diff --git a/container-selinux.tgz b/container-selinux.tgz
index 930b000..09d36e2 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 800ac4a..2487a9f 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -2760,10 +2760,10 @@ index 0960199..2e75ec7 100644
 +    manage_files_pattern($1, sudo_db_t, sudo_db_t)
 +')
 diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index d9fce57..5c4a213 100644
+index d9fce57..8a18a54 100644
 --- a/policy/modules/admin/sudo.te
 +++ b/policy/modules/admin/sudo.te
-@@ -7,3 +7,110 @@ attribute sudodomain;
+@@ -7,3 +7,111 @@ attribute sudodomain;
  
  type sudo_exec_t;
  application_executable_file(sudo_exec_t)
@@ -2868,6 +2868,7 @@ index d9fce57..5c4a213 100644
 +
 +	optional_policy(`
 +		systemd_dbus_chat_logind(sudodomain)
++		init_getpgid(sudodomain)
 +	')
 +')
 +
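Review bot: `init_getpgid(sudodomain)` is added inside the `optional_policy` block that guards `systemd_dbus_chat_logind(sudodomain)`, so it is only compiled in when the systemd module is present, even though init is a base module and init_* calls do not normally need that guard. If the getpgid is genuinely only needed alongside the logind D-Bus chat, a one-line comment above it saying why sudo needs init's process group would justify the placement; otherwise move the call out of the systemd block. The enclosing `optional_policy` opens before this hunk.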
@@ -10185,7 +10186,7 @@ index 6a1e4d1..26e5558 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..990ecf3 100644
+index cf04cb5..43876e0 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -10341,7 +10342,7 @@ index cf04cb5..990ecf3 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -160,11 +237,380 @@ allow unconfined_domain_type domain:msg { send receive };
+@@ -160,11 +237,382 @@ allow unconfined_domain_type domain:msg { send receive };
  
  # For /proc/pid
  allow unconfined_domain_type domain:dir list_dir_perms;
@@ -10558,7 +10559,9 @@ index cf04cb5..990ecf3 100644
 +
 +optional_policy(`
 +	sysnet_filetrans_named_content(named_filetrans_domain)
-+    sysnet_filetrans_named_content_ifconfig(named_filetrans_domain)
++	sysnet_filetrans_named_content_ifconfig(named_filetrans_domain)
++	sysnet_filetrans_named_content(unconfined_domain_type)
++	sysnet_filetrans_named_content_ifconfig(unconfined_domain_type)
 +')
 +
 +optional_policy(`
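Review bot: The two `unconfined_domain_type` filetrans calls added at the end of this block may be redundant if `unconfined_domain_type` already carries the `named_filetrans_domain` attribute, which the first two lines of the block already cover; that attribute assignment is not visible on this page, so check domain.te before keeping both. If they are genuinely needed, a short comment above them stating that unconfined domains do not carry `named_filetrans_domain` would stop the next reader from deleting them as duplicates. The only change to the first `_ifconfig` line is spaces-to-tab, which is fine.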
@@ -17938,7 +17941,7 @@ index d7c11a0..f521a50 100644
  /var/run/shm/.*			<<none>>
 -')
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..b204e90 100644
+index 8416beb..ca45838 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -18437,7 +18440,7 @@ index 8416beb..b204e90 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1878,135 +2122,151 @@ interface(`fs_search_fusefs',`
+@@ -1878,95 +2122,169 @@ interface(`fs_search_fusefs',`
  ##	</summary>
  ## </param>
  #
@@ -18543,7 +18546,6 @@ index 8416beb..b204e90 100644
 -#
 -interface(`fs_exec_fusefs_files',`
 -	gen_require(`
--		type fusefs_t;
 +## <desc>
 +##	<p>
 +##	Execute a file on a FUSE filesystem
@@ -18577,34 +18579,86 @@ index 8416beb..b204e90 100644
 +interface(`fs_ecryptfs_domtrans',`
 +	gen_require(`
 +		type ecryptfs_t;
++	')
++
++	allow $1 ecryptfs_t:dir search_dir_perms;
++	domain_auto_transition_pattern($1, ecryptfs_t, $2)
++')
++
++########################################
++## <summary>
++##	Mount a FUSE filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_mount_fusefs',`
++	gen_require(`
+ 		type fusefs_t;
  	')
  
 -	exec_files_pattern($1, fusefs_t, fusefs_t)
-+	allow $1 ecryptfs_t:dir search_dir_perms;
-+	domain_auto_transition_pattern($1, ecryptfs_t, $2)
++	allow $1 fusefs_t:filesystem mount;
  ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete files
--##	on a FUSEFS filesystem.
-+##	Mount a FUSE filesystem.
++##	Unmount a FUSE filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_unmount_fusefs',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	allow $1 fusefs_t:filesystem unmount;
++')
++
++########################################
++## <summary>
++##	Mounton a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_mounton_fusefs',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	allow $1 fusefs_t:dir mounton;
++')
++
++########################################
++## <summary>
++##	Search directories
+ ##	on a FUSEFS filesystem.
  ## </summary>
  ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
+@@ -1976,19 +2294,18 @@ interface(`fs_exec_fusefs_files',`
  ## </param>
--## <rolecap/>
+ ## <rolecap/>
  #
 -interface(`fs_manage_fusefs_files',`
-+interface(`fs_mount_fusefs',`
++interface(`fs_search_fusefs',`
  	gen_require(`
  		type fusefs_t;
  	')
  
 -	manage_files_pattern($1, fusefs_t, fusefs_t)
-+	allow $1 fusefs_t:filesystem mount;
++	allow $1 fusefs_t:dir search_dir_perms;
  ')
  
  ########################################
@@ -18612,96 +18666,79 @@ index 8416beb..b204e90 100644
 -##	Do not audit attempts to create,
 -##	read, write, and delete files
 -##	on a FUSEFS filesystem.
-+##	Unmount a FUSE filesystem.
++##	Do not audit attempts to list the contents
++##	of directories on a FUSEFS filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
+@@ -1996,217 +2313,274 @@ interface(`fs_manage_fusefs_files',`
  ##	</summary>
  ## </param>
  #
 -interface(`fs_dontaudit_manage_fusefs_files',`
-+interface(`fs_unmount_fusefs',`
++interface(`fs_dontaudit_list_fusefs',`
  	gen_require(`
  		type fusefs_t;
  	')
  
 -	dontaudit $1 fusefs_t:file manage_file_perms;
-+	allow $1 fusefs_t:filesystem unmount;
++	dontaudit $1 fusefs_t:dir list_dir_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Read symbolic links on a FUSEFS filesystem.
-+##	Mounton a FUSEFS filesystem.
++##	Create, read, write, and delete directories
++##	on a FUSEFS filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2014,145 +2274,194 @@ interface(`fs_dontaudit_manage_fusefs_files',`
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
++## <rolecap/>
  #
 -interface(`fs_read_fusefs_symlinks',`
-+interface(`fs_mounton_fusefs',`
++interface(`fs_manage_fusefs_dirs',`
  	gen_require(`
  		type fusefs_t;
  	')
  
 -	allow $1 fusefs_t:dir list_dir_perms;
 -	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
-+	allow $1 fusefs_t:dir mounton;
++	allow $1 fusefs_t:dir manage_dir_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Get the attributes of an hugetlbfs
 -##	filesystem.
-+##	Search directories
++##	Do not audit attempts to create, read,
++##	write, and delete directories
 +##	on a FUSEFS filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
-+## <rolecap/>
  #
 -interface(`fs_getattr_hugetlbfs',`
-+interface(`fs_search_fusefs',`
++interface(`fs_dontaudit_manage_fusefs_dirs',`
  	gen_require(`
 -		type hugetlbfs_t;
 +		type fusefs_t;
  	')
  
 -	allow $1 hugetlbfs_t:filesystem getattr;
-+	allow $1 fusefs_t:dir search_dir_perms;
++	dontaudit $1 fusefs_t:dir manage_dir_perms;
  ')
  
  ########################################
  ## <summary>
 -##	List hugetlbfs.
-+##	Do not audit attempts to list the contents
-+##	of directories on a FUSEFS filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_dontaudit_list_fusefs',`
-+	gen_require(`
-+		type fusefs_t;
-+	')
-+
-+	dontaudit $1 fusefs_t:dir list_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Create, read, write, and delete directories
-+##	on a FUSEFS filesystem.
++##	Read, a FUSEFS filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
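Review bot: The summary that closes this hunk reads `##	Read, a FUSEFS filesystem.`, which has a stray comma and does not say what is read; the interface it documents (`fs_read_fusefs_files`, whose body is in the next hunk) grants `read_files_pattern` on `fusefs_t`, so the line should be `##	Read files on a FUSEFS filesystem.`. The other summaries moved in this hunk (`fs_dontaudit_list_fusefs`, `fs_manage_fusefs_dirs`, `fs_dontaudit_manage_fusefs_dirs`) read correctly.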
@@ -18711,40 +18748,20 @@ index 8416beb..b204e90 100644
 +## <rolecap/>
  #
 -interface(`fs_list_hugetlbfs',`
-+interface(`fs_manage_fusefs_dirs',`
++interface(`fs_read_fusefs_files',`
  	gen_require(`
 -		type hugetlbfs_t;
 +		type fusefs_t;
  	')
  
 -	allow $1 hugetlbfs_t:dir list_dir_perms;
-+	allow $1 fusefs_t:dir manage_dir_perms;
++	read_files_pattern($1, fusefs_t, fusefs_t)
  ')
  
  ########################################
  ## <summary>
 -##	Manage hugetlbfs dirs.
-+##	Do not audit attempts to create, read,
-+##	write, and delete directories
-+##	on a FUSEFS filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_dontaudit_manage_fusefs_dirs',`
-+	gen_require(`
-+		type fusefs_t;
-+	')
-+
-+	dontaudit $1 fusefs_t:dir manage_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Read, a FUSEFS filesystem.
++##	Execute files on a FUSEFS filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -18754,37 +18771,38 @@ index 8416beb..b204e90 100644
 +## <rolecap/>
  #
 -interface(`fs_manage_hugetlbfs_dirs',`
-+interface(`fs_read_fusefs_files',`
++interface(`fs_exec_fusefs_files',`
  	gen_require(`
 -		type hugetlbfs_t;
 +		type fusefs_t;
  	')
  
 -	manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+	read_files_pattern($1, fusefs_t, fusefs_t)
++	exec_files_pattern($1, fusefs_t, fusefs_t)
  ')
  
  ########################################
  ## <summary>
 -##	Read and write hugetlbfs files.
-+##	Execute files on a FUSEFS filesystem.
++##	Make general progams in FUSEFS an entrypoint for
++##	the specified domain.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+-##	Domain allowed access.
++##	The domain for which fusefs_t is an entrypoint.
  ##	</summary>
  ## </param>
-+## <rolecap/>
  #
 -interface(`fs_rw_hugetlbfs_files',`
-+interface(`fs_exec_fusefs_files',`
++interface(`fs_fusefs_entry_type',`
  	gen_require(`
 -		type hugetlbfs_t;
 +		type fusefs_t;
  	')
  
 -	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+	exec_files_pattern($1, fusefs_t, fusefs_t)
++	domain_entry_file($1, fusefs_t)
  ')
  
  ########################################
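Review bot: `fs_fusefs_entry_type` (`domain_entry_file($1, fusefs_t)`) makes every file on every FUSE mount a valid entrypoint for `$1`, and its doc does not warn callers what that implies: `fusefs_t` is one type shared by all FUSE filesystems, and such mounts are commonly backed by an unprivileged userspace server, so whoever controls that server controls which binaries can enter the domain. I would add a `<desc>` paragraph to this interface saying it is only appropriate for domains that already trust the FUSE content and should not be applied to a privileged service domain. The summary also has a typo: `progams` should be `programs`.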
@@ -18802,93 +18820,94 @@ index 8416beb..b204e90 100644
  ## </param>
  #
 -interface(`fs_associate_hugetlbfs',`
-+interface(`fs_fusefs_entry_type',`
++interface(`fs_fusefs_entrypoint',`
  	gen_require(`
 -		type hugetlbfs_t;
 +		type fusefs_t;
  	')
  
 -	allow $1 hugetlbfs_t:filesystem associate;
-+	domain_entry_file($1, fusefs_t)
++    allow $1 fusefs_t:file entrypoint;
  ')
  
  ########################################
  ## <summary>
 -##	Search inotifyfs filesystem.
-+##	Make general progams in FUSEFS an entrypoint for
-+##	the specified domain.
++##	Create, read, write, and delete files
++##	on a FUSEFS filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	The domain for which fusefs_t is an entrypoint.
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
++## <rolecap/>
  #
 -interface(`fs_search_inotifyfs',`
-+interface(`fs_fusefs_entrypoint',`
++interface(`fs_manage_fusefs_files',`
  	gen_require(`
 -		type inotifyfs_t;
 +		type fusefs_t;
  	')
  
 -	allow $1 inotifyfs_t:dir search_dir_perms;
-+    allow $1 fusefs_t:file entrypoint;
++	manage_files_pattern($1, fusefs_t, fusefs_t)
  ')
  
  ########################################
  ## <summary>
 -##	List inotifyfs filesystem.
-+##	Create, read, write, and delete files
++##	Do not audit attempts to create,
++##	read, write, and delete files
 +##	on a FUSEFS filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
-+## <rolecap/>
  #
 -interface(`fs_list_inotifyfs',`
-+interface(`fs_manage_fusefs_files',`
++interface(`fs_dontaudit_manage_fusefs_files',`
  	gen_require(`
 -		type inotifyfs_t;
 +		type fusefs_t;
  	')
  
 -	allow $1 inotifyfs_t:dir list_dir_perms;
-+	manage_files_pattern($1, fusefs_t, fusefs_t)
++	dontaudit $1 fusefs_t:file manage_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Dontaudit List inotifyfs filesystem.
-+##	Do not audit attempts to create,
-+##	read, write, and delete files
-+##	on a FUSEFS filesystem.
++##	Read symbolic links on a FUSEFS filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2160,73 +2469,118 @@ interface(`fs_list_inotifyfs',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
 -interface(`fs_dontaudit_list_inotifyfs',`
-+interface(`fs_dontaudit_manage_fusefs_files',`
++interface(`fs_read_fusefs_symlinks',`
  	gen_require(`
 -		type inotifyfs_t;
 +		type fusefs_t;
  	')
  
 -	dontaudit $1 inotifyfs_t:dir list_dir_perms;
-+	dontaudit $1 fusefs_t:file manage_file_perms;
++	allow $1 fusefs_t:dir list_dir_perms;
++	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
  ')
  
  ########################################
  ## <summary>
 -##	Create an object in a hugetlbfs filesystem, with a private
 -##	type using a type transition.
-+##	Read symbolic links on a FUSEFS filesystem.
++##	Manage symbolic links on a FUSEFS filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
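Review bot: The body of `fs_fusefs_entrypoint` is indented with four spaces (`    allow $1 fusefs_t:file entrypoint;`) while every other interface in this hunk uses a tab; change it to `	allow $1 fusefs_t:file entrypoint;`. A one-line comment explaining how this differs from `fs_fusefs_entry_type` in the previous hunk, which routes the same request through `domain_entry_file`, would help a caller pick the right one, since both grant entrypoint on all `fusefs_t` files. The summary and param block for this interface begin before this hunk.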
@@ -18897,27 +18916,6 @@ index 8416beb..b204e90 100644
  ## </param>
 -## <param name="private type">
 +#
-+interface(`fs_read_fusefs_symlinks',`
-+	gen_require(`
-+		type fusefs_t;
-+	')
-+
-+	allow $1 fusefs_t:dir list_dir_perms;
-+	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Manage symbolic links on a FUSEFS filesystem.
-+## </summary>
-+## <param name="domain">
- ##	<summary>
--##	The type of the object to be created.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <param name="object">
-+#
 +interface(`fs_manage_fusefs_symlinks',`
 +	gen_require(`
 +		type fusefs_t;
@@ -18952,73 +18950,68 @@ index 8416beb..b204e90 100644
 +## </desc>
 +## <param name="domain">
  ##	<summary>
--##	The object class of the object being created.
+-##	The type of the object to be created.
 +##	Domain allowed to transition.
  ##	</summary>
  ## </param>
--## <param name="name" optional="true">
+-## <param name="object">
 +## <param name="target_domain">
  ##	<summary>
--##	The name of the object being created.
+-##	The object class of the object being created.
 +##	The type of the new process.
  ##	</summary>
  ## </param>
- #
--interface(`fs_hugetlbfs_filetrans',`
+-## <param name="name" optional="true">
++#
 +interface(`fs_fusefs_domtrans',`
- 	gen_require(`
--		type hugetlbfs_t;
++	gen_require(`
 +		type fusefs_t;
- 	')
- 
--	allow $2 hugetlbfs_t:filesystem associate;
--	filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
++	')
++
 +	allow $1 fusefs_t:dir search_dir_perms;
 +	domain_auto_transition_pattern($1, fusefs_t, $2)
- ')
- 
- ########################################
- ## <summary>
--##	Mount an iso9660 filesystem, which
--##	is usually used on CDs.
++')
++
++########################################
++## <summary>
 +##	Get the attributes of a FUSEFS filesystem.
- ## </summary>
- ## <param name="domain">
++## </summary>
++## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+-##	The name of the object being created.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
 +## <rolecap/>
  #
--interface(`fs_mount_iso9660_fs',`
+-interface(`fs_hugetlbfs_filetrans',`
 +interface(`fs_getattr_fusefs',`
  	gen_require(`
--		type iso9660_t;
+-		type hugetlbfs_t;
 +		type fusefs_t;
  	')
  
--	allow $1 iso9660_t:filesystem mount;
+-	allow $2 hugetlbfs_t:filesystem associate;
+-	filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
 +	allow $1 fusefs_t:filesystem getattr;
  ')
  
  ########################################
  ## <summary>
--##	Remount an iso9660 filesystem, which
--##	is usually used on CDs.  This allows
--##	some mount options to be changed.
+-##	Mount an iso9660 filesystem, which
+-##	is usually used on CDs.
 +##	Get the attributes of an hugetlbfs
 +##	filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2234,18 +2588,701 @@ interface(`fs_mount_iso9660_fs',`
+@@ -2214,19 +2588,681 @@ interface(`fs_hugetlbfs_filetrans',`
  ##	</summary>
  ## </param>
  #
--interface(`fs_remount_iso9660_fs',`
+-interface(`fs_mount_iso9660_fs',`
 +interface(`fs_getattr_hugetlbfs',`
- 	gen_require(`
--		type iso9660_t;
++	gen_require(`
 +		type hugetlbfs_t;
 +	')
 +
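Review bot: `fs_fusefs_domtrans` sets up an automatic transition from `$1` to `$2` on execution of any `fusefs_t` file, so the transition is keyed on a whole filesystem type rather than on a specific executable type; because `fusefs_t` covers every FUSE mount and those are usually served by an unprivileged userspace process, `$2` can be entered by whatever binary the FUSE server chooses to present. The `<desc>` block for this interface, which opens before this hunk, should state that explicitly and say that `$2` must not carry more privilege than the owner of the FUSE mount. The neighbouring `fs_getattr_fusefs` and `fs_getattr_hugetlbfs` look fine.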
@@ -19678,29 +19671,36 @@ index 8416beb..b204e90 100644
 +## </param>
 +#
 +interface(`fs_read_kdbus_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type iso9660_t;
 +		type cgroup_t;
 +
-+	')
-+
+ 	')
+ 
+-	allow $1 iso9660_t:filesystem mount;
 +	read_files_pattern($1, kdbusfs_t, kdbusfs_t)
 +	read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
 +	fs_search_tmpfs($1)
 +	dev_search_sysfs($1)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Remount an iso9660 filesystem, which
+-##	is usually used on CDs.  This allows
+-##	some mount options to be changed.
 +##	Write kdbusfs files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2234,18 +3270,19 @@ interface(`fs_mount_iso9660_fs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_remount_iso9660_fs',`
 +interface(`fs_write_kdbus_files', `
-+	gen_require(`
+ 	gen_require(`
+-		type iso9660_t;
 +		type kdbusfs_t;
  	')
  
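Review bot: `fs_read_kdbus_files` declares `type cgroup_t;` in its `gen_require` but its body only references `kdbusfs_t` (`read_files_pattern($1, kdbusfs_t, kdbusfs_t)` and the matching symlink pattern), so in a modular build a caller that does not already have `kdbusfs_t` in scope would be expected to fail, while `cgroup_t` is required for nothing. `fs_write_kdbus_files` in the same hunk correctly requires `kdbusfs_t`; change the first to `		type kdbusfs_t;` and drop the blank line inside the `gen_require`. These lines are unchanged context here, but the commit already reshuffles this hunk and the fix is one line.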
@@ -20110,42 +20110,11 @@ index 8416beb..b204e90 100644
  ##	Mount a NFS server pseudo filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3224,30 +4439,120 @@ interface(`fs_search_nfsd_fs',`
- 		type nfsd_fs_t;
- 	')
- 
--	allow $1 nfsd_fs_t:dir search_dir_perms;
-+	allow $1 nfsd_fs_t:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	List NFS server directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_list_nfsd_fs',`
-+	gen_require(`
-+		type nfsd_fs_t;
-+	')
-+
-+	allow $1 nfsd_fs_t:dir list_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Getattr files on an nfsd filesystem
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+@@ -3255,17 +4470,107 @@ interface(`fs_list_nfsd_fs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_getattr_nfsd_files',`
 +interface(`fs_getattr_nfsd_files',`
 +	gen_require(`
 +		type nfsd_fs_t;
@@ -20206,48 +20175,36 @@ index 8416beb..b204e90 100644
 +	')
 +
 +	getattr_files_pattern($1, nsfs_t, nsfs_t)
- ')
- 
--########################################
++')
++
 +#######################################
- ## <summary>
--##	List NFS server directories.
++## <summary>
 +##  Read nsfs inodes (e.g. /proc/pid/ns/uts)
- ## </summary>
- ## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
++## </summary>
++## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
- ## </param>
- #
--interface(`fs_list_nfsd_fs',`
++## </param>
++#
 +interface(`fs_read_nsfs_files',`
- 	gen_require(`
--		type nfsd_fs_t;
--	')
++	gen_require(`
 +    	type nsfs_t;
 +    ')
- 
--	allow $1 nfsd_fs_t:dir list_dir_perms;
++
 +    allow $1 nsfs_t:file read_file_perms;
- ')
- 
--########################################
++')
++
 +#######################################
- ## <summary>
--##	Getattr files on an nfsd filesystem
++## <summary>
 +##  Read and write nsfs inodes (e.g. /proc/pid/ns/uts)
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -3255,17 +4560,17 @@ interface(`fs_list_nfsd_fs',`
- ##	</summary>
- ## </param>
- #
--interface(`fs_getattr_nfsd_files',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`fs_rw_nsfs_files',`
  	gen_require(`
 -		type nfsd_fs_t;
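Review bot: The new `fs_read_nsfs_files` body mixes four-space and tab indentation (`    	type nsfs_t;`, `    ')`, `    allow $1 nsfs_t:file read_file_perms;`) and its XML doc uses `##  ` double-space indents, unlike every neighbouring interface, which uses a tab after `##`; reindent the body with tabs and the doc as `##	`. The `fs_rw_nsfs_files` doc block immediately after it is already in the tab style, so the two adjacent interfaces currently disagree. The body of `fs_rw_nsfs_files` continues past the end of this hunk.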
@@ -20280,7 +20237,32 @@ index 8416beb..b204e90 100644
  ')
  
  ########################################
-@@ -3392,7 +4697,7 @@ interface(`fs_search_ramfs',`
+@@ -3301,6 +4606,24 @@ interface(`fs_associate_ramfs',`
+ 
+ ########################################
+ ## <summary>
++##	Allow the type to associate to proc filesystems.
++## </summary>
++## <param name="type">
++##	<summary>
++##	The type of the object to be associated.
++##	</summary>
++## </param>
++#
++interface(`fs_associate_proc',`
++	gen_require(`
++		type proc_t;
++	')
++
++	allow $1 proc_t:filesystem associate;
++')
++
++########################################
++## <summary>
+ ##	Mount a RAM filesystem.
+ ## </summary>
+ ## <param name="domain">
+@@ -3392,7 +4715,7 @@ interface(`fs_search_ramfs',`
  
  ########################################
  ## <summary>
@@ -20289,7 +20271,7 @@ index 8416beb..b204e90 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3429,7 +4734,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4752,7 @@ interface(`fs_manage_ramfs_dirs',`
  
  ########################################
  ## <summary>
@@ -20298,7 +20280,7 @@ index 8416beb..b204e90 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3447,7 +4752,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4770,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
  
  ########################################
  ## <summary>
@@ -20307,7 +20289,7 @@ index 8416beb..b204e90 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3779,6 +5084,24 @@ interface(`fs_mount_tmpfs',`
+@@ -3779,6 +5102,24 @@ interface(`fs_mount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -20332,7 +20314,7 @@ index 8416beb..b204e90 100644
  ##	Remount a tmpfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3815,6 +5138,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +5156,24 @@ interface(`fs_unmount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -20357,7 +20339,7 @@ index 8416beb..b204e90 100644
  ##	Get the attributes of a tmpfs
  ##	filesystem.
  ## </summary>
-@@ -3908,7 +5249,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3908,7 +5267,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
  
  ########################################
  ## <summary>
@@ -20366,7 +20348,7 @@ index 8416beb..b204e90 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3916,17 +5257,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,17 +5275,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -20387,7 +20369,7 @@ index 8416beb..b204e90 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3934,17 +5275,17 @@ interface(`fs_mounton_tmpfs',`
+@@ -3934,17 +5293,17 @@ interface(`fs_mounton_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -20408,7 +20390,7 @@ index 8416beb..b204e90 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3952,17 +5293,36 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +5311,36 @@ interface(`fs_setattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -20448,7 +20430,7 @@ index 8416beb..b204e90 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3970,31 +5330,48 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +5348,48 @@ interface(`fs_search_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -20504,7 +20486,7 @@ index 8416beb..b204e90 100644
  ')
  
  ########################################
-@@ -4057,23 +5434,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
+@@ -4057,23 +5452,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
  ## </param>
  ## <param name="name" optional="true">
  ##	<summary>
@@ -20681,7 +20663,7 @@ index 8416beb..b204e90 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4081,18 +5605,18 @@ interface(`fs_tmpfs_filetrans',`
+@@ -4081,18 +5623,18 @@ interface(`fs_tmpfs_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -20704,7 +20686,7 @@ index 8416beb..b204e90 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4100,54 +5624,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
+@@ -4100,54 +5642,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -20771,7 +20753,7 @@ index 8416beb..b204e90 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4155,17 +5678,18 @@ interface(`fs_read_tmpfs_files',`
+@@ -4155,17 +5696,18 @@ interface(`fs_read_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -20793,7 +20775,7 @@ index 8416beb..b204e90 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4173,17 +5697,18 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4173,17 +5715,18 @@ interface(`fs_rw_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -20815,7 +20797,7 @@ index 8416beb..b204e90 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4191,37 +5716,36 @@ interface(`fs_read_tmpfs_symlinks',`
+@@ -4191,37 +5734,36 @@ interface(`fs_read_tmpfs_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -20861,7 +20843,7 @@ index 8416beb..b204e90 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4229,18 +5753,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4229,18 +5771,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  ##	</summary>
  ## </param>
  #
@@ -20883,7 +20865,7 @@ index 8416beb..b204e90 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4248,18 +5772,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
+@@ -4248,18 +5790,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
  ##	</summary>
  ## </param>
  #
@@ -20907,7 +20889,7 @@ index 8416beb..b204e90 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4267,32 +5792,31 @@ interface(`fs_rw_tmpfs_blk_files',`
+@@ -4267,32 +5810,31 @@ interface(`fs_rw_tmpfs_blk_files',`
  ##	</summary>
  ## </param>
  #
@@ -20946,7 +20928,7 @@ index 8416beb..b204e90 100644
  ')
  
  ########################################
-@@ -4407,6 +5931,25 @@ interface(`fs_search_xenfs',`
+@@ -4407,6 +5949,25 @@ interface(`fs_search_xenfs',`
  	allow $1 xenfs_t:dir search_dir_perms;
  ')
  
@@ -20972,7 +20954,7 @@ index 8416beb..b204e90 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete directories
-@@ -4503,6 +6046,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +6064,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -20981,7 +20963,7 @@ index 8416beb..b204e90 100644
  ')
  
  ########################################
-@@ -4549,7 +6094,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +6112,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -20990,7 +20972,7 @@ index 8416beb..b204e90 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4596,6 +6141,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +6159,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
  
  ########################################
  ## <summary>
@@ -21017,7 +20999,7 @@ index 8416beb..b204e90 100644
  ##	Get the quotas of all filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4671,6 +6236,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +6254,25 @@ interface(`fs_getattr_all_dirs',`
  
  ########################################
  ## <summary>
@@ -21043,7 +21025,7 @@ index 8416beb..b204e90 100644
  ##	Search all directories with a filesystem type.
  ## </summary>
  ## <param name="domain">
-@@ -4912,3 +6496,173 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6514,173 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -37476,7 +37458,7 @@ index 79a45f6..d092e6e 100644
 +    allow $1 init_var_lib_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..6e568f7 100644
+index 17eda24..e33db3f 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -37707,11 +37689,12 @@ index 17eda24..6e568f7 100644
  # file descriptors inherited from the rootfs:
  files_dontaudit_rw_root_files(init_t)
  files_dontaudit_rw_root_chr_files(init_t)
-@@ -155,29 +262,72 @@ fs_list_inotifyfs(init_t)
+@@ -155,29 +262,73 @@ fs_list_inotifyfs(init_t)
  # cjp: this may be related to /dev/log
  fs_write_ramfs_sockets(init_t)
  
 +fs_read_efivarfs_files(init_t)
++fs_read_nfsd_files(init_t)
 +
 +fstools_getattr_swap_files(init_t)
 +
@@ -37785,7 +37768,7 @@ index 17eda24..6e568f7 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +336,267 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +337,271 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -37840,14 +37823,13 @@ index 17eda24..6e568f7 100644
 +
 +optional_policy(`
 +	ipa_delete_tmp(init_t)
- ')
- 
- optional_policy(`
--	auth_rw_login_records(init_t)
++')
++
++optional_policy(`
 +	rpm_read_db(init_t)
- ')
- 
- optional_policy(`
++')
++
++optional_policy(`
 +	iscsi_read_lib_files(init_t)
 +	iscsi_manage_lock(init_t)
 +')
@@ -37864,6 +37846,10 @@ index 17eda24..6e568f7 100644
 +	mta_manage_aliases(init_t)
 +')
 +
++optional_policy(`
++    systemd_allow_mount_dir(init_t)
++')
++
 +allow init_t self:system all_system_perms;
 +allow init_t self:unix_dgram_socket { create_socket_perms sendto };
 +allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec };
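Review bot: The new `systemd_allow_mount_dir(init_t)` call is indented with four spaces while every other `optional_policy` body in this file uses a tab; change it to `	systemd_allow_mount_dir(init_t)`. Wrapping a `systemd_*` call in `optional_policy` for `init_t` matches the surrounding blocks, but a comment naming what init needs to mount on would help, since the interface name alone does not say whether this is a `mounton` grant or something broader.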
@@ -38021,13 +38007,14 @@ index 17eda24..6e568f7 100644
 +optional_policy(`
 +	lvm_rw_pipes(init_t)
 +	lvm_read_config(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	auth_rw_login_records(init_t)
 +	consolekit_manage_log(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
 +	dbus_connect_system_bus(init_t)
  	dbus_system_bus_client(init_t)
 +	dbus_delete_pid_files(init_t)
@@ -38035,10 +38022,9 @@ index 17eda24..6e568f7 100644
 +	optional_policy(`
 +		devicekit_dbus_chat_power(init_t)
 +	')
- ')
- 
- optional_policy(`
--	nscd_use(init_t)
++')
++
++optional_policy(`
 +	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
 +	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
 +	# the directory. But we do not want to allow this.
@@ -38055,14 +38041,15 @@ index 17eda24..6e568f7 100644
 +	plymouthd_stream_connect(init_t)
 +	plymouthd_exec_plymouth(init_t)
 +	plymouthd_filetrans_named_content(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nscd_use(init_t)
 +	ssh_getattr_server_keys(init_t)
  ')
  
  optional_policy(`
-@@ -216,7 +604,30 @@ optional_policy(`
+@@ -216,7 +609,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38094,7 +38081,7 @@ index 17eda24..6e568f7 100644
  ')
  
  ########################################
-@@ -225,9 +636,9 @@ optional_policy(`
+@@ -225,9 +641,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -38106,7 +38093,7 @@ index 17eda24..6e568f7 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -258,12 +669,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +674,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -38123,7 +38110,7 @@ index 17eda24..6e568f7 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +694,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +699,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -38166,7 +38153,7 @@ index 17eda24..6e568f7 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +731,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +736,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -38178,7 +38165,7 @@ index 17eda24..6e568f7 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -313,8 +743,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +748,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -38189,7 +38176,7 @@ index 17eda24..6e568f7 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -322,8 +754,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +759,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -38199,7 +38186,7 @@ index 17eda24..6e568f7 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -332,7 +763,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +768,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -38207,7 +38194,7 @@ index 17eda24..6e568f7 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -340,6 +770,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +775,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -38215,7 +38202,7 @@ index 17eda24..6e568f7 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -347,14 +778,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +783,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -38233,7 +38220,7 @@ index 17eda24..6e568f7 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -364,8 +796,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +801,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -38247,7 +38234,7 @@ index 17eda24..6e568f7 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -375,10 +811,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +816,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -38261,7 +38248,7 @@ index 17eda24..6e568f7 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -387,8 +824,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +829,10 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -38272,7 +38259,7 @@ index 17eda24..6e568f7 100644
  
  storage_getattr_fixed_disk_dev(initrc_t)
  storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +837,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +842,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -38280,7 +38267,7 @@ index 17eda24..6e568f7 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -416,20 +856,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +861,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -38304,7 +38291,7 @@ index 17eda24..6e568f7 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +889,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +894,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -38312,7 +38299,7 @@ index 17eda24..6e568f7 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +923,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +928,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -38323,7 +38310,7 @@ index 17eda24..6e568f7 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -506,7 +947,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +952,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -38332,7 +38319,7 @@ index 17eda24..6e568f7 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -521,6 +962,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +967,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -38340,7 +38327,7 @@ index 17eda24..6e568f7 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +983,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +988,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -38348,7 +38335,7 @@ index 17eda24..6e568f7 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +993,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +998,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -38393,7 +38380,7 @@ index 17eda24..6e568f7 100644
  	')
  
  	optional_policy(`
-@@ -559,14 +1038,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1043,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -38425,7 +38412,7 @@ index 17eda24..6e568f7 100644
  	')
  ')
  
-@@ -577,6 +1073,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1078,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -38465,7 +38452,7 @@ index 17eda24..6e568f7 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1118,8 @@ optional_policy(`
+@@ -589,6 +1123,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -38474,7 +38461,7 @@ index 17eda24..6e568f7 100644
  ')
  
  optional_policy(`
-@@ -610,6 +1141,7 @@ optional_policy(`
+@@ -610,6 +1146,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -38482,7 +38469,7 @@ index 17eda24..6e568f7 100644
  ')
  
  optional_policy(`
-@@ -626,6 +1158,17 @@ optional_policy(`
+@@ -626,6 +1163,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38500,7 +38487,7 @@ index 17eda24..6e568f7 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -642,9 +1185,13 @@ optional_policy(`
+@@ -642,9 +1190,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -38514,7 +38501,7 @@ index 17eda24..6e568f7 100644
  	')
  
  	optional_policy(`
-@@ -657,15 +1204,11 @@ optional_policy(`
+@@ -657,15 +1209,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38532,7 +38519,7 @@ index 17eda24..6e568f7 100644
  ')
  
  optional_policy(`
-@@ -686,6 +1229,15 @@ optional_policy(`
+@@ -686,6 +1234,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38548,7 +38535,7 @@ index 17eda24..6e568f7 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -726,6 +1278,7 @@ optional_policy(`
+@@ -726,6 +1283,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -38556,7 +38543,7 @@ index 17eda24..6e568f7 100644
  ')
  
  optional_policy(`
-@@ -743,7 +1296,13 @@ optional_policy(`
+@@ -743,7 +1301,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38571,7 +38558,7 @@ index 17eda24..6e568f7 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -766,6 +1325,10 @@ optional_policy(`
+@@ -766,6 +1330,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38582,7 +38569,7 @@ index 17eda24..6e568f7 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -775,10 +1338,20 @@ optional_policy(`
+@@ -775,10 +1343,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38603,7 +38590,7 @@ index 17eda24..6e568f7 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -787,6 +1360,10 @@ optional_policy(`
+@@ -787,6 +1365,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38614,7 +38601,7 @@ index 17eda24..6e568f7 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -808,8 +1385,6 @@ optional_policy(`
+@@ -808,8 +1390,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -38623,7 +38610,7 @@ index 17eda24..6e568f7 100644
  ')
  
  optional_policy(`
-@@ -818,6 +1393,10 @@ optional_policy(`
+@@ -818,6 +1398,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38634,7 +38621,7 @@ index 17eda24..6e568f7 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -827,10 +1406,12 @@ optional_policy(`
+@@ -827,10 +1411,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -38647,7 +38634,7 @@ index 17eda24..6e568f7 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1438,62 @@ optional_policy(`
+@@ -857,21 +1443,62 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38711,7 +38698,7 @@ index 17eda24..6e568f7 100644
  ')
  
  optional_policy(`
-@@ -887,6 +1509,10 @@ optional_policy(`
+@@ -887,6 +1514,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38722,7 +38709,7 @@ index 17eda24..6e568f7 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -897,3 +1523,218 @@ optional_policy(`
+@@ -897,3 +1528,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -46276,7 +46263,7 @@ index 40edc18..95f4458 100644
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 +
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..1c74c66 100644
+index 2cea692..e3cb4f2 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
 @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -46647,7 +46634,7 @@ index 2cea692..1c74c66 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_udp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
-@@ -720,8 +970,13 @@ interface(`sysnet_dns_name_resolve',`
+@@ -720,14 +970,23 @@ interface(`sysnet_dns_name_resolve',`
  	corenet_tcp_sendrecv_dns_port($1)
  	corenet_udp_sendrecv_dns_port($1)
  	corenet_tcp_connect_dns_port($1)
@@ -46661,7 +46648,17 @@ index 2cea692..1c74c66 100644
  	sysnet_read_config($1)
  
  	optional_policy(`
-@@ -750,8 +1005,6 @@ interface(`sysnet_use_ldap',`
+ 		avahi_stream_connect($1)
+ 	')
+ 
++    optional_policy(`
++        dbus_stream_connect_system_dbusd($1)
++    ')
++
+ 	optional_policy(`
+ 		nscd_use($1)
+ 	')
+@@ -750,8 +1009,6 @@ interface(`sysnet_use_ldap',`
  
  	allow $1 self:tcp_socket create_socket_perms;
  
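Review bot: The `dbus_stream_connect_system_dbusd($1)` block added at L1542-L1545 is indented with four spaces while the rest of `sysnet_dns_name_resolve` in this patch uses tabs (compare the `optional_policy(` at L1546 and L1537); switch it to tabs so the inner patch stays consistent with the file it modifies. Beyond style, `sysnet_dns_name_resolve` is, as far as I can tell, the standard interface every domain calls to be allowed DNS lookups, so this quietly grants all of those domains `connectto` on the system bus socket whenever the dbus module is present; if this is there for a specific resolver backend, a one-line comment naming it (`# <resolver backend> answers lookups over the system bus - TODO confirm`) would record why that widening is acceptable and let a later reviewer drop it when the backend changes. The interface body begins and ends outside this hunk.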
@@ -46670,7 +46667,7 @@ index 2cea692..1c74c66 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
  	corenet_tcp_sendrecv_ldap_port($1)
-@@ -760,9 +1013,14 @@ interface(`sysnet_use_ldap',`
+@@ -760,9 +1017,14 @@ interface(`sysnet_use_ldap',`
  
  	# Support for LDAPS
  	dev_read_rand($1)
@@ -46685,7 +46682,7 @@ index 2cea692..1c74c66 100644
  ')
  
  ########################################
-@@ -784,7 +1042,6 @@ interface(`sysnet_use_portmap',`
+@@ -784,7 +1046,6 @@ interface(`sysnet_use_portmap',`
  	allow $1 self:udp_socket create_socket_perms;
  
  	corenet_all_recvfrom_unlabeled($1)
@@ -46693,7 +46690,7 @@ index 2cea692..1c74c66 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_udp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
-@@ -796,3 +1053,144 @@ interface(`sysnet_use_portmap',`
+@@ -796,3 +1057,144 @@ interface(`sysnet_use_portmap',`
  
  	sysnet_read_config($1)
  ')
@@ -47331,10 +47328,10 @@ index 0000000..fc4c791
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..16cd1ac
+index 0000000..86e3d01
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1763 @@
+@@ -0,0 +1,1803 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@@ -49098,12 +49095,52 @@ index 0000000..16cd1ac
 +	allow $1 systemd_hwdb_etc_t:file {relabelfrom relabelto};
 +	files_etc_filetrans($1, systemd_hwdb_etc_t, file)
 +')
++
++########################################
++## <summary>
++##	Allow process to mount directory configured in a
++##  systemd unit as ReadWriteDirectory or ReadOnlyDirectory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`systemd_allow_mount_dir',`
++    gen_require(`
++        attribute systemd_mount_directory;
++    ')
++
++    allow $1 systemd_mount_directory:dir mounton;
++')
++
++########################################
++## <summary>
++##	Mark the following type as mountable by systemd.
++## </summary>
++## <param name="type">
++##	<summary>
++##	Type to be authorized to be mounted
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`systemd_mount_dir',`
++    gen_require(`
++        attribute systemd_mount_directory;
++    ')
++
++    files_type($1)
++    typeattribute $1 systemd_mount_directory;
++')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..bd6672d
+index 0000000..eff9e73
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,971 @@
+@@ -0,0 +1,972 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
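Review bot: The summary of `systemd_mount_dir` (L1620-L1622) says the type becomes "mountable by systemd", but nothing in the two new interfaces restricts the mounter to systemd: any domain that calls `systemd_allow_mount_dir` (L1610-L1616) gets `mounton` on every type carrying `systemd_mount_directory`, so the summary should describe the actual contract, e.g. `## Mark the type as a directory that callers of systemd_allow_mount_dir() may mount on.`. Both interfaces also carry `<rolecap/>` (L1608, L1627); in refpolicy that tag marks interfaces that extend what a role may do, and `systemd_mount_dir` only applies an attribute to a type, so it looks misplaced there - confirm against the policy's doc conventions. The bodies are indented with four spaces (L1611-L1615, L1630-L1635) while the surrounding systemd.if lines use tabs (L1594-L1595). The attribute both interfaces require is declared in systemd.te in the hunk at `@@ -49114`, so the two hunks must land together.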
@@ -49114,6 +49151,7 @@ index 0000000..bd6672d
 +attribute systemd_unit_file_type;
 +attribute systemd_domain;
 +attribute systemctl_domain;
++attribute systemd_mount_directory;
 +
 +systemd_domain_template(systemd_logger)
 +systemd_domain_template(systemd_logind)
@@ -51490,7 +51528,7 @@ index db75976..c54480a 100644
 +/var/tmp/hsperfdata_root    gen_context(system_u:object_r:user_tmp_t,s0)
 +
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..af8711d 100644
+index 9dc60c6..adc5f75 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -52659,15 +52697,18 @@ index 9dc60c6..af8711d 100644
  	##############################
  	#
  	# Local policy
-@@ -907,53 +1195,137 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,53 +1195,142 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  	# Local policy
  	#
-+	kernel_stream_connect($1_usertype)
++	allow $1_usertype self:cap_userns { sys_admin sys_chroot };
++	allow $1_usertype self:dir { add_name write };
  
 -	auth_role($1_r, $1_t)
 -	auth_search_pam_console_data($1_t)
--
++	kernel_stream_connect($1_usertype)
++	fs_associate_proc($1_usertype)
+ 
 -	dev_read_sound($1_t)
 -	dev_write_sound($1_t)
 +	dev_read_sound($1_usertype)
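Review bot: `allow $1_usertype self:cap_userns { sys_admin sys_chroot };` at L1675 lets every restricted X user type hold CAP_SYS_ADMIN and CAP_SYS_CHROOT inside user namespaces it creates, which is a sizable widening for a template whose name says "restricted" and which the commit does not explain; consider gating it behind a tunable the way the existing `selinuxuser_rw_noexattrfile` block in the same template is, or at minimum a comment naming the consumer (`# cap_userns sys_admin/sys_chroot: needed by <consumer> - TODO confirm`). `allow $1_usertype self:dir { add_name write };` at L1676 is likewise unexplained; `self:dir` here presumably covers the domain's own /proc/<pid> entries, where nothing can actually be created, so if this only silences a denial a `dontaudit` may be the intended rule - check the AVC that motivated it. The `init_signal($1_usertype)` added in the hunk at `@@ -52686` deserves the same one-line justification. The template body continues outside this hunk.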
@@ -52679,6 +52720,7 @@ index 9dc60c6..af8711d 100644
 +	dev_read_rand($1_usertype)
  
 -	logging_send_syslog_msg($1_t)
+-	logging_dontaudit_send_audit_msgs($1_t)
 +	dev_read_video_dev($1_usertype)
 +	dev_write_video_dev($1_usertype)
 +	dev_rw_wireless($1_usertype)
@@ -52686,6 +52728,7 @@ index 9dc60c6..af8711d 100644
 +	libs_dontaudit_setattr_lib_files($1_usertype)
 +
 +	init_read_state($1_usertype)
++	init_signal($1_usertype)
 +
 +	tunable_policy(`selinuxuser_rw_noexattrfile',`
 +		dev_rw_usbfs($1_t)
@@ -52700,7 +52743,7 @@ index 9dc60c6..af8711d 100644
 +	')
 +
 +	logging_send_syslog_msg($1_t)
- 	logging_dontaudit_send_audit_msgs($1_t)
++	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
 -	logging_send_audit_msgs($1_t)
@@ -52748,25 +52791,25 @@ index 9dc60c6..af8711d 100644
 +			consolekit_dontaudit_read_log($1_usertype)
 +			consolekit_dbus_chat($1_usertype)
 +		')
-+
-+		optional_policy(`
-+			cups_dbus_chat($1_usertype)
-+			cups_dbus_chat_config($1_usertype)
-+		')
-+
-+		optional_policy(`
-+			devicekit_dbus_chat($1_usertype)
-+			devicekit_dbus_chat_disk($1_usertype)
-+			devicekit_dbus_chat_power($1_usertype)
-+		')
  
  		optional_policy(`
 -			consolekit_dbus_chat($1_t)
-+			fprintd_dbus_chat($1_t)
++			cups_dbus_chat($1_usertype)
++			cups_dbus_chat_config($1_usertype)
  		')
  
  		optional_policy(`
 -			cups_dbus_chat($1_t)
++			devicekit_dbus_chat($1_usertype)
++			devicekit_dbus_chat_disk($1_usertype)
++			devicekit_dbus_chat_power($1_usertype)
++		')
++
++		optional_policy(`
++			fprintd_dbus_chat($1_t)
++		')
++
++		optional_policy(`
 +			realmd_dbus_chat($1_t)
  		')
  
@@ -52811,7 +52854,7 @@ index 9dc60c6..af8711d 100644
  ')
  
  #######################################
-@@ -987,27 +1359,33 @@ template(`userdom_unpriv_user_template', `
+@@ -987,27 +1364,33 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -52849,7 +52892,7 @@ index 9dc60c6..af8711d 100644
  			fs_manage_noxattr_fs_files($1_t)
  			fs_manage_noxattr_fs_dirs($1_t)
  			# Write floppies
-@@ -1018,23 +1396,63 @@ template(`userdom_unpriv_user_template', `
+@@ -1018,23 +1401,63 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -52923,7 +52966,7 @@ index 9dc60c6..af8711d 100644
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1043,7 +1461,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1043,7 +1466,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -52934,7 +52977,7 @@ index 9dc60c6..af8711d 100644
  	')
  ')
  
-@@ -1079,7 +1499,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1079,7 +1504,9 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -52945,7 +52988,7 @@ index 9dc60c6..af8711d 100644
  	')
  
  	##############################
-@@ -1095,6 +1517,7 @@ template(`userdom_admin_user_template',`
+@@ -1095,6 +1522,7 @@ template(`userdom_admin_user_template',`
  	role system_r types $1_t;
  
  	typeattribute $1_t admindomain;
@@ -52953,7 +52996,7 @@ index 9dc60c6..af8711d 100644
  
  	ifdef(`direct_sysadm_daemon',`
  		domain_system_change_exemption($1_t)
-@@ -1105,14 +1528,8 @@ template(`userdom_admin_user_template',`
+@@ -1105,14 +1533,8 @@ template(`userdom_admin_user_template',`
  	# $1_t local policy
  	#
  
@@ -52970,7 +53013,7 @@ index 9dc60c6..af8711d 100644
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1128,6 +1545,8 @@ template(`userdom_admin_user_template',`
+@@ -1128,6 +1550,8 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -52979,7 +53022,7 @@ index 9dc60c6..af8711d 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1145,10 +1564,15 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1569,15 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -52995,7 +53038,7 @@ index 9dc60c6..af8711d 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1159,29 +1583,40 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1588,40 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -53040,7 +53083,7 @@ index 9dc60c6..af8711d 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1626,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1631,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -53049,7 +53092,7 @@ index 9dc60c6..af8711d 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1635,21 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1640,21 @@ template(`userdom_admin_user_template',`
  	userdom_manage_user_home_content_sockets($1_t)
  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
  
@@ -53072,7 +53115,7 @@ index 9dc60c6..af8711d 100644
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1240,7 +1685,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1690,7 @@ template(`userdom_admin_user_template',`
  ##	</summary>
  ## </param>
  #
@@ -53081,7 +53124,7 @@ index 9dc60c6..af8711d 100644
  	allow $1 self:capability { dac_read_search dac_override };
  
  	corecmd_exec_shell($1)
-@@ -1250,6 +1695,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1700,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -53090,7 +53133,7 @@ index 9dc60c6..af8711d 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1262,8 +1709,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1714,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -53102,7 +53145,7 @@ index 9dc60c6..af8711d 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1274,29 +1723,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1728,31 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -53145,7 +53188,7 @@ index 9dc60c6..af8711d 100644
  	')
  
  	optional_policy(`
-@@ -1357,14 +1808,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1813,17 @@ interface(`userdom_user_home_content',`
  	gen_require(`
  		attribute user_home_content_type;
  		type user_home_t;
@@ -53164,7 +53207,7 @@ index 9dc60c6..af8711d 100644
  ')
  
  ########################################
-@@ -1397,12 +1851,52 @@ interface(`userdom_user_tmp_file',`
+@@ -1397,12 +1856,52 @@ interface(`userdom_user_tmp_file',`
  ## </param>
  #
  interface(`userdom_user_tmpfs_file',`
@@ -53218,7 +53261,7 @@ index 9dc60c6..af8711d 100644
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
  ## <param name="domain">
-@@ -1509,11 +2003,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +2008,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -53250,7 +53293,7 @@ index 9dc60c6..af8711d 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1555,6 +2069,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2074,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -53265,7 +53308,7 @@ index 9dc60c6..af8711d 100644
  ')
  
  ########################################
-@@ -1570,9 +2092,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2097,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -53277,7 +53320,7 @@ index 9dc60c6..af8711d 100644
  ')
  
  ########################################
-@@ -1613,6 +2137,24 @@ interface(`userdom_manage_user_home_dirs',`
+@@ -1613,6 +2142,24 @@ interface(`userdom_manage_user_home_dirs',`
  
  ########################################
  ## <summary>
@@ -53302,7 +53345,7 @@ index 9dc60c6..af8711d 100644
  ##	Relabel to user home directories.
  ## </summary>
  ## <param name="domain">
-@@ -1631,6 +2173,59 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1631,6 +2178,59 @@ interface(`userdom_relabelto_user_home_dirs',`
  
  ########################################
  ## <summary>
@@ -53362,7 +53405,7 @@ index 9dc60c6..af8711d 100644
  ##	Create directories in the home dir root with
  ##	the user home directory type.
  ## </summary>
-@@ -1704,10 +2299,12 @@ interface(`userdom_user_home_domtrans',`
+@@ -1704,10 +2304,12 @@ interface(`userdom_user_home_domtrans',`
  #
  interface(`userdom_dontaudit_search_user_home_content',`
  	gen_require(`
@@ -53377,7 +53420,7 @@ index 9dc60c6..af8711d 100644
  ')
  
  ########################################
-@@ -1741,10 +2338,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2343,12 @@ interface(`userdom_list_all_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -53392,7 +53435,7 @@ index 9dc60c6..af8711d 100644
  ')
  
  ########################################
-@@ -1769,7 +2368,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2373,7 @@ interface(`userdom_manage_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -53401,7 +53444,7 @@ index 9dc60c6..af8711d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1777,19 +2376,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1777,19 +2381,17 @@ interface(`userdom_manage_user_home_content_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -53425,7 +53468,7 @@ index 9dc60c6..af8711d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1797,55 +2394,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1797,55 +2399,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -53496,7 +53539,7 @@ index 9dc60c6..af8711d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1853,18 +2450,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1853,18 +2455,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -53524,7 +53567,7 @@ index 9dc60c6..af8711d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1872,18 +2470,71 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1872,13 +2475,163 @@ interface(`userdom_mmap_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -53538,11 +53581,10 @@ index 9dc60c6..af8711d 100644
 +interface(`usedom_dontaudit_user_getattr_tmp_sockets',`
 +    refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.')
 +    userdom_getattr_user_tmp_files($1)
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to read user home files.
++')
++
++########################################
++## <summary>
 +##	Dontaudit getattr on user tmp sockets.
 +## </summary>
 +## <param name="domain">
@@ -53601,21 +53643,18 @@ index 9dc60c6..af8711d 100644
 +## <summary>
 +##	Do not audit attempts to set the
 +##	attributes of user home files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1891,13 +2542,113 @@ interface(`userdom_read_user_home_content_files',`
- ##	</summary>
- ## </param>
- #
--interface(`userdom_dontaudit_read_user_home_content_files',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
 +interface(`userdom_dontaudit_setattr_user_home_content_files',`
- 	gen_require(`
- 		type user_home_t;
- 	')
- 
--	dontaudit $1 user_home_t:dir list_dir_perms;
--	dontaudit $1 user_home_t:file read_file_perms;
++	gen_require(`
++		type user_home_t;
++	')
++
 +	dontaudit $1 user_home_t:file setattr_file_perms;
 +')
 +
@@ -53696,24 +53735,20 @@ index 9dc60c6..af8711d 100644
 +
 +	dontaudit $1 user_home_type:dir getattr;
 +	dontaudit $1 user_home_type:file getattr;
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to read user home files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_dontaudit_read_user_home_content_files',`
-+	gen_require(`
+ ')
+ 
+ ########################################
+@@ -1893,11 +2646,14 @@ interface(`userdom_read_user_home_content_files',`
+ #
+ interface(`userdom_dontaudit_read_user_home_content_files',`
+ 	gen_require(`
+-		type user_home_t;
 +		attribute user_home_type;
 +		type user_home_dir_t;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 user_home_t:dir list_dir_perms;
+-	dontaudit $1 user_home_t:file read_file_perms;
 +	dontaudit $1 user_home_dir_t:dir list_dir_perms;
 +	dontaudit $1 user_home_type:dir list_dir_perms;
 +	dontaudit $1 user_home_type:file read_file_perms;
@@ -53721,7 +53756,7 @@ index 9dc60c6..af8711d 100644
  ')
  
  ########################################
-@@ -1938,7 +2689,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2694,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -53730,7 +53765,7 @@ index 9dc60c6..af8711d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1946,10 +2697,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2702,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -53743,7 +53778,7 @@ index 9dc60c6..af8711d 100644
  	')
  
  	userdom_search_user_home_content($1)
-@@ -1958,7 +2708,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2713,7 @@ interface(`userdom_delete_all_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -53752,7 +53787,7 @@ index 9dc60c6..af8711d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1966,12 +2716,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2721,66 @@ interface(`userdom_delete_all_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -53821,7 +53856,7 @@ index 9dc60c6..af8711d 100644
  ')
  
  ########################################
-@@ -2007,8 +2811,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2816,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -53831,7 +53866,7 @@ index 9dc60c6..af8711d 100644
  ')
  
  ########################################
-@@ -2024,20 +2827,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2832,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -53856,7 +53891,7 @@ index 9dc60c6..af8711d 100644
  
  ########################################
  ## <summary>
-@@ -2120,7 +2917,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2922,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -53865,7 +53900,7 @@ index 9dc60c6..af8711d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2128,19 +2925,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2930,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -53889,7 +53924,7 @@ index 9dc60c6..af8711d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2148,12 +2943,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2948,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -53905,7 +53940,7 @@ index 9dc60c6..af8711d 100644
  ')
  
  ########################################
-@@ -2388,18 +3183,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3188,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -53963,7 +53998,7 @@ index 9dc60c6..af8711d 100644
  ##	Do not audit attempts to read users
  ##	temporary files.
  ## </summary>
-@@ -2414,7 +3245,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3250,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -53972,7 +54007,7 @@ index 9dc60c6..af8711d 100644
  ')
  
  ########################################
-@@ -2455,6 +3286,25 @@ interface(`userdom_rw_user_tmp_files',`
+@@ -2455,6 +3291,25 @@ interface(`userdom_rw_user_tmp_files',`
  	rw_files_pattern($1, user_tmp_t, user_tmp_t)
  	files_search_tmp($1)
  ')
@@ -53998,7 +54033,7 @@ index 9dc60c6..af8711d 100644
  
  ########################################
  ## <summary>
-@@ -2538,7 +3388,27 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,7 +3393,27 @@ interface(`userdom_manage_user_tmp_files',`
  ########################################
  ## <summary>
  ##	Create, read, write, and delete user
@@ -54027,7 +54062,7 @@ index 9dc60c6..af8711d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2566,6 +3436,27 @@ interface(`userdom_manage_user_tmp_symlinks',`
+@@ -2566,6 +3441,27 @@ interface(`userdom_manage_user_tmp_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -54055,7 +54090,7 @@ index 9dc60c6..af8711d 100644
  interface(`userdom_manage_user_tmp_pipes',`
  	gen_require(`
  		type user_tmp_t;
-@@ -2661,6 +3552,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2661,6 +3557,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -54077,7 +54112,7 @@ index 9dc60c6..af8711d 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2672,18 +3578,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2672,18 +3583,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  ## </param>
  #
  interface(`userdom_read_user_tmpfs_files',`
@@ -54099,7 +54134,7 @@ index 9dc60c6..af8711d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2692,19 +3593,13 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3598,13 @@ interface(`userdom_read_user_tmpfs_files',`
  ## </param>
  #
  interface(`userdom_rw_user_tmpfs_files',`
@@ -54122,7 +54157,7 @@ index 9dc60c6..af8711d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2713,13 +3608,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2713,13 +3613,56 @@ interface(`userdom_rw_user_tmpfs_files',`
  ## </param>
  #
  interface(`userdom_manage_user_tmpfs_files',`
@@ -54183,7 +54218,7 @@ index 9dc60c6..af8711d 100644
  ')
  
  ########################################
-@@ -2814,6 +3752,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3757,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -54208,7 +54243,7 @@ index 9dc60c6..af8711d 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2832,22 +3788,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3793,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -54251,7 +54286,7 @@ index 9dc60c6..af8711d 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2856,14 +3824,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3829,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -54289,7 +54324,7 @@ index 9dc60c6..af8711d 100644
  ')
  
  ########################################
-@@ -2882,8 +3869,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3874,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -54319,7 +54354,7 @@ index 9dc60c6..af8711d 100644
  ')
  
  ########################################
-@@ -2955,6 +3961,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,6 +3966,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -54362,7 +54397,7 @@ index 9dc60c6..af8711d 100644
  ########################################
  ## <summary>
  ##	Execute an Xserver session in all unprivileged user domains.  This
-@@ -2978,24 +4020,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2978,24 +4025,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -54387,7 +54422,7 @@ index 9dc60c6..af8711d 100644
  ########################################
  ## <summary>
  ##	Manage unpriviledged user SysV sempaphores.
-@@ -3014,9 +4038,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3014,9 +4043,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  	allow $1 unpriv_userdomain:sem create_sem_perms;
  ')
  
@@ -54399,7 +54434,7 @@ index 9dc60c6..af8711d 100644
  ##	memory segments.
  ## </summary>
  ## <param name="domain">
-@@ -3025,17 +4049,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,17 +4054,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -54420,7 +54455,7 @@ index 9dc60c6..af8711d 100644
  ##	memory segments.
  ## </summary>
  ## <param name="domain">
-@@ -3044,12 +4068,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
+@@ -3044,12 +4073,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
  ##	</summary>
  ## </param>
  #
@@ -54435,7 +54470,7 @@ index 9dc60c6..af8711d 100644
  ')
  
  ########################################
-@@ -3094,7 +4118,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4123,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -54444,7 +54479,7 @@ index 9dc60c6..af8711d 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3110,29 +4134,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4139,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -54478,7 +54513,7 @@ index 9dc60c6..af8711d 100644
  ')
  
  ########################################
-@@ -3214,7 +4222,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4227,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -54505,7 +54540,7 @@ index 9dc60c6..af8711d 100644
  ')
  
  ########################################
-@@ -3269,12 +4295,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4300,13 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -54521,7 +54556,7 @@ index 9dc60c6..af8711d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3282,54 +4309,56 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,54 +4314,56 @@ interface(`userdom_write_user_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -54593,7 +54628,7 @@ index 9dc60c6..af8711d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3337,17 +4366,91 @@ interface(`userdom_getattr_all_users',`
+@@ -3337,18 +4371,92 @@ interface(`userdom_getattr_all_users',`
  ##	</summary>
  ## </param>
  #
@@ -54610,6 +54645,7 @@ index 9dc60c6..af8711d 100644
  ########################################
  ## <summary>
 -##	Do not audit attempts to inherit the file
+-##	descriptors from any user domains.
 +##	Do not audit attempts to use user ttys.
 +## </summary>
 +## <param name="domain">
@@ -54685,10 +54721,11 @@ index 9dc60c6..af8711d 100644
 +########################################
 +## <summary>
 +##	Do not audit attempts to inherit the file
- ##	descriptors from any user domains.
++##	descriptors from any user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3382,6 +4485,42 @@ interface(`userdom_signal_all_users',`
+ ##	<summary>
+@@ -3382,6 +4490,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -54731,7 +54768,7 @@ index 9dc60c6..af8711d 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4541,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4546,60 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -54792,7 +54829,7 @@ index 9dc60c6..af8711d 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3435,4 +4628,1817 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4633,1817 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 48b201d..d4a3261 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -20776,10 +20776,18 @@ index 949011e..8f8bc20 100644
 +/etc/opt/brother/Printers/(.*/)?inf(/.*)?        gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +/opt/brother/Printers(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --git a/cups.if b/cups.if
-index 3023be7..4f0fe46 100644
+index 3023be7..5afde80 100644
 --- a/cups.if
 +++ b/cups.if
-@@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',`
+@@ -70,6 +70,7 @@ interface(`cups_stream_connect',`
+ 
+ 	files_search_pids($1)
+ 	stream_connect_pattern($1, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
++	allow $1 cupsd_var_run_t:sock_file read_sock_file_perms;
+ ')
+ 
+ ########################################
+@@ -200,10 +201,13 @@ interface(`cups_dbus_chat_config',`
  interface(`cups_read_config',`
  	gen_require(`
  		type cupsd_etc_t, cupsd_rw_etc_t;
@@ -20794,7 +20802,7 @@ index 3023be7..4f0fe46 100644
  ')
  
  ########################################
-@@ -306,6 +309,30 @@ interface(`cups_stream_connect_ptal',`
+@@ -306,6 +310,30 @@ interface(`cups_stream_connect_ptal',`
  
  ########################################
  ## <summary>
@@ -20825,7 +20833,7 @@ index 3023be7..4f0fe46 100644
  ##	Read the process state (/proc/pid) of cupsd.
  ## </summary>
  ## <param name="domain">
-@@ -344,18 +371,23 @@ interface(`cups_read_state',`
+@@ -344,18 +372,23 @@ interface(`cups_read_state',`
  interface(`cups_admin',`
  	gen_require(`
  		type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
@@ -20854,7 +20862,7 @@ index 3023be7..4f0fe46 100644
  
  	init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -368,13 +400,46 @@ interface(`cups_admin',`
+@@ -368,13 +401,46 @@ interface(`cups_admin',`
  	logging_list_logs($1)
  	admin_pattern($1, cupsd_log_t)
  
@@ -20907,7 +20915,7 @@ index 3023be7..4f0fe46 100644
 +	files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
  ')
 diff --git a/cups.te b/cups.te
-index c91813c..71b61c4 100644
+index c91813c..474a13f 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
@@ -21077,7 +21085,7 @@ index c91813c..71b61c4 100644
  
  allow cupsd_t cupsd_exec_t:dir search_dir_perms;
  allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
-@@ -136,22 +170,23 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+@@ -136,22 +170,24 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
  manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
  logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
  
@@ -21086,6 +21094,7 @@ index c91813c..71b61c4 100644
 +
  manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
  manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
++manage_lnk_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
  manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
  files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file })
  
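Review bot: The added `manage_lnk_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)` only covers symlinks that already carry cupsd_tmp_t: the `files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file })` two lines below does not list lnk_file, so a symlink cupsd_t creates in /tmp would not be labeled cupsd_tmp_t and this rule would not apply to it. The cupsd_config_t transition later in the same file already uses `{ lnk_file file dir }`, so if the intent is to let cupsd create its own tmp symlinks, change the class set to `files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file lnk_file })`; if cupsd only needs to follow existing symlinks, the narrower read_lnk_files_pattern would be the least-privilege choice.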
@@ -21105,7 +21114,7 @@ index c91813c..71b61c4 100644
  
  stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
  allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
-@@ -159,11 +194,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+@@ -159,11 +195,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
  can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
  
  kernel_read_system_state(cupsd_t)
@@ -21117,7 +21126,7 @@ index c91813c..71b61c4 100644
  corenet_all_recvfrom_netlabel(cupsd_t)
  corenet_tcp_sendrecv_generic_if(cupsd_t)
  corenet_udp_sendrecv_generic_if(cupsd_t)
-@@ -186,12 +219,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
+@@ -186,12 +220,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
  corenet_tcp_bind_all_rpc_ports(cupsd_t)
  corenet_tcp_connect_all_ports(cupsd_t)
  
@@ -21142,7 +21151,7 @@ index c91813c..71b61c4 100644
  dev_rw_input_dev(cupsd_t)
  dev_rw_generic_usb_dev(cupsd_t)
  dev_rw_usbfs(cupsd_t)
-@@ -203,7 +244,6 @@ domain_use_interactive_fds(cupsd_t)
+@@ -203,7 +245,6 @@ domain_use_interactive_fds(cupsd_t)
  files_getattr_boot_dirs(cupsd_t)
  files_list_spool(cupsd_t)
  files_read_etc_runtime_files(cupsd_t)
@@ -21150,7 +21159,7 @@ index c91813c..71b61c4 100644
  files_exec_usr_files(cupsd_t)
  # for /var/lib/defoma
  files_read_var_lib_files(cupsd_t)
-@@ -212,17 +252,19 @@ files_read_world_readable_files(cupsd_t)
+@@ -212,17 +253,19 @@ files_read_world_readable_files(cupsd_t)
  files_read_world_readable_symlinks(cupsd_t)
  files_read_var_files(cupsd_t)
  files_read_var_symlinks(cupsd_t)
@@ -21172,7 +21181,7 @@ index c91813c..71b61c4 100644
  mls_fd_use_all_levels(cupsd_t)
  mls_file_downgrade(cupsd_t)
  mls_file_write_all_levels(cupsd_t)
-@@ -232,6 +274,8 @@ mls_socket_write_all_levels(cupsd_t)
+@@ -232,6 +275,8 @@ mls_socket_write_all_levels(cupsd_t)
  
  term_search_ptys(cupsd_t)
  term_use_unallocated_ttys(cupsd_t)
@@ -21181,7 +21190,7 @@ index c91813c..71b61c4 100644
  
  selinux_compute_access_vector(cupsd_t)
  selinux_validate_context(cupsd_t)
-@@ -244,22 +288,28 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -244,22 +289,28 @@ auth_dontaudit_read_pam_pid(cupsd_t)
  auth_rw_faillog(cupsd_t)
  auth_use_nsswitch(cupsd_t)
  
@@ -21215,7 +21224,7 @@ index c91813c..71b61c4 100644
  
  optional_policy(`
  	apm_domtrans_client(cupsd_t)
-@@ -272,6 +322,8 @@ optional_policy(`
+@@ -272,6 +323,8 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(cupsd_t)
  
@@ -21224,7 +21233,7 @@ index c91813c..71b61c4 100644
  	userdom_dbus_send_all_users(cupsd_t)
  
  	optional_policy(`
-@@ -279,11 +331,17 @@ optional_policy(`
+@@ -279,11 +332,17 @@ optional_policy(`
  	')
  
  	optional_policy(`
@@ -21242,7 +21251,7 @@ index c91813c..71b61c4 100644
  	')
  ')
  
-@@ -296,8 +354,8 @@ optional_policy(`
+@@ -296,8 +355,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21252,7 +21261,7 @@ index c91813c..71b61c4 100644
  ')
  
  optional_policy(`
-@@ -306,7 +364,6 @@ optional_policy(`
+@@ -306,7 +365,6 @@ optional_policy(`
  
  optional_policy(`
  	lpd_exec_lpr(cupsd_t)
@@ -21260,7 +21269,7 @@ index c91813c..71b61c4 100644
  	lpd_read_config(cupsd_t)
  	lpd_relabel_spool(cupsd_t)
  ')
-@@ -316,6 +373,10 @@ optional_policy(`
+@@ -316,6 +374,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21271,7 +21280,7 @@ index c91813c..71b61c4 100644
  	samba_read_config(cupsd_t)
  	samba_rw_var_files(cupsd_t)
  	samba_stream_connect_nmbd(cupsd_t)
-@@ -326,7 +387,7 @@ optional_policy(`
+@@ -326,7 +388,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21280,7 +21289,7 @@ index c91813c..71b61c4 100644
  ')
  
  optional_policy(`
-@@ -334,7 +395,11 @@ optional_policy(`
+@@ -334,7 +396,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21293,7 +21302,7 @@ index c91813c..71b61c4 100644
  ')
  
  ########################################
-@@ -342,12 +407,11 @@ optional_policy(`
+@@ -342,12 +408,11 @@ optional_policy(`
  # Configuration daemon local policy
  #
  
@@ -21309,7 +21318,7 @@ index c91813c..71b61c4 100644
  allow cupsd_config_t cupsd_t:process signal;
  ps_process_pattern(cupsd_config_t, cupsd_t)
  
-@@ -367,23 +431,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
+@@ -367,23 +432,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
  files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
  
  allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
@@ -21337,7 +21346,7 @@ index c91813c..71b61c4 100644
  corenet_all_recvfrom_netlabel(cupsd_config_t)
  corenet_tcp_sendrecv_generic_if(cupsd_config_t)
  corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -392,20 +456,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -392,20 +457,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
  corenet_sendrecv_all_client_packets(cupsd_config_t)
  corenet_tcp_connect_all_ports(cupsd_config_t)
  
@@ -21358,7 +21367,7 @@ index c91813c..71b61c4 100644
  fs_search_auto_mountpoints(cupsd_config_t)
  
  domain_use_interactive_fds(cupsd_config_t)
-@@ -417,11 +473,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -417,11 +474,6 @@ auth_use_nsswitch(cupsd_config_t)
  
  logging_send_syslog_msg(cupsd_config_t)
  
@@ -21370,7 +21379,7 @@ index c91813c..71b61c4 100644
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
  userdom_read_all_users_state(cupsd_config_t)
-@@ -449,9 +500,12 @@ optional_policy(`
+@@ -449,9 +501,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21384,7 +21393,7 @@ index c91813c..71b61c4 100644
  ')
  
  optional_policy(`
-@@ -467,6 +521,10 @@ optional_policy(`
+@@ -467,6 +522,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21395,7 +21404,7 @@ index c91813c..71b61c4 100644
  	rpm_read_db(cupsd_config_t)
  ')
  
-@@ -487,10 +545,6 @@ optional_policy(`
+@@ -487,10 +546,6 @@ optional_policy(`
  # Lpd local policy
  #
  
@@ -21406,7 +21415,7 @@ index c91813c..71b61c4 100644
  allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
  
  allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -508,15 +562,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -508,15 +563,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
  
  kernel_read_kernel_sysctls(cupsd_lpd_t)
  kernel_read_system_state(cupsd_lpd_t)
@@ -21424,7 +21433,7 @@ index c91813c..71b61c4 100644
  corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
  
  corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
-@@ -537,9 +591,6 @@ auth_use_nsswitch(cupsd_lpd_t)
+@@ -537,9 +592,6 @@ auth_use_nsswitch(cupsd_lpd_t)
  
  logging_send_syslog_msg(cupsd_lpd_t)
  
@@ -21434,7 +21443,7 @@ index c91813c..71b61c4 100644
  optional_policy(`
  	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
  ')
-@@ -550,7 +601,6 @@ optional_policy(`
+@@ -550,7 +602,6 @@ optional_policy(`
  #
  
  allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -21442,7 +21451,7 @@ index c91813c..71b61c4 100644
  allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
  
  append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -566,148 +616,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -566,148 +617,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
  
  kernel_read_system_state(cups_pdf_t)
  
@@ -21594,7 +21603,7 @@ index c91813c..71b61c4 100644
  
  ########################################
  #
-@@ -735,7 +660,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -735,7 +661,6 @@ kernel_read_kernel_sysctls(ptal_t)
  kernel_list_proc(ptal_t)
  kernel_read_proc_symlinks(ptal_t)
  
@@ -21602,7 +21611,7 @@ index c91813c..71b61c4 100644
  corenet_all_recvfrom_netlabel(ptal_t)
  corenet_tcp_sendrecv_generic_if(ptal_t)
  corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -745,13 +669,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -745,13 +670,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
  corenet_tcp_bind_ptal_port(ptal_t)
  corenet_tcp_sendrecv_ptal_port(ptal_t)
  
@@ -21616,7 +21625,7 @@ index c91813c..71b61c4 100644
  files_read_etc_runtime_files(ptal_t)
  
  fs_getattr_all_fs(ptal_t)
-@@ -759,8 +681,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -759,8 +682,6 @@ fs_search_auto_mountpoints(ptal_t)
  
  logging_send_syslog_msg(ptal_t)
  
@@ -21625,7 +21634,7 @@ index c91813c..71b61c4 100644
  sysnet_read_config(ptal_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -773,3 +693,4 @@ optional_policy(`
+@@ -773,3 +694,4 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ptal_t)
  ')
@@ -22146,7 +22155,7 @@ index dda905b..5587295 100644
  /var/named/chroot/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 +')
 diff --git a/dbus.if b/dbus.if
-index 62d22cb..90fc04d 100644
+index 62d22cb..1287d08 100644
 --- a/dbus.if
 +++ b/dbus.if
 @@ -1,4 +1,4 @@
@@ -22295,9 +22304,9 @@ index 62d22cb..90fc04d 100644
 -	files_search_var_lib($1)
  	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 +	files_search_var_lib($1)
-+
-+	dev_read_urand($1)
  
++	dev_read_urand($1)
++
 +	# For connecting to the bus
  	files_search_pids($1)
  	stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
@@ -22676,7 +22685,7 @@ index 62d22cb..90fc04d 100644
  ## <param name="domain">
  ##	<summary>
  ##	Type to be used as a domain.
-@@ -397,199 +410,228 @@ interface(`dbus_manage_lib_files',`
+@@ -397,199 +410,250 @@ interface(`dbus_manage_lib_files',`
  ## </param>
  ## <param name="entry_point">
  ##	<summary>
@@ -22916,22 +22925,40 @@ index 62d22cb..90fc04d 100644
  ## <param name="domain">
  ##	<summary>
 -##	Type to be used as a domain.
--##	</summary>
--## </param>
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
 -## <param name="entry_point">
--##	<summary>
++#
++interface(`dbus_dontaudit_chat_system_bus',`
++	gen_require(`
++		attribute system_bus_type;
++		class dbus send_msg;
++	')
++
++	dontaudit $1 system_bus_type:dbus send_msg;
++	dontaudit system_bus_type $1:dbus send_msg;
++')
++
++
++########################################
++## <summary>
++##	Allow attempts to connect to
++##	session bus types with a unix
++##	stream socket.
++## </summary>
++## <param name="domain">
+ ##	<summary>
 -##	Type of the program to be used as an entry point to this domain.
 +##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
 -interface(`dbus_system_domain',`
-+interface(`dbus_dontaudit_chat_system_bus',`
++interface(`dbus_stream_connect_system_dbusd',`
  	gen_require(`
--		type system_dbusd_t;
+ 		type system_dbusd_t;
 -		role system_r;
-+		attribute system_bus_type;
-+		class dbus send_msg;
  	')
  
 -	domain_type($1)
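Review bot: The XML documentation of the new dbus_stream_connect_system_dbusd interface does not describe the rule it adds: the summary says it allows connecting to `session bus types`, and the parameter summary kept as context (`Domain to not audit.`) is left over from the dontaudit interface above it, while the rule in the following hunk is an allow on system_dbusd_t. Change the summary to `##	Allow attempts to connect to the system bus with a unix stream socket.` and the param text to `##	Domain allowed access.` so the generated interface reference matches the policy. The interface body (the allow rule) is in the next hunk.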
@@ -22951,10 +22978,10 @@ index 62d22cb..90fc04d 100644
 -	ifdef(`hide_broken_symptoms', `
 -		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
 -	')
-+	dontaudit $1 system_bus_type:dbus send_msg;
-+	dontaudit system_bus_type $1:dbus send_msg;
++	allow $1 system_dbusd_t:unix_stream_socket connectto;
  ')
  
++
  ########################################
  ## <summary>
 -##	Use and inherit DBUS system bus
@@ -22990,7 +23017,7 @@ index 62d22cb..90fc04d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -597,28 +639,50 @@ interface(`dbus_use_system_bus_fds',`
+@@ -597,28 +661,50 @@ interface(`dbus_use_system_bus_fds',`
  ##	</summary>
  ## </param>
  #
@@ -23050,7 +23077,7 @@ index 62d22cb..90fc04d 100644
 +
  ')
 diff --git a/dbus.te b/dbus.te
-index c9998c8..44c6283 100644
+index c9998c8..8b447a3 100644
 --- a/dbus.te
 +++ b/dbus.te
 @@ -4,17 +4,15 @@ gen_require(`
@@ -23174,7 +23201,7 @@ index c9998c8..44c6283 100644
  mls_fd_use_all_levels(system_dbusd_t)
  mls_rangetrans_target(system_dbusd_t)
  mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +122,170 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +122,174 @@ term_dontaudit_use_console(system_dbusd_t)
  auth_use_nsswitch(system_dbusd_t)
  auth_read_pam_console_data(system_dbusd_t)
  
@@ -23223,9 +23250,10 @@ index c9998c8..44c6283 100644
  optional_policy(`
 -	policykit_read_lib(system_dbusd_t)
 +	cpufreqselector_dbus_chat(system_dbusd_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	seutil_sigchld_newrole(system_dbusd_t)
 +	getty_start_services(system_dbusd_t)
 +')
 +
@@ -23255,10 +23283,9 @@ index c9998c8..44c6283 100644
 +
 +optional_policy(`
 +	sysnet_domtrans_dhcpc(system_dbusd_t)
- ')
- 
- optional_policy(`
--	seutil_sigchld_newrole(system_dbusd_t)
++')
++
++optional_policy(`
 +	systemd_use_fds_logind(system_dbusd_t)
 +	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
 +	systemd_write_inhibit_pipes(system_dbusd_t)
@@ -23273,6 +23300,10 @@ index c9998c8..44c6283 100644
  ')
  
 +optional_policy(`
++	virt_list_sandbox_dirs(system_dbusd_t)
++')
++
++optional_policy(`
 +	# /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
 +	xserver_read_inherited_xdm_lib_files(system_dbusd_t)
 +')
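Review bot: The added `virt_list_sandbox_dirs(system_dbusd_t)` block gives no hint of which denial or feature motivates the system bus listing container sandbox directories, whereas the neighbouring xserver block records the triggering path. A short comment above the call, e.g. `# <reason placeholder>: dbus needs to list sandbox dirs`, would let a later reviewer judge whether the grant can be dropped.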
@@ -23292,7 +23323,7 @@ index c9998c8..44c6283 100644
 +allow system_bus_type system_dbusd_t:unix_stream_socket rw_socket_perms;
 +
 +fs_search_all(system_bus_type)
-+
+ 
 +dbus_system_bus_client(system_bus_type)
 +dbus_connect_system_bus(system_bus_type)
 +
@@ -23322,7 +23353,7 @@ index c9998c8..44c6283 100644
 +ifdef(`hide_broken_symptoms',`
 +	dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
 +')
- 
++
 +########################################
 +#
 +# session_bus_type rules
@@ -23359,7 +23390,7 @@ index c9998c8..44c6283 100644
  kernel_read_kernel_sysctls(session_bus_type)
  
  corecmd_list_bin(session_bus_type)
-@@ -191,23 +294,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +298,18 @@ corecmd_read_bin_files(session_bus_type)
  corecmd_read_bin_pipes(session_bus_type)
  corecmd_read_bin_sockets(session_bus_type)
  
@@ -23384,7 +23415,7 @@ index c9998c8..44c6283 100644
  files_dontaudit_search_var(session_bus_type)
  
  fs_getattr_romfs(session_bus_type)
-@@ -215,7 +313,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +317,6 @@ fs_getattr_xattr_fs(session_bus_type)
  fs_list_inotifyfs(session_bus_type)
  fs_dontaudit_list_nfs(session_bus_type)
  
@@ -23392,7 +23423,7 @@ index c9998c8..44c6283 100644
  selinux_validate_context(session_bus_type)
  selinux_compute_access_vector(session_bus_type)
  selinux_compute_create_context(session_bus_type)
-@@ -225,18 +322,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +326,36 @@ selinux_compute_user_contexts(session_bus_type)
  auth_read_pam_console_data(session_bus_type)
  
  logging_send_audit_msgs(session_bus_type)
@@ -23434,7 +23465,7 @@ index c9998c8..44c6283 100644
  ')
  
  ########################################
-@@ -244,5 +359,9 @@ optional_policy(`
+@@ -244,5 +363,9 @@ optional_policy(`
  # Unconfined access to this module
  #
  
@@ -96244,10 +96275,10 @@ index 0000000..b7db254
 +# Empty
 diff --git a/sandbox.if b/sandbox.if
 new file mode 100644
-index 0000000..b21026b
+index 0000000..cc29a06
 --- /dev/null
 +++ b/sandbox.if
-@@ -0,0 +1,92 @@
+@@ -0,0 +1,96 @@
 +
 +## <summary>policy for sandbox</summary>
 +
@@ -96339,13 +96370,17 @@ index 0000000..b21026b
 +    # this is to satisfy the assertion:
 +    auth_reader_shadow($1_t)
 +    auth_writer_shadow($1_t)
++
++    #optional_policy(`
++	#    unconfined_typebounds($1_t)
++    #')
 +')
 diff --git a/sandbox.te b/sandbox.te
 new file mode 100644
-index 0000000..6b3fab1
+index 0000000..402257c
 --- /dev/null
 +++ b/sandbox.te
-@@ -0,0 +1,65 @@
+@@ -0,0 +1,66 @@
 +policy_module(sandbox,1.0.0)
 +
 +attribute sandbox_domain;
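Review bot: The block added at the end of the sandbox template is commented-out code (`#optional_policy(`, `#    unconfined_typebounds($1_t)`, `#')`) with no note on why it is disabled, and it mixes four-space and tab indentation; the same pattern is added to sandboxX.if later in this diff. Either drop it or replace it with a single comment stating the reason it is not enabled, e.g. `# typebounds against unconfined disabled: <reason placeholder>`, so the next reader knows whether it is a pending hardening step or a rejected idea. The template's opening lines are outside the hunk.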
@@ -96411,6 +96446,7 @@ index 0000000..6b3fab1
 +userdom_use_inherited_user_terminals(sandbox_domain)
 +
 +mta_dontaudit_read_spool_symlinks(sandbox_domain)
++
 diff --git a/sandboxX.fc b/sandboxX.fc
 new file mode 100644
 index 0000000..6caef63
@@ -96421,10 +96457,10 @@ index 0000000..6caef63
 +/usr/share/sandbox/start --	gen_context(system_u:object_r:sandbox_exec_t,s0)
 diff --git a/sandboxX.if b/sandboxX.if
 new file mode 100644
-index 0000000..3e89d71
+index 0000000..98dc14e
 --- /dev/null
 +++ b/sandboxX.if
-@@ -0,0 +1,396 @@
+@@ -0,0 +1,401 @@
 +
 +## <summary>policy for sandboxX </summary>
 +
@@ -96559,6 +96595,11 @@ index 0000000..3e89d71
 +	allow sandbox_xserver_t $1_t:shm rw_shm_perms;
 +	allow $1_client_t $1_t:unix_stream_socket connectto;
 +	allow $1_t $1_client_t:unix_stream_socket connectto;
++
++    #optional_policy(`
++	#    unconfined_typebounds($1_t)
++	#    unconfined_typebounds($1_client_t)
++    #')
 +')
 +
 +########################################
@@ -96823,10 +96864,10 @@ index 0000000..3e89d71
 +')
 diff --git a/sandboxX.te b/sandboxX.te
 new file mode 100644
-index 0000000..24cb7ca
+index 0000000..22e956f
 --- /dev/null
 +++ b/sandboxX.te
-@@ -0,0 +1,508 @@
+@@ -0,0 +1,512 @@
 +policy_module(sandboxX,1.0.0)
 +
 +dbus_stub()
@@ -97001,8 +97042,8 @@ index 0000000..24cb7ca
 +files_read_config_files(sandbox_x_domain)
 +files_read_usr_symlinks(sandbox_x_domain)
 +
-++corecmd_entrypoint_all_executables(sandbox_x_domain)
-++files_entrypoint_all_mountpoint(sandbox_x_domain)
++corecmd_entrypoint_all_executables(sandbox_x_domain)
++files_entrypoint_all_mountpoint(sandbox_x_domain)
 +
 +fs_getattr_tmpfs(sandbox_x_domain)
 +fs_getattr_xattr_fs(sandbox_x_domain)
@@ -97048,6 +97089,10 @@ index 0000000..24cb7ca
 +')
 +
 +optional_policy(`
++	colord_dbus_chat(sandbox_x_domain)
++')
++
++optional_policy(`
 +	consolekit_dbus_chat(sandbox_x_domain)
 +')
 +
@@ -111806,7 +111851,7 @@ index 3d11c6a..b19a117 100644
  
  optional_policy(`
 diff --git a/virt.fc b/virt.fc
-index a4f20bc..d8b1fd1 100644
+index a4f20bc..9777de2 100644
 --- a/virt.fc
 +++ b/virt.fc
 @@ -1,51 +1,109 @@
@@ -111919,7 +111964,7 @@ index a4f20bc..d8b1fd1 100644
 +/var/lib/oz(/.*)?					gen_context(system_u:object_r:virt_var_lib_t,s0)
 +/var/lib/oz/isos(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
 +/var/lib/vdsm(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
-+/var/lib/rkt/cas(/.*)?		gen_context(system_u:object_r:container_image_t,s0)
++/var/lib/rkt/cas(/.*)?		gen_context(system_u:object_r:container_file_t,s0)
 +
 +# add support vios-proxy-*
 +/usr/bin/vios-proxy-host	--	gen_context(system_u:object_r:virtd_exec_t,s0)
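Review bot: `/var/lib/rkt/cas(/.*)?` is relabeled from container_image_t to container_file_t, but the virt.if hunk later in this diff also introduces a `container_ro_file_t` type, and the diff does not say which of the two the rkt store is meant to be. If the cas directory is an image store that containers should only read, the read-only type is the safer label; if container_file_t is intended, a one-line comment above the entry (`# rkt image store: <reason placeholder>`) would document the choice.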
@@ -111958,10 +112003,10 @@ index a4f20bc..d8b1fd1 100644
 +/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index facdee8..31f7fd1 100644
+index facdee8..2cff369 100644
 --- a/virt.if
 +++ b/virt.if
-@@ -1,120 +1,110 @@
+@@ -1,120 +1,111 @@
 -## <summary>Libvirt virtualization API.</summary>
 +## <summary>Libvirt virtualization API</summary>
  
@@ -112065,7 +112110,7 @@ index facdee8..31f7fd1 100644
 -		pulseaudio_run($1_t, virt_domain_roles)
 +########################################
 +## <summary>
-+##	container_image_t stub interface.  No access allowed.
++##	container_file_t stub interface.  No access allowed.
 +## </summary>
 +## <param name="domain" unused="true">
 +##	<summary>
@@ -112075,7 +112120,7 @@ index facdee8..31f7fd1 100644
 +#
 +interface(`virt_stub_container_image',`
 +	gen_require(`
-+		type container_image_t;
++		type container_file_t;
  	')
 +')
  
@@ -112083,7 +112128,8 @@ index facdee8..31f7fd1 100644
 -		xserver_rw_shm($1_t)
 +interface(`virt_stub_svirt_sandbox_file',`
 +	gen_require(`
-+		type container_image_t;
++		type container_file_t;
++		type container_ro_file_t;
  	')
  ')
  
@@ -112153,7 +112199,7 @@ index facdee8..31f7fd1 100644
  ##	</summary>
  ## </param>
  #
-@@ -125,31 +115,32 @@ interface(`virt_image',`
+@@ -125,31 +116,32 @@ interface(`virt_image',`
  
  	typeattribute $1 virt_image_type;
  	files_type($1)
@@ -112198,7 +112244,7 @@ index facdee8..31f7fd1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -157,95 +148,71 @@ interface(`virt_domtrans',`
+@@ -157,95 +149,71 @@ interface(`virt_domtrans',`
  ##	</summary>
  ## </param>
  #
@@ -112318,7 +112364,7 @@ index facdee8..31f7fd1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -253,17 +220,18 @@ interface(`virt_run_virt_domain',`
+@@ -253,17 +221,18 @@ interface(`virt_run_virt_domain',`
  ##	</summary>
  ## </param>
  #
@@ -112342,7 +112388,7 @@ index facdee8..31f7fd1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -271,48 +239,36 @@ interface(`virt_signal_all_virt_domains',`
+@@ -271,48 +240,36 @@ interface(`virt_signal_all_virt_domains',`
  ##	</summary>
  ## </param>
  #
@@ -112402,7 +112448,7 @@ index facdee8..31f7fd1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -320,18 +276,18 @@ interface(`virt_run_svirt_lxc_domain',`
+@@ -320,18 +277,18 @@ interface(`virt_run_svirt_lxc_domain',`
  ##	</summary>
  ## </param>
  #
@@ -112427,7 +112473,7 @@ index facdee8..31f7fd1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -339,18 +295,18 @@ interface(`virt_getattr_virtd_exec_files',`
+@@ -339,18 +296,18 @@ interface(`virt_getattr_virtd_exec_files',`
  ##	</summary>
  ## </param>
  #
@@ -112451,7 +112497,7 @@ index facdee8..31f7fd1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -358,18 +314,20 @@ interface(`virt_stream_connect',`
+@@ -358,18 +315,20 @@ interface(`virt_stream_connect',`
  ##	</summary>
  ## </param>
  #
@@ -112477,7 +112523,7 @@ index facdee8..31f7fd1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -377,22 +335,20 @@ interface(`virt_attach_tun_iface',`
+@@ -377,22 +336,20 @@ interface(`virt_attach_tun_iface',`
  ##	</summary>
  ## </param>
  #
@@ -112505,7 +112551,7 @@ index facdee8..31f7fd1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -400,22 +356,17 @@ interface(`virt_read_config',`
+@@ -400,22 +357,17 @@ interface(`virt_read_config',`
  ##	</summary>
  ## </param>
  #
@@ -112532,7 +112578,7 @@ index facdee8..31f7fd1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -434,6 +385,7 @@ interface(`virt_read_content',`
+@@ -434,6 +386,7 @@ interface(`virt_read_content',`
  	read_files_pattern($1, virt_content_t, virt_content_t)
  	read_lnk_files_pattern($1, virt_content_t, virt_content_t)
  	read_blk_files_pattern($1, virt_content_t, virt_content_t)
@@ -112540,7 +112586,7 @@ index facdee8..31f7fd1 100644
  
  	tunable_policy(`virt_use_nfs',`
  		fs_list_nfs($1)
-@@ -450,8 +402,7 @@ interface(`virt_read_content',`
+@@ -450,8 +403,7 @@ interface(`virt_read_content',`
  
  ########################################
  ## <summary>
@@ -112550,7 +112596,7 @@ index facdee8..31f7fd1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -459,35 +410,17 @@ interface(`virt_read_content',`
+@@ -459,35 +411,17 @@ interface(`virt_read_content',`
  ##	</summary>
  ## </param>
  #
@@ -112589,7 +112635,7 @@ index facdee8..31f7fd1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -495,53 +428,38 @@ interface(`virt_manage_virt_content',`
+@@ -495,53 +429,38 @@ interface(`virt_manage_virt_content',`
  ##	</summary>
  ## </param>
  #
@@ -112654,7 +112700,7 @@ index facdee8..31f7fd1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -549,34 +467,21 @@ interface(`virt_home_filetrans_virt_content',`
+@@ -549,34 +468,21 @@ interface(`virt_home_filetrans_virt_content',`
  ##	</summary>
  ## </param>
  #
@@ -112697,7 +112743,7 @@ index facdee8..31f7fd1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -584,32 +489,36 @@ interface(`virt_manage_svirt_home_content',`
+@@ -584,32 +490,36 @@ interface(`virt_manage_svirt_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -112746,7 +112792,7 @@ index facdee8..31f7fd1 100644
  ##	</summary>
  ## </param>
  ## <param name="name" optional="true">
-@@ -618,54 +527,36 @@ interface(`virt_relabel_svirt_home_content',`
+@@ -618,54 +528,36 @@ interface(`virt_relabel_svirt_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -112810,7 +112856,7 @@ index facdee8..31f7fd1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -673,107 +564,607 @@ interface(`virt_home_filetrans',`
+@@ -673,107 +565,625 @@ interface(`virt_home_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -113165,15 +113211,15 @@ index facdee8..31f7fd1 100644
 +#
 +interface(`virt_exec_sandbox_files',`
 +	gen_require(`
-+		type container_image_t;
++		attribute svirt_file_type;
 +	')
 +
-+	can_exec($1, container_image_t)
++	can_exec($1, svirt_file_type)
 +')
 +
 +########################################
 +## <summary>
-+##	Allow any container_image_t to be an entrypoint of this domain
++##	Allow any svirt_file_type to be an entrypoint of this domain
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -113184,9 +113230,27 @@ index facdee8..31f7fd1 100644
 +#
 +interface(`virt_sandbox_entrypoint',`
 +	gen_require(`
-+		type container_image_t;
++		attribute svirt_file_type;
++	')
++	allow $1 svirt_file_type:file entrypoint;
++')
++
++#######################################
++## <summary>
++##	List Sandbox Dirs
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virt_list_sandbox_dirs',`
++	gen_require(`
++		type svirt_sandbox_file_t;
 +	')
-+	allow $1 container_image_t:file entrypoint;
++
++	list_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
 +')
 +
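Review bot: The new `virt_list_sandbox_dirs` requires `type svirt_sandbox_file_t;`, which is only an alias of `container_file_t` (the `typealias` in the virt.te hunk), while every other sandbox interface touched here has been moved to `attribute svirt_file_type;`; as written it will not let the caller list directories labelled with the new `container_ro_file_t`, unlike `virt_read_sandbox_files` in the next hunk which does cover them. Unless the narrower scope is deliberate, I would write `attribute svirt_file_type;` and `list_dirs_pattern($1, svirt_file_type, svirt_file_type)`, and in either case name the real type rather than the alias so a later removal of the alias does not break the interface. The interface summary `List Sandbox Dirs` could also say which types that covers.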
 +#######################################
@@ -113201,12 +113265,12 @@ index facdee8..31f7fd1 100644
 +#
 +interface(`virt_read_sandbox_files',`
 +	gen_require(`
-+		type container_image_t;
++		attribute svirt_file_type;
 +	')
 +
-+	list_dirs_pattern($1, container_image_t, container_image_t)
-+	read_files_pattern($1, container_image_t, container_image_t)
-+	read_lnk_files_pattern($1, container_image_t, container_image_t)
++	list_dirs_pattern($1, svirt_file_type, svirt_file_type)
++	read_files_pattern($1, svirt_file_type, svirt_file_type)
++	read_lnk_files_pattern($1, svirt_file_type, svirt_file_type)
 +')
 +
 +#######################################
@@ -113221,15 +113285,15 @@ index facdee8..31f7fd1 100644
 +#
 +interface(`virt_manage_sandbox_files',`
 +	gen_require(`
-+		type container_image_t;
++		attribute svirt_file_type;
 +	')
 +
-+	manage_dirs_pattern($1, container_image_t, container_image_t)
-+	manage_files_pattern($1, container_image_t, container_image_t)
-+	manage_fifo_files_pattern($1, container_image_t, container_image_t)
-+	manage_chr_files_pattern($1, container_image_t, container_image_t)
-+	manage_lnk_files_pattern($1, container_image_t, container_image_t)
-+	allow $1 container_image_t:dir_file_class_set { relabelfrom relabelto };
++	manage_dirs_pattern($1, svirt_file_type, svirt_file_type)
++	manage_files_pattern($1, svirt_file_type, svirt_file_type)
++	manage_fifo_files_pattern($1, svirt_file_type, svirt_file_type)
++	manage_chr_files_pattern($1, svirt_file_type, svirt_file_type)
++	manage_lnk_files_pattern($1, svirt_file_type, svirt_file_type)
++	allow $1 svirt_file_type:dir_file_class_set { relabelfrom relabelto };
 +')
 +
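Review bot: Switching `virt_manage_sandbox_files` from `type container_image_t` to `attribute svirt_file_type` gives every caller manage plus `relabelfrom relabelto` on all types carrying the attribute, which after this patch includes the new `container_ro_file_t` (declared with `svirt_file_type` in the virt.te hunk); the "read-only" property of that type then only holds against `svirt_sandbox_domain` (which gets list/read/exec in the final virt.te hunk) and not against any domain that is granted this interface. If that is intended — only a trusted runtime manages read-only image content — it should be stated in the interface summary, e.g. `##	Manage all sandbox file types, including read-only image content (container_ro_file_t).`; if not, keep the require as `type container_file_t;` here. The same widening applies to `virt_relabel_sandbox_filesystem` and `virt_mounton_sandbox_file` in the later hunks of this file section.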
 +#######################################
@@ -113244,10 +113308,10 @@ index facdee8..31f7fd1 100644
 +#
 +interface(`virt_getattr_sandbox_filesystem',`
 +	gen_require(`
-+		type container_image_t;
++		attribute svirt_file_type;
 +	')
 +
-+	allow $1 container_image_t:filesystem getattr;
++	allow $1 svirt_file_type:filesystem getattr;
 +')
 +
 +#######################################
@@ -113262,10 +113326,10 @@ index facdee8..31f7fd1 100644
 +#
 +interface(`virt_relabel_sandbox_filesystem',`
 +	gen_require(`
-+		type container_image_t;
++		attribute svirt_file_type;
 +	')
 +
-+	allow $1 container_image_t:filesystem { relabelfrom relabelto };
++	allow $1 svirt_file_type:filesystem { relabelfrom relabelto };
 +')
 +
 +#######################################
@@ -113280,10 +113344,10 @@ index facdee8..31f7fd1 100644
 +#
 +interface(`virt_mounton_sandbox_file',`
 +	gen_require(`
-+		type container_image_t;
++		attribute svirt_file_type;
 +	')
 +
-+	allow $1 container_image_t:dir_file_class_set mounton;
++	allow $1 svirt_file_type:dir_file_class_set mounton;
 +')
 +
 +#######################################
@@ -113299,11 +113363,11 @@ index facdee8..31f7fd1 100644
 +interface(`virt_stream_connect_sandbox',`
 +	gen_require(`
 +		attribute svirt_sandbox_domain;
-+		type container_image_t;
++		attribute svirt_file_type;
 +	')
 +
 +	files_search_pids($1)
-+	stream_connect_pattern($1, container_image_t, container_image_t, svirt_sandbox_domain)
++	stream_connect_pattern($1, svirt_file_type, svirt_file_type, svirt_sandbox_domain)
 +	ps_process_pattern(svirt_sandbox_domain, $1)
 +')
 +
@@ -113463,7 +113527,7 @@ index facdee8..31f7fd1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -781,19 +1172,17 @@ interface(`virt_home_filetrans_virt_home',`
+@@ -781,19 +1191,17 @@ interface(`virt_home_filetrans_virt_home',`
  ##	</summary>
  ## </param>
  #
@@ -113487,7 +113551,7 @@ index facdee8..31f7fd1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -801,18 +1190,17 @@ interface(`virt_read_pid_files',`
+@@ -801,18 +1209,17 @@ interface(`virt_read_pid_files',`
  ##	</summary>
  ## </param>
  #
@@ -113510,7 +113574,7 @@ index facdee8..31f7fd1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -820,18 +1208,17 @@ interface(`virt_manage_pid_files',`
+@@ -820,18 +1227,17 @@ interface(`virt_manage_pid_files',`
  ##	</summary>
  ## </param>
  #
@@ -113533,7 +113597,7 @@ index facdee8..31f7fd1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -839,192 +1226,243 @@ interface(`virt_search_lib',`
+@@ -839,192 +1245,247 @@ interface(`virt_search_lib',`
  ##	</summary>
  ## </param>
  #
@@ -113686,6 +113750,10 @@ index facdee8..31f7fd1 100644
 +
 +	kernel_read_system_state($1_t)
 +	kernel_read_all_proc($1_t)
++
++ #   optional_policy(`
++ #       container_runtime_typebounds($1_t)
++ #   ')
  ')
  
  ########################################
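Review bot: The three added lines are commented-out policy (`#   optional_policy(` … `container_runtime_typebounds($1_t)` … `#   ')`) with space indentation in a tab-indented file and no explanation of why the typebounds is disabled, so the next reader cannot tell whether it is pending, abandoned, or known to break something. Either drop the dead block or replace it with a single comment such as `# TODO: container_runtime_typebounds($1_t) — disabled until <reason>` (reason to be supplied by the author). The enclosing template that defines `$1_t` starts outside this hunk.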
@@ -113857,7 +113925,7 @@ index facdee8..31f7fd1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1032,20 +1470,17 @@ interface(`virt_read_images',`
+@@ -1032,20 +1493,17 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -113882,7 +113950,7 @@ index facdee8..31f7fd1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1053,15 +1488,17 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,15 +1511,17 @@ interface(`virt_rw_all_image_chr_files',`
  ##	</summary>
  ## </param>
  #
@@ -113905,7 +113973,7 @@ index facdee8..31f7fd1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1069,21 +1506,17 @@ interface(`virt_manage_svirt_cache',`
+@@ -1069,21 +1529,17 @@ interface(`virt_manage_svirt_cache',`
  ##	</summary>
  ## </param>
  #
@@ -113931,7 +113999,7 @@ index facdee8..31f7fd1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1091,36 +1524,18 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1547,18 @@ interface(`virt_manage_virt_cache',`
  ##	</summary>
  ## </param>
  #
@@ -113973,7 +114041,7 @@ index facdee8..31f7fd1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1136,50 +1551,76 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1574,109 @@ interface(`virt_manage_images',`
  #
  interface(`virt_admin',`
  	gen_require(`
@@ -114012,26 +114080,20 @@ index facdee8..31f7fd1 100644
  
 -	fs_search_tmpfs($1)
 -	admin_pattern($1, virt_tmpfs_type)
--
--	files_search_tmp($1)
--	admin_pattern($1, { virt_tmp_type virt_tmp_t })
--
--	files_search_etc($1)
--	admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
 +	allow $1 virt_domain:process signal_perms;
  
--	logging_search_logs($1)
--	admin_pattern($1, virt_log_t)
+-	files_search_tmp($1)
+-	admin_pattern($1, { virt_tmp_type virt_tmp_t })
 +	admin_pattern($1, virt_file_type)
 +	admin_pattern($1, svirt_file_type)
  
--	files_search_pids($1)
--	admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
+-	files_search_etc($1)
+-	admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
 +	virt_systemctl($1)
 +	allow $1 virtd_unit_file_t:service all_service_perms;
  
--	files_search_var($1)
--	admin_pattern($1, svirt_cache_t)
+-	logging_search_logs($1)
+-	admin_pattern($1, virt_log_t)
 +	virt_stream_connect_sandbox($1)
 +	virt_stream_connect_svirt($1)
 +	virt_stream_connect($1)
@@ -114051,16 +114113,16 @@ index facdee8..31f7fd1 100644
 +		attribute sandbox_caps_domain;
 +	')
  
--	files_search_var_lib($1)
--	admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t })
+-	files_search_pids($1)
+-	admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
 +	typeattribute $1 sandbox_caps_domain;
 +')
  
--	files_search_locks($1)
--	admin_pattern($1, virt_lock_t)
+-	files_search_var($1)
+-	admin_pattern($1, svirt_cache_t)
  
--	dev_list_all_dev_nodes($1)
--	allow $1 virt_ptynode:chr_file rw_term_perms;
+-	files_search_var_lib($1)
+-	admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t })
 +########################################
 +## <summary>
 +##      Send and receive messages from
@@ -114081,12 +114143,49 @@ index facdee8..31f7fd1 100644
 +        allow $1 virtd_t:dbus send_msg;
 +        allow virtd_t $1:dbus send_msg;
 +        ps_process_pattern(virtd_t, $1)
++')
+ 
+-	files_search_locks($1)
+-	admin_pattern($1, virt_lock_t)
++########################################
++## <summary>
++##	Execute a file in a sandbox directory
++##	in the specified domain.
++## </summary>
++## <desc>
++##	<p>
++##	Execute a file in a sandbox directory
++##	in the specified domain.  This allows
++##	the specified domain to execute any file
++##	on these filesystems in the specified
++##	domain.
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++## <param name="target_domain">
++##	<summary>
++##	The type of the new process.
++##	</summary>
++## </param>
++#
++interface(`virt_sandbox_domtrans',`
++	gen_require(`
++		type container_file_t;
++	')
+ 
+-	dev_list_all_dev_nodes($1)
+-	allow $1 virt_ptynode:chr_file rw_term_perms;
++	domtrans_pattern($1,container_file_t, $2)
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..d369e60 100644
+index f03dcf5..923fbbe 100644
 --- a/virt.te
 +++ b/virt.te
-@@ -1,451 +1,400 @@
+@@ -1,451 +1,403 @@
 -policy_module(virt, 1.7.4)
 +policy_module(virt, 1.5.0)
  
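Review bot: `virt_sandbox_domtrans` only requires `type container_file_t;`, while the sibling `virt_sandbox_entrypoint` in this same file section now grants `entrypoint` on the whole `svirt_file_type` attribute, so a file labelled with the new `container_ro_file_t` can be an entrypoint but cannot be used through this transition interface; if read-only image content is meant to be runnable, this should be `attribute svirt_file_type;` and `domtrans_pattern($1, svirt_file_type, $2)`, and either way the call is missing a space after the first comma (`domtrans_pattern($1,container_file_t, $2)`). The `<desc>` block says the caller may "execute any file on these filesystems", which is correct but would be more precise as `domtrans_pattern` semantics: the caller gets execute on the labelled files and `$2` gets them as entrypoint. Since `container_file_t` is also writable by `svirt_sandbox_domain` per the virt.te hunk, the doc should make clear that any file the sandbox writes under that label becomes a valid entrypoint for `$2`.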
@@ -114642,28 +114741,30 @@ index f03dcf5..d369e60 100644
 -optional_policy(`
 -	dbus_read_lib_files(virt_domain)
 -')
--
--optional_policy(`
--	nscd_use(virt_domain)
--')
 +type virtd_lxc_t, virt_system_domain;
 +type virtd_lxc_exec_t, virt_file_type;
 +init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
  
 -optional_policy(`
--	samba_domtrans_smbd(virt_domain)
+-	nscd_use(virt_domain)
 -')
 +type virt_lxc_var_run_t, virt_file_type;
 +files_pid_file(virt_lxc_var_run_t)
 +typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
  
 -optional_policy(`
--	xen_rw_image_files(virt_domain)
+-	samba_domtrans_smbd(virt_domain)
 -')
 +# virt lxc container files
-+type container_image_t, svirt_file_type;
-+typealias container_image_t alias { svirt_sandbox_file_t svirt_lxc_file_t };
-+files_mountpoint(container_image_t)
++type container_file_t, svirt_file_type;
++typealias container_file_t alias { svirt_sandbox_file_t svirt_lxc_file_t };
++files_mountpoint(container_file_t)
+ 
+-optional_policy(`
+-	xen_rw_image_files(virt_domain)
+-')
++type container_ro_file_t, svirt_file_type;
++files_mountpoint(container_ro_file_t)
  
  ########################################
  #
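Review bot: The new `type container_ro_file_t, svirt_file_type;` gets `files_mountpoint()` but, unlike `container_file_t`, none of the other attributes the later hunks apply to its sibling (`fs_noxattr_type` and `term_pty` in the container_t, svirt_qemu_net_t and svirt_kvm_net_t sections), and no virt.fc hunk in this patch labels any path with it, so it is presumably only ever applied by a runtime at mount/relabel time. Whether those omissions are deliberate or not is not visible from here; a comment next to the declaration would settle it, e.g. `# read-only image content; labelled by the runtime, never by file contexts`. The block comment above the types still reads `# virt lxc container files` and could mention both types.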
@@ -114675,17 +114776,17 @@ index f03dcf5..d369e60 100644
 -
 -dontaudit svirt_t virt_content_t:file write_file_perms;
 -dontaudit svirt_t virt_content_t:dir rw_dir_perms;
-+allow svirt_t self:process ptrace;
- 
+-
 -append_files_pattern(svirt_t, virt_home_t, virt_home_t)
 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
 -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
 -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
++allow svirt_t self:process ptrace;
+ 
+-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
 +# it was a part of auth_use_nsswitch
 +allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
  
--filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
--
 -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
 -
 -corenet_udp_sendrecv_generic_if(svirt_t)
@@ -114798,7 +114899,7 @@ index f03dcf5..d369e60 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +404,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +407,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
@@ -114845,7 +114946,7 @@ index f03dcf5..d369e60 100644
  logging_log_filetrans(virtd_t, virt_log_t, { file dir })
  
  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,23 +439,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,23 +442,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -114878,7 +114979,7 @@ index f03dcf5..d369e60 100644
  
  corecmd_exec_bin(virtd_t)
  corecmd_exec_shell(virtd_t)
-@@ -527,24 +464,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +467,16 @@ corecmd_exec_shell(virtd_t)
  corenet_all_recvfrom_netlabel(virtd_t)
  corenet_tcp_sendrecv_generic_if(virtd_t)
  corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -114906,7 +115007,7 @@ index f03dcf5..d369e60 100644
  dev_rw_sysfs(virtd_t)
  dev_read_urand(virtd_t)
  dev_read_rand(virtd_t)
-@@ -555,20 +484,26 @@ dev_rw_vhost(virtd_t)
+@@ -555,20 +487,26 @@ dev_rw_vhost(virtd_t)
  dev_setattr_generic_usb_dev(virtd_t)
  dev_relabel_generic_usb_dev(virtd_t)
  
@@ -114937,7 +115038,7 @@ index f03dcf5..d369e60 100644
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_all_fs(virtd_t)
  fs_rw_anon_inodefs_files(virtd_t)
-@@ -601,15 +536,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +539,18 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -114957,7 +115058,7 @@ index f03dcf5..d369e60 100644
  
  selinux_validate_context(virtd_t)
  
-@@ -620,18 +558,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +561,26 @@ seutil_read_file_contexts(virtd_t)
  sysnet_signull_ifconfig(virtd_t)
  sysnet_signal_ifconfig(virtd_t)
  sysnet_domtrans_ifconfig(virtd_t)
@@ -114994,7 +115095,7 @@ index f03dcf5..d369e60 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -640,7 +586,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -640,7 +589,7 @@ tunable_policy(`virt_use_nfs',`
  ')
  
  tunable_policy(`virt_use_samba',`
@@ -115003,7 +115104,7 @@ index f03dcf5..d369e60 100644
  	fs_manage_cifs_files(virtd_t)
  	fs_read_cifs_symlinks(virtd_t)
  ')
-@@ -665,20 +611,12 @@ optional_policy(`
+@@ -665,20 +614,12 @@ optional_policy(`
  	')
  
  	optional_policy(`
@@ -115024,7 +115125,7 @@ index f03dcf5..d369e60 100644
  ')
  
  optional_policy(`
-@@ -691,20 +629,26 @@ optional_policy(`
+@@ -691,20 +632,26 @@ optional_policy(`
  	dnsmasq_kill(virtd_t)
  	dnsmasq_signull(virtd_t)
  	dnsmasq_create_pid_dirs(virtd_t)
@@ -115035,11 +115136,12 @@ index f03dcf5..d369e60 100644
  ')
  
  optional_policy(`
+-	iptables_domtrans(virtd_t)
 +	firewalld_dbus_chat(virtd_t)
 +')
 +
 +optional_policy(`
- 	iptables_domtrans(virtd_t)
++	iptables_domtrans(virtd_t)
  	iptables_initrc_domtrans(virtd_t)
 +	iptables_systemctl(virtd_t)
 +
@@ -115055,7 +115157,7 @@ index f03dcf5..d369e60 100644
  ')
  
  optional_policy(`
-@@ -712,11 +656,18 @@ optional_policy(`
+@@ -712,11 +659,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -115074,7 +115176,7 @@ index f03dcf5..d369e60 100644
  	policykit_domtrans_auth(virtd_t)
  	policykit_domtrans_resolve(virtd_t)
  	policykit_read_lib(virtd_t)
-@@ -727,10 +678,18 @@ optional_policy(`
+@@ -727,10 +681,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -115093,7 +115195,7 @@ index f03dcf5..d369e60 100644
  	kernel_read_xen_state(virtd_t)
  	kernel_write_xen_state(virtd_t)
  
-@@ -746,44 +705,336 @@ optional_policy(`
+@@ -746,44 +708,336 @@ optional_policy(`
  	udev_read_pid_files(virtd_t)
  ')
  
@@ -115291,7 +115393,7 @@ index f03dcf5..d369e60 100644
 +storage_raw_read_removable_device(virt_domain)
 +
 +sysnet_read_config(virt_domain)
- 
++
 +term_use_all_inherited_terms(virt_domain)
 +term_getattr_pty_fs(virt_domain)
 +term_use_generic_ptys(virt_domain)
@@ -115304,7 +115406,7 @@ index f03dcf5..d369e60 100644
 +optional_policy(`
 +	alsa_read_rw_config(virt_domain)
 +')
-+
+ 
 +optional_policy(`
 +	nscd_dontaudit_write_sock_file(virt_domain)
 +')
@@ -115433,12 +115535,12 @@ index f03dcf5..d369e60 100644
 +manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
 +manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
 +
-+manage_dirs_pattern(virsh_t, container_image_t, container_image_t)
-+manage_files_pattern(virsh_t, container_image_t, container_image_t)
-+manage_chr_files_pattern(virsh_t, container_image_t, container_image_t)
-+manage_lnk_files_pattern(virsh_t, container_image_t, container_image_t)
-+manage_sock_files_pattern(virsh_t, container_image_t, container_image_t)
-+manage_fifo_files_pattern(virsh_t, container_image_t, container_image_t)
++manage_dirs_pattern(virsh_t, container_file_t, container_file_t)
++manage_files_pattern(virsh_t, container_file_t, container_file_t)
++manage_chr_files_pattern(virsh_t, container_file_t, container_file_t)
++manage_lnk_files_pattern(virsh_t, container_file_t, container_file_t)
++manage_sock_files_pattern(virsh_t, container_file_t, container_file_t)
++manage_fifo_files_pattern(virsh_t, container_file_t, container_file_t)
 +virt_transition_svirt_sandbox(virsh_t, system_r)
 +
 +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
@@ -115452,7 +115554,7 @@ index f03dcf5..d369e60 100644
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1045,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1048,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -115479,7 +115581,7 @@ index f03dcf5..d369e60 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1065,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1068,25 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -115513,7 +115615,7 @@ index f03dcf5..d369e60 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1102,20 @@ optional_policy(`
+@@ -856,14 +1105,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -115535,7 +115637,7 @@ index f03dcf5..d369e60 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -888,49 +1140,66 @@ optional_policy(`
+@@ -888,49 +1143,66 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -115598,15 +115700,15 @@ index f03dcf5..d369e60 100644
 +files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir })
 +filetrans_pattern(virtd_lxc_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
 +
-+manage_dirs_pattern(virtd_lxc_t, container_image_t, container_image_t)
-+manage_files_pattern(virtd_lxc_t, container_image_t, container_image_t)
-+manage_chr_files_pattern(virtd_lxc_t, container_image_t, container_image_t)
-+manage_lnk_files_pattern(virtd_lxc_t, container_image_t, container_image_t)
-+manage_sock_files_pattern(virtd_lxc_t, container_image_t, container_image_t)
-+manage_fifo_files_pattern(virtd_lxc_t, container_image_t, container_image_t)
-+allow virtd_lxc_t container_image_t:dir_file_class_set { relabelto relabelfrom };
-+allow virtd_lxc_t container_image_t:filesystem { relabelto relabelfrom };
-+files_associate_rootfs(container_image_t)
++manage_dirs_pattern(virtd_lxc_t, container_file_t, container_file_t)
++manage_files_pattern(virtd_lxc_t, container_file_t, container_file_t)
++manage_chr_files_pattern(virtd_lxc_t, container_file_t, container_file_t)
++manage_lnk_files_pattern(virtd_lxc_t, container_file_t, container_file_t)
++manage_sock_files_pattern(virtd_lxc_t, container_file_t, container_file_t)
++manage_fifo_files_pattern(virtd_lxc_t, container_file_t, container_file_t)
++allow virtd_lxc_t container_file_t:dir_file_class_set { relabelto relabelfrom };
++allow virtd_lxc_t container_file_t:filesystem { relabelto relabelfrom };
++files_associate_rootfs(container_file_t)
 +
 +seutil_read_file_contexts(virtd_lxc_t)
  
@@ -115620,7 +115722,7 @@ index f03dcf5..d369e60 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1211,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1214,16 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -115634,13 +115736,13 @@ index f03dcf5..d369e60 100644
  files_unmount_all_file_type_fs(virtd_lxc_t)
  files_list_isid_type_dirs(virtd_lxc_t)
 -files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
-+files_root_filetrans(virtd_lxc_t, container_image_t, dir_file_class_set)
++files_root_filetrans(virtd_lxc_t, container_file_t, dir_file_class_set)
  
 +fs_read_fusefs_files(virtd_lxc_t)
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1232,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1235,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -115664,7 +115766,7 @@ index f03dcf5..d369e60 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1257,360 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1260,360 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -115746,26 +115848,26 @@ index f03dcf5..d369e60 100644
 +allow svirt_sandbox_domain virtd_lxc_t:fd use;
 +allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
 +
-+manage_dirs_pattern(svirt_sandbox_domain, container_image_t, container_image_t)
-+manage_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t)
-+manage_lnk_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t)
-+manage_sock_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t)
-+manage_fifo_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t)
-+allow svirt_sandbox_domain container_image_t:file { execmod relabelfrom relabelto };
-+allow svirt_sandbox_domain container_image_t:dir { execmod relabelfrom relabelto };
-+virt_mounton_sandbox_file(svirt_sandbox_domain)
-+
-+list_dirs_pattern(svirt_sandbox_domain, container_image_t, container_image_t)
-+read_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t)
-+read_lnk_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t)
-+allow svirt_sandbox_domain container_image_t:file execmod;
-+can_exec(svirt_sandbox_domain, container_image_t)
-+
-+allow svirt_sandbox_domain container_image_t:blk_file setattr;
-+rw_blk_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t)
-+can_exec(svirt_sandbox_domain, container_image_t)
-+allow svirt_sandbox_domain container_image_t:dir mounton;
-+allow svirt_sandbox_domain container_image_t:filesystem { getattr remount };
++manage_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
++manage_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
++manage_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
++manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
++manage_fifo_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
++allow svirt_sandbox_domain container_file_t:file { execmod relabelfrom relabelto };
++allow svirt_sandbox_domain container_file_t:dir { execmod relabelfrom relabelto };
++allow svirt_sandbox_domain svirt_file_type:dir_file_class_set mounton;
++
++list_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
++read_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
++read_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
++allow svirt_sandbox_domain container_file_t:file execmod;
++can_exec(svirt_sandbox_domain, container_file_t)
++
++allow svirt_sandbox_domain container_file_t:blk_file setattr;
++rw_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
++can_exec(svirt_sandbox_domain, container_file_t)
++allow svirt_sandbox_domain container_file_t:dir mounton;
++allow svirt_sandbox_domain container_file_t:filesystem { getattr remount };
 +
 +kernel_getattr_proc(svirt_sandbox_domain)
 +kernel_list_all_proc(svirt_sandbox_domain)
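Review bot: After the rename the `svirt_sandbox_domain` block carries several redundant rules that the new-side text still keeps: `can_exec(svirt_sandbox_domain, container_file_t)` appears twice, `allow svirt_sandbox_domain container_file_t:file execmod;` repeats the `execmod` already granted in the `{ execmod relabelfrom relabelto }` set a few lines above, and `allow svirt_sandbox_domain container_file_t:dir mounton;` is now subsumed by the new `allow svirt_sandbox_domain svirt_file_type:dir_file_class_set mounton;` that replaced the `virt_mounton_sandbox_file` call. Since every one of these lines was touched by the rename, this is the natural commit in which to drop the duplicates so the effective permission set can be read off the block directly.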
@@ -115969,7 +116071,7 @@ index f03dcf5..d369e60 100644
 -	apache_read_sys_content(svirt_lxc_domain)
 +    container_read_share_files(svirt_sandbox_domain)
 +    container_exec_share_files(svirt_sandbox_domain)
-+    container_lib_filetrans(svirt_sandbox_domain,container_image_t, sock_file)
++    container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file)
 +    container_use_ptys(svirt_sandbox_domain)
 +    container_spc_stream_connect(svirt_sandbox_domain)
 +    fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
@@ -115988,7 +116090,7 @@ index f03dcf5..d369e60 100644
 +dontaudit container_t self:capability fsetid;
 +dontaudit container_t self:capability2  block_suspend ;
 +allow container_t self:process { execstack execmem };
-+manage_chr_files_pattern(container_t, container_image_t, container_image_t)
++manage_chr_files_pattern(container_t, container_file_t, container_file_t)
 +kernel_load_module(container_t)
 +
 +tunable_policy(`virt_sandbox_use_sys_admin',`
@@ -116061,7 +116163,7 @@ index f03dcf5..d369e60 100644
 -fs_mount_cgroup(svirt_lxc_net_t)
 -fs_manage_cgroup_dirs(svirt_lxc_net_t)
 -fs_rw_cgroup_files(svirt_lxc_net_t)
-+fs_noxattr_type(container_image_t)
++fs_noxattr_type(container_file_t)
 +# Do we actually need these?
 +fs_mount_cgroup(container_t)
 +fs_manage_cgroup_dirs(container_t)
@@ -116070,7 +116172,7 @@ index f03dcf5..d369e60 100644
 +fs_unmount_xattr_fs(container_t)
  
 -auth_use_nsswitch(svirt_lxc_net_t)
-+term_pty(container_image_t)
++term_pty(container_file_t)
  
 -logging_send_audit_msgs(svirt_lxc_net_t)
 +auth_use_nsswitch(container_t)
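Review bot: `fs_noxattr_type(container_file_t)` and `term_pty(container_file_t)` are type-level declarations, yet they are repeated under the container_t section here and again under the svirt_qemu_net_t and svirt_kvm_net_t sections in the two later hunks of this file; they have no per-domain effect and should be declared once, next to the `type container_file_t, svirt_file_type;` line. Keeping one copy also makes it obvious that `container_ro_file_t` is not given the same attributes, which is currently easy to miss.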
@@ -116136,12 +116238,12 @@ index f03dcf5..d369e60 100644
 +
 +files_read_kernel_modules(svirt_qemu_net_t)
 +
-+fs_noxattr_type(container_image_t)
++fs_noxattr_type(container_file_t)
 +fs_mount_cgroup(svirt_qemu_net_t)
 +fs_manage_cgroup_dirs(svirt_qemu_net_t)
 +fs_manage_cgroup_files(svirt_qemu_net_t)
 +
-+term_pty(container_image_t)
++term_pty(container_file_t)
 +
 +auth_use_nsswitch(svirt_qemu_net_t)
 +
@@ -116169,7 +116271,7 @@ index f03dcf5..d369e60 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1174,12 +1623,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1626,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -116184,7 +116286,7 @@ index f03dcf5..d369e60 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1192,7 +1641,7 @@ optional_policy(`
+@@ -1192,7 +1644,7 @@ optional_policy(`
  
  ########################################
  #
@@ -116193,7 +116295,7 @@ index f03dcf5..d369e60 100644
  #
  
  allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1650,257 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1653,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
  allow virt_bridgehelper_t self:tun_socket create_socket_perms;
  allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
  
@@ -116403,12 +116505,12 @@ index f03dcf5..d369e60 100644
 +
 +files_read_kernel_modules(svirt_kvm_net_t)
 +
-+fs_noxattr_type(container_image_t)
++fs_noxattr_type(container_file_t)
 +fs_mount_cgroup(svirt_kvm_net_t)
 +fs_manage_cgroup_dirs(svirt_kvm_net_t)
 +fs_manage_cgroup_files(svirt_kvm_net_t)
 +
-+term_pty(container_image_t)
++term_pty(container_file_t)
 +
 +auth_use_nsswitch(svirt_kvm_net_t)
 +
@@ -116453,6 +116555,11 @@ index f03dcf5..d369e60 100644
 +
 +allow sandbox_caps_domain self:capability { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
 +
++list_dirs_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t)
++read_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t)
++read_lnk_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t)
++allow svirt_sandbox_domain container_ro_file_t:file execmod;
++can_exec(svirt_sandbox_domain, container_ro_file_t)
 diff --git a/vlock.te b/vlock.te
 index 6b72968..de409cc 100644
 --- a/vlock.te
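Review bot: The unconditional `allow svirt_sandbox_domain container_ro_file_t:file execmod;` gives every sandbox domain the right to execute privately modified mappings of read-only container content, which is exactly the W^X property that the surrounding list/read/`can_exec` grants otherwise preserve. Unlike the `execstack execmem` grant earlier in this file, which is `self`-scoped, this one applies to shared files whose origin (image layers, host-provided content) is not visible in the hunk. The file already gates comparable relaxations behind `tunable_policy(`virt_sandbox_use_sys_admin',...)`, so either place execmod behind a similar boolean or document why it must be unconditional, e.g. `# execmod: read-only image libraries may need text relocations (confirm) -- loosens W^X for all sandbox domains`. The svirt_sandbox_domain / sandbox_caps_domain block these lines extend starts outside this hunk.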
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4a40174..2bd0710 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 219%{?dist}
+Release: 220%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -675,6 +675,25 @@ exit 0
 %endif
 
 %changelog
+* Sun Oct 16 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-220
+- Disable container_runtime_typebounds() due to typebounds issues which can not be resolved during build.
+- Disable unconfined_typebounds in sandbox.te due to entrypoint check which exceed for sandbox domains unconfined_t domain.
+- Disable unconfined_typebounds due to entrypoint check which exceed for sandbox domains unconfined_t domain.
+- Merge pull request #167 from rhatdan/container
+- Add transition rules for sandbox domains
+- container_typebounds() should be part of sandbox domain template
+- Fix broken container_* interfaces
+- unconfined_typebounds() should be part of sandbox domain template
+- Fixed unrecognized characters at sandboxX module
+- unconfined_typebounds() should be part of sandbox domain template
+- svirt_file_type is atribute no type.
+- Merge pull request #166 from rhatdan/container
+- Allow users to transition from unconfined_t to container types
+- Add dbus_stream_connect_system_dbusd() interface.
+- Merge pull request #152 from rhatdan/network_filetrans
+- Fix typo in filesystem module
+- Allow nss_plugin to resolve host names via the systemd-resolved. BZ(1383473)
+
 * Mon Oct 10 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-219
 - Dontaudit leaked file descriptors for thumb. BZ(1383071)
 - Fix typo in cobbler SELinux module