diff --git a/policy-f23-base.patch b/policy-f23-base.patch
index b9a8050..3b4fe09 100644
--- a/policy-f23-base.patch
+++ b/policy-f23-base.patch
@@ -2112,7 +2112,7 @@ index 688abc2..3d89250 100644
/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
+/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
-index 03ec5ca..a777e72 100644
+index 03ec5ca..48ab7f8 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -58,6 +58,7 @@ template(`su_restricted_domain_template', `
@@ -2162,7 +2162,7 @@ index 03ec5ca..a777e72 100644
allow $1_su_t $3:key search;
# Transition from the user domain to this domain.
-@@ -194,125 +182,12 @@ template(`su_role_template',`
+@@ -194,125 +182,16 @@ template(`su_role_template',`
allow $3 $1_su_t:process sigchld;
kernel_read_system_state($1_su_t)
@@ -2174,7 +2174,7 @@ index 03ec5ca..a777e72 100644
- dev_read_urand($1_su_t)
-
- fs_search_auto_mountpoints($1_su_t)
-
+-
- # needed for pam_rootok
- selinux_compute_access_vector($1_su_t)
-
@@ -2184,9 +2184,11 @@ index 03ec5ca..a777e72 100644
- auth_rw_faillog($1_su_t)
-
- corecmd_search_bin($1_su_t)
--
++ kernel_dontaudit_getattr_core_if($1_su_t)
+
- domain_use_interactive_fds($1_su_t)
--
++ auth_use_pam($1_su_t)
+
- files_read_etc_files($1_su_t)
- files_read_etc_runtime_files($1_su_t)
- files_search_var_lib($1_su_t)
@@ -2195,12 +2197,12 @@ index 03ec5ca..a777e72 100644
- init_dontaudit_use_fds($1_su_t)
- # Write to utmp.
- init_rw_utmp($1_su_t)
-+ auth_use_pam($1_su_t)
++ init_dontaudit_getattr_initctl($1_su_t)
mls_file_write_all_levels($1_su_t)
logging_send_syslog_msg($1_su_t)
--
+
- miscfiles_read_localization($1_su_t)
-
- userdom_use_user_terminals($1_su_t)
@@ -3475,7 +3477,7 @@ index 7590165..d81185e 100644
+ fs_mounton_fusefs(seunshare_domain)
')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 33e0f8d..b94f32f 100644
+index 33e0f8d..4b14465 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -3532,7 +3534,7 @@ index 33e0f8d..b94f32f 100644
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -101,8 +118,6 @@ ifdef(`distro_redhat',`
+@@ -101,11 +118,8 @@ ifdef(`distro_redhat',`
/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
@@ -3540,8 +3542,11 @@ index 33e0f8d..b94f32f 100644
-
/etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0)
- /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0)
-@@ -116,6 +131,9 @@ ifdef(`distro_redhat',`
+-/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/sysconfig/netconsole -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/sysconfig/readonly-root -- gen_context(system_u:object_r:bin_t,s0)
+
+@@ -116,6 +130,9 @@ ifdef(`distro_redhat',`
/etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -3551,7 +3556,7 @@ index 33e0f8d..b94f32f 100644
/etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
/etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0)
/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
-@@ -135,10 +153,12 @@ ifdef(`distro_debian',`
+@@ -135,10 +152,12 @@ ifdef(`distro_debian',`
/lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@@ -3565,7 +3570,7 @@ index 33e0f8d..b94f32f 100644
ifdef(`distro_gentoo',`
/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
-@@ -149,10 +169,12 @@ ifdef(`distro_gentoo',`
+@@ -149,10 +168,12 @@ ifdef(`distro_gentoo',`
/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -3579,7 +3584,7 @@ index 33e0f8d..b94f32f 100644
/sbin/.* gen_context(system_u:object_r:bin_t,s0)
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
-@@ -168,6 +190,7 @@ ifdef(`distro_gentoo',`
+@@ -168,6 +189,7 @@ ifdef(`distro_gentoo',`
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -3587,7 +3592,7 @@ index 33e0f8d..b94f32f 100644
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -179,34 +202,50 @@ ifdef(`distro_gentoo',`
+@@ -179,34 +201,50 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -3647,7 +3652,7 @@ index 33e0f8d..b94f32f 100644
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -218,19 +257,32 @@ ifdef(`distro_gentoo',`
+@@ -218,19 +256,32 @@ ifdef(`distro_gentoo',`
/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -3687,7 +3692,7 @@ index 33e0f8d..b94f32f 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
-@@ -245,26 +297,40 @@ ifdef(`distro_gentoo',`
+@@ -245,26 +296,40 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -3733,7 +3738,7 @@ index 33e0f8d..b94f32f 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -280,10 +346,14 @@ ifdef(`distro_gentoo',`
+@@ -280,10 +345,14 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -3748,7 +3753,7 @@ index 33e0f8d..b94f32f 100644
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -298,16 +368,22 @@ ifdef(`distro_gentoo',`
+@@ -298,16 +367,22 @@ ifdef(`distro_gentoo',`
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
@@ -3773,7 +3778,7 @@ index 33e0f8d..b94f32f 100644
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -325,20 +401,27 @@ ifdef(`distro_redhat', `
+@@ -325,20 +400,27 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -3802,7 +3807,7 @@ index 33e0f8d..b94f32f 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -346,6 +429,7 @@ ifdef(`distro_redhat', `
+@@ -346,6 +428,7 @@ ifdef(`distro_redhat', `
/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -3810,7 +3815,7 @@ index 33e0f8d..b94f32f 100644
/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
-@@ -387,17 +471,34 @@ ifdef(`distro_suse', `
+@@ -387,17 +470,34 @@ ifdef(`distro_suse', `
#
# /var
#
@@ -5689,7 +5694,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..e3122b4 100644
+index b191055..e4b4e8d 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5927,7 +5932,7 @@ index b191055..e3122b4 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,101 +238,128 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,101 +238,129 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5978,6 +5983,7 @@ index b191055..e3122b4 100644
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
+network_port(preupgrade, tcp, 8099, s0)
network_port(printer, tcp,515,s0)
++network_port(prosody, tcp,5280-5281,s0)
network_port(ptal, tcp,5703,s0)
-network_port(pulseaudio, tcp,4713,s0)
+network_port(pulseaudio, tcp,4713,s0, udp,4713,s0)
@@ -6074,7 +6080,7 @@ index b191055..e3122b4 100644
network_port(xserver, tcp,6000-6020,s0)
network_port(zarafa, tcp,236,s0, tcp,237,s0)
network_port(zabbix, tcp,10051,s0)
-@@ -288,19 +367,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +368,23 @@ network_port(zabbix_agent, tcp,10050,s0)
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
@@ -6101,7 +6107,7 @@ index b191055..e3122b4 100644
########################################
#
-@@ -333,6 +416,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +417,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@@ -6110,7 +6116,7 @@ index b191055..e3122b4 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
-@@ -345,9 +430,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +431,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -25849,7 +25855,7 @@ index fe0c682..3ad1b1f 100644
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index cc877c7..b8e6e98 100644
+index cc877c7..4d56aea 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2)
@@ -25936,7 +25942,7 @@ index cc877c7..b8e6e98 100644
type ssh_t;
type ssh_exec_t;
-@@ -67,15 +93,17 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t)
+@@ -67,25 +93,28 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t)
type ssh_tmpfs_t;
typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
@@ -25957,7 +25963,11 @@ index cc877c7..b8e6e98 100644
##############################
#
-@@ -86,6 +114,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+ # SSH client local policy
+ #
+
+-allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
++allow ssh_t self:capability { setpcap setuid setgid dac_override dac_read_search };
allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow ssh_t self:fd use;
allow ssh_t self:fifo_file rw_fifo_file_perms;
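Review bot: The new `allow ssh_t self:capability { setpcap setuid setgid dac_override dac_read_search };` adds setpcap to the ssh client domain, which lets it alter its own capability bounding set, and nothing in the hunk says which client operation needs it. A short comment above the rule, e.g. `# setpcap: observed in denial <AUDIT-REF-PLACEHOLDER>, presumably capability dropping at startup — confirm`, would let a later reviewer judge whether the grant is still required. The "SSH client local policy" section begins in this hunk but its body continues outside it.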
@@ -38417,10 +38427,10 @@ index 6b91740..3af8a10 100644
+/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
-index 58bc27f..8f7b119 100644
+index 58bc27f..9e86fce 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
-@@ -1,5 +1,22 @@
+@@ -1,5 +1,41 @@
## Policy for logical volume management programs.
+
@@ -38440,10 +38450,29 @@ index 58bc27f..8f7b119 100644
+ ')
+')
+
++########################################
++##
++## Get the attribute of lvm entrypoint files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`lvm_getattr_exec_files',`
++ gen_require(`
++ type lvm_exec_t;
++ ')
++
++ files_list_etc($1)
++ allow $1 lvm_exec_t:file getattr;
++')
++
########################################
##
## Execute lvm programs in the lvm domain.
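Review bot: The new `lvm_getattr_exec_files` interface calls `files_list_etc($1)` although the only access it grants is `allow $1 lvm_exec_t:file getattr;`; unless lvm_exec_t labels files under /etc (the hunk does not show lvm.fc), the directory search a caller needs is `corecmd_search_bin($1)`, so the /etc listing looks misplaced. Check lvm.fc and either replace the line with `corecmd_search_bin($1)` or add a comment stating which /etc path carries lvm_exec_t. The summary `## Get the attribute of lvm entrypoint files.` would read better as `## Get the attributes of lvm executable files.`, matching the rule.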
-@@ -86,6 +103,50 @@ interface(`lvm_read_config',`
+@@ -86,6 +122,50 @@ interface(`lvm_read_config',`
########################################
##
@@ -38494,7 +38523,7 @@ index 58bc27f..8f7b119 100644
## Manage LVM configuration files.
##
##
-@@ -105,6 +166,25 @@ interface(`lvm_manage_config',`
+@@ -105,6 +185,25 @@ interface(`lvm_manage_config',`
manage_files_pattern($1, lvm_etc_t, lvm_etc_t)
')
@@ -38520,7 +38549,7 @@ index 58bc27f..8f7b119 100644
######################################
##
## Execute a domain transition to run clvmd.
-@@ -123,3 +203,175 @@ interface(`lvm_domtrans_clvmd',`
+@@ -123,3 +222,175 @@ interface(`lvm_domtrans_clvmd',`
corecmd_search_bin($1)
domtrans_pattern($1, clvmd_exec_t, clvmd_t)
')
@@ -47232,7 +47261,7 @@ index db75976..c54480a 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..faf2340 100644
+index 9dc60c6..6879008 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -48243,7 +48272,7 @@ index 9dc60c6..faf2340 100644
+ allow $1_t self:process ~{ ptrace execmem execstack execheap };
+
+ tunable_policy(`selinuxuser_use_ssh_chroot',`
-+ allow $1_t self:capability { setuid setgid sys_chroot };
++ allow $1_t self:capability { sys_chroot };
+ ')
- allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
diff --git a/policy-f23-contrib.patch b/policy-f23-contrib.patch
index e3def8d..6b3d7d8 100644
--- a/policy-f23-contrib.patch
+++ b/policy-f23-contrib.patch
@@ -11075,10 +11075,12 @@ index c5a9113..1919abd 100644
xen_dontaudit_rw_unix_stream_sockets(brctl_t)
diff --git a/brltty.fc b/brltty.fc
new file mode 100644
-index 0000000..0cfe342
+index 0000000..05e3528
--- /dev/null
+++ b/brltty.fc
-@@ -0,0 +1,8 @@
+@@ -0,0 +1,10 @@
++/tmp/brltty\.log.* -- gen_context(system_u:object_r:brltty_log_t,s0)
++
+/usr/lib/systemd/system/brltty.* -- gen_context(system_u:object_r:brltty_unit_file_t,s0)
+
+/usr/bin/brltty -- gen_context(system_u:object_r:brltty_exec_t,s0)
@@ -11175,10 +11177,10 @@ index 0000000..968c957
+')
diff --git a/brltty.te b/brltty.te
new file mode 100644
-index 0000000..eabda1e
+index 0000000..c167267
--- /dev/null
+++ b/brltty.te
-@@ -0,0 +1,62 @@
+@@ -0,0 +1,70 @@
+policy_module(brltty, 1.0.0)
+
+########################################
@@ -11196,6 +11198,9 @@ index 0000000..eabda1e
+type brltty_var_run_t;
+files_pid_file(brltty_var_run_t)
+
++type brltty_log_t;
++logging_log_file(brltty_log_t)
++
+type brltty_unit_file_t;
+systemd_unit_file(brltty_unit_file_t)
+
@@ -11210,6 +11215,11 @@ index 0000000..eabda1e
+allow brltty_t self:unix_stream_socket create_stream_socket_perms;
+allow brltty_t self:tcp_socket listen;
+
++manage_files_pattern(brltty_t, brltty_log_t, brltty_log_t)
++manage_sock_files_pattern(brltty_t, brltty_log_t, brltty_log_t)
++manage_lnk_files_pattern(brltty_t, brltty_log_t, brltty_log_t)
++files_tmp_filetrans(brltty_t, brltty_log_t, { file dir })
++
+manage_dirs_pattern(brltty_t, brltty_var_lib_t, brltty_var_lib_t)
+manage_files_pattern(brltty_t, brltty_var_lib_t, brltty_var_lib_t)
+manage_sock_files_pattern(brltty_t,brltty_var_lib_t, brltty_var_lib_t)
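Review bot: `files_tmp_filetrans(brltty_t, brltty_log_t, { file dir })` carries no filename argument, so every file or directory brltty_t creates under /tmp is labeled brltty_log_t, not only the log that the `/tmp/brltty\.log.*` entry in brltty.fc describes. A name-qualified transition such as `files_tmp_filetrans(brltty_t, brltty_log_t, file, "brltty.log")` would keep brltty's other temporary files on a tmp type; since the fc pattern ends in `.*`, confirm which rotated names are actually created before adding the filter. The brltty_t local policy continues outside the hunk.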
@@ -28193,7 +28203,7 @@ index 50d0084..94e1936 100644
fail2ban_run_client($1, $2)
diff --git a/fail2ban.te b/fail2ban.te
-index cf0e567..7945ad9 100644
+index cf0e567..7bebd26 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
@@ -28274,7 +28284,13 @@ index cf0e567..7945ad9 100644
shorewall_domtrans(fail2ban_t)
')
-@@ -131,22 +146,32 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+@@ -126,27 +141,37 @@ optional_policy(`
+ # Client Local policy
+ #
+
+-allow fail2ban_client_t self:capability dac_read_search;
++allow fail2ban_client_t self:capability { dac_read_search dac_override };
+ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
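Review bot: The widened `allow fail2ban_client_t self:capability { dac_read_search dac_override };` also bypasses DAC write checks, whereas dac_read_search already covers reading and searching paths the client does not own. If the denial that motivated this was read-only (presumably reaching the server socket directory), the original capability suffices; if a write denial was seen, a one-line comment naming it, e.g. `# dac_override: <DENIAL-REF-PLACEHOLDER>`, would justify the broader grant. The "Client Local policy" block continues outside the hunk.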
@@ -28652,7 +28668,7 @@ index c62c567..2d9e254 100644
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
-index 98072a3..18a2ef2 100644
+index 98072a3..50e7985 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
@@ -28696,7 +28712,7 @@ index 98072a3..18a2ef2 100644
kernel_read_network_state(firewalld_t)
kernel_read_system_state(firewalld_t)
-@@ -63,20 +77,20 @@ dev_search_sysfs(firewalld_t)
+@@ -63,20 +77,21 @@ dev_search_sysfs(firewalld_t)
domain_use_interactive_fds(firewalld_t)
@@ -28721,10 +28737,11 @@ index 98072a3..18a2ef2 100644
-sysnet_read_config(firewalld_t)
+sysnet_dns_name_resolve(firewalld_t)
+sysnet_manage_config_dirs(firewalld_t)
++sysnet_create_config(firewalld_t)
optional_policy(`
dbus_system_domain(firewalld_t, firewalld_exec_t)
-@@ -95,6 +109,10 @@ optional_policy(`
+@@ -95,6 +110,10 @@ optional_policy(`
')
optional_policy(`
@@ -36688,10 +36705,10 @@ index 6517fad..f183748 100644
+ allow $1 hypervkvp_unit_file_t:service all_service_perms;
')
diff --git a/hypervkvp.te b/hypervkvp.te
-index 4eb7041..3ba4a51 100644
+index 4eb7041..9717a5a 100644
--- a/hypervkvp.te
+++ b/hypervkvp.te
-@@ -5,24 +5,139 @@ policy_module(hypervkvp, 1.0.0)
+@@ -5,24 +5,141 @@ policy_module(hypervkvp, 1.0.0)
# Declarations
#
@@ -36778,6 +36795,8 @@ index 4eb7041..3ba4a51 100644
+
+files_dontaudit_search_home(hypervkvp_t)
+
++fs_getattr_all_fs(hypervkvp_t)
++
+auth_use_nsswitch(hypervkvp_t)
+
+logging_send_syslog_msg(hypervkvp_t)
@@ -37000,7 +37019,7 @@ index fbb54e7..05c3777 100644
########################################
diff --git a/inetd.te b/inetd.te
-index c6450df..a28aa13 100644
+index c6450df..6304b00 100644
--- a/inetd.te
+++ b/inetd.te
@@ -37,9 +37,9 @@ ifdef(`enable_mcs',`
@@ -37090,7 +37109,7 @@ index c6450df..a28aa13 100644
dev_read_urand(inetd_child_t)
fs_getattr_xattr_fs(inetd_child_t)
-@@ -230,7 +243,11 @@ auth_use_nsswitch(inetd_child_t)
+@@ -230,7 +243,15 @@ auth_use_nsswitch(inetd_child_t)
logging_send_syslog_msg(inetd_child_t)
@@ -37100,6 +37119,10 @@ index c6450df..a28aa13 100644
+optional_policy(`
+ kerberos_use(inetd_child_t)
+')
++
++optional_policy(`
++ systemd_dbus_chat_logind(inetd_child_t)
++')
optional_policy(`
unconfined_domain(inetd_child_t)
@@ -41779,7 +41802,7 @@ index f6c00d8..e3cb4f1 100644
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
')
diff --git a/kerberos.te b/kerberos.te
-index 8833d59..1d0599a 100644
+index 8833d59..a6356be 100644
--- a/kerberos.te
+++ b/kerberos.te
@@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0)
@@ -42048,7 +42071,7 @@ index 8833d59..1d0599a 100644
selinux_validate_context(krb5kdc_t)
-+auth_read_passwd(krb5kdc_t)
++auth_use_nsswitch(krb5kdc_t)
+
logging_send_syslog_msg(krb5kdc_t)
@@ -45966,10 +45989,10 @@ index 0000000..bdd17ca
+/var/run/lttng(/.*)? gen_context(system_u:object_r:lttng_sessiond_var_run_t,s0)
diff --git a/lttng-tools.if b/lttng-tools.if
new file mode 100644
-index 0000000..6b0da33
+index 0000000..e86897d
--- /dev/null
+++ b/lttng-tools.if
-@@ -0,0 +1,98 @@
+@@ -0,0 +1,117 @@
+
+## LTTng 2.x central tracing registry session daemon.
+
@@ -46068,6 +46091,25 @@ index 0000000..6b0da33
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
++
++########################################
++##
++## Read and write lttng-tools shared memory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`lttng_read_shm',`
++ gen_require(`
++ type lttng_sessiond_tmpfs_t;
++ ')
++
++ read_files_pattern($1, lttng_sessiond_tmpfs_t, lttng_sessiond_tmpfs_t)
++ fs_search_tmpfs($1)
++')
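Review bot: The summary `## Read and write lttng-tools shared memory.` does not match the rule body, which grants only `read_files_pattern($1, lttng_sessiond_tmpfs_t, lttng_sessiond_tmpfs_t)`, and the interface is named `lttng_read_shm`. Either change the summary to `## Read lttng-tools shared memory.` or, if write access is intended, use `rw_files_pattern` and rename the interface to say so. A mismatch here would mislead anyone picking the interface from the generated documentation.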
diff --git a/lttng-tools.te b/lttng-tools.te
new file mode 100644
index 0000000..0b9ade5
@@ -48881,10 +48923,10 @@ index 0000000..f5b98e6
+')
diff --git a/mock.te b/mock.te
new file mode 100644
-index 0000000..86766b0
+index 0000000..66c45cb
--- /dev/null
+++ b/mock.te
-@@ -0,0 +1,278 @@
+@@ -0,0 +1,284 @@
+policy_module(mock,1.0.0)
+
+##
@@ -49031,7 +49073,13 @@ index 0000000..86766b0
+logging_send_audit_msgs(mock_t)
+logging_send_syslog_msg(mock_t)
+
++lvm_manage_lock(mock_t)
++lvm_read_config(mock_t)
++lvm_read_metadata(mock_t)
++lvm_getattr_exec_files(mock_t)
++
+userdom_use_user_ptys(mock_t)
++userdom_use_user_ttys(mock_t)
+
+files_search_home(mock_t)
+
@@ -59428,7 +59476,7 @@ index ba64485..429bd79 100644
+
+/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
diff --git a/nscd.if b/nscd.if
-index 8f2ab09..cd5d344 100644
+index 8f2ab09..a298198 100644
--- a/nscd.if
+++ b/nscd.if
@@ -1,8 +1,8 @@
@@ -59614,16 +59662,34 @@ index 8f2ab09..cd5d344 100644
##
##
##
-@@ -193,7 +214,7 @@ interface(`nscd_dontaudit_search_pid',`
+@@ -193,7 +214,25 @@ interface(`nscd_dontaudit_search_pid',`
########################################
##
-## Read nscd pid files.
++## Do not audit attempts to read the NSCD pid directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`nscd_dontaudit_read_pid',`
++ gen_require(`
++ type nscd_var_run_t;
++ ')
++
++ dontaudit $1 nscd_var_run_t:file read_file_perms;
++')
++
++########################################
++##
+## Read NSCD pid file.
##
##
##
-@@ -212,7 +233,7 @@ interface(`nscd_read_pid',`
+@@ -212,7 +251,7 @@ interface(`nscd_read_pid',`
########################################
##
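Review bot: The new summary `## Do not audit attempts to read the NSCD pid directory.` describes a directory, but the rule is `dontaudit $1 nscd_var_run_t:file read_file_perms;`, which silences file reads only. Suggest `## Do not audit attempts to read NSCD pid files.` or, if directory listing is also meant to be silenced, add `dontaudit $1 nscd_var_run_t:dir list_dir_perms;`. The interface is complete within the hunk; the following `nscd_read_pid` one is not.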
@@ -59632,7 +59698,7 @@ index 8f2ab09..cd5d344 100644
##
##
##
-@@ -244,20 +265,20 @@ interface(`nscd_unconfined',`
+@@ -244,20 +283,20 @@ interface(`nscd_unconfined',`
## Role allowed access.
##
##
@@ -59657,7 +59723,7 @@ index 8f2ab09..cd5d344 100644
##
##
##
-@@ -275,8 +296,32 @@ interface(`nscd_initrc_domtrans',`
+@@ -275,8 +314,32 @@ interface(`nscd_initrc_domtrans',`
########################################
##
@@ -59692,7 +59758,7 @@ index 8f2ab09..cd5d344 100644
##
##
##
-@@ -285,7 +330,7 @@ interface(`nscd_initrc_domtrans',`
+@@ -285,7 +348,7 @@ interface(`nscd_initrc_domtrans',`
##
##
##
@@ -59701,7 +59767,7 @@ index 8f2ab09..cd5d344 100644
##
##
##
-@@ -294,10 +339,14 @@ interface(`nscd_admin',`
+@@ -294,10 +357,14 @@ interface(`nscd_admin',`
gen_require(`
type nscd_t, nscd_log_t, nscd_var_run_t;
type nscd_initrc_exec_t;
@@ -59717,7 +59783,7 @@ index 8f2ab09..cd5d344 100644
init_labeled_script_domtrans($1, nscd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -310,5 +359,7 @@ interface(`nscd_admin',`
+@@ -310,5 +377,7 @@ interface(`nscd_admin',`
files_list_pids($1)
admin_pattern($1, nscd_var_run_t)
@@ -60040,7 +60106,7 @@ index a9c60ff..ad4f14a 100644
+ refpolicywarn(`$0($*) has been deprecated.')
')
diff --git a/nsd.te b/nsd.te
-index 47bb1d2..b73b24e 100644
+index 47bb1d2..fcd0c38 100644
--- a/nsd.te
+++ b/nsd.te
@@ -9,9 +9,7 @@ type nsd_t;
@@ -60088,14 +60154,15 @@ index 47bb1d2..b73b24e 100644
+allow nsd_t self:udp_socket create_socket_perms;
allow nsd_t self:fifo_file rw_fifo_file_perms;
-allow nsd_t self:tcp_socket { accept listen };
-
- allow nsd_t nsd_conf_t:dir list_dir_perms;
+-
+-allow nsd_t nsd_conf_t:dir list_dir_perms;
-allow nsd_t nsd_conf_t:file read_file_perms;
-allow nsd_t nsd_conf_t:lnk_file read_lnk_file_perms;
--
+
-allow nsd_t nsd_db_t:file manage_file_perms;
-filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file)
-+read_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
++manage_dirs_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
++manage_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
+read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t)
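Review bot: Replacing `read_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)` with `manage_dirs_pattern`/`manage_files_pattern` lets the daemon domain create, rewrite and delete its own configuration, so nsd_conf_t no longer bounds what a compromised nsd_t can change about itself. If write access is needed only for a specific file or subdirectory under the config tree, a dedicated writable type with a filetrans would keep the main configuration read-only; if full write access is intended, a comment stating which nsd feature requires it would make the grant reviewable. The nsd_t local policy continues outside the hunk.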
@@ -64937,7 +65004,7 @@ index 6837e9a..8d6e33b 100644
domain_system_change_exemption($1)
role_transition $2 openvpn_initrc_exec_t system_r;
diff --git a/openvpn.te b/openvpn.te
-index 63957a3..a6cf637 100644
+index 63957a3..91dead6 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2)
@@ -64991,7 +65058,7 @@ index 63957a3..a6cf637 100644
allow openvpn_t openvpn_etc_t:dir list_dir_perms;
allow openvpn_t openvpn_etc_t:file read_file_perms;
allow openvpn_t openvpn_etc_t:lnk_file read_lnk_file_perms;
-@@ -73,13 +85,17 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
+@@ -73,18 +85,23 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
allow openvpn_t openvpn_status_t:file manage_file_perms;
logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
@@ -65012,7 +65079,14 @@ index 63957a3..a6cf637 100644
logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
-@@ -97,7 +113,6 @@ kernel_request_load_module(openvpn_t)
+ manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
+-files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
++manage_sock_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
++files_pid_filetrans(openvpn_t, openvpn_var_run_t, { sock_file file dir })
+
+ can_exec(openvpn_t, openvpn_etc_t)
+
+@@ -97,7 +114,6 @@ kernel_request_load_module(openvpn_t)
corecmd_exec_bin(openvpn_t)
corecmd_exec_shell(openvpn_t)
@@ -65020,7 +65094,7 @@ index 63957a3..a6cf637 100644
corenet_all_recvfrom_netlabel(openvpn_t)
corenet_tcp_sendrecv_generic_if(openvpn_t)
corenet_udp_sendrecv_generic_if(openvpn_t)
-@@ -117,13 +132,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
+@@ -117,13 +133,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
corenet_sendrecv_http_server_packets(openvpn_t)
corenet_tcp_bind_http_port(openvpn_t)
corenet_sendrecv_http_client_packets(openvpn_t)
@@ -65037,7 +65111,7 @@ index 63957a3..a6cf637 100644
corenet_rw_tun_tap_dev(openvpn_t)
dev_read_rand(openvpn_t)
-@@ -132,21 +149,31 @@ files_read_etc_runtime_files(openvpn_t)
+@@ -132,21 +150,31 @@ files_read_etc_runtime_files(openvpn_t)
fs_getattr_all_fs(openvpn_t)
fs_search_auto_mountpoints(openvpn_t)
@@ -65072,7 +65146,7 @@ index 63957a3..a6cf637 100644
')
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-@@ -164,10 +191,20 @@ tunable_policy(`openvpn_can_network_connect',`
+@@ -164,10 +192,20 @@ tunable_policy(`openvpn_can_network_connect',`
')
optional_policy(`
@@ -65093,7 +65167,7 @@ index 63957a3..a6cf637 100644
dbus_system_bus_client(openvpn_t)
dbus_connect_system_bus(openvpn_t)
-@@ -175,3 +212,27 @@ optional_policy(`
+@@ -175,3 +213,27 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
')
')
@@ -67026,10 +67100,10 @@ index 0000000..80246e6
+
diff --git a/pcp.te b/pcp.te
new file mode 100644
-index 0000000..778faa9
+index 0000000..2692b16
--- /dev/null
+++ b/pcp.te
-@@ -0,0 +1,276 @@
+@@ -0,0 +1,278 @@
+policy_module(pcp, 1.0.0)
+
+########################################
@@ -67140,6 +67214,7 @@ index 0000000..778faa9
+# pcp_pmcd local policy
+#
+
++allow pcp_pmcd_t self:capability sys_admin;
+allow pcp_pmcd_t self:process { setsched };
+allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;
+
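Review bot: `allow pcp_pmcd_t self:capability sys_admin;` is the broadest capability in the policy and the hunk gives no hint which pmcd operation needs it; the next hunk's `dev_rw_lvm_control(pcp_pmcd_t)` likewise lacks a rationale. A comment above each, e.g. `# sys_admin: required for <OPERATION-PLACEHOLDER>, see <DENIAL-REF-PLACEHOLDER>`, or scoping the grant behind a tunable if it serves only an optional PMDA, would let later maintainers decide whether it can be dropped. The pcp_pmcd local policy continues outside the hunk.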
@@ -67156,6 +67231,7 @@ index 0000000..778faa9
+corenet_tcp_connect_amqp_port(pcp_pmcd_t)
+
+dev_read_sysfs(pcp_pmcd_t)
++dev_rw_lvm_control(pcp_pmcd_t)
+
+domain_read_all_domains_state(pcp_pmcd_t)
+domain_getattr_all_domains(pcp_pmcd_t)
@@ -69003,13 +69079,15 @@ index 0000000..a989aea
+
+sysnet_read_config(piranha_domain)
diff --git a/pkcs.fc b/pkcs.fc
-index 9a72226..0351b1e 100644
+index 9a72226..b296894 100644
--- a/pkcs.fc
+++ b/pkcs.fc
-@@ -4,4 +4,6 @@
+@@ -4,4 +4,8 @@
/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0)
++/var/log/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_log_t,s0)
++
+/var/lock/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_lock_t,s0)
+
/var/run/pkcsslotd.* gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0)
@@ -69037,10 +69115,10 @@ index 69be2aa..2d7b3f6 100644
admin_pattern($1, pkcs_slotd_var_run_t)
diff --git a/pkcs.te b/pkcs.te
-index 8eb3f7b..ee837c6 100644
+index 8eb3f7b..81ee57d 100644
--- a/pkcs.te
+++ b/pkcs.te
-@@ -7,21 +7,31 @@ policy_module(pkcs, 1.0.1)
+@@ -7,21 +7,34 @@ policy_module(pkcs, 1.0.1)
type pkcs_slotd_t;
type pkcs_slotd_exec_t;
@@ -69059,6 +69137,9 @@ index 8eb3f7b..ee837c6 100644
+typealias pkcs_slotd_lock_t alias pkcsslotd_lock_t;
+files_lock_file(pkcs_slotd_lock_t)
+
++type pkcs_slotd_log_t;
++logging_log_file(pkcs_slotd_log_t)
++
type pkcs_slotd_var_run_t;
+typealias pkcs_slotd_var_run_t alias pkcsslotd_var_run_t;
files_pid_file(pkcs_slotd_var_run_t)
@@ -69072,16 +69153,22 @@ index 8eb3f7b..ee837c6 100644
files_tmpfs_file(pkcs_slotd_tmpfs_t)
########################################
-@@ -40,6 +50,8 @@ manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
+@@ -40,6 +53,14 @@ manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
manage_lnk_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
files_var_lib_filetrans(pkcs_slotd_t, pkcs_slotd_var_lib_t, dir)
+manage_files_pattern(pkcs_slotd_t, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
++manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
++files_lock_filetrans(pkcs_slotd_t, pkcs_slotd_lock_t, dir)
++
++manage_files_pattern(pkcs_slotd_t, pkcs_slotd_log_t, pkcs_slotd_log_t)
++manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_log_t, pkcs_slotd_log_t)
++logging_log_filetrans(pkcs_slotd_t, pkcs_slotd_log_t, dir)
+
manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
manage_sock_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
-@@ -51,10 +63,12 @@ files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir)
+@@ -51,10 +72,12 @@ files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir)
manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
@@ -76121,10 +76208,10 @@ index 0000000..8231f4f
+')
diff --git a/prosody.te b/prosody.te
new file mode 100644
-index 0000000..3ef4a99
+index 0000000..d9a9124
--- /dev/null
+++ b/prosody.te
-@@ -0,0 +1,97 @@
+@@ -0,0 +1,98 @@
+policy_module(prosody, 1.0.0)
+
+########################################
@@ -76197,6 +76284,7 @@ index 0000000..3ef4a99
+corenet_tcp_connect_postgresql_port(prosody_t)
+corenet_tcp_connect_jabber_interserver_port(prosody_t)
+corenet_tcp_connect_jabber_client_port(prosody_t)
++corenet_tcp_bind_prosody_port(prosody_t)
+corenet_tcp_bind_jabber_client_port(prosody_t)
+corenet_tcp_bind_jabber_interserver_port(prosody_t)
+corenet_tcp_bind_jabber_router_port(prosody_t)
@@ -84609,7 +84697,7 @@ index 47de2d6..dfb3396 100644
+/var/log/pacemaker\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0)
diff --git a/rhcs.if b/rhcs.if
-index c8bdea2..29df561 100644
+index c8bdea2..b2d9745 100644
--- a/rhcs.if
+++ b/rhcs.if
@@ -1,19 +1,19 @@
@@ -84638,7 +84726,7 @@ index c8bdea2..29df561 100644
')
##############################
-@@ -43,33 +43,29 @@ template(`rhcs_domain_template',`
+@@ -43,11 +43,6 @@ template(`rhcs_domain_template',`
manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
@@ -84650,11 +84738,9 @@ index c8bdea2..29df561 100644
logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file })
manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
- manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
- manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+@@ -56,20 +51,21 @@ template(`rhcs_domain_template',`
manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
-- files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file })
-+ files_pid_filetrans($1_t, $1_var_run_t, { file sock_file fifo_file })
+ files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file })
- optional_policy(`
- dbus_system_bus_client($1_t)
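Review bot: The reworked inner hunk now keeps `files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file })` as unchanged context, so the `dir` class is no longer stripped from the transition in `rhcs_domain_template` as the previous version of this patch did; directories a cluster daemon creates under /var/run will again be labeled `$1_var_run_t` instead of inheriting the parent directory's label. That is a behavior change for every caller of the template, and neither the hunk nor the changelog says whether the earlier removal or this restoration is the intended state. If it is deliberate, a comment above the line, e.g. `# dir transition kept on purpose: <reason>`, would keep the next rebase from flipping it back. The template body begins and ends outside the hunk.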
@@ -99338,7 +99424,7 @@ index 7d86b34..5f58180 100644
+ files_list_pids($1)
')
diff --git a/snort.te b/snort.te
-index 1af72df..7e55b50 100644
+index 1af72df..ffccc41 100644
--- a/snort.te
+++ b/snort.te
@@ -32,10 +32,13 @@ files_pid_file(snort_var_run_t)
@@ -99375,7 +99461,7 @@ index 1af72df..7e55b50 100644
corenet_all_recvfrom_netlabel(snort_t)
corenet_tcp_sendrecv_generic_if(snort_t)
corenet_udp_sendrecv_generic_if(snort_t)
-@@ -86,18 +86,17 @@ dev_rw_generic_usb_dev(snort_t)
+@@ -86,18 +86,19 @@ dev_rw_generic_usb_dev(snort_t)
domain_use_interactive_fds(snort_t)
@@ -99387,6 +99473,8 @@ index 1af72df..7e55b50 100644
+auth_read_passwd(snort_t)
+
++auth_use_nsswitch(snort_t)
++
init_read_utmp(snort_t)
logging_send_syslog_msg(snort_t)
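Review bot: `auth_use_nsswitch(snort_t)` is a broad grant (name-service resolution plus, depending on the base policy, access to the nscd, sssd, ldap and kerberos paths), and the hunk gives no indication which denial motivated it. If snort only needs passwd/group lookups, `auth_read_passwd(snort_t)` two lines above already covers that, and on this base policy `auth_use_nsswitch` may itself imply it, in which case one of the two rules is redundant. A one-line comment above the new rule, e.g. `# <bug reference>: why snort_t needs full nsswitch access`, would let a later reviewer judge whether a narrower interface suffices.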
@@ -101249,10 +101337,10 @@ index b38b8b1..eb36653 100644
userdom_dontaudit_search_user_home_dirs(speedmgmt_t)
diff --git a/squid.fc b/squid.fc
-index 0a8b0f7..0630506 100644
+index 0a8b0f7..03fb6b1 100644
--- a/squid.fc
+++ b/squid.fc
-@@ -1,20 +1,26 @@
+@@ -1,20 +1,28 @@
-/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
+/dev/shm/squid-* -- gen_context(system_u:object_r:squid_tmpfs_t,s0)
@@ -101262,6 +101350,8 @@ index 0a8b0f7..0630506 100644
+/etc/lightsquid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
-/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
++/usr/libexec/squid/cache_swap\.sh -- gen_context(system_u:object_r:squid_exec_t,s0)
++
+/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:squid_script_exec_t,s0)
+
+/usr/sbin/lightparser.pl -- gen_context(system_u:object_r:squid_cron_exec_t,s0)
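Review bot: Labeling `/usr/libexec/squid/cache_swap\.sh` as `squid_exec_t` turns a shell script into an entry point of `squid_t`, so whatever is allowed to transition on squid_exec_t will run it confined as squid. For that to work squid_t must be able to execute the shell interpreter and the tools the script invokes; squid.te is not in this chunk, so this should be checked, since a missing `corecmd_exec_shell(squid_t)` would only show up as denials when cache initialization runs. If the script is instead meant to run from a oneshot unit before the daemon starts, a dedicated type rather than the daemon's own entrypoint label would keep the two code paths separately auditable.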
@@ -102202,10 +102292,10 @@ index a240455..04419ae 100644
- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
-index 2d8db1f..a696686 100644
+index 2d8db1f..c420309 100644
--- a/sssd.te
+++ b/sssd.te
-@@ -28,17 +28,25 @@ logging_log_file(sssd_var_log_t)
+@@ -28,19 +28,28 @@ logging_log_file(sssd_var_log_t)
type sssd_var_run_t;
files_pid_file(sssd_var_run_t)
@@ -102233,8 +102323,11 @@ index 2d8db1f..a696686 100644
+allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t)
++list_dirs_pattern(sssd_t, sssd_conf_t, sssd_conf_t)
-@@ -51,9 +59,7 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+ manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
+ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+@@ -51,9 +60,7 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
@@ -102245,7 +102338,7 @@ index 2d8db1f..a696686 100644
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
-@@ -62,17 +68,13 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+@@ -62,17 +69,13 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
kernel_read_network_state(sssd_t)
kernel_read_system_state(sssd_t)
@@ -102267,7 +102360,7 @@ index 2d8db1f..a696686 100644
corecmd_exec_bin(sssd_t)
-@@ -83,28 +85,35 @@ domain_read_all_domains_state(sssd_t)
+@@ -83,28 +86,35 @@ domain_read_all_domains_state(sssd_t)
domain_obj_id_change_exemption(sssd_t)
files_list_tmp(sssd_t)
@@ -102307,7 +102400,7 @@ index 2d8db1f..a696686 100644
init_read_utmp(sssd_t)
-@@ -112,18 +121,64 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +122,64 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_generic_certs(sssd_t)
@@ -110834,7 +110927,7 @@ index facdee8..a81bff7 100644
+ typeattribute $1 sandbox_caps_domain;
')
diff --git a/virt.te b/virt.te
-index f03dcf5..4ad762f 100644
+index f03dcf5..c998aa3 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,234 @@
@@ -111814,7 +111907,7 @@ index f03dcf5..4ad762f 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -746,44 +674,284 @@ optional_policy(`
+@@ -746,44 +674,288 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@@ -111942,7 +112035,7 @@ index f03dcf5..4ad762f 100644
+dev_rw_kvm(virt_domain)
+dev_rw_qemu(virt_domain)
+dev_rw_inherited_vhost(virt_domain)
-+
+
+domain_use_interactive_fds(virt_domain)
+
+files_read_mnt_symlinks(virt_domain)
@@ -111984,6 +112077,10 @@ index f03dcf5..4ad762f 100644
+')
+
+optional_policy(`
++ nscd_dontaudit_read_pid(virt_domain)
++')
++
++optional_policy(`
+ ptchown_domtrans(virt_domain)
+')
+
@@ -112037,7 +112134,7 @@ index f03dcf5..4ad762f 100644
+ fs_read_cifs_symlinks(virt_domain)
+ fs_getattr_cifs(virt_domain)
+')
-
++
+tunable_policy(`virt_use_usb',`
+ dev_rw_usbfs(virt_domain)
+ dev_read_sysfs(virt_domain)
@@ -112121,7 +112218,7 @@ index f03dcf5..4ad762f 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +962,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +966,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -112148,7 +112245,7 @@ index f03dcf5..4ad762f 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +982,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +986,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -112165,10 +112262,10 @@ index f03dcf5..4ad762f 100644
-logging_send_syslog_msg(virsh_t)
+systemd_exec_systemctl(virsh_t)
-+
-+auth_read_passwd(virsh_t)
-miscfiles_read_localization(virsh_t)
++auth_read_passwd(virsh_t)
++
+logging_send_syslog_msg(virsh_t)
sysnet_dns_name_resolve(virsh_t)
@@ -112182,7 +112279,7 @@ index f03dcf5..4ad762f 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1019,20 @@ optional_policy(`
+@@ -856,14 +1023,20 @@ optional_policy(`
')
optional_policy(`
@@ -112204,7 +112301,7 @@ index f03dcf5..4ad762f 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1057,65 @@ optional_policy(`
+@@ -888,49 +1061,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -112288,7 +112385,7 @@ index f03dcf5..4ad762f 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1127,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1131,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -112308,7 +112405,7 @@ index f03dcf5..4ad762f 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1148,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1152,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -112332,7 +112429,7 @@ index f03dcf5..4ad762f 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1173,325 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1177,325 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -112348,21 +112445,21 @@ index f03dcf5..4ad762f 100644
+optional_policy(`
+ dbus_system_bus_client(virtd_lxc_t)
+ init_dbus_chat(virtd_lxc_t)
-+
+
+-miscfiles_read_localization(virtd_lxc_t)
+ optional_policy(`
+ hal_dbus_chat(virtd_lxc_t)
+ ')
+')
--miscfiles_read_localization(virtd_lxc_t)
-+optional_policy(`
-+ gnome_read_generic_cache_files(virtd_lxc_t)
-+')
-
-seutil_domtrans_setfiles(virtd_lxc_t)
-seutil_read_config(virtd_lxc_t)
-seutil_read_default_contexts(virtd_lxc_t)
+optional_policy(`
++ gnome_read_generic_cache_files(virtd_lxc_t)
++')
++
++optional_policy(`
+ setrans_manage_pid_files(virtd_lxc_t)
+')
@@ -112563,19 +112660,19 @@ index f03dcf5..4ad762f 100644
+ apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain)
+')
-+
-+optional_policy(`
-+ gear_read_pid_files(svirt_sandbox_domain)
-+')
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
-+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++ gear_read_pid_files(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++')
++
++optional_policy(`
+ ssh_use_ptys(svirt_sandbox_domain)
+')
+
@@ -112771,10 +112868,10 @@ index f03dcf5..4ad762f 100644
+fs_manage_cgroup_files(svirt_qemu_net_t)
+
+term_pty(svirt_sandbox_file_t)
-+
-+auth_use_nsswitch(svirt_qemu_net_t)
-allow svirt_prot_exec_t self:process { execmem execstack };
++auth_use_nsswitch(svirt_qemu_net_t)
++
+rpm_read_db(svirt_qemu_net_t)
+
+logging_send_syslog_msg(svirt_qemu_net_t)
@@ -112799,7 +112896,7 @@ index f03dcf5..4ad762f 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1504,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1508,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -112814,7 +112911,7 @@ index f03dcf5..4ad762f 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,7 +1522,7 @@ optional_policy(`
+@@ -1192,7 +1526,7 @@ optional_policy(`
########################################
#
@@ -112823,7 +112920,7 @@ index f03dcf5..4ad762f 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1531,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1535,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
@@ -113237,10 +113334,10 @@ index 0000000..afd0c97
+')
diff --git a/vmtools.te b/vmtools.te
new file mode 100644
-index 0000000..1928ad9
+index 0000000..f98f288
--- /dev/null
+++ b/vmtools.te
-@@ -0,0 +1,96 @@
+@@ -0,0 +1,100 @@
+policy_module(vmtools, 1.0.0)
+
+########################################
@@ -113316,6 +113413,10 @@ index 0000000..1928ad9
+')
+
+optional_policy(`
++ rpm_transition_script(vmtools_t,system_r)
++')
++
++optional_policy(`
+ unconfined_domain(vmtools_t)
+')
+
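Review bot: `rpm_transition_script(vmtools_t,system_r)` lacks the space after the comma that the rest of this patch uses for multi-argument interface calls (compare `manage_files_pattern(pkcs_slotd_t, pkcs_slotd_lock_t, pkcs_slotd_lock_t)` earlier in the file); `rpm_transition_script(vmtools_t, system_r)` keeps the style consistent. Beyond style, this lets vmtools_t enter the rpm scriptlet domain, one of the most privileged in the policy, while the block immediately below already applies `unconfined_domain(vmtools_t)`; if both are active the transition adds little, and if the unconfined block is slated for removal the rpm transition becomes the surviving privilege and deserves a note. A comment above the new block, e.g. `# <reason/bug reference>: vmtools_t must run rpm scriptlets`, would record why this is needed.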
diff --git a/selinux-policy.spec b/selinux-policy.spec
index cc43e3b..464f96f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 158.21%{?dist}
+Release: 158.22%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -653,6 +653,19 @@ exit 0
%endif
%changelog
+* Wed Jul 27 2016 Lukas Vrabec 3.13.1-158.22
+- Fix typo in brltty policy.
+- Allow pcp dmcache metrics collection
+- Allow pkcs_slotd_t to create dir in /var/lock Add label pkcs_slotd_log_t
+- Allow openvpn to create sock files labeled as openvpn_var_run_t
+- Allow hypervkvp daemon to getattr on all filesystem types.
+- Allow firewalld to create net_conf_t files
+- Allow mock to use lvm
+- Allow sshd setcap capability. This is needed due to latest changes in sshd Resolves: rhbz#1356245
+- corecmd: Remove fcontext for /etc/sysconfig/libvirtd
+- Add interface lvm_getattr_exec_files()
+- Dontaudit su_role_template interface to getattr /proc/kcore Dontaudit su_role_template interface to getattr /dev/initctl
+
* Tue Jun 28 2016 Lukas Vrabec 3.13.1-158.21
- Label /var/lib/softhsm as named_cache_t. Allow named_t to manage named_cache_t dirs.
- Allow firewalld_t to create entries in net_conf_t dirs.