diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 1f4d9ec..3bbf129 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index b727ff9..c922d1b 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5718,7 +5718,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..5ee0a46 100644
+index b191055..1be0b6d 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5874,7 +5874,7 @@ index b191055..5ee0a46 100644
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +179,57 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +179,58 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5916,6 +5916,7 @@ index b191055..5ee0a46 100644
+network_port(keystone, tcp, 35357,s0, udp, 35357,s0)
+network_port(kubernetes, tcp, 10250,s0, tcp, 4001,s0, tcp, 4194,s0)
+network_port(lltng, tcp, 5345, s0)
++network_port(llmnr, tcp, 5355, s0, udp, 5355,s0)
+network_port(rabbitmq, tcp,25672,s0)
+network_port(rkt, tcp,18112,s0)
+network_port(rlogin, tcp,543,s0, tcp,2105,s0)
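Review bot: The new `llmnr` port declaration labels both tcp and udp 5355, while the changelog entry for this release describes it as labelling only the tcp port; one of the two should be aligned, and since LLMNR uses both transports the declaration is the one to keep. The entry is also inserted after `lltng` although it sorts before it alphabetically, and it uses the spaced form `tcp, 5355, s0` where the neighbouring `rabbitmq`, `rkt` and `rlogin` lines use `tcp,25672,s0`; `network_port(llmnr, tcp,5355,s0, udp,5355,s0)` placed one line earlier matches the surrounding style. The surrounding `network_port` list continues outside this hunk.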
@@ -5947,7 +5948,7 @@ index b191055..5ee0a46 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,101 +237,126 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,101 +238,126 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@@ -6092,7 +6093,7 @@ index b191055..5ee0a46 100644
network_port(xserver, tcp,6000-6020,s0)
network_port(zarafa, tcp,236,s0, tcp,237,s0)
network_port(zabbix, tcp,10051,s0)
-@@ -288,19 +364,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +365,23 @@ network_port(zabbix_agent, tcp,10050,s0)
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
@@ -6119,7 +6120,7 @@ index b191055..5ee0a46 100644
########################################
#
-@@ -333,6 +413,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +414,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@@ -6128,7 +6129,7 @@ index b191055..5ee0a46 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
-@@ -345,9 +427,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +428,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -6332,7 +6333,7 @@ index b31c054..8722f6d 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..b7a4271 100644
+index 76f285e..1c1addd 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -7288,7 +7289,7 @@ index 76f285e..b7a4271 100644
')
########################################
-@@ -3144,6 +3686,42 @@ interface(`dev_create_null_dev',`
+@@ -3144,6 +3686,60 @@ interface(`dev_create_null_dev',`
########################################
##
@@ -7328,10 +7329,28 @@ index 76f285e..b7a4271 100644
+
+########################################
+##
++## Read Non-Volatile Memory Host Controller Interface.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_nvme',`
++ gen_require(`
++ type nvme_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, nvme_device_t)
++')
++
++########################################
++##
## Do not audit attempts to get the attributes
## of the BIOS non-volatile RAM device.
##
-@@ -3163,6 +3741,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
+@@ -3163,6 +3759,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
########################################
##
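Review bot: `dev_read_nvme` lists only `nvme_device_t` in its gen_require while its body also references `device_t` as the directory type; the comparable interfaces in this file (`dev_getattr_vfio_dev`, `dev_read_vfio_dev`) spell that out as `type device_t, nvme_device_t;`, and doing the same here keeps the interface self-describing. The declaration of `nvme_device_t` in devices.te and a file context for the NVMe controller nodes are not visible anywhere in this diff; if they are not added elsewhere, the build will fail on the undeclared type when `dev_read_nvme(systemd_gpt_generator_t)` in systemd.te is expanded. The summary could also name the object being read, e.g. `## Read the NVMe host controller character devices.`.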
@@ -7356,7 +7375,7 @@ index 76f285e..b7a4271 100644
## Read and write BIOS non-volatile RAM.
##
##
-@@ -3254,7 +3850,25 @@ interface(`dev_rw_printer',`
+@@ -3254,7 +3868,25 @@ interface(`dev_rw_printer',`
########################################
##
@@ -7383,7 +7402,7 @@ index 76f285e..b7a4271 100644
##
##
##
-@@ -3262,12 +3876,13 @@ interface(`dev_rw_printer',`
+@@ -3262,12 +3894,13 @@ interface(`dev_rw_printer',`
##
##
#
@@ -7400,7 +7419,7 @@ index 76f285e..b7a4271 100644
')
########################################
-@@ -3399,7 +4014,7 @@ interface(`dev_dontaudit_read_rand',`
+@@ -3399,7 +4032,7 @@ interface(`dev_dontaudit_read_rand',`
########################################
##
@@ -7409,7 +7428,7 @@ index 76f285e..b7a4271 100644
## number generator devices (e.g., /dev/random)
##
##
-@@ -3413,7 +4028,7 @@ interface(`dev_dontaudit_append_rand',`
+@@ -3413,7 +4046,7 @@ interface(`dev_dontaudit_append_rand',`
type random_device_t;
')
@@ -7418,7 +7437,7 @@ index 76f285e..b7a4271 100644
')
########################################
-@@ -3855,7 +4470,7 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,7 +4488,7 @@ interface(`dev_getattr_sysfs_dirs',`
########################################
##
@@ -7427,7 +7446,7 @@ index 76f285e..b7a4271 100644
##
##
##
-@@ -3863,91 +4478,89 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3863,91 +4496,89 @@ interface(`dev_getattr_sysfs_dirs',`
##
##
#
@@ -7538,7 +7557,7 @@ index 76f285e..b7a4271 100644
##
##
##
-@@ -3955,68 +4568,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3955,68 +4586,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
##
##
#
@@ -7617,7 +7636,7 @@ index 76f285e..b7a4271 100644
##
##
##
-@@ -4024,114 +4622,97 @@ interface(`dev_rw_sysfs',`
+@@ -4024,114 +4640,97 @@ interface(`dev_rw_sysfs',`
##
##
#
@@ -7762,7 +7781,7 @@ index 76f285e..b7a4271 100644
##
##
##
-@@ -4139,35 +4720,50 @@ interface(`dev_getattr_generic_usb_dev',`
+@@ -4139,35 +4738,50 @@ interface(`dev_getattr_generic_usb_dev',`
##
##
#
@@ -7821,58 +7840,50 @@ index 76f285e..b7a4271 100644
##
##
##
-@@ -4175,17 +4771,20 @@ interface(`dev_read_generic_usb_dev',`
+@@ -4175,7 +4789,254 @@ interface(`dev_read_generic_usb_dev',`
##
##
#
-interface(`dev_rw_generic_usb_dev',`
+interface(`dev_rw_sysfs',`
- gen_require(`
-- type device_t, usb_device_t;
++ gen_require(`
+ type sysfs_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, usb_device_t)
++ ')
++
+ rw_files_pattern($1, sysfs_t, sysfs_t)
+ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+
+ list_dirs_pattern($1, sysfs_t, sysfs_t)
- ')
-
- ########################################
- ##
--## Relabel generic the USB devices.
++')
++
++########################################
++##
+## Relabel hardware state directories.
- ##
- ##
- ##
-@@ -4193,17 +4792,17 @@ interface(`dev_rw_generic_usb_dev',`
- ##
- ##
- #
--interface(`dev_relabel_generic_usb_dev',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`dev_relabel_sysfs_dirs',`
- gen_require(`
-- type usb_device_t;
++ gen_require(`
+ type sysfs_t;
- ')
-
-- relabel_chr_files_pattern($1, device_t, usb_device_t)
++ ')
++
+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
- ')
-
- ########################################
- ##
--## Read USB monitor devices.
++')
++
++########################################
++##
+## Relabel hardware state files
- ##
- ##
- ##
-@@ -4211,7 +4810,251 @@ interface(`dev_relabel_generic_usb_dev',`
- ##
- ##
- #
--interface(`dev_read_usbmon_dev',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`dev_relabel_all_sysfs',`
+ gen_require(`
+ type sysfs_t;
@@ -8082,59 +8093,65 @@ index 76f285e..b7a4271 100644
+##
+#
+interface(`dev_rw_generic_usb_dev',`
-+ gen_require(`
-+ type device_t, usb_device_t;
-+ ')
-+
-+ rw_chr_files_pattern($1, device_t, usb_device_t)
-+')
-+
-+########################################
-+##
-+## Relabel generic the USB devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_relabel_generic_usb_dev',`
-+ gen_require(`
-+ type usb_device_t;
-+ ')
-+
-+ relabel_chr_files_pattern($1, device_t, usb_device_t)
-+')
-+
-+########################################
-+##
-+## Read USB monitor devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_read_usbmon_dev',`
gen_require(`
- type device_t, usbmon_device_t;
+ type device_t, usb_device_t;
')
-@@ -4267,15 +5110,169 @@ interface(`dev_mount_usbfs',`
+@@ -4409,9 +5270,9 @@ interface(`dev_rw_usbfs',`
+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+ ')
+
+-########################################
++######################################
+ ##
+-## Get the attributes of video4linux devices.
++## Read and write userio device.
+ ##
+ ##
+ ##
+@@ -4419,17 +5280,17 @@ interface(`dev_rw_usbfs',`
+ ##
+ ##
#
- interface(`dev_associate_usbfs',`
+-interface(`dev_getattr_video_dev',`
++interface(`dev_rw_userio_dev',`
gen_require(`
-- type usbfs_t;
-+ type usbfs_t;
-+ ')
-+
-+ allow $1 usbfs_t:filesystem associate;
-+')
-+
+- type device_t, v4l_device_t;
++ type device_t, userio_device_t;
+ ')
+
+- getattr_chr_files_pattern($1, device_t, v4l_device_t)
++ rw_chr_files_pattern($1, device_t, userio_device_t)
+ ')
+
+-######################################
+########################################
-+##
-+## Get the attributes of a directory in the usb filesystem.
+ ##
+-## Read and write userio device.
++## Get the attributes of video4linux devices.
+ ##
+ ##
+ ##
+@@ -4437,12 +5298,12 @@ interface(`dev_getattr_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_rw_userio_dev',`
++interface(`dev_getattr_video_dev',`
+ gen_require(`
+- type device_t, userio_device_t;
++ type device_t, v4l_device_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, userio_device_t)
++ getattr_chr_files_pattern($1, device_t, v4l_device_t)
+ ')
+
+ ########################################
+@@ -4539,6 +5400,134 @@ interface(`dev_write_video_dev',`
+
+ ########################################
+ ##
++## Get the attributes of vfio devices.
+##
+##
+##
@@ -8142,18 +8159,18 @@ index 76f285e..b7a4271 100644
+##
+##
+#
-+interface(`dev_getattr_usbfs_dirs',`
++interface(`dev_getattr_vfio_dev',`
+ gen_require(`
-+ type usbfs_t;
++ type device_t, vfio_device_t;
+ ')
+
-+ allow $1 usbfs_t:dir getattr_dir_perms;
++ getattr_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+##
+## Do not audit attempts to get the attributes
-+## of a directory in the usb filesystem.
++## of vfio device nodes.
+##
+##
+##
@@ -8161,17 +8178,17 @@ index 76f285e..b7a4271 100644
+##
+##
+#
-+interface(`dev_dontaudit_getattr_usbfs_dirs',`
++interface(`dev_dontaudit_getattr_vfio_dev',`
+ gen_require(`
-+ type usbfs_t;
++ type vfio_device_t;
+ ')
+
-+ dontaudit $1 usbfs_t:dir getattr_dir_perms;
++ dontaudit $1 vfio_device_t:chr_file getattr;
+')
+
+########################################
+##
-+## Search the directory containing USB hardware information.
++## Set the attributes of vfio device nodes.
+##
+##
+##
@@ -8179,38 +8196,36 @@ index 76f285e..b7a4271 100644
+##
+##
+#
-+interface(`dev_search_usbfs',`
++interface(`dev_setattr_vfio_dev',`
+ gen_require(`
-+ type usbfs_t;
++ type device_t, vfio_device_t;
+ ')
+
-+ search_dirs_pattern($1, usbfs_t, usbfs_t)
++ setattr_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+##
-+## Allow caller to get a list of usb hardware.
++## Do not audit attempts to set the attributes
++## of vfio device nodes.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`dev_list_usbfs',`
++interface(`dev_dontaudit_setattr_vfio_dev',`
+ gen_require(`
-+ type usbfs_t;
++ type vfio_device_t;
+ ')
+
-+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-+ getattr_files_pattern($1, usbfs_t, usbfs_t)
-+
-+ list_dirs_pattern($1, usbfs_t, usbfs_t)
++ dontaudit $1 vfio_device_t:chr_file setattr;
+')
+
+########################################
+##
-+## Set the attributes of usbfs filesystem.
++## Read the vfio devices.
+##
+##
+##
@@ -8218,19 +8233,17 @@ index 76f285e..b7a4271 100644
+##
+##
+#
-+interface(`dev_setattr_usbfs_files',`
++interface(`dev_read_vfio_dev',`
+ gen_require(`
-+ type usbfs_t;
++ type device_t, vfio_device_t;
+ ')
+
-+ setattr_files_pattern($1, usbfs_t, usbfs_t)
-+ list_dirs_pattern($1, usbfs_t, usbfs_t)
++ read_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+##
-+## Read USB hardware information using
-+## the usbfs filesystem interface.
++## Write the vfio devices.
+##
+##
+##
@@ -8238,19 +8251,17 @@ index 76f285e..b7a4271 100644
+##
+##
+#
-+interface(`dev_read_usbfs',`
++interface(`dev_write_vfio_dev',`
+ gen_require(`
-+ type usbfs_t;
++ type device_t, vfio_device_t;
+ ')
+
-+ read_files_pattern($1, usbfs_t, usbfs_t)
-+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-+ list_dirs_pattern($1, usbfs_t, usbfs_t)
++ write_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+##
-+## Allow caller to modify usb hardware configuration files.
++## Read and write the VFIO devices.
+##
+##
+##
@@ -8258,19 +8269,24 @@ index 76f285e..b7a4271 100644
+##
+##
+#
-+interface(`dev_rw_usbfs',`
++interface(`dev_rw_vfio_dev',`
+ gen_require(`
-+ type usbfs_t;
++ type device_t, vfio_device_t;
+ ')
+
-+ list_dirs_pattern($1, usbfs_t, usbfs_t)
-+ rw_files_pattern($1, usbfs_t, usbfs_t)
-+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
++ rw_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
-+######################################
++########################################
+##
-+## Read and write userio device.
+ ## Allow read/write the vhost net device
+ ##
+ ##
+@@ -4557,6 +5546,24 @@ interface(`dev_rw_vhost',`
+
+ ########################################
+ ##
++## Allow read/write inheretid the vhost net device
+##
+##
+##
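Review bot: The summary line `## Allow read/write inheretid the vhost net device` added at the end of this hunk misspells "inherited"; `## Allow read/write of an inherited vhost net device file descriptor.` also makes it clear that no `open` permission is granted, which is the point of the interface. The interface body it documents (`dev_rw_inherited_vhost`) continues in the next hunk.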
@@ -8278,365 +8294,20 @@ index 76f285e..b7a4271 100644
+##
+##
+#
-+interface(`dev_rw_userio_dev',`
++interface(`dev_rw_inherited_vhost',`
+ gen_require(`
-+ type device_t, userio_device_t;
- ')
-
-- allow $1 usbfs_t:filesystem associate;
-+ rw_chr_files_pattern($1, device_t, userio_device_t)
- ')
-
- ########################################
- ##
--## Get the attributes of a directory in the usb filesystem.
-+## Get the attributes of video4linux devices.
- ##
- ##
- ##
-@@ -4283,18 +5280,18 @@ interface(`dev_associate_usbfs',`
- ##
- ##
- #
--interface(`dev_getattr_usbfs_dirs',`
-+interface(`dev_getattr_video_dev',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, v4l_device_t;
- ')
-
-- allow $1 usbfs_t:dir getattr_dir_perms;
-+ getattr_chr_files_pattern($1, device_t, v4l_device_t)
- ')
-
- ########################################
- ##
- ## Do not audit attempts to get the attributes
--## of a directory in the usb filesystem.
-+## of video4linux device nodes.
- ##
- ##
- ##
-@@ -4302,17 +5299,17 @@ interface(`dev_getattr_usbfs_dirs',`
- ##
- ##
- #
--interface(`dev_dontaudit_getattr_usbfs_dirs',`
-+interface(`dev_dontaudit_getattr_video_dev',`
- gen_require(`
-- type usbfs_t;
-+ type v4l_device_t;
- ')
-
-- dontaudit $1 usbfs_t:dir getattr_dir_perms;
-+ dontaudit $1 v4l_device_t:chr_file getattr;
- ')
-
- ########################################
- ##
--## Search the directory containing USB hardware information.
-+## Set the attributes of video4linux device nodes.
- ##
- ##
- ##
-@@ -4320,38 +5317,36 @@ interface(`dev_dontaudit_getattr_usbfs_dirs',`
- ##
- ##
- #
--interface(`dev_search_usbfs',`
-+interface(`dev_setattr_video_dev',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, v4l_device_t;
- ')
-
-- search_dirs_pattern($1, usbfs_t, usbfs_t)
-+ setattr_chr_files_pattern($1, device_t, v4l_device_t)
- ')
-
- ########################################
- ##
--## Allow caller to get a list of usb hardware.
-+## Do not audit attempts to set the attributes
-+## of video4linux device nodes.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`dev_list_usbfs',`
-+interface(`dev_dontaudit_setattr_video_dev',`
- gen_require(`
-- type usbfs_t;
-+ type v4l_device_t;
- ')
-
-- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-- getattr_files_pattern($1, usbfs_t, usbfs_t)
--
-- list_dirs_pattern($1, usbfs_t, usbfs_t)
-+ dontaudit $1 v4l_device_t:chr_file setattr;
- ')
-
- ########################################
- ##
--## Set the attributes of usbfs filesystem.
-+## Read the video4linux devices.
- ##
- ##
- ##
-@@ -4359,19 +5354,17 @@ interface(`dev_list_usbfs',`
- ##
- ##
- #
--interface(`dev_setattr_usbfs_files',`
-+interface(`dev_read_video_dev',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, v4l_device_t;
- ')
-
-- setattr_files_pattern($1, usbfs_t, usbfs_t)
-- list_dirs_pattern($1, usbfs_t, usbfs_t)
-+ read_chr_files_pattern($1, device_t, v4l_device_t)
- ')
-
- ########################################
- ##
--## Read USB hardware information using
--## the usbfs filesystem interface.
-+## Write the video4linux devices.
- ##
- ##
- ##
-@@ -4379,19 +5372,17 @@ interface(`dev_setattr_usbfs_files',`
- ##
- ##
- #
--interface(`dev_read_usbfs',`
-+interface(`dev_write_video_dev',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, v4l_device_t;
- ')
-
-- read_files_pattern($1, usbfs_t, usbfs_t)
-- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-- list_dirs_pattern($1, usbfs_t, usbfs_t)
-+ write_chr_files_pattern($1, device_t, v4l_device_t)
- ')
-
- ########################################
- ##
--## Allow caller to modify usb hardware configuration files.
-+## Get the attributes of vfio devices.
- ##
- ##
- ##
-@@ -4399,37 +5390,36 @@ interface(`dev_read_usbfs',`
- ##
- ##
- #
--interface(`dev_rw_usbfs',`
-+interface(`dev_getattr_vfio_dev',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, vfio_device_t;
- ')
-
-- list_dirs_pattern($1, usbfs_t, usbfs_t)
-- rw_files_pattern($1, usbfs_t, usbfs_t)
-- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-+ getattr_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
- ##
--## Get the attributes of video4linux devices.
-+## Do not audit attempts to get the attributes
-+## of vfio device nodes.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`dev_getattr_video_dev',`
-+interface(`dev_dontaudit_getattr_vfio_dev',`
- gen_require(`
-- type device_t, v4l_device_t;
-+ type vfio_device_t;
- ')
-
-- getattr_chr_files_pattern($1, device_t, v4l_device_t)
-+ dontaudit $1 vfio_device_t:chr_file getattr;
- ')
-
--######################################
-+########################################
- ##
--## Read and write userio device.
-+## Set the attributes of vfio device nodes.
- ##
- ##
- ##
-@@ -4437,18 +5427,18 @@ interface(`dev_getattr_video_dev',`
- ##
- ##
- #
--interface(`dev_rw_userio_dev',`
-+interface(`dev_setattr_vfio_dev',`
- gen_require(`
-- type device_t, userio_device_t;
-+ type device_t, vfio_device_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, userio_device_t)
-+ setattr_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of video4linux device nodes.
-+## Do not audit attempts to set the attributes
-+## of vfio device nodes.
- ##
- ##
- ##
-@@ -4456,17 +5446,17 @@ interface(`dev_rw_userio_dev',`
- ##
- ##
- #
--interface(`dev_dontaudit_getattr_video_dev',`
-+interface(`dev_dontaudit_setattr_vfio_dev',`
- gen_require(`
-- type v4l_device_t;
-+ type vfio_device_t;
- ')
-
-- dontaudit $1 v4l_device_t:chr_file getattr;
-+ dontaudit $1 vfio_device_t:chr_file setattr;
- ')
-
- ########################################
- ##
--## Set the attributes of video4linux device nodes.
-+## Read the vfio devices.
- ##
- ##
- ##
-@@ -4474,36 +5464,35 @@ interface(`dev_dontaudit_getattr_video_dev',`
- ##
- ##
- #
--interface(`dev_setattr_video_dev',`
-+interface(`dev_read_vfio_dev',`
- gen_require(`
-- type device_t, v4l_device_t;
-+ type device_t, vfio_device_t;
- ')
-
-- setattr_chr_files_pattern($1, device_t, v4l_device_t)
-+ read_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to set the attributes
--## of video4linux device nodes.
-+## Write the vfio devices.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`dev_dontaudit_setattr_video_dev',`
-+interface(`dev_write_vfio_dev',`
- gen_require(`
-- type v4l_device_t;
-+ type device_t, vfio_device_t;
- ')
-
-- dontaudit $1 v4l_device_t:chr_file setattr;
-+ write_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
- ##
--## Read the video4linux devices.
-+## Read and write the VFIO devices.
- ##
- ##
- ##
-@@ -4511,17 +5500,17 @@ interface(`dev_dontaudit_setattr_video_dev',`
- ##
- ##
- #
--interface(`dev_read_video_dev',`
-+interface(`dev_rw_vfio_dev',`
- gen_require(`
-- type device_t, v4l_device_t;
-+ type device_t, vfio_device_t;
- ')
-
-- read_chr_files_pattern($1, device_t, v4l_device_t)
-+ rw_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
- ##
--## Write the video4linux devices.
-+## Allow read/write the vhost net device
- ##
- ##
- ##
-@@ -4529,17 +5518,17 @@ interface(`dev_read_video_dev',`
- ##
- ##
- #
--interface(`dev_write_video_dev',`
-+interface(`dev_rw_vhost',`
- gen_require(`
-- type device_t, v4l_device_t;
+ type device_t, vhost_device_t;
- ')
-
-- write_chr_files_pattern($1, device_t, v4l_device_t)
-+ rw_chr_files_pattern($1, device_t, vhost_device_t)
- ')
-
- ########################################
- ##
--## Allow read/write the vhost net device
-+## Allow read/write inheretid the vhost net device
++ ')
++
++ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++##
+ ## Read and write VMWare devices.
##
##
- ##
-@@ -4547,12 +5536,12 @@ interface(`dev_write_video_dev',`
- ##
- ##
- #
--interface(`dev_rw_vhost',`
-+interface(`dev_rw_inherited_vhost',`
- gen_require(`
- type device_t, vhost_device_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, vhost_device_t)
-+ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
- ')
-
- ########################################
-@@ -4630,6 +5619,24 @@ interface(`dev_write_watchdog',`
+@@ -4630,6 +5637,24 @@ interface(`dev_write_watchdog',`
########################################
##
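Review bot: `dev_rw_inherited_vhost` requires `type device_t, vhost_device_t;` but its only rule, `allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;`, never references `device_t`; trimming the require to `type vhost_device_t;` matches how the dontaudit interfaces in this file declare only the types they actually use. The intent of the interface, granting read/write on an already-open descriptor without `open`, is sound for a domain that inherits the fd from init, and keeping `dev_rw_vhost` as the separate open-capable interface preserves that distinction. Most of this hunk otherwise only re-serialises existing patch content at shifted line numbers.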
@@ -8661,7 +8332,7 @@ index 76f285e..b7a4271 100644
## Read and write the the wireless device.
##
##
-@@ -4762,6 +5769,44 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5787,44 @@ interface(`dev_rw_xserver_misc',`
########################################
##
@@ -8706,7 +8377,7 @@ index 76f285e..b7a4271 100644
## Read and write to the zero device (/dev/zero).
##
##
-@@ -4851,3 +5896,978 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5914,978 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -43837,10 +43508,10 @@ index a392fc4..78fa512 100644
+')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644
-index 0000000..19617c7
+index 0000000..0e4185f
--- /dev/null
+++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,64 @@
+@@ -0,0 +1,68 @@
+HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
+/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
+
@@ -43865,6 +43536,7 @@ index 0000000..19617c7
+/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-machined\.service -- gen_context(system_u:object_r:systemd_machined_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-networkd\.service gen_context(system_u:object_r:systemd_networkd_unit_file_t,s0)
++/usr/lib/systemd/system/systemd-resolved\.service gen_context(system_u:object_r:systemd_resolved_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-vconsole-setup\.service gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-rfkill\.service -- gen_context(system_u:object_r:systemd_rfkill_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-time.*\.service -- gen_context(system_u:object_r:systemd_timedated_unit_file_t,s0)
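Review bot: The new `systemd-resolved\.service` entry omits the `--` regular-file qualifier that the neighbouring `systemd-machined`, `systemd-rfkill` and `systemd-time.*` unit entries carry, so the context would also be applied to a directory or symlink at that path; `/usr/lib/systemd/system/systemd-resolved\.service -- gen_context(system_u:object_r:systemd_resolved_unit_file_t,s0)` matches the surrounding style. The same omission is in the `systemd-resolve(d|-host)` executable entry in the next hunk, where the sibling `systemd-networkd` and `systemd-tmpfiles` entries use `--`. The `systemd-networkd\.service` line just above has the same gap, but that is pre-existing.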
@@ -43887,6 +43559,8 @@ index 0000000..19617c7
+/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
+/usr/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+/usr/lib/systemd/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
++/usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
++/usr/lib/systemd/systemd-resolve(d|-host) gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
+
+/var/lib/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_lib_t,s0)
+/var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
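Review bot: `/usr/lib/systemd/systemd-resolve(d|-host)` labels the `systemd-resolve-host` client utility with the daemon's entrypoint type `systemd_resolved_exec_t`. If a domain transition on that type is ever added from user or other domains, the client would run in `systemd_resolved_t` and acquire its capability set and llmnr bind rules from systemd.te; unless the client genuinely has to run as the daemon, restricting the regex to the daemon, `/usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0)`, keeps the exec type specific to it. Whether `systemd_domain_template` adds any non-init transition is not verifiable here, since the template is outside this diff.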
@@ -43903,6 +43577,7 @@ index 0000000..19617c7
+/var/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
+/var/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
+/var/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
++/var/run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
+/var/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
+/var/run/initramfs(/.*)? <>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
@@ -45591,10 +45266,10 @@ index 0000000..21f7c14
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..551317f
+index 0000000..f4783a5
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,860 @@
+@@ -0,0 +1,904 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -45648,6 +45323,14 @@ index 0000000..551317f
+type systemd_networkd_var_run_t;
+files_pid_file(systemd_networkd_var_run_t)
+
++systemd_domain_template(systemd_resolved)
++
++type systemd_resolved_var_run_t;
++files_pid_file(systemd_resolved_var_run_t)
++
++type systemd_resolved_unit_file_t;
++systemd_unit_file(systemd_resolved_unit_file_t)
++
+# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent
+# systemd components
+
@@ -45703,6 +45386,9 @@ index 0000000..551317f
+
+systemd_domain_template(systemd_sysctl)
+
++#domain for gpt-auto-generator
++systemd_domain_template(systemd_gpt_generator)
++
+#domain for systemd-machined
+systemd_domain_template(systemd_machined)
+
@@ -46411,11 +46097,44 @@ index 0000000..551317f
+#
+# systemd_hwdb domain
+#
-+
+manage_files_pattern(systemd_hwdb_t, systemd_hwdb_etc_t, systemd_hwdb_etc_t)
+files_etc_filetrans(systemd_hwdb_t, systemd_hwdb_etc_t, file)
+
+
++#######################################
++#
++# systemd_gpt_generator domain
++#
++dev_read_sysfs(systemd_gpt_generator_t)
++dev_write_kmsg(systemd_gpt_generator_t)
++dev_read_nvme(systemd_gpt_generator_t)
++
++#######################################
++#
++# systemd_resolved domain
++#
++
++allow systemd_resolved_t self:capability { chown setgid setpcap setuid };
++allow systemd_resolved_t self:process setcap;
++allow systemd_resolved_t self:tcp_socket { accept listen };
++
++manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
++manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
++init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
++
++list_dirs_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
++
++kernel_dgram_send(systemd_resolved_t)
++
++corenet_tcp_bind_llmnr_port(systemd_resolved_t)
++corenet_udp_bind_llmnr_port(systemd_resolved_t)
++
++sysnet_manage_config(systemd_resolved_t)
++
++optional_policy(`
++ dbus_system_bus_client(systemd_resolved_t)
++')
++
+########################################
+#
+# Common rules for systemd domains
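Review bot: `corenet_tcp_bind_llmnr_port` and `corenet_udp_bind_llmnr_port` give `systemd_resolved_t` the port half of a bind, but no `node_bind` rule is visible in this hunk; unless `systemd_domain_template` supplies it, binding 5355 would still be denied, and `corenet_tcp_bind_generic_node(systemd_resolved_t)` / `corenet_udp_bind_generic_node(systemd_resolved_t)` are the usual companions. `sysnet_manage_config(systemd_resolved_t)` looks broader than the daemon needs: this commit labels `/var/run/systemd/resolve(/.*)?` as `systemd_resolved_var_run_t` and grants manage on it, so the generated resolv.conf lives there and only the `/etc/resolv.conf` symlink and `/etc/hosts` under `net_conf_t` should need reading; `sysnet_read_config(systemd_resolved_t)` would keep the daemon from rewriting shared host configuration, unless denials show otherwise. The `systemd_gpt_generator` block at the top of the hunk depends on `dev_read_nvme`, whose `nvme_device_t` declaration is not in this diff. The "Common rules for systemd domains" section that follows is outside the hunk.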
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f479ed5..1c1d049 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 177%{?dist}
+Release: 178%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -670,6 +670,10 @@ exit 0
%endif
%changelog
+* Thu Mar 10 2016 Lukas Vrabec 3.13.1-178
+- Label tcp port 5355 as llmnr-> Link-Local Multicast Name Resolution
+- Add support systemd-resolved.
+
* Tue Mar 08 2016 Lukas Vrabec 3.13.1-177
- Allow spice-vdagent to getattr on tmpfs_t filesystems Resolves: rhbz#1276251
- Allow sending dbus msgs between firewalld and system_cronjob domains.