* Fri Jul 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-265

- Allow llpdad send dgram to libvirt - Allow abrt_t domain dac_read_search capability - Allow init_t domain mounton dirs labeled as init_var_lib_t BZ(1471476) - Allow xdm_t domain read unique machine-id generated during system installation. BZ(1467036)
2017-07-21 14:21:02 +02:00 · 2017-07-21 14:21:02 +02:00 · 4696e7ec09
commit 4696e7ec09
parent 3622c01896
4 changed files with 218 additions and 177 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -30397,7 +30397,7 @@ index 6bf0ecc..e6be63a 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..e3436b4 100644
+index 8b40377..8c9110f 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@ -30745,13 +30745,13 @@ index 8b40377..e3436b4 100644
 +ifdef(`hide_broken_symptoms',`
 +	term_dontaudit_use_unallocated_ttys(xauth_t)
 +	dev_dontaudit_rw_dri(xauth_t)
 +')
 +
 +optional_policy(`
 +	nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
 ')
 optional_policy(`
 +	nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
 +')
 +
 +optional_policy(`
 +	ssh_use_ptys(xauth_t)
 	ssh_sigchld(xauth_t)
 	ssh_read_pipes(xauth_t)
@ -30788,12 +30788,12 @@ index 8b40377..e3436b4 100644
 +allow xdm_t self:dbus { send_msg acquire_svc };
 +
 +allow xdm_t xauth_home_t:file manage_file_perms;
- 
+
 -allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
 +allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
 +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
-+
+ 
 -allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
 +manage_dirs_pattern(xdm_t, xdm_home_t, xdm_home_t)
 +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
 +xserver_filetrans_home_content(xdm_t)
@ -31051,7 +31051,7 @@ index 8b40377..e3436b4 100644
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +700,163 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +700,167 @@ userdom_read_user_home_content_files(xdm_t)
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
@ -31107,6 +31107,10 @@ index 8b40377..e3436b4 100644
 +')
 +
 +optional_policy(`
 +    dbus_read_lib_files(xdm_t)
 +')
 +
 +optional_policy(`
 +	gnome_config_filetrans(xdm_t, home_cert_t, dir, "certificates")
 +')
 +
@ -31221,7 +31225,7 @@ index 8b40377..e3436b4 100644
 tunable_policy(`xdm_sysadm_login',`
 	userdom_xsession_spec_domtrans_all_users(xdm_t)
 	# FIXME:
-@@ -502,12 +869,31 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,12 +873,31 @@ tunable_policy(`xdm_sysadm_login',`
 #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
 ')
@ -31253,7 +31257,7 @@ index 8b40377..e3436b4 100644
 ')
 optional_policy(`
-@@ -518,8 +904,36 @@ optional_policy(`
+@@ -518,8 +908,36 @@ optional_policy(`
 	dbus_system_bus_client(xdm_t)
 	dbus_connect_system_bus(xdm_t)
@ -31272,13 +31276,13 @@ index 8b40377..e3436b4 100644
 +		cpufreqselector_dbus_chat(xdm_t)
 +	')
 +
- 	optional_policy(`
+	optional_policy(`
 -		accountsd_dbus_chat(xdm_t)
 +		devicekit_dbus_chat_disk(xdm_t)
 +		devicekit_dbus_chat_power(xdm_t)
 +	')
 +
-+	optional_policy(`
+ 	optional_policy(`
 -		accountsd_dbus_chat(xdm_t)
 +		hal_dbus_chat(xdm_t)
 +	')
 +
@ -31291,7 +31295,7 @@ index 8b40377..e3436b4 100644
 	')
 ')
-@@ -530,6 +944,20 @@ optional_policy(`
+@@ -530,6 +948,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -31312,7 +31316,7 @@ index 8b40377..e3436b4 100644
 	hostname_exec(xdm_t)
 ')
-@@ -547,28 +975,78 @@ optional_policy(`
+@@ -547,28 +979,78 @@ optional_policy(`
 ')
 optional_policy(`
@ -31400,7 +31404,7 @@ index 8b40377..e3436b4 100644
 ')
 optional_policy(`
-@@ -580,6 +1058,14 @@ optional_policy(`
+@@ -580,6 +1062,14 @@ optional_policy(`
 ')
 optional_policy(`
@ -31415,7 +31419,7 @@ index 8b40377..e3436b4 100644
 	xfs_stream_connect(xdm_t)
 ')
-@@ -594,7 +1080,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1084,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
 type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
 allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@ -31424,7 +31428,7 @@ index 8b40377..e3436b4 100644
 # setuid/setgid for the wrapper program to change UID
 # sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1090,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1094,11 @@ allow xserver_t input_xevent_t:x_event send;
 # execheap needed until the X module loader is fixed.
 # NVIDIA Needs execstack
@ -31437,7 +31441,7 @@ index 8b40377..e3436b4 100644
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:fd use;
 allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1107,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1111,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xserver_t self:tcp_socket create_stream_socket_perms;
 allow xserver_t self:udp_socket create_socket_perms;
@ -31453,7 +31457,7 @@ index 8b40377..e3436b4 100644
 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1123,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1127,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
 filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@ -31464,7 +31468,7 @@ index 8b40377..e3436b4 100644
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1138,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1142,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
@ -31506,7 +31510,7 @@ index 8b40377..e3436b4 100644
 corenet_all_recvfrom_netlabel(xserver_t)
 corenet_tcp_sendrecv_generic_if(xserver_t)
 corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1189,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1193,28 @@ dev_rw_apm_bios(xserver_t)
 dev_rw_agp(xserver_t)
 dev_rw_framebuffer(xserver_t)
 dev_manage_dri_dev(xserver_t)
@ -31538,7 +31542,7 @@ index 8b40377..e3436b4 100644
 # brought on by rhgb
 files_search_mnt(xserver_t)
-@@ -705,6 +1222,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1226,14 @@ fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
@ -31553,7 +31557,7 @@ index 8b40377..e3436b4 100644
 mls_xwin_read_to_clearance(xserver_t)
 selinux_validate_context(xserver_t)
-@@ -718,20 +1243,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1247,18 @@ init_getpgid(xserver_t)
 term_setattr_unallocated_ttys(xserver_t)
 term_use_unallocated_ttys(xserver_t)
@ -31577,7 +31581,7 @@ index 8b40377..e3436b4 100644
 userdom_search_user_home_dirs(xserver_t)
 userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1262,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1266,6 @@ userdom_setattr_user_ttys(xserver_t)
 userdom_read_user_tmp_files(xserver_t)
 userdom_rw_user_tmpfs_files(xserver_t)
@ -31586,7 +31590,7 @@ index 8b40377..e3436b4 100644
 ifndef(`distro_redhat',`
 	allow xserver_t self:process { execmem execheap execstack };
 	domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1306,54 @@ optional_policy(`
+@@ -785,17 +1310,54 @@ optional_policy(`
 ')
 optional_policy(`
@ -31643,7 +31647,7 @@ index 8b40377..e3436b4 100644
 ')
 optional_policy(`
-@@ -803,6 +1361,10 @@ optional_policy(`
+@@ -803,6 +1365,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -31654,7 +31658,7 @@ index 8b40377..e3436b4 100644
 	xfs_stream_connect(xserver_t)
 ')
-@@ -818,18 +1380,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1384,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
@ -31679,7 +31683,7 @@ index 8b40377..e3436b4 100644
 can_exec(xserver_t, xkb_var_lib_t)
 # VNC v4 module in X server
-@@ -842,26 +1403,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1407,21 @@ init_use_fds(xserver_t)
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -31714,7 +31718,7 @@ index 8b40377..e3436b4 100644
 ')
 optional_policy(`
-@@ -912,7 +1468,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1472,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
 allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -31723,7 +31727,7 @@ index 8b40377..e3436b4 100644
 # operations allowed on all windows
 allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -966,11 +1522,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1526,31 @@ allow x_domain self:x_resource { read write };
 # can mess with the screensaver
 allow x_domain xserver_t:x_screen { getattr saver_getattr };
@ -31755,7 +31759,7 @@ index 8b40377..e3436b4 100644
 tunable_policy(`! xserver_object_manager',`
 	# should be xserver_unconfined(x_domain),
 	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1568,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1572,148 @@ tunable_policy(`! xserver_object_manager',`
 	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
 ')
@ -36159,7 +36163,7 @@ index 79a45f6..054b9f7 100644
 +    allow $1 init_var_lib_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..fa4ad6a 100644
+index 17eda24..055193c 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -36284,7 +36288,7 @@ index 17eda24..fa4ad6a 100644
 # is ~sys_module really needed? observed:
 # sys_boot
 # sys_tty_config
-@@ -108,14 +161,48 @@ allow init_t self:capability ~sys_module;
+@@ -108,14 +161,49 @@ allow init_t self:capability ~sys_module;
 allow init_t self:fifo_file rw_fifo_file_perms;
@ -36317,6 +36321,7 @@ index 17eda24..fa4ad6a 100644
 +manage_lnk_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
 +manage_sock_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
 +files_var_lib_filetrans(init_t, init_var_lib_t, { dir file })
 +allow init_t init_var_lib_t:dir mounton;
 +
 +manage_dirs_pattern(init_t, init_var_run_t, init_var_run_t)
 +manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
@ -36339,7 +36344,7 @@ index 17eda24..fa4ad6a 100644
 allow init_t initctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +212,26 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +213,26 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
@ -36367,7 +36372,7 @@ index 17eda24..fa4ad6a 100644
 domain_getpgid_all_domains(init_t)
 domain_kill_all_domains(init_t)
-@@ -139,45 +239,102 @@ domain_signal_all_domains(init_t)
+@@ -139,45 +240,102 @@ domain_signal_all_domains(init_t)
 domain_signull_all_domains(init_t)
 domain_sigstop_all_domains(init_t)
 domain_sigchld_all_domains(init_t)
@ -36477,7 +36482,7 @@ index 17eda24..fa4ad6a 100644
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
-@@ -186,29 +343,283 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +344,283 @@ ifdef(`distro_gentoo',`
 ')
 ifdef(`distro_redhat',`
@ -36770,7 +36775,7 @@ index 17eda24..fa4ad6a 100644
 ')
 optional_policy(`
-@@ -216,7 +627,30 @@ optional_policy(`
+@@ -216,7 +628,30 @@ optional_policy(`
 ')
 optional_policy(`
@ -36802,7 +36807,7 @@ index 17eda24..fa4ad6a 100644
 ')
 ########################################
-@@ -225,9 +659,9 @@ optional_policy(`
+@@ -225,9 +660,9 @@ optional_policy(`
 #
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -36814,7 +36819,7 @@ index 17eda24..fa4ad6a 100644
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
-@@ -258,12 +692,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +693,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -36831,7 +36836,7 @@ index 17eda24..fa4ad6a 100644
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +717,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +718,36 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -36874,7 +36879,7 @@ index 17eda24..fa4ad6a 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +754,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +755,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -36886,7 +36891,7 @@ index 17eda24..fa4ad6a 100644
 dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
-@@ -313,8 +766,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +767,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -36897,7 +36902,7 @@ index 17eda24..fa4ad6a 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -322,8 +777,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +778,7 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -36907,7 +36912,7 @@ index 17eda24..fa4ad6a 100644
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
-@@ -332,7 +786,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +787,6 @@ domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -36915,7 +36920,7 @@ index 17eda24..fa4ad6a 100644
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -340,6 +793,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +794,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -36923,7 +36928,7 @@ index 17eda24..fa4ad6a 100644
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -347,14 +801,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +802,15 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -36941,7 +36946,7 @@ index 17eda24..fa4ad6a 100644
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
-@@ -364,8 +819,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +820,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -36955,7 +36960,7 @@ index 17eda24..fa4ad6a 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -375,10 +834,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +835,11 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -36969,7 +36974,7 @@ index 17eda24..fa4ad6a 100644
 mcs_process_set_categories(initrc_t)
 mls_file_read_all_levels(initrc_t)
-@@ -387,8 +847,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +848,10 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -36980,7 +36985,7 @@ index 17eda24..fa4ad6a 100644
 storage_getattr_fixed_disk_dev(initrc_t)
 storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +860,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +861,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 auth_rw_login_records(initrc_t)
@ -36988,7 +36993,7 @@ index 17eda24..fa4ad6a 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -416,20 +879,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +880,18 @@ logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
@ -37012,7 +37017,7 @@ index 17eda24..fa4ad6a 100644
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +912,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +913,6 @@ ifdef(`distro_gentoo',`
 	allow initrc_t self:process setfscreate;
 	dev_create_null_dev(initrc_t)
 	dev_create_zero_dev(initrc_t)
@ -37020,7 +37025,7 @@ index 17eda24..fa4ad6a 100644
 	term_create_console_dev(initrc_t)
 	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +946,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +947,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 	optional_policy(`
@ -37031,7 +37036,7 @@ index 17eda24..fa4ad6a 100644
 		alsa_read_lib(initrc_t)
 	')
-@@ -506,7 +970,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +971,7 @@ ifdef(`distro_redhat',`
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -37040,7 +37045,7 @@ index 17eda24..fa4ad6a 100644
 	files_dontaudit_read_root_files(initrc_t)
 	# These seem to be from the initrd
-@@ -521,6 +985,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +986,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -37048,7 +37053,7 @@ index 17eda24..fa4ad6a 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +1006,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +1007,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
@ -37056,7 +37061,7 @@ index 17eda24..fa4ad6a 100644
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +1016,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +1017,44 @@ ifdef(`distro_redhat',`
 	')
 	optional_policy(`
@ -37101,7 +37106,7 @@ index 17eda24..fa4ad6a 100644
 	')
 	optional_policy(`
-@@ -559,14 +1061,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1062,31 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -37133,7 +37138,7 @@ index 17eda24..fa4ad6a 100644
 	')
 ')
-@@ -577,6 +1096,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1097,39 @@ ifdef(`distro_suse',`
 	')
 ')
@ -37173,7 +37178,7 @@ index 17eda24..fa4ad6a 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1141,8 @@ optional_policy(`
+@@ -589,6 +1142,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -37182,7 +37187,7 @@ index 17eda24..fa4ad6a 100644
 ')
 optional_policy(`
-@@ -610,6 +1164,7 @@ optional_policy(`
+@@ -610,6 +1165,7 @@ optional_policy(`
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -37190,7 +37195,7 @@ index 17eda24..fa4ad6a 100644
 ')
 optional_policy(`
-@@ -626,6 +1181,17 @@ optional_policy(`
+@@ -626,6 +1182,17 @@ optional_policy(`
 ')
 optional_policy(`
@ -37208,7 +37213,7 @@ index 17eda24..fa4ad6a 100644
 	dev_getattr_printer_dev(initrc_t)
 	cups_read_log(initrc_t)
-@@ -642,9 +1208,13 @@ optional_policy(`
+@@ -642,9 +1209,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -37222,7 +37227,7 @@ index 17eda24..fa4ad6a 100644
 	')
 	optional_policy(`
-@@ -657,15 +1227,11 @@ optional_policy(`
+@@ -657,15 +1228,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -37240,7 +37245,7 @@ index 17eda24..fa4ad6a 100644
 ')
 optional_policy(`
-@@ -686,6 +1252,15 @@ optional_policy(`
+@@ -686,6 +1253,15 @@ optional_policy(`
 ')
 optional_policy(`
@ -37256,7 +37261,7 @@ index 17eda24..fa4ad6a 100644
 	inn_exec_config(initrc_t)
 ')
-@@ -726,6 +1301,7 @@ optional_policy(`
+@@ -726,6 +1302,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 	lpd_read_config(initrc_t)
@ -37264,7 +37269,7 @@ index 17eda24..fa4ad6a 100644
 ')
 optional_policy(`
-@@ -743,7 +1319,13 @@ optional_policy(`
+@@ -743,7 +1320,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -37279,7 +37284,7 @@ index 17eda24..fa4ad6a 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
-@@ -766,6 +1348,10 @@ optional_policy(`
+@@ -766,6 +1349,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -37290,7 +37295,7 @@ index 17eda24..fa4ad6a 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -775,10 +1361,20 @@ optional_policy(`
+@@ -775,10 +1362,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -37311,7 +37316,7 @@ index 17eda24..fa4ad6a 100644
 	quota_manage_flags(initrc_t)
 ')
-@@ -787,6 +1383,10 @@ optional_policy(`
+@@ -787,6 +1384,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -37322,7 +37327,7 @@ index 17eda24..fa4ad6a 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
-@@ -808,8 +1408,6 @@ optional_policy(`
+@@ -808,8 +1409,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
@ -37331,7 +37336,7 @@ index 17eda24..fa4ad6a 100644
 ')
 optional_policy(`
-@@ -818,6 +1416,10 @@ optional_policy(`
+@@ -818,6 +1417,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -37342,7 +37347,7 @@ index 17eda24..fa4ad6a 100644
 	# shorewall-init script run /var/lib/shorewall/firewall
 	shorewall_lib_domtrans(initrc_t)
 ')
-@@ -827,10 +1429,12 @@ optional_policy(`
+@@ -827,10 +1430,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
@ -37355,7 +37360,7 @@ index 17eda24..fa4ad6a 100644
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1461,62 @@ optional_policy(`
+@@ -857,21 +1462,62 @@ optional_policy(`
 ')
 optional_policy(`
@ -37419,7 +37424,7 @@ index 17eda24..fa4ad6a 100644
 ')
 optional_policy(`
-@@ -887,6 +1532,10 @@ optional_policy(`
+@@ -887,6 +1533,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -37430,7 +37435,7 @@ index 17eda24..fa4ad6a 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1546,218 @@ optional_policy(`
+@@ -897,3 +1547,218 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -589,7 +589,7 @@ index 058d908..ee0c559 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..ca625e9 100644
+index eb50f07..f893465 100644
 --- a/abrt.te
 +++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@ -718,7 +718,7 @@ index eb50f07..ca625e9 100644
 -allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
 -dontaudit abrt_t self:capability sys_rawio;
-+allow abrt_t self:capability { chown dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
+allow abrt_t self:capability { chown dac_read_search  dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
 +dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace };
 allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
 +
@ -46962,7 +46962,7 @@ index d18c960..b7bd752 100644
 +	allow $1 lldpad_tmpfs_t:file relabelto;
 +')
 diff --git a/lldpad.te b/lldpad.te
-index 2a491d9..42e5578 100644
+index 2a491d9..3399d59 100644
 --- a/lldpad.te
 +++ b/lldpad.te
@@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t)
@ -46974,7 +46974,7 @@ index 2a491d9..42e5578 100644
 allow lldpad_t self:shm create_shm_perms;
 allow lldpad_t self:fifo_file rw_fifo_file_perms;
 allow lldpad_t self:unix_stream_socket { accept listen };
-@@ -51,12 +51,16 @@ kernel_request_load_module(lldpad_t)
+@@ -51,12 +51,20 @@ kernel_request_load_module(lldpad_t)
 dev_read_sysfs(lldpad_t)
@ -46993,6 +46993,10 @@ index 2a491d9..42e5578 100644
 +optional_policy(`
 +    networkmanager_dgram_send(lldpad_t)
 +')
 +
 +optional_policy(`
 +    virt_dgram_send(lldpad_t)
 +')
 diff --git a/loadkeys.te b/loadkeys.te
 index d2f4643..c8e6b37 100644
 --- a/loadkeys.te
@ -113788,7 +113792,7 @@ index a4f20bc..9777de2 100644
 +/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index facdee8..b5a815a 100644
+index facdee8..2a619ba 100644
 --- a/virt.if
 +++ b/virt.if
@@ -1,120 +1,111 @@
@ -114641,7 +114645,7 @@ index facdee8..b5a815a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -673,54 +565,571 @@ interface(`virt_home_filetrans',`
+@@ -673,54 +565,607 @@ interface(`virt_home_filetrans',`
 ##	</summary>
 ## </param>
 #
@ -115218,6 +115222,43 @@ index facdee8..b5a815a 100644
 +#
 +interface(`virt_dontaudit_write_pipes',`
 +	gen_require(`
 +		type virtd_t;
 +	')
 +
 +	dontaudit $1 virtd_t:fd use;
 +	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
 +')
 +
 +########################################
 +## <summary>
 +##	Send a sigkill to virtual machines
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`virt_kill_svirt',`
 +	gen_require(`
 +		attribute virt_domain;
 +	')
 +
 +	allow $1 virt_domain:process sigkill;
 +')
 +
 +########################################
 +## <summary>
 +##	Send a sigkill to virtd daemon.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`virt_kill',`
 +	gen_require(`
 +		type virtd_t;
 	')
@ -115226,26 +115267,25 @@ index facdee8..b5a815a 100644
 -		fs_manage_cifs_files($1)
 -		fs_manage_cifs_symlinks($1)
 -	')
-+	dontaudit $1 virtd_t:fd use;
+	allow $1 virtd_t:process sigkill;
 +	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
 ')
 ########################################
 ## <summary>
 -##	Relabel virt home content.
-+##	Send a sigkill to virtual machines
+##	Send a signal to virtd daemon.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -728,52 +1137,53 @@ interface(`virt_manage_generic_virt_home_content',`
+@@ -728,52 +1173,35 @@ interface(`virt_manage_generic_virt_home_content',`
 ##	</summary>
 ## </param>
 #
 -interface(`virt_relabel_generic_virt_home_content',`
-+interface(`virt_kill_svirt',`
+interface(`virt_signal',`
 	gen_require(`
 -		type virt_home_t;
-+		attribute virt_domain;
+		type virtd_t;
 	')
 -	userdom_search_user_home_dirs($1)
@ -115254,7 +115294,7 @@ index facdee8..b5a815a 100644
 -	allow $1 virt_home_t:fifo_file relabel_fifo_file_perms;
 -	allow $1 virt_home_t:lnk_file relabel_lnk_file_perms;
 -	allow $1 virt_home_t:sock_file relabel_sock_file_perms;
-+	allow $1 virt_domain:process sigkill;
+	allow $1 virtd_t:process signal;
 ')
 ########################################
@ -115262,7 +115302,7 @@ index facdee8..b5a815a 100644
 -##	Create specified objects in user home
 -##	directories with the generic virt
 -##	home type.
-+##	Send a sigkill to virtd daemon.
+##	Send null signal to virtd daemon.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -115275,73 +115315,34 @@ index facdee8..b5a815a 100644
 -##	</summary>
 -## </param>
 -## <param name="name" optional="true">
-+#
+-##	<summary>
 +interface(`virt_kill',`
 +	gen_require(`
 +		type virtd_t;
 +	')
 +
 +	allow $1 virtd_t:process sigkill;
 +')
 +
 +########################################
 +## <summary>
 +##	Send a signal to virtd daemon.
 +## </summary>
 +## <param name="domain">
 ##	<summary>
 -##	The name of the object being created.
-+##	Domain allowed access.
+-##	</summary>
- ##	</summary>
+-## </param>
 ## </param>
 #
 -interface(`virt_home_filetrans_virt_home',`
-+interface(`virt_signal',`
+interface(`virt_signull',`
 	gen_require(`
 -		type virt_home_t;
 +		type virtd_t;
 	')
 -	userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3)
 +	allow $1 virtd_t:process signal;
 ')
 ########################################
 ## <summary>
 -##	Read virt pid files.
 +##	Send null signal to virtd daemon.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -781,19 +1191,17 @@ interface(`virt_home_filetrans_virt_home',`
 ##	</summary>
 ## </param>
 #
 -interface(`virt_read_pid_files',`
 +interface(`virt_signull',`
 	gen_require(`
 -		type virt_var_run_t;
 +		type virtd_t;
 	')
 -	files_search_pids($1)
 -	read_files_pattern($1, virt_var_run_t, virt_var_run_t)
 +	allow $1 virtd_t:process signull;
 ')
 ########################################
 ## <summary>
-##	Create, read, write, and delete
+-##	Read virt pid files.
 -##	virt pid files.
 +##	Send a signal to virtual machines
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -801,18 +1209,17 @@ interface(`virt_read_pid_files',`
+@@ -781,19 +1209,17 @@ interface(`virt_home_filetrans_virt_home',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_manage_pid_files',`
+-interface(`virt_read_pid_files',`
 +interface(`virt_signal_svirt',`
 	gen_require(`
 -		type virt_var_run_t;
@ -115349,45 +115350,46 @@ index facdee8..b5a815a 100644
 	')
 -	files_search_pids($1)
-	manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
+-	read_files_pattern($1, virt_var_run_t, virt_var_run_t)
 +	allow $1 virt_domain:process signal;
 ')
 ########################################
 ## <summary>
-##	Search virt lib directories.
+-##	Create, read, write, and delete
 -##	virt pid files.
 +##	Send a signal to sandbox domains
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -820,18 +1227,17 @@ interface(`virt_manage_pid_files',`
+@@ -801,18 +1227,17 @@ interface(`virt_read_pid_files',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_search_lib',`
+-interface(`virt_manage_pid_files',`
 +interface(`virt_signal_sandbox',`
 	gen_require(`
-		type virt_var_lib_t;
+-		type virt_var_run_t;
 +		attribute svirt_sandbox_domain;
 	')
-	files_search_var_lib($1)
+-	files_search_pids($1)
-	allow $1 virt_var_lib_t:dir search_dir_perms;
+-	manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
 +	allow $1 svirt_sandbox_domain:process signal;
 ')
 ########################################
 ## <summary>
-##	Read virt lib files.
+-##	Search virt lib directories.
 +##	Manage virt home files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -839,192 +1245,247 @@ interface(`virt_search_lib',`
+@@ -820,211 +1245,247 @@ interface(`virt_manage_pid_files',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_read_lib_files',`
+-interface(`virt_search_lib',`
 +interface(`virt_manage_home_files',`
 	gen_require(`
 -		type virt_var_lib_t;
@ -115395,16 +115397,14 @@ index facdee8..b5a815a 100644
 	')
 -	files_search_var_lib($1)
-	read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+-	allow $1 virt_var_lib_t:dir search_dir_perms;
 -	read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
 +	userdom_search_user_home_dirs($1)
 +	manage_files_pattern($1, virt_home_t, virt_home_t)
 ')
 ########################################
 ## <summary>
-##	Create, read, write, and delete
+-##	Read virt lib files.
 -##	virt lib files.
 +##	allow domain to read
 +##	virt tmpfs files
 ## </summary>
@ -115415,7 +115415,7 @@ index facdee8..b5a815a 100644
 ##	</summary>
 ## </param>
 #
-interface(`virt_manage_lib_files',`
+-interface(`virt_read_lib_files',`
 +interface(`virt_read_tmpfs_files',`
 	gen_require(`
 -		type virt_var_lib_t;
@ -115423,14 +115423,15 @@ index facdee8..b5a815a 100644
 	')
 -	files_search_var_lib($1)
-	manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+-	read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
 -	read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
 +	allow $1 virt_tmpfs_type:file read_file_perms;
 ')
 ########################################
 ## <summary>
-##	Create objects in virt pid
+-##	Create, read, write, and delete
-##	directories with a private type.
+-##	virt lib files.
 +##	allow domain to manage
 +##	virt tmpfs files
 ## </summary>
@ -115440,27 +115441,36 @@ index facdee8..b5a815a 100644
 +##	Domain allowed access
 ##	</summary>
 ## </param>
-## <param name="private type">
+ #
-+#
+-interface(`virt_manage_lib_files',`
 +interface(`virt_manage_tmpfs_files',`
-+	gen_require(`
+ 	gen_require(`
 -		type virt_var_lib_t;
 +		attribute virt_tmpfs_type;
-+	')
+ 	')
-+
+ 
 -	files_search_var_lib($1)
 -	manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
 +	allow $1 virt_tmpfs_type:file manage_file_perms;
-+')
+ ')
-+
+ 
-+########################################
+ ########################################
-+## <summary>
+ ## <summary>
 -##	Create objects in virt pid
 -##	directories with a private type.
 +##	Create .virt directory in the user home directory
 +##	with an correct label.
-+## </summary>
+ ## </summary>
-+## <param name="domain">
+ ## <param name="domain">
 ##	<summary>
-##	The type of the object to be created.
+ ##	Domain allowed access.
 +##	Domain allowed access.
 ##	</summary>
 ## </param>
 -## <param name="private type">
 -##	<summary>
 -##	The type of the object to be created.
 -##	</summary>
 -## </param>
 -## <param name="object">
 +#
 +interface(`virt_filetrans_home_content',`
@ -115827,7 +115837,7 @@ index facdee8..b5a815a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1136,50 +1574,129 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1574,148 @@ interface(`virt_manage_images',`
 #
 interface(`virt_admin',`
 	gen_require(`
@ -115963,9 +115973,7 @@ index facdee8..b5a815a 100644
 +
 +	domtrans_pattern($1,container_file_t, $2)
 +')
- 
+
 -	files_search_locks($1)
 -	admin_pattern($1, virt_lock_t)
 +########################################
 +## <summary>
 +##	Dontaudit read the process state (/proc/pid) of libvirt
@ -115980,12 +115988,33 @@ index facdee8..b5a815a 100644
 +	gen_require(`
 +		type virtd_t;
 +	')
- 
+
 -	dev_list_all_dev_nodes($1)
 -	allow $1 virt_ptynode:chr_file rw_term_perms;
 +	dontaudit $1 virtd_t:dir search_dir_perms;
 +	dontaudit $1 virtd_t:file read_file_perms;
 +	dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
 +')
 -	files_search_locks($1)
 -	admin_pattern($1, virt_lock_t)
 +#######################################
 +## <summary>
 +##	Send to libvirt with a unix dgram socket.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`virt_dgram_send',`
 +	gen_require(`
 +		type virtd_t, virt_var_run_t;
 +	')
 -	dev_list_all_dev_nodes($1)
 -	allow $1 virt_ptynode:chr_file rw_term_perms;
 +	files_search_pids($1)
 +	dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
 ')
 diff --git a/virt.te b/virt.te
 index f03dcf5..49d4083 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 264%{?dist}
+Release: 265%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -690,6 +690,13 @@ exit 0
 %endif
 %changelog
 * Fri Jul 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-265
 - Allow llpdad send dgram to libvirt
 - Allow abrt_t domain dac_read_search capability
 - Allow init_t domain mounton dirs labeled as init_var_lib_t BZ(1471476)
 - Allow xdm_t domain read unique machine-id generated during system installation. BZ(1467036)
 - Dontaudit xdm_t to setattr lib_t dirs. BZ(#1458518)
 * Mon Jul 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-264
 - Dontaudit xdm_t to setattr lib_t dirs. BZ(#1458518)