diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 82592d1..41fc4ea 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 20807f6..fdcf930 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -10083,7 +10083,7 @@ index 6a1e4d1..26e5558 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..e9c1427 100644
+index cf04cb5..549d218 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -10236,7 +10236,7 @@ index cf04cb5..e9c1427 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +242,369 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +242,373 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -10260,9 +10260,9 @@ index cf04cb5..e9c1427 100644
+ fstools_filetrans_named_content_fsadm(named_filetrans_domain)
+')
+
-+#optional_policy(`
-+# docker_filetrans_named_content(named_filetrans_domain)
-+#')
++optional_policy(`
++ docker_filetrans_named_content(named_filetrans_domain)
++')
+
+optional_policy(`
+ locallogin_filetrans_home_content(named_filetrans_domain)
@@ -10604,6 +10604,10 @@ index cf04cb5..e9c1427 100644
+')
+
+optional_policy(`
++ docker_spc_stream_connect(domain)
++')
++
++optional_policy(`
+ unconfined_server_stream_connect(domain)
+')
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
@@ -22103,7 +22107,7 @@ index 234a940..a92415a 100644
########################################
## <summary>
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 0fef1fc..eb39093 100644
+index 0fef1fc..008545e 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,72 @@ policy_module(staff, 2.4.0)
@@ -22206,10 +22210,11 @@ index 0fef1fc..eb39093 100644
dbadm_role_change(staff_r)
')
-+#optional_policy(`
-+# docker_stream_connect(staff_t)
-+# docker_exec(staff_t)
-+#')
+ optional_policy(`
+- git_role(staff_r, staff_t)
++ docker_stream_connect(staff_t)
++ docker_exec(staff_t)
++')
+
+optional_policy(`
+ dnsmasq_read_pid_files(staff_t)
@@ -22276,8 +22281,7 @@ index 0fef1fc..eb39093 100644
+ oident_relabel_user_content(staff_t)
+')
+
- optional_policy(`
-- git_role(staff_r, staff_t)
++optional_policy(`
+ mta_role(staff_r, staff_t)
+')
+
@@ -26593,7 +26597,7 @@ index 8274418..b3baa75 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..b036584 100644
+index 6bf0ecc..f2bbe7e 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -18,100 +18,36 @@
@@ -27561,8 +27565,8 @@ index 6bf0ecc..b036584 100644
- ')
-
- dontaudit $1 xdm_tmp_t:sock_file getattr;
-+ refpolicywarn(`$0() has been deprecated, please use usedom_dontaudit_user_getattr_tmp_sockets instead.')
-+ usedom_dontaudit_user_getattr_tmp_sockets($1)
++ refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_user_getattr_tmp_sockets instead.')
++ userdom_dontaudit_user_getattr_tmp_sockets($1)
')
########################################
@@ -33737,7 +33741,7 @@ index 79a45f6..9769b64 100644
+ read_files_pattern($1, init_var_lib_t, init_var_lib_t)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..137676e 100644
+index 17eda24..6e6454d 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -33792,7 +33796,7 @@ index 17eda24..137676e 100644
# Mark file type as a daemon run directory
attribute daemonrundir;
-@@ -35,12 +64,20 @@ attribute daemonrundir;
+@@ -35,12 +64,21 @@ attribute daemonrundir;
#
# init_t is the domain of the init process.
#
@@ -33802,6 +33806,7 @@ index 17eda24..137676e 100644
domain_type(init_t)
domain_entry_file(init_t, init_exec_t)
+domain_role_change_exemption(init_t)
++domain_subj_id_change_exemption(init_t)
kernel_domtrans_to(init_t, init_exec_t)
role system_r types init_t;
+init_initrc_domain(init_t)
@@ -33814,7 +33819,7 @@ index 17eda24..137676e 100644
#
# init_var_run_t is the type for /var/run/shutdown.pid.
-@@ -49,6 +86,15 @@ type init_var_run_t;
+@@ -49,6 +87,15 @@ type init_var_run_t;
files_pid_file(init_var_run_t)
#
@@ -33830,7 +33835,7 @@ index 17eda24..137676e 100644
# initctl_t is the type of the named pipe created
# by init during initialization. This pipe is used
# to communicate with init.
-@@ -57,7 +103,7 @@ type initctl_t;
+@@ -57,7 +104,7 @@ type initctl_t;
files_type(initctl_t)
mls_trusted_object(initctl_t)
@@ -33839,7 +33844,7 @@ index 17eda24..137676e 100644
type initrc_exec_t, init_script_file_type;
domain_type(initrc_t)
domain_entry_file(initrc_t, initrc_exec_t)
-@@ -66,6 +112,7 @@ role system_r types initrc_t;
+@@ -66,6 +113,7 @@ role system_r types initrc_t;
# of the below init_upstart tunable
# but this has a typeattribute in it
corecmd_shell_entry_type(initrc_t)
@@ -33847,7 +33852,7 @@ index 17eda24..137676e 100644
type initrc_devpts_t;
term_pty(initrc_devpts_t)
-@@ -98,7 +145,11 @@ ifdef(`enable_mls',`
+@@ -98,7 +146,11 @@ ifdef(`enable_mls',`
#
# Use capabilities. old rule:
@@ -33860,7 +33865,7 @@ index 17eda24..137676e 100644
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
-@@ -108,14 +159,43 @@ allow init_t self:capability ~sys_module;
+@@ -108,14 +160,43 @@ allow init_t self:capability ~sys_module;
allow init_t self:fifo_file rw_fifo_file_perms;
@@ -33910,7 +33915,7 @@ index 17eda24..137676e 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +205,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +206,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
@@ -33935,7 +33940,7 @@ index 17eda24..137676e 100644
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
-@@ -139,14 +229,24 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +230,24 @@ domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)
@@ -33961,7 +33966,7 @@ index 17eda24..137676e 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +256,55 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +257,55 @@ fs_list_inotifyfs(init_t)
fs_write_ramfs_sockets(init_t)
mcs_process_set_categories(init_t)
@@ -34021,7 +34026,7 @@ index 17eda24..137676e 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +313,242 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +314,242 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -34273,7 +34278,7 @@ index 17eda24..137676e 100644
')
optional_policy(`
-@@ -216,7 +556,31 @@ optional_policy(`
+@@ -216,7 +557,31 @@ optional_policy(`
')
optional_policy(`
@@ -34305,7 +34310,7 @@ index 17eda24..137676e 100644
')
########################################
-@@ -225,9 +589,9 @@ optional_policy(`
+@@ -225,9 +590,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -34317,7 +34322,7 @@ index 17eda24..137676e 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +622,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +623,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -34334,7 +34339,7 @@ index 17eda24..137676e 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +647,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +648,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -34377,7 +34382,7 @@ index 17eda24..137676e 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +684,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +685,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -34389,7 +34394,7 @@ index 17eda24..137676e 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +696,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +697,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -34400,7 +34405,7 @@ index 17eda24..137676e 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +707,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +708,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -34410,7 +34415,7 @@ index 17eda24..137676e 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +716,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +717,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -34418,7 +34423,7 @@ index 17eda24..137676e 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +723,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +724,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -34426,7 +34431,7 @@ index 17eda24..137676e 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +731,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +732,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -34444,7 +34449,7 @@ index 17eda24..137676e 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +749,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +750,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -34458,7 +34463,7 @@ index 17eda24..137676e 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +764,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +765,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -34472,7 +34477,7 @@ index 17eda24..137676e 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,8 +777,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +778,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -34483,7 +34488,7 @@ index 17eda24..137676e 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +790,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +791,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -34491,7 +34496,7 @@ index 17eda24..137676e 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +809,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +810,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -34515,7 +34520,7 @@ index 17eda24..137676e 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +842,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +843,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -34523,7 +34528,7 @@ index 17eda24..137676e 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +876,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +877,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -34534,7 +34539,7 @@ index 17eda24..137676e 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +900,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +901,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -34543,7 +34548,7 @@ index 17eda24..137676e 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +915,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +916,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -34551,7 +34556,7 @@ index 17eda24..137676e 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +936,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +937,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -34559,7 +34564,7 @@ index 17eda24..137676e 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +946,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +947,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -34604,7 +34609,7 @@ index 17eda24..137676e 100644
')
optional_policy(`
-@@ -559,14 +991,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +992,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -34636,7 +34641,7 @@ index 17eda24..137676e 100644
')
')
-@@ -577,6 +1026,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1027,39 @@ ifdef(`distro_suse',`
')
')
@@ -34676,7 +34681,7 @@ index 17eda24..137676e 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1071,8 @@ optional_policy(`
+@@ -589,6 +1072,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -34685,7 +34690,7 @@ index 17eda24..137676e 100644
')
optional_policy(`
-@@ -610,6 +1094,7 @@ optional_policy(`
+@@ -610,6 +1095,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -34693,7 +34698,7 @@ index 17eda24..137676e 100644
')
optional_policy(`
-@@ -626,6 +1111,17 @@ optional_policy(`
+@@ -626,6 +1112,17 @@ optional_policy(`
')
optional_policy(`
@@ -34711,7 +34716,7 @@ index 17eda24..137676e 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1138,13 @@ optional_policy(`
+@@ -642,9 +1139,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -34725,7 +34730,7 @@ index 17eda24..137676e 100644
')
optional_policy(`
-@@ -657,15 +1157,11 @@ optional_policy(`
+@@ -657,15 +1158,11 @@ optional_policy(`
')
optional_policy(`
@@ -34743,7 +34748,7 @@ index 17eda24..137676e 100644
')
optional_policy(`
-@@ -686,6 +1182,15 @@ optional_policy(`
+@@ -686,6 +1183,15 @@ optional_policy(`
')
optional_policy(`
@@ -34759,7 +34764,7 @@ index 17eda24..137676e 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1231,7 @@ optional_policy(`
+@@ -726,6 +1232,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -34767,7 +34772,7 @@ index 17eda24..137676e 100644
')
optional_policy(`
-@@ -743,7 +1249,13 @@ optional_policy(`
+@@ -743,7 +1250,13 @@ optional_policy(`
')
optional_policy(`
@@ -34782,7 +34787,7 @@ index 17eda24..137676e 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1278,10 @@ optional_policy(`
+@@ -766,6 +1279,10 @@ optional_policy(`
')
optional_policy(`
@@ -34793,7 +34798,7 @@ index 17eda24..137676e 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1291,20 @@ optional_policy(`
+@@ -775,10 +1292,20 @@ optional_policy(`
')
optional_policy(`
@@ -34814,7 +34819,7 @@ index 17eda24..137676e 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1313,10 @@ optional_policy(`
+@@ -787,6 +1314,10 @@ optional_policy(`
')
optional_policy(`
@@ -34825,7 +34830,7 @@ index 17eda24..137676e 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1338,6 @@ optional_policy(`
+@@ -808,8 +1339,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -34834,7 +34839,7 @@ index 17eda24..137676e 100644
')
optional_policy(`
-@@ -818,6 +1346,10 @@ optional_policy(`
+@@ -818,6 +1347,10 @@ optional_policy(`
')
optional_policy(`
@@ -34845,7 +34850,7 @@ index 17eda24..137676e 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1359,12 @@ optional_policy(`
+@@ -827,10 +1360,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -34858,7 +34863,7 @@ index 17eda24..137676e 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1391,60 @@ optional_policy(`
+@@ -857,21 +1392,60 @@ optional_policy(`
')
optional_policy(`
@@ -34920,7 +34925,7 @@ index 17eda24..137676e 100644
')
optional_policy(`
-@@ -887,6 +1460,10 @@ optional_policy(`
+@@ -887,6 +1461,10 @@ optional_policy(`
')
optional_policy(`
@@ -34931,7 +34936,7 @@ index 17eda24..137676e 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1474,218 @@ optional_policy(`
+@@ -897,3 +1475,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -35428,7 +35433,7 @@ index 0d4c8d3..720ece8 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 312cd04..30cecca 100644
+index 312cd04..8e32ea8 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -35441,7 +35446,7 @@ index 312cd04..30cecca 100644
type ipsec_mgmt_lock_t;
files_lock_file(ipsec_mgmt_lock_t)
-@@ -67,29 +70,42 @@ type setkey_exec_t;
+@@ -67,29 +70,43 @@ type setkey_exec_t;
init_system_domain(setkey_t, setkey_exec_t)
role system_r types setkey_t;
@@ -35470,6 +35475,7 @@ index 312cd04..30cecca 100644
+allow ipsec_t self:netlink_selinux_socket create_socket_perms;
+allow ipsec_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow ipsec_t self:netlink_route_socket { create_netlink_socket_perms write };
++allow ipsec_t self:tun_socket create_socket_perms;
allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
@@ -35489,7 +35495,7 @@ index 312cd04..30cecca 100644
manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
-@@ -110,10 +126,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
+@@ -110,10 +127,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
allow ipsec_mgmt_t ipsec_t:fd use;
allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
@@ -35502,7 +35508,7 @@ index 312cd04..30cecca 100644
kernel_list_proc(ipsec_t)
kernel_read_proc_symlinks(ipsec_t)
# allow pluto to access /proc/net/ipsec_eroute;
-@@ -128,20 +144,22 @@ corecmd_exec_shell(ipsec_t)
+@@ -128,20 +145,24 @@ corecmd_exec_shell(ipsec_t)
corecmd_exec_bin(ipsec_t)
# Pluto needs network access
@@ -35529,10 +35535,12 @@ index 312cd04..30cecca 100644
corenet_sendrecv_isakmp_server_packets(ipsec_t)
+corenet_tcp_connect_http_port(ipsec_t)
+corenet_tcp_connect_ldap_port(ipsec_t)
++
++corenet_rw_tun_tap_dev(ipsec_t)
dev_read_sysfs(ipsec_t)
dev_read_rand(ipsec_t)
-@@ -157,24 +175,32 @@ files_dontaudit_search_home(ipsec_t)
+@@ -157,24 +178,32 @@ files_dontaudit_search_home(ipsec_t)
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
@@ -35567,7 +35575,21 @@ index 312cd04..30cecca 100644
seutil_sigchld_newrole(ipsec_t)
')
-@@ -187,14 +213,15 @@ optional_policy(`
+@@ -182,19 +211,29 @@ optional_policy(`
+ udev_read_db(ipsec_t)
+ ')
+
++optional_policy(`
++ dbus_system_bus_client(ipsec_t)
++ dbus_connect_system_bus(ipsec_t)
++
++ optional_policy(`
++ networkmanager_dbus_chat(ipsec_t)
++ ')
++')
++
+ ########################################
+ #
# ipsec_mgmt Local policy
#
@@ -35587,7 +35609,7 @@ index 312cd04..30cecca 100644
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
-@@ -208,12 +235,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+@@ -208,12 +247,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@@ -35603,7 +35625,7 @@ index 312cd04..30cecca 100644
# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
-@@ -246,6 +275,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +287,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@@ -35620,7 +35642,7 @@ index 312cd04..30cecca 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -255,6 +294,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +306,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t)
@@ -35629,7 +35651,7 @@ index 312cd04..30cecca 100644
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
-@@ -269,6 +310,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+@@ -269,6 +322,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
files_read_etc_files(ipsec_mgmt_t)
files_exec_etc_files(ipsec_mgmt_t)
files_read_etc_runtime_files(ipsec_mgmt_t)
@@ -35637,7 +35659,7 @@ index 312cd04..30cecca 100644
files_read_usr_files(ipsec_mgmt_t)
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
-@@ -278,9 +320,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +332,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@@ -35649,7 +35671,7 @@ index 312cd04..30cecca 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
-@@ -288,17 +331,28 @@ init_exec_script_files(ipsec_mgmt_t)
+@@ -288,17 +343,28 @@ init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
@@ -35683,7 +35705,7 @@ index 312cd04..30cecca 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +376,10 @@ optional_policy(`
+@@ -322,6 +388,10 @@ optional_policy(`
')
optional_policy(`
@@ -35694,7 +35716,7 @@ index 312cd04..30cecca 100644
modutils_domtrans_insmod(ipsec_mgmt_t)
')
-@@ -335,7 +393,7 @@ optional_policy(`
+@@ -335,7 +405,7 @@ optional_policy(`
#
allow racoon_t self:capability { net_admin net_bind_service };
@@ -35703,7 +35725,7 @@ index 312cd04..30cecca 100644
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +428,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +440,12 @@ kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
@@ -35723,7 +35745,7 @@ index 312cd04..30cecca 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -401,10 +458,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +470,10 @@ locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t)
@@ -35736,7 +35758,7 @@ index 312cd04..30cecca 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +495,8 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +507,8 @@ corenet_setcontext_all_spds(setkey_t)
locallogin_use_fds(setkey_t)
@@ -38505,7 +38527,7 @@ index 58bc27f..8f7b119 100644
+
+
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 79048c4..14497e9 100644
+index 79048c4..a6a1d12 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -38737,17 +38759,17 @@ index 79048c4..14497e9 100644
bootloader_rw_tmp_files(lvm_t)
')
-@@ -320,6 +363,10 @@ optional_policy(`
- ccs_stream_connect(lvm_t)
+@@ -321,6 +364,10 @@ optional_policy(`
')
-+#optional_policy(`
-+# docker_rw_sem(lvm_t)
-+#')
-+
optional_policy(`
++ docker_rw_sem(lvm_t)
++')
++
++optional_policy(`
gpm_dontaudit_getattr_gpmctl(lvm_t)
')
+
@@ -333,14 +380,30 @@ optional_policy(`
')
@@ -43315,10 +43337,10 @@ index 0000000..66b8608
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..4f142e9
+index 0000000..697417b
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1615 @@
+@@ -0,0 +1,1639 @@
+## <summary>SELinux policy for systemd components</summary>
+
+######################################
@@ -43342,6 +43364,8 @@ index 0000000..4f142e9
+ init_daemon_domain($1_t, $1_exec_t)
+
+ kernel_read_system_state($1_t)
++
++ auth_use_nsswitch($1_t)
+')
+
+######################################
@@ -44934,12 +44958,34 @@ index 0000000..4f142e9
+ files_search_var_lib($1)
+ manage_files_pattern($1, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
+')
++
++########################################
++## <summary>
++## Send and receive messages from
++## systemd machined over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_dbus_chat_machined',`
++ gen_require(`
++ type systemd_machined_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 systemd_machined_t:dbus send_msg;
++ allow systemd_machined_t $1:dbus send_msg;
++ ps_process_pattern(systemd_machined_t, $1)
++')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..bf0a5c8
+index 0000000..dde1f34
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,784 @@
+@@ -0,0 +1,780 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -45141,7 +45187,6 @@ index 0000000..bf0a5c8
+# /run/user/.*
+# Actually only have proof of it creating dirs and symlinks (/run/user/$USER/X11/display)
+auth_manage_var_auth(systemd_logind_t)
-+auth_use_nsswitch(systemd_logind_t)
+
+authlogin_read_state(systemd_logind_t)
+
@@ -45203,7 +45248,7 @@ index 0000000..bf0a5c8
+# systemd_machined local policy
+#
+
-+allow systemd_machined_t self:capability sys_ptrace;
++allow systemd_machined_t self:capability { dac_override setgid sys_admin sys_chroot sys_ptrace };
+allow systemd_machined_t systemd_unit_file_t:service { status start };
+allow systemd_machined_t self:unix_dgram_socket create_socket_perms;
+
@@ -45218,6 +45263,8 @@ index 0000000..bf0a5c8
+init_var_lib_filetrans(systemd_machined_t, systemd_machined_var_lib_t, dir, "machines")
+
+kernel_dgram_send(systemd_machined_t)
++# This is a bug, but need for now.
++kernel_read_unlabeled_state(systemd_machined_t)
+
+init_dbus_chat(systemd_machined_t)
+init_status(systemd_machined_t)
@@ -45232,7 +45279,13 @@ index 0000000..bf0a5c8
+')
+
+optional_policy(`
++ docker_read_share_files(systemd_machined_t)
++ docker_spc_read_state(systemd_machined_t)
++')
++
++optional_policy(`
+ virt_dbus_chat(systemd_machined_t)
++ virt_sandbox_read_state(systemd_machined_t)
+')
+
+#######################################
@@ -45268,8 +45321,6 @@ index 0000000..bf0a5c8
+
+dev_read_sysfs(systemd_networkd_t)
+
-+auth_use_nsswitch(systemd_networkd_t)
-+
+logging_send_syslog_msg(systemd_networkd_t)
+
+sysnet_manage_config(systemd_networkd_t)
@@ -45312,8 +45363,6 @@ index 0000000..bf0a5c8
+
+term_read_console(systemd_passwd_agent_t)
+
-+auth_use_nsswitch(systemd_passwd_agent_t)
-+
+init_create_pid_dirs(systemd_passwd_agent_t)
+init_rw_pipes(systemd_passwd_agent_t)
+init_read_utmp(systemd_passwd_agent_t)
@@ -45379,7 +45428,6 @@ index 0000000..bf0a5c8
+auth_relabel_var_auth_dirs(systemd_tmpfiles_t)
+auth_relabel_login_records(systemd_tmpfiles_t)
+auth_setattr_login_records(systemd_tmpfiles_t)
-+auth_use_nsswitch(systemd_tmpfiles_t)
+
+init_dgram_send(systemd_tmpfiles_t)
+init_rw_stream_sockets(systemd_tmpfiles_t)
@@ -45458,8 +45506,6 @@ index 0000000..bf0a5c8
+
+fs_getattr_cgroup_files(systemd_notify_t)
+
-+auth_use_nsswitch(systemd_notify_t)
-+
+init_rw_stream_sockets(systemd_notify_t)
+
+optional_policy(`
@@ -45490,8 +45536,6 @@ index 0000000..bf0a5c8
+# only needs write
+term_use_generic_ptys(systemd_logger_t)
+
-+auth_use_nsswitch(systemd_logger_t)
-+
+# /run/systemd/notify
+init_write_pid_socket(systemd_logger_t)
+
@@ -45606,8 +45650,6 @@ index 0000000..bf0a5c8
+
+fs_getattr_xattr_fs(systemd_timedated_t)
+
-+auth_use_nsswitch(systemd_timedated_t)
-+
+init_dbus_chat(systemd_timedated_t)
+init_status(systemd_timedated_t)
+
@@ -47137,7 +47179,7 @@ index db75976..c54480a 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..48a4886 100644
+index 9dc60c6..b2ad017 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -49167,7 +49209,7 @@ index 9dc60c6..48a4886 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1872,17 +2463,151 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1872,17 +2463,167 @@ interface(`userdom_mmap_user_home_content_files',`
## </summary>
## </param>
#
@@ -49176,9 +49218,25 @@ index 9dc60c6..48a4886 100644
- type user_home_dir_t, user_home_t;
- ')
+interface(`usedom_dontaudit_user_getattr_tmp_sockets',`
++ refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.')
++ userdom_getattr_user_tmp_files($1)
++')
++
++########################################
++## <summary>
++## Dontaudit getattr on user tmp sockets.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_dontaudit_user_getattr_tmp_sockets',`
+ gen_require(`
+ type user_tmp_t;
+ ')
++
+ dontaudit $1 user_tmp_t:sock_file getattr_sock_file_perms;
+')
+
@@ -49238,7 +49296,8 @@ index 9dc60c6..48a4886 100644
+
+ dontaudit $1 user_home_t:file setattr_file_perms;
+')
-+
+
+- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+########################################
+## <summary>
+## Set the attributes of all user home directories.
@@ -49274,11 +49333,11 @@ index 9dc60c6..48a4886 100644
+ ')
+
+ mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-+ files_search_home($1)
-+')
-+
-+########################################
-+## <summary>
+ files_search_home($1)
+ ')
+
+ ########################################
+ ## <summary>
+## Read user home files.
+## </summary>
+## <param name="domain">
@@ -49292,16 +49351,15 @@ index 9dc60c6..48a4886 100644
+ type user_home_dir_t, user_home_t;
+ attribute user_home_type;
+ ')
-
-- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
++
+ allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
+ list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type })
+ read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
- files_search_home($1)
- ')
-
- ########################################
- ## <summary>
++ files_search_home($1)
++')
++
++########################################
++## <summary>
+## Do not audit attempts to getattr user home files.
+## </summary>
+## <param name="domain">
@@ -49324,7 +49382,7 @@ index 9dc60c6..48a4886 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1893,11 +2618,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1893,11 +2634,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -49342,7 +49400,7 @@ index 9dc60c6..48a4886 100644
')
########################################
-@@ -1938,7 +2666,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2682,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
## <summary>
@@ -49351,7 +49409,7 @@ index 9dc60c6..48a4886 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1946,10 +2674,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2690,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
## </summary>
## </param>
#
@@ -49364,7 +49422,7 @@ index 9dc60c6..48a4886 100644
')
userdom_search_user_home_content($1)
-@@ -1958,7 +2685,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2701,7 @@ interface(`userdom_delete_all_user_home_content_files',`
########################################
## <summary>
@@ -49373,7 +49431,7 @@ index 9dc60c6..48a4886 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1966,12 +2693,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2709,66 @@ interface(`userdom_delete_all_user_home_content_files',`
## </summary>
## </param>
#
@@ -49442,7 +49500,7 @@ index 9dc60c6..48a4886 100644
')
########################################
-@@ -2007,8 +2788,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2804,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -49452,7 +49510,7 @@ index 9dc60c6..48a4886 100644
')
########################################
-@@ -2024,21 +2804,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,21 +2820,15 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -49478,7 +49536,7 @@ index 9dc60c6..48a4886 100644
########################################
## <summary>
## Do not audit attempts to execute user home files.
-@@ -2120,7 +2894,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2910,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
## <summary>
@@ -49487,7 +49545,7 @@ index 9dc60c6..48a4886 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2128,19 +2902,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2918,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
## </summary>
## </param>
#
@@ -49511,7 +49569,7 @@ index 9dc60c6..48a4886 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2148,12 +2920,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2936,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
## </summary>
## </param>
#
@@ -49527,7 +49585,7 @@ index 9dc60c6..48a4886 100644
')
########################################
-@@ -2388,18 +3160,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3176,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
## </summary>
## </param>
#
@@ -49585,7 +49643,7 @@ index 9dc60c6..48a4886 100644
## Do not audit attempts to read users
## temporary files.
## </summary>
-@@ -2414,7 +3222,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3238,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -49594,7 +49652,7 @@ index 9dc60c6..48a4886 100644
')
########################################
-@@ -2455,6 +3263,25 @@ interface(`userdom_rw_user_tmp_files',`
+@@ -2455,6 +3279,25 @@ interface(`userdom_rw_user_tmp_files',`
rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
@@ -49620,7 +49678,7 @@ index 9dc60c6..48a4886 100644
########################################
## <summary>
-@@ -2538,7 +3365,7 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,7 +3381,7 @@ interface(`userdom_manage_user_tmp_files',`
########################################
## <summary>
## Create, read, write, and delete user
@@ -49629,7 +49687,7 @@ index 9dc60c6..48a4886 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2546,19 +3373,19 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2546,18 +3389,59 @@ interface(`userdom_manage_user_tmp_files',`
## </summary>
## </param>
#
@@ -49647,55 +49705,7 @@ index 9dc60c6..48a4886 100644
########################################
## <summary>
## Create, read, write, and delete user
--## temporary named pipes.
+## temporary symbolic links.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -2566,19 +3393,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
- ## </summary>
- ## </param>
- #
--interface(`userdom_manage_user_tmp_pipes',`
-+interface(`userdom_manage_user_tmp_symlinks',`
- gen_require(`
- type user_tmp_t;
- ')
-
-- manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
-+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
- files_search_tmp($1)
- ')
-
- ########################################
- ## <summary>
- ## Create, read, write, and delete user
--## temporary named sockets.
-+## temporary named pipes.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -2586,18 +3413,59 @@ interface(`userdom_manage_user_tmp_pipes',`
- ## </summary>
- ## </param>
- #
--interface(`userdom_manage_user_tmp_sockets',`
-+interface(`userdom_rw_inherited_user_tmp_pipes',`
- gen_require(`
- type user_tmp_t;
- ')
-
-- manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
-+ allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
- files_search_tmp($1)
- ')
-
-+
- ########################################
- ## <summary>
--## Create objects in a user temporary directory
-+## Create, read, write, and delete user
-+## temporary named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -49703,19 +49713,19 @@ index 9dc60c6..48a4886 100644
+## </summary>
+## </param>
+#
-+interface(`userdom_manage_user_tmp_pipes',`
++interface(`userdom_manage_user_tmp_symlinks',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
-+ manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
++ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete user
-+## temporary named sockets.
++## temporary named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -49723,22 +49733,23 @@ index 9dc60c6..48a4886 100644
+## </summary>
+## </param>
+#
-+interface(`userdom_manage_user_tmp_sockets',`
++interface(`userdom_rw_inherited_user_tmp_pipes',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
-+ manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
++ allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+ files_search_tmp($1)
+')
+
++
+########################################
+## <summary>
-+## Create objects in a user temporary directory
- ## with an automatic type transition to
- ## a specified private type.
++## Create, read, write, and delete user
+ ## temporary named pipes.
## </summary>
-@@ -2661,6 +3529,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+ ## <param name="domain">
+@@ -2661,6 +3545,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -49760,7 +49771,7 @@ index 9dc60c6..48a4886 100644
########################################
## <summary>
## Read user tmpfs files.
-@@ -2672,18 +3555,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2672,18 +3571,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
## </param>
#
interface(`userdom_read_user_tmpfs_files',`
@@ -49782,7 +49793,7 @@ index 9dc60c6..48a4886 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2692,19 +3570,13 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3586,13 @@ interface(`userdom_read_user_tmpfs_files',`
## </param>
#
interface(`userdom_rw_user_tmpfs_files',`
@@ -49805,7 +49816,7 @@ index 9dc60c6..48a4886 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2713,13 +3585,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2713,13 +3601,56 @@ interface(`userdom_rw_user_tmpfs_files',`
## </param>
#
interface(`userdom_manage_user_tmpfs_files',`
@@ -49866,7 +49877,7 @@ index 9dc60c6..48a4886 100644
')
########################################
-@@ -2814,6 +3729,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3745,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -49891,7 +49902,7 @@ index 9dc60c6..48a4886 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
-@@ -2832,22 +3765,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3781,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@@ -49934,7 +49945,7 @@ index 9dc60c6..48a4886 100644
## </desc>
## <param name="domain">
## <summary>
-@@ -2856,14 +3801,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3817,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@@ -49972,7 +49983,7 @@ index 9dc60c6..48a4886 100644
')
########################################
-@@ -2882,8 +3846,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3862,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -50002,7 +50013,7 @@ index 9dc60c6..48a4886 100644
')
########################################
-@@ -2955,69 +3938,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,69 +3954,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -50103,7 +50114,7 @@ index 9dc60c6..48a4886 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3025,12 +4007,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,12 +4023,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@@ -50118,7 +50129,7 @@ index 9dc60c6..48a4886 100644
')
########################################
-@@ -3094,7 +4076,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4092,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -50127,7 +50138,7 @@ index 9dc60c6..48a4886 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3110,29 +4092,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4108,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -50161,7 +50172,7 @@ index 9dc60c6..48a4886 100644
')
########################################
-@@ -3214,7 +4180,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4196,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -50188,7 +50199,7 @@ index 9dc60c6..48a4886 100644
')
########################################
-@@ -3269,12 +4253,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4269,13 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -50204,7 +50215,7 @@ index 9dc60c6..48a4886 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3282,46 +4267,122 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,54 +4283,130 @@ interface(`userdom_write_user_tmp_files',`
## </summary>
## </param>
#
@@ -50262,13 +50273,15 @@ index 9dc60c6..48a4886 100644
gen_require(`
- attribute userdomain;
+ type user_tmp_t;
-+ ')
-+
+ ')
+
+- allow $1 userdomain:process getattr;
+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Inherit the file descriptors from all user domains
+## Allow domain to read/write inherited users
+## fifo files.
+## </summary>
@@ -50337,10 +50350,18 @@ index 9dc60c6..48a4886 100644
+interface(`userdom_getattr_all_users',`
+ gen_require(`
+ attribute userdomain;
- ')
-
- allow $1 userdomain:process getattr;
-@@ -3382,6 +4443,42 @@ interface(`userdom_signal_all_users',`
++ ')
++
++ allow $1 userdomain:process getattr;
++')
++
++########################################
++## <summary>
++## Inherit the file descriptors from all user domains
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -3382,6 +4459,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -50383,7 +50404,7 @@ index 9dc60c6..48a4886 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4499,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4515,60 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -50444,7 +50465,7 @@ index 9dc60c6..48a4886 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3435,4 +4586,1727 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4602,1727 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 2c9c72b..c0a4779 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -589,7 +589,7 @@ index 058d908..ee0c559 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index eb50f07..853554d 100644
+index eb50f07..e519be5 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -838,9 +838,9 @@ index eb50f07..853554d 100644
+logging_read_syslog_pid(abrt_t)
+
+auth_use_nsswitch(abrt_t)
-+
-+init_read_utmp(abrt_t)
++init_read_utmp(abrt_t)
++
+miscfiles_read_generic_certs(abrt_t)
miscfiles_read_public_files(abrt_t)
+miscfiles_dontaudit_access_check_cert(abrt_t)
@@ -868,10 +868,14 @@ index eb50f07..853554d 100644
')
optional_policy(`
-@@ -222,6 +253,28 @@ optional_policy(`
+@@ -222,6 +253,32 @@ optional_policy(`
')
optional_policy(`
++ docker_stream_connect(abrt_t)
++')
++
++optional_policy(`
+ kdump_read_crash(abrt_t)
+')
+
@@ -897,7 +901,7 @@ index eb50f07..853554d 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -234,6 +287,11 @@ optional_policy(`
+@@ -234,6 +291,11 @@ optional_policy(`
')
optional_policy(`
@@ -909,7 +913,7 @@ index eb50f07..853554d 100644
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
-@@ -243,6 +301,7 @@ optional_policy(`
+@@ -243,6 +305,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@@ -917,7 +921,7 @@ index eb50f07..853554d 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -253,9 +312,21 @@ optional_policy(`
+@@ -253,9 +316,21 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -940,7 +944,7 @@ index eb50f07..853554d 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +337,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +341,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -955,7 +959,7 @@ index eb50f07..853554d 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +356,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +360,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -963,7 +967,7 @@ index eb50f07..853554d 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +365,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +369,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -984,7 +988,7 @@ index eb50f07..853554d 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +386,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +390,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -1011,7 +1015,7 @@ index eb50f07..853554d 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +422,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +426,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -1025,7 +1029,7 @@ index eb50f07..853554d 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +440,11 @@ optional_policy(`
+@@ -343,10 +444,11 @@ optional_policy(`
#######################################
#
@@ -1039,7 +1043,7 @@ index eb50f07..853554d 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +463,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +467,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -1108,7 +1112,7 @@ index eb50f07..853554d 100644
#######################################
#
-@@ -404,25 +528,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +532,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1171,7 +1175,7 @@ index eb50f07..853554d 100644
')
#######################################
-@@ -430,10 +589,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +593,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
@@ -27932,7 +27936,7 @@ index 50d0084..94e1936 100644
fail2ban_run_client($1, $2)
diff --git a/fail2ban.te b/fail2ban.te
-index cf0e567..6c3ce35 100644
+index cf0e567..7945ad9 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
@@ -28013,7 +28017,7 @@ index cf0e567..6c3ce35 100644
shorewall_domtrans(fail2ban_t)
')
-@@ -131,22 +146,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+@@ -131,22 +146,32 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
@@ -28036,6 +28040,8 @@ index cf0e567..6c3ce35 100644
+auth_use_nsswitch(fail2ban_client_t)
+
++libs_exec_ldconfig(fail2ban_client_t)
++
logging_getattr_all_logs(fail2ban_client_t)
logging_search_all_logs(fail2ban_client_t)
-
@@ -66423,10 +66429,10 @@ index 0000000..80246e6
+
diff --git a/pcp.te b/pcp.te
new file mode 100644
-index 0000000..08c51d3
+index 0000000..65502e1
--- /dev/null
+++ b/pcp.te
-@@ -0,0 +1,268 @@
+@@ -0,0 +1,272 @@
+policy_module(pcp, 1.0.0)
+
+########################################
@@ -66576,6 +66582,10 @@ index 0000000..08c51d3
+userdom_read_user_tmp_files(pcp_pmcd_t)
+
+optional_policy(`
++ docker_manage_lib_files(pcp_pmcd_t)
++')
++
++optional_policy(`
+ mysql_stream_connect(pcp_pmcd_t)
+')
+
@@ -96355,10 +96365,10 @@ index 3a9a70b..903109c 100644
logging_list_logs($1)
admin_pattern($1, setroubleshoot_var_log_t)
diff --git a/setroubleshoot.te b/setroubleshoot.te
-index ce67935..130eca9 100644
+index ce67935..24c746f 100644
--- a/setroubleshoot.te
+++ b/setroubleshoot.te
-@@ -7,43 +7,52 @@ policy_module(setroubleshoot, 1.12.1)
+@@ -7,68 +7,95 @@ policy_module(setroubleshoot, 1.12.1)
type setroubleshootd_t alias setroubleshoot_t;
type setroubleshootd_exec_t;
@@ -96382,6 +96392,12 @@ index ce67935..130eca9 100644
type setroubleshoot_var_run_t;
files_pid_file(setroubleshoot_var_run_t)
++type setroubleshoot_tmp_t;
++files_tmp_file(setroubleshoot_tmp_t)
++
++type setroubleshoot_tmpfs_t;
++files_tmpfs_file(setroubleshoot_tmpfs_t)
++
########################################
#
-# Local policy
@@ -96402,8 +96418,19 @@ index ce67935..130eca9 100644
+allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
+allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow setroubleshootd_t self:unix_dgram_socket create_socket_perms;
++
-allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr_dir_perms;
++manage_files_pattern(setroubleshootd_t, setroubleshoot_tmp_t, setroubleshoot_tmp_t)
++manage_dirs_pattern(setroubleshootd_t, setroubleshoot_tmp_t, setroubleshoot_tmp_t)
++files_tmp_filetrans(setroubleshootd_t, setroubleshoot_tmp_t, { file dir })
++allow setroubleshootd_t setroubleshoot_tmp_t:file mmap_file_perms;
++
++manage_files_pattern(setroubleshootd_t, setroubleshoot_tmpfs_t, setroubleshoot_tmpfs_t)
++manage_dirs_pattern(setroubleshootd_t, setroubleshoot_tmpfs_t, setroubleshoot_tmpfs_t)
++fs_tmpfs_filetrans(setroubleshootd_t, setroubleshoot_tmpfs_t, { file dir })
++allow setroubleshootd_t setroubleshoot_tmpfs_t:file mmap_file_perms;
++
+# database files
+allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr;
manage_files_pattern(setroubleshootd_t, setroubleshoot_var_lib_t, setroubleshoot_var_lib_t)
@@ -96423,7 +96450,12 @@ index ce67935..130eca9 100644
manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
-@@ -55,20 +64,20 @@ kernel_read_net_sysctls(setroubleshootd_t)
+ files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file dir })
+
++
+ kernel_read_kernel_sysctls(setroubleshootd_t)
+ kernel_read_system_state(setroubleshootd_t)
+ kernel_read_net_sysctls(setroubleshootd_t)
kernel_read_network_state(setroubleshootd_t)
kernel_dontaudit_list_all_proc(setroubleshootd_t)
kernel_read_irq_sysctls(setroubleshootd_t)
@@ -96448,7 +96480,7 @@ index ce67935..130eca9 100644
dev_read_urand(setroubleshootd_t)
dev_read_sysfs(setroubleshootd_t)
-@@ -76,10 +85,9 @@ dev_getattr_all_blk_files(setroubleshootd_t)
+@@ -76,10 +103,9 @@ dev_getattr_all_blk_files(setroubleshootd_t)
dev_getattr_all_chr_files(setroubleshootd_t)
dev_getattr_mtrr_dev(setroubleshootd_t)
@@ -96460,7 +96492,7 @@ index ce67935..130eca9 100644
files_list_all(setroubleshootd_t)
files_getattr_all_files(setroubleshootd_t)
files_getattr_all_pipes(setroubleshootd_t)
-@@ -109,27 +117,24 @@ init_read_utmp(setroubleshootd_t)
+@@ -109,27 +135,24 @@ init_read_utmp(setroubleshootd_t)
init_dontaudit_write_utmp(setroubleshootd_t)
libs_exec_ld_so(setroubleshootd_t)
@@ -96493,7 +96525,7 @@ index ce67935..130eca9 100644
')
optional_policy(`
-@@ -137,10 +142,18 @@ optional_policy(`
+@@ -137,10 +160,18 @@ optional_policy(`
')
optional_policy(`
@@ -96512,7 +96544,7 @@ index ce67935..130eca9 100644
rpm_exec(setroubleshootd_t)
rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
-@@ -150,26 +163,36 @@ optional_policy(`
+@@ -150,26 +181,36 @@ optional_policy(`
########################################
#
@@ -96551,7 +96583,7 @@ index ce67935..130eca9 100644
files_list_tmp(setroubleshoot_fixit_t)
auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -177,23 +200,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -177,23 +218,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
logging_send_audit_msgs(setroubleshoot_fixit_t)
logging_send_syslog_msg(setroubleshoot_fixit_t)
@@ -108083,7 +108115,7 @@ index a4f20bc..374e8ef 100644
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index facdee8..efe9356 100644
+index facdee8..eae2073 100644
--- a/virt.if
+++ b/virt.if
@@ -1,318 +1,226 @@
@@ -108905,7 +108937,7 @@ index facdee8..efe9356 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -673,107 +534,136 @@ interface(`virt_home_filetrans',`
+@@ -673,54 +534,398 @@ interface(`virt_home_filetrans',`
## </summary>
## </param>
#
@@ -108951,11 +108983,7 @@ index facdee8..efe9356 100644
- allow $1 virt_home_t:sock_file manage_sock_file_perms;
+ dontaudit $1 virt_var_lib_t:file read_inherited_file_perms;
+')
-
-- tunable_policy(`virt_use_nfs',`
-- fs_manage_nfs_dirs($1)
-- fs_manage_nfs_files($1)
-- fs_manage_nfs_symlinks($1)
++
+########################################
+## <summary>
+## Create, read, write, and delete
@@ -108970,60 +108998,42 @@ index facdee8..efe9356 100644
+interface(`virt_manage_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
- ')
-
-- tunable_policy(`virt_use_samba',`
-- fs_manage_cifs_dirs($1)
-- fs_manage_cifs_files($1)
-- fs_manage_cifs_symlinks($1)
-- ')
++ ')
++
+ files_search_var_lib($1)
+ manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
- ')
-
- ########################################
- ## <summary>
--## Relabel virt home content.
++')
++
++########################################
++## <summary>
+## Allow the specified domain to read virt's log files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
+## <rolecap/>
- #
--interface(`virt_relabel_generic_virt_home_content',`
++#
+interface(`virt_read_log',`
- gen_require(`
-- type virt_home_t;
++ gen_require(`
+ type virt_log_t;
- ')
-
-- userdom_search_user_home_dirs($1)
-- allow $1 virt_home_t:dir relabel_dir_perms;
-- allow $1 virt_home_t:file relabel_file_perms;
-- allow $1 virt_home_t:fifo_file relabel_fifo_file_perms;
-- allow $1 virt_home_t:lnk_file relabel_lnk_file_perms;
-- allow $1 virt_home_t:sock_file relabel_sock_file_perms;
++ ')
++
+ logging_search_logs($1)
+ read_files_pattern($1, virt_log_t, virt_log_t)
- ')
-
- ########################################
- ## <summary>
--## Create specified objects in user home
--## directories with the generic virt
--## home type.
++')
++
++########################################
++## <summary>
+## Allow the specified domain to append
+## virt log files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <param name="object_class">
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
+#
+interface(`virt_append_log',`
+ gen_require(`
@@ -109039,12 +109049,10 @@ index facdee8..efe9356 100644
+## Allow domain to manage virt log files
+## </summary>
+## <param name="domain">
- ## <summary>
--## Class of the object being created.
++## <summary>
+## Domain allowed access.
- ## </summary>
- ## </param>
--## <param name="name" optional="true">
++## </summary>
++## </param>
+#
+interface(`virt_manage_log',`
+ gen_require(`
@@ -109061,70 +109069,55 @@ index facdee8..efe9356 100644
+## Allow domain to getattr virt image direcories
+## </summary>
+## <param name="domain">
- ## <summary>
--## The name of the object being created.
++## <summary>
+## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`virt_home_filetrans_virt_home',`
++## </summary>
++## </param>
++#
+interface(`virt_getattr_images',`
- gen_require(`
-- type virt_home_t;
++ gen_require(`
+ attribute virt_image_type;
- ')
-
-- userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3)
++ ')
++
+ virt_search_lib($1)
+ allow $1 virt_image_type:file getattr_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Read virt pid files.
++')
++
++########################################
++## <summary>
+## Allow domain to search virt image direcories
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -781,19 +671,18 @@ interface(`virt_home_filetrans_virt_home',`
- ## </summary>
- ## </param>
- #
--interface(`virt_read_pid_files',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`virt_search_images',`
- gen_require(`
-- type virt_var_run_t;
++ gen_require(`
+ attribute virt_image_type;
- ')
-
-- files_search_pids($1)
-- read_files_pattern($1, virt_var_run_t, virt_var_run_t)
++ ')
++
+ virt_search_lib($1)
+ allow $1 virt_image_type:dir search_dir_perms;
- ')
-
- ########################################
- ## <summary>
--## Create, read, write, and delete
--## virt pid files.
++')
++
++########################################
++## <summary>
+## Allow domain to read virt image files
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -801,18 +690,36 @@ interface(`virt_read_pid_files',`
- ## </summary>
- ## </param>
- #
--interface(`virt_manage_pid_files',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`virt_read_images',`
- gen_require(`
-- type virt_var_run_t;
++ gen_require(`
+ type virt_var_lib_t;
+ attribute virt_image_type;
- ')
-
-- files_search_pids($1)
-- manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
++ ')
++
+ virt_search_lib($1)
+ allow $1 virt_image_type:dir list_dir_perms;
+ list_dirs_pattern($1, virt_image_type, virt_image_type)
@@ -109132,8 +109125,11 @@ index facdee8..efe9356 100644
+ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+ read_blk_files_pattern($1, virt_image_type, virt_image_type)
+ read_chr_files_pattern($1, virt_image_type, virt_image_type)
-+
-+ tunable_policy(`virt_use_nfs',`
+
+ tunable_policy(`virt_use_nfs',`
+- fs_manage_nfs_dirs($1)
+- fs_manage_nfs_files($1)
+- fs_manage_nfs_symlinks($1)
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ fs_read_nfs_symlinks($1)
@@ -109144,68 +109140,55 @@ index facdee8..efe9356 100644
+ fs_read_cifs_files($1)
+ fs_read_cifs_symlinks($1)
+ ')
- ')
-
- ########################################
- ## <summary>
--## Search virt lib directories.
++')
++
++########################################
++## <summary>
+## Allow domain to read virt blk image files
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -820,18 +727,17 @@ interface(`virt_manage_pid_files',`
- ## </summary>
- ## </param>
- #
--interface(`virt_search_lib',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`virt_read_blk_images',`
- gen_require(`
-- type virt_var_lib_t;
++ gen_require(`
+ attribute virt_image_type;
- ')
-
-- files_search_var_lib($1)
-- allow $1 virt_var_lib_t:dir search_dir_perms;
++ ')
++
+ read_blk_files_pattern($1, virt_image_type, virt_image_type)
- ')
-
- ########################################
- ## <summary>
--## Read virt lib files.
++')
++
++########################################
++## <summary>
+## Allow domain to read/write virt image chr files
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -839,20 +745,18 @@ interface(`virt_search_lib',`
- ## </summary>
- ## </param>
- #
--interface(`virt_read_lib_files',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`virt_rw_chr_files',`
- gen_require(`
-- type virt_var_lib_t;
++ gen_require(`
+ attribute virt_image_type;
- ')
-
-- files_search_var_lib($1)
-- read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
-- read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
++ ')
++
+ rw_chr_files_pattern($1, virt_image_type, virt_image_type)
- ')
-
- ########################################
- ## <summary>
- ## Create, read, write, and delete
--## virt lib files.
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete
+## svirt cache files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -860,94 +764,267 @@ interface(`virt_read_lib_files',`
- ## </summary>
- ## </param>
- #
--interface(`virt_manage_lib_files',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`virt_manage_cache',`
+ gen_require(`
+ type virt_cache_t;
@@ -109228,13 +109211,11 @@ index facdee8..efe9356 100644
+## </param>
+#
+interface(`virt_manage_images',`
- gen_require(`
- type virt_var_lib_t;
++ gen_require(`
++ type virt_var_lib_t;
+ attribute virt_image_type;
- ')
-
-- files_search_var_lib($1)
-- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
++ ')
++
+ virt_search_lib($1)
+ allow $1 virt_image_type:dir list_dir_perms;
+ manage_dirs_pattern($1, virt_image_type, virt_image_type)
@@ -109288,12 +109269,10 @@ index facdee8..efe9356 100644
+ allow $1 virtd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, virtd_t)
- ')
-
- ########################################
- ## <summary>
--## Create objects in virt pid
--## directories with a private type.
++')
++
++########################################
++## <summary>
+## Ptrace the svirt domain
+## </summary>
+## <param name="domain">
@@ -109331,13 +109310,12 @@ index facdee8..efe9356 100644
+#######################################
+## <summary>
+## Manage Sandbox Files
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <param name="private type">
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
+#
+interface(`virt_manage_sandbox_files',`
+ gen_require(`
@@ -109357,98 +109335,109 @@ index facdee8..efe9356 100644
+## Relabel Sandbox File systems
+## </summary>
+## <param name="domain">
- ## <summary>
--## The type of the object to be created.
++## <summary>
+## Domain allowed access.
- ## </summary>
- ## </param>
--## <param name="object">
++## </summary>
++## </param>
+#
+interface(`virt_relabel_sandbox_filesystem',`
+ gen_require(`
+ type svirt_sandbox_file_t;
-+ ')
-+
+ ')
+
+- tunable_policy(`virt_use_samba',`
+- fs_manage_cifs_dirs($1)
+- fs_manage_cifs_files($1)
+- fs_manage_cifs_symlinks($1)
+- ')
+ allow $1 svirt_sandbox_file_t:filesystem { relabelfrom relabelto };
-+')
-+
+ ')
+
+-########################################
+#######################################
-+## <summary>
+ ## <summary>
+-## Relabel virt home content.
+## Mounton Sandbox Files
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
## <summary>
--## The object class of the object being created.
-+## Domain allowed access.
+@@ -728,72 +933,98 @@ interface(`virt_manage_generic_virt_home_content',`
## </summary>
## </param>
--## <param name="name" optional="true">
-+#
+ #
+-interface(`virt_relabel_generic_virt_home_content',`
+interface(`virt_mounton_sandbox_file',`
-+ gen_require(`
+ gen_require(`
+- type virt_home_t;
+ type svirt_sandbox_file_t;
-+ ')
-+
+ ')
+
+- userdom_search_user_home_dirs($1)
+- allow $1 virt_home_t:dir relabel_dir_perms;
+- allow $1 virt_home_t:file relabel_file_perms;
+- allow $1 virt_home_t:fifo_file relabel_fifo_file_perms;
+- allow $1 virt_home_t:lnk_file relabel_lnk_file_perms;
+- allow $1 virt_home_t:sock_file relabel_sock_file_perms;
+ allow $1 svirt_sandbox_file_t:dir_file_class_set mounton;
-+')
-+
+ ')
+
+-########################################
+#######################################
-+## <summary>
+ ## <summary>
+-## Create specified objects in user home
+-## directories with the generic virt
+-## home type.
+## Connect to virt over a unix domain stream socket.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
## <summary>
--## The name of the object being created.
-+## Domain allowed access.
+ ## Domain allowed access.
## </summary>
## </param>
--## <infoflow type="write" weight="10"/>
- #
--interface(`virt_pid_filetrans',`
+-## <param name="object_class">
++#
+interface(`virt_stream_connect_sandbox',`
- gen_require(`
-- type virt_var_run_t;
++ gen_require(`
+ attribute svirt_sandbox_domain;
+ type svirt_sandbox_file_t;
- ')
-
- files_search_pids($1)
-- filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
++ ')
++
++ files_search_pids($1)
+ stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain)
+ ps_process_pattern(svirt_sandbox_domain, $1)
- ')
-
- ########################################
- ## <summary>
--## Read virt log files.
++')
++
++########################################
++## <summary>
+## Execute qemu in the svirt domain, and
+## allow the specified role the svirt domain.
- ## </summary>
- ## <param name="domain">
++## </summary>
++## <param name="domain">
## <summary>
--## Domain allowed access.
+-## Class of the object being created.
+## Domain allowed access
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+-## <param name="name" optional="true">
+## <param name="role">
-+## <summary>
+ ## <summary>
+-## The name of the object being created.
+## The role to be allowed the sandbox domain.
## </summary>
## </param>
- ## <rolecap/>
++## <rolecap/>
#
--interface(`virt_read_log',`
+-interface(`virt_home_filetrans_virt_home',`
+interface(`virt_transition_svirt',`
gen_require(`
-- type virt_log_t;
+- type virt_home_t;
+ attribute virt_domain;
+ type virt_bridgehelper_t;
+ type svirt_image_t;
+ type svirt_socket_t;
')
-- logging_search_logs($1)
-- read_files_pattern($1, virt_log_t, virt_log_t)
+- userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3)
+ allow $1 virt_domain:process transition;
+ role $2 types virt_domain;
+ role $2 types virt_bridgehelper_t;
@@ -109467,7 +109456,7 @@ index facdee8..efe9356 100644
########################################
## <summary>
--## Append virt log files.
+-## Read virt pid files.
+## Do not audit attempts to write virt daemon unnamed pipes.
## </summary>
## <param name="domain">
@@ -109477,15 +109466,15 @@ index facdee8..efe9356 100644
## </summary>
## </param>
#
--interface(`virt_append_log',`
+-interface(`virt_read_pid_files',`
+interface(`virt_dontaudit_write_pipes',`
gen_require(`
-- type virt_log_t;
+- type virt_var_run_t;
+ type virtd_t;
')
-- logging_search_logs($1)
-- append_files_pattern($1, virt_log_t, virt_log_t)
+- files_search_pids($1)
+- read_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ dontaudit $1 virtd_t:fd use;
+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
')
@@ -109493,219 +109482,230 @@ index facdee8..efe9356 100644
########################################
## <summary>
-## Create, read, write, and delete
--## virt log files.
+-## virt pid files.
+## Send a sigkill to virtual machines
## </summary>
## <param name="domain">
## <summary>
-@@ -955,20 +1032,17 @@ interface(`virt_append_log',`
+@@ -801,18 +1032,17 @@ interface(`virt_read_pid_files',`
## </summary>
## </param>
#
--interface(`virt_manage_log',`
+-interface(`virt_manage_pid_files',`
+interface(`virt_kill_svirt',`
gen_require(`
-- type virt_log_t;
+- type virt_var_run_t;
+ attribute virt_domain;
')
-- logging_search_logs($1)
-- manage_dirs_pattern($1, virt_log_t, virt_log_t)
-- manage_files_pattern($1, virt_log_t, virt_log_t)
-- manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
+- files_search_pids($1)
+- manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ allow $1 virt_domain:process sigkill;
')
########################################
## <summary>
--## Search virt image directories.
+-## Search virt lib directories.
+## Send a sigkill to virtd daemon.
## </summary>
## <param name="domain">
## <summary>
-@@ -976,18 +1050,17 @@ interface(`virt_manage_log',`
+@@ -820,18 +1050,17 @@ interface(`virt_manage_pid_files',`
## </summary>
## </param>
#
--interface(`virt_search_images',`
+-interface(`virt_search_lib',`
+interface(`virt_kill',`
gen_require(`
-- attribute virt_image_type;
+- type virt_var_lib_t;
+ type virtd_t;
')
-- virt_search_lib($1)
-- allow $1 virt_image_type:dir search_dir_perms;
+- files_search_var_lib($1)
+- allow $1 virt_var_lib_t:dir search_dir_perms;
+ allow $1 virtd_t:process sigkill;
')
########################################
## <summary>
--## Read virt image files.
+-## Read virt lib files.
+## Send a signal to virtd daemon.
## </summary>
## <param name="domain">
## <summary>
-@@ -995,36 +1068,35 @@ interface(`virt_search_images',`
+@@ -839,20 +1068,17 @@ interface(`virt_search_lib',`
## </summary>
## </param>
#
--interface(`virt_read_images',`
+-interface(`virt_read_lib_files',`
+interface(`virt_signal',`
gen_require(`
- type virt_var_lib_t;
-- attribute virt_image_type;
+ type virtd_t;
')
-- virt_search_lib($1)
-- allow $1 virt_image_type:dir list_dir_perms;
-- list_dirs_pattern($1, virt_image_type, virt_image_type)
-- read_files_pattern($1, virt_image_type, virt_image_type)
-- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
-- read_blk_files_pattern($1, virt_image_type, virt_image_type)
+- files_search_var_lib($1)
+- read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+- read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+ allow $1 virtd_t:process signal;
-+')
+ ')
-- tunable_policy(`virt_use_nfs',`
-- fs_list_nfs($1)
-- fs_read_nfs_files($1)
-- fs_read_nfs_symlinks($1)
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## virt lib files.
+## Send null signal to virtd daemon.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -860,94 +1086,93 @@ interface(`virt_read_lib_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_manage_lib_files',`
+interface(`virt_signull',`
-+ gen_require(`
+ gen_require(`
+- type virt_var_lib_t;
+ type virtd_t;
')
-- tunable_policy(`virt_use_samba',`
-- fs_list_cifs($1)
-- fs_read_cifs_files($1)
-- fs_read_cifs_symlinks($1)
-- ')
+- files_search_var_lib($1)
+- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+ allow $1 virtd_t:process signull;
')
########################################
## <summary>
--## Read and write all virt image
--## character files.
+-## Create objects in virt pid
+-## directories with a private type.
+## Send a signal to virtual machines
## </summary>
## <param name="domain">
## <summary>
-@@ -1032,20 +1104,17 @@ interface(`virt_read_images',`
+ ## Domain allowed access.
## </summary>
## </param>
- #
--interface(`virt_rw_all_image_chr_files',`
+-## <param name="private type">
+-## <summary>
+-## The type of the object to be created.
+-## </summary>
+-## </param>
+-## <param name="object">
+-## <summary>
+-## The object class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
++#
+interface(`virt_signal_svirt',`
- gen_require(`
-- attribute virt_image_type;
++ gen_require(`
+ attribute virt_domain;
- ')
-
-- virt_search_lib($1)
-- allow $1 virt_image_type:dir list_dir_perms;
-- rw_chr_files_pattern($1, virt_image_type, virt_image_type)
++ ')
++
+ allow $1 virt_domain:process signal;
- ')
-
- ########################################
- ## <summary>
--## Create, read, write, and delete
--## svirt cache files.
++')
++
++########################################
++## <summary>
+## Manage virt home files.
- ## </summary>
- ## <param name="domain">
++## </summary>
++## <param name="domain">
## <summary>
-@@ -1053,15 +1122,57 @@ interface(`virt_rw_all_image_chr_files',`
+-## The name of the object being created.
++## Domain allowed access.
## </summary>
## </param>
+-## <infoflow type="write" weight="10"/>
#
--interface(`virt_manage_svirt_cache',`
-- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
-- virt_manage_virt_cache($1)
+-interface(`virt_pid_filetrans',`
+interface(`virt_manage_home_files',`
-+ gen_require(`
+ gen_require(`
+- type virt_var_run_t;
+ type virt_home_t;
-+ ')
-+
+ ')
+
+- files_search_pids($1)
+- filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, virt_home_t, virt_home_t)
')
########################################
## <summary>
--## Create, read, write, and delete
--## virt cache content.
+-## Read virt log files.
+## allow domain to read
+## virt tmpfs files
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain allowed access
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`virt_read_log',`
+interface(`virt_read_tmpfs_files',`
-+ gen_require(`
+ gen_require(`
+- type virt_log_t;
+ attribute virt_tmpfs_type;
-+ ')
-+
+ ')
+
+- logging_search_logs($1)
+- read_files_pattern($1, virt_log_t, virt_log_t)
+ allow $1 virt_tmpfs_type:file read_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Append virt log files.
+## allow domain to manage
+## virt tmpfs files
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain allowed access
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_append_log',`
+interface(`virt_manage_tmpfs_files',`
-+ gen_require(`
+ gen_require(`
+- type virt_log_t;
+ attribute virt_tmpfs_type;
-+ ')
-+
+ ')
+
+- logging_search_logs($1)
+- append_files_pattern($1, virt_log_t, virt_log_t)
+ allow $1 virt_tmpfs_type:file manage_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## virt log files.
+## Create .virt directory in the user home directory
+## with an correct label.
## </summary>
## <param name="domain">
## <summary>
-@@ -1069,21 +1180,29 @@ interface(`virt_manage_svirt_cache',`
+@@ -955,20 +1180,29 @@ interface(`virt_append_log',`
## </summary>
## </param>
#
--interface(`virt_manage_virt_cache',`
+-interface(`virt_manage_log',`
+interface(`virt_filetrans_home_content',`
gen_require(`
-- type virt_cache_t;
+- type virt_log_t;
+ type virt_home_t;
+ type svirt_home_t;
')
-- files_search_var($1)
-- manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
-- manage_files_pattern($1, virt_cache_t, virt_cache_t)
-- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
+- logging_search_logs($1)
+- manage_dirs_pattern($1, virt_log_t, virt_log_t)
+- manage_files_pattern($1, virt_log_t, virt_log_t)
+- manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
@@ -109722,63 +109722,65 @@ index facdee8..efe9356 100644
########################################
## <summary>
--## Create, read, write, and delete
--## virt image files.
+-## Search virt image directories.
+## Dontaudit attempts to Read virt_image_type devices.
## </summary>
## <param name="domain">
## <summary>
-@@ -1091,36 +1210,188 @@ interface(`virt_manage_virt_cache',`
+@@ -976,92 +1210,133 @@ interface(`virt_manage_log',`
## </summary>
## </param>
#
--interface(`virt_manage_images',`
+-interface(`virt_search_images',`
+interface(`virt_dontaudit_read_chr_dev',`
gen_require(`
-- type virt_var_lib_t;
attribute virt_image_type;
')
- virt_search_lib($1)
-- allow $1 virt_image_type:dir list_dir_perms;
-- manage_dirs_pattern($1, virt_image_type, virt_image_type)
-- manage_files_pattern($1, virt_image_type, virt_image_type)
-- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
-- rw_blk_files_pattern($1, virt_image_type, virt_image_type)
+- allow $1 virt_image_type:dir search_dir_perms;
+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
-+')
+ ')
-- tunable_policy(`virt_use_nfs',`
-- fs_manage_nfs_dirs($1)
-- fs_manage_nfs_files($1)
-- fs_read_nfs_symlinks($1)
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-## Read virt image files.
+## Creates types and rules for a basic
+## virt_lxc process domain.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
+## <param name="prefix">
-+## <summary>
+ ## <summary>
+-## Domain allowed access.
+## Prefix for the domain.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_read_images',`
+template(`virt_sandbox_domain_template',`
-+ gen_require(`
+ gen_require(`
+- type virt_var_lib_t;
+- attribute virt_image_type;
+ attribute svirt_sandbox_domain;
')
-- tunable_policy(`virt_use_samba',`
-- fs_manage_cifs_files($1)
-- fs_manage_cifs_files($1)
-- fs_read_cifs_symlinks($1)
+- virt_search_lib($1)
+- allow $1 virt_image_type:dir list_dir_perms;
+- list_dirs_pattern($1, virt_image_type, virt_image_type)
+- read_files_pattern($1, virt_image_type, virt_image_type)
+- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+- read_blk_files_pattern($1, virt_image_type, virt_image_type)
+ type $1_t, svirt_sandbox_domain;
+ domain_type($1_t)
+ domain_user_exemption_target($1_t)
+ mls_rangetrans_target($1_t)
+ mcs_constrained($1_t)
+ role system_r types $1_t;
-+
+
+- tunable_policy(`virt_use_nfs',`
+- fs_list_nfs($1)
+- fs_read_nfs_files($1)
+- fs_read_nfs_symlinks($1)
+ logging_send_syslog_msg($1_t)
+
+ kernel_read_system_state($1_t)
@@ -109797,8 +109799,12 @@ index facdee8..efe9356 100644
+template(`virt_sandbox_domain',`
+ gen_require(`
+ attribute svirt_sandbox_domain;
-+ ')
-+
+ ')
+
+- tunable_policy(`virt_use_samba',`
+- fs_list_cifs($1)
+- fs_read_cifs_files($1)
+- fs_read_cifs_symlinks($1)
+ typeattribute $1 svirt_sandbox_domain;
+')
+
@@ -109815,49 +109821,63 @@ index facdee8..efe9356 100644
+interface(`virt_exec_qemu',`
+ gen_require(`
+ type qemu_exec_t;
-+ ')
+ ')
+
+ can_exec($1, qemu_exec_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Read and write all virt image
+-## character files.
+## Transition to virt named content
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_rw_all_image_chr_files',`
+interface(`virt_filetrans_named_content',`
-+ gen_require(`
+ gen_require(`
+- attribute virt_image_type;
+ type virt_lxc_var_run_t;
+ type virt_var_run_t;
-+ ')
-+
+ ')
+
+- virt_search_lib($1)
+- allow $1 virt_image_type:dir list_dir_perms;
+- rw_chr_files_pattern($1, virt_image_type, virt_image_type)
+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
+ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
+ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## svirt cache files.
+## Execute qemu in the svirt domain, and
+## allow the specified role the svirt domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the sandbox domain.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+## <rolecap/>
-+#
+ #
+-interface(`virt_manage_svirt_cache',`
+- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
+- virt_manage_virt_cache($1)
+interface(`virt_transition_svirt_sandbox',`
+ gen_require(`
+ attribute svirt_sandbox_domain;
@@ -109870,44 +109890,67 @@ index facdee8..efe9356 100644
+ allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms;
+ allow svirt_sandbox_domain $1:process sigchld;
+ ps_process_pattern($1, svirt_sandbox_domain)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## virt cache content.
+## Read and write to svirt_image devices.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1069,21 +1344,17 @@ interface(`virt_manage_svirt_cache',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_manage_virt_cache',`
+interface(`virt_rw_svirt_dev',`
-+ gen_require(`
+ gen_require(`
+- type virt_cache_t;
+ type svirt_image_t;
-+ ')
-+
+ ')
+
+- files_search_var($1)
+- manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
+- manage_files_pattern($1, virt_cache_t, virt_cache_t)
+- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
+ allow $1 svirt_image_t:chr_file rw_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## virt image files.
+## Read and write to svirt_image devices.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1091,36 +1362,36 @@ interface(`virt_manage_virt_cache',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_manage_images',`
+interface(`virt_rlimitinh',`
-+ gen_require(`
+ gen_require(`
+- type virt_var_lib_t;
+- attribute virt_image_type;
+ type virtd_t;
-+ ')
-+
+ ')
+
+- virt_search_lib($1)
+- allow $1 virt_image_type:dir list_dir_perms;
+- manage_dirs_pattern($1, virt_image_type, virt_image_type)
+- manage_files_pattern($1, virt_image_type, virt_image_type)
+- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+- rw_blk_files_pattern($1, virt_image_type, virt_image_type)
+ allow $1 virtd_t:process { rlimitinh };
+')
-+
+
+- tunable_policy(`virt_use_nfs',`
+- fs_manage_nfs_dirs($1)
+- fs_manage_nfs_files($1)
+- fs_read_nfs_symlinks($1)
+########################################
+## <summary>
+## Read and write to svirt_image devices.
@@ -109922,7 +109965,12 @@ index facdee8..efe9356 100644
+ gen_require(`
+ type virtd_t;
')
-+
+
+- tunable_policy(`virt_use_samba',`
+- fs_manage_cifs_files($1)
+- fs_manage_cifs_files($1)
+- fs_read_cifs_symlinks($1)
+- ')
+ allow $1 virtd_t:process { noatsecure rlimitinh };
')
@@ -109935,7 +109983,7 @@ index facdee8..efe9356 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1136,50 +1407,76 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1407,95 @@ interface(`virt_manage_images',`
#
interface(`virt_admin',`
gen_require(`
@@ -109974,26 +110022,20 @@ index facdee8..efe9356 100644
- fs_search_tmpfs($1)
- admin_pattern($1, virt_tmpfs_type)
--
-- files_search_tmp($1)
-- admin_pattern($1, { virt_tmp_type virt_tmp_t })
--
-- files_search_etc($1)
-- admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
+ allow $1 virt_domain:process signal_perms;
-- logging_search_logs($1)
-- admin_pattern($1, virt_log_t)
+- files_search_tmp($1)
+- admin_pattern($1, { virt_tmp_type virt_tmp_t })
+ admin_pattern($1, virt_file_type)
+ admin_pattern($1, svirt_file_type)
-- files_search_pids($1)
-- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
+- files_search_etc($1)
+- admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
+ virt_systemctl($1)
+ allow $1 virtd_unit_file_t:service all_service_perms;
-- files_search_var($1)
-- admin_pattern($1, svirt_cache_t)
+- logging_search_logs($1)
+- admin_pattern($1, virt_log_t)
+ virt_stream_connect_sandbox($1)
+ virt_stream_connect_svirt($1)
+ virt_stream_connect($1)
@@ -110013,9 +110055,32 @@ index facdee8..efe9356 100644
+ attribute sandbox_caps_domain;
+ ')
+- files_search_pids($1)
+- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
++ typeattribute $1 sandbox_caps_domain;
++')
+
+- files_search_var($1)
+- admin_pattern($1, svirt_cache_t)
++########################################
++## <summary>
++## Allow the domain to read svirt_sandbox_domain state files in /proc.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`virt_sandbox_read_state',`
++ gen_require(`
++ attribute svirt_sandbox_domain;
++ ')
+
- files_search_var_lib($1)
- admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t })
-+ typeattribute $1 sandbox_caps_domain;
++ kernel_search_proc($1)
++ ps_process_pattern($1, svirt_sandbox_domain)
+')
- files_search_locks($1)
@@ -110045,10 +110110,10 @@ index facdee8..efe9356 100644
+ ps_process_pattern(virtd_t, $1)
')
diff --git a/virt.te b/virt.te
-index f03dcf5..a463e77 100644
+index f03dcf5..27c7cb7 100644
--- a/virt.te
+++ b/virt.te
-@@ -1,150 +1,241 @@
+@@ -1,150 +1,248 @@
-policy_module(virt, 1.7.4)
+policy_module(virt, 1.5.0)
@@ -110131,6 +110196,13 @@ index f03dcf5..a463e77 100644
-## can use nfs file systems.
-## </p>
+## <p>
++## Allow sandbox containers manage fuse files
++## </p>
++## </desc>
++gen_tunable(virt_sandbox_use_fusefs, false)
++
++## <desc>
++## <p>
+## Allow confined virtual guests to manage nfs files
+## </p>
## </desc>
@@ -110215,15 +110287,15 @@ index f03dcf5..a463e77 100644
+## </p>
+## </desc>
+gen_tunable(virt_sandbox_use_audit, true)
-+
+
+-attribute svirt_lxc_domain;
+## <desc>
+## <p>
+## Allow sandbox containers to use netlink system calls
+## </p>
+## </desc>
+gen_tunable(virt_sandbox_use_netlink, false)
-
--attribute svirt_lxc_domain;
++
+## <desc>
+## <p>
+## Allow sandbox containers to use sys_admin system calls, for example mount
@@ -110272,10 +110344,10 @@ index f03dcf5..a463e77 100644
+
+virt_domain_template(svirt_tcg)
+role system_r types svirt_tcg_t;
++
++type qemu_exec_t, virt_file_type;
-type virt_cache_t alias svirt_cache_t;
-+type qemu_exec_t, virt_file_type;
-+
+type virt_cache_t alias svirt_cache_t, virt_file_type;
files_type(virt_cache_t)
@@ -110360,7 +110432,7 @@ index f03dcf5..a463e77 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -153,299 +244,135 @@ ifdef(`enable_mls',`
+@@ -153,299 +251,135 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
')
@@ -110625,24 +110697,24 @@ index f03dcf5..a463e77 100644
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
-
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
--
--corenet_udp_sendrecv_generic_if(svirt_t)
--corenet_udp_sendrecv_generic_node(svirt_t)
--corenet_udp_sendrecv_all_ports(svirt_t)
--corenet_udp_bind_generic_node(svirt_t)
+# it was a part of auth_use_nsswitch
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+ corenet_udp_sendrecv_generic_if(svirt_t)
+ corenet_udp_sendrecv_generic_node(svirt_t)
+ corenet_udp_sendrecv_all_ports(svirt_t)
+ corenet_udp_bind_generic_node(svirt_t)
+-
-corenet_all_recvfrom_unlabeled(svirt_t)
-corenet_all_recvfrom_netlabel(svirt_t)
-corenet_tcp_sendrecv_generic_if(svirt_t)
- corenet_udp_sendrecv_generic_if(svirt_t)
+-corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_tcp_sendrecv_generic_node(svirt_t)
- corenet_udp_sendrecv_generic_node(svirt_t)
+-corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_tcp_sendrecv_all_ports(svirt_t)
- corenet_udp_sendrecv_all_ports(svirt_t)
+-corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_tcp_bind_generic_node(svirt_t)
- corenet_udp_bind_generic_node(svirt_t)
+-corenet_udp_bind_generic_node(svirt_t)
-
-corenet_sendrecv_all_server_packets(svirt_t)
corenet_udp_bind_all_ports(svirt_t)
@@ -110738,7 +110810,7 @@ index f03dcf5..a463e77 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +382,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +389,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -110785,7 +110857,7 @@ index f03dcf5..a463e77 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,23 +417,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,23 +424,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -110795,14 +110867,14 @@ index f03dcf5..a463e77 100644
-
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
+-can_exec(virtd_t, virt_tmp_t)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
--can_exec(virtd_t, virt_tmp_t)
--
-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
@@ -110816,7 +110888,7 @@ index f03dcf5..a463e77 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -527,24 +438,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +445,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -110844,7 +110916,7 @@ index f03dcf5..a463e77 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -555,20 +458,26 @@ dev_rw_vhost(virtd_t)
+@@ -555,20 +465,26 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -110875,7 +110947,7 @@ index f03dcf5..a463e77 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_all_fs(virtd_t)
fs_rw_anon_inodefs_files(virtd_t)
-@@ -601,15 +510,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +517,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -110895,7 +110967,7 @@ index f03dcf5..a463e77 100644
selinux_validate_context(virtd_t)
-@@ -620,18 +532,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +539,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -110932,7 +111004,7 @@ index f03dcf5..a463e77 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -640,7 +560,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -640,7 +567,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -110941,7 +111013,7 @@ index f03dcf5..a463e77 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -665,20 +585,12 @@ optional_policy(`
+@@ -665,20 +592,12 @@ optional_policy(`
')
optional_policy(`
@@ -110962,7 +111034,7 @@ index f03dcf5..a463e77 100644
')
optional_policy(`
-@@ -691,20 +603,26 @@ optional_policy(`
+@@ -691,20 +610,26 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -110973,30 +111045,27 @@ index f03dcf5..a463e77 100644
')
optional_policy(`
-- iptables_domtrans(virtd_t)
-- iptables_initrc_domtrans(virtd_t)
-- iptables_manage_config(virtd_t)
+ firewalld_dbus_chat(virtd_t)
++')
++
++optional_policy(`
+ iptables_domtrans(virtd_t)
+ iptables_initrc_domtrans(virtd_t)
++ iptables_systemctl(virtd_t)
++
++ # Manages /etc/sysconfig/system-config-firewall
+ iptables_manage_config(virtd_t)
')
optional_policy(`
- kerberos_read_keytab(virtd_t)
- kerberos_use(virtd_t)
-+ iptables_domtrans(virtd_t)
-+ iptables_initrc_domtrans(virtd_t)
-+ iptables_systemctl(virtd_t)
-+
-+ # Manages /etc/sysconfig/system-config-firewall
-+ iptables_manage_config(virtd_t)
-+')
-+
-+optional_policy(`
+ kerberos_read_keytab(virtd_t)
+ kerberos_use(virtd_t)
')
optional_policy(`
-@@ -712,11 +630,18 @@ optional_policy(`
+@@ -712,11 +637,18 @@ optional_policy(`
')
optional_policy(`
@@ -111015,7 +111084,7 @@ index f03dcf5..a463e77 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
-@@ -727,10 +652,18 @@ optional_policy(`
+@@ -727,10 +659,18 @@ optional_policy(`
')
optional_policy(`
@@ -111034,7 +111103,7 @@ index f03dcf5..a463e77 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -746,44 +679,277 @@ optional_policy(`
+@@ -746,44 +686,277 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@@ -111088,14 +111157,15 @@ index f03dcf5..a463e77 100644
+manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
-+
-+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
-+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
-+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
++manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
++manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
++files_var_filetrans(virt_domain, virt_cache_t, { file dir })
+
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
+
+manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@@ -111127,15 +111197,14 @@ index f03dcf5..a463e77 100644
+
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
--dontaudit virsh_t virt_var_lib_t:file read_file_perms;
-+dontaudit virt_domain virt_tmpfs_type:file { read write };
-
-allow virsh_t svirt_lxc_domain:process transition;
-+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
++dontaudit virt_domain virt_tmpfs_type:file { read write };
-can_exec(virsh_t, virsh_exec_t)
++append_files_pattern(virt_domain, virt_log_t, virt_log_t)
++
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-
++
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
+
@@ -111280,7 +111349,7 @@ index f03dcf5..a463e77 100644
+ xserver_stream_connect(virt_domain)
+ ')
+')
-+
+
+########################################
+#
+# xm local policy
@@ -111334,7 +111403,7 @@ index f03dcf5..a463e77 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +960,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +967,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -111361,7 +111430,7 @@ index f03dcf5..a463e77 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +980,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +987,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -111378,10 +111447,10 @@ index f03dcf5..a463e77 100644
-logging_send_syslog_msg(virsh_t)
+systemd_exec_systemctl(virsh_t)
++
++auth_read_passwd(virsh_t)
-miscfiles_read_localization(virsh_t)
-+auth_read_passwd(virsh_t)
-+
+logging_send_syslog_msg(virsh_t)
sysnet_dns_name_resolve(virsh_t)
@@ -111395,7 +111464,7 @@ index f03dcf5..a463e77 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1017,20 @@ optional_policy(`
+@@ -856,14 +1024,20 @@ optional_policy(`
')
optional_policy(`
@@ -111417,7 +111486,7 @@ index f03dcf5..a463e77 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1055,65 @@ optional_policy(`
+@@ -888,49 +1062,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -111501,7 +111570,7 @@ index f03dcf5..a463e77 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1125,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1132,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -111521,7 +111590,7 @@ index f03dcf5..a463e77 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1146,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1153,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -111545,7 +111614,7 @@ index f03dcf5..a463e77 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1171,326 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1178,343 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -111561,13 +111630,17 @@ index f03dcf5..a463e77 100644
+optional_policy(`
+ dbus_system_bus_client(virtd_lxc_t)
+ init_dbus_chat(virtd_lxc_t)
-
--miscfiles_read_localization(virtd_lxc_t)
++
+ optional_policy(`
+ hal_dbus_chat(virtd_lxc_t)
+ ')
+')
+-miscfiles_read_localization(virtd_lxc_t)
++optional_policy(`
++ docker_exec_lib(virtd_lxc_t)
++')
+
-seutil_domtrans_setfiles(virtd_lxc_t)
-seutil_read_config(virtd_lxc_t)
-seutil_read_default_contexts(virtd_lxc_t)
@@ -111644,6 +111717,9 @@ index f03dcf5..a463e77 100644
+
+corecmd_exec_all_executables(svirt_sandbox_domain)
+
++domain_dontaudit_link_all_domains_keyrings(svirt_sandbox_domain)
++domain_dontaudit_search_all_domains_keyrings(svirt_sandbox_domain)
++
+files_dontaudit_getattr_all_dirs(svirt_sandbox_domain)
+files_dontaudit_getattr_all_files(svirt_sandbox_domain)
+files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
@@ -111667,6 +111743,9 @@ index f03dcf5..a463e77 100644
+fs_read_fusefs_files(svirt_sandbox_domain)
+fs_read_hugetlbfs_files(svirt_sandbox_domain)
+fs_read_tmpfs_symlinks(svirt_sandbox_domain)
++fs_list_tmpfs(svirt_sandbox_domain)
++fs_rw_hugetlbfs_files(svirt_sandbox_domain)
++
+
+auth_dontaudit_read_passwd(svirt_sandbox_domain)
+auth_dontaudit_read_login_records(svirt_sandbox_domain)
@@ -111695,18 +111774,6 @@ index f03dcf5..a463e77 100644
+ apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain)
+')
-+
-+optional_policy(`
-+ gear_read_pid_files(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
-+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
-+ ssh_use_ptys(svirt_sandbox_domain)
-+')
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -111791,6 +111858,18 @@ index f03dcf5..a463e77 100644
-
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
++ gear_read_pid_files(svirt_sandbox_domain)
++')
++
++optional_policy(`
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++')
++
++optional_policy(`
++ ssh_use_ptys(svirt_sandbox_domain)
++')
++
++optional_policy(`
+ udev_read_pid_files(svirt_sandbox_domain)
+')
@@ -111811,15 +111890,22 @@ index f03dcf5..a463e77 100644
+ fs_manage_cifs_dirs(svirt_sandbox_domain)
+ fs_manage_cifs_named_sockets(svirt_sandbox_domain)
+ fs_manage_cifs_symlinks(svirt_sandbox_domain)
++')
++
++tunable_policy(`virt_sandbox_use_fusefs',`
++ fs_manage_fusefs_dirs(svirt_sandbox_domain)
++ fs_manage_fusefs_files(svirt_sandbox_domain)
++ fs_manage_fusefs_symlinks(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
-+ #docker_read_share_files(svirt_sandbox_domain)
-+ #docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
-+ #docker_use_ptys(svirt_sandbox_domain)
-+ #docker_spc_stream_connect(svirt_sandbox_domain)
++ docker_read_share_files(svirt_sandbox_domain)
++ docker_exec_share_files(svirt_sandbox_domain)
++ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
++ docker_use_ptys(svirt_sandbox_domain)
++ docker_spc_stream_connect(svirt_sandbox_domain)
+ fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
+ dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)
')
@@ -111978,13 +112064,13 @@ index f03dcf5..a463e77 100644
+dev_read_urand(svirt_qemu_net_t)
+
+files_read_kernel_modules(svirt_qemu_net_t)
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+fs_noxattr_type(svirt_sandbox_file_t)
+fs_mount_cgroup(svirt_qemu_net_t)
+fs_manage_cgroup_dirs(svirt_qemu_net_t)
+fs_manage_cgroup_files(svirt_qemu_net_t)
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+term_pty(svirt_sandbox_file_t)
+
+auth_use_nsswitch(svirt_qemu_net_t)
@@ -112013,7 +112099,7 @@ index f03dcf5..a463e77 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1503,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1527,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -112028,7 +112114,7 @@ index f03dcf5..a463e77 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,9 +1521,8 @@ optional_policy(`
+@@ -1192,9 +1545,8 @@ optional_policy(`
########################################
#
@@ -112039,7 +112125,7 @@ index f03dcf5..a463e77 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1205,7 +1533,247 @@ manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
+@@ -1205,7 +1557,247 @@ manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
kernel_read_network_state(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index af968db..b17df2e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 155%{?dist}
+Release: 156%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -661,6 +661,21 @@ exit 0
%endif
%changelog
+* Tue Oct 27 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-156
+- Allow fail2ban-client to execute ldconfig. #1268715
+- Add interface virt_sandbox_domain()
+- Use mmap_file_perms instead of exec_file_perms in setroubleshoot policy to shave off the execute_no_trans permission. Based on a github communication with Dominick Grift.
+-all userdom_dontaudit_user_getattr_tmp_sockets instead() of usedom_dontaudit_user_getattr_tmp_sockets().
+- Rename usedom_dontaudit_user_getattr_tmp_sockets() to userdom_dontaudit_user_getattr_tmp_sockets().
+- Remove auth_login_pgm_domain(init_t) which has been added by accident.
+- init_t needs to able to change SELinux identity because it is used as login_pgm domain because of systemd-user and PAM. It allows security_compute_user() returns a list of possible context and then a correct default label is returned by "selinux.get_default_context(sel_user,fromcon)" defined in the policy user config files.
+- Add interface auth_use_nsswitch() to systemd_domain_template.
+- Revert "auth_use_nsswitch can be used with attribute systemd_domain."
+- auth_use_nsswitch can be used with attribute systemd_domain.
+- ipsec: fix stringSwan charon-nm
+- docker is communicating with systemd-machined
+- Add missing systemd_dbus_chat_machined, needed by docker
+
* Tue Oct 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-155
- Build including docker selinux interfaces.