diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 251805a..3a4a272 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 337540a..23edb1d 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -10226,7 +10226,7 @@ index 6a1e4d1..26e5558 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..7b76b77 100644
+index cf04cb5..b5fe8e5 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -10379,7 +10379,14 @@ index cf04cb5..7b76b77 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +242,373 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -160,11 +236,379 @@ allow unconfined_domain_type domain:msg { send receive };
+
+ # For /proc/pid
+ allow unconfined_domain_type domain:dir list_dir_perms;
+-allow unconfined_domain_type domain:file rw_file_perms;
++allow unconfined_domain_type domain:file manage_file_perms;
+ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+
# act on all domains keys
allow unconfined_domain_type domain:key *;
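Review bot: The nested change `++allow unconfined_domain_type domain:file manage_file_perms;` replaces rw_file_perms with the whole manage set, although the changelog in selinux-policy.spec says only `create` is needed for user namespaces; manage_file_perms also carries unlink, rename, link and setattr on every domain's /proc/pid files (the `# For /proc/pid` context names the target). The same widening is repeated for `self:file` in the unconfined.if hunk and for unpriv_userdomain in the userdomain.te hunk, where it lands on every unprivileged user domain. A minimal grant keeps the existing set and adds the one permission the changelog names, `allow unconfined_domain_type domain:file { rw_file_perms create };`, with the same form in the two other hunks. For unconfined_domain_type the practical difference is small; the unpriv_userdomain rule is the one worth tightening.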
@@ -35025,7 +35032,7 @@ index bc0ffc8..37b8ea5 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..e69fa39 100644
+index 79a45f6..cf6add7 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@@ -35740,7 +35747,7 @@ index 79a45f6..e69fa39 100644
##
##
##
-@@ -1133,7 +1382,83 @@ interface(`init_getattr_all_script_files',`
+@@ -1133,7 +1382,102 @@ interface(`init_getattr_all_script_files',`
##
##
#
@@ -35813,6 +35820,25 @@ index 79a45f6..e69fa39 100644
+
+########################################
+##
++## Allow the specified domain to modify the systemd configuration of
++## transient scripts.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_config_transient_files',`
++ gen_require(`
++ attribute init_var_run_t;
++ ')
++
++ allow $1 init_var_run_t:service all_service_perms;
++')
++
++########################################
++##
+## Read all init script files.
+##
+##
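Review bot: `init_config_transient_files` requires init_var_run_t as an attribute (`attribute init_var_run_t;`) while the rest of this file requires it as a type (`type init_var_run_t;` in init_pid_filetrans and init_named_pid_filetrans further down the patch); the flavors should agree, and the policy link step may reject a require whose flavor conflicts with the declaration. The body grants `all_service_perms` on init_var_run_t:service, which is considerably more than the summary line "modify the systemd configuration of transient scripts" suggests, so the `##` header should say what is actually granted, e.g. `## Allow the specified domain all service permissions (start, stop and the rest) on transient systemd units labeled init_var_run_t.` The only caller this commit adds is systemd_logind_t in the systemd.te hunk.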
@@ -35825,7 +35851,7 @@ index 79a45f6..e69fa39 100644
gen_require(`
attribute init_script_file_type;
')
-@@ -1144,6 +1469,24 @@ interface(`init_read_all_script_files',`
+@@ -1144,6 +1488,24 @@ interface(`init_read_all_script_files',`
#######################################
##
@@ -35850,7 +35876,7 @@ index 79a45f6..e69fa39 100644
## Dontaudit read all init script files.
##
##
-@@ -1195,12 +1538,7 @@ interface(`init_read_script_state',`
+@@ -1195,12 +1557,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -35864,7 +35890,7 @@ index 79a45f6..e69fa39 100644
')
########################################
-@@ -1314,6 +1652,24 @@ interface(`init_signal_script',`
+@@ -1314,6 +1671,24 @@ interface(`init_signal_script',`
########################################
##
@@ -35889,7 +35915,7 @@ index 79a45f6..e69fa39 100644
## Send null signals to init scripts.
##
##
-@@ -1440,6 +1796,27 @@ interface(`init_dbus_send_script',`
+@@ -1440,6 +1815,27 @@ interface(`init_dbus_send_script',`
########################################
##
## Send and receive messages from
@@ -35917,7 +35943,7 @@ index 79a45f6..e69fa39 100644
## init scripts over dbus.
##
##
-@@ -1547,6 +1924,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1547,6 +1943,25 @@ interface(`init_getattr_script_status_files',`
########################################
##
@@ -35943,7 +35969,7 @@ index 79a45f6..e69fa39 100644
## Do not audit attempts to read init script
## status files.
##
-@@ -1605,6 +2001,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1605,6 +2020,24 @@ interface(`init_rw_script_tmp_files',`
########################################
##
@@ -35968,7 +35994,7 @@ index 79a45f6..e69fa39 100644
## Create files in a init script
## temporary data directory.
##
-@@ -1677,6 +2091,43 @@ interface(`init_read_utmp',`
+@@ -1677,6 +2110,43 @@ interface(`init_read_utmp',`
########################################
##
@@ -36012,7 +36038,7 @@ index 79a45f6..e69fa39 100644
## Do not audit attempts to write utmp.
##
##
-@@ -1765,7 +2216,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1765,7 +2235,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -36021,12 +36047,14 @@ index 79a45f6..e69fa39 100644
')
########################################
-@@ -1806,6 +2257,133 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1806,37 +2276,672 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
')
+-########################################
+######################################
-+##
+ ##
+-## Allow the specified domain to connect to daemon with a tcp socket
+## Allow search directory in the /run/systemd directory.
+##
+##
@@ -36085,8 +36113,8 @@ index 79a45f6..e69fa39 100644
+## Create objects in /run/systemd directory
+## with an automatic type transition to
+## a specified private type.
-+##
-+##
+ ##
+ ##
+##
+## Domain allowed access.
+##
@@ -36102,31 +36130,39 @@ index 79a45f6..e69fa39 100644
+##
+##
+##
-+##
+ ##
+-## Domain allowed access.
+## The name of the object being created.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`init_tcp_recvfrom_all_daemons',`
+- gen_require(`
+- attribute daemon;
+- ')
+interface(`init_pid_filetrans',`
+ gen_require(`
+ type init_var_run_t;
+ ')
-+
+
+- corenet_tcp_recvfrom_labeled($1, daemon)
+ files_search_pids($1)
+ filetrans_pattern($1, init_var_run_t, $2, $3, $4)
-+')
-+
+ ')
+
+-########################################
+#######################################
-+##
+ ##
+-## Allow the specified domain to connect to daemon with a udp socket
+## Create objects in /run/systemd directory
+## with an automatic type transition to
+## a specified private type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
+##
+## The type of the object to create.
@@ -36142,23 +36178,53 @@ index 79a45f6..e69fa39 100644
+## The name of the object being created.
+##
+##
-+#
+ #
+-interface(`init_udp_recvfrom_all_daemons',`
+interface(`init_named_pid_filetrans',`
-+ gen_require(`
+ gen_require(`
+- attribute daemon;
+ type init_var_run_t;
-+ ')
+ ')
+- corenet_udp_recvfrom_labeled($1, daemon)
+
+ files_search_pids($1)
+ filetrans_pattern($1, init_var_run_t, $2, $3, $4)
+')
+
- ########################################
- ##
- ## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1840,3 +2418,511 @@ interface(`init_udp_recvfrom_all_daemons',`
- ')
- corenet_udp_recvfrom_labeled($1, daemon)
- ')
++########################################
++##
++## Allow the specified domain to connect to daemon with a tcp socket
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_tcp_recvfrom_all_daemons',`
++ gen_require(`
++ attribute daemon;
++ ')
++
++ corenet_tcp_recvfrom_labeled($1, daemon)
++')
++
++########################################
++##
++## Allow the specified domain to connect to daemon with a udp socket
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_udp_recvfrom_all_daemons',`
++ gen_require(`
++ attribute daemon;
++ ')
++ corenet_udp_recvfrom_labeled($1, daemon)
++')
+
+########################################
+##
@@ -36666,7 +36732,7 @@ index 79a45f6..e69fa39 100644
+
+ files_search_var_lib($1)
+ allow $1 init_var_lib_t:dir search_dir_perms;
-+')
+ ')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 17eda24..f09c5ae 100644
--- a/policy/modules/system/init.te
@@ -45402,7 +45468,7 @@ index 40edc18..95f4458 100644
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
+
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..bf86a31 100644
+index 2cea692..8edb742 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -45819,7 +45885,7 @@ index 2cea692..bf86a31 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -796,3 +1053,125 @@ interface(`sysnet_use_portmap',`
+@@ -796,3 +1053,143 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@@ -45945,6 +46011,24 @@ index 2cea692..bf86a31 100644
+
+ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
+')
++
++########################################
++##
++## Transition to sysnet ifconfig named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sysnet_filetrans_net_conf',`
++ gen_require(`
++ type net_conf_t;
++ ')
++
++ files_etc_filetrans($1, net_conf_t, file)
++')
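Review bot: `sysnet_filetrans_net_conf` calls `files_etc_filetrans($1, net_conf_t, file)` with no name, so every file the caller creates directly in /etc is labeled net_conf_t rather than only the intended network configuration files; the changelog entry calls this `sysnet_filetrans_named_net_conf()` and describes named content, and the sibling rule in this hunk (`files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")`) shows the name-restricted form. Passing the name through, `files_etc_filetrans($1, net_conf_t, file, $2)` (refpolicy's files_etc_filetrans takes an optional name argument, to be confirmed against the base tree), and documenting the new parameter in the `##` header keeps the transition limited; the caller added in networkmanager.te would then supply the file name. The interface name in the spec changelog also does not match the one defined here.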
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index a392fc4..155d5ce 100644
--- a/policy/modules/system/sysnetwork.te
@@ -48142,10 +48226,10 @@ index 0000000..ebd6cc8
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..0be65c0
+index 0000000..8c07053
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,930 @@
+@@ -0,0 +1,931 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -48375,6 +48459,7 @@ index 0000000..0be65c0
+init_signal_script(systemd_logind_t)
+init_getattr_script_status_files(systemd_logind_t)
+init_read_utmp(systemd_logind_t)
++init_config_transient_files(systemd_logind_t)
+
+getty_systemctl(systemd_logind_t)
+
@@ -49674,7 +49759,7 @@ index 0abaf84..8b34dbc 100644
-/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 5ca20a9..99a38b0 100644
+index 5ca20a9..5454d16 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -12,53 +12,57 @@
@@ -49701,7 +49786,8 @@ index 5ca20a9..99a38b0 100644
+ allow $1 self:process { dyntransition transition };
# Write access is for setting attributes under /proc/self/attr.
- allow $1 self:file rw_file_perms;
+- allow $1 self:file rw_file_perms;
++ allow $1 self:file manage_file_perms;
+ allow $1 self:dir rw_dir_perms;
# Userland object managers
@@ -55573,7 +55659,7 @@ index 9dc60c6..595ad40 100644
+ ')
')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index f4ac38d..d7cbcec 100644
+index f4ac38d..1589d60 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
@@ -55662,7 +55748,7 @@ index f4ac38d..d7cbcec 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -70,26 +83,395 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,396 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -55729,6 +55815,7 @@ index f4ac38d..d7cbcec 100644
+# Nautilus causes this avc
+domain_dontaudit_access_check(unpriv_userdomain)
+dontaudit unpriv_userdomain self:dir setattr;
++allow unpriv_userdomain self:file manage_file_perms;
+allow unpriv_userdomain self:key manage_key_perms;
+
+mount_dontaudit_write_mount_pid(unpriv_userdomain)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 0203074..ff0837a 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -58759,7 +58759,7 @@ index 86dc29d..7380935 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..ab2d757 100644
+index 55f2009..debb78b 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -9,15 +9,18 @@ type NetworkManager_t;
@@ -58965,7 +58965,7 @@ index 55f2009..ab2d757 100644
seutil_read_config(NetworkManager_t)
-@@ -166,21 +205,36 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +205,37 @@ sysnet_kill_dhcpc(NetworkManager_t)
sysnet_read_dhcpc_state(NetworkManager_t)
sysnet_delete_dhcpc_state(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
@@ -58973,6 +58973,7 @@ index 55f2009..ab2d757 100644
sysnet_manage_config(NetworkManager_t)
-sysnet_etc_filetrans_config(NetworkManager_t)
+sysnet_filetrans_named_content(NetworkManager_t)
++sysnet_filetrans_net_conf(NetworkManager_t)
-# certificates in user home directories (cert_home_t in ~/\.pki)
-userdom_read_user_home_content_files(NetworkManager_t)
@@ -59006,7 +59007,7 @@ index 55f2009..ab2d757 100644
')
optional_policy(`
-@@ -196,10 +250,6 @@ optional_policy(`
+@@ -196,10 +251,6 @@ optional_policy(`
')
optional_policy(`
@@ -59017,7 +59018,7 @@ index 55f2009..ab2d757 100644
consoletype_exec(NetworkManager_t)
')
-@@ -210,31 +260,34 @@ optional_policy(`
+@@ -210,31 +261,34 @@ optional_policy(`
optional_policy(`
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -59060,7 +59061,7 @@ index 55f2009..ab2d757 100644
')
optional_policy(`
-@@ -246,10 +299,26 @@ optional_policy(`
+@@ -246,10 +300,26 @@ optional_policy(`
')
optional_policy(`
@@ -59087,7 +59088,7 @@ index 55f2009..ab2d757 100644
')
optional_policy(`
-@@ -257,15 +326,19 @@ optional_policy(`
+@@ -257,15 +327,19 @@ optional_policy(`
')
optional_policy(`
@@ -59109,7 +59110,7 @@ index 55f2009..ab2d757 100644
')
optional_policy(`
-@@ -274,10 +347,17 @@ optional_policy(`
+@@ -274,10 +348,17 @@ optional_policy(`
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
@@ -59127,7 +59128,7 @@ index 55f2009..ab2d757 100644
')
optional_policy(`
-@@ -286,9 +366,12 @@ optional_policy(`
+@@ -286,9 +367,12 @@ optional_policy(`
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
openvpn_signull(NetworkManager_t)
@@ -59140,7 +59141,7 @@ index 55f2009..ab2d757 100644
policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t)
-@@ -296,7 +379,7 @@ optional_policy(`
+@@ -296,7 +380,7 @@ optional_policy(`
')
optional_policy(`
@@ -59149,7 +59150,7 @@ index 55f2009..ab2d757 100644
')
optional_policy(`
-@@ -307,6 +390,7 @@ optional_policy(`
+@@ -307,6 +391,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -59157,7 +59158,7 @@ index 55f2009..ab2d757 100644
')
optional_policy(`
-@@ -320,14 +404,21 @@ optional_policy(`
+@@ -320,14 +405,21 @@ optional_policy(`
')
optional_policy(`
@@ -59184,7 +59185,7 @@ index 55f2009..ab2d757 100644
')
optional_policy(`
-@@ -338,6 +429,13 @@ optional_policy(`
+@@ -338,6 +430,13 @@ optional_policy(`
vpn_relabelfrom_tun_socket(NetworkManager_t)
')
@@ -59198,7 +59199,7 @@ index 55f2009..ab2d757 100644
########################################
#
# wpa_cli local policy
-@@ -357,6 +455,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -357,6 +456,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -112661,7 +112662,7 @@ index facdee8..816d860 100644
+ ps_process_pattern(virtd_t, $1)
')
diff --git a/virt.te b/virt.te
-index f03dcf5..5b78d90 100644
+index f03dcf5..8d090ad 100644
--- a/virt.te
+++ b/virt.te
@@ -1,451 +1,402 @@
@@ -114235,7 +114236,7 @@ index f03dcf5..5b78d90 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1250,354 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1250,355 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -114300,6 +114301,7 @@ index f03dcf5..5b78d90 100644
+dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)
+
+fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
++fs_rw_onload_sockets(svirt_sandbox_domain)
+
+tunable_policy(`deny_ptrace',`',`
+ allow svirt_sandbox_domain self:process ptrace;
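Review bot: `fs_rw_onload_sockets(svirt_sandbox_domain)` grants every sandbox (container) domain read/write on onload sockets unconditionally, while the adjacent ptrace grant in this hunk is gated by `tunable_policy(`deny_ptrace', ...)`. If only some deployments use onload, a boolean in the same style, or at least a comment recording the use case, would keep the grant scoped; as written nothing explains why all of svirt_sandbox_domain needs it. Proposed comment above the line: `# onload sockets are exposed to container domains (changelog 3.13.1-196)`. The svirt_sandbox_domain block continues outside the hunk.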
@@ -114731,7 +114733,7 @@ index f03dcf5..5b78d90 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1610,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1611,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -114746,7 +114748,7 @@ index f03dcf5..5b78d90 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,7 +1628,7 @@ optional_policy(`
+@@ -1192,7 +1629,7 @@ optional_policy(`
########################################
#
@@ -114755,7 +114757,7 @@ index f03dcf5..5b78d90 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1637,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1638,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 12b5672..945fe28 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 195%{?dist}
+Release: 196%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -647,6 +647,13 @@ exit 0
%endif
%changelog
+* Mon Jun 13 2016 Lukas Vrabec 3.13.1-196
+- Allow svirt_sandbox_domains to r/w onload sockets
+- Add filetrans rule that NetworkManager_t can create net_conf_t files in /etc.
+- Add interface sysnet_filetrans_named_net_conf()
+- Rawhide fails to boot, systemd-logind needs to config transient config files
+- User Namespace is requires create on process domains
+
* Thu Jun 08 2016 Lukas Vrabec 3.13.1-195
- Add hwloc-dump-hwdata SELinux policy
- Add labels for mediawiki123