* Thu Jan 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-308

- Make working SELinux sandbox with Wayland. BZ(1474082) - Allow postgrey_t domain to mmap postgrey_spool_t files BZ(1529169) - Allow dspam_t to mmap dspam_rw_content_t files BZ(1528723) - Allow collectd to connect to lmtp_port_t BZ(1304029) - Allow httpd_t to mmap httpd_squirrelmail_t files BZ(1528776) - Allow thumb_t to mmap removable_t files. BZ(1522724) - Allow sssd_t and login_pgm attribute to mmap auth_cache_t files BZ(1530118) - Add interface fs_mmap_removable_files()
2018-01-04 13:06:00 +01:00 · 2018-01-04 13:06:00 +01:00 · 46f9f9c36a
parent d319e75862
commit 46f9f9c36a
4 changed files with 255 additions and 206 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -17543,7 +17543,7 @@ index d7c11a0b3..f521a50f8 100644
 /var/run/shm/.*			<<none>>
 -')
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb43..1cc0d9ad9 100644
+index 8416beb43..a7af809a0 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
@@ -577,6 +577,24 @@ interface(`fs_mount_cgroup', `
@ -18307,7 +18307,7 @@ index 8416beb43..1cc0d9ad9 100644
 ##	Read files on a DOS filesystem.
 ## </summary>
 ## <param name="domain">
-@@ -1793,137 +2162,336 @@ interface(`fs_read_eventpollfs',`
+@@ -1793,161 +2162,986 @@ interface(`fs_read_eventpollfs',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
@ -18679,14 +18679,17 @@ index 8416beb43..1cc0d9ad9 100644
 +	')
 +
 +	dontaudit $1 fusefs_t:dir manage_dir_perms;
- ')
- 
- ########################################
-@@ -1935,19 +2503,645 @@ interface(`fs_dontaudit_manage_fusefs_dirs',`
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
-## <rolecap/>
+')
+
+########################################
+## <summary>
+##	Read, a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 +## <rolecap/>
 +#
 +interface(`fs_read_fusefs_files',`
@ -19301,18 +19304,20 @@ index 8416beb43..1cc0d9ad9 100644
 +	')
 +
 +	allow $1 iso9660_t:filesystem remount;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read, a FUSEFS filesystem.
 +##	Unmount an iso9660 filesystem, which
 +##	is usually used on CDs.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
 #
 -interface(`fs_read_fusefs_files',`
 +interface(`fs_unmount_iso9660_fs',`
@ -19860,43 +19865,18 @@ index 8416beb43..1cc0d9ad9 100644
 	allow $1 nfs_t:dir list_dir_perms;
 	read_files_pattern($1, nfs_t, nfs_t)
 ')
-@@ -2518,73 +3731,148 @@ interface(`fs_dontaudit_read_nfs_files',`
- ##	</summary>
- ## </param>
- #
-interface(`fs_write_nfs_files',`
-+interface(`fs_write_nfs_files',`
-+	gen_require(`
-+		type nfs_t;
-+	')
-+
+@@ -2523,6 +3736,7 @@ interface(`fs_write_nfs_files',`
+ 		type nfs_t;
+ 	')
+ 
 +	fs_search_auto_mountpoints($1)
-+	allow $1 nfs_t:dir list_dir_perms;
-+	write_files_pattern($1, nfs_t, nfs_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Execute files on a NFS filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`fs_exec_nfs_files',`
-+	gen_require(`
-+		type nfs_t;
-+	')
-+
-+	allow $1 nfs_t:dir list_dir_perms;
-+	exec_files_pattern($1, nfs_t, nfs_t)
-+')
-+
-+########################################
-+## <summary>
+ 	allow $1 nfs_t:dir list_dir_perms;
+ 	write_files_pattern($1, nfs_t, nfs_t)
+ ')
+@@ -2549,6 +3763,44 @@ interface(`fs_exec_nfs_files',`
+ 
+ ########################################
+ ## <summary>
 +##	Make general progams in nfs an entrypoint for
 +##	the specified domain.
 +## </summary>
@ -19935,65 +19915,52 @@ index 8416beb43..1cc0d9ad9 100644
 +
 +########################################
 +## <summary>
-+##	Append files
+ ##	Append files
+ ##	on a NFS filesystem.
+ ## </summary>
+@@ -2559,32 +3811,68 @@ interface(`fs_exec_nfs_files',`
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`fs_append_nfs_files',`
+interface(`fs_append_nfs_files',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	append_files_pattern($1, nfs_t, nfs_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to append files
 +##	on a NFS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_dontaudit_append_nfs_files',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	dontaudit $1 nfs_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+##	Read inherited files on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
-+interface(`fs_append_nfs_files',`
- 	gen_require(`
- 		type nfs_t;
- 	')
- 
-	allow $1 nfs_t:dir list_dir_perms;
-	write_files_pattern($1, nfs_t, nfs_t)
-+	append_files_pattern($1, nfs_t, nfs_t)
- ')
- 
- ########################################
- ## <summary>
-##	Execute files on a NFS filesystem.
-+##	Do not audit attempts to append files
-+##	on a NFS filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-##	Domain allowed access.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- ## <rolecap/>
- #
-interface(`fs_exec_nfs_files',`
-+interface(`fs_dontaudit_append_nfs_files',`
- 	gen_require(`
- 		type nfs_t;
- 	')
- 
-	allow $1 nfs_t:dir list_dir_perms;
-	exec_files_pattern($1, nfs_t, nfs_t)
-+	dontaudit $1 nfs_t:file append_file_perms;
- ')
- 
- ########################################
- ## <summary>
-##	Append files
-##	on a NFS filesystem.
-+##	Read inherited files on a NFS filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
-## <rolecap/>
- #
-interface(`fs_append_nfs_files',`
 +interface(`fs_read_inherited_nfs_files',`
 	gen_require(`
 		type nfs_t;
@ -20121,7 +20088,33 @@ index 8416beb43..1cc0d9ad9 100644
 ##	</summary>
 ## </param>
 #
-@@ -2777,7 +4124,7 @@ interface(`fs_read_removable_files',`
+@@ -2771,13 +4118,33 @@ interface(`fs_read_removable_files',`
+ 	read_files_pattern($1, removable_t, removable_t)
+ ')
+ 
+
+########################################
+## <summary>
+##	mmap files on a removable files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_mmap_removable_files',`
+	gen_require(`
+		type removable_t;
+	')
+
+	allow $1 removable_t:file map;
+')
+
+ ########################################
+ ## <summary>
+ ##	Do not audit attempts to read removable storage files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -20130,7 +20123,7 @@ index 8416beb43..1cc0d9ad9 100644
 ##	</summary>
 ## </param>
 #
-@@ -2970,6 +4317,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +4337,7 @@ interface(`fs_manage_nfs_dirs',`
 		type nfs_t;
 	')
 
@ -20138,7 +20131,7 @@ index 8416beb43..1cc0d9ad9 100644
 	allow $1 nfs_t:dir manage_dir_perms;
 ')
 
-@@ -3010,11 +4358,31 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,11 +4378,31 @@ interface(`fs_manage_nfs_files',`
 		type nfs_t;
 	')
 
@ -20170,7 +20163,7 @@ index 8416beb43..1cc0d9ad9 100644
 ##	Do not audit attempts to create,
 ##	read, write, and delete files
 ##	on a NFS filesystem.
-@@ -3050,6 +4418,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3050,6 +4438,7 @@ interface(`fs_manage_nfs_symlinks',`
 		type nfs_t;
 	')
 
@ -20178,7 +20171,7 @@ index 8416beb43..1cc0d9ad9 100644
 	manage_lnk_files_pattern($1, nfs_t, nfs_t)
 ')
 
-@@ -3137,6 +4506,24 @@ interface(`fs_nfs_domtrans',`
+@@ -3137,6 +4526,24 @@ interface(`fs_nfs_domtrans',`
 
 ########################################
 ## <summary>
@ -20203,7 +20196,7 @@ index 8416beb43..1cc0d9ad9 100644
 ##	Mount a NFS server pseudo filesystem.
 ## </summary>
 ## <param name="domain">
-@@ -3239,15 +4626,198 @@ interface(`fs_search_nfsd_fs',`
+@@ -3239,15 +4646,198 @@ interface(`fs_search_nfsd_fs',`
 #
 interface(`fs_list_nfsd_fs',`
 	gen_require(`
@ -20405,7 +20398,7 @@ index 8416beb43..1cc0d9ad9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3255,35 +4825,35 @@ interface(`fs_list_nfsd_fs',`
+@@ -3255,35 +4845,35 @@ interface(`fs_list_nfsd_fs',`
 ##	</summary>
 ## </param>
 #
@ -20450,7 +20443,7 @@ index 8416beb43..1cc0d9ad9 100644
 ## </summary>
 ## <param name="type">
 ##	<summary>
-@@ -3291,12 +4861,12 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3291,12 +4881,12 @@ interface(`fs_rw_nfsd_fs',`
 ##	</summary>
 ## </param>
 #
@ -20466,7 +20459,7 @@ index 8416beb43..1cc0d9ad9 100644
 ')
 
 ########################################
-@@ -3392,7 +4962,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +4982,7 @@ interface(`fs_search_ramfs',`
 
 ########################################
 ## <summary>
@ -20475,7 +20468,7 @@ index 8416beb43..1cc0d9ad9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3429,7 +4999,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +5019,7 @@ interface(`fs_manage_ramfs_dirs',`
 
 ########################################
 ## <summary>
@ -20484,7 +20477,7 @@ index 8416beb43..1cc0d9ad9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3447,7 +5017,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +5037,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
 
 ########################################
 ## <summary>
@ -20493,7 +20486,7 @@ index 8416beb43..1cc0d9ad9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3779,6 +5349,24 @@ interface(`fs_mount_tmpfs',`
+@@ -3779,6 +5369,24 @@ interface(`fs_mount_tmpfs',`
 
 ########################################
 ## <summary>
@ -20518,7 +20511,7 @@ index 8416beb43..1cc0d9ad9 100644
 ##	Remount a tmpfs filesystem.
 ## </summary>
 ## <param name="domain">
-@@ -3815,6 +5403,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +5423,24 @@ interface(`fs_unmount_tmpfs',`
 
 ########################################
 ## <summary>
@ -20543,7 +20536,7 @@ index 8416beb43..1cc0d9ad9 100644
 ##	Get the attributes of a tmpfs
 ##	filesystem.
 ## </summary>
-@@ -3908,7 +5514,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3908,7 +5534,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
 
 ########################################
 ## <summary>
@ -20552,7 +20545,7 @@ index 8416beb43..1cc0d9ad9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3916,17 +5522,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,17 +5542,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
 ##	</summary>
 ## </param>
 #
@ -20573,7 +20566,7 @@ index 8416beb43..1cc0d9ad9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3934,17 +5540,17 @@ interface(`fs_mounton_tmpfs',`
+@@ -3934,17 +5560,17 @@ interface(`fs_mounton_tmpfs',`
 ##	</summary>
 ## </param>
 #
@ -20594,7 +20587,7 @@ index 8416beb43..1cc0d9ad9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3952,17 +5558,36 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +5578,36 @@ interface(`fs_setattr_tmpfs_dirs',`
 ##	</summary>
 ## </param>
 #
@ -20634,7 +20627,7 @@ index 8416beb43..1cc0d9ad9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3970,31 +5595,48 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +5615,48 @@ interface(`fs_search_tmpfs',`
 ##	</summary>
 ## </param>
 #
@ -20690,7 +20683,7 @@ index 8416beb43..1cc0d9ad9 100644
 ')
 
 ########################################
-@@ -4057,23 +5699,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
+@@ -4057,23 +5719,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
 ## </param>
 ## <param name="name" optional="true">
 ##	<summary>
@ -20867,7 +20860,7 @@ index 8416beb43..1cc0d9ad9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4081,18 +5870,18 @@ interface(`fs_tmpfs_filetrans',`
+@@ -4081,18 +5890,18 @@ interface(`fs_tmpfs_filetrans',`
 ##	</summary>
 ## </param>
 #
@ -20890,7 +20883,7 @@ index 8416beb43..1cc0d9ad9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4100,54 +5889,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
+@@ -4100,54 +5909,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
@ -20957,7 +20950,7 @@ index 8416beb43..1cc0d9ad9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4155,17 +5943,18 @@ interface(`fs_read_tmpfs_files',`
+@@ -4155,17 +5963,18 @@ interface(`fs_read_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
@ -20979,7 +20972,7 @@ index 8416beb43..1cc0d9ad9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4173,17 +5962,18 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4173,17 +5982,18 @@ interface(`fs_rw_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
@ -21001,7 +20994,7 @@ index 8416beb43..1cc0d9ad9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4191,37 +5981,36 @@ interface(`fs_read_tmpfs_symlinks',`
+@@ -4191,37 +6001,36 @@ interface(`fs_read_tmpfs_symlinks',`
 ##	</summary>
 ## </param>
 #
@ -21047,7 +21040,7 @@ index 8416beb43..1cc0d9ad9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4229,18 +6018,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4229,18 +6038,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
 ##	</summary>
 ## </param>
 #
@ -21069,7 +21062,7 @@ index 8416beb43..1cc0d9ad9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4248,18 +6037,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
+@@ -4248,18 +6057,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
 ##	</summary>
 ## </param>
 #
@ -21093,7 +21086,7 @@ index 8416beb43..1cc0d9ad9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4267,32 +6057,31 @@ interface(`fs_rw_tmpfs_blk_files',`
+@@ -4267,32 +6077,31 @@ interface(`fs_rw_tmpfs_blk_files',`
 ##	</summary>
 ## </param>
 #
@ -21132,7 +21125,7 @@ index 8416beb43..1cc0d9ad9 100644
 ')
 
 ########################################
-@@ -4407,6 +6196,25 @@ interface(`fs_search_xenfs',`
+@@ -4407,6 +6216,25 @@ interface(`fs_search_xenfs',`
 	allow $1 xenfs_t:dir search_dir_perms;
 ')
 
@ -21158,7 +21151,7 @@ index 8416beb43..1cc0d9ad9 100644
 ########################################
 ## <summary>
 ##	Create, read, write, and delete directories
-@@ -4503,6 +6311,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +6331,8 @@ interface(`fs_mount_all_fs',`
 	')
 
 	allow $1 filesystem_type:filesystem mount;
@ -21167,7 +21160,7 @@ index 8416beb43..1cc0d9ad9 100644
 ')
 
 ########################################
-@@ -4549,7 +6359,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +6379,7 @@ interface(`fs_unmount_all_fs',`
 ## <desc>
 ##	<p>
 ##	Allow the specified domain to
@ -21176,7 +21169,7 @@ index 8416beb43..1cc0d9ad9 100644
 ##	Example attributes:
 ##	</p>
 ##	<ul>
-@@ -4596,6 +6406,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +6426,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
 
 ########################################
 ## <summary>
@ -21203,7 +21196,7 @@ index 8416beb43..1cc0d9ad9 100644
 ##	Get the quotas of all filesystems.
 ## </summary>
 ## <param name="domain">
-@@ -4671,6 +6501,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +6521,25 @@ interface(`fs_getattr_all_dirs',`
 
 ########################################
 ## <summary>
@ -21229,7 +21222,7 @@ index 8416beb43..1cc0d9ad9 100644
 ##	Search all directories with a filesystem type.
 ## </summary>
 ## <param name="domain">
-@@ -4912,3 +6761,176 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6781,176 @@ interface(`fs_unconfined',`
 
 	typeattribute $1 filesystem_unconfined_type;
 ')
@ -34661,7 +34654,7 @@ index 247958765..890e1e293 100644
 /var/(db|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 /var/lib/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b669..a8cb6df3d 100644
+index 3efd5b669..2ce58d86d 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@ -34883,7 +34876,15 @@ index 3efd5b669..a8cb6df3d 100644
 ##	Manage authentication cache
 ## </summary>
 ## <param name="domain">
-@@ -402,6 +459,8 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -337,6 +394,7 @@ interface(`auth_manage_cache',`
+ 
+ 	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
+ 	manage_files_pattern($1, auth_cache_t, auth_cache_t)
+    allow $1 auth_cache_t:file map;
+ ')
+ 
+ #######################################
+@@ -402,6 +460,8 @@ interface(`auth_domtrans_chk_passwd',`
 	optional_policy(`
 		samba_stream_connect_winbind($1)
 	')
@ -34892,7 +34893,7 @@ index 3efd5b669..a8cb6df3d 100644
 ')
 
 ########################################
-@@ -428,6 +487,24 @@ interface(`auth_domtrans_chkpwd',`
+@@ -428,6 +488,24 @@ interface(`auth_domtrans_chkpwd',`
 
 ########################################
 ## <summary>
@ -34917,7 +34918,7 @@ index 3efd5b669..a8cb6df3d 100644
 ##	Execute chkpwd programs in the chkpwd domain.
 ## </summary>
 ## <param name="domain">
-@@ -448,6 +525,25 @@ interface(`auth_run_chk_passwd',`
+@@ -448,6 +526,25 @@ interface(`auth_run_chk_passwd',`
 
 	auth_domtrans_chk_passwd($1)
 	role $2 types chkpwd_t;
@ -34943,7 +34944,7 @@ index 3efd5b669..a8cb6df3d 100644
 ')
 
 ########################################
-@@ -467,7 +563,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +564,6 @@ interface(`auth_domtrans_upd_passwd',`
 
 	domtrans_pattern($1, updpwd_exec_t, updpwd_t)
 	auth_dontaudit_read_shadow($1)
@ -34951,7 +34952,7 @@ index 3efd5b669..a8cb6df3d 100644
 ')
 
 ########################################
-@@ -534,6 +629,24 @@ interface(`auth_dontaudit_getattr_shadow',`
+@@ -534,6 +630,24 @@ interface(`auth_dontaudit_getattr_shadow',`
 
 ########################################
 ## <summary>
@ -34976,7 +34977,7 @@ index 3efd5b669..a8cb6df3d 100644
 ##	Read the shadow passwords file (/etc/shadow)
 ## </summary>
 ## <param name="domain">
-@@ -664,6 +777,11 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +778,11 @@ interface(`auth_manage_shadow',`
 
 	allow $1 shadow_t:file manage_file_perms;
 	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@ -34988,7 +34989,7 @@ index 3efd5b669..a8cb6df3d 100644
 ')
 
 #######################################
-@@ -763,7 +881,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +882,50 @@ interface(`auth_rw_faillog',`
 	')
 
 	logging_search_logs($1)
@ -35040,7 +35041,7 @@ index 3efd5b669..a8cb6df3d 100644
 ')
 
 #######################################
-@@ -824,9 +985,29 @@ interface(`auth_rw_lastlog',`
+@@ -824,9 +986,29 @@ interface(`auth_rw_lastlog',`
 	allow $1 lastlog_t:file { rw_file_perms lock setattr };
 ')
 
@ -35071,7 +35072,7 @@ index 3efd5b669..a8cb6df3d 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -834,12 +1015,27 @@ interface(`auth_rw_lastlog',`
+@@ -834,12 +1016,27 @@ interface(`auth_rw_lastlog',`
 ##	</summary>
 ## </param>
 #
@ -35102,7 +35103,7 @@ index 3efd5b669..a8cb6df3d 100644
 ')
 
 ########################################
-@@ -854,15 +1050,15 @@ interface(`auth_domtrans_pam',`
+@@ -854,15 +1051,15 @@ interface(`auth_domtrans_pam',`
 #
 interface(`auth_signal_pam',`
 	gen_require(`
@ -35121,7 +35122,7 @@ index 3efd5b669..a8cb6df3d 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -875,13 +1071,33 @@ interface(`auth_signal_pam',`
+@@ -875,13 +1072,33 @@ interface(`auth_signal_pam',`
 ##	</summary>
 ## </param>
 #
@ -35159,7 +35160,7 @@ index 3efd5b669..a8cb6df3d 100644
 ')
 
 ########################################
-@@ -959,9 +1175,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1176,30 @@ interface(`auth_manage_var_auth',`
 	')
 
 	files_search_var($1)
@ -35193,7 +35194,7 @@ index 3efd5b669..a8cb6df3d 100644
 ')
 
 ########################################
-@@ -1040,6 +1277,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1278,10 @@ interface(`auth_manage_pam_pid',`
 	files_search_pids($1)
 	allow $1 pam_var_run_t:dir manage_dir_perms;
 	allow $1 pam_var_run_t:file manage_file_perms;
@ -35204,7 +35205,7 @@ index 3efd5b669..a8cb6df3d 100644
 ')
 
 ########################################
-@@ -1176,6 +1417,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1176,6 +1418,7 @@ interface(`auth_manage_pam_console_data',`
 	files_search_pids($1)
 	manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
 	manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@ -35212,7 +35213,7 @@ index 3efd5b669..a8cb6df3d 100644
 ')
 
 #######################################
-@@ -1576,6 +1818,25 @@ interface(`auth_setattr_login_records',`
+@@ -1576,6 +1819,25 @@ interface(`auth_setattr_login_records',`
 
 ########################################
 ## <summary>
@ -35238,7 +35239,7 @@ index 3efd5b669..a8cb6df3d 100644
 ##	Read login records files (/var/log/wtmp).
 ## </summary>
 ## <param name="domain">
-@@ -1726,24 +1987,63 @@ interface(`auth_manage_login_records',`
+@@ -1726,24 +1988,63 @@ interface(`auth_manage_login_records',`
 
 	logging_rw_generic_log_dirs($1)
 	allow $1 wtmp_t:file manage_file_perms;
@ -35306,7 +35307,7 @@ index 3efd5b669..a8cb6df3d 100644
 ')
 
 ########################################
-@@ -1767,11 +2067,13 @@ interface(`auth_relabel_login_records',`
+@@ -1767,11 +2068,13 @@ interface(`auth_relabel_login_records',`
 ## <infoflow type="both" weight="10"/>
 #
 interface(`auth_use_nsswitch',`
@ -35323,7 +35324,7 @@ index 3efd5b669..a8cb6df3d 100644
 ')
 
 ########################################
-@@ -1805,3 +2107,298 @@ interface(`auth_unconfined',`
+@@ -1805,3 +2108,298 @@ interface(`auth_unconfined',`
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
@ -35623,7 +35624,7 @@ index 3efd5b669..a8cb6df3d 100644
 +	allow $1 login_pgm:key manage_key_perms;
 +')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791dcc..c6721f846 100644
+index 09b791dcc..03feb4c8d 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@ -35982,7 +35983,7 @@ index 09b791dcc..c6721f846 100644
 optional_policy(`
 	kerberos_use(nsswitch_domain)
 ')
-@@ -456,10 +525,163 @@ optional_policy(`
+@@ -456,10 +525,164 @@ optional_policy(`
 
 optional_policy(`
 	sssd_stream_connect(nsswitch_domain)
@ -36037,6 +36038,7 @@ index 09b791dcc..c6721f846 100644
 +manage_files_pattern(login_pgm, auth_cache_t, auth_cache_t)
 +manage_sock_files_pattern(login_pgm, auth_cache_t, auth_cache_t)
 +files_var_filetrans(login_pgm, auth_cache_t, dir, "coolkey")
+allow login_pgm auth_cache_t:file map;
 +
 +manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t)
 +manage_files_pattern(login_pgm, auth_home_t, auth_home_t)
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -5635,7 +5635,7 @@ index f6eb4851f..3628a384f 100644
 +    allow $1 httpd_t:process { noatsecure };
 ')
 diff --git a/apache.te b/apache.te
-index 6649962b6..b7ac74501 100644
+index 6649962b6..1df48fb13 100644
 --- a/apache.te
 +++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@ -6323,7 +6323,7 @@ index 6649962b6..b7ac74501 100644
 logging_log_filetrans(httpd_t, httpd_log_t, file)
 
 allow httpd_t httpd_modules_t:dir list_dir_perms;
-@@ -412,13 +524,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+@@ -412,13 +524,22 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 
@ -6334,11 +6334,12 @@ index 6649962b6..b7ac74501 100644
 manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
- 
-allow httpd_t httpd_suexec_exec_t:file read_file_perms;
+allow httpd_t httpd_squirrelmail_t:file map;
+
 +allow httpd_t httpd_suexec_t:process { signal signull };
 +allow httpd_t httpd_suexec_t:file read_file_perms;
-+
+ 
+-allow httpd_t httpd_suexec_exec_t:file read_file_perms;
 +allow httpd_t httpd_sys_content_t:dir list_dir_perms;
 +read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
 +read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
@ -6346,7 +6347,7 @@ index 6649962b6..b7ac74501 100644
 
 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
 
-@@ -428,6 +548,7 @@ manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+@@ -428,6 +549,7 @@ manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
 userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir)
@ -6354,7 +6355,7 @@ index 6649962b6..b7ac74501 100644
 
 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
 manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -438,6 +559,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi
+@@ -438,6 +560,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi
 
 manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
@ -6362,7 +6363,7 @@ index 6649962b6..b7ac74501 100644
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
 
 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -450,140 +572,179 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -450,140 +573,179 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 
@ -6606,7 +6607,7 @@ index 6649962b6..b7ac74501 100644
 ')
 
 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -594,28 +755,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -594,28 +756,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
 	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
 ')
 
@ -6666,7 +6667,7 @@ index 6649962b6..b7ac74501 100644
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +807,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +808,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_symlinks(httpd_t)
 ')
 
@ -6769,7 +6770,7 @@ index 6649962b6..b7ac74501 100644
 ')
 
 tunable_policy(`httpd_setrlimit',`
-@@ -695,49 +866,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,49 +867,48 @@ tunable_policy(`httpd_setrlimit',`
 
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@ -6850,7 +6851,7 @@ index 6649962b6..b7ac74501 100644
 ')
 
 optional_policy(`
-@@ -749,24 +919,32 @@ optional_policy(`
+@@ -749,24 +920,32 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -6889,7 +6890,7 @@ index 6649962b6..b7ac74501 100644
 ')
 
 optional_policy(`
-@@ -775,6 +953,10 @@ optional_policy(`
+@@ -775,6 +954,10 @@ optional_policy(`
 	tunable_policy(`httpd_dbus_avahi',`
 		avahi_dbus_chat(httpd_t)
 	')
@ -6900,7 +6901,7 @@ index 6649962b6..b7ac74501 100644
 ')
 
 optional_policy(`
-@@ -786,35 +968,62 @@ optional_policy(`
+@@ -786,35 +969,62 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -6976,7 +6977,7 @@ index 6649962b6..b7ac74501 100644
 
 	tunable_policy(`httpd_manage_ipa',`
 		memcached_manage_pid_files(httpd_t)
-@@ -822,8 +1031,31 @@ optional_policy(`
+@@ -822,8 +1032,31 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -7008,7 +7009,7 @@ index 6649962b6..b7ac74501 100644
 
 	tunable_policy(`httpd_can_network_connect_db',`
 		mysql_tcp_connect(httpd_t)
-@@ -832,6 +1064,8 @@ optional_policy(`
+@@ -832,6 +1065,8 @@ optional_policy(`
 
 optional_policy(`
 	nagios_read_config(httpd_t)
@ -7017,7 +7018,7 @@ index 6649962b6..b7ac74501 100644
 ')
 
 optional_policy(`
-@@ -842,20 +1076,48 @@ optional_policy(`
+@@ -842,20 +1077,48 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -7072,7 +7073,7 @@ index 6649962b6..b7ac74501 100644
 ')
 
 optional_policy(`
-@@ -863,16 +1125,31 @@ optional_policy(`
+@@ -863,16 +1126,31 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -7106,7 +7107,7 @@ index 6649962b6..b7ac74501 100644
 ')
 
 optional_policy(`
-@@ -883,65 +1160,189 @@ optional_policy(`
+@@ -883,65 +1161,189 @@ optional_policy(`
 	yam_read_content(httpd_t)
 ')
 
@ -7318,7 +7319,7 @@ index 6649962b6..b7ac74501 100644
 files_dontaudit_search_pids(httpd_suexec_t)
 files_search_home(httpd_suexec_t)
 
-@@ -950,123 +1351,75 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1352,75 @@ auth_use_nsswitch(httpd_suexec_t)
 logging_search_logs(httpd_suexec_t)
 logging_send_syslog_msg(httpd_suexec_t)
 
@ -7472,7 +7473,7 @@ index 6649962b6..b7ac74501 100644
 	mysql_read_config(httpd_suexec_t)
 
 	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1436,107 @@ optional_policy(`
+@@ -1083,172 +1437,107 @@ optional_policy(`
 	')
 ')
 
@ -7710,7 +7711,7 @@ index 6649962b6..b7ac74501 100644
 ')
 
 tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1544,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1545,74 @@ tunable_policy(`httpd_read_user_content',`
 ')
 
 tunable_policy(`httpd_use_cifs',`
@ -7808,7 +7809,7 @@ index 6649962b6..b7ac74501 100644
 
 ########################################
 #
-@@ -1321,8 +1619,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1620,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
 #
 
 optional_policy(`
@ -7825,7 +7826,7 @@ index 6649962b6..b7ac74501 100644
 ')
 
 ########################################
-@@ -1330,49 +1635,43 @@ optional_policy(`
+@@ -1330,49 +1636,43 @@ optional_policy(`
 # User content local policy
 #
 
@ -7894,7 +7895,7 @@ index 6649962b6..b7ac74501 100644
 kernel_read_system_state(httpd_passwd_t)
 
 corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1681,110 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1682,110 @@ dev_read_urand(httpd_passwd_t)
 
 domain_use_interactive_fds(httpd_passwd_t)
 
@ -16089,10 +16090,10 @@ index 954309e64..67801421b 100644
 ')
 +
 diff --git a/collectd.te b/collectd.te
-index 6471fa8c4..90d2b5324 100644
+index 6471fa8c4..00a1f00ef 100644
 --- a/collectd.te
 +++ b/collectd.te
-@@ -26,43 +26,61 @@ files_type(collectd_var_lib_t)
+@@ -26,43 +26,62 @@ files_type(collectd_var_lib_t)
 type collectd_var_run_t;
 files_pid_file(collectd_var_run_t)
 
@ -16144,6 +16145,7 @@ index 6471fa8c4..90d2b5324 100644
 -kernel_read_system_state(collectd_t)
 +corenet_udp_bind_generic_node(collectd_t)
 +corenet_udp_bind_collectd_port(collectd_t)
+corenet_tcp_connect_lmtp_port(collectd_t)
 
 dev_read_rand(collectd_t)
 dev_read_sysfs(collectd_t)
@ -16164,7 +16166,7 @@ index 6471fa8c4..90d2b5324 100644
 
 logging_send_syslog_msg(collectd_t)
 
-@@ -75,16 +93,47 @@ tunable_policy(`collectd_tcp_network_connect',`
+@@ -75,16 +94,47 @@ tunable_policy(`collectd_tcp_network_connect',`
 ')
 
 optional_policy(`
@ -28615,7 +28617,7 @@ index 18f245250..a446210f0 100644
 +
 ')
 diff --git a/dspam.te b/dspam.te
-index ef6236335..25dcb975a 100644
+index ef6236335..281bd61c6 100644
 --- a/dspam.te
 +++ b/dspam.te
@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
@ -28641,7 +28643,7 @@ index ef6236335..25dcb975a 100644
 
 files_search_spool(dspam_t)
 
-@@ -64,14 +73,35 @@ auth_use_nsswitch(dspam_t)
+@@ -64,14 +73,36 @@ auth_use_nsswitch(dspam_t)
 
 logging_send_syslog_msg(dspam_t)
 
@ -28653,6 +28655,7 @@ index ef6236335..25dcb975a 100644
 +
 +    manage_dirs_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t)
 +    manage_files_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t)
+    allow dspam_t dspam_rw_content_t:file map;
 +
 +	read_files_pattern(dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
 +
@ -28682,7 +28685,7 @@ index ef6236335..25dcb975a 100644
 ')
 
 optional_policy(`
-@@ -87,3 +117,12 @@ optional_policy(`
+@@ -87,3 +118,12 @@ optional_policy(`
 
 	postgresql_tcp_connect(dspam_t)
 ')
@ -78385,7 +78388,7 @@ index b9e71b537..a7502cd0e 100644
 	domain_system_change_exemption($1)
 	role_transition $2 postgrey_initrc_exec_t system_r;
 diff --git a/postgrey.te b/postgrey.te
-index fd58805e5..593a05367 100644
+index fd58805e5..6f75dbd4b 100644
 --- a/postgrey.te
 +++ b/postgrey.te
@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
@ -78406,7 +78409,15 @@ index fd58805e5..593a05367 100644
 dontaudit postgrey_t self:capability sys_tty_config;
 allow postgrey_t self:process signal_perms;
 allow postgrey_t self:fifo_file create_fifo_file_perms;
-@@ -55,9 +55,10 @@ files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file })
+@@ -43,6 +43,7 @@ manage_dirs_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+ manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+ manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+ manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+allow postgrey_t postgrey_spool_t:file map;
+ 
+ manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
+ files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
+@@ -55,9 +56,10 @@ files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file })
 kernel_read_system_state(postgrey_t)
 kernel_read_kernel_sysctls(postgrey_t)
 
@ -78419,7 +78430,7 @@ index fd58805e5..593a05367 100644
 corenet_all_recvfrom_netlabel(postgrey_t)
 corenet_tcp_sendrecv_generic_if(postgrey_t)
 corenet_tcp_sendrecv_generic_node(postgrey_t)
-@@ -72,17 +73,15 @@ dev_read_sysfs(postgrey_t)
+@@ -72,17 +74,15 @@ dev_read_sysfs(postgrey_t)
 
 domain_use_interactive_fds(postgrey_t)
 
@ -99519,10 +99530,10 @@ index 000000000..6caef6326
 +/usr/share/sandbox/start --	gen_context(system_u:object_r:sandbox_exec_t,s0)
 diff --git a/sandboxX.if b/sandboxX.if
 new file mode 100644
-index 000000000..98dc14ef6
+index 000000000..92695bf0d
 --- /dev/null
 +++ b/sandboxX.if
-@@ -0,0 +1,401 @@
+@@ -0,0 +1,402 @@
 +
 +## <summary>policy for sandboxX </summary>
 +
@ -99641,8 +99652,9 @@ index 000000000..98dc14ef6
 +	fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file )
 +	# Pulseaudio tmpfs files with different MCS labels
 +	dontaudit $1_client_t $1_client_tmpfs_t:file { read write };
-+	dontaudit $1_t $1_client_tmpfs_t:file { read write };
+	dontaudit $1_t $1_client_tmpfs_t:file { read write map };
 +	allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
+	allow $1_client_t $1_client_tmpfs_t:file { map };
 +
 +	domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
 +	allow $1_t sandbox_xserver_t:process signal_perms;
@ -99926,10 +99938,10 @@ index 000000000..98dc14ef6
 +')
 diff --git a/sandboxX.te b/sandboxX.te
 new file mode 100644
-index 000000000..22e956fe3
+index 000000000..6d87bc156
 --- /dev/null
 +++ b/sandboxX.te
-@@ -0,0 +1,512 @@
+@@ -0,0 +1,536 @@
 +policy_module(sandboxX,1.0.0)
 +
 +dbus_stub()
@ -99973,6 +99985,8 @@ index 000000000..22e956fe3
 +#
 +allow sandbox_xserver_t self:process { signal_perms execstack };
 +
+allow sandbox_web_t sandbox_xserver_t:process2 nnp_transition;
+
 +tunable_policy(`deny_execmem',`',`
 +	allow sandbox_xserver_t self:process execmem;
 +')
@ -100052,6 +100066,22 @@ index 000000000..22e956fe3
 +
 +########################################
 +#
+# sandbox_x_t local policy
+#
+
+allow sandbox_x_t sandbox_x_client_t:process2 nnp_transition;
+allow sandbox_x_t sandbox_xserver_t:process2 nnp_transition;
+
+files_search_home(sandbox_x_t)
+userdom_use_user_ptys(sandbox_x_t)
+
+# This access is needed due to Wayland
+userdom_manage_user_tmp_dirs(sandbox_x_t)
+userdom_map_tmp_files(sandbox_x_t)
+userdom_manage_user_tmp_files(sandbox_x_t)
+
+########################################
+#
 +# sandbox_x_domain local policy
 +#
 +allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack getcap setcap };
@ -100226,9 +100256,6 @@ index 000000000..22e956fe3
 +	networkmanager_dontaudit_dbus_chat(sandbox_x_domain)
 +')
 +
-+files_search_home(sandbox_x_t)
-+userdom_use_user_ptys(sandbox_x_t)
-+
 +#1103622
 +corenet_tcp_connect_xserver_port(sandbox_x_domain)
 +xserver_stream_connect(sandbox_x_domain)
@ -100251,6 +100278,11 @@ index 000000000..22e956fe3
 +
 +logging_send_syslog_msg(sandbox_x_client_t)
 +
+# This access is needed due to Wayland
+userdom_manage_user_tmp_dirs(sandbox_x_client_t)
+userdom_map_tmp_files(sandbox_x_client_t)
+userdom_manage_user_tmp_files(sandbox_x_client_t)
+
 +optional_policy(`
 +	avahi_dbus_chat(sandbox_x_client_t)
 +')
@ -100273,12 +100305,16 @@ index 000000000..22e956fe3
 +#
 +typeattribute sandbox_web_client_t sandbox_web_type;
 +
+allow sandbox_web_t sandbox_web_client_t:process2 nnp_transition;
+
 +selinux_get_fs_mount(sandbox_web_client_t)
 +
 +auth_use_nsswitch(sandbox_web_client_t)
 +
 +logging_send_syslog_msg(sandbox_web_client_t)
 +
+miscfiles_map_generic_certs(sandbox_web_client_t)
+
 +allow sandbox_web_type self:capability { setuid setgid };
 +allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
 +dontaudit sandbox_web_type self:process setrlimit;
@ -112041,10 +112077,10 @@ index 000000000..d371f62f6
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 000000000..1b34bc7b6
+index 000000000..6c04973ea
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,175 @@
+@@ -0,0 +1,176 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@ -112138,6 +112174,7 @@ index 000000000..1b34bc7b6
 +fs_read_dos_files(thumb_t)
 +fs_rw_inherited_tmpfs_files(thumb_t)
 +fs_map_dos_files(thumb_t)
+fs_mmap_removable_files(thumb_t)
 +
 +auth_read_passwd(thumb_t)
 +
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 307%{?dist}
+Release: 308%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -717,6 +717,16 @@ exit 0
 %endif

 %changelog
+* Thu Jan 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-308
+- Make working SELinux sandbox with Wayland. BZ(1474082)
+- Allow postgrey_t domain to mmap postgrey_spool_t files BZ(1529169)
+- Allow dspam_t to mmap dspam_rw_content_t files BZ(1528723)
+- Allow collectd to connect to lmtp_port_t BZ(1304029)
+- Allow httpd_t to mmap httpd_squirrelmail_t files BZ(1528776)
+- Allow thumb_t to mmap removable_t files. BZ(1522724)
+- Allow sssd_t and login_pgm attribute to mmap auth_cache_t files BZ(1530118)
+- Add interface fs_mmap_removable_files()
+
 * Tue Dec 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-307
 - Allow crond_t to read pcp lib files BZ(1525420)
 - Allow mozilla plugin domain to mmap user_home_t files BZ(1452783)