diff --git a/container-selinux.tgz b/container-selinux.tgz
index be53f4f..627306a 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 5182051..a886459 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -47930,10 +47930,10 @@ index 0000000..3303edd
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..746fc9d
+index 0000000..54d6359
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,1018 @@
+@@ -0,0 +1,1020 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -48916,6 +48916,8 @@ index 0000000..746fc9d
 +# systemd_modules_load domain
 +#
 +
++allow systemd_modules_load_t self:system module_load;
++
 +kernel_dgram_send(systemd_modules_load_t)
 +kernel_load_module(systemd_modules_load_t)
 +
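Review bot: `allow systemd_modules_load_t self:system module_load;` permits loading a module image from memory (init_module), which the kernel checks against the caller's own SID rather than against the label of a .ko file, so the file-label restriction on module loading no longer applies to this domain. That is most likely needed because libkmod decompresses compressed modules in userspace and hands them to init_module(), but nothing on the line says so; a comment such as `# libkmod loads compressed modules via init_module() from memory; the kernel checks that as self:system module_load, not against the module file's label` would stop a later reader from treating it as redundant with kernel_load_module. If kernel_load_module() in this policy already grants the self rule, the new line is a duplicate and should be dropped instead. The systemd_modules_load section continues outside the hunk.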
@@ -49250,7 +49252,7 @@ index 9a1650d..d7e8a01 100644
  
  ########################################
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 39f185f..b41b341 100644
+index 39f185f..a313a7d 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
 @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -49280,7 +49282,7 @@ index 39f185f..b41b341 100644
  
 -allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
 +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
-+allow udev_t self:capability2 { block_suspend };
++allow udev_t self:capability2 { block_suspend wake_alarm };
  dontaudit udev_t self:capability sys_tty_config;
 -allow udev_t self:capability2 block_suspend;
 -allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
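Review bot: The new-side capability line still lists `sys_nice` twice (`... sys_nice sys_rawio sys_resource setuid setgid sys_nice }`); the duplicate is harmless to the compiler but should be dropped while the line is being edited. The added `wake_alarm` on capability2 has no rationale recorded; if it is for udevd's use of the *_ALARM clocks with timerfd, a comment on the line would help, e.g. `# wake_alarm: udevd arms timerfds on CLOCK_BOOTTIME_ALARM/CLOCK_REALTIME_ALARM — confirm`. The udev_t rule block continues beyond the hunk.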
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 24ad5d3..85bf9db 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -9823,7 +9823,7 @@ index 531a8f2..3fcf187 100644
 +	allow $1 named_unit_file_t:service all_service_perms;
  ')
 diff --git a/bind.te b/bind.te
-index 1241123..4ec3437 100644
+index 1241123..fc5eb99 100644
 --- a/bind.te
 +++ b/bind.te
 @@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -9885,7 +9885,7 @@ index 1241123..4ec3437 100644
  corenet_all_recvfrom_netlabel(named_t)
  corenet_tcp_sendrecv_generic_if(named_t)
  corenet_udp_sendrecv_generic_if(named_t)
-@@ -127,6 +130,12 @@ corenet_udp_bind_generic_node(named_t)
+@@ -127,9 +130,15 @@ corenet_udp_bind_generic_node(named_t)
  corenet_sendrecv_all_server_packets(named_t)
  corenet_tcp_bind_dns_port(named_t)
  corenet_udp_bind_dns_port(named_t)
@@ -9897,6 +9897,10 @@ index 1241123..4ec3437 100644
 +corenet_udp_bind_bgp_port(named_t)
  corenet_tcp_sendrecv_dns_port(named_t)
  corenet_udp_sendrecv_dns_port(named_t)
+-
++corenet_udp_bind_whois_port(named_t)
+ corenet_tcp_bind_rndc_port(named_t)
+ corenet_tcp_sendrecv_rndc_port(named_t)
  
 @@ -141,9 +150,13 @@ corenet_sendrecv_all_client_packets(named_t)
  corenet_tcp_connect_all_ports(named_t)
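Review bot: `corenet_udp_bind_whois_port(named_t)` lets the DNS server bind UDP port 43 with no explanation, and the bgp port bind above it appears to have arrived the same way; a resolver has no business owning whois, so this looks like named picking a low-numbered source port for an outgoing query. If that is the cause it will recur for other reserved ports and the fix belongs in BIND's `use-v4-udp-ports`/`avoid-v4-udp-ports` configuration, not in policy; if the bind is intentional, record the bug or use case on the line, e.g. `# named observed binding the whois port (reference here)`. The named_t network rules continue outside the hunk.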
@@ -15713,7 +15717,7 @@ index 954309e..6780142 100644
  ')
 +
 diff --git a/collectd.te b/collectd.te
-index 6471fa8..cb6a356 100644
+index 6471fa8..228b603 100644
 --- a/collectd.te
 +++ b/collectd.te
 @@ -26,43 +26,61 @@ files_type(collectd_var_lib_t)
@@ -15788,10 +15792,12 @@ index 6471fa8..cb6a356 100644
  
  logging_send_syslog_msg(collectd_t)
  
-@@ -74,17 +92,45 @@ tunable_policy(`collectd_tcp_network_connect',`
- 	corenet_tcp_sendrecv_all_ports(collectd_t)
+@@ -75,16 +93,47 @@ tunable_policy(`collectd_tcp_network_connect',`
  ')
  
+ optional_policy(`
++    lvm_read_config(collectd_t)
++')
 +
 +optional_policy(`
 +	pdns_stream_connect(collectd_t)
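Review bot: The new `lvm_read_config(collectd_t)` block is indented with four spaces while the neighbouring optional_policy bodies in this hunk use a tab (`pdns_stream_connect`, `virt_read_config`); keep one style, i.e. `	lvm_read_config(collectd_t)`. A one-line reason would also help, since a metrics collector reading LVM configuration is not obvious from the rule alone, e.g. `# needed by the collectd plugin that inspects LVM volumes (name it here)`. The collectd_t rules continue outside the hunk.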
@@ -15813,7 +15819,7 @@ index 6471fa8..cb6a356 100644
 +    snmp_read_snmp_var_lib_dirs(collectd_t)
 +')
 +
- optional_policy(`
++optional_policy(`
  	virt_read_config(collectd_t)
 +	virt_stream_connect(collectd_t)
  ')
@@ -23240,7 +23246,7 @@ index 62d22cb..1287d08 100644
 +
  ')
 diff --git a/dbus.te b/dbus.te
-index c9998c8..8b447a3 100644
+index c9998c8..27182fd 100644
 --- a/dbus.te
 +++ b/dbus.te
 @@ -4,17 +4,15 @@ gen_require(`
@@ -23284,7 +23290,7 @@ index c9998c8..8b447a3 100644
  
  ifdef(`enable_mcs',`
  	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
-@@ -51,59 +47,62 @@ ifdef(`enable_mls',`
+@@ -51,59 +47,64 @@ ifdef(`enable_mls',`
  	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
  ')
  
@@ -23349,6 +23355,8 @@ index c9998c8..8b447a3 100644
  
 -files_list_home(system_dbusd_t)
 -files_read_usr_files(system_dbusd_t)
++dev_rw_nvme(system_dbusd_t)
++
 +files_rw_inherited_non_security_files(system_dbusd_t)
  
  fs_getattr_all_fs(system_dbusd_t)
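Review bot: `dev_rw_nvme(system_dbusd_t)` hands the system message bus read/write (and therefore ioctl) on NVMe device nodes, which is far outside what a bus daemon needs and would let a compromised dbus-daemon issue controller commands directly. A denial like this normally comes from a bus-activated helper running in system_dbusd_t because it has no domain of its own, or from a device descriptor leaked into the daemon; the fix is a domain transition for that helper (or a dontaudit for the leaked fd), not a grant to the bus itself. If there is a genuine reason the bus daemon must open /dev/nvme*, record it on the line and narrow the access to the minimum permission set rather than the full rw pattern. The system_dbusd_t rules continue outside the hunk.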
@@ -23364,7 +23372,7 @@ index c9998c8..8b447a3 100644
  mls_fd_use_all_levels(system_dbusd_t)
  mls_rangetrans_target(system_dbusd_t)
  mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +122,174 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +124,174 @@ term_dontaudit_use_console(system_dbusd_t)
  auth_use_nsswitch(system_dbusd_t)
  auth_read_pam_console_data(system_dbusd_t)
  
@@ -23413,10 +23421,9 @@ index c9998c8..8b447a3 100644
  optional_policy(`
 -	policykit_read_lib(system_dbusd_t)
 +	cpufreqselector_dbus_chat(system_dbusd_t)
- ')
- 
- optional_policy(`
--	seutil_sigchld_newrole(system_dbusd_t)
++')
++
++optional_policy(`
 +	getty_start_services(system_dbusd_t)
 +')
 +
@@ -23442,9 +23449,10 @@ index c9998c8..8b447a3 100644
 +
 +optional_policy(`
 +    snapper_read_inherited_pipe(system_dbusd_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	seutil_sigchld_newrole(system_dbusd_t)
 +	sysnet_domtrans_dhcpc(system_dbusd_t)
 +')
 +
@@ -23486,7 +23494,7 @@ index c9998c8..8b447a3 100644
 +allow system_bus_type system_dbusd_t:unix_stream_socket rw_socket_perms;
 +
 +fs_search_all(system_bus_type)
- 
++
 +dbus_system_bus_client(system_bus_type)
 +dbus_connect_system_bus(system_bus_type)
 +
@@ -23516,7 +23524,7 @@ index c9998c8..8b447a3 100644
 +ifdef(`hide_broken_symptoms',`
 +	dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
 +')
-+
+ 
 +########################################
 +#
 +# session_bus_type rules
@@ -23553,7 +23561,7 @@ index c9998c8..8b447a3 100644
  kernel_read_kernel_sysctls(session_bus_type)
  
  corecmd_list_bin(session_bus_type)
-@@ -191,23 +298,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +300,18 @@ corecmd_read_bin_files(session_bus_type)
  corecmd_read_bin_pipes(session_bus_type)
  corecmd_read_bin_sockets(session_bus_type)
  
@@ -23578,7 +23586,7 @@ index c9998c8..8b447a3 100644
  files_dontaudit_search_var(session_bus_type)
  
  fs_getattr_romfs(session_bus_type)
-@@ -215,7 +317,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +319,6 @@ fs_getattr_xattr_fs(session_bus_type)
  fs_list_inotifyfs(session_bus_type)
  fs_dontaudit_list_nfs(session_bus_type)
  
@@ -23586,7 +23594,7 @@ index c9998c8..8b447a3 100644
  selinux_validate_context(session_bus_type)
  selinux_compute_access_vector(session_bus_type)
  selinux_compute_create_context(session_bus_type)
-@@ -225,18 +326,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +328,36 @@ selinux_compute_user_contexts(session_bus_type)
  auth_read_pam_console_data(session_bus_type)
  
  logging_send_audit_msgs(session_bus_type)
@@ -23628,7 +23636,7 @@ index c9998c8..8b447a3 100644
  ')
  
  ########################################
-@@ -244,5 +363,9 @@ optional_policy(`
+@@ -244,5 +365,9 @@ optional_policy(`
  # Unconfined access to this module
  #
  
@@ -42717,10 +42725,10 @@ index 182ab8b..8b1d9c2 100644
 +')
 +
 diff --git a/kdumpgui.te b/kdumpgui.te
-index 2990962..abd217f 100644
+index 2990962..6629aaf 100644
 --- a/kdumpgui.te
 +++ b/kdumpgui.te
-@@ -5,79 +5,89 @@ policy_module(kdumpgui, 1.2.0)
+@@ -5,79 +5,90 @@ policy_module(kdumpgui, 1.2.0)
  # Declarations
  #
  
@@ -42784,8 +42792,10 @@ index 2990962..abd217f 100644
  fs_list_hugetlbfs(kdumpgui_t)
 -fs_read_dos_files(kdumpgui_t)
  
- storage_raw_read_fixed_disk(kdumpgui_t)
+-storage_raw_read_fixed_disk(kdumpgui_t)
  storage_raw_write_fixed_disk(kdumpgui_t)
++storage_raw_read_removable_device(kdumpgui_t)
++storage_raw_read_fixed_disk(kdumpgui_t)
 +storage_getattr_removable_dev(kdumpgui_t)
  
  auth_use_nsswitch(kdumpgui_t)
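Review bot: `storage_raw_read_fixed_disk(kdumpgui_t)` is removed and re-added unchanged only so that the new `storage_raw_read_removable_device(kdumpgui_t)` can sit above it, which turns a one-line addition into three lines of patch churn and hides the real change; add the new call after the existing line instead, as a single `+storage_raw_read_removable_device(kdumpgui_t)`. The new rule also deserves a reason, since raw reads of removable media from a configuration GUI are not self-evident, e.g. `# probe removable devices offered as dump targets — confirm`. The kdumpgui_t rules continue outside the hunk.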
@@ -42829,7 +42839,7 @@ index 2990962..abd217f 100644
  ')
  
  optional_policy(`
-@@ -87,4 +97,10 @@ optional_policy(`
+@@ -87,4 +98,10 @@ optional_policy(`
  optional_policy(`
  	kdump_manage_config(kdumpgui_t)
  	kdump_initrc_domtrans(kdumpgui_t)
@@ -42941,7 +42951,7 @@ index 0000000..bd7e7fa
 +')
 diff --git a/keepalived.te b/keepalived.te
 new file mode 100644
-index 0000000..c4f0c32
+index 0000000..04c46e7
 --- /dev/null
 +++ b/keepalived.te
 @@ -0,0 +1,95 @@
@@ -42985,7 +42995,7 @@ index 0000000..c4f0c32
 +kernel_read_system_state(keepalived_t)
 +kernel_read_network_state(keepalived_t)
 +kernel_request_load_module(keepalived_t)
-+kernel_read_usermodehelper_state(keepalived_t)
++kernel_rw_usermodehelper_state(keepalived_t)
 +
 +auth_use_nsswitch(keepalived_t)
 +
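Review bot: Switching `kernel_read_usermodehelper_state` to `kernel_rw_usermodehelper_state` gives keepalived_t write access to the usermodehelper_t proc/sysfs entries, which in refpolicy-derived policies are the knobs naming the helper programs the kernel executes as root (modprobe, hotplug and similar), so a compromised keepalived could point the kernel at an attacker-controlled binary; this is effectively an unconfined grant. As far as I know keepalived's own sysctl writes are under net/ (nonlocal bind, rp_filter, arp tuning), which `kernel_rw_net_sysctls(keepalived_t)` covers, so the denial that motivated this should be checked for the exact path before keeping the wider rule. If a write to a usermodehelper_t path really is required, record which one on the line. The keepalived_t rules continue outside the hunk.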
@@ -72991,10 +73001,10 @@ index 0000000..f18fcc6
 +')
 diff --git a/pki.te b/pki.te
 new file mode 100644
-index 0000000..555b44a
+index 0000000..94da39a
 --- /dev/null
 +++ b/pki.te
-@@ -0,0 +1,283 @@
+@@ -0,0 +1,285 @@
 +policy_module(pki,10.0.11)
 +
 +########################################
@@ -73121,6 +73131,8 @@ index 0000000..555b44a
 +
 +selinux_get_enforce_mode(pki_tomcat_t)
 +
++libs_exec_ldconfig(pki_tomcat_t)
++
 +logging_send_audit_msgs(pki_tomcat_t)
 +
 +miscfiles_read_hwdata(pki_tomcat_t)
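Review bot: `libs_exec_ldconfig(pki_tomcat_t)` runs ldconfig inside pki_tomcat_t with no transition, so if the server ever runs it to rebuild the cache it would also need write access to the ld.so cache type, whereas `ldconfig -p` only reads it; the intent should be recorded, e.g. `# ldconfig is run read-only (ldconfig -p) by <caller>; no transition needed — confirm`. If a cache rebuild is the real need, `libs_domtrans_ldconfig(pki_tomcat_t)` keeps that privilege in ldconfig_t instead of widening the web server's domain. The pki_tomcat_t rules continue outside the hunk.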
@@ -84656,7 +84668,7 @@ index 2c3d338..7d49554 100644
  	init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/rabbitmq.te b/rabbitmq.te
-index dc3b0ed..b0ae2c6 100644
+index dc3b0ed..37aa9a7 100644
 --- a/rabbitmq.te
 +++ b/rabbitmq.te
 @@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.2)
@@ -84690,7 +84702,7 @@ index dc3b0ed..b0ae2c6 100644
  type rabbitmq_var_log_t;
  logging_log_file(rabbitmq_var_log_t)
  
-@@ -27,98 +31,93 @@ files_pid_file(rabbitmq_var_run_t)
+@@ -27,98 +31,96 @@ files_pid_file(rabbitmq_var_run_t)
  
  ######################################
  #
@@ -84793,6 +84805,7 @@ index dc3b0ed..b0ae2c6 100644
 +allow rabbitmq_t self:process { setsched signal signull };
 +allow rabbitmq_t self:fifo_file rw_fifo_file_perms;
 +allow rabbitmq_t self:tcp_socket { accept listen };
++allow rabbitmq_t self:unix_dgram_socket { connect create getopt setopt write };
 +
 +manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
 +manage_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
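Review bot: The permission set `{ connect create getopt setopt write }` on rabbitmq_t's own unix_dgram_socket reads like an audit2allow transcript rather than a chosen set: it omits `read`, `getattr`, `bind` and `shutdown` that the same socket will need next, and the policy's `create_socket_perms` macro is the usual way to express this. If the socket is the one syslog(3) opens, `logging_send_syslog_msg(rabbitmq_t)` already supplies the self socket permissions in refpolicy-derived policies (I believe) and this line is redundant; otherwise replace the list with `allow rabbitmq_t self:unix_dgram_socket create_socket_perms;`. The rabbitmq_t rules continue outside the hunk.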
@@ -84813,6 +84826,8 @@ index dc3b0ed..b0ae2c6 100644
 +manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
 +files_pid_filetrans(rabbitmq_t, rabbitmq_var_run_t, { dir file })
 +
++kernel_dgram_send(rabbitmq_t)
++
 +kernel_read_system_state(rabbitmq_t)
 +kernel_read_fs_sysctls(rabbitmq_t)
 +
@@ -96185,7 +96200,7 @@ index 50d07fb..a34db48 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 2b7c441..0aaed65 100644
+index 2b7c441..09e193b 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@@ -96717,7 +96732,7 @@ index 2b7c441..0aaed65 100644
  ')
  
  tunable_policy(`samba_domain_controller',`
-@@ -419,20 +459,10 @@ tunable_policy(`samba_domain_controller',`
+@@ -419,20 +459,16 @@ tunable_policy(`samba_domain_controller',`
  ')
  
  tunable_policy(`samba_enable_home_dirs',`
@@ -96726,21 +96741,25 @@ index 2b7c441..0aaed65 100644
 -	userdom_manage_user_home_content_symlinks(smbd_t)
 -	userdom_manage_user_home_content_sockets(smbd_t)
 -	userdom_manage_user_home_content_pipes(smbd_t)
--')
--
++	userdom_manage_user_home_content(smbd_t)
+ ')
+ 
 -tunable_policy(`samba_portmapper',`
 -	corenet_sendrecv_all_server_packets(smbd_t)
 -	corenet_tcp_bind_epmap_port(smbd_t)
 -	corenet_tcp_bind_all_unreserved_ports(smbd_t)
 -	corenet_tcp_sendrecv_all_ports(smbd_t)
-+	userdom_manage_user_home_content(smbd_t)
++optional_policy(`
++    tunable_policy(`samba_enable_home_dirs',`
++        apache_manage_user_content(smbd_t)
++    ')
  ')
  
 +# Support Samba sharing of NFS mount points
  tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_dirs(smbd_t)
  	fs_manage_nfs_files(smbd_t)
-@@ -441,6 +471,7 @@ tunable_policy(`samba_share_nfs',`
+@@ -441,6 +477,7 @@ tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_named_sockets(smbd_t)
  ')
  
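Review bot: Inside the new `optional_policy` block, `apache_manage_user_content(smbd_t)` is gated on `samba_enable_home_dirs`, so turning on home-directory sharing now also grants smbd create/write/unlink over the httpd user-content types (public_html and whatever else that interface covers in this policy), which an administrator enabling the boolean for plain home shares would not expect and which the boolean's description does not mention. Either extend the `samba_enable_home_dirs` tunable description to state that web content under home directories is included, or put this access under its own boolean. The block also uses four-space indentation where the surrounding tunable bodies use tabs.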
@@ -96748,7 +96767,7 @@ index 2b7c441..0aaed65 100644
  tunable_policy(`samba_share_fusefs',`
  	fs_manage_fusefs_dirs(smbd_t)
  	fs_manage_fusefs_files(smbd_t)
-@@ -448,15 +479,10 @@ tunable_policy(`samba_share_fusefs',`
+@@ -448,15 +485,10 @@ tunable_policy(`samba_share_fusefs',`
  	fs_search_fusefs(smbd_t)
  ')
  
@@ -96768,7 +96787,7 @@ index 2b7c441..0aaed65 100644
  ')
  
  optional_policy(`
-@@ -466,6 +492,7 @@ optional_policy(`
+@@ -466,6 +498,7 @@ optional_policy(`
  optional_policy(`
  	ctdbd_stream_connect(smbd_t)
  	ctdbd_manage_lib_files(smbd_t)
@@ -96776,7 +96795,7 @@ index 2b7c441..0aaed65 100644
  ')
  
  optional_policy(`
-@@ -474,11 +501,31 @@ optional_policy(`
+@@ -474,11 +507,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -96808,7 +96827,7 @@ index 2b7c441..0aaed65 100644
  	lpd_exec_lpr(smbd_t)
  ')
  
-@@ -488,6 +535,10 @@ optional_policy(`
+@@ -488,6 +541,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -96819,7 +96838,7 @@ index 2b7c441..0aaed65 100644
  	rpc_search_nfs_state_data(smbd_t)
  ')
  
-@@ -499,12 +550,53 @@ optional_policy(`
+@@ -499,12 +556,53 @@ optional_policy(`
  	udev_read_db(smbd_t)
  ')
  
@@ -96874,7 +96893,7 @@ index 2b7c441..0aaed65 100644
  allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow nmbd_t self:fd use;
  allow nmbd_t self:fifo_file rw_fifo_file_perms;
-@@ -512,9 +604,11 @@ allow nmbd_t self:msg { send receive };
+@@ -512,9 +610,11 @@ allow nmbd_t self:msg { send receive };
  allow nmbd_t self:msgq create_msgq_perms;
  allow nmbd_t self:sem create_sem_perms;
  allow nmbd_t self:shm create_shm_perms;
@@ -96889,7 +96908,7 @@ index 2b7c441..0aaed65 100644
  
  manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
  manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +620,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +626,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  
  manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -96914,7 +96933,7 @@ index 2b7c441..0aaed65 100644
  
  kernel_getattr_core_if(nmbd_t)
  kernel_getattr_message_if(nmbd_t)
-@@ -547,53 +637,44 @@ kernel_read_kernel_sysctls(nmbd_t)
+@@ -547,53 +643,44 @@ kernel_read_kernel_sysctls(nmbd_t)
  kernel_read_network_state(nmbd_t)
  kernel_read_software_raid_state(nmbd_t)
  kernel_read_system_state(nmbd_t)
@@ -96983,7 +97002,7 @@ index 2b7c441..0aaed65 100644
  ')
  
  optional_policy(`
-@@ -606,18 +687,29 @@ optional_policy(`
+@@ -606,18 +693,29 @@ optional_policy(`
  
  ########################################
  #
@@ -97019,7 +97038,7 @@ index 2b7c441..0aaed65 100644
  
  samba_read_config(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -627,39 +719,38 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,39 +725,38 @@ domain_use_interactive_fds(smbcontrol_t)
  
  dev_read_urand(smbcontrol_t)
  
@@ -97071,7 +97090,7 @@ index 2b7c441..0aaed65 100644
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
  
-@@ -668,26 +759,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +765,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
  
@@ -97107,7 +97126,7 @@ index 2b7c441..0aaed65 100644
  
  fs_getattr_cifs(smbmount_t)
  fs_mount_cifs(smbmount_t)
-@@ -699,58 +786,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +792,77 @@ fs_read_cifs_files(smbmount_t)
  storage_raw_read_fixed_disk(smbmount_t)
  storage_raw_write_fixed_disk(smbmount_t)
  
@@ -97199,7 +97218,7 @@ index 2b7c441..0aaed65 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +865,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +871,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
  manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
  files_pid_filetrans(swat_t, swat_var_run_t, file)
  
@@ -97223,7 +97242,7 @@ index 2b7c441..0aaed65 100644
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -777,36 +879,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +885,25 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -97266,7 +97285,7 @@ index 2b7c441..0aaed65 100644
  
  auth_domtrans_chk_passwd(swat_t)
  auth_use_nsswitch(swat_t)
-@@ -818,10 +909,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +915,11 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -97280,7 +97299,7 @@ index 2b7c441..0aaed65 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -840,17 +932,20 @@ optional_policy(`
+@@ -840,17 +938,20 @@ optional_policy(`
  # Winbind local policy
  #
  
@@ -97307,7 +97326,7 @@ index 2b7c441..0aaed65 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +955,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +961,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
  filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
  
  manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -97318,7 +97337,7 @@ index 2b7c441..0aaed65 100644
  manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
  
  manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,38 +966,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,38 +972,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
  
  rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  
@@ -97372,7 +97391,7 @@ index 2b7c441..0aaed65 100644
  corenet_tcp_connect_smbd_port(winbind_t)
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,38 +1009,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,38 +1015,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
  dev_read_sysfs(winbind_t)
  dev_read_urand(winbind_t)
  
@@ -97431,7 +97450,7 @@ index 2b7c441..0aaed65 100644
  ')
  
  optional_policy(`
-@@ -959,31 +1070,36 @@ optional_policy(`
+@@ -959,31 +1076,36 @@ optional_policy(`
  # Winbind helper local policy
  #
  
@@ -97475,7 +97494,7 @@ index 2b7c441..0aaed65 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -997,25 +1113,38 @@ optional_policy(`
+@@ -997,25 +1119,38 @@ optional_policy(`
  
  ########################################
  #
@@ -110367,7 +110386,7 @@ index 0000000..eef708d
 +/var/run/tlp(/.*)?		gen_context(system_u:object_r:tlp_var_run_t,s0)
 diff --git a/tlp.if b/tlp.if
 new file mode 100644
-index 0000000..46f12a4
+index 0000000..368e188
 --- /dev/null
 +++ b/tlp.if
 @@ -0,0 +1,184 @@
@@ -110510,7 +110529,7 @@ index 0000000..46f12a4
 +	')
 +
 +	files_search_pids($1)
-+	read_files_pattern($1, tlp_var_run_t, tlp_var_run_t)
++	manage_files_pattern($1, tlp_var_run_t, tlp_var_run_t)
 +')
 +
 +########################################
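Review bot: Changing `read_files_pattern` to `manage_files_pattern` on tlp_var_run_t turns a read interface into one that lets callers create, write and delete TLP's pid files; the interface name and its `<summary>` are above the hunk, and if they still describe read access every existing caller silently gains write rights. Add a separate `tlp_manage_pid_files` interface for the caller that needs it and leave the read one unchanged, or, if the rename happened outside the hunk, make sure the summary says manage. The interface's opening lines are outside the hunk.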
@@ -111401,10 +111420,10 @@ index 61c2e07..3b86095 100644
 +	')
  ')
 diff --git a/tor.te b/tor.te
-index 5ceacde..c919a2d 100644
+index 5ceacde..a395940 100644
 --- a/tor.te
 +++ b/tor.te
-@@ -13,6 +13,13 @@ policy_module(tor, 1.9.0)
+@@ -13,6 +13,20 @@ policy_module(tor, 1.9.0)
  ## </desc>
  gen_tunable(tor_bind_all_unreserved_ports, false)
  
@@ -111415,10 +111434,17 @@ index 5ceacde..c919a2d 100644
 +## </desc>
 +gen_tunable(tor_can_network_relay, false)
 +
++## <desc>
++## <p>
++## Allow tor to run onion services
++## </p>
++## </desc>
++gen_tunable(tor_can_onion_services, false)
++
  type tor_t;
  type tor_exec_t;
  init_daemon_domain(tor_t, tor_exec_t)
-@@ -25,13 +32,19 @@ init_script_file(tor_initrc_exec_t)
+@@ -25,13 +39,19 @@ init_script_file(tor_initrc_exec_t)
  
  type tor_var_lib_t;
  files_type(tor_var_lib_t)
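Review bot: The `<desc>` for `tor_can_onion_services` says only "Allow tor to run onion services", which does not tell an administrator what the boolean grants; later in this patch it appears to enable DAC-bypass capabilities for tor_t, and that consequence belongs here because the description is what `semanage boolean -l` shows. Suggested wording: `Allow tor to bypass DAC permission checks (dac_override, dac_read_search), e.g. for onion service directories it does not own`.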
@@ -111438,7 +111464,7 @@ index 5ceacde..c919a2d 100644
  
  ########################################
  #
-@@ -48,6 +61,8 @@ allow tor_t tor_etc_t:dir list_dir_perms;
+@@ -48,6 +68,8 @@ allow tor_t tor_etc_t:dir list_dir_perms;
  allow tor_t tor_etc_t:file read_file_perms;
  allow tor_t tor_etc_t:lnk_file read_lnk_file_perms;
  
@@ -111447,7 +111473,7 @@ index 5ceacde..c919a2d 100644
  manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
  manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
  manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
-@@ -77,7 +92,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
+@@ -77,7 +99,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
  corenet_udp_sendrecv_generic_node(tor_t)
  corenet_tcp_bind_generic_node(tor_t)
  corenet_udp_bind_generic_node(tor_t)
@@ -111455,7 +111481,7 @@ index 5ceacde..c919a2d 100644
  corenet_sendrecv_dns_server_packets(tor_t)
  corenet_udp_bind_dns_port(tor_t)
  corenet_udp_sendrecv_dns_port(tor_t)
-@@ -85,6 +99,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
+@@ -85,6 +106,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
  corenet_sendrecv_tor_server_packets(tor_t)
  corenet_tcp_bind_tor_port(tor_t)
  corenet_tcp_sendrecv_tor_port(tor_t)
@@ -111463,7 +111489,7 @@ index 5ceacde..c919a2d 100644
  
  corenet_sendrecv_all_client_packets(tor_t)
  corenet_tcp_connect_all_ports(tor_t)
-@@ -98,19 +113,22 @@ dev_read_urand(tor_t)
+@@ -98,19 +120,26 @@ dev_read_urand(tor_t)
  domain_use_interactive_fds(tor_t)
  
  files_read_etc_runtime_files(tor_t)
@@ -111486,6 +111512,10 @@ index 5ceacde..c919a2d 100644
 +	corenet_tcp_bind_http_port(tor_t)
 +')
 +
++tunable_policy(`tor_can_onion_services',`
++    allow tor_t self:capability { dac_read_search dac_override };
++')
++
  optional_policy(`
  	seutil_sigchld_newrole(tor_t)
  ')
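Review bot: The `tor_can_onion_services` block grants `dac_override` and `dac_read_search`, which let tor_t ignore file mode bits on anything type enforcement already lets it reach; that is a general DAC bypass, not an onion-service permission, and since tor itself typically checks that a HiddenServiceDir is owned by its user and not group/world accessible, the usual cause is a directory with wrong ownership that should be fixed with chown rather than policy. If some access genuinely needs it, `dac_read_search` alone usually suffices for reading and should be tried first, leaving `dac_override` out. The block is also indented with four spaces where the adjacent tunable bodies use tabs.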
@@ -112061,10 +112091,10 @@ index 0000000..45304ea
 +')
 diff --git a/udisks2.te b/udisks2.te
 new file mode 100644
-index 0000000..5312470
+index 0000000..617ee56
 --- /dev/null
 +++ b/udisks2.te
-@@ -0,0 +1,57 @@
+@@ -0,0 +1,58 @@
 +policy_module(udisks2, 1.0.0)
 +
 +########################################
@@ -112112,6 +112142,7 @@ index 0000000..5312470
 +logging_send_syslog_msg(udisks2_t)
 +
 +storage_raw_read_fixed_disk(udisks2_t)
++storage_raw_read_removable_device(udisks2_t)
 +
 +udev_read_db(udisks2_t)
 +
@@ -115918,7 +115949,7 @@ index facdee8..b5a815a 100644
 +	dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..066b1c3 100644
+index f03dcf5..ac277da 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,451 +1,422 @@
@@ -116955,7 +116986,7 @@ index f03dcf5..066b1c3 100644
  	kernel_read_xen_state(virtd_t)
  	kernel_write_xen_state(virtd_t)
  
-@@ -746,44 +727,350 @@ optional_policy(`
+@@ -746,44 +727,353 @@ optional_policy(`
  	udev_read_pid_files(virtd_t)
  ')
  
@@ -117016,6 +117047,9 @@ index f03dcf5..066b1c3 100644
 -can_exec(virsh_t, virsh_exec_t)
 +allow virtlogd_t self:unix_stream_socket create_stream_socket_perms;
 +
++# Allow virtlogd_t to execute itself.
++allow virtlogd_t virtlogd_exec_t:file execute_no_trans;
++
 +dev_read_sysfs(virtlogd_t)
 +
 +logging_send_syslog_msg(virtlogd_t)
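Review bot: The comment `# Allow virtlogd_t to execute itself.` restates the rule below it without saying why a daemon would re-execute its own binary; if this is for virtlogd's re-exec on SIGUSR1 (re-executing itself to pick up an upgraded binary while keeping its open log descriptors), say that, e.g. `# virtlogd re-execs itself (SIGUSR1) to upgrade in place while keeping log fds open; stay in virtlogd_t — confirm`. The idiomatic spelling is `can_exec(virtlogd_t, virtlogd_exec_t)`, which also covers the read/open/map permissions an exec needs. The virtlogd_t rule block continues outside the hunk.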
@@ -117104,7 +117138,7 @@ index f03dcf5..066b1c3 100644
 +stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t)
 +
 +dontaudit virtd_t virt_domain:process  { siginh noatsecure rlimitinh };
- 
++
 +dontaudit virt_domain virt_tmpfs_type:file { read write };
 +
 +append_files_pattern(virt_domain, virt_log_t, virt_log_t)
@@ -117153,7 +117187,7 @@ index f03dcf5..066b1c3 100644
 +fs_rw_inherited_nfs_files(virt_domain)
 +fs_rw_inherited_cifs_files(virt_domain)
 +fs_rw_inherited_noxattr_fs_files(virt_domain)
-+
+ 
 +# I think we need these for now.
 +miscfiles_read_public_files(virt_domain)
 +miscfiles_read_generic_certs(virt_domain)
@@ -117328,7 +117362,7 @@ index f03dcf5..066b1c3 100644
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1081,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1084,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -117355,7 +117389,7 @@ index f03dcf5..066b1c3 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1101,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1104,25 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -117389,7 +117423,7 @@ index f03dcf5..066b1c3 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1138,20 @@ optional_policy(`
+@@ -856,14 +1141,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -117411,7 +117445,7 @@ index f03dcf5..066b1c3 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -888,49 +1176,66 @@ optional_policy(`
+@@ -888,49 +1179,66 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -117496,7 +117530,7 @@ index f03dcf5..066b1c3 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1247,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1250,16 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -117516,7 +117550,7 @@ index f03dcf5..066b1c3 100644
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1268,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1271,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -117540,7 +117574,7 @@ index f03dcf5..066b1c3 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1293,296 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1296,296 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -117571,8 +117605,7 @@ index f03dcf5..066b1c3 100644
 +optional_policy(`
 +    container_exec_lib(virtd_lxc_t)
 +')
- 
--sysnet_domtrans_ifconfig(virtd_lxc_t)
++
 +optional_policy(`
 +	gnome_read_generic_cache_files(virtd_lxc_t)
 +')
@@ -117580,7 +117613,8 @@ index f03dcf5..066b1c3 100644
 +optional_policy(`
 +	setrans_manage_pid_files(virtd_lxc_t)
 +')
-+
+ 
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
 +optional_policy(`
 +	unconfined_domain(virtd_lxc_t)
 +')
@@ -117703,6 +117737,21 @@ index f03dcf5..066b1c3 100644
 +userdom_use_inherited_user_terminals(svirt_sandbox_domain)
 +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
 +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
++
++optional_policy(`
++tunable_policy(`virt_sandbox_share_apache_content',`
++		apache_exec_modules(svirt_sandbox_domain)
++		apache_read_sys_content(svirt_sandbox_domain)
++	')
++')
++
++optional_policy(`
++	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++')
++
++optional_policy(`
++	ssh_use_ptys(svirt_sandbox_domain)
++')
  
 -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
 -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -117787,31 +117836,14 @@ index f03dcf5..066b1c3 100644
 -
 -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +optional_policy(`
-+tunable_policy(`virt_sandbox_share_apache_content',`
-+		apache_exec_modules(svirt_sandbox_domain)
-+		apache_read_sys_content(svirt_sandbox_domain)
-+	')
-+')
-+
-+optional_policy(`
-+	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
-+	ssh_use_ptys(svirt_sandbox_domain)
++	udev_read_pid_files(svirt_sandbox_domain)
 +')
  
  optional_policy(`
 -	udev_read_pid_files(svirt_lxc_domain)
-+	udev_read_pid_files(svirt_sandbox_domain)
- ')
- 
- optional_policy(`
--	apache_exec_modules(svirt_lxc_domain)
--	apache_read_sys_content(svirt_lxc_domain)
 +	userhelper_dontaudit_write_config(svirt_sandbox_domain)
- ')
- 
++')
++
 +tunable_policy(`virt_use_nfs',`
 +	fs_manage_nfs_dirs(svirt_sandbox_domain)
 +	fs_manage_nfs_files(svirt_sandbox_domain)
@@ -117838,9 +117870,11 @@ index f03dcf5..066b1c3 100644
 +    fs_mount_fusefs(svirt_sandbox_domain)
 +    fs_unmount_fusefs(svirt_sandbox_domain)
 +    fs_exec_fusefs_files(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	apache_exec_modules(svirt_lxc_domain)
+-	apache_read_sys_content(svirt_lxc_domain)
 +    container_read_share_files(svirt_sandbox_domain)
 +    container_exec_share_files(svirt_sandbox_domain)
 +    container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file)
@@ -117848,23 +117882,16 @@ index f03dcf5..066b1c3 100644
 +    container_spc_stream_connect(svirt_sandbox_domain)
 +    fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
 +    dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)
-+')
-+
-+########################################
-+#
-+# container_t local policy
-+#
-+virt_sandbox_domain_template(container)
-+typealias container_t alias svirt_lxc_net_t;
-+# Policy moved to container-selinux policy package
-+
+ ')
+ 
  ########################################
  #
 -# Lxc net local policy
 +# container_t local policy
  #
-+virt_sandbox_domain_template(svirt_qemu_net)
-+typeattribute svirt_qemu_net_t sandbox_net_domain;
++virt_sandbox_domain_template(container)
++typealias container_t alias svirt_lxc_net_t;
++# Policy moved to container-selinux policy package
  
 -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
 -dontaudit svirt_lxc_net_t self:capability2 block_suspend;
@@ -117877,17 +117904,18 @@ index f03dcf5..066b1c3 100644
 -allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
 -allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
 -allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
-+dontaudit svirt_qemu_net_t self:capability2 block_suspend;
-+allow svirt_qemu_net_t self:process { execstack execmem };
++########################################
++#
++# container_t local policy
++#
++virt_sandbox_domain_template(svirt_qemu_net)
++typeattribute svirt_qemu_net_t sandbox_net_domain;
  
 -kernel_read_network_state(svirt_lxc_net_t)
 -kernel_read_irq_sysctls(svirt_lxc_net_t)
-+tunable_policy(`virt_sandbox_use_netlink',`
-+	allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
-+	allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
-+	allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
-+')
++allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
++dontaudit svirt_qemu_net_t self:capability2 block_suspend;
++allow svirt_qemu_net_t self:process { execstack execmem };
  
 -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
 -corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
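Review bot: The section header re-added just before `virt_sandbox_domain_template(svirt_qemu_net)` reads `# container_t local policy`, the same title as the container_t section above it, so the svirt_qemu_net_t rules now sit under the wrong heading; change it to `# svirt_qemu_net_t local policy`. The capability line moved with it (`sys_admin sys_ptrace dac_override ...` on a sandbox domain) is unchanged by this commit, but a reader will reach it under a misleading title. The svirt_qemu_net_t section continues outside the hunk.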
@@ -117899,6 +117927,15 @@ index f03dcf5..066b1c3 100644
 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
 -corenet_tcp_bind_generic_node(svirt_lxc_net_t)
 -corenet_udp_bind_generic_node(svirt_lxc_net_t)
++tunable_policy(`virt_sandbox_use_netlink',`
++	allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
++	allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
++	allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
++')
+ 
+-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
+-corenet_udp_bind_all_ports(svirt_lxc_net_t)
+-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
 +manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
 +manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
 +manage_fifo_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
@@ -117906,55 +117943,52 @@ index f03dcf5..066b1c3 100644
 +manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
 +filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file })
  
--corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
--corenet_udp_bind_all_ports(svirt_lxc_net_t)
--corenet_tcp_bind_all_ports(svirt_lxc_net_t)
-+term_use_generic_ptys(svirt_qemu_net_t)
-+term_use_ptmx(svirt_qemu_net_t)
- 
 -corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
 -corenet_tcp_connect_all_ports(svirt_lxc_net_t)
-+dev_rw_kvm(svirt_qemu_net_t)
++term_use_generic_ptys(svirt_qemu_net_t)
++term_use_ptmx(svirt_qemu_net_t)
  
 -dev_getattr_mtrr_dev(svirt_lxc_net_t)
 -dev_read_rand(svirt_lxc_net_t)
 -dev_read_sysfs(svirt_lxc_net_t)
 -dev_read_urand(svirt_lxc_net_t)
-+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
++dev_rw_kvm(svirt_qemu_net_t)
  
 -files_read_kernel_modules(svirt_lxc_net_t)
-+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
++manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
  
 -fs_mount_cgroup(svirt_lxc_net_t)
 -fs_manage_cgroup_dirs(svirt_lxc_net_t)
 -fs_rw_cgroup_files(svirt_lxc_net_t)
-+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
++list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
++read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
  
 -auth_use_nsswitch(svirt_lxc_net_t)
-+kernel_read_irq_sysctls(svirt_qemu_net_t)
++append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
  
 -logging_send_audit_msgs(svirt_lxc_net_t)
++kernel_read_irq_sysctls(svirt_qemu_net_t)
+ 
+-userdom_use_user_ptys(svirt_lxc_net_t)
 +dev_read_sysfs(svirt_qemu_net_t)
 +dev_getattr_mtrr_dev(svirt_qemu_net_t)
 +dev_read_rand(svirt_qemu_net_t)
 +dev_read_urand(svirt_qemu_net_t)
  
--userdom_use_user_ptys(svirt_lxc_net_t)
-+files_read_kernel_modules(svirt_qemu_net_t)
- 
 -optional_policy(`
 -	rpm_read_db(svirt_lxc_net_t)
 -')
-+fs_noxattr_type(container_file_t)
-+fs_mount_cgroup(svirt_qemu_net_t)
-+fs_manage_cgroup_dirs(svirt_qemu_net_t)
-+fs_manage_cgroup_files(svirt_qemu_net_t)
++files_read_kernel_modules(svirt_qemu_net_t)
  
 -#######################################
 -#
 -# Prot exec local policy
 -#
++fs_noxattr_type(container_file_t)
++fs_mount_cgroup(svirt_qemu_net_t)
++fs_manage_cgroup_dirs(svirt_qemu_net_t)
++fs_manage_cgroup_files(svirt_qemu_net_t)
++
 +term_pty(container_file_t)
 +
 +auth_use_nsswitch(svirt_qemu_net_t)
@@ -117984,7 +118018,7 @@ index f03dcf5..066b1c3 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1174,12 +1595,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1598,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -117999,7 +118033,7 @@ index f03dcf5..066b1c3 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1192,7 +1613,7 @@ optional_policy(`
+@@ -1192,7 +1616,7 @@ optional_policy(`
  
  ########################################
  #
@@ -118008,7 +118042,7 @@ index f03dcf5..066b1c3 100644
  #
  
  allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1622,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1625,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
  allow virt_bridgehelper_t self:tun_socket create_socket_perms;
  allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
  
@@ -118240,6 +118274,7 @@ index f03dcf5..066b1c3 100644
 +kernel_read_network_state(sandbox_net_domain)
 +
 +allow sandbox_net_domain self:capability { net_raw net_admin net_bind_service };
++allow sandbox_net_domain self:cap_userns { net_raw net_admin net_bind_service };
 +
 +allow sandbox_net_domain self:udp_socket create_socket_perms;
 +allow sandbox_net_domain self:tcp_socket create_stream_socket_perms;
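Review bot: The new `cap_userns` rule repeats the permission set of the `capability` rule directly above it with nothing tying the two together, so a later edit to one of them will silently leave the other out of sync. A one-line comment makes the pairing explicit: `# cap_userns: same set as the capability rule above, for processes inside a user namespace`. The same applies to the `sandbox_caps_domain` hunk (`@@ -118267`), where the duplicated list is considerably longer and the drift risk correspondingly higher. If the intent is that both sets must always match, the note should say so.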
@@ -118267,6 +118302,7 @@ index f03dcf5..066b1c3 100644
 +')
 +
 +allow sandbox_caps_domain self:capability { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
++allow sandbox_caps_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
 +
 +list_dirs_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t)
 +read_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t)
@@ -121629,7 +121665,7 @@ index dd63de0..38ce620 100644
 -	admin_pattern($1, zabbix_tmpfs_t)
  ')
 diff --git a/zabbix.te b/zabbix.te
-index 7f496c6..aab4f86 100644
+index 7f496c6..bf2ae51 100644
 --- a/zabbix.te
 +++ b/zabbix.te
 @@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
@@ -121879,7 +121915,7 @@ index 7f496c6..aab4f86 100644
  corenet_sendrecv_zabbix_client_packets(zabbix_agent_t)
  corenet_tcp_connect_zabbix_port(zabbix_agent_t)
  corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
-@@ -177,21 +218,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
+@@ -177,21 +218,50 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
  dev_getattr_all_blk_files(zabbix_agent_t)
  dev_getattr_all_chr_files(zabbix_agent_t)
  
@@ -121923,6 +121959,7 @@ index 7f496c6..aab4f86 100644
 +allow zabbix_t zabbix_script_exec_t:dir search_dir_perms;
 +allow zabbix_t zabbix_script_exec_t:dir read_file_perms;
 +allow zabbix_t zabbix_script_exec_t:file ioctl;
++allow zabbix_t zabbix_script_t:process signal;
 +
 +init_domtrans_script(zabbix_script_t)
 +
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 64a3b35..0a0d7bb 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 256%{?dist}
+Release: 258%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -689,6 +689,25 @@ exit 0
 %endif
 
 %changelog
+* Thu Jun 08 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-257
+- Merge pull request #10 from mscherer/fix_tor_dac
+- Merge pull request #9 from rhatdan/rawhide
+- Merge pull request #13 from vinzent/allow_zabbix_t_to_kill_zabbix_script_t
+- Allow kdumpgui to read removable disk device
+- Allow systemd_dbusd_t domain read/write to nvme devices
+- Allow udisks2 domain to read removable devices BZ(1443981)
+- Allow virtlogd_t to execute itself
+- Allow keepalived to read/write usermodehelper state
+- Allow named_t to bind on udp 4321 port
+- Fix interface tlp_manage_pid_files()
+- Allow collectd domain read lvm config files. BZ(1459097)
+- Merge branch 'rawhide' of github.com:wrabcak/selinux-policy-contrib into rawhide
+- Allow samba_manage_home_dirs boolean to manage user content
+- Merge pull request #14 from lemenkov/rabbitmq_systemd_notify
+- Allow pki_tomcat_t execute ldconfig.
+- Merge pull request #191 from rhatdan/udev
+- Allow systemd_modules_load_t to load modules
+
 * Mon Jun 05 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-256
 - Allow keepalived domain connect to squid tcp port
 - Allow krb5kdc_t domain read realmd lib files.
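Review bot: The `Release:` field in the earlier hunk goes from 256 to 258, but the only changelog entry added here is headed `3.13.1-257`, so the spec's newest changelog version no longer matches the package version it builds. Either the header should read `* Thu Jun 08 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-258` (if 257 was never published) or a separate 258 entry is missing; as written, rpmlint is likely to report the changelog as incoherent with the release.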