diff --git a/container-selinux.tgz b/container-selinux.tgz
index 09d36e2..ba6d48a 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 2487a9f..7a93d33 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5946,7 +5946,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..25a5cfe 100644
+index b191055..9729941 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -6134,7 +6134,8 @@ index b191055..25a5cfe 100644
 +network_port(ircd, tcp,6667,s0, tcp,6697,s0)
  network_port(isakmp, udp,500,s0)
  network_port(iscsi, tcp,3260,s0)
- network_port(isns, tcp,3205,s0, udp,3205,s0)
+-network_port(isns, tcp,3205,s0, udp,3205,s0)
++network_port(isns, tcp,3205,s0, udp,3205,s0, tcp,51954,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
 -network_port(jabber_interserver, tcp,5269,s0)
 -network_port(jboss_iiop, tcp,3528,s0, udp,3528,s0)
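Review bot: The new `tcp,51954,s0` entry on the `network_port(isns, ...)` line puts a port from the default Linux ephemeral range (32768–60999) under `isns_port_t`, and nothing in the inner patch says why that number was chosen. As far as I know the kernel skips the `name_bind` check for ports inside `ip_local_port_range`, so on a default configuration this label would not restrict which domain binds 51954. Every `name_connect` rule written for isns ports now covers it as well, including the `corenet_tcp_connect_isns_port(isnsd_t)` added in the isns.te hunk further down. I would add a comment above the line, e.g. `# tcp 51954: <reason for the high port, bug reference>`, so the next reader does not take it for a typo.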
@@ -37458,7 +37459,7 @@ index 79a45f6..d092e6e 100644
 +    allow $1 init_var_lib_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..e33db3f 100644
+index 17eda24..e59e001 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -37768,7 +37769,7 @@ index 17eda24..e33db3f 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +337,271 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +337,275 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -38011,10 +38012,14 @@ index 17eda24..e33db3f 100644
  
  optional_policy(`
 -	auth_rw_login_records(init_t)
-+	consolekit_manage_log(init_t)
++    lldpad_relabel_tmpfs(init_t)
  ')
  
  optional_policy(`
++	consolekit_manage_log(init_t)
++')
++
++optional_policy(`
 +	dbus_connect_system_bus(init_t)
  	dbus_system_bus_client(init_t)
 +	dbus_delete_pid_files(init_t)
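Review bot: The added `lldpad_relabel_tmpfs(init_t)` line is indented with four spaces, while the calls around it in init.te (`consolekit_manage_log(init_t)`, `dbus_connect_system_bus(init_t)`) use a single tab; it should follow the same indentation. The block also carries no comment saying why init_t needs relabel access to lldpad's tmpfs files. The spec changelog names `/dev/shm/lldpad.state`, so a one-line `# init relabels /dev/shm/lldpad.state` inside the `optional_policy` would keep that reason next to the rule.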
@@ -38049,7 +38054,7 @@ index 17eda24..e33db3f 100644
  ')
  
  optional_policy(`
-@@ -216,7 +609,30 @@ optional_policy(`
+@@ -216,7 +613,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38081,7 +38086,7 @@ index 17eda24..e33db3f 100644
  ')
  
  ########################################
-@@ -225,9 +641,9 @@ optional_policy(`
+@@ -225,9 +645,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -38093,7 +38098,7 @@ index 17eda24..e33db3f 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -258,12 +674,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +678,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -38110,7 +38115,7 @@ index 17eda24..e33db3f 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +699,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +703,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -38153,7 +38158,7 @@ index 17eda24..e33db3f 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +736,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +740,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -38165,7 +38170,7 @@ index 17eda24..e33db3f 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -313,8 +748,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +752,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -38176,7 +38181,7 @@ index 17eda24..e33db3f 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -322,8 +759,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +763,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -38186,7 +38191,7 @@ index 17eda24..e33db3f 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -332,7 +768,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +772,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -38194,7 +38199,7 @@ index 17eda24..e33db3f 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -340,6 +775,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +779,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -38202,7 +38207,7 @@ index 17eda24..e33db3f 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -347,14 +783,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +787,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -38220,7 +38225,7 @@ index 17eda24..e33db3f 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -364,8 +801,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +805,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -38234,7 +38239,7 @@ index 17eda24..e33db3f 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -375,10 +816,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +820,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -38248,7 +38253,7 @@ index 17eda24..e33db3f 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -387,8 +829,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +833,10 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -38259,7 +38264,7 @@ index 17eda24..e33db3f 100644
  
  storage_getattr_fixed_disk_dev(initrc_t)
  storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +842,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +846,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -38267,7 +38272,7 @@ index 17eda24..e33db3f 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -416,20 +861,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +865,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -38291,7 +38296,7 @@ index 17eda24..e33db3f 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +894,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +898,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -38299,7 +38304,7 @@ index 17eda24..e33db3f 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +928,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +932,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -38310,7 +38315,7 @@ index 17eda24..e33db3f 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -506,7 +952,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +956,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -38319,7 +38324,7 @@ index 17eda24..e33db3f 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -521,6 +967,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +971,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -38327,7 +38332,7 @@ index 17eda24..e33db3f 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +988,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +992,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -38335,7 +38340,7 @@ index 17eda24..e33db3f 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +998,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +1002,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -38380,7 +38385,7 @@ index 17eda24..e33db3f 100644
  	')
  
  	optional_policy(`
-@@ -559,14 +1043,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1047,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -38412,7 +38417,7 @@ index 17eda24..e33db3f 100644
  	')
  ')
  
-@@ -577,6 +1078,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1082,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -38452,7 +38457,7 @@ index 17eda24..e33db3f 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1123,8 @@ optional_policy(`
+@@ -589,6 +1127,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -38461,7 +38466,7 @@ index 17eda24..e33db3f 100644
  ')
  
  optional_policy(`
-@@ -610,6 +1146,7 @@ optional_policy(`
+@@ -610,6 +1150,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -38469,7 +38474,7 @@ index 17eda24..e33db3f 100644
  ')
  
  optional_policy(`
-@@ -626,6 +1163,17 @@ optional_policy(`
+@@ -626,6 +1167,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38487,7 +38492,7 @@ index 17eda24..e33db3f 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -642,9 +1190,13 @@ optional_policy(`
+@@ -642,9 +1194,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -38501,7 +38506,7 @@ index 17eda24..e33db3f 100644
  	')
  
  	optional_policy(`
-@@ -657,15 +1209,11 @@ optional_policy(`
+@@ -657,15 +1213,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38519,7 +38524,7 @@ index 17eda24..e33db3f 100644
  ')
  
  optional_policy(`
-@@ -686,6 +1234,15 @@ optional_policy(`
+@@ -686,6 +1238,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38535,7 +38540,7 @@ index 17eda24..e33db3f 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -726,6 +1283,7 @@ optional_policy(`
+@@ -726,6 +1287,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -38543,7 +38548,7 @@ index 17eda24..e33db3f 100644
  ')
  
  optional_policy(`
-@@ -743,7 +1301,13 @@ optional_policy(`
+@@ -743,7 +1305,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38558,7 +38563,7 @@ index 17eda24..e33db3f 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -766,6 +1330,10 @@ optional_policy(`
+@@ -766,6 +1334,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38569,7 +38574,7 @@ index 17eda24..e33db3f 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -775,10 +1343,20 @@ optional_policy(`
+@@ -775,10 +1347,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38590,7 +38595,7 @@ index 17eda24..e33db3f 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -787,6 +1365,10 @@ optional_policy(`
+@@ -787,6 +1369,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38601,7 +38606,7 @@ index 17eda24..e33db3f 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -808,8 +1390,6 @@ optional_policy(`
+@@ -808,8 +1394,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -38610,7 +38615,7 @@ index 17eda24..e33db3f 100644
  ')
  
  optional_policy(`
-@@ -818,6 +1398,10 @@ optional_policy(`
+@@ -818,6 +1402,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38621,7 +38626,7 @@ index 17eda24..e33db3f 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -827,10 +1411,12 @@ optional_policy(`
+@@ -827,10 +1415,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -38634,7 +38639,7 @@ index 17eda24..e33db3f 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1443,62 @@ optional_policy(`
+@@ -857,21 +1447,62 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38698,7 +38703,7 @@ index 17eda24..e33db3f 100644
  ')
  
  optional_policy(`
-@@ -887,6 +1514,10 @@ optional_policy(`
+@@ -887,6 +1518,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38709,7 +38714,7 @@ index 17eda24..e33db3f 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -897,3 +1528,218 @@ optional_policy(`
+@@ -897,3 +1532,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -49137,10 +49142,10 @@ index 0000000..86e3d01
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..eff9e73
+index 0000000..2800431
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,972 @@
+@@ -0,0 +1,973 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -49868,6 +49873,7 @@ index 0000000..eff9e73
 +
 +dev_read_sysfs(systemd_rfkill_t)
 +dev_rw_wireless(systemd_rfkill_t)
++dev_write_kmsg(systemd_rfkill_t)
 +
 +init_search_var_lib_dirs(systemd_rfkill_t)
 +
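Review bot: `dev_write_kmsg(systemd_rfkill_t)` has no comment explaining what systemd-rfkill writes there, and the spec changelog describes it as write access to `/proc/kmsg`, whereas the interface name suggests the `/dev/kmsg` device. Write access to the kernel log device lets a domain insert records into the kernel ring buffer, so the reason deserves to sit next to the rule. After confirming which node is meant, I would add something like `# systemd-rfkill logs via /dev/kmsg, bz(1388669)` above the call.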
@@ -51261,10 +51267,10 @@ index 5ca20a9..5454d16 100644
 +	allow $1 unconfined_service_t:process signull;
  ')
 diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 5fe902d..a349d18 100644
+index 5fe902d..b31eeba 100644
 --- a/policy/modules/system/unconfined.te
 +++ b/policy/modules/system/unconfined.te
-@@ -1,207 +1,28 @@
+@@ -1,207 +1,32 @@
 -policy_module(unconfined, 3.5.1)
 +policy_module(unconfined, 3.5.0)
  
@@ -51352,8 +51358,7 @@ index 5fe902d..a349d18 100644
 -optional_policy(`
 -	firstboot_run(unconfined_t, unconfined_r)
 -')
-+role unconfined_r types unconfined_service_t;
- 
+-
 -optional_policy(`
 -	ftp_run_ftpdctl(unconfined_t, unconfined_r)
 -')
@@ -51369,15 +51374,12 @@ index 5fe902d..a349d18 100644
 -optional_policy(`
 -	java_run_unconfined(unconfined_t, unconfined_r)
 -')
-+corecmd_bin_entry_type(unconfined_service_t)
-+corecmd_shell_entry_type(unconfined_service_t)
- 
- optional_policy(`
+-
+-optional_policy(`
 -	lpd_run_checkpc(unconfined_t, unconfined_r)
-+	rpm_transition_script(unconfined_service_t, system_r)
- ')
- 
- optional_policy(`
+-')
+-
+-optional_policy(`
 -	modutils_run_update_mods(unconfined_t, unconfined_r)
 -')
 -
@@ -51429,7 +51431,8 @@ index 5fe902d..a349d18 100644
 -optional_policy(`
 -	rpm_run(unconfined_t, unconfined_r)
 -')
--
++role unconfined_r types unconfined_service_t;
+ 
 -optional_policy(`
 -	samba_run_net(unconfined_t, unconfined_r)
 -	samba_run_winbind_helper(unconfined_t, unconfined_r)
@@ -51451,16 +51454,20 @@ index 5fe902d..a349d18 100644
 -optional_policy(`
 -	unconfined_dbus_chat(unconfined_t)
 -')
--
--optional_policy(`
++corecmd_bin_entry_type(unconfined_service_t)
++corecmd_shell_entry_type(unconfined_service_t)
+ 
+ optional_policy(`
 -	usermanage_run_admin_passwd(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
++	rpm_transition_script(unconfined_service_t, system_r)
+ ')
+ 
+ optional_policy(`
 -	vpn_run(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
++	dbus_chat_system_bus(unconfined_service_t)
+ ')
+ 
+ optional_policy(`
 -	webalizer_run(unconfined_t, unconfined_r)
 -')
 -
@@ -51482,7 +51489,7 @@ index 5fe902d..a349d18 100644
 -
 -optional_policy(`
 -	unconfined_dbus_chat(unconfined_execmem_t)
-+	dbus_chat_system_bus(unconfined_service_t)
++	virt_transition_svirt(unconfined_service_t, system_r)
  ')
 diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
 index db75976..c54480a 100644
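Review bot: `virt_transition_svirt(unconfined_service_t, system_r)` is the one functional addition in this unconfined.te section, and neither a comment nor an entry in the spec changelog says which service running as `unconfined_service_t` needs to transition into the svirt domains. Presumably it belongs to the container changes merged in this release, but that is only a guess from the changelog. A short comment inside the new `optional_policy` block naming the service would make the rule reviewable; the rest of the section is reordering of existing lines.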
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index d4a3261..c402de5 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -9774,7 +9774,7 @@ index 531a8f2..3fcf187 100644
 +	allow $1 named_unit_file_t:service all_service_perms;
  ')
 diff --git a/bind.te b/bind.te
-index 1241123..ab9ec30 100644
+index 1241123..f726b13 100644
 --- a/bind.te
 +++ b/bind.te
 @@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -9801,7 +9801,7 @@ index 1241123..ab9ec30 100644
  #
  
 -allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
-+allow named_t self:capability { chown dac_override fowner net_admin setgid setuid sys_chroot sys_nice sys_resource };
++allow named_t self:capability { chown dac_override fowner net_admin net_raw setgid setuid sys_chroot sys_nice sys_resource };
  dontaudit named_t self:capability sys_tty_config;
 +allow named_t self:capability2 block_suspend;
  allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
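Review bot: The rewritten `allow named_t self:capability { ... net_raw ... }` rule gives the name server domain `net_raw` unconditionally, on top of the `net_admin` it already holds, and no comment records which operation in named requires it. The capability by itself does not grant the raw or packet socket classes; whether `named_t` also has `rawip_socket` or `packet_socket` permissions is outside this hunk and worth checking, so the grant stays as narrow as the bug needs. I would put `# net_raw: <operation from bz(1389240)>` above the rule.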
@@ -31429,10 +31429,10 @@ index 0000000..cf9f7bf
 +')
 diff --git a/geoclue.te b/geoclue.te
 new file mode 100644
-index 0000000..efd838f
+index 0000000..fb8be0d
 --- /dev/null
 +++ b/geoclue.te
-@@ -0,0 +1,71 @@
+@@ -0,0 +1,72 @@
 +policy_module(geoclue, 1.0.0)
 +
 +########################################
@@ -31466,6 +31466,7 @@ index 0000000..efd838f
 +manage_dirs_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)
 +files_tmp_filetrans(geoclue_t, geoclue_tmp_t, { dir file })
 +
++kernel_read_system_state(geoclue_t)
 +kernel_read_network_state(geoclue_t)
 +
 +auth_read_passwd(geoclue_t)
@@ -32381,10 +32382,10 @@ index 0000000..764ae00
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..3ba328e
+index 0000000..0a33da3
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,303 @@
+@@ -0,0 +1,305 @@
 +policy_module(glusterd, 1.1.3)
 +
 +## <desc>
@@ -32446,7 +32447,7 @@ index 0000000..3ba328e
 +# Local policy
 +#
 +
-+allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw };
++allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid ipc_lock kill setgid setuid net_admin mknod net_raw };
 +
 +allow glusterd_t self:capability2 block_suspend;
 +allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate};
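Review bot: `ipc_lock` is added to the already wide `glusterd_t` capability set for every installation, although the changelog ties it to the RDMA transport only; the same applies to `dev_rw_infiniband_dev(glusterd_t)` in the next hunk. If RDMA is an optional transport, both grants could sit in a `tunable_policy` block so hosts without it keep the smaller set. The third addition, `fs_getattr_all_dirs(glusterd_t)`, is not mentioned in the changelog at all and would benefit from a comment stating what needs it.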
@@ -32542,6 +32543,7 @@ index 0000000..3ba328e
 +dev_read_sysfs(glusterd_t)
 +dev_read_urand(glusterd_t)
 +dev_read_rand(glusterd_t)
++dev_rw_infiniband_dev(glusterd_t)
 +
 +domain_read_all_domains_state(glusterd_t)
 +domain_getattr_all_sockets(glusterd_t)
@@ -32551,6 +32553,7 @@ index 0000000..3ba328e
 +fs_mount_all_fs(glusterd_t)
 +fs_unmount_all_fs(glusterd_t)
 +fs_getattr_all_fs(glusterd_t)
++fs_getattr_all_dirs(glusterd_t)
 +
 +files_mounton_non_security(glusterd_t)
 +
@@ -37724,10 +37727,10 @@ index 6517fad..f183748 100644
 +	allow $1 hypervkvp_unit_file_t:service all_service_perms;
  ')
 diff --git a/hypervkvp.te b/hypervkvp.te
-index 4eb7041..de9cd55 100644
+index 4eb7041..b205df0 100644
 --- a/hypervkvp.te
 +++ b/hypervkvp.te
-@@ -5,24 +5,153 @@ policy_module(hypervkvp, 1.0.0)
+@@ -5,24 +5,154 @@ policy_module(hypervkvp, 1.0.0)
  # Declarations
  #
  
@@ -37889,6 +37892,7 @@ index 4eb7041..de9cd55 100644
 -miscfiles_read_localization(hypervkvpd_t)
 +files_list_all_mountpoints(hypervvssd_t)
 +files_write_all_mountpoints(hypervvssd_t)
++files_list_non_auth_dirs(hypervvssd_t)
  
 -sysnet_dns_name_resolve(hypervkvpd_t)
 +logging_send_syslog_msg(hypervvssd_t)
@@ -39918,7 +39922,7 @@ index ca020fa..d546e07 100644
 +	kdump_rw_inherited_kdumpctl_tmp_pipes(iscsid_t)
 +')
 diff --git a/isns.te b/isns.te
-index bc11034..183c526 100644
+index bc11034..20a7f39 100644
 --- a/isns.te
 +++ b/isns.te
 @@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t)
@@ -39939,9 +39943,11 @@ index bc11034..183c526 100644
  corenet_all_recvfrom_unlabeled(isnsd_t)
  corenet_all_recvfrom_netlabel(isnsd_t)
  corenet_tcp_sendrecv_generic_if(isnsd_t)
-@@ -46,10 +50,6 @@ corenet_tcp_bind_generic_node(isnsd_t)
+@@ -45,11 +49,8 @@ corenet_tcp_sendrecv_isns_port(isnsd_t)
+ corenet_tcp_bind_generic_node(isnsd_t)
  corenet_sendrecv_isns_server_packets(isnsd_t)
  corenet_tcp_bind_isns_port(isnsd_t)
++corenet_tcp_connect_isns_port(isnsd_t)
  
 -files_read_etc_files(isnsd_t)
 +auth_use_nsswitch(isnsd_t)
@@ -46051,7 +46057,7 @@ index 8031a78..72e56ac 100644
 +
 +/dev/shm/lldpad.*   --  gen_context(system_u:object_r:lldpad_tmpfs_t,s0)
 diff --git a/lldpad.if b/lldpad.if
-index d18c960..fb5b674 100644
+index d18c960..b7bd752 100644
 --- a/lldpad.if
 +++ b/lldpad.if
 @@ -2,6 +2,25 @@
@@ -46095,6 +46101,29 @@ index d18c960..fb5b674 100644
  	init_labeled_script_domtrans($1, lldpad_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 lldpad_initrc_exec_t system_r;
+@@ -56,3 +79,22 @@ interface(`lldpad_admin',`
+ 	files_search_pids($1)
+ 	admin_pattern($1, lldpad_var_run_t)
+ ')
++
++########################################
++## <summary>
++##	Allow relabel lldpad_tmpfs_t
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`lldpad_relabel_tmpfs',`
++	gen_require(`
++		type lldpad_tmpfs_t;
++	')
++
++	allow $1 lldpad_tmpfs_t:file relabelfrom;
++	allow $1 lldpad_tmpfs_t:file relabelto;
++')
 diff --git a/lldpad.te b/lldpad.te
 index 2a491d9..42e5578 100644
 --- a/lldpad.te
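Review bot: The new `lldpad_relabel_tmpfs` interface spells the grant as two separate `allow` rules; a single rule, `allow $1 lldpad_tmpfs_t:file { relabelfrom relabelto };`, states the same access more compactly. The reference policy's `relabel_file_perms` set would also work but additionally grants `getattr`, so it should be used only if the caller needs that. The summary text "Allow relabel lldpad_tmpfs_t" would read better as `Relabel lldpad tmpfs files.`, matching the phrasing of the other interface summaries.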
@@ -64805,10 +64834,10 @@ index 0000000..7581b52
 +')
 diff --git a/openfortivpn.te b/openfortivpn.te
 new file mode 100644
-index 0000000..0d22f83
+index 0000000..3142896
 --- /dev/null
 +++ b/openfortivpn.te
-@@ -0,0 +1,69 @@
+@@ -0,0 +1,67 @@
 +policy_module(openfortivpn, 1.0.0)
 +
 +########################################
@@ -64817,11 +64846,9 @@ index 0000000..0d22f83
 +#
 +
 +type openfortivpn_t;
-+domain_type(openfortivpn_t);
 +role system_r types openfortivpn_t;
-+
 +type openfortivpn_exec_t;
-+domain_entry_file(openfortivpn_t, openfortivpn_exec_t)
++init_daemon_domain(openfortivpn_t, openfortivpn_exec_t)
 +
 +type openfortivpn_var_lib_t;
 +files_type(openfortivpn_var_lib_t)
@@ -69440,14 +69467,15 @@ index 43d50f9..6b1544f 100644
  
  ########################################
 diff --git a/pcscd.te b/pcscd.te
-index 1fb1964..5212cd2 100644
+index 1fb1964..a8026bd 100644
 --- a/pcscd.te
 +++ b/pcscd.te
-@@ -22,10 +22,11 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
+@@ -22,10 +22,12 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
  #
  
  allow pcscd_t self:capability { dac_override dac_read_search fsetid };
 -allow pcscd_t self:process signal;
++allow pcscd_t self:capability2 { wake_alarm };
 +allow pcscd_t self:process { signal signull };
  allow pcscd_t self:fifo_file rw_fifo_file_perms;
 -allow pcscd_t self:unix_stream_socket { accept listen };
@@ -69458,7 +69486,7 @@ index 1fb1964..5212cd2 100644
  allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms;
  
  manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
-@@ -36,7 +37,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
+@@ -36,7 +38,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
  
  kernel_read_system_state(pcscd_t)
  
@@ -69466,7 +69494,7 @@ index 1fb1964..5212cd2 100644
  corenet_all_recvfrom_netlabel(pcscd_t)
  corenet_tcp_sendrecv_generic_if(pcscd_t)
  corenet_tcp_sendrecv_generic_node(pcscd_t)
-@@ -45,12 +45,13 @@ corenet_sendrecv_http_client_packets(pcscd_t)
+@@ -45,12 +46,13 @@ corenet_sendrecv_http_client_packets(pcscd_t)
  corenet_tcp_connect_http_port(pcscd_t)
  corenet_tcp_sendrecv_http_port(pcscd_t)
  
@@ -69481,7 +69509,7 @@ index 1fb1964..5212cd2 100644
  files_read_etc_runtime_files(pcscd_t)
  
  term_use_unallocated_ttys(pcscd_t)
-@@ -60,16 +61,26 @@ locallogin_use_fds(pcscd_t)
+@@ -60,16 +62,26 @@ locallogin_use_fds(pcscd_t)
  
  logging_send_syslog_msg(pcscd_t)
  
@@ -69510,7 +69538,7 @@ index 1fb1964..5212cd2 100644
  ')
  
  optional_policy(`
-@@ -85,3 +96,8 @@ optional_policy(`
+@@ -85,3 +97,8 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(pcscd_t)
  ')
@@ -90925,7 +90953,7 @@ index 0bf13c2..ed393a0 100644
  	files_list_tmp($1)
  	admin_pattern($1, gssd_tmp_t)
 diff --git a/rpc.te b/rpc.te
-index 2da9fca..7f491b0 100644
+index 2da9fca..23bddad 100644
 --- a/rpc.te
 +++ b/rpc.te
 @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
@@ -91123,7 +91151,7 @@ index 2da9fca..7f491b0 100644
  ')
  
  ########################################
-@@ -202,41 +226,56 @@ optional_policy(`
+@@ -202,41 +226,61 @@ optional_policy(`
  #
  
  allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
@@ -91177,6 +91205,11 @@ index 2da9fca..7f491b0 100644
  storage_dontaudit_read_fixed_disk(nfsd_t)
  storage_raw_read_removable_device(nfsd_t)
  
++allow nfsd_t nfsd_unit_file_t:file manage_file_perms;
++systemd_unit_file_filetrans(nfsd_t, nfsd_unit_file_t, file)
++systemd_create_unit_file_dirs(nfsd_t)
++systemd_create_unit_file_lnk(nfsd_t)
++
 +# Read access to public_content_t and public_content_rw_t
  miscfiles_read_public_files(nfsd_t)
  
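Review bot: The four added lines let `nfsd_t` fully manage files of type `nfsd_unit_file_t` and create unit-file directories and symlinks, so the NFS server domain can now write content that systemd later loads as unit configuration. `manage_file_perms` is wider than the changelog's wording, which only speaks of creating `nfsd_unit_file_t` files. I would narrow the `allow` rule to the create and write permissions actually seen in the denials, or move whatever generates these files into its own small domain. A comment citing bz(1382487) above the block would record why the access exists.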
@@ -91189,7 +91222,7 @@ index 2da9fca..7f491b0 100644
  	miscfiles_manage_public_files(nfsd_t)
  ')
  
-@@ -245,7 +284,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -245,7 +289,6 @@ tunable_policy(`nfs_export_all_rw',`
  	dev_getattr_all_chr_files(nfsd_t)
  
  	fs_read_noxattr_fs_files(nfsd_t)
@@ -91197,7 +91230,7 @@ index 2da9fca..7f491b0 100644
  ')
  
  tunable_policy(`nfs_export_all_ro',`
-@@ -257,12 +295,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -257,12 +300,12 @@ tunable_policy(`nfs_export_all_ro',`
  
  	fs_read_noxattr_fs_files(nfsd_t)
  
@@ -91212,7 +91245,7 @@ index 2da9fca..7f491b0 100644
  ')
  
  ########################################
-@@ -270,7 +308,7 @@ optional_policy(`
+@@ -270,7 +313,7 @@ optional_policy(`
  # GSSD local policy
  #
  
@@ -91221,7 +91254,7 @@ index 2da9fca..7f491b0 100644
  allow gssd_t self:process { getsched setsched };
  allow gssd_t self:fifo_file rw_fifo_file_perms;
  
-@@ -280,6 +318,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -280,6 +323,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
  
@@ -91229,7 +91262,7 @@ index 2da9fca..7f491b0 100644
  kernel_read_network_state(gssd_t)
  kernel_read_network_state_symlinks(gssd_t)
  kernel_request_load_module(gssd_t)
-@@ -288,25 +327,31 @@ kernel_signal(gssd_t)
+@@ -288,25 +332,31 @@ kernel_signal(gssd_t)
  
  corecmd_exec_bin(gssd_t)
  
@@ -91264,7 +91297,7 @@ index 2da9fca..7f491b0 100644
  ')
  
  optional_policy(`
-@@ -314,9 +359,12 @@ optional_policy(`
+@@ -314,9 +364,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -109696,7 +109729,7 @@ index 61c2e07..3b86095 100644
 +	')
  ')
 diff --git a/tor.te b/tor.te
-index 5ceacde..f24416b 100644
+index 5ceacde..c919a2d 100644
 --- a/tor.te
 +++ b/tor.te
 @@ -13,6 +13,13 @@ policy_module(tor, 1.9.0)
@@ -109713,7 +109746,16 @@ index 5ceacde..f24416b 100644
  type tor_t;
  type tor_exec_t;
  init_daemon_domain(tor_t, tor_exec_t)
-@@ -32,6 +39,10 @@ logging_log_file(tor_var_log_t)
+@@ -25,13 +32,19 @@ init_script_file(tor_initrc_exec_t)
+ 
+ type tor_var_lib_t;
+ files_type(tor_var_lib_t)
++files_mountpoint(tor_var_lib_t)
+ 
+ type tor_var_log_t;
+ logging_log_file(tor_var_log_t)
++files_mountpoint(tor_var_log_t)
+ 
  type tor_var_run_t;
  files_pid_file(tor_var_run_t)
  init_daemon_run_dir(tor_var_run_t, "tor")
@@ -109724,7 +109766,7 @@ index 5ceacde..f24416b 100644
  
  ########################################
  #
-@@ -48,6 +59,8 @@ allow tor_t tor_etc_t:dir list_dir_perms;
+@@ -48,6 +61,8 @@ allow tor_t tor_etc_t:dir list_dir_perms;
  allow tor_t tor_etc_t:file read_file_perms;
  allow tor_t tor_etc_t:lnk_file read_lnk_file_perms;
  
@@ -109733,7 +109775,7 @@ index 5ceacde..f24416b 100644
  manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
  manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
  manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
-@@ -77,7 +90,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
+@@ -77,7 +92,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
  corenet_udp_sendrecv_generic_node(tor_t)
  corenet_tcp_bind_generic_node(tor_t)
  corenet_udp_bind_generic_node(tor_t)
@@ -109741,7 +109783,7 @@ index 5ceacde..f24416b 100644
  corenet_sendrecv_dns_server_packets(tor_t)
  corenet_udp_bind_dns_port(tor_t)
  corenet_udp_sendrecv_dns_port(tor_t)
-@@ -85,6 +97,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
+@@ -85,6 +99,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
  corenet_sendrecv_tor_server_packets(tor_t)
  corenet_tcp_bind_tor_port(tor_t)
  corenet_tcp_sendrecv_tor_port(tor_t)
@@ -109749,7 +109791,7 @@ index 5ceacde..f24416b 100644
  
  corenet_sendrecv_all_client_packets(tor_t)
  corenet_tcp_connect_all_ports(tor_t)
-@@ -98,19 +111,22 @@ dev_read_urand(tor_t)
+@@ -98,19 +113,22 @@ dev_read_urand(tor_t)
  domain_use_interactive_fds(tor_t)
  
  files_read_etc_runtime_files(tor_t)
@@ -114182,7 +114224,7 @@ index facdee8..2cff369 100644
 +	domtrans_pattern($1,container_file_t, $2)
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..923fbbe 100644
+index f03dcf5..af39887 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,451 +1,403 @@
@@ -115766,7 +115808,7 @@ index f03dcf5..923fbbe 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1260,360 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1260,364 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -116051,6 +116093,9 @@ index f03dcf5..923fbbe 100644
 +	fs_manage_nfs_files(svirt_sandbox_domain)
 +	fs_manage_nfs_named_sockets(svirt_sandbox_domain)
 +	fs_manage_nfs_symlinks(svirt_sandbox_domain)
++	fs_mount_nfs(svirt_sandbox_domain)
++	fs_unmount_nfs(svirt_sandbox_domain)
++	kernel_rw_fs_sysctls(svirt_sandbox_domain)
 +')
 +
 +tunable_policy(`virt_use_samba',`
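Review bot: `kernel_rw_fs_sysctls(svirt_sandbox_domain)` is added alongside the NFS mount/unmount pair, but it is not specific to NFS: it gives every sandbox domain read-write access to the fs sysctl tree, which is largely host-wide configuration rather than per-container state. Nothing in the changelog entry about mounting NFS explains the need for it. Unless a denial shows a write, I would use `kernel_read_fs_sysctls(svirt_sandbox_domain)` instead, or drop the line. The enclosing `tunable_policy` block starts outside this hunk, so which boolean gates these rules is not visible here. The following hunk adds `fs_mount_fusefs`/`fs_unmount_fusefs` to the sandbox domains in the same way.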
@@ -116064,6 +116109,8 @@ index f03dcf5..923fbbe 100644
 +    fs_manage_fusefs_dirs(svirt_sandbox_domain)
 +    fs_manage_fusefs_files(svirt_sandbox_domain)
 +    fs_manage_fusefs_symlinks(svirt_sandbox_domain)
++    fs_mount_fusefs(svirt_sandbox_domain)
++    fs_unmount_fusefs(svirt_sandbox_domain)
  ')
  
  optional_policy(`
@@ -116091,7 +116138,6 @@ index f03dcf5..923fbbe 100644
 +dontaudit container_t self:capability2  block_suspend ;
 +allow container_t self:process { execstack execmem };
 +manage_chr_files_pattern(container_t, container_file_t, container_file_t)
-+kernel_load_module(container_t)
 +
 +tunable_policy(`virt_sandbox_use_sys_admin',`
 +	allow container_t self:capability sys_admin;
@@ -116271,7 +116317,7 @@ index f03dcf5..923fbbe 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1174,12 +1626,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1630,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -116286,7 +116332,7 @@ index f03dcf5..923fbbe 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1192,7 +1644,7 @@ optional_policy(`
+@@ -1192,7 +1648,7 @@ optional_policy(`
  
  ########################################
  #
@@ -116295,7 +116341,7 @@ index f03dcf5..923fbbe 100644
  #
  
  allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1653,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1657,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
  allow virt_bridgehelper_t self:tun_socket create_socket_perms;
  allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 11f9dc3..714f596 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 221%{?dist}
+Release: 222%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -675,6 +675,29 @@ exit 0
 %endif
 
 %changelog
+* Wed Nov 02 2016 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-222
+- Allow abrt_dump_oops_t to drop capabilities. bz(1391040)
+- Add named_t domain net_raw capability bz(1389240)
+- Allow geoclue to read system info. bz(1389320)
+- Make openfortivpn_t as init_deamon_domain. bz(1159899)
+- Allow nfsd domain to create nfsd_unit_file_t files. bz(1382487)
+- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
+- Add interace lldpad_relabel_tmpfs
+- Merge pull request #155 from rhatdan/sandbox_nfs
+- Add pscsd_t wake_alarm capability2
+- Allow sandbox domains to mount fuse file systems
+- Add boolean to allow sandbox domains to mount nfs
+- Allow hypervvssd_t to read all dirs.
+- Allow isnsd_t to connect to isns_port_t
+- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
+- Allow GlusterFS with RDMA transport to be started correctly. It requires ipc_lock capability together with rw permission on rdma_cm device.
+- Make tor_var_lib_t and tor_var_log_t as mountpoints.
+- Allow systemd-rfkill to write to /proc/kmsg bz(1388669)
+- Allow init_t to relabel /dev/shm/lldpad.state
+- Merge pull request #168 from rhatdan/docker
+- Label tcp 51954 as isns_port_t
+- Lots of new domains like OCID and RKT are user container processes
+
 * Mon Oct 17 2016 Miroslav Grepl <mgrepl@redhat.com> - 3.13.1-221
 - Add container_file_t into contexts/customizable_types.