diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index f1022ab..fd92246 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 736b123..26f2fe8 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -40564,7 +40564,7 @@ index 0e3c2a9..ea9bd57 100644
 +	userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
 +')
 diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 446fa99..22f539c 100644
+index 446fa99..d66491c 100644
 --- a/policy/modules/system/locallogin.te
 +++ b/policy/modules/system/locallogin.te
 @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@@ -40588,7 +40588,7 @@ index 446fa99..22f539c 100644
 +')
 +
 +ifdef(`enable_mls',`
-+	init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, mls_systemhigh)
++	init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, s0 - mls_systemhigh)
 +')
 +
  ########################################
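Review bot: The new range `s0 - mls_systemhigh` on the `init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, ...)` line carries no comment explaining why sulogin's low level drops from `mls_systemhigh` to `s0`. On an MLS system this presumably changes the current level at which the single-user login session starts, which is a security-relevant decision worth recording next to the rule, e.g. `# sulogin runs at s0 with clearance up to systemhigh (REASON / bug reference)`. Only the enable_mls block is visible in this hunk; the rest of locallogin.te lies outside it, so whether the domains sulogin transitions to accept an s0 current level should be checked against the full file.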
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 522ac0c..ff08db5 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -2275,7 +2275,7 @@ index 7f4dfbc..e5c9f45 100644
  /usr/sbin/amrecover	--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
  
 diff --git a/amanda.te b/amanda.te
-index 519051c..0f871e6 100644
+index 519051c..69a4c66 100644
 --- a/amanda.te
 +++ b/amanda.te
 @@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
@@ -2313,7 +2313,15 @@ index 519051c..0f871e6 100644
  filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
  
  allow amanda_t amanda_dumpdates_t:file rw_file_perms;
-@@ -100,13 +104,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
+@@ -81,6 +85,7 @@ allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
+ 
+ manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
+ manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
++files_var_lib_filetrans(amanda_t, amanda_var_lib_t, dir)
+ 
+ manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t)
+ manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t)
+@@ -100,13 +105,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
  corecmd_exec_shell(amanda_t)
  corecmd_exec_bin(amanda_t)
  
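Review bot: `files_var_lib_filetrans(amanda_t, amanda_var_lib_t, dir)` is an unnamed type transition, so every directory amanda_t creates directly under the var_lib_t parent gets amanda_var_lib_t, not only Amanda's own state directory. If that directory's name is fixed (its file-context entry is not visible in this hunk), a named transition keeps the rule as narrow as the intent: `files_var_lib_filetrans(amanda_t, amanda_var_lib_t, dir, "STATE_DIR_NAME")`, with the placeholder replaced by the real name. The same patch already uses the named form elsewhere, e.g. `files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock")`.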
@@ -2330,7 +2338,7 @@ index 519051c..0f871e6 100644
  corenet_sendrecv_all_server_packets(amanda_t)
  corenet_tcp_bind_all_rpc_ports(amanda_t)
  corenet_tcp_bind_generic_port(amanda_t)
-@@ -114,6 +120,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
+@@ -114,6 +121,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
  
  dev_getattr_all_blk_files(amanda_t)
  dev_getattr_all_chr_files(amanda_t)
@@ -2338,7 +2346,7 @@ index 519051c..0f871e6 100644
  
  files_read_etc_runtime_files(amanda_t)
  files_list_all(amanda_t)
-@@ -130,6 +137,7 @@ fs_list_all(amanda_t)
+@@ -130,6 +138,7 @@ fs_list_all(amanda_t)
  storage_raw_read_fixed_disk(amanda_t)
  storage_read_tape(amanda_t)
  storage_write_tape(amanda_t)
@@ -2346,7 +2354,7 @@ index 519051c..0f871e6 100644
  
  auth_use_nsswitch(amanda_t)
  auth_read_shadow(amanda_t)
-@@ -170,7 +178,6 @@ kernel_read_system_state(amanda_recover_t)
+@@ -170,7 +179,6 @@ kernel_read_system_state(amanda_recover_t)
  corecmd_exec_shell(amanda_recover_t)
  corecmd_exec_bin(amanda_recover_t)
  
@@ -2354,7 +2362,7 @@ index 519051c..0f871e6 100644
  corenet_all_recvfrom_netlabel(amanda_recover_t)
  corenet_tcp_sendrecv_generic_if(amanda_recover_t)
  corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -195,12 +202,16 @@ files_search_tmp(amanda_recover_t)
+@@ -195,12 +203,16 @@ files_search_tmp(amanda_recover_t)
  
  auth_use_nsswitch(amanda_recover_t)
  
@@ -37938,10 +37946,18 @@ index fbb54e7..05c3777 100644
  
  ########################################
 diff --git a/inetd.te b/inetd.te
-index c6450df..6304b00 100644
+index c6450df..ed6af79 100644
 --- a/inetd.te
 +++ b/inetd.te
-@@ -37,9 +37,9 @@ ifdef(`enable_mcs',`
+@@ -21,6 +21,7 @@ files_pid_file(inetd_var_run_t)
+ type inetd_child_t;
+ type inetd_child_exec_t;
+ inetd_service_domain(inetd_child_t, inetd_child_exec_t)
++init_daemon_domain(inetd_child_t, inetd_child_exec_t)
+ 
+ type inetd_child_tmp_t;
+ files_tmp_file(inetd_child_tmp_t)
+@@ -37,9 +38,9 @@ ifdef(`enable_mcs',`
  # Local policy
  #
  
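Review bot: Adding `init_daemon_domain(inetd_child_t, inetd_child_exec_t)` directly after `inetd_service_domain(inetd_child_t, inetd_child_exec_t)` gives inetd_child_t a second entry path, from init, and nothing in the hunk says which service needs it. Because this widens who may start the domain rather than what the domain may do, a one-line comment would help later audits, e.g. `# inetd_child services can also be started by init directly, not only by inetd_t (REASON)`. The stated reason is a placeholder and should be replaced with the actual one. It is also worth confirming that whatever else the macro attaches to a daemon domain is wanted for these small services, since the macro body is not on this page.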
@@ -37953,7 +37969,7 @@ index c6450df..6304b00 100644
  allow inetd_t self:fifo_file rw_fifo_file_perms;
  allow inetd_t self:tcp_socket { accept listen };
  allow inetd_t self:fd use;
-@@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t)
+@@ -61,6 +62,7 @@ kernel_read_system_state(inetd_t)
  kernel_tcp_recvfrom_unlabeled(inetd_t)
  
  corecmd_bin_domtrans(inetd_t, inetd_child_t)
@@ -37961,7 +37977,7 @@ index c6450df..6304b00 100644
  
  corenet_all_recvfrom_unlabeled(inetd_t)
  corenet_all_recvfrom_netlabel(inetd_t)
-@@ -98,6 +99,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t)
+@@ -98,6 +100,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t)
  corenet_tcp_bind_inetd_child_port(inetd_t)
  corenet_udp_bind_inetd_child_port(inetd_t)
  
@@ -37973,7 +37989,7 @@ index c6450df..6304b00 100644
  corenet_sendrecv_ircd_server_packets(inetd_t)
  corenet_tcp_bind_ircd_port(inetd_t)
  
-@@ -141,6 +147,9 @@ corenet_sendrecv_git_server_packets(inetd_t)
+@@ -141,6 +148,9 @@ corenet_sendrecv_git_server_packets(inetd_t)
  corenet_tcp_bind_git_port(inetd_t)
  corenet_udp_bind_git_port(inetd_t)
  
@@ -37983,7 +37999,7 @@ index c6450df..6304b00 100644
  dev_read_sysfs(inetd_t)
  
  domain_use_interactive_fds(inetd_t)
-@@ -157,8 +166,6 @@ auth_use_nsswitch(inetd_t)
+@@ -157,8 +167,6 @@ auth_use_nsswitch(inetd_t)
  
  logging_send_syslog_msg(inetd_t)
  
@@ -37992,7 +38008,7 @@ index c6450df..6304b00 100644
  mls_fd_share_all_levels(inetd_t)
  mls_socket_read_to_clearance(inetd_t)
  mls_socket_write_to_clearance(inetd_t)
-@@ -188,17 +195,13 @@ optional_policy(`
+@@ -188,17 +196,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38011,7 +38027,7 @@ index c6450df..6304b00 100644
  ########################################
  #
  # Child local policy
-@@ -220,6 +223,16 @@ kernel_read_kernel_sysctls(inetd_child_t)
+@@ -220,6 +224,16 @@ kernel_read_kernel_sysctls(inetd_child_t)
  kernel_read_network_state(inetd_child_t)
  kernel_read_system_state(inetd_child_t)
  
@@ -38028,7 +38044,7 @@ index c6450df..6304b00 100644
  dev_read_urand(inetd_child_t)
  
  fs_getattr_xattr_fs(inetd_child_t)
-@@ -230,7 +243,15 @@ auth_use_nsswitch(inetd_child_t)
+@@ -230,7 +244,15 @@ auth_use_nsswitch(inetd_child_t)
  
  logging_send_syslog_msg(inetd_child_t)
  
@@ -79153,10 +79169,10 @@ index 6643b49..dd0c3d3 100644
  
  optional_policy(`
 diff --git a/puppet.fc b/puppet.fc
-index d68e26d..2542f5a 100644
+index d68e26d..3b08cfd 100644
 --- a/puppet.fc
 +++ b/puppet.fc
-@@ -1,18 +1,22 @@
+@@ -1,18 +1,23 @@
 -/etc/puppet(/.*)?	gen_context(system_u:object_r:puppet_etc_t,s0)
 +/etc/puppet(/.*)?			        gen_context(system_u:object_r:puppet_etc_t,s0)
 +/etc/puppetlabs(/.*)?			        gen_context(system_u:object_r:puppet_etc_t,s0)
@@ -79178,6 +79194,7 @@ index d68e26d..2542f5a 100644
 -/usr/sbin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
 -/usr/sbin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
 +/usr/bin/puppetca	        --	gen_context(system_u:object_r:puppetca_exec_t,s0)
++/usr/bin/puppet	        --	gen_context(system_u:object_r:puppetagent_exec_t,s0)
 +/usr/bin/puppetd	        --	gen_context(system_u:object_r:puppetagent_exec_t,s0)
 +/usr/bin/puppetmasterd	    --	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
  
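Review bot: `/usr/bin/puppet` is labeled `puppetagent_exec_t`, while the neighbouring entries give the master and the CA their own entry types (`puppetmaster_exec_t`, `puppetca_exec_t`). If this path is a single front-end binary that also runs the master or CA subcommands, those would enter the agent domain when started through it, and the agent domain tends to accumulate extra rules to compensate. A comment above the entry stating the assumption would make that reviewable, e.g. `# unified puppet command; anything started through it enters the agent domain`.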
@@ -93000,10 +93017,10 @@ index f1140ef..642e062 100644
 +	files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock")
  ')
 diff --git a/rsync.te b/rsync.te
-index abeb302..6836678 100644
+index abeb302..b27a479 100644
 --- a/rsync.te
 +++ b/rsync.te
-@@ -6,67 +6,45 @@ policy_module(rsync, 1.13.0)
+@@ -6,67 +6,46 @@ policy_module(rsync, 1.13.0)
  #
  
  ## <desc>
@@ -93076,11 +93093,11 @@ index abeb302..6836678 100644
  
  type rsync_t;
  type rsync_exec_t;
--init_daemon_domain(rsync_t, rsync_exec_t)
--application_domain(rsync_t, rsync_exec_t)
--role rsync_roles types rsync_t;
 +application_executable_file(rsync_exec_t)
 +role system_r types rsync_t;
+ init_daemon_domain(rsync_t, rsync_exec_t)
+-application_domain(rsync_t, rsync_exec_t)
+-role rsync_roles types rsync_t;
  
  type rsync_etc_t;
  files_config_file(rsync_etc_t)
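Review bot: With `init_daemon_domain(rsync_t, rsync_exec_t)` kept as context again, the added `role system_r types rsync_t;` two lines above it looks redundant, since init_daemon_domain normally performs that role association itself (the macro body is not on this page, so confirm before dropping the line). The more important effect is that an init-started rsync transitions into rsync_t again while `application_domain` and the `rsync_roles` association stay removed. A short comment such as `# daemon entry from init only; rsync run by a user stays in the caller's domain` would record that the client case is deliberately not covered by this type.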
@@ -93090,7 +93107,7 @@ index abeb302..6836678 100644
  files_type(rsync_data_t)
  
  type rsync_log_t;
-@@ -86,15 +64,25 @@ files_pid_file(rsync_var_run_t)
+@@ -86,15 +65,25 @@ files_pid_file(rsync_var_run_t)
  allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
  allow rsync_t self:process signal_perms;
  allow rsync_t self:fifo_file rw_fifo_file_perms;
@@ -93121,7 +93138,7 @@ index abeb302..6836678 100644
  logging_log_filetrans(rsync_t, rsync_log_t, file)
  
  manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
-@@ -108,46 +96,55 @@ kernel_read_kernel_sysctls(rsync_t)
+@@ -108,46 +97,55 @@ kernel_read_kernel_sysctls(rsync_t)
  kernel_read_system_state(rsync_t)
  kernel_read_network_state(rsync_t)
  
@@ -93195,7 +93212,7 @@ index abeb302..6836678 100644
  ')
  
  tunable_policy(`rsync_export_all_ro',`
-@@ -161,38 +158,24 @@ tunable_policy(`rsync_export_all_ro',`
+@@ -161,38 +159,24 @@ tunable_policy(`rsync_export_all_ro',`
  	auth_tunable_read_shadow(rsync_t)
  ')
  
@@ -111608,10 +111625,10 @@ index 3d11c6a..b19a117 100644
  
  optional_policy(`
 diff --git a/virt.fc b/virt.fc
-index a4f20bc..f3d5b04 100644
+index a4f20bc..17edb35 100644
 --- a/virt.fc
 +++ b/virt.fc
-@@ -1,51 +1,111 @@
+@@ -1,51 +1,114 @@
 -HOME_DIR/\.libvirt(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
 -HOME_DIR/\.libvirt/qemu(/.*)?	gen_context(system_u:object_r:svirt_home_t,s0)
 -HOME_DIR/\.virtinst(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
@@ -111756,13 +111773,16 @@ index a4f20bc..f3d5b04 100644
 +
 +/var/lib/kubelet(/.*)?              gen_context(system_u:object_r:svirt_sandbox_file_t,s0)
 +
++/var/lib/docker/vfs(/.*)?      gen_context(system_u:object_r:svirt_sandbox_file_t,s0)
++/var/lib/docker-latest/vfs(/.*)?      gen_context(system_u:object_r:svirt_sandbox_file_t,s0)
++
 +/var/run/qemu-ga\.pid           --      gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
 +/var/run/qga\.state             --      gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
 +
 +/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index facdee8..816d860 100644
+index facdee8..12e74f1 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,318 +1,231 @@
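Review bot: The two new entries label everything under `/var/lib/docker/vfs` and `/var/lib/docker-latest/vfs` as `svirt_sandbox_file_t` at plain `s0`, the same type this patch uses for sandbox content such as `/var/lib/kubelet`, with no MCS categories. Unless the container runtime relabels each container's directory with its own category pair, content under these trees would be reachable by any sandbox domain that is allowed on that type, including data belonging to other containers. A comment above the entries should say which component is expected to apply the per-container level, e.g. `# default label only; per-container MCS level is applied by the container runtime`.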
@@ -112589,7 +112609,7 @@ index facdee8..816d860 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -673,54 +539,472 @@ interface(`virt_home_filetrans',`
+@@ -673,107 +539,607 @@ interface(`virt_home_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -112625,14 +112645,8 @@ index facdee8..816d860 100644
  	gen_require(`
 -		type virt_home_t;
 +		type virt_var_lib_t;
- 	')
- 
--	userdom_search_user_home_dirs($1)
--	allow $1 virt_home_t:dir manage_dir_perms;
--	allow $1 virt_home_t:file manage_file_perms;
--	allow $1 virt_home_t:fifo_file manage_fifo_file_perms;
--	allow $1 virt_home_t:lnk_file manage_lnk_file_perms;
--	allow $1 virt_home_t:sock_file manage_sock_file_perms;
++	')
++
 +	dontaudit $1 virt_var_lib_t:file read_inherited_file_perms;
 +')
 +
@@ -112777,20 +112791,14 @@ index facdee8..816d860 100644
 +	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
 +	read_blk_files_pattern($1, virt_image_type, virt_image_type)
 +	read_chr_files_pattern($1, virt_image_type, virt_image_type)
- 
- 	tunable_policy(`virt_use_nfs',`
--		fs_manage_nfs_dirs($1)
--		fs_manage_nfs_files($1)
--		fs_manage_nfs_symlinks($1)
++
++	tunable_policy(`virt_use_nfs',`
 +		fs_list_nfs($1)
 +		fs_read_nfs_files($1)
 +		fs_read_nfs_symlinks($1)
- 	')
- 
- 	tunable_policy(`virt_use_samba',`
--		fs_manage_cifs_dirs($1)
--		fs_manage_cifs_files($1)
--		fs_manage_cifs_symlinks($1)
++	')
++
++	tunable_policy(`virt_use_samba',`
 +		fs_list_cifs($1)
 +		fs_read_cifs_files($1)
 +		fs_read_cifs_symlinks($1)
@@ -112957,14 +112965,13 @@ index facdee8..816d860 100644
 +interface(`virt_exec_sandbox_files',`
 +	gen_require(`
 +		type svirt_sandbox_file_t;
- 	')
++	')
 +
 +	can_exec($1, svirt_sandbox_file_t)
- ')
- 
- ########################################
- ## <summary>
--##	Relabel virt home content.
++')
++
++########################################
++## <summary>
 +##	Allow any svirt_sandbox_file_t to be an entrypoint of this domain
 +## </summary>
 +## <param name="domain">
@@ -113081,19 +113088,97 @@ index facdee8..816d860 100644
 +#######################################
 +## <summary>
 +##	Connect to virt over a unix domain stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virt_stream_connect_sandbox',`
++	gen_require(`
++		attribute svirt_sandbox_domain;
++		type svirt_sandbox_file_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain)
++	ps_process_pattern(svirt_sandbox_domain, $1)
++')
++
++########################################
++## <summary>
++##	Execute qemu in the svirt domain, and
++##	allow the specified role the svirt domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the sandbox domain.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`virt_transition_svirt',`
++	gen_require(`
++		attribute virt_domain;
++		type virt_bridgehelper_t;
++		type svirt_image_t;
++		type svirt_socket_t;
+ 	')
+ 
+-	userdom_search_user_home_dirs($1)
+-	allow $1 virt_home_t:dir manage_dir_perms;
+-	allow $1 virt_home_t:file manage_file_perms;
+-	allow $1 virt_home_t:fifo_file manage_fifo_file_perms;
+-	allow $1 virt_home_t:lnk_file manage_lnk_file_perms;
+-	allow $1 virt_home_t:sock_file manage_sock_file_perms;
++	allow $1 virt_domain:process transition;
++	role $2 types virt_domain;
++	role $2 types virt_bridgehelper_t;
++	role $2 types svirt_socket_t;
+ 
+-	tunable_policy(`virt_use_nfs',`
+-		fs_manage_nfs_dirs($1)
+-		fs_manage_nfs_files($1)
+-		fs_manage_nfs_symlinks($1)
+-	')
++	allow $1 virt_domain:process { sigkill sigstop signull signal };
++	allow $1 svirt_image_t:file { relabelfrom relabelto };
++	allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto };
++	allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto };
++	allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms;
+ 
+-	tunable_policy(`virt_use_samba',`
+-		fs_manage_cifs_dirs($1)
+-		fs_manage_cifs_files($1)
+-		fs_manage_cifs_symlinks($1)
++	optional_policy(`
++		ptchown_run(virt_domain, $2)
+ 	')
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Relabel virt home content.
++##	Do not audit attempts to write virt daemon unnamed pipes.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -728,52 +1012,80 @@ interface(`virt_manage_generic_virt_home_content',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
 -interface(`virt_relabel_generic_virt_home_content',`
-+interface(`virt_stream_connect_sandbox',`
++interface(`virt_dontaudit_write_pipes',`
  	gen_require(`
 -		type virt_home_t;
-+		attribute svirt_sandbox_domain;
-+		type svirt_sandbox_file_t;
++		type virtd_t;
  	')
  
 -	userdom_search_user_home_dirs($1)
@@ -113102,9 +113187,8 @@ index facdee8..816d860 100644
 -	allow $1 virt_home_t:fifo_file relabel_fifo_file_perms;
 -	allow $1 virt_home_t:lnk_file relabel_lnk_file_perms;
 -	allow $1 virt_home_t:sock_file relabel_sock_file_perms;
-+	files_search_pids($1)
-+	stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain)
-+	ps_process_pattern(svirt_sandbox_domain, $1)
++	dontaudit $1 virtd_t:fd use;
++	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
  ')
  
  ########################################
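Review bot: The summary of `virt_stream_connect_sandbox` reads "Connect to virt over a unix domain stream socket", but the body connects to `svirt_sandbox_domain` sockets and also calls `ps_process_pattern(svirt_sandbox_domain, $1)`, which appears to give every sandbox domain access to the caller's process information. That reverse grant is easy to miss when a privileged domain calls this interface, so the summary should mention it, e.g. `##	Connect to sandbox domains over a unix stream socket; sandbox domains may read the caller's process state.` Most of this hunk looks like the nested virt.if diff being re-aligned rather than new policy, so this is a documentation request only.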
@@ -113112,214 +113196,213 @@ index facdee8..816d860 100644
 -##	Create specified objects in user home
 -##	directories with the generic virt
 -##	home type.
-+##	Execute qemu in the svirt domain, and
-+##	allow the specified role the svirt domain.
++##	Send a sigkill to virtual machines
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain allowed access
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
 -## <param name="object_class">
-+## <param name="role">
++#
++interface(`virt_kill_svirt',`
++	gen_require(`
++		attribute virt_domain;
++	')
++
++	allow $1 virt_domain:process sigkill;
++')
++
++########################################
++## <summary>
++##	Send a sigkill to virtd daemon.
++## </summary>
++## <param name="domain">
  ##	<summary>
 -##	Class of the object being created.
-+##	The role to be allowed the sandbox domain.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
 -## <param name="name" optional="true">
-+## <rolecap/>
 +#
-+interface(`virt_transition_svirt',`
++interface(`virt_kill',`
 +	gen_require(`
-+		attribute virt_domain;
-+		type virt_bridgehelper_t;
-+		type svirt_image_t;
-+		type svirt_socket_t;
++		type virtd_t;
 +	')
 +
-+	allow $1 virt_domain:process transition;
-+	role $2 types virt_domain;
-+	role $2 types virt_bridgehelper_t;
-+	role $2 types svirt_socket_t;
-+
-+	allow $1 virt_domain:process { sigkill sigstop signull signal };
-+	allow $1 svirt_image_t:file { relabelfrom relabelto };
-+	allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto };
-+	allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto };
-+	allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms;
-+
-+	optional_policy(`
-+		ptchown_run(virt_domain, $2)
-+	')
++	allow $1 virtd_t:process sigkill;
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to write virt daemon unnamed pipes.
++##	Send a signal to virtd daemon.
 +## </summary>
 +## <param name="domain">
  ##	<summary>
 -##	The name of the object being created.
-+##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
 -interface(`virt_home_filetrans_virt_home',`
-+interface(`virt_dontaudit_write_pipes',`
++interface(`virt_signal',`
  	gen_require(`
 -		type virt_home_t;
 +		type virtd_t;
  	')
  
 -	userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3)
-+	dontaudit $1 virtd_t:fd use;
-+	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
++	allow $1 virtd_t:process signal;
  ')
  
  ########################################
  ## <summary>
 -##	Read virt pid files.
-+##	Send a sigkill to virtual machines
++##	Send null signal to virtd daemon.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -781,19 +1093,17 @@ interface(`virt_home_filetrans_virt_home',`
+@@ -781,19 +1147,17 @@ interface(`virt_home_filetrans_virt_home',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_read_pid_files',`
-+interface(`virt_kill_svirt',`
++interface(`virt_signull',`
  	gen_require(`
 -		type virt_var_run_t;
-+		attribute virt_domain;
++		type virtd_t;
  	')
  
 -	files_search_pids($1)
 -	read_files_pattern($1, virt_var_run_t, virt_var_run_t)
-+	allow $1 virt_domain:process sigkill;
++	allow $1 virtd_t:process signull;
  ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	virt pid files.
-+##	Send a sigkill to virtd daemon.
++##	Send a signal to virtual machines
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -801,18 +1111,17 @@ interface(`virt_read_pid_files',`
+@@ -801,18 +1165,17 @@ interface(`virt_read_pid_files',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_manage_pid_files',`
-+interface(`virt_kill',`
++interface(`virt_signal_svirt',`
  	gen_require(`
 -		type virt_var_run_t;
-+		type virtd_t;
++		attribute virt_domain;
  	')
  
 -	files_search_pids($1)
 -	manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
-+	allow $1 virtd_t:process sigkill;
++	allow $1 virt_domain:process signal;
  ')
  
  ########################################
  ## <summary>
 -##	Search virt lib directories.
-+##	Send a signal to virtd daemon.
++##	Send a signal to sandbox domains
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -820,18 +1129,17 @@ interface(`virt_manage_pid_files',`
+@@ -820,18 +1183,17 @@ interface(`virt_manage_pid_files',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_search_lib',`
-+interface(`virt_signal',`
++interface(`virt_signal_sandbox',`
  	gen_require(`
 -		type virt_var_lib_t;
-+		type virtd_t;
++		attribute svirt_sandbox_domain;
  	')
  
 -	files_search_var_lib($1)
 -	allow $1 virt_var_lib_t:dir search_dir_perms;
-+	allow $1 virtd_t:process signal;
++	allow $1 svirt_sandbox_domain:process signal;
  ')
  
  ########################################
  ## <summary>
 -##	Read virt lib files.
-+##	Send null signal to virtd daemon.
++##	Manage virt home files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -839,20 +1147,17 @@ interface(`virt_search_lib',`
+@@ -839,192 +1201,243 @@ interface(`virt_search_lib',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_read_lib_files',`
-+interface(`virt_signull',`
++interface(`virt_manage_home_files',`
  	gen_require(`
 -		type virt_var_lib_t;
-+		type virtd_t;
++		type virt_home_t;
  	')
  
 -	files_search_var_lib($1)
 -	read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
 -	read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
-+	allow $1 virtd_t:process signull;
++	userdom_search_user_home_dirs($1)
++	manage_files_pattern($1, virt_home_t, virt_home_t)
  ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	virt lib files.
-+##	Send a signal to virtual machines
++##	allow domain to read
++##	virt tmpfs files
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -860,74 +1165,123 @@ interface(`virt_read_lib_files',`
+-##	Domain allowed access.
++##	Domain allowed access
  ##	</summary>
  ## </param>
  #
 -interface(`virt_manage_lib_files',`
-+interface(`virt_signal_svirt',`
++interface(`virt_read_tmpfs_files',`
  	gen_require(`
 -		type virt_var_lib_t;
-+		attribute virt_domain;
++		attribute virt_tmpfs_type;
  	')
  
 -	files_search_var_lib($1)
 -	manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
-+	allow $1 virt_domain:process signal;
++	allow $1 virt_tmpfs_type:file read_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Create objects in virt pid
 -##	directories with a private type.
-+##	Send a signal to sandbox domains
++##	allow domain to manage
++##	virt tmpfs files
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+-##	Domain allowed access.
++##	Domain allowed access
  ##	</summary>
  ## </param>
 -## <param name="private type">
 +#
-+interface(`virt_signal_sandbox',`
++interface(`virt_manage_tmpfs_files',`
 +	gen_require(`
-+		attribute svirt_sandbox_domain;
++		attribute virt_tmpfs_type;
 +	')
 +
-+	allow $1 svirt_sandbox_domain:process signal;
++	allow $1 virt_tmpfs_type:file manage_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Manage virt home files.
++##	Create .virt directory in the user home directory
++##	with an correct label.
 +## </summary>
 +## <param name="domain">
  ##	<summary>
@@ -113329,204 +113412,213 @@ index facdee8..816d860 100644
  ## </param>
 -## <param name="object">
 +#
-+interface(`virt_manage_home_files',`
++interface(`virt_filetrans_home_content',`
 +	gen_require(`
 +		type virt_home_t;
++		type svirt_home_t;
 +	')
 +
-+	userdom_search_user_home_dirs($1)
-+	manage_files_pattern($1, virt_home_t, virt_home_t)
++	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
++	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
++	filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
++
++	optional_policy(`
++		gnome_config_filetrans($1, virt_home_t, dir, "libvirt")
++		gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")
++		gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox")
++		gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
++		gnome_data_filetrans($1, svirt_home_t, dir, "images")
++		gnome_data_filetrans($1, svirt_home_t, dir, "boot")
++	')
 +')
 +
 +########################################
 +## <summary>
-+##	allow domain to read
-+##	virt tmpfs files
++##	Dontaudit attempts to Read virt_image_type devices.
 +## </summary>
 +## <param name="domain">
  ##	<summary>
 -##	The object class of the object being created.
-+##	Domain allowed access
++##	Domain allowed access.
  ##	</summary>
  ## </param>
 -## <param name="name" optional="true">
 +#
-+interface(`virt_read_tmpfs_files',`
++interface(`virt_dontaudit_read_chr_dev',`
 +	gen_require(`
-+		attribute virt_tmpfs_type;
++		attribute virt_image_type;
 +	')
 +
-+	allow $1 virt_tmpfs_type:file read_file_perms;
++	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	allow domain to manage
-+##	virt tmpfs files
++##	Creates types and rules for a basic
++##	virt_lxc process domain.
 +## </summary>
-+## <param name="domain">
++## <param name="prefix">
  ##	<summary>
 -##	The name of the object being created.
-+##	Domain allowed access
++##	Prefix for the domain.
  ##	</summary>
  ## </param>
 -## <infoflow type="write" weight="10"/>
  #
 -interface(`virt_pid_filetrans',`
-+interface(`virt_manage_tmpfs_files',`
++template(`virt_sandbox_domain_template',`
  	gen_require(`
 -		type virt_var_run_t;
-+		attribute virt_tmpfs_type;
++		attribute svirt_sandbox_domain;
  	')
  
 -	files_search_pids($1)
 -	filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
-+	allow $1 virt_tmpfs_type:file manage_file_perms;
++	type $1_t, svirt_sandbox_domain;
++	domain_type($1_t)
++	domain_user_exemption_target($1_t)
++	mls_rangetrans_target($1_t)
++	mcs_constrained($1_t)
++	role system_r types $1_t;
++
++	logging_send_syslog_msg($1_t)
++
++	kernel_read_system_state($1_t)
++	kernel_read_all_proc($1_t)
  ')
  
  ########################################
  ## <summary>
 -##	Read virt log files.
-+##	Create .virt directory in the user home directory
-+##	with an correct label.
++##	Make the specified type usable as a lxc domain
  ## </summary>
- ## <param name="domain">
+-## <param name="domain">
++## <param name="type">
  ##	<summary>
- ##	Domain allowed access.
+-##	Domain allowed access.
++##	Type to be used as a lxc domain
  ##	</summary>
  ## </param>
 -## <rolecap/>
  #
 -interface(`virt_read_log',`
-+interface(`virt_filetrans_home_content',`
++template(`virt_sandbox_domain',`
  	gen_require(`
 -		type virt_log_t;
-+		type virt_home_t;
-+		type svirt_home_t;
++		attribute svirt_sandbox_domain;
  	')
  
 -	logging_search_logs($1)
 -	read_files_pattern($1, virt_log_t, virt_log_t)
-+	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
-+	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
-+	filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
-+
-+	optional_policy(`
-+		gnome_config_filetrans($1, virt_home_t, dir, "libvirt")
-+		gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")
-+		gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox")
-+		gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
-+		gnome_data_filetrans($1, svirt_home_t, dir, "images")
-+		gnome_data_filetrans($1, svirt_home_t, dir, "boot")
-+	')
++	typeattribute  $1 svirt_sandbox_domain;
  ')
  
  ########################################
  ## <summary>
 -##	Append virt log files.
-+##	Dontaudit attempts to Read virt_image_type devices.
++##	Make the specified type usable as a lxc network domain
  ## </summary>
- ## <param name="domain">
+-## <param name="domain">
++## <param name="type">
  ##	<summary>
-@@ -935,117 +1289,153 @@ interface(`virt_read_log',`
+-##	Domain allowed access.
++##	Type to be used as a lxc network domain
  ##	</summary>
  ## </param>
  #
 -interface(`virt_append_log',`
-+interface(`virt_dontaudit_read_chr_dev',`
++template(`virt_sandbox_net_domain',`
  	gen_require(`
 -		type virt_log_t;
-+		attribute virt_image_type;
++		attribute sandbox_net_domain;
  	')
  
 -	logging_search_logs($1)
 -	append_files_pattern($1, virt_log_t, virt_log_t)
-+	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
++	virt_sandbox_domain($1)
++	typeattribute  $1 sandbox_net_domain;
  ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	virt log files.
-+##	Creates types and rules for a basic
-+##	virt_lxc process domain.
++##	Execute a qemu_exec_t in the callers domain
  ## </summary>
--## <param name="domain">
-+## <param name="prefix">
- ##	<summary>
--##	Domain allowed access.
-+##	Prefix for the domain.
- ##	</summary>
+ ## <param name="domain">
+-##	<summary>
++## <summary>
+ ##	Domain allowed access.
+-##	</summary>
++## </summary>
  ## </param>
  #
 -interface(`virt_manage_log',`
-+template(`virt_sandbox_domain_template',`
++interface(`virt_exec_qemu',`
  	gen_require(`
 -		type virt_log_t;
-+		attribute svirt_sandbox_domain;
++		type qemu_exec_t;
  	')
  
 -	logging_search_logs($1)
 -	manage_dirs_pattern($1, virt_log_t, virt_log_t)
 -	manage_files_pattern($1, virt_log_t, virt_log_t)
 -	manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
-+	type $1_t, svirt_sandbox_domain;
-+	domain_type($1_t)
-+	domain_user_exemption_target($1_t)
-+	mls_rangetrans_target($1_t)
-+	mcs_constrained($1_t)
-+	role system_r types $1_t;
-+
-+	logging_send_syslog_msg($1_t)
-+
-+	kernel_read_system_state($1_t)
-+	kernel_read_all_proc($1_t)
++	can_exec($1, qemu_exec_t)
  ')
  
  ########################################
  ## <summary>
 -##	Search virt image directories.
-+##	Make the specified type usable as a lxc domain
++##	Transition to virt named content
  ## </summary>
--## <param name="domain">
-+## <param name="type">
+ ## <param name="domain">
  ##	<summary>
 -##	Domain allowed access.
-+##	Type to be used as a lxc domain
++##      Domain allowed access.
  ##	</summary>
  ## </param>
  #
 -interface(`virt_search_images',`
-+template(`virt_sandbox_domain',`
++interface(`virt_filetrans_named_content',`
  	gen_require(`
 -		attribute virt_image_type;
-+		attribute svirt_sandbox_domain;
++		type virt_lxc_var_run_t;
++		type virt_var_run_t;
  	')
  
 -	virt_search_lib($1)
 -	allow $1 virt_image_type:dir search_dir_perms;
-+	typeattribute  $1 svirt_sandbox_domain;
++	files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
++	files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
++	files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
  ')
  
  ########################################
  ## <summary>
 -##	Read virt image files.
-+##	Make the specified type usable as a lxc network domain
++##	Execute qemu in the svirt domain, and
++##	allow the specified role the svirt domain.
  ## </summary>
--## <param name="domain">
-+## <param name="type">
+ ## <param name="domain">
  ##	<summary>
 -##	Domain allowed access.
-+##	Type to be used as a lxc network domain
++##	Domain allowed access
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the sandbox domain.
  ##	</summary>
  ## </param>
++## <rolecap/>
  #
 -interface(`virt_read_images',`
-+template(`virt_sandbox_net_domain',`
++interface(`virt_transition_svirt_sandbox',`
  	gen_require(`
 -		type virt_var_lib_t;
 -		attribute virt_image_type;
-+		attribute sandbox_net_domain;
++		attribute svirt_sandbox_domain;
  	')
  
 -	virt_search_lib($1)
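Review bot: The summary given to `virt_transition_svirt_sandbox` repeats the text of `virt_transition_svirt` ("Execute qemu in the svirt domain, and allow the specified role the svirt domain"), although its `gen_require` names `svirt_sandbox_domain`. Suggested summary: `##	Transition to the svirt sandbox domains, and allow the specified role the sandbox domains.` In the same hunk `virt_dontaudit_read_chr_dev` documents its parameter as "Domain allowed access." where the other dontaudit interface in this file uses `Domain to not audit.` The body of virt_transition_svirt_sandbox continues past the end of this hunk.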
@@ -113535,79 +113627,41 @@ index facdee8..816d860 100644
 -	read_files_pattern($1, virt_image_type, virt_image_type)
 -	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
 -	read_blk_files_pattern($1, virt_image_type, virt_image_type)
-+	virt_sandbox_domain($1)
-+	typeattribute  $1 sandbox_net_domain;
-+')
++	allow $1 svirt_sandbox_domain:process { transition signal_perms };
++	role $2 types svirt_sandbox_domain;
++	allow $1 svirt_sandbox_domain:unix_dgram_socket sendto;
  
 -	tunable_policy(`virt_use_nfs',`
 -		fs_list_nfs($1)
 -		fs_read_nfs_files($1)
 -		fs_read_nfs_symlinks($1)
-+########################################
-+## <summary>
-+##	Execute a qemu_exec_t in the callers domain
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+##	Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`virt_exec_qemu',`
-+	gen_require(`
-+		type qemu_exec_t;
- 	')
+-	')
++	allow svirt_sandbox_domain $1:fd use;
  
 -	tunable_policy(`virt_use_samba',`
 -		fs_list_cifs($1)
 -		fs_read_cifs_files($1)
 -		fs_read_cifs_symlinks($1)
-+	can_exec($1, qemu_exec_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Transition to virt named content
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##      Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`virt_filetrans_named_content',`
-+	gen_require(`
-+		type virt_lxc_var_run_t;
-+		type virt_var_run_t;
- 	')
-+
-+	files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
-+	files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
-+	files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
+-	')
++	allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms;
++	allow svirt_sandbox_domain $1:process sigchld;
++	ps_process_pattern($1, svirt_sandbox_domain)
  ')
  
  ########################################
  ## <summary>
 -##	Read and write all virt image
 -##	character files.
-+##	Execute qemu in the svirt domain, and
-+##	allow the specified role the svirt domain.
++##	Read the process state of virt sandbox containers
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain allowed access
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	The role to be allowed the sandbox domain.
+@@ -1032,20 +1445,17 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
-+## <rolecap/>
  #
 -interface(`virt_rw_all_image_chr_files',`
-+interface(`virt_transition_svirt_sandbox',`
++interface(`virt_sandbox_read_state',`
  	gen_require(`
 -		attribute virt_image_type;
 +		attribute svirt_sandbox_domain;
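Review bot: The `allow svirt_sandbox_domain $1:fd use;` rule on the new side of this hunk appears to be a new grant in virt_transition_svirt_sandbox, and nothing records why: the interface summary still describes only the transition and the role grant, and none of the four %changelog entries added in selinux-policy.spec mentions it. Because the source is the svirt_sandbox_domain attribute, every sandbox type may use descriptors opened by any domain that calls this interface; access to the underlying object is still checked against that object's own type, so this rule alone does not open up file contents. I would add a comment above the rule, for example `# sandbox inherits open descriptors from the caller across the transition` if that is the intent, plus a changelog line. The `allow svirt_sandbox_domain self:msg all_msg_perms;` and `kernel_rw_unix_sysctls(svirt_sandbox_domain)` additions in the later virt.te hunks are likewise missing from the changelog. The interface header sits in the preceding hunk, outside this one.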
@@ -113616,12 +113670,6 @@ index facdee8..816d860 100644
 -	virt_search_lib($1)
 -	allow $1 virt_image_type:dir list_dir_perms;
 -	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
-+	allow $1 svirt_sandbox_domain:process { transition signal_perms };
-+	role $2 types svirt_sandbox_domain;
-+	allow $1 svirt_sandbox_domain:unix_dgram_socket sendto;
-+
-+	allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms;
-+	allow svirt_sandbox_domain $1:process sigchld;
 +	ps_process_pattern($1, svirt_sandbox_domain)
  ')
  
@@ -113629,23 +113677,23 @@ index facdee8..816d860 100644
  ## <summary>
 -##	Create, read, write, and delete
 -##	svirt cache files.
-+##	Read the process state of virt sandbox containers
++##	Read and write to svirt_image devices.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1053,15 +1443,17 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,15 +1463,17 @@ interface(`virt_rw_all_image_chr_files',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_manage_svirt_cache',`
 -	refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
 -	virt_manage_virt_cache($1)
-+interface(`virt_sandbox_read_state',`
++interface(`virt_rw_svirt_dev',`
 +	gen_require(`
-+		attribute svirt_sandbox_domain;
++		type svirt_image_t;
 +	')
 +
-+	ps_process_pattern($1, svirt_sandbox_domain)
++	allow $1 svirt_image_t:chr_file rw_file_perms;
  ')
  
  ########################################
@@ -113656,22 +113704,22 @@ index facdee8..816d860 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1069,21 +1461,17 @@ interface(`virt_manage_svirt_cache',`
+@@ -1069,21 +1481,17 @@ interface(`virt_manage_svirt_cache',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_manage_virt_cache',`
-+interface(`virt_rw_svirt_dev',`
++interface(`virt_rlimitinh',`
  	gen_require(`
 -		type virt_cache_t;
-+		type svirt_image_t;
++		type virtd_t;
  	')
  
 -	files_search_var($1)
 -	manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
 -	manage_files_pattern($1, virt_cache_t, virt_cache_t)
 -	manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
-+	allow $1 svirt_image_t:chr_file rw_file_perms;
++    allow $1 virtd_t:process { rlimitinh };
  ')
  
  ########################################
@@ -113682,43 +113730,28 @@ index facdee8..816d860 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1091,36 +1479,36 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1499,18 @@ interface(`virt_manage_virt_cache',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_manage_images',`
-+interface(`virt_rlimitinh',`
++interface(`virt_noatsecure',`
  	gen_require(`
 -		type virt_var_lib_t;
 -		attribute virt_image_type;
-+		type virtd_t;
- 	')
- 
+-	')
+-
 -	virt_search_lib($1)
 -	allow $1 virt_image_type:dir list_dir_perms;
 -	manage_dirs_pattern($1, virt_image_type, virt_image_type)
 -	manage_files_pattern($1, virt_image_type, virt_image_type)
 -	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
 -	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
-+    allow $1 virtd_t:process { rlimitinh };
-+')
- 
+-
 -	tunable_policy(`virt_use_nfs',`
 -		fs_manage_nfs_dirs($1)
 -		fs_manage_nfs_files($1)
 -		fs_read_nfs_symlinks($1)
-+########################################
-+## <summary>
-+##	Read and write to svirt_image devices.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`virt_noatsecure',`
-+	gen_require(`
 +		type virtd_t;
  	')
  
@@ -113739,7 +113772,7 @@ index facdee8..816d860 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1136,50 +1524,76 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1526,76 @@ interface(`virt_manage_images',`
  #
  interface(`virt_admin',`
  	gen_require(`
@@ -113849,7 +113882,7 @@ index facdee8..816d860 100644
 +        ps_process_pattern(virtd_t, $1)
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..a4e5bf6 100644
+index f03dcf5..75d9fa0 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,451 +1,402 @@
@@ -115431,7 +115464,7 @@ index f03dcf5..a4e5bf6 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1258,357 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1258,359 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -115486,6 +115519,7 @@ index f03dcf5..a4e5bf6 100644
 +
 +allow svirt_sandbox_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
 +allow svirt_sandbox_domain self:fifo_file manage_file_perms;
++allow svirt_sandbox_domain self:msg all_msg_perms;
 +allow svirt_sandbox_domain self:sem create_sem_perms;
 +allow svirt_sandbox_domain self:shm create_shm_perms;
 +allow svirt_sandbox_domain self:msgq create_msgq_perms;
@@ -115619,6 +115653,7 @@ index f03dcf5..a4e5bf6 100644
 +kernel_list_all_proc(svirt_sandbox_domain)
 +kernel_read_all_sysctls(svirt_sandbox_domain)
 +kernel_rw_net_sysctls(svirt_sandbox_domain)
++kernel_rw_unix_sysctls(svirt_sandbox_domain)
 +kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
 +kernel_dontaudit_access_check_proc(svirt_sandbox_domain)
 +kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain)
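Review bot: `kernel_rw_unix_sysctls(svirt_sandbox_domain)` gives write access on the unix-socket sysctls to every type carrying the svirt_sandbox_domain attribute, and nothing in the hunk says which container workload needs it. `kernel_read_all_sysctls(svirt_sandbox_domain)` two lines up presumably already covers reading, so the effective addition here is the write. If read access was the goal, this line can be dropped. If a write is required, I would add a comment such as `# containers tune net.unix sysctls in their own network namespace` (wording for the author to confirm), and check that the grant is still wanted for containers that share the host's network namespace. The surrounding rule list starts and ends outside this hunk.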
@@ -115930,7 +115965,7 @@ index f03dcf5..a4e5bf6 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1174,12 +1621,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1623,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -115945,7 +115980,7 @@ index f03dcf5..a4e5bf6 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1192,7 +1639,7 @@ optional_policy(`
+@@ -1192,7 +1641,7 @@ optional_policy(`
  
  ########################################
  #
@@ -115954,7 +115989,7 @@ index f03dcf5..a4e5bf6 100644
  #
  
  allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1648,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1650,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
  allow virt_bridgehelper_t self:tun_socket create_socket_perms;
  allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 25f2f24..2242d57 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 212%{?dist}
+Release: 213%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -648,6 +648,12 @@ exit 0
 %endif
 
 %changelog
+* Fri Sep 02 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-213
+- Label /var/lib/docker/vfs as svirt_sandbox_file_t in virt SELinux module
+- Label /usr/bin/pappet as puppetagent_exec_t
+- Allow amanda to create dir in /var/lib/ with amanda_var_lib_t label
+- Allow run sulogin_t in range mls_systemlow-mls_systemhigh.
+
 * Wed Aug 31 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-212
 - udisk2 module is part of devicekit module now
 - Fix file context for /etc/pki/pki-tomcat/ca/