diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 3bbf129..05cb417 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index c922d1b..6f97c6e 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -3495,7 +3495,7 @@ index 7590165..d81185e 100644
 +	fs_mounton_fusefs(seunshare_domain)
  ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 33e0f8d..9502a72 100644
+index 33e0f8d..b94f32f 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -3518,16 +3518,7 @@ index 33e0f8d..9502a72 100644
  /etc/avahi/.*\.action 		--	gen_context(system_u:object_r:bin_t,s0)
  
  /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -59,6 +61,8 @@ ifdef(`distro_redhat',`
- /etc/cron.weekly(/.*)?			gen_context(system_u:object_r:bin_t,s0)
- /etc/cron.monthly(/.*)?			gen_context(system_u:object_r:bin_t,s0)
- 
-+/etc/ctdb/events\.d/.*       --  gen_context(system_u:object_r:bin_t,s0)
-+
- /etc/dhcp/dhclient\.d(/.*)?		gen_context(system_u:object_r:bin_t,s0)
- 
- /etc/hotplug/.*agent		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -67,18 +71,33 @@ ifdef(`distro_redhat',`
+@@ -67,18 +69,33 @@ ifdef(`distro_redhat',`
  /etc/hotplug\.d/default/default.*	gen_context(system_u:object_r:bin_t,s0)
  
  /etc/kde/env(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@@ -3561,7 +3552,7 @@ index 33e0f8d..9502a72 100644
  
  /etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:bin_t,s0)
  
-@@ -101,8 +120,6 @@ ifdef(`distro_redhat',`
+@@ -101,8 +118,6 @@ ifdef(`distro_redhat',`
  
  /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
  
@@ -3570,7 +3561,7 @@ index 33e0f8d..9502a72 100644
  /etc/sysconfig/crond		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/init		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/libvirtd		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -116,6 +133,9 @@ ifdef(`distro_redhat',`
+@@ -116,6 +131,9 @@ ifdef(`distro_redhat',`
  
  /etc/vmware-tools(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
@@ -3580,7 +3571,7 @@ index 33e0f8d..9502a72 100644
  /etc/X11/xdm/GiveConsole	--	gen_context(system_u:object_r:bin_t,s0)
  /etc/X11/xdm/TakeConsole	--	gen_context(system_u:object_r:bin_t,s0)
  /etc/X11/xdm/Xsetup_0		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -135,10 +155,12 @@ ifdef(`distro_debian',`
+@@ -135,10 +153,12 @@ ifdef(`distro_debian',`
  /lib/nut/.*			--	gen_context(system_u:object_r:bin_t,s0)
  /lib/readahead(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@@ -3594,7 +3585,7 @@ index 33e0f8d..9502a72 100644
  
  ifdef(`distro_gentoo',`
  /lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -149,10 +171,12 @@ ifdef(`distro_gentoo',`
+@@ -149,10 +169,12 @@ ifdef(`distro_gentoo',`
  /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -3608,7 +3599,7 @@ index 33e0f8d..9502a72 100644
  /sbin/.*				gen_context(system_u:object_r:bin_t,s0)
  /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
  /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -168,6 +192,7 @@ ifdef(`distro_gentoo',`
+@@ -168,6 +190,7 @@ ifdef(`distro_gentoo',`
  /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /opt/google/talkplugin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -3616,7 +3607,7 @@ index 33e0f8d..9502a72 100644
  
  /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
-@@ -179,34 +204,50 @@ ifdef(`distro_gentoo',`
+@@ -179,34 +202,50 @@ ifdef(`distro_gentoo',`
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -3676,7 +3667,7 @@ index 33e0f8d..9502a72 100644
  /usr/lib/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/gimp/.*/plug-ins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-@@ -218,19 +259,32 @@ ifdef(`distro_gentoo',`
+@@ -218,19 +257,32 @@ ifdef(`distro_gentoo',`
  /usr/lib/mailman/mail(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/mediawiki/math/texvc.*		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/misc/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
@@ -3716,7 +3707,7 @@ index 33e0f8d..9502a72 100644
  /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/exo-1/exo-helper-1 --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/panel/migrate	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -245,26 +299,40 @@ ifdef(`distro_gentoo',`
+@@ -245,26 +297,40 @@ ifdef(`distro_gentoo',`
  /usr/lib/debug/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/debug/usr/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/debug/usr/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
@@ -3762,7 +3753,7 @@ index 33e0f8d..9502a72 100644
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -280,10 +348,14 @@ ifdef(`distro_gentoo',`
+@@ -280,10 +346,14 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@@ -3777,7 +3768,7 @@ index 33e0f8d..9502a72 100644
  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -298,16 +370,22 @@ ifdef(`distro_gentoo',`
+@@ -298,16 +368,22 @@ ifdef(`distro_gentoo',`
  /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
@@ -3802,7 +3793,7 @@ index 33e0f8d..9502a72 100644
  
  ifdef(`distro_debian',`
  /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -325,20 +403,27 @@ ifdef(`distro_redhat', `
+@@ -325,20 +401,27 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -3831,7 +3822,7 @@ index 33e0f8d..9502a72 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -346,6 +431,7 @@ ifdef(`distro_redhat', `
+@@ -346,6 +429,7 @@ ifdef(`distro_redhat', `
  /usr/share/ssl/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -3839,7 +3830,7 @@ index 33e0f8d..9502a72 100644
  /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
-@@ -387,17 +473,34 @@ ifdef(`distro_suse', `
+@@ -387,17 +471,34 @@ ifdef(`distro_suse', `
  #
  # /var
  #
@@ -18124,7 +18115,7 @@ index 7be4ddf..9710b33 100644
 +/sys/kernel/debug -d	gen_context(system_u:object_r:debugfs_t,s0)
 +/sys/kernel/debug/.*	<<none>>
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..65a3b6d 100644
+index e100d88..c652350 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
 @@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@@ -18135,7 +18126,7 @@ index e100d88..65a3b6d 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -18755,7 +18746,7 @@ index e100d88..65a3b6d 100644
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2972,5 +3284,630 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3284,649 @@ interface(`kernel_unconfined',`
  	')
  
  	typeattribute $1 kern_unconfined;
@@ -19309,6 +19300,25 @@ index e100d88..65a3b6d 100644
 +
 +########################################
 +## <summary>
++##	Dontaudit write usermodehelper state
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`kernel_dontaudit_write_usermodehelper_state',`
++	gen_require(`
++		type usermodehelper_t;
++	')
++
++	dontaudit $1 usermodehelper_t:file write;
++')
++
++########################################
++## <summary>
 +##      Relabel to usermodehelper context .
 +## </summary>
 +## <param name="domain">
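Review bot: The new kernel_dontaudit_write_usermodehelper_state interface silences `usermodehelper_t:file write` denials (L197), and usermodehelper_t covers the kernel sysctls that select which helper binaries the kernel itself executes (presumably /proc/sys/kernel/modprobe, hotplug and similar — confirm against the genfscon rules for that type), so a blocked write there is a security-relevant event that is normally worth keeping in the audit log. The interface should only be applied to domains known to open these files read-write without actually writing, and the summary should say so, e.g. `## Dontaudit attempts to write usermodehelper state; only for domains that open the sysctl O_RDWR without writing it.` The `<rolecap/>` tag on L190 marks a role-capability interface, which a dontaudit-only interface presumably is not; drop it unless it is meant to be listed as a role capability.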
@@ -28312,7 +28322,7 @@ index 6bf0ecc..e6be63a 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..23560f0 100644
+index 8b40377..436b1e0 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,28 +26,66 @@ gen_require(`
@@ -28906,7 +28916,7 @@ index 8b40377..23560f0 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,28 +643,44 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +643,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -28918,6 +28928,7 @@ index 8b40377..23560f0 100644
 +term_use_all_terms(xdm_t)
 +term_relabel_all_ttys(xdm_t)
 +term_relabel_unallocated_ttys(xdm_t)
++term_getattr_virtio_console(xdm_t)
  
  auth_domtrans_pam_console(xdm_t)
 -auth_manage_pam_pid(xdm_t)
@@ -28955,7 +28966,7 @@ index 8b40377..23560f0 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +689,163 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +690,163 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -29125,7 +29136,7 @@ index 8b40377..23560f0 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -502,12 +858,31 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,12 +859,31 @@ tunable_policy(`xdm_sysadm_login',`
  #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
  ')
  
@@ -29157,7 +29168,7 @@ index 8b40377..23560f0 100644
  ')
  
  optional_policy(`
-@@ -518,8 +893,36 @@ optional_policy(`
+@@ -518,8 +894,36 @@ optional_policy(`
  	dbus_system_bus_client(xdm_t)
  	dbus_connect_system_bus(xdm_t)
  
@@ -29195,7 +29206,7 @@ index 8b40377..23560f0 100644
  	')
  ')
  
-@@ -530,6 +933,20 @@ optional_policy(`
+@@ -530,6 +934,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29216,7 +29227,7 @@ index 8b40377..23560f0 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -547,28 +964,78 @@ optional_policy(`
+@@ -547,28 +965,78 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29304,7 +29315,7 @@ index 8b40377..23560f0 100644
  ')
  
  optional_policy(`
-@@ -580,6 +1047,14 @@ optional_policy(`
+@@ -580,6 +1048,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29319,7 +29330,7 @@ index 8b40377..23560f0 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,7 +1069,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1070,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
  type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
  
  allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -29328,7 +29339,7 @@ index 8b40377..23560f0 100644
  
  # setuid/setgid for the wrapper program to change UID
  # sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1079,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1080,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -29341,7 +29352,7 @@ index 8b40377..23560f0 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1096,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1097,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -29357,7 +29368,7 @@ index 8b40377..23560f0 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1112,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1113,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
  filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
  
@@ -29368,7 +29379,7 @@ index 8b40377..23560f0 100644
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1127,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1128,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -29405,7 +29416,7 @@ index 8b40377..23560f0 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1173,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1174,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -29437,7 +29448,7 @@ index 8b40377..23560f0 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -705,6 +1206,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1207,14 @@ fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
  
@@ -29452,7 +29463,7 @@ index 8b40377..23560f0 100644
  mls_xwin_read_to_clearance(xserver_t)
  
  selinux_validate_context(xserver_t)
-@@ -718,20 +1227,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1228,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -29476,7 +29487,7 @@ index 8b40377..23560f0 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1246,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1247,6 @@ userdom_setattr_user_ttys(xserver_t)
  userdom_read_user_tmp_files(xserver_t)
  userdom_rw_user_tmpfs_files(xserver_t)
  
@@ -29485,7 +29496,7 @@ index 8b40377..23560f0 100644
  ifndef(`distro_redhat',`
  	allow xserver_t self:process { execmem execheap execstack };
  	domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1290,54 @@ optional_policy(`
+@@ -785,17 +1291,54 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29542,7 +29553,7 @@ index 8b40377..23560f0 100644
  ')
  
  optional_policy(`
-@@ -803,6 +1345,10 @@ optional_policy(`
+@@ -803,6 +1346,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29553,7 +29564,7 @@ index 8b40377..23560f0 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -818,18 +1364,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1365,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -29578,7 +29589,7 @@ index 8b40377..23560f0 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -842,26 +1387,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1388,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -29613,7 +29624,7 @@ index 8b40377..23560f0 100644
  ')
  
  optional_policy(`
-@@ -912,7 +1452,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1453,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -29622,7 +29633,7 @@ index 8b40377..23560f0 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -966,11 +1506,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1507,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -29654,7 +29665,7 @@ index 8b40377..23560f0 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1552,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1553,148 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -35595,7 +35606,7 @@ index 0d4c8d3..537aa42 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 312cd04..324b3af 100644
+index 312cd04..102b975 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -35702,7 +35713,7 @@ index 312cd04..324b3af 100644
  
  dev_read_sysfs(ipsec_t)
  dev_read_rand(ipsec_t)
-@@ -157,22 +178,31 @@ files_dontaudit_search_home(ipsec_t)
+@@ -157,22 +178,32 @@ files_dontaudit_search_home(ipsec_t)
  fs_getattr_all_fs(ipsec_t)
  fs_search_auto_mountpoints(ipsec_t)
  
@@ -35711,6 +35722,7 @@ index 312cd04..324b3af 100644
  term_use_console(ipsec_t)
  term_dontaudit_use_all_ttys(ipsec_t)
  
++auth_use_pam(ipsec_t)
  auth_use_nsswitch(ipsec_t)
 +auth_read_home_content(ipsec_t)
  
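Review bot: `auth_use_pam(ipsec_t)` on L451 is a broad interface — it typically pulls in the password-check and password-update domain transitions, read/write access to login records and faillog, and audit message sending — and nothing in the hunk records which PAM use by the IKE daemon requires it (XAUTH client authentication would be my guess; verify against the denial that motivated it). A one-line why-comment next to the rule, e.g. `# pluto authenticates XAUTH clients through PAM`, would let a later reviewer decide whether the access can be narrowed, for instance to auth_domtrans_chk_passwd alone if password checking is all that is needed.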
@@ -35736,7 +35748,7 @@ index 312cd04..324b3af 100644
  
  optional_policy(`
  	seutil_sigchld_newrole(ipsec_t)
-@@ -182,19 +212,30 @@ optional_policy(`
+@@ -182,19 +213,30 @@ optional_policy(`
  	udev_read_db(ipsec_t)
  ')
  
@@ -35771,7 +35783,7 @@ index 312cd04..324b3af 100644
  
  allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
  files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
-@@ -208,12 +249,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+@@ -208,12 +250,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
  
  allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
  files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@@ -35787,7 +35799,7 @@ index 312cd04..324b3af 100644
  
  # _realsetup needs to be able to cat /var/run/pluto.pid,
  # run ps on that pid, and delete the file
-@@ -246,6 +289,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +290,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
  kernel_getattr_core_if(ipsec_mgmt_t)
  kernel_getattr_message_if(ipsec_mgmt_t)
  
@@ -35804,7 +35816,7 @@ index 312cd04..324b3af 100644
  files_read_kernel_symbol_table(ipsec_mgmt_t)
  files_getattr_kernel_modules(ipsec_mgmt_t)
  
-@@ -255,6 +308,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +309,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
  corecmd_exec_bin(ipsec_mgmt_t)
  corecmd_exec_shell(ipsec_mgmt_t)
  
@@ -35813,7 +35825,7 @@ index 312cd04..324b3af 100644
  dev_read_rand(ipsec_mgmt_t)
  dev_read_urand(ipsec_mgmt_t)
  
-@@ -269,6 +324,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+@@ -269,6 +325,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
  files_read_etc_files(ipsec_mgmt_t)
  files_exec_etc_files(ipsec_mgmt_t)
  files_read_etc_runtime_files(ipsec_mgmt_t)
@@ -35821,7 +35833,7 @@ index 312cd04..324b3af 100644
  files_read_usr_files(ipsec_mgmt_t)
  files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
  files_dontaudit_getattr_default_files(ipsec_mgmt_t)
-@@ -278,9 +334,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +335,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
  fs_list_tmpfs(ipsec_mgmt_t)
  
  term_use_console(ipsec_mgmt_t)
@@ -35833,7 +35845,7 @@ index 312cd04..324b3af 100644
  
  init_read_utmp(ipsec_mgmt_t)
  init_use_script_ptys(ipsec_mgmt_t)
-@@ -288,17 +345,28 @@ init_exec_script_files(ipsec_mgmt_t)
+@@ -288,17 +346,28 @@ init_exec_script_files(ipsec_mgmt_t)
  init_use_fds(ipsec_mgmt_t)
  init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
  
@@ -35867,7 +35879,7 @@ index 312cd04..324b3af 100644
  
  optional_policy(`
  	consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +390,10 @@ optional_policy(`
+@@ -322,6 +391,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35878,7 +35890,7 @@ index 312cd04..324b3af 100644
  	modutils_domtrans_insmod(ipsec_mgmt_t)
  ')
  
-@@ -335,7 +407,7 @@ optional_policy(`
+@@ -335,7 +408,7 @@ optional_policy(`
  #
  
  allow racoon_t self:capability { net_admin net_bind_service };
@@ -35887,7 +35899,7 @@ index 312cd04..324b3af 100644
  allow racoon_t self:unix_dgram_socket { connect create ioctl write };
  allow racoon_t self:netlink_selinux_socket { bind create read };
  allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +442,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +443,12 @@ kernel_request_load_module(racoon_t)
  corecmd_exec_shell(racoon_t)
  corecmd_exec_bin(racoon_t)
  
@@ -35907,7 +35919,7 @@ index 312cd04..324b3af 100644
  corenet_udp_bind_isakmp_port(racoon_t)
  corenet_udp_bind_ipsecnat_port(racoon_t)
  
-@@ -401,10 +472,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +473,10 @@ locallogin_use_fds(racoon_t)
  logging_send_syslog_msg(racoon_t)
  logging_send_audit_msgs(racoon_t)
  
@@ -35920,7 +35932,7 @@ index 312cd04..324b3af 100644
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +509,8 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +510,8 @@ corenet_setcontext_all_spds(setkey_t)
  
  locallogin_use_fds(setkey_t)
  
@@ -42470,7 +42482,7 @@ index efa9c27..536a514 100644
 +	manage_files_pattern($1, setrans_var_run_t, setrans_var_run_t)
 +')
 diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
-index 1447687..d5e6fb9 100644
+index 1447687..0b1da4d 100644
 --- a/policy/modules/system/setrans.te
 +++ b/policy/modules/system/setrans.te
 @@ -12,6 +12,7 @@ gen_require(`
@@ -42481,7 +42493,15 @@ index 1447687..d5e6fb9 100644
  
  type setrans_initrc_exec_t;
  init_script_file(setrans_initrc_exec_t)
-@@ -78,7 +79,6 @@ locallogin_dontaudit_use_fds(setrans_t)
+@@ -49,6 +50,7 @@ manage_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
+ manage_sock_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
+ files_pid_filetrans(setrans_t, setrans_var_run_t, { file dir })
+ 
++kernel_read_system_state(setrans_t)
+ kernel_read_kernel_sysctls(setrans_t)
+ kernel_read_proc_symlinks(setrans_t)
+ 
+@@ -78,7 +80,6 @@ locallogin_dontaudit_use_fds(setrans_t)
  
  logging_send_syslog_msg(setrans_t)
  
@@ -45266,10 +45286,10 @@ index 0000000..21f7c14
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..f4783a5
+index 0000000..605f160
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,904 @@
+@@ -0,0 +1,909 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -45832,6 +45852,8 @@ index 0000000..f4783a5
 +allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
 +allow systemd_notify_t self:unix_dgram_socket create_socket_perms;
 +
++dev_write_kmsg(systemd_notify_t)
++
 +domain_use_interactive_fds(systemd_notify_t)
 +
 +fs_getattr_cgroup_files(systemd_notify_t)
@@ -46105,10 +46127,13 @@ index 0000000..f4783a5
 +#
 +# systemd_gpt_generator domain
 +#
++
 +dev_read_sysfs(systemd_gpt_generator_t)
 +dev_write_kmsg(systemd_gpt_generator_t)
 +dev_read_nvme(systemd_gpt_generator_t)
 +
++storage_raw_read_fixed_disk(systemd_gpt_generator_t)
++
 +#######################################
 +#
 +# systemd_resolved domain
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 6de2977..ba812ef 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -19864,17 +19864,19 @@ index 7de3859..1444c2f 100644
  
  type unconfined_cronjob_t;
 diff --git a/ctdb.fc b/ctdb.fc
-index 8401fe6..d58f3e7 100644
+index 8401fe6..84ece3e 100644
 --- a/ctdb.fc
 +++ b/ctdb.fc
-@@ -1,12 +1,18 @@
+@@ -1,12 +1,20 @@
  /etc/rc\.d/init\.d/ctdb	--	gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0)
  
++/etc/ctdb/events\.d/.*       --  gen_context(system_u:object_r:ctdbd_exec_t,s0)
++
  /usr/sbin/ctdbd	--	gen_context(system_u:object_r:ctdbd_exec_t,s0)
 +/usr/sbin/ctdbd_wrapper --  gen_context(system_u:object_r:ctdbd_exec_t,s0)
- 
-+/var/ctdb(/.*)?    gen_context(system_u:object_r:ctdbd_var_t,s0)
 +
++/var/ctdb(/.*)?    gen_context(system_u:object_r:ctdbd_var_t,s0)
+ 
 +/var/lib/ctdb(/.*)?	gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
  /var/lib/ctdbd(/.*)?	gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
  
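Review bot: L641 labels every file under /etc/ctdb/events.d with ctdbd_exec_t, the daemon's entrypoint type, so administrator-editable event scripts now share a type with /usr/sbin/ctdbd (L643) and any domain transition keyed on ctdbd_exec_t can be entered through an arbitrary script in that directory; a dedicated type for the event scripts (executable by ctdbd_t but not an entrypoint) would keep the entrypoint limited to the packaged binaries. This commit also removes the corecommands.fc rule that previously labeled these scripts bin_t (L25), so the relabel is deliberate and a comment above L641 such as `# event scripts run in the ctdbd_t domain, not as generic bin_t` would make that visible. Style: L641, L644, L646 and L648 align with runs of spaces while the surrounding entries use tabs.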
@@ -20192,7 +20194,7 @@ index b25b01d..06895f3 100644
  ')
 +
 diff --git a/ctdb.te b/ctdb.te
-index 001b502..4a84c8b 100644
+index 001b502..47199aa 100644
 --- a/ctdb.te
 +++ b/ctdb.te
 @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
@@ -20221,7 +20223,7 @@ index 001b502..4a84c8b 100644
  
  append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
  create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
-@@ -57,12 +63,21 @@ files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir)
+@@ -57,12 +63,23 @@ files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir)
  exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
  manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
  manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
@@ -20239,12 +20241,14 @@ index 001b502..4a84c8b 100644
 +manage_sock_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
  files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir)
  
++setattr_files_pattern(ctdbd_t, ctdbd_exec_t, ctdbd_exec_t)
++
 +can_exec(ctdbd_t, ctdbd_exec_t)
 +
  kernel_read_network_state(ctdbd_t)
  kernel_read_system_state(ctdbd_t)
  kernel_rw_net_sysctls(ctdbd_t)
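Review bot: `setattr_files_pattern(ctdbd_t, ctdbd_exec_t, ctdbd_exec_t)` on L675 lets the daemon change mode and ownership of every file carrying its own entrypoint type, including /usr/sbin/ctdbd itself, presumably because the event scripts under /etc/ctdb/events.d that this commit relabels to ctdbd_exec_t are enabled and disabled by toggling their execute bit — confirm. If that is the reason, a why-comment belongs on the rule, e.g. `# ctdb enables/disables /etc/ctdb/events.d scripts by chmod`, and giving the event scripts their own type would let this setattr and the can_exec on L677 be granted on the scripts without also covering the daemon binary's label.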
-@@ -72,9 +87,13 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
+@@ -72,9 +89,13 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
  corenet_tcp_sendrecv_generic_if(ctdbd_t)
  corenet_tcp_sendrecv_generic_node(ctdbd_t)
  corenet_tcp_bind_generic_node(ctdbd_t)
@@ -20258,7 +20262,7 @@ index 001b502..4a84c8b 100644
  corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
  
  corecmd_exec_bin(ctdbd_t)
-@@ -85,14 +104,18 @@ dev_read_urand(ctdbd_t)
+@@ -85,14 +106,18 @@ dev_read_urand(ctdbd_t)
  
  domain_dontaudit_read_all_domains_state(ctdbd_t)
  
@@ -20279,7 +20283,7 @@ index 001b502..4a84c8b 100644
  optional_policy(`
  	consoletype_exec(ctdbd_t)
  ')
-@@ -106,9 +129,16 @@ optional_policy(`
+@@ -106,9 +131,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20442,7 +20446,7 @@ index 949011e..9437dbe 100644
 +/etc/opt/brother/Printers/(.*/)?inf(/.*)?        gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +/opt/brother/Printers(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --git a/cups.if b/cups.if
-index 3023be7..0317731 100644
+index 3023be7..4f0fe46 100644
 --- a/cups.if
 +++ b/cups.if
 @@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',`
@@ -20520,7 +20524,7 @@ index 3023be7..0317731 100644
  
  	init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -368,13 +400,45 @@ interface(`cups_admin',`
+@@ -368,13 +400,46 @@ interface(`cups_admin',`
  	logging_list_logs($1)
  	admin_pattern($1, cupsd_log_t)
  
@@ -20565,6 +20569,7 @@ index 3023be7..0317731 100644
 +	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O")
 +	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.N")
 +	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat")
++	files_etc_filetrans($1, cupsd_rw_etc_t, file, "printcap")
 +	files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppds.dat")
 +	files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
 +	files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
@@ -26601,7 +26606,7 @@ index 0aabc7e..e1c4564 100644
  	sendmail_domtrans(dovecot_deliver_t)
  ')
 diff --git a/drbd.fc b/drbd.fc
-index 671a3fb..c781675 100644
+index 671a3fb..47b4958 100644
 --- a/drbd.fc
 +++ b/drbd.fc
 @@ -3,7 +3,7 @@
@@ -26613,6 +26618,12 @@ index 671a3fb..c781675 100644
  
  /usr/sbin/drbdadm	--	gen_context(system_u:object_r:drbd_exec_t,s0)
  /usr/sbin/drbdsetup	--	gen_context(system_u:object_r:drbd_exec_t,s0)
+@@ -11,3 +11,5 @@
+ /var/lib/drbd(/.*)?	gen_context(system_u:object_r:drbd_var_lib_t,s0)
+ 
+ /var/lock/subsys/drbd	--	gen_context(system_u:object_r:drbd_lock_t,s0)
++
++/var/run/drbd(/.*)?		gen_context(system_u:object_r:drbd_var_run_t,s0)
 diff --git a/drbd.if b/drbd.if
 index 9a21639..26c5986 100644
 --- a/drbd.if
@@ -26756,13 +26767,16 @@ index 9a21639..26c5986 100644
  ')
 +
 diff --git a/drbd.te b/drbd.te
-index f2516cc..0487894 100644
+index f2516cc..6b232ae 100644
 --- a/drbd.te
 +++ b/drbd.te
-@@ -18,17 +18,20 @@ files_type(drbd_var_lib_t)
+@@ -18,38 +18,71 @@ files_type(drbd_var_lib_t)
  type drbd_lock_t;
  files_lock_file(drbd_lock_t)
  
++type drbd_var_run_t;
++files_pid_file(drbd_var_run_t)
++
 +type drbd_tmp_t;
 +files_tmp_file(drbd_tmp_t)
 +
@@ -26782,14 +26796,21 @@ index f2516cc..0487894 100644
  
  manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
  manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
-@@ -38,18 +41,40 @@ files_var_lib_filetrans(drbd_t, drbd_var_lib_t, dir)
+ manage_lnk_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
+ files_var_lib_filetrans(drbd_t, drbd_var_lib_t, dir)
+ 
++manage_dirs_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t)
++manage_files_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t)
++manage_lnk_files_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t)
++files_pid_filetrans(drbd_t, drbd_var_run_t, { file dir })
++
  manage_files_pattern(drbd_t, drbd_lock_t, drbd_lock_t)
  files_lock_filetrans(drbd_t, drbd_lock_t, file)
  
 -can_exec(drbd_t, drbd_exec_t)
 +manage_dirs_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t)
 +manage_files_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t)
-+files_tmp_filetrans(drbd_t, drbd_tmp_t, dir)
++files_tmp_filetrans(drbd_t, drbd_tmp_t, {file dir})
  
  kernel_read_system_state(drbd_t)
  
@@ -29992,10 +30013,10 @@ index 0000000..c4d2c2d
 +')
 diff --git a/fwupd.te b/fwupd.te
 new file mode 100644
-index 0000000..3dd3dc8
+index 0000000..e0bb02d
 --- /dev/null
 +++ b/fwupd.te
-@@ -0,0 +1,60 @@
+@@ -0,0 +1,64 @@
 +policy_module(fwupd, 1.0.0)
 +
 +########################################
@@ -30056,6 +30077,10 @@ index 0000000..3dd3dc8
 +		policykit_dbus_chat(fwupd_t)
 +	')
 +')
++
++optional_policy(`
++	unconfined_domain(fwupd_t)
++')
 diff --git a/games.if b/games.if
 index e2a3e0d..50ebd40 100644
 --- a/games.if
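Review bot: `unconfined_domain(fwupd_t)` on the added lines removes every restriction the rest of this module places on fwupd_t whenever the unconfined module is loaded, so the confined domain declared at the top of the file is confined in name only on a default install; the spec changelog in this same commit describes it as a stop-gap pending a gpg solution, but nothing in the policy file says so. Add a comment on the block that records the reason and the exit condition, e.g. `# Temporary: fwupd runs unconfined until its gpg signature verification can be expressed in policy; remove once that is done`, so the grant is not mistaken for a deliberate design. If gpg is the only blocker, a gpg-specific interface such as `gpg_domtrans(fwupd_t)` inside an optional_policy block is the narrower target to move to.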
@@ -67402,10 +67427,10 @@ index 0000000..80246e6
 +
 diff --git a/pcp.te b/pcp.te
 new file mode 100644
-index 0000000..573632e
+index 0000000..2fecf5d
 --- /dev/null
 +++ b/pcp.te
-@@ -0,0 +1,274 @@
+@@ -0,0 +1,278 @@
 +policy_module(pcp, 1.0.0)
 +
 +########################################
@@ -67658,6 +67683,8 @@ index 0000000..573632e
 +
 +corecmd_exec_bin(pcp_pmie_t)
 +
++domain_read_all_domains_state(pcp_pmie_t)
++
 +logging_send_syslog_msg(pcp_pmie_t)
 +
 +userdom_read_user_tmp_files(pcp_pmie_t)
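Review bot: `domain_read_all_domains_state(pcp_pmie_t)` grants this domain read access to the /proc state of every domain on the system, which is a broad information-disclosure grant for a monitoring helper; the next hunk of this file adds the identical call for pcp_pmlogger_t, and the same remark applies there. If the PCP collectors only need to enumerate processes and read their attributes, `domain_getattr_all_domains(pcp_pmie_t)` is the narrower interface; if they genuinely sample per-process files under /proc, keep the read interface but say so, e.g. `# pmie/pmlogger collect per-process metrics from /proc for every process`. Without such a comment the next reviewer cannot tell an intended grant from one copied in to silence a denial.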
@@ -67680,6 +67707,8 @@ index 0000000..573632e
 +corenet_tcp_bind_commplex_link_port(pcp_pmlogger_t)
 +corenet_tcp_bind_generic_node(pcp_pmlogger_t)
 +
++domain_read_all_domains_state(pcp_pmlogger_t)
++
 diff --git a/pcscd.if b/pcscd.if
 index 43d50f9..6b1544f 100644
 --- a/pcscd.if
@@ -83865,22 +83894,24 @@ index 5bc878b..5736203 100644
 +	unconfined_domain_noaudit(realmd_consolehelper_t)
  ')
 diff --git a/redis.fc b/redis.fc
-index e240ac9..953767b 100644
+index e240ac9..b9707aa 100644
 --- a/redis.fc
 +++ b/redis.fc
-@@ -1,9 +1,11 @@
+@@ -1,9 +1,13 @@
  /etc/rc\.d/init\.d/redis	--	gen_context(system_u:object_r:redis_initrc_exec_t,s0)
  
 -/usr/sbin/redis-server	--	gen_context(system_u:object_r:redis_exec_t,s0)
-+/usr/lib/systemd/system/redis.*		--	gen_context(system_u:object_r:redis_unit_file_t,s0)
++/etc/redis-sentinel.*		--	gen_context(system_u:object_r:redis_conf_t,s0)
  
 -/var/lib/redis(/.*)?	gen_context(system_u:object_r:redis_var_lib_t,s0)
-+/usr/bin/redis-server		--	gen_context(system_u:object_r:redis_exec_t,s0)
++/usr/lib/systemd/system/redis.*		--	gen_context(system_u:object_r:redis_unit_file_t,s0)
  
 -/var/log/redis(/.*)?	gen_context(system_u:object_r:redis_log_t,s0)
-+/var/lib/redis(/.*)?		gen_context(system_u:object_r:redis_var_lib_t,s0)
++/usr/bin/redis-server		--	gen_context(system_u:object_r:redis_exec_t,s0)
  
 -/var/run/redis(/.*)?	gen_context(system_u:object_r:redis_var_run_t,s0)
++/var/lib/redis(/.*)?		gen_context(system_u:object_r:redis_var_lib_t,s0)
++
 +/var/log/redis(/.*)?		gen_context(system_u:object_r:redis_log_t,s0)
 +
 +/var/run/redis(/.*)?		gen_context(system_u:object_r:redis_var_run_t,s0)
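Review bot: `/etc/redis-sentinel.*` on the first added line is a looser regex than the changelog in this commit describes: the `.` is unescaped and `.*` accepts any suffix, so `/etc/redis-sentinel-backup` or a directory starting with that prefix would also be labelled redis_conf_t. If only the sentinel config file is meant, the usual form is `/etc/redis-sentinel\.conf -- gen_context(system_u:object_r:redis_conf_t,s0)`, escaping the dot the way the `init\.d` entry at the top of this file does. The `/usr/lib/systemd/system/redis.*` entry below it has the same shape but is pre-existing text rolled into this hunk, not new.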
@@ -84149,10 +84180,20 @@ index 16c8ecb..4e021ec 100644
 +	')
  ')
 diff --git a/redis.te b/redis.te
-index 25cd417..edf5ca8 100644
+index 25cd417..61de827 100644
 --- a/redis.te
 +++ b/redis.te
-@@ -21,6 +21,9 @@ files_type(redis_var_lib_t)
+@@ -12,6 +12,9 @@ init_daemon_domain(redis_t, redis_exec_t)
+ type redis_initrc_exec_t;
+ init_script_file(redis_initrc_exec_t)
+ 
++type redis_conf_t;
++files_config_file(redis_conf_t)
++
+ type redis_log_t;
+ logging_log_file(redis_log_t)
+ 
+@@ -21,6 +24,9 @@ files_type(redis_var_lib_t)
  type redis_var_run_t;
  files_pid_file(redis_var_run_t)
  
@@ -84162,7 +84203,16 @@ index 25cd417..edf5ca8 100644
  ########################################
  #
  # Local policy
-@@ -42,8 +45,10 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
+@@ -31,6 +37,8 @@ allow redis_t self:fifo_file rw_fifo_file_perms;
+ allow redis_t self:unix_stream_socket create_stream_socket_perms;
+ allow redis_t self:tcp_socket create_stream_socket_perms;
+ 
++manage_files_pattern(redis_t, redis_conf_t, redis_conf_t)
++
+ manage_dirs_pattern(redis_t, redis_log_t, redis_log_t)
+ manage_files_pattern(redis_t, redis_log_t, redis_log_t)
+ manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t)
+@@ -42,14 +50,17 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
  manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t)
  manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
  manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
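Review bot: `manage_files_pattern(redis_t, redis_conf_t, redis_conf_t)` on the added line lets the network-facing redis_t create, delete and rename any file labelled redis_conf_t, not merely rewrite the one sentinel config it owns, so a compromised server can persist arbitrary configuration across restarts. If sentinel rewrites the file in place, `rw_files_pattern(redis_t, redis_conf_t, redis_conf_t)` is the narrower grant; manage is only needed if it writes a temporary file and renames it over the original, and in that case a comment such as `# sentinel rewrites its own config on state change` would justify the wider pattern. The .fc hunk in this commit labels only the sentinel file with redis_conf_t, so the grant does not extend to other files under /etc unless they are relabelled later.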
@@ -84173,7 +84223,14 @@ index 25cd417..edf5ca8 100644
  
  corenet_all_recvfrom_unlabeled(redis_t)
  corenet_all_recvfrom_netlabel(redis_t)
-@@ -60,6 +65,4 @@ dev_read_urand(redis_t)
+ corenet_tcp_sendrecv_generic_if(redis_t)
+ corenet_tcp_sendrecv_generic_node(redis_t)
+ corenet_tcp_bind_generic_node(redis_t)
++corenet_tcp_connect_redis_port(redis_t)
+ 
+ corenet_sendrecv_redis_server_packets(redis_t)
+ corenet_tcp_bind_redis_port(redis_t)
+@@ -60,6 +71,4 @@ dev_read_urand(redis_t)
  
  logging_send_syslog_msg(redis_t)
  
@@ -109275,10 +109332,10 @@ index 3d11c6a..b19a117 100644
  
  optional_policy(`
 diff --git a/virt.fc b/virt.fc
-index a4f20bc..58f9c69 100644
+index a4f20bc..c88e3e4 100644
 --- a/virt.fc
 +++ b/virt.fc
-@@ -1,51 +1,102 @@
+@@ -1,51 +1,103 @@
 -HOME_DIR/\.libvirt(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
 -HOME_DIR/\.libvirt/qemu(/.*)?	gen_context(system_u:object_r:svirt_home_t,s0)
 -HOME_DIR/\.virtinst(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
@@ -109376,6 +109433,7 @@ index a4f20bc..58f9c69 100644
 +/var/lib/oz(/.*)?					gen_context(system_u:object_r:virt_var_lib_t,s0)
 +/var/lib/oz/isos(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
 +/var/lib/vdsm(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
++/var/lib/rkt/cas(/.*)?		gen_context(system_u:object_r:container_image_t,s0)
  
 -/var/run/libguestfs(/.*)?	gen_context(system_u:object_r:virt_var_run_t,s0)
 -/var/run/libvirtd\.pid	--	gen_context(system_u:object_r:virt_var_run_t,s0)
@@ -109420,7 +109478,7 @@ index a4f20bc..58f9c69 100644
 +/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index facdee8..52ece13 100644
+index facdee8..280e040 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,318 +1,226 @@
@@ -110438,9 +110496,12 @@ index facdee8..52ece13 100644
 +		fs_list_nfs($1)
 +		fs_read_nfs_files($1)
 +		fs_read_nfs_symlinks($1)
-+	')
-+
-+	tunable_policy(`virt_use_samba',`
+ 	')
+ 
+ 	tunable_policy(`virt_use_samba',`
+-		fs_manage_cifs_dirs($1)
+-		fs_manage_cifs_files($1)
+-		fs_manage_cifs_symlinks($1)
 +		fs_list_cifs($1)
 +		fs_read_cifs_files($1)
 +		fs_read_cifs_symlinks($1)
@@ -110478,13 +110539,14 @@ index facdee8..52ece13 100644
 +interface(`virt_rw_chr_files',`
 +	gen_require(`
 +		attribute virt_image_type;
-+	')
+ 	')
 +
 +	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Relabel virt home content.
 +##	Create, read, write, and delete
 +##	svirt cache files.
 +## </summary>
@@ -110722,20 +110784,13 @@ index facdee8..52ece13 100644
 +interface(`virt_mounton_sandbox_file',`
 +	gen_require(`
 +		type svirt_sandbox_file_t;
- 	')
- 
--	tunable_policy(`virt_use_samba',`
--		fs_manage_cifs_dirs($1)
--		fs_manage_cifs_files($1)
--		fs_manage_cifs_symlinks($1)
--	')
++	')
++
 +	allow $1 svirt_sandbox_file_t:dir_file_class_set mounton;
- ')
- 
--########################################
++')
++
 +#######################################
- ## <summary>
--##	Relabel virt home content.
++## <summary>
 +##	Connect to virt over a unix domain stream socket.
  ## </summary>
  ## <param name="domain">
@@ -111084,7 +111139,7 @@ index facdee8..52ece13 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -935,117 +1284,134 @@ interface(`virt_read_log',`
+@@ -935,117 +1284,153 @@ interface(`virt_read_log',`
  ##	</summary>
  ## </param>
  #
@@ -111167,22 +111222,22 @@ index facdee8..52ece13 100644
  ########################################
  ## <summary>
 -##	Read virt image files.
-+##	Execute a qemu_exec_t in the callers domain
++##	Make the specified type usable as a lxc network domain
  ## </summary>
- ## <param name="domain">
--##	<summary>
-+## <summary>
- ##	Domain allowed access.
--##	</summary>
-+## </summary>
+-## <param name="domain">
++## <param name="type">
+ ##	<summary>
+-##	Domain allowed access.
++##	Type to be used as a lxc network domain
+ ##	</summary>
  ## </param>
  #
 -interface(`virt_read_images',`
-+interface(`virt_exec_qemu',`
++template(`virt_sandbox_net_domain',`
  	gen_require(`
 -		type virt_var_lib_t;
 -		attribute virt_image_type;
-+		type qemu_exec_t;
++		attribute sandbox_net_domain;
  	')
  
 -	virt_search_lib($1)
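Review bot: The new `virt_sandbox_net_domain` template requires `attribute sandbox_net_domain;`, but no hunk in this commit declares that attribute in virt.te; presumably it is declared elsewhere, otherwise every caller fails at build time on an undeclared attribute, so it is worth confirming before merge. The template body in the next hunk also calls `virt_sandbox_domain($1)`, so a caller receives the full sandbox policy plus whatever rules attach to sandbox_net_domain; the summary should say that, e.g. `##	Make the specified type a lxc sandbox domain with network access`. Style, next hunk: `typeattribute  $1 sandbox_net_domain;` has a double space and should read `typeattribute $1 sandbox_net_domain;`.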
@@ -111191,7 +111246,8 @@ index facdee8..52ece13 100644
 -	read_files_pattern($1, virt_image_type, virt_image_type)
 -	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
 -	read_blk_files_pattern($1, virt_image_type, virt_image_type)
-+	can_exec($1, qemu_exec_t)
++	virt_sandbox_domain($1)
++	typeattribute  $1 sandbox_net_domain;
 +')
  
 -	tunable_policy(`virt_use_nfs',`
@@ -111200,6 +111256,28 @@ index facdee8..52ece13 100644
 -		fs_read_nfs_symlinks($1)
 +########################################
 +## <summary>
++##	Execute a qemu_exec_t in the callers domain
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`virt_exec_qemu',`
++	gen_require(`
++		type qemu_exec_t;
+ 	')
+ 
+-	tunable_policy(`virt_use_samba',`
+-		fs_list_cifs($1)
+-		fs_read_cifs_files($1)
+-		fs_read_cifs_symlinks($1)
++	can_exec($1, qemu_exec_t)
++')
++
++########################################
++## <summary>
 +##	Transition to virt named content
 +## </summary>
 +## <param name="domain">
@@ -111213,12 +111291,7 @@ index facdee8..52ece13 100644
 +		type virt_lxc_var_run_t;
 +		type virt_var_run_t;
  	')
- 
--	tunable_policy(`virt_use_samba',`
--		fs_list_cifs($1)
--		fs_read_cifs_files($1)
--		fs_read_cifs_symlinks($1)
--	')
++
 +	files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
 +	files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
 +	files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
@@ -111271,7 +111344,7 @@ index facdee8..52ece13 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1053,15 +1419,17 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,15 +1438,17 @@ interface(`virt_rw_all_image_chr_files',`
  ##	</summary>
  ## </param>
  #
@@ -111294,7 +111367,7 @@ index facdee8..52ece13 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1069,21 +1437,17 @@ interface(`virt_manage_svirt_cache',`
+@@ -1069,21 +1456,17 @@ interface(`virt_manage_svirt_cache',`
  ##	</summary>
  ## </param>
  #
@@ -111320,7 +111393,7 @@ index facdee8..52ece13 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1091,36 +1455,36 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1474,36 @@ interface(`virt_manage_virt_cache',`
  ##	</summary>
  ## </param>
  #
@@ -111377,7 +111450,7 @@ index facdee8..52ece13 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1136,50 +1500,76 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1519,76 @@ interface(`virt_manage_images',`
  #
  interface(`virt_admin',`
  	gen_require(`
@@ -111487,10 +111560,10 @@ index facdee8..52ece13 100644
 +        ps_process_pattern(virtd_t, $1)
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..f347621 100644
+index f03dcf5..ae377ac 100644
 --- a/virt.te
 +++ b/virt.te
-@@ -1,150 +1,248 @@
+@@ -1,150 +1,234 @@
 -policy_module(virt, 1.7.4)
 +policy_module(virt, 1.5.0)
  
@@ -111645,27 +111718,12 @@ index f03dcf5..f347621 100644
 +
 +## <desc>
 +## <p>
-+## Allow sandbox containers to manage nfs files
-+## </p>
-+## </desc>
-+gen_tunable(virt_sandbox_use_nfs, false)
-+
-+## <desc>
-+## <p>
-+## Allow sandbox containers to manage samba/cifs files
-+## </p>
-+## </desc>
-+gen_tunable(virt_sandbox_use_samba, false)
-+
-+## <desc>
-+## <p>
 +## Allow sandbox containers to send audit messages
 +
 +## </p>
 +## </desc>
 +gen_tunable(virt_sandbox_use_audit, true)
- 
--attribute svirt_lxc_domain;
++
 +## <desc>
 +## <p>
 +## Allow sandbox containers to use netlink system calls
@@ -111679,7 +111737,8 @@ index f03dcf5..f347621 100644
 +## </p>
 +## </desc>
 +gen_tunable(virt_sandbox_use_sys_admin, false)
-+
+ 
+-attribute svirt_lxc_domain;
 +## <desc>
 +## <p>
 +## Allow sandbox containers to use mknod system calls
@@ -111718,13 +111777,13 @@ index f03dcf5..f347621 100644
 -virt_domain_template(svirt_prot_exec)
 +role system_r types svirt_t;
 +typealias svirt_t alias qemu_t;
-+
+ 
+-type virt_cache_t alias svirt_cache_t;
 +virt_domain_template(svirt_tcg)
 +role system_r types svirt_tcg_t;
 +
 +type qemu_exec_t, virt_file_type;
- 
--type virt_cache_t alias svirt_cache_t;
++
 +type virt_cache_t alias svirt_cache_t, virt_file_type;
  files_type(virt_cache_t)
  
@@ -111809,7 +111868,7 @@ index f03dcf5..f347621 100644
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -153,299 +251,137 @@ ifdef(`enable_mls',`
+@@ -153,299 +237,140 @@ ifdef(`enable_mls',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
  ')
  
@@ -112033,28 +112092,30 @@ index f03dcf5..f347621 100644
 -optional_policy(`
 -	dbus_read_lib_files(virt_domain)
 -')
--
--optional_policy(`
--	nscd_use(virt_domain)
--')
 +type virtd_lxc_t, virt_system_domain;
 +type virtd_lxc_exec_t, virt_file_type;
 +init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
  
 -optional_policy(`
--	samba_domtrans_smbd(virt_domain)
+-	nscd_use(virt_domain)
 -')
 +type virt_lxc_var_run_t, virt_file_type;
 +files_pid_file(virt_lxc_var_run_t)
 +typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
  
 -optional_policy(`
--	xen_rw_image_files(virt_domain)
+-	samba_domtrans_smbd(virt_domain)
 -')
 +# virt lxc container files
 +type svirt_sandbox_file_t alias svirt_lxc_file_t, svirt_file_type;
 +files_mountpoint(svirt_sandbox_file_t)
  
+-optional_policy(`
+-	xen_rw_image_files(virt_domain)
+-')
++type container_image_t;
++files_mountpoint(container_image_t)
+ 
  ########################################
  #
  # svirt local policy
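Review bot: `type container_image_t;` is declared without the attribute its neighbours carry (`virt_lxc_var_run_t, virt_file_type`, `svirt_sandbox_file_t ..., svirt_file_type`), so any interface in virt.if that operates on those attributes will skip the rkt image store. If that is intended, say so on the declaration, e.g. `# rkt image store (/var/lib/rkt/cas); deliberately not a virt_file_type`; if not, add the attribute so the type is administered like the other virt content. Also, `files_mountpoint(container_image_t)` is the only interface applied to it here, so whether the type is a plain file type in the rest of the policy depends on what that interface does, which is not visible in this hunk.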
@@ -112072,27 +112133,27 @@ index f03dcf5..f347621 100644
 -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
 -
 -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
--
--stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
 +allow svirt_t self:process ptrace;
  
--corenet_udp_sendrecv_generic_if(svirt_t)
--corenet_udp_sendrecv_generic_node(svirt_t)
--corenet_udp_sendrecv_all_ports(svirt_t)
--corenet_udp_bind_generic_node(svirt_t)
+-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
 +# it was a part of auth_use_nsswitch
 +allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
  
+ corenet_udp_sendrecv_generic_if(svirt_t)
+ corenet_udp_sendrecv_generic_node(svirt_t)
+ corenet_udp_sendrecv_all_ports(svirt_t)
+ corenet_udp_bind_generic_node(svirt_t)
+-
 -corenet_all_recvfrom_unlabeled(svirt_t)
 -corenet_all_recvfrom_netlabel(svirt_t)
 -corenet_tcp_sendrecv_generic_if(svirt_t)
- corenet_udp_sendrecv_generic_if(svirt_t)
+-corenet_udp_sendrecv_generic_if(svirt_t)
 -corenet_tcp_sendrecv_generic_node(svirt_t)
- corenet_udp_sendrecv_generic_node(svirt_t)
+-corenet_udp_sendrecv_generic_node(svirt_t)
 -corenet_tcp_sendrecv_all_ports(svirt_t)
- corenet_udp_sendrecv_all_ports(svirt_t)
+-corenet_udp_sendrecv_all_ports(svirt_t)
 -corenet_tcp_bind_generic_node(svirt_t)
- corenet_udp_bind_generic_node(svirt_t)
+-corenet_udp_bind_generic_node(svirt_t)
 -
 -corenet_sendrecv_all_server_packets(svirt_t)
  corenet_udp_bind_all_ports(svirt_t)
@@ -112188,7 +112249,7 @@ index f03dcf5..f347621 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +391,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +380,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
@@ -112235,7 +112296,7 @@ index f03dcf5..f347621 100644
  logging_log_filetrans(virtd_t, virt_log_t, { file dir })
  
  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,23 +426,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,23 +415,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -112266,7 +112327,7 @@ index f03dcf5..f347621 100644
  
  corecmd_exec_bin(virtd_t)
  corecmd_exec_shell(virtd_t)
-@@ -527,24 +447,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +436,16 @@ corecmd_exec_shell(virtd_t)
  corenet_all_recvfrom_netlabel(virtd_t)
  corenet_tcp_sendrecv_generic_if(virtd_t)
  corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -112294,7 +112355,7 @@ index f03dcf5..f347621 100644
  dev_rw_sysfs(virtd_t)
  dev_read_urand(virtd_t)
  dev_read_rand(virtd_t)
-@@ -555,20 +467,26 @@ dev_rw_vhost(virtd_t)
+@@ -555,20 +456,26 @@ dev_rw_vhost(virtd_t)
  dev_setattr_generic_usb_dev(virtd_t)
  dev_relabel_generic_usb_dev(virtd_t)
  
@@ -112325,7 +112386,7 @@ index f03dcf5..f347621 100644
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_all_fs(virtd_t)
  fs_rw_anon_inodefs_files(virtd_t)
-@@ -601,15 +519,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +508,18 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -112345,7 +112406,7 @@ index f03dcf5..f347621 100644
  
  selinux_validate_context(virtd_t)
  
-@@ -620,18 +541,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +530,26 @@ seutil_read_file_contexts(virtd_t)
  sysnet_signull_ifconfig(virtd_t)
  sysnet_signal_ifconfig(virtd_t)
  sysnet_domtrans_ifconfig(virtd_t)
@@ -112382,7 +112443,7 @@ index f03dcf5..f347621 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -640,7 +569,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -640,7 +558,7 @@ tunable_policy(`virt_use_nfs',`
  ')
  
  tunable_policy(`virt_use_samba',`
@@ -112391,7 +112452,7 @@ index f03dcf5..f347621 100644
  	fs_manage_cifs_files(virtd_t)
  	fs_read_cifs_symlinks(virtd_t)
  ')
-@@ -665,20 +594,12 @@ optional_policy(`
+@@ -665,20 +583,12 @@ optional_policy(`
  	')
  
  	optional_policy(`
@@ -112412,7 +112473,7 @@ index f03dcf5..f347621 100644
  ')
  
  optional_policy(`
-@@ -691,20 +612,26 @@ optional_policy(`
+@@ -691,20 +601,26 @@ optional_policy(`
  	dnsmasq_kill(virtd_t)
  	dnsmasq_signull(virtd_t)
  	dnsmasq_create_pid_dirs(virtd_t)
@@ -112423,12 +112484,11 @@ index f03dcf5..f347621 100644
  ')
  
  optional_policy(`
--	iptables_domtrans(virtd_t)
 +	firewalld_dbus_chat(virtd_t)
 +')
 +
 +optional_policy(`
-+	iptables_domtrans(virtd_t)
+ 	iptables_domtrans(virtd_t)
  	iptables_initrc_domtrans(virtd_t)
 +	iptables_systemctl(virtd_t)
 +
@@ -112444,7 +112504,7 @@ index f03dcf5..f347621 100644
  ')
  
  optional_policy(`
-@@ -712,11 +639,18 @@ optional_policy(`
+@@ -712,11 +628,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -112463,26 +112523,24 @@ index f03dcf5..f347621 100644
  	policykit_domtrans_auth(virtd_t)
  	policykit_domtrans_resolve(virtd_t)
  	policykit_read_lib(virtd_t)
-@@ -727,10 +661,18 @@ optional_policy(`
+@@ -727,7 +650,15 @@ optional_policy(`
  ')
  
  optional_policy(`
+-	sasl_connect(virtd_t)
 +	sanlock_stream_connect(virtd_t)
 +')
 +
 +optional_policy(`
- 	sasl_connect(virtd_t)
- ')
- 
- optional_policy(`
-+	setrans_manage_pid_files(virtd_t)
++	sasl_connect(virtd_t)
 +')
 +
 +optional_policy(`
- 	kernel_read_xen_state(virtd_t)
- 	kernel_write_xen_state(virtd_t)
++	setrans_manage_pid_files(virtd_t)
+ ')
  
-@@ -746,44 +688,278 @@ optional_policy(`
+ optional_policy(`
+@@ -746,44 +677,278 @@ optional_policy(`
  	udev_read_pid_files(virtd_t)
  ')
  
@@ -112520,7 +112578,13 @@ index f03dcf5..f347621 100644
 -manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
 +kernel_read_net_sysctls(virt_domain)
 +kernel_read_network_state(virt_domain)
-+
+ 
+-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 +userdom_search_user_home_content(virt_domain)
 +userdom_read_user_home_content_symlinks(virt_domain)
 +userdom_read_all_users_state(virt_domain)
@@ -112530,17 +112594,15 @@ index f03dcf5..f347621 100644
 +manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
 +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
 +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
-+
+ 
+-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
 +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
 +files_var_filetrans(virt_domain, virt_cache_t, { file dir })
  
--manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
 +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
 +
 +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@@ -112573,18 +112635,14 @@ index f03dcf5..f347621 100644
 +
 +dontaudit virtd_t virt_domain:process  { siginh noatsecure rlimitinh };
  
--manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-allow virsh_t svirt_lxc_domain:process transition;
 +dontaudit virt_domain virt_tmpfs_type:file { read write };
  
--dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+-can_exec(virsh_t, virsh_exec_t)
 +append_files_pattern(virt_domain, virt_log_t, virt_log_t)
- 
--allow virsh_t svirt_lxc_domain:process transition;
++
 +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
- 
--can_exec(virsh_t, virsh_exec_t)
++
 +corecmd_exec_bin(virt_domain)
 +corecmd_exec_shell(virt_domain)
 +
@@ -112638,7 +112696,7 @@ index f03dcf5..f347621 100644
 +term_getattr_pty_fs(virt_domain)
 +term_use_generic_ptys(virt_domain)
 +term_use_ptmx(virt_domain)
-+
+ 
 +tunable_policy(`virt_use_execmem',`
 +	allow virt_domain self:process { execmem execstack };
 +')
@@ -112664,7 +112722,7 @@ index f03dcf5..f347621 100644
 +	sssd_dontaudit_read_lib(virt_domain)
 +	sssd_dontaudit_read_public_files(virt_domain)
 +')
- 
++
 +optional_policy(`
 +	virt_read_config(virt_domain)
 +	virt_read_lib_files(virt_domain)
@@ -112783,7 +112841,7 @@ index f03dcf5..f347621 100644
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +970,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +959,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -112810,7 +112868,7 @@ index f03dcf5..f347621 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +990,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +979,25 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -112844,7 +112902,7 @@ index f03dcf5..f347621 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1027,20 @@ optional_policy(`
+@@ -856,14 +1016,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -112866,7 +112924,7 @@ index f03dcf5..f347621 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -888,49 +1065,65 @@ optional_policy(`
+@@ -888,49 +1054,65 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -112950,7 +113008,7 @@ index f03dcf5..f347621 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1135,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1124,16 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -112970,7 +113028,7 @@ index f03dcf5..f347621 100644
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1156,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1145,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -112994,7 +113052,7 @@ index f03dcf5..f347621 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1181,343 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1170,352 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -113010,21 +113068,21 @@ index f03dcf5..f347621 100644
 +optional_policy(`
 +	dbus_system_bus_client(virtd_lxc_t)
 +	init_dbus_chat(virtd_lxc_t)
-+
+ 
+-miscfiles_read_localization(virtd_lxc_t)
 +	optional_policy(`
 +		hal_dbus_chat(virtd_lxc_t)
 +	')
 +')
  
--miscfiles_read_localization(virtd_lxc_t)
-+optional_policy(`
-+    docker_exec_lib(virtd_lxc_t)
-+')
- 
 -seutil_domtrans_setfiles(virtd_lxc_t)
 -seutil_read_config(virtd_lxc_t)
 -seutil_read_default_contexts(virtd_lxc_t)
 +optional_policy(`
++    docker_exec_lib(virtd_lxc_t)
++')
++
++optional_policy(`
 +	gnome_read_generic_cache_files(virtd_lxc_t)
 +')
 +
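Review bot: The added `    docker_exec_lib(virtd_lxc_t)` is indented with four spaces while every other optional_policy body in this file uses a tab (`	gnome_read_generic_cache_files(virtd_lxc_t)` immediately below); use a tab so the block matches the file. The fusefs and docker_read_share_files lines further down in this file have the same space indentation, but those are pre-existing text rolled into this commit rather than new lines.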
@@ -113079,21 +113137,30 @@ index f03dcf5..f347621 100644
 +manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
 +manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
 +allow svirt_sandbox_domain svirt_sandbox_file_t:file { execmod relabelfrom relabelto };
++allow svirt_sandbox_domain svirt_sandbox_file_t:dir { execmod relabelfrom relabelto };
++virt_mounton_sandbox_file(svirt_sandbox_domain)
++
++list_dirs_pattern(svirt_sandbox_domain, container_image_t, container_image_t)
++read_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t)
++read_lnk_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t)
++allow svirt_sandbox_domain container_image_t:file execmod;
++can_exec(svirt_sandbox_domain, container_image_t)
 +
 +allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr;
 +rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
 +can_exec(svirt_sandbox_domain, svirt_sandbox_file_t)
 +allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton;
-+allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr;
++allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem { getattr remount };
 +
 +kernel_getattr_proc(svirt_sandbox_domain)
 +kernel_list_all_proc(svirt_sandbox_domain)
 +kernel_read_all_sysctls(svirt_sandbox_domain)
-+kernel_read_net_sysctls(svirt_sandbox_domain)
++kernel_rw_net_sysctls(svirt_sandbox_domain)
 +kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
 +kernel_dontaudit_access_check_proc(svirt_sandbox_domain)
 +kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain)
 +kernel_dontaudit_setattr_proc_dirs(svirt_sandbox_domain)
++kernel_dontaudit_write_usermodehelper_state(svirt_sandbox_domain)
 +
 +corecmd_exec_all_executables(svirt_sandbox_domain)
 +
@@ -113149,11 +113216,6 @@ index f03dcf5..f347621 100644
 +userdom_use_inherited_user_terminals(svirt_sandbox_domain)
 +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
 +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
-+
-+optional_policy(`
-+	apache_exec_modules(svirt_sandbox_domain)
-+	apache_read_sys_content(svirt_sandbox_domain)
-+')
  
 -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
 -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -113238,23 +113300,30 @@ index f03dcf5..f347621 100644
 -
 -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +optional_policy(`
-+	gear_read_pid_files(svirt_sandbox_domain)
++	apache_exec_modules(svirt_sandbox_domain)
++	apache_read_sys_content(svirt_sandbox_domain)
 +')
 +
 +optional_policy(`
-+	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++	gear_read_pid_files(svirt_sandbox_domain)
 +')
-+
-+optional_policy(`
+ 
+ optional_policy(`
+-	udev_read_pid_files(svirt_lxc_domain)
++	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+ ')
+ 
+ optional_policy(`
+-	apache_exec_modules(svirt_lxc_domain)
+-	apache_read_sys_content(svirt_lxc_domain)
 +	ssh_use_ptys(svirt_sandbox_domain)
 +')
 +
 +optional_policy(`
 +	udev_read_pid_files(svirt_sandbox_domain)
 +')
- 
- optional_policy(`
--	udev_read_pid_files(svirt_lxc_domain)
++
++optional_policy(`
 +	userhelper_dontaudit_write_config(svirt_sandbox_domain)
 +')
 +
@@ -113276,11 +113345,9 @@ index f03dcf5..f347621 100644
 +    fs_manage_fusefs_dirs(svirt_sandbox_domain)
 +    fs_manage_fusefs_files(svirt_sandbox_domain)
 +    fs_manage_fusefs_symlinks(svirt_sandbox_domain)
- ')
- 
- optional_policy(`
--	apache_exec_modules(svirt_lxc_domain)
--	apache_read_sys_content(svirt_lxc_domain)
++')
++
++optional_policy(`
 +    docker_read_share_files(svirt_sandbox_domain)
 +    docker_exec_share_files(svirt_sandbox_domain)
 +    docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
@@ -113444,15 +113511,15 @@ index f03dcf5..f347621 100644
 +dev_read_urand(svirt_qemu_net_t)
 +
 +files_read_kernel_modules(svirt_qemu_net_t)
- 
--allow svirt_prot_exec_t self:process { execmem execstack };
++
 +fs_noxattr_type(svirt_sandbox_file_t)
 +fs_mount_cgroup(svirt_qemu_net_t)
 +fs_manage_cgroup_dirs(svirt_qemu_net_t)
 +fs_manage_cgroup_files(svirt_qemu_net_t)
 +
 +term_pty(svirt_sandbox_file_t)
-+
+ 
+-allow svirt_prot_exec_t self:process { execmem execstack };
 +auth_use_nsswitch(svirt_qemu_net_t)
 +
 +rpm_read_db(svirt_qemu_net_t)
@@ -113479,7 +113546,7 @@ index f03dcf5..f347621 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1174,12 +1530,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1528,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -113494,7 +113561,7 @@ index f03dcf5..f347621 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1192,7 +1548,7 @@ optional_policy(`
+@@ -1192,7 +1546,7 @@ optional_policy(`
  
  ########################################
  #
@@ -113503,7 +113570,7 @@ index f03dcf5..f347621 100644
  #
  
  allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1557,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1555,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
  allow virt_bridgehelper_t self:tun_socket create_socket_perms;
  allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1c1d049..bf9efb2 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 178%{?dist}
+Release: 179%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -670,6 +670,29 @@ exit 0
 %endif
 
 %changelog
+* Wed Mar 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-179
+- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.
+- Revert "Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content."
+- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content.
+- Allow pcp_pmie and pcp_pmlogger to read all domains state.
+- Make fwupd domain unconfined. We need to discuss solution related to using gpg. rhbz#1316717
+- Merge pull request #108 from rhatdan/rkt
+- Merge pull request #109 from rhatdan/virt_sandbox
+- Add new interface to define virt_sandbox_network domains
+- Label /etc/redis-sentinel.conf as redis_conf_t. Allow redis_t write to redis_conf_t. Allow redis_t to connect on redis tcp port.
+- Fix typo in drbd policy
+- Remove declaration of empty booleans in virt policy.
+- Add new drbd file type: drbd_var_run_t. Allow drbd_t to manage drbd_var_run_t files/dirs.
+- Label /etc/ctdb/events.d/* as ctdb_exec_t. Allow ctdbd_t to setattr on ctdbd_exec_t files.
+- Additional rules to make rkt work in enforcing mode
+- Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020
+- Allow ipsec to use pam. rhbz#1317988
+- Allow systemd-gpt-generator to read fixed_disk_device_t. rhbz#1314968
+- Allow setrans daemon to read /proc/meminfo.
+- Merge pull request #107 from rhatdan/rkt-base
+- Allow systemd_notify_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used.
+- Remove bin_t label for /etc/ctdb/events.d/. We need to label this scripts as ctdb_exec_t.
+
 * Thu Mar 10 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-178
 - Label tcp port 5355 as llmnr-> Link-Local Multicast Name Resolution
 - Add support systemd-resolved.