++##
+## Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
+##
+##
@@ -20069,7 +20188,11 @@ index 0000000..168668b
+')
+
+optional_policy(`
-+ chrome_role(unconfined_r, unconfined_usertype)
++ chrome_role_notrans(unconfined_r, unconfined_usertype)
++
++ tunable_policy(`unconfined_chrome_sandbox_transition',`
++ chrome_domtrans_sandbox(unconfined_usertype)
++ ')
+')
+
+optional_policy(`
@@ -20334,10 +20457,10 @@ index 0000000..168668b
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..425ea6f 100644
+index e5bfdd4..17b57ba 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
-@@ -12,15 +12,74 @@ role user_r;
+@@ -12,15 +12,78 @@ role user_r;
userdom_unpriv_user_template(user)
@@ -20363,6 +20486,10 @@ index e5bfdd4..425ea6f 100644
+')
+
+optional_policy(`
++ chrome_role(user_r, user_t)
++')
++
++optional_policy(`
+ gnome_role(user_r, user_t)
+')
+
@@ -20412,7 +20539,7 @@ index e5bfdd4..425ea6f 100644
vlock_run(user_t, user_r)
')
-@@ -62,10 +121,6 @@ ifndef(`distro_redhat',`
+@@ -62,10 +125,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -20423,7 +20550,7 @@ index e5bfdd4..425ea6f 100644
gpg_role(user_r, user_t)
')
-@@ -118,11 +173,7 @@ ifndef(`distro_redhat',`
+@@ -118,11 +177,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -20436,7 +20563,7 @@ index e5bfdd4..425ea6f 100644
')
optional_policy(`
-@@ -157,3 +208,4 @@ ifndef(`distro_redhat',`
+@@ -157,3 +212,4 @@ ifndef(`distro_redhat',`
wireshark_role(user_r, user_t)
')
')
@@ -26096,7 +26223,7 @@ index e8e9a21..89fc935 100644
/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
-index 1f11572..7f6a7ab 100644
+index 1f11572..101824b 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -33,6 +33,7 @@ interface(`clamav_stream_connect',`
@@ -26123,7 +26250,33 @@ index 1f11572..7f6a7ab 100644
')
########################################
-@@ -151,9 +152,8 @@ interface(`clamav_exec_clamscan',`
+@@ -133,6 +134,25 @@ interface(`clamav_exec_clamscan',`
+
+ ########################################
+ ##