* Thu Sep 29 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-216

- Allow devicekit to chat with policykit via DBUS. BZ(1377113) - Add interface virt_rw_stream_sockets_svirt() BZ(1379314) - Allow xdm_t to read mount pid files. BZ(1377113) - Allow staff to rw svirt unix stream sockets. BZ(1379314) - Allow staff_t to read tmpfs files BZ(1378446)
2016-09-29 14:23:17 +02:00 · 2016-09-29 14:23:17 +02:00 · 25813e22ec
parent 4efe5ab99f
commit 25813e22ec
4 changed files with 311 additions and 273 deletions
--- a/docker-selinux.tgz
+++ b/docker-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -25403,10 +25403,10 @@ index 234a940..a92415a 100644
 ########################################
 ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 0fef1fc..008545e 100644
+index 0fef1fc..59d8b87 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,72 @@ policy_module(staff, 2.4.0)
+@@ -8,12 +8,73 @@ policy_module(staff, 2.4.0)
 role staff_r;
 userdom_unpriv_user_template(staff)
@ -25434,6 +25434,7 @@ index 0fef1fc..008545e 100644
 +
 +fs_read_hugetlbfs_files(staff_t)
 +files_dontaudit_read_all_symlinks(staff_t)
 +fs_read_tmpfs_files(staff_t)
 +
 +dev_read_cpuid(staff_t)
 +dev_read_kmsg(staff_t)
@ -25479,7 +25480,7 @@ index 0fef1fc..008545e 100644
 optional_policy(`
 	apache_role(staff_r, staff_t)
 ')
-@@ -23,11 +83,115 @@ optional_policy(`
+@@ -23,11 +84,115 @@ optional_policy(`
 ')
 optional_policy(`
@ -25596,7 +25597,7 @@ index 0fef1fc..008545e 100644
 ')
 optional_policy(`
-@@ -35,15 +199,31 @@ optional_policy(`
+@@ -35,15 +200,31 @@ optional_policy(`
 ')
 optional_policy(`
@ -25630,7 +25631,7 @@ index 0fef1fc..008545e 100644
 ')
 optional_policy(`
-@@ -52,11 +232,61 @@ optional_policy(`
+@@ -52,11 +233,61 @@ optional_policy(`
 ')
 optional_policy(`
@ -25693,7 +25694,7 @@ index 0fef1fc..008545e 100644
 ')
 ifndef(`distro_redhat',`
-@@ -65,10 +295,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +296,6 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
@ -25704,7 +25705,7 @@ index 0fef1fc..008545e 100644
 		cdrecord_role(staff_r, staff_t)
 	')
-@@ -78,10 +304,6 @@ ifndef(`distro_redhat',`
+@@ -78,10 +305,6 @@ ifndef(`distro_redhat',`
 	optional_policy(`
 		dbus_role_template(staff, staff_r, staff_t)
@ -25715,7 +25716,7 @@ index 0fef1fc..008545e 100644
 	')
 	optional_policy(`
-@@ -101,10 +323,6 @@ ifndef(`distro_redhat',`
+@@ -101,10 +324,6 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
@ -25726,7 +25727,7 @@ index 0fef1fc..008545e 100644
 		java_role(staff_r, staff_t)
 	')
-@@ -125,10 +343,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +344,6 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
@ -25737,7 +25738,7 @@ index 0fef1fc..008545e 100644
 		pyzor_role(staff_r, staff_t)
 	')
-@@ -141,10 +355,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +356,6 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
@ -25748,7 +25749,7 @@ index 0fef1fc..008545e 100644
 		spamassassin_role(staff_r, staff_t)
 	')
-@@ -176,3 +386,22 @@ ifndef(`distro_redhat',`
+@@ -176,3 +387,23 @@ ifndef(`distro_redhat',`
 		wireshark_role(staff_r, staff_t)
 	')
 ')
@ -25768,6 +25769,7 @@ index 0fef1fc..008545e 100644
 +		dev_rw_kvm(staff_t)
 +		virt_manage_images(staff_t)
 +		virt_stream_connect_svirt(staff_t)
 +		virt_rw_stream_sockets_svirt(staff_t)
 +		virt_exec(staff_t)
 +	')
 +')
@ -31789,7 +31791,7 @@ index 6bf0ecc..e6be63a 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..a1eab03 100644
+index 8b40377..010654c 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@ -32353,7 +32355,7 @@ index 8b40377..a1eab03 100644
 files_read_etc_files(xdm_t)
 files_read_var_files(xdm_t)
-@@ -431,9 +612,29 @@ files_list_mnt(xdm_t)
+@@ -431,9 +612,30 @@ files_list_mnt(xdm_t)
 files_read_usr_files(xdm_t)
 # Poweroff wants to create the /poweroff file when run from xdm
 files_create_boot_flag(xdm_t)
@ -32377,13 +32379,14 @@ index 8b40377..a1eab03 100644
 +fs_dontaudit_read_noxattr_fs_files(xdm_t)
 +fs_manage_cgroup_dirs(xdm_t)
 +fs_manage_cgroup_files(xdm_t)
 +mount_read_pid_files(xdm_t)
 +
 +mls_socket_write_to_clearance(xdm_t)
 +mls_trusted_object(xdm_t)
 storage_dontaudit_read_fixed_disk(xdm_t)
 storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,28 +643,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +644,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
 storage_dontaudit_raw_write_removable_device(xdm_t)
 storage_dontaudit_setattr_removable_dev(xdm_t)
 storage_dontaudit_rw_scsi_generic(xdm_t)
@ -32434,7 +32437,7 @@ index 8b40377..a1eab03 100644
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +691,163 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +692,163 @@ userdom_read_user_home_content_files(xdm_t)
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
@ -32604,7 +32607,7 @@ index 8b40377..a1eab03 100644
 tunable_policy(`xdm_sysadm_login',`
 	userdom_xsession_spec_domtrans_all_users(xdm_t)
 	# FIXME:
-@@ -502,12 +860,31 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,12 +861,31 @@ tunable_policy(`xdm_sysadm_login',`
 #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
 ')
@ -32636,7 +32639,7 @@ index 8b40377..a1eab03 100644
 ')
 optional_policy(`
-@@ -518,8 +895,36 @@ optional_policy(`
+@@ -518,8 +896,36 @@ optional_policy(`
 	dbus_system_bus_client(xdm_t)
 	dbus_connect_system_bus(xdm_t)
@ -32674,7 +32677,7 @@ index 8b40377..a1eab03 100644
 	')
 ')
-@@ -530,6 +935,20 @@ optional_policy(`
+@@ -530,6 +936,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -32695,7 +32698,7 @@ index 8b40377..a1eab03 100644
 	hostname_exec(xdm_t)
 ')
-@@ -547,28 +966,78 @@ optional_policy(`
+@@ -547,28 +967,78 @@ optional_policy(`
 ')
 optional_policy(`
@ -32783,7 +32786,7 @@ index 8b40377..a1eab03 100644
 ')
 optional_policy(`
-@@ -580,6 +1049,14 @@ optional_policy(`
+@@ -580,6 +1050,14 @@ optional_policy(`
 ')
 optional_policy(`
@ -32798,7 +32801,7 @@ index 8b40377..a1eab03 100644
 	xfs_stream_connect(xdm_t)
 ')
-@@ -594,7 +1071,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1072,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
 type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
 allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@ -32807,7 +32810,7 @@ index 8b40377..a1eab03 100644
 # setuid/setgid for the wrapper program to change UID
 # sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1081,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1082,11 @@ allow xserver_t input_xevent_t:x_event send;
 # execheap needed until the X module loader is fixed.
 # NVIDIA Needs execstack
@ -32820,7 +32823,7 @@ index 8b40377..a1eab03 100644
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:fd use;
 allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1098,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1099,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xserver_t self:tcp_socket create_stream_socket_perms;
 allow xserver_t self:udp_socket create_socket_perms;
@ -32836,7 +32839,7 @@ index 8b40377..a1eab03 100644
 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1114,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1115,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
 filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@ -32847,7 +32850,7 @@ index 8b40377..a1eab03 100644
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1129,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1130,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
@ -32889,7 +32892,7 @@ index 8b40377..a1eab03 100644
 corenet_all_recvfrom_netlabel(xserver_t)
 corenet_tcp_sendrecv_generic_if(xserver_t)
 corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1180,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1181,28 @@ dev_rw_apm_bios(xserver_t)
 dev_rw_agp(xserver_t)
 dev_rw_framebuffer(xserver_t)
 dev_manage_dri_dev(xserver_t)
@ -32921,7 +32924,7 @@ index 8b40377..a1eab03 100644
 # brought on by rhgb
 files_search_mnt(xserver_t)
-@@ -705,6 +1213,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1214,14 @@ fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
@ -32936,7 +32939,7 @@ index 8b40377..a1eab03 100644
 mls_xwin_read_to_clearance(xserver_t)
 selinux_validate_context(xserver_t)
-@@ -718,20 +1234,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1235,18 @@ init_getpgid(xserver_t)
 term_setattr_unallocated_ttys(xserver_t)
 term_use_unallocated_ttys(xserver_t)
@ -32960,7 +32963,7 @@ index 8b40377..a1eab03 100644
 userdom_search_user_home_dirs(xserver_t)
 userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1253,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1254,6 @@ userdom_setattr_user_ttys(xserver_t)
 userdom_read_user_tmp_files(xserver_t)
 userdom_rw_user_tmpfs_files(xserver_t)
@ -32969,7 +32972,7 @@ index 8b40377..a1eab03 100644
 ifndef(`distro_redhat',`
 	allow xserver_t self:process { execmem execheap execstack };
 	domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1297,54 @@ optional_policy(`
+@@ -785,17 +1298,54 @@ optional_policy(`
 ')
 optional_policy(`
@ -33026,7 +33029,7 @@ index 8b40377..a1eab03 100644
 ')
 optional_policy(`
-@@ -803,6 +1352,10 @@ optional_policy(`
+@@ -803,6 +1353,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -33037,7 +33040,7 @@ index 8b40377..a1eab03 100644
 	xfs_stream_connect(xserver_t)
 ')
-@@ -818,18 +1371,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1372,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
@ -33062,7 +33065,7 @@ index 8b40377..a1eab03 100644
 can_exec(xserver_t, xkb_var_lib_t)
 # VNC v4 module in X server
-@@ -842,26 +1394,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1395,21 @@ init_use_fds(xserver_t)
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -33097,7 +33100,7 @@ index 8b40377..a1eab03 100644
 ')
 optional_policy(`
-@@ -912,7 +1459,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1460,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
 allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -33106,7 +33109,7 @@ index 8b40377..a1eab03 100644
 # operations allowed on all windows
 allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -966,11 +1513,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1514,31 @@ allow x_domain self:x_resource { read write };
 # can mess with the screensaver
 allow x_domain xserver_t:x_screen { getattr saver_getattr };
@ -33138,7 +33141,7 @@ index 8b40377..a1eab03 100644
 tunable_policy(`! xserver_object_manager',`
 	# should be xserver_unconfined(x_domain),
 	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1559,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1560,148 @@ tunable_policy(`! xserver_object_manager',`
 	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
 ')
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -72864,7 +72864,7 @@ index 032a84d..be00a65 100644
 +	allow $1 policykit_auth_t:process signal;
 ')
 diff --git a/policykit.te b/policykit.te
-index ee91778..5fd133f 100644
+index ee91778..fb9b69a 100644
 --- a/policykit.te
 +++ b/policykit.te
@@ -7,9 +7,6 @@ policy_module(policykit, 1.3.0)
@ -72890,7 +72890,7 @@ index ee91778..5fd133f 100644
 type policykit_resolve_t, policykit_domain;
 type policykit_resolve_exec_t;
-@@ -42,63 +37,70 @@ files_pid_file(policykit_var_run_t)
+@@ -42,96 +37,121 @@ files_pid_file(policykit_var_run_t)
 #######################################
 #
@ -72980,7 +72980,14 @@ index ee91778..5fd133f 100644
 	optional_policy(`
 		consolekit_dbus_chat(policykit_t)
 	')
-@@ -109,29 +111,43 @@ optional_policy(`
+ 
 	optional_policy(`
 +		devicekit_dbus_chat(policykit_t)
 +	')
 +
 +	optional_policy(`
 		rpm_dbus_chat(policykit_t)
 	')
 ')
 optional_policy(`
@ -73018,11 +73025,11 @@ index ee91778..5fd133f 100644
 -allow policykit_auth_t self:process { getsched setsched signal };
 -allow policykit_auth_t self:unix_stream_socket { accept listen };
 +allow policykit_auth_t self:process { setsched getsched signal };
 +
 +allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
 +allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
 -ps_process_pattern(policykit_auth_t, policykit_domain)
 +allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
 +allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
 +
 +policykit_dbus_chat(policykit_auth_t)
 +
 +kernel_read_system_state(policykit_auth_t)
@ -73032,7 +73039,7 @@ index ee91778..5fd133f 100644
 rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
-@@ -145,65 +161,80 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+@@ -145,65 +165,80 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
 manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
 files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
@ -73125,7 +73132,7 @@ index ee91778..5fd133f 100644
 rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
-@@ -211,23 +242,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
+@@ -211,23 +246,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
 manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
@ -73152,7 +73159,7 @@ index ee91778..5fd133f 100644
 	optional_policy(`
 		consolekit_dbus_chat(policykit_grant_t)
 	')
-@@ -235,26 +263,28 @@ optional_policy(`
+@@ -235,26 +267,28 @@ optional_policy(`
 ########################################
 #
@ -73187,7 +73194,7 @@ index ee91778..5fd133f 100644
 userdom_read_all_users_state(policykit_resolve_t)
 optional_policy(`
-@@ -266,6 +296,6 @@ optional_policy(`
+@@ -266,6 +300,6 @@ optional_policy(`
 ')
 optional_policy(`
@ -111896,10 +111903,10 @@ index a4f20bc..d8b1fd1 100644
 +/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index facdee8..12e74f1 100644
+index facdee8..58c4c51 100644
 --- a/virt.if
 +++ b/virt.if
-@@ -1,318 +1,231 @@
+@@ -1,120 +1,104 @@
 -## <summary>Libvirt virtualization API.</summary>
 +## <summary>Libvirt virtualization API</summary>
@ -111949,8 +111956,10 @@ index facdee8..12e74f1 100644
 -
 -	optional_policy(`
 -		pulseaudio_tmpfs_content($1_tmpfs_t)
-	')
+		type virtd_lxc_t;
-
+ 	')
 +')
 -	type $1_image_t, virt_image_type;
 -	files_type($1_image_t)
 -	dev_node($1_image_t)
@ -111985,11 +111994,37 @@ index facdee8..12e74f1 100644
 -
 -	optional_policy(`
 -		pulseaudio_run($1_t, virt_domain_roles)
-	')
+########################################
-
+## <summary>
 +##	svirt_sandbox_domain attribute stub interface.  No access allowed.
 +## </summary>
 +## <param name="domain" unused="true">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`virt_stub_svirt_sandbox_domain',`
 +	gen_require(`
 +		attribute svirt_sandbox_domain;
 	')
 +')
 -	optional_policy(`
 -		xserver_rw_shm($1_t)
-+		type virtd_lxc_t;
+########################################
 +## <summary>
 +##	svirt_sandbox_file_t stub interface.  No access allowed.
 +## </summary>
 +## <param name="domain" unused="true">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`virt_stub_svirt_sandbox_file',`
 +	gen_require(`
 +		type svirt_sandbox_file_t;
 	')
 ')
@ -111997,75 +112032,22 @@ index facdee8..12e74f1 100644
 +########################################
 ## <summary>
 -##	The template to define a virt lxc domain.
 +##	svirt_sandbox_domain attribute stub interface.  No access allowed.
 ## </summary>
 -## <param name="domain_prefix">
 +## <param name="domain" unused="true">
 ##	<summary>
 -##	Domain prefix to be used.
 +##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 -template(`virt_lxc_domain_template',`
 +interface(`virt_stub_svirt_sandbox_domain',`
 	gen_require(`
 -		attribute_role svirt_lxc_domain_roles;
 -		attribute svirt_lxc_domain;
 +		attribute svirt_sandbox_domain;
 	')
 -
 -	type $1_t, svirt_lxc_domain;
 -	domain_type($1_t)
 -	domain_user_exemption_target($1_t)
 -	mls_rangetrans_target($1_t)
 -	mcs_constrained($1_t)
 -	role svirt_lxc_domain_roles types $1_t;
 ')
 ########################################
 ## <summary>
 -##	Make the specified type virt image type.
 +##	svirt_sandbox_file_t stub interface.  No access allowed.
 ## </summary>
 -## <param name="type">
 +## <param name="domain" unused="true">
 ##	<summary>
 -##	Type to be used as a virtual image.
 +##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 -interface(`virt_image',`
 +interface(`virt_stub_svirt_sandbox_file',`
 	gen_require(`
 -		attribute virt_image_type;
 +		type svirt_sandbox_file_t;
 	')
 -
 -	typeattribute $1 virt_image_type;
 -	files_type($1)
 -	dev_node($1)
 ')
 ########################################
 ## <summary>
 -##	Execute a domain transition to run virtd.
 +##	Creates types and rules for a basic
 +##	qemu process domain.
 ## </summary>
-## <param name="domain">
+-## <param name="domain_prefix">
 +## <param name="prefix">
 ##	<summary>
-##	Domain allowed to transition.
+-##	Domain prefix to be used.
 +##	Prefix for the domain.
 ##	</summary>
 ## </param>
 #
-interface(`virt_domtrans',`
+-template(`virt_lxc_domain_template',`
 +template(`virt_domain_template',`
 	gen_require(`
-		type virtd_t, virtd_exec_t;
+-		attribute_role svirt_lxc_domain_roles;
 -		attribute svirt_lxc_domain;
 +		attribute virt_image_type, virt_domain;
 +		attribute virt_tmpfs_type;
 +		attribute virt_ptynode;
@ -112073,13 +112055,14 @@ index facdee8..12e74f1 100644
 +		type virtlogd_t;
 	')
-	corecmd_search_bin($1)
+-	type $1_t, svirt_lxc_domain;
-	domtrans_pattern($1, virtd_exec_t, virtd_t)
+-	domain_type($1_t)
 +	type $1_t, virt_domain;
 +	application_domain($1_t, qemu_exec_t)
-+	domain_user_exemption_target($1_t)
+ 	domain_user_exemption_target($1_t)
-+	mls_rangetrans_target($1_t)
+ 	mls_rangetrans_target($1_t)
-+	mcs_constrained($1_t)
+ 	mcs_constrained($1_t)
 -	role svirt_lxc_domain_roles types $1_t;
 +	role system_r types $1_t;
 +
 +	type $1_devpts_t, virt_ptynode;
@ -112101,38 +112084,29 @@ index facdee8..12e74f1 100644
 ########################################
 ## <summary>
-##	Execute a domain transition to run virt qmf.
+-##	Make the specified type virt image type.
 +##	Make the specified type usable as a virt image
 ## </summary>
-## <param name="domain">
+ ## <param name="type">
 +## <param name="type">
 ##	<summary>
-##	Domain allowed to transition.
+-##	Type to be used as a virtual image.
 +##	Type to be used as a virtual image
 ##	</summary>
 ## </param>
 #
-interface(`virt_domtrans_qmf',`
+@@ -125,31 +109,32 @@ interface(`virt_image',`
 +interface(`virt_image',`
 	gen_require(`
 -		type virt_qmf_t, virt_qmf_exec_t;
 +		attribute virt_image_type;
 	')
-	corecmd_search_bin($1)
+ 	typeattribute $1 virt_image_type;
-	domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
+ 	files_type($1)
 +	typeattribute $1 virt_image_type;
 +	files_type($1)
 +
 +	# virt images can be assigned to blk devices
-+	dev_node($1)
+ 	dev_node($1)
 ')
 -########################################
 +#######################################
 ## <summary>
-##	Execute a domain transition to
+-##	Execute a domain transition to run virtd.
 -##	run virt bridgehelper.
 +##  Getattr on virt executable.
 ## </summary>
 ## <param name="domain">
@ -112144,9 +112118,9 @@ index facdee8..12e74f1 100644
 +##  </summary>
 ## </param>
 #
-interface(`virt_domtrans_bridgehelper',`
+-interface(`virt_domtrans',`
 -	gen_require(`
-		type virt_bridgehelper_t, virt_bridgehelper_exec_t;
+-		type virtd_t, virtd_exec_t;
 -	')
 +interface(`virt_getattr_exec',`
 +    gen_require(`
@ -112154,38 +112128,89 @@ index facdee8..12e74f1 100644
 +    ')
 -	corecmd_search_bin($1)
-	domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)
+-	domtrans_pattern($1, virtd_exec_t, virtd_t)
 +	allow $1 virtd_exec_t:file getattr;
 ')
 ########################################
 ## <summary>
 -##	Execute a domain transition to run virt qmf.
 +##	Execute a domain transition to run virt.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -157,95 +142,71 @@ interface(`virt_domtrans',`
 ##	</summary>
 ## </param>
 #
 -interface(`virt_domtrans_qmf',`
 +interface(`virt_domtrans',`
 	gen_require(`
 -		type virt_qmf_t, virt_qmf_exec_t;
 +		type virtd_t, virtd_exec_t;
 	')
 -	corecmd_search_bin($1)
 -	domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
 +	domtrans_pattern($1, virtd_exec_t, virtd_t)
 ')
 ########################################
 ## <summary>
 -##	Execute a domain transition to
 -##	run virt bridgehelper.
 +##	Execute virtd in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 -##	Domain allowed to transition.
 +##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 -interface(`virt_domtrans_bridgehelper',`
 +interface(`virt_exec',`
 	gen_require(`
 -		type virt_bridgehelper_t, virt_bridgehelper_exec_t;
 +		type virtd_exec_t;
 	')
 -	corecmd_search_bin($1)
 -	domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)
 +	can_exec($1, virtd_exec_t)
 ')
 ########################################
 ## <summary>
 -##	Execute bridgehelper in the bridgehelper
 -##	domain, and allow the specified role
 -##	the bridgehelper domain.
-+##	Execute a domain transition to run virt.
+##	Transition to virt_qmf.
 ## </summary>
 ## <param name="domain">
- ##	<summary>
+-##	<summary>
 +## <summary>
 ##	Domain allowed to transition.
- ##	</summary>
+-##	</summary>
- ## </param>
+-## </param>
 -## <param name="role">
 -##	<summary>
 -##	Role allowed access.
 -##	</summary>
-## </param>
+## </summary>
 ## </param>
 #
 -interface(`virt_run_bridgehelper',`
-+interface(`virt_domtrans',`
+interface(`virt_domtrans_qmf',`
 	gen_require(`
 -		attribute_role virt_bridgehelper_roles;
-+		type virtd_t, virtd_exec_t;
+		type virt_qmf_t, virt_qmf_exec_t;
 	')
 -	virt_domtrans_bridgehelper($1)
 -	roleattribute $2 virt_bridgehelper_roles;
-+	domtrans_pattern($1, virtd_exec_t, virtd_t)
+	corecmd_search_bin($1)
 +	domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
 ')
 ########################################
@ -112193,26 +112218,28 @@ index facdee8..12e74f1 100644
 -##	Execute virt domain in the their
 -##	domain, and allow the specified
 -##	role that virt domain.
-+##	Execute virtd in the caller domain.
+##  Transition to virt_bridgehelper.
 ## </summary>
 ## <param name="domain">
- ##	<summary>
+-##	<summary>
 -##	Domain allowed to transition.
 -##	</summary>
 -## </param>
 -## <param name="role">
 -##	<summary>
 -##	Role allowed access.
-+##	Domain allowed access.
+-##	</summary>
- ##	</summary>
+## <summary>
 +##  Domain allowed to transition.
 +## </summary>
 ## </param>
- #
+-#
 -interface(`virt_run_virt_domain',`
-+interface(`virt_exec',`
+interface(`virt_domtrans_bridgehelper',`
 	gen_require(`
 -		attribute virt_domain;
 -		attribute_role virt_domain_roles;
-+		type virtd_exec_t;
+		type virt_bridgehelper_t, virt_bridgehelper_exec_t;
 	')
 -	allow $1 virt_domain:process { signal transition };
@ -112221,67 +112248,63 @@ index facdee8..12e74f1 100644
 -	allow virt_domain $1:fd use;
 -	allow virt_domain $1:fifo_file rw_fifo_file_perms;
 -	allow virt_domain $1:process sigchld;
 +	can_exec($1, virtd_exec_t)
 ')
 ########################################
 ## <summary>
 -##	Send generic signals to all virt domains.
 +##	Transition to virt_qmf.
 ## </summary>
 ## <param name="domain">
 -##	<summary>
 -##	Domain allowed access.
 -##	</summary>
 +## <summary>
 +##	Domain allowed to transition.
 +## </summary>
 ## </param>
 #
 -interface(`virt_signal_all_virt_domains',`
 +interface(`virt_domtrans_qmf',`
 	gen_require(`
 -		attribute virt_domain;
 +		type virt_qmf_t, virt_qmf_exec_t;
 	')
 -	allow $1 virt_domain:process signal;
 +	corecmd_search_bin($1)
 +	domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
 ')
 ########################################
 ## <summary>
 -##	Send kill signals to all virt domains.
 +##  Transition to virt_bridgehelper.
 ## </summary>
 ## <param name="domain">
 -##	<summary>
 -##	Domain allowed access.
 -##	</summary>
 +## <summary>
 +##  Domain allowed to transition.
 +## </summary>
 ## </param>
 -#
 -interface(`virt_kill_all_virt_domains',`
 +interface(`virt_domtrans_bridgehelper',`
 	gen_require(`
 -		attribute virt_domain;
 +		type virt_bridgehelper_t, virt_bridgehelper_exec_t;
 	')
 -	allow $1 virt_domain:process sigkill;
 +	domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)
 ')
 -########################################
 +#######################################
 ## <summary>
 -##	Send generic signals to all virt domains.
 +##	Connect to virt over a unix domain stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -253,17 +214,18 @@ interface(`virt_run_virt_domain',`
 ##	</summary>
 ## </param>
 #
 -interface(`virt_signal_all_virt_domains',`
 +interface(`virt_stream_connect',`
 	gen_require(`
 -		attribute virt_domain;
 +		type virtd_t, virt_var_run_t;
 	')
 -	allow $1 virt_domain:process signal;
 +	files_search_pids($1)
 +	stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
 ')
 -########################################
 +#######################################
 ## <summary>
 -##	Send kill signals to all virt domains.
 +##	Connect to svirt process over a unix domain stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -271,48 +233,36 @@ interface(`virt_signal_all_virt_domains',`
 ##	</summary>
 ## </param>
 #
 -interface(`virt_kill_all_virt_domains',`
 +interface(`virt_stream_connect_svirt',`
 	gen_require(`
 -		attribute virt_domain;
 +		type svirt_t;
 	')
 -	allow $1 virt_domain:process sigkill;
 +    allow $1 svirt_t:unix_stream_socket connectto;
 ')
 ########################################
 ## <summary>
 -##	Execute svirt lxc domains in their
 -##	domain, and allow the specified
 -##	role that svirt lxc domain.
-+##	Connect to virt over a unix domain stream socket.
+##	Read and write to apmd unix
 +##	stream sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -112296,11 +112319,11 @@ index facdee8..12e74f1 100644
 ## </param>
 #
 -interface(`virt_run_svirt_lxc_domain',`
-+interface(`virt_stream_connect',`
+interface(`virt_rw_stream_sockets_svirt',`
 	gen_require(`
 -		attribute svirt_lxc_domain;
 -		attribute_role svirt_lxc_domain_roles;
-+		type virtd_t, virt_var_run_t;
+		type svirt_t;
 	')
 -	allow $1 svirt_lxc_domain:process { signal transition };
@ -112309,30 +112332,31 @@ index facdee8..12e74f1 100644
 -	allow svirt_lxc_domain $1:fd use;
 -	allow svirt_lxc_domain $1:fifo_file rw_fifo_file_perms;
 -	allow svirt_lxc_domain $1:process sigchld;
-+	files_search_pids($1)
+	allow $1 svirt_t:unix_stream_socket { read write };
 +	stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
 ')
- #######################################
+-#######################################
 +########################################
 ## <summary>
 -##	Get attributes of virtd executable files.
-+##	Connect to svirt process over a unix domain stream socket.
+##	Allow domain to attach to virt TUN devices
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -320,18 +233,17 @@ interface(`virt_run_svirt_lxc_domain',`
+@@ -320,18 +270,18 @@ interface(`virt_run_svirt_lxc_domain',`
 ##	</summary>
 ## </param>
 #
 -interface(`virt_getattr_virtd_exec_files',`
-+interface(`virt_stream_connect_svirt',`
+interface(`virt_attach_tun_iface',`
 	gen_require(`
 -		type virtd_exec_t;
-+		type svirt_t;
+		type virtd_t;
 	')
 -	allow $1 virtd_exec_t:file getattr_file_perms;
-+    allow $1 svirt_t:unix_stream_socket connectto;
+	allow $1 virtd_t:tun_socket relabelfrom;
 +	allow $1 self:tun_socket relabelto;
 ')
 -#######################################
@ -112340,112 +112364,116 @@ index facdee8..12e74f1 100644
 ## <summary>
 -##	Connect to virt with a unix
 -##	domain stream socket.
-+##	Allow domain to attach to virt TUN devices
+##	Allow domain to attach to virt sandbox TUN devices
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -339,18 +251,18 @@ interface(`virt_getattr_virtd_exec_files',`
+@@ -339,18 +289,18 @@ interface(`virt_getattr_virtd_exec_files',`
 ##	</summary>
 ## </param>
 #
 -interface(`virt_stream_connect',`
-+interface(`virt_attach_tun_iface',`
+interface(`virt_attach_sandbox_tun_iface',`
 	gen_require(`
 -		type virtd_t, virt_var_run_t;
-+		type virtd_t;
+		attribute svirt_sandbox_domain;
 	')
 -	files_search_pids($1)
 -	stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
-+	allow $1 virtd_t:tun_socket relabelfrom;
+	allow $1 svirt_sandbox_domain:tun_socket relabelfrom;
 +	allow $1 self:tun_socket relabelto;
 ')
 ########################################
 ## <summary>
 -##	Attach to virt tun devices.
-+##	Allow domain to attach to virt sandbox TUN devices
+##	Read virt config files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -358,18 +270,18 @@ interface(`virt_stream_connect',`
+@@ -358,18 +308,20 @@ interface(`virt_stream_connect',`
 ##	</summary>
 ## </param>
 #
 -interface(`virt_attach_tun_iface',`
-+interface(`virt_attach_sandbox_tun_iface',`
+interface(`virt_read_config',`
 	gen_require(`
 -		type virtd_t;
-+		attribute svirt_sandbox_domain;
+		type virt_etc_t, virt_etc_rw_t;
 	')
 -	allow $1 virtd_t:tun_socket relabelfrom;
-+	allow $1 svirt_sandbox_domain:tun_socket relabelfrom;
+-	allow $1 self:tun_socket relabelto;
- 	allow $1 self:tun_socket relabelto;
+	files_search_etc($1)
 +	read_files_pattern($1, virt_etc_t, virt_etc_t)
 +	read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
 +	read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
 ')
 ########################################
 ## <summary>
 -##	Read virt configuration content.
-+##	Read virt config files.
+##	manage virt config files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -383,7 +295,6 @@ interface(`virt_read_config',`
+@@ -377,22 +329,20 @@ interface(`virt_attach_tun_iface',`
 ##	</summary>
 ## </param>
 #
 -interface(`virt_read_config',`
 +interface(`virt_manage_config',`
 	gen_require(`
 		type virt_etc_t, virt_etc_rw_t;
 	')
 	files_search_etc($1)
 -	allow $1 { virt_etc_t virt_etc_rw_t }:dir list_dir_perms;
- 	read_files_pattern($1, virt_etc_t, virt_etc_t)
+-	read_files_pattern($1, virt_etc_t, virt_etc_t)
- 	read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+-	read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
- 	read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+-	read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
-@@ -391,8 +302,7 @@ interface(`virt_read_config',`
+	manage_files_pattern($1, virt_etc_t, virt_etc_t)
 +	manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
 +	manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
 ')
 ########################################
 ## <summary>
 -##	Create, read, write, and delete
 -##	virt configuration content.
-+##	manage virt config files.
+##	Allow domain to manage virt image files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -406,7 +316,6 @@ interface(`virt_manage_config',`
+@@ -400,22 +350,17 @@ interface(`virt_read_config',`
 ##	</summary>
 ## </param>
 #
 -interface(`virt_manage_config',`
 +interface(`virt_getattr_content',`
 	gen_require(`
 -		type virt_etc_t, virt_etc_rw_t;
 +		type virt_content_t;
 	')
- 	files_search_etc($1)
+-	files_search_etc($1)
 -	allow $1 { virt_etc_t virt_etc_rw_t }:dir manage_dir_perms;
- 	manage_files_pattern($1, virt_etc_t, virt_etc_t)
+-	manage_files_pattern($1, virt_etc_t, virt_etc_t)
- 	manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+-	manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
- 	manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+-	manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
-@@ -414,8 +323,25 @@ interface(`virt_manage_config',`
+    allow $1 virt_content_t:file getattr_file_perms;
 ')
 ########################################
 ## <summary>
 -##	Create, read, write, and delete
 -##	virt image files.
 +##	Allow domain to manage virt image files
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`virt_getattr_content',`
 +	gen_require(`
 +		type virt_content_t;
 +	')
 +
 +    allow $1 virt_content_t:file getattr_file_perms;
 +')
 +
 +########################################
 +## <summary>
 +##	Allow domain to manage virt image files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -434,6 +360,7 @@ interface(`virt_read_content',`
+@@ -434,6 +379,7 @@ interface(`virt_read_content',`
 	read_files_pattern($1, virt_content_t, virt_content_t)
 	read_lnk_files_pattern($1, virt_content_t, virt_content_t)
 	read_blk_files_pattern($1, virt_content_t, virt_content_t)
@ -112453,7 +112481,7 @@ index facdee8..12e74f1 100644
 	tunable_policy(`virt_use_nfs',`
 		fs_list_nfs($1)
-@@ -450,8 +377,7 @@ interface(`virt_read_content',`
+@@ -450,8 +396,7 @@ interface(`virt_read_content',`
 ########################################
 ## <summary>
@ -112463,7 +112491,7 @@ index facdee8..12e74f1 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -459,35 +385,17 @@ interface(`virt_read_content',`
+@@ -459,35 +404,17 @@ interface(`virt_read_content',`
 ##	</summary>
 ## </param>
 #
@ -112502,7 +112530,7 @@ index facdee8..12e74f1 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -495,53 +403,38 @@ interface(`virt_manage_virt_content',`
+@@ -495,53 +422,38 @@ interface(`virt_manage_virt_content',`
 ##	</summary>
 ## </param>
 #
@ -112567,7 +112595,7 @@ index facdee8..12e74f1 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -549,34 +442,21 @@ interface(`virt_home_filetrans_virt_content',`
+@@ -549,34 +461,21 @@ interface(`virt_home_filetrans_virt_content',`
 ##	</summary>
 ## </param>
 #
@ -112610,7 +112638,7 @@ index facdee8..12e74f1 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -584,32 +464,36 @@ interface(`virt_manage_svirt_home_content',`
+@@ -584,32 +483,36 @@ interface(`virt_manage_svirt_home_content',`
 ##	</summary>
 ## </param>
 #
@ -112659,7 +112687,7 @@ index facdee8..12e74f1 100644
 ##	</summary>
 ## </param>
 ## <param name="name" optional="true">
-@@ -618,54 +502,36 @@ interface(`virt_relabel_svirt_home_content',`
+@@ -618,54 +521,36 @@ interface(`virt_relabel_svirt_home_content',`
 ##	</summary>
 ## </param>
 #
@ -112723,7 +112751,7 @@ index facdee8..12e74f1 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -673,107 +539,607 @@ interface(`virt_home_filetrans',`
+@@ -673,107 +558,607 @@ interface(`virt_home_filetrans',`
 ##	</summary>
 ## </param>
 #
@ -113376,7 +113404,7 @@ index facdee8..12e74f1 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -781,19 +1147,17 @@ interface(`virt_home_filetrans_virt_home',`
+@@ -781,19 +1166,17 @@ interface(`virt_home_filetrans_virt_home',`
 ##	</summary>
 ## </param>
 #
@ -113400,7 +113428,7 @@ index facdee8..12e74f1 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -801,18 +1165,17 @@ interface(`virt_read_pid_files',`
+@@ -801,18 +1184,17 @@ interface(`virt_read_pid_files',`
 ##	</summary>
 ## </param>
 #
@ -113423,7 +113451,7 @@ index facdee8..12e74f1 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -820,18 +1183,17 @@ interface(`virt_manage_pid_files',`
+@@ -820,18 +1202,17 @@ interface(`virt_manage_pid_files',`
 ##	</summary>
 ## </param>
 #
@ -113446,7 +113474,7 @@ index facdee8..12e74f1 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -839,192 +1201,243 @@ interface(`virt_search_lib',`
+@@ -839,192 +1220,243 @@ interface(`virt_search_lib',`
 ##	</summary>
 ## </param>
 #
@ -113770,7 +113798,7 @@ index facdee8..12e74f1 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1032,20 +1445,17 @@ interface(`virt_read_images',`
+@@ -1032,20 +1464,17 @@ interface(`virt_read_images',`
 ##	</summary>
 ## </param>
 #
@ -113795,7 +113823,7 @@ index facdee8..12e74f1 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1053,15 +1463,17 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,15 +1482,17 @@ interface(`virt_rw_all_image_chr_files',`
 ##	</summary>
 ## </param>
 #
@ -113818,7 +113846,7 @@ index facdee8..12e74f1 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1069,21 +1481,17 @@ interface(`virt_manage_svirt_cache',`
+@@ -1069,21 +1500,17 @@ interface(`virt_manage_svirt_cache',`
 ##	</summary>
 ## </param>
 #
@ -113844,7 +113872,7 @@ index facdee8..12e74f1 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1091,36 +1499,18 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1518,18 @@ interface(`virt_manage_virt_cache',`
 ##	</summary>
 ## </param>
 #
@ -113886,7 +113914,7 @@ index facdee8..12e74f1 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1136,50 +1526,76 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1545,76 @@ interface(`virt_manage_images',`
 #
 interface(`virt_admin',`
 	gen_require(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 215%{?dist}
+Release: 216%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -675,6 +675,13 @@ exit 0
 %endif
 %changelog
 * Thu Sep 29 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-216
 - Allow devicekit to chat with policykit via DBUS. BZ(1377113)
 - Add interface virt_rw_stream_sockets_svirt() BZ(1379314)
 - Allow xdm_t to read mount pid files. BZ(1377113)
 - Allow staff to rw svirt unix stream sockets. BZ(1379314)
 - Allow staff_t to read tmpfs files BZ(1378446)
 * Fri Sep 23 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-215
 - Make tor_var_run_t as mountpoint. BZ(1368621)
 - Fix typo in ftpd SELinux module.