7 +21461,7 @@ index 6bf0ecc..f0080ba 100644
')
########################################
-@@ -1004,6 +1296,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -1004,6 +1316,45 @@ interface(`xserver_read_xkb_libs',`
########################################
##
@@ -21472,7 +21507,7 @@ index 6bf0ecc..f0080ba 100644
## Read xdm temporary files.
##
##
-@@ -1017,7 +1348,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -1017,7 +1368,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -21481,113 +21516,73 @@ index 6bf0ecc..f0080ba 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1079,53 +1410,91 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1079,7 +1430,43 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
##
-## Do not audit attempts to get the attributes of
--## xdm temporary named sockets.
+## Create, read, write, and delete xdm temporary dirs.
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
++##
++##
++#
+interface(`xserver_relabel_xdm_tmp_dirs',`
- gen_require(`
- type xdm_tmp_t;
- ')
-
-- dontaudit $1 xdm_tmp_t:sock_file getattr;
-+ allow $1 xdm_tmp_t:dir relabel_dir_perms;
- ')
-
- ########################################
- ##
--## Execute the X server in the X server domain.
-+## Create, read, write, and delete xdm temporary dirs.
- ##
- ##
- ##
--## Domain allowed to transition.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`xserver_domtrans',`
-+interface(`xserver_manage_xdm_tmp_dirs',`
- gen_require(`
-- type xserver_t, xserver_exec_t;
-+ type xdm_tmp_t;
- ')
-
-- allow $1 xserver_t:process siginh;
-- domtrans_pattern($1, xserver_exec_t, xserver_t)
-+ manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
- ')
-
- ########################################
- ##
--## Signal X servers
-+## Do not audit attempts to get the attributes of
-+## xdm temporary named sockets.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`xserver_signal',`
-+interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
-+ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
++ allow $1 xdm_tmp_t:dir relabel_dir_perms;
+')
+
+########################################
+##
-+## Execute the X server in the X server domain.
++## Create, read, write, and delete xdm temporary dirs.
+##
+##
+##
-+## Domain allowed to transition.
++## Domain allowed access.
+##
+##
+#
-+interface(`xserver_domtrans',`
++interface(`xserver_manage_xdm_tmp_dirs',`
+ gen_require(`
-+ type xserver_t, xserver_exec_t;
++ type xdm_tmp_t;
+ ')
+
-+ allow $1 xserver_t:process siginh;
-+ domtrans_pattern($1, xserver_exec_t, xserver_t)
-+
-+ allow xserver_t $1:process getpgid;
++ manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
+')
+
+########################################
+##
-+## Signal X servers
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_signal',`
- gen_require(`
- type xserver_t;
++## Do not audit attempts to get the attributes of
+ ## xdm temporary named sockets.
+ ##
+ ##
+@@ -1093,7 +1480,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+ type xdm_tmp_t;
+ ')
+
+- dontaudit $1 xdm_tmp_t:sock_file getattr;
++ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
+ ')
+
+ ########################################
+@@ -1111,8 +1498,10 @@ interface(`xserver_domtrans',`
+ type xserver_t, xserver_exec_t;
')
-@@ -1210,6 +1579,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
+
+- allow $1 xserver_t:process siginh;
++ allow $1 xserver_t:process siginh;
+ domtrans_pattern($1, xserver_exec_t, xserver_t)
++
++ allow xserver_t $1:process getpgid;
+ ')
+
+ ########################################
+@@ -1210,6 +1599,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
########################################
##
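Review bot: In the rebased `xserver_domtrans` hunk (`@@ -1111,8 +1498,10 @@`), `allow $1 xserver_t:process siginh;` is shown as both removed and re-added with apparently identical text, which looks like a whitespace-only (tab/space) change that adds noise to the patch; drop those two inner lines and shrink the inner hunk to the one real addition. That addition, `allow xserver_t $1:process getpgid;`, grants the X server a permission back on the calling domain, which the interface's doc block (outside this hunk) does not mention; a why-comment on the line, e.g. `# the X server looks up the process group of the domain that launched it`, would make the reverse grant deliberate rather than accidental. Apart from that line, the rest of this hunk appears to be the reordering of the xdm_tmp interfaces around the unchanged `xserver_dontaudit_getattr_xdm_tmp_sockets`.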
@@ -21613,7 +21608,7 @@ index 6bf0ecc..f0080ba 100644
## Connect to the X server over a unix domain
## stream socket.
##
-@@ -1226,6 +1614,26 @@ interface(`xserver_stream_connect',`
+@@ -1226,6 +1634,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -21640,7 +21635,7 @@ index 6bf0ecc..f0080ba 100644
')
########################################
-@@ -1251,7 +1659,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1679,7 @@ interface(`xserver_read_tmp_files',`
##
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -21649,7 +21644,7 @@ index 6bf0ecc..f0080ba 100644
##
##
##
-@@ -1261,13 +1669,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1689,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -21674,7 +21669,7 @@ index 6bf0ecc..f0080ba 100644
')
########################################
-@@ -1284,10 +1702,604 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1722,604 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -26908,7 +26903,7 @@ index 24e7804..d0780a9 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..969bda2 100644
+index dd3be8d..8cda2bb 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -27095,7 +27090,7 @@ index dd3be8d..969bda2 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +222,48 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +222,49 @@ fs_list_inotifyfs(init_t)
fs_write_ramfs_sockets(init_t)
mcs_process_set_categories(init_t)
@@ -27119,6 +27114,7 @@ index dd3be8d..969bda2 100644
+allow init_t security_t:security load_policy;
-term_use_all_terms(init_t)
++term_create_pty_dir(init_t)
+term_use_unallocated_ttys(init_t)
+term_use_console(init_t)
+term_use_all_inherited_terms(init_t)
@@ -27147,7 +27143,7 @@ index dd3be8d..969bda2 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +272,178 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +273,182 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -27175,9 +27171,14 @@ index dd3be8d..969bda2 100644
+
+optional_policy(`
+ gnome_filetrans_home_content(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- auth_rw_login_records(init_t)
++ iscsi_read_lib_files(init_t)
+ ')
+
+ optional_policy(`
+ modutils_domtrans_insmod(init_t)
+ modutils_list_module_config(init_t)
+')
@@ -27306,14 +27307,13 @@ index dd3be8d..969bda2 100644
+optional_policy(`
+ lvm_rw_pipes(init_t)
+ lvm_read_config(init_t)
- ')
-
- optional_policy(`
-- auth_rw_login_records(init_t)
++')
++
++optional_policy(`
+ consolekit_manage_log(init_t)
- ')
-
- optional_policy(`
++')
++
++optional_policy(`
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
@@ -27334,7 +27334,7 @@ index dd3be8d..969bda2 100644
')
optional_policy(`
-@@ -216,6 +451,27 @@ optional_policy(`
+@@ -216,6 +456,27 @@ optional_policy(`
')
optional_policy(`
@@ -27362,7 +27362,7 @@ index dd3be8d..969bda2 100644
unconfined_domain(init_t)
')
-@@ -225,8 +481,9 @@ optional_policy(`
+@@ -225,8 +486,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -27374,7 +27374,7 @@ index dd3be8d..969bda2 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -257,12 +514,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +519,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -27391,7 +27391,7 @@ index dd3be8d..969bda2 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +539,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +544,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -27434,7 +27434,7 @@ index dd3be8d..969bda2 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +576,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +581,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -27446,7 +27446,7 @@ index dd3be8d..969bda2 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -312,8 +588,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +593,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -27457,7 +27457,7 @@ index dd3be8d..969bda2 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -321,8 +599,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +604,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -27467,7 +27467,7 @@ index dd3be8d..969bda2 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -331,7 +608,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +613,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -27475,7 +27475,7 @@ index dd3be8d..969bda2 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -339,6 +615,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +620,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -27483,7 +27483,7 @@ index dd3be8d..969bda2 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -346,14 +623,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +628,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -27501,7 +27501,7 @@ index dd3be8d..969bda2 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -363,8 +641,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +646,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -27515,7 +27515,7 @@ index dd3be8d..969bda2 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -374,10 +656,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +661,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -27529,7 +27529,7 @@ index dd3be8d..969bda2 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -386,6 +669,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +674,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -27537,7 +27537,7 @@ index dd3be8d..969bda2 100644
selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +681,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +686,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -27545,7 +27545,7 @@ index dd3be8d..969bda2 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -415,20 +700,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +705,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -27569,7 +27569,7 @@ index dd3be8d..969bda2 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +733,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +738,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -27577,7 +27577,7 @@ index dd3be8d..969bda2 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +767,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +772,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -27588,7 +27588,7 @@ index dd3be8d..969bda2 100644
alsa_read_lib(initrc_t)
')
-@@ -505,7 +791,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +796,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -27597,7 +27597,7 @@ index dd3be8d..969bda2 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -520,6 +806,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +811,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -27605,7 +27605,7 @@ index dd3be8d..969bda2 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -540,6 +827,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +832,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -27613,7 +27613,7 @@ index dd3be8d..969bda2 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +837,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +842,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -27658,7 +27658,7 @@ index dd3be8d..969bda2 100644
')
optional_policy(`
-@@ -558,14 +882,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +887,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -27690,7 +27690,7 @@ index dd3be8d..969bda2 100644
')
')
-@@ -576,6 +917,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +922,39 @@ ifdef(`distro_suse',`
')
')
@@ -27730,7 +27730,7 @@ index dd3be8d..969bda2 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +962,8 @@ optional_policy(`
+@@ -588,6 +967,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -27739,7 +27739,7 @@ index dd3be8d..969bda2 100644
')
optional_policy(`
-@@ -609,6 +985,7 @@ optional_policy(`
+@@ -609,6 +990,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -27747,7 +27747,7 @@ index dd3be8d..969bda2 100644
')
optional_policy(`
-@@ -625,6 +1002,17 @@ optional_policy(`
+@@ -625,6 +1007,17 @@ optional_policy(`
')
optional_policy(`
@@ -27765,7 +27765,7 @@ index dd3be8d..969bda2 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -641,9 +1029,13 @@ optional_policy(`
+@@ -641,9 +1034,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -27779,7 +27779,7 @@ index dd3be8d..969bda2 100644
')
optional_policy(`
-@@ -656,15 +1048,11 @@ optional_policy(`
+@@ -656,15 +1053,11 @@ optional_policy(`
')
optional_policy(`
@@ -27797,7 +27797,7 @@ index dd3be8d..969bda2 100644
')
optional_policy(`
-@@ -685,6 +1073,15 @@ optional_policy(`
+@@ -685,6 +1078,15 @@ optional_policy(`
')
optional_policy(`
@@ -27813,7 +27813,7 @@ index dd3be8d..969bda2 100644
inn_exec_config(initrc_t)
')
-@@ -725,6 +1122,7 @@ optional_policy(`
+@@ -725,6 +1127,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -27821,7 +27821,7 @@ index dd3be8d..969bda2 100644
')
optional_policy(`
-@@ -742,7 +1140,14 @@ optional_policy(`
+@@ -742,7 +1145,14 @@ optional_policy(`
')
optional_policy(`
@@ -27836,7 +27836,7 @@ index dd3be8d..969bda2 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -765,6 +1170,10 @@ optional_policy(`
+@@ -765,6 +1175,10 @@ optional_policy(`
')
optional_policy(`
@@ -27847,7 +27847,7 @@ index dd3be8d..969bda2 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -774,10 +1183,20 @@ optional_policy(`
+@@ -774,10 +1188,20 @@ optional_policy(`
')
optional_policy(`
@@ -27868,7 +27868,7 @@ index dd3be8d..969bda2 100644
quota_manage_flags(initrc_t)
')
-@@ -786,6 +1205,10 @@ optional_policy(`
+@@ -786,6 +1210,10 @@ optional_policy(`
')
optional_policy(`
@@ -27879,7 +27879,7 @@ index dd3be8d..969bda2 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -807,8 +1230,6 @@ optional_policy(`
+@@ -807,8 +1235,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -27888,7 +27888,7 @@ index dd3be8d..969bda2 100644
')
optional_policy(`
-@@ -817,6 +1238,10 @@ optional_policy(`
+@@ -817,6 +1243,10 @@ optional_policy(`
')
optional_policy(`
@@ -27899,7 +27899,7 @@ index dd3be8d..969bda2 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -826,10 +1251,12 @@ optional_policy(`
+@@ -826,10 +1256,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -27912,7 +27912,7 @@ index dd3be8d..969bda2 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1283,27 @@ optional_policy(`
+@@ -856,12 +1288,27 @@ optional_policy(`
')
optional_policy(`
@@ -27941,7 +27941,7 @@ index dd3be8d..969bda2 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1313,18 @@ optional_policy(`
+@@ -871,6 +1318,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -27960,7 +27960,7 @@ index dd3be8d..969bda2 100644
')
optional_policy(`
-@@ -886,6 +1340,10 @@ optional_policy(`
+@@ -886,6 +1345,10 @@ optional_policy(`
')
optional_policy(`
@@ -27971,7 +27971,7 @@ index dd3be8d..969bda2 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1354,196 @@ optional_policy(`
+@@ -896,3 +1359,196 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -28398,7 +28398,7 @@ index 0d4c8d3..a89c4a2 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..b6e9ebc 100644
+index 9e54bf9..468dc31 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -28424,7 +28424,7 @@ index 9e54bf9..b6e9ebc 100644
allow ipsec_t self:fifo_file read_fifo_file_perms;
allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
+allow ipsec_t self:netlink_selinux_socket create_socket_perms;
-+allow ipsec_t self:unix_stream_socket create_stream_socket_perms;
++allow ipsec_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
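Review bot: `allow ipsec_t self:unix_stream_socket { create_stream_socket_perms connectto }` widens the existing self rule with connectto but gives no hint of which socket ipsec_t connects to on itself; a short comment such as `# connect to own control socket — TODO name it` would make the grant reviewable. Self-connectto is low risk since both endpoints are ipsec_t, so this is a documentation point only. The ipsec_t section continues outside this hunk.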
@@ -28699,7 +28699,7 @@ index c42fbc3..174cfdb 100644
##
## Set the attributes of iptables config files.
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index 5dfa44b..022d91d 100644
+index 5dfa44b..2502d06 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
@@ -28796,15 +28796,20 @@ index 5dfa44b..022d91d 100644
')
optional_policy(`
-@@ -124,6 +129,7 @@ optional_policy(`
+@@ -124,6 +129,12 @@ optional_policy(`
optional_policy(`
psad_rw_tmp_files(iptables_t)
+ psad_write_log(iptables_t)
++')
++
++optional_policy(`
++ quantum_rw_inherited_pipes(iptables_t)
++ quantum_sigchld(iptables_t)
')
optional_policy(`
-@@ -135,9 +141,9 @@ optional_policy(`
+@@ -135,9 +146,9 @@ optional_policy(`
')
optional_policy(`
@@ -28816,7 +28821,7 @@ index 5dfa44b..022d91d 100644
optional_policy(`
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c0..46439b4 100644
+index 73bb3c0..dc79c6f 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -1,3 +1,4 @@
@@ -28978,7 +28983,7 @@ index 73bb3c0..46439b4 100644
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -299,17 +310,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -299,17 +310,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
#
/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
@@ -29013,6 +29018,7 @@ index 73bb3c0..46439b4 100644
-/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
+/var/spool/postfix/lib/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
+
++/usr/lib/libbcm_host\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libmyth[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/mythtv/filters/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
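Review bot: The new `/usr/lib/libbcm_host\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)` entry matches only the exact unversioned filename under `/usr/lib`, whereas the neighbouring `libmyth[^/]+\.so.*` entries also catch versioned sonames and the earlier entries in this list use `lib(64)?`. If a versioned or lib64 copy of the library exists it stays generic `lib_t` and execmod is denied, so either widen the pattern to `/usr/lib(64)?/libbcm_host\.so.*` or add a comment that the unversioned 32-bit path is deliberate. Because `textrel_shlib_t` permits text relocations for every domain that maps the library, a one-line comment naming the package that ships it would also help whoever audits this list next.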
@@ -29487,7 +29493,7 @@ index 0e3c2a9..ea9bd57 100644
+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
+')
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index c04ac46..e06286c 100644
+index c04ac46..799d194 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@@ -29611,15 +29617,19 @@ index c04ac46..e06286c 100644
unconfined_shell_domtrans(local_login_t)
')
-@@ -215,6 +211,7 @@ allow sulogin_t self:sem create_sem_perms;
+@@ -215,37 +211,55 @@ allow sulogin_t self:sem create_sem_perms;
allow sulogin_t self:msgq create_msgq_perms;
allow sulogin_t self:msg { send receive };
+kernel_read_crypto_sysctls(sulogin_t)
kernel_read_system_state(sulogin_t)
++dev_getattr_all_chr_files(sulogin_t)
++dev_getattr_all_blk_files(sulogin_t)
++
fs_search_auto_mountpoints(sulogin_t)
-@@ -223,13 +220,16 @@ fs_rw_tmpfs_chr_files(sulogin_t)
+ fs_rw_tmpfs_chr_files(sulogin_t)
+
files_read_etc_files(sulogin_t)
# because file systems are not mounted:
files_dontaudit_search_isid_type_dirs(sulogin_t)
@@ -29636,7 +29646,9 @@ index c04ac46..e06286c 100644
seutil_read_config(sulogin_t)
seutil_read_default_contexts(sulogin_t)
-@@ -238,14 +238,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
+ userdom_use_unpriv_users_fds(sulogin_t)
+
++userdom_search_admin_dir(sulogin_t)
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)
@@ -29663,7 +29675,7 @@ index c04ac46..e06286c 100644
init_getpgid(sulogin_t)
', `
allow sulogin_t self:process setexec;
-@@ -256,11 +266,3 @@ ifdef(`sulogin_no_pam', `
+@@ -256,11 +270,3 @@ ifdef(`sulogin_no_pam', `
selinux_compute_relabel_context(sulogin_t)
selinux_compute_user_contexts(sulogin_t)
')
@@ -31286,7 +31298,7 @@ index fc28bc3..2960ed7 100644
+ files_var_filetrans($1, public_content_t, dir, "ftp")
+')
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
-index d6293de..3225647 100644
+index d6293de..8f8d80d 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.10.2)
@@ -31297,6 +31309,19 @@ index d6293de..3225647 100644
attribute cert_type;
#
+@@ -48,10 +47,10 @@ files_type(man_cache_t)
+ # Types for public content
+ #
+ type public_content_t; #, customizable;
+-files_type(public_content_t)
++files_mountpoint(public_content_t)
+
+ type public_content_rw_t; #, customizable;
+-files_type(public_content_rw_t)
++files_mountpoint(public_content_rw_t)
+
+ #
+ # Base type for the tests directory.
diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
index 9933677..b155a0d 100644
--- a/policy/modules/system/modutils.fc
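Review bot: Replacing `files_type(public_content_t)` and `files_type(public_content_rw_t)` with `files_mountpoint(...)` changes what the types permit, not only how they are declared, because `files_mountpoint` additionally marks the type as a mount point that the mount domain may mount over. The hunk carries no rationale, so a comment above each declaration, for example `# public content dirs are used as mount points (NFS/bind)`, would record why the extra attribute is needed; I am inferring the use case from the name, so adjust the wording to the actual bug. The rest of the public-content section lies outside this hunk.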
@@ -31421,7 +31446,7 @@ index 7449974..6375786 100644
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
+')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 7a49e28..3e5393b 100644
+index 7a49e28..1d374a0 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -5,7 +5,7 @@ policy_module(modutils, 1.13.3)
@@ -31602,7 +31627,7 @@ index 7a49e28..3e5393b 100644
userdom_dontaudit_search_user_home_dirs(insmod_t)
kernel_domtrans_to(insmod_t, insmod_exec_t)
-@@ -184,28 +202,32 @@ optional_policy(`
+@@ -184,28 +202,33 @@ optional_policy(`
')
optional_policy(`
@@ -31619,6 +31644,7 @@ index 7a49e28..3e5393b 100644
optional_policy(`
- hotplug_search_config(insmod_t)
++ firewalld_dontaudit_write_tmp_files(insmod_t)
+ firewallgui_dontaudit_rw_pipes(insmod_t)
')
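Review bot: `firewalld_dontaudit_write_tmp_files(insmod_t)` is added into the optional_policy block that already holds `firewallgui_dontaudit_rw_pipes(insmod_t)`, so that block now depends on two different modules; if either firewalld or firewallgui is not loaded, the whole block is dropped and both dontaudits are lost. Give the new call its own optional_policy block, one module per block as the rest of modutils.te does. The enclosing insmod_t section continues outside this hunk.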
@@ -31642,7 +31668,7 @@ index 7a49e28..3e5393b 100644
')
optional_policy(`
-@@ -225,6 +247,7 @@ optional_policy(`
+@@ -225,6 +248,7 @@ optional_policy(`
optional_policy(`
rpm_rw_pipes(insmod_t)
@@ -31650,7 +31676,7 @@ index 7a49e28..3e5393b 100644
')
optional_policy(`
-@@ -233,6 +256,10 @@ optional_policy(`
+@@ -233,6 +257,10 @@ optional_policy(`
')
optional_policy(`
@@ -31661,7 +31687,7 @@ index 7a49e28..3e5393b 100644
# cjp: why is this needed:
dev_rw_xserver_misc(insmod_t)
-@@ -291,11 +318,10 @@ init_use_script_ptys(update_modules_t)
+@@ -291,11 +319,10 @@ init_use_script_ptys(update_modules_t)
logging_send_syslog_msg(update_modules_t)
@@ -32015,16 +32041,20 @@ index 4584457..e432df3 100644
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6a50270..ca097a7 100644
+index 6a50270..fa545e7 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
-@@ -10,35 +10,60 @@ policy_module(mount, 1.15.1)
- ## Allow the mount command to mount any directory or file.
- ##
- ##
--gen_tunable(allow_mount_anyfile, false)
-+gen_tunable(mount_anyfile, false)
+@@ -5,40 +5,58 @@ policy_module(mount, 1.15.1)
+ # Declarations
+ #
+-##
+-##
+-## Allow the mount command to mount any directory or file.
+-##
+-##
+-gen_tunable(allow_mount_anyfile, false)
+-
-attribute_role mount_roles;
-roleattribute system_r mount_roles;
+#attribute_role mount_roles;
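Review bot: The rewritten inner hunk now deletes the `gen_tunable(allow_mount_anyfile, false)` declaration and its description block from mount.te outright, whereas the previous version of the patch only renamed it in place, so any tunable_policy blocks keyed on `mount_anyfile` further down in mount.te (outside this hunk) now depend on the tunable being declared in some other file. A comment at the removal site, e.g. `# mount_anyfile is now declared in <declaring file>` with the real path filled in, would keep that dependency discoverable. The mount.te declarations section continues outside this hunk.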
@@ -32090,13 +32120,13 @@ index 6a50270..ca097a7 100644
allow mount_t mount_loopback_t:file read_file_perms;
-@@ -49,9 +74,24 @@ can_exec(mount_t, mount_exec_t)
+@@ -49,9 +67,24 @@ can_exec(mount_t, mount_exec_t)
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
+manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)
+manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
-+files_pid_filetrans(mount_t,mount_var_run_t,dir)
++files_pid_filetrans(mount_t,mount_var_run_t,dir,"mount")
+files_var_filetrans(mount_t,mount_var_run_t,dir)
+dev_filetrans(mount_t, mount_var_run_t, dir)
+
@@ -32116,7 +32146,7 @@ index 6a50270..ca097a7 100644
kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
# To load binfmt_misc kernel module
-@@ -60,31 +100,47 @@ kernel_request_load_module(mount_t)
+@@ -60,31 +93,47 @@ kernel_request_load_module(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
@@ -32167,7 +32197,7 @@ index 6a50270..ca097a7 100644
files_read_isid_type_files(mount_t)
# For reading cert files
files_read_usr_files(mount_t)
-@@ -92,28 +148,39 @@ files_list_mnt(mount_t)
+@@ -92,28 +141,39 @@ files_list_mnt(mount_t)
files_dontaudit_write_all_mountpoints(mount_t)
files_dontaudit_setattr_all_mountpoints(mount_t)
@@ -32213,7 +32243,7 @@ index 6a50270..ca097a7 100644
term_dontaudit_manage_pty_dirs(mount_t)
auth_use_nsswitch(mount_t)
-@@ -121,16 +188,21 @@ auth_use_nsswitch(mount_t)
+@@ -121,16 +181,21 @@ auth_use_nsswitch(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -32237,7 +32267,7 @@ index 6a50270..ca097a7 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -146,26 +218,27 @@ ifdef(`distro_ubuntu',`
+@@ -146,26 +211,27 @@ ifdef(`distro_ubuntu',`
')
')
@@ -32277,7 +32307,7 @@ index 6a50270..ca097a7 100644
corenet_tcp_bind_generic_port(mount_t)
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
-@@ -179,6 +252,9 @@ optional_policy(`
+@@ -179,6 +245,9 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -32287,7 +32317,7 @@ index 6a50270..ca097a7 100644
')
optional_policy(`
-@@ -186,6 +262,36 @@ optional_policy(`
+@@ -186,6 +255,40 @@ optional_policy(`
')
optional_policy(`
@@ -32299,6 +32329,10 @@ index 6a50270..ca097a7 100644
+')
+
+optional_policy(`
++ fsadm_manage_pid(mount_t)
++')
++
++optional_policy(`
+ glusterd_domtrans(mount_t)
+')
+
@@ -32324,7 +32358,7 @@ index 6a50270..ca097a7 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -194,24 +300,129 @@ optional_policy(`
+@@ -194,24 +297,128 @@ optional_policy(`
')
optional_policy(`
@@ -32393,16 +32427,16 @@ index 6a50270..ca097a7 100644
+optional_policy(`
+ unconfined_write_keys(mount_t)
+')
++
++optional_policy(`
++ virt_read_blk_images(mount_t)
++')
optional_policy(`
- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
- unconfined_domain(unconfined_mount_t)
-+ virt_read_blk_images(mount_t)
- ')
-+
-+optional_policy(`
+ vmware_exec_host(mount_t)
-+')
+ ')
+
+######################################
+#
@@ -32460,7 +32494,6 @@ index 6a50270..ca097a7 100644
+fs_read_ecryptfs_files(mount_ecryptfs_t)
+
+auth_use_nsswitch(mount_ecryptfs_t)
-+
diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc
index b263a8a..9348c8c 100644
--- a/policy/modules/system/netlabel.fc
@@ -33122,7 +33155,7 @@ index 3822072..1029e3b 100644
+ userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context")
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ec01d0b..73ef1e8 100644
+index ec01d0b..64db314 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,17 @@ gen_require(`
@@ -33559,11 +33592,11 @@ index ec01d0b..73ef1e8 100644
-auth_use_nsswitch(semanage_t)
-
-locallogin_use_fds(semanage_t)
+-
+-logging_send_syslog_msg(semanage_t)
+# Admins are creating pp files in random locations
+files_read_non_security_files(semanage_t)
--logging_send_syslog_msg(semanage_t)
--
-miscfiles_read_localization(semanage_t)
-
-seutil_libselinux_linked(semanage_t)
@@ -33651,7 +33684,7 @@ index ec01d0b..73ef1e8 100644
')
########################################
-@@ -522,108 +599,178 @@ ifdef(`distro_ubuntu',`
+@@ -522,108 +599,181 @@ ifdef(`distro_ubuntu',`
# Setfiles local policy
#
@@ -33733,12 +33766,12 @@ index ec01d0b..73ef1e8 100644
+ # pki is leaking
+ pki_dontaudit_write_log(setfiles_t)
+')
-
--seutil_libselinux_linked(setfiles_t)
++
+optional_policy(`
+ xserver_append_xdm_tmp_files(setfiles_t)
+')
-+
+
+-seutil_libselinux_linked(setfiles_t)
+ifdef(`hide_broken_symptoms',`
+
+ optional_policy(`
@@ -33915,6 +33948,9 @@ index ec01d0b..73ef1e8 100644
+
+userdom_dontaudit_write_user_home_content_files(policy_manager_domain)
+userdom_use_user_ptys(policy_manager_domain)
++
++files_rw_inherited_generic_pid_files(setfiles_domain)
++files_rw_inherited_generic_pid_files(seutil_semanage_domain)
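Review bot: `files_rw_inherited_generic_pid_files(setfiles_domain)` and `files_rw_inherited_generic_pid_files(seutil_semanage_domain)` are appended after the policy_manager_domain rules at the very end of the file, away from the sections where those two attributes are otherwise populated (outside this hunk), and without a heading. Either move each line up into its attribute's section or precede the pair with a short comment such as `# inherited pid fds from callers — TODO name the caller`, adjusted to the actual denial. I am assuming both attributes are declared earlier in selinuxutil.te; this hunk does not show that.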
diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
index bea4629..06e2834 100644
--- a/policy/modules/system/setrans.fc
@@ -34304,7 +34340,7 @@ index 6944526..ec17624 100644
+ files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index b7686d5..fda9b8a 100644
+index b7686d5..9c7aa79 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6)
@@ -34636,7 +34672,7 @@ index b7686d5..fda9b8a 100644
')
optional_policy(`
-@@ -339,7 +423,11 @@ optional_policy(`
+@@ -339,7 +423,15 @@ optional_policy(`
')
optional_policy(`
@@ -34645,16 +34681,24 @@ index b7686d5..fda9b8a 100644
+')
+
+optional_policy(`
++ libs_exec_ldconfig(ifconfig_t)
++')
++
++optional_policy(`
+ modutils_domtrans_insmod(ifconfig_t)
')
optional_policy(`
-@@ -360,3 +448,9 @@ optional_policy(`
+@@ -360,3 +452,13 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
+
+optional_policy(`
++ iptables_domtrans(ifconfig_t)
++')
++
++optional_policy(`
+ tunable_policy(`dhcpc_exec_iptables',`
+ iptables_domtrans(dhcpc_t)
+ ')
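Review bot: `iptables_domtrans(ifconfig_t)` is unconditional, whereas the neighbouring dhcpc_t transition in the same inner hunk is wrapped in a tunable_policy block keyed on `dhcpc_exec_iptables`; if ifconfig_t runs iptables in the same scenario, gate it with the same tunable, and if not, a comment naming what invokes iptables from ifconfig_t would justify the broader rule. `libs_exec_ldconfig(ifconfig_t)` sits in an optional_policy block although libraries appears to be a base module; that is harmless, but a comment on why ifconfig needs ldconfig would help. The ifconfig_t section continues outside this hunk.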
@@ -35910,10 +35954,10 @@ index 0000000..2e5b822
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..35c1a7d
+index 0000000..87474b2
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,645 @@
+@@ -0,0 +1,647 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -36215,6 +36259,7 @@ index 0000000..35c1a7d
+files_getattr_all_sockets(systemd_tmpfiles_t)
+files_getattr_all_symlinks(systemd_tmpfiles_t)
+files_relabel_all_lock_dirs(systemd_tmpfiles_t)
++files_relabel_all_lock_files(systemd_tmpfiles_t)
+files_relabel_all_pid_dirs(systemd_tmpfiles_t)
+files_relabel_all_pid_files(systemd_tmpfiles_t)
+files_relabel_all_spool_dirs(systemd_tmpfiles_t)
@@ -36238,6 +36283,7 @@ index 0000000..35c1a7d
+
+mls_file_read_all_levels(systemd_tmpfiles_t)
+mls_file_write_all_levels(systemd_tmpfiles_t)
++mls_file_upgrade(systemd_tmpfiles_t)
+
+selinux_get_enforce_mode(systemd_tmpfiles_t)
+
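Review bot: `mls_file_upgrade(systemd_tmpfiles_t)` grants an MLS privilege that lets the domain raise a file's sensitivity level, on top of the `mls_file_read_all_levels` and `mls_file_write_all_levels` it already has, and nothing in the hunk says which tmpfiles.d action needs it. A why-comment above the line, e.g. `# mls_file_upgrade: tmpfiles recreates files at a higher level — TODO name the unit`, would make the grant auditable; replace the reason if it is a different one. The systemd_tmpfiles_t section continues outside this hunk.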
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index f091d89..41328d9 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -518,7 +518,7 @@ index 058d908..702b716 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index cc43d25..5e60ff3 100644
+index cc43d25..b4c749b 100644
--- a/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
@@ -668,8 +668,9 @@ index cc43d25..5e60ff3 100644
#
-allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
+-dontaudit abrt_t self:capability sys_rawio;
+allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace };
- dontaudit abrt_t self:capability sys_rawio;
++dontaudit abrt_t self:capability { sys_rawio sys_ptrace };
allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
+
allow abrt_t self:fifo_file rw_fifo_file_perms;
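Review bot: `sys_ptrace` is now both allowed and dontaudited for abrt_t: `allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace }` makes the access succeed, so the `sys_ptrace` in `dontaudit abrt_t self:capability { sys_rawio sys_ptrace }` can never fire and should be dropped, leaving only `sys_rawio` there. CAP_SYS_PTRACE is also a strong capability, so a comment naming the abrt feature that needs it, for example reading the /proc state of crashing processes if that is the case, would help later review. The abrt_t section continues outside this hunk.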
@@ -1097,7 +1098,7 @@ index bd5ec9a..a5ed692 100644
+ allow $1 accountsd_unit_file_t:service all_service_perms;
')
diff --git a/accountsd.te b/accountsd.te
-index 313b33f..f9d3343 100644
+index 313b33f..6e0a894 100644
--- a/accountsd.te
+++ b/accountsd.te
@@ -4,6 +4,10 @@ gen_require(`
@@ -1136,16 +1137,18 @@ index 313b33f..f9d3343 100644
fs_getattr_xattr_fs(accountsd_t)
fs_list_inotifyfs(accountsd_t)
-@@ -48,7 +55,7 @@ auth_use_nsswitch(accountsd_t)
+@@ -48,8 +55,9 @@ auth_use_nsswitch(accountsd_t)
auth_read_login_records(accountsd_t)
auth_read_shadow(accountsd_t)
-miscfiles_read_localization(accountsd_t)
+init_dbus_chat(accountsd_t)
++logging_list_logs(accountsd_t)
logging_send_syslog_msg(accountsd_t)
logging_set_loginuid(accountsd_t)
-@@ -65,9 +72,16 @@ optional_policy(`
+
+@@ -65,9 +73,16 @@ optional_policy(`
')
optional_policy(`
@@ -1465,7 +1468,7 @@ index 01cbb67..94a4a24 100644
files_list_etc($1)
diff --git a/aide.te b/aide.te
-index 4b28ab3..cf64a9a 100644
+index 4b28ab3..6e8746f 100644
--- a/aide.te
+++ b/aide.te
@@ -10,6 +10,7 @@ attribute_role aide_roles;
@@ -1476,7 +1479,16 @@ index 4b28ab3..cf64a9a 100644
role aide_roles types aide_t;
type aide_log_t;
-@@ -34,11 +35,16 @@ logging_log_filetrans(aide_t, aide_log_t, file)
+@@ -23,7 +24,7 @@ files_type(aide_db_t)
+ # Local policy
+ #
+
+-allow aide_t self:capability { dac_override fowner };
++allow aide_t self:capability { dac_override fowner ipc_lock };
+
+ manage_files_pattern(aide_t, aide_db_t, aide_db_t)
+
+@@ -34,11 +35,20 @@ logging_log_filetrans(aide_t, aide_log_t, file)
files_read_all_files(aide_t)
files_read_all_symlinks(aide_t)
@@ -1491,6 +1503,10 @@ index 4b28ab3..cf64a9a 100644
-userdom_use_user_terminals(aide_t)
+userdom_use_inherited_user_terminals(aide_t)
++
++optional_policy(`
++ prelink_domtrans(aide_t)
++')
optional_policy(`
seutil_use_newrole_fds(aide_t)
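Review bot: `allow aide_t self:capability { dac_override fowner ipc_lock }` adds CAP_IPC_LOCK with no comment; if it is for mlock of hashing buffers, say so with something like `# ipc_lock: aide mlocks its working buffers — TODO confirm`, adjusted to the actual denial. The new prelink block closes with `')` directly against the following `optional_policy(` line with no blank line, unlike the other blocks in the file. `prelink_domtrans(aide_t)` also deserves a one-line comment, presumably that aide runs prelink to undo prelinking before hashing, if that is the reason.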
@@ -1883,24 +1899,41 @@ index cda6d20..fbe259e 100644
userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_user_home_dirs(alsa_t)
+diff --git a/amanda.fc b/amanda.fc
+index 7f4dfbc..4d750fa 100644
+--- a/amanda.fc
++++ b/amanda.fc
+@@ -13,6 +13,8 @@
+ /usr/lib/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+ /usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+
++/usr/lib/systemd/system/amanda.* -- gen_context(system_u:object_r:amanda_unit_file_t,s0)
++
+ /usr/sbin/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+ /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
+
diff --git a/amanda.te b/amanda.te
-index ed45974..46e2c0d 100644
+index ed45974..95b56a6 100644
--- a/amanda.te
+++ b/amanda.te
-@@ -9,11 +9,10 @@ attribute_role amanda_recover_roles;
+@@ -9,11 +9,13 @@ attribute_role amanda_recover_roles;
roleattribute system_r amanda_recover_roles;
type amanda_t;
+type amanda_exec_t;
type amanda_inetd_exec_t;
- inetd_service_domain(amanda_t, amanda_inetd_exec_t)
+-inetd_service_domain(amanda_t, amanda_inetd_exec_t)
++init_daemon_domain(amanda_t, amanda_exec_t)
++role system_r types amanda_t;
-type amanda_exec_t;
-domain_entry_file(amanda_t, amanda_exec_t)
++type amanda_unit_file_t;
++systemd_unit_file(amanda_unit_file_t)
type amanda_log_t;
logging_log_file(amanda_log_t)
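Review bot: `role system_r types amanda_t;` right after `init_daemon_domain(amanda_t, amanda_exec_t)` looks redundant, since refpolicy's init_daemon_domain already associates its domain with system_r; if that holds for this tree, drop the line. `type amanda_inetd_exec_t;` is still declared unconditionally here while the `inetd_service_domain(amanda_t, amanda_inetd_exec_t)` call that gives it an entrypoint is made optional in the later amanda.te hunk of this patch, so with inetd absent the amandad/amindexd binaries carry a label with no transition into amanda_t; a comment at the declaration would make that intended. The amanda declarations section continues outside this hunk.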
-@@ -60,7 +59,7 @@ optional_policy(`
+@@ -60,7 +62,7 @@ optional_policy(`
#
allow amanda_t self:capability { chown dac_override setuid kill };
@@ -1909,7 +1942,7 @@ index ed45974..46e2c0d 100644
allow amanda_t self:fifo_file rw_fifo_file_perms;
allow amanda_t self:unix_stream_socket { accept listen };
allow amanda_t self:tcp_socket { accept listen };
-@@ -71,6 +70,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
+@@ -71,6 +73,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
@@ -1917,7 +1950,7 @@ index ed45974..46e2c0d 100644
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
-@@ -100,7 +100,6 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
+@@ -100,13 +103,14 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
corecmd_exec_shell(amanda_t)
corecmd_exec_bin(amanda_t)
@@ -1925,7 +1958,15 @@ index ed45974..46e2c0d 100644
corenet_all_recvfrom_netlabel(amanda_t)
corenet_tcp_sendrecv_generic_if(amanda_t)
corenet_tcp_sendrecv_generic_node(amanda_t)
-@@ -170,7 +169,6 @@ kernel_read_system_state(amanda_recover_t)
+ corenet_tcp_sendrecv_all_ports(amanda_t)
+ corenet_tcp_bind_generic_node(amanda_t)
+
++corenet_tcp_bind_amanda_port(amanda_t)
++
+ corenet_sendrecv_all_server_packets(amanda_t)
+ corenet_tcp_bind_all_rpc_ports(amanda_t)
+ corenet_tcp_bind_generic_port(amanda_t)
+@@ -170,7 +174,6 @@ kernel_read_system_state(amanda_recover_t)
corecmd_exec_shell(amanda_recover_t)
corecmd_exec_bin(amanda_recover_t)
@@ -1933,7 +1974,7 @@ index ed45974..46e2c0d 100644
corenet_all_recvfrom_netlabel(amanda_recover_t)
corenet_tcp_sendrecv_generic_if(amanda_recover_t)
corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -195,12 +193,12 @@ files_search_tmp(amanda_recover_t)
+@@ -195,12 +198,16 @@ files_search_tmp(amanda_recover_t)
auth_use_nsswitch(amanda_recover_t)
@@ -1949,6 +1990,10 @@ index ed45974..46e2c0d 100644
userdom_search_user_home_content(amanda_recover_t)
+
+optional_policy(`
++ inetd_service_domain(amanda_t, amanda_inetd_exec_t)
++')
++
++optional_policy(`
+ fstools_domtrans(amanda_t)
+ fstools_signal(amanda_t)
+')
@@ -2527,10 +2572,10 @@ index 0000000..df5b3be
+')
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
-index 0000000..1a35e88
+index 0000000..36cb011
--- /dev/null
+++ b/antivirus.te
-@@ -0,0 +1,248 @@
+@@ -0,0 +1,252 @@
+policy_module(antivirus, 1.0.0)
+
+########################################
@@ -2753,6 +2798,10 @@ index 0000000..1a35e88
+')
+
+optional_policy(`
++ mysql_stream_connect(antivirus_domain)
++')
++
++optional_policy(`
+ postfix_read_config(antivirus_domain)
+ postfix_list_spool(antivirus_domain)
+')
@@ -4475,10 +4524,10 @@ index 83e899c..c5be77c 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..3a12c26 100644
+index 1a82e29..392480e 100644
--- a/apache.te
+++ b/apache.te
-@@ -1,297 +1,360 @@
+@@ -1,297 +1,367 @@
-policy_module(apache, 2.6.10)
+policy_module(apache, 2.4.0)
+
@@ -4895,6 +4944,13 @@ index 1a82e29..3a12c26 100644
-## nfs file systems.
-##
+##
++## Allow httpd to connect to sasl
++##
++##
++gen_tunable(httpd_use_sasl, false)
++
++##