From f6de2d2a2e61e990f7cda78f971d0382766b19aa Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Sep 02 2016 13:13:18 +0000
Subject: * Fri Sep 02 2016 Lukas Vrabec 3.13.1-213
- Label /var/lib/docker/vfs as svirt_sandbox_file_t in virt SELinux module
- Label /usr/bin/pappet as puppetagent_exec_t
- Allow amanda to create dir in /var/lib/ with amanda_var_lib_t label
- Allow run sulogin_t in range mls_systemlow-mls_systemhigh.
---
diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index f1022ab..fd92246 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 736b123..26f2fe8 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -40564,7 +40564,7 @@ index 0e3c2a9..ea9bd57 100644
+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
+')
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 446fa99..22f539c 100644
+index 446fa99..d66491c 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@@ -40588,7 +40588,7 @@ index 446fa99..22f539c 100644
+')
+
+ifdef(`enable_mls',`
-+ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, mls_systemhigh)
++ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, s0 - mls_systemhigh)
+')
+
########################################
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 522ac0c..ff08db5 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -2275,7 +2275,7 @@ index 7f4dfbc..e5c9f45 100644
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
diff --git a/amanda.te b/amanda.te
-index 519051c..0f871e6 100644
+index 519051c..69a4c66 100644
--- a/amanda.te
+++ b/amanda.te
@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
@@ -2313,7 +2313,15 @@ index 519051c..0f871e6 100644 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) allow amanda_t amanda_dumpdates_t:file rw_file_perms; -@@ -100,13 +104,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) +@@ -81,6 +85,7 @@ allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms; + + manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) + manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) ++files_var_lib_filetrans(amanda_t, amanda_var_lib_t, dir) + + manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t) + manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t) +@@ -100,13 +105,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) corecmd_exec_shell(amanda_t) corecmd_exec_bin(amanda_t) @@ -2330,7 +2338,7 @@ index 519051c..0f871e6 100644 corenet_sendrecv_all_server_packets(amanda_t) corenet_tcp_bind_all_rpc_ports(amanda_t) corenet_tcp_bind_generic_port(amanda_t) -@@ -114,6 +120,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) +@@ -114,6 +121,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) dev_getattr_all_blk_files(amanda_t) dev_getattr_all_chr_files(amanda_t) @@ -2338,7 +2346,7 @@ index 519051c..0f871e6 100644 files_read_etc_runtime_files(amanda_t) files_list_all(amanda_t) -@@ -130,6 +137,7 @@ fs_list_all(amanda_t) +@@ -130,6 +138,7 @@ fs_list_all(amanda_t) storage_raw_read_fixed_disk(amanda_t) storage_read_tape(amanda_t) storage_write_tape(amanda_t) @@ -2346,7 +2354,7 @@ index 519051c..0f871e6 100644 auth_use_nsswitch(amanda_t) auth_read_shadow(amanda_t) -@@ -170,7 +178,6 @@ kernel_read_system_state(amanda_recover_t) +@@ -170,7 +179,6 @@ kernel_read_system_state(amanda_recover_t) corecmd_exec_shell(amanda_recover_t) corecmd_exec_bin(amanda_recover_t) 
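Review bot: `files_var_lib_filetrans(amanda_t, amanda_var_lib_t, dir)` in the inner `@@ -81,6 +85,7 @@` amanda.te hunk is an unnamed transition, so every directory amanda_t creates directly under /var/lib receives amanda_var_lib_t, not only Amanda's own state directory. If that directory has a fixed name, pass it as the fourth argument so the transition is limited to it, e.g. `files_var_lib_filetrans(amanda_t, amanda_var_lib_t, dir, "<AMANDA_DIR_NAME>")` (the name is not on the page). The changelog item "Allow amanda to create dir in /var/lib/" would then also say which directory is meant.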
@@ -2354,7 +2362,7 @@ index 519051c..0f871e6 100644 corenet_all_recvfrom_netlabel(amanda_recover_t) corenet_tcp_sendrecv_generic_if(amanda_recover_t) corenet_udp_sendrecv_generic_if(amanda_recover_t) -@@ -195,12 +202,16 @@ files_search_tmp(amanda_recover_t) +@@ -195,12 +203,16 @@ files_search_tmp(amanda_recover_t) auth_use_nsswitch(amanda_recover_t) @@ -37938,10 +37946,18 @@ index fbb54e7..05c3777 100644 ######################################## diff --git a/inetd.te b/inetd.te -index c6450df..6304b00 100644 +index c6450df..ed6af79 100644 --- a/inetd.te +++ b/inetd.te -@@ -37,9 +37,9 @@ ifdef(`enable_mcs',` +@@ -21,6 +21,7 @@ files_pid_file(inetd_var_run_t) + type inetd_child_t; + type inetd_child_exec_t; + inetd_service_domain(inetd_child_t, inetd_child_exec_t) ++init_daemon_domain(inetd_child_t, inetd_child_exec_t) + + type inetd_child_tmp_t; + files_tmp_file(inetd_child_tmp_t) +@@ -37,9 +38,9 @@ ifdef(`enable_mcs',` # Local policy # @@ -37953,7 +37969,7 @@ index c6450df..6304b00 100644 allow inetd_t self:fifo_file rw_fifo_file_perms; allow inetd_t self:tcp_socket { accept listen }; allow inetd_t self:fd use; -@@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t) +@@ -61,6 +62,7 @@ kernel_read_system_state(inetd_t) kernel_tcp_recvfrom_unlabeled(inetd_t) corecmd_bin_domtrans(inetd_t, inetd_child_t) @@ -37961,7 +37977,7 @@ index c6450df..6304b00 100644 corenet_all_recvfrom_unlabeled(inetd_t) corenet_all_recvfrom_netlabel(inetd_t) -@@ -98,6 +99,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t) +@@ -98,6 +100,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t) corenet_tcp_bind_inetd_child_port(inetd_t) corenet_udp_bind_inetd_child_port(inetd_t) 
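Review bot: `init_daemon_domain(inetd_child_t, inetd_child_exec_t)` in the inetd.te `@@ -21,6 +21,7 @@` hunk lets init transition straight into inetd_child_t when it executes an inetd_child_exec_t binary, so a unit that starts such a binary without passing through inetd_t lands in the child domain, which the later inetd.te hunks widen considerably. That is presumably meant for systemd socket activation, but it is not one of the four changelog items; please add a line stating why inetd_child_t has to be an init daemon domain. The rsync.te hunk that now keeps `init_daemon_domain(rsync_t, rsync_exec_t)` is missing from the changelog for the same reason.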
@@ -37973,7 +37989,7 @@ index c6450df..6304b00 100644 corenet_sendrecv_ircd_server_packets(inetd_t) corenet_tcp_bind_ircd_port(inetd_t) -@@ -141,6 +147,9 @@ corenet_sendrecv_git_server_packets(inetd_t) +@@ -141,6 +148,9 @@ corenet_sendrecv_git_server_packets(inetd_t) corenet_tcp_bind_git_port(inetd_t) corenet_udp_bind_git_port(inetd_t) @@ -37983,7 +37999,7 @@ index c6450df..6304b00 100644 dev_read_sysfs(inetd_t) domain_use_interactive_fds(inetd_t) -@@ -157,8 +166,6 @@ auth_use_nsswitch(inetd_t) +@@ -157,8 +167,6 @@ auth_use_nsswitch(inetd_t) logging_send_syslog_msg(inetd_t) @@ -37992,7 +38008,7 @@ index c6450df..6304b00 100644 mls_fd_share_all_levels(inetd_t) mls_socket_read_to_clearance(inetd_t) mls_socket_write_to_clearance(inetd_t) -@@ -188,17 +195,13 @@ optional_policy(` +@@ -188,17 +196,13 @@ optional_policy(` ') optional_policy(` @@ -38011,7 +38027,7 @@ index c6450df..6304b00 100644 ######################################## # # Child local policy -@@ -220,6 +223,16 @@ kernel_read_kernel_sysctls(inetd_child_t) +@@ -220,6 +224,16 @@ kernel_read_kernel_sysctls(inetd_child_t) kernel_read_network_state(inetd_child_t) kernel_read_system_state(inetd_child_t) @@ -38028,7 +38044,7 @@ index c6450df..6304b00 100644 dev_read_urand(inetd_child_t) fs_getattr_xattr_fs(inetd_child_t) -@@ -230,7 +243,15 @@ auth_use_nsswitch(inetd_child_t) +@@ -230,7 +244,15 @@ auth_use_nsswitch(inetd_child_t) logging_send_syslog_msg(inetd_child_t) @@ -79153,10 +79169,10 @@ index 6643b49..dd0c3d3 100644 optional_policy(` diff --git a/puppet.fc b/puppet.fc -index d68e26d..2542f5a 100644 +index d68e26d..3b08cfd 100644 --- a/puppet.fc +++ b/puppet.fc -@@ -1,18 +1,22 @@ +@@ -1,18 +1,23 @@ -/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) +/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) +/etc/puppetlabs(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) 
@@ -79178,6 +79194,7 @@ index d68e26d..2542f5a 100644 -/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) -/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) +/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) ++/usr/bin/puppet -- gen_context(system_u:object_r:puppetagent_exec_t,s0) +/usr/bin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0) +/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) @@ -93000,10 +93017,10 @@ index f1140ef..642e062 100644 + files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock") ') diff --git a/rsync.te b/rsync.te -index abeb302..6836678 100644 +index abeb302..b27a479 100644 --- a/rsync.te +++ b/rsync.te -@@ -6,67 +6,45 @@ policy_module(rsync, 1.13.0) +@@ -6,67 +6,46 @@ policy_module(rsync, 1.13.0) # ## @@ -93076,11 +93093,11 @@ index abeb302..6836678 100644 type rsync_t; type rsync_exec_t; --init_daemon_domain(rsync_t, rsync_exec_t) --application_domain(rsync_t, rsync_exec_t) --role rsync_roles types rsync_t; +application_executable_file(rsync_exec_t) +role system_r types rsync_t; + init_daemon_domain(rsync_t, rsync_exec_t) +-application_domain(rsync_t, rsync_exec_t) +-role rsync_roles types rsync_t; type rsync_etc_t; files_config_file(rsync_etc_t) @@ -93090,7 +93107,7 @@ index abeb302..6836678 100644 files_type(rsync_data_t) type rsync_log_t; -@@ -86,15 +64,25 @@ files_pid_file(rsync_var_run_t) +@@ -86,15 +65,25 @@ files_pid_file(rsync_var_run_t) allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; allow rsync_t self:process signal_perms; allow rsync_t self:fifo_file rw_fifo_file_perms; 
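Review bot: `/usr/bin/puppet -- gen_context(system_u:object_r:puppetagent_exec_t,s0)` labels the single multi-command puppet binary as the agent entry point while `/usr/bin/puppetmasterd` and `/usr/bin/puppetca` keep puppetmaster_exec_t and puppetca_exec_t; as far as this hunk shows, a master or cert subcommand launched through /usr/bin/puppet would therefore run in the agent domain rather than in the master or CA domain (the transition rules live outside this hunk, so confirm). If that is intended, a comment above the line such as `# /usr/bin/puppet dispatches all subcommands; they run as the agent` records the decision. The changelog item spells the path `/usr/bin/pappet`; it should read `/usr/bin/puppet` to match the added spec.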
@@ -93121,7 +93138,7 @@ index abeb302..6836678 100644 logging_log_filetrans(rsync_t, rsync_log_t, file) manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -@@ -108,46 +96,55 @@ kernel_read_kernel_sysctls(rsync_t) +@@ -108,46 +97,55 @@ kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) @@ -93195,7 +93212,7 @@ index abeb302..6836678 100644 ') tunable_policy(`rsync_export_all_ro',` -@@ -161,38 +158,24 @@ tunable_policy(`rsync_export_all_ro',` +@@ -161,38 +159,24 @@ tunable_policy(`rsync_export_all_ro',` auth_tunable_read_shadow(rsync_t) ') @@ -111608,10 +111625,10 @@ index 3d11c6a..b19a117 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index a4f20bc..f3d5b04 100644 +index a4f20bc..17edb35 100644 --- a/virt.fc +++ b/virt.fc -@@ -1,51 +1,111 @@ +@@ -1,51 +1,114 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) @@ -111756,13 +111773,16 @@ index a4f20bc..f3d5b04 100644 + +/var/lib/kubelet(/.*)? gen_context(system_u:object_r:svirt_sandbox_file_t,s0) + ++/var/lib/docker/vfs(/.*)? gen_context(system_u:object_r:svirt_sandbox_file_t,s0) ++/var/lib/docker-latest/vfs(/.*)? gen_context(system_u:object_r:svirt_sandbox_file_t,s0) ++ +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) + +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..816d860 100644 +index facdee8..12e74f1 100644 --- a/virt.if +++ b/virt.if @@ -1,318 +1,231 @@ 
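Review bot: The new specs `/var/lib/docker/vfs(/.*)?` and `/var/lib/docker-latest/vfs(/.*)?` in the virt.fc hunk give the vfs graph-driver store svirt_sandbox_file_t, which every svirt_sandbox_domain may manage; that is consistent with the existing `/var/lib/kubelet(/.*)?` entry, but docker-selinux.tgz in the same commit is a binary blob, so it cannot be checked here whether the docker module already carries a spec for the same paths. Please confirm the two modules do not declare differing contexts for /var/lib/docker/vfs before this lands. The changelog names only /var/lib/docker/vfs; add /var/lib/docker-latest/vfs to it as well.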
@@ -112589,7 +112609,7 @@ index facdee8..816d860 100644 ## ## ## -@@ -673,54 +539,472 @@ interface(`virt_home_filetrans',` +@@ -673,107 +539,607 @@ interface(`virt_home_filetrans',` ## ## # @@ -112625,14 +112645,8 @@ index facdee8..816d860 100644 gen_require(` - type virt_home_t; + type virt_var_lib_t; - ') - -- userdom_search_user_home_dirs($1) -- allow $1 virt_home_t:dir manage_dir_perms; -- allow $1 virt_home_t:file manage_file_perms; -- allow $1 virt_home_t:fifo_file manage_fifo_file_perms; -- allow $1 virt_home_t:lnk_file manage_lnk_file_perms; -- allow $1 virt_home_t:sock_file manage_sock_file_perms; ++ ') ++ + dontaudit $1 virt_var_lib_t:file read_inherited_file_perms; +') + @@ -112777,20 +112791,14 @@ index facdee8..816d860 100644 + read_lnk_files_pattern($1, virt_image_type, virt_image_type) + read_blk_files_pattern($1, virt_image_type, virt_image_type) + read_chr_files_pattern($1, virt_image_type, virt_image_type) - - tunable_policy(`virt_use_nfs',` -- fs_manage_nfs_dirs($1) -- fs_manage_nfs_files($1) -- fs_manage_nfs_symlinks($1) ++ ++ tunable_policy(`virt_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + fs_read_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` -- fs_manage_cifs_dirs($1) -- fs_manage_cifs_files($1) -- fs_manage_cifs_symlinks($1) ++ ') ++ ++ tunable_policy(`virt_use_samba',` + fs_list_cifs($1) + fs_read_cifs_files($1) + fs_read_cifs_symlinks($1) @@ -112957,14 +112965,13 @@ index facdee8..816d860 100644 +interface(`virt_exec_sandbox_files',` + gen_require(` + type svirt_sandbox_file_t; - ') ++ ') + + can_exec($1, svirt_sandbox_file_t) - ') - - ######################################## - ## --## Relabel virt home content. ++') ++ ++######################################## ++## +## Allow any svirt_sandbox_file_t to be an entrypoint of this domain +## +## 
@@ -113081,19 +113088,97 @@ index facdee8..816d860 100644 +####################################### +## +## Connect to virt over a unix domain stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_stream_connect_sandbox',` ++ gen_require(` ++ attribute svirt_sandbox_domain; ++ type svirt_sandbox_file_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain) ++ ps_process_pattern(svirt_sandbox_domain, $1) ++') ++ ++######################################## ++## ++## Execute qemu in the svirt domain, and ++## allow the specified role the svirt domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the sandbox domain. ++## ++## ++## ++# ++interface(`virt_transition_svirt',` ++ gen_require(` ++ attribute virt_domain; ++ type virt_bridgehelper_t; ++ type svirt_image_t; ++ type svirt_socket_t; + ') + +- userdom_search_user_home_dirs($1) +- allow $1 virt_home_t:dir manage_dir_perms; +- allow $1 virt_home_t:file manage_file_perms; +- allow $1 virt_home_t:fifo_file manage_fifo_file_perms; +- allow $1 virt_home_t:lnk_file manage_lnk_file_perms; +- allow $1 virt_home_t:sock_file manage_sock_file_perms; ++ allow $1 virt_domain:process transition; ++ role $2 types virt_domain; ++ role $2 types virt_bridgehelper_t; ++ role $2 types svirt_socket_t; + +- tunable_policy(`virt_use_nfs',` +- fs_manage_nfs_dirs($1) +- fs_manage_nfs_files($1) +- fs_manage_nfs_symlinks($1) +- ') ++ allow $1 virt_domain:process { sigkill sigstop signull signal }; ++ allow $1 svirt_image_t:file { relabelfrom relabelto }; ++ allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto }; ++ allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto }; ++ allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms; + +- tunable_policy(`virt_use_samba',` +- fs_manage_cifs_dirs($1) +- fs_manage_cifs_files($1) +- 
fs_manage_cifs_symlinks($1) ++ optional_policy(` ++ ptchown_run(virt_domain, $2) + ') + ') + + ######################################## + ## +-## Relabel virt home content. ++## Do not audit attempts to write virt daemon unnamed pipes. ## ## ## -@@ -728,52 +1012,80 @@ interface(`virt_manage_generic_virt_home_content',` +-## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`virt_relabel_generic_virt_home_content',` -+interface(`virt_stream_connect_sandbox',` ++interface(`virt_dontaudit_write_pipes',` gen_require(` - type virt_home_t; -+ attribute svirt_sandbox_domain; -+ type svirt_sandbox_file_t; ++ type virtd_t; ') - userdom_search_user_home_dirs($1) @@ -113102,9 +113187,8 @@ index facdee8..816d860 100644 - allow $1 virt_home_t:fifo_file relabel_fifo_file_perms; - allow $1 virt_home_t:lnk_file relabel_lnk_file_perms; - allow $1 virt_home_t:sock_file relabel_sock_file_perms; -+ files_search_pids($1) -+ stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain) -+ ps_process_pattern(svirt_sandbox_domain, $1) ++ dontaudit $1 virtd_t:fd use; ++ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ') ######################################## 
@@ -113112,214 +113196,213 @@ index facdee8..816d860 100644 -## Create specified objects in user home -## directories with the generic virt -## home type. -+## Execute qemu in the svirt domain, and -+## allow the specified role the svirt domain. ++## Send a sigkill to virtual machines ## ## ## --## Domain allowed access. -+## Domain allowed access + ## Domain allowed access. ## ## -## -+## ++# ++interface(`virt_kill_svirt',` ++ gen_require(` ++ attribute virt_domain; ++ ') ++ ++ allow $1 virt_domain:process sigkill; ++') ++ ++######################################## ++## ++## Send a sigkill to virtd daemon. ++## ++## ## -## Class of the object being created. -+## The role to be allowed the sandbox domain. ++## Domain allowed access. ## ## -## -+## +# -+interface(`virt_transition_svirt',` ++interface(`virt_kill',` + gen_require(` -+ attribute virt_domain; -+ type virt_bridgehelper_t; -+ type svirt_image_t; -+ type svirt_socket_t; ++ type virtd_t; + ') + -+ allow $1 virt_domain:process transition; -+ role $2 types virt_domain; -+ role $2 types virt_bridgehelper_t; -+ role $2 types svirt_socket_t; -+ -+ allow $1 virt_domain:process { sigkill sigstop signull signal }; -+ allow $1 svirt_image_t:file { relabelfrom relabelto }; -+ allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto }; -+ allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto }; -+ allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms; -+ -+ optional_policy(` -+ ptchown_run(virt_domain, $2) -+ ') ++ allow $1 virtd_t:process sigkill; +') + +######################################## +## -+## Do not audit attempts to write virt daemon unnamed pipes. ++## Send a signal to virtd daemon. +## +## ## -## The name of the object being created. -+## Domain to not audit. ++## Domain allowed access. 
## ## # -interface(`virt_home_filetrans_virt_home',` -+interface(`virt_dontaudit_write_pipes',` ++interface(`virt_signal',` gen_require(` - type virt_home_t; + type virtd_t; ') - userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3) -+ dontaudit $1 virtd_t:fd use; -+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ++ allow $1 virtd_t:process signal; ') ######################################## ## -## Read virt pid files. -+## Send a sigkill to virtual machines ++## Send null signal to virtd daemon. ## ## ## -@@ -781,19 +1093,17 @@ interface(`virt_home_filetrans_virt_home',` +@@ -781,19 +1147,17 @@ interface(`virt_home_filetrans_virt_home',` ## ## # -interface(`virt_read_pid_files',` -+interface(`virt_kill_svirt',` ++interface(`virt_signull',` gen_require(` - type virt_var_run_t; -+ attribute virt_domain; ++ type virtd_t; ') - files_search_pids($1) - read_files_pattern($1, virt_var_run_t, virt_var_run_t) -+ allow $1 virt_domain:process sigkill; ++ allow $1 virtd_t:process signull; ') ######################################## ## -## Create, read, write, and delete -## virt pid files. -+## Send a sigkill to virtd daemon. ++## Send a signal to virtual machines ## ## ## -@@ -801,18 +1111,17 @@ interface(`virt_read_pid_files',` +@@ -801,18 +1165,17 @@ interface(`virt_read_pid_files',` ## ## # -interface(`virt_manage_pid_files',` -+interface(`virt_kill',` ++interface(`virt_signal_svirt',` gen_require(` - type virt_var_run_t; -+ type virtd_t; ++ attribute virt_domain; ') - files_search_pids($1) - manage_files_pattern($1, virt_var_run_t, virt_var_run_t) -+ allow $1 virtd_t:process sigkill; ++ allow $1 virt_domain:process signal; ') ######################################## ## -## Search virt lib directories. -+## Send a signal to virtd daemon. 
++## Send a signal to sandbox domains ## ## ## -@@ -820,18 +1129,17 @@ interface(`virt_manage_pid_files',` +@@ -820,18 +1183,17 @@ interface(`virt_manage_pid_files',` ## ## # -interface(`virt_search_lib',` -+interface(`virt_signal',` ++interface(`virt_signal_sandbox',` gen_require(` - type virt_var_lib_t; -+ type virtd_t; ++ attribute svirt_sandbox_domain; ') - files_search_var_lib($1) - allow $1 virt_var_lib_t:dir search_dir_perms; -+ allow $1 virtd_t:process signal; ++ allow $1 svirt_sandbox_domain:process signal; ') ######################################## ## -## Read virt lib files. -+## Send null signal to virtd daemon. ++## Manage virt home files. ## ## ## -@@ -839,20 +1147,17 @@ interface(`virt_search_lib',` +@@ -839,192 +1201,243 @@ interface(`virt_search_lib',` ## ## # -interface(`virt_read_lib_files',` -+interface(`virt_signull',` ++interface(`virt_manage_home_files',` gen_require(` - type virt_var_lib_t; -+ type virtd_t; ++ type virt_home_t; ') - files_search_var_lib($1) - read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) - read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -+ allow $1 virtd_t:process signull; ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, virt_home_t, virt_home_t) ') ######################################## ## -## Create, read, write, and delete -## virt lib files. -+## Send a signal to virtual machines ++## allow domain to read ++## virt tmpfs files ## ## ## -@@ -860,74 +1165,123 @@ interface(`virt_read_lib_files',` +-## Domain allowed access. 
++## Domain allowed access ## ## # -interface(`virt_manage_lib_files',` -+interface(`virt_signal_svirt',` ++interface(`virt_read_tmpfs_files',` gen_require(` - type virt_var_lib_t; -+ attribute virt_domain; ++ attribute virt_tmpfs_type; ') - files_search_var_lib($1) - manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -+ allow $1 virt_domain:process signal; ++ allow $1 virt_tmpfs_type:file read_file_perms; ') ######################################## ## -## Create objects in virt pid -## directories with a private type. -+## Send a signal to sandbox domains ++## allow domain to manage ++## virt tmpfs files ## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## Domain allowed access ## ## -## +# -+interface(`virt_signal_sandbox',` ++interface(`virt_manage_tmpfs_files',` + gen_require(` -+ attribute svirt_sandbox_domain; ++ attribute virt_tmpfs_type; + ') + -+ allow $1 svirt_sandbox_domain:process signal; ++ allow $1 virt_tmpfs_type:file manage_file_perms; +') + +######################################## +## -+## Manage virt home files. ++## Create .virt directory in the user home directory ++## with an correct label. +## +## ## 
@@ -113329,204 +113412,213 @@ index facdee8..816d860 100644 ## -## +# -+interface(`virt_manage_home_files',` ++interface(`virt_filetrans_home_content',` + gen_require(` + type virt_home_t; ++ type svirt_home_t; + ') + -+ userdom_search_user_home_dirs($1) -+ manage_files_pattern($1, virt_home_t, virt_home_t) ++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") ++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") ++ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") ++ ++ optional_policy(` ++ gnome_config_filetrans($1, virt_home_t, dir, "libvirt") ++ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt") ++ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox") ++ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes") ++ gnome_data_filetrans($1, svirt_home_t, dir, "images") ++ gnome_data_filetrans($1, svirt_home_t, dir, "boot") ++ ') +') + +######################################## +## -+## allow domain to read -+## virt tmpfs files ++## Dontaudit attempts to Read virt_image_type devices. +## +## ## -## The object class of the object being created. -+## Domain allowed access ++## Domain allowed access. ## ## -## +# -+interface(`virt_read_tmpfs_files',` ++interface(`virt_dontaudit_read_chr_dev',` + gen_require(` -+ attribute virt_tmpfs_type; ++ attribute virt_image_type; + ') + -+ allow $1 virt_tmpfs_type:file read_file_perms; ++ dontaudit $1 virt_image_type:chr_file read_chr_file_perms; +') + +######################################## +## -+## allow domain to manage -+## virt tmpfs files ++## Creates types and rules for a basic ++## virt_lxc process domain. +## -+## ++## ## -## The name of the object being created. -+## Domain allowed access ++## Prefix for the domain. 
## ## -## # -interface(`virt_pid_filetrans',` -+interface(`virt_manage_tmpfs_files',` ++template(`virt_sandbox_domain_template',` gen_require(` - type virt_var_run_t; -+ attribute virt_tmpfs_type; ++ attribute svirt_sandbox_domain; ') - files_search_pids($1) - filetrans_pattern($1, virt_var_run_t, $2, $3, $4) -+ allow $1 virt_tmpfs_type:file manage_file_perms; ++ type $1_t, svirt_sandbox_domain; ++ domain_type($1_t) ++ domain_user_exemption_target($1_t) ++ mls_rangetrans_target($1_t) ++ mcs_constrained($1_t) ++ role system_r types $1_t; ++ ++ logging_send_syslog_msg($1_t) ++ ++ kernel_read_system_state($1_t) ++ kernel_read_all_proc($1_t) ') ######################################## ## -## Read virt log files. -+## Create .virt directory in the user home directory -+## with an correct label. ++## Make the specified type usable as a lxc domain ## - ## +-## ++## ## - ## Domain allowed access. +-## Domain allowed access. ++## Type to be used as a lxc domain ## ## -## # -interface(`virt_read_log',` -+interface(`virt_filetrans_home_content',` ++template(`virt_sandbox_domain',` gen_require(` - type virt_log_t; -+ type virt_home_t; -+ type svirt_home_t; ++ attribute svirt_sandbox_domain; ') - logging_search_logs($1) - read_files_pattern($1, virt_log_t, virt_log_t) -+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") -+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") -+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") -+ -+ optional_policy(` -+ gnome_config_filetrans($1, virt_home_t, dir, "libvirt") -+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt") -+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox") -+ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes") -+ gnome_data_filetrans($1, svirt_home_t, dir, "images") -+ gnome_data_filetrans($1, svirt_home_t, dir, "boot") -+ ') ++ typeattribute $1 svirt_sandbox_domain; ') ######################################## ## -## Append virt log files. 
-+## Dontaudit attempts to Read virt_image_type devices. ++## Make the specified type usable as a lxc network domain ## - ## +-## ++## ## -@@ -935,117 +1289,153 @@ interface(`virt_read_log',` +-## Domain allowed access. ++## Type to be used as a lxc network domain ## ## # -interface(`virt_append_log',` -+interface(`virt_dontaudit_read_chr_dev',` ++template(`virt_sandbox_net_domain',` gen_require(` - type virt_log_t; -+ attribute virt_image_type; ++ attribute sandbox_net_domain; ') - logging_search_logs($1) - append_files_pattern($1, virt_log_t, virt_log_t) -+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ++ virt_sandbox_domain($1) ++ typeattribute $1 sandbox_net_domain; ') ######################################## ## -## Create, read, write, and delete -## virt log files. -+## Creates types and rules for a basic -+## virt_lxc process domain. ++## Execute a qemu_exec_t in the callers domain ## --## -+## - ## --## Domain allowed access. -+## Prefix for the domain. - ## + ## +-## ++## + ## Domain allowed access. +-## ++## ## # -interface(`virt_manage_log',` -+template(`virt_sandbox_domain_template',` ++interface(`virt_exec_qemu',` gen_require(` - type virt_log_t; -+ attribute svirt_sandbox_domain; ++ type qemu_exec_t; ') - logging_search_logs($1) - manage_dirs_pattern($1, virt_log_t, virt_log_t) - manage_files_pattern($1, virt_log_t, virt_log_t) - manage_lnk_files_pattern($1, virt_log_t, virt_log_t) -+ type $1_t, svirt_sandbox_domain; -+ domain_type($1_t) -+ domain_user_exemption_target($1_t) -+ mls_rangetrans_target($1_t) -+ mcs_constrained($1_t) -+ role system_r types $1_t; -+ -+ logging_send_syslog_msg($1_t) -+ -+ kernel_read_system_state($1_t) -+ kernel_read_all_proc($1_t) ++ can_exec($1, qemu_exec_t) ') ######################################## ## -## Search virt image directories. -+## Make the specified type usable as a lxc domain ++## Transition to virt named content ## --## -+## + ## ## -## Domain allowed access. 
-+## Type to be used as a lxc domain ++## Domain allowed access. ## ## # -interface(`virt_search_images',` -+template(`virt_sandbox_domain',` ++interface(`virt_filetrans_named_content',` gen_require(` - attribute virt_image_type; -+ attribute svirt_sandbox_domain; ++ type virt_lxc_var_run_t; ++ type virt_var_run_t; ') - virt_search_lib($1) - allow $1 virt_image_type:dir search_dir_perms; -+ typeattribute $1 svirt_sandbox_domain; ++ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") ++ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") ++ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") ') ######################################## ## -## Read virt image files. -+## Make the specified type usable as a lxc network domain ++## Execute qemu in the svirt domain, and ++## allow the specified role the svirt domain. ## --## -+## + ## ## -## Domain allowed access. -+## Type to be used as a lxc network domain ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the sandbox domain. ## ## ++## # -interface(`virt_read_images',` -+template(`virt_sandbox_net_domain',` ++interface(`virt_transition_svirt_sandbox',` gen_require(` - type virt_var_lib_t; - attribute virt_image_type; -+ attribute sandbox_net_domain; ++ attribute svirt_sandbox_domain; ') - virt_search_lib($1) 
@@ -113535,79 +113627,41 @@ index facdee8..816d860 100644 - read_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - read_blk_files_pattern($1, virt_image_type, virt_image_type) -+ virt_sandbox_domain($1) -+ typeattribute $1 sandbox_net_domain; -+') ++ allow $1 svirt_sandbox_domain:process { transition signal_perms }; ++ role $2 types svirt_sandbox_domain; ++ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; - tunable_policy(`virt_use_nfs',` - fs_list_nfs($1) - fs_read_nfs_files($1) - fs_read_nfs_symlinks($1) -+######################################## -+## -+## Execute a qemu_exec_t in the callers domain -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`virt_exec_qemu',` -+ gen_require(` -+ type qemu_exec_t; - ') +- ') ++ allow svirt_sandbox_domain $1:fd use; - tunable_policy(`virt_use_samba',` - fs_list_cifs($1) - fs_read_cifs_files($1) - fs_read_cifs_symlinks($1) -+ can_exec($1, qemu_exec_t) -+') -+ -+######################################## -+## -+## Transition to virt named content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`virt_filetrans_named_content',` -+ gen_require(` -+ type virt_lxc_var_run_t; -+ type virt_var_run_t; - ') -+ -+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") -+ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") -+ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") +- ') ++ allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms; ++ allow svirt_sandbox_domain $1:process sigchld; ++ ps_process_pattern($1, svirt_sandbox_domain) ') ######################################## ## -## Read and write all virt image -## character files. -+## Execute qemu in the svirt domain, and -+## allow the specified role the svirt domain. ++## Read the process state of virt sandbox containers ## ## ## --## Domain allowed access. 
-+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the sandbox domain. +@@ -1032,20 +1445,17 @@ interface(`virt_read_images',` ## ## -+## # -interface(`virt_rw_all_image_chr_files',` -+interface(`virt_transition_svirt_sandbox',` ++interface(`virt_sandbox_read_state',` gen_require(` - attribute virt_image_type; + attribute svirt_sandbox_domain; @@ -113616,12 +113670,6 @@ index facdee8..816d860 100644 - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - rw_chr_files_pattern($1, virt_image_type, virt_image_type) -+ allow $1 svirt_sandbox_domain:process { transition signal_perms }; -+ role $2 types svirt_sandbox_domain; -+ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; -+ -+ allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms; -+ allow svirt_sandbox_domain $1:process sigchld; + ps_process_pattern($1, svirt_sandbox_domain) ') @@ -113629,23 +113677,23 @@ index facdee8..816d860 100644 ## -## Create, read, write, and delete -## svirt cache files. -+## Read the process state of virt sandbox containers ++## Read and write to svirt_image devices. ## ## ## -@@ -1053,15 +1443,17 @@ interface(`virt_rw_all_image_chr_files',` +@@ -1053,15 +1463,17 @@ interface(`virt_rw_all_image_chr_files',` ## ## # -interface(`virt_manage_svirt_cache',` - refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.') - virt_manage_virt_cache($1) -+interface(`virt_sandbox_read_state',` ++interface(`virt_rw_svirt_dev',` + gen_require(` -+ attribute svirt_sandbox_domain; ++ type svirt_image_t; + ') + -+ ps_process_pattern($1, svirt_sandbox_domain) ++ allow $1 svirt_image_t:chr_file rw_file_perms; ') ######################################## 
@@ -113656,22 +113704,22 @@ index facdee8..816d860 100644 ## ## ## -@@ -1069,21 +1461,17 @@ interface(`virt_manage_svirt_cache',` +@@ -1069,21 +1481,17 @@ interface(`virt_manage_svirt_cache',` ## ## # -interface(`virt_manage_virt_cache',` -+interface(`virt_rw_svirt_dev',` ++interface(`virt_rlimitinh',` gen_require(` - type virt_cache_t; -+ type svirt_image_t; ++ type virtd_t; ') - files_search_var($1) - manage_dirs_pattern($1, virt_cache_t, virt_cache_t) - manage_files_pattern($1, virt_cache_t, virt_cache_t) - manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) -+ allow $1 svirt_image_t:chr_file rw_file_perms; ++ allow $1 virtd_t:process { rlimitinh }; ') ######################################## @@ -113682,43 +113730,28 @@ index facdee8..816d860 100644 ## ## ## -@@ -1091,36 +1479,36 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1499,18 @@ interface(`virt_manage_virt_cache',` ## ## # -interface(`virt_manage_images',` -+interface(`virt_rlimitinh',` ++interface(`virt_noatsecure',` gen_require(` - type virt_var_lib_t; - attribute virt_image_type; -+ type virtd_t; - ') - +- ') +- - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - manage_dirs_pattern($1, virt_image_type, virt_image_type) - manage_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - rw_blk_files_pattern($1, virt_image_type, virt_image_type) -+ allow $1 virtd_t:process { rlimitinh }; -+') - +- - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_read_nfs_symlinks($1) -+######################################## -+## -+## Read and write to svirt_image devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`virt_noatsecure',` -+ gen_require(` + type virtd_t; ') 
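Review bot: The summary block above the new `interface(`virt_noatsecure',` is not part of this hunk, while the previous revision of the patch carried the wrong text there (`## Read and write to svirt_image devices.`, dropped here), so it is worth checking that the header that survives now describes this interface rather than the image-management one it was written for. `noatsecure` on a transition into virtd_t means the new process is not placed in secure-exec (AT_SECURE) mode, so the loader does not sanitize its environment; that is a statement of trust in the caller which the summary should spell out, e.g. `## Transition to virtd_t without AT_SECURE; only for trusted launchers.`. The allow rule itself lies past the end of the hunk, so the exact permission is inferred from the interface name; the same header check applies to `virt_rlimitinh` in the hunk at 113656.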
@@ -113739,7 +113772,7 @@ index facdee8..816d860 100644 ## ## ## -@@ -1136,50 +1524,76 @@ interface(`virt_manage_images',` +@@ -1136,50 +1526,76 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` @@ -113849,7 +113882,7 @@ index facdee8..816d860 100644 + ps_process_pattern(virtd_t, $1) ') diff --git a/virt.te b/virt.te -index f03dcf5..a4e5bf6 100644 +index f03dcf5..75d9fa0 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,402 @@ @@ -115431,7 +115464,7 @@ index f03dcf5..a4e5bf6 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1258,357 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1258,359 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -115486,6 +115519,7 @@ index f03dcf5..a4e5bf6 100644 + +allow svirt_sandbox_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit }; +allow svirt_sandbox_domain self:fifo_file manage_file_perms; ++allow svirt_sandbox_domain self:msg all_msg_perms; +allow svirt_sandbox_domain self:sem create_sem_perms; +allow svirt_sandbox_domain self:shm create_shm_perms; +allow svirt_sandbox_domain self:msgq create_msgq_perms; @@ -115619,6 +115653,7 @@ index f03dcf5..a4e5bf6 100644 +kernel_list_all_proc(svirt_sandbox_domain) +kernel_read_all_sysctls(svirt_sandbox_domain) +kernel_rw_net_sysctls(svirt_sandbox_domain) ++kernel_rw_unix_sysctls(svirt_sandbox_domain) +kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) +kernel_dontaudit_access_check_proc(svirt_sandbox_domain) +kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain) 
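Review bot: Two grants added for the whole `svirt_sandbox_domain` attribute, `allow svirt_sandbox_domain self:msg all_msg_perms;` in the hunk at 115486 and `kernel_rw_unix_sysctls(svirt_sandbox_domain)` in the hunk at 115619, have no entry in the 3.13.1-213 changelog added to selinux-policy.spec, so the spec history does not show that the container domain got wider. The sysctl rule is the one to justify: read access was already covered by `kernel_read_all_sysctls(svirt_sandbox_domain)` two lines above, so the new interface adds only the write side. A why-comment naming the workload that needed each rule, e.g. `# containers write unix socket sysctls (needed by: <workload, TODO>)`, plus a changelog bullet would make both reviewable; whether such writes land in a per-container network namespace is not visible to the policy and should be confirmed rather than assumed.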
@@ -115930,7 +115965,7 @@ index f03dcf5..a4e5bf6 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1621,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1623,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -115945,7 +115980,7 @@ index f03dcf5..a4e5bf6 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1639,7 @@ optional_policy(` +@@ -1192,7 +1641,7 @@ optional_policy(` ######################################## # @@ -115954,7 +115989,7 @@ index f03dcf5..a4e5bf6 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1648,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1650,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 25f2f24..2242d57 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 212%{?dist} +Release: 213%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -648,6 +648,12 @@ exit 0 %endif %changelog +* Fri Sep 02 2016 Lukas Vrabec 3.13.1-213 +- Label /var/lib/docker/vfs as svirt_sandbox_file_t in virt SELinux module +- Label /usr/bin/pappet as puppetagent_exec_t +- Allow amanda to create dir in /var/lib/ with amanda_var_lib_t label +- Allow run sulogin_t in range mls_systemlow-mls_systemhigh. + * Wed Aug 31 2016 Lukas Vrabec 3.13.1-212 - udisk2 module is part of devicekit module now - Fix file context for /etc/pki/pki-tomcat/ca/