diff --git a/container-selinux.tgz b/container-selinux.tgz
index b681098..3b80c6c 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 08f8a56..a08c614 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -17543,7 +17543,7 @@ index d7c11a0b3..f521a50f8 100644
  /var/run/shm/.*			<<none>>
 -')
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb43..1cc0d9ad9 100644
+index 8416beb43..a7af809a0 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -577,6 +577,24 @@ interface(`fs_mount_cgroup', `
@@ -18307,7 +18307,7 @@ index 8416beb43..1cc0d9ad9 100644
  ##	Read files on a DOS filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -1793,137 +2162,336 @@ interface(`fs_read_eventpollfs',`
+@@ -1793,161 +2162,986 @@ interface(`fs_read_eventpollfs',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
  
@@ -18679,14 +18679,17 @@ index 8416beb43..1cc0d9ad9 100644
 +	')
 +
 +	dontaudit $1 fusefs_t:dir manage_dir_perms;
- ')
- 
- ########################################
-@@ -1935,19 +2503,645 @@ interface(`fs_dontaudit_manage_fusefs_dirs',`
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
++')
++
++########################################
++## <summary>
++##	Read, a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +## <rolecap/>
 +#
 +interface(`fs_read_fusefs_files',`
@@ -19301,18 +19304,20 @@ index 8416beb43..1cc0d9ad9 100644
 +	')
 +
 +	allow $1 iso9660_t:filesystem remount;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read, a FUSEFS filesystem.
 +##	Unmount an iso9660 filesystem, which
 +##	is usually used on CDs.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
  #
 -interface(`fs_read_fusefs_files',`
 +interface(`fs_unmount_iso9660_fs',`
@@ -19860,44 +19865,38 @@ index 8416beb43..1cc0d9ad9 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	read_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2518,73 +3731,148 @@ interface(`fs_dontaudit_read_nfs_files',`
- ##	</summary>
- ## </param>
- #
--interface(`fs_write_nfs_files',`
-+interface(`fs_write_nfs_files',`
-+	gen_require(`
-+		type nfs_t;
-+	')
-+
+@@ -2523,6 +3736,7 @@ interface(`fs_write_nfs_files',`
+ 		type nfs_t;
+ 	')
+ 
 +	fs_search_auto_mountpoints($1)
-+	allow $1 nfs_t:dir list_dir_perms;
-+	write_files_pattern($1, nfs_t, nfs_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Execute files on a NFS filesystem.
+ 	allow $1 nfs_t:dir list_dir_perms;
+ 	write_files_pattern($1, nfs_t, nfs_t)
+ ')
+@@ -2549,6 +3763,44 @@ interface(`fs_exec_nfs_files',`
+ 
+ ########################################
+ ## <summary>
++##	Make general progams in nfs an entrypoint for
++##	the specified domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	The domain for which nfs_t is an entrypoint.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
-+interface(`fs_exec_nfs_files',`
++interface(`fs_nfs_entry_type',`
 +	gen_require(`
 +		type nfs_t;
 +	')
 +
-+	allow $1 nfs_t:dir list_dir_perms;
-+	exec_files_pattern($1, nfs_t, nfs_t)
++	domain_entry_file($1, nfs_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Make general progams in nfs an entrypoint for
++##	Make general progams in NFS an entrypoint for
 +##	the specified domain.
 +## </summary>
 +## <param name="domain">
@@ -19906,94 +19905,62 @@ index 8416beb43..1cc0d9ad9 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_nfs_entry_type',`
++interface(`fs_nfs_entrypoint',`
 +	gen_require(`
 +		type nfs_t;
 +	')
 +
-+	domain_entry_file($1, nfs_t)
++    allow $1 nfs_t:file entrypoint;
 +')
 +
 +########################################
 +## <summary>
-+##	Make general progams in NFS an entrypoint for
-+##	the specified domain.
+ ##	Append files
+ ##	on a NFS filesystem.
+ ## </summary>
+@@ -2559,32 +3811,68 @@ interface(`fs_exec_nfs_files',`
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`fs_append_nfs_files',`
++interface(`fs_append_nfs_files',`
++	gen_require(`
++		type nfs_t;
++	')
++
++	append_files_pattern($1, nfs_t, nfs_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to append files
++##	on a NFS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	The domain for which nfs_t is an entrypoint.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
++## <rolecap/>
 +#
-+interface(`fs_nfs_entrypoint',`
++interface(`fs_dontaudit_append_nfs_files',`
 +	gen_require(`
 +		type nfs_t;
 +	')
 +
-+    allow $1 nfs_t:file entrypoint;
++	dontaudit $1 nfs_t:file append_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Append files
-+##	on a NFS filesystem.
++##	Read inherited files on a NFS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
-+interface(`fs_append_nfs_files',`
- 	gen_require(`
- 		type nfs_t;
- 	')
- 
--	allow $1 nfs_t:dir list_dir_perms;
--	write_files_pattern($1, nfs_t, nfs_t)
-+	append_files_pattern($1, nfs_t, nfs_t)
- ')
- 
- ########################################
- ## <summary>
--##	Execute files on a NFS filesystem.
-+##	Do not audit attempts to append files
-+##	on a NFS filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- ## <rolecap/>
- #
--interface(`fs_exec_nfs_files',`
-+interface(`fs_dontaudit_append_nfs_files',`
- 	gen_require(`
- 		type nfs_t;
- 	')
- 
--	allow $1 nfs_t:dir list_dir_perms;
--	exec_files_pattern($1, nfs_t, nfs_t)
-+	dontaudit $1 nfs_t:file append_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Append files
--##	on a NFS filesystem.
-+##	Read inherited files on a NFS filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`fs_append_nfs_files',`
 +interface(`fs_read_inherited_nfs_files',`
  	gen_require(`
  		type nfs_t;
@@ -20121,7 +20088,33 @@ index 8416beb43..1cc0d9ad9 100644
  ##	</summary>
  ## </param>
  #
-@@ -2777,7 +4124,7 @@ interface(`fs_read_removable_files',`
+@@ -2771,13 +4118,33 @@ interface(`fs_read_removable_files',`
+ 	read_files_pattern($1, removable_t, removable_t)
+ ')
+ 
++
++########################################
++## <summary>
++##	mmap files on a removable files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_mmap_removable_files',`
++	gen_require(`
++		type removable_t;
++	')
++
++	allow $1 removable_t:file map;
++')
++
+ ########################################
+ ## <summary>
+ ##	Do not audit attempts to read removable storage files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
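Review bot: The summary of the new `fs_mmap_removable_files` interface reads "mmap files on a removable files.", which is garbled and does not say what is granted; `##	Memory-map files on removable storage.` would match the wording of the neighbouring "read removable storage files" interface. The body grants only `map` on `removable_t:file`, so it is useful only to a domain that already has read access (for example through `fs_read_removable_files`), and the doc comment should say so. The `<rolecap/>` tag looks carried over from a neighbouring interface, so confirm it is intended for a map-only grant on removable media. The hunk also introduces two consecutive blank lines before the `####` separator.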
@@ -20130,7 +20123,7 @@ index 8416beb43..1cc0d9ad9 100644
  ##	</summary>
  ## </param>
  #
-@@ -2970,6 +4317,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +4337,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -20138,7 +20131,7 @@ index 8416beb43..1cc0d9ad9 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -3010,11 +4358,31 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,11 +4378,31 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -20170,7 +20163,7 @@ index 8416beb43..1cc0d9ad9 100644
  ##	Do not audit attempts to create,
  ##	read, write, and delete files
  ##	on a NFS filesystem.
-@@ -3050,6 +4418,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3050,6 +4438,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -20178,7 +20171,7 @@ index 8416beb43..1cc0d9ad9 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3137,6 +4506,24 @@ interface(`fs_nfs_domtrans',`
+@@ -3137,6 +4526,24 @@ interface(`fs_nfs_domtrans',`
  
  ########################################
  ## <summary>
@@ -20203,7 +20196,7 @@ index 8416beb43..1cc0d9ad9 100644
  ##	Mount a NFS server pseudo filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3239,15 +4626,198 @@ interface(`fs_search_nfsd_fs',`
+@@ -3239,15 +4646,198 @@ interface(`fs_search_nfsd_fs',`
  #
  interface(`fs_list_nfsd_fs',`
  	gen_require(`
@@ -20405,7 +20398,7 @@ index 8416beb43..1cc0d9ad9 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3255,35 +4825,35 @@ interface(`fs_list_nfsd_fs',`
+@@ -3255,35 +4845,35 @@ interface(`fs_list_nfsd_fs',`
  ##	</summary>
  ## </param>
  #
@@ -20450,7 +20443,7 @@ index 8416beb43..1cc0d9ad9 100644
  ## </summary>
  ## <param name="type">
  ##	<summary>
-@@ -3291,12 +4861,12 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3291,12 +4881,12 @@ interface(`fs_rw_nfsd_fs',`
  ##	</summary>
  ## </param>
  #
@@ -20466,7 +20459,7 @@ index 8416beb43..1cc0d9ad9 100644
  ')
  
  ########################################
-@@ -3392,7 +4962,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +4982,7 @@ interface(`fs_search_ramfs',`
  
  ########################################
  ## <summary>
@@ -20475,7 +20468,7 @@ index 8416beb43..1cc0d9ad9 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3429,7 +4999,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +5019,7 @@ interface(`fs_manage_ramfs_dirs',`
  
  ########################################
  ## <summary>
@@ -20484,7 +20477,7 @@ index 8416beb43..1cc0d9ad9 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3447,7 +5017,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +5037,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
  
  ########################################
  ## <summary>
@@ -20493,7 +20486,7 @@ index 8416beb43..1cc0d9ad9 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3779,6 +5349,24 @@ interface(`fs_mount_tmpfs',`
+@@ -3779,6 +5369,24 @@ interface(`fs_mount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -20518,7 +20511,7 @@ index 8416beb43..1cc0d9ad9 100644
  ##	Remount a tmpfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3815,6 +5403,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +5423,24 @@ interface(`fs_unmount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -20543,7 +20536,7 @@ index 8416beb43..1cc0d9ad9 100644
  ##	Get the attributes of a tmpfs
  ##	filesystem.
  ## </summary>
-@@ -3908,7 +5514,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3908,7 +5534,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
  
  ########################################
  ## <summary>
@@ -20552,7 +20545,7 @@ index 8416beb43..1cc0d9ad9 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3916,17 +5522,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,17 +5542,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -20573,7 +20566,7 @@ index 8416beb43..1cc0d9ad9 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3934,17 +5540,17 @@ interface(`fs_mounton_tmpfs',`
+@@ -3934,17 +5560,17 @@ interface(`fs_mounton_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -20594,7 +20587,7 @@ index 8416beb43..1cc0d9ad9 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3952,17 +5558,36 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +5578,36 @@ interface(`fs_setattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -20634,7 +20627,7 @@ index 8416beb43..1cc0d9ad9 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3970,31 +5595,48 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +5615,48 @@ interface(`fs_search_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -20690,7 +20683,7 @@ index 8416beb43..1cc0d9ad9 100644
  ')
  
  ########################################
-@@ -4057,23 +5699,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
+@@ -4057,23 +5719,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
  ## </param>
  ## <param name="name" optional="true">
  ##	<summary>
@@ -20867,7 +20860,7 @@ index 8416beb43..1cc0d9ad9 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4081,18 +5870,18 @@ interface(`fs_tmpfs_filetrans',`
+@@ -4081,18 +5890,18 @@ interface(`fs_tmpfs_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -20890,7 +20883,7 @@ index 8416beb43..1cc0d9ad9 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4100,54 +5889,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
+@@ -4100,54 +5909,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -20957,7 +20950,7 @@ index 8416beb43..1cc0d9ad9 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4155,17 +5943,18 @@ interface(`fs_read_tmpfs_files',`
+@@ -4155,17 +5963,18 @@ interface(`fs_read_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -20979,7 +20972,7 @@ index 8416beb43..1cc0d9ad9 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4173,17 +5962,18 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4173,17 +5982,18 @@ interface(`fs_rw_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -21001,7 +20994,7 @@ index 8416beb43..1cc0d9ad9 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4191,37 +5981,36 @@ interface(`fs_read_tmpfs_symlinks',`
+@@ -4191,37 +6001,36 @@ interface(`fs_read_tmpfs_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -21047,7 +21040,7 @@ index 8416beb43..1cc0d9ad9 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4229,18 +6018,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4229,18 +6038,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  ##	</summary>
  ## </param>
  #
@@ -21069,7 +21062,7 @@ index 8416beb43..1cc0d9ad9 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4248,18 +6037,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
+@@ -4248,18 +6057,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
  ##	</summary>
  ## </param>
  #
@@ -21093,7 +21086,7 @@ index 8416beb43..1cc0d9ad9 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4267,32 +6057,31 @@ interface(`fs_rw_tmpfs_blk_files',`
+@@ -4267,32 +6077,31 @@ interface(`fs_rw_tmpfs_blk_files',`
  ##	</summary>
  ## </param>
  #
@@ -21132,7 +21125,7 @@ index 8416beb43..1cc0d9ad9 100644
  ')
  
  ########################################
-@@ -4407,6 +6196,25 @@ interface(`fs_search_xenfs',`
+@@ -4407,6 +6216,25 @@ interface(`fs_search_xenfs',`
  	allow $1 xenfs_t:dir search_dir_perms;
  ')
  
@@ -21158,7 +21151,7 @@ index 8416beb43..1cc0d9ad9 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete directories
-@@ -4503,6 +6311,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +6331,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -21167,7 +21160,7 @@ index 8416beb43..1cc0d9ad9 100644
  ')
  
  ########################################
-@@ -4549,7 +6359,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +6379,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -21176,7 +21169,7 @@ index 8416beb43..1cc0d9ad9 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4596,6 +6406,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +6426,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
  
  ########################################
  ## <summary>
@@ -21203,7 +21196,7 @@ index 8416beb43..1cc0d9ad9 100644
  ##	Get the quotas of all filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4671,6 +6501,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +6521,25 @@ interface(`fs_getattr_all_dirs',`
  
  ########################################
  ## <summary>
@@ -21229,7 +21222,7 @@ index 8416beb43..1cc0d9ad9 100644
  ##	Search all directories with a filesystem type.
  ## </summary>
  ## <param name="domain">
-@@ -4912,3 +6761,176 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6781,176 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -34661,7 +34654,7 @@ index 247958765..890e1e293 100644
  /var/(db|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
  /var/lib/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b669..a8cb6df3d 100644
+index 3efd5b669..2ce58d86d 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -34883,7 +34876,15 @@ index 3efd5b669..a8cb6df3d 100644
  ##	Manage authentication cache
  ## </summary>
  ## <param name="domain">
-@@ -402,6 +459,8 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -337,6 +394,7 @@ interface(`auth_manage_cache',`
+ 
+ 	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
+ 	manage_files_pattern($1, auth_cache_t, auth_cache_t)
++    allow $1 auth_cache_t:file map;
+ ')
+ 
+ #######################################
+@@ -402,6 +460,8 @@ interface(`auth_domtrans_chk_passwd',`
  	optional_policy(`
  		samba_stream_connect_winbind($1)
  	')
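Review bot: Adding `allow $1 auth_cache_t:file map;` inside `auth_manage_cache` hands the map permission to every caller of that interface rather than only to the domain that triggered the denial, and the summary still says just "Manage authentication cache". If only some callers mmap the cache, a separate map interface would keep the grant narrower; otherwise extend the summary to mention mapping. The new line is indented with four spaces where the surrounding rules use a tab. The same bare `allow … :file map;` addition, with no comment on what needs it, recurs in this commit for `login_pgm` in authlogin.te, `httpd_squirrelmail_t` in apache.te and `dspam_rw_content_t` in dspam.te. The interface body starts outside this hunk, so any other rules it contains are not visible here.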
@@ -34892,7 +34893,7 @@ index 3efd5b669..a8cb6df3d 100644
  ')
  
  ########################################
-@@ -428,6 +487,24 @@ interface(`auth_domtrans_chkpwd',`
+@@ -428,6 +488,24 @@ interface(`auth_domtrans_chkpwd',`
  
  ########################################
  ## <summary>
@@ -34917,7 +34918,7 @@ index 3efd5b669..a8cb6df3d 100644
  ##	Execute chkpwd programs in the chkpwd domain.
  ## </summary>
  ## <param name="domain">
-@@ -448,6 +525,25 @@ interface(`auth_run_chk_passwd',`
+@@ -448,6 +526,25 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -34943,7 +34944,7 @@ index 3efd5b669..a8cb6df3d 100644
  ')
  
  ########################################
-@@ -467,7 +563,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +564,6 @@ interface(`auth_domtrans_upd_passwd',`
  
  	domtrans_pattern($1, updpwd_exec_t, updpwd_t)
  	auth_dontaudit_read_shadow($1)
@@ -34951,7 +34952,7 @@ index 3efd5b669..a8cb6df3d 100644
  ')
  
  ########################################
-@@ -534,6 +629,24 @@ interface(`auth_dontaudit_getattr_shadow',`
+@@ -534,6 +630,24 @@ interface(`auth_dontaudit_getattr_shadow',`
  
  ########################################
  ## <summary>
@@ -34976,7 +34977,7 @@ index 3efd5b669..a8cb6df3d 100644
  ##	Read the shadow passwords file (/etc/shadow)
  ## </summary>
  ## <param name="domain">
-@@ -664,6 +777,11 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +778,11 @@ interface(`auth_manage_shadow',`
  
  	allow $1 shadow_t:file manage_file_perms;
  	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -34988,7 +34989,7 @@ index 3efd5b669..a8cb6df3d 100644
  ')
  
  #######################################
-@@ -763,7 +881,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +882,50 @@ interface(`auth_rw_faillog',`
  	')
  
  	logging_search_logs($1)
@@ -35040,7 +35041,7 @@ index 3efd5b669..a8cb6df3d 100644
  ')
  
  #######################################
-@@ -824,9 +985,29 @@ interface(`auth_rw_lastlog',`
+@@ -824,9 +986,29 @@ interface(`auth_rw_lastlog',`
  	allow $1 lastlog_t:file { rw_file_perms lock setattr };
  ')
  
@@ -35071,7 +35072,7 @@ index 3efd5b669..a8cb6df3d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -834,12 +1015,27 @@ interface(`auth_rw_lastlog',`
+@@ -834,12 +1016,27 @@ interface(`auth_rw_lastlog',`
  ##	</summary>
  ## </param>
  #
@@ -35102,7 +35103,7 @@ index 3efd5b669..a8cb6df3d 100644
  ')
  
  ########################################
-@@ -854,15 +1050,15 @@ interface(`auth_domtrans_pam',`
+@@ -854,15 +1051,15 @@ interface(`auth_domtrans_pam',`
  #
  interface(`auth_signal_pam',`
  	gen_require(`
@@ -35121,7 +35122,7 @@ index 3efd5b669..a8cb6df3d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -875,13 +1071,33 @@ interface(`auth_signal_pam',`
+@@ -875,13 +1072,33 @@ interface(`auth_signal_pam',`
  ##	</summary>
  ## </param>
  #
@@ -35159,7 +35160,7 @@ index 3efd5b669..a8cb6df3d 100644
  ')
  
  ########################################
-@@ -959,9 +1175,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1176,30 @@ interface(`auth_manage_var_auth',`
  	')
  
  	files_search_var($1)
@@ -35193,7 +35194,7 @@ index 3efd5b669..a8cb6df3d 100644
  ')
  
  ########################################
-@@ -1040,6 +1277,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1278,10 @@ interface(`auth_manage_pam_pid',`
  	files_search_pids($1)
  	allow $1 pam_var_run_t:dir manage_dir_perms;
  	allow $1 pam_var_run_t:file manage_file_perms;
@@ -35204,7 +35205,7 @@ index 3efd5b669..a8cb6df3d 100644
  ')
  
  ########################################
-@@ -1176,6 +1417,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1176,6 +1418,7 @@ interface(`auth_manage_pam_console_data',`
  	files_search_pids($1)
  	manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
  	manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -35212,7 +35213,7 @@ index 3efd5b669..a8cb6df3d 100644
  ')
  
  #######################################
-@@ -1576,6 +1818,25 @@ interface(`auth_setattr_login_records',`
+@@ -1576,6 +1819,25 @@ interface(`auth_setattr_login_records',`
  
  ########################################
  ## <summary>
@@ -35238,7 +35239,7 @@ index 3efd5b669..a8cb6df3d 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1726,24 +1987,63 @@ interface(`auth_manage_login_records',`
+@@ -1726,24 +1988,63 @@ interface(`auth_manage_login_records',`
  
  	logging_rw_generic_log_dirs($1)
  	allow $1 wtmp_t:file manage_file_perms;
@@ -35306,7 +35307,7 @@ index 3efd5b669..a8cb6df3d 100644
  ')
  
  ########################################
-@@ -1767,11 +2067,13 @@ interface(`auth_relabel_login_records',`
+@@ -1767,11 +2068,13 @@ interface(`auth_relabel_login_records',`
  ## <infoflow type="both" weight="10"/>
  #
  interface(`auth_use_nsswitch',`
@@ -35323,7 +35324,7 @@ index 3efd5b669..a8cb6df3d 100644
  ')
  
  ########################################
-@@ -1805,3 +2107,298 @@ interface(`auth_unconfined',`
+@@ -1805,3 +2108,298 @@ interface(`auth_unconfined',`
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -35623,7 +35624,7 @@ index 3efd5b669..a8cb6df3d 100644
 +	allow $1 login_pgm:key manage_key_perms;
 +')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791dcc..c6721f846 100644
+index 09b791dcc..03feb4c8d 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@@ -35982,7 +35983,7 @@ index 09b791dcc..c6721f846 100644
  optional_policy(`
  	kerberos_use(nsswitch_domain)
  ')
-@@ -456,10 +525,163 @@ optional_policy(`
+@@ -456,10 +525,164 @@ optional_policy(`
  
  optional_policy(`
  	sssd_stream_connect(nsswitch_domain)
@@ -36037,6 +36038,7 @@ index 09b791dcc..c6721f846 100644
 +manage_files_pattern(login_pgm, auth_cache_t, auth_cache_t)
 +manage_sock_files_pattern(login_pgm, auth_cache_t, auth_cache_t)
 +files_var_filetrans(login_pgm, auth_cache_t, dir, "coolkey")
++allow login_pgm auth_cache_t:file map;
 +
 +manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t)
 +manage_files_pattern(login_pgm, auth_home_t, auth_home_t)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index c0fc473..aa773fb 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -5635,7 +5635,7 @@ index f6eb4851f..3628a384f 100644
 +    allow $1 httpd_t:process { noatsecure };
  ')
 diff --git a/apache.te b/apache.te
-index 6649962b6..b7ac74501 100644
+index 6649962b6..1df48fb13 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@@ -6323,7 +6323,7 @@ index 6649962b6..b7ac74501 100644
  logging_log_filetrans(httpd_t, httpd_log_t, file)
  
  allow httpd_t httpd_modules_t:dir list_dir_perms;
-@@ -412,13 +524,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+@@ -412,13 +524,22 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  
@@ -6334,11 +6334,12 @@ index 6649962b6..b7ac74501 100644
  manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
  manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
  manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
- 
--allow httpd_t httpd_suexec_exec_t:file read_file_perms;
++allow httpd_t httpd_squirrelmail_t:file map;
++
 +allow httpd_t httpd_suexec_t:process { signal signull };
 +allow httpd_t httpd_suexec_t:file read_file_perms;
-+
+ 
+-allow httpd_t httpd_suexec_exec_t:file read_file_perms;
 +allow httpd_t httpd_sys_content_t:dir list_dir_perms;
 +read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
 +read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
@@ -6346,7 +6347,7 @@ index 6649962b6..b7ac74501 100644
  
  allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
-@@ -428,6 +548,7 @@ manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+@@ -428,6 +549,7 @@ manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
  manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
  files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
  userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir)
@@ -6354,7 +6355,7 @@ index 6649962b6..b7ac74501 100644
  
  manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -438,6 +559,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi
+@@ -438,6 +560,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi
  
  manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
  manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
@@ -6362,7 +6363,7 @@ index 6649962b6..b7ac74501 100644
  files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
  
  setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -450,140 +572,179 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -450,140 +573,179 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  
@@ -6606,7 +6607,7 @@ index 6649962b6..b7ac74501 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -594,28 +755,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -594,28 +756,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
  ')
  
@@ -6666,7 +6667,7 @@ index 6649962b6..b7ac74501 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +807,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +808,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -6769,7 +6770,7 @@ index 6649962b6..b7ac74501 100644
  ')
  
  tunable_policy(`httpd_setrlimit',`
-@@ -695,49 +866,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,49 +867,48 @@ tunable_policy(`httpd_setrlimit',`
  
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -6850,7 +6851,7 @@ index 6649962b6..b7ac74501 100644
  ')
  
  optional_policy(`
-@@ -749,24 +919,32 @@ optional_policy(`
+@@ -749,24 +920,32 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6889,7 +6890,7 @@ index 6649962b6..b7ac74501 100644
  ')
  
  optional_policy(`
-@@ -775,6 +953,10 @@ optional_policy(`
+@@ -775,6 +954,10 @@ optional_policy(`
  	tunable_policy(`httpd_dbus_avahi',`
  		avahi_dbus_chat(httpd_t)
  	')
@@ -6900,7 +6901,7 @@ index 6649962b6..b7ac74501 100644
  ')
  
  optional_policy(`
-@@ -786,35 +968,62 @@ optional_policy(`
+@@ -786,35 +969,62 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6976,7 +6977,7 @@ index 6649962b6..b7ac74501 100644
  
  	tunable_policy(`httpd_manage_ipa',`
  		memcached_manage_pid_files(httpd_t)
-@@ -822,8 +1031,31 @@ optional_policy(`
+@@ -822,8 +1032,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -7008,7 +7009,7 @@ index 6649962b6..b7ac74501 100644
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		mysql_tcp_connect(httpd_t)
-@@ -832,6 +1064,8 @@ optional_policy(`
+@@ -832,6 +1065,8 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -7017,7 +7018,7 @@ index 6649962b6..b7ac74501 100644
  ')
  
  optional_policy(`
-@@ -842,20 +1076,48 @@ optional_policy(`
+@@ -842,20 +1077,48 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -7072,7 +7073,7 @@ index 6649962b6..b7ac74501 100644
  ')
  
  optional_policy(`
-@@ -863,16 +1125,31 @@ optional_policy(`
+@@ -863,16 +1126,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -7106,7 +7107,7 @@ index 6649962b6..b7ac74501 100644
  ')
  
  optional_policy(`
-@@ -883,65 +1160,189 @@ optional_policy(`
+@@ -883,65 +1161,189 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -7318,7 +7319,7 @@ index 6649962b6..b7ac74501 100644
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
  
-@@ -950,123 +1351,75 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1352,75 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -7472,7 +7473,7 @@ index 6649962b6..b7ac74501 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1436,107 @@ optional_policy(`
+@@ -1083,172 +1437,107 @@ optional_policy(`
  	')
  ')
  
@@ -7710,7 +7711,7 @@ index 6649962b6..b7ac74501 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1544,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1545,74 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -7808,7 +7809,7 @@ index 6649962b6..b7ac74501 100644
  
  ########################################
  #
-@@ -1321,8 +1619,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1620,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -7825,7 +7826,7 @@ index 6649962b6..b7ac74501 100644
  ')
  
  ########################################
-@@ -1330,49 +1635,43 @@ optional_policy(`
+@@ -1330,49 +1636,43 @@ optional_policy(`
  # User content local policy
  #
  
@@ -7894,7 +7895,7 @@ index 6649962b6..b7ac74501 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1681,110 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1682,110 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -16089,10 +16090,10 @@ index 954309e64..67801421b 100644
  ')
 +
 diff --git a/collectd.te b/collectd.te
-index 6471fa8c4..90d2b5324 100644
+index 6471fa8c4..00a1f00ef 100644
 --- a/collectd.te
 +++ b/collectd.te
-@@ -26,43 +26,61 @@ files_type(collectd_var_lib_t)
+@@ -26,43 +26,62 @@ files_type(collectd_var_lib_t)
  type collectd_var_run_t;
  files_pid_file(collectd_var_run_t)
  
@@ -16144,6 +16145,7 @@ index 6471fa8c4..90d2b5324 100644
 -kernel_read_system_state(collectd_t)
 +corenet_udp_bind_generic_node(collectd_t)
 +corenet_udp_bind_collectd_port(collectd_t)
++corenet_tcp_connect_lmtp_port(collectd_t)
  
  dev_read_rand(collectd_t)
  dev_read_sysfs(collectd_t)
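Review bot: `corenet_tcp_connect_lmtp_port(collectd_t)` is added to the unconditional network rules, although this file already has a `collectd_tcp_network_connect` tunable (visible in the next hunk header) that appears to gate outbound TCP. If only one optional collectd feature needs LMTP, which the hunk does not show, the call would fit better inside a conditional block so that a default install cannot reach the mail delivery port. Either way the line deserves a comment such as `# BZ(1304029): collectd connects to lmtp_port_t`, extended with the plugin that needs it. The collectd_t rule block starts and ends outside this hunk.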
@@ -16164,7 +16166,7 @@ index 6471fa8c4..90d2b5324 100644
  
  logging_send_syslog_msg(collectd_t)
  
-@@ -75,16 +93,47 @@ tunable_policy(`collectd_tcp_network_connect',`
+@@ -75,16 +94,47 @@ tunable_policy(`collectd_tcp_network_connect',`
  ')
  
  optional_policy(`
@@ -28615,7 +28617,7 @@ index 18f245250..a446210f0 100644
 +
  ')
 diff --git a/dspam.te b/dspam.te
-index ef6236335..25dcb975a 100644
+index ef6236335..281bd61c6 100644
 --- a/dspam.te
 +++ b/dspam.te
 @@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
@@ -28641,7 +28643,7 @@ index ef6236335..25dcb975a 100644
  
  files_search_spool(dspam_t)
  
-@@ -64,14 +73,35 @@ auth_use_nsswitch(dspam_t)
+@@ -64,14 +73,36 @@ auth_use_nsswitch(dspam_t)
  
  logging_send_syslog_msg(dspam_t)
  
@@ -28653,6 +28655,7 @@ index ef6236335..25dcb975a 100644
 +
 +    manage_dirs_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t)
 +    manage_files_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t)
++    allow dspam_t dspam_rw_content_t:file map;
 +
 +	read_files_pattern(dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
 +
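Review bot: `allow dspam_t dspam_rw_content_t:file map;` is added as a bare rule with no comment, directly after `manage_files_pattern` on the same type, so dspam_t can now hold writable shared mappings of that content. `map` is a separate permission because access through an existing mapping is not revalidated after a relabel or policy reload, so each grant should record its reason, e.g. `# BZ(1528723): dspam mmaps dspam_rw_content_t files`. The same applies to `allow postgrey_t postgrey_spool_t:file map;` in the postgrey.te hunk, with BZ(1529169). The indented block these lines belong to starts outside the hunk.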
@@ -28682,7 +28685,7 @@ index ef6236335..25dcb975a 100644
  ')
  
  optional_policy(`
-@@ -87,3 +117,12 @@ optional_policy(`
+@@ -87,3 +118,12 @@ optional_policy(`
  
  	postgresql_tcp_connect(dspam_t)
  ')
@@ -78385,7 +78388,7 @@ index b9e71b537..a7502cd0e 100644
  	domain_system_change_exemption($1)
  	role_transition $2 postgrey_initrc_exec_t system_r;
 diff --git a/postgrey.te b/postgrey.te
-index fd58805e5..593a05367 100644
+index fd58805e5..6f75dbd4b 100644
 --- a/postgrey.te
 +++ b/postgrey.te
 @@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
@@ -78406,7 +78409,15 @@ index fd58805e5..593a05367 100644
  dontaudit postgrey_t self:capability sys_tty_config;
  allow postgrey_t self:process signal_perms;
  allow postgrey_t self:fifo_file create_fifo_file_perms;
-@@ -55,9 +55,10 @@ files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file })
+@@ -43,6 +43,7 @@ manage_dirs_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+ manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+ manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+ manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
++allow postgrey_t postgrey_spool_t:file map;
+ 
+ manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
+ files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
+@@ -55,9 +56,10 @@ files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file })
  kernel_read_system_state(postgrey_t)
  kernel_read_kernel_sysctls(postgrey_t)
  
@@ -78419,7 +78430,7 @@ index fd58805e5..593a05367 100644
  corenet_all_recvfrom_netlabel(postgrey_t)
  corenet_tcp_sendrecv_generic_if(postgrey_t)
  corenet_tcp_sendrecv_generic_node(postgrey_t)
-@@ -72,17 +73,15 @@ dev_read_sysfs(postgrey_t)
+@@ -72,17 +74,15 @@ dev_read_sysfs(postgrey_t)
  
  domain_use_interactive_fds(postgrey_t)
  
@@ -99519,10 +99530,10 @@ index 000000000..6caef6326
 +/usr/share/sandbox/start --	gen_context(system_u:object_r:sandbox_exec_t,s0)
 diff --git a/sandboxX.if b/sandboxX.if
 new file mode 100644
-index 000000000..98dc14ef6
+index 000000000..92695bf0d
 --- /dev/null
 +++ b/sandboxX.if
-@@ -0,0 +1,401 @@
+@@ -0,0 +1,402 @@
 +
 +## <summary>policy for sandboxX </summary>
 +
@@ -99641,8 +99652,9 @@ index 000000000..98dc14ef6
 +	fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file )
 +	# Pulseaudio tmpfs files with different MCS labels
 +	dontaudit $1_client_t $1_client_tmpfs_t:file { read write };
-+	dontaudit $1_t $1_client_tmpfs_t:file { read write };
++	dontaudit $1_t $1_client_tmpfs_t:file { read write map };
 +	allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
++	allow $1_client_t $1_client_tmpfs_t:file { map };
 +
 +	domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
 +	allow $1_t sandbox_xserver_t:process signal_perms;
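Review bot: Adding `map` to `dontaudit $1_t $1_client_tmpfs_t:file { read write map };` silences mmap denials for the sandbox domain on these files, so a genuine failure will no longer appear in the audit log unless dontaudit rules are disabled. The new `allow $1_client_t $1_client_tmpfs_t:file { map };` also sits under the "Pulseaudio tmpfs files with different MCS labels" comment, which describes the dontaudit rules rather than an allow. I would give the allow its own comment line and write it without braces, `allow $1_client_t $1_client_tmpfs_t:file map;`, to match the single-permission `map` rules used in dspam.te and postgrey.te. The enclosing template starts and ends outside the hunk.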
@@ -99926,10 +99938,10 @@ index 000000000..98dc14ef6
 +')
 diff --git a/sandboxX.te b/sandboxX.te
 new file mode 100644
-index 000000000..22e956fe3
+index 000000000..6d87bc156
 --- /dev/null
 +++ b/sandboxX.te
-@@ -0,0 +1,512 @@
+@@ -0,0 +1,536 @@
 +policy_module(sandboxX,1.0.0)
 +
 +dbus_stub()
@@ -99973,6 +99985,8 @@ index 000000000..22e956fe3
 +#
 +allow sandbox_xserver_t self:process { signal_perms execstack };
 +
++allow sandbox_web_t sandbox_xserver_t:process2 nnp_transition;
++
 +tunable_policy(`deny_execmem',`',`
 +	allow sandbox_xserver_t self:process execmem;
 +')
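Review bot: `allow sandbox_web_t sandbox_xserver_t:process2 nnp_transition;` is placed among the sandbox_xserver_t self rules, whereas the matching sandbox_x_t rules get their own "sandbox_x_t local policy" section in a later hunk and the sandbox_web_t to sandbox_web_client_t rule lands in the web client section. `nnp_transition` lets a process that has set no_new_privs change domain without the target being type-bounded by the source, so these grants are worth keeping together under a comment such as `# needed when the sandbox is started with no_new_privs set`. Since sandboxX.if already calls `domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)` in its template, the permission could instead be granted there as `allow $1_t sandbox_xserver_t:process2 nnp_transition;`. Whether other domains are built from that template is not visible here.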
@@ -100052,6 +100066,22 @@ index 000000000..22e956fe3
 +
 +########################################
 +#
++# sandbox_x_t local policy
++#
++
++allow sandbox_x_t sandbox_x_client_t:process2 nnp_transition;
++allow sandbox_x_t sandbox_xserver_t:process2 nnp_transition;
++
++files_search_home(sandbox_x_t)
++userdom_use_user_ptys(sandbox_x_t)
++
++# This access is needed due to Wayland
++userdom_manage_user_tmp_dirs(sandbox_x_t)
++userdom_map_tmp_files(sandbox_x_t)
++userdom_manage_user_tmp_files(sandbox_x_t)
++
++########################################
++#
 +# sandbox_x_domain local policy
 +#
 +allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack getcap setcap };
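Review bot: The three `userdom_*` calls under "This access is needed due to Wayland" give sandbox_x_t manage and map access to the user's tmp directories and files, which is a wide grant for a sandbox domain, and the comment does not say which Wayland object requires it. If only the compositor socket and shared buffers are involved (an assumption, the hunk does not show it), a narrower interface than `userdom_manage_user_tmp_files` would keep the sandbox from creating or deleting unrelated user tmp content. At minimum the comment should name the requirement, for example `# BZ(1474082): Wayland <object> is labeled user_tmp_t`, with the placeholder filled in. The same block is added for sandbox_x_client_t in a later hunk.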
@@ -100226,9 +100256,6 @@ index 000000000..22e956fe3
 +	networkmanager_dontaudit_dbus_chat(sandbox_x_domain)
 +')
 +
-+files_search_home(sandbox_x_t)
-+userdom_use_user_ptys(sandbox_x_t)
-+
 +#1103622
 +corenet_tcp_connect_xserver_port(sandbox_x_domain)
 +xserver_stream_connect(sandbox_x_domain)
@@ -100251,6 +100278,11 @@ index 000000000..22e956fe3
 +
 +logging_send_syslog_msg(sandbox_x_client_t)
 +
++# This access is needed due to Wayland
++userdom_manage_user_tmp_dirs(sandbox_x_client_t)
++userdom_map_tmp_files(sandbox_x_client_t)
++userdom_manage_user_tmp_files(sandbox_x_client_t)
++
 +optional_policy(`
 +	avahi_dbus_chat(sandbox_x_client_t)
 +')
@@ -100273,12 +100305,16 @@ index 000000000..22e956fe3
 +#
 +typeattribute sandbox_web_client_t sandbox_web_type;
 +
++allow sandbox_web_t sandbox_web_client_t:process2 nnp_transition;
++
 +selinux_get_fs_mount(sandbox_web_client_t)
 +
 +auth_use_nsswitch(sandbox_web_client_t)
 +
 +logging_send_syslog_msg(sandbox_web_client_t)
 +
++miscfiles_map_generic_certs(sandbox_web_client_t)
++
 +allow sandbox_web_type self:capability { setuid setgid };
 +allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
 +dontaudit sandbox_web_type self:process setrlimit;
@@ -112041,10 +112077,10 @@ index 000000000..d371f62f6
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 000000000..1b34bc7b6
+index 000000000..6c04973ea
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,175 @@
+@@ -0,0 +1,176 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -112138,6 +112174,7 @@ index 000000000..1b34bc7b6
 +fs_read_dos_files(thumb_t)
 +fs_rw_inherited_tmpfs_files(thumb_t)
 +fs_map_dos_files(thumb_t)
++fs_mmap_removable_files(thumb_t)
 +
 +auth_read_passwd(thumb_t)
 +
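Review bot: The new interface is spelled `fs_mmap_removable_files`, while the line directly above uses `fs_map_dos_files` and the other map interfaces called in this patch use `_map_` as well (`userdom_map_tmp_files`, `miscfiles_map_generic_certs`). Naming it `fs_map_removable_files(thumb_t)` would keep the interfaces searchable by permission name. thumb_t presumably processes content from removable media, so a bug reference next to the call, `# BZ(1522724)`, would help a later audit of what this domain may map.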
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d398a58..9f49a3e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 307%{?dist}
+Release: 308%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -717,6 +717,16 @@ exit 0
 %endif
 
 %changelog
+* Thu Jan 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-308
+- Make working SELinux sandbox with Wayland. BZ(1474082)
+- Allow postgrey_t domain to mmap postgrey_spool_t files BZ(1529169)
+- Allow dspam_t to mmap dspam_rw_content_t files BZ(1528723)
+- Allow collectd to connect to lmtp_port_t BZ(1304029)
+- Allow httpd_t to mmap httpd_squirrelmail_t files BZ(1528776)
+- Allow thumb_t to mmap removable_t files. BZ(1522724)
+- Allow sssd_t and login_pgm attribute to mmap auth_cache_t files BZ(1530118)
+- Add interface fs_mmap_removable_files()
+
 * Tue Dec 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-307
 - Allow crond_t to read pcp lib files BZ(1525420)
 - Allow mozilla plugin domain to mmap user_home_t files BZ(1452783)