diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 5cb9828..1799d9e 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 8bb1cc6..9112bf0 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -15455,7 +15455,7 @@ index d7c11a0..6b3331d 100644
  /var/run/shm/.*			<<none>>
 -')
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..f3dd0f6 100644
+index 8416beb..99002ca 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -15607,7 +15607,32 @@ index 8416beb..f3dd0f6 100644
  	dev_search_sysfs($1)
  ')
  
-@@ -1107,6 +1177,24 @@ interface(`fs_read_noxattr_fs_files',`
+@@ -920,6 +990,24 @@ interface(`fs_getattr_cifs',`
+ 
+ ########################################
+ ## <summary>
++##	Set the attributes of cifs directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_setattr_cifs_dirs',`
++	gen_require(`
++		type cifs_t;
++	')
++
++	allow $1 cifs_t:dir setattr;
++')
++
++########################################
++## <summary>
+ ##	Search directories on a CIFS or SMB filesystem.
+ ## </summary>
+ ## <param name="domain">
+@@ -1107,6 +1195,24 @@ interface(`fs_read_noxattr_fs_files',`
  
  ########################################
  ## <summary>
@@ -15632,7 +15657,7 @@ index 8416beb..f3dd0f6 100644
  ##	Do not audit attempts to read all
  ##	noxattrfs files.
  ## </summary>
-@@ -1245,7 +1333,7 @@ interface(`fs_append_cifs_files',`
+@@ -1245,7 +1351,7 @@ interface(`fs_append_cifs_files',`
  
  ########################################
  ## <summary>
@@ -15641,7 +15666,7 @@ index 8416beb..f3dd0f6 100644
  ##	on a CIFS filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -1265,6 +1353,42 @@ interface(`fs_dontaudit_append_cifs_files',`
+@@ -1265,6 +1371,42 @@ interface(`fs_dontaudit_append_cifs_files',`
  
  ########################################
  ## <summary>
@@ -15684,7 +15709,7 @@ index 8416beb..f3dd0f6 100644
  ##	Do not audit attempts to read or
  ##	write files on a CIFS or SMB filesystem.
  ## </summary>
-@@ -1279,7 +1403,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
+@@ -1279,7 +1421,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
  		type cifs_t;
  	')
  
@@ -15693,7 +15718,7 @@ index 8416beb..f3dd0f6 100644
  ')
  
  ########################################
-@@ -1542,6 +1666,63 @@ interface(`fs_cifs_domtrans',`
+@@ -1542,6 +1684,63 @@ interface(`fs_cifs_domtrans',`
  	domain_auto_transition_pattern($1, cifs_t, $2)
  ')
  
@@ -15757,7 +15782,7 @@ index 8416beb..f3dd0f6 100644
  #######################################
  ## <summary>
  ##	Create, read, write, and delete dirs
-@@ -1582,6 +1763,24 @@ interface(`fs_manage_configfs_files',`
+@@ -1582,6 +1781,24 @@ interface(`fs_manage_configfs_files',`
  
  ########################################
  ## <summary>
@@ -15782,7 +15807,7 @@ index 8416beb..f3dd0f6 100644
  ##	Mount a DOS filesystem, such as
  ##	FAT32 or NTFS.
  ## </summary>
-@@ -1793,63 +1992,70 @@ interface(`fs_read_eventpollfs',`
+@@ -1793,63 +2010,70 @@ interface(`fs_read_eventpollfs',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
  
@@ -15878,7 +15903,7 @@ index 8416beb..f3dd0f6 100644
  ##	on a FUSEFS filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -1859,18 +2065,19 @@ interface(`fs_mounton_fusefs',`
+@@ -1859,18 +2083,19 @@ interface(`fs_mounton_fusefs',`
  ## </param>
  ## <rolecap/>
  #
@@ -15903,7 +15928,7 @@ index 8416beb..f3dd0f6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1878,135 +2085,721 @@ interface(`fs_search_fusefs',`
+@@ -1878,135 +2103,740 @@ interface(`fs_search_fusefs',`
  ##	</summary>
  ## </param>
  #
@@ -16023,55 +16048,48 @@ index 8416beb..f3dd0f6 100644
  ##	<summary>
 -##	Domain allowed access.
 +##	Domain allowed to transition.
-+##	</summary>
-+## </param>
-+## <param name="target_domain">
-+##	<summary>
-+##	The type of the new process.
  ##	</summary>
  ## </param>
 -## <rolecap/>
- #
+-#
 -interface(`fs_exec_fusefs_files',`
-+interface(`fs_ecryptfs_domtrans',`
- 	gen_require(`
+-	gen_require(`
 -		type fusefs_t;
++## <param name="target_domain">
++##	<summary>
++##	The type of the new process.
++##	</summary>
++## </param>
++#
++interface(`fs_ecryptfs_domtrans',`
++	gen_require(`
 +		type ecryptfs_t;
- 	')
- 
--	exec_files_pattern($1, fusefs_t, fusefs_t)
++	')
++
 +	allow $1 ecryptfs_t:dir search_dir_perms;
 +	domain_auto_transition_pattern($1, ecryptfs_t, $2)
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete files
--##	on a FUSEFS filesystem.
++')
++
++########################################
++## <summary>
 +##	Mount a FUSE filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`fs_manage_fusefs_files',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`fs_mount_fusefs',`
- 	gen_require(`
- 		type fusefs_t;
- 	')
- 
--	manage_files_pattern($1, fusefs_t, fusefs_t)
++	gen_require(`
++		type fusefs_t;
++	')
++
 +	allow $1 fusefs_t:filesystem mount;
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to create,
--##	read, write, and delete files
--##	on a FUSEFS filesystem.
++')
++
++########################################
++## <summary>
 +##	Unmount a FUSE filesystem.
 +## </summary>
 +## <param name="domain">
@@ -16631,87 +16649,93 @@ index 8416beb..f3dd0f6 100644
 +interface(`fs_hugetlbfs_filetrans',`
 +	gen_require(`
 +		type hugetlbfs_t;
-+	')
-+
+ 	')
+ 
+-	exec_files_pattern($1, fusefs_t, fusefs_t)
 +	allow $2 hugetlbfs_t:filesystem associate;
 +	filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete files
+-##	on a FUSEFS filesystem.
 +##	Mount an iso9660 filesystem, which
 +##	is usually used on CDs.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
+-## <rolecap/>
  #
--interface(`fs_dontaudit_manage_fusefs_files',`
+-interface(`fs_manage_fusefs_files',`
 +interface(`fs_mount_iso9660_fs',`
  	gen_require(`
 -		type fusefs_t;
 +		type iso9660_t;
  	')
  
--	dontaudit $1 fusefs_t:file manage_file_perms;
+-	manage_files_pattern($1, fusefs_t, fusefs_t)
 +	allow $1 iso9660_t:filesystem mount;
  ')
  
  ########################################
  ## <summary>
--##	Read symbolic links on a FUSEFS filesystem.
+-##	Do not audit attempts to create,
+-##	read, write, and delete files
+-##	on a FUSEFS filesystem.
 +##	Remount an iso9660 filesystem, which
 +##	is usually used on CDs.  This allows
 +##	some mount options to be changed.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2014,19 +2807,18 @@ interface(`fs_dontaudit_manage_fusefs_files',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`fs_read_fusefs_symlinks',`
+-interface(`fs_dontaudit_manage_fusefs_files',`
 +interface(`fs_remount_iso9660_fs',`
  	gen_require(`
 -		type fusefs_t;
 +		type iso9660_t;
  	')
  
--	allow $1 fusefs_t:dir list_dir_perms;
--	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
+-	dontaudit $1 fusefs_t:file manage_file_perms;
 +	allow $1 iso9660_t:filesystem remount;
  ')
  
  ########################################
  ## <summary>
--##	Get the attributes of an hugetlbfs
--##	filesystem.
+-##	Read symbolic links on a FUSEFS filesystem.
 +##	Unmount an iso9660 filesystem, which
 +##	is usually used on CDs.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2034,35 +2826,38 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -2014,37 +2844,38 @@ interface(`fs_dontaudit_manage_fusefs_files',`
  ##	</summary>
  ## </param>
  #
--interface(`fs_getattr_hugetlbfs',`
+-interface(`fs_read_fusefs_symlinks',`
 +interface(`fs_unmount_iso9660_fs',`
  	gen_require(`
--		type hugetlbfs_t;
+-		type fusefs_t;
 +		type iso9660_t;
  	')
  
--	allow $1 hugetlbfs_t:filesystem getattr;
+-	allow $1 fusefs_t:dir list_dir_perms;
+-	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
 +	allow $1 iso9660_t:filesystem unmount;
  ')
  
  ########################################
  ## <summary>
--##	List hugetlbfs.
+-##	Get the attributes of an hugetlbfs
+-##	filesystem.
 +##	Get the attributes of an iso9660
 +##	filesystem, which is usually used on CDs.
  ## </summary>
@@ -16722,61 +16746,61 @@ index 8416beb..f3dd0f6 100644
  ## </param>
 +## <rolecap/>
  #
--interface(`fs_list_hugetlbfs',`
+-interface(`fs_getattr_hugetlbfs',`
 +interface(`fs_getattr_iso9660_fs',`
  	gen_require(`
 -		type hugetlbfs_t;
 +		type iso9660_t;
  	')
  
--	allow $1 hugetlbfs_t:dir list_dir_perms;
+-	allow $1 hugetlbfs_t:filesystem getattr;
 +	allow $1 iso9660_t:filesystem getattr;
  ')
  
  ########################################
  ## <summary>
--##	Manage hugetlbfs dirs.
+-##	List hugetlbfs.
 +##	Read files on an iso9660 filesystem, which
 +##	is usually used on CDs.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2070,17 +2865,19 @@ interface(`fs_list_hugetlbfs',`
+@@ -2052,17 +2883,19 @@ interface(`fs_getattr_hugetlbfs',`
  ##	</summary>
  ## </param>
  #
--interface(`fs_manage_hugetlbfs_dirs',`
+-interface(`fs_list_hugetlbfs',`
 +interface(`fs_getattr_iso9660_files',`
  	gen_require(`
 -		type hugetlbfs_t;
 +		type iso9660_t;
  	')
  
--	manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
+-	allow $1 hugetlbfs_t:dir list_dir_perms;
 +	allow $1 iso9660_t:dir list_dir_perms;
 +	allow $1 iso9660_t:file getattr;
  ')
  
  ########################################
  ## <summary>
--##	Read and write hugetlbfs files.
+-##	Manage hugetlbfs dirs.
 +##	Read files on an iso9660 filesystem, which
 +##	is usually used on CDs.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2088,35 +2885,38 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -2070,17 +2903,20 @@ interface(`fs_list_hugetlbfs',`
  ##	</summary>
  ## </param>
  #
--interface(`fs_rw_hugetlbfs_files',`
+-interface(`fs_manage_hugetlbfs_dirs',`
 +interface(`fs_read_iso9660_files',`
  	gen_require(`
 -		type hugetlbfs_t;
 +		type iso9660_t;
  	')
  
--	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+-	manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
 +	allow $1 iso9660_t:dir list_dir_perms;
 +	read_files_pattern($1, iso9660_t, iso9660_t)
 +	read_lnk_files_pattern($1, iso9660_t, iso9660_t)
@@ -16785,9 +16809,31 @@ index 8416beb..f3dd0f6 100644
 +
  ########################################
  ## <summary>
--##	Allow the type to associate to hugetlbfs filesystems.
+-##	Read and write hugetlbfs files.
 +##	Mount kdbus filesystems.
  ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2088,35 +2924,35 @@ interface(`fs_manage_hugetlbfs_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_rw_hugetlbfs_files',`
++interface(`fs_mount_kdbus', `
+ 	gen_require(`
+-		type hugetlbfs_t;
++		type kdbusfs_t;
+ 	')
+ 
+-	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
++	allow $1 kdbusfs_t:filesystem mount;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow the type to associate to hugetlbfs filesystems.
++##	Remount kdbus filesystems.
+ ## </summary>
 -## <param name="type">
 +## <param name="domain">
  ##	<summary>
@@ -16797,64 +16843,64 @@ index 8416beb..f3dd0f6 100644
  ## </param>
  #
 -interface(`fs_associate_hugetlbfs',`
-+interface(`fs_mount_kdbus', `
++interface(`fs_remount_kdbus', `
  	gen_require(`
 -		type hugetlbfs_t;
 +		type kdbusfs_t;
  	')
  
 -	allow $1 hugetlbfs_t:filesystem associate;
-+	allow $1 kdbusfs_t:filesystem mount;
++	allow $1 kdbusfs_t:filesystem remount;
  ')
  
  ########################################
  ## <summary>
 -##	Search inotifyfs filesystem.
-+##	Remount kdbus filesystems.
++##	Unmount kdbus filesystems.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2124,17 +2924,17 @@ interface(`fs_associate_hugetlbfs',`
+@@ -2124,17 +2960,17 @@ interface(`fs_associate_hugetlbfs',`
  ##	</summary>
  ## </param>
  #
 -interface(`fs_search_inotifyfs',`
-+interface(`fs_remount_kdbus', `
++interface(`fs_unmount_kdbus', `
  	gen_require(`
 -		type inotifyfs_t;
 +		type kdbusfs_t;
  	')
  
 -	allow $1 inotifyfs_t:dir search_dir_perms;
-+	allow $1 kdbusfs_t:filesystem remount;
++	allow $1 kdbusfs_t:filesystem unmount;
  ')
  
  ########################################
  ## <summary>
 -##	List inotifyfs filesystem.
-+##	Unmount kdbus filesystems.
++##	Get attributes of kdbus filesystems.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2142,71 +2942,134 @@ interface(`fs_search_inotifyfs',`
+@@ -2142,71 +2978,136 @@ interface(`fs_search_inotifyfs',`
  ##	</summary>
  ## </param>
  #
 -interface(`fs_list_inotifyfs',`
-+interface(`fs_unmount_kdbus', `
++interface(`fs_getattr_kdbus',`
  	gen_require(`
 -		type inotifyfs_t;
 +		type kdbusfs_t;
  	')
  
 -	allow $1 inotifyfs_t:dir list_dir_perms;
-+	allow $1 kdbusfs_t:filesystem unmount;
++	allow $1 kdbusfs_t:filesystem getattr;
  ')
  
  ########################################
  ## <summary>
 -##	Dontaudit List inotifyfs filesystem.
-+##	Get attributes of kdbus filesystems.
++##	Search kdbusfs directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -16864,21 +16910,24 @@ index 8416beb..f3dd0f6 100644
  ## </param>
  #
 -interface(`fs_dontaudit_list_inotifyfs',`
-+interface(`fs_getattr_kdbus',`
++interface(`fs_search_kdbus_dirs',`
  	gen_require(`
 -		type inotifyfs_t;
 +		type kdbusfs_t;
++
  	')
  
 -	dontaudit $1 inotifyfs_t:dir list_dir_perms;
-+	allow $1 kdbusfs_t:filesystem getattr;
++	search_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
++	fs_search_tmpfs($1)
++	dev_search_sysfs($1)
  ')
  
  ########################################
  ## <summary>
 -##	Create an object in a hugetlbfs filesystem, with a private
 -##	type using a type transition.
-+##	Search kdbusfs directories.
++##	Relabel kdbusfs directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -16887,29 +16936,6 @@ index 8416beb..f3dd0f6 100644
  ## </param>
 -## <param name="private type">
 +#
-+interface(`fs_search_kdbus_dirs',`
-+	gen_require(`
-+		type kdbusfs_t;
-+
-+	')
-+
-+	search_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
-+	fs_search_tmpfs($1)
-+	dev_search_sysfs($1)
-+')
-+
-+########################################
-+## <summary>
-+##	Relabel kdbusfs directories.
-+## </summary>
-+## <param name="domain">
- ##	<summary>
--##	The type of the object to be created.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <param name="object">
-+#
 +interface(`fs_relabel_kdbus_dirs',`
 +	gen_require(`
 +		type cgroup_t;
@@ -16925,11 +16951,11 @@ index 8416beb..f3dd0f6 100644
 +## </summary>
 +## <param name="domain">
  ##	<summary>
--##	The object class of the object being created.
+-##	The type of the object to be created.
 +##	Domain allowed access.
  ##	</summary>
  ## </param>
--## <param name="name" optional="true">
+-## <param name="object">
 +#
 +interface(`fs_list_kdbus_dirs',`
 +	gen_require(`
@@ -16966,21 +16992,44 @@ index 8416beb..f3dd0f6 100644
 +## </summary>
 +## <param name="domain">
  ##	<summary>
+-##	The object class of the object being created.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="name" optional="true">
++#
++interface(`fs_delete_kdbus_dirs', `
++	gen_require(`
++		type kdbusfs_t;
++	')
++
++	delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
++	fs_search_tmpfs($1)
++	dev_search_sysfs($1)
++')
++
++########################################
++## <summary>
++##	Manage kdbusfs directories.
++## </summary>
++## <param name="domain">
+ ##	<summary>
 -##	The name of the object being created.
 +##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
 -interface(`fs_hugetlbfs_filetrans',`
-+interface(`fs_delete_kdbus_dirs', `
++interface(`fs_manage_kdbus_dirs',`
  	gen_require(`
 -		type hugetlbfs_t;
+-	')
 +		type kdbusfs_t;
- 	')
  
 -	allow $2 hugetlbfs_t:filesystem associate;
 -	filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
-+	delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
++	')
++	manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
 +	fs_search_tmpfs($1)
 +	dev_search_sysfs($1)
  ')
@@ -16989,24 +17038,25 @@ index 8416beb..f3dd0f6 100644
  ## <summary>
 -##	Mount an iso9660 filesystem, which
 -##	is usually used on CDs.
-+##	Manage kdbusfs directories.
++##	Read kdbusfs files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2214,19 +3077,19 @@ interface(`fs_hugetlbfs_filetrans',`
+@@ -2214,19 +3115,21 @@ interface(`fs_hugetlbfs_filetrans',`
  ##	</summary>
  ## </param>
  #
 -interface(`fs_mount_iso9660_fs',`
-+interface(`fs_manage_kdbus_dirs',`
++interface(`fs_read_kdbus_files',`
  	gen_require(`
 -		type iso9660_t;
--	')
-+		type kdbusfs_t;
++		type cgroup_t;
++
+ 	')
  
 -	allow $1 iso9660_t:filesystem mount;
-+	')
-+	manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
++	read_files_pattern($1, kdbusfs_t, kdbusfs_t)
++	read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
 +	fs_search_tmpfs($1)
 +	dev_search_sysfs($1)
  ')
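Review bot: `fs_read_kdbus_files` declares `type cgroup_t;` in its `gen_require` block, but both rules in its body (`read_files_pattern` and `read_lnk_files_pattern`) reference `kdbusfs_t`, which the interface never requires. The require line should read `type kdbusfs_t;`, as in the sibling `fs_write_kdbus_files` and `fs_rw_kdbus_files` interfaces in the following hunks. Otherwise a caller that does not itself require `kdbusfs_t` may fail to build as a loadable module. These lines look carried over from the previous revision of the patch rather than written for this change. `fs_relabel_kdbus_dirs` shows the same `cgroup_t` require as context in an earlier hunk, but its body is not visible there.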
@@ -17016,25 +17066,23 @@ index 8416beb..f3dd0f6 100644
 -##	Remount an iso9660 filesystem, which
 -##	is usually used on CDs.  This allows
 -##	some mount options to be changed.
-+##	Read kdbusfs files.
++##	Write kdbusfs files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2234,18 +3097,21 @@ interface(`fs_mount_iso9660_fs',`
+@@ -2234,18 +3137,19 @@ interface(`fs_mount_iso9660_fs',`
  ##	</summary>
  ## </param>
  #
 -interface(`fs_remount_iso9660_fs',`
-+interface(`fs_read_kdbus_files',`
++interface(`fs_write_kdbus_files', `
  	gen_require(`
 -		type iso9660_t;
-+		type cgroup_t;
-+
++		type kdbusfs_t;
  	')
  
 -	allow $1 iso9660_t:filesystem remount;
-+	read_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+	read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
++	write_files_pattern($1, kdbusfs_t, kdbusfs_t)
 +	fs_search_tmpfs($1)
 +	dev_search_sysfs($1)
  ')
@@ -17043,23 +17091,25 @@ index 8416beb..f3dd0f6 100644
  ## <summary>
 -##	Unmount an iso9660 filesystem, which
 -##	is usually used on CDs.
-+##	Write kdbusfs files.
++##	Read and write kdbusfs files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2253,38 +3119,61 @@ interface(`fs_remount_iso9660_fs',`
+@@ -2253,38 +3157,41 @@ interface(`fs_remount_iso9660_fs',`
  ##	</summary>
  ## </param>
  #
 -interface(`fs_unmount_iso9660_fs',`
-+interface(`fs_write_kdbus_files', `
++interface(`fs_rw_kdbus_files',`
  	gen_require(`
 -		type iso9660_t;
 +		type kdbusfs_t;
++
  	')
  
 -	allow $1 iso9660_t:filesystem unmount;
-+	write_files_pattern($1, kdbusfs_t, kdbusfs_t)
++	read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
++	rw_files_pattern($1, kdbusfs_t, kdbusfs_t)
 +	fs_search_tmpfs($1)
 +	dev_search_sysfs($1)
  ')
@@ -17068,59 +17118,38 @@ index 8416beb..f3dd0f6 100644
  ## <summary>
 -##	Get the attributes of an iso9660
 -##	filesystem, which is usually used on CDs.
-+##	Read and write kdbusfs files.
++##	Do not audit attempts to open,
++##	get attributes, read and write
++##	cgroup files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
 -## <rolecap/>
  #
 -interface(`fs_getattr_iso9660_fs',`
-+interface(`fs_rw_kdbus_files',`
++interface(`fs_dontaudit_rw_kdbus_files',`
  	gen_require(`
 -		type iso9660_t;
 +		type kdbusfs_t;
-+
  	')
  
 -	allow $1 iso9660_t:filesystem getattr;
-+	read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+	rw_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+	fs_search_tmpfs($1)
-+	dev_search_sysfs($1)
++	dontaudit $1 kdbusfs_t:file rw_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Read files on an iso9660 filesystem, which
 -##	is usually used on CDs.
-+##	Do not audit attempts to open,
-+##	get attributes, read and write
-+##	cgroup files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_dontaudit_rw_kdbus_files',`
-+	gen_require(`
-+		type kdbusfs_t;
-+	')
-+
-+	dontaudit $1 kdbusfs_t:file rw_file_perms;
-+')
-+
-+########################################
-+## <summary>
 +##	Manage kdbusfs files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2292,19 +3181,21 @@ interface(`fs_getattr_iso9660_fs',`
+@@ -2292,19 +3199,21 @@ interface(`fs_getattr_iso9660_fs',`
  ##	</summary>
  ## </param>
  #
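Review bot: The summary of `fs_dontaudit_rw_kdbus_files` still says `cgroup files`, while the rule it documents is `dontaudit $1 kdbusfs_t:file rw_file_perms;`. The third summary line should read `##	kdbusfs files.` so the generated interface documentation names the right type. Because this is a dontaudit rule, an accurate description matters when someone is working out why expected AVC denials are missing from the audit log.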
@@ -17148,7 +17177,7 @@ index 8416beb..f3dd0f6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2312,16 +3203,15 @@ interface(`fs_getattr_iso9660_files',`
+@@ -2312,16 +3221,15 @@ interface(`fs_getattr_iso9660_files',`
  ##	</summary>
  ## </param>
  #
@@ -17169,7 +17198,7 @@ index 8416beb..f3dd0f6 100644
  ########################################
  ## <summary>
  ##	Mount a NFS filesystem.
-@@ -2356,44 +3246,62 @@ interface(`fs_remount_nfs',`
+@@ -2356,44 +3264,62 @@ interface(`fs_remount_nfs',`
  		type nfs_t;
  	')
  
@@ -17240,7 +17269,7 @@ index 8416beb..f3dd0f6 100644
  ')
  
  ########################################
-@@ -2485,6 +3393,7 @@ interface(`fs_read_nfs_files',`
+@@ -2485,6 +3411,7 @@ interface(`fs_read_nfs_files',`
  		type nfs_t;
  	')
  
@@ -17248,7 +17277,7 @@ index 8416beb..f3dd0f6 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	read_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2523,6 +3432,7 @@ interface(`fs_write_nfs_files',`
+@@ -2523,6 +3450,7 @@ interface(`fs_write_nfs_files',`
  		type nfs_t;
  	')
  
@@ -17256,7 +17285,7 @@ index 8416beb..f3dd0f6 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	write_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2549,6 +3459,44 @@ interface(`fs_exec_nfs_files',`
+@@ -2549,6 +3477,44 @@ interface(`fs_exec_nfs_files',`
  
  ########################################
  ## <summary>
@@ -17301,7 +17330,7 @@ index 8416beb..f3dd0f6 100644
  ##	Append files
  ##	on a NFS filesystem.
  ## </summary>
-@@ -2569,7 +3517,7 @@ interface(`fs_append_nfs_files',`
+@@ -2569,7 +3535,7 @@ interface(`fs_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -17310,7 +17339,7 @@ index 8416beb..f3dd0f6 100644
  ##	on a NFS filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -2589,6 +3537,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2589,6 +3555,42 @@ interface(`fs_dontaudit_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -17353,7 +17382,7 @@ index 8416beb..f3dd0f6 100644
  ##	Do not audit attempts to read or
  ##	write files on a NFS filesystem.
  ## </summary>
-@@ -2603,7 +3587,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2603,7 +3605,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -17362,7 +17391,7 @@ index 8416beb..f3dd0f6 100644
  ')
  
  ########################################
-@@ -2627,7 +3611,7 @@ interface(`fs_read_nfs_symlinks',`
+@@ -2627,7 +3629,7 @@ interface(`fs_read_nfs_symlinks',`
  
  ########################################
  ## <summary>
@@ -17371,7 +17400,7 @@ index 8416beb..f3dd0f6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2719,6 +3703,65 @@ interface(`fs_search_rpc',`
+@@ -2719,6 +3721,65 @@ interface(`fs_search_rpc',`
  
  ########################################
  ## <summary>
@@ -17437,7 +17466,7 @@ index 8416beb..f3dd0f6 100644
  ##	Search removable storage directories.
  ## </summary>
  ## <param name="domain">
-@@ -2741,7 +3784,7 @@ interface(`fs_search_removable',`
+@@ -2741,7 +3802,7 @@ interface(`fs_search_removable',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17446,7 +17475,7 @@ index 8416beb..f3dd0f6 100644
  ##	</summary>
  ## </param>
  #
-@@ -2777,7 +3820,7 @@ interface(`fs_read_removable_files',`
+@@ -2777,7 +3838,7 @@ interface(`fs_read_removable_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17455,7 +17484,7 @@ index 8416beb..f3dd0f6 100644
  ##	</summary>
  ## </param>
  #
-@@ -2970,6 +4013,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +4031,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -17463,7 +17492,7 @@ index 8416beb..f3dd0f6 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -3010,6 +4054,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,6 +4072,7 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -17471,7 +17500,7 @@ index 8416beb..f3dd0f6 100644
  	manage_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3050,6 +4095,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3050,6 +4113,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -17479,7 +17508,7 @@ index 8416beb..f3dd0f6 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3137,6 +4183,24 @@ interface(`fs_nfs_domtrans',`
+@@ -3137,6 +4201,24 @@ interface(`fs_nfs_domtrans',`
  
  ########################################
  ## <summary>
@@ -17504,7 +17533,7 @@ index 8416beb..f3dd0f6 100644
  ##	Mount a NFS server pseudo filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3263,7 +4327,25 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3263,7 +4345,25 @@ interface(`fs_getattr_nfsd_files',`
  	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
  ')
  
@@ -17531,7 +17560,7 @@ index 8416beb..f3dd0f6 100644
  ## <summary>
  ##	Read and write NFS server files.
  ## </summary>
-@@ -3283,6 +4365,59 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3283,6 +4383,59 @@ interface(`fs_rw_nfsd_fs',`
  
  ########################################
  ## <summary>
@@ -17591,7 +17620,7 @@ index 8416beb..f3dd0f6 100644
  ##	Allow the type to associate to ramfs filesystems.
  ## </summary>
  ## <param name="type">
-@@ -3392,7 +4527,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +4545,7 @@ interface(`fs_search_ramfs',`
  
  ########################################
  ## <summary>
@@ -17600,7 +17629,7 @@ index 8416beb..f3dd0f6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3429,7 +4564,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4582,7 @@ interface(`fs_manage_ramfs_dirs',`
  
  ########################################
  ## <summary>
@@ -17609,7 +17638,7 @@ index 8416beb..f3dd0f6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3447,7 +4582,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4600,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
  
  ########################################
  ## <summary>
@@ -17618,7 +17647,7 @@ index 8416beb..f3dd0f6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3779,6 +4914,24 @@ interface(`fs_mount_tmpfs',`
+@@ -3779,6 +4932,24 @@ interface(`fs_mount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -17643,7 +17672,7 @@ index 8416beb..f3dd0f6 100644
  ##	Remount a tmpfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3815,6 +4968,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +4986,24 @@ interface(`fs_unmount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -17668,7 +17697,7 @@ index 8416beb..f3dd0f6 100644
  ##	Get the attributes of a tmpfs
  ##	filesystem.
  ## </summary>
-@@ -3839,39 +5010,76 @@ interface(`fs_getattr_tmpfs',`
+@@ -3839,39 +5028,76 @@ interface(`fs_getattr_tmpfs',`
  ## </summary>
  ## <param name="type">
  ##	<summary>
@@ -17754,7 +17783,7 @@ index 8416beb..f3dd0f6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3879,36 +5087,35 @@ interface(`fs_relabelfrom_tmpfs',`
+@@ -3879,36 +5105,35 @@ interface(`fs_relabelfrom_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -17798,7 +17827,7 @@ index 8416beb..f3dd0f6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3916,35 +5123,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,35 +5141,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -17842,7 +17871,7 @@ index 8416beb..f3dd0f6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3952,17 +5160,17 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +5178,17 @@ interface(`fs_setattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -17863,7 +17892,7 @@ index 8416beb..f3dd0f6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3970,31 +5178,30 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +5196,30 @@ interface(`fs_search_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -17901,7 +17930,7 @@ index 8416beb..f3dd0f6 100644
  ')
  
  ########################################
-@@ -4105,7 +5312,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4105,7 +5330,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
  		type tmpfs_t;
  	')
  
@@ -17910,7 +17939,7 @@ index 8416beb..f3dd0f6 100644
  ')
  
  ########################################
-@@ -4165,6 +5372,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4165,6 +5390,24 @@ interface(`fs_rw_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -17935,7 +17964,7 @@ index 8416beb..f3dd0f6 100644
  ##	Read tmpfs link files.
  ## </summary>
  ## <param name="domain">
-@@ -4202,7 +5427,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4202,7 +5445,7 @@ interface(`fs_rw_tmpfs_chr_files',`
  
  ########################################
  ## <summary>
@@ -17944,7 +17973,7 @@ index 8416beb..f3dd0f6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4221,6 +5446,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4221,6 +5464,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -18005,7 +18034,7 @@ index 8416beb..f3dd0f6 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4278,6 +5557,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4278,6 +5575,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
  
  ########################################
  ## <summary>
@@ -18050,7 +18079,7 @@ index 8416beb..f3dd0f6 100644
  ##	Read and write, create and delete generic
  ##	files on tmpfs filesystems.
  ## </summary>
-@@ -4297,6 +5614,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4297,6 +5632,25 @@ interface(`fs_manage_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -18076,7 +18105,7 @@ index 8416beb..f3dd0f6 100644
  ##	Read and write, create and delete symbolic
  ##	links on tmpfs filesystems.
  ## </summary>
-@@ -4407,6 +5743,25 @@ interface(`fs_search_xenfs',`
+@@ -4407,6 +5761,25 @@ interface(`fs_search_xenfs',`
  	allow $1 xenfs_t:dir search_dir_perms;
  ')
  
@@ -18102,7 +18131,7 @@ index 8416beb..f3dd0f6 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete directories
-@@ -4503,6 +5858,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +5876,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -18111,7 +18140,7 @@ index 8416beb..f3dd0f6 100644
  ')
  
  ########################################
-@@ -4549,7 +5906,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +5924,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -18120,7 +18149,7 @@ index 8416beb..f3dd0f6 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4596,6 +5953,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +5971,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
  
  ########################################
  ## <summary>
@@ -18147,7 +18176,7 @@ index 8416beb..f3dd0f6 100644
  ##	Get the quotas of all filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4671,6 +6048,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +6066,25 @@ interface(`fs_getattr_all_dirs',`
  
  ########################################
  ## <summary>
@@ -18173,7 +18202,7 @@ index 8416beb..f3dd0f6 100644
  ##	Search all directories with a filesystem type.
  ## </summary>
  ## <param name="domain">
-@@ -4912,3 +6308,63 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6326,63 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -23386,10 +23415,10 @@ index 0000000..b680867
 +/usr/sbin/xrdp-sesman   --  gen_context(system_u:object_r:unconfined_exec_t,s0)
 diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
 new file mode 100644
-index 0000000..4165608
+index 0000000..03faeac
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.if
-@@ -0,0 +1,689 @@
+@@ -0,0 +1,708 @@
 +## <summary>Unconfined user role</summary>
 +
 +########################################
@@ -24079,12 +24108,31 @@ index 0000000..4165608
 +	allow unconfined_t $2:file entrypoint;
 +	allow $1 unconfined_t:process signal_perms;
 +')
++
++########################################
++## <summary>
++##	unconfined_t domain typebounds calling domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain to be typebound.
++## </summary>
++## </param>
++#
++interface(`unconfined_typebounds',`
++	gen_require(`
++		type unconfined_t;
++	')
++
++	typebounds unconfined_t $1;
++')
++
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..c0d61f3
+index 0000000..31076d7
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,340 @@
+@@ -0,0 +1,345 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
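Review bot: The new `unconfined_typebounds` interface does not document what bounding a domain by `unconfined_t` means for the caller. `typebounds unconfined_t $1;` makes `unconfined_t` the parent of `$1`, so `$1` can never hold a permission `unconfined_t` lacks. As far as I know a type can have only one bounding parent, so a domain already bounded elsewhere would conflict; that constraint belongs in the header. A summary such as `##	Make unconfined_t the bounding (parent) type of the calling domain.` plus a sentence naming the NO_NEW_PRIVS use case from the changelog would cover it. The `<summary>` lines inside `<param>` also lack the tab indent that `virt_sandbox_entrypoint`, added in the same commit, uses.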
@@ -24280,6 +24328,10 @@ index 0000000..c0d61f3
 +')
 +
 +optional_policy(`
++	docker_entrypoint(unconfined_t)
++')
++
++optional_policy(`
 +	dbus_role_template(unconfined, unconfined_r, unconfined_t)
 +	role system_r types unconfined_dbusd_t;
 +
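Review bot: `docker_entrypoint(unconfined_t)` here and `virt_sandbox_entrypoint(unconfined_t)` in the next hunk make container-labelled files valid entrypoints for the unconfined domain, and neither call has a comment saying why. `virt_sandbox_entrypoint` expands to `allow $1 svirt_sandbox_file_t:file entrypoint;`, and `svirt_sandbox_file_t` is the type used for container file content, so it is worth confirming which source domains hold `process transition` to `unconfined_t` before widening its entrypoints. If the reason is the docker and prctl(NO_NEW_PRIVS) fix named in the changelog, a one-line comment above each call, for example `# needed so containers started with NO_NEW_PRIVS can run under unconfined_t`, would record it. `docker_entrypoint` is defined outside the visible diff, so its exact grant could not be checked here.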
@@ -24415,6 +24467,7 @@ index 0000000..c0d61f3
 +optional_policy(`
 +	virt_transition_svirt(unconfined_t, unconfined_r)
 +	virt_transition_svirt_sandbox(unconfined_t, unconfined_r)
++	virt_sandbox_entrypoint(unconfined_t)
 +')
 +
 +optional_policy(`
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index e61fc87..b30f250 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -106682,10 +106682,10 @@ index 97cd155..49321a5 100644
  
  fs_search_auto_mountpoints(timidity_t)
 diff --git a/tmpreaper.te b/tmpreaper.te
-index 585a77f..9b0ab2b 100644
+index 585a77f..948bc5b 100644
 --- a/tmpreaper.te
 +++ b/tmpreaper.te
-@@ -5,9 +5,25 @@ policy_module(tmpreaper, 1.7.1)
+@@ -5,9 +5,34 @@ policy_module(tmpreaper, 1.7.1)
  # Declarations
  #
  
@@ -106697,6 +106697,15 @@ index 585a77f..9b0ab2b 100644
 +## </desc>
 +gen_tunable(tmpreaper_use_nfs, false)
 +
++
++## <desc>
++##	<p>
++##	Determine whether tmpreaper can use
++##	cifs file systems.
++##	</p>
++## </desc>
++gen_tunable(tmpreaper_use_cifs, false)
++
 +## <desc>
 +## <p>
 +## Determine whether tmpreaper can use samba_share files
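Review bot: The description of `tmpreaper_use_cifs` promises more than the boolean grants. It says tmpreaper "can use cifs file systems", but the only rule placed under it in this commit is `fs_setattr_cifs_dirs(tmpreaper_t)`, which allows `setattr` on `cifs_t` directories. The changelog in turn describes the boolean as being for local directories shared with Samba, which does not obviously match `cifs_t` either. A text such as `Determine whether tmpreaper can set attributes on directories on cifs file systems.` would tell an administrator what enabling it permits. The extra blank line added before the `<desc>` block can be dropped.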
@@ -106711,7 +106720,7 @@ index 585a77f..9b0ab2b 100644
  
  ########################################
  #
-@@ -19,6 +35,7 @@ allow tmpreaper_t self:fifo_file rw_fifo_file_perms;
+@@ -19,6 +44,7 @@ allow tmpreaper_t self:fifo_file rw_fifo_file_perms;
  
  kernel_list_unlabeled(tmpreaper_t)
  kernel_read_system_state(tmpreaper_t)
@@ -106719,7 +106728,7 @@ index 585a77f..9b0ab2b 100644
  
  dev_read_urand(tmpreaper_t)
  
-@@ -27,15 +44,19 @@ corecmd_exec_shell(tmpreaper_t)
+@@ -27,15 +53,19 @@ corecmd_exec_shell(tmpreaper_t)
  
  fs_getattr_xattr_fs(tmpreaper_t)
  fs_list_all(tmpreaper_t)
@@ -106743,7 +106752,7 @@ index 585a77f..9b0ab2b 100644
  mls_file_read_all_levels(tmpreaper_t)
  mls_file_write_all_levels(tmpreaper_t)
  
-@@ -45,7 +66,6 @@ init_use_inherited_script_ptys(tmpreaper_t)
+@@ -45,7 +75,6 @@ init_use_inherited_script_ptys(tmpreaper_t)
  
  logging_send_syslog_msg(tmpreaper_t)
  
@@ -106751,7 +106760,7 @@ index 585a77f..9b0ab2b 100644
  miscfiles_delete_man_pages(tmpreaper_t)
  
  ifdef(`distro_debian',`
-@@ -53,10 +73,23 @@ ifdef(`distro_debian',`
+@@ -53,10 +82,33 @@ ifdef(`distro_debian',`
  ')
  
  ifdef(`distro_redhat',`
@@ -106773,10 +106782,20 @@ index 585a77f..9b0ab2b 100644
 +        tunable_policy(`tmpreaper_use_samba',`
 +            samba_setattr_samba_share_dirs(tmpreaper_t)
 +    ')
++')
++
++tunable_policy(`tmpreaper_use_cifs',`
++	fs_setattr_cifs_dirs(tmpreaper_t)
++')
++
++	optional_policy(`
++        tunable_policy(`tmpreaper_use_samba',`
++            samba_setattr_samba_share_dirs(tmpreaper_t)
++    ')
  ')
  
  optional_policy(`
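Review bot: The added lines repeat the `tmpreaper_use_samba` block, so the resulting policy appears to carry the `optional_policy` / `tunable_policy` pair with `samba_setattr_samba_share_dirs(tmpreaper_t)` twice, once before and once after the new `tmpreaper_use_cifs` block. This looks like a merge leftover, although the first `optional_policy(` opens above this hunk, so the nesting cannot be fully confirmed from here. If it is a duplicate, add only the three lines of `tunable_policy(`tmpreaper_use_cifs',` … `')` after the existing block and drop the second copy. The new lines also mix tabs and spaces, and the inner `')` sits at a different indent from the `tunable_policy(` it closes.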
-@@ -64,6 +97,7 @@ optional_policy(`
+@@ -64,6 +116,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -106784,7 +106803,7 @@ index 585a77f..9b0ab2b 100644
  	apache_list_cache(tmpreaper_t)
  	apache_delete_cache_dirs(tmpreaper_t)
  	apache_delete_cache_files(tmpreaper_t)
-@@ -79,7 +113,19 @@ optional_policy(`
+@@ -79,7 +132,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -106805,7 +106824,7 @@ index 585a77f..9b0ab2b 100644
  ')
  
  optional_policy(`
-@@ -89,3 +135,8 @@ optional_policy(`
+@@ -89,3 +154,8 @@ optional_policy(`
  optional_policy(`
  	rpm_manage_cache(tmpreaper_t)
  ')
@@ -109388,7 +109407,7 @@ index a4f20bc..58f9c69 100644
 +/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index facdee8..65b5a0d 100644
+index facdee8..52ece13 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,318 +1,226 @@
@@ -110210,7 +110229,7 @@ index facdee8..65b5a0d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -673,54 +534,454 @@ interface(`virt_home_filetrans',`
+@@ -673,54 +534,472 @@ interface(`virt_home_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -110580,6 +110599,24 @@ index facdee8..65b5a0d 100644
 +	can_exec($1, svirt_sandbox_file_t)
 +')
 +
++########################################
++## <summary>
++##	Allow any svirt_sandbox_file_t to be an entrypoint of this domain
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`virt_sandbox_entrypoint',`
++	gen_require(`
++		type svirt_sandbox_file_t;
++	')
++	allow $1 svirt_sandbox_file_t:file entrypoint;
++')
++
 +#######################################
 +## <summary>
 +##	Read Sandbox Files
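Review bot: The header of `virt_sandbox_entrypoint` carries a `## <rolecap/>` tag even though the interface takes no role argument and only emits `allow $1 svirt_sandbox_file_t:file entrypoint;`. The tag looks copied from a neighbouring interface and should probably be removed. The summary would read more clearly as `##	Allow files labelled svirt_sandbox_file_t to be an entrypoint of the specified domain.`, and the `<param>` text could say "Domain to be entered" rather than the generic "Domain allowed access". A blank line between the `gen_require` block and the `allow` rule would match the layout of the other interfaces added in this commit.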
@@ -110690,7 +110727,7 @@ index facdee8..65b5a0d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -728,52 +989,80 @@ interface(`virt_manage_generic_virt_home_content',`
+@@ -728,52 +1007,80 @@ interface(`virt_manage_generic_virt_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -110791,7 +110828,7 @@ index facdee8..65b5a0d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -781,19 +1070,17 @@ interface(`virt_home_filetrans_virt_home',`
+@@ -781,19 +1088,17 @@ interface(`virt_home_filetrans_virt_home',`
  ##	</summary>
  ## </param>
  #
@@ -110815,7 +110852,7 @@ index facdee8..65b5a0d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -801,18 +1088,17 @@ interface(`virt_read_pid_files',`
+@@ -801,18 +1106,17 @@ interface(`virt_read_pid_files',`
  ##	</summary>
  ## </param>
  #
@@ -110838,7 +110875,7 @@ index facdee8..65b5a0d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -820,18 +1106,17 @@ interface(`virt_manage_pid_files',`
+@@ -820,18 +1124,17 @@ interface(`virt_manage_pid_files',`
  ##	</summary>
  ## </param>
  #
@@ -110861,7 +110898,7 @@ index facdee8..65b5a0d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -839,20 +1124,17 @@ interface(`virt_search_lib',`
+@@ -839,20 +1142,17 @@ interface(`virt_search_lib',`
  ##	</summary>
  ## </param>
  #
@@ -110886,7 +110923,7 @@ index facdee8..65b5a0d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -860,74 +1142,123 @@ interface(`virt_read_lib_files',`
+@@ -860,74 +1160,123 @@ interface(`virt_read_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -111034,7 +111071,7 @@ index facdee8..65b5a0d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -935,117 +1266,134 @@ interface(`virt_read_log',`
+@@ -935,117 +1284,134 @@ interface(`virt_read_log',`
  ##	</summary>
  ## </param>
  #
@@ -111221,7 +111258,7 @@ index facdee8..65b5a0d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1053,15 +1401,17 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,15 +1419,17 @@ interface(`virt_rw_all_image_chr_files',`
  ##	</summary>
  ## </param>
  #
@@ -111244,7 +111281,7 @@ index facdee8..65b5a0d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1069,21 +1419,17 @@ interface(`virt_manage_svirt_cache',`
+@@ -1069,21 +1437,17 @@ interface(`virt_manage_svirt_cache',`
  ##	</summary>
  ## </param>
  #
@@ -111270,7 +111307,7 @@ index facdee8..65b5a0d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1091,36 +1437,36 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1455,36 @@ interface(`virt_manage_virt_cache',`
  ##	</summary>
  ## </param>
  #
@@ -111327,7 +111364,7 @@ index facdee8..65b5a0d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1136,50 +1482,76 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1500,76 @@ interface(`virt_manage_images',`
  #
  interface(`virt_admin',`
  	gen_require(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ee49a62..17cfb8a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 175%{?dist}
+Release: 176%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -670,6 +670,21 @@ exit 0
 %endif
 
 %changelog
+* Thu Mar 03 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-176
+- Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba.
+- Merge pull request #105 from rhatdan/NO_NEW_PRIV
+- Fix new rkt policy
+- Remove some redundant rules.
+- Fix cosmetic issues in interface file.
+- Merge pull request #100 from rhatdan/rawhide-contrib
+- Add interface fs_setattr_cifs_dirs().
+- Merge pull request #106 from rhatdan/NO_NEW_PRIV_BASE
+- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS)
+-Build file_contexts.bin file_context.local.bin file_context.homedir.bin during build phase.
+ This fix issue in Fedora live images when selinux-policy-targeted is not installed but just unpackaged, since there's no .bin files,
+ file_contexts is parsed in selabel_open().
+Resolves: rhbz#1314372
+
 * Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-175
 - Fix new rkt policy (Remove some redundant rules, Fix cosmetic issues in interface file)
 - Add policy for rkt services