diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 82592d1..41fc4ea 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 20807f6..fdcf930 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -10083,7 +10083,7 @@ index 6a1e4d1..26e5558 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..e9c1427 100644
+index cf04cb5..549d218 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -10236,7 +10236,7 @@ index cf04cb5..e9c1427 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +242,369 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +242,373 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -10260,9 +10260,9 @@ index cf04cb5..e9c1427 100644
 +    fstools_filetrans_named_content_fsadm(named_filetrans_domain)
 +')
 +
-+#optional_policy(`
-+#    docker_filetrans_named_content(named_filetrans_domain)
-+#')
++optional_policy(`
++    docker_filetrans_named_content(named_filetrans_domain)
++')
 +
 +optional_policy(`
 +	locallogin_filetrans_home_content(named_filetrans_domain)
@@ -10604,6 +10604,10 @@ index cf04cb5..e9c1427 100644
 +')
 +
 +optional_policy(`
++    docker_spc_stream_connect(domain)
++')
++
++optional_policy(`
 +	unconfined_server_stream_connect(domain)
 +')
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
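Review bot: `docker_spc_stream_connect(domain)` is granted to the `domain` attribute, i.e. every process domain on the system including unprivileged user domains and network-facing daemons; if the interface grants connectto on the super-privileged-container socket (not visible here, inferred from the name), a compromised confined service gains a channel to a process that runs with host-level privilege. The neighbouring `unconfined_server_stream_connect(domain)` is a precedent, but that does not make a second system-wide grant free. Scope the call to the domains that actually need it, or wrap it in a boolean declared with gen_tunable that defaults to off, and add a comment above the optional_policy block naming the use case that motivated a grant to all of `domain`. The enclosing domain.te section continues outside the hunk.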
@@ -22103,7 +22107,7 @@ index 234a940..a92415a 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 0fef1fc..eb39093 100644
+index 0fef1fc..008545e 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,72 @@ policy_module(staff, 2.4.0)
@@ -22206,10 +22210,11 @@ index 0fef1fc..eb39093 100644
  	dbadm_role_change(staff_r)
  ')
  
-+#optional_policy(`
-+#    docker_stream_connect(staff_t)
-+#    docker_exec(staff_t)
-+#')
+ optional_policy(`
+-	git_role(staff_r, staff_t)
++    docker_stream_connect(staff_t)
++    docker_exec(staff_t)
++')
 +
 +optional_policy(`
 +	dnsmasq_read_pid_files(staff_t)
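Review bot: enabling `docker_stream_connect(staff_t)` and `docker_exec(staff_t)` unconditionally gives every staff_t user a channel to the docker daemon, and a client that can talk to dockerd can generally start a container with host paths mounted, so this is close to handing staff_r root on the host regardless of what the rest of the staff policy confines. The block was previously commented out and nothing in the hunk records why it is now considered safe. Gate it behind a boolean (declared with gen_tunable, defaulting to false) or confine it to a dedicated docker-admin domain, and put a comment such as `# staff_t may drive dockerd; dockerd access is root-equivalent on the host` above the optional_policy block so the trade-off is visible to the next auditor. The staff.te section continues outside the hunk.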
@@ -22276,8 +22281,7 @@ index 0fef1fc..eb39093 100644
 +	oident_relabel_user_content(staff_t)
 +')
 +
- optional_policy(`
--	git_role(staff_r, staff_t)
++optional_policy(`
 +	mta_role(staff_r, staff_t)
 +')
 +
@@ -26593,7 +26597,7 @@ index 8274418..b3baa75 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..b036584 100644
+index 6bf0ecc..f2bbe7e 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -18,100 +18,36 @@
@@ -27561,8 +27565,8 @@ index 6bf0ecc..b036584 100644
 -	')
 -
 -	dontaudit $1 xdm_tmp_t:sock_file getattr;
-+    refpolicywarn(`$0() has been deprecated, please use usedom_dontaudit_user_getattr_tmp_sockets instead.')
-+    usedom_dontaudit_user_getattr_tmp_sockets($1)
++    refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_user_getattr_tmp_sockets instead.')
++    userdom_dontaudit_user_getattr_tmp_sockets($1)
  ')
  
  ########################################
@@ -33737,7 +33741,7 @@ index 79a45f6..9769b64 100644
 +	read_files_pattern($1, init_var_lib_t, init_var_lib_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..137676e 100644
+index 17eda24..6e6454d 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -33792,7 +33796,7 @@ index 17eda24..137676e 100644
  
  # Mark file type as a daemon run directory
  attribute daemonrundir;
-@@ -35,12 +64,20 @@ attribute daemonrundir;
+@@ -35,12 +64,21 @@ attribute daemonrundir;
  #
  # init_t is the domain of the init process.
  #
@@ -33802,6 +33806,7 @@ index 17eda24..137676e 100644
  domain_type(init_t)
  domain_entry_file(init_t, init_exec_t)
 +domain_role_change_exemption(init_t)
++domain_subj_id_change_exemption(init_t)
  kernel_domtrans_to(init_t, init_exec_t)
  role system_r types init_t;
 +init_initrc_domain(init_t)
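Review bot: `domain_subj_id_change_exemption(init_t)` is added next to the existing role-change exemption with no comment saying which transition needs init to change the SELinux user; this lifts a system-wide constraint for the most privileged domain, so the reason belongs in the policy file. Add a why-comment above the line, e.g. `# init must change SELinux user when spawning per-user services — confirm which unit hits the constraint denial`, or cite the audit denial that motivated it. The init_t declarations continue outside the hunk.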
@@ -33814,7 +33819,7 @@ index 17eda24..137676e 100644
  
  #
  # init_var_run_t is the type for /var/run/shutdown.pid.
-@@ -49,6 +86,15 @@ type init_var_run_t;
+@@ -49,6 +87,15 @@ type init_var_run_t;
  files_pid_file(init_var_run_t)
  
  #
@@ -33830,7 +33835,7 @@ index 17eda24..137676e 100644
  # initctl_t is the type of the named pipe created
  # by init during initialization.  This pipe is used
  # to communicate with init.
-@@ -57,7 +103,7 @@ type initctl_t;
+@@ -57,7 +104,7 @@ type initctl_t;
  files_type(initctl_t)
  mls_trusted_object(initctl_t)
  
@@ -33839,7 +33844,7 @@ index 17eda24..137676e 100644
  type initrc_exec_t, init_script_file_type;
  domain_type(initrc_t)
  domain_entry_file(initrc_t, initrc_exec_t)
-@@ -66,6 +112,7 @@ role system_r types initrc_t;
+@@ -66,6 +113,7 @@ role system_r types initrc_t;
  # of the below init_upstart tunable
  # but this has a typeattribute in it
  corecmd_shell_entry_type(initrc_t)
@@ -33847,7 +33852,7 @@ index 17eda24..137676e 100644
  
  type initrc_devpts_t;
  term_pty(initrc_devpts_t)
-@@ -98,7 +145,11 @@ ifdef(`enable_mls',`
+@@ -98,7 +146,11 @@ ifdef(`enable_mls',`
  #
  
  # Use capabilities. old rule:
@@ -33860,7 +33865,7 @@ index 17eda24..137676e 100644
  # is ~sys_module really needed? observed:
  # sys_boot
  # sys_tty_config
-@@ -108,14 +159,43 @@ allow init_t self:capability ~sys_module;
+@@ -108,14 +160,43 @@ allow init_t self:capability ~sys_module;
  
  allow init_t self:fifo_file rw_fifo_file_perms;
  
@@ -33910,7 +33915,7 @@ index 17eda24..137676e 100644
  
  allow init_t initctl_t:fifo_file manage_fifo_file_perms;
  dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +205,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +206,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
  
  kernel_read_system_state(init_t)
  kernel_share_state(init_t)
@@ -33935,7 +33940,7 @@ index 17eda24..137676e 100644
  
  domain_getpgid_all_domains(init_t)
  domain_kill_all_domains(init_t)
-@@ -139,14 +229,24 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +230,24 @@ domain_signal_all_domains(init_t)
  domain_signull_all_domains(init_t)
  domain_sigstop_all_domains(init_t)
  domain_sigchld_all_domains(init_t)
@@ -33961,7 +33966,7 @@ index 17eda24..137676e 100644
  # file descriptors inherited from the rootfs:
  files_dontaudit_rw_root_files(init_t)
  files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +256,55 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +257,55 @@ fs_list_inotifyfs(init_t)
  fs_write_ramfs_sockets(init_t)
  
  mcs_process_set_categories(init_t)
@@ -34021,7 +34026,7 @@ index 17eda24..137676e 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +313,242 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +314,242 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -34273,7 +34278,7 @@ index 17eda24..137676e 100644
  ')
  
  optional_policy(`
-@@ -216,7 +556,31 @@ optional_policy(`
+@@ -216,7 +557,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34305,7 +34310,7 @@ index 17eda24..137676e 100644
  ')
  
  ########################################
-@@ -225,9 +589,9 @@ optional_policy(`
+@@ -225,9 +590,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -34317,7 +34322,7 @@ index 17eda24..137676e 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -258,12 +622,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +623,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -34334,7 +34339,7 @@ index 17eda24..137676e 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +647,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +648,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -34377,7 +34382,7 @@ index 17eda24..137676e 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +684,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +685,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -34389,7 +34394,7 @@ index 17eda24..137676e 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -313,8 +696,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +697,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -34400,7 +34405,7 @@ index 17eda24..137676e 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -322,8 +707,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +708,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -34410,7 +34415,7 @@ index 17eda24..137676e 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -332,7 +716,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +717,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -34418,7 +34423,7 @@ index 17eda24..137676e 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -340,6 +723,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +724,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -34426,7 +34431,7 @@ index 17eda24..137676e 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -347,14 +731,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +732,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -34444,7 +34449,7 @@ index 17eda24..137676e 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -364,8 +749,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +750,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -34458,7 +34463,7 @@ index 17eda24..137676e 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -375,10 +764,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +765,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -34472,7 +34477,7 @@ index 17eda24..137676e 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -387,8 +777,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +778,10 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -34483,7 +34488,7 @@ index 17eda24..137676e 100644
  
  storage_getattr_fixed_disk_dev(initrc_t)
  storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +790,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +791,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -34491,7 +34496,7 @@ index 17eda24..137676e 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -416,20 +809,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +810,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -34515,7 +34520,7 @@ index 17eda24..137676e 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +842,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +843,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -34523,7 +34528,7 @@ index 17eda24..137676e 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +876,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +877,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -34534,7 +34539,7 @@ index 17eda24..137676e 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -506,7 +900,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +901,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -34543,7 +34548,7 @@ index 17eda24..137676e 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -521,6 +915,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +916,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -34551,7 +34556,7 @@ index 17eda24..137676e 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +936,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +937,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -34559,7 +34564,7 @@ index 17eda24..137676e 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +946,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +947,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -34604,7 +34609,7 @@ index 17eda24..137676e 100644
  	')
  
  	optional_policy(`
-@@ -559,14 +991,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +992,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -34636,7 +34641,7 @@ index 17eda24..137676e 100644
  	')
  ')
  
-@@ -577,6 +1026,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1027,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -34676,7 +34681,7 @@ index 17eda24..137676e 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1071,8 @@ optional_policy(`
+@@ -589,6 +1072,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -34685,7 +34690,7 @@ index 17eda24..137676e 100644
  ')
  
  optional_policy(`
-@@ -610,6 +1094,7 @@ optional_policy(`
+@@ -610,6 +1095,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -34693,7 +34698,7 @@ index 17eda24..137676e 100644
  ')
  
  optional_policy(`
-@@ -626,6 +1111,17 @@ optional_policy(`
+@@ -626,6 +1112,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34711,7 +34716,7 @@ index 17eda24..137676e 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -642,9 +1138,13 @@ optional_policy(`
+@@ -642,9 +1139,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -34725,7 +34730,7 @@ index 17eda24..137676e 100644
  	')
  
  	optional_policy(`
-@@ -657,15 +1157,11 @@ optional_policy(`
+@@ -657,15 +1158,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34743,7 +34748,7 @@ index 17eda24..137676e 100644
  ')
  
  optional_policy(`
-@@ -686,6 +1182,15 @@ optional_policy(`
+@@ -686,6 +1183,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34759,7 +34764,7 @@ index 17eda24..137676e 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -726,6 +1231,7 @@ optional_policy(`
+@@ -726,6 +1232,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -34767,7 +34772,7 @@ index 17eda24..137676e 100644
  ')
  
  optional_policy(`
-@@ -743,7 +1249,13 @@ optional_policy(`
+@@ -743,7 +1250,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34782,7 +34787,7 @@ index 17eda24..137676e 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -766,6 +1278,10 @@ optional_policy(`
+@@ -766,6 +1279,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34793,7 +34798,7 @@ index 17eda24..137676e 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -775,10 +1291,20 @@ optional_policy(`
+@@ -775,10 +1292,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34814,7 +34819,7 @@ index 17eda24..137676e 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -787,6 +1313,10 @@ optional_policy(`
+@@ -787,6 +1314,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34825,7 +34830,7 @@ index 17eda24..137676e 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -808,8 +1338,6 @@ optional_policy(`
+@@ -808,8 +1339,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -34834,7 +34839,7 @@ index 17eda24..137676e 100644
  ')
  
  optional_policy(`
-@@ -818,6 +1346,10 @@ optional_policy(`
+@@ -818,6 +1347,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34845,7 +34850,7 @@ index 17eda24..137676e 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -827,10 +1359,12 @@ optional_policy(`
+@@ -827,10 +1360,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -34858,7 +34863,7 @@ index 17eda24..137676e 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1391,60 @@ optional_policy(`
+@@ -857,21 +1392,60 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34920,7 +34925,7 @@ index 17eda24..137676e 100644
  ')
  
  optional_policy(`
-@@ -887,6 +1460,10 @@ optional_policy(`
+@@ -887,6 +1461,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34931,7 +34936,7 @@ index 17eda24..137676e 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -897,3 +1474,218 @@ optional_policy(`
+@@ -897,3 +1475,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -35428,7 +35433,7 @@ index 0d4c8d3..720ece8 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 312cd04..30cecca 100644
+index 312cd04..8e32ea8 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -35441,7 +35446,7 @@ index 312cd04..30cecca 100644
  type ipsec_mgmt_lock_t;
  files_lock_file(ipsec_mgmt_lock_t)
  
-@@ -67,29 +70,42 @@ type setkey_exec_t;
+@@ -67,29 +70,43 @@ type setkey_exec_t;
  init_system_domain(setkey_t, setkey_exec_t)
  role system_r types setkey_t;
  
@@ -35470,6 +35475,7 @@ index 312cd04..30cecca 100644
 +allow ipsec_t self:netlink_selinux_socket create_socket_perms;
 +allow ipsec_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +allow ipsec_t self:netlink_route_socket { create_netlink_socket_perms write };
++allow ipsec_t self:tun_socket create_socket_perms;
  
  allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
  
@@ -35489,7 +35495,7 @@ index 312cd04..30cecca 100644
  
  manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
  manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
-@@ -110,10 +126,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
+@@ -110,10 +127,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
  allow ipsec_mgmt_t ipsec_t:fd use;
  allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
  allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
@@ -35502,7 +35508,7 @@ index 312cd04..30cecca 100644
  kernel_list_proc(ipsec_t)
  kernel_read_proc_symlinks(ipsec_t)
  # allow pluto to access /proc/net/ipsec_eroute;
-@@ -128,20 +144,22 @@ corecmd_exec_shell(ipsec_t)
+@@ -128,20 +145,24 @@ corecmd_exec_shell(ipsec_t)
  corecmd_exec_bin(ipsec_t)
  
  # Pluto needs network access
@@ -35529,10 +35535,12 @@ index 312cd04..30cecca 100644
  corenet_sendrecv_isakmp_server_packets(ipsec_t)
 +corenet_tcp_connect_http_port(ipsec_t)
 +corenet_tcp_connect_ldap_port(ipsec_t)
++
++corenet_rw_tun_tap_dev(ipsec_t)
  
  dev_read_sysfs(ipsec_t)
  dev_read_rand(ipsec_t)
-@@ -157,24 +175,32 @@ files_dontaudit_search_home(ipsec_t)
+@@ -157,24 +178,32 @@ files_dontaudit_search_home(ipsec_t)
  fs_getattr_all_fs(ipsec_t)
  fs_search_auto_mountpoints(ipsec_t)
  
@@ -35567,7 +35575,21 @@ index 312cd04..30cecca 100644
  	seutil_sigchld_newrole(ipsec_t)
  ')
  
-@@ -187,14 +213,15 @@ optional_policy(`
+@@ -182,19 +211,29 @@ optional_policy(`
+ 	udev_read_db(ipsec_t)
+ ')
+ 
++optional_policy(`
++	dbus_system_bus_client(ipsec_t)
++	dbus_connect_system_bus(ipsec_t)
++
++	optional_policy(`
++		networkmanager_dbus_chat(ipsec_t)
++	')
++')
++
+ ########################################
+ #
  # ipsec_mgmt Local policy
  #
  
@@ -35587,7 +35609,7 @@ index 312cd04..30cecca 100644
  
  allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
  files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
-@@ -208,12 +235,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+@@ -208,12 +247,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
  
  allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
  files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@@ -35603,7 +35625,7 @@ index 312cd04..30cecca 100644
  
  # _realsetup needs to be able to cat /var/run/pluto.pid,
  # run ps on that pid, and delete the file
-@@ -246,6 +275,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +287,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
  kernel_getattr_core_if(ipsec_mgmt_t)
  kernel_getattr_message_if(ipsec_mgmt_t)
  
@@ -35620,7 +35642,7 @@ index 312cd04..30cecca 100644
  files_read_kernel_symbol_table(ipsec_mgmt_t)
  files_getattr_kernel_modules(ipsec_mgmt_t)
  
-@@ -255,6 +294,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +306,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
  corecmd_exec_bin(ipsec_mgmt_t)
  corecmd_exec_shell(ipsec_mgmt_t)
  
@@ -35629,7 +35651,7 @@ index 312cd04..30cecca 100644
  dev_read_rand(ipsec_mgmt_t)
  dev_read_urand(ipsec_mgmt_t)
  
-@@ -269,6 +310,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+@@ -269,6 +322,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
  files_read_etc_files(ipsec_mgmt_t)
  files_exec_etc_files(ipsec_mgmt_t)
  files_read_etc_runtime_files(ipsec_mgmt_t)
@@ -35637,7 +35659,7 @@ index 312cd04..30cecca 100644
  files_read_usr_files(ipsec_mgmt_t)
  files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
  files_dontaudit_getattr_default_files(ipsec_mgmt_t)
-@@ -278,9 +320,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +332,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
  fs_list_tmpfs(ipsec_mgmt_t)
  
  term_use_console(ipsec_mgmt_t)
@@ -35649,7 +35671,7 @@ index 312cd04..30cecca 100644
  
  init_read_utmp(ipsec_mgmt_t)
  init_use_script_ptys(ipsec_mgmt_t)
-@@ -288,17 +331,28 @@ init_exec_script_files(ipsec_mgmt_t)
+@@ -288,17 +343,28 @@ init_exec_script_files(ipsec_mgmt_t)
  init_use_fds(ipsec_mgmt_t)
  init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
  
@@ -35683,7 +35705,7 @@ index 312cd04..30cecca 100644
  
  optional_policy(`
  	consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +376,10 @@ optional_policy(`
+@@ -322,6 +388,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35694,7 +35716,7 @@ index 312cd04..30cecca 100644
  	modutils_domtrans_insmod(ipsec_mgmt_t)
  ')
  
-@@ -335,7 +393,7 @@ optional_policy(`
+@@ -335,7 +405,7 @@ optional_policy(`
  #
  
  allow racoon_t self:capability { net_admin net_bind_service };
@@ -35703,7 +35725,7 @@ index 312cd04..30cecca 100644
  allow racoon_t self:unix_dgram_socket { connect create ioctl write };
  allow racoon_t self:netlink_selinux_socket { bind create read };
  allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +428,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +440,12 @@ kernel_request_load_module(racoon_t)
  corecmd_exec_shell(racoon_t)
  corecmd_exec_bin(racoon_t)
  
@@ -35723,7 +35745,7 @@ index 312cd04..30cecca 100644
  corenet_udp_bind_isakmp_port(racoon_t)
  corenet_udp_bind_ipsecnat_port(racoon_t)
  
-@@ -401,10 +458,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +470,10 @@ locallogin_use_fds(racoon_t)
  logging_send_syslog_msg(racoon_t)
  logging_send_audit_msgs(racoon_t)
  
@@ -35736,7 +35758,7 @@ index 312cd04..30cecca 100644
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +495,8 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +507,8 @@ corenet_setcontext_all_spds(setkey_t)
  
  locallogin_use_fds(setkey_t)
  
@@ -38505,7 +38527,7 @@ index 58bc27f..8f7b119 100644
 +
 +
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 79048c4..14497e9 100644
+index 79048c4..a6a1d12 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
 @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -38737,17 +38759,17 @@ index 79048c4..14497e9 100644
  	bootloader_rw_tmp_files(lvm_t)
  ')
  
-@@ -320,6 +363,10 @@ optional_policy(`
- 	ccs_stream_connect(lvm_t)
+@@ -321,6 +364,10 @@ optional_policy(`
  ')
  
-+#optional_policy(`
-+#    docker_rw_sem(lvm_t)
-+#')
-+
  optional_policy(`
++    docker_rw_sem(lvm_t)
++')
++
++optional_policy(`
  	gpm_dontaudit_getattr_gpmctl(lvm_t)
  ')
+ 
 @@ -333,14 +380,30 @@ optional_policy(`
  ')
  
@@ -43315,10 +43337,10 @@ index 0000000..66b8608
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..4f142e9
+index 0000000..697417b
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1615 @@
+@@ -0,0 +1,1639 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@@ -43342,6 +43364,8 @@ index 0000000..4f142e9
 +    init_daemon_domain($1_t, $1_exec_t)
 +
 +    kernel_read_system_state($1_t)
++
++    auth_use_nsswitch($1_t)
 +')
 +
 +######################################
@@ -44934,12 +44958,34 @@ index 0000000..4f142e9
 +        files_search_var_lib($1)
 +        manage_files_pattern($1, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
 +')
++
++########################################
++## <summary>
++##	Send and receive messages from
++##	systemd machined over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_dbus_chat_machined',`
++	gen_require(`
++		type systemd_machined_t;
++		class dbus send_msg;
++	')
++
++	allow $1 systemd_machined_t:dbus send_msg;
++	allow systemd_machined_t $1:dbus send_msg;
++	ps_process_pattern(systemd_machined_t, $1)
++')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..bf0a5c8
+index 0000000..dde1f34
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,784 @@
+@@ -0,0 +1,780 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
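Review bot: `systemd_dbus_chat_machined` also calls `ps_process_pattern(systemd_machined_t, $1)`, letting machined read the caller's process state, but the `<summary>` only mentions sending and receiving dbus messages, so a caller choosing this interface for bus access will not expect to also expose its /proc entries. Either document the extra grant in the summary (e.g. `Send and receive messages from systemd machined over dbus, and allow machined to read the caller's process state.`) or move the ps_process_pattern call into its own interface so the two grants can be taken independently. The new interface is also tab-indented while the other new interfaces in this file use spaces; pick one. The systemd.if hunk runs on into the systemd.te file header.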
@@ -45141,7 +45187,6 @@ index 0000000..bf0a5c8
 +# /run/user/.*
 +# Actually only have proof of it creating dirs and symlinks (/run/user/$USER/X11/display)
 +auth_manage_var_auth(systemd_logind_t)
-+auth_use_nsswitch(systemd_logind_t)
 +
 +authlogin_read_state(systemd_logind_t)
 +
@@ -45203,7 +45248,7 @@ index 0000000..bf0a5c8
 +# systemd_machined local policy
 +#
 +
-+allow systemd_machined_t self:capability sys_ptrace;
++allow systemd_machined_t self:capability { dac_override setgid sys_admin sys_chroot sys_ptrace };
 +allow systemd_machined_t systemd_unit_file_t:service { status start }; 
 +allow systemd_machined_t self:unix_dgram_socket create_socket_perms;
 +
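Review bot: the machined capability set grows from sys_ptrace to `{ dac_override setgid sys_admin sys_chroot sys_ptrace }` with no comment recording which operation each capability is for; sys_admin and dac_override are broad enough that each should be justified individually. Add a why-comment above the rule, hedged until the denials are confirmed, e.g. `# sys_chroot/sys_admin: entering container namespaces; dac_override: reading container rootfs not owned by machined — confirm against audit log`, and check whether dac_read_search would cover the dac_override case. The machined section continues outside the hunk.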
@@ -45218,6 +45263,8 @@ index 0000000..bf0a5c8
 +init_var_lib_filetrans(systemd_machined_t, systemd_machined_var_lib_t, dir, "machines")
 +
 +kernel_dgram_send(systemd_machined_t)
++# This is a bug, but need for now.
++kernel_read_unlabeled_state(systemd_machined_t)
 +
 +init_dbus_chat(systemd_machined_t)
 +init_status(systemd_machined_t)
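Review bot: `kernel_read_unlabeled_state(systemd_machined_t)` is introduced under the comment `# This is a bug, but need for now.`, which names neither the bug, its tracker, nor the condition under which the rule can go away; a grant to read unlabeled process state is exactly the kind of workaround that becomes permanent. Replace it with a comment that states the symptom and the reference, e.g. `# Workaround: machined reads /proc of container processes that end up unlabeled (bug <id>); drop once <condition>` with the real values filled in. The machined section continues outside the hunk.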
@@ -45232,7 +45279,13 @@ index 0000000..bf0a5c8
 +')
 +
 +optional_policy(`
++	docker_read_share_files(systemd_machined_t)
++	docker_spc_read_state(systemd_machined_t)
++')
++
++optional_policy(`
 +	virt_dbus_chat(systemd_machined_t)
++	virt_sandbox_read_state(systemd_machined_t)
 +')
 +
 +#######################################
@@ -45268,8 +45321,6 @@ index 0000000..bf0a5c8
 +
 +dev_read_sysfs(systemd_networkd_t)
 +
-+auth_use_nsswitch(systemd_networkd_t)
-+
 +logging_send_syslog_msg(systemd_networkd_t)
 +
 +sysnet_manage_config(systemd_networkd_t)
@@ -45312,8 +45363,6 @@ index 0000000..bf0a5c8
 +
 +term_read_console(systemd_passwd_agent_t)
 +
-+auth_use_nsswitch(systemd_passwd_agent_t)
-+
 +init_create_pid_dirs(systemd_passwd_agent_t)
 +init_rw_pipes(systemd_passwd_agent_t)
 +init_read_utmp(systemd_passwd_agent_t)
@@ -45379,7 +45428,6 @@ index 0000000..bf0a5c8
 +auth_relabel_var_auth_dirs(systemd_tmpfiles_t)
 +auth_relabel_login_records(systemd_tmpfiles_t)
 +auth_setattr_login_records(systemd_tmpfiles_t)
-+auth_use_nsswitch(systemd_tmpfiles_t)
 +
 +init_dgram_send(systemd_tmpfiles_t)
 +init_rw_stream_sockets(systemd_tmpfiles_t)
@@ -45458,8 +45506,6 @@ index 0000000..bf0a5c8
 +
 +fs_getattr_cgroup_files(systemd_notify_t)
 +
-+auth_use_nsswitch(systemd_notify_t)
-+
 +init_rw_stream_sockets(systemd_notify_t)
 +
 +optional_policy(`
@@ -45490,8 +45536,6 @@ index 0000000..bf0a5c8
 +# only needs write
 +term_use_generic_ptys(systemd_logger_t)
 +
-+auth_use_nsswitch(systemd_logger_t)
-+
 +# /run/systemd/notify
 +init_write_pid_socket(systemd_logger_t)
 +
@@ -45606,8 +45650,6 @@ index 0000000..bf0a5c8
 +
 +fs_getattr_xattr_fs(systemd_timedated_t)
 +
-+auth_use_nsswitch(systemd_timedated_t)
-+
 +init_dbus_chat(systemd_timedated_t)
 +init_status(systemd_timedated_t)
 +
@@ -47137,7 +47179,7 @@ index db75976..c54480a 100644
 +/var/tmp/hsperfdata_root    gen_context(system_u:object_r:user_tmp_t,s0)
 +
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..48a4886 100644
+index 9dc60c6..b2ad017 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -49167,7 +49209,7 @@ index 9dc60c6..48a4886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1872,17 +2463,151 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1872,17 +2463,167 @@ interface(`userdom_mmap_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -49176,9 +49218,25 @@ index 9dc60c6..48a4886 100644
 -		type user_home_dir_t, user_home_t;
 -	')
 +interface(`usedom_dontaudit_user_getattr_tmp_sockets',`
++    refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.')
++    userdom_getattr_user_tmp_files($1)
++')
++
++########################################
++## <summary>
++##	Dontaudit getattr on user tmp sockets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_dontaudit_user_getattr_tmp_sockets',`
 +    gen_require(`
 +        type user_tmp_t;
 +    ')
++
 +    dontaudit $1 user_tmp_t:sock_file getattr_sock_file_perms;
 +')
 +
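Review bot: The deprecation shim for the misspelled `usedom_dontaudit_user_getattr_tmp_sockets` points callers at the wrong replacement: its refpolicywarn names `userdom_getattr_user_tmp_files()` and the body calls it, which is an allow rule on user_tmp_t files, whereas the interface it supersedes (and the correctly spelled one added directly below) is a dontaudit on user_tmp_t sock_file getattr. Any module still using the old name silently gains real getattr access on user tmp files instead of a no-op audit suppression. Both lines should read `refpolicywarn(`$0($*) has been deprecated, use userdom_dontaudit_user_getattr_tmp_sockets() instead.')` and `userdom_dontaudit_user_getattr_tmp_sockets($1)`. The two added lines also use four-space indentation where the surrounding interfaces use tabs.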
@@ -49238,7 +49296,8 @@ index 9dc60c6..48a4886 100644
 +
 +	dontaudit $1 user_home_t:file setattr_file_perms;
 +')
-+
+ 
+-	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
 +########################################
 +## <summary>
 +##	Set the attributes of all user home directories.
@@ -49274,11 +49333,11 @@ index 9dc60c6..48a4886 100644
 +	')
 +
 +	mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-+	files_search_home($1)
-+')
-+
-+########################################
-+## <summary>
+ 	files_search_home($1)
+ ')
+ 
+ ########################################
+ ## <summary>
 +##	Read user home files.
 +## </summary>
 +## <param name="domain">
@@ -49292,16 +49351,15 @@ index 9dc60c6..48a4886 100644
 +		type user_home_dir_t, user_home_t;
 +		attribute user_home_type;
 +	')
- 
--	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
++
 +	allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
 +	list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type })
 +	read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
- 	files_search_home($1)
- ')
- 
- ########################################
- ## <summary>
++	files_search_home($1)
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to getattr user home files.
 +## </summary>
 +## <param name="domain">
@@ -49324,7 +49382,7 @@ index 9dc60c6..48a4886 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1893,11 +2618,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1893,11 +2634,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -49342,7 +49400,7 @@ index 9dc60c6..48a4886 100644
  ')
  
  ########################################
-@@ -1938,7 +2666,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2682,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -49351,7 +49409,7 @@ index 9dc60c6..48a4886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1946,10 +2674,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2690,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -49364,7 +49422,7 @@ index 9dc60c6..48a4886 100644
  	')
  
  	userdom_search_user_home_content($1)
-@@ -1958,7 +2685,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2701,7 @@ interface(`userdom_delete_all_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -49373,7 +49431,7 @@ index 9dc60c6..48a4886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1966,12 +2693,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2709,66 @@ interface(`userdom_delete_all_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -49442,7 +49500,7 @@ index 9dc60c6..48a4886 100644
  ')
  
  ########################################
-@@ -2007,8 +2788,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2804,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -49452,7 +49510,7 @@ index 9dc60c6..48a4886 100644
  ')
  
  ########################################
-@@ -2024,21 +2804,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,21 +2820,15 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -49478,7 +49536,7 @@ index 9dc60c6..48a4886 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to execute user home files.
-@@ -2120,7 +2894,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2910,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -49487,7 +49545,7 @@ index 9dc60c6..48a4886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2128,19 +2902,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2918,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -49511,7 +49569,7 @@ index 9dc60c6..48a4886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2148,12 +2920,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2936,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -49527,7 +49585,7 @@ index 9dc60c6..48a4886 100644
  ')
  
  ########################################
-@@ -2388,18 +3160,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3176,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -49585,7 +49643,7 @@ index 9dc60c6..48a4886 100644
  ##	Do not audit attempts to read users
  ##	temporary files.
  ## </summary>
-@@ -2414,7 +3222,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3238,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -49594,7 +49652,7 @@ index 9dc60c6..48a4886 100644
  ')
  
  ########################################
-@@ -2455,6 +3263,25 @@ interface(`userdom_rw_user_tmp_files',`
+@@ -2455,6 +3279,25 @@ interface(`userdom_rw_user_tmp_files',`
  	rw_files_pattern($1, user_tmp_t, user_tmp_t)
  	files_search_tmp($1)
  ')
@@ -49620,7 +49678,7 @@ index 9dc60c6..48a4886 100644
  
  ########################################
  ## <summary>
-@@ -2538,7 +3365,7 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,7 +3381,7 @@ interface(`userdom_manage_user_tmp_files',`
  ########################################
  ## <summary>
  ##	Create, read, write, and delete user
@@ -49629,7 +49687,7 @@ index 9dc60c6..48a4886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2546,19 +3373,19 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2546,18 +3389,59 @@ interface(`userdom_manage_user_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -49647,55 +49705,7 @@ index 9dc60c6..48a4886 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete user
--##	temporary named pipes.
 +##	temporary symbolic links.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2566,19 +3393,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
- ##	</summary>
- ## </param>
- #
--interface(`userdom_manage_user_tmp_pipes',`
-+interface(`userdom_manage_user_tmp_symlinks',`
- 	gen_require(`
- 		type user_tmp_t;
- 	')
- 
--	manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
-+	manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
- 	files_search_tmp($1)
- ')
- 
- ########################################
- ## <summary>
- ##	Create, read, write, and delete user
--##	temporary named sockets.
-+##	temporary named pipes.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2586,18 +3413,59 @@ interface(`userdom_manage_user_tmp_pipes',`
- ##	</summary>
- ## </param>
- #
--interface(`userdom_manage_user_tmp_sockets',`
-+interface(`userdom_rw_inherited_user_tmp_pipes',`
- 	gen_require(`
- 		type user_tmp_t;
- 	')
- 
--	manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
-+    allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
- 	files_search_tmp($1)
- ')
- 
-+
- ########################################
- ## <summary>
--##	Create objects in a user temporary directory
-+##	Create, read, write, and delete user
-+##	temporary named pipes.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -49703,19 +49713,19 @@ index 9dc60c6..48a4886 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_manage_user_tmp_pipes',`
++interface(`userdom_manage_user_tmp_symlinks',`
 +	gen_require(`
 +		type user_tmp_t;
 +	')
 +
-+	manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
++	manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
 +	files_search_tmp($1)
 +')
 +
 +########################################
 +## <summary>
 +##	Create, read, write, and delete user
-+##	temporary named sockets.
++##	temporary named pipes.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -49723,22 +49733,23 @@ index 9dc60c6..48a4886 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_manage_user_tmp_sockets',`
++interface(`userdom_rw_inherited_user_tmp_pipes',`
 +	gen_require(`
 +		type user_tmp_t;
 +	')
 +
-+	manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
++    allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
 +	files_search_tmp($1)
 +')
 +
++
 +########################################
 +## <summary>
-+##	Create objects in a user temporary directory
- ##	with an automatic type transition to
- ##	a specified private type.
++##	Create, read, write, and delete user
+ ##	temporary named pipes.
  ## </summary>
-@@ -2661,6 +3529,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+ ## <param name="domain">
+@@ -2661,6 +3545,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -49760,7 +49771,7 @@ index 9dc60c6..48a4886 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2672,18 +3555,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2672,18 +3571,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  ## </param>
  #
  interface(`userdom_read_user_tmpfs_files',`
@@ -49782,7 +49793,7 @@ index 9dc60c6..48a4886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2692,19 +3570,13 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3586,13 @@ interface(`userdom_read_user_tmpfs_files',`
  ## </param>
  #
  interface(`userdom_rw_user_tmpfs_files',`
@@ -49805,7 +49816,7 @@ index 9dc60c6..48a4886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2713,13 +3585,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2713,13 +3601,56 @@ interface(`userdom_rw_user_tmpfs_files',`
  ## </param>
  #
  interface(`userdom_manage_user_tmpfs_files',`
@@ -49866,7 +49877,7 @@ index 9dc60c6..48a4886 100644
  ')
  
  ########################################
-@@ -2814,6 +3729,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3745,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -49891,7 +49902,7 @@ index 9dc60c6..48a4886 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2832,22 +3765,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3781,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -49934,7 +49945,7 @@ index 9dc60c6..48a4886 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2856,14 +3801,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3817,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -49972,7 +49983,7 @@ index 9dc60c6..48a4886 100644
  ')
  
  ########################################
-@@ -2882,8 +3846,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3862,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -50002,7 +50013,7 @@ index 9dc60c6..48a4886 100644
  ')
  
  ########################################
-@@ -2955,69 +3938,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,69 +3954,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -50103,7 +50114,7 @@ index 9dc60c6..48a4886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3025,12 +4007,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,12 +4023,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -50118,7 +50129,7 @@ index 9dc60c6..48a4886 100644
  ')
  
  ########################################
-@@ -3094,7 +4076,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4092,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -50127,7 +50138,7 @@ index 9dc60c6..48a4886 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3110,29 +4092,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4108,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -50161,7 +50172,7 @@ index 9dc60c6..48a4886 100644
  ')
  
  ########################################
-@@ -3214,7 +4180,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4196,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -50188,7 +50199,7 @@ index 9dc60c6..48a4886 100644
  ')
  
  ########################################
-@@ -3269,12 +4253,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4269,13 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -50204,7 +50215,7 @@ index 9dc60c6..48a4886 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3282,46 +4267,122 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,54 +4283,130 @@ interface(`userdom_write_user_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -50262,13 +50273,15 @@ index 9dc60c6..48a4886 100644
  	gen_require(`
 -		attribute userdomain;
 +		type user_tmp_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 userdomain:process getattr;
 +	dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Inherit the file descriptors from all user domains
 +##	Allow domain to read/write inherited users
 +##	fifo files.
 +## </summary>
@@ -50337,10 +50350,18 @@ index 9dc60c6..48a4886 100644
 +interface(`userdom_getattr_all_users',`
 +	gen_require(`
 +		attribute userdomain;
- 	')
- 
- 	allow $1 userdomain:process getattr;
-@@ -3382,6 +4443,42 @@ interface(`userdom_signal_all_users',`
++	')
++
++	allow $1 userdomain:process getattr;
++')
++
++########################################
++## <summary>
++##	Inherit the file descriptors from all user domains
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -3382,6 +4459,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -50383,7 +50404,7 @@ index 9dc60c6..48a4886 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4499,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4515,60 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -50444,7 +50465,7 @@ index 9dc60c6..48a4886 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3435,4 +4586,1727 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4602,1727 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 2c9c72b..c0a4779 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -589,7 +589,7 @@ index 058d908..ee0c559 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..853554d 100644
+index eb50f07..e519be5 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -838,9 +838,9 @@ index eb50f07..853554d 100644
 +logging_read_syslog_pid(abrt_t)
 +
 +auth_use_nsswitch(abrt_t)
-+
-+init_read_utmp(abrt_t)
  
++init_read_utmp(abrt_t)
++
 +miscfiles_read_generic_certs(abrt_t)
  miscfiles_read_public_files(abrt_t)
 +miscfiles_dontaudit_access_check_cert(abrt_t)
@@ -868,10 +868,14 @@ index eb50f07..853554d 100644
  ')
  
  optional_policy(`
-@@ -222,6 +253,28 @@ optional_policy(`
+@@ -222,6 +253,32 @@ optional_policy(`
  ')
  
  optional_policy(`
++	docker_stream_connect(abrt_t)
++')
++
++optional_policy(`
 +	kdump_read_crash(abrt_t)
 +')
 +
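Review bot: `docker_stream_connect(abrt_t)` is added without a comment saying which abrt component needs to talk to the docker daemon socket, and the docker module itself ships in the bundled docker-selinux.tgz, so the scope of the interface is not visible in this patch. The daemon's unix socket is a privileged control interface for every container on the host, so this is one of the broader grants in the abrt policy and deserves a one-line why-comment above the optional_policy block, e.g. `# abrt container crash handling talks to the docker daemon -- confirm which handler needs this`. If only a specific abrt helper domain needs it, scoping the call to that domain rather than abrt_t would keep the main daemon narrower.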
@@ -897,7 +901,7 @@ index eb50f07..853554d 100644
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
  	policykit_read_reload(abrt_t)
-@@ -234,6 +287,11 @@ optional_policy(`
+@@ -234,6 +291,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -909,7 +913,7 @@ index eb50f07..853554d 100644
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
  	rpm_manage_cache(abrt_t)
-@@ -243,6 +301,7 @@ optional_policy(`
+@@ -243,6 +305,7 @@ optional_policy(`
  	rpm_signull(abrt_t)
  ')
  
@@ -917,7 +921,7 @@ index eb50f07..853554d 100644
  optional_policy(`
  	sendmail_domtrans(abrt_t)
  ')
-@@ -253,9 +312,21 @@ optional_policy(`
+@@ -253,9 +316,21 @@ optional_policy(`
  	sosreport_delete_tmp_files(abrt_t)
  ')
  
@@ -940,7 +944,7 @@ index eb50f07..853554d 100644
  #
  
  allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +337,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +341,13 @@ tunable_policy(`abrt_handle_event',`
  	can_exec(abrt_t, abrt_handle_event_exec_t)
  ')
  
@@ -955,7 +959,7 @@ index eb50f07..853554d 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +356,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +360,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -963,7 +967,7 @@ index eb50f07..853554d 100644
  
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +365,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +369,20 @@ corecmd_read_all_executables(abrt_helper_t)
  
  domain_read_all_domains_state(abrt_helper_t)
  
@@ -984,7 +988,7 @@ index eb50f07..853554d 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +386,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +390,25 @@ ifdef(`hide_broken_symptoms',`
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -1011,7 +1015,7 @@ index eb50f07..853554d 100644
  #
  
  allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +422,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +426,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
  
  dev_read_urand(abrt_retrace_coredump_t)
  
@@ -1025,7 +1029,7 @@ index eb50f07..853554d 100644
  optional_policy(`
  	rpm_exec(abrt_retrace_coredump_t)
  	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +440,11 @@ optional_policy(`
+@@ -343,10 +444,11 @@ optional_policy(`
  
  #######################################
  #
@@ -1039,7 +1043,7 @@ index eb50f07..853554d 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +463,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +467,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -1108,7 +1112,7 @@ index eb50f07..853554d 100644
  
  #######################################
  #
-@@ -404,25 +528,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +532,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
  #
  
  allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1171,7 +1175,7 @@ index eb50f07..853554d 100644
  ')
  
  #######################################
-@@ -430,10 +589,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +593,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
  # Global local policy
  #
  
@@ -27932,7 +27936,7 @@ index 50d0084..94e1936 100644
  
  	fail2ban_run_client($1, $2)
 diff --git a/fail2ban.te b/fail2ban.te
-index cf0e567..6c3ce35 100644
+index cf0e567..7945ad9 100644
 --- a/fail2ban.te
 +++ b/fail2ban.te
 @@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
@@ -28013,7 +28017,7 @@ index cf0e567..6c3ce35 100644
  	shorewall_domtrans(fail2ban_t)
  ')
  
-@@ -131,22 +146,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+@@ -131,22 +146,32 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
  
  domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
  
@@ -28036,6 +28040,8 @@ index cf0e567..6c3ce35 100644
  
 +auth_use_nsswitch(fail2ban_client_t)
 +
++libs_exec_ldconfig(fail2ban_client_t)
++
  logging_getattr_all_logs(fail2ban_client_t)
  logging_search_all_logs(fail2ban_client_t)
 -
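Review bot: `libs_exec_ldconfig(fail2ban_client_t)` lands with no comment explaining why the fail2ban client executes ldconfig; presumably this is Python's ctypes find_library() path spawning `ldconfig -p`, but that is inferred, not visible here. libs_exec_ldconfig runs ldconfig in the caller's own domain (can_exec, no domain transition), so the client cannot rewrite the ld.so cache through it, which is the right choice for a read-only lookup. A comment such as `# ctypes.util.find_library() runs ldconfig -p -- confirm` above the call would make that intent explicit for the next maintainer.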
@@ -66423,10 +66429,10 @@ index 0000000..80246e6
 +
 diff --git a/pcp.te b/pcp.te
 new file mode 100644
-index 0000000..08c51d3
+index 0000000..65502e1
 --- /dev/null
 +++ b/pcp.te
-@@ -0,0 +1,268 @@
+@@ -0,0 +1,272 @@
 +policy_module(pcp, 1.0.0)
 +
 +########################################
@@ -66576,6 +66582,10 @@ index 0000000..08c51d3
 +userdom_read_user_tmp_files(pcp_pmcd_t)
 +
 +optional_policy(`
++    docker_manage_lib_files(pcp_pmcd_t)
++')
++
++optional_policy(`
 +    mysql_stream_connect(pcp_pmcd_t)
 +')
 +
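Review bot: `docker_manage_lib_files(pcp_pmcd_t)` gives the PCP collector create/write/delete rights over the docker module's lib files, which is more than a metrics daemon that samples container state should need; the docker module is shipped in docker-selinux.tgz, so exactly which files this covers is not visible here. If the module offers a read/list-only interface for those files, that would be the least-privilege choice; otherwise a comment naming what pmcd actually writes there would justify the manage rule. As written, a compromised pmcd could alter docker's on-disk state, which is worth a deliberate decision rather than an AVC-driven grant.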
@@ -96355,10 +96365,10 @@ index 3a9a70b..903109c 100644
  	logging_list_logs($1)
  	admin_pattern($1, setroubleshoot_var_log_t)
 diff --git a/setroubleshoot.te b/setroubleshoot.te
-index ce67935..130eca9 100644
+index ce67935..24c746f 100644
 --- a/setroubleshoot.te
 +++ b/setroubleshoot.te
-@@ -7,43 +7,52 @@ policy_module(setroubleshoot, 1.12.1)
+@@ -7,68 +7,95 @@ policy_module(setroubleshoot, 1.12.1)
  
  type setroubleshootd_t alias setroubleshoot_t;
  type setroubleshootd_exec_t;
@@ -96382,6 +96392,12 @@ index ce67935..130eca9 100644
  type setroubleshoot_var_run_t;
  files_pid_file(setroubleshoot_var_run_t)
  
++type setroubleshoot_tmp_t;
++files_tmp_file(setroubleshoot_tmp_t)
++
++type setroubleshoot_tmpfs_t;
++files_tmpfs_file(setroubleshoot_tmpfs_t)
++
  ########################################
  #
 -# Local policy
@@ -96402,8 +96418,19 @@ index ce67935..130eca9 100644
 +allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
 +allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +allow setroubleshootd_t self:unix_dgram_socket create_socket_perms;
++
  
 -allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr_dir_perms;
++manage_files_pattern(setroubleshootd_t, setroubleshoot_tmp_t, setroubleshoot_tmp_t)
++manage_dirs_pattern(setroubleshootd_t, setroubleshoot_tmp_t, setroubleshoot_tmp_t)
++files_tmp_filetrans(setroubleshootd_t, setroubleshoot_tmp_t, { file dir })
++allow setroubleshootd_t setroubleshoot_tmp_t:file mmap_file_perms;
++
++manage_files_pattern(setroubleshootd_t, setroubleshoot_tmpfs_t, setroubleshoot_tmpfs_t)
++manage_dirs_pattern(setroubleshootd_t, setroubleshoot_tmpfs_t, setroubleshoot_tmpfs_t)
++fs_tmpfs_filetrans(setroubleshootd_t, setroubleshoot_tmpfs_t, { file dir })
++allow setroubleshootd_t setroubleshoot_tmpfs_t:file mmap_file_perms;
++
 +# database files
 +allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr;
  manage_files_pattern(setroubleshootd_t, setroubleshoot_var_lib_t, setroubleshoot_var_lib_t)
@@ -96423,7 +96450,12 @@ index ce67935..130eca9 100644
  manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
  manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
  manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
-@@ -55,20 +64,20 @@ kernel_read_net_sysctls(setroubleshootd_t)
+ files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file dir })
+ 
++
+ kernel_read_kernel_sysctls(setroubleshootd_t)
+ kernel_read_system_state(setroubleshootd_t)
+ kernel_read_net_sysctls(setroubleshootd_t)
  kernel_read_network_state(setroubleshootd_t)
  kernel_dontaudit_list_all_proc(setroubleshootd_t)
  kernel_read_irq_sysctls(setroubleshootd_t)
@@ -96448,7 +96480,7 @@ index ce67935..130eca9 100644
  
  dev_read_urand(setroubleshootd_t)
  dev_read_sysfs(setroubleshootd_t)
-@@ -76,10 +85,9 @@ dev_getattr_all_blk_files(setroubleshootd_t)
+@@ -76,10 +103,9 @@ dev_getattr_all_blk_files(setroubleshootd_t)
  dev_getattr_all_chr_files(setroubleshootd_t)
  dev_getattr_mtrr_dev(setroubleshootd_t)
  
@@ -96460,7 +96492,7 @@ index ce67935..130eca9 100644
  files_list_all(setroubleshootd_t)
  files_getattr_all_files(setroubleshootd_t)
  files_getattr_all_pipes(setroubleshootd_t)
-@@ -109,27 +117,24 @@ init_read_utmp(setroubleshootd_t)
+@@ -109,27 +135,24 @@ init_read_utmp(setroubleshootd_t)
  init_dontaudit_write_utmp(setroubleshootd_t)
  
  libs_exec_ld_so(setroubleshootd_t)
@@ -96493,7 +96525,7 @@ index ce67935..130eca9 100644
  ')
  
  optional_policy(`
-@@ -137,10 +142,18 @@ optional_policy(`
+@@ -137,10 +160,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -96512,7 +96544,7 @@ index ce67935..130eca9 100644
  	rpm_exec(setroubleshootd_t)
  	rpm_signull(setroubleshootd_t)
  	rpm_read_db(setroubleshootd_t)
-@@ -150,26 +163,36 @@ optional_policy(`
+@@ -150,26 +181,36 @@ optional_policy(`
  
  ########################################
  #
@@ -96551,7 +96583,7 @@ index ce67935..130eca9 100644
  files_list_tmp(setroubleshoot_fixit_t)
  
  auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -177,23 +200,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -177,23 +218,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
  logging_send_audit_msgs(setroubleshoot_fixit_t)
  logging_send_syslog_msg(setroubleshoot_fixit_t)
  
@@ -108083,7 +108115,7 @@ index a4f20bc..374e8ef 100644
 +/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index facdee8..efe9356 100644
+index facdee8..eae2073 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,318 +1,226 @@
@@ -108905,7 +108937,7 @@ index facdee8..efe9356 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -673,107 +534,136 @@ interface(`virt_home_filetrans',`
+@@ -673,54 +534,398 @@ interface(`virt_home_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -108951,11 +108983,7 @@ index facdee8..efe9356 100644
 -	allow $1 virt_home_t:sock_file manage_sock_file_perms;
 +	dontaudit $1 virt_var_lib_t:file read_inherited_file_perms;
 +')
- 
--	tunable_policy(`virt_use_nfs',`
--		fs_manage_nfs_dirs($1)
--		fs_manage_nfs_files($1)
--		fs_manage_nfs_symlinks($1)
++
 +########################################
 +## <summary>
 +##	Create, read, write, and delete
@@ -108970,60 +108998,42 @@ index facdee8..efe9356 100644
 +interface(`virt_manage_lib_files',`
 +	gen_require(`
 +		type virt_var_lib_t;
- 	')
- 
--	tunable_policy(`virt_use_samba',`
--		fs_manage_cifs_dirs($1)
--		fs_manage_cifs_files($1)
--		fs_manage_cifs_symlinks($1)
--	')
++	')
++
 +	files_search_var_lib($1)
 +	manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
- ')
- 
- ########################################
- ## <summary>
--##	Relabel virt home content.
++')
++
++########################################
++## <summary>
 +##	Allow the specified domain to read virt's log files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +## <rolecap/>
- #
--interface(`virt_relabel_generic_virt_home_content',`
++#
 +interface(`virt_read_log',`
- 	gen_require(`
--		type virt_home_t;
++	gen_require(`
 +		type virt_log_t;
- 	')
- 
--	userdom_search_user_home_dirs($1)
--	allow $1 virt_home_t:dir relabel_dir_perms;
--	allow $1 virt_home_t:file relabel_file_perms;
--	allow $1 virt_home_t:fifo_file relabel_fifo_file_perms;
--	allow $1 virt_home_t:lnk_file relabel_lnk_file_perms;
--	allow $1 virt_home_t:sock_file relabel_sock_file_perms;
++	')
++
 +	logging_search_logs($1)
 +	read_files_pattern($1, virt_log_t, virt_log_t)
- ')
- 
- ########################################
- ## <summary>
--##	Create specified objects in user home
--##	directories with the generic virt
--##	home type.
++')
++
++########################################
++## <summary>
 +##	Allow the specified domain to append
 +##	virt log files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <param name="object_class">
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +#
 +interface(`virt_append_log',`
 +	gen_require(`
@@ -109039,12 +109049,10 @@ index facdee8..efe9356 100644
 +##	Allow domain to manage virt log files
 +## </summary>
 +## <param name="domain">
- ##	<summary>
--##	Class of the object being created.
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <param name="name" optional="true">
++##	</summary>
++## </param>
 +#
 +interface(`virt_manage_log',`
 +	gen_require(`
@@ -109061,70 +109069,55 @@ index facdee8..efe9356 100644
 +##	Allow domain to getattr virt image direcories
 +## </summary>
 +## <param name="domain">
- ##	<summary>
--##	The name of the object being created.
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`virt_home_filetrans_virt_home',`
++##	</summary>
++## </param>
++#
 +interface(`virt_getattr_images',`
- 	gen_require(`
--		type virt_home_t;
++	gen_require(`
 +		attribute virt_image_type;
- 	')
- 
--	userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3)
++	')
++
 +	virt_search_lib($1)
 +	allow $1 virt_image_type:file getattr_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Read virt pid files.
++')
++
++########################################
++## <summary>
 +##	Allow domain to search virt image direcories
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -781,19 +671,18 @@ interface(`virt_home_filetrans_virt_home',`
- ##	</summary>
- ## </param>
- #
--interface(`virt_read_pid_files',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`virt_search_images',`
- 	gen_require(`
--		type virt_var_run_t;
++	gen_require(`
 +		attribute virt_image_type;
- 	')
- 
--	files_search_pids($1)
--	read_files_pattern($1, virt_var_run_t, virt_var_run_t)
++	')
++
 +	virt_search_lib($1)
 +	allow $1 virt_image_type:dir search_dir_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete
--##	virt pid files.
++')
++
++########################################
++## <summary>
 +##	Allow domain to read virt image files
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -801,18 +690,36 @@ interface(`virt_read_pid_files',`
- ##	</summary>
- ## </param>
- #
--interface(`virt_manage_pid_files',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`virt_read_images',`
- 	gen_require(`
--		type virt_var_run_t;
++	gen_require(`
 +		type virt_var_lib_t;
 +		attribute virt_image_type;
- 	')
- 
--	files_search_pids($1)
--	manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
++	')
++
 +	virt_search_lib($1)
 +	allow $1 virt_image_type:dir list_dir_perms;
 +	list_dirs_pattern($1, virt_image_type, virt_image_type)
@@ -109132,8 +109125,11 @@ index facdee8..efe9356 100644
 +	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
 +	read_blk_files_pattern($1, virt_image_type, virt_image_type)
 +	read_chr_files_pattern($1, virt_image_type, virt_image_type)
-+
-+	tunable_policy(`virt_use_nfs',`
+ 
+ 	tunable_policy(`virt_use_nfs',`
+-		fs_manage_nfs_dirs($1)
+-		fs_manage_nfs_files($1)
+-		fs_manage_nfs_symlinks($1)
 +		fs_list_nfs($1)
 +		fs_read_nfs_files($1)
 +		fs_read_nfs_symlinks($1)
@@ -109144,68 +109140,55 @@ index facdee8..efe9356 100644
 +		fs_read_cifs_files($1)
 +		fs_read_cifs_symlinks($1)
 +	')
- ')
- 
- ########################################
- ## <summary>
--##	Search virt lib directories.
++')
++
++########################################
++## <summary>
 +##	Allow domain to read virt blk image files
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -820,18 +727,17 @@ interface(`virt_manage_pid_files',`
- ##	</summary>
- ## </param>
- #
--interface(`virt_search_lib',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`virt_read_blk_images',`
- 	gen_require(`
--		type virt_var_lib_t;
++	gen_require(`
 +		attribute virt_image_type;
- 	')
- 
--	files_search_var_lib($1)
--	allow $1 virt_var_lib_t:dir search_dir_perms;
++	')
++
 +	read_blk_files_pattern($1, virt_image_type, virt_image_type)
- ')
- 
- ########################################
- ## <summary>
--##	Read virt lib files.
++')
++
++########################################
++## <summary>
 +##	Allow domain to read/write virt image chr files
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -839,20 +745,18 @@ interface(`virt_search_lib',`
- ##	</summary>
- ## </param>
- #
--interface(`virt_read_lib_files',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`virt_rw_chr_files',`
- 	gen_require(`
--		type virt_var_lib_t;
++	gen_require(`
 +		attribute virt_image_type;
- 	')
- 
--	files_search_var_lib($1)
--	read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
--	read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
++	')
++
 +	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
- ')
- 
- ########################################
- ## <summary>
- ##	Create, read, write, and delete
--##	virt lib files.
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
 +##	svirt cache files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -860,94 +764,267 @@ interface(`virt_read_lib_files',`
- ##	</summary>
- ## </param>
- #
--interface(`virt_manage_lib_files',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`virt_manage_cache',`
 +	gen_require(`
 +		type virt_cache_t;
@@ -109228,13 +109211,11 @@ index facdee8..efe9356 100644
 +## </param>
 +#
 +interface(`virt_manage_images',`
- 	gen_require(`
- 		type virt_var_lib_t;
++	gen_require(`
++		type virt_var_lib_t;
 +		attribute virt_image_type;
- 	')
- 
--	files_search_var_lib($1)
--	manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
++	')
++
 +	virt_search_lib($1)
 +	allow $1 virt_image_type:dir list_dir_perms;
 +	manage_dirs_pattern($1, virt_image_type, virt_image_type)
@@ -109288,12 +109269,10 @@ index facdee8..efe9356 100644
 +	allow $1 virtd_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, virtd_t)
- ')
- 
- ########################################
- ## <summary>
--##	Create objects in virt pid
--##	directories with a private type.
++')
++
++########################################
++## <summary>
 +##	Ptrace the svirt domain
 +## </summary>
 +## <param name="domain">
@@ -109331,13 +109310,12 @@ index facdee8..efe9356 100644
 +#######################################
 +## <summary>
 +##	Manage Sandbox Files
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <param name="private type">
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +#
 +interface(`virt_manage_sandbox_files',`
 +	gen_require(`
@@ -109357,98 +109335,109 @@ index facdee8..efe9356 100644
 +##	Relabel Sandbox File systems
 +## </summary>
 +## <param name="domain">
- ##	<summary>
--##	The type of the object to be created.
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <param name="object">
++##	</summary>
++## </param>
 +#
 +interface(`virt_relabel_sandbox_filesystem',`
 +	gen_require(`
 +		type svirt_sandbox_file_t;
-+	')
-+
+ 	')
+ 
+-	tunable_policy(`virt_use_samba',`
+-		fs_manage_cifs_dirs($1)
+-		fs_manage_cifs_files($1)
+-		fs_manage_cifs_symlinks($1)
+-	')
 +	allow $1 svirt_sandbox_file_t:filesystem { relabelfrom relabelto };
-+')
-+
+ ')
+ 
+-########################################
 +#######################################
-+## <summary>
+ ## <summary>
+-##	Relabel virt home content.
 +##	Mounton Sandbox Files
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
  ##	<summary>
--##	The object class of the object being created.
-+##	Domain allowed access.
+@@ -728,72 +933,98 @@ interface(`virt_manage_generic_virt_home_content',`
  ##	</summary>
  ## </param>
--## <param name="name" optional="true">
-+#
+ #
+-interface(`virt_relabel_generic_virt_home_content',`
 +interface(`virt_mounton_sandbox_file',`
-+	gen_require(`
+ 	gen_require(`
+-		type virt_home_t;
 +		type svirt_sandbox_file_t;
-+	')
-+
+ 	')
+ 
+-	userdom_search_user_home_dirs($1)
+-	allow $1 virt_home_t:dir relabel_dir_perms;
+-	allow $1 virt_home_t:file relabel_file_perms;
+-	allow $1 virt_home_t:fifo_file relabel_fifo_file_perms;
+-	allow $1 virt_home_t:lnk_file relabel_lnk_file_perms;
+-	allow $1 virt_home_t:sock_file relabel_sock_file_perms;
 +	allow $1 svirt_sandbox_file_t:dir_file_class_set mounton;
-+')
-+
+ ')
+ 
+-########################################
 +#######################################
-+## <summary>
+ ## <summary>
+-##	Create specified objects in user home
+-##	directories with the generic virt
+-##	home type.
 +##	Connect to virt over a unix domain stream socket.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
  ##	<summary>
--##	The name of the object being created.
-+##	Domain allowed access.
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
--## <infoflow type="write" weight="10"/>
- #
--interface(`virt_pid_filetrans',`
+-## <param name="object_class">
++#
 +interface(`virt_stream_connect_sandbox',`
- 	gen_require(`
--		type virt_var_run_t;
++	gen_require(`
 +		attribute svirt_sandbox_domain;
 +		type svirt_sandbox_file_t;
- 	')
- 
- 	files_search_pids($1)
--	filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
++	')
++
++	files_search_pids($1)
 +	stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain)
 +	ps_process_pattern(svirt_sandbox_domain, $1)
- ')
- 
- ########################################
- ## <summary>
--##	Read virt log files.
++')
++
++########################################
++## <summary>
 +##	Execute qemu in the svirt domain, and
 +##	allow the specified role the svirt domain.
- ## </summary>
- ## <param name="domain">
++## </summary>
++## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
+-##	Class of the object being created.
 +##	Domain allowed access
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="name" optional="true">
 +## <param name="role">
-+##	<summary>
+ ##	<summary>
+-##	The name of the object being created.
 +##	The role to be allowed the sandbox domain.
  ##	</summary>
  ## </param>
- ## <rolecap/>
++## <rolecap/>
  #
--interface(`virt_read_log',`
+-interface(`virt_home_filetrans_virt_home',`
 +interface(`virt_transition_svirt',`
  	gen_require(`
--		type virt_log_t;
+-		type virt_home_t;
 +		attribute virt_domain;
 +		type virt_bridgehelper_t;
 +		type svirt_image_t;
 +		type svirt_socket_t;
  	')
  
--	logging_search_logs($1)
--	read_files_pattern($1, virt_log_t, virt_log_t)
+-	userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3)
 +	allow $1 virt_domain:process transition;
 +	role $2 types virt_domain;
 +	role $2 types virt_bridgehelper_t;
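Review bot: `virt_stream_connect_sandbox` grants more than its summary states: `ps_process_pattern(svirt_sandbox_domain, $1)` runs in the reverse direction, letting every svirt_sandbox_domain type read the connecting caller's /proc entry (status, cmdline, maps, still subject to DAC) and getattr its process, which a caller of a "stream connect" interface would not expect. Presumably it exists so the sandbox side can inspect its client, but that should be stated rather than implied; I would extend the summary with `##	Also allows the sandbox domains to read the caller's process state in /proc.`. This hunk is otherwise a realignment of the same interfaces after a rebase, so the grant predates this commit but the documentation gap remains.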
@@ -109467,7 +109456,7 @@ index facdee8..efe9356 100644
  
  ########################################
  ## <summary>
--##	Append virt log files.
+-##	Read virt pid files.
 +##	Do not audit attempts to write virt daemon unnamed pipes.
  ## </summary>
  ## <param name="domain">
@@ -109477,15 +109466,15 @@ index facdee8..efe9356 100644
  ##	</summary>
  ## </param>
  #
--interface(`virt_append_log',`
+-interface(`virt_read_pid_files',`
 +interface(`virt_dontaudit_write_pipes',`
  	gen_require(`
--		type virt_log_t;
+-		type virt_var_run_t;
 +		type virtd_t;
  	')
  
--	logging_search_logs($1)
--	append_files_pattern($1, virt_log_t, virt_log_t)
+-	files_search_pids($1)
+-	read_files_pattern($1, virt_var_run_t, virt_var_run_t)
 +	dontaudit $1 virtd_t:fd use;
 +	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
  ')
@@ -109493,219 +109482,230 @@ index facdee8..efe9356 100644
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
--##	virt log files.
+-##	virt pid files.
 +##	Send a sigkill to virtual machines
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -955,20 +1032,17 @@ interface(`virt_append_log',`
+@@ -801,18 +1032,17 @@ interface(`virt_read_pid_files',`
  ##	</summary>
  ## </param>
  #
--interface(`virt_manage_log',`
+-interface(`virt_manage_pid_files',`
 +interface(`virt_kill_svirt',`
  	gen_require(`
--		type virt_log_t;
+-		type virt_var_run_t;
 +		attribute virt_domain;
  	')
  
--	logging_search_logs($1)
--	manage_dirs_pattern($1, virt_log_t, virt_log_t)
--	manage_files_pattern($1, virt_log_t, virt_log_t)
--	manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
+-	files_search_pids($1)
+-	manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
 +	allow $1 virt_domain:process sigkill;
  ')
  
  ########################################
  ## <summary>
--##	Search virt image directories.
+-##	Search virt lib directories.
 +##	Send a sigkill to virtd daemon.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -976,18 +1050,17 @@ interface(`virt_manage_log',`
+@@ -820,18 +1050,17 @@ interface(`virt_manage_pid_files',`
  ##	</summary>
  ## </param>
  #
--interface(`virt_search_images',`
+-interface(`virt_search_lib',`
 +interface(`virt_kill',`
  	gen_require(`
--		attribute virt_image_type;
+-		type virt_var_lib_t;
 +		type virtd_t;
  	')
  
--	virt_search_lib($1)
--	allow $1 virt_image_type:dir search_dir_perms;
+-	files_search_var_lib($1)
+-	allow $1 virt_var_lib_t:dir search_dir_perms;
 +	allow $1 virtd_t:process sigkill;
  ')
  
  ########################################
  ## <summary>
--##	Read virt image files.
+-##	Read virt lib files.
 +##	Send a signal to virtd daemon.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -995,36 +1068,35 @@ interface(`virt_search_images',`
+@@ -839,20 +1068,17 @@ interface(`virt_search_lib',`
  ##	</summary>
  ## </param>
  #
--interface(`virt_read_images',`
+-interface(`virt_read_lib_files',`
 +interface(`virt_signal',`
  	gen_require(`
 -		type virt_var_lib_t;
--		attribute virt_image_type;
 +		type virtd_t;
  	')
  
--	virt_search_lib($1)
--	allow $1 virt_image_type:dir list_dir_perms;
--	list_dirs_pattern($1, virt_image_type, virt_image_type)
--	read_files_pattern($1, virt_image_type, virt_image_type)
--	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
--	read_blk_files_pattern($1, virt_image_type, virt_image_type)
+-	files_search_var_lib($1)
+-	read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+-	read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
 +	allow $1 virtd_t:process signal;
-+')
+ ')
  
--	tunable_policy(`virt_use_nfs',`
--		fs_list_nfs($1)
--		fs_read_nfs_files($1)
--		fs_read_nfs_symlinks($1)
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	virt lib files.
 +##	Send null signal to virtd daemon.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -860,94 +1086,93 @@ interface(`virt_read_lib_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`virt_manage_lib_files',`
 +interface(`virt_signull',`
-+	gen_require(`
+ 	gen_require(`
+-		type virt_var_lib_t;
 +		type virtd_t;
  	')
  
--	tunable_policy(`virt_use_samba',`
--		fs_list_cifs($1)
--		fs_read_cifs_files($1)
--		fs_read_cifs_symlinks($1)
--	')
+-	files_search_var_lib($1)
+-	manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
 +	allow $1 virtd_t:process signull;
  ')
  
  ########################################
  ## <summary>
--##	Read and write all virt image
--##	character files.
+-##	Create objects in virt pid
+-##	directories with a private type.
 +##	Send a signal to virtual machines
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1032,20 +1104,17 @@ interface(`virt_read_images',`
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
- #
--interface(`virt_rw_all_image_chr_files',`
+-## <param name="private type">
+-##	<summary>
+-##	The type of the object to be created.
+-##	</summary>
+-## </param>
+-## <param name="object">
+-##	<summary>
+-##	The object class of the object being created.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
++#
 +interface(`virt_signal_svirt',`
- 	gen_require(`
--		attribute virt_image_type;
++	gen_require(`
 +		attribute virt_domain;
- 	')
- 
--	virt_search_lib($1)
--	allow $1 virt_image_type:dir list_dir_perms;
--	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
++	')
++
 +	allow $1 virt_domain:process signal;
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete
--##	svirt cache files.
++')
++
++########################################
++## <summary>
 +##	Manage virt home files.
- ## </summary>
- ## <param name="domain">
++## </summary>
++## <param name="domain">
  ##	<summary>
-@@ -1053,15 +1122,57 @@ interface(`virt_rw_all_image_chr_files',`
+-##	The name of the object being created.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
+-## <infoflow type="write" weight="10"/>
  #
--interface(`virt_manage_svirt_cache',`
--	refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
--	virt_manage_virt_cache($1)
+-interface(`virt_pid_filetrans',`
 +interface(`virt_manage_home_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type virt_var_run_t;
 +		type virt_home_t;
-+	')
-+
+ 	')
+ 
+-	files_search_pids($1)
+-	filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
 +	userdom_search_user_home_dirs($1)
 +	manage_files_pattern($1, virt_home_t, virt_home_t)
  ')
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete
--##	virt cache content.
+-##	Read virt log files.
 +##	allow domain to read
 +##	virt tmpfs files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain allowed access
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`virt_read_log',`
 +interface(`virt_read_tmpfs_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type virt_log_t;
 +		attribute virt_tmpfs_type;
-+	')
-+
+ 	')
+ 
+-	logging_search_logs($1)
+-	read_files_pattern($1, virt_log_t, virt_log_t)
 +	allow $1 virt_tmpfs_type:file read_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Append virt log files.
 +##	allow domain to manage
 +##	virt tmpfs files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain allowed access
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`virt_append_log',`
 +interface(`virt_manage_tmpfs_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type virt_log_t;
 +		attribute virt_tmpfs_type;
-+	')
-+
+ 	')
+ 
+-	logging_search_logs($1)
+-	append_files_pattern($1, virt_log_t, virt_log_t)
 +	allow $1 virt_tmpfs_type:file manage_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	virt log files.
 +##	Create .virt directory in the user home directory
 +##	with an correct label.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1069,21 +1180,29 @@ interface(`virt_manage_svirt_cache',`
+@@ -955,20 +1180,29 @@ interface(`virt_append_log',`
  ##	</summary>
  ## </param>
  #
--interface(`virt_manage_virt_cache',`
+-interface(`virt_manage_log',`
 +interface(`virt_filetrans_home_content',`
  	gen_require(`
--		type virt_cache_t;
+-		type virt_log_t;
 +		type virt_home_t;
 +		type svirt_home_t;
  	')
  
--	files_search_var($1)
--	manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
--	manage_files_pattern($1, virt_cache_t, virt_cache_t)
--	manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
+-	logging_search_logs($1)
+-	manage_dirs_pattern($1, virt_log_t, virt_log_t)
+-	manage_files_pattern($1, virt_log_t, virt_log_t)
+-	manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
 +	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
 +	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
 +	filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
@@ -109722,63 +109722,65 @@ index facdee8..efe9356 100644
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete
--##	virt image files.
+-##	Search virt image directories.
 +##	Dontaudit attempts to Read virt_image_type devices.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1091,36 +1210,188 @@ interface(`virt_manage_virt_cache',`
+@@ -976,92 +1210,133 @@ interface(`virt_manage_log',`
  ##	</summary>
  ## </param>
  #
--interface(`virt_manage_images',`
+-interface(`virt_search_images',`
 +interface(`virt_dontaudit_read_chr_dev',`
  	gen_require(`
--		type virt_var_lib_t;
  		attribute virt_image_type;
  	')
  
 -	virt_search_lib($1)
--	allow $1 virt_image_type:dir list_dir_perms;
--	manage_dirs_pattern($1, virt_image_type, virt_image_type)
--	manage_files_pattern($1, virt_image_type, virt_image_type)
--	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
--	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
+-	allow $1 virt_image_type:dir search_dir_perms;
 +	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
-+')
+ ')
  
--	tunable_policy(`virt_use_nfs',`
--		fs_manage_nfs_dirs($1)
--		fs_manage_nfs_files($1)
--		fs_read_nfs_symlinks($1)
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-##	Read virt image files.
 +##	Creates types and rules for a basic
 +##	virt_lxc process domain.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
 +## <param name="prefix">
-+##	<summary>
+ ##	<summary>
+-##	Domain allowed access.
 +##	Prefix for the domain.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`virt_read_images',`
 +template(`virt_sandbox_domain_template',`
-+	gen_require(`
+ 	gen_require(`
+-		type virt_var_lib_t;
+-		attribute virt_image_type;
 +		attribute svirt_sandbox_domain;
  	')
  
--	tunable_policy(`virt_use_samba',`
--		fs_manage_cifs_files($1)
--		fs_manage_cifs_files($1)
--		fs_read_cifs_symlinks($1)
+-	virt_search_lib($1)
+-	allow $1 virt_image_type:dir list_dir_perms;
+-	list_dirs_pattern($1, virt_image_type, virt_image_type)
+-	read_files_pattern($1, virt_image_type, virt_image_type)
+-	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+-	read_blk_files_pattern($1, virt_image_type, virt_image_type)
 +	type $1_t, svirt_sandbox_domain;
 +	domain_type($1_t)
 +	domain_user_exemption_target($1_t)
 +	mls_rangetrans_target($1_t)
 +	mcs_constrained($1_t)
 +	role system_r types $1_t;
-+
+ 
+-	tunable_policy(`virt_use_nfs',`
+-		fs_list_nfs($1)
+-		fs_read_nfs_files($1)
+-		fs_read_nfs_symlinks($1)
 +	logging_send_syslog_msg($1_t)
 +
 +	kernel_read_system_state($1_t)
@@ -109797,8 +109799,12 @@ index facdee8..efe9356 100644
 +template(`virt_sandbox_domain',`
 +	gen_require(`
 +		attribute svirt_sandbox_domain;
-+	')
-+
+ 	')
+ 
+-	tunable_policy(`virt_use_samba',`
+-		fs_list_cifs($1)
+-		fs_read_cifs_files($1)
+-		fs_read_cifs_symlinks($1)
 +	typeattribute  $1 svirt_sandbox_domain;
 +')
 +
@@ -109815,49 +109821,63 @@ index facdee8..efe9356 100644
 +interface(`virt_exec_qemu',`
 +	gen_require(`
 +		type qemu_exec_t;
-+	')
+ 	')
 +
 +	can_exec($1, qemu_exec_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write all virt image
+-##	character files.
 +##	Transition to virt named content
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##      Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`virt_rw_all_image_chr_files',`
 +interface(`virt_filetrans_named_content',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute virt_image_type;
 +		type virt_lxc_var_run_t;
 +		type virt_var_run_t;
-+	')
-+
+ 	')
+ 
+-	virt_search_lib($1)
+-	allow $1 virt_image_type:dir list_dir_perms;
+-	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
 +	files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
 +	files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
 +	files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	svirt cache files.
 +##	Execute qemu in the svirt domain, and
 +##	allow the specified role the svirt domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain allowed access
 +##	</summary>
 +## </param>
 +## <param name="role">
 +##	<summary>
 +##	The role to be allowed the sandbox domain.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
 +## <rolecap/>
-+#
+ #
+-interface(`virt_manage_svirt_cache',`
+-	refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
+-	virt_manage_virt_cache($1)
 +interface(`virt_transition_svirt_sandbox',`
 +	gen_require(`
 +		attribute svirt_sandbox_domain;
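Review bot: The summary of `virt_transition_svirt_sandbox` is copied from `virt_transition_svirt` ("Execute qemu in the svirt domain, and allow the specified role the svirt domain"), but this interface operates on `svirt_sandbox_domain` and nothing in its visible body involves qemu. Assuming the body, which continues past this hunk, performs the domain transition its name implies, the summary should read `##	Transition to the svirt sandbox domains, and` / `##	allow the specified role those domains.`. The `domain` parameter description in the same block also uses spaces (`##      Domain allowed access.`) where the rest of the file uses a tab.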
@@ -109870,44 +109890,67 @@ index facdee8..efe9356 100644
 +	allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms;
 +	allow svirt_sandbox_domain $1:process sigchld;
 +	ps_process_pattern($1, svirt_sandbox_domain)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	virt cache content.
 +##	Read and write to svirt_image devices.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1069,21 +1344,17 @@ interface(`virt_manage_svirt_cache',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`virt_manage_virt_cache',`
 +interface(`virt_rw_svirt_dev',`
-+	gen_require(`
+ 	gen_require(`
+-		type virt_cache_t;
 +		type svirt_image_t;
-+	')
-+
+ 	')
+ 
+-	files_search_var($1)
+-	manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
+-	manage_files_pattern($1, virt_cache_t, virt_cache_t)
+-	manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
 +	allow $1 svirt_image_t:chr_file rw_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	virt image files.
 +##	Read and write to svirt_image devices.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1091,36 +1362,36 @@ interface(`virt_manage_virt_cache',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`virt_manage_images',`
 +interface(`virt_rlimitinh',`
-+	gen_require(`
+ 	gen_require(`
+-		type virt_var_lib_t;
+-		attribute virt_image_type;
 +		type virtd_t;
-+	')
-+
+ 	')
+ 
+-	virt_search_lib($1)
+-	allow $1 virt_image_type:dir list_dir_perms;
+-	manage_dirs_pattern($1, virt_image_type, virt_image_type)
+-	manage_files_pattern($1, virt_image_type, virt_image_type)
+-	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+-	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
 +    allow $1 virtd_t:process { rlimitinh };
 +')
-+
+ 
+-	tunable_policy(`virt_use_nfs',`
+-		fs_manage_nfs_dirs($1)
+-		fs_manage_nfs_files($1)
+-		fs_read_nfs_symlinks($1)
 +########################################
 +## <summary>
 +##	Read and write to svirt_image devices.
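Review bot: The summary above `virt_rlimitinh` ("Read and write to svirt_image devices.") is a copy-paste from `virt_rw_svirt_dev` and describes the wrong grant, and the same text is repeated at the end of this hunk above the following interface. `allow $1 virtd_t:process rlimitinh` lets the new virtd_t process keep the caller's resource limits across the transition instead of having them reset, so I would write `##	Allow virtd_t to keep the resource limits of the domain` / `##	when that domain transitions into virtd_t.` and correct the duplicated summary the same way. The `allow` line is also indented with four spaces where the rest of the file uses tabs.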
@@ -109922,7 +109965,12 @@ index facdee8..efe9356 100644
 +	gen_require(`
 +		type virtd_t;
  	')
-+
+ 
+-	tunable_policy(`virt_use_samba',`
+-		fs_manage_cifs_files($1)
+-		fs_manage_cifs_files($1)
+-		fs_read_cifs_symlinks($1)
+-	')
 +    allow $1 virtd_t:process { noatsecure rlimitinh };
  ')
  
@@ -109935,7 +109983,7 @@ index facdee8..efe9356 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1136,50 +1407,76 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1407,95 @@ interface(`virt_manage_images',`
  #
  interface(`virt_admin',`
  	gen_require(`
@@ -109974,26 +110022,20 @@ index facdee8..efe9356 100644
  
 -	fs_search_tmpfs($1)
 -	admin_pattern($1, virt_tmpfs_type)
--
--	files_search_tmp($1)
--	admin_pattern($1, { virt_tmp_type virt_tmp_t })
--
--	files_search_etc($1)
--	admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
 +	allow $1 virt_domain:process signal_perms;
  
--	logging_search_logs($1)
--	admin_pattern($1, virt_log_t)
+-	files_search_tmp($1)
+-	admin_pattern($1, { virt_tmp_type virt_tmp_t })
 +	admin_pattern($1, virt_file_type)
 +	admin_pattern($1, svirt_file_type)
  
--	files_search_pids($1)
--	admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
+-	files_search_etc($1)
+-	admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
 +	virt_systemctl($1)
 +	allow $1 virtd_unit_file_t:service all_service_perms;
  
--	files_search_var($1)
--	admin_pattern($1, svirt_cache_t)
+-	logging_search_logs($1)
+-	admin_pattern($1, virt_log_t)
 +	virt_stream_connect_sandbox($1)
 +	virt_stream_connect_svirt($1)
 +	virt_stream_connect($1)
@@ -110013,9 +110055,32 @@ index facdee8..efe9356 100644
 +		attribute sandbox_caps_domain;
 +	')
  
+-	files_search_pids($1)
+-	admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
++	typeattribute $1 sandbox_caps_domain;
++')
+ 
+-	files_search_var($1)
+-	admin_pattern($1, svirt_cache_t)
++########################################
++## <summary>
++##	Allow the domain to read svirt_sandbox_domain state files in /proc.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virt_sandbox_read_state',`
++	gen_require(`
++		attribute svirt_sandbox_domain;
++	')
+ 
 -	files_search_var_lib($1)
 -	admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t })
-+	typeattribute $1 sandbox_caps_domain;
++	kernel_search_proc($1)
++	ps_process_pattern($1, svirt_sandbox_domain)
 +')
  
 -	files_search_locks($1)
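Review bot: The new `virt_sandbox_read_state` interface gives `$1` read access to the /proc entries of every `svirt_sandbox_domain` process, i.e. every container's status, cmdline, maps and similar (environ stays DAC-protected), plus process getattr if `ps_process_pattern` is the usual refpolicy macro. That is appropriate for a container management or monitoring daemon but leaks container details if handed to a general domain, so the summary should say so: `##	Read the /proc state (status, cmdline, ...) of all svirt_sandbox_domain processes;` / `##	read-only, intended for container management and monitoring domains.`. The interface ending with `typeattribute $1 sandbox_caps_domain;` at the top of the hunk starts outside it.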
@@ -110045,10 +110110,10 @@ index facdee8..efe9356 100644
 +        ps_process_pattern(virtd_t, $1)
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..a463e77 100644
+index f03dcf5..27c7cb7 100644
 --- a/virt.te
 +++ b/virt.te
-@@ -1,150 +1,241 @@
+@@ -1,150 +1,248 @@
 -policy_module(virt, 1.7.4)
 +policy_module(virt, 1.5.0)
  
@@ -110131,6 +110196,13 @@ index f03dcf5..a463e77 100644
 -##	can use nfs file systems.
 -##	</p>
 +## <p>
++## Allow sandbox containers manage fuse files
++## </p>
++## </desc>
++gen_tunable(virt_sandbox_use_fusefs, false)
++
++## <desc>
++## <p>
 +## Allow confined virtual guests to manage nfs files
 +## </p>
  ## </desc>
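Review bot: `virt_sandbox_use_fusefs` is declared here but no tunable_policy block keyed on it appears in this hunk, so make sure the rules that consume it land in the same patch; otherwise the boolean is a dead switch that administrators can toggle to no effect. The description also drops a word and should read `## Allow sandbox containers to manage fuse files`. Defaulting to false is the right choice for a boolean that widens container write access.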
@@ -110215,15 +110287,15 @@ index f03dcf5..a463e77 100644
 +## </p>
 +## </desc>
 +gen_tunable(virt_sandbox_use_audit, true)
-+
+ 
+-attribute svirt_lxc_domain;
 +## <desc>
 +## <p>
 +## Allow sandbox containers to use netlink system calls
 +## </p>
 +## </desc>
 +gen_tunable(virt_sandbox_use_netlink, false)
- 
--attribute svirt_lxc_domain;
++
 +## <desc>
 +## <p>
 +## Allow sandbox containers to use sys_admin system calls, for example mount
@@ -110272,10 +110344,10 @@ index f03dcf5..a463e77 100644
 +
 +virt_domain_template(svirt_tcg)
 +role system_r types svirt_tcg_t;
++
++type qemu_exec_t, virt_file_type;
  
 -type virt_cache_t alias svirt_cache_t;
-+type qemu_exec_t, virt_file_type;
-+
 +type virt_cache_t alias svirt_cache_t, virt_file_type;
  files_type(virt_cache_t)
  
@@ -110360,7 +110432,7 @@ index f03dcf5..a463e77 100644
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -153,299 +244,135 @@ ifdef(`enable_mls',`
+@@ -153,299 +251,135 @@ ifdef(`enable_mls',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
  ')
  
@@ -110625,24 +110697,24 @@ index f03dcf5..a463e77 100644
 -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
 -
 -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
--
--corenet_udp_sendrecv_generic_if(svirt_t)
--corenet_udp_sendrecv_generic_node(svirt_t)
--corenet_udp_sendrecv_all_ports(svirt_t)
--corenet_udp_bind_generic_node(svirt_t)
 +# it was a part of auth_use_nsswitch
 +allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
  
+ corenet_udp_sendrecv_generic_if(svirt_t)
+ corenet_udp_sendrecv_generic_node(svirt_t)
+ corenet_udp_sendrecv_all_ports(svirt_t)
+ corenet_udp_bind_generic_node(svirt_t)
+-
 -corenet_all_recvfrom_unlabeled(svirt_t)
 -corenet_all_recvfrom_netlabel(svirt_t)
 -corenet_tcp_sendrecv_generic_if(svirt_t)
- corenet_udp_sendrecv_generic_if(svirt_t)
+-corenet_udp_sendrecv_generic_if(svirt_t)
 -corenet_tcp_sendrecv_generic_node(svirt_t)
- corenet_udp_sendrecv_generic_node(svirt_t)
+-corenet_udp_sendrecv_generic_node(svirt_t)
 -corenet_tcp_sendrecv_all_ports(svirt_t)
- corenet_udp_sendrecv_all_ports(svirt_t)
+-corenet_udp_sendrecv_all_ports(svirt_t)
 -corenet_tcp_bind_generic_node(svirt_t)
- corenet_udp_bind_generic_node(svirt_t)
+-corenet_udp_bind_generic_node(svirt_t)
 -
 -corenet_sendrecv_all_server_packets(svirt_t)
  corenet_udp_bind_all_ports(svirt_t)
@@ -110738,7 +110810,7 @@ index f03dcf5..a463e77 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +382,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +389,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
@@ -110785,7 +110857,7 @@ index f03dcf5..a463e77 100644
  logging_log_filetrans(virtd_t, virt_log_t, { file dir })
  
  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,23 +417,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,23 +424,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -110795,14 +110867,14 @@ index f03dcf5..a463e77 100644
 -
 -stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
 -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
+-can_exec(virtd_t, virt_tmp_t)
 +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
 +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
 +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
  
--can_exec(virtd_t, virt_tmp_t)
--
 -kernel_read_crypto_sysctls(virtd_t)
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
@@ -110816,7 +110888,7 @@ index f03dcf5..a463e77 100644
  
  corecmd_exec_bin(virtd_t)
  corecmd_exec_shell(virtd_t)
-@@ -527,24 +438,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +445,16 @@ corecmd_exec_shell(virtd_t)
  corenet_all_recvfrom_netlabel(virtd_t)
  corenet_tcp_sendrecv_generic_if(virtd_t)
  corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -110844,7 +110916,7 @@ index f03dcf5..a463e77 100644
  dev_rw_sysfs(virtd_t)
  dev_read_urand(virtd_t)
  dev_read_rand(virtd_t)
-@@ -555,20 +458,26 @@ dev_rw_vhost(virtd_t)
+@@ -555,20 +465,26 @@ dev_rw_vhost(virtd_t)
  dev_setattr_generic_usb_dev(virtd_t)
  dev_relabel_generic_usb_dev(virtd_t)
  
@@ -110875,7 +110947,7 @@ index f03dcf5..a463e77 100644
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_all_fs(virtd_t)
  fs_rw_anon_inodefs_files(virtd_t)
-@@ -601,15 +510,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +517,18 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -110895,7 +110967,7 @@ index f03dcf5..a463e77 100644
  
  selinux_validate_context(virtd_t)
  
-@@ -620,18 +532,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +539,26 @@ seutil_read_file_contexts(virtd_t)
  sysnet_signull_ifconfig(virtd_t)
  sysnet_signal_ifconfig(virtd_t)
  sysnet_domtrans_ifconfig(virtd_t)
@@ -110932,7 +111004,7 @@ index f03dcf5..a463e77 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -640,7 +560,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -640,7 +567,7 @@ tunable_policy(`virt_use_nfs',`
  ')
  
  tunable_policy(`virt_use_samba',`
@@ -110941,7 +111013,7 @@ index f03dcf5..a463e77 100644
  	fs_manage_cifs_files(virtd_t)
  	fs_read_cifs_symlinks(virtd_t)
  ')
-@@ -665,20 +585,12 @@ optional_policy(`
+@@ -665,20 +592,12 @@ optional_policy(`
  	')
  
  	optional_policy(`
@@ -110962,7 +111034,7 @@ index f03dcf5..a463e77 100644
  ')
  
  optional_policy(`
-@@ -691,20 +603,26 @@ optional_policy(`
+@@ -691,20 +610,26 @@ optional_policy(`
  	dnsmasq_kill(virtd_t)
  	dnsmasq_signull(virtd_t)
  	dnsmasq_create_pid_dirs(virtd_t)
@@ -110973,30 +111045,27 @@ index f03dcf5..a463e77 100644
  ')
  
  optional_policy(`
--	iptables_domtrans(virtd_t)
--	iptables_initrc_domtrans(virtd_t)
--	iptables_manage_config(virtd_t)
 +	firewalld_dbus_chat(virtd_t)
++')
++
++optional_policy(`
+ 	iptables_domtrans(virtd_t)
+ 	iptables_initrc_domtrans(virtd_t)
++	iptables_systemctl(virtd_t)
++
++	# Manages /etc/sysconfig/system-config-firewall
+ 	iptables_manage_config(virtd_t)
  ')
  
  optional_policy(`
 -	kerberos_read_keytab(virtd_t)
 -	kerberos_use(virtd_t)
-+	iptables_domtrans(virtd_t)
-+	iptables_initrc_domtrans(virtd_t)
-+	iptables_systemctl(virtd_t)
-+
-+	# Manages /etc/sysconfig/system-config-firewall
-+	iptables_manage_config(virtd_t)
-+')
-+
-+optional_policy(`
 +    kerberos_read_keytab(virtd_t)
 +    kerberos_use(virtd_t)
  ')
  
  optional_policy(`
-@@ -712,11 +630,18 @@ optional_policy(`
+@@ -712,11 +637,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -111015,7 +111084,7 @@ index f03dcf5..a463e77 100644
  	policykit_domtrans_auth(virtd_t)
  	policykit_domtrans_resolve(virtd_t)
  	policykit_read_lib(virtd_t)
-@@ -727,10 +652,18 @@ optional_policy(`
+@@ -727,10 +659,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -111034,7 +111103,7 @@ index f03dcf5..a463e77 100644
  	kernel_read_xen_state(virtd_t)
  	kernel_write_xen_state(virtd_t)
  
-@@ -746,44 +679,277 @@ optional_policy(`
+@@ -746,44 +686,277 @@ optional_policy(`
  	udev_read_pid_files(virtd_t)
  ')
  
@@ -111088,14 +111157,15 @@ index f03dcf5..a463e77 100644
 +manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
 +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
 +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
-+
-+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
-+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
-+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
  
 -manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
++manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
++manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
++files_var_filetrans(virt_domain, virt_cache_t, { file dir })
+ 
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
 +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
 +
 +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@@ -111127,15 +111197,14 @@ index f03dcf5..a463e77 100644
 +
 +dontaudit virtd_t virt_domain:process  { siginh noatsecure rlimitinh };
  
--dontaudit virsh_t virt_var_lib_t:file read_file_perms;
-+dontaudit virt_domain virt_tmpfs_type:file { read write };
- 
 -allow virsh_t svirt_lxc_domain:process transition;
-+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
++dontaudit virt_domain virt_tmpfs_type:file { read write };
  
 -can_exec(virsh_t, virsh_exec_t)
++append_files_pattern(virt_domain, virt_log_t, virt_log_t)
++
 +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
- 
++
 +corecmd_exec_bin(virt_domain)
 +corecmd_exec_shell(virt_domain)
 +
@@ -111280,7 +111349,7 @@ index f03dcf5..a463e77 100644
 +		xserver_stream_connect(virt_domain)
 +	')
 +')
-+
+ 
 +########################################
 +#
 +# xm local policy
@@ -111334,7 +111403,7 @@ index f03dcf5..a463e77 100644
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +960,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +967,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -111361,7 +111430,7 @@ index f03dcf5..a463e77 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +980,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +987,25 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -111378,10 +111447,10 @@ index f03dcf5..a463e77 100644
  
 -logging_send_syslog_msg(virsh_t)
 +systemd_exec_systemctl(virsh_t)
++
++auth_read_passwd(virsh_t)
  
 -miscfiles_read_localization(virsh_t)
-+auth_read_passwd(virsh_t)
-+
 +logging_send_syslog_msg(virsh_t)
  
  sysnet_dns_name_resolve(virsh_t)
@@ -111395,7 +111464,7 @@ index f03dcf5..a463e77 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1017,20 @@ optional_policy(`
+@@ -856,14 +1024,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -111417,7 +111486,7 @@ index f03dcf5..a463e77 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -888,49 +1055,65 @@ optional_policy(`
+@@ -888,49 +1062,65 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -111501,7 +111570,7 @@ index f03dcf5..a463e77 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1125,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1132,16 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -111521,7 +111590,7 @@ index f03dcf5..a463e77 100644
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1146,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1153,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -111545,7 +111614,7 @@ index f03dcf5..a463e77 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1171,326 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1178,343 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -111561,13 +111630,17 @@ index f03dcf5..a463e77 100644
 +optional_policy(`
 +	dbus_system_bus_client(virtd_lxc_t)
 +	init_dbus_chat(virtd_lxc_t)
- 
--miscfiles_read_localization(virtd_lxc_t)
++
 +	optional_policy(`
 +		hal_dbus_chat(virtd_lxc_t)
 +	')
 +')
  
+-miscfiles_read_localization(virtd_lxc_t)
++optional_policy(`
++    docker_exec_lib(virtd_lxc_t)
++')
+ 
 -seutil_domtrans_setfiles(virtd_lxc_t)
 -seutil_read_config(virtd_lxc_t)
 -seutil_read_default_contexts(virtd_lxc_t)
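Review bot: The new `docker_exec_lib(virtd_lxc_t)` block is indented with four spaces while the neighbouring `optional_policy` blocks in this hunk use a tab, and it carries no comment saying which libvirt-lxc operation needs to execute files from what is presumably docker's lib directory. Because this is an execute grant rather than a read, a one-line comment naming the use case, e.g. `# libvirt-lxc needs to run helpers under docker's lib dir — TODO cite bug`, would let a later reader tell a deliberate widening from a stray copy-paste. The enclosing virtd_lxc_t rule section starts and ends outside the hunk.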
@@ -111644,6 +111717,9 @@ index f03dcf5..a463e77 100644
 +
 +corecmd_exec_all_executables(svirt_sandbox_domain)
 +
++domain_dontaudit_link_all_domains_keyrings(svirt_sandbox_domain)
++domain_dontaudit_search_all_domains_keyrings(svirt_sandbox_domain)
++
 +files_dontaudit_getattr_all_dirs(svirt_sandbox_domain)
 +files_dontaudit_getattr_all_files(svirt_sandbox_domain)
 +files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
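Review bot: The two `domain_dontaudit_*_all_domains_keyrings(svirt_sandbox_domain)` calls suppress AVC records rather than grant access, and nothing here records which denial they are meant to hide, so a future reader cannot tell a deliberate noise suppression from a missing allow rule. A short comment above them, e.g. `# silence, do not allow: sandboxed containers touching other domains' keyrings` adjusted to whatever denial prompted it, would make the intent explicit. The svirt_sandbox_domain rule block continues outside the hunk.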
@@ -111667,6 +111743,9 @@ index f03dcf5..a463e77 100644
 +fs_read_fusefs_files(svirt_sandbox_domain)
 +fs_read_hugetlbfs_files(svirt_sandbox_domain)
 +fs_read_tmpfs_symlinks(svirt_sandbox_domain)
++fs_list_tmpfs(svirt_sandbox_domain)
++fs_rw_hugetlbfs_files(svirt_sandbox_domain)
++
 +
 +auth_dontaudit_read_passwd(svirt_sandbox_domain)
 +auth_dontaudit_read_login_records(svirt_sandbox_domain)
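Review bot: `fs_read_hugetlbfs_files(svirt_sandbox_domain)` two lines above the new `fs_rw_hugetlbfs_files(svirt_sandbox_domain)` becomes redundant if the rw interface grants read as well, which is the usual refpolicy convention; drop the read call so the grant is stated once and the widening from read to write is visible in the diff. The added empty `+` line followed by the existing blank line also leaves two consecutive blank lines before `auth_dontaudit_read_passwd`. The svirt_sandbox_domain rule block continues outside the hunk.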
@@ -111695,18 +111774,6 @@ index f03dcf5..a463e77 100644
 +	apache_exec_modules(svirt_sandbox_domain)
 +	apache_read_sys_content(svirt_sandbox_domain)
 +')
-+
-+optional_policy(`
-+	gear_read_pid_files(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
-+	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
-+	ssh_use_ptys(svirt_sandbox_domain)
-+')
  
 -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
 -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -111791,6 +111858,18 @@ index f03dcf5..a463e77 100644
 -
 -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +optional_policy(`
++	gear_read_pid_files(svirt_sandbox_domain)
++')
++
++optional_policy(`
++	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++')
++
++optional_policy(`
++	ssh_use_ptys(svirt_sandbox_domain)
++')
++
++optional_policy(`
 +	udev_read_pid_files(svirt_sandbox_domain)
 +')
  
@@ -111811,15 +111890,22 @@ index f03dcf5..a463e77 100644
 +	fs_manage_cifs_dirs(svirt_sandbox_domain)
 +	fs_manage_cifs_named_sockets(svirt_sandbox_domain)
 +	fs_manage_cifs_symlinks(svirt_sandbox_domain)
++')
++
++tunable_policy(`virt_sandbox_use_fusefs',`
++    fs_manage_fusefs_dirs(svirt_sandbox_domain)
++    fs_manage_fusefs_files(svirt_sandbox_domain)
++    fs_manage_fusefs_symlinks(svirt_sandbox_domain)
  ')
  
  optional_policy(`
 -	apache_exec_modules(svirt_lxc_domain)
 -	apache_read_sys_content(svirt_lxc_domain)
-+    #docker_read_share_files(svirt_sandbox_domain)
-+    #docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
-+    #docker_use_ptys(svirt_sandbox_domain)
-+    #docker_spc_stream_connect(svirt_sandbox_domain)
++    docker_read_share_files(svirt_sandbox_domain)
++    docker_exec_share_files(svirt_sandbox_domain)
++    docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
++    docker_use_ptys(svirt_sandbox_domain)
++    docker_spc_stream_connect(svirt_sandbox_domain)
 +    fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
 +    dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)
  ')
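Review bot: `fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)` and `dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)` are not docker interfaces, yet they sit inside the `optional_policy` block whose other calls now all reference the docker module, so on a build without that module the whole block, those two rules included, is silently dropped; move them out to the unconditional svirt_sandbox_domain rules. The new virt_sandbox_use_fusefs `tunable_policy` block presumably needs a matching `gen_tunable(virt_sandbox_use_fusefs, false)` declaration with its `.if`/boolean description, which is not visible in this hunk — worth confirming it lands in the same patch. The fusefs block and the docker lines use four-space indentation where the adjacent cifs block uses tabs, and `docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)` lacks a space after the first comma. The enclosing svirt_sandbox_domain section continues beyond the hunk.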
@@ -111978,13 +112064,13 @@ index f03dcf5..a463e77 100644
 +dev_read_urand(svirt_qemu_net_t)
 +
 +files_read_kernel_modules(svirt_qemu_net_t)
-+
+ 
+-allow svirt_prot_exec_t self:process { execmem execstack };
 +fs_noxattr_type(svirt_sandbox_file_t)
 +fs_mount_cgroup(svirt_qemu_net_t)
 +fs_manage_cgroup_dirs(svirt_qemu_net_t)
 +fs_manage_cgroup_files(svirt_qemu_net_t)
- 
--allow svirt_prot_exec_t self:process { execmem execstack };
++
 +term_pty(svirt_sandbox_file_t)
 +
 +auth_use_nsswitch(svirt_qemu_net_t)
@@ -112013,7 +112099,7 @@ index f03dcf5..a463e77 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1174,12 +1503,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1527,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -112028,7 +112114,7 @@ index f03dcf5..a463e77 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1192,9 +1521,8 @@ optional_policy(`
+@@ -1192,9 +1545,8 @@ optional_policy(`
  
  ########################################
  #
@@ -112039,7 +112125,7 @@ index f03dcf5..a463e77 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1205,7 +1533,247 @@ manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
+@@ -1205,7 +1557,247 @@ manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
  
  kernel_read_network_state(virt_bridgehelper_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index af968db..b17df2e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 155%{?dist}
+Release: 156%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -661,6 +661,21 @@ exit 0
 %endif
 
 %changelog
+* Tue Oct 27 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-156
+- Allow fail2ban-client to execute ldconfig. #1268715
+- Add interface virt_sandbox_domain()
+- Use mmap_file_perms instead of exec_file_perms in setroubleshoot policy to shave off the execute_no_trans permission. Based on a github communication with Dominick Grift.
+-all userdom_dontaudit_user_getattr_tmp_sockets instead() of usedom_dontaudit_user_getattr_tmp_sockets().
+- Rename usedom_dontaudit_user_getattr_tmp_sockets() to userdom_dontaudit_user_getattr_tmp_sockets().
+- Remove auth_login_pgm_domain(init_t) which has been added by accident.
+- init_t needs to able to change SELinux identity because it is used as login_pgm domain because of systemd-user and PAM. It allows security_compute_user() returns a list of possible context and then a correct default label is returned by "selinux.get_default_context(sel_user,fromcon)" defined in the policy user config files.
+- Add interface auth_use_nsswitch() to systemd_domain_template.
+- Revert "auth_use_nsswitch can be used with attribute systemd_domain."
+- auth_use_nsswitch can be used with attribute systemd_domain.
+- ipsec: fix stringSwan charon-nm
+- docker is communicating with systemd-machined
+- Add missing systemd_dbus_chat_machined, needed by docker
+
 * Tue Oct 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-155
 - Build including docker selinux interfaces.