diff --git a/container-selinux.tgz b/container-selinux.tgz
index b151925..930b000 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index dfc836d..800ac4a 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -10185,7 +10185,7 @@ index 6a1e4d1..26e5558 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..9e9400f 100644
+index cf04cb5..990ecf3 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -10373,7 +10373,7 @@ index cf04cb5..9e9400f 100644
+')
+
+optional_policy(`
-+ docker_filetrans_named_content(named_filetrans_domain)
++ container_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
@@ -10717,7 +10717,7 @@ index cf04cb5..9e9400f 100644
+')
+
+optional_policy(`
-+ docker_spc_stream_connect(domain)
++ container_spc_stream_connect(domain)
+')
+
+optional_policy(`
@@ -25403,7 +25403,7 @@ index 234a940..a92415a 100644
########################################
##
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 0fef1fc..59d8b87 100644
+index 0fef1fc..c3b8b13 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,73 @@ policy_module(staff, 2.4.0)
@@ -25509,8 +25509,8 @@ index 0fef1fc..59d8b87 100644
optional_policy(`
- git_role(staff_r, staff_t)
-+ docker_stream_connect(staff_t)
-+ docker_exec(staff_t)
++ container_stream_connect(staff_t)
++ container_runtime_exec(staff_t)
+')
+
+optional_policy(`
@@ -25802,7 +25802,7 @@ index ff92430..36740ea 100644
##
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6..d389826 100644
+index 2522ca6..47b6d44 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,92 @@ policy_module(sysadm, 2.6.1)
@@ -25898,7 +25898,7 @@ index 2522ca6..d389826 100644
+')
+
+optional_policy(`
-+ docker_stream_connect(sysadm_t)
++ container_stream_connect(sysadm_t)
+')
+
+optional_policy(`
@@ -27237,7 +27237,7 @@ index 0000000..15b42ae
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..79f40da
+index 0000000..60c3f9d
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,358 @@
@@ -27436,7 +27436,7 @@ index 0000000..79f40da
+')
+
+optional_policy(`
-+ docker_entrypoint(unconfined_t)
++ container_runtime_entrypoint(unconfined_t)
+')
+
+optional_policy(`
@@ -31791,7 +31791,7 @@ index 6bf0ecc..e6be63a 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..010654c 100644
+index 8b40377..b4908dd 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@@ -32301,7 +32301,7 @@ index 8b40377..010654c 100644
corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -389,38 +559,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -389,38 +559,50 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -32346,6 +32346,7 @@ index 8b40377..010654c 100644
dev_setattr_power_mgmt_dev(xdm_t)
+dev_getattr_null_dev(xdm_t)
+dev_setattr_null_dev(xdm_t)
++dev_read_nvme(xdm_t)
domain_use_interactive_fds(xdm_t)
# Do not audit denied probes of /proc.
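Review bot: The added `dev_read_nvme(xdm_t)` line gives the display manager read access to NVMe block device nodes, a noticeably wider grant than the null-device getattr/setattr lines it is appended to, and nothing in the hunk records which component needs it. The neighbouring rules handle the comparable fixed-disk case with `storage_dontaudit_read_fixed_disk(xdm_t)`, so if the trigger is a probe whose denial merely needs silencing, a dontaudit variant would be the narrower choice. If real read access is required, add a comment above the line naming the reader and the tracking reference, e.g. `# <component> reads nvme device nodes, see <bug-id placeholder>`.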
@@ -32355,7 +32356,7 @@ index 8b40377..010654c 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -431,9 +612,30 @@ files_list_mnt(xdm_t)
+@@ -431,9 +613,30 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -32386,7 +32387,7 @@ index 8b40377..010654c 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,28 +644,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +645,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -32437,7 +32438,7 @@ index 8b40377..010654c 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +692,163 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +693,163 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -32607,7 +32608,7 @@ index 8b40377..010654c 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,12 +861,31 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,12 +862,31 @@ tunable_policy(`xdm_sysadm_login',`
# allow xserver_t xdm_tmpfs_t:file rw_file_perms;
')
@@ -32639,7 +32640,7 @@ index 8b40377..010654c 100644
')
optional_policy(`
-@@ -518,8 +896,36 @@ optional_policy(`
+@@ -518,8 +897,36 @@ optional_policy(`
dbus_system_bus_client(xdm_t)
dbus_connect_system_bus(xdm_t)
@@ -32677,7 +32678,7 @@ index 8b40377..010654c 100644
')
')
-@@ -530,6 +936,20 @@ optional_policy(`
+@@ -530,6 +937,20 @@ optional_policy(`
')
optional_policy(`
@@ -32698,7 +32699,7 @@ index 8b40377..010654c 100644
hostname_exec(xdm_t)
')
-@@ -547,28 +967,78 @@ optional_policy(`
+@@ -547,28 +968,78 @@ optional_policy(`
')
optional_policy(`
@@ -32786,7 +32787,7 @@ index 8b40377..010654c 100644
')
optional_policy(`
-@@ -580,6 +1050,14 @@ optional_policy(`
+@@ -580,6 +1051,14 @@ optional_policy(`
')
optional_policy(`
@@ -32801,7 +32802,7 @@ index 8b40377..010654c 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,7 +1072,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1073,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -32810,7 +32811,7 @@ index 8b40377..010654c 100644
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1082,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1083,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -32823,7 +32824,7 @@ index 8b40377..010654c 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1099,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1100,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -32839,7 +32840,7 @@ index 8b40377..010654c 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1115,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1116,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -32850,7 +32851,7 @@ index 8b40377..010654c 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1130,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1131,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -32892,7 +32893,7 @@ index 8b40377..010654c 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1181,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1182,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -32924,7 +32925,7 @@ index 8b40377..010654c 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -705,6 +1214,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1215,14 @@ fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -32939,7 +32940,7 @@ index 8b40377..010654c 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -718,20 +1235,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1236,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -32963,7 +32964,7 @@ index 8b40377..010654c 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1254,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1255,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -32972,7 +32973,7 @@ index 8b40377..010654c 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1298,54 @@ optional_policy(`
+@@ -785,17 +1299,54 @@ optional_policy(`
')
optional_policy(`
@@ -33029,7 +33030,7 @@ index 8b40377..010654c 100644
')
optional_policy(`
-@@ -803,6 +1353,10 @@ optional_policy(`
+@@ -803,6 +1354,10 @@ optional_policy(`
')
optional_policy(`
@@ -33040,7 +33041,7 @@ index 8b40377..010654c 100644
xfs_stream_connect(xserver_t)
')
-@@ -818,18 +1372,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1373,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -33065,7 +33066,7 @@ index 8b40377..010654c 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -842,26 +1395,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1396,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -33100,7 +33101,7 @@ index 8b40377..010654c 100644
')
optional_policy(`
-@@ -912,7 +1460,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1461,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -33109,7 +33110,7 @@ index 8b40377..010654c 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -966,11 +1514,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1515,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -33141,7 +33142,7 @@ index 8b40377..010654c 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -992,18 +1560,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1561,148 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -42422,7 +42423,7 @@ index 58bc27f..9e86fce 100644
+
+
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 79048c4..a6a1d12 100644
+index 79048c4..262c9ec 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -42658,7 +42659,7 @@ index 79048c4..a6a1d12 100644
')
optional_policy(`
-+ docker_rw_sem(lvm_t)
++ container_rw_sem(lvm_t)
+')
+
+optional_policy(`
@@ -49099,7 +49100,7 @@ index 0000000..16cd1ac
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..f2c6d14
+index 0000000..bd6672d
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,971 @@
@@ -49446,8 +49447,8 @@ index 0000000..f2c6d14
+')
+
+optional_policy(`
-+ docker_read_share_files(systemd_machined_t)
-+ docker_spc_read_state(systemd_machined_t)
++ container_read_share_files(systemd_machined_t)
++ container_spc_read_state(systemd_machined_t)
+')
+
+optional_policy(`
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index c0c7d57..48b201d 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -589,7 +589,7 @@ index 058d908..ee0c559 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index eb50f07..5f57515 100644
+index eb50f07..a308065 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -873,7 +873,7 @@ index eb50f07..5f57515 100644
')
optional_policy(`
-+ docker_stream_connect(abrt_t)
++ container_stream_connect(abrt_t)
+')
+
+optional_policy(`
@@ -1070,7 +1070,7 @@ index eb50f07..5f57515 100644
-allow abrt_dump_oops_t self:capability dac_override;
+allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override setuid setgid };
-+allow abrt_dump_oops_t self:cap_userns { kill };
++allow abrt_dump_oops_t self:cap_userns { kill sys_ptrace };
+allow abrt_dump_oops_t self:process setfscreate;
allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
-allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
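Review bot: The `cap_userns` rule for `abrt_dump_oops_t` now includes `sys_ptrace`, and the same capability is added to `pegasus_t`'s `self:capability` line later in this patch, in both cases without a comment recording which operation was denied. `sys_ptrace` is the capability behind reading other users' /proc/<pid> state as well as attaching to their processes, and it is commonly requested by daemons that merely enumerate /proc; when that is the cause, a `dontaudit` of the same permission (the form `dontaudit pegasus_t self:capability sys_tty_config;` already uses in the pegasus hunk) is the smaller change. Where the grant is genuinely needed, put a one-line comment above each rule naming the operation and the tracking reference, e.g. `# reads /proc/<pid>/... of other users, see <bug-id placeholder>`.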
@@ -5492,7 +5492,7 @@ index f6eb485..757b864 100644
+ ps_process_pattern(httpd_t, $1)
')
diff --git a/apache.te b/apache.te
-index 6649962..4cb64e5 100644
+index 6649962..248b38c 100644
--- a/apache.te
+++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@@ -6210,7 +6210,7 @@ index 6649962..4cb64e5 100644
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -450,140 +575,176 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -450,140 +575,177 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -6277,6 +6277,7 @@ index 6649962..4cb64e5 100644
-fs_search_auto_mountpoints(httpd_t)
+fs_rw_anon_inodefs_files(httpd_t)
+fs_rw_hugetlbfs_files(httpd_t)
++fs_list_inotifyfs(httpd_t)
+
+auth_use_nsswitch(httpd_t)
+
@@ -6451,7 +6452,7 @@ index 6649962..4cb64e5 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -594,28 +755,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -594,28 +756,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -6511,7 +6512,7 @@ index 6649962..4cb64e5 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +807,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +808,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -6614,7 +6615,7 @@ index 6649962..4cb64e5 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -695,49 +866,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,49 +867,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -6695,7 +6696,7 @@ index 6649962..4cb64e5 100644
')
optional_policy(`
-@@ -749,24 +919,32 @@ optional_policy(`
+@@ -749,24 +920,32 @@ optional_policy(`
')
optional_policy(`
@@ -6734,7 +6735,7 @@ index 6649962..4cb64e5 100644
')
optional_policy(`
-@@ -775,6 +953,10 @@ optional_policy(`
+@@ -775,6 +954,10 @@ optional_policy(`
tunable_policy(`httpd_dbus_avahi',`
avahi_dbus_chat(httpd_t)
')
@@ -6745,7 +6746,7 @@ index 6649962..4cb64e5 100644
')
optional_policy(`
-@@ -786,35 +968,60 @@ optional_policy(`
+@@ -786,35 +969,60 @@ optional_policy(`
')
optional_policy(`
@@ -6819,7 +6820,7 @@ index 6649962..4cb64e5 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -822,8 +1029,30 @@ optional_policy(`
+@@ -822,8 +1030,30 @@ optional_policy(`
')
optional_policy(`
@@ -6850,7 +6851,7 @@ index 6649962..4cb64e5 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -832,6 +1061,8 @@ optional_policy(`
+@@ -832,6 +1062,8 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -6859,7 +6860,7 @@ index 6649962..4cb64e5 100644
')
optional_policy(`
-@@ -842,20 +1073,44 @@ optional_policy(`
+@@ -842,20 +1074,44 @@ optional_policy(`
')
optional_policy(`
@@ -6910,7 +6911,7 @@ index 6649962..4cb64e5 100644
')
optional_policy(`
-@@ -863,16 +1118,31 @@ optional_policy(`
+@@ -863,16 +1119,31 @@ optional_policy(`
')
optional_policy(`
@@ -6944,7 +6945,7 @@ index 6649962..4cb64e5 100644
')
optional_policy(`
-@@ -883,65 +1153,189 @@ optional_policy(`
+@@ -883,65 +1154,189 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -7156,7 +7157,7 @@ index 6649962..4cb64e5 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -950,123 +1344,75 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1345,75 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -7310,7 +7311,7 @@ index 6649962..4cb64e5 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1429,107 @@ optional_policy(`
+@@ -1083,172 +1430,107 @@ optional_policy(`
')
')
@@ -7548,7 +7549,7 @@ index 6649962..4cb64e5 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1537,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1538,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -7645,7 +7646,7 @@ index 6649962..4cb64e5 100644
########################################
#
-@@ -1321,8 +1612,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1613,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -7662,7 +7663,7 @@ index 6649962..4cb64e5 100644
')
########################################
-@@ -1330,49 +1628,40 @@ optional_policy(`
+@@ -1330,49 +1629,40 @@ optional_policy(`
# User content local policy
#
@@ -7728,7 +7729,7 @@ index 6649962..4cb64e5 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1671,109 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1672,109 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -14958,7 +14959,7 @@ index c223f81..8b567c1 100644
- admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
')
diff --git a/cobbler.te b/cobbler.te
-index 5f306dd..e01156f 100644
+index 5f306dd..578b615 100644
--- a/cobbler.te
+++ b/cobbler.te
@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
@@ -15042,7 +15043,7 @@ index 5f306dd..e01156f 100644
')
optional_policy(`
-@@ -192,13 +206,13 @@ optional_policy(`
+@@ -192,13 +206,14 @@ optional_policy(`
')
optional_policy(`
@@ -15057,6 +15058,7 @@ index 5f306dd..e01156f 100644
- tftp_manage_config_files(cobblerd_t)
- tftp_etc_filetrans_config(cobblerd_t, file, "tftp")
+ tftp_manage_config(cobblerd_t)
++ tftp_delete_content_dirs(cobblerd_t)
tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
')
diff --git a/cockpit.fc b/cockpit.fc
@@ -15273,7 +15275,7 @@ index 0000000..d5920c0
+')
diff --git a/cockpit.te b/cockpit.te
new file mode 100644
-index 0000000..23ebc59
+index 0000000..e7b8c7e
--- /dev/null
+++ b/cockpit.te
@@ -0,0 +1,115 @@
@@ -15336,8 +15338,8 @@ index 0000000..23ebc59
+manage_sock_files_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t)
+files_pid_filetrans(cockpit_ws_t, cockpit_var_run_t, { file dir sock_file })
+
-+read_files_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
-+list_dirs_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
++manage_files_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
++manage_dirs_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
+
+auth_use_nsswitch(cockpit_ws_t)
+
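Review bot: Replacing `read_files_pattern`/`list_dirs_pattern` with `manage_files_pattern`/`manage_dirs_pattern` on `cockpit_var_lib_t` widens the network-facing `cockpit_ws_t` from read-only to create/write/delete over its entire state directory. If the need is to update particular files there, `rw_files_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)` or a dedicated type for the writable files keeps the rest read-only; if full management is really required, a comment above these two lines saying why would make the widening reviewable. As far as this hunk shows there is no `files_var_lib_filetrans` for cockpit_ws_t, so the new label only covers objects created inside an already-labelled directory; confirm that matches what the daemon creates.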
@@ -26631,7 +26633,7 @@ index d5badb7..c2431fc 100644
+ admin_pattern($1, dovecot_passwd_t)
')
diff --git a/dovecot.te b/dovecot.te
-index 0aabc7e..315aa2f 100644
+index 0aabc7e..3d8233b 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1)
@@ -26702,7 +26704,7 @@ index 0aabc7e..315aa2f 100644
corecmd_exec_bin(dovecot_domain)
corecmd_exec_shell(dovecot_domain)
-@@ -81,26 +79,34 @@ dev_read_sysfs(dovecot_domain)
+@@ -81,26 +79,36 @@ dev_read_sysfs(dovecot_domain)
dev_read_rand(dovecot_domain)
dev_read_urand(dovecot_domain)
@@ -26731,6 +26733,8 @@ index 0aabc7e..315aa2f 100644
+domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
+
+allow dovecot_t dovecot_auth_t:process signal;
++
++allow dovecot_t dovecot_deliver_t:process signull;
allow dovecot_t dovecot_cert_t:dir list_dir_perms;
-allow dovecot_t dovecot_cert_t:file read_file_perms;
@@ -26747,7 +26751,7 @@ index 0aabc7e..315aa2f 100644
allow dovecot_t dovecot_keytab_t:file read_file_perms;
-@@ -108,12 +114,13 @@ manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+@@ -108,12 +116,13 @@ manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
@@ -26764,19 +26768,19 @@ index 0aabc7e..315aa2f 100644
logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
-@@ -125,45 +132,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+@@ -125,45 +134,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
-files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
--
++files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file sock_file })
+
-can_exec(dovecot_t, dovecot_exec_t)
-
-allow dovecot_t dovecot_auth_t:process signal;
-
-domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
-+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file sock_file })
-
+-
-corenet_all_recvfrom_unlabeled(dovecot_t)
corenet_all_recvfrom_netlabel(dovecot_t)
corenet_tcp_sendrecv_generic_if(dovecot_t)
@@ -26821,7 +26825,7 @@ index 0aabc7e..315aa2f 100644
init_getattr_utmp(dovecot_t)
-@@ -171,45 +168,44 @@ auth_use_nsswitch(dovecot_t)
+@@ -171,45 +170,44 @@ auth_use_nsswitch(dovecot_t)
miscfiles_read_generic_certs(dovecot_t)
@@ -26885,7 +26889,7 @@ index 0aabc7e..315aa2f 100644
sendmail_domtrans(dovecot_t)
')
-@@ -227,46 +223,69 @@ optional_policy(`
+@@ -227,46 +225,69 @@ optional_policy(`
########################################
#
@@ -26964,7 +26968,7 @@ index 0aabc7e..315aa2f 100644
mysql_stream_connect(dovecot_auth_t)
mysql_read_config(dovecot_auth_t)
mysql_tcp_connect(dovecot_auth_t)
-@@ -277,53 +296,79 @@ optional_policy(`
+@@ -277,53 +298,79 @@ optional_policy(`
')
optional_policy(`
@@ -27063,7 +27067,7 @@ index 0aabc7e..315aa2f 100644
mta_read_queue(dovecot_deliver_t)
')
-@@ -332,5 +377,6 @@ optional_policy(`
+@@ -332,5 +379,6 @@ optional_policy(`
')
optional_policy(`
@@ -29024,7 +29028,7 @@ index c62c567..a74f123 100644
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
-index 98072a3..a30b953 100644
+index 98072a3..ee152e2 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
@@ -29102,7 +29106,12 @@ index 98072a3..a30b953 100644
optional_policy(`
dbus_system_domain(firewalld_t, firewalld_exec_t)
-@@ -95,6 +115,10 @@ optional_policy(`
+@@ -91,10 +111,15 @@ optional_policy(`
+
+ optional_policy(`
+ networkmanager_dbus_chat(firewalld_t)
++ networkmanager_stream_connect(firewalld_t)
+ ')
')
optional_policy(`
@@ -69076,7 +69085,7 @@ index 0000000..fa4cfaa
Binary files /dev/null and b/pcp.pp differ
diff --git a/pcp.te b/pcp.te
new file mode 100644
-index 0000000..f302fd8
+index 0000000..d6fdef6
--- /dev/null
+++ b/pcp.te
@@ -0,0 +1,297 @@
@@ -69238,7 +69247,7 @@ index 0000000..f302fd8
+')
+
+optional_policy(`
-+ docker_manage_lib_files(pcp_pmcd_t)
++ container_manage_lib_files(pcp_pmcd_t)
+')
+
+optional_policy(`
@@ -69814,7 +69823,7 @@ index d2fc677..86dce34 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 608f454..bc31081 100644
+index 608f454..270648d 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@@ -70157,7 +70166,8 @@ index 608f454..bc31081 100644
+# pegasus local policy
#
- allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service };
+-allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service };
++allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service sys_ptrace };
dontaudit pegasus_t self:capability sys_tty_config;
-allow pegasus_t self:process signal;
+allow pegasus_t self:process { setsched signal };
@@ -90304,6 +90314,16 @@ index 0000000..da94453
+ #unconfined_domain(rolekit_t)
+ domain_named_filetrans(rolekit_t)
+')
+diff --git a/roundup.fc b/roundup.fc
+index 6f05cd0..dc2a9aa 100644
+--- a/roundup.fc
++++ b/roundup.fc
+@@ -2,4 +2,4 @@
+
+ /usr/bin/roundup-server -- gen_context(system_u:object_r:roundup_exec_t,s0)
+
+-/var/lib/roundup(/.*)? -- gen_context(system_u:object_r:roundup_var_lib_t,s0)
++/var/lib/roundup(/.*)? gen_context(system_u:object_r:roundup_var_lib_t,s0)
diff --git a/roundup.if b/roundup.if
index 975bb6a..ce4f5ea 100644
--- a/roundup.if
@@ -90322,10 +90342,14 @@ index 975bb6a..ce4f5ea 100644
init_labeled_script_domtrans($1, roundup_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/roundup.te b/roundup.te
-index ccb5991..189ac01 100644
+index ccb5991..fa10c5a 100644
--- a/roundup.te
+++ b/roundup.te
-@@ -41,7 +41,6 @@ kernel_read_proc_symlinks(roundup_t)
+@@ -38,10 +38,10 @@ files_pid_filetrans(roundup_t, roundup_var_run_t, file)
+ kernel_read_kernel_sysctls(roundup_t)
+ kernel_list_proc(roundup_t)
+ kernel_read_proc_symlinks(roundup_t)
++kernel_read_system_state(roundup_t)
corecmd_exec_bin(roundup_t)
@@ -90333,7 +90357,7 @@ index ccb5991..189ac01 100644
corenet_all_recvfrom_netlabel(roundup_t)
corenet_tcp_sendrecv_generic_if(roundup_t)
corenet_tcp_sendrecv_generic_node(roundup_t)
-@@ -60,16 +59,11 @@ dev_read_urand(roundup_t)
+@@ -60,19 +60,19 @@ dev_read_urand(roundup_t)
domain_use_interactive_fds(roundup_t)
@@ -90350,11 +90374,19 @@ index ccb5991..189ac01 100644
sysnet_dns_name_resolve(roundup_t)
userdom_dontaudit_use_unpriv_user_fds(roundup_t)
++
++optional_policy(`
++ apache_search_config(roundup_t)
++')
++
+ userdom_dontaudit_search_user_home_dirs(roundup_t)
+
+ optional_policy(`
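Review bot: The new `optional_policy` block calling `apache_search_config(roundup_t)` is inserted between `userdom_dontaudit_use_unpriv_user_fds` and `userdom_dontaudit_search_user_home_dirs`, splitting the userdom rules, while the existing `optional_policy(` block that follows shows the module keeps conditional blocks after its unconditional rules. Move the block down beside that existing one so the userdom lines stay contiguous. Separately, `kernel_read_system_state(roundup_t)` added in the earlier roundup.te hunk is a broader grant than the `kernel_list_proc`/`kernel_read_proc_symlinks` lines it joins; a short comment naming what roundup reads from /proc would help the next reviewer judge it.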
diff --git a/rpc.fc b/rpc.fc
-index a6fb30c..38a2f09 100644
+index a6fb30c..3148280 100644
--- a/rpc.fc
+++ b/rpc.fc
-@@ -1,12 +1,23 @@
+@@ -1,12 +1,25 @@
-/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
+#
+# /etc
@@ -90372,19 +90404,21 @@ index a6fb30c..38a2f09 100644
-/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
-/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
++/usr/lib/systemd/system-generators/nfs.* -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+
+#
+# /sbin
+#
+/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
-
++
+#
+# /usr
+#
/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
-@@ -16,7 +27,12 @@
+@@ -16,7 +29,12 @@
/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
/usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
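Review bot: The added `/usr/lib/systemd/system-generators/nfs.* -- ...nfsd_exec_t` entry labels systemd generators with the daemon's executable type, so systemd would run them in the nfs daemon domain if the usual init transition applies (not visible in this hunk); a generator writes units into systemd's generator directories, which that domain would then also need access to. If the goal is only to let the generator execute, a dedicated generator type, or at least a comment above the line naming the generator and the reason, is worth considering. The `nfs.*` pattern also matches any future generator whose name starts with nfs; anchoring it to the actual file name(s) keeps the labelling predictable.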
@@ -107737,7 +107771,7 @@ index 3dd87da..0d13384 100644
-/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0)
+/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0)
diff --git a/tftp.if b/tftp.if
-index 9957e30..cd21321 100644
+index 9957e30..51af586 100644
--- a/tftp.if
+++ b/tftp.if
@@ -1,8 +1,8 @@
@@ -107751,17 +107785,13 @@ index 9957e30..cd21321 100644
##
##
##
-@@ -13,18 +13,21 @@
+@@ -13,18 +13,40 @@
interface(`tftp_read_content',`
gen_require(`
type tftpdir_t;
+ type tftpdir_rw_t;
- ')
-
-- files_search_var_lib($1)
-- allow $1 tftpdir_t:dir list_dir_perms;
-- allow $1 tftpdir_t:file read_file_perms;
-- allow $1 tftpdir_t:lnk_file read_lnk_file_perms;
++ ')
++
+ list_dirs_pattern($1, tftpdir_t, tftpdir_t)
+ read_files_pattern($1, tftpdir_t, tftpdir_t)
+ read_lnk_files_pattern($1, tftpdir_t, tftpdir_t)
@@ -107769,46 +107799,68 @@ index 9957e30..cd21321 100644
+ list_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+ read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+ read_lnk_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
++')
++
++########################################
++##
++## Search tftp /var/lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tftp_search_rw_content',`
++ gen_require(`
++ type tftpdir_rw_t;
+ ')
+
++ search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+ files_search_var_lib($1)
+- allow $1 tftpdir_t:dir list_dir_perms;
+- allow $1 tftpdir_t:file read_file_perms;
+- allow $1 tftpdir_t:lnk_file read_lnk_file_perms;
')
########################################
##
-## Create, read, write, and delete
-## tftp rw content.
-+## Search tftp /var/lib directories.
++## Allow read tftp /var/lib files.
##
##
##
-@@ -32,20 +35,18 @@ interface(`tftp_read_content',`
+@@ -32,20 +54,18 @@ interface(`tftp_read_content',`
##
##
#
-interface(`tftp_manage_rw_content',`
-+interface(`tftp_search_rw_content',`
++interface(`tftp_read_rw_content',`
gen_require(`
type tftpdir_rw_t;
')
-+ search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
files_search_var_lib($1)
- allow $1 tftpdir_rw_t:dir manage_dir_perms;
- allow $1 tftpdir_rw_t:file manage_file_perms;
- allow $1 tftpdir_rw_t:lnk_file manage_lnk_file_perms;
++ read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
')
########################################
##
-## Read tftpd configuration files.
-+## Allow read tftp /var/lib files.
++## Allow write tftp /var/lib files.
##
##
##
-@@ -53,19 +54,18 @@ interface(`tftp_manage_rw_content',`
+@@ -53,19 +73,18 @@ interface(`tftp_manage_rw_content',`
##
##
#
-interface(`tftp_read_config_files',`
-+interface(`tftp_read_rw_content',`
++interface(`tftp_write_rw_content',`
gen_require(`
- type tftpd_conf_t;
+ type tftpdir_rw_t;
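Review bot: After this restructuring `tftp_read_content` (which begins in the previous hunk) ends without calling `files_search_var_lib($1)`: the line that used to belong to it is now context inside the new `tftp_search_rw_content` body, so callers of the read interface get the `tftpdir_t`/`tftpdir_rw_t` patterns but no search permission on /var/lib itself, unlike every other interface in this file, which calls `files_search_var_lib($1)` first. Unless callers are expected to obtain that elsewhere, add `files_search_var_lib($1)` before the `list_dirs_pattern($1, tftpdir_t, tftpdir_t)` line. A minor style point: in `tftp_search_rw_content` the `search_dirs_pattern` call precedes `files_search_var_lib($1)` whereas the sibling interfaces put the var_lib search first; ordering them the same way reads better.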
@@ -107817,23 +107869,23 @@ index 9957e30..cd21321 100644
- files_search_etc($1)
- allow $1 tftpd_conf_t:file read_file_perms;
+ files_search_var_lib($1)
-+ read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
++ write_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
')
########################################
##
-## Create, read, write, and delete
-## tftpd configuration files.
-+## Allow write tftp /var/lib files.
++## Manage tftp /var/lib files.
##
##
##
-@@ -73,55 +73,83 @@ interface(`tftp_read_config_files',`
+@@ -73,55 +92,83 @@ interface(`tftp_read_config_files',`
##
##
#
-interface(`tftp_manage_config_files',`
-+interface(`tftp_write_rw_content',`
++interface(`tftp_manage_rw_content',`
gen_require(`
- type tftpd_conf_t;
+ type tftpdir_rw_t;
@@ -107842,7 +107894,8 @@ index 9957e30..cd21321 100644
- files_search_etc($1)
- allow $1 tftpd_conf_t:file manage_file_perms;
+ files_search_var_lib($1)
-+ write_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
++ manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
++ manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
')
########################################
@@ -107859,14 +107912,13 @@ index 9957e30..cd21321 100644
##
-##
+#
-+interface(`tftp_manage_rw_content',`
++interface(`tftp_delete_content_dirs',`
+ gen_require(`
+ type tftpdir_rw_t;
+ ')
+
+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
-+ manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
++ delete_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+')
+
+########################################
@@ -107928,7 +107980,7 @@ index 9957e30..cd21321 100644
##
## Private file type.
##
-@@ -131,25 +159,38 @@ interface(`tftp_etc_filetrans_config',`
+@@ -131,25 +178,38 @@ interface(`tftp_etc_filetrans_config',`
## Class of the object being created.
##
##
@@ -107975,7 +108027,7 @@ index 9957e30..cd21321 100644
##
##
##
-@@ -161,18 +202,22 @@ interface(`tftp_filetrans_tftpdir',`
+@@ -161,18 +221,22 @@ interface(`tftp_filetrans_tftpdir',`
interface(`tftp_admin',`
gen_require(`
type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
@@ -108625,10 +108677,10 @@ index 0000000..9524b50
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..e80cde4
+index 0000000..3f3a239
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,162 @@
+@@ -0,0 +1,165 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -108730,6 +108782,9 @@ index 0000000..e80cde4
+
+sysnet_read_config(thumb_t)
+
++
++term_dontaudit_use_unallocated_ttys(thumb_t)
++
+userdom_dontaudit_setattr_user_tmp(thumb_t)
+userdom_read_user_tmp_files(thumb_t)
+userdom_read_user_home_content_files(thumb_t)
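Review bot: `term_dontaudit_use_unallocated_ttys(thumb_t)` silences a denial without recording why the thumbnailer touches unallocated ttys, and a dontaudit is exactly the kind of rule a later reviewer cannot reconstruct from the policy alone. A one-line comment above it naming the triggering situation, e.g. `# <describe which thumbnailer invocation inherits an unallocated tty>` (placeholder), would keep the rule auditable and make it easy to drop once the cause is fixed. The added blank line before the call also leaves two consecutive empty lines after `sysnet_read_config(thumb_t)`; one is enough.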
@@ -111903,10 +111958,10 @@ index a4f20bc..d8b1fd1 100644
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index facdee8..58c4c51 100644
+index facdee8..31f7fd1 100644
--- a/virt.if
+++ b/virt.if
-@@ -1,120 +1,104 @@
+@@ -1,120 +1,110 @@
-## Libvirt virtualization API.
+## Libvirt virtualization API
@@ -111930,8 +111985,10 @@ index facdee8..58c4c51 100644
- attribute_role virt_domain_roles;
- attribute virt_image_type, virt_domain, virt_tmpfs_type;
- attribute virt_ptynode, virt_tmp_type;
-- ')
--
++ type virtd_lxc_t;
+ ')
++')
+
- ########################################
- #
- # Declarations
@@ -111956,7 +112013,19 @@ index facdee8..58c4c51 100644
-
- optional_policy(`
- pulseaudio_tmpfs_content($1_tmpfs_t)
-+ type virtd_lxc_t;
++########################################
++##
++## svirt_sandbox_domain attribute stub interface. No access allowed.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`virt_stub_svirt_sandbox_domain',`
++ gen_require(`
++ attribute svirt_sandbox_domain;
')
+')
@@ -111996,7 +112065,7 @@ index facdee8..58c4c51 100644
- pulseaudio_run($1_t, virt_domain_roles)
+########################################
+##
-+## svirt_sandbox_domain attribute stub interface. No access allowed.
++## container_image_t stub interface. No access allowed.
+##
+##
+##
@@ -112004,27 +112073,17 @@ index facdee8..58c4c51 100644
+##
+##
+#
-+interface(`virt_stub_svirt_sandbox_domain',`
++interface(`virt_stub_container_image',`
+ gen_require(`
-+ attribute svirt_sandbox_domain;
++ type container_image_t;
')
+')
- optional_policy(`
- xserver_rw_shm($1_t)
-+########################################
-+##
-+## svirt_sandbox_file_t stub interface. No access allowed.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+interface(`virt_stub_svirt_sandbox_file',`
+ gen_require(`
-+ type svirt_sandbox_file_t;
++ type container_image_t;
')
')
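Review bot: `virt_stub_svirt_sandbox_file` now requires `type container_image_t;`, the same requirement as the new `virt_stub_container_image` just above it, so the two stubs are interchangeable, and as far as this hunk shows the `##` header block that the patch previously placed in front of `virt_stub_svirt_sandbox_file` is no longer emitted, leaving that interface without the description the policy documentation tools pick up. Keep a header on it and say why it still exists, e.g. `## svirt_sandbox_file_t stub interface; kept for callers written against the old type name, equivalent to virt_stub_container_image. No access allowed.` If the old name is only a compatibility shim, having its body call `virt_stub_container_image($1)` instead of repeating the gen_require would make that explicit.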
@@ -112094,7 +112153,7 @@ index facdee8..58c4c51 100644
##
##
#
-@@ -125,31 +109,32 @@ interface(`virt_image',`
+@@ -125,31 +115,32 @@ interface(`virt_image',`
typeattribute $1 virt_image_type;
files_type($1)
@@ -112139,7 +112198,7 @@ index facdee8..58c4c51 100644
##
##
##
-@@ -157,95 +142,71 @@ interface(`virt_domtrans',`
+@@ -157,95 +148,71 @@ interface(`virt_domtrans',`
##
##
#
@@ -112259,7 +112318,7 @@ index facdee8..58c4c51 100644
##
##
##
-@@ -253,17 +214,18 @@ interface(`virt_run_virt_domain',`
+@@ -253,17 +220,18 @@ interface(`virt_run_virt_domain',`
##
##
#
@@ -112283,7 +112342,7 @@ index facdee8..58c4c51 100644
##
##
##
-@@ -271,48 +233,36 @@ interface(`virt_signal_all_virt_domains',`
+@@ -271,48 +239,36 @@ interface(`virt_signal_all_virt_domains',`
##
##
#
@@ -112343,7 +112402,7 @@ index facdee8..58c4c51 100644
##
##
##
-@@ -320,18 +270,18 @@ interface(`virt_run_svirt_lxc_domain',`
+@@ -320,18 +276,18 @@ interface(`virt_run_svirt_lxc_domain',`
##
##
#
@@ -112368,7 +112427,7 @@ index facdee8..58c4c51 100644
##
##
##
-@@ -339,18 +289,18 @@ interface(`virt_getattr_virtd_exec_files',`
+@@ -339,18 +295,18 @@ interface(`virt_getattr_virtd_exec_files',`
##
##
#
@@ -112392,7 +112451,7 @@ index facdee8..58c4c51 100644
##
##
##
-@@ -358,18 +308,20 @@ interface(`virt_stream_connect',`
+@@ -358,18 +314,20 @@ interface(`virt_stream_connect',`
##
##
#
@@ -112418,7 +112477,7 @@ index facdee8..58c4c51 100644
##
##
##
-@@ -377,22 +329,20 @@ interface(`virt_attach_tun_iface',`
+@@ -377,22 +335,20 @@ interface(`virt_attach_tun_iface',`
##
##
#
@@ -112446,7 +112505,7 @@ index facdee8..58c4c51 100644
##
##
##
-@@ -400,22 +350,17 @@ interface(`virt_read_config',`
+@@ -400,22 +356,17 @@ interface(`virt_read_config',`
##
##
#
@@ -112473,7 +112532,7 @@ index facdee8..58c4c51 100644
##
##
##
-@@ -434,6 +379,7 @@ interface(`virt_read_content',`
+@@ -434,6 +385,7 @@ interface(`virt_read_content',`
read_files_pattern($1, virt_content_t, virt_content_t)
read_lnk_files_pattern($1, virt_content_t, virt_content_t)
read_blk_files_pattern($1, virt_content_t, virt_content_t)
@@ -112481,7 +112540,7 @@ index facdee8..58c4c51 100644
tunable_policy(`virt_use_nfs',`
fs_list_nfs($1)
-@@ -450,8 +396,7 @@ interface(`virt_read_content',`
+@@ -450,8 +402,7 @@ interface(`virt_read_content',`
########################################
##
@@ -112491,7 +112550,7 @@ index facdee8..58c4c51 100644
##
##
##
-@@ -459,35 +404,17 @@ interface(`virt_read_content',`
+@@ -459,35 +410,17 @@ interface(`virt_read_content',`
##
##
#
@@ -112530,7 +112589,7 @@ index facdee8..58c4c51 100644
##
##
##
-@@ -495,53 +422,38 @@ interface(`virt_manage_virt_content',`
+@@ -495,53 +428,38 @@ interface(`virt_manage_virt_content',`
##
##
#
@@ -112595,7 +112654,7 @@ index facdee8..58c4c51 100644
##
##
##
-@@ -549,34 +461,21 @@ interface(`virt_home_filetrans_virt_content',`
+@@ -549,34 +467,21 @@ interface(`virt_home_filetrans_virt_content',`
##
##
#
@@ -112638,7 +112697,7 @@ index facdee8..58c4c51 100644
##
##
##
-@@ -584,32 +483,36 @@ interface(`virt_manage_svirt_home_content',`
+@@ -584,32 +489,36 @@ interface(`virt_manage_svirt_home_content',`
##
##
#
@@ -112687,7 +112746,7 @@ index facdee8..58c4c51 100644
##
##
##
-@@ -618,54 +521,36 @@ interface(`virt_relabel_svirt_home_content',`
+@@ -618,54 +527,36 @@ interface(`virt_relabel_svirt_home_content',`
##
##
#
@@ -112751,7 +112810,7 @@ index facdee8..58c4c51 100644
##
##
##
-@@ -673,107 +558,607 @@ interface(`virt_home_filetrans',`
+@@ -673,107 +564,607 @@ interface(`virt_home_filetrans',`
##
##
#
@@ -113106,15 +113165,15 @@ index facdee8..58c4c51 100644
+#
+interface(`virt_exec_sandbox_files',`
+ gen_require(`
-+ type svirt_sandbox_file_t;
++ type container_image_t;
+ ')
+
-+ can_exec($1, svirt_sandbox_file_t)
++ can_exec($1, container_image_t)
+')
+
+########################################
+##
-+## Allow any svirt_sandbox_file_t to be an entrypoint of this domain
++## Allow any container_image_t to be an entrypoint of this domain
+##
+##
+##
@@ -113125,9 +113184,9 @@ index facdee8..58c4c51 100644
+#
+interface(`virt_sandbox_entrypoint',`
+ gen_require(`
-+ type svirt_sandbox_file_t;
++ type container_image_t;
+ ')
-+ allow $1 svirt_sandbox_file_t:file entrypoint;
++ allow $1 container_image_t:file entrypoint;
+')
+
+#######################################
@@ -113142,12 +113201,12 @@ index facdee8..58c4c51 100644
+#
+interface(`virt_read_sandbox_files',`
+ gen_require(`
-+ type svirt_sandbox_file_t;
++ type container_image_t;
+ ')
+
-+ list_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+ read_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+ read_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
++ list_dirs_pattern($1, container_image_t, container_image_t)
++ read_files_pattern($1, container_image_t, container_image_t)
++ read_lnk_files_pattern($1, container_image_t, container_image_t)
+')
+
+#######################################
@@ -113162,15 +113221,15 @@ index facdee8..58c4c51 100644
+#
+interface(`virt_manage_sandbox_files',`
+ gen_require(`
-+ type svirt_sandbox_file_t;
++ type container_image_t;
+ ')
+
-+ manage_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+ manage_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+ manage_fifo_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+ manage_chr_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+ manage_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+ allow $1 svirt_sandbox_file_t:dir_file_class_set { relabelfrom relabelto };
++ manage_dirs_pattern($1, container_image_t, container_image_t)
++ manage_files_pattern($1, container_image_t, container_image_t)
++ manage_fifo_files_pattern($1, container_image_t, container_image_t)
++ manage_chr_files_pattern($1, container_image_t, container_image_t)
++ manage_lnk_files_pattern($1, container_image_t, container_image_t)
++ allow $1 container_image_t:dir_file_class_set { relabelfrom relabelto };
+')
+
+#######################################
@@ -113185,10 +113244,10 @@ index facdee8..58c4c51 100644
+#
+interface(`virt_getattr_sandbox_filesystem',`
+ gen_require(`
-+ type svirt_sandbox_file_t;
++ type container_image_t;
+ ')
+
-+ allow $1 svirt_sandbox_file_t:filesystem getattr;
++ allow $1 container_image_t:filesystem getattr;
+')
+
+#######################################
@@ -113203,10 +113262,10 @@ index facdee8..58c4c51 100644
+#
+interface(`virt_relabel_sandbox_filesystem',`
+ gen_require(`
-+ type svirt_sandbox_file_t;
++ type container_image_t;
+ ')
+
-+ allow $1 svirt_sandbox_file_t:filesystem { relabelfrom relabelto };
++ allow $1 container_image_t:filesystem { relabelfrom relabelto };
+')
+
+#######################################
@@ -113221,10 +113280,10 @@ index facdee8..58c4c51 100644
+#
+interface(`virt_mounton_sandbox_file',`
+ gen_require(`
-+ type svirt_sandbox_file_t;
++ type container_image_t;
+ ')
+
-+ allow $1 svirt_sandbox_file_t:dir_file_class_set mounton;
++ allow $1 container_image_t:dir_file_class_set mounton;
+')
+
+#######################################
@@ -113240,11 +113299,11 @@ index facdee8..58c4c51 100644
+interface(`virt_stream_connect_sandbox',`
+ gen_require(`
+ attribute svirt_sandbox_domain;
-+ type svirt_sandbox_file_t;
++ type container_image_t;
+ ')
+
+ files_search_pids($1)
-+ stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain)
++ stream_connect_pattern($1, container_image_t, container_image_t, svirt_sandbox_domain)
+ ps_process_pattern(svirt_sandbox_domain, $1)
+')
+
@@ -113404,7 +113463,7 @@ index facdee8..58c4c51 100644
##
##
##
-@@ -781,19 +1166,17 @@ interface(`virt_home_filetrans_virt_home',`
+@@ -781,19 +1172,17 @@ interface(`virt_home_filetrans_virt_home',`
##
##
#
@@ -113428,7 +113487,7 @@ index facdee8..58c4c51 100644
##
##
##
-@@ -801,18 +1184,17 @@ interface(`virt_read_pid_files',`
+@@ -801,18 +1190,17 @@ interface(`virt_read_pid_files',`
##
##
#
@@ -113451,7 +113510,7 @@ index facdee8..58c4c51 100644
##
##
##
-@@ -820,18 +1202,17 @@ interface(`virt_manage_pid_files',`
+@@ -820,18 +1208,17 @@ interface(`virt_manage_pid_files',`
##
##
#
@@ -113474,7 +113533,7 @@ index facdee8..58c4c51 100644
##
##
##
-@@ -839,192 +1220,243 @@ interface(`virt_search_lib',`
+@@ -839,192 +1226,243 @@ interface(`virt_search_lib',`
##
##
#
@@ -113798,7 +113857,7 @@ index facdee8..58c4c51 100644
##
##
##
-@@ -1032,20 +1464,17 @@ interface(`virt_read_images',`
+@@ -1032,20 +1470,17 @@ interface(`virt_read_images',`
##
##
#
@@ -113823,7 +113882,7 @@ index facdee8..58c4c51 100644
##
##
##
-@@ -1053,15 +1482,17 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,15 +1488,17 @@ interface(`virt_rw_all_image_chr_files',`
##
##
#
@@ -113846,7 +113905,7 @@ index facdee8..58c4c51 100644
##
##
##
-@@ -1069,21 +1500,17 @@ interface(`virt_manage_svirt_cache',`
+@@ -1069,21 +1506,17 @@ interface(`virt_manage_svirt_cache',`
##
##
#
@@ -113872,7 +113931,7 @@ index facdee8..58c4c51 100644
##
##
##
-@@ -1091,36 +1518,18 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1524,18 @@ interface(`virt_manage_virt_cache',`
##
##
#
@@ -113914,7 +113973,7 @@ index facdee8..58c4c51 100644
##
##
##
-@@ -1136,50 +1545,76 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1551,76 @@ interface(`virt_manage_images',`
#
interface(`virt_admin',`
gen_require(`
@@ -114024,10 +114083,10 @@ index facdee8..58c4c51 100644
+ ps_process_pattern(virtd_t, $1)
')
diff --git a/virt.te b/virt.te
-index f03dcf5..36bc283 100644
+index f03dcf5..d369e60 100644
--- a/virt.te
+++ b/virt.te
-@@ -1,451 +1,402 @@
+@@ -1,451 +1,400 @@
-policy_module(virt, 1.7.4)
+policy_module(virt, 1.5.0)
@@ -114583,28 +114642,27 @@ index f03dcf5..36bc283 100644
-optional_policy(`
- dbus_read_lib_files(virt_domain)
-')
+-
+-optional_policy(`
+- nscd_use(virt_domain)
+-')
+type virtd_lxc_t, virt_system_domain;
+type virtd_lxc_exec_t, virt_file_type;
+init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
-optional_policy(`
-- nscd_use(virt_domain)
+- samba_domtrans_smbd(virt_domain)
-')
+type virt_lxc_var_run_t, virt_file_type;
+files_pid_file(virt_lxc_var_run_t)
+typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
-optional_policy(`
-- samba_domtrans_smbd(virt_domain)
--')
-+# virt lxc container files
-+type svirt_sandbox_file_t alias svirt_lxc_file_t, svirt_file_type;
-+files_mountpoint(svirt_sandbox_file_t)
-
--optional_policy(`
- xen_rw_image_files(virt_domain)
-')
-+type container_image_t;
++# virt lxc container files
++type container_image_t, svirt_file_type;
++typealias container_image_t alias { svirt_sandbox_file_t svirt_lxc_file_t };
+files_mountpoint(container_image_t)
########################################
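Review bot: The `typealias container_image_t alias { svirt_sandbox_file_t svirt_lxc_file_t };` line merges what the previous version of this patch declared as two separate types (`type svirt_sandbox_file_t alias svirt_lxc_file_t, svirt_file_type;` and a bare `type container_image_t;`), so every rule written against any of the three names now applies to a single type and any rule that previously distinguished them is widened. The comment `# virt lxc container files` above the declaration no longer describes that; something like `# container image content; svirt_sandbox_file_t and svirt_lxc_file_t are compatibility aliases of container_image_t, not distinct types` would tell the next reader what changed. Worth confirming that nothing in the rest of the policy relied on `container_image_t` being a separate, more restricted type.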
@@ -114617,17 +114675,17 @@ index f03dcf5..36bc283 100644
-
-dontaudit svirt_t virt_content_t:file write_file_perms;
-dontaudit svirt_t virt_content_t:dir rw_dir_perms;
--
++allow svirt_t self:process ptrace;
+
-append_files_pattern(svirt_t, virt_home_t, virt_home_t)
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-+allow svirt_t self:process ptrace;
-
--filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
+# it was a part of auth_use_nsswitch
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
+-
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
-
-corenet_udp_sendrecv_generic_if(svirt_t)
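Review bot: `allow svirt_t self:process ptrace;` is granted unconditionally here, while the equivalent permission for `svirt_sandbox_domain` later in this diff is wrapped in `tunable_policy(`deny_ptrace',`',` ... `)`. If the `deny_ptrace` boolean is meant to cover all svirt guest domains, the svirt_t rule should get the same guard, i.e. `tunable_policy(`deny_ptrace',`',` allow svirt_t self:process ptrace; `)`. If svirt_t is intentionally excluded, a one-line comment above the rule saying so would stop the next reader from "fixing" it.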
@@ -114740,7 +114798,7 @@ index f03dcf5..36bc283 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +406,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +404,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -114787,7 +114845,7 @@ index f03dcf5..36bc283 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,23 +441,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,23 +439,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -114820,7 +114878,7 @@ index f03dcf5..36bc283 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -527,24 +466,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +464,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -114848,7 +114906,7 @@ index f03dcf5..36bc283 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -555,20 +486,26 @@ dev_rw_vhost(virtd_t)
+@@ -555,20 +484,26 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -114879,7 +114937,7 @@ index f03dcf5..36bc283 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_all_fs(virtd_t)
fs_rw_anon_inodefs_files(virtd_t)
-@@ -601,15 +538,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +536,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -114899,7 +114957,7 @@ index f03dcf5..36bc283 100644
selinux_validate_context(virtd_t)
-@@ -620,18 +560,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +558,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -114936,7 +114994,7 @@ index f03dcf5..36bc283 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -640,7 +588,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -640,7 +586,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -114945,7 +115003,7 @@ index f03dcf5..36bc283 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -665,20 +613,12 @@ optional_policy(`
+@@ -665,20 +611,12 @@ optional_policy(`
')
optional_policy(`
@@ -114966,7 +115024,7 @@ index f03dcf5..36bc283 100644
')
optional_policy(`
-@@ -691,20 +631,26 @@ optional_policy(`
+@@ -691,20 +629,26 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -114977,12 +115035,11 @@ index f03dcf5..36bc283 100644
')
optional_policy(`
-- iptables_domtrans(virtd_t)
+ firewalld_dbus_chat(virtd_t)
+')
+
+optional_policy(`
-+ iptables_domtrans(virtd_t)
+ iptables_domtrans(virtd_t)
iptables_initrc_domtrans(virtd_t)
+ iptables_systemctl(virtd_t)
+
@@ -114998,7 +115055,7 @@ index f03dcf5..36bc283 100644
')
optional_policy(`
-@@ -712,11 +658,18 @@ optional_policy(`
+@@ -712,11 +656,18 @@ optional_policy(`
')
optional_policy(`
@@ -115017,7 +115074,7 @@ index f03dcf5..36bc283 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
-@@ -727,10 +680,18 @@ optional_policy(`
+@@ -727,10 +678,18 @@ optional_policy(`
')
optional_policy(`
@@ -115036,7 +115093,7 @@ index f03dcf5..36bc283 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -746,44 +707,336 @@ optional_policy(`
+@@ -746,44 +705,336 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@@ -115234,7 +115291,7 @@ index f03dcf5..36bc283 100644
+storage_raw_read_removable_device(virt_domain)
+
+sysnet_read_config(virt_domain)
-+
+
+term_use_all_inherited_terms(virt_domain)
+term_getattr_pty_fs(virt_domain)
+term_use_generic_ptys(virt_domain)
@@ -115351,7 +115408,7 @@ index f03dcf5..36bc283 100644
+init_system_domain(virsh_t, virsh_exec_t)
+typealias virsh_t alias xm_t;
+typealias virsh_exec_t alias xm_exec_t;
-
++
+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
+allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
+allow virsh_t self:fifo_file rw_fifo_file_perms;
@@ -115376,12 +115433,12 @@ index f03dcf5..36bc283 100644
+manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+
-+manage_dirs_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_chr_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_lnk_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_sock_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_fifo_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_dirs_pattern(virsh_t, container_image_t, container_image_t)
++manage_files_pattern(virsh_t, container_image_t, container_image_t)
++manage_chr_files_pattern(virsh_t, container_image_t, container_image_t)
++manage_lnk_files_pattern(virsh_t, container_image_t, container_image_t)
++manage_sock_files_pattern(virsh_t, container_image_t, container_image_t)
++manage_fifo_files_pattern(virsh_t, container_image_t, container_image_t)
+virt_transition_svirt_sandbox(virsh_t, system_r)
+
+manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
@@ -115395,7 +115452,7 @@ index f03dcf5..36bc283 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1047,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1045,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -115422,7 +115479,7 @@ index f03dcf5..36bc283 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1067,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1065,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -115439,10 +115496,10 @@ index f03dcf5..36bc283 100644
-logging_send_syslog_msg(virsh_t)
+systemd_exec_systemctl(virsh_t)
-+
-+auth_read_passwd(virsh_t)
-miscfiles_read_localization(virsh_t)
++auth_read_passwd(virsh_t)
++
+logging_send_syslog_msg(virsh_t)
sysnet_dns_name_resolve(virsh_t)
@@ -115456,7 +115513,7 @@ index f03dcf5..36bc283 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1104,20 @@ optional_policy(`
+@@ -856,14 +1102,20 @@ optional_policy(`
')
optional_policy(`
@@ -115478,7 +115535,7 @@ index f03dcf5..36bc283 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1142,66 @@ optional_policy(`
+@@ -888,49 +1140,66 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -115541,15 +115598,15 @@ index f03dcf5..36bc283 100644
+files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir })
+filetrans_pattern(virtd_lxc_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+
-+manage_dirs_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_chr_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_lnk_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_sock_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_fifo_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+allow virtd_lxc_t svirt_sandbox_file_t:dir_file_class_set { relabelto relabelfrom };
-+allow virtd_lxc_t svirt_sandbox_file_t:filesystem { relabelto relabelfrom };
-+files_associate_rootfs(svirt_sandbox_file_t)
++manage_dirs_pattern(virtd_lxc_t, container_image_t, container_image_t)
++manage_files_pattern(virtd_lxc_t, container_image_t, container_image_t)
++manage_chr_files_pattern(virtd_lxc_t, container_image_t, container_image_t)
++manage_lnk_files_pattern(virtd_lxc_t, container_image_t, container_image_t)
++manage_sock_files_pattern(virtd_lxc_t, container_image_t, container_image_t)
++manage_fifo_files_pattern(virtd_lxc_t, container_image_t, container_image_t)
++allow virtd_lxc_t container_image_t:dir_file_class_set { relabelto relabelfrom };
++allow virtd_lxc_t container_image_t:filesystem { relabelto relabelfrom };
++files_associate_rootfs(container_image_t)
+
+seutil_read_file_contexts(virtd_lxc_t)
@@ -115563,7 +115620,7 @@ index f03dcf5..36bc283 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1213,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1211,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -115577,13 +115634,13 @@ index f03dcf5..36bc283 100644
files_unmount_all_file_type_fs(virtd_lxc_t)
files_list_isid_type_dirs(virtd_lxc_t)
-files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
-+files_root_filetrans(virtd_lxc_t, svirt_sandbox_file_t, dir_file_class_set)
++files_root_filetrans(virtd_lxc_t, container_image_t, dir_file_class_set)
+fs_read_fusefs_files(virtd_lxc_t)
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1234,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1232,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -115607,7 +115664,7 @@ index f03dcf5..36bc283 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1259,359 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1257,360 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -115634,12 +115691,12 @@ index f03dcf5..36bc283 100644
+ hal_dbus_chat(virtd_lxc_t)
+ ')
+')
-
--sysnet_domtrans_ifconfig(virtd_lxc_t)
++
+optional_policy(`
-+ docker_exec_lib(virtd_lxc_t)
++ container_exec_lib(virtd_lxc_t)
+')
-+
+
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t)
+')
@@ -115680,89 +115737,7 @@ index f03dcf5..36bc283 100644
+tunable_policy(`deny_ptrace',`',`
+ allow svirt_sandbox_domain self:process ptrace;
+')
-
--allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
--allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
--allow svirt_lxc_domain self:fifo_file manage_file_perms;
--allow svirt_lxc_domain self:sem create_sem_perms;
--allow svirt_lxc_domain self:shm create_shm_perms;
--allow svirt_lxc_domain self:msgq create_msgq_perms;
--allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
--allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
--
--allow svirt_lxc_domain virtd_lxc_t:fd use;
--allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
--allow svirt_lxc_domain virtd_lxc_t:process sigchld;
--
--allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
--
--allow svirt_lxc_domain virsh_t:fd use;
--allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
--allow svirt_lxc_domain virsh_t:process sigchld;
--
--allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
--allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
--
--manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--
--allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
--allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
--
--can_exec(svirt_lxc_domain, svirt_lxc_file_t)
--
--kernel_getattr_proc(svirt_lxc_domain)
--kernel_list_all_proc(svirt_lxc_domain)
--kernel_read_kernel_sysctls(svirt_lxc_domain)
--kernel_rw_net_sysctls(svirt_lxc_domain)
--kernel_read_system_state(svirt_lxc_domain)
--kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
--
--corecmd_exec_all_executables(svirt_lxc_domain)
--
--files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
--files_dontaudit_getattr_all_files(svirt_lxc_domain)
--files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
--files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
--files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
--files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
--files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
--# files_entrypoint_all_files(svirt_lxc_domain)
--files_list_var(svirt_lxc_domain)
--files_list_var_lib(svirt_lxc_domain)
--files_search_all(svirt_lxc_domain)
--files_read_config_files(svirt_lxc_domain)
--files_read_usr_files(svirt_lxc_domain)
--files_read_usr_symlinks(svirt_lxc_domain)
--
--fs_getattr_all_fs(svirt_lxc_domain)
--fs_list_inotifyfs(svirt_lxc_domain)
--
--# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
--# fs_rw_inherited_cifs_files(svirt_lxc_domain)
--# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
--
--auth_dontaudit_read_login_records(svirt_lxc_domain)
--auth_dontaudit_write_login_records(svirt_lxc_domain)
--auth_search_pam_console_data(svirt_lxc_domain)
--
--clock_read_adjtime(svirt_lxc_domain)
--
--init_read_utmp(svirt_lxc_domain)
--init_dontaudit_write_utmp(svirt_lxc_domain)
--
--libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
--
--miscfiles_read_localization(svirt_lxc_domain)
--miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
--miscfiles_read_fonts(svirt_lxc_domain)
--
--mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
++
+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
@@ -115771,13 +115746,13 @@ index f03dcf5..36bc283 100644
+allow svirt_sandbox_domain virtd_lxc_t:fd use;
+allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+
-+manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+allow svirt_sandbox_domain svirt_sandbox_file_t:file { execmod relabelfrom relabelto };
-+allow svirt_sandbox_domain svirt_sandbox_file_t:dir { execmod relabelfrom relabelto };
++manage_dirs_pattern(svirt_sandbox_domain, container_image_t, container_image_t)
++manage_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t)
++manage_lnk_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t)
++manage_sock_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t)
++manage_fifo_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t)
++allow svirt_sandbox_domain container_image_t:file { execmod relabelfrom relabelto };
++allow svirt_sandbox_domain container_image_t:dir { execmod relabelfrom relabelto };
+virt_mounton_sandbox_file(svirt_sandbox_domain)
+
+list_dirs_pattern(svirt_sandbox_domain, container_image_t, container_image_t)
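Review bot: After the rename, rules in this hunk and the next duplicate the context lines that already used `container_image_t`: `allow svirt_sandbox_domain container_image_t:file { execmod relabelfrom relabelto };` subsumes the following hunk's `allow svirt_sandbox_domain container_image_t:file execmod;`, `can_exec(svirt_sandbox_domain, container_image_t)` appears twice in the next hunk, and the `list_dirs_pattern` line here is already covered by the `manage_dirs_pattern` grant above it. The duplicates do not change the compiled policy, but they obscure what the rename actually changed and make the grant to `svirt_sandbox_domain` harder to read as a whole. Collapsing each rule to a single copy, now that the two type names are the same type, would leave one coherent block of container_image_t rules for this domain.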
@@ -115786,11 +115761,11 @@ index f03dcf5..36bc283 100644
+allow svirt_sandbox_domain container_image_t:file execmod;
+can_exec(svirt_sandbox_domain, container_image_t)
+
-+allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr;
-+rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+can_exec(svirt_sandbox_domain, svirt_sandbox_file_t)
-+allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton;
-+allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem { getattr remount };
++allow svirt_sandbox_domain container_image_t:blk_file setattr;
++rw_blk_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t)
++can_exec(svirt_sandbox_domain, container_image_t)
++allow svirt_sandbox_domain container_image_t:dir mounton;
++allow svirt_sandbox_domain container_image_t:filesystem { getattr remount };
+
+kernel_getattr_proc(svirt_sandbox_domain)
+kernel_list_all_proc(svirt_sandbox_domain)
@@ -115861,8 +115836,89 @@ index f03dcf5..36bc283 100644
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
- optional_policy(`
-- udev_read_pid_files(svirt_lxc_domain)
+-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
+-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
+-allow svirt_lxc_domain self:fifo_file manage_file_perms;
+-allow svirt_lxc_domain self:sem create_sem_perms;
+-allow svirt_lxc_domain self:shm create_shm_perms;
+-allow svirt_lxc_domain self:msgq create_msgq_perms;
+-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
+-
+-allow svirt_lxc_domain virtd_lxc_t:fd use;
+-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
+-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
+-
+-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+-
+-allow svirt_lxc_domain virsh_t:fd use;
+-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
+-allow svirt_lxc_domain virsh_t:process sigchld;
+-
+-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
+-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
+-
+-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-
+-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
+-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
+-
+-can_exec(svirt_lxc_domain, svirt_lxc_file_t)
+-
+-kernel_getattr_proc(svirt_lxc_domain)
+-kernel_list_all_proc(svirt_lxc_domain)
+-kernel_read_kernel_sysctls(svirt_lxc_domain)
+-kernel_rw_net_sysctls(svirt_lxc_domain)
+-kernel_read_system_state(svirt_lxc_domain)
+-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
+-
+-corecmd_exec_all_executables(svirt_lxc_domain)
+-
+-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
+-files_dontaudit_getattr_all_files(svirt_lxc_domain)
+-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
+-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
+-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
+-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
+-# files_entrypoint_all_files(svirt_lxc_domain)
+-files_list_var(svirt_lxc_domain)
+-files_list_var_lib(svirt_lxc_domain)
+-files_search_all(svirt_lxc_domain)
+-files_read_config_files(svirt_lxc_domain)
+-files_read_usr_files(svirt_lxc_domain)
+-files_read_usr_symlinks(svirt_lxc_domain)
+-
+-fs_getattr_all_fs(svirt_lxc_domain)
+-fs_list_inotifyfs(svirt_lxc_domain)
+-
+-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
+-# fs_rw_inherited_cifs_files(svirt_lxc_domain)
+-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
+-
+-auth_dontaudit_read_login_records(svirt_lxc_domain)
+-auth_dontaudit_write_login_records(svirt_lxc_domain)
+-auth_search_pam_console_data(svirt_lxc_domain)
+-
+-clock_read_adjtime(svirt_lxc_domain)
+-
+-init_read_utmp(svirt_lxc_domain)
+-init_dontaudit_write_utmp(svirt_lxc_domain)
+-
+-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
+-
+-miscfiles_read_localization(svirt_lxc_domain)
+-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
+-miscfiles_read_fonts(svirt_lxc_domain)
+-
+-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
++optional_policy(`
+ apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain)
+')
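Review bot: The new side deletes every upstream rule for the svirt_lxc_domain attribute (from `allow svirt_lxc_domain self:capability ...` through `mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)`), while nothing in this hunk shows the attribute being retired or its members being moved onto svirt_sandbox_domain; that may well happen elsewhere in this patch, but it is not visible here. If any upstream type is still tagged only with svirt_lxc_domain afterwards, it silently loses these permissions and the sandbox-specific dontaudits rather than failing at build time, which is harder to notice than a compile error. A one-line comment at the head of the removal such as `# svirt_lxc_domain rules are superseded by the svirt_sandbox_domain rules above` would make the intent auditable. The enclosing block starts before this hunk.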
@@ -115882,8 +115938,9 @@ index f03dcf5..36bc283 100644
+optional_policy(`
+ udev_read_pid_files(svirt_sandbox_domain)
+')
-+
-+optional_policy(`
+
+ optional_policy(`
+- udev_read_pid_files(svirt_lxc_domain)
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
+')
+
@@ -115910,11 +115967,11 @@ index f03dcf5..36bc283 100644
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
-+ docker_read_share_files(svirt_sandbox_domain)
-+ docker_exec_share_files(svirt_sandbox_domain)
-+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
-+ docker_use_ptys(svirt_sandbox_domain)
-+ docker_spc_stream_connect(svirt_sandbox_domain)
++ container_read_share_files(svirt_sandbox_domain)
++ container_exec_share_files(svirt_sandbox_domain)
++ container_lib_filetrans(svirt_sandbox_domain,container_image_t, sock_file)
++ container_use_ptys(svirt_sandbox_domain)
++ container_spc_stream_connect(svirt_sandbox_domain)
+ fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
+ dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)
')
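Review bot: `++ container_lib_filetrans(svirt_sandbox_domain,container_image_t, sock_file)` is missing the space after the first comma that every neighbouring interface call uses; write `container_lib_filetrans(svirt_sandbox_domain, container_image_t, sock_file)`. The renamed container_* interfaces live in the container module shipped as a tarball in this commit, so their signatures cannot be checked from this page; the argument order of this filetrans call (domain, target type, object class) is presumably unchanged by the rename but is worth confirming against the new interface definition.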
@@ -115922,40 +115979,21 @@ index f03dcf5..36bc283 100644
########################################
#
-# Lxc net local policy
-+# svirt_lxc_net_t local policy
- #
-+virt_sandbox_domain_template(svirt_lxc_net)
-+virt_default_capabilities(svirt_lxc_net_t)
-+typeattribute svirt_lxc_net_t sandbox_net_domain;
-+dontaudit svirt_lxc_net_t self:capability fsetid;
-+dontaudit svirt_lxc_net_t self:capability2 block_suspend ;
-+allow svirt_lxc_net_t self:process { execstack execmem };
-+manage_chr_files_pattern(svirt_lxc_net_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+kernel_load_module(svirt_lxc_net_t)
++# container_t local policy
+ #
++virt_sandbox_domain_template(container)
++typealias container_t alias svirt_lxc_net_t;
++virt_default_capabilities(container_t)
++typeattribute container_t sandbox_net_domain;
++dontaudit container_t self:capability fsetid;
++dontaudit container_t self:capability2 block_suspend ;
++allow container_t self:process { execstack execmem };
++manage_chr_files_pattern(container_t, container_image_t, container_image_t)
++kernel_load_module(container_t)
+
+tunable_policy(`virt_sandbox_use_sys_admin',`
-+ allow svirt_lxc_net_t self:capability sys_admin;
-+')
-+
-+tunable_policy(`virt_sandbox_use_mknod',`
-+ allow svirt_lxc_net_t self:capability mknod;
-+')
-+
-+tunable_policy(`virt_sandbox_use_all_caps',`
-+ allow svirt_lxc_net_t self:capability all_capability_perms;
-+ allow svirt_lxc_net_t self:capability2 all_capability2_perms;
-+')
-+
-+tunable_policy(`virt_sandbox_use_netlink',`
-+ allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
-+ allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
-+ allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
-+', `
-+ logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)
++ allow container_t self:capability sys_admin;
+')
-+
-+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
-+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
-dontaudit svirt_lxc_net_t self:capability2 block_suspend;
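Review bot: The domain rename is backed by `++typealias container_t alias svirt_lxc_net_t;`, but the file-type rename from svirt_sandbox_file_t to container_image_t in `manage_chr_files_pattern(container_t, container_image_t, container_image_t)` has no corresponding alias anywhere in this chunk. If one is not declared elsewhere (it may live in the container module tarball, which this page cannot show), files already labelled svirt_sandbox_file_t on disk and any file-context entries still using the old name would no longer match the rules written for container_image_t, leaving those files outside container_t's allowed set until relabelled. Worth confirming that a `typealias container_image_t alias svirt_sandbox_file_t;` sits next to the type declaration. The container_t block continues past the end of this hunk.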
@@ -115968,10 +116006,16 @@ index f03dcf5..36bc283 100644
-allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
-allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
-allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
--
++tunable_policy(`virt_sandbox_use_mknod',`
++ allow container_t self:capability mknod;
++')
+
-kernel_read_network_state(svirt_lxc_net_t)
- kernel_read_irq_sysctls(svirt_lxc_net_t)
-+kernel_read_messages(svirt_lxc_net_t)
+-kernel_read_irq_sysctls(svirt_lxc_net_t)
++tunable_policy(`virt_sandbox_use_all_caps',`
++ allow container_t self:capability all_capability_perms;
++ allow container_t self:capability2 all_capability2_perms;
++')
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
@@ -115983,55 +116027,72 @@ index f03dcf5..36bc283 100644
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
--
++tunable_policy(`virt_sandbox_use_netlink',`
++ allow container_t self:netlink_socket create_socket_perms;
++ allow container_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
++ allow container_t self:netlink_kobject_uevent_socket create_socket_perms;
++', `
++ logging_dontaudit_send_audit_msgs(container_t)
++')
+
-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
-corenet_udp_bind_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
--
++allow container_t virt_lxc_var_run_t:dir list_dir_perms;
++allow container_t virt_lxc_var_run_t:file read_file_perms;
+
-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
--
++kernel_read_irq_sysctls(container_t)
++kernel_read_messages(container_t)
+
-dev_getattr_mtrr_dev(svirt_lxc_net_t)
-dev_read_rand(svirt_lxc_net_t)
- dev_read_sysfs(svirt_lxc_net_t)
-+dev_read_mtrr(svirt_lxc_net_t)
-+dev_read_rand(svirt_lxc_net_t)
- dev_read_urand(svirt_lxc_net_t)
-
- files_read_kernel_modules(svirt_lxc_net_t)
-
-+fs_noxattr_type(svirt_sandbox_file_t)
-+# Do we actually need these?
- fs_mount_cgroup(svirt_lxc_net_t)
- fs_manage_cgroup_dirs(svirt_lxc_net_t)
+-dev_read_sysfs(svirt_lxc_net_t)
+-dev_read_urand(svirt_lxc_net_t)
++dev_read_sysfs(container_t)
++dev_read_mtrr(container_t)
++dev_read_rand(container_t)
++dev_read_urand(container_t)
+
+-files_read_kernel_modules(svirt_lxc_net_t)
++files_read_kernel_modules(container_t)
+
+-fs_mount_cgroup(svirt_lxc_net_t)
+-fs_manage_cgroup_dirs(svirt_lxc_net_t)
-fs_rw_cgroup_files(svirt_lxc_net_t)
-+fs_manage_cgroup_files(svirt_lxc_net_t)
++fs_noxattr_type(container_image_t)
++# Do we actually need these?
++fs_mount_cgroup(container_t)
++fs_manage_cgroup_dirs(container_t)
++fs_manage_cgroup_files(container_t)
+# Needed for docker
-+fs_unmount_xattr_fs(svirt_lxc_net_t)
-+
-+term_pty(svirt_sandbox_file_t)
++fs_unmount_xattr_fs(container_t)
- auth_use_nsswitch(svirt_lxc_net_t)
+-auth_use_nsswitch(svirt_lxc_net_t)
++term_pty(container_image_t)
-logging_send_audit_msgs(svirt_lxc_net_t)
-+rpm_read_db(svirt_lxc_net_t)
++auth_use_nsswitch(container_t)
-userdom_use_user_ptys(svirt_lxc_net_t)
-+logging_send_syslog_msg(svirt_lxc_net_t)
++rpm_read_db(container_t)
-optional_policy(`
- rpm_read_db(svirt_lxc_net_t)
++logging_send_syslog_msg(container_t)
++
+tunable_policy(`virt_sandbox_use_audit',`
-+ logging_send_audit_msgs(svirt_lxc_net_t)
++ logging_send_audit_msgs(container_t)
')
-#######################################
-+userdom_use_user_ptys(svirt_lxc_net_t)
++userdom_use_user_ptys(container_t)
+
+########################################
#
-# Prot exec local policy
-+# svirt_lxc_net_t local policy
++# container_t local policy
#
+virt_sandbox_domain_template(svirt_qemu_net)
+typeattribute svirt_qemu_net_t sandbox_net_domain;
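Review bot: The section header `++# container_t local policy` added here sits directly above `virt_sandbox_domain_template(svirt_qemu_net)`, so it labels the svirt_qemu_net_t block, not container_t; the same mislabelled header is added above the svirt_kvm_net_t block in the hunk at @@ -116306,7. The old text (`# svirt_lxc_net_t local policy`) was already wrong for these blocks and the rename simply carried the error over. Use `# svirt_qemu_net_t local policy` here and `# svirt_kvm_net_t local policy` in the later hunk so each header names the domain its block actually defines. Both blocks continue beyond their hunks.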
@@ -116055,12 +116116,12 @@ index f03dcf5..36bc283 100644
+
+term_use_generic_ptys(svirt_qemu_net_t)
+term_use_ptmx(svirt_qemu_net_t)
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+dev_rw_kvm(svirt_qemu_net_t)
+
+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+
@@ -116075,12 +116136,12 @@ index f03dcf5..36bc283 100644
+
+files_read_kernel_modules(svirt_qemu_net_t)
+
-+fs_noxattr_type(svirt_sandbox_file_t)
++fs_noxattr_type(container_image_t)
+fs_mount_cgroup(svirt_qemu_net_t)
+fs_manage_cgroup_dirs(svirt_qemu_net_t)
+fs_manage_cgroup_files(svirt_qemu_net_t)
+
-+term_pty(svirt_sandbox_file_t)
++term_pty(container_image_t)
+
+auth_use_nsswitch(svirt_qemu_net_t)
+
@@ -116108,7 +116169,7 @@ index f03dcf5..36bc283 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1624,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1623,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -116123,7 +116184,7 @@ index f03dcf5..36bc283 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,7 +1642,7 @@ optional_policy(`
+@@ -1192,7 +1641,7 @@ optional_policy(`
########################################
#
@@ -116132,7 +116193,7 @@ index f03dcf5..36bc283 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1651,257 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1650,257 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
@@ -116306,7 +116367,7 @@ index f03dcf5..36bc283 100644
+
+########################################
+#
-+# svirt_lxc_net_t local policy
++# container_t local policy
+#
+virt_sandbox_domain_template(svirt_kvm_net)
+typeattribute svirt_kvm_net_t sandbox_net_domain;
@@ -116342,12 +116403,12 @@ index f03dcf5..36bc283 100644
+
+files_read_kernel_modules(svirt_kvm_net_t)
+
-+fs_noxattr_type(svirt_sandbox_file_t)
++fs_noxattr_type(container_image_t)
+fs_mount_cgroup(svirt_kvm_net_t)
+fs_manage_cgroup_dirs(svirt_kvm_net_t)
+fs_manage_cgroup_files(svirt_kvm_net_t)
+
-+term_pty(svirt_sandbox_file_t)
++term_pty(container_image_t)
+
+auth_use_nsswitch(svirt_kvm_net_t)
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 456c3d4..4a40174 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 218%{?dist}
+Release: 219%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -675,6 +675,24 @@ exit 0
%endif
%changelog
+* Mon Oct 10 2016 Lukas Vrabec - 3.13.1-219
+- Dontaudit leaked file descriptors for thumb. BZ(1383071)
+- Fix typo in cobbler SELinux module
+- Merge pull request #165 from rhatdan/container
+- Allow cockpit_ws_t to manage cockpit_lib_t dirs and files. BZ(1375156)
+- Allow cobblerd_t to delete dirs labeled as tftpdir_rw_t
+- Rename svirt_lxc_net_t to container_t
+- Rename docker.pp to container.pp, causes change in interface name
+- Allow httpd_t domain to list inotify filesystem.
+- Fix couple AVC to start roundup properly
+- Allow dovecot_t send signull to dovecot_deliver_t
+- Add sys_ptrace capability to pegasus domain
+- Allow firewalld to stream connect to NetworkManager. BZ(1380954)
+- rename docker intefaces to container
+- Merge pull request #164 from rhatdan/docker-base
+- Rename docker.pp to container.pp, causes change in interface name
+- Allow gvfs to read /dev/nvme* devices BZ(1380951)
+
* Wed Oct 05 2016 Colin Walters - 3.13.1-218
- Revert addition of systemd service for factory reset, since it is
basically worse than what we had before. BZ(1290659)