* Thu Feb 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-107

- Fix labels on new location of resolv.conf - syslog is not writing to the audit socket - seunshare is doing getattr on unix_stream_sockets leaked into it - Allow sshd_t to manage gssd keyring - Allow apps that create net_conf_t content to create .resolv.conf.NetworkManager - Posgresql listens on port 9898 when running PCP (pgpool Control Port) - Allow svirt sandbox domains to read /proc/mtrr - Allow polipo_deamon connect to all ephemeral ports. BZ(1187723) - Allow dovecot domains to use sys_resouce - Allow sshd_t to manage gssd keyring - gpg_pinentry_t needs more access in f22
2015-02-02 11:59:21 +01:00 · 2015-02-02 11:59:21 +01:00 · 1808b757f1
commit 1808b757f1
parent a849531c0e
3 changed files with 302 additions and 266 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -3150,7 +3150,7 @@ index 1d732f1..4aef39e 100644
 +	stapserver_manage_lib(useradd_t)
 +')
 diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
-index 1dc7a85..c6f4da0 100644
+index 1dc7a85..1a2084f 100644
 --- a/policy/modules/apps/seunshare.if
 +++ b/policy/modules/apps/seunshare.if
@@ -43,18 +43,18 @@ interface(`seunshare_run',`
@ -3179,7 +3179,7 @@ index 1dc7a85..c6f4da0 100644
 ## <param name="role">
 ##	<summary>
 ##	Role allowed access.
-@@ -66,15 +66,44 @@ interface(`seunshare_run',`
+@@ -66,15 +66,45 @@ interface(`seunshare_run',`
 ##	</summary>
 ## </param>
 #
@ -3206,6 +3206,7 @@ index 1dc7a85..c6f4da0 100644
 +	mls_process_set_level($1_seunshare_t)
 +
 +	domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t)
 +	allow $1_seunshare_t $3:unix_stream_socket getattr;
 +
 +	# part of sandboxX.pp
 +	optional_policy(`
@ -5526,7 +5527,7 @@ index 8e0f9cd..b9f45b9 100644
 define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..94987a2 100644
+index b191055..87b5aa1 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@ -5751,7 +5752,7 @@ index b191055..94987a2 100644
 network_port(msnp, tcp,1863,s0, udp,1863,s0)
 network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
 network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,26 +233,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,95 +233,116 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
 network_port(mxi, tcp,8005,s0, udp,8005,s0)
 network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
 network_port(mysqlmanagerd, tcp,2273,s0)
@ -5791,8 +5792,9 @@ index b191055..94987a2 100644
 +network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0, tcp,10993,s0)
 network_port(portmap, udp,111,s0, tcp,111,s0)
 network_port(postfix_policyd, tcp,10031,s0)
- network_port(postgresql, tcp,5432,s0)
+-network_port(postgresql, tcp,5432,s0)
-@@ -213,68 +270,79 @@ network_port(postgrey, tcp,60000,s0)
+network_port(postgresql, tcp,5432,s0, tcp,9898,s0)
 network_port(postgrey, tcp,60000,s0)
 network_port(pptp, tcp,1723,s0, udp,1723,s0)
 network_port(prelude, tcp,4690,s0, udp,4690,s0)
 network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
@ -6120,7 +6122,7 @@ index b31c054..1f28afb 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..0e6161d 100644
+index 76f285e..be13cd9 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@ -6990,7 +6992,7 @@ index 76f285e..0e6161d 100644
 ##	range registers (MTRR).
 ## </summary>
 ## <param name="domain">
-@@ -2970,13 +3457,13 @@ interface(`dev_write_mtrr',`
+@@ -2970,13 +3457,32 @@ interface(`dev_write_mtrr',`
 ##	</summary>
 ## </param>
 #
@ -7004,82 +7006,77 @@ index 76f285e..0e6161d 100644
 -	dontaudit $1 mtrr_device_t:chr_file write;
 +	dontaudit $1 mtrr_device_t:file { open read };
 +	dontaudit $1 mtrr_device_t:chr_file { open read };
 ')
 ########################################
@@ -3144,52 +3631,106 @@ interface(`dev_create_null_dev',`
 ########################################
 ## <summary>
 -##	Do not audit attempts to get the attributes
 -##	of the BIOS non-volatile RAM device.
 +##	Get the status of a null device service.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 -##	Domain to not audit.
 +##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 -interface(`dev_dontaudit_getattr_nvram_dev',`
 +interface(`dev_service_status_null_dev',`
 	gen_require(`
 -		type nvram_device_t;
 +		type null_device_t;
 	')
 -	dontaudit $1 nvram_device_t:chr_file getattr;
 +	allow $1 null_device_t:service status;
 ')
 ########################################
 ## <summary>
 -##	Read and write BIOS non-volatile RAM.
 +##	Configure null_device as a unit files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 -##	Domain allowed access.
 +##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
 -interface(`dev_rw_nvram',`
 +interface(`dev_config_null_dev_service',`
 	gen_require(`
 -		type nvram_device_t;
 +		type null_device_t;
 	')
 -	rw_chr_files_pattern($1, device_t, nvram_device_t)
 +	allow $1 null_device_t:service manage_service_perms;
 ')
 ########################################
 ## <summary>
 -##	Get the attributes of the printer device nodes.
 +##	Do not audit attempts to get the attributes
 +##	of the BIOS non-volatile RAM device.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 -##	Domain allowed access.
 +##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
 -interface(`dev_getattr_printer_dev',`
 +interface(`dev_dontaudit_getattr_nvram_dev',`
 +	gen_require(`
 +		type nvram_device_t;
 +	')
 +
 +	dontaudit $1 nvram_device_t:chr_file getattr;
 +')
 +
 +########################################
 +## <summary>
 +##	Read the memory type range registers (MTRR).
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`dev_read_mtrr',`
 +	gen_require(`
 +		type device_t, mtrr_device_t;
 +	')
 +
 +	read_files_pattern($1, device_t, mtrr_device_t)
 +	read_chr_files_pattern($1, device_t, mtrr_device_t)
 ')
 ########################################
@@ -3144,7 +3650,43 @@ interface(`dev_create_null_dev',`
 ########################################
 ## <summary>
 -##	Do not audit attempts to get the attributes
 +##	Get the status of a null device service.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`dev_service_status_null_dev',`
 +	gen_require(`
 +		type null_device_t;
 +	')
 +
 +	allow $1 null_device_t:service status;
 +')
 +
 +########################################
 +## <summary>
 +##	Configure null_device as a unit files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed to transition.
 +##	</summary>
 +## </param>
 +#
 +interface(`dev_config_null_dev_service',`
 +	gen_require(`
 +		type null_device_t;
 +	')
 +
 +	allow $1 null_device_t:service manage_service_perms;
 +')
 +
 +########################################
 +## <summary>
 +##	Do not audit attempts to get the attributes
 ##	of the BIOS non-volatile RAM device.
 ## </summary>
 ## <param name="domain">
@@ -3163,6 +3705,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
 ########################################
 ## <summary>
 +##	Read BIOS non-volatile RAM.
 +## </summary>
 +## <param name="domain">
@ -7098,81 +7095,54 @@ index 76f285e..0e6161d 100644
 +
 +########################################
 +## <summary>
-+##	Read and write BIOS non-volatile RAM.
+ ##	Read and write BIOS non-volatile RAM.
-+## </summary>
+ ## </summary>
-+## <param name="domain">
+ ## <param name="domain">
-+##	<summary>
+@@ -3254,7 +3814,25 @@ interface(`dev_rw_printer',`
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`dev_rw_nvram',`
 +	gen_require(`
 +		type nvram_device_t;
 +	')
 +
 +	rw_chr_files_pattern($1, device_t, nvram_device_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Get the attributes of the printer device nodes.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`dev_getattr_printer_dev',`
 	gen_require(`
 		type device_t, printer_device_t;
 	')
@@ -3254,7 +3795,7 @@ interface(`dev_rw_printer',`
 ########################################
 ## <summary>
 -##	Read printk devices (e.g., /dev/kmsg /dev/mcelog)
 +##	Relabel the printer device node.
- ## </summary>
+## </summary>
- ## <param name="domain">
+## <param name="domain">
- ##	<summary>
+##	<summary>
-@@ -3262,12 +3803,31 @@ interface(`dev_rw_printer',`
+##	Domain allowed access.
- ##	</summary>
+##	</summary>
- ## </param>
+## </param>
- #
+#
 -interface(`dev_read_printk',`
 +interface(`dev_relabel_printer',`
- 	gen_require(`
+	gen_require(`
 -		type device_t, printk_device_t;
 +		type printer_device_t;
- 	')
+	')
- 
+
 -	read_chr_files_pattern($1, device_t, printk_device_t)
 +	allow $1 printer_device_t:chr_file relabel_chr_file_perms;
 +')
 +
 +########################################
 +## <summary>
 +##	Read and write the printer device.
-+## </summary>
+ ## </summary>
-+## <param name="domain">
+ ## <param name="domain">
-+##	<summary>
+ ##	<summary>
-+##	Domain allowed access.
+@@ -3262,12 +3840,13 @@ interface(`dev_rw_printer',`
-+##	</summary>
+ ##	</summary>
-+## </param>
+ ## </param>
-+#
+ #
 -interface(`dev_read_printk',`
 +interface(`dev_manage_printer',`
-+	gen_require(`
+ 	gen_require(`
 -		type device_t, printk_device_t;
 +		type device_t, printer_device_t;
-+	')
+ 	')
-+
+ 
 -	read_chr_files_pattern($1, device_t, printk_device_t)
 +	manage_chr_files_pattern($1, device_t, printer_device_t)
 +	dev_filetrans_printer_named_dev($1)
 ')
 ########################################
-@@ -3399,7 +3959,7 @@ interface(`dev_dontaudit_read_rand',`
+@@ -3399,7 +3978,7 @@ interface(`dev_dontaudit_read_rand',`
 ########################################
 ## <summary>
@ -7181,7 +7151,7 @@ index 76f285e..0e6161d 100644
 ##	number generator devices (e.g., /dev/random)
 ## </summary>
 ## <param name="domain">
-@@ -3413,7 +3973,7 @@ interface(`dev_dontaudit_append_rand',`
+@@ -3413,7 +3992,7 @@ interface(`dev_dontaudit_append_rand',`
 		type random_device_t;
 	')
@ -7190,7 +7160,7 @@ index 76f285e..0e6161d 100644
 ')
 ########################################
-@@ -3855,6 +4415,96 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,6 +4434,96 @@ interface(`dev_getattr_sysfs_dirs',`
 ########################################
 ## <summary>
@ -7287,7 +7257,7 @@ index 76f285e..0e6161d 100644
 ##	Search the sysfs directories.
 ## </summary>
 ## <param name="domain">
-@@ -3904,6 +4554,7 @@ interface(`dev_list_sysfs',`
+@@ -3904,6 +4573,7 @@ interface(`dev_list_sysfs',`
 		type sysfs_t;
 	')
@ -7295,7 +7265,7 @@ index 76f285e..0e6161d 100644
 	list_dirs_pattern($1, sysfs_t, sysfs_t)
 ')
-@@ -3946,23 +4597,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3946,23 +4616,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
 ########################################
 ## <summary>
@ -7316,7 +7286,7 @@ index 76f285e..0e6161d 100644
 #
 -interface(`dev_manage_sysfs_dirs',`
 +interface(`dev_read_cpu_online',`
-+	gen_require(`
+ 	gen_require(`
 +		type cpu_online_t;
 +	')
 +
@ -7335,7 +7305,7 @@ index 76f285e..0e6161d 100644
 +## </param>
 +#
 +interface(`dev_relabel_cpu_online',`
- 	gen_require(`
+	gen_require(`
 +		type cpu_online_t;
 		type sysfs_t;
 	')
@ -7349,7 +7319,7 @@ index 76f285e..0e6161d 100644
 ########################################
 ## <summary>
 ##	Read hardware state information.
-@@ -4016,6 +4693,62 @@ interface(`dev_rw_sysfs',`
+@@ -4016,6 +4712,62 @@ interface(`dev_rw_sysfs',`
 ########################################
 ## <summary>
@ -7412,7 +7382,7 @@ index 76f285e..0e6161d 100644
 ##	Read and write the TPM device.
 ## </summary>
 ## <param name="domain">
-@@ -4113,6 +4846,25 @@ interface(`dev_write_urand',`
+@@ -4113,6 +4865,25 @@ interface(`dev_write_urand',`
 ########################################
 ## <summary>
@ -7438,7 +7408,7 @@ index 76f285e..0e6161d 100644
 ##	Getattr generic the USB devices.
 ## </summary>
 ## <param name="domain">
-@@ -4123,7 +4875,7 @@ interface(`dev_write_urand',`
+@@ -4123,7 +4894,7 @@ interface(`dev_write_urand',`
 #
 interface(`dev_getattr_generic_usb_dev',`
 	gen_require(`
@ -7447,7 +7417,7 @@ index 76f285e..0e6161d 100644
 	')
 	getattr_chr_files_pattern($1, device_t, usb_device_t)
-@@ -4409,9 +5161,9 @@ interface(`dev_rw_usbfs',`
+@@ -4409,9 +5180,9 @@ interface(`dev_rw_usbfs',`
 	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
 ')
@ -7459,7 +7429,7 @@ index 76f285e..0e6161d 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4419,17 +5171,17 @@ interface(`dev_rw_usbfs',`
+@@ -4419,17 +5190,17 @@ interface(`dev_rw_usbfs',`
 ##	</summary>
 ## </param>
 #
@ -7482,7 +7452,7 @@ index 76f285e..0e6161d 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4437,12 +5189,12 @@ interface(`dev_getattr_video_dev',`
+@@ -4437,12 +5208,12 @@ interface(`dev_getattr_video_dev',`
 ##	</summary>
 ## </param>
 #
@ -7498,7 +7468,7 @@ index 76f285e..0e6161d 100644
 ')
 ########################################
-@@ -4539,6 +5291,134 @@ interface(`dev_write_video_dev',`
+@@ -4539,6 +5310,134 @@ interface(`dev_write_video_dev',`
 ########################################
 ## <summary>
@ -7633,7 +7603,7 @@ index 76f285e..0e6161d 100644
 ##	Allow read/write the vhost net device
 ## </summary>
 ## <param name="domain">
-@@ -4557,6 +5437,24 @@ interface(`dev_rw_vhost',`
+@@ -4557,6 +5456,24 @@ interface(`dev_rw_vhost',`
 ########################################
 ## <summary>
@ -7658,7 +7628,7 @@ index 76f285e..0e6161d 100644
 ##	Read and write VMWare devices.
 ## </summary>
 ## <param name="domain">
-@@ -4762,6 +5660,44 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5679,44 @@ interface(`dev_rw_xserver_misc',`
 ########################################
 ## <summary>
@ -7703,7 +7673,7 @@ index 76f285e..0e6161d 100644
 ##	Read and write to the zero device (/dev/zero).
 ## </summary>
 ## <param name="domain">
-@@ -4851,3 +5787,966 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5806,966 @@ interface(`dev_unconfined',`
 	typeattribute $1 devices_unconfined_type;
 ')
@ -23162,7 +23132,7 @@ index fe0c682..3ad1b1f 100644
 +	ps_process_pattern($1, sshd_t)
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index cc877c7..2ef9dc6 100644
+index cc877c7..46e1c3e 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
@@ -6,43 +6,68 @@ policy_module(ssh, 2.4.2)
@ -23513,7 +23483,7 @@ index cc877c7..2ef9dc6 100644
 	inetd_tcp_service_domain(sshd_t, sshd_exec_t)
 ')
-@@ -275,6 +344,18 @@ optional_policy(`
+@@ -275,10 +344,26 @@ optional_policy(`
 ')
 optional_policy(`
@ -23532,7 +23502,15 @@ index cc877c7..2ef9dc6 100644
 	oddjob_domtrans_mkhomedir(sshd_t)
 ')
-@@ -289,13 +370,93 @@ optional_policy(`
+ optional_policy(`
 +	rpc_rw_gssd_keys(sshd_t)
 +')
 +
 +optional_policy(`
 	rpm_use_script_fds(sshd_t)
 ')
@@ -289,13 +374,93 @@ optional_policy(`
 ')
 optional_policy(`
@ -23626,7 +23604,7 @@ index cc877c7..2ef9dc6 100644
 ########################################
 #
 # ssh_keygen local policy
-@@ -304,19 +465,33 @@ optional_policy(`
+@@ -304,19 +469,33 @@ optional_policy(`
 # ssh_keygen_t is the type of the ssh-keygen program when run at install time
 # and by sysadm_t
@ -23661,7 +23639,7 @@ index cc877c7..2ef9dc6 100644
 dev_read_urand(ssh_keygen_t)
 term_dontaudit_use_console(ssh_keygen_t)
-@@ -332,7 +507,9 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -332,7 +511,9 @@ auth_use_nsswitch(ssh_keygen_t)
 logging_send_syslog_msg(ssh_keygen_t)
@ -23671,7 +23649,7 @@ index cc877c7..2ef9dc6 100644
 optional_policy(`
 	seutil_sigchld_newrole(ssh_keygen_t)
-@@ -341,3 +518,148 @@ optional_policy(`
+@@ -341,3 +522,148 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(ssh_keygen_t)
 ')
@ -34756,7 +34734,7 @@ index 4e94884..8de26ad 100644
 +    logging_log_filetrans($1, var_log_t, dir, "anaconda")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..89471ff 100644
+index 59b04c1..53a6182 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@ -34979,19 +34957,19 @@ index 59b04c1..89471ff 100644
 # receive messages to be logged
 allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -369,8 +412,11 @@ allow syslogd_t self:unix_dgram_socket sendto;
+@@ -369,8 +412,10 @@ allow syslogd_t self:unix_dgram_socket sendto;
 allow syslogd_t self:fifo_file rw_fifo_file_perms;
 allow syslogd_t self:udp_socket create_socket_perms;
 allow syslogd_t self:tcp_socket create_stream_socket_perms;
 -
 +allow syslogd_t self:rawip_socket create_socket_perms;
-+allow syslogd_t self:netlink_audit_socket r_netlink_socket_perms;
+allow syslogd_t self:netlink_audit_socket { r_netlink_socket_perms nlmsg_write };
 allow syslogd_t syslog_conf_t:file read_file_perms;
 +allow syslogd_t syslog_conf_t:dir list_dir_perms;
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
-@@ -389,30 +435,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -389,30 +434,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@ -35041,7 +35019,7 @@ index 59b04c1..89471ff 100644
 # syslog-ng can listen and connect on tcp port 514 (rsh)
 corenet_tcp_sendrecv_generic_if(syslogd_t)
 corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -422,6 +484,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -422,6 +483,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
 corenet_tcp_connect_rsh_port(syslogd_t)
 # Allow users to define additional syslog ports to connect to
 corenet_tcp_bind_syslogd_port(syslogd_t)
@ -35050,7 +35028,7 @@ index 59b04c1..89471ff 100644
 corenet_tcp_connect_syslogd_port(syslogd_t)
 corenet_tcp_connect_postgresql_port(syslogd_t)
 corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -432,9 +496,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -432,9 +495,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
 corenet_sendrecv_postgresql_client_packets(syslogd_t)
 corenet_sendrecv_mysqld_client_packets(syslogd_t)
@ -35078,7 +35056,7 @@ index 59b04c1..89471ff 100644
 domain_use_interactive_fds(syslogd_t)
 files_read_etc_files(syslogd_t)
-@@ -448,13 +529,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+@@ -448,13 +528,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
 fs_getattr_all_fs(syslogd_t)
 fs_search_auto_mountpoints(syslogd_t)
@ -35096,7 +35074,7 @@ index 59b04c1..89471ff 100644
 # for sending messages to logged in users
 init_read_utmp(syslogd_t)
 init_dontaudit_write_utmp(syslogd_t)
-@@ -466,11 +551,11 @@ init_use_fds(syslogd_t)
+@@ -466,11 +550,11 @@ init_use_fds(syslogd_t)
 # cjp: this doesnt make sense
 logging_send_syslog_msg(syslogd_t)
@ -35111,7 +35089,7 @@ index 59b04c1..89471ff 100644
 ifdef(`distro_gentoo',`
 	# default gentoo syslog-ng config appends kernel
-@@ -497,6 +582,7 @@ optional_policy(`
+@@ -497,6 +581,7 @@ optional_policy(`
 optional_policy(`
 	cron_manage_log_files(syslogd_t)
 	cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
@ -35119,7 +35097,7 @@ index 59b04c1..89471ff 100644
 ')
 optional_policy(`
-@@ -507,15 +593,40 @@ optional_policy(`
+@@ -507,15 +592,40 @@ optional_policy(`
 ')
 optional_policy(`
@ -35160,7 +35138,7 @@ index 59b04c1..89471ff 100644
 ')
 optional_policy(`
-@@ -526,3 +637,26 @@ optional_policy(`
+@@ -526,3 +636,26 @@ optional_policy(`
 	# log to the xconsole
 	xserver_rw_console(syslogd_t)
 ')
@ -39152,10 +39130,10 @@ index 1447687..d5e6fb9 100644
 seutil_read_config(setrans_t)
 diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 40edc18..8896a27 100644
+index 40edc18..bdc6d52 100644
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
-@@ -17,22 +17,25 @@ ifdef(`distro_debian',`
+@@ -17,23 +17,28 @@ ifdef(`distro_debian',`
 /etc/dhclient.*conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
 /etc/dhclient-script	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
 /etc/dhcpc.*			gen_context(system_u:object_r:dhcp_etc_t,s0)
@ -39171,6 +39149,7 @@ index 40edc18..8896a27 100644
 /etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
 /etc/yp\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)
 +/etc/ntp\.conf		--	gen_context(system_u:object_r:net_conf_t,s0)
 +/etc/\.resolv\.conf\.NetworkManager gen_context(system_u:object_r:net_conf_t,s0)
 -/etc/dhcp3(/.*)?		gen_context(system_u:object_r:dhcp_etc_t,s0)
 +/etc/dhcp3?(/.*)?		gen_context(system_u:object_r:dhcp_etc_t,s0)
@ -39183,9 +39162,11 @@ index 40edc18..8896a27 100644
 +/var/run/systemd/network(/.*)?  gen_context(system_u:object_r:net_conf_t,s0)
 +/var/run/systemd/resolve/resolv\.conf   --  gen_context(system_u:object_r:net_conf_t,s0)
 ')
 +/var/run/NetworkManager/resolve/resolv\.conf   --  gen_context(system_u:object_r:net_conf_t,s0)
 #
-@@ -44,6 +47,7 @@ ifdef(`distro_redhat',`
+ # /sbin
@@ -44,6 +49,7 @@ ifdef(`distro_redhat',`
 /sbin/ethtool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/ifconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/ip		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
@ -39193,7 +39174,7 @@ index 40edc18..8896a27 100644
 /sbin/ipx_configure	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/ipx_interface	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/ipx_internal_net	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-@@ -55,6 +59,21 @@ ifdef(`distro_redhat',`
+@@ -55,6 +61,21 @@ ifdef(`distro_redhat',`
 #
 # /usr
 #
@ -39215,7 +39196,7 @@ index 40edc18..8896a27 100644
 /usr/sbin/tc		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 #
-@@ -77,3 +96,6 @@ ifdef(`distro_debian',`
+@@ -77,3 +98,6 @@ ifdef(`distro_debian',`
 /var/run/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
 ')
@ -39223,7 +39204,7 @@ index 40edc18..8896a27 100644
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 +
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..e094fc0 100644
+index 2cea692..b52919c 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@ -39583,7 +39564,7 @@ index 2cea692..e094fc0 100644
 	corenet_tcp_sendrecv_generic_if($1)
 	corenet_udp_sendrecv_generic_if($1)
 	corenet_tcp_sendrecv_generic_node($1)
-@@ -796,3 +1005,115 @@ interface(`sysnet_use_portmap',`
+@@ -796,3 +1005,120 @@ interface(`sysnet_use_portmap',`
 	sysnet_read_config($1)
 ')
@ -39653,13 +39634,18 @@ index 2cea692..e094fc0 100644
 +	files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
 +	files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-tmp")
 +	files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-saved")
 +	files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf.NetworkManager")
 +	files_etc_filetrans($1, net_conf_t, file, "denyhosts")
 +	files_etc_filetrans($1, net_conf_t, file, "hosts")
 +	files_etc_filetrans($1, net_conf_t, file, "hosts.deny")
 +	files_etc_filetrans($1, net_conf_t, file, "ethers")
 +	files_etc_filetrans($1, net_conf_t, file, "yp.conf")
 +	files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
-+    init_pid_filetrans($1, net_conf_t, dir, "network") 
+	init_pid_filetrans($1, net_conf_t, dir, "network")
 +
 +	optional_policy(`
 +		networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf")
 +	')
 +')
 +
 +########################################
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -25850,7 +25850,7 @@ index d5badb7..c2431fc 100644
 +	admin_pattern($1, dovecot_passwd_t)
 ')
 diff --git a/dovecot.te b/dovecot.te
-index 0aabc7e..7bd570c 100644
+index 0aabc7e..e1c4564 100644
 --- a/dovecot.te
 +++ b/dovecot.te
@@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1)
@ -25892,7 +25892,7 @@ index 0aabc7e..7bd570c 100644
 type dovecot_var_lib_t;
 files_type(dovecot_var_lib_t)
-@@ -59,20 +57,19 @@ logging_log_file(dovecot_var_log_t)
+@@ -59,20 +57,20 @@ logging_log_file(dovecot_var_log_t)
 type dovecot_var_run_t;
 files_pid_file(dovecot_var_run_t)
@ -25903,8 +25903,10 @@ index 0aabc7e..7bd570c 100644
 +# dovecot domain local policy
 #
- allow dovecot_domain self:capability2 block_suspend;
+-allow dovecot_domain self:capability2 block_suspend;
 -allow dovecot_domain self:fifo_file rw_fifo_file_perms;
 +allow dovecot_domain self:capability sys_resource;
 +dontaudit dovecot_domain self:capability2 block_suspend;
 +allow dovecot_domain self:process signal_perms;
 -allow dovecot_domain dovecot_etc_t:dir list_dir_perms;
@ -25919,7 +25921,7 @@ index 0aabc7e..7bd570c 100644
 corecmd_exec_bin(dovecot_domain)
 corecmd_exec_shell(dovecot_domain)
-@@ -81,26 +78,34 @@ dev_read_sysfs(dovecot_domain)
+@@ -81,26 +79,34 @@ dev_read_sysfs(dovecot_domain)
 dev_read_rand(dovecot_domain)
 dev_read_urand(dovecot_domain)
@ -25964,7 +25966,7 @@ index 0aabc7e..7bd570c 100644
 allow dovecot_t dovecot_keytab_t:file read_file_perms;
-@@ -108,12 +113,13 @@ manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+@@ -108,12 +114,13 @@ manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
 manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
 files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
@ -25981,7 +25983,7 @@ index 0aabc7e..7bd570c 100644
 logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
 manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
-@@ -125,45 +131,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+@@ -125,45 +132,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
@ -26038,7 +26040,7 @@ index 0aabc7e..7bd570c 100644
 init_getattr_utmp(dovecot_t)
-@@ -171,45 +167,44 @@ auth_use_nsswitch(dovecot_t)
+@@ -171,45 +168,44 @@ auth_use_nsswitch(dovecot_t)
 miscfiles_read_generic_certs(dovecot_t)
@ -26102,7 +26104,7 @@ index 0aabc7e..7bd570c 100644
 	sendmail_domtrans(dovecot_t)
 ')
-@@ -227,46 +222,67 @@ optional_policy(`
+@@ -227,46 +223,67 @@ optional_policy(`
 ########################################
 #
@ -26179,7 +26181,7 @@ index 0aabc7e..7bd570c 100644
 	mysql_stream_connect(dovecot_auth_t)
 	mysql_read_config(dovecot_auth_t)
 	mysql_tcp_connect(dovecot_auth_t)
-@@ -277,53 +293,79 @@ optional_policy(`
+@@ -277,53 +294,79 @@ optional_policy(`
 ')
 optional_policy(`
@ -26278,7 +26280,7 @@ index 0aabc7e..7bd570c 100644
 	mta_read_queue(dovecot_deliver_t)
 ')
-@@ -332,5 +374,6 @@ optional_policy(`
+@@ -332,5 +375,6 @@ optional_policy(`
 ')
 optional_policy(`
@ -34279,7 +34281,7 @@ index 180f1b7..3c8757e 100644
 +	userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
 +')
 diff --git a/gpg.te b/gpg.te
-index 0e97e82..64cb452 100644
+index 0e97e82..2569781 100644
 --- a/gpg.te
 +++ b/gpg.te
@@ -4,15 +4,7 @@ policy_module(gpg, 2.8.0)
@ -34636,7 +34638,7 @@ index 0e97e82..64cb452 100644
 manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
 userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
-@@ -287,53 +322,86 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+@@ -287,53 +322,87 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
 manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
 fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
@ -34666,7 +34668,7 @@ index 0e97e82..64cb452 100644
 +# read /etc/X11/qtrc
 fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
-+fs_getattr_tmpfs(gpg_pinentry_t)
+fs_getattr_all_fs(gpg_pinentry_t)
 auth_use_nsswitch(gpg_pinentry_t)
@ -34687,11 +34689,12 @@ index 0e97e82..64cb452 100644
 -	fs_read_nfs_files(gpg_pinentry_t)
 -')
 +userdom_home_reader(gpg_pinentry_t)
 +userdom_stream_connect(gpg_pinentry_t)
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_read_cifs_files(gpg_pinentry_t)
 +optional_policy(`
-+	gnome_read_home_config(gpg_pinentry_t)
+	gnome_manage_home_config(gpg_pinentry_t)
 ')
 optional_policy(`
@ -55100,7 +55103,7 @@ index 94b9734..448a7e8 100644
 +/var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --git a/networkmanager.if b/networkmanager.if
-index 86dc29d..3eaf32b 100644
+index 86dc29d..219892b 100644
 --- a/networkmanager.if
 +++ b/networkmanager.if
@@ -2,7 +2,7 @@
@ -55325,7 +55328,7 @@ index 86dc29d..3eaf32b 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -241,13 +307,32 @@ interface(`networkmanager_append_log_files',`
+@@ -241,13 +307,66 @@ interface(`networkmanager_append_log_files',`
 ##	</summary>
 ## </param>
 #
@ -55357,10 +55360,44 @@ index 86dc29d..3eaf32b 100644
 +
 +	files_search_pids($1)
 +	manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Create objects in /etc with a private
 +##	type using a type_transition.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <param name="file_type">
 +##	<summary>
 +##	Private file type.
 +##	</summary>
 +## </param>
 +## <param name="class">
 +##	<summary>
 +##	Object classes to be created.
 +##	</summary>
 +## </param>
 +## <param name="name" optional="true">
 +##	<summary>
 +##	The name of the object being created.
 +##	</summary>
 +## </param>
 +#
 +interface(`networkmanager_pid_filetrans',`
 +	gen_require(`
 +		type NetworkManager_var_run_t;
 +	')
 +
 +	filetrans_pattern($1, NetworkManager_var_run_t, $2, $3, $4)
 ')
 ####################################
-@@ -272,14 +357,33 @@ interface(`networkmanager_stream_connect',`
+@@ -272,14 +391,33 @@ interface(`networkmanager_stream_connect',`
 ########################################
 ## <summary>
@ -55396,7 +55433,7 @@ index 86dc29d..3eaf32b 100644
 ## <param name="role">
 ##	<summary>
 ##	Role allowed access.
-@@ -287,33 +391,132 @@ interface(`networkmanager_stream_connect',`
+@@ -287,33 +425,132 @@ interface(`networkmanager_stream_connect',`
 ## </param>
 ## <rolecap/>
 #
@ -68496,7 +68533,7 @@ index ae27bb7..10a7787 100644
 +	allow $1 polipo_unit_file_t:service all_service_perms;
 ')
 diff --git a/polipo.te b/polipo.te
-index 9764bfe..96dadf3 100644
+index 9764bfe..8870de7 100644
 --- a/polipo.te
 +++ b/polipo.te
@@ -7,19 +7,27 @@ policy_module(polipo, 1.1.1)
@ -68566,7 +68603,7 @@ index 9764bfe..96dadf3 100644
 type polipo_cache_t;
 files_type(polipo_cache_t)
-@@ -56,116 +63,103 @@ files_type(polipo_cache_t)
+@@ -56,116 +63,104 @@ files_type(polipo_cache_t)
 type polipo_log_t;
 logging_log_file(polipo_log_t)
@ -68725,6 +68762,7 @@ index 9764bfe..96dadf3 100644
 corenet_sendrecv_tor_client_packets(polipo_daemon)
 corenet_tcp_sendrecv_tor_port(polipo_daemon)
 corenet_tcp_connect_tor_port(polipo_daemon)
 +corenet_tcp_connect_all_ephemeral_ports(polipo_daemon)
 -files_read_usr_files(polipo_daemon)
 +logging_send_syslog_msg(polipo_session_t)
@ -84908,7 +84946,7 @@ index a6fb30c..38a2f09 100644
 +/var/run/rpc\.statd\.pid --	gen_context(system_u:object_r:rpcd_var_run_t,s0)
 +
 diff --git a/rpc.if b/rpc.if
-index 0bf13c2..1d69728 100644
+index 0bf13c2..8236a71 100644
 --- a/rpc.if
 +++ b/rpc.if
@@ -1,4 +1,4 @@
@ -85220,64 +85258,62 @@ index 0bf13c2..1d69728 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -326,12 +345,12 @@ interface(`rpc_search_nfs_state_data',`
+@@ -326,12 +345,31 @@ interface(`rpc_search_nfs_state_data',`
 	')
 	files_search_var_lib($1)
 -	allow $1 var_lib_nfs_t:dir search;
 +	allow $1 var_lib_nfs_t:dir search_dir_perms;
- ')
+')
- 
+
- ########################################
+########################################
- ## <summary>
+## <summary>
 -##	Read nfs lib files.
 +##	List NFS state data in /var/lib/nfs.
- ## </summary>
+## </summary>
- ## <param name="domain">
+## <param name="domain">
- ##	<summary>
+##	<summary>
-@@ -339,19 +358,18 @@ interface(`rpc_search_nfs_state_data',`
+##	Domain allowed access.
- ##	</summary>
+##	</summary>
- ## </param>
+## </param>
- #
+#
 -interface(`rpc_read_nfs_state_data',`
 +interface(`rpc_list_nfs_state_data',`
- 	gen_require(`
+	gen_require(`
- 		type var_lib_nfs_t;
+		type var_lib_nfs_t;
- 	')
+	')
- 
+
- 	files_search_var_lib($1)
+	files_search_var_lib($1)
 -	read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
 +	allow $1 var_lib_nfs_t:dir list_dir_perms;
 ')
 ########################################
 ## <summary>
-##	Create, read, write, and delete
+-##	Read nfs lib files.
 -##	nfs lib files.
 +##	Read NFS state data in /var/lib/nfs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -359,34 +377,54 @@ interface(`rpc_read_nfs_state_data',`
+@@ -350,8 +388,7 @@ interface(`rpc_read_nfs_state_data',`
- ##	</summary>
+ 
- ## </param>
+ ########################################
- #
+ ## <summary>
-interface(`rpc_manage_nfs_state_data',`
+-##	Create, read, write, and delete
-+interface(`rpc_read_nfs_state_data',`
+-##	nfs lib files.
- 	gen_require(`
+##	Manage NFS state data in /var/lib/nfs.
- 		type var_lib_nfs_t;
+ ## </summary>
- 	')
+ ## <param name="domain">
 ##	<summary>
@@ -366,27 +403,46 @@ interface(`rpc_manage_nfs_state_data',`
 	files_search_var_lib($1)
-	manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+ 	manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
-+	read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+	allow $1 var_lib_nfs_t:file relabel_file_perms;
 ')
 ########################################
 ## <summary>
 -##	All of the rules required to
 -##	administrate an rpc environment.
-+##	Manage NFS state data in /var/lib/nfs.
+##	Write keys for all user domains.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -85285,14 +85321,12 @@ index 0bf13c2..1d69728 100644
 ##	</summary>
 ## </param>
 +#
-+interface(`rpc_manage_nfs_state_data',`
+interface(`rpc_rw_gssd_keys',`
 +	gen_require(`
-+		type var_lib_nfs_t;
+		type gssd_t;
 +	')
 +
-+	files_search_var_lib($1)
+	allow $1 gssd_t:key { read search setattr view write };
 +	manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
 +')
 +
 +#######################################
@ -106587,7 +106621,7 @@ index facdee8..f6b8a09 100644
 +	typeattribute $1 sandbox_caps_domain;
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..a687bea 100644
+index f03dcf5..2c0de22 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,150 +1,241 @@
@ -108377,6 +108411,26 @@ index f03dcf5..a687bea 100644
 +tunable_policy(`virt_sandbox_use_sys_admin',`
 +	allow svirt_lxc_net_t self:capability sys_admin;
 +')
 +
 +tunable_policy(`virt_sandbox_use_mknod',`
 +	allow svirt_lxc_net_t self:capability mknod;
 +')
 +
 +tunable_policy(`virt_sandbox_use_all_caps',`
 +	allow svirt_lxc_net_t self:capability all_capability_perms;
 +	allow svirt_lxc_net_t self:capability2 all_capability2_perms;
 +')
 +
 +tunable_policy(`virt_sandbox_use_netlink',`
 +	allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
 +	allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
 +	allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
 +', `
 +	logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)
 +')
 +
 +allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
 +allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
 -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
 -dontaudit svirt_lxc_net_t self:capability2 block_suspend;
@ -108391,15 +108445,8 @@ index f03dcf5..a687bea 100644
 -allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
 -
 -kernel_read_network_state(svirt_lxc_net_t)
-kernel_read_irq_sysctls(svirt_lxc_net_t)
+ kernel_read_irq_sysctls(svirt_lxc_net_t)
-+tunable_policy(`virt_sandbox_use_mknod',`
+kernel_read_messages(svirt_lxc_net_t)
 +	allow svirt_lxc_net_t self:capability mknod;
 +')
 +
 +tunable_policy(`virt_sandbox_use_all_caps',`
 +	allow svirt_lxc_net_t self:capability all_capability_perms;
 +	allow svirt_lxc_net_t self:capability2 all_capability2_perms;
 +')
 -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
 -corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
@ -108411,29 +108458,19 @@ index f03dcf5..a687bea 100644
 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
 -corenet_tcp_bind_generic_node(svirt_lxc_net_t)
 -corenet_udp_bind_generic_node(svirt_lxc_net_t)
-+tunable_policy(`virt_sandbox_use_netlink',`
+-
 +	allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
 +	allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
 +	allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
 +', `
 +	logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)
 +')
 -corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
 -corenet_udp_bind_all_ports(svirt_lxc_net_t)
 -corenet_tcp_bind_all_ports(svirt_lxc_net_t)
-+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
+-
 +allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
 -corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
 -corenet_tcp_connect_all_ports(svirt_lxc_net_t)
-+kernel_read_irq_sysctls(svirt_lxc_net_t)
+-
-+kernel_read_messages(svirt_lxc_net_t)
+-dev_getattr_mtrr_dev(svirt_lxc_net_t)
- 
+-dev_read_rand(svirt_lxc_net_t)
-+dev_read_sysfs(svirt_lxc_net_t)
+ dev_read_sysfs(svirt_lxc_net_t)
- dev_getattr_mtrr_dev(svirt_lxc_net_t)
+dev_read_mtrr(svirt_lxc_net_t)
- dev_read_rand(svirt_lxc_net_t)
+dev_read_rand(svirt_lxc_net_t)
 -dev_read_sysfs(svirt_lxc_net_t)
 dev_read_urand(svirt_lxc_net_t)
 files_read_kernel_modules(svirt_lxc_net_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 106%{?dist}
+Release: 107%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -605,6 +605,19 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Thu Feb 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-107
 - Fix labels on new location of resolv.conf
 - syslog is not writing to the audit socket
 - seunshare is doing getattr on unix_stream_sockets leaked into it
 - Allow sshd_t to manage gssd keyring
 - Allow apps that create net_conf_t content to create .resolv.conf.NetworkManager
 - Posgresql listens on port 9898 when running PCP (pgpool Control Port)
 - Allow svirt sandbox domains to read /proc/mtrr
 - Allow polipo_deamon connect to all ephemeral ports. BZ(1187723)
 - Allow dovecot domains to use sys_resouce
 - Allow sshd_t to manage gssd keyring
 - gpg_pinentry_t needs more access in f22
 * Thu Jan 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-106
 - Allow docker to attach to the sandbox and user domains tun devices
 - Allow pingd to read /dev/urandom. BZ(1181831)