diff --git a/container-selinux.tgz b/container-selinux.tgz
index e3df106..d4438ea 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 4d722aa..8cda26a 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -2089,7 +2089,7 @@ index c6ca761..0c86bfd 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index c44c359..ae484a0 100644
+index c44c359..a3d4e61 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
@@ -2187,11 +2187,12 @@ index c44c359..ae484a0 100644
domain_use_interactive_fds(ping_t)
-@@ -131,14 +139,13 @@ files_read_etc_files(ping_t)
+@@ -131,14 +139,14 @@ files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t)
kernel_read_system_state(ping_t)
+kernel_read_network_state(ping_t)
++kernel_request_load_module(ping_t)
auth_use_nsswitch(ping_t)
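Review bot: `kernel_request_load_module(ping_t)` lets ping trigger kernel module autoloading (the `module_request` check the kernel performs on `request_module()`), which widens the kernel attack surface reachable from a domain that is, as far as I can tell, entered from ordinary user sessions. If the underlying denial is for a module that is already built in or loaded on any realistic target, the dontaudit counterpart of this interface (if kernel.if provides one) would silence the AVC without granting the load. Either way the rule deserves a why-comment naming the trigger, e.g. `# ping autoloads a protocol module when it creates its raw/ICMP socket`. The ping_t policy block continues beyond this hunk.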
@@ -2205,7 +2206,7 @@ index c44c359..ae484a0 100644
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
-@@ -146,14 +153,29 @@ ifdef(`hide_broken_symptoms',`
+@@ -146,14 +154,29 @@ ifdef(`hide_broken_symptoms',`
optional_policy(`
nagios_dontaudit_rw_log(ping_t)
nagios_dontaudit_rw_pipes(ping_t)
@@ -2235,7 +2236,7 @@ index c44c359..ae484a0 100644
pcmcia_use_cardmgr_fds(ping_t)
')
-@@ -161,6 +183,15 @@ optional_policy(`
+@@ -161,6 +184,15 @@ optional_policy(`
hotplug_use_fds(ping_t)
')
@@ -2251,7 +2252,7 @@ index c44c359..ae484a0 100644
########################################
#
# Traceroute local policy
-@@ -174,7 +205,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
+@@ -174,7 +206,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
@@ -2259,7 +2260,7 @@ index c44c359..ae484a0 100644
corenet_all_recvfrom_netlabel(traceroute_t)
corenet_tcp_sendrecv_generic_if(traceroute_t)
corenet_udp_sendrecv_generic_if(traceroute_t)
-@@ -198,6 +228,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -198,6 +229,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
@@ -2267,7 +2268,7 @@ index c44c359..ae484a0 100644
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
-@@ -206,11 +237,17 @@ auth_use_nsswitch(traceroute_t)
+@@ -206,11 +238,17 @@ auth_use_nsswitch(traceroute_t)
logging_send_syslog_msg(traceroute_t)
@@ -10069,7 +10070,7 @@ index 0b1a871..29965c3 100644
+dev_getattr_all(devices_unconfined_type)
+
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..e215d29 100644
+index 6a1e4d1..8f4a4cd 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -76,33 +76,8 @@ interface(`domain_type',`
@@ -10108,7 +10109,18 @@ index 6a1e4d1..e215d29 100644
')
########################################
-@@ -513,6 +488,26 @@ interface(`domain_signull_all_domains',`
+@@ -133,6 +108,10 @@ interface(`domain_entry_file',`
+ typeattribute $2 entry_type;
+
+ corecmd_executable_file($2)
++
++ optional_policy(`
++ unconfined_exec_typebounds($2)
++ ')
+ ')
+
+ ########################################
+@@ -513,6 +492,26 @@ interface(`domain_signull_all_domains',`
########################################
##
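Review bot: The new `unconfined_exec_typebounds($2)` call inside `domain_entry_file` applies `typebounds unconfined_exec_t $2` to every entry-point file type in the policy, and as I read the bounds check it only limits what the bounded type may do as a *source* subject, which for an executable file type is nothing of consequence; the intent is not stated anywhere in the hunk. Two concrete things to confirm: a type may have only one bound, so any entry-point type already bounded elsewhere will fail the build, and if `unconfined_exec_t` is itself declared through this interface (as entry-point types normally are) this expands to `typebounds unconfined_exec_t unconfined_exec_t`. Please add a comment above the `optional_policy` block stating what the bound is meant to achieve, e.g. `# bound all entry-point types under unconfined_exec_t so that ... (reason)`, or guard it so the self-bound case is excluded. The `domain_entry_file` interface begins outside this hunk.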
@@ -10135,7 +10147,7 @@ index 6a1e4d1..e215d29 100644
## Send a stop signal to all domains.
##
##
-@@ -571,6 +566,25 @@ interface(`domain_kill_all_domains',`
+@@ -571,6 +570,25 @@ interface(`domain_kill_all_domains',`
########################################
##
@@ -10161,7 +10173,7 @@ index 6a1e4d1..e215d29 100644
## Search the process state directory (/proc/pid) of all domains.
##
##
-@@ -590,6 +604,42 @@ interface(`domain_search_all_domains_state',`
+@@ -590,6 +608,42 @@ interface(`domain_search_all_domains_state',`
########################################
##
@@ -10204,7 +10216,7 @@ index 6a1e4d1..e215d29 100644
## Do not audit attempts to search the process
## state directory (/proc/pid) of all domains.
##
-@@ -631,7 +681,7 @@ interface(`domain_read_all_domains_state',`
+@@ -631,7 +685,7 @@ interface(`domain_read_all_domains_state',`
########################################
##
@@ -10213,7 +10225,7 @@ index 6a1e4d1..e215d29 100644
##
##
##
-@@ -655,7 +705,7 @@ interface(`domain_getattr_all_domains',`
+@@ -655,7 +709,7 @@ interface(`domain_getattr_all_domains',`
##
##
##
@@ -10222,7 +10234,7 @@ index 6a1e4d1..e215d29 100644
##
##
#
-@@ -1356,6 +1406,24 @@ interface(`domain_manage_all_entry_files',`
+@@ -1356,6 +1410,24 @@ interface(`domain_manage_all_entry_files',`
########################################
##
@@ -10247,7 +10259,7 @@ index 6a1e4d1..e215d29 100644
## Relabel to and from all entry point
## file types.
##
-@@ -1421,7 +1489,7 @@ interface(`domain_entry_file_spec_domtrans',`
+@@ -1421,7 +1493,7 @@ interface(`domain_entry_file_spec_domtrans',`
##
## Ability to mmap a low area of the address
## space conditionally, as configured by
@@ -10256,7 +10268,7 @@ index 6a1e4d1..e215d29 100644
## Preventing such mappings helps protect against
## exploiting null deref bugs in the kernel.
##
-@@ -1448,7 +1516,7 @@ interface(`domain_mmap_low',`
+@@ -1448,7 +1520,7 @@ interface(`domain_mmap_low',`
##
## Ability to mmap a low area of the address
## space unconditionally, as configured
@@ -10265,7 +10277,7 @@ index 6a1e4d1..e215d29 100644
## Preventing such mappings helps protect against
## exploiting null deref bugs in the kernel.
##
-@@ -1508,6 +1576,40 @@ interface(`domain_unconfined_signal',`
+@@ -1508,6 +1580,40 @@ interface(`domain_unconfined_signal',`
########################################
##
@@ -10306,7 +10318,7 @@ index 6a1e4d1..e215d29 100644
## Unconfined access to domains.
##
##
-@@ -1530,4 +1632,101 @@ interface(`domain_unconfined',`
+@@ -1530,4 +1636,101 @@ interface(`domain_unconfined',`
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
typeattribute $1 process_uncond_exempt;
@@ -10409,7 +10421,7 @@ index 6a1e4d1..e215d29 100644
+ allow $1 domain:process rlimitinh;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..43876e0 100644
+index cf04cb5..ae8a257 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -10565,7 +10577,7 @@ index cf04cb5..43876e0 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -160,11 +237,382 @@ allow unconfined_domain_type domain:msg { send receive };
+@@ -160,11 +237,386 @@ allow unconfined_domain_type domain:msg { send receive };
# For /proc/pid
allow unconfined_domain_type domain:dir list_dir_perms;
@@ -10799,6 +10811,10 @@ index cf04cb5..43876e0 100644
+')
+
+optional_policy(`
++ sssd_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
+ tftp_filetrans_named_content(named_filetrans_domain)
+')
+
@@ -21648,7 +21664,7 @@ index 7be4ddf..9710b33 100644
+/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0)
+/sys/kernel/debug/.* <>
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..8139871 100644
+index e100d88..342fb1e 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@@ -22385,7 +22401,7 @@ index e100d88..8139871 100644
+#######################################
+##
+## Allow the specified domain to read/write on
-+## the kernel with a unix socket.
++## the kernel with a unix stream socket.
+##
+##
+##
@@ -26785,10 +26801,10 @@ index 0000000..d9efb90
+#/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
new file mode 100644
-index 0000000..15b42ae
+index 0000000..f730286
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.if
-@@ -0,0 +1,727 @@
+@@ -0,0 +1,745 @@
+## Unconfined user role
+
+########################################
@@ -27516,6 +27532,24 @@ index 0000000..15b42ae
+ typebounds unconfined_t $1;
+')
+
++########################################
++##
++## unconfined_exec_t domain typebounds file_type.
++##
++##
++##
++## File type to be typebound.
++##
++##
++#
++interface(`unconfined_exec_typebounds',`
++ gen_require(`
++ type unconfined_exec_t;
++ ')
++
++ typebounds unconfined_exec_t $1;
++')
++
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
index 0000000..60c3f9d
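Review bot: The header of `unconfined_exec_typebounds` says "unconfined_exec_t domain typebounds file_type", but `unconfined_exec_t` is an executable file type (it is the label used in the commented-out `unconfined_exec_t` file-context line earlier in this patch), and the rule it emits, `typebounds unconfined_exec_t $1`, bounds one file type under another. Suggested summary: `## Bound the given executable file type under unconfined_exec_t (typebounds unconfined_exec_t $1).` and parameter text `## Executable file type to be bounded.`. Since typebounds between file types is unusual, a one-line comment on why it is needed would help whoever maintains this next; I cannot infer the reason from the hunk.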
@@ -37792,7 +37826,7 @@ index 79a45f6..6126f21 100644
+ allow $1 init_var_lib_t:dir search_dir_perms;
')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..9f2c792 100644
+index 17eda24..136864b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -37972,11 +38006,12 @@ index 17eda24..9f2c792 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +212,24 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +212,25 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
-+kernel_stream_connect(init_t)
++kernel_rw_stream_socket_perms(init_t)
++kernel_rw_unix_dgram_sockets(init_t)
+kernel_mounton_systemd_ProtectKernelTunables(init_t)
corecmd_exec_chroot(init_t)
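Review bot: Replacing `kernel_stream_connect(init_t)` with `kernel_rw_stream_socket_perms(init_t)` drops whatever the old line granted — on refpolicy naming, `connectto` on kernel_t unix stream sockets — while the replacement, by its name, covers read/write on a socket init already holds but not `connectto`. If systemd still connects to a kernel_t-labelled stream socket (it evidently did before this change), keep both lines rather than swapping; if only inherited sockets are used now, say so, e.g. `# systemd only uses kernel_t sockets inherited at boot; no connectto needed`. Neither interface body is visible from this hunk, so please verify against kernel.if; the init_t block continues outside the hunk.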
@@ -37998,7 +38033,7 @@ index 17eda24..9f2c792 100644
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
-@@ -139,14 +237,26 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +238,26 @@ domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)
@@ -38027,7 +38062,7 @@ index 17eda24..9f2c792 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -155,29 +265,73 @@ fs_list_inotifyfs(init_t)
+@@ -155,29 +266,73 @@ fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
@@ -38106,7 +38141,7 @@ index 17eda24..9f2c792 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +340,275 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +341,275 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -38391,7 +38426,7 @@ index 17eda24..9f2c792 100644
')
optional_policy(`
-@@ -216,7 +616,30 @@ optional_policy(`
+@@ -216,7 +617,30 @@ optional_policy(`
')
optional_policy(`
@@ -38423,7 +38458,7 @@ index 17eda24..9f2c792 100644
')
########################################
-@@ -225,9 +648,9 @@ optional_policy(`
+@@ -225,9 +649,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -38435,7 +38470,7 @@ index 17eda24..9f2c792 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +681,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +682,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -38452,7 +38487,7 @@ index 17eda24..9f2c792 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +706,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +707,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -38495,7 +38530,7 @@ index 17eda24..9f2c792 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +743,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +744,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -38507,7 +38542,7 @@ index 17eda24..9f2c792 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +755,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +756,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -38518,7 +38553,7 @@ index 17eda24..9f2c792 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +766,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +767,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -38528,7 +38563,7 @@ index 17eda24..9f2c792 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +775,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +776,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -38536,7 +38571,7 @@ index 17eda24..9f2c792 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +782,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +783,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -38544,7 +38579,7 @@ index 17eda24..9f2c792 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +790,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +791,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -38562,7 +38597,7 @@ index 17eda24..9f2c792 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +808,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +809,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -38576,7 +38611,7 @@ index 17eda24..9f2c792 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +823,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +824,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -38590,7 +38625,7 @@ index 17eda24..9f2c792 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,8 +836,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +837,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -38601,7 +38636,7 @@ index 17eda24..9f2c792 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +849,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +850,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -38609,7 +38644,7 @@ index 17eda24..9f2c792 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +868,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +869,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -38633,7 +38668,7 @@ index 17eda24..9f2c792 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +901,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +902,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -38641,7 +38676,7 @@ index 17eda24..9f2c792 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +935,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +936,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -38652,7 +38687,7 @@ index 17eda24..9f2c792 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +959,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +960,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -38661,7 +38696,7 @@ index 17eda24..9f2c792 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +974,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +975,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -38669,7 +38704,7 @@ index 17eda24..9f2c792 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +995,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +996,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -38677,7 +38712,7 @@ index 17eda24..9f2c792 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +1005,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +1006,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -38722,7 +38757,7 @@ index 17eda24..9f2c792 100644
')
optional_policy(`
-@@ -559,14 +1050,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1051,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -38754,7 +38789,7 @@ index 17eda24..9f2c792 100644
')
')
-@@ -577,6 +1085,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1086,39 @@ ifdef(`distro_suse',`
')
')
@@ -38794,7 +38829,7 @@ index 17eda24..9f2c792 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1130,8 @@ optional_policy(`
+@@ -589,6 +1131,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -38803,7 +38838,7 @@ index 17eda24..9f2c792 100644
')
optional_policy(`
-@@ -610,6 +1153,7 @@ optional_policy(`
+@@ -610,6 +1154,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -38811,7 +38846,7 @@ index 17eda24..9f2c792 100644
')
optional_policy(`
-@@ -626,6 +1170,17 @@ optional_policy(`
+@@ -626,6 +1171,17 @@ optional_policy(`
')
optional_policy(`
@@ -38829,7 +38864,7 @@ index 17eda24..9f2c792 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1197,13 @@ optional_policy(`
+@@ -642,9 +1198,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -38843,7 +38878,7 @@ index 17eda24..9f2c792 100644
')
optional_policy(`
-@@ -657,15 +1216,11 @@ optional_policy(`
+@@ -657,15 +1217,11 @@ optional_policy(`
')
optional_policy(`
@@ -38861,7 +38896,7 @@ index 17eda24..9f2c792 100644
')
optional_policy(`
-@@ -686,6 +1241,15 @@ optional_policy(`
+@@ -686,6 +1242,15 @@ optional_policy(`
')
optional_policy(`
@@ -38877,7 +38912,7 @@ index 17eda24..9f2c792 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1290,7 @@ optional_policy(`
+@@ -726,6 +1291,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -38885,7 +38920,7 @@ index 17eda24..9f2c792 100644
')
optional_policy(`
-@@ -743,7 +1308,13 @@ optional_policy(`
+@@ -743,7 +1309,13 @@ optional_policy(`
')
optional_policy(`
@@ -38900,7 +38935,7 @@ index 17eda24..9f2c792 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1337,10 @@ optional_policy(`
+@@ -766,6 +1338,10 @@ optional_policy(`
')
optional_policy(`
@@ -38911,7 +38946,7 @@ index 17eda24..9f2c792 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1350,20 @@ optional_policy(`
+@@ -775,10 +1351,20 @@ optional_policy(`
')
optional_policy(`
@@ -38932,7 +38967,7 @@ index 17eda24..9f2c792 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1372,10 @@ optional_policy(`
+@@ -787,6 +1373,10 @@ optional_policy(`
')
optional_policy(`
@@ -38943,7 +38978,7 @@ index 17eda24..9f2c792 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1397,6 @@ optional_policy(`
+@@ -808,8 +1398,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -38952,7 +38987,7 @@ index 17eda24..9f2c792 100644
')
optional_policy(`
-@@ -818,6 +1405,10 @@ optional_policy(`
+@@ -818,6 +1406,10 @@ optional_policy(`
')
optional_policy(`
@@ -38963,7 +38998,7 @@ index 17eda24..9f2c792 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1418,12 @@ optional_policy(`
+@@ -827,10 +1419,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -38976,7 +39011,7 @@ index 17eda24..9f2c792 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1450,62 @@ optional_policy(`
+@@ -857,21 +1451,62 @@ optional_policy(`
')
optional_policy(`
@@ -39040,7 +39075,7 @@ index 17eda24..9f2c792 100644
')
optional_policy(`
-@@ -887,6 +1521,10 @@ optional_policy(`
+@@ -887,6 +1522,10 @@ optional_policy(`
')
optional_policy(`
@@ -39051,7 +39086,7 @@ index 17eda24..9f2c792 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1535,218 @@ optional_policy(`
+@@ -897,3 +1536,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -47198,7 +47233,7 @@ index 2cea692..e3cb4f2 100644
+ files_etc_filetrans($1, net_conf_t, file)
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index a392fc4..b01eb22 100644
+index a392fc4..98c5f23 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@@ -47441,7 +47476,7 @@ index a392fc4..b01eb22 100644
vmware_append_log(dhcpc_t)
')
-@@ -264,29 +322,66 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -264,32 +322,70 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -47508,7 +47543,11 @@ index a392fc4..b01eb22 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -299,33 +394,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
++fs_read_nsfs_files(ifconfig_t)
+
+ selinux_dontaudit_getattr_fs(ifconfig_t)
+
+@@ -299,33 +395,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@@ -47566,7 +47605,7 @@ index a392fc4..b01eb22 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -336,7 +449,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -336,7 +450,11 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -47579,7 +47618,7 @@ index a392fc4..b01eb22 100644
')
optional_policy(`
-@@ -350,7 +467,16 @@ optional_policy(`
+@@ -350,7 +468,16 @@ optional_policy(`
')
optional_policy(`
@@ -47597,7 +47636,7 @@ index a392fc4..b01eb22 100644
')
optional_policy(`
-@@ -371,3 +497,17 @@ optional_policy(`
+@@ -371,3 +498,17 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -51904,7 +51943,7 @@ index db75976..c54480a 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..269ce67 100644
+index 9dc60c6..4b0a3ed 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -55501,7 +55540,7 @@ index 9dc60c6..269ce67 100644
+#
+interface(`userdom_execmod_user_home_files',`
+ gen_require(`
-+ type user_home_type;
++ attribute user_home_type;
+ ')
+
+ allow $1 user_home_type:file execmod;
@@ -55897,7 +55936,7 @@ index 9dc60c6..269ce67 100644
+#
+interface(`userdom_dontaudit_read_inherited_admin_home_files',`
+ gen_require(`
-+ attribute admin_home_t;
++ type admin_home_t;
+ ')
+
+ dontaudit $1 admin_home_t:file read_inherited_file_perms;
@@ -55915,7 +55954,7 @@ index 9dc60c6..269ce67 100644
+#
+interface(`userdom_dontaudit_append_inherited_admin_home_file',`
+ gen_require(`
-+ attribute admin_home_t;
++ type admin_home_t;
+ ')
+
+ dontaudit $1 admin_home_t:file append_inherited_file_perms;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index c20e916..0243bf0 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -2280,7 +2280,7 @@ index 7f4dfbc..e5c9f45 100644
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
diff --git a/amanda.te b/amanda.te
-index 519051c..69a4c66 100644
+index 519051c..c3a718a 100644
--- a/amanda.te
+++ b/amanda.te
@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
@@ -2301,7 +2301,17 @@ index 519051c..69a4c66 100644
type amanda_log_t;
logging_log_file(amanda_log_t)
-@@ -60,7 +63,7 @@ optional_policy(`
+@@ -33,6 +36,9 @@ files_type(amanda_gnutarlists_t)
+ type amanda_tmp_t;
+ files_tmp_file(amanda_tmp_t)
+
++type amanda_tmpfs_t;
++files_tmpfs_file(amanda_tmpfs_t)
++
+ type amanda_amandates_t;
+ files_type(amanda_amandates_t)
+
+@@ -60,7 +66,7 @@ optional_policy(`
#
allow amanda_t self:capability { chown dac_override setuid kill };
@@ -2310,7 +2320,7 @@ index 519051c..69a4c66 100644
allow amanda_t self:fifo_file rw_fifo_file_perms;
allow amanda_t self:unix_stream_socket { accept listen };
allow amanda_t self:tcp_socket { accept listen };
-@@ -71,6 +74,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
+@@ -71,6 +77,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
@@ -2318,7 +2328,7 @@ index 519051c..69a4c66 100644
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
-@@ -81,6 +85,7 @@ allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
+@@ -81,6 +88,7 @@ allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
@@ -2326,7 +2336,18 @@ index 519051c..69a4c66 100644
manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t)
manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t)
-@@ -100,13 +105,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
+@@ -90,6 +98,10 @@ manage_files_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
+ manage_dirs_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
+ files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
+
++manage_files_pattern(amanda_t, amanda_tmpfs_t, amanda_tmpfs_t)
++manage_dirs_pattern(amanda_t, amanda_tmpfs_t, amanda_tmpfs_t)
++fs_tmpfs_filetrans(amanda_t, amanda_tmpfs_t, { dir })
++
+ can_exec(amanda_t, { amanda_exec_t amanda_inetd_exec_t })
+
+ kernel_read_kernel_sysctls(amanda_t)
+@@ -100,13 +112,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
corecmd_exec_shell(amanda_t)
corecmd_exec_bin(amanda_t)
@@ -2343,7 +2364,7 @@ index 519051c..69a4c66 100644
corenet_sendrecv_all_server_packets(amanda_t)
corenet_tcp_bind_all_rpc_ports(amanda_t)
corenet_tcp_bind_generic_port(amanda_t)
-@@ -114,6 +121,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
+@@ -114,6 +128,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
dev_getattr_all_blk_files(amanda_t)
dev_getattr_all_chr_files(amanda_t)
@@ -2351,7 +2372,7 @@ index 519051c..69a4c66 100644
files_read_etc_runtime_files(amanda_t)
files_list_all(amanda_t)
-@@ -130,6 +138,7 @@ fs_list_all(amanda_t)
+@@ -130,6 +145,7 @@ fs_list_all(amanda_t)
storage_raw_read_fixed_disk(amanda_t)
storage_read_tape(amanda_t)
storage_write_tape(amanda_t)
@@ -2359,7 +2380,7 @@ index 519051c..69a4c66 100644
auth_use_nsswitch(amanda_t)
auth_read_shadow(amanda_t)
-@@ -170,7 +179,6 @@ kernel_read_system_state(amanda_recover_t)
+@@ -170,7 +186,6 @@ kernel_read_system_state(amanda_recover_t)
corecmd_exec_shell(amanda_recover_t)
corecmd_exec_bin(amanda_recover_t)
@@ -2367,7 +2388,7 @@ index 519051c..69a4c66 100644
corenet_all_recvfrom_netlabel(amanda_recover_t)
corenet_tcp_sendrecv_generic_if(amanda_recover_t)
corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -195,12 +203,16 @@ files_search_tmp(amanda_recover_t)
+@@ -195,12 +210,16 @@ files_search_tmp(amanda_recover_t)
auth_use_nsswitch(amanda_recover_t)
@@ -42027,10 +42048,10 @@ index 182ab8b..8b1d9c2 100644
+')
+
diff --git a/kdumpgui.te b/kdumpgui.te
-index 2990962..c153d15 100644
+index 2990962..abd217f 100644
--- a/kdumpgui.te
+++ b/kdumpgui.te
-@@ -5,79 +5,88 @@ policy_module(kdumpgui, 1.2.0)
+@@ -5,79 +5,89 @@ policy_module(kdumpgui, 1.2.0)
# Declarations
#
@@ -42078,6 +42099,7 @@ index 2990962..c153d15 100644
dev_read_sysfs(kdumpgui_t)
+dev_read_urand(kdumpgui_t)
+dev_getattr_all_blk_files(kdumpgui_t)
++dev_read_nvme(kdumpgui_t)
files_manage_boot_files(kdumpgui_t)
files_manage_boot_symlinks(kdumpgui_t)
@@ -42138,7 +42160,7 @@ index 2990962..c153d15 100644
')
optional_policy(`
-@@ -87,4 +96,10 @@ optional_policy(`
+@@ -87,4 +97,10 @@ optional_policy(`
optional_policy(`
kdump_manage_config(kdumpgui_t)
kdump_initrc_domtrans(kdumpgui_t)
@@ -104702,10 +104724,10 @@ index 0000000..821e158
+')
+
diff --git a/sssd.fc b/sssd.fc
-index dbb005a..835122a 100644
+index dbb005a..d4328ed 100644
--- a/sssd.fc
+++ b/sssd.fc
-@@ -1,15 +1,19 @@
+@@ -1,15 +1,21 @@
/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
-/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0)
@@ -104713,6 +104735,7 @@ index dbb005a..835122a 100644
-/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
++/usr/libexec/sssd/sssd_secrets -- gen_context(system_u:object_r:sssd_exec_t,s0)
-/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+/usr/lib/systemd/system/sssd.* -- gen_context(system_u:object_r:sssd_unit_file_t,s0)
@@ -104731,8 +104754,9 @@ index dbb005a..835122a 100644
-/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
+/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
++/var/run/secrets.socket gen_context(system_u:object_r:sssd_var_run_t,s0)
diff --git a/sssd.if b/sssd.if
-index a240455..04419ae 100644
+index a240455..d30fd1f 100644
--- a/sssd.if
+++ b/sssd.if
@@ -1,21 +1,21 @@
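Review bot: `/var/run/secrets.socket gen_context(system_u:object_r:sssd_var_run_t,s0)` has an unescaped dot and no file-type specifier, so it also matches, for instance, a directory or regular file named `secretsXsocket`; it should be `/var/run/secrets\.socket -s gen_context(system_u:object_r:sssd_var_run_t,s0)` (the adjacent `sssd.pid` line carries the same unescaped dot, but that is pre-existing). A bare `secrets.socket` at the top of /run is also a generic name, so any other service creating that path would be relabelled as sssd runtime content; if sssd dictates the path that is unavoidable, but it is worth a comment, e.g. `# sssd-secrets responder socket (path fixed by sssd)`.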
@@ -105045,7 +105069,7 @@ index a240455..04419ae 100644
##
##
##
-@@ -317,8 +408,65 @@ interface(`sssd_stream_connect',`
+@@ -317,8 +408,92 @@ interface(`sssd_stream_connect',`
########################################
##
@@ -105108,12 +105132,39 @@ index a240455..04419ae 100644
+
+########################################
+##
++## Transition to sssd named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sssd_filetrans_named_content',`
++ gen_require(`
++ type sssd_var_run_t;
++ type sssd_var_log_t;
++ type sssd_var_lib_t;
++ type sssd_public_t;
++ type sssd_conf_t;
++ ')
++
++ files_pid_filetrans($1, sssd_var_run_t, sock_file, "secrets.socket")
++ logging_log_filetrans($1, sssd_var_log_t, dir, "sssd")
++ files_var_lib_filetrans($1, sssd_var_lib_t, dir, "sss")
++ filestrans_pattern($1, sssd_var_lib_t, sssd_public_t, dir, "mc")
++ filestrans_pattern($1, sssd_var_lib_t, sssd_public_t, dir, "pubconf")
++ etc_filestrans($1, sssd_conf_t, dir, "sssd")
++')
++
++########################################
++##
+## All of the rules required to administrate
+## an sssd environment
##
##
##
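Review bot: Two macro names in `sssd_filetrans_named_content` do not exist under those spellings, so the calls would pass through m4 unexpanded and the module would fail to build: `filestrans_pattern` should be `filetrans_pattern` (the spelling used for amanda elsewhere in this patch) and `etc_filestrans` should be `files_etc_filetrans` (the spelling used with net_conf_t in the sysnetwork hunk). The corrected lines are `filetrans_pattern($1, sssd_var_lib_t, sssd_public_t, dir, "mc")`, `filetrans_pattern($1, sssd_var_lib_t, sssd_public_t, dir, "pubconf")` and `files_etc_filetrans($1, sssd_conf_t, dir, "sssd")`. Since the base patch now calls this interface for every `named_filetrans_domain`, the `"secrets.socket"` transition also means any such domain creating that sock_file directly in /run gets sssd_var_run_t, not only sssd itself; that is probably intended but worth stating in the interface summary.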
-@@ -327,7 +475,7 @@ interface(`sssd_stream_connect',`
+@@ -327,7 +502,7 @@ interface(`sssd_stream_connect',`
##
##
##
@@ -105122,7 +105173,7 @@ index a240455..04419ae 100644
##
##
##
-@@ -335,27 +483,29 @@ interface(`sssd_stream_connect',`
+@@ -335,27 +510,29 @@ interface(`sssd_stream_connect',`
interface(`sssd_admin',`
gen_require(`
type sssd_t, sssd_public_t, sssd_initrc_exec_t;
@@ -105164,7 +105215,7 @@ index a240455..04419ae 100644
- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
-index 2d8db1f..a28dfe7 100644
+index 2d8db1f..1139567 100644
--- a/sssd.te
+++ b/sssd.te
@@ -28,19 +28,28 @@ logging_log_file(sssd_var_log_t)
@@ -105188,7 +105239,8 @@ index 2d8db1f..a28dfe7 100644
-allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource };
+allow sssd_t self:capability { ipc_lock chown dac_read_search dac_override kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource };
allow sssd_t self:capability2 block_suspend;
- allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit };
+-allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit };
++allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit setpgid};
allow sssd_t self:fifo_file rw_fifo_file_perms;
allow sssd_t self:key manage_key_perms;
-allow sssd_t self:unix_stream_socket { accept connectto listen };
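Review bot: The rewritten `allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit setpgid};` line is missing the space before the closing brace that the other permission sets in this hunk carry (`{ ipc_lock ... sys_resource }`); write it as `allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit setpgid };`. The grant itself is low risk for a daemon that manages its own child processes, but the reason is only recorded in the spec changelog; a one-line `# setpgid for sssd child process handling, BZ(1411437)` comment above the rule would keep that rationale next to the policy it justifies.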
@@ -114657,7 +114709,7 @@ index facdee8..2cff369 100644
+ domtrans_pattern($1,container_file_t, $2)
')
diff --git a/virt.te b/virt.te
-index f03dcf5..d7dc78b 100644
+index f03dcf5..b5b9ca5 100644
--- a/virt.te
+++ b/virt.te
@@ -1,451 +1,411 @@
@@ -116249,7 +116301,7 @@ index f03dcf5..d7dc78b 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1268,370 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1268,355 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -116462,10 +116514,7 @@ index f03dcf5..d7dc78b 100644
+files_entrypoint_all_mountpoint(svirt_sandbox_domain)
+corecmd_entrypoint_all_executables(svirt_sandbox_domain)
+
-+files_list_var(svirt_sandbox_domain)
-+files_list_var_lib(svirt_sandbox_domain)
+files_search_all(svirt_sandbox_domain)
-+files_read_config_files(svirt_sandbox_domain)
+files_read_usr_symlinks(svirt_sandbox_domain)
+files_search_locks(svirt_sandbox_domain)
+files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain)
@@ -116473,10 +116522,9 @@ index f03dcf5..d7dc78b 100644
+fs_getattr_all_fs(svirt_sandbox_domain)
+fs_list_inotifyfs(svirt_sandbox_domain)
+fs_rw_inherited_tmpfs_files(svirt_sandbox_domain)
-+fs_read_fusefs_files(svirt_sandbox_domain)
+fs_read_hugetlbfs_files(svirt_sandbox_domain)
+fs_read_tmpfs_symlinks(svirt_sandbox_domain)
-+fs_list_tmpfs(svirt_sandbox_domain)
++fs_search_tmpfs(svirt_sandbox_domain)
+fs_rw_hugetlbfs_files(svirt_sandbox_domain)
+
+
@@ -116485,9 +116533,7 @@ index f03dcf5..d7dc78b 100644
+auth_dontaudit_write_login_records(svirt_sandbox_domain)
+auth_search_pam_console_data(svirt_sandbox_domain)
+
-+clock_read_adjtime(svirt_sandbox_domain)
-+
-+init_read_utmp(svirt_sandbox_domain)
++init_dontaudit_read_utmp(svirt_sandbox_domain)
+init_dontaudit_write_utmp(svirt_sandbox_domain)
+
+libs_dontaudit_setattr_lib_files(svirt_sandbox_domain)
@@ -116497,8 +116543,6 @@ index f03dcf5..d7dc78b 100644
+miscfiles_read_fonts(svirt_sandbox_domain)
+miscfiles_read_hwdata(svirt_sandbox_domain)
+
-+systemd_read_unit_files(svirt_sandbox_domain)
-+
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
@@ -116575,7 +116619,6 @@ index f03dcf5..d7dc78b 100644
+virt_sandbox_domain_template(container)
+typealias container_t alias svirt_lxc_net_t;
+virt_default_capabilities(container_t)
-+typeattribute container_t sandbox_net_domain;
+dontaudit container_t self:capability fsetid;
+dontaudit container_t self:capability2 block_suspend ;
+allow container_t self:process { execstack execmem };
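Review bot: Dropping `typeattribute container_t sandbox_net_domain;` removes the attribute that carries network rules for `container_t`, a domain the line two above still aliases to `svirt_lxc_net_t`, so unless the attribute is assigned to `container_t` in some other module this commit silently takes networking away from containers. None of the virt.te changes in this commit, this removal included along with the cgroup, fusefs, unmount and utmp changes in the surrounding hunks, are mentioned in the spec changelog, so the intent cannot be recovered from the tree. If the rules moved to a separately shipped container policy, a changelog line such as `- Move container_t network rules out of virt.te` and a `# network rules for container_t are provided by the container policy module` comment at the alias would document it; if they did not move, the line should be kept.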
@@ -116663,12 +116706,6 @@ index f03dcf5..d7dc78b 100644
-auth_use_nsswitch(svirt_lxc_net_t)
+fs_noxattr_type(container_file_t)
-+# Do we actually need these?
-+fs_mount_cgroup(container_t)
-+fs_manage_cgroup_dirs(container_t)
-+fs_manage_cgroup_files(container_t)
-+# Needed for docker
-+fs_unmount_xattr_fs(container_t)
-logging_send_audit_msgs(svirt_lxc_net_t)
+term_pty(container_file_t)
@@ -116765,7 +116802,7 @@ index f03dcf5..d7dc78b 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1644,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1629,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -116780,7 +116817,7 @@ index f03dcf5..d7dc78b 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,7 +1662,7 @@ optional_policy(`
+@@ -1192,7 +1647,7 @@ optional_policy(`
########################################
#
@@ -116789,7 +116826,7 @@ index f03dcf5..d7dc78b 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1671,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1656,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 24b4aa6..7b4a618 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 235%{?dist}
+Release: 236%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -675,6 +675,16 @@ exit 0
%endif
%changelog
+* Thu Feb 02 2017 Lukas Vrabec - 3.13.1-236
+- Allow kdumpgui domain to read nvme device
+- Add amanda_tmpfs_t label. BZ(1243752)
+- Fix typo in sssd interface file
+- Allow sssd_t domain setpgid BZ(1411437)
+- Allow ifconfig_t domain read nsfs_t
+- Allow ping_t domain to load kernel modules.
+- Allow systemd to send user information back to pid1. BZ(1412750)
+- rawhide-base: Fix wrong type/attribute flavors in require blocks
+
* Tue Jan 17 2017 Lukas Vrabec - 3.13.1-235
- Allow libvirt daemon to create /var/chace/libvirt dir.
- Allow systemd using ProtectKernelTunables securit feature. BZ(1392161)