diff --git a/container-selinux.tgz b/container-selinux.tgz
index f68e784..1fbd717 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 61241e1..4b91b04 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -6162,7 +6162,7 @@ index 8e0f9cd14..2fe34db47 100644
 +create_ibendport_type_interfaces($*)
 +')
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055f9..15ec98f76 100644
+index b191055f9..12aecdf4e 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -6386,7 +6386,7 @@ index b191055f9..15ec98f76 100644
  network_port(ktalkd, udp,517,s0, udp,518,s0)
 -network_port(l2tp, tcp,1701,s0, udp,1701,s0)
 -network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
-+network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp, 7389,s0)
++network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp,3269,s0, tcp, 7389,s0)
  network_port(lirc, tcp,8765,s0)
 -network_port(lmtp, tcp,24,s0, udp,24,s0)
 +network_port(luci, tcp,8084,s0)
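Review bot: The rewritten ldap line at the `++network_port(ldap, …)` entry still carries the stray space in `tcp, 7389,s0` that the previous version had; since the whole line is being replaced to add 3269 anyway, this is the moment to normalise it to `tcp,7389,s0` so the entry matches every other `network_port` tuple in the file. Labelling 3269 as ldap_port_t is consistent with 3268 already being there, so no objection to the change itself. The corenetwork.te.in hunk this edits starts and ends outside this patch hunk.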
@@ -27377,10 +27377,10 @@ index 000000000..f73028658
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 000000000..883d9eaa3
+index 000000000..bdfe41b61
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,362 @@
+@@ -0,0 +1,363 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -27418,6 +27418,7 @@ index 000000000..883d9eaa3
 +userdom_manage_tmp_role(unconfined_r, unconfined_t)
 +userdom_unpriv_type(unconfined_t)
 +userdom_login_userdomain(unconfined_t)
++userdom_home_filetrans_user_home_dir(unconfined_t)
 +
 +type unconfined_exec_t;
 +application_domain(unconfined_t, unconfined_exec_t)
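Review bot: The new `userdom_home_filetrans_user_home_dir(unconfined_t)` line has no comment explaining why an unconfined domain needs an explicit home-directory file transition, and nothing nearby in the hunk makes the reason obvious. The spec changelog ties this release to letting unconfined_t create new users with correct labels, which presumably is this line; a one-line comment such as `# home dirs created by unconfined_t (e.g. useradd) must get the user home label — confirm` would keep that rationale with the rule rather than only in the changelog. The surrounding unconfineduser.te block continues outside this hunk.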
@@ -37845,7 +37846,7 @@ index 79a45f62e..6ed0c399a 100644
 +    allow $1 init_var_lib_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda2480..6c22a0a1f 100644
+index 17eda2480..7d76c87ce 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -38167,7 +38168,7 @@ index 17eda2480..6c22a0a1f 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +347,292 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +347,293 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -38208,6 +38209,7 @@ index 17eda2480..6c22a0a1f 100644
 +
 +optional_policy(`
 +    apache_delete_tmp(init_t)
++    apache_noatsecure(init_t)
 +')
 +
 +optional_policy(`
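Review bot: `apache_noatsecure(init_t)` is added without any comment, and this is the kind of rule that needs one: as I understand the `noatsecure` process permission, it stops the kernel from setting AT_SECURE on the transition to httpd_t, so the dynamic loader no longer performs its secure-execution environment cleansing for the httpd process started by init. A reader auditing init.te later will want to know which bug or unit requires that, so a comment on the line, e.g. `# httpd needs its environment passed through un-sanitised on the init_t -> httpd_t transition (BZ <placeholder>)`, would be appropriate. The optional_policy block is complete within the hunk. Separately, the spec changelog in this same commit lists "Allow init noatsecure httpd_t" twice.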
@@ -38469,7 +38471,7 @@ index 17eda2480..6c22a0a1f 100644
  ')
  
  optional_policy(`
-@@ -216,7 +640,30 @@ optional_policy(`
+@@ -216,7 +641,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38501,7 +38503,7 @@ index 17eda2480..6c22a0a1f 100644
  ')
  
  ########################################
-@@ -225,9 +672,9 @@ optional_policy(`
+@@ -225,9 +673,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -38513,7 +38515,7 @@ index 17eda2480..6c22a0a1f 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -258,12 +705,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +706,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -38530,7 +38532,7 @@ index 17eda2480..6c22a0a1f 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +730,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +731,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -38573,7 +38575,7 @@ index 17eda2480..6c22a0a1f 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +767,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +768,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -38585,7 +38587,7 @@ index 17eda2480..6c22a0a1f 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -313,8 +779,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +780,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -38596,7 +38598,7 @@ index 17eda2480..6c22a0a1f 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -322,8 +790,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +791,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -38606,7 +38608,7 @@ index 17eda2480..6c22a0a1f 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -332,7 +799,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +800,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -38614,7 +38616,7 @@ index 17eda2480..6c22a0a1f 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -340,6 +806,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +807,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -38622,7 +38624,7 @@ index 17eda2480..6c22a0a1f 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -347,14 +814,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +815,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -38640,7 +38642,7 @@ index 17eda2480..6c22a0a1f 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -364,8 +832,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +833,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -38654,7 +38656,7 @@ index 17eda2480..6c22a0a1f 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -375,10 +847,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +848,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -38668,7 +38670,7 @@ index 17eda2480..6c22a0a1f 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -387,8 +860,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +861,10 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -38679,7 +38681,7 @@ index 17eda2480..6c22a0a1f 100644
  
  storage_getattr_fixed_disk_dev(initrc_t)
  storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +873,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +874,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -38687,7 +38689,7 @@ index 17eda2480..6c22a0a1f 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -416,20 +892,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +893,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -38711,7 +38713,7 @@ index 17eda2480..6c22a0a1f 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +925,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +926,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -38719,7 +38721,7 @@ index 17eda2480..6c22a0a1f 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +959,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +960,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -38730,7 +38732,7 @@ index 17eda2480..6c22a0a1f 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -506,7 +983,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +984,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -38739,7 +38741,7 @@ index 17eda2480..6c22a0a1f 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -521,6 +998,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +999,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -38747,7 +38749,7 @@ index 17eda2480..6c22a0a1f 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +1019,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +1020,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -38755,7 +38757,7 @@ index 17eda2480..6c22a0a1f 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +1029,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +1030,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -38800,7 +38802,7 @@ index 17eda2480..6c22a0a1f 100644
  	')
  
  	optional_policy(`
-@@ -559,14 +1074,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1075,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -38832,7 +38834,7 @@ index 17eda2480..6c22a0a1f 100644
  	')
  ')
  
-@@ -577,6 +1109,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1110,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -38872,7 +38874,7 @@ index 17eda2480..6c22a0a1f 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1154,8 @@ optional_policy(`
+@@ -589,6 +1155,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -38881,7 +38883,7 @@ index 17eda2480..6c22a0a1f 100644
  ')
  
  optional_policy(`
-@@ -610,6 +1177,7 @@ optional_policy(`
+@@ -610,6 +1178,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -38889,7 +38891,7 @@ index 17eda2480..6c22a0a1f 100644
  ')
  
  optional_policy(`
-@@ -626,6 +1194,17 @@ optional_policy(`
+@@ -626,6 +1195,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38907,7 +38909,7 @@ index 17eda2480..6c22a0a1f 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -642,9 +1221,13 @@ optional_policy(`
+@@ -642,9 +1222,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -38921,7 +38923,7 @@ index 17eda2480..6c22a0a1f 100644
  	')
  
  	optional_policy(`
-@@ -657,15 +1240,11 @@ optional_policy(`
+@@ -657,15 +1241,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38939,7 +38941,7 @@ index 17eda2480..6c22a0a1f 100644
  ')
  
  optional_policy(`
-@@ -686,6 +1265,15 @@ optional_policy(`
+@@ -686,6 +1266,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38955,7 +38957,7 @@ index 17eda2480..6c22a0a1f 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -726,6 +1314,7 @@ optional_policy(`
+@@ -726,6 +1315,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -38963,7 +38965,7 @@ index 17eda2480..6c22a0a1f 100644
  ')
  
  optional_policy(`
-@@ -743,7 +1332,13 @@ optional_policy(`
+@@ -743,7 +1333,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38978,7 +38980,7 @@ index 17eda2480..6c22a0a1f 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -766,6 +1361,10 @@ optional_policy(`
+@@ -766,6 +1362,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38989,7 +38991,7 @@ index 17eda2480..6c22a0a1f 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -775,10 +1374,20 @@ optional_policy(`
+@@ -775,10 +1375,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39010,7 +39012,7 @@ index 17eda2480..6c22a0a1f 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -787,6 +1396,10 @@ optional_policy(`
+@@ -787,6 +1397,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39021,7 +39023,7 @@ index 17eda2480..6c22a0a1f 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -808,8 +1421,6 @@ optional_policy(`
+@@ -808,8 +1422,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -39030,7 +39032,7 @@ index 17eda2480..6c22a0a1f 100644
  ')
  
  optional_policy(`
-@@ -818,6 +1429,10 @@ optional_policy(`
+@@ -818,6 +1430,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39041,7 +39043,7 @@ index 17eda2480..6c22a0a1f 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -827,10 +1442,12 @@ optional_policy(`
+@@ -827,10 +1443,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -39054,7 +39056,7 @@ index 17eda2480..6c22a0a1f 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1474,62 @@ optional_policy(`
+@@ -857,21 +1475,62 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39118,7 +39120,7 @@ index 17eda2480..6c22a0a1f 100644
  ')
  
  optional_policy(`
-@@ -887,6 +1545,10 @@ optional_policy(`
+@@ -887,6 +1546,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39129,7 +39131,7 @@ index 17eda2480..6c22a0a1f 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -897,3 +1559,218 @@ optional_policy(`
+@@ -897,3 +1560,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 902c1f0..e27883e 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -3925,7 +3925,7 @@ index 7caefc353..966c2f3e6 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/apache.if b/apache.if
-index f6eb4851f..422f408d4 100644
+index f6eb4851f..3628a384f 100644
 --- a/apache.if
 +++ b/apache.if
 @@ -1,9 +1,9 @@
@@ -4218,11 +4218,11 @@ index f6eb4851f..422f408d4 100644
 -	')
 +		# privileged users run the script:
 +		domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
++
++		allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
  
 -	tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 -		filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
-+		allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
-+
 +		# apache runs the script:
 +		domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
 +		allow httpd_t $1_script_t:unix_dgram_socket sendto;
@@ -4499,12 +4499,10 @@ index f6eb4851f..422f408d4 100644
  
 -	dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
 +	dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to read and
--##	write httpd unix domain stream sockets.
++')
++
++########################################
++## <summary>
 +##	Allow attempts to read and write Apache
 +##	unix domain stream sockets.
 +## </summary>
@@ -4520,10 +4518,12 @@ index f6eb4851f..422f408d4 100644
 +	')
 +
 +	allow $1 httpd_t:unix_stream_socket { getattr read write };
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to read and
+-##	write httpd unix domain stream sockets.
 +##	Do not audit attempts to read and write Apache
 +##	unix domain stream sockets.
  ## </summary>
@@ -4997,31 +4997,11 @@ index f6eb4851f..422f408d4 100644
  
 -########################################
 +######################################
-+## <summary>
-+##	Allow the specified domain to read
-+##	apache system content rw files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`apache_read_sys_content_rw_files',`
-+	gen_require(`
-+		type httpd_sys_rw_content_t;
-+	')
-+
-+	read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+')
-+
-+######################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	httpd system rw content.
 +##	Allow the specified domain to read
-+##	apache system content rw dirs.
++##	apache system content rw files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -5031,12 +5011,32 @@ index f6eb4851f..422f408d4 100644
 +## <rolecap/>
  #
 -interface(`apache_manage_sys_rw_content',`
-+interface(`apache_read_sys_content_rw_dirs',`
++interface(`apache_read_sys_content_rw_files',`
  	gen_require(`
  		type httpd_sys_rw_content_t;
  	')
  
 -	apache_search_sys_content($1)
++	read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++')
++
++######################################
++## <summary>
++##	Allow the specified domain to read
++##	apache system content rw dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`apache_read_sys_content_rw_dirs',`
++	gen_require(`
++		type httpd_sys_rw_content_t;
++	')
++
 +	list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 +')
 +
@@ -5390,7 +5390,7 @@ index f6eb4851f..422f408d4 100644
  	admin_pattern($1, httpd_log_t)
  
  	admin_pattern($1, httpd_modules_t)
-@@ -1224,9 +1625,201 @@ interface(`apache_admin',`
+@@ -1224,9 +1625,219 @@ interface(`apache_admin',`
  	admin_pattern($1, httpd_var_run_t)
  	files_pid_filetrans($1, httpd_var_run_t, file)
  
@@ -5591,10 +5591,28 @@ index f6eb4851f..422f408d4 100644
 +	gen_require(`
 +		type httpd_tmp_t;
 +	')
++
++	allow $1 httpd_tmp_t:file unlink;
++')
++
++########################################
++## <summary>
++##	Allow httpd noatsecure
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`apache_noatsecure',`
++	gen_require(`
++		type httpd_t;
++	')
  
 -	apache_run_all_scripts($1, $2)
 -	apache_run_helper($1, $2)
-+	allow $1 httpd_tmp_t:file unlink;
++    allow $1 httpd_t:process { noatsecure };
  ')
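Review bot: The body of the new `apache_noatsecure` interface, `++    allow $1 httpd_t:process { noatsecure };`, is indented with four spaces while the `gen_require` block directly above it and the rest of apache.if use tabs; it should read `	allow $1 httpd_t:process noatsecure;` (the braces around a single permission are also unnecessary). The `<summary>` text "Allow httpd noatsecure" does not say what the caller actually gets; suggest `##	Allow the specified domain to transition to httpd_t without AT_SECURE, i.e. without the loader's secure-execution environment cleansing.` so callers understand the relaxation they are opting into. The interface is complete within the hunk.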
 diff --git a/apache.te b/apache.te
 index 6649962b6..1a0189a44 100644
@@ -58089,7 +58107,7 @@ index 687af38bb..5381f1b39 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/mysql.te b/mysql.te
-index 7584bbe7c..a89f6d665 100644
+index 7584bbe7c..9c33fb9ac 100644
 --- a/mysql.te
 +++ b/mysql.te
 @@ -6,20 +6,22 @@ policy_module(mysql, 1.14.1)
@@ -58140,7 +58158,7 @@ index 7584bbe7c..a89f6d665 100644
  type mysqld_initrc_exec_t;
  init_script_file(mysqld_initrc_exec_t)
  
-@@ -62,28 +66,29 @@ files_pid_file(mysqlmanagerd_var_run_t)
+@@ -62,28 +66,30 @@ files_pid_file(mysqlmanagerd_var_run_t)
  # Local policy
  #
  
@@ -58161,6 +58179,7 @@ index 7584bbe7c..a89f6d665 100644
 +manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
  manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
  files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
++allow mysqld_t mysqld_db_t:file map;
  
 -filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
 -
@@ -58177,7 +58196,7 @@ index 7584bbe7c..a89f6d665 100644
  logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
  
  manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
-@@ -95,50 +100,66 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+@@ -95,50 +101,66 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
  manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
  files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
  
@@ -58262,7 +58281,7 @@ index 7584bbe7c..a89f6d665 100644
  ')
  
  optional_policy(`
-@@ -146,6 +167,10 @@ optional_policy(`
+@@ -146,6 +168,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -58273,7 +58292,7 @@ index 7584bbe7c..a89f6d665 100644
  	seutil_sigchld_newrole(mysqld_t)
  ')
  
-@@ -155,21 +180,20 @@ optional_policy(`
+@@ -155,21 +181,20 @@ optional_policy(`
  
  #######################################
  #
@@ -58301,7 +58320,7 @@ index 7584bbe7c..a89f6d665 100644
  
  list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
  manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
-@@ -177,9 +201,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+@@ -177,9 +202,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
  logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
  
  manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
@@ -58312,7 +58331,7 @@ index 7584bbe7c..a89f6d665 100644
  
  kernel_read_system_state(mysqld_safe_t)
  kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -187,21 +209,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -187,21 +210,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
  corecmd_exec_bin(mysqld_safe_t)
  corecmd_exec_shell(mysqld_safe_t)
  
@@ -58348,7 +58367,7 @@ index 7584bbe7c..a89f6d665 100644
  
  optional_policy(`
  	hostname_exec(mysqld_safe_t)
-@@ -209,20 +239,21 @@ optional_policy(`
+@@ -209,20 +240,21 @@ optional_policy(`
  
  ########################################
  #
@@ -58377,7 +58396,7 @@ index 7584bbe7c..a89f6d665 100644
  
  domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
  
-@@ -230,31 +261,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -230,31 +262,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
  
@@ -112229,10 +112248,10 @@ index 000000000..e5cec8fda
 +')
 diff --git a/tomcat.te b/tomcat.te
 new file mode 100644
-index 000000000..9c3b00220
+index 000000000..31baf3bb8
 --- /dev/null
 +++ b/tomcat.te
-@@ -0,0 +1,117 @@
+@@ -0,0 +1,124 @@
 +policy_module(tomcat, 1.0.0)
 +
 +########################################
@@ -112292,8 +112311,7 @@ index 000000000..9c3b00220
 +
 +allow tomcat_t self:capability { dac_override setuid kill };
 +
-+allow tomcat_t self:process execmem;
-+allow tomcat_t self:process { setcap signal signull };
++allow tomcat_t self:process { execmem setcap setsched signal signull };
 +
 +allow tomcat_t self:tcp_socket { accept listen };
 +allow tomcat_domain self:fifo_file rw_fifo_file_perms;
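Review bot: Merging the two `allow tomcat_t self:process` rules into `{ execmem setcap setsched signal signull }` quietly adds `setsched`, which neither the hunk nor the spec changelog mentions; a consolidation hunk is where a new permission is easiest to miss in review. Please either record it in the changelog or add a short comment, e.g. `# setsched: JVM adjusts thread scheduling policy — confirm trigger`, so the grant is traceable. The same applies to `libs_exec_ldconfig(tomcat_domain)` in the following hunk, which is added with no comment, whereas the new ldap rules in the hunk after it do carry a `# needed by FreeIPA` note.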
@@ -112333,6 +112351,8 @@ index 000000000..9c3b00220
 +
 +domain_use_interactive_fds(tomcat_domain)
 +
++libs_exec_ldconfig(tomcat_domain)
++
 +fs_getattr_all_fs(tomcat_domain)
 +fs_read_hugetlbfs_files(tomcat_domain)
 +
@@ -112343,6 +112363,12 @@ index 000000000..9c3b00220
 +')
 +
 +optional_policy(`
++	# needed by FreeIPA
++	ldap_stream_connect(tomcat_domain)
++	ldap_read_certs(tomcat_domain)
++')
++
++optional_policy(`
 +	tomcat_search_lib(tomcat_domain)
 +')
 +
@@ -117037,7 +117063,7 @@ index facdee8b3..2a619ba9e 100644
 +	dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf567..529ae6612 100644
+index f03dcf567..cf9950e36 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,451 +1,424 @@
@@ -118002,7 +118028,7 @@ index f03dcf567..529ae6612 100644
  ')
  
  optional_policy(`
-@@ -691,99 +653,432 @@ optional_policy(`
+@@ -691,99 +653,433 @@ optional_policy(`
  	dnsmasq_kill(virtd_t)
  	dnsmasq_signull(virtd_t)
  	dnsmasq_create_pid_dirs(virtd_t)
@@ -118247,6 +118273,7 @@ index f03dcf567..529ae6612 100644
 +dev_rw_inherited_vhost(virt_domain)
 +dev_rw_infiniband_dev(virt_domain)
 +dev_rw_dri(virt_domain)
++dev_rw_tpm(virt_domain)
 +
 +domain_use_interactive_fds(virt_domain)
 +
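Review bot: `dev_rw_tpm(virt_domain)` grants read/write on the TPM device to everything carrying the virt_domain attribute (which, as far as I can tell from the surrounding rules, includes the guest emulator domains), and the change is neither commented here nor listed in the spec changelog. If the intent is TPM passthrough for specific guests, consider whether this belongs behind a tunable or on a narrower type rather than the whole attribute, and in any case add a comment such as `# TPM device passthrough for guests — confirm whether all virt_domain types need this`. The virt_domain rule block starts before this hunk.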
@@ -118484,7 +118511,7 @@ index f03dcf567..529ae6612 100644
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1089,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1090,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -118511,7 +118538,7 @@ index f03dcf567..529ae6612 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1109,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1110,25 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -118545,7 +118572,7 @@ index f03dcf567..529ae6612 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1146,20 @@ optional_policy(`
+@@ -856,14 +1147,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -118567,7 +118594,7 @@ index f03dcf567..529ae6612 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -888,49 +1184,66 @@ optional_policy(`
+@@ -888,49 +1185,66 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -118652,7 +118679,7 @@ index f03dcf567..529ae6612 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1255,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1256,16 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -118672,7 +118699,7 @@ index f03dcf567..529ae6612 100644
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1276,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1277,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -118696,7 +118723,7 @@ index f03dcf567..529ae6612 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1301,296 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1302,296 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -119140,7 +119167,7 @@ index f03dcf567..529ae6612 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1174,12 +1603,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1604,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -119155,7 +119182,7 @@ index f03dcf567..529ae6612 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1192,7 +1621,7 @@ optional_policy(`
+@@ -1192,7 +1622,7 @@ optional_policy(`
  
  ########################################
  #
@@ -119164,7 +119191,7 @@ index f03dcf567..529ae6612 100644
  #
  
  allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1630,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1631,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
  allow virt_bridgehelper_t self:tun_socket create_socket_perms;
  allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 290d069..110607f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 286%{?dist}
+Release: 287%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -682,6 +682,13 @@ exit 0
 %endif
 
 %changelog
+* Fri Sep 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-287
+- Allow init noatsecure httpd_t
+- Allow mysqld_t domain to mmap mysqld db files. BZ(1483331)
+- Allow unconfined_t domain to create new users with proper SELinux lables
+-  Allow init noatsecure httpd_t
+- Label tcp port 3269 as ldap_port_t
+
 * Mon Sep 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-286
 - Add new boolean tomcat_read_rpm_db()
 - Allow tomcat to connect on mysqld tcp ports