diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 1029221..5bf5064 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 9d3eadc..b4a8532 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -26517,10 +26517,10 @@ index cc877c7..b8e6e98 100644
+ xserver_rw_xdm_pipes(ssh_agent_type)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 8274418..b3baa75 100644
+index 8274418..12a5645 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
-@@ -2,13 +2,36 @@
+@@ -2,13 +2,38 @@
# HOME_DIR
#
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -26538,6 +26538,7 @@ index 8274418..b3baa75 100644
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.cache/gdm(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)
+HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
++HOME_DIR/\.wayland-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+
+/root/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -26553,11 +26554,12 @@ index 8274418..b3baa75 100644
+/root/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/root/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/root/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
++/root/\.wayland-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+/root/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
#
# /dev
-@@ -22,13 +45,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -22,13 +47,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
/etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
@@ -26580,7 +26582,7 @@ index 8274418..b3baa75 100644
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,26 +77,34 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,26 +79,34 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
# /tmp
#
@@ -26621,7 +26623,7 @@ index 8274418..b3baa75 100644
/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -91,19 +130,34 @@ ifndef(`distro_debian',`
+@@ -91,19 +132,34 @@ ifndef(`distro_debian',`
/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
@@ -26660,7 +26662,7 @@ index 8274418..b3baa75 100644
/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -111,7 +165,18 @@ ifndef(`distro_debian',`
+@@ -111,7 +167,18 @@ ifndef(`distro_debian',`
/var/run/slim.* gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -26680,7 +26682,7 @@ index 8274418..b3baa75 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..f2bbe7e 100644
+index 6bf0ecc..7d0c3c3 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -18,100 +18,36 @@
@@ -27756,7 +27758,7 @@ index 6bf0ecc..f2bbe7e 100644
')
########################################
-@@ -1284,10 +1640,660 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1640,662 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -28290,6 +28292,7 @@ index 6bf0ecc..f2bbe7e 100644
+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9")
+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped")
+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".wayland-errors")
+ userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
+ userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
+ userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
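Review bot: The named transition added for `.wayland-errors` matches only that exact filename, while the file-context entries this commit adds to xserver.fc use the regex `\.wayland-errors.*` and the neighbouring `.xsession-errors` transitions list suffixed variants (`-:9`, `-stamped`, `-stamped.old`). If the display manager ever writes a suffixed or rotated wayland log, the file would be created with the default home label and would only become `xdm_home_t` after a relabel. Either add the expected variants or state the assumption in a comment, e.g. `# sddm-helper writes only ~/.wayland-errors, BZ(#1291085)`. The same applies to the `userdom_admin_home_dir_filetrans` line in the next hunk, and the enclosing interfaces start and end outside both hunks.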
@@ -28334,6 +28337,7 @@ index 6bf0ecc..f2bbe7e 100644
+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped")
+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old")
+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors.old")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".wayland-errors")
+ userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
+ userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
@@ -45258,10 +45262,10 @@ index 0000000..c253b33
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..56ba5a6
+index 0000000..b4a073f
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,824 @@
+@@ -0,0 +1,825 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -45463,6 +45467,7 @@ index 0000000..56ba5a6
+init_undefined(systemd_logind_t)
+init_signal_script(systemd_logind_t)
+init_getattr_script_status_files(systemd_logind_t)
++init_read_utmp(systemd_logind_t)
+
+getty_systemctl(systemd_logind_t)
+
@@ -47499,7 +47504,7 @@ index db75976..c54480a 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..cb235f4 100644
+index 9dc60c6..e6556aa 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -50801,7 +50806,7 @@ index 9dc60c6..cb235f4 100644
## Create keys for all user domains.
##
##
-@@ -3435,4 +4622,1763 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4622,1781 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@@ -51369,6 +51374,24 @@ index 9dc60c6..cb235f4 100644
+
+########################################
+##
++## Read and write userdomain stream.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_connectto_stream',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:unix_stream_socket connectto;
++')
++
++########################################
++##
+## Do not audit attempts to read and write
+## unserdomain datagram socket.
+##
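Review bot: The summary of the new `userdom_connectto_stream` interface says "Read and write userdomain stream", but the only rule it emits is `allow $1 userdomain:unix_stream_socket connectto;`, which grants neither read nor write. The summary should describe what is granted, e.g. `## Connect to unix stream sockets of all user domains.`, so a caller reviewing the interface list does not misjudge the permission. Because `userdomain` is an attribute, the grant covers every user domain type, and that breadth is worth stating in the description too.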
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index d1ed53e..90745cc 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -3799,7 +3799,7 @@ index 7caefc3..b25689b 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
-index f6eb485..c55558a 100644
+index f6eb485..f1f976b 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
@@ -3948,7 +3948,7 @@ index f6eb485..c55558a 100644
+ manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+ manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+
-+ allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write };
++ allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write shutdown };
+
+ # Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
@@ -20497,7 +20497,7 @@ index 3023be7..0317731 100644
+ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
')
diff --git a/cups.te b/cups.te
-index c91813c..999581c 100644
+index c91813c..3d89006 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
@@ -20771,13 +20771,14 @@ index c91813c..999581c 100644
selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t)
-@@ -244,22 +288,27 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -244,22 +288,28 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
-libs_read_lib_files(cupsd_t)
libs_exec_lib_files(cupsd_t)
+libs_exec_ldconfig(cupsd_t)
++libs_exec_ld_so(cupsd_t)
logging_send_audit_msgs(cupsd_t)
logging_send_syslog_msg(cupsd_t)
@@ -20804,7 +20805,7 @@ index c91813c..999581c 100644
optional_policy(`
apm_domtrans_client(cupsd_t)
-@@ -272,6 +321,8 @@ optional_policy(`
+@@ -272,6 +322,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
@@ -20813,7 +20814,7 @@ index c91813c..999581c 100644
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
-@@ -279,11 +330,17 @@ optional_policy(`
+@@ -279,11 +331,17 @@ optional_policy(`
')
optional_policy(`
@@ -20831,7 +20832,7 @@ index c91813c..999581c 100644
')
')
-@@ -296,8 +353,8 @@ optional_policy(`
+@@ -296,8 +354,8 @@ optional_policy(`
')
optional_policy(`
@@ -20841,7 +20842,7 @@ index c91813c..999581c 100644
')
optional_policy(`
-@@ -306,7 +363,6 @@ optional_policy(`
+@@ -306,7 +364,6 @@ optional_policy(`
optional_policy(`
lpd_exec_lpr(cupsd_t)
@@ -20849,7 +20850,7 @@ index c91813c..999581c 100644
lpd_read_config(cupsd_t)
lpd_relabel_spool(cupsd_t)
')
-@@ -316,6 +372,10 @@ optional_policy(`
+@@ -316,6 +373,10 @@ optional_policy(`
')
optional_policy(`
@@ -20860,7 +20861,7 @@ index c91813c..999581c 100644
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
samba_stream_connect_nmbd(cupsd_t)
-@@ -334,7 +394,11 @@ optional_policy(`
+@@ -334,7 +395,11 @@ optional_policy(`
')
optional_policy(`
@@ -20873,7 +20874,7 @@ index c91813c..999581c 100644
')
########################################
-@@ -342,12 +406,11 @@ optional_policy(`
+@@ -342,12 +407,11 @@ optional_policy(`
# Configuration daemon local policy
#
@@ -20889,7 +20890,7 @@ index c91813c..999581c 100644
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -372,18 +435,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -372,18 +436,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
@@ -20910,7 +20911,7 @@ index c91813c..999581c 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -392,20 +453,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -392,20 +454,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
@@ -20931,7 +20932,7 @@ index c91813c..999581c 100644
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
-@@ -417,11 +470,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -417,11 +471,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@@ -20943,7 +20944,7 @@ index c91813c..999581c 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
-@@ -449,9 +497,12 @@ optional_policy(`
+@@ -449,9 +498,12 @@ optional_policy(`
')
optional_policy(`
@@ -20957,7 +20958,7 @@ index c91813c..999581c 100644
')
optional_policy(`
-@@ -467,6 +518,10 @@ optional_policy(`
+@@ -467,6 +519,10 @@ optional_policy(`
')
optional_policy(`
@@ -20968,7 +20969,7 @@ index c91813c..999581c 100644
rpm_read_db(cupsd_config_t)
')
-@@ -487,10 +542,6 @@ optional_policy(`
+@@ -487,10 +543,6 @@ optional_policy(`
# Lpd local policy
#
@@ -20979,7 +20980,7 @@ index c91813c..999581c 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -508,15 +559,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -508,15 +560,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
@@ -20997,7 +20998,7 @@ index c91813c..999581c 100644
corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
-@@ -537,9 +588,6 @@ auth_use_nsswitch(cupsd_lpd_t)
+@@ -537,9 +589,6 @@ auth_use_nsswitch(cupsd_lpd_t)
logging_send_syslog_msg(cupsd_lpd_t)
@@ -21007,7 +21008,7 @@ index c91813c..999581c 100644
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
-@@ -550,7 +598,6 @@ optional_policy(`
+@@ -550,7 +599,6 @@ optional_policy(`
#
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -21015,7 +21016,7 @@ index c91813c..999581c 100644
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -566,148 +613,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -566,148 +614,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@@ -21167,7 +21168,7 @@ index c91813c..999581c 100644
########################################
#
-@@ -735,7 +657,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -735,7 +658,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -21175,7 +21176,7 @@ index c91813c..999581c 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -745,13 +666,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -745,13 +667,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
@@ -21189,7 +21190,7 @@ index c91813c..999581c 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
-@@ -759,8 +678,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -759,8 +679,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@@ -21198,7 +21199,7 @@ index c91813c..999581c 100644
sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -773,3 +690,4 @@ optional_policy(`
+@@ -773,3 +691,4 @@ optional_policy(`
optional_policy(`
udev_read_db(ptal_t)
')
@@ -24084,7 +24085,7 @@ index c697edb..954c090 100644
+ allow $1 dhcpd_unit_file_t:service all_service_perms;
')
diff --git a/dhcp.te b/dhcp.te
-index 98a24b9..5a24c3a 100644
+index 98a24b9..cb5795e 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
@@ -24122,7 +24123,7 @@ index 98a24b9..5a24c3a 100644
files_read_etc_runtime_files(dhcpd_t)
files_search_var_lib(dhcpd_t)
-@@ -102,22 +103,42 @@ auth_use_nsswitch(dhcpd_t)
+@@ -102,22 +103,44 @@ auth_use_nsswitch(dhcpd_t)
logging_send_syslog_msg(dhcpd_t)
@@ -24145,17 +24146,19 @@ index 98a24b9..5a24c3a 100644
+ corenet_tcp_sendrecv_ldap_port(dhcpd_t)
+ corenet_tcp_connect_ldap_port(dhcpd_t)
+ corenet_sendrecv_ldap_client_packets(dhcpd_t)
-+')
-+
-+tunable_policy(`dhcpd_use_ldap',`
-+ ldap_read_certs(dhcpd_t)
+ ')
+
+ optional_policy(`
++ tunable_policy(`dhcpd_use_ldap',`
++ ldap_read_certs(dhcpd_t)
++ ')
+')
+
+ifdef(`distro_gentoo',`
+ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
- ')
-
- optional_policy(`
++')
++
++optional_policy(`
+ # used for dynamic DNS
bind_read_dnssec_keys(dhcpd_t)
')
@@ -36395,10 +36398,10 @@ index 6517fad..f183748 100644
+ allow $1 hypervkvp_unit_file_t:service all_service_perms;
')
diff --git a/hypervkvp.te b/hypervkvp.te
-index 4eb7041..3ba4a51 100644
+index 4eb7041..76a5802 100644
--- a/hypervkvp.te
+++ b/hypervkvp.te
-@@ -5,24 +5,139 @@ policy_module(hypervkvp, 1.0.0)
+@@ -5,24 +5,142 @@ policy_module(hypervkvp, 1.0.0)
# Declarations
#
@@ -36436,7 +36439,7 @@ index 4eb7041..3ba4a51 100644
#
-# Local policy
+# hyperv domain local policy
- #
++#
+
+allow hyperv_domain self:capability net_admin;
+allow hyperv_domain self:netlink_socket create_socket_perms;
@@ -36452,10 +36455,8 @@ index 4eb7041..3ba4a51 100644
+########################################
+#
+# hypervkvp local policy
- #
-
--allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
--allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
++#
++
+allow hypervkvp_t self:capability sys_ptrace;
+allow hypervkvp_t self:process setfscreate;
+allow hypervkvp_t self:netlink_route_socket rw_netlink_socket_perms;
@@ -36537,16 +36538,21 @@ index 4eb7041..3ba4a51 100644
+')
+
+########################################
-+#
+ #
+# hypervvssd local policy
-+#
+ #
--logging_send_syslog_msg(hypervkvpd_t)
+-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
+-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
+allow hypervvssd_t self:capability sys_admin;
--miscfiles_read_localization(hypervkvpd_t)
+-logging_send_syslog_msg(hypervkvpd_t)
+files_list_boot(hypervvssd_t)
+-miscfiles_read_localization(hypervkvpd_t)
++files_list_all_mountpoints(hypervvssd_t)
++files_write_all_mountpoints(hypervvssd_t)
+
-sysnet_dns_name_resolve(hypervkvpd_t)
+logging_send_syslog_msg(hypervvssd_t)
diff --git a/i18n_input.te b/i18n_input.te
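Review bot: `files_write_all_mountpoints(hypervvssd_t)` gives the VSS daemon write access to every mountpoint directory, on top of the `sys_admin` capability it already holds, and nothing in the hunk says which operation needs it. If the daemon only opens mountpoints to freeze and thaw filesystems (an assumption, as the denial is not shown here), the `files_list_all_mountpoints` call added on the previous line may be enough and the write grant could be dropped. At minimum, add a comment with the denial or bug number, e.g. `# BZ(<bug id>): <access that was denied on the mountpoint>`. The %changelog entry added by this commit does not mention the change.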
@@ -37242,15 +37248,16 @@ index 0000000..61f2003
+userdom_use_user_terminals(iotop_t)
diff --git a/ipa.fc b/ipa.fc
new file mode 100644
-index 0000000..db194ec
+index 0000000..749756a
--- /dev/null
+++ b/ipa.fc
-@@ -0,0 +1,10 @@
+@@ -0,0 +1,11 @@
+/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
+
+/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
+
+/usr/libexec/ipa/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
++/usr/libexec/ipa/oddjob/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
+
+/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0)
+
@@ -61471,10 +61478,10 @@ index 57c0161..c554eb6 100644
+ ps_process_pattern($1, nut_t)
')
diff --git a/nut.te b/nut.te
-index 5b2cb0d..ad16c77 100644
+index 5b2cb0d..7655e0b 100644
--- a/nut.te
+++ b/nut.te
-@@ -7,154 +7,143 @@ policy_module(nut, 1.3.0)
+@@ -7,154 +7,148 @@ policy_module(nut, 1.3.0)
attribute nut_domain;
@@ -61584,12 +61591,13 @@ index 5b2cb0d..ad16c77 100644
-allow nut_upsmon_t self:capability dac_read_search;
-allow nut_upsmon_t self:unix_stream_socket connectto;
++allow nut_upsmon_t self:capability kill;
+allow nut_upsmon_t self:tcp_socket create_socket_perms;
+allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
-
-+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
+
++read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
+
+kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)
@@ -61609,6 +61617,9 @@ index 5b2cb0d..ad16c77 100644
-corenet_sendrecv_generic_client_packets(nut_upsmon_t)
corenet_tcp_connect_generic_port(nut_upsmon_t)
++dev_read_rand(nut_upsmon_t)
++dev_read_urand(nut_upsmon_t)
++
+# Creates /etc/killpower
files_manage_etc_runtime_files(nut_upsmon_t)
files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
@@ -61655,6 +61666,7 @@ index 5b2cb0d..ad16c77 100644
dev_read_sysfs(nut_upsdrvctl_t)
-dev_read_urand(nut_upsdrvctl_t)
++dev_read_usbfs(nut_upsdrvctl_t)
dev_rw_generic_usb_dev(nut_upsdrvctl_t)
term_use_unallocated_ttys(nut_upsdrvctl_t)
@@ -76890,7 +76902,7 @@ index d68e26d..d2c4d2a 100644
+/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
+/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
diff --git a/puppet.if b/puppet.if
-index 7cb8b1f..9422c90 100644
+index 7cb8b1f..bef7217 100644
--- a/puppet.if
+++ b/puppet.if
@@ -1,4 +1,32 @@
@@ -76971,7 +76983,7 @@ index 7cb8b1f..9422c90 100644
')
################################################
-@@ -78,158 +107,164 @@ interface(`puppet_read_config',`
+@@ -78,158 +107,165 @@ interface(`puppet_read_config',`
##
##
#
@@ -77202,8 +77214,9 @@ index 7cb8b1f..9422c90 100644
- files_search_var_lib($1)
- admin_pattern($1, puppet_var_lib_t)
+ files_search_etc($1)
-+ list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
++ list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
+ read_files_pattern($1, puppet_etc_t, puppet_etc_t)
++ read_lnk_files_pattern($1, puppet_etc_t, puppet_etc_t)
+')
+#####################################
@@ -81711,10 +81724,10 @@ index 951db7f..00e699d 100644
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak")
')
diff --git a/raid.te b/raid.te
-index c99753f..c8696d7 100644
+index c99753f..c7b77bc 100644
--- a/raid.te
+++ b/raid.te
-@@ -15,54 +15,101 @@ role mdadm_roles types mdadm_t;
+@@ -15,54 +15,102 @@ role mdadm_roles types mdadm_t;
type mdadm_initrc_exec_t;
init_script_file(mdadm_initrc_exec_t)
@@ -81822,10 +81835,11 @@ index c99753f..c8696d7 100644
fs_rw_cgroup_files(mdadm_t)
fs_dontaudit_list_tmpfs(mdadm_t)
+fs_manage_cgroup_files(mdadm_t)
++fs_read_efivarfs_files(mdadm_t)
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
-@@ -71,15 +118,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -71,15 +119,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
@@ -81852,7 +81866,7 @@ index c99753f..c8696d7 100644
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -90,17 +147,38 @@ optional_policy(`
+@@ -90,17 +148,38 @@ optional_policy(`
')
optional_policy(`
@@ -93982,10 +93996,10 @@ index 0000000..3e89d71
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
-index 0000000..c9449b4
+index 0000000..3dc39bf
--- /dev/null
+++ b/sandboxX.te
-@@ -0,0 +1,505 @@
+@@ -0,0 +1,506 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
@@ -94282,6 +94296,7 @@ index 0000000..c9449b4
+#1103622
+corenet_tcp_connect_xserver_port(sandbox_x_domain)
+xserver_stream_connect(sandbox_x_domain)
++userdom_connectto_stream(sandbox_x_domain)
+
+########################################
+#
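Review bot: `userdom_connectto_stream(sandbox_x_domain)` lets every sandboxed X client type connect to unix stream sockets owned by any user domain, which widens what confined sandbox code can reach outside the sandbox. The line sits directly under the `#1103622` marker that appears to belong to the xserver rules, so it reads as if that bug justified it, while the changelog entry for the interface carries no bug number. Give the rule its own comment naming the service the sandbox has to reach. If that peer is a single domain, consider granting `connectto` on that type rather than on the whole `userdomain` attribute.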
@@ -98580,10 +98595,10 @@ index 0000000..ed76979
+
diff --git a/snapper.te b/snapper.te
new file mode 100644
-index 0000000..90903a9
+index 0000000..243fc96
--- /dev/null
+++ b/snapper.te
-@@ -0,0 +1,75 @@
+@@ -0,0 +1,77 @@
+policy_module(snapper, 1.0.0)
+
+########################################
@@ -98609,6 +98624,8 @@ index 0000000..90903a9
+# snapperd local policy
+#
+
++allow snapperd_t self:capability dac_override;
++
+allow snapperd_t self:fifo_file rw_fifo_file_perms;
+allow snapperd_t self:unix_stream_socket create_stream_socket_perms;
+
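Review bot: `allow snapperd_t self:capability dac_override;` lets snapperd bypass discretionary read, write and execute permission checks on any file its other SELinux rules let it reach, and the hunk carries no comment or bug reference. If the denial that prompted this was a read or a directory search, `dac_read_search` is the narrower capability and should be tried first: `allow snapperd_t self:capability dac_read_search;`. Otherwise, record the path and access that required the override in a comment above the rule.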
@@ -110492,7 +110509,7 @@ index facdee8..19b6ffb 100644
+ ps_process_pattern(virtd_t, $1)
')
diff --git a/virt.te b/virt.te
-index f03dcf5..a9548bd 100644
+index f03dcf5..7056171 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,248 @@
@@ -112081,7 +112098,7 @@ index f03dcf5..a9548bd 100644
+manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+allow svirt_sandbox_domain svirt_sandbox_file_t:file { relabelfrom relabelto };
++allow svirt_sandbox_domain svirt_sandbox_file_t:file { execmod relabelfrom relabelto };
+
+allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr;
+rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
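Review bot: Adding `execmod` to the `svirt_sandbox_file_t:file` rule allows every domain in `svirt_sandbox_domain` to make a modified private file mapping executable. That drops a memory-protection check which otherwise blocks text relocations and some in-process code-modification paths inside a container. The permission is granted unconditionally, and neither the hunk nor the %changelog entry in this commit says which workload needs it. Consider moving `execmod` into a `tunable_policy` block so it can be switched off where it is not required, and add a comment with the bug reference.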
@@ -112497,24 +112514,30 @@ index f03dcf5..a9548bd 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,9 +1546,8 @@ optional_policy(`
+@@ -1192,7 +1546,7 @@ optional_policy(`
########################################
#
-# Bridgehelper local policy
+# virt_bridgehelper local policy
#
--
+
allow virt_bridgehelper_t self:process { setcap getcap };
- allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
- allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1205,7 +1558,247 @@ manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
+@@ -1201,11 +1555,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+ allow virt_bridgehelper_t self:tun_socket create_socket_perms;
+ allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
- kernel_read_network_state(virt_bridgehelper_t)
++allow virt_bridgehelper_t virt_domain:unix_stream_socket { read write };
++
+ manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
+ kernel_read_network_state(virt_bridgehelper_t)
++kernel_read_system_state(virt_bridgehelper_t)
++
+dev_read_urand(virt_bridgehelper_t)
+dev_read_rand(virt_bridgehelper_t)
-+
++dev_read_sysfs(virt_bridgehelper_t)
+
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
-userdom_search_user_home_dirs(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7a1e5c2..57fbaa3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 164%{?dist}
+Release: 165%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -664,6 +664,18 @@ exit 0
%endif
%changelog
+* Wed Jan 06 2016 Lukas Vrabec 3.13.1-165
+- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
+- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
+- Allow arping running as netutils_t sys_module capability for removing tap devices.
+- Add userdom_connectto_stream() interface.
+- Allow systemd-logind to read /run/utmp. BZ(#1278662)
+- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
+- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
+- Allow arping running as netutils_t sys_module capability for removing tap devices.
+- Add userdom_connectto_stream() interface.
+- Allow systemd-logind to read /run/utmp. BZ(#1278662)
+
* Tue Dec 15 2015 Lukas Vrabec 3.13.1-164
- Allow firewalld to create firewalld_var_run_t directory. BZ(1291243)
- Add interface firewalld_read_pid_files()