From 540429c2f10af846131df9ec9ac0b0403c8fb30f Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Jul 31 2014 18:54:49 +0000
Subject: - Add new mozilla_plugin_bind_unreserved_ports boolean to allow mozilla plugin to use tcp/udp unreserved ports. There are a lot of plugins which bind ports without SELinux port type. We want to allow user
- Allow smokeping cgi scripts to accept connection on httpd stream socket.
- docker does a getattr on all file systems
- Label all abrt-dump programs
- Allow alsa to create lock file to see if it fixes.
- Add support for zabbix external scripts for which zabbix_script_t domain has been created. This domain is unconfined by default and user needs to run "semodule -d unconfined" to make system running with
- Add interface for journalctl_exec
- Add labels also for glusterd sockets.
- Change virt.te to match default docker capabilities
- Add additional booleans for turning on mknod or all caps.
- Also add interface to allow users to write policy that matches docker defaults for capabilities.
- Label dhcpd6 unit file.
- Add support also for dhcp IPv6 services.
- Added support for dhcrelay service
- Additional access for bluejeans
- docker needs more access, need back port to RHEL7
- Allow mdadm to connect to own socket created by mdadm running as kernel_t.
- Fix pkcs, Remove pkcs_lock_filetrans and Add files_search_locks
- Allow bacula manage bacula_log_t dirs
- Allow pkcs_slotd_t read /etc/passwd, Label /var/lock/opencryptoki as pkcs_slotd_lock_t
- Fix mistakes keystone and quantum
- Label neutron var run dir
- Label keystone var run dir
- Fix bad labeling for /usr/s?bin/(oo|rhc)-restorer-wrapper.sh in openshift.fc.
- Dontaudit attempts to access check cert dirs/files for sssd.
- Allow sensord to send a signal.
- Allow certmonger to stream connect to dirsrv to make ipa-server-install working.
- Label zabbix_var_lib_t directories
- Label conmans pid file as conman_var_run_t
- Label also /var/run/glusterd.socket file as gluster_var_run_t
- Fix policy for pkcsslotd from opencryptoki
- Update cockpit policy from cockpit upstream.
- Allow certmonger to exec ldconfig to make ipa-server-install working.
- Added support for Naemon policy
- Allow keepalived manage snmp files
- Add setpgid process to mip6d
- remove duplicate rule
- Allow postfix_smtpd to stream connect to antivirus
- Dontaudit list /tmp for icecast
- Allow zabbix domains to access /proc//net/dev.
Conflicts:
selinux-policy.spec
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index e5d0790..53b2a80 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -9321,7 +9321,7 @@ index cf04cb5..32d58ca 100644
+ unconfined_server_stream_connect(domain)
+')
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index b876c48..0f99fae 100644
+index b876c48..d8cdd96 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -9486,7 +9486,7 @@ index b876c48..0f99fae 100644
/tmp/.* <>
/tmp/\.journal <>
-@@ -194,9 +208,10 @@ ifdef(`distro_debian',`
+@@ -194,9 +208,11 @@ ifdef(`distro_debian',`
#
# /usr
#
@@ -9495,10 +9495,11 @@ index b876c48..0f99fae 100644
/usr/.* gen_context(system_u:object_r:usr_t,s0)
/usr/\.journal <>
+/export(/.*)? gen_context(system_u:object_r:usr_t,s0)
++/ostree(/.*)? gen_context(system_u:object_r:usr_t,s0)
/usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
-@@ -204,15 +219,9 @@ ifdef(`distro_debian',`
+@@ -204,15 +220,9 @@ ifdef(`distro_debian',`
/usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0)
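Review bot: the new `/ostree(/.*)? gen_context(system_u:object_r:usr_t,s0)` entry labels everything under /ostree as usr_t, and none of the commit-message bullets mentions it (nor the matching `files_root_filetrans($1, usr_t, dir, "ostree")` added to files.if later in this patch). Add a bullet for the ostree labeling and a short comment beside the fc entry saying why usr_t is the intended type for the whole tree, so the choice can be revisited if parts of /ostree turn out to need a more specific type.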
@@ -9515,7 +9516,7 @@ index b876c48..0f99fae 100644
/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
-@@ -220,8 +229,6 @@ ifdef(`distro_debian',`
+@@ -220,8 +230,6 @@ ifdef(`distro_debian',`
/usr/tmp/.* <>
ifndef(`distro_redhat',`
@@ -9524,7 +9525,7 @@ index b876c48..0f99fae 100644
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
-@@ -229,7 +236,7 @@ ifndef(`distro_redhat',`
+@@ -229,7 +237,7 @@ ifndef(`distro_redhat',`
#
# /var
#
@@ -9533,7 +9534,7 @@ index b876c48..0f99fae 100644
/var/.* gen_context(system_u:object_r:var_t,s0)
/var/\.journal <>
-@@ -237,11 +244,25 @@ ifndef(`distro_redhat',`
+@@ -237,11 +245,25 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -9560,7 +9561,7 @@ index b876c48..0f99fae 100644
/var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/log/lost\+found/.* <>
-@@ -256,12 +277,14 @@ ifndef(`distro_redhat',`
+@@ -256,12 +278,14 @@ ifndef(`distro_redhat',`
/var/run -l gen_context(system_u:object_r:var_run_t,s0)
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
/var/run/.*\.*pid <>
@@ -9575,14 +9576,14 @@ index b876c48..0f99fae 100644
/var/tmp/.* <>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <>
-@@ -271,3 +294,5 @@ ifdef(`distro_debian',`
+@@ -271,3 +295,5 @@ ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..1f7b192 100644
+index f962f76..d12f46e 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -15299,7 +15300,7 @@ index f962f76..1f7b192 100644
##
##
##
-@@ -6386,132 +8439,206 @@ interface(`files_search_spool',`
+@@ -6386,132 +8439,207 @@ interface(`files_search_spool',`
##
##
#
@@ -15400,6 +15401,7 @@ index f962f76..1f7b192 100644
+ files_root_filetrans($1, mnt_t, dir, "net")
+ files_root_filetrans($1, usr_t, dir, "export")
+ files_root_filetrans($1, usr_t, dir, "opt")
++ files_root_filetrans($1, usr_t, dir, "ostree")
+ files_root_filetrans($1, usr_t, dir, "emul")
+ files_root_filetrans($1, var_t, dir, "srv")
+ files_root_filetrans($1, var_run_t, dir, "run")
@@ -15557,7 +15559,7 @@ index f962f76..1f7b192 100644
##
##
##
-@@ -6519,53 +8646,17 @@ interface(`files_spool_filetrans',`
+@@ -6519,53 +8647,17 @@ interface(`files_spool_filetrans',`
##
##
#
@@ -15615,7 +15617,7 @@ index f962f76..1f7b192 100644
##
##
##
-@@ -6573,10 +8664,10 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +8665,10 @@ interface(`files_polyinstantiate_all',`
##
##
#
@@ -20999,10 +21001,10 @@ index 234a940..d340f20 100644
########################################
##
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 0fef1fc..45ee29f 100644
+index 0fef1fc..75442d6 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,71 @@ policy_module(staff, 2.4.0)
+@@ -8,12 +8,72 @@ policy_module(staff, 2.4.0)
role staff_r;
userdom_unpriv_user_template(staff)
@@ -21035,6 +21037,7 @@ index 0fef1fc..45ee29f 100644
+dev_read_kmsg(staff_t)
+
+domain_read_all_domains_state(staff_t)
++domain_getcap_all_domains(staff_t)
+domain_getsched_all_domains(staff_t)
+domain_getattr_all_domains(staff_t)
+domain_obj_id_change_exemption(staff_t)
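Review bot: `domain_getcap_all_domains(staff_t)` lets any staff_t process read the capability sets of every domain on the system, but no commit-message bullet covers staff_t at all. Name the program whose denial motivated the grant (the adjacent getsched/getattr lines suggest a process-inspection tool, but that is a guess) so the widening is traceable, and consider whether the same grant is needed in sysadm.te for consistency.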
@@ -21074,7 +21077,7 @@ index 0fef1fc..45ee29f 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -23,11 +82,115 @@ optional_policy(`
+@@ -23,11 +83,115 @@ optional_policy(`
')
optional_policy(`
@@ -21191,7 +21194,7 @@ index 0fef1fc..45ee29f 100644
')
optional_policy(`
-@@ -35,15 +198,31 @@ optional_policy(`
+@@ -35,15 +199,31 @@ optional_policy(`
')
optional_policy(`
@@ -21225,7 +21228,7 @@ index 0fef1fc..45ee29f 100644
')
optional_policy(`
-@@ -52,11 +231,60 @@ optional_policy(`
+@@ -52,11 +232,60 @@ optional_policy(`
')
optional_policy(`
@@ -21287,7 +21290,7 @@ index 0fef1fc..45ee29f 100644
')
ifndef(`distro_redhat',`
-@@ -65,10 +293,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +294,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21298,7 +21301,7 @@ index 0fef1fc..45ee29f 100644
cdrecord_role(staff_r, staff_t)
')
-@@ -78,10 +302,6 @@ ifndef(`distro_redhat',`
+@@ -78,10 +303,6 @@ ifndef(`distro_redhat',`
optional_policy(`
dbus_role_template(staff, staff_r, staff_t)
@@ -21309,7 +21312,7 @@ index 0fef1fc..45ee29f 100644
')
optional_policy(`
-@@ -101,10 +321,6 @@ ifndef(`distro_redhat',`
+@@ -101,10 +322,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21320,7 +21323,7 @@ index 0fef1fc..45ee29f 100644
java_role(staff_r, staff_t)
')
-@@ -125,10 +341,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +342,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21331,7 +21334,7 @@ index 0fef1fc..45ee29f 100644
pyzor_role(staff_r, staff_t)
')
-@@ -141,10 +353,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +354,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21342,7 +21345,7 @@ index 0fef1fc..45ee29f 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -176,3 +384,22 @@ ifndef(`distro_redhat',`
+@@ -176,3 +385,22 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -21394,7 +21397,7 @@ index ff92430..36740ea 100644
##
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6..d58ced2 100644
+index 2522ca6..4786c5e 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,86 @@ policy_module(sysadm, 2.6.1)
@@ -21547,7 +21550,7 @@ index 2522ca6..d58ced2 100644
')
optional_policy(`
-@@ -122,11 +170,25 @@ optional_policy(`
+@@ -122,11 +170,27 @@ optional_policy(`
')
optional_policy(`
@@ -21567,6 +21570,8 @@ index 2522ca6..d58ced2 100644
+optional_policy(`
+ dbus_role_template(sysadm, sysadm_r, sysadm_t)
+
++ dontaudit sysadm_dbusd_t self:capability net_admin;
++
+ optional_policy(`
+ systemd_dbus_chat_timedated(sysadm_t)
+ systemd_dbus_chat_hostnamed(sysadm_t)
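Review bot: `dontaudit sysadm_dbusd_t self:capability net_admin;` silences a capability request without recording why it happens; a raw dontaudit in a role file should carry a one-line comment naming the program that asks for net_admin, so a later reader can tell whether the request is spurious or whether the daemon genuinely needs the capability (in which case an allow rule, not a dontaudit, is the right fix). The commit message has no bullet for sysadm_dbusd_t either.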
@@ -21575,7 +21580,7 @@ index 2522ca6..d58ced2 100644
')
optional_policy(`
-@@ -140,6 +202,10 @@ optional_policy(`
+@@ -140,6 +204,10 @@ optional_policy(`
')
optional_policy(`
@@ -21586,7 +21591,7 @@ index 2522ca6..d58ced2 100644
dmesg_exec(sysadm_t)
')
-@@ -156,6 +222,10 @@ optional_policy(`
+@@ -156,6 +224,10 @@ optional_policy(`
')
optional_policy(`
@@ -21597,7 +21602,7 @@ index 2522ca6..d58ced2 100644
fstools_run(sysadm_t, sysadm_r)
')
-@@ -175,6 +245,13 @@ optional_policy(`
+@@ -175,6 +247,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -21611,7 +21616,7 @@ index 2522ca6..d58ced2 100644
')
optional_policy(`
-@@ -182,15 +259,20 @@ optional_policy(`
+@@ -182,15 +261,20 @@ optional_policy(`
')
optional_policy(`
@@ -21635,7 +21640,7 @@ index 2522ca6..d58ced2 100644
')
optional_policy(`
-@@ -210,22 +292,20 @@ optional_policy(`
+@@ -210,22 +294,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -21664,7 +21669,7 @@ index 2522ca6..d58ced2 100644
')
optional_policy(`
-@@ -237,14 +317,27 @@ optional_policy(`
+@@ -237,14 +319,27 @@ optional_policy(`
')
optional_policy(`
@@ -21692,7 +21697,7 @@ index 2522ca6..d58ced2 100644
')
optional_policy(`
-@@ -252,10 +345,20 @@ optional_policy(`
+@@ -252,10 +347,20 @@ optional_policy(`
')
optional_policy(`
@@ -21713,7 +21718,7 @@ index 2522ca6..d58ced2 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -266,35 +369,41 @@ optional_policy(`
+@@ -266,35 +371,41 @@ optional_policy(`
')
optional_policy(`
@@ -21762,7 +21767,7 @@ index 2522ca6..d58ced2 100644
')
optional_policy(`
-@@ -308,6 +417,7 @@ optional_policy(`
+@@ -308,6 +419,7 @@ optional_policy(`
optional_policy(`
screen_role_template(sysadm, sysadm_r, sysadm_t)
@@ -21770,7 +21775,7 @@ index 2522ca6..d58ced2 100644
')
optional_policy(`
-@@ -315,12 +425,20 @@ optional_policy(`
+@@ -315,12 +427,20 @@ optional_policy(`
')
optional_policy(`
@@ -21792,7 +21797,7 @@ index 2522ca6..d58ced2 100644
')
optional_policy(`
-@@ -345,7 +463,18 @@ optional_policy(`
+@@ -345,7 +465,18 @@ optional_policy(`
')
optional_policy(`
@@ -21812,7 +21817,7 @@ index 2522ca6..d58ced2 100644
')
optional_policy(`
-@@ -356,19 +485,11 @@ optional_policy(`
+@@ -356,19 +487,11 @@ optional_policy(`
')
optional_policy(`
@@ -21833,7 +21838,7 @@ index 2522ca6..d58ced2 100644
')
optional_policy(`
-@@ -380,10 +501,6 @@ optional_policy(`
+@@ -380,10 +503,6 @@ optional_policy(`
')
optional_policy(`
@@ -21844,7 +21849,7 @@ index 2522ca6..d58ced2 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -391,6 +508,9 @@ optional_policy(`
+@@ -391,6 +510,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -21854,7 +21859,7 @@ index 2522ca6..d58ced2 100644
')
optional_policy(`
-@@ -398,31 +518,34 @@ optional_policy(`
+@@ -398,31 +520,34 @@ optional_policy(`
')
optional_policy(`
@@ -21895,7 +21900,7 @@ index 2522ca6..d58ced2 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -435,10 +558,6 @@ ifndef(`distro_redhat',`
+@@ -435,10 +560,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21906,7 +21911,7 @@ index 2522ca6..d58ced2 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -459,15 +578,79 @@ ifndef(`distro_redhat',`
+@@ -459,15 +580,79 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -22693,7 +22698,7 @@ index 0000000..b1163a6
+')
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..13a745c
+index 0000000..45aab67
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,339 @@
@@ -22892,10 +22897,10 @@ index 0000000..13a745c
+
+optional_policy(`
+ dbus_role_template(unconfined, unconfined_r, unconfined_t)
-+ role system_r types unconfined_dbusd_t;
++ role system_r types unconfined_dbusd_t;
+
+ optional_policy(`
-+ unconfined_domain(unconfined_dbusd_t)
++ unconfined_domain_noaudit(unconfined_dbusd_t)
+
+ optional_policy(`
+ xserver_rw_shm(unconfined_dbusd_t)
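Review bot: replacing `unconfined_domain(unconfined_dbusd_t)` with `unconfined_domain_noaudit(unconfined_dbusd_t)` does more than permit everything: it also suppresses AVC messages for the unconfined user dbus domain, so denials that would previously have been logged become invisible. That is an audit-visibility trade-off and should be stated in the commit message together with the reason (for example which permission was producing log noise); if only one permission is noisy, a targeted dontaudit would keep the rest of the audit trail. The whitespace-only change to the `role system_r types unconfined_dbusd_t;` line adds churn and could be dropped.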
@@ -32323,7 +32328,7 @@ index 79a45f6..532ded5 100644
+ files_pid_filetrans($1, initctl_t, fifo_file, "fifo" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..84a3fcf 100644
+index 17eda24..8e4c2d4 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -32599,7 +32604,7 @@ index 17eda24..84a3fcf 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +307,237 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +307,241 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -32634,6 +32639,10 @@ index 17eda24..84a3fcf 100644
+')
+
+optional_policy(`
++ journalctl_exec(init_t)
++')
++
++optional_policy(`
+ kdump_read_crash(init_t)
+ kdump_read_config(init_t)
+')
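Review bot: `journalctl_exec(init_t)` is called here inside an optional_policy block, but the interface definition itself is not in this diff even though the commit bullet says "Add interface for journalctl_exec". Confirm that the definition ships in the contrib patch of the same commit (otherwise the base patch does not build on its own), and name the module that provides it in the bullet so the dependency between the two patch files is clear.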
@@ -32641,14 +32650,15 @@ index 17eda24..84a3fcf 100644
+optional_policy(`
+ gnome_filetrans_home_content(init_t)
+ gnome_manage_data(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- auth_rw_login_records(init_t)
+ iscsi_read_lib_files(init_t)
+ iscsi_manage_lock(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+ modutils_domtrans_insmod(init_t)
+ modutils_list_module_config(init_t)
+')
@@ -32808,14 +32818,13 @@ index 17eda24..84a3fcf 100644
+optional_policy(`
+ lvm_rw_pipes(init_t)
+ lvm_read_config(init_t)
- ')
-
- optional_policy(`
-- auth_rw_login_records(init_t)
++')
++
++optional_policy(`
+ consolekit_manage_log(init_t)
- ')
-
- optional_policy(`
++')
++
++optional_policy(`
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
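Review bot: this hunk and the one immediately before it do not change the resulting init.te at all; they only move the `- auth_rw_login_records(init_t)` removal and re-flag three `optional_policy` closers/openers between added and context lines, which is churn from regenerating the patch against shifted context after the journalctl_exec block was inserted. Regenerating the patch so the context aligns as before (or splitting the realignment into its own commit) would keep the review of the real change in this file readable.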
@@ -32846,7 +32855,7 @@ index 17eda24..84a3fcf 100644
')
optional_policy(`
-@@ -216,7 +545,31 @@ optional_policy(`
+@@ -216,7 +549,31 @@ optional_policy(`
')
optional_policy(`
@@ -32878,7 +32887,7 @@ index 17eda24..84a3fcf 100644
')
########################################
-@@ -225,9 +578,9 @@ optional_policy(`
+@@ -225,9 +582,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -32890,7 +32899,7 @@ index 17eda24..84a3fcf 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +611,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +615,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -32907,7 +32916,7 @@ index 17eda24..84a3fcf 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +636,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +640,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -32950,7 +32959,7 @@ index 17eda24..84a3fcf 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +673,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +677,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -32962,7 +32971,7 @@ index 17eda24..84a3fcf 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +685,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +689,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -32973,7 +32982,7 @@ index 17eda24..84a3fcf 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +696,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +700,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -32983,7 +32992,7 @@ index 17eda24..84a3fcf 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +705,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +709,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -32991,7 +33000,7 @@ index 17eda24..84a3fcf 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +712,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +716,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -32999,7 +33008,7 @@ index 17eda24..84a3fcf 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +720,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +724,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -33017,7 +33026,7 @@ index 17eda24..84a3fcf 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +738,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +742,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -33031,7 +33040,7 @@ index 17eda24..84a3fcf 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +753,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +757,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -33045,7 +33054,7 @@ index 17eda24..84a3fcf 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,8 +766,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +770,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -33056,7 +33065,7 @@ index 17eda24..84a3fcf 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +779,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +783,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -33064,7 +33073,7 @@ index 17eda24..84a3fcf 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +798,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +802,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -33088,7 +33097,7 @@ index 17eda24..84a3fcf 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +831,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +835,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -33096,7 +33105,7 @@ index 17eda24..84a3fcf 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +865,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +869,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -33107,7 +33116,7 @@ index 17eda24..84a3fcf 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +889,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +893,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -33116,7 +33125,7 @@ index 17eda24..84a3fcf 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +904,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +908,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -33124,7 +33133,7 @@ index 17eda24..84a3fcf 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +925,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +929,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -33132,7 +33141,7 @@ index 17eda24..84a3fcf 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +935,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +939,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -33177,7 +33186,7 @@ index 17eda24..84a3fcf 100644
')
optional_policy(`
-@@ -559,14 +980,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +984,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -33209,7 +33218,7 @@ index 17eda24..84a3fcf 100644
')
')
-@@ -577,6 +1015,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1019,39 @@ ifdef(`distro_suse',`
')
')
@@ -33249,7 +33258,7 @@ index 17eda24..84a3fcf 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1060,8 @@ optional_policy(`
+@@ -589,6 +1064,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -33258,7 +33267,7 @@ index 17eda24..84a3fcf 100644
')
optional_policy(`
-@@ -610,6 +1083,7 @@ optional_policy(`
+@@ -610,6 +1087,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -33266,7 +33275,7 @@ index 17eda24..84a3fcf 100644
')
optional_policy(`
-@@ -626,6 +1100,17 @@ optional_policy(`
+@@ -626,6 +1104,17 @@ optional_policy(`
')
optional_policy(`
@@ -33284,7 +33293,7 @@ index 17eda24..84a3fcf 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1127,13 @@ optional_policy(`
+@@ -642,9 +1131,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -33298,7 +33307,7 @@ index 17eda24..84a3fcf 100644
')
optional_policy(`
-@@ -657,15 +1146,11 @@ optional_policy(`
+@@ -657,15 +1150,11 @@ optional_policy(`
')
optional_policy(`
@@ -33316,7 +33325,7 @@ index 17eda24..84a3fcf 100644
')
optional_policy(`
-@@ -686,6 +1171,15 @@ optional_policy(`
+@@ -686,6 +1175,15 @@ optional_policy(`
')
optional_policy(`
@@ -33332,7 +33341,7 @@ index 17eda24..84a3fcf 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1220,7 @@ optional_policy(`
+@@ -726,6 +1224,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -33340,7 +33349,7 @@ index 17eda24..84a3fcf 100644
')
optional_policy(`
-@@ -743,7 +1238,13 @@ optional_policy(`
+@@ -743,7 +1242,13 @@ optional_policy(`
')
optional_policy(`
@@ -33355,7 +33364,7 @@ index 17eda24..84a3fcf 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1267,10 @@ optional_policy(`
+@@ -766,6 +1271,10 @@ optional_policy(`
')
optional_policy(`
@@ -33366,7 +33375,7 @@ index 17eda24..84a3fcf 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1280,20 @@ optional_policy(`
+@@ -775,10 +1284,20 @@ optional_policy(`
')
optional_policy(`
@@ -33387,7 +33396,7 @@ index 17eda24..84a3fcf 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1302,10 @@ optional_policy(`
+@@ -787,6 +1306,10 @@ optional_policy(`
')
optional_policy(`
@@ -33398,7 +33407,7 @@ index 17eda24..84a3fcf 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1327,6 @@ optional_policy(`
+@@ -808,8 +1331,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -33407,7 +33416,7 @@ index 17eda24..84a3fcf 100644
')
optional_policy(`
-@@ -818,6 +1335,10 @@ optional_policy(`
+@@ -818,6 +1339,10 @@ optional_policy(`
')
optional_policy(`
@@ -33418,7 +33427,7 @@ index 17eda24..84a3fcf 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1348,12 @@ optional_policy(`
+@@ -827,10 +1352,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -33431,14 +33440,14 @@ index 17eda24..84a3fcf 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1380,60 @@ optional_policy(`
+@@ -857,21 +1384,60 @@ optional_policy(`
')
optional_policy(`
+ virt_read_config(init_t)
+ virt_stream_connect(init_t)
-+ virt_noatsecure(init_t)
-+ virt_rlimitinh(init_t)
++ virt_noatsecure(init_t)
++ virt_rlimitinh(init_t)
+')
+
+optional_policy(`
@@ -33493,7 +33502,7 @@ index 17eda24..84a3fcf 100644
')
optional_policy(`
-@@ -887,6 +1449,10 @@ optional_policy(`
+@@ -887,6 +1453,10 @@ optional_policy(`
')
optional_policy(`
@@ -33504,7 +33513,7 @@ index 17eda24..84a3fcf 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1463,218 @@ optional_policy(`
+@@ -897,3 +1467,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index ef9b85a..b67a506 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1,5 +1,5 @@
diff --git a/abrt.fc b/abrt.fc
-index 1a93dc5..36f5a1f 100644
+index 1a93dc5..dc1d24c 100644
--- a/abrt.fc
+++ b/abrt.fc
@@ -1,31 +1,44 @@
@@ -14,7 +14,7 @@ index 1a93dc5..36f5a1f 100644
-/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
+
-+/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
++/usr/bin/abrt-dump-.* -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+/usr/bin/abrt-uefioops-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
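Review bot: `/usr/bin/abrt-dump-.*` is open-ended, so every present and future abrt-dump-* binary is labeled abrt_dump_oops_exec_t and runs in the oops dumper's domain; if that is the intent (the commit bullet says all abrt-dump programs), put a comment above the fc entry saying so, because a new dumper with different access needs would otherwise inherit the oops policy without anyone noticing. Note that the separate `/usr/bin/abrt-uefioops-oops` line below is not matched by the wildcard and must stay.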
@@ -1850,16 +1850,18 @@ index 0000000..a95a4ad
+')
+
diff --git a/alsa.fc b/alsa.fc
-index 33d9d31..03a150d 100644
+index 33d9d31..58bf182 100644
--- a/alsa.fc
+++ b/alsa.fc
-@@ -23,4 +23,8 @@ ifdef(`distro_debian',`
+@@ -23,4 +23,10 @@ ifdef(`distro_debian',`
/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
+
++/var/lock/asound\.state\.lock -- gen_context(system_u:object_r:alsa_lock_t,s0)
++
+/usr/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
+
+/var/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_var_run_t,s0)
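Review bot: the new `/var/lock/asound\.state\.lock -- gen_context(system_u:object_r:alsa_lock_t,s0)` entry is consistent with the alsa_lock_t type added in alsa.te, but the commit bullet ("Allow alsa to create lock file to see if it fixes.") does not say what it is meant to fix; reference the bug or the observed denial so the labeling can be revisited if it turns out not to help.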
@@ -1979,10 +1981,20 @@ index ca8d8cf..2cc5ce6 100644
#########################################
diff --git a/alsa.te b/alsa.te
-index 4b153f1..9b67ee0 100644
+index 4b153f1..a799cd3 100644
--- a/alsa.te
+++ b/alsa.te
-@@ -24,16 +24,23 @@ files_tmpfs_file(alsa_tmpfs_t)
+@@ -15,6 +15,9 @@ role alsa_roles types alsa_t;
+ type alsa_etc_rw_t;
+ files_config_file(alsa_etc_rw_t)
+
++type alsa_lock_t;
++files_lock_file(alsa_lock_t)
++
+ type alsa_tmp_t;
+ files_tmp_file(alsa_tmp_t)
+
+@@ -24,16 +27,23 @@ files_tmpfs_file(alsa_tmpfs_t)
type alsa_var_lib_t;
files_type(alsa_var_lib_t)
@@ -2008,7 +2020,17 @@ index 4b153f1..9b67ee0 100644
allow alsa_t self:sem create_sem_perms;
allow alsa_t self:shm create_shm_perms;
allow alsa_t self:unix_stream_socket { accept listen };
-@@ -57,7 +64,13 @@ fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
+@@ -46,6 +56,9 @@ files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
+
+ can_exec(alsa_t, alsa_exec_t)
+
++manage_files_pattern(alsa_t, alsa_lock_t, alsa_lock_t)
++files_lock_filetrans(alsa_t, alsa_lock_t, file)
++
+ manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
+ manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
+ files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
+@@ -57,7 +70,13 @@ fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
@@ -2022,7 +2044,7 @@ index 4b153f1..9b67ee0 100644
corecmd_exec_bin(alsa_t)
-@@ -67,7 +80,6 @@ dev_read_sysfs(alsa_t)
+@@ -67,7 +86,6 @@ dev_read_sysfs(alsa_t)
dev_read_urand(alsa_t)
dev_write_sound(alsa_t)
@@ -2030,7 +2052,7 @@ index 4b153f1..9b67ee0 100644
files_search_var_lib(alsa_t)
term_dontaudit_use_console(alsa_t)
-@@ -80,8 +92,6 @@ init_use_fds(alsa_t)
+@@ -80,8 +98,6 @@ init_use_fds(alsa_t)
logging_send_syslog_msg(alsa_t)
@@ -3578,7 +3600,7 @@ index 7caefc3..7e70f67 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
-index f6eb485..61f36b6 100644
+index f6eb485..9eba5f5 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
@@ -3727,7 +3749,7 @@ index f6eb485..61f36b6 100644
+ manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+ manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+
-+ allow $1_script_t httpd_t:unix_stream_socket { getattr read write };
++ allow $1_script_t httpd_t:unix_stream_socket { accept getattr read write };
+
+ # Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
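Review bot: adding `accept` to `allow $1_script_t httpd_t:unix_stream_socket { accept getattr read write }` is done inside the apache content template, so the permission is granted to every script domain generated from it, not only to smokeping's CGI scripts as the commit bullet states. Either say in the bullet that widening all *_script_t domains is intentional, or move the accept rule into the smokeping policy where the denial was seen.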
@@ -8655,10 +8677,10 @@ index dcd774e..c240ffa 100644
allow $1 bacula_t:process { ptrace signal_perms };
diff --git a/bacula.te b/bacula.te
-index f16b000..941d3fd 100644
+index f16b000..373576e 100644
--- a/bacula.te
+++ b/bacula.te
-@@ -43,7 +43,7 @@ role bacula_admin_roles types bacula_admin_t;
+@@ -43,16 +43,18 @@ role bacula_admin_roles types bacula_admin_t;
# Local policy
#
@@ -8667,7 +8689,18 @@ index f16b000..941d3fd 100644
allow bacula_t self:process signal;
allow bacula_t self:fifo_file rw_fifo_file_perms;
allow bacula_t self:tcp_socket { accept listen };
-@@ -88,6 +88,10 @@ corenet_udp_bind_generic_node(bacula_t)
+
+ read_files_pattern(bacula_t, bacula_etc_t, bacula_etc_t)
+
++manage_dirs_pattern(bacula_t,bacula_log_t, bacula_log_t)
+ append_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
+ create_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
+ setattr_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
++logging_log_filetrans(bacula_t, bacula_log_t, { file dir })
+
+ manage_dirs_pattern(bacula_t, bacula_spool_t, bacula_spool_t)
+ manage_files_pattern(bacula_t, bacula_spool_t, bacula_spool_t)
+@@ -88,6 +90,10 @@ corenet_udp_bind_generic_node(bacula_t)
corenet_sendrecv_generic_server_packets(bacula_t)
corenet_udp_bind_generic_port(bacula_t)
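Review bot: style nit in `manage_dirs_pattern(bacula_t,bacula_log_t, bacula_log_t)`, the space after the first comma is missing, unlike the surrounding lines. Also, `logging_log_filetrans(bacula_t, bacula_log_t, { file dir })` carries no name argument, so anything bacula_t creates directly under /var/log becomes bacula_log_t; if bacula only creates a known log subdirectory, pass its name as the fourth argument to keep the transition narrow.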
@@ -8678,7 +8711,7 @@ index f16b000..941d3fd 100644
corenet_sendrecv_hplip_server_packets(bacula_t)
corenet_tcp_bind_hplip_port(bacula_t)
corenet_udp_bind_hplip_port(bacula_t)
-@@ -105,6 +109,7 @@ files_read_all_symlinks(bacula_t)
+@@ -105,6 +111,7 @@ files_read_all_symlinks(bacula_t)
fs_getattr_xattr_fs(bacula_t)
fs_list_all(bacula_t)
@@ -8686,7 +8719,7 @@ index f16b000..941d3fd 100644
auth_read_shadow(bacula_t)
logging_send_syslog_msg(bacula_t)
-@@ -148,9 +153,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
+@@ -148,9 +155,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
domain_use_interactive_fds(bacula_admin_t)
@@ -11136,7 +11169,7 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index 550b287..0b1d596 100644
+index 550b287..3ad65da 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -11225,7 +11258,7 @@ index 550b287..0b1d596 100644
')
optional_policy(`
-@@ -92,11 +109,51 @@ optional_policy(`
+@@ -92,11 +109,52 @@ optional_policy(`
')
optional_policy(`
@@ -11233,6 +11266,7 @@ index 550b287..0b1d596 100644
+ dirsrv_manage_config(certmonger_t)
+ dirsrv_signal(certmonger_t)
+ dirsrv_signull(certmonger_t)
++ dirsrv_stream_connect(certmonger_t)
+')
+
+optional_policy(`
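Review bot: `dirsrv_stream_connect(certmonger_t)` depends on that interface being declared in dirsrv.if, and this diff shows no dirsrv.if hunk; confirm it already exists or the optional_policy block will fail to build. A one-line comment above the block naming the ipa-server-install use case from the commit message would also help whoever later audits why certmonger may connect to the directory server socket.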
@@ -11575,15 +11609,16 @@ index 80a88a2..ec869f5 100644
+logging_send_syslog_msg(cgred_t)
diff --git a/chrome.fc b/chrome.fc
new file mode 100644
-index 0000000..d020d89
+index 0000000..5c6bdb6
--- /dev/null
+++ b/chrome.fc
-@@ -0,0 +1,10 @@
-+/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+@@ -0,0 +1,11 @@
++/opt/google/chrome[^/]*/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
++/opt/google/chrome[^/]*/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
+/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
+
+HOME_DIR/\.cache/google-chrome(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
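Review bot: the two `[^/]*` widenings are handled inconsistently. For chrome-sandbox the exact `/opt/google/chrome/chrome-sandbox` entry is replaced by the pattern, but for nacl_helper_bootstrap the exact `/opt/google/chrome/nacl_helper_bootstrap` line is kept next to the new `/opt/google/chrome[^/]*/nacl_helper_bootstrap` line. `[^/]*` also matches the empty string, so the old entry is redundant; drop it to mirror the chrome-sandbox change.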
@@ -14998,10 +15033,10 @@ index ce9f040..32ebb0c 100644
+')
diff --git a/conman.fc b/conman.fc
new file mode 100644
-index 0000000..5f97ba9
+index 0000000..d2f5c80
--- /dev/null
+++ b/conman.fc
-@@ -0,0 +1,7 @@
+@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/conman.* -- gen_context(system_u:object_r:conman_unit_file_t,s0)
+
+/usr/sbin/conmand -- gen_context(system_u:object_r:conman_exec_t,s0)
@@ -15009,6 +15044,7 @@ index 0000000..5f97ba9
+/var/log/conman(/.*)? gen_context(system_u:object_r:conman_log_t,s0)
+/var/log/conman\.old(/.*)? gen_context(system_u:object_r:conman_log_t,s0)
+
++/var/run/conmand.* -- gen_context(system_u:object_r:conman_var_run_t,s0)
diff --git a/conman.if b/conman.if
new file mode 100644
index 0000000..54b4b04
@@ -15159,10 +15195,10 @@ index 0000000..54b4b04
+')
diff --git a/conman.te b/conman.te
new file mode 100644
-index 0000000..d6b0314
+index 0000000..ccff09f
--- /dev/null
+++ b/conman.te
-@@ -0,0 +1,49 @@
+@@ -0,0 +1,55 @@
+policy_module(conman, 1.0.0)
+
+########################################
@@ -15177,6 +15213,9 @@ index 0000000..d6b0314
+type conman_log_t;
+logging_log_file(conman_log_t)
+
++type conman_var_run_t;
++files_pid_file(conman_var_run_t)
++
+type conman_unit_file_t;
+systemd_unit_file(conman_unit_file_t)
+
@@ -15196,13 +15235,16 @@ index 0000000..d6b0314
+manage_files_pattern(conman_t, conman_log_t, conman_log_t)
+logging_log_filetrans(conman_t, conman_log_t, { dir })
+
++manage_files_pattern(conman_t, conman_var_run_t, conman_var_run_t)
++files_pid_filetrans(conman_t, conman_var_run_t, file)
++
++auth_read_passwd(conman_t)
++
+corenet_tcp_bind_generic_node(conman_t)
+corenet_tcp_bind_conman_port(conman_t)
+
+corecmd_exec_bin(conman_t)
+
-+auth_read_passwd(conman_t)
-+
+logging_send_syslog_msg(conman_t)
+
+sysnet_dns_name_resolve(conman_t)
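Review bot: `files_pid_filetrans(conman_t, conman_var_run_t, file)` has no file name, so every regular file conman_t creates directly in /var/run is labelled conman_var_run_t; passing the pid file name as the fourth argument would match the `/var/run/conmand.*` entry added to conman.fc more tightly. Moving `auth_read_passwd(conman_t)` above the corenet lines is a pure reordering with no behaviour change.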
@@ -22444,16 +22486,24 @@ index 77a5003..b605240 100644
+')
+
diff --git a/dhcp.fc b/dhcp.fc
-index 8182c48..31364a5 100644
+index 8182c48..0b9bb97 100644
--- a/dhcp.fc
+++ b/dhcp.fc
-@@ -1,4 +1,6 @@
+@@ -1,6 +1,13 @@
/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/dhcrelay(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+
+-/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
+/usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
+/usr/lib/systemd/system/dhcpd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
++/usr/lib/systemd/system/dhcpd6.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
++/usr/lib/systemd/system/dhcrelay.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
++
++/usr/sbin/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
++/usr/sbin/dhcrelay(6)? -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
- /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
-
+ /var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
+ /var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
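Review bot: `/usr/lib/systemd/system/dhcpd6.*` is redundant, because the unescaped `.` in the existing `/usr/lib/systemd/system/dhcpd.*` entry already matches `dhcpd6.service`; either drop the new line or tighten both to `dhcpd(6)?\..*` so they stop matching unrelated names. Labelling `/usr/sbin/dhcrelay(6)?` as dhcpd_exec_t puts the relay in dhcpd_t with the full DHCP server policy; a comment that this domain sharing is intentional would avoid a later "why does dhcrelay run as the server" question.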
diff --git a/dhcp.if b/dhcp.if
index c697edb..31d45bf 100644
--- a/dhcp.if
@@ -24485,10 +24535,10 @@ index 0000000..76eb32e
+')
diff --git a/docker.te b/docker.te
new file mode 100644
-index 0000000..47c8698
+index 0000000..96c47ea
--- /dev/null
+++ b/docker.te
-@@ -0,0 +1,270 @@
+@@ -0,0 +1,273 @@
+policy_module(docker, 1.0.0)
+
+########################################
@@ -24605,6 +24655,7 @@ index 0000000..47c8698
+kernel_read_network_state(docker_t)
+kernel_read_all_sysctls(docker_t)
+kernel_rw_net_sysctls(docker_t)
++kernel_setsched(docker_t)
+
+domain_use_interactive_fds(docker_t)
+
@@ -24628,6 +24679,7 @@ index 0000000..47c8698
+
+fs_read_cgroup_files(docker_t)
+fs_read_tmpfs_symlinks(docker_t)
++fs_search_all(docker_t)
+fs_getattr_all_fs(docker_t)
+
+storage_raw_rw_fixed_disk(docker_t)
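Review bot: `fs_search_all(docker_t)` is broader than what the commit message describes ("docker does a getattr on all file systems"); docker_t already has `fs_getattr_all_fs(docker_t)` two lines below, so the new line grants directory search on every filesystem type rather than statfs. If the AVC that prompted it named one filesystem type, a targeted `fs_search_*` interface for that type is preferable; otherwise record the denial in a comment so the wide grant is not silently kept forever.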
@@ -24645,6 +24697,7 @@ index 0000000..47c8698
+mount_domtrans(docker_t)
+
+seutil_read_default_contexts(docker_t)
++seutil_read_config(docker_t)
+
+sysnet_dns_name_resolve(docker_t)
+sysnet_exec_ifconfig(docker_t)
@@ -29608,10 +29661,10 @@ index 5cd0909..e405249 100644
+')
diff --git a/glusterd.fc b/glusterd.fc
new file mode 100644
-index 0000000..9614520
+index 0000000..8431a61
--- /dev/null
+++ b/glusterd.fc
-@@ -0,0 +1,16 @@
+@@ -0,0 +1,17 @@
+/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+
+/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
@@ -29627,7 +29680,8 @@ index 0000000..9614520
+/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
+
+/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
-+/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
++/var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
++/var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0)
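Review bot: the `.` in `/var/run/glusterd.*` is an unescaped regex metacharacter, so the two new entries match anything under /var/run starting with `glusterd`, including paths already covered by `/var/run/glusterd(/.*)?` above. All three resolve to glusterd_var_run_t so there is no labelling conflict, but `/var/run/glusterd\..*` states the intent (glusterd.pid, glusterd.socket) precisely. The separate `-s` line is genuinely needed since `--` limits the first entry to regular files.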
diff --git a/glusterd.if b/glusterd.if
new file mode 100644
index 0000000..1ed97fe
@@ -36622,10 +36676,10 @@ index 0000000..f270652
+/usr/bin/journalctl -- gen_context(system_u:object_r:journalctl_exec_t,s0)
diff --git a/journalctl.if b/journalctl.if
new file mode 100644
-index 0000000..9d32f23
+index 0000000..17126b6
--- /dev/null
+++ b/journalctl.if
-@@ -0,0 +1,76 @@
+@@ -0,0 +1,95 @@
+
+## policy for journalctl
+
@@ -36648,6 +36702,25 @@ index 0000000..9d32f23
+ domtrans_pattern($1, journalctl_exec_t, journalctl_t)
+')
+
++######################################
++##
++## Execute journalctl in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`journalctl_exec',`
++ gen_require(`
++ type journalctl_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, journalctl_exec_t)
++')
++
+########################################
+##
+## Execute journalctl in the journalctl domain, and
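Review bot: `journalctl_exec` runs journalctl in the caller's own domain, so the caller also needs read access to the journal files and directories, which this interface does not grant. The summary "Execute journalctl in the caller domain." should say that, and point callers who only need to read the journal to the domain transition interface declared just above it, so people do not pick this one and then chase journal read denials in their own domain.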
@@ -38768,7 +38841,7 @@ index 628b78b..fe65617 100644
-
-miscfiles_read_localization(keyboardd_t)
diff --git a/keystone.fc b/keystone.fc
-index b273d80..186cd86 100644
+index b273d80..6a07210 100644
--- a/keystone.fc
+++ b/keystone.fc
@@ -1,3 +1,5 @@
@@ -38777,6 +38850,12 @@ index b273d80..186cd86 100644
/etc/rc\.d/init\.d/openstack-keystone -- gen_context(system_u:object_r:keystone_initrc_exec_t,s0)
/usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0)
+@@ -5,3 +7,5 @@
+ /var/lib/keystone(/.*)? gen_context(system_u:object_r:keystone_var_lib_t,s0)
+
+ /var/log/keystone(/.*)? gen_context(system_u:object_r:keystone_log_t,s0)
++
++/var/run/keystone(/.*)? gen_context(system_u:object_r:keystone_var_run_t,s0)
diff --git a/keystone.if b/keystone.if
index e88fb16..f20248c 100644
--- a/keystone.if
@@ -39016,10 +39095,16 @@ index e88fb16..f20248c 100644
+ ')
')
diff --git a/keystone.te b/keystone.te
-index 9929647..4b6faae 100644
+index 9929647..eea253d 100644
--- a/keystone.te
+++ b/keystone.te
-@@ -21,10 +21,14 @@ files_type(keystone_var_lib_t)
+@@ -18,13 +18,20 @@ logging_log_file(keystone_log_t)
+ type keystone_var_lib_t;
+ files_type(keystone_var_lib_t)
+
++type keystone_var_run_t;
++files_pid_file(keystone_var_run_t)
++
type keystone_tmp_t;
files_tmp_file(keystone_tmp_t)
@@ -39034,7 +39119,18 @@ index 9929647..4b6faae 100644
allow keystone_t self:fifo_file rw_fifo_file_perms;
allow keystone_t self:unix_stream_socket { accept listen };
-@@ -57,20 +61,36 @@ corenet_all_recvfrom_netlabel(keystone_t)
+@@ -45,6 +52,10 @@ manage_dirs_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
+ manage_files_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
+ files_var_lib_filetrans(keystone_t, keystone_var_lib_t, dir)
+
++manage_dirs_pattern(keystone_t, keystone_var_run_t, keystone_var_run_t)
++manage_files_pattern(keystone_t, keystone_var_run_t, keystone_var_run_t)
++files_pid_filetrans(keystone_t, keystone_var_run_t, { dir })
++
+ can_exec(keystone_t, keystone_tmp_t)
+
+ kernel_read_system_state(keystone_t)
+@@ -57,20 +68,36 @@ corenet_all_recvfrom_netlabel(keystone_t)
corenet_tcp_sendrecv_generic_if(keystone_t)
corenet_tcp_sendrecv_generic_node(keystone_t)
corenet_tcp_bind_generic_node(keystone_t)
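Review bot: `files_pid_filetrans(keystone_t, keystone_var_run_t, { dir })` transitions only directories, which fits the `/var/run/keystone(/.*)?` entry added in keystone.fc, but the neutron change in this same commit uses `{ file dir }`; if keystone ever writes a pid file directly under /var/run it would stay var_run_t. Adding the directory name as the fourth argument would also keep any other directory keystone_t creates in /var/run from picking up this type.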
@@ -46390,10 +46486,10 @@ index 6194b80..7490fe3 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4..07b06e1 100644
+index 11ac8e4..372b342 100644
--- a/mozilla.te
+++ b/mozilla.te
-@@ -6,17 +6,48 @@ policy_module(mozilla, 2.8.0)
+@@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
#
##
@@ -46410,6 +46506,14 @@ index 11ac8e4..07b06e1 100644
+
+##
+##
++## Allow mozilla plugin domain to bind unreserved tcp/udp ports.
++##
++##
++
++gen_tunable(mozilla_plugin_bind_unreserved_ports, false)
++
++##
++##
+## Allow mozilla plugin to support spice protocols.
+##
+##
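Review bot: the description of `mozilla_plugin_bind_unreserved_ports` should state that it covers only ports without a defined SELinux port type, and that a plugin using a well-known port still needs a proper port type, so admins do not treat the boolean as a catch-all. Defaulting it to `false` is right for a knob that widens what a browser plugin may listen on.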
@@ -46447,7 +46551,7 @@ index 11ac8e4..07b06e1 100644
type mozilla_t;
type mozilla_exec_t;
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
-@@ -24,6 +55,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
+@@ -24,6 +63,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
userdom_user_application_domain(mozilla_t, mozilla_exec_t)
role mozilla_roles types mozilla_t;
@@ -46457,7 +46561,7 @@ index 11ac8e4..07b06e1 100644
type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
-@@ -31,28 +65,24 @@ userdom_user_home_content(mozilla_home_t)
+@@ -31,28 +73,24 @@ userdom_user_home_content(mozilla_home_t)
type mozilla_plugin_t;
type mozilla_plugin_exec_t;
@@ -46491,7 +46595,7 @@ index 11ac8e4..07b06e1 100644
role mozilla_plugin_config_roles types mozilla_plugin_config_t;
type mozilla_tmp_t;
-@@ -63,10 +93,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
+@@ -63,10 +101,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
userdom_user_tmpfs_file(mozilla_tmpfs_t)
@@ -46502,7 +46606,7 @@ index 11ac8e4..07b06e1 100644
########################################
#
# Local policy
-@@ -75,27 +101,30 @@ optional_policy(`
+@@ -75,27 +109,30 @@ optional_policy(`
allow mozilla_t self:capability { sys_nice setgid setuid };
allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
allow mozilla_t self:fifo_file rw_fifo_file_perms;
@@ -46546,7 +46650,7 @@ index 11ac8e4..07b06e1 100644
manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
-@@ -103,76 +132,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+@@ -103,76 +140,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
@@ -46654,7 +46758,7 @@ index 11ac8e4..07b06e1 100644
term_dontaudit_getattr_pty_dirs(mozilla_t)
-@@ -181,56 +203,73 @@ auth_use_nsswitch(mozilla_t)
+@@ -181,56 +211,73 @@ auth_use_nsswitch(mozilla_t)
logging_send_syslog_msg(mozilla_t)
miscfiles_read_fonts(mozilla_t)
@@ -46662,8 +46766,7 @@ index 11ac8e4..07b06e1 100644
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
-userdom_use_user_ptys(mozilla_t)
-+userdom_use_inherited_user_ptys(mozilla_t)
-
+-
-userdom_manage_user_tmp_dirs(mozilla_t)
-userdom_manage_user_tmp_files(mozilla_t)
-
@@ -46672,7 +46775,8 @@ index 11ac8e4..07b06e1 100644
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
-
-userdom_write_user_tmp_sockets(mozilla_t)
--
++userdom_use_inherited_user_ptys(mozilla_t)
+
-mozilla_run_plugin(mozilla_t, mozilla_roles)
-mozilla_run_plugin_config(mozilla_t, mozilla_roles)
+#mozilla_run_plugin(mozilla_t, mozilla_roles)
@@ -46765,7 +46869,7 @@ index 11ac8e4..07b06e1 100644
')
optional_policy(`
-@@ -244,19 +283,12 @@ optional_policy(`
+@@ -244,19 +291,12 @@ optional_policy(`
optional_policy(`
cups_read_rw_config(mozilla_t)
@@ -46787,7 +46891,7 @@ index 11ac8e4..07b06e1 100644
optional_policy(`
networkmanager_dbus_chat(mozilla_t)
-@@ -265,33 +297,32 @@ optional_policy(`
+@@ -265,33 +305,32 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
@@ -46800,34 +46904,34 @@ index 11ac8e4..07b06e1 100644
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
+ gnome_manage_config(mozilla_t)
+ gnome_manage_gconf_home_files(mozilla_t)
++')
++
++optional_policy(`
++ java_domtrans(mozilla_t)
')
optional_policy(`
- java_exec(mozilla_t)
- java_manage_generic_home_content(mozilla_t)
- java_home_filetrans_java_home(mozilla_t, dir, ".java")
-+ java_domtrans(mozilla_t)
++ lpd_domtrans_lpr(mozilla_t)
')
optional_policy(`
- lpd_run_lpr(mozilla_t, mozilla_roles)
-+ lpd_domtrans_lpr(mozilla_t)
++ mplayer_domtrans(mozilla_t)
++ mplayer_read_user_home_files(mozilla_t)
')
optional_policy(`
- mplayer_exec(mozilla_t)
- mplayer_manage_generic_home_content(mozilla_t)
- mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
-+ mplayer_domtrans(mozilla_t)
-+ mplayer_read_user_home_files(mozilla_t)
++ nscd_socket_use(mozilla_t)
')
optional_policy(`
- pulseaudio_run(mozilla_t, mozilla_roles)
-+ nscd_socket_use(mozilla_t)
-+')
-+
-+optional_policy(`
+ #pulseaudio_role(mozilla_roles, mozilla_t)
+ pulseaudio_exec(mozilla_t)
+ pulseaudio_stream_connect(mozilla_t)
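Review bot: this hunk only reshuffles which lines of the embedded patch are `-`, `+` or context; each optional_policy body (java_domtrans, lpd_domtrans_lpr, mplayer_domtrans with mplayer_read_user_home_files, nscd_socket_use, the pulseaudio block) still appears exactly once, so the regenerated mozilla.te should be unchanged here. Worth confirming by diffing the two rendered mozilla.te files rather than reading the patch-of-patch, as the same reshuffle recurs in the later mozilla.te hunks.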
@@ -46835,7 +46939,7 @@ index 11ac8e4..07b06e1 100644
')
optional_policy(`
-@@ -300,259 +331,249 @@ optional_policy(`
+@@ -300,259 +339,249 @@ optional_policy(`
########################################
#
@@ -46917,12 +47021,12 @@ index 11ac8e4..07b06e1 100644
allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+-
+-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
--dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--
-can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
+can_exec(mozilla_plugin_t, mozilla_exec_t)
@@ -47100,12 +47204,12 @@ index 11ac8e4..07b06e1 100644
-userdom_manage_user_tmp_dirs(mozilla_plugin_t)
-userdom_manage_user_tmp_files(mozilla_plugin_t)
-+systemd_read_logind_sessions_files(mozilla_plugin_t)
-
+-
-userdom_manage_user_home_content_dirs(mozilla_plugin_t)
-userdom_manage_user_home_content_files(mozilla_plugin_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
--
++systemd_read_logind_sessions_files(mozilla_plugin_t)
+
-userdom_write_user_tmp_sockets(mozilla_plugin_t)
+term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
@@ -47231,7 +47335,7 @@ index 11ac8e4..07b06e1 100644
')
optional_policy(`
-@@ -560,7 +581,11 @@ optional_policy(`
+@@ -560,7 +589,11 @@ optional_policy(`
')
optional_policy(`
@@ -47244,7 +47348,7 @@ index 11ac8e4..07b06e1 100644
')
optional_policy(`
-@@ -568,108 +593,137 @@ optional_policy(`
+@@ -568,108 +601,144 @@ optional_policy(`
')
optional_policy(`
@@ -47370,27 +47474,25 @@ index 11ac8e4..07b06e1 100644
+userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_config_t)
+userdom_dontaudit_write_all_user_home_content_files(mozilla_plugin_config_t)
+userdom_dontaudit_write_all_user_tmp_content_files(mozilla_plugin_config_t)
-
--userdom_use_user_ptys(mozilla_plugin_config_t)
++
+domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)
-
--mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles)
++
+tunable_policy(`use_ecryptfs_home_dirs',`
+ fs_read_ecryptfs_files(mozilla_plugin_config_t)
+')
--tunable_policy(`allow_execmem',`
-- allow mozilla_plugin_config_t self:process execmem;
+-userdom_use_user_ptys(mozilla_plugin_config_t)
+optional_policy(`
+ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t)
+')
-+
+
+-mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles)
+optional_policy(`
+ xserver_use_user_fonts(mozilla_plugin_config_t)
- ')
++')
--tunable_policy(`mozilla_execstack',`
-- allow mozilla_plugin_config_t self:process { execmem execstack };
+-tunable_policy(`allow_execmem',`
+- allow mozilla_plugin_config_t self:process execmem;
+ifdef(`distro_redhat',`
+ typealias mozilla_plugin_t alias nsplugin_t;
+ typealias mozilla_plugin_exec_t alias nsplugin_exec_t;
@@ -47401,10 +47503,8 @@ index 11ac8e4..07b06e1 100644
+ typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t;
')
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(mozilla_plugin_config_t)
-- fs_manage_nfs_files(mozilla_plugin_config_t)
-- fs_manage_nfs_symlinks(mozilla_plugin_config_t)
+-tunable_policy(`mozilla_execstack',`
+- allow mozilla_plugin_config_t self:process { execmem execstack };
+#tunable_policy(`mozilla_plugin_enable_homedirs',`
+# userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
+#', `
@@ -47417,29 +47517,40 @@ index 11ac8e4..07b06e1 100644
+ userdom_execmod_user_home_files(mozilla_plugin_t)
')
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(mozilla_plugin_config_t)
-- fs_manage_cifs_files(mozilla_plugin_config_t)
-- fs_manage_cifs_symlinks(mozilla_plugin_config_t)
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(mozilla_plugin_config_t)
+- fs_manage_nfs_files(mozilla_plugin_config_t)
+- fs_manage_nfs_symlinks(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_spice',`
+ dev_rw_generic_usb_dev(mozilla_plugin_t)
+ dev_setattr_generic_usb_dev(mozilla_plugin_t)
+ corenet_tcp_bind_vnc_port(mozilla_plugin_t)
')
--optional_policy(`
-- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(mozilla_plugin_config_t)
+- fs_manage_cifs_files(mozilla_plugin_config_t)
+- fs_manage_cifs_symlinks(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_gps',`
+ fs_manage_dos_dirs(mozilla_plugin_t)
+ fs_manage_dos_files(mozilla_plugin_t)
')
-optional_policy(`
-- xserver_use_user_fonts(mozilla_plugin_config_t)
+- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_bluejeans',`
+ corenet_tcp_bind_unreserved_ports(mozilla_plugin_t)
+ corenet_dontaudit_tcp_bind_all_defined_ports(mozilla_plugin_t)
+ corenet_tcp_connect_commplex_main_port(mozilla_plugin_t)
++ corenet_dontaudit_udp_bind_all_ports(mozilla_plugin_t)
++ corenet_udp_bind_all_unreserved_ports(mozilla_plugin_t)
+ ')
+
+-optional_policy(`
+- xserver_use_user_fonts(mozilla_plugin_config_t)
++tunable_policy(`mozilla_plugin_bind_unreserved_ports',`
++ corenet_tcp_bind_unreserved_ports(mozilla_plugin_t)
++ corenet_udp_bind_all_unreserved_ports(mozilla_plugin_t)
')
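Review bot: the new `mozilla_plugin_bind_unreserved_ports` block grants `corenet_tcp_bind_unreserved_ports` and `corenet_udp_bind_all_unreserved_ports` with no dontaudit, which is the right shape: a plugin that tries a port with a defined type still produces an AVC, so the admin learns to add a port type instead of widening the boolean. By contrast the bluejeans block now adds `corenet_dontaudit_udp_bind_all_ports(mozilla_plugin_t)`, which silences UDP bind denials on every port, reserved and typed ones included; consider narrowing it to the UDP counterpart of the `corenet_dontaudit_tcp_bind_all_defined_ports` already used in that block, if one exists, so real misbinds stay visible.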
diff --git a/mpd.fc b/mpd.fc
index 313ce52..ae93e07 100644
@@ -58159,7 +58270,7 @@ index 0000000..a437f80
+files_read_config_files(openshift_domain)
diff --git a/openshift.fc b/openshift.fc
new file mode 100644
-index 0000000..418db16
+index 0000000..ba329e2
--- /dev/null
+++ b/openshift.fc
@@ -0,0 +1,28 @@
@@ -58185,7 +58296,7 @@ index 0000000..418db16
+/usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
+
+/usr/s?bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
-+/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(system_u:object_r:openshift_script_exec_t,s0)
++/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/usr/s?bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/usr/s?bin/mcollectived -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+
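Review bot: with this change both `(oo|rhc)-restorer` and `(oo|rhc)-restorer-wrapper.sh` are openshift_initrc_exec_t, which fixes the mismatch the commit message mentions, but the `.` in `wrapper.sh` is still an unescaped regex metacharacter; write `wrapper\.sh`, as the `/etc/rc\.d/init\.d/...` entries elsewhere in this patch do with `\.`.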
@@ -63601,11 +63712,45 @@ index 0000000..a989aea
+corecmd_exec_shell(piranha_domain)
+
+sysnet_read_config(piranha_domain)
+diff --git a/pkcs.fc b/pkcs.fc
+index 9a72226..0351b1e 100644
+--- a/pkcs.fc
++++ b/pkcs.fc
+@@ -4,4 +4,6 @@
+
+ /var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0)
+
++/var/lock/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_lock_t,s0)
++
+ /var/run/pkcsslotd.* gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0)
+diff --git a/pkcs.if b/pkcs.if
+index 69be2aa..2d7b3f6 100644
+--- a/pkcs.if
++++ b/pkcs.if
+@@ -19,7 +19,7 @@
+ #
+ interface(`pkcs_admin_slotd',`
+ gen_require(`
+- type pkcs_slotd_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_var_lib_t;
++ type pkcs_slotd_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_var_lib_t, pkcs_slotd_lock_t;
+ type pkcs_slotd_var_run_t, pkcs_slotd_tmp_t, pkcs_slotd_tmpfs_t;
+ ')
+
+@@ -34,6 +34,9 @@ interface(`pkcs_admin_slotd',`
+ files_search_var_lib($1)
+ admin_pattern($1, pkcs_slotd_var_lib_t)
+
++ files_search_locks($1)
++ admin_pattern($1, pkcs_slotd_lock_t)
++
+ files_search_pids($1)
+ admin_pattern($1, pkcs_slotd_var_run_t)
+
diff --git a/pkcs.te b/pkcs.te
-index 8eb3f7b..1ff0fe3 100644
+index 8eb3f7b..b0fc2a7 100644
--- a/pkcs.te
+++ b/pkcs.te
-@@ -7,21 +7,27 @@ policy_module(pkcs, 1.0.1)
+@@ -7,21 +7,30 @@ policy_module(pkcs, 1.0.1)
type pkcs_slotd_t;
type pkcs_slotd_exec_t;
@@ -63620,6 +63765,9 @@ index 8eb3f7b..1ff0fe3 100644
+typealias pkcs_slotd_var_lib_t alias pkcsslotd_var_lib_t;
files_type(pkcs_slotd_var_lib_t)
++type pkcs_slotd_lock_t;
++files_lock_file(pkcs_slotd_lock_t)
++
type pkcs_slotd_var_run_t;
+typealias pkcs_slotd_var_run_t alias pkcsslotd_var_run_t;
files_pid_file(pkcs_slotd_var_run_t)
@@ -63633,12 +63781,27 @@ index 8eb3f7b..1ff0fe3 100644
files_tmpfs_file(pkcs_slotd_tmpfs_t)
########################################
-@@ -53,8 +59,6 @@ manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
+@@ -40,6 +49,8 @@ manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
+ manage_lnk_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
+ files_var_lib_filetrans(pkcs_slotd_t, pkcs_slotd_var_lib_t, dir)
+
++manage_files_pattern(pkcs_slotd_t, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
++
+ manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
+ manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
+ manage_sock_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
+@@ -51,10 +62,12 @@ files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir)
+
+ manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
- fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, dir)
+-fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, dir)
++fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, { file dir })
++
++auth_read_passwd(pkcs_slotd_t)
-files_read_etc_files(pkcs_slotd_t)
--
++files_search_locks(pkcs_slotd_t)
+
logging_send_syslog_msg(pkcs_slotd_t)
-miscfiles_read_localization(pkcs_slotd_t)
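Review bot: `manage_files_pattern(pkcs_slotd_t, pkcs_slotd_lock_t, pkcs_slotd_lock_t)` plus `files_search_locks(pkcs_slotd_t)` lets the daemon manage files inside an existing `/var/lock/opencryptoki` directory, but nothing here lets it create that directory or labels a freshly created one pkcs_slotd_lock_t. Since /var/lock is normally tmpfs-backed and empty after boot, either add `manage_dirs_pattern` on the lock type together with `files_lock_filetrans(pkcs_slotd_t, pkcs_slotd_lock_t, dir, "opencryptoki")`, or note in a comment that tmpfiles.d or the init script creates the directory with the right context before pkcsslotd starts. The commit message says `pkcs_lock_filetrans` was removed, so say which of the two replaces it.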
@@ -74463,10 +74626,10 @@ index 83eb09e..b48c931 100644
+')
+
diff --git a/quantum.fc b/quantum.fc
-index 70ab68b..2a8e41b 100644
+index 70ab68b..b985b65 100644
--- a/quantum.fc
+++ b/quantum.fc
-@@ -1,10 +1,31 @@
+@@ -1,10 +1,34 @@
-/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:quantum_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/neutron.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
@@ -74505,6 +74668,9 @@ index 70ab68b..2a8e41b 100644
+
+/var/log/neutron(/.*)? gen_context(system_u:object_r:neutron_log_t,s0)
+/var/log/quantum(/.*)? gen_context(system_u:object_r:neutron_log_t,s0)
++
++/var/run/neutron(/.*)? gen_context(system_u:object_r:neutron_var_run_t,s0)
++/var/run/quantum(/.*)? gen_context(system_u:object_r:neutron_var_run_t,s0)
diff --git a/quantum.if b/quantum.if
index afc0068..97bbea4 100644
--- a/quantum.if
@@ -74822,10 +74988,10 @@ index afc0068..97bbea4 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
-index 8644d8b..d31e341 100644
+index 8644d8b..e8c81df 100644
--- a/quantum.te
+++ b/quantum.te
-@@ -5,92 +5,166 @@ policy_module(quantum, 1.1.0)
+@@ -5,92 +5,173 @@ policy_module(quantum, 1.1.0)
# Declarations
#
@@ -74864,6 +75030,9 @@ index 8644d8b..d31e341 100644
+type neutron_var_lib_t alias quantum_var_lib_t;
+files_type(neutron_var_lib_t)
+
++type neutron_var_run_t alias quantum_var_run_t;
++files_pid_file(neutron_var_run_t)
++
+type neutron_unit_file_t alias quantum_unit_file_t;
+systemd_unit_file(neutron_unit_file_t)
@@ -74935,6 +75104,10 @@ index 8644d8b..d31e341 100644
+manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
+files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir })
+
++manage_files_pattern(neutron_t, neutron_var_run_t, neutron_var_run_t)
++manage_dirs_pattern(neutron_t, neutron_var_run_t, neutron_var_run_t)
++files_pid_filetrans(neutron_t, neutron_var_run_t, { file dir })
++
+manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
@@ -76081,7 +76254,7 @@ index 951db7f..c0cabe8 100644
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
')
diff --git a/raid.te b/raid.te
-index c99753f..2d260c2 100644
+index c99753f..91ab9f7 100644
--- a/raid.te
+++ b/raid.te
@@ -15,6 +15,15 @@ role mdadm_roles types mdadm_t;
@@ -76100,7 +76273,7 @@ index c99753f..2d260c2 100644
type mdadm_var_run_t alias mdadm_map_t;
files_pid_file(mdadm_var_run_t)
dev_associate(mdadm_var_run_t)
-@@ -25,44 +34,64 @@ dev_associate(mdadm_var_run_t)
+@@ -25,44 +34,66 @@ dev_associate(mdadm_var_run_t)
#
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
@@ -76136,6 +76309,8 @@ index c99753f..2d260c2 100644
kernel_request_load_module(mdadm_t)
kernel_rw_software_raid_state(mdadm_t)
+kernel_dontaudit_setsched(mdadm_t)
++kernel_signal(mdadm_t)
++kernel_stream_connect(mdadm_t)
corecmd_exec_bin(mdadm_t)
corecmd_exec_shell(mdadm_t)
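Review bot: `kernel_signal(mdadm_t)` and `kernel_stream_connect(mdadm_t)` are wider than the stated need (reaching an mdadm instance left running as kernel_t). kernel_t also labels kernel threads and every early-boot process that has not transitioned yet, so this lets any mdadm_t process signal and connect to all of them. The root cause is the unlabelled early mdadm; if it cannot be made to run in mdadm_t (for example by re-executing it once policy is loaded), add a comment above these two lines explaining the kernel_t case so the grant is not mistaken for a generic allowance.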
@@ -76174,7 +76349,7 @@ index c99753f..2d260c2 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
-@@ -71,15 +100,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -71,15 +102,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
@@ -76196,7 +76371,7 @@ index c99753f..2d260c2 100644
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -90,17 +124,38 @@ optional_policy(`
+@@ -90,17 +126,38 @@ optional_policy(`
')
optional_policy(`
@@ -90005,10 +90180,10 @@ index d204752..31cc6e6 100644
+ ')
')
diff --git a/sensord.te b/sensord.te
-index 5e82fd6..f3e5808 100644
+index 5e82fd6..64e130f 100644
--- a/sensord.te
+++ b/sensord.te
-@@ -9,12 +9,18 @@ type sensord_t;
+@@ -9,27 +9,35 @@ type sensord_t;
type sensord_exec_t;
init_daemon_domain(sensord_t, sensord_exec_t)
@@ -90027,7 +90202,10 @@ index 5e82fd6..f3e5808 100644
########################################
#
# Local policy
-@@ -23,13 +29,13 @@ files_pid_file(sensord_var_run_t)
+ #
+
++allow sensord_t self:process signal;
++
allow sensord_t self:fifo_file rw_fifo_file_perms;
allow sensord_t self:unix_stream_socket create_stream_socket_perms;
@@ -94803,7 +94981,7 @@ index a240455..16a04bf 100644
- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
-index 2d8db1f..83033bf 100644
+index 2d8db1f..1f205fe 100644
--- a/sssd.te
+++ b/sssd.te
@@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t)
@@ -94894,11 +95072,12 @@ index 2d8db1f..83033bf 100644
init_read_utmp(sssd_t)
-@@ -112,18 +109,34 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +109,35 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_generic_certs(sssd_t)
-miscfiles_read_localization(sssd_t)
++miscfiles_dontaudit_access_check_cert(sssd_t)
sysnet_dns_name_resolve(sssd_t)
sysnet_use_ldap(sssd_t)
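Review bot: `miscfiles_dontaudit_access_check_cert(sssd_t)` suppresses only the access-check probe denials, so a genuine failed read of the cert store remains audited, which is the right trade-off; a short comment that sssd probes the cert directories with access(2) before opening them would document why this is a safe dontaudit rather than a masked real denial.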
@@ -101033,7 +101212,7 @@ index a4f20bc..9ccc90c 100644
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index facdee8..88dcafb 100644
+index facdee8..d179539 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -102342,11 +102521,10 @@ index facdee8..88dcafb 100644
+ optional_policy(`
+ ptchown_run(virt_domain, $2)
+ ')
- ')
-
- ########################################
- ##
--## Append virt log files.
++')
++
++########################################
++##
+## Do not audit attempts to write virt daemon unnamed pipes.
+##
+##
@@ -102362,10 +102540,11 @@ index facdee8..88dcafb 100644
+
+ dontaudit $1 virtd_t:fd use;
+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Append virt log files.
+## Send a sigkill to virtual machines
##
##
@@ -102777,7 +102956,7 @@ index facdee8..88dcafb 100644
##
##
##
-@@ -1136,50 +1299,36 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1299,53 @@ interface(`virt_manage_images',`
#
interface(`virt_admin',`
gen_require(`
@@ -102816,44 +102995,60 @@ index facdee8..88dcafb 100644
- fs_search_tmpfs($1)
- admin_pattern($1, virt_tmpfs_type)
--
++ allow $1 virt_domain:process signal_perms;
+
- files_search_tmp($1)
- admin_pattern($1, { virt_tmp_type virt_tmp_t })
--
++ admin_pattern($1, virt_file_type)
++ admin_pattern($1, svirt_file_type)
+
- files_search_etc($1)
- admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
--
++ virt_systemctl($1)
++ allow $1 virtd_unit_file_t:service all_service_perms;
+
- logging_search_logs($1)
- admin_pattern($1, virt_log_t)
-
- files_search_pids($1)
- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
-+ allow $1 virt_domain:process signal_perms;
-
+-
- files_search_var($1)
- admin_pattern($1, svirt_cache_t)
-
- files_search_var_lib($1)
- admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t })
-+ admin_pattern($1, virt_file_type)
-+ admin_pattern($1, svirt_file_type)
-
+-
- files_search_locks($1)
- admin_pattern($1, virt_lock_t)
-+ virt_systemctl($1)
-+ allow $1 virtd_unit_file_t:service all_service_perms;
-
-- dev_list_all_dev_nodes($1)
-- allow $1 virt_ptynode:chr_file rw_term_perms;
+ virt_stream_connect_sandbox($1)
+ virt_stream_connect_svirt($1)
+ virt_stream_connect($1)
++')
++#######################################
++##
++## Getattr on virt executable.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`virt_default_capabilities',`
++ gen_require(`
++ attribute sandbox_caps_domain;
++ ')
+
+- dev_list_all_dev_nodes($1)
+- allow $1 virt_ptynode:chr_file rw_term_perms;
++ typeattribute $1 sandbox_caps_domain;
')
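Review bot: the doc block of the new virt_default_capabilities interface is a copy-paste leftover. Its summary says "Getattr on virt executable." and the parameter text says "Domain allowed to transition.", but the body only does "typeattribute $1 sandbox_caps_domain;". Rewrite the summary to say that it assigns the domain the default sandbox capability set carried by sandbox_caps_domain (the docker-default set the changelog refers to) and describe the parameter as the sandbox domain that receives those capabilities. Style: the closing "')" of virt_admin is immediately followed by the "####" banner of the new interface; add the blank line that every other interface in virt.if has.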
diff --git a/virt.te b/virt.te
-index f03dcf5..67904c0 100644
+index f03dcf5..f5766e6 100644
--- a/virt.te
+++ b/virt.te
-@@ -1,150 +1,212 @@
+@@ -1,150 +1,227 @@
-policy_module(virt, 1.7.4)
+policy_module(virt, 1.5.0)
@@ -102876,6 +103071,7 @@ index f03dcf5..67904c0 100644
+attribute svirt_file_type;
+attribute virt_file_type;
+attribute sandbox_net_domain;
++attribute sandbox_caps_domain;
+
+type svirt_tmp_t, svirt_file_type;
+files_tmp_file(svirt_tmp_t)
@@ -103011,35 +103207,49 @@ index f03dcf5..67904c0 100644
+##
+##
+gen_tunable(virt_sandbox_use_samba, false)
++
++##
++##
++## Allow sandbox containers to send audit messages
++
++##
++##
++gen_tunable(virt_sandbox_use_audit, true)
-attribute svirt_lxc_domain;
+##
+##
-+## Allow sandbox containers to send audit messages
++## Allow sandbox containers to use netlink system calls
++##
++##
++gen_tunable(virt_sandbox_use_netlink, false)
-attribute_role virt_domain_roles;
-roleattribute system_r virt_domain_roles;
++##
++##
++## Allow sandbox containers to use sys_admin system calls, for example mount
+##
+##
-+gen_tunable(virt_sandbox_use_audit, true)
++gen_tunable(virt_sandbox_use_sys_admin, false)
-attribute_role virt_bridgehelper_roles;
-roleattribute system_r virt_bridgehelper_roles;
+##
+##
-+## Allow sandbox containers to use netlink system calls
++## Allow sandbox containers to use mknod system calls
+##
+##
-+gen_tunable(virt_sandbox_use_netlink, false)
++gen_tunable(virt_sandbox_use_mknod, false)
-attribute_role svirt_lxc_domain_roles;
-roleattribute system_r svirt_lxc_domain_roles;
+##
+##
-+## Allow sandbox containers to use sys_admin system calls, for example mount
++## Allow sandbox containers to use all capabilities
+##
+##
-+gen_tunable(virt_sandbox_use_sys_admin, false)
++gen_tunable(virt_sandbox_use_all_caps, false)
virt_domain_template(svirt)
-virt_domain_template(svirt_prot_exec)
@@ -103136,7 +103346,7 @@ index f03dcf5..67904c0 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -153,299 +215,132 @@ ifdef(`enable_mls',`
+@@ -153,299 +230,132 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
')
@@ -103399,16 +103609,16 @@ index f03dcf5..67904c0 100644
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
-+# it was a part of auth_use_nsswitch
-+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
-
-corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_udp_bind_generic_node(svirt_t)
--
++# it was a part of auth_use_nsswitch
++allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+
-corenet_all_recvfrom_unlabeled(svirt_t)
-corenet_all_recvfrom_netlabel(svirt_t)
-corenet_tcp_sendrecv_generic_if(svirt_t)
@@ -103511,7 +103721,7 @@ index f03dcf5..67904c0 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +350,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +365,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -103558,24 +103768,24 @@ index f03dcf5..67904c0 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,23 +385,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,23 +400,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
--
--stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
--
--can_exec(virtd_t, virt_tmp_t)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
+-can_exec(virtd_t, virt_tmp_t)
+-
-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
@@ -103589,7 +103799,7 @@ index f03dcf5..67904c0 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -527,24 +406,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +421,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -103617,7 +103827,7 @@ index f03dcf5..67904c0 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -555,22 +426,27 @@ dev_rw_vhost(virtd_t)
+@@ -555,22 +441,27 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -103650,7 +103860,7 @@ index f03dcf5..67904c0 100644
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
-@@ -601,15 +477,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +492,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -103670,7 +103880,7 @@ index f03dcf5..67904c0 100644
selinux_validate_context(virtd_t)
-@@ -620,18 +499,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +514,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -103707,7 +103917,7 @@ index f03dcf5..67904c0 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -640,7 +527,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -640,7 +542,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -103716,7 +103926,7 @@ index f03dcf5..67904c0 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -665,20 +552,12 @@ optional_policy(`
+@@ -665,20 +567,12 @@ optional_policy(`
')
optional_policy(`
@@ -103737,7 +103947,7 @@ index f03dcf5..67904c0 100644
')
optional_policy(`
-@@ -691,20 +570,26 @@ optional_policy(`
+@@ -691,20 +585,26 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -103768,7 +103978,7 @@ index f03dcf5..67904c0 100644
')
optional_policy(`
-@@ -712,11 +597,18 @@ optional_policy(`
+@@ -712,11 +612,18 @@ optional_policy(`
')
optional_policy(`
@@ -103787,7 +103997,7 @@ index f03dcf5..67904c0 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
-@@ -727,10 +619,18 @@ optional_policy(`
+@@ -727,10 +634,18 @@ optional_policy(`
')
optional_policy(`
@@ -103806,7 +104016,7 @@ index f03dcf5..67904c0 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -746,44 +646,277 @@ optional_policy(`
+@@ -746,44 +661,277 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@@ -103844,7 +104054,13 @@ index f03dcf5..67904c0 100644
-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+kernel_read_net_sysctls(virt_domain)
+kernel_read_network_state(virt_domain)
-+
+
+-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+userdom_search_user_home_content(virt_domain)
+userdom_read_user_home_content_symlinks(virt_domain)
+userdom_read_all_users_state(virt_domain)
@@ -103854,17 +104070,15 @@ index f03dcf5..67904c0 100644
+manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
-+
+
+-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
--manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
+
+manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@@ -103896,18 +104110,14 @@ index f03dcf5..67904c0 100644
+
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
--manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-allow virsh_t svirt_lxc_domain:process transition;
+dontaudit virt_domain virt_tmpfs_type:file { read write };
--dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+-can_exec(virsh_t, virsh_exec_t)
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
-
--allow virsh_t svirt_lxc_domain:process transition;
++
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-
--can_exec(virsh_t, virsh_exec_t)
++
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
+
@@ -104046,7 +104256,7 @@ index f03dcf5..67904c0 100644
+tunable_policy(`virt_use_rawip',`
+ allow virt_domain self:rawip_socket create_socket_perms;
+')
-
++
+optional_policy(`
+ tunable_policy(`virt_use_xserver',`
+ xserver_stream_connect(virt_domain)
@@ -104070,7 +104280,7 @@ index f03dcf5..67904c0 100644
+allow virsh_t self:tcp_socket create_stream_socket_perms;
+
+ps_process_pattern(virsh_t, svirt_sandbox_domain)
-+
+
+can_exec(virsh_t, virsh_exec_t)
virt_domtrans(virsh_t)
virt_manage_images(virsh_t)
@@ -104106,7 +104316,7 @@ index f03dcf5..67904c0 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +927,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +942,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -104133,7 +104343,7 @@ index f03dcf5..67904c0 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +947,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +962,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -104167,7 +104377,7 @@ index f03dcf5..67904c0 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +984,20 @@ optional_policy(`
+@@ -856,14 +999,20 @@ optional_policy(`
')
optional_policy(`
@@ -104189,7 +104399,7 @@ index f03dcf5..67904c0 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1022,65 @@ optional_policy(`
+@@ -888,49 +1037,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -104273,7 +104483,7 @@ index f03dcf5..67904c0 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1092,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1107,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -104293,7 +104503,7 @@ index f03dcf5..67904c0 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1113,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1128,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -104317,7 +104527,7 @@ index f03dcf5..67904c0 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1138,308 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1153,316 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -104455,28 +104665,6 @@ index f03dcf5..67904c0 100644
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
-+
-+optional_policy(`
-+ apache_exec_modules(svirt_sandbox_domain)
-+ apache_read_sys_content(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
-+ docker_manage_lib_files(svirt_lxc_net_t)
-+ docker_manage_lib_dirs(svirt_lxc_net_t)
-+ docker_read_share_files(svirt_sandbox_domain)
-+ docker_exec_lib(svirt_sandbox_domain)
-+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
-+ docker_use_ptys(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
-+ gear_read_pid_files(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
-+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
-+')
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -104561,17 +104749,39 @@ index f03dcf5..67904c0 100644
-
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
-+ ssh_use_ptys(svirt_sandbox_domain)
++ apache_exec_modules(svirt_sandbox_domain)
++ apache_read_sys_content(svirt_sandbox_domain)
+')
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
-+ udev_read_pid_files(svirt_sandbox_domain)
++ docker_manage_lib_files(svirt_lxc_net_t)
++ docker_manage_lib_dirs(svirt_lxc_net_t)
++ docker_read_share_files(svirt_sandbox_domain)
++ docker_exec_lib(svirt_sandbox_domain)
++ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
++ docker_use_ptys(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
++ gear_read_pid_files(svirt_sandbox_domain)
++')
++
++optional_policy(`
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++')
++
++optional_policy(`
++ ssh_use_ptys(svirt_sandbox_domain)
++')
++
++optional_policy(`
++ udev_read_pid_files(svirt_sandbox_domain)
++')
++
++optional_policy(`
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
+')
+
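Review bot: style in the docker optional_policy block that was moved here: "docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)" is missing the space after the first comma, and the two docker_manage_lib_files/docker_manage_lib_dirs calls target svirt_lxc_net_t inside a block whose other five calls are for svirt_sandbox_domain. Move those two lines into the "svirt_lxc_net_t local policy" section so a reader can see at a glance which sandbox domain is being given write access to docker's lib files.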
@@ -104594,11 +104804,11 @@ index f03dcf5..67904c0 100644
-# Lxc net local policy
+# svirt_lxc_net_t local policy
#
+-
+-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
+virt_sandbox_domain_template(svirt_lxc_net)
++virt_default_capabilities(svirt_lxc_net_t)
+typeattribute svirt_lxc_net_t sandbox_net_domain;
-
--allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
-+allow svirt_lxc_net_t self:capability { kill setuid setgid ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_nice sys_ptrace };
dontaudit svirt_lxc_net_t self:capability2 block_suspend;
-allow svirt_lxc_net_t self:process setrlimit;
-allow svirt_lxc_net_t self:tcp_socket { accept listen };
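Review bot: swapping the explicit capability allow for virt_default_capabilities(svirt_lxc_net_t) changes the granted set, not only where it lives. Compared with the removed line "allow svirt_lxc_net_t self:capability { kill setuid setgid ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_nice sys_ptrace };", the sandbox_caps_domain rule added at the end of virt.te drops ipc_lock, dac_read_search, fsetid, sys_nice and sys_ptrace and adds setpcap, net_bind_service, net_raw, mknod, audit_write and setfcap. The changelog line "Change virt.te to match default docker capabilies" only suggests an addition; state in the commit message that previously granted capabilities are withdrawn, since containers relying on sys_ptrace or sys_nice will start failing.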
@@ -104613,6 +104823,10 @@ index f03dcf5..67904c0 100644
-kernel_read_network_state(svirt_lxc_net_t)
-kernel_read_irq_sysctls(svirt_lxc_net_t)
+allow svirt_lxc_net_t self:process { execstack execmem };
++
++tunable_policy(`virt_sandbox_use_sys_admin',`
++ allow svirt_lxc_net_t self:capability sys_admin;
++')
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
@@ -104624,8 +104838,13 @@ index f03dcf5..67904c0 100644
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
-+tunable_policy(`virt_sandbox_use_sys_admin',`
-+ allow svirt_lxc_net_t self:capability sys_admin;
++tunable_policy(`virt_sandbox_use_mknod',`
++ allow svirt_lxc_net_t self:capability mknod;
++')
++
++tunable_policy(`virt_sandbox_use_all_caps',`
++ allow svirt_lxc_net_t self:capability all_capability_perms;
++ allow svirt_lxc_net_t self:capability2 all_capability2_perms;
+')
-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
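Review bot: the virt_sandbox_use_all_caps branch grants all_capability_perms and all_capability2_perms on self, which leaves no capability check enforced by policy for svirt_lxc_net_t at all; the tunable description added above ("Allow sandbox containers to use all capabilities") should say that plainly, and since this set is a superset of everything else, note in a comment next to this tunable_policy block that virt_sandbox_use_sys_admin and virt_sandbox_use_mknod have no effect while it is enabled. The default of false is correct and must stay.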
@@ -104638,15 +104857,15 @@ index f03dcf5..67904c0 100644
+', `
+ logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)
+')
-
--corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
--corenet_tcp_connect_all_ports(svirt_lxc_net_t)
++
+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
+-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
+-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
+kernel_read_irq_sysctls(svirt_lxc_net_t)
+kernel_read_messages(svirt_lxc_net_t)
-+
+
+dev_read_sysfs(svirt_lxc_net_t)
dev_getattr_mtrr_dev(svirt_lxc_net_t)
dev_read_rand(svirt_lxc_net_t)
@@ -104717,7 +104936,8 @@ index f03dcf5..67904c0 100644
+
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
+
+kernel_read_irq_sysctls(svirt_qemu_net_t)
@@ -104726,8 +104946,7 @@ index f03dcf5..67904c0 100644
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
+dev_read_rand(svirt_qemu_net_t)
+dev_read_urand(svirt_qemu_net_t)
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+files_read_kernel_modules(svirt_qemu_net_t)
+
+fs_noxattr_type(svirt_sandbox_file_t)
@@ -104763,7 +104982,7 @@ index f03dcf5..67904c0 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1452,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1475,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -104778,7 +104997,7 @@ index f03dcf5..67904c0 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,9 +1470,8 @@ optional_policy(`
+@@ -1192,9 +1493,8 @@ optional_policy(`
########################################
#
@@ -104789,7 +105008,7 @@ index f03dcf5..67904c0 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1484,216 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1507,218 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -105008,6 +105227,8 @@ index f03dcf5..67904c0 100644
+optional_policy(`
+ systemd_dbus_chat_logind(sandbox_net_domain)
+')
++
++allow sandbox_caps_domain self:capability { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
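Review bot: this sandbox_caps_domain rule already contains mknod unconditionally, so the virt_sandbox_use_mknod tunable ("allow svirt_lxc_net_t self:capability mknod;") is a no-op for svirt_lxc_net_t, which gets the attribute through virt_default_capabilities(svirt_lxc_net_t). Either remove mknod from this list so the boolean actually gates it, as the changelog ("booleans for turning on mknod") implies, or drop the boolean. Also, the rule is appended after the last optional_policy block at the end of the file; putting it next to the "attribute sandbox_caps_domain;" declaration would make the default capability set much easier to find and audit.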
diff --git a/vlock.te b/vlock.te
index 6b72968..de409cc 100644
--- a/vlock.te
@@ -108106,10 +108327,10 @@ index 2695db2..123c042 100644
userdom_search_user_home_dirs(yam_t)
diff --git a/zabbix.fc b/zabbix.fc
-index c3b5a81..6ebb8d6 100644
+index c3b5a81..c384947 100644
--- a/zabbix.fc
+++ b/zabbix.fc
-@@ -4,12 +4,17 @@
+@@ -4,12 +4,22 @@
/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
@@ -108123,9 +108344,14 @@ index c3b5a81..6ebb8d6 100644
+/usr/sbin/zabbix_proxy_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/sbin/zabbix_proxy_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/sbin/zabbix_proxy_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
++
++/usr/lib/zabbix/externalscripts(/.*)? gen_context(system_u:object_r:zabbix_script_exec_t,s0)
++
++/var/lib/zabbixsrv(/.*)? gen_context(system_u:object_r:zabbix_var_lib_t,s0)
++/var/lib/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_lib_t,s0)
++/var/lib/zabbix/externalscripts(/.*)? gen_context(system_u:object_r:zabbix_script_exec_t,s0)
-/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
-+/var/lib/zabbixsrv(/.*)? gen_context(system_u:object_r:zabbix_var_lib_t,s0)
+/var/log/zabbix.* gen_context(system_u:object_r:zabbix_log_t,s0)
/var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0)
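Review bot: both externalscripts entries label the directory and everything under it zabbix_script_exec_t, so every file dropped there becomes an entry point into zabbix_script_t (which the zabbix.te hunk makes unconfined by default). That is only safe because zabbix_t gets no write access to zabbix_script_exec_t; add a comment above these two lines saying these directories must stay non-writable for the zabbix domains and separate from the writable zabbix_var_lib_t tree they sit in.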
@@ -108292,7 +108518,7 @@ index dd63de0..38ce620 100644
- admin_pattern($1, zabbix_tmpfs_t)
')
diff --git a/zabbix.te b/zabbix.te
-index 7f496c6..11bcf63 100644
+index 7f496c6..d594e47 100644
--- a/zabbix.te
+++ b/zabbix.te
@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
@@ -108331,7 +108557,7 @@ index 7f496c6..11bcf63 100644
type zabbix_log_t;
logging_log_file(zabbix_log_t)
-@@ -36,27 +41,54 @@ files_tmp_file(zabbix_tmp_t)
+@@ -36,27 +41,61 @@ files_tmp_file(zabbix_tmp_t)
type zabbix_tmpfs_t;
files_tmpfs_file(zabbix_tmpfs_t)
@@ -108341,8 +108567,15 @@ index 7f496c6..11bcf63 100644
type zabbix_var_run_t;
files_pid_file(zabbix_var_run_t)
- ########################################
- #
++type zabbix_script_t;
++type zabbix_script_exec_t;
++domain_type(zabbix_script_t)
++domain_entry_file(zabbix_script_t, zabbix_script_exec_t)
++application_executable_file(zabbix_script_exec_t)
++role system_r types zabbix_script_t;
++
++########################################
++#
+# zabbix domain local policy
+#
+
@@ -108367,8 +108600,8 @@ index 7f496c6..11bcf63 100644
+dev_read_sysfs(zabbix_domain)
+dev_read_urand(zabbix_domain)
+
-+########################################
-+#
+ ########################################
+ #
# Local policy
#
@@ -108398,7 +108631,7 @@ index 7f496c6..11bcf63 100644
manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
-@@ -70,13 +102,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+@@ -70,13 +109,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
kernel_read_system_state(zabbix_t)
@@ -108412,7 +108645,7 @@ index 7f496c6..11bcf63 100644
corenet_sendrecv_ftp_client_packets(zabbix_t)
corenet_tcp_connect_ftp_port(zabbix_t)
-@@ -85,24 +113,18 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
+@@ -85,24 +120,18 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
corenet_sendrecv_http_client_packets(zabbix_t)
corenet_tcp_connect_http_port(zabbix_t)
corenet_tcp_sendrecv_http_port(zabbix_t)
@@ -108440,7 +108673,7 @@ index 7f496c6..11bcf63 100644
tunable_policy(`zabbix_can_network',`
corenet_sendrecv_all_client_packets(zabbix_t)
corenet_tcp_connect_all_ports(zabbix_t)
-@@ -110,12 +132,11 @@ tunable_policy(`zabbix_can_network',`
+@@ -110,12 +139,11 @@ tunable_policy(`zabbix_can_network',`
')
optional_policy(`
@@ -108455,7 +108688,7 @@ index 7f496c6..11bcf63 100644
')
optional_policy(`
-@@ -125,6 +146,7 @@ optional_policy(`
+@@ -125,6 +153,7 @@ optional_policy(`
optional_policy(`
snmp_read_snmp_var_lib_files(zabbix_t)
@@ -108463,7 +108696,7 @@ index 7f496c6..11bcf63 100644
')
########################################
-@@ -132,18 +154,7 @@ optional_policy(`
+@@ -132,18 +161,7 @@ optional_policy(`
# Agent local policy
#
@@ -108483,7 +108716,7 @@ index 7f496c6..11bcf63 100644
rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
-@@ -151,16 +162,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
+@@ -151,16 +169,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
@@ -108503,7 +108736,7 @@ index 7f496c6..11bcf63 100644
corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
-@@ -177,21 +185,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
+@@ -177,21 +192,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
dev_getattr_all_blk_files(zabbix_agent_t)
dev_getattr_all_chr_files(zabbix_agent_t)
@@ -108536,6 +108769,27 @@ index 7f496c6..11bcf63 100644
+optional_policy(`
+ hostname_exec(zabbix_agent_t)
+')
++
++########################################
++#
++# zabbix_script_t local policy
++#
++
++domtrans_pattern(zabbix_t, zabbix_script_exec_t, zabbix_script_t)
++
++allow zabbix_t zabbix_script_exec_t:dir search_dir_perms;
++allow zabbix_t zabbix_script_exec_t:dir read_file_perms;
++allow zabbix_t zabbix_script_exec_t:file ioctl;
++
++init_domtrans_script(zabbix_script_t)
++
++optional_policy(`
++ mta_send_mail(zabbix_script_t)
++')
++
++optional_policy(`
++ unconfined_domain(zabbix_script_t)
++')
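Review bot: "allow zabbix_t zabbix_script_exec_t:dir read_file_perms;" applies a file permission set to the dir class. It compiles, because dir shares those common permissions, but the idiomatic set is list_dir_perms, which also covers the search_dir_perms line just above it; collapse both into "allow zabbix_t zabbix_script_exec_t:dir list_dir_perms;". For the optional unconfined_domain(zabbix_script_t), add a comment stating that with the unconfined module loaded (the default) every script under externalscripts runs fully unconfined and that "semodule -d unconfined" is the documented way to get a confined zabbix_script_t, since nothing in the policy file itself says so.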
diff --git a/zarafa.fc b/zarafa.fc
index faf99ed..44e94fa 100644
--- a/zarafa.fc
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9c6e386..f91be52 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 67%{?dist}
+Release: 68%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -600,7 +600,50 @@ SELinux Reference policy mls base module.
%endif
%changelog
-* Thu Jul 24 2014 Lukas Vrabec 3.13.1-67
+* Thu Jul 31 2014 Miroslav Grepl 3.13.1-68
+- Add new mozilla_plugin_bind_unreserved_ports boolean to allow mozilla plugin to use tcp/udp unreserved ports. There is a lot of plugins which binds ports without SELinux port type. We want to allow users to use these plugins properly using this boolean. (#1109681)
+- Allow smokeping cgi scripts to accept connection on httpd stream socket.
+- docker does a getattr on all file systems
+- Label all abort-dump programs
+- Allow alsa to create lock file to see if it fixes.
+- Add support for zabbix external scripts for which zabbix_script_t domain has been created. This domain is unconfined by default and user needs to run "semodule -d unconfined" to make system running without unconfined domains. The default location of these scripts is /usr/lib/zabbix/externalscripts. If a user change DATADIR in CONFIG_EXTERNALSCRIPTS then he needs to set labeling for this new location.
+- Add interface for journalctl_exec
+- Add labels also for glusterd sockets.
+- Change virt.te to match default docker capabilies
+- Add additional booleans for turning on mknod or all caps.
+- Also add interface to allow users to write policy that matches docker defaults
+- for capabilies.
+- Label dhcpd6 unit file.
+- Add support also for dhcp IPv6 services.
+- Added support for dhcrelay service
+- Additional access for bluejeans
+- docker needs more access, need back port to RHEL7
+- Allow mdadm to connect to own socket created by mdadm running as kernel_t.
+- Fix pkcs, Remove pkcs_lock_filetrans and Add files_search_locks
+- Allow bacula manage bacula_log_t dirs
+- Allow pkcs_slotd_t read /etc/passwd, Label /var/lock/opencryptoki as pkcs_slotd_lock_t
+- Fix mistakes keystone and quantum
+- Label neutron var run dir
+- Label keystone var run dir
+- Fix bad labeling for /usr/s?bin/(oo|rhc)-restorer-wrapper.sh in openshift.fc.
+- Dontaudit attempts to access check cert dirs/files for sssd.
+- Allow sensord to send a signal.
+- Allow certmonger to stream connect to dirsrv to make ipa-server-install working.
+- Label zabbix_var_lib_t directories
+- Label conmans pid file as conman_var_run_t
+- Label also /var/run/glusterd.socket file as gluster_var_run_t
+- Fix policy for pkcsslotd from opencryptoki
+- Update cockpik policy from cockpit usptream.
+- Allow certmonger to exec ldconfig to make ipa-server-install working.
+- Added support for Naemon policy
+- Allow keepalived manage snmp files
+- Add setpgid process to mip6d
+- remove duplicate rule
+- Allow postfix_smtpd to stream connect to antivirus
+- Dontaudit list /tmp for icecast
+- Allow zabbix domains to access /proc//net/dev.
+
+* Wed Jul 23 2014 Lukas Vrabec 3.13.1-67
- Allow zabbix domains to access /proc//net/dev.
- Dontaudit list /tmp for icecast (#894387)
- Allow postfix_smtpd to stream connect to antivirus (#1105889)
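Review bot: the changelog block carries entries that do not belong to 3.13.1-68 and rewrites an already released entry. The last three bullets of the -68 list ("Allow zabbix domains to access /proc//net/dev.", "Dontaudit list /tmp for icecast", "Allow postfix_smtpd to stream connect to antivirus") repeat the first three bullets of 3.13.1-67 with their bug numbers stripped, and the -67 header is changed from "Thu Jul 24 2014" to "Wed Jul 23 2014". Drop the duplicates, leave the old header untouched, and fix the typos: "capabilies" (twice), "cockpik", "usptream", the double slash in "/proc//net/dev", and the bullet "- for capabilies.", which is the continuation of the previous line rather than an entry of its own.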