* Wed Nov 02 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-222

- Allow abrt_dump_oops_t to drop capabilities. bz(1391040) - Add named_t domain net_raw capability bz(1389240) - Allow geoclue to read system info. bz(1389320) - Make openfortivpn_t as init_deamon_domain. bz(1159899) - Allow nfsd domain to create nfsd_unit_file_t files. bz(1382487) - Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib - Add interace lldpad_relabel_tmpfs - Merge pull request #155 from rhatdan/sandbox_nfs - Add pscsd_t wake_alarm capability2 - Allow sandbox domains to mount fuse file systems - Add boolean to allow sandbox domains to mount nfs - Allow hypervvssd_t to read all dirs. - Allow isnsd_t to connect to isns_port_t - Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib - Allow GlusterFS with RDMA transport to be started correctly. It requires ipc_lock capability together with rw permission on rdma_cm device. - Make tor_var_lib_t and tor_var_log_t as mountpoints. - Allow systemd-rfkill to write to /proc/kmsg bz(1388669) - Allow init_t to relabel /dev/shm/lldpad.state - Merge pull request #168 from rhatdan/docker - Label tcp 51954 as isns_port_t - Lots of new domains like OCID and RKT are user container processes
2016-11-02 18:02:58 +01:00 · 2016-11-02 18:02:58 +01:00 · 2bb5c83b3d
commit 2bb5c83b3d
parent cb85251274
4 changed files with 189 additions and 113 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -5946,7 +5946,7 @@ index 8e0f9cd..b9f45b9 100644
 
 define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..25a5cfe 100644
+index b191055..9729941 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@ -6134,7 +6134,8 @@ index b191055..25a5cfe 100644
 +network_port(ircd, tcp,6667,s0, tcp,6697,s0)
 network_port(isakmp, udp,500,s0)
 network_port(iscsi, tcp,3260,s0)
- network_port(isns, tcp,3205,s0, udp,3205,s0)
+-network_port(isns, tcp,3205,s0, udp,3205,s0)
+network_port(isns, tcp,3205,s0, udp,3205,s0, tcp,51954,s0)
 network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
 -network_port(jabber_interserver, tcp,5269,s0)
 -network_port(jboss_iiop, tcp,3528,s0, udp,3528,s0)
@ -37458,7 +37459,7 @@ index 79a45f6..d092e6e 100644
 +    allow $1 init_var_lib_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..e33db3f 100644
+index 17eda24..e59e001 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -37768,7 +37769,7 @@ index 17eda24..e33db3f 100644
 
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
-@@ -186,29 +337,271 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +337,275 @@ ifdef(`distro_gentoo',`
 ')
 
 ifdef(`distro_redhat',`
@ -38011,10 +38012,14 @@ index 17eda24..e33db3f 100644
 
 optional_policy(`
 -	auth_rw_login_records(init_t)
-+	consolekit_manage_log(init_t)
+    lldpad_relabel_tmpfs(init_t)
 ')
 
 optional_policy(`
+	consolekit_manage_log(init_t)
+')
+
+optional_policy(`
 +	dbus_connect_system_bus(init_t)
 	dbus_system_bus_client(init_t)
 +	dbus_delete_pid_files(init_t)
@ -38049,7 +38054,7 @@ index 17eda24..e33db3f 100644
 ')
 
 optional_policy(`
-@@ -216,7 +609,30 @@ optional_policy(`
+@@ -216,7 +613,30 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38081,7 +38086,7 @@ index 17eda24..e33db3f 100644
 ')
 
 ########################################
-@@ -225,9 +641,9 @@ optional_policy(`
+@@ -225,9 +645,9 @@ optional_policy(`
 #
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -38093,7 +38098,7 @@ index 17eda24..e33db3f 100644
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
 
-@@ -258,12 +674,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +678,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -38110,7 +38115,7 @@ index 17eda24..e33db3f 100644
 
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +699,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +703,36 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -38153,7 +38158,7 @@ index 17eda24..e33db3f 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +736,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +740,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -38165,7 +38170,7 @@ index 17eda24..e33db3f 100644
 dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
-@@ -313,8 +748,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +752,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -38176,7 +38181,7 @@ index 17eda24..e33db3f 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -322,8 +759,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +763,7 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -38186,7 +38191,7 @@ index 17eda24..e33db3f 100644
 
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
-@@ -332,7 +768,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +772,6 @@ domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -38194,7 +38199,7 @@ index 17eda24..e33db3f 100644
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -340,6 +775,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +779,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -38202,7 +38207,7 @@ index 17eda24..e33db3f 100644
 
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -347,14 +783,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +787,15 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -38220,7 +38225,7 @@ index 17eda24..e33db3f 100644
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
-@@ -364,8 +801,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +805,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -38234,7 +38239,7 @@ index 17eda24..e33db3f 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -375,10 +816,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +820,11 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -38248,7 +38253,7 @@ index 17eda24..e33db3f 100644
 mcs_process_set_categories(initrc_t)
 
 mls_file_read_all_levels(initrc_t)
-@@ -387,8 +829,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +833,10 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -38259,7 +38264,7 @@ index 17eda24..e33db3f 100644
 
 storage_getattr_fixed_disk_dev(initrc_t)
 storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +842,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +846,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 
 auth_rw_login_records(initrc_t)
@ -38267,7 +38272,7 @@ index 17eda24..e33db3f 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -416,20 +861,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +865,18 @@ logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
 
@ -38291,7 +38296,7 @@ index 17eda24..e33db3f 100644
 
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +894,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +898,6 @@ ifdef(`distro_gentoo',`
 	allow initrc_t self:process setfscreate;
 	dev_create_null_dev(initrc_t)
 	dev_create_zero_dev(initrc_t)
@ -38299,7 +38304,7 @@ index 17eda24..e33db3f 100644
 	term_create_console_dev(initrc_t)
 
 	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +928,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +932,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 
 	optional_policy(`
@ -38310,7 +38315,7 @@ index 17eda24..e33db3f 100644
 		alsa_read_lib(initrc_t)
 	')
 
-@@ -506,7 +952,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +956,7 @@ ifdef(`distro_redhat',`
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -38319,7 +38324,7 @@ index 17eda24..e33db3f 100644
 	files_dontaudit_read_root_files(initrc_t)
 
 	# These seem to be from the initrd
-@@ -521,6 +967,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +971,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -38327,7 +38332,7 @@ index 17eda24..e33db3f 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +988,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +992,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
@ -38335,7 +38340,7 @@ index 17eda24..e33db3f 100644
 
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +998,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +1002,44 @@ ifdef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -38380,7 +38385,7 @@ index 17eda24..e33db3f 100644
 	')
 
 	optional_policy(`
-@@ -559,14 +1043,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1047,31 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -38412,7 +38417,7 @@ index 17eda24..e33db3f 100644
 	')
 ')
 
-@@ -577,6 +1078,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1082,39 @@ ifdef(`distro_suse',`
 	')
 ')
 
@ -38452,7 +38457,7 @@ index 17eda24..e33db3f 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1123,8 @@ optional_policy(`
+@@ -589,6 +1127,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -38461,7 +38466,7 @@ index 17eda24..e33db3f 100644
 ')
 
 optional_policy(`
-@@ -610,6 +1146,7 @@ optional_policy(`
+@@ -610,6 +1150,7 @@ optional_policy(`
 
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -38469,7 +38474,7 @@ index 17eda24..e33db3f 100644
 ')
 
 optional_policy(`
-@@ -626,6 +1163,17 @@ optional_policy(`
+@@ -626,6 +1167,17 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38487,7 +38492,7 @@ index 17eda24..e33db3f 100644
 	dev_getattr_printer_dev(initrc_t)
 
 	cups_read_log(initrc_t)
-@@ -642,9 +1190,13 @@ optional_policy(`
+@@ -642,9 +1194,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -38501,7 +38506,7 @@ index 17eda24..e33db3f 100644
 	')
 
 	optional_policy(`
-@@ -657,15 +1209,11 @@ optional_policy(`
+@@ -657,15 +1213,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38519,7 +38524,7 @@ index 17eda24..e33db3f 100644
 ')
 
 optional_policy(`
-@@ -686,6 +1234,15 @@ optional_policy(`
+@@ -686,6 +1238,15 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38535,7 +38540,7 @@ index 17eda24..e33db3f 100644
 	inn_exec_config(initrc_t)
 ')
 
-@@ -726,6 +1283,7 @@ optional_policy(`
+@@ -726,6 +1287,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 
 	lpd_read_config(initrc_t)
@ -38543,7 +38548,7 @@ index 17eda24..e33db3f 100644
 ')
 
 optional_policy(`
-@@ -743,7 +1301,13 @@ optional_policy(`
+@@ -743,7 +1305,13 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38558,7 +38563,7 @@ index 17eda24..e33db3f 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
 
-@@ -766,6 +1330,10 @@ optional_policy(`
+@@ -766,6 +1334,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38569,7 +38574,7 @@ index 17eda24..e33db3f 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -775,10 +1343,20 @@ optional_policy(`
+@@ -775,10 +1347,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38590,7 +38595,7 @@ index 17eda24..e33db3f 100644
 	quota_manage_flags(initrc_t)
 ')
 
-@@ -787,6 +1365,10 @@ optional_policy(`
+@@ -787,6 +1369,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38601,7 +38606,7 @@ index 17eda24..e33db3f 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
 
-@@ -808,8 +1390,6 @@ optional_policy(`
+@@ -808,8 +1394,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
 
@ -38610,7 +38615,7 @@ index 17eda24..e33db3f 100644
 ')
 
 optional_policy(`
-@@ -818,6 +1398,10 @@ optional_policy(`
+@@ -818,6 +1402,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38621,7 +38626,7 @@ index 17eda24..e33db3f 100644
 	# shorewall-init script run /var/lib/shorewall/firewall
 	shorewall_lib_domtrans(initrc_t)
 ')
-@@ -827,10 +1411,12 @@ optional_policy(`
+@@ -827,10 +1415,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
 
@ -38634,7 +38639,7 @@ index 17eda24..e33db3f 100644
 
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1443,62 @@ optional_policy(`
+@@ -857,21 +1447,62 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38698,7 +38703,7 @@ index 17eda24..e33db3f 100644
 ')
 
 optional_policy(`
-@@ -887,6 +1514,10 @@ optional_policy(`
+@@ -887,6 +1518,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38709,7 +38714,7 @@ index 17eda24..e33db3f 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
 
-@@ -897,3 +1528,218 @@ optional_policy(`
+@@ -897,3 +1532,218 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -49137,10 +49142,10 @@ index 0000000..86e3d01
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..eff9e73
+index 0000000..2800431
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,972 @@
+@@ -0,0 +1,973 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -49868,6 +49873,7 @@ index 0000000..eff9e73
 +
 +dev_read_sysfs(systemd_rfkill_t)
 +dev_rw_wireless(systemd_rfkill_t)
+dev_write_kmsg(systemd_rfkill_t)
 +
 +init_search_var_lib_dirs(systemd_rfkill_t)
 +
@ -51261,10 +51267,10 @@ index 5ca20a9..5454d16 100644
 +	allow $1 unconfined_service_t:process signull;
 ')
 diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 5fe902d..a349d18 100644
+index 5fe902d..b31eeba 100644
 --- a/policy/modules/system/unconfined.te
 +++ b/policy/modules/system/unconfined.te
-@@ -1,207 +1,28 @@
+@@ -1,207 +1,32 @@
 -policy_module(unconfined, 3.5.1)
 +policy_module(unconfined, 3.5.0)
 
@ -51352,8 +51358,7 @@ index 5fe902d..a349d18 100644
 -optional_policy(`
 -	firstboot_run(unconfined_t, unconfined_r)
 -')
-+role unconfined_r types unconfined_service_t;
- 
+-
 -optional_policy(`
 -	ftp_run_ftpdctl(unconfined_t, unconfined_r)
 -')
@ -51369,15 +51374,12 @@ index 5fe902d..a349d18 100644
 -optional_policy(`
 -	java_run_unconfined(unconfined_t, unconfined_r)
 -')
-+corecmd_bin_entry_type(unconfined_service_t)
-+corecmd_shell_entry_type(unconfined_service_t)
- 
- optional_policy(`
+-
+-optional_policy(`
 -	lpd_run_checkpc(unconfined_t, unconfined_r)
-+	rpm_transition_script(unconfined_service_t, system_r)
- ')
- 
- optional_policy(`
+-')
+-
+-optional_policy(`
 -	modutils_run_update_mods(unconfined_t, unconfined_r)
 -')
 -
@ -51429,7 +51431,8 @@ index 5fe902d..a349d18 100644
 -optional_policy(`
 -	rpm_run(unconfined_t, unconfined_r)
 -')
-
+role unconfined_r types unconfined_service_t;
+ 
 -optional_policy(`
 -	samba_run_net(unconfined_t, unconfined_r)
 -	samba_run_winbind_helper(unconfined_t, unconfined_r)
@ -51451,16 +51454,20 @@ index 5fe902d..a349d18 100644
 -optional_policy(`
 -	unconfined_dbus_chat(unconfined_t)
 -')
-
-optional_policy(`
+corecmd_bin_entry_type(unconfined_service_t)
+corecmd_shell_entry_type(unconfined_service_t)
+ 
+ optional_policy(`
 -	usermanage_run_admin_passwd(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
+	rpm_transition_script(unconfined_service_t, system_r)
+ ')
+ 
+ optional_policy(`
 -	vpn_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
+	dbus_chat_system_bus(unconfined_service_t)
+ ')
+ 
+ optional_policy(`
 -	webalizer_run(unconfined_t, unconfined_r)
 -')
 -
@ -51482,7 +51489,7 @@ index 5fe902d..a349d18 100644
 -
 -optional_policy(`
 -	unconfined_dbus_chat(unconfined_execmem_t)
-+	dbus_chat_system_bus(unconfined_service_t)
+	virt_transition_svirt(unconfined_service_t, system_r)
 ')
 diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
 index db75976..c54480a 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -9774,7 +9774,7 @@ index 531a8f2..3fcf187 100644
 +	allow $1 named_unit_file_t:service all_service_perms;
 ')
 diff --git a/bind.te b/bind.te
-index 1241123..ab9ec30 100644
+index 1241123..f726b13 100644
 --- a/bind.te
 +++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@ -9801,7 +9801,7 @@ index 1241123..ab9ec30 100644
 #
 
 -allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
-+allow named_t self:capability { chown dac_override fowner net_admin setgid setuid sys_chroot sys_nice sys_resource };
+allow named_t self:capability { chown dac_override fowner net_admin net_raw setgid setuid sys_chroot sys_nice sys_resource };
 dontaudit named_t self:capability sys_tty_config;
 +allow named_t self:capability2 block_suspend;
 allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
@ -31429,10 +31429,10 @@ index 0000000..cf9f7bf
 +')
 diff --git a/geoclue.te b/geoclue.te
 new file mode 100644
-index 0000000..efd838f
+index 0000000..fb8be0d
 --- /dev/null
 +++ b/geoclue.te
-@@ -0,0 +1,71 @@
+@@ -0,0 +1,72 @@
 +policy_module(geoclue, 1.0.0)
 +
 +########################################
@ -31466,6 +31466,7 @@ index 0000000..efd838f
 +manage_dirs_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)
 +files_tmp_filetrans(geoclue_t, geoclue_tmp_t, { dir file })
 +
+kernel_read_system_state(geoclue_t)
 +kernel_read_network_state(geoclue_t)
 +
 +auth_read_passwd(geoclue_t)
@ -32381,10 +32382,10 @@ index 0000000..764ae00
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..3ba328e
+index 0000000..0a33da3
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,303 @@
+@@ -0,0 +1,305 @@
 +policy_module(glusterd, 1.1.3)
 +
 +## <desc>
@ -32446,7 +32447,7 @@ index 0000000..3ba328e
 +# Local policy
 +#
 +
-+allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw };
+allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid ipc_lock kill setgid setuid net_admin mknod net_raw };
 +
 +allow glusterd_t self:capability2 block_suspend;
 +allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate};
@ -32542,6 +32543,7 @@ index 0000000..3ba328e
 +dev_read_sysfs(glusterd_t)
 +dev_read_urand(glusterd_t)
 +dev_read_rand(glusterd_t)
+dev_rw_infiniband_dev(glusterd_t)
 +
 +domain_read_all_domains_state(glusterd_t)
 +domain_getattr_all_sockets(glusterd_t)
@ -32551,6 +32553,7 @@ index 0000000..3ba328e
 +fs_mount_all_fs(glusterd_t)
 +fs_unmount_all_fs(glusterd_t)
 +fs_getattr_all_fs(glusterd_t)
+fs_getattr_all_dirs(glusterd_t)
 +
 +files_mounton_non_security(glusterd_t)
 +
@ -37724,10 +37727,10 @@ index 6517fad..f183748 100644
 +	allow $1 hypervkvp_unit_file_t:service all_service_perms;
 ')
 diff --git a/hypervkvp.te b/hypervkvp.te
-index 4eb7041..de9cd55 100644
+index 4eb7041..b205df0 100644
 --- a/hypervkvp.te
 +++ b/hypervkvp.te
-@@ -5,24 +5,153 @@ policy_module(hypervkvp, 1.0.0)
+@@ -5,24 +5,154 @@ policy_module(hypervkvp, 1.0.0)
 # Declarations
 #
 
@ -37889,6 +37892,7 @@ index 4eb7041..de9cd55 100644
 -miscfiles_read_localization(hypervkvpd_t)
 +files_list_all_mountpoints(hypervvssd_t)
 +files_write_all_mountpoints(hypervvssd_t)
+files_list_non_auth_dirs(hypervvssd_t)
 
 -sysnet_dns_name_resolve(hypervkvpd_t)
 +logging_send_syslog_msg(hypervvssd_t)
@ -39918,7 +39922,7 @@ index ca020fa..d546e07 100644
 +	kdump_rw_inherited_kdumpctl_tmp_pipes(iscsid_t)
 +')
 diff --git a/isns.te b/isns.te
-index bc11034..183c526 100644
+index bc11034..20a7f39 100644
 --- a/isns.te
 +++ b/isns.te
@@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t)
@ -39939,9 +39943,11 @@ index bc11034..183c526 100644
 corenet_all_recvfrom_unlabeled(isnsd_t)
 corenet_all_recvfrom_netlabel(isnsd_t)
 corenet_tcp_sendrecv_generic_if(isnsd_t)
-@@ -46,10 +50,6 @@ corenet_tcp_bind_generic_node(isnsd_t)
+@@ -45,11 +49,8 @@ corenet_tcp_sendrecv_isns_port(isnsd_t)
+ corenet_tcp_bind_generic_node(isnsd_t)
 corenet_sendrecv_isns_server_packets(isnsd_t)
 corenet_tcp_bind_isns_port(isnsd_t)
+corenet_tcp_connect_isns_port(isnsd_t)
 
 -files_read_etc_files(isnsd_t)
 +auth_use_nsswitch(isnsd_t)
@ -46051,7 +46057,7 @@ index 8031a78..72e56ac 100644
 +
 +/dev/shm/lldpad.*   --  gen_context(system_u:object_r:lldpad_tmpfs_t,s0)
 diff --git a/lldpad.if b/lldpad.if
-index d18c960..fb5b674 100644
+index d18c960..b7bd752 100644
 --- a/lldpad.if
 +++ b/lldpad.if
@@ -2,6 +2,25 @@
@ -46095,6 +46101,29 @@ index d18c960..fb5b674 100644
 	init_labeled_script_domtrans($1, lldpad_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 lldpad_initrc_exec_t system_r;
+@@ -56,3 +79,22 @@ interface(`lldpad_admin',`
+ 	files_search_pids($1)
+ 	admin_pattern($1, lldpad_var_run_t)
+ ')
+
+########################################
+## <summary>
+##	Allow relabel lldpad_tmpfs_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lldpad_relabel_tmpfs',`
+	gen_require(`
+		type lldpad_tmpfs_t;
+	')
+
+	allow $1 lldpad_tmpfs_t:file relabelfrom;
+	allow $1 lldpad_tmpfs_t:file relabelto;
+')
 diff --git a/lldpad.te b/lldpad.te
 index 2a491d9..42e5578 100644
 --- a/lldpad.te
@ -64805,10 +64834,10 @@ index 0000000..7581b52
 +')
 diff --git a/openfortivpn.te b/openfortivpn.te
 new file mode 100644
-index 0000000..0d22f83
+index 0000000..3142896
 --- /dev/null
 +++ b/openfortivpn.te
-@@ -0,0 +1,69 @@
+@@ -0,0 +1,67 @@
 +policy_module(openfortivpn, 1.0.0)
 +
 +########################################
@ -64817,11 +64846,9 @@ index 0000000..0d22f83
 +#
 +
 +type openfortivpn_t;
-+domain_type(openfortivpn_t);
 +role system_r types openfortivpn_t;
-+
 +type openfortivpn_exec_t;
-+domain_entry_file(openfortivpn_t, openfortivpn_exec_t)
+init_daemon_domain(openfortivpn_t, openfortivpn_exec_t)
 +
 +type openfortivpn_var_lib_t;
 +files_type(openfortivpn_var_lib_t)
@ -69440,14 +69467,15 @@ index 43d50f9..6b1544f 100644
 
 ########################################
 diff --git a/pcscd.te b/pcscd.te
-index 1fb1964..5212cd2 100644
+index 1fb1964..a8026bd 100644
 --- a/pcscd.te
 +++ b/pcscd.te
-@@ -22,10 +22,11 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
+@@ -22,10 +22,12 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
 #
 
 allow pcscd_t self:capability { dac_override dac_read_search fsetid };
 -allow pcscd_t self:process signal;
+allow pcscd_t self:capability2 { wake_alarm };
 +allow pcscd_t self:process { signal signull };
 allow pcscd_t self:fifo_file rw_fifo_file_perms;
 -allow pcscd_t self:unix_stream_socket { accept listen };
@ -69458,7 +69486,7 @@ index 1fb1964..5212cd2 100644
 allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms;
 
 manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
-@@ -36,7 +37,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
+@@ -36,7 +38,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
 
 kernel_read_system_state(pcscd_t)
 
@ -69466,7 +69494,7 @@ index 1fb1964..5212cd2 100644
 corenet_all_recvfrom_netlabel(pcscd_t)
 corenet_tcp_sendrecv_generic_if(pcscd_t)
 corenet_tcp_sendrecv_generic_node(pcscd_t)
-@@ -45,12 +45,13 @@ corenet_sendrecv_http_client_packets(pcscd_t)
+@@ -45,12 +46,13 @@ corenet_sendrecv_http_client_packets(pcscd_t)
 corenet_tcp_connect_http_port(pcscd_t)
 corenet_tcp_sendrecv_http_port(pcscd_t)
 
@ -69481,7 +69509,7 @@ index 1fb1964..5212cd2 100644
 files_read_etc_runtime_files(pcscd_t)
 
 term_use_unallocated_ttys(pcscd_t)
-@@ -60,16 +61,26 @@ locallogin_use_fds(pcscd_t)
+@@ -60,16 +62,26 @@ locallogin_use_fds(pcscd_t)
 
 logging_send_syslog_msg(pcscd_t)
 
@ -69510,7 +69538,7 @@ index 1fb1964..5212cd2 100644
 ')
 
 optional_policy(`
-@@ -85,3 +96,8 @@ optional_policy(`
+@@ -85,3 +97,8 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(pcscd_t)
 ')
@ -90925,7 +90953,7 @@ index 0bf13c2..ed393a0 100644
 	files_list_tmp($1)
 	admin_pattern($1, gssd_tmp_t)
 diff --git a/rpc.te b/rpc.te
-index 2da9fca..7f491b0 100644
+index 2da9fca..23bddad 100644
 --- a/rpc.te
 +++ b/rpc.te
@@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
@ -91123,7 +91151,7 @@ index 2da9fca..7f491b0 100644
 ')
 
 ########################################
-@@ -202,41 +226,56 @@ optional_policy(`
+@@ -202,41 +226,61 @@ optional_policy(`
 #
 
 allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
@ -91177,6 +91205,11 @@ index 2da9fca..7f491b0 100644
 storage_dontaudit_read_fixed_disk(nfsd_t)
 storage_raw_read_removable_device(nfsd_t)
 
+allow nfsd_t nfsd_unit_file_t:file manage_file_perms;
+systemd_unit_file_filetrans(nfsd_t, nfsd_unit_file_t, file)
+systemd_create_unit_file_dirs(nfsd_t)
+systemd_create_unit_file_lnk(nfsd_t)
+
 +# Read access to public_content_t and public_content_rw_t
 miscfiles_read_public_files(nfsd_t)
 
@ -91189,7 +91222,7 @@ index 2da9fca..7f491b0 100644
 	miscfiles_manage_public_files(nfsd_t)
 ')
 
-@@ -245,7 +284,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -245,7 +289,6 @@ tunable_policy(`nfs_export_all_rw',`
 	dev_getattr_all_chr_files(nfsd_t)
 
 	fs_read_noxattr_fs_files(nfsd_t)
@ -91197,7 +91230,7 @@ index 2da9fca..7f491b0 100644
 ')
 
 tunable_policy(`nfs_export_all_ro',`
-@@ -257,12 +295,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -257,12 +300,12 @@ tunable_policy(`nfs_export_all_ro',`
 
 	fs_read_noxattr_fs_files(nfsd_t)
 
@ -91212,7 +91245,7 @@ index 2da9fca..7f491b0 100644
 ')
 
 ########################################
-@@ -270,7 +308,7 @@ optional_policy(`
+@@ -270,7 +313,7 @@ optional_policy(`
 # GSSD local policy
 #
 
@ -91221,7 +91254,7 @@ index 2da9fca..7f491b0 100644
 allow gssd_t self:process { getsched setsched };
 allow gssd_t self:fifo_file rw_fifo_file_perms;
 
-@@ -280,6 +318,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -280,6 +323,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
 
@ -91229,7 +91262,7 @@ index 2da9fca..7f491b0 100644
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)
 kernel_request_load_module(gssd_t)
-@@ -288,25 +327,31 @@ kernel_signal(gssd_t)
+@@ -288,25 +332,31 @@ kernel_signal(gssd_t)
 
 corecmd_exec_bin(gssd_t)
 
@ -91264,7 +91297,7 @@ index 2da9fca..7f491b0 100644
 ')
 
 optional_policy(`
-@@ -314,9 +359,12 @@ optional_policy(`
+@@ -314,9 +364,12 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -109696,7 +109729,7 @@ index 61c2e07..3b86095 100644
 +	')
 ')
 diff --git a/tor.te b/tor.te
-index 5ceacde..f24416b 100644
+index 5ceacde..c919a2d 100644
 --- a/tor.te
 +++ b/tor.te
@@ -13,6 +13,13 @@ policy_module(tor, 1.9.0)
@ -109713,7 +109746,16 @@ index 5ceacde..f24416b 100644
 type tor_t;
 type tor_exec_t;
 init_daemon_domain(tor_t, tor_exec_t)
-@@ -32,6 +39,10 @@ logging_log_file(tor_var_log_t)
+@@ -25,13 +32,19 @@ init_script_file(tor_initrc_exec_t)
+ 
+ type tor_var_lib_t;
+ files_type(tor_var_lib_t)
+files_mountpoint(tor_var_lib_t)
+ 
+ type tor_var_log_t;
+ logging_log_file(tor_var_log_t)
+files_mountpoint(tor_var_log_t)
+ 
 type tor_var_run_t;
 files_pid_file(tor_var_run_t)
 init_daemon_run_dir(tor_var_run_t, "tor")
@ -109724,7 +109766,7 @@ index 5ceacde..f24416b 100644
 
 ########################################
 #
-@@ -48,6 +59,8 @@ allow tor_t tor_etc_t:dir list_dir_perms;
+@@ -48,6 +61,8 @@ allow tor_t tor_etc_t:dir list_dir_perms;
 allow tor_t tor_etc_t:file read_file_perms;
 allow tor_t tor_etc_t:lnk_file read_lnk_file_perms;
 
@ -109733,7 +109775,7 @@ index 5ceacde..f24416b 100644
 manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
 manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
 manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
-@@ -77,7 +90,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
+@@ -77,7 +92,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
 corenet_udp_sendrecv_generic_node(tor_t)
 corenet_tcp_bind_generic_node(tor_t)
 corenet_udp_bind_generic_node(tor_t)
@ -109741,7 +109783,7 @@ index 5ceacde..f24416b 100644
 corenet_sendrecv_dns_server_packets(tor_t)
 corenet_udp_bind_dns_port(tor_t)
 corenet_udp_sendrecv_dns_port(tor_t)
-@@ -85,6 +97,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
+@@ -85,6 +99,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
 corenet_sendrecv_tor_server_packets(tor_t)
 corenet_tcp_bind_tor_port(tor_t)
 corenet_tcp_sendrecv_tor_port(tor_t)
@ -109749,7 +109791,7 @@ index 5ceacde..f24416b 100644
 
 corenet_sendrecv_all_client_packets(tor_t)
 corenet_tcp_connect_all_ports(tor_t)
-@@ -98,19 +111,22 @@ dev_read_urand(tor_t)
+@@ -98,19 +113,22 @@ dev_read_urand(tor_t)
 domain_use_interactive_fds(tor_t)
 
 files_read_etc_runtime_files(tor_t)
@ -114182,7 +114224,7 @@ index facdee8..2cff369 100644
 +	domtrans_pattern($1,container_file_t, $2)
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..923fbbe 100644
+index f03dcf5..af39887 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,451 +1,403 @@
@ -115766,7 +115808,7 @@ index f03dcf5..923fbbe 100644
 selinux_get_enforce_mode(virtd_lxc_t)
 selinux_get_fs_mount(virtd_lxc_t)
 selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1260,360 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1260,364 @@ selinux_compute_create_context(virtd_lxc_t)
 selinux_compute_relabel_context(virtd_lxc_t)
 selinux_compute_user_contexts(virtd_lxc_t)
 
@ -116051,6 +116093,9 @@ index f03dcf5..923fbbe 100644
 +	fs_manage_nfs_files(svirt_sandbox_domain)
 +	fs_manage_nfs_named_sockets(svirt_sandbox_domain)
 +	fs_manage_nfs_symlinks(svirt_sandbox_domain)
+	fs_mount_nfs(svirt_sandbox_domain)
+	fs_unmount_nfs(svirt_sandbox_domain)
+	kernel_rw_fs_sysctls(svirt_sandbox_domain)
 +')
 +
 +tunable_policy(`virt_use_samba',`
@ -116064,6 +116109,8 @@ index f03dcf5..923fbbe 100644
 +    fs_manage_fusefs_dirs(svirt_sandbox_domain)
 +    fs_manage_fusefs_files(svirt_sandbox_domain)
 +    fs_manage_fusefs_symlinks(svirt_sandbox_domain)
+    fs_mount_fusefs(svirt_sandbox_domain)
+    fs_unmount_fusefs(svirt_sandbox_domain)
 ')
 
 optional_policy(`
@ -116091,7 +116138,6 @@ index f03dcf5..923fbbe 100644
 +dontaudit container_t self:capability2  block_suspend ;
 +allow container_t self:process { execstack execmem };
 +manage_chr_files_pattern(container_t, container_file_t, container_file_t)
-+kernel_load_module(container_t)
 +
 +tunable_policy(`virt_sandbox_use_sys_admin',`
 +	allow container_t self:capability sys_admin;
@ -116271,7 +116317,7 @@ index f03dcf5..923fbbe 100644
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
 
-@@ -1174,12 +1626,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1630,12 @@ dev_read_sysfs(virt_qmf_t)
 dev_read_rand(virt_qmf_t)
 dev_read_urand(virt_qmf_t)
 
@ -116286,7 +116332,7 @@ index f03dcf5..923fbbe 100644
 sysnet_read_config(virt_qmf_t)
 
 optional_policy(`
-@@ -1192,7 +1644,7 @@ optional_policy(`
+@@ -1192,7 +1648,7 @@ optional_policy(`
 
 ########################################
 #
@ -116295,7 +116341,7 @@ index f03dcf5..923fbbe 100644
 #
 
 allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1653,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1657,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
 allow virt_bridgehelper_t self:tun_socket create_socket_perms;
 allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
 
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 221%{?dist}
+Release: 222%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -675,6 +675,29 @@ exit 0
 %endif

 %changelog
+* Wed Nov 02 2016 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-222
+- Allow abrt_dump_oops_t to drop capabilities. bz(1391040)
+- Add named_t domain net_raw capability bz(1389240)
+- Allow geoclue to read system info. bz(1389320)
+- Make openfortivpn_t as init_deamon_domain. bz(1159899)
+- Allow nfsd domain to create nfsd_unit_file_t files. bz(1382487)
+- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
+- Add interace lldpad_relabel_tmpfs
+- Merge pull request #155 from rhatdan/sandbox_nfs
+- Add pscsd_t wake_alarm capability2
+- Allow sandbox domains to mount fuse file systems
+- Add boolean to allow sandbox domains to mount nfs
+- Allow hypervvssd_t to read all dirs.
+- Allow isnsd_t to connect to isns_port_t
+- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
+- Allow GlusterFS with RDMA transport to be started correctly. It requires ipc_lock capability together with rw permission on rdma_cm device.
+- Make tor_var_lib_t and tor_var_log_t as mountpoints.
+- Allow systemd-rfkill to write to /proc/kmsg bz(1388669)
+- Allow init_t to relabel /dev/shm/lldpad.state
+- Merge pull request #168 from rhatdan/docker
+- Label tcp 51954 as isns_port_t
+- Lots of new domains like OCID and RKT are user container processes
+
 * Mon Oct 17 2016 Miroslav Grepl <mgrepl@redhat.com> - 3.13.1-221
 - Add container_file_t into contexts/customizable_types.