diff --git a/container-selinux.tgz b/container-selinux.tgz
index 9d0d555..01fb911 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index a257b3f..766abd1 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -3189,7 +3189,7 @@ index 99e3903ea..fa68362ea 100644
##
##
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1d732f1e7..6a7c8001a 100644
+index 1d732f1e7..7e03673be 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t;
@@ -3395,7 +3395,7 @@ index 1d732f1e7..6a7c8001a 100644
fs_getattr_xattr_fs(passwd_t)
fs_search_auto_mountpoints(passwd_t)
-@@ -310,26 +341,32 @@ selinux_compute_create_context(passwd_t)
+@@ -310,26 +341,34 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
@@ -3406,7 +3406,9 @@ index 1d732f1e7..6a7c8001a 100644
auth_run_chk_passwd(passwd_t, passwd_roles)
+auth_manage_passwd(passwd_t)
++auth_map_passwd(passwd_t)
auth_manage_shadow(passwd_t)
++auth_map_shadow(passwd_t)
auth_relabel_shadow(passwd_t)
auth_etc_filetrans_shadow(passwd_t)
-auth_use_nsswitch(passwd_t)
@@ -3432,7 +3434,7 @@ index 1d732f1e7..6a7c8001a 100644
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(passwd_t)
-@@ -338,12 +375,11 @@ init_use_fds(passwd_t)
+@@ -338,12 +377,11 @@ init_use_fds(passwd_t)
logging_send_audit_msgs(passwd_t)
logging_send_syslog_msg(passwd_t)
@@ -3446,7 +3448,7 @@ index 1d732f1e7..6a7c8001a 100644
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
-@@ -352,6 +388,20 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -352,6 +390,20 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -3467,7 +3469,7 @@ index 1d732f1e7..6a7c8001a 100644
optional_policy(`
nscd_run(passwd_t, passwd_roles)
-@@ -362,7 +412,7 @@ optional_policy(`
+@@ -362,7 +414,7 @@ optional_policy(`
# Password admin local policy
#
@@ -3476,7 +3478,7 @@ index 1d732f1e7..6a7c8001a 100644
allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sysadm_passwd_t self:process { setrlimit setfscreate };
allow sysadm_passwd_t self:fd use;
-@@ -401,9 +451,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -401,9 +453,10 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
@@ -3489,7 +3491,7 @@ index 1d732f1e7..6a7c8001a 100644
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -416,7 +467,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -416,7 +469,6 @@ files_read_usr_files(sysadm_passwd_t)
domain_use_interactive_fds(sysadm_passwd_t)
@@ -3497,7 +3499,7 @@ index 1d732f1e7..6a7c8001a 100644
files_relabel_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t)
# for nscd lookups
-@@ -426,12 +476,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+@@ -426,12 +478,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(sysadm_passwd_t)
@@ -3510,7 +3512,7 @@ index 1d732f1e7..6a7c8001a 100644
userdom_use_unpriv_users_fds(sysadm_passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
-@@ -446,8 +493,10 @@ optional_policy(`
+@@ -446,8 +495,10 @@ optional_policy(`
# Useradd local policy
#
@@ -3523,7 +3525,7 @@ index 1d732f1e7..6a7c8001a 100644
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
allow useradd_t self:fd use;
-@@ -461,6 +510,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -461,6 +512,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
@@ -3534,7 +3536,7 @@ index 1d732f1e7..6a7c8001a 100644
# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)
-@@ -468,29 +521,28 @@ corecmd_exec_shell(useradd_t)
+@@ -468,29 +523,28 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -3574,7 +3576,7 @@ index 1d732f1e7..6a7c8001a 100644
auth_run_chk_passwd(useradd_t, useradd_roles)
auth_rw_lastlog(useradd_t)
-@@ -498,45 +550,50 @@ auth_rw_faillog(useradd_t)
+@@ -498,45 +552,50 @@ auth_rw_faillog(useradd_t)
auth_use_nsswitch(useradd_t)
# these may be unnecessary due to the above
# domtrans_chk_passwd() call.
@@ -3636,7 +3638,7 @@ index 1d732f1e7..6a7c8001a 100644
')
optional_policy(`
-@@ -545,14 +602,27 @@ optional_policy(`
+@@ -545,14 +604,27 @@ optional_policy(`
')
optional_policy(`
@@ -3664,7 +3666,7 @@ index 1d732f1e7..6a7c8001a 100644
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)
')
-@@ -562,3 +632,12 @@ optional_policy(`
+@@ -562,3 +634,12 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
@@ -33740,7 +33742,7 @@ index 247958765..890e1e293 100644
/var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b669..3db526f84 100644
+index 3efd5b669..190c29841 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -34030,7 +34032,32 @@ index 3efd5b669..3db526f84 100644
')
########################################
-@@ -664,6 +759,10 @@ interface(`auth_manage_shadow',`
+@@ -534,6 +629,24 @@ interface(`auth_dontaudit_getattr_shadow',`
+
+ ########################################
+ ##
++## Mmap the shadow passwords file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_map_shadow',`
++ gen_require(`
++ type shadow_t;
++ ')
++
++ allow $1 shadow_t:file map;
++')
++
++########################################
++##
+ ## Read the shadow passwords file (/etc/shadow)
+ ##
+ ##
+@@ -664,6 +777,10 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -34041,7 +34068,7 @@ index 3efd5b669..3db526f84 100644
')
#######################################
-@@ -763,7 +862,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +880,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@@ -34093,7 +34120,7 @@ index 3efd5b669..3db526f84 100644
')
#######################################
-@@ -824,9 +966,29 @@ interface(`auth_rw_lastlog',`
+@@ -824,9 +984,29 @@ interface(`auth_rw_lastlog',`
allow $1 lastlog_t:file { rw_file_perms lock setattr };
')
@@ -34124,7 +34151,7 @@ index 3efd5b669..3db526f84 100644
##
##
##
-@@ -834,12 +996,27 @@ interface(`auth_rw_lastlog',`
+@@ -834,12 +1014,27 @@ interface(`auth_rw_lastlog',`
##
##
#
@@ -34155,7 +34182,7 @@ index 3efd5b669..3db526f84 100644
')
########################################
-@@ -854,15 +1031,15 @@ interface(`auth_domtrans_pam',`
+@@ -854,15 +1049,15 @@ interface(`auth_domtrans_pam',`
#
interface(`auth_signal_pam',`
gen_require(`
@@ -34174,7 +34201,7 @@ index 3efd5b669..3db526f84 100644
##
##
##
-@@ -875,13 +1052,33 @@ interface(`auth_signal_pam',`
+@@ -875,13 +1070,33 @@ interface(`auth_signal_pam',`
##
##
#
@@ -34212,7 +34239,7 @@ index 3efd5b669..3db526f84 100644
')
########################################
-@@ -959,9 +1156,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1174,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@@ -34246,7 +34273,7 @@ index 3efd5b669..3db526f84 100644
')
########################################
-@@ -1040,6 +1258,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1276,10 @@ interface(`auth_manage_pam_pid',`
files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms;
@@ -34257,7 +34284,7 @@ index 3efd5b669..3db526f84 100644
')
########################################
-@@ -1176,6 +1398,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1176,6 +1416,7 @@ interface(`auth_manage_pam_console_data',`
files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -34265,7 +34292,7 @@ index 3efd5b669..3db526f84 100644
')
#######################################
-@@ -1576,6 +1799,25 @@ interface(`auth_setattr_login_records',`
+@@ -1576,6 +1817,25 @@ interface(`auth_setattr_login_records',`
########################################
##
@@ -34291,7 +34318,7 @@ index 3efd5b669..3db526f84 100644
## Read login records files (/var/log/wtmp).
##
##
-@@ -1726,24 +1968,63 @@ interface(`auth_manage_login_records',`
+@@ -1726,24 +1986,63 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
@@ -34359,7 +34386,7 @@ index 3efd5b669..3db526f84 100644
')
########################################
-@@ -1767,11 +2048,13 @@ interface(`auth_relabel_login_records',`
+@@ -1767,11 +2066,13 @@ interface(`auth_relabel_login_records',`
##
#
interface(`auth_use_nsswitch',`
@@ -34376,7 +34403,7 @@ index 3efd5b669..3db526f84 100644
')
########################################
-@@ -1805,3 +2088,280 @@ interface(`auth_unconfined',`
+@@ -1805,3 +2106,298 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -34492,6 +34519,24 @@ index 3efd5b669..3db526f84 100644
+
+########################################
+##
++## Mmap the passwd passwords file (/etc/passwd)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_map_passwd',`
++ gen_require(`
++ type passwd_file_t;
++ ')
++
++ allow $1 passwd_file_t:file map;
++')
++
++########################################
++##
+## Do not audit attempts to read the passwd
+## password file (/etc/passwd).
+##
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 49936dd..8e51ee1 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -53630,7 +53630,7 @@ index 6194b806b..e27c53d6e 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4fc..7d5d385a2 100644
+index 11ac8e4fc..3c24a12ef 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
@@ -53750,7 +53750,7 @@ index 11ac8e4fc..7d5d385a2 100644
########################################
#
# Local policy
-@@ -75,27 +109,30 @@ optional_policy(`
+@@ -75,104 +109,101 @@ optional_policy(`
allow mozilla_t self:capability { sys_nice setgid setuid };
allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
allow mozilla_t self:fifo_file rw_fifo_file_perms;
@@ -53794,10 +53794,10 @@ index 11ac8e4fc..7d5d385a2 100644
manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
-@@ -103,76 +140,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
-
+-
-allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms;
-allow mozilla_t mozilla_plugin_rw_t:file read_file_perms;
-allow mozilla_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
@@ -53805,7 +53805,8 @@ index 11ac8e4fc..7d5d385a2 100644
-stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)
-
-can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })
--
++allow mozilla_plugin_t mozilla_tmpfs_t:file map;
+
kernel_read_kernel_sysctls(mozilla_t)
kernel_read_network_state(mozilla_t)
+# Access /proc, sysctl
@@ -53902,7 +53903,7 @@ index 11ac8e4fc..7d5d385a2 100644
term_dontaudit_getattr_pty_dirs(mozilla_t)
-@@ -181,56 +211,73 @@ auth_use_nsswitch(mozilla_t)
+@@ -181,56 +212,73 @@ auth_use_nsswitch(mozilla_t)
logging_send_syslog_msg(mozilla_t)
miscfiles_read_fonts(mozilla_t)
@@ -54013,7 +54014,7 @@ index 11ac8e4fc..7d5d385a2 100644
')
optional_policy(`
-@@ -244,19 +291,12 @@ optional_policy(`
+@@ -244,19 +292,12 @@ optional_policy(`
optional_policy(`
cups_read_rw_config(mozilla_t)
@@ -54035,7 +54036,7 @@ index 11ac8e4fc..7d5d385a2 100644
optional_policy(`
networkmanager_dbus_chat(mozilla_t)
-@@ -265,33 +305,32 @@ optional_policy(`
+@@ -265,33 +306,32 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
@@ -54083,7 +54084,7 @@ index 11ac8e4fc..7d5d385a2 100644
')
optional_policy(`
-@@ -300,259 +339,258 @@ optional_policy(`
+@@ -300,259 +340,258 @@ optional_policy(`
########################################
#
@@ -54488,7 +54489,7 @@ index 11ac8e4fc..7d5d385a2 100644
')
optional_policy(`
-@@ -560,7 +598,11 @@ optional_policy(`
+@@ -560,7 +599,11 @@ optional_policy(`
')
optional_policy(`
@@ -54501,7 +54502,7 @@ index 11ac8e4fc..7d5d385a2 100644
')
optional_policy(`
-@@ -568,108 +610,144 @@ optional_policy(`
+@@ -568,108 +611,144 @@ optional_policy(`
')
optional_policy(`
@@ -80891,10 +80892,10 @@ index 45843b55c..4d1adace5 100644
+ ps_process_pattern($1, pulseaudio_t)
')
diff --git a/pulseaudio.te b/pulseaudio.te
-index 6643b49c2..dd0c3d371 100644
+index 6643b49c2..22214f676 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
-@@ -8,61 +8,49 @@ policy_module(pulseaudio, 1.6.0)
+@@ -8,61 +8,50 @@ policy_module(pulseaudio, 1.6.0)
attribute pulseaudio_client;
attribute pulseaudio_tmpfsfile;
@@ -80970,10 +80971,11 @@ index 6643b49c2..dd0c3d371 100644
+# ~/.esd_auth - maybe we should label this pulseaudio_home_t?
+userdom_read_user_home_content_files(pulseaudio_t)
+userdom_search_admin_dir(pulseaudio_t)
++userdom_map_tmp_files(pulseaudio_t)
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
-@@ -72,10 +60,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
+@@ -72,10 +61,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
@@ -80985,7 +80987,7 @@ index 6643b49c2..dd0c3d371 100644
can_exec(pulseaudio_t, pulseaudio_exec_t)
-@@ -85,62 +70,58 @@ kernel_read_kernel_sysctls(pulseaudio_t)
+@@ -85,62 +71,58 @@ kernel_read_kernel_sysctls(pulseaudio_t)
corecmd_exec_bin(pulseaudio_t)
@@ -81067,7 +81069,7 @@ index 6643b49c2..dd0c3d371 100644
')
optional_policy(`
-@@ -153,8 +134,9 @@ optional_policy(`
+@@ -153,8 +135,9 @@ optional_policy(`
optional_policy(`
dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
@@ -81079,7 +81081,7 @@ index 6643b49c2..dd0c3d371 100644
optional_policy(`
consolekit_dbus_chat(pulseaudio_t)
-@@ -174,29 +156,49 @@ optional_policy(`
+@@ -174,29 +157,49 @@ optional_policy(`
')
optional_policy(`
@@ -81131,7 +81133,7 @@ index 6643b49c2..dd0c3d371 100644
#
# Client local policy
#
-@@ -210,8 +212,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi
+@@ -210,8 +213,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi
fs_getattr_tmpfs(pulseaudio_client)
@@ -81140,7 +81142,7 @@ index 6643b49c2..dd0c3d371 100644
corenet_tcp_sendrecv_generic_if(pulseaudio_client)
corenet_tcp_sendrecv_generic_node(pulseaudio_client)
-@@ -220,38 +220,33 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
+@@ -220,38 +221,33 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client)
pulseaudio_stream_connect(pulseaudio_client)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8636194..ee81507 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 282%{?dist}
+Release: 283%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -681,6 +681,11 @@ exit 0
%endif
%changelog
+* Tue Sep 12 2017 Lukas Vrabec - 3.13.1-283
+- Allow passwd_t domain mmap /etc/shadow and /etc/passwd
+- Allow pulseaudio_t domain to map user tmp files
+- Allow mozilla plugin to mmap mozilla tmpfs files
+
* Mon Sep 11 2017 Lukas Vrabec - 3.13.1-282
- Add new bunch of map rules
- Merge pull request #25 from NetworkManager/nm-ovs