From 6319c499e49abffa7520a40a11c30851eab9425f Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Thu, 8 Dec 2016 16:30:38 +0100 Subject: [PATCH] * Thu Dec 08 2016 Lukas Vrabec - 3.13.1-230 - Label /usr/bin/rpcbind as rpcbind_exec_t - Dontaudit mozilla plugin rawip socket creation. BZ(1275961) - Merge pull request #174 from rhatdan/netlink --- container-selinux.tgz | Bin 4955 -> 4957 bytes policy-rawhide-contrib.patch | 98 ++++++++++++++++++++++++----------- selinux-policy.spec | 7 ++- 3 files changed, 74 insertions(+), 31 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index 237e40c227d326205f01397c725bd33770cf8577..9b07a0f33c013c46b0d2cd40a423a0cbea5e92b4 100644 GIT binary patch literal 4957 zcmV-j6Qb-NiwFQSd`VaU1MOYikJ~m9&+GcH5RwAfEt1{MCQX1%+ry!`hkH1*X!CZt zQ)P*^)#$6Dv>zAbf4>=iNR&iUlq@G(zycE6(#((KkQ~kohuSdDsvyotc^+>b9q77* z>-Fnb`1#_^cbDoXTrXd|ynOu#{=2%mdh`17^~*<>FJ4|RnsacJ?~L+ zQwD1i8tKNK|3$CWlPBKyv`*8Yy#Mk2j(B-Nvgb6f%aC|MQ6zB~RB@hpp&Te4$+qx$ z{{4kyTLFmM)hP{roc!aCgmpy}^f>dXoq8k6Q}}YuST7V_@B1PsgVf7{l>G3RQ$7B1 zP{KR*zzdQjza^1ZBcGC>40rxI&Q8C1 zake^<#rZ{0L9Otv8BF)2I$L1@2k0n}?1Swkl*g1Fa_fvR$QY%y6ZVw%Z>&s3+)2Fl zBB*{?LE)0{Qn`+z+S+_Zuh%%{D{i8lnFy$bxNuA$b^c zEM-+Ym~IpB`)D_bF*aciswK5O_>fEir5{nL9i|&C>hhq{{|PiEXr+Ap2gsYEgApiQ z0i|@h;~rUV<7(#xKv-8G;VKS2*80|Y0Ck6SfuaYCGQPobkn#(5Xb)M`!pB-@@X-}# zP02S*6LX=U@(!7lrWD0_{V)kAH5A334a-^+QCu{oJpBK$mlr7iAo<~ORo12^B5AMK zHHovWQ?dFfB6Xazd#;@zHg8**1m9f2znAdu)w1^4FaLb^KvoWB#T0QgZQTH0*r0F# zicT4?t5C1G^~+p4bylT#{LI>n7*m1t^x=2y4P|H2$bklWY9&nvv0Xq$6CSLY`Q_ z#81h+Iw@d?l{wCUkpS8vZdQ;*-fbD{4D6JouyTFQ#_%efqqCmjxA+B zL7IJGdR|YO-Dz1=_fwZ}uZM3Gr#CU)SW_5m)jd;>I2XD?l{2I#+KAi~6-CM7LlhK# zYUC>kuftvG^9ge6LoJpOGG5$WY#l_t`YOW4ZzQXxh#Ie9NfwbahDl;?7iug&@r+S^f>`V%C{w-#1qEi_Q<@|5()fLIj8qRU!nUK)|)nfJJPb`E@x&t~I9 zdH8WY2nB9`P$RrM2MtVp73X=F#L&I-k$Bq{sEL#fbp95sRW=ArC~Sa8gyb&l6fXy# ztqQ`_>{Ws8hoce2OpNCVs0ym~ilgnU34*mFXA^JFNp`a&>Mo}hT^f-2ItyZ!gyzZ3 zIZ9v=Sl&};ye$ZqgPoiN_sb(*EeIJ@c^b>v1`BivtCJr@X`FGLiyI!Mq0W`EL^^LC z0NS1*jy%hxAKxsl*my7Sz@WYJXa!4e%Je9yzPg>rYlG`5)_V3{x2s3kEpC=qcnG6j z>9pT|`Kc{{KIEP&Lg(H?T3ox~!?maQZDyAHP*=8$@|M${o5#SfQ9`mloX!)~s`5$p zt9GkHMv%%HYUPRcF;|<-_ZSL>HHyUnyNN6}ahYf7B*XSF-Nov;uSahT&dMIOhX96_ zE!cAU2V3oZzHB?XiozfFK7k`wf;2oDZ?hobE{*s3?KGzy3S*jGPbe#9kAB+_ln}RZ zPK@!3s8x?2rR)H}I|I3;&Drp8o!CY5HG!mYZe^T|M{r~;2GznK5F>-aevv0}c+W<- z3>=9_Q2;ZblACmA%JY%H($l2_f__j}JCV&ZhzhcY4=n46)ptr_8e`~a3#G|>rlcuI zgWLP2)au=kC}m1x-O%&gSXK`Qh3;to74P*5NEDk{VR(vSw=^)AiZ( z38U%F{$>UXLap;Uizu5gxZ}2rF5{bq4g4Otn{5?m#i`X64yj=I+TZMiRWQizHSl81 
z;IaUd6Be}czR01u+)|CHkoK3GG4Q?26A}i+#i-=l>dwubwV8gLj&Jm|CGp-+s>Op# z-Q33(Ox|wNKZl&!v@)eSy~h?LZQfC@E^bKLG@KTx|F}W2Lp7NoS|ogGsnT$}T(KGl z(ZK$Gw?XXP{ol5NJV8do z*6TlfSSG_=kZsx1lm$+7a19gMca9t@RmTc;ymcy6Dnf~b9=~MPJeAaaxp4oaD-V8e zAVM{sGNgABqBUZnwoCEdx*NTxou|VA(M0;XRaCMBI35$1K0v75;qSu9U4OYRg`fOp z$a5G@`}{*(8P)6}w?SB5Pw|^IT^kYAMt!@OG7`)Y6S>EK+UL@t4Js(2$NjDI(;ky$ zs;0$Yy5g;-XW&No_f`+AMAYOLw?FvJ58L8Os(>}}81+-lVVMYas$Cqb##2sqgxyuDH{cR^I?Qp zw?oMa?%s4ntHNRdlsX!qOkr;a#g(^a8k*L$AX#MN?2llzDd;1z0Rv`$HSB7zI<&`x zMl2+miZNUdb*EMK1sk3|nvFP`a^i@r%R!mZbh+Z|_eJOQj2)3fkt%d=aSPbXb(`5_ zZj|VDQRg(*jMg)YoZ2eUK4Du~zLWR4$q$^@*sbQq+@@NwCQlL*o<4oj4NMW7tdIBk z%t^5^gljn&`MD@q0xQ52YuKjD({??>rDvFtHd0M(GKQ#oKSB2SA2iR-;o;1_@0hp7 z2lK|lMC{39!xg`4+dGYv9<*V^>?v@x_bre17P>3`K7w~|gRrR%S%^I3aL6*&$pMAs zqJnx%>_r@k?g6htZtzd57|avZMV&fLc-z!9X`e%BCcY!)WToebJ6Z8L;x>oEmIj`z1;=n*G-2oMSra`7-61RY zDlcfjjvcL^J9?ckry7xt!1IQg1MsY2X2aDTJ#>fE4TGlbY(TgShZ4guG22Vn!p|}e{Vb0RRZv+d$s#D}reTXWGni(U)!VW$ zu(4LLF2n?car#iC9qg*Aa4bTygn6143AyuG2aofz4T7l>)H01ru*2pk4&<3QC>oZL zB7_oULqBZyxDC{txScU#--%BeOpu(+Who4Oa9*!%nb(E2UV@T4&h$P_;_RcDR-~Q> zrr8K2ojRH-NUOZWm8}eJeYRJ22PSe9(~kyvw#9?`DWmi@uEL$3P8>k#iwo@aD8Ds8 zi}%XNj6gjVBf{sksYUInC>%Ph_>^u9)E#0_^%#}~YLjyi(@+^~Y-2Y5Utr0uVNs9f zB#x;MNL|HZfr!W^sFR9&DR-tJuX6AqZ-Tz3IF%yd{rLP)xk0vqm?`>rW5v~+-YSdK z=;5F7$GnAW3xyfrslL<=4B$MWBO*31$3=ySVl%n%{pdG*5;$#ovaH_K6EC?7`T11L zi<`2W9|fV0VSqA@2-;xVIKqzt_vhiW#-I08?C9gSb)Hx33m9tht2ko`w%Vk}K%mTM86@&KZ3*`@(} z(rvzbs5`i0H$Ac7lO-v@3+1`!5n&oU(l+Eejdd8Zbq(IBsc*vSZPx%NBYDd$?why( z6_joA5sUiIn$XH;ZzAjGt!n5+d;AneHLQ7dn_d#zEp`pD)nQnH$D=OH2D4rv0yqre zn;Zb3WLmWb^<@xkLzCPv4ONx7rCfYz7Zz!yNb(e5Iz%DH>Y=VuT{K3ta~PC<*H_)_d_f+-`f#7BM%9 zY-TAC)tM7nNgT*rCD8PPFxM?Zs!wX^fG1c@Sk79i{Dk4BKHkuKNW{(rfaaU)!42SqGTfZ{abA{^|*!HbW z3hN++n`Q%_<=JwVh)shgz1HMBv@B)iH^1bYJoV+s95xq2x1r@esx6~k!_|ba@P;*j z)pGEzXbZBmUdtqtNv86c6@<=V*cR>hg70{Caf-hYt!pYnqxhA-1JB@0@v{?*Y!_IG z_%PtFo51&N;P5fD$@krItI^r=y(XrRpU z{_4i8GC8y+#*BH^8OB+RCxc))Pzl>3?30SRiOXs{NWjS~t~-0~GVyhkJ_W;cof~v+ 
zTehUL%|lKtH+fv?<*e;6ut8|xdg5*J65VtG(7uYrr@V#cCOvBoOEqWTJ3OM#bxNow(@Z~Yu}D^WyS zG@JHS-q`}h_=`rrT9z_V1M}+G9$7c8^^Ck-@Ec6!AxHw%lJeAb)d3HW#bsJlew)V! z)jh-!WTErxbyqoZeRVdbLggC=Tcv5zC$gS>=l2{(Z~TTaqe}-!6TJ( z;;Ex1u4aH!0>{lMug+N=<9aS%Gc=M+GXAb4+q2QUl7--{nIH?5VM_|xw+MTFhzt67 zj)+szK{G0PnHQRHXG3b+D{P3A{WN(*NDJn+_tub)Z+uD8ul?SIhjKNNIo}-Y-4^!u ze_X!)?!}wq-+%r}*9C47UVJ#`hnm^Dcv!sV4whcNI@j0Y??;u_?KBdH6DhtSSV zEx&Bz#moDbtFnL%>k@pb<#Dt8CQs^=JQu>40+Pz{F7mIu)$-PFdx;V1RYOOZ$Mw zA)G;_%dCTJs3@YJfBOLsdAiq^9~T`5mM1LSk=-lJ4p%G#jDhE=U1q}*hhqfff{0gp zK(?5z94EpVhN;po{BK($&r*%RJ%md6TiL9Sqd(SRC{GyZ0T*NYSP2w*+v$cn<8{1_*YP@D$Ln|uaUQB literal 4955 zcmV-h6Qt}PiwFSd^+#9$1MOYikK8tr&+GJGA=m*t6WBB3aW)3*>>duuJ>0`#gWbGc z?zC!&-K|((D@yZmhX41g;+H6iq$ssIo&{Qf-Q7~vk7SW7RuzkyxGb6|El7Qx?!GzE zbqm)IKYWj$Z{PpvR{wu5`2E8W!df6;66@@4QNZSy>;pZ@aefdpkmiZ`@u>zD*lRb^=$HECG{u^cD?DfaMr z{o{>f+W?5))hi8tT>Qr)iQ9%~=xGr&2mMA;=J4g3vEFFB!H-o`M|n_0Ir;MoPW9q1 zqY{2*4}vJm$_J7JO&K(GRL~R~WdglnsPKK077eL)QA{rXp=uM>ZPBDT386fO^Xm0K zHWzzRgf;nRo7OIr+IC-Nk9T&^KoT0vOh|8M9c@k0*)$t+Rrp4vA zZ?85NvbeB{8mJZCwS$?SG*=re-~=57l6|(lgz}ivLw=nRM+KvFcEXYJ{yQsE6L*$w zg9NG{H)Wj?Iz!SIE=fmmOejOUm?vT(6sVSufbXLkNjurH@`G>RnrJ>iI|G3aU&D&j zIR(aDnh`1s7SyaqRvy{UP1I~a{gHyU3~Js<(?e8~=OlGjA%D4Zau2CzDQ$3U+k`HF47Yr`Y??bOJ}pM@@9y9U6c}SZ>5CLJ^fP|Yg4p{3u=K<6m(nXpctm^b0%R$ONutNvPq81_6!hnyi zIBQC|W15%?1(kQqq%@}}&Kt&AM5(1H_H10%mWbk#IpyL1FM_f{`A6BGUo>@VYa)^k zirtd5*n1Ugo+47mdAsMv3F7j$wMp>p9sGL-|Gr<>KKtcAe|{z_2eV?TG?}+Xw7{m<7cyo2PkCOU+l>n5pBSxW(xqkN(ZAczB*{sOZ$MLhaNE;^puA?}1A`C5A z5bv!N$!n68Xsm;zQW#I{NgyuCEV^}9a_|Zi%R_=S;W!3=RIAAc{0P*@P#)<7m#9!6 z7BKNsa&Imw7-DsaGhiZswu+k-6-n?=rzQhCCpoNKUw=|RfQ<6FBghs{P&CjFdBCxy z>}N=GD9j)jNV7jJtLAC$5*`fjt>O%3#v5A-gROaD>JjHcU#N113`Cod`>LTRS$v3s z!cT*ICE-q%TGd4 zOY8;zZqSy03x)C_@!4>KWaZw$s;z|4o5Y@yGzi()Yoy|#90d6yBvwPZH1ah*+A#-!CGa5z=pyGh(yR9<6iM{ z@VTlWOwB8a3$EuS@g6%;@ygnQB&rroNcf`*RVQ;QIe+x*SWaiVH@gPDNCel z^#IV03~`i2A^mu@xMJgjC;)@@F`x}By*bmPr1|Q0BCidut61yBd)>YsVZXRVUg0T> zdacv`{>x8Y0rWZdTorrw9@6644IjQe#cwmSJcPQkWt6v^4%|Ej{sAQ<>%-{+QLUz& 
zWxpD?I%EW?ZlP9zXdiR6*?do-U|6GA9I&6ra-Y^^kXMV6Z-sj7iLZ@!&H!ay3XJpy|GdGVam@Up~%r+MzI}+0BHqV(#d-3qcEU zTj#_Szld55_)*Fp0K7AhTiTq8fA7UEnr{dsO>=AGWIBQ)V=<@}Mu8X^6b`F0OXDXt z!e!t{M2aGq0gc?GyV9Od1eRW{9S{towmFDwo>5egJ$zZhuN=5k9lr9#?&+>C+mb(xVks%|DF-&J>M?ySr7<8*wZrz?r~hE^>e zTl8q>I@z`kc@dpgSz-38Pjk&q~T+QZsCqyIivx zN72CHez!&J{r%#B(A7gnt@^v1Hlx+dt8d0=tn#+2)bZM3i-ovQ%&xb~H$Og$nQfJ! z{UiM<+OS-j9XjAz$l`0S(b#rA^{{>uF$t;5EuJ8wVRHN0r)d6luWpm3A*U+Ceg5nF z+jsA8N9Vup?#}1G{)mhF;bC4TZALEDXm}mGy}rG^ou!dBFN2>+oWb-*{}nXNhAD)E z&{%A~S7O_p;N~?H6FeLU=&V}bXpWdsB%^~YhL>f*uRr|~RAt?$-T6vr8;*`Dq-l$2 ztG7WJC1!P z8;MYlr;O>ngy@V|=DK&VJxzlvIx0LNqEG6x8aJN$h(x$7_YrSOyA zjCl^j<&b}jE2ElynVP-rW+%o#;9)}Q$~V0VkY+emP)r zOx3&^O;^07dIo+B5PPgn$`&cT8hYKMuq05-( zc{yS<2pX22k$Bm?j~fip6{KOmFNZ917tn4Ygc%iO0bics5qGFf>lP*1?gRMs(KgM} z<|+6b#E0^s2tK8-Ztmb4fbA%0(j>?~6=f1&Wm&YJecPsmO6X)a>gWM5n;k&nHq1o9 zu4nD=EDTD zX@`;(+`s9G*2L8cC~Y!AnZw=}nog@63pPG|v>0(R<-`-&l!LOM>2k$4?~5+!88;$_B2Dby;tp_->$b4T z+$b^aqAqE!9c^G1d9_udea5!3e5c@x$`4%D*uCM#(xy7GW=|3uo;iKe4@?uBtWWUe z%1f~^gb#8u@^ewJ1U7&v*05b&=G}UROV2nXZK9gSWDHUFVS?LIa1(g?>inHEp%V}V+8Nt24Pd3vJiR5;gn@;vl9x- zM+FU-*o!zc-2+~Q+~A*AF_=Ir;AV0WqTr-Z*-AK!G;;xt8Q$0SZy03Phv zyzFQ!N5kBX=^W)W^(KTR6W5XmCBKMy_nj{k$A$-4)C5D*wv`$@+=Ao=V`I572^d}lOnNido z@dF}zk%ByEd?1Nm;TZF_tUh7`788_M&P)_H={-!8#8SSXPw-iru-7t(LiiKv63RxV z6tg|kt$B<3s!v4^B+DFdC@~BZv%Q2p{H)VBEXu@E1)YVGB7u_b6iqcHTrdA;^^*;dYa2}S(JVZOR%~wmNzU*I$6n21D=2CYsfXj?dh}goMRt+YKE#$`cqu=vM;I-+=vU)c!gX}Tp=Tk8+ zZq9Cg62&2g0qQg%XoKz31V1X=pNG#De?C#MqmSRVW!bPVV5rHj;*2HOYP0s{MH%7) zyNMMos=%zD(Yej30${MAk_$mKstxUcn_cXFZ;N|!k6Uu_Dc|2LHzIoF0VMmnO9S|9 z+I$aCcW}pUeqzCAM^Zo#%X85a!nAm#UC4DF>o{cV8@$s~--OlMtpQ#}@}67V_h|(x zsMwVg7WF?{LYt7iiENm+YM>YG33C|Lu;#gKdP(fI*bT%^hhYOAkG?Ql%zBLo;4p-5 za{z#nY1J0gmqoOSCc9@Es;Nsyx%kp9EYeAlm1X4xHCd#vtYm9b3a&7wTus_y!XrO| zVbVw(aZFfcW+oM*o5iIfa4s&sQd4z`##MkAp-AmRSHM3?;Df~sD2RUx?@NUNgW;V5~~TT8Wme{HnQN?zyAE!;BU~NdlLMLM*~@^ zmOX87GdM59QWaS-{16?p=O=?zoI!pHp{nRl_{ip^vj;k2=De)p->|o}A6n20+1Bd3 
zuxJxHBg&1(Q(Z<{MOroaqk}{$B0#b>nh}a-PZP><*A}=8$M`PWu(8&2gXmY@jb_1W~*>abNO#_u)YjYktmbwYmFZm`h%U->)mEY1`^JHf~fk&}oI z1OB=ReBTBRA4{8@FYQo;VQy1uGe%7Gc@!Uj&c^Y|R`L$?-UE!3WU`^JtU^TtWs&#S zDznPw(ApRa=2;gQXR)3Pg5^Lb?2fR{D(XJ1o9Q3{Cv&*&?77dxH&KQZ4AX6C(YamO zlFl^`Iknv6@uiouw#UE*p@r*Zuq$hH(*;2HDwdG)7TTNiS{;^BXWx4~qR&mv*oR$$ zZ>Rexn<>@}z1p^+!WclWL>P(?^q7yIvO~A#Ryv$jLxm0L{X9MCqDR~v<2ROi!A7b$ zpQi?DM;UkL^yCY4O~LVrfUwTik5fndy=0SIy*+}7(&io31~U(jVH?kMuyb`75*Rzw zPU@-;&f$t2V7N^(7$%qv+5-kAxqQW>tKkYkH*=ZE;9Pv?ku zB^{_yG040yggX_fYp+ldY5QsNh>#J?Z|_Z!Pj7rl(y#sAh39f9$z1PF_HGOJ`#)}f z_|x0>=fD5_m987yBE0$SnjdOr@8V(cnnzfA`Rd$$5Pv_a{?JV$aX69U8$xbcTHk=t zhyL6R$GN%w?&8fGZ#21hi`PXWstHv5X@XUtw`tMgtpy0rVuV`@Pf`8%|K9x1cU;S_ z+j#Nv{`IOXVB@w1pK5*FqP#D&HYaa{Fy_GPZzR=+SbunpideCP^}4Zx7OsZ)TsEe) zS2GB7Sd<0SCCufkf4lI;isd0*CV&n{jI^WRHaB46Xab!J)_JF_a(ytsy5Xh$hQ}ei zL8Z%Vf>cx#(XYSz4G($x*Owm`od%XCEc}uEE6om9tOJaJ=eb?x!V`yM1muc{cSk^W zn4KJF!dZr?)-U{TTdY#cqh_abLJ7?CLXb z0DSxegf;VsMS^?Ls-6g@2$BV}*?`9@_Z$A9tyydJ1ROf~fJfKC6Mu1QB@qfG%MBnp z7jzWl(DWDp-(-*RTuAW}4jpK}3`c5`ukFsAuk&@j&e!=mU+3$5ov-tCzRuVAI$!7O Ze4VfJb-vEm`8r?h`hSg~9*6*-000)z$O`}f diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 15d2d0bb..70263d82 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -38661,10 +38661,10 @@ index 0000000..419d280 + diff --git a/ipa.if b/ipa.if new file mode 100644 -index 0000000..1a30961 +index 0000000..ddbc007 --- /dev/null +++ b/ipa.if -@@ -0,0 +1,235 @@ +@@ -0,0 +1,252 @@ +## Policy for IPA services. + +######################################## 
@@ -38705,6 +38705,23 @@ index 0000000..1a30961 + +######################################## +## ++## Connect to ipa-ods-exporter over a unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipa_stream_connect_ods_exporter',` ++ gen_require(` ++ type ipa_ods_exporter_t; ++ ') ++ allow $1 ipa_ods_exporter_t:unix_stream_socket connectto; ++') ++ ++######################################## ++## +## Execute ipa-helper in the ipa_helper domain. +## +## @@ -52349,7 +52366,7 @@ index 6194b80..e27c53d 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4..9336364 100644 +index 11ac8e4..7d5d385 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0) @@ -52802,7 +52819,7 @@ index 11ac8e4..9336364 100644 ') optional_policy(` -@@ -300,259 +339,257 @@ optional_policy(` +@@ -300,259 +339,258 @@ optional_policy(` ######################################## # @@ -52816,6 +52833,7 @@ index 11ac8e4..9336364 100644 +dontaudit mozilla_plugin_t self:capability { sys_ptrace sys_admin ipc_lock sys_nice sys_tty_config }; +dontaudit mozilla_plugin_t self:capability2 block_suspend; +dontaudit mozilla_plugin_t self:cap_userns {sys_ptrace }; ++dontaudit mozilla_plugin_t self:rawip_socket create_socket_perms; + + +allow mozilla_plugin_t self:cap_userns {sys_admin sys_chroot}; @@ -53206,7 +53224,7 @@ index 11ac8e4..9336364 100644 ') optional_policy(` -@@ -560,7 +597,11 @@ optional_policy(` +@@ -560,7 +598,11 @@ optional_policy(` ') optional_policy(` @@ -53219,7 +53237,7 @@ index 11ac8e4..9336364 100644 ') optional_policy(` -@@ -568,108 +609,144 @@ optional_policy(` +@@ -568,108 +610,144 @@ optional_policy(` ') optional_policy(` @@ -64674,10 +64692,10 @@ index 0000000..7c08157 +') diff --git a/opendnssec.te b/opendnssec.te new file mode 100644 -index 0000000..e246d45 +index 0000000..3a760d7 --- /dev/null 
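Review bot: `ipa_stream_connect_ods_exporter` grants only `connectto` on ipa_ods_exporter_t's unix_stream_socket, so if ipa-ods-exporter listens on a socket file rather than an abstract socket, a caller still needs search on the socket's directory and write on the sock_file, and opendnssec_t at the later hunk `@@ -64744,6 +64762,7 @@` would keep hitting a denial there. If ipa.te gives that socket file a type, the usual refpolicy form is `stream_connect_pattern($1, SOCK_FILE_TYPE, SOCK_FILE_TYPE, ipa_ods_exporter_t)` (SOCK_FILE_TYPE standing for that type) preceded by the matching `files_search_*` call; if the socket is abstract, a one-line comment in the interface saying so would explain why no file access is granted. ipa.if's remaining interfaces continue outside the hunk.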
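Review bot: The new `dontaudit mozilla_plugin_t self:rawip_socket create_socket_perms;` silences every raw-socket permission, while the denial tracked in BZ(1275961) and the changelog entry are about socket creation only. Narrowing it to `dontaudit mozilla_plugin_t self:rawip_socket create;` hides the same noise today and, should `create` ever be allowed later, would not silently swallow bind/write/setopt denials on the resulting socket. A comment above the line, `# BZ(1275961): plugins probe for raw IP sockets; hide the denial rather than allow it`, would tell the next reader why this is a dontaudit and not an allow. The mozilla_plugin_t rule block continues outside the hunk.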
+++ b/opendnssec.te -@@ -0,0 +1,68 @@ +@@ -0,0 +1,69 @@ +policy_module(opendnssec, 1.0.0) + +######################################## @@ -64744,6 +64762,7 @@ index 0000000..e246d45 + +optional_policy(` + ipa_manage_lib(opendnssec_t) ++ ipa_stream_connect_ods_exporter(opendnssec_t) +') + diff --git a/openfortivpn.fc b/openfortivpn.fc @@ -76617,7 +76636,7 @@ index cd8b8b9..2cfa88a 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index d616ca3..e4fc9c0 100644 +index d616ca3..b03d137 100644 --- a/ppp.te +++ b/ppp.te @@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0) @@ -76892,7 +76911,7 @@ index d616ca3..e4fc9c0 100644 allow pptp_t pppd_etc_t:dir list_dir_perms; allow pptp_t pppd_etc_t:file read_file_perms; -@@ -236,45 +266,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; +@@ -236,45 +266,45 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; allow pptp_t pppd_etc_rw_t:dir list_dir_perms; allow pptp_t pppd_etc_rw_t:file read_file_perms; allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; @@ -76921,6 +76940,8 @@ index d616ca3..e4fc9c0 100644 kernel_signal(pptp_t) +dev_read_sysfs(pptp_t) ++dev_read_rand(pptp_t) ++dev_read_urand(pptp_t) + corecmd_exec_shell(pptp_t) corecmd_read_bin_symlinks(pptp_t) @@ -76949,7 +76970,7 @@ index d616ca3..e4fc9c0 100644 fs_getattr_all_fs(pptp_t) fs_search_auto_mountpoints(pptp_t) -@@ -282,12 +310,12 @@ term_ioctl_generic_ptys(pptp_t) +@@ -282,12 +312,12 @@ term_ioctl_generic_ptys(pptp_t) term_search_ptys(pptp_t) term_use_ptmx(pptp_t) @@ -76964,7 +76985,7 @@ index d616ca3..e4fc9c0 100644 sysnet_exec_ifconfig(pptp_t) userdom_dontaudit_use_unpriv_user_fds(pptp_t) -@@ -299,6 +327,10 @@ optional_policy(` +@@ -299,6 +329,10 @@ optional_policy(` ') optional_policy(` @@ -91369,10 +91390,10 @@ index 2da9fca..6935f5c 100644 ') diff --git a/rpcbind.fc b/rpcbind.fc -index d31220e..c84a461 100644 +index d31220e..0b6894a 100644 --- a/rpcbind.fc 
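Review bot: `dev_read_rand(pptp_t)` and `dev_read_urand(pptp_t)` are added together without a motivating denial, and the pptp change is not listed in the 3.13.1-230 changelog or the commit message. If pptp only opens /dev/urandom, `dev_read_urand(pptp_t)` alone is the narrower grant; `dev_read_rand` additionally covers the type used for /dev/random and is only needed if an AVC on that device was actually observed. The pptp_t rule block continues outside the hunk on both sides.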
+++ b/rpcbind.fc -@@ -1,6 +1,9 @@ +@@ -1,8 +1,12 @@ /etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0) +/usr/lib/systemd/system/rpcbind\.service -- gen_context(system_u:object_r:rpcbind_unit_file_t,s0) @@ -91381,6 +91402,9 @@ index d31220e..c84a461 100644 +/bin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) /usr/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) ++/usr/bin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) + + /var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0) diff --git a/rpcbind.if b/rpcbind.if index 3b5e9ee..ff1163f 100644 @@ -103093,7 +103117,7 @@ index 1499b0b..e695a62 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index cc58e35..963d86c 100644 +index cc58e35..1e34535 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1) @@ -103557,7 +103581,7 @@ index cc58e35..963d86c 100644 ') optional_policy(` -@@ -267,36 +384,40 @@ optional_policy(` +@@ -267,48 +384,54 @@ optional_policy(` ######################################## # @@ -103615,7 +103639,13 @@ index cc58e35..963d86c 100644 logging_log_filetrans(spamd_t, spamd_log_t, file) manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -@@ -308,7 +429,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) + manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) + manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) +-files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) ++manage_lnk_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) ++files_spool_filetrans(spamd_t, spamd_spool_t, { file dir lnk_file }) + + manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) 
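Review bot: The new `/usr/bin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)` sits next to an earlier `/bin/rpcbind` entry in the same file; on a merged-/usr system where file_contexts.subs_dist maps /bin to /usr/bin, both specifications describe the same file and only the /usr/bin one is needed, so the `/bin/rpcbind` line looks like a leftover that could be dropped in the same change. The changelog entry "Label /usr/bin/rpcbind as rpcbind_exec_t" is also repeated verbatim from 3.13.1-229; if 229 only added the /bin path, saying so in the 230 entry would avoid the apparent duplicate.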
@@ -103625,7 +103655,7 @@ index cc58e35..963d86c 100644 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) -@@ -317,12 +439,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +@@ -317,12 +440,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) @@ -103642,7 +103672,7 @@ index cc58e35..963d86c 100644 corenet_all_recvfrom_netlabel(spamd_t) corenet_tcp_sendrecv_generic_if(spamd_t) corenet_udp_sendrecv_generic_if(spamd_t) -@@ -331,78 +455,60 @@ corenet_udp_sendrecv_generic_node(spamd_t) +@@ -331,78 +456,60 @@ corenet_udp_sendrecv_generic_node(spamd_t) corenet_tcp_sendrecv_all_ports(spamd_t) corenet_udp_sendrecv_all_ports(spamd_t) corenet_tcp_bind_generic_node(spamd_t) @@ -103747,7 +103777,7 @@ index cc58e35..963d86c 100644 ') optional_policy(` -@@ -421,21 +527,13 @@ optional_policy(` +@@ -421,21 +528,13 @@ optional_policy(` ') optional_policy(` @@ -103771,7 +103801,7 @@ index cc58e35..963d86c 100644 ') optional_policy(` -@@ -443,8 +541,8 @@ optional_policy(` +@@ -443,8 +542,8 @@ optional_policy(` ') optional_policy(` @@ -103781,7 +103811,7 @@ index cc58e35..963d86c 100644 ') optional_policy(` -@@ -455,7 +553,17 @@ optional_policy(` +@@ -455,7 +554,17 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) razor_read_lib_files(spamd_t) @@ -103800,7 +103830,7 @@ index cc58e35..963d86c 100644 ') optional_policy(` -@@ -463,9 +571,10 @@ optional_policy(` +@@ -463,9 +572,10 @@ optional_policy(` ') optional_policy(` @@ -103812,7 +103842,7 @@ index cc58e35..963d86c 100644 ') optional_policy(` -@@ -474,32 +583,32 @@ optional_policy(` +@@ -474,32 +584,32 @@ optional_policy(` ######################################## # 
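Review bot: `manage_lnk_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)` lets spamd create, rename and unlink symlinks in its spool, and the widened `files_spool_filetrans(spamd_t, spamd_spool_t, { file dir lnk_file })` labels any symlink it creates directly under the spool directory as spamd_spool_t; if the underlying denial was only a `read` of an existing lnk_file, `read_lnk_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)` would be the least-privilege fix. Neither the commit message nor the spec changelog mentions this spamassassin change, so recording the AVC that motivated it would help later review. The spamd_t rule block continues outside the hunk on both sides.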
@@ -103855,7 +103885,7 @@ index cc58e35..963d86c 100644 corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -508,25 +617,26 @@ dev_read_urand(spamd_update_t) +@@ -508,25 +618,26 @@ dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t) @@ -114575,7 +114605,7 @@ index facdee8..2cff369 100644 + domtrans_pattern($1,container_file_t, $2) ') diff --git a/virt.te b/virt.te -index f03dcf5..af39887 100644 +index f03dcf5..9bde200 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,403 @@ @@ -116159,7 +116189,7 @@ index f03dcf5..af39887 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1260,364 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1260,372 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -116530,6 +116560,14 @@ index f03dcf5..af39887 100644 + allow container_t self:netlink_socket create_socket_perms; + allow container_t self:netlink_tcpdiag_socket create_netlink_socket_perms; + allow container_t self:netlink_kobject_uevent_socket create_socket_perms; ++ allow container_t self:netlink_connector_socket create_socket_perms; ++ allow container_t self:netlink_crypto_socket create_socket_perms; ++ allow container_t self:netlink_fib_lookup_socket create_socket_perms; ++ allow container_t self:netlink_generic_socket create_socket_perms; ++ allow container_t self:netlink_iscsi_socket create_socket_perms; ++ allow container_t self:netlink_netfilter_socket create_socket_perms; ++ allow container_t self:netlink_rdma_socket create_socket_perms; ++ allow container_t self:netlink_scsitransport_socket create_socket_perms; +', ` + logging_dontaudit_send_audit_msgs(container_t) +') 
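Review bot: The eight new `allow container_t self:netlink_*_socket create_socket_perms;` lines (connector, crypto, fib_lookup, generic, iscsi, netfilter, rdma, scsitransport) land in a conditional block whose opening condition is above the hunk, so whichever tunable currently gates netlink_socket and netlink_tcpdiag_socket now also turns these classes on; its description comment in virt.te should list them, and netfilter, crypto, rdma and iscsi sockets are a noticeably wider grant for a container domain than route/tcpdiag, which may deserve a separate knob or at least a comment on why they are grouped together. `create_socket_perms` rather than `create_netlink_socket_perms` looks correct here, since these newer netlink classes carry no nlmsg_* permissions, as far as I can tell. The enclosing block starts outside the hunk; only its else branch with `logging_dontaudit_send_audit_msgs(container_t)` and the closing `')` are visible.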
@@ -116668,7 +116706,7 @@ index f03dcf5..af39887 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1630,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1638,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -116683,7 +116721,7 @@ index f03dcf5..af39887 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1648,7 @@ optional_policy(` +@@ -1192,7 +1656,7 @@ optional_policy(` ######################################## # @@ -116692,7 +116730,7 @@ index f03dcf5..af39887 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1657,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1665,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 05fb6c45..ea5883ee 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 229%{?dist} +Release: 230%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -675,6 +675,11 @@ exit 0 %endif %changelog +* Thu Dec 08 2016 Lukas Vrabec - 3.13.1-230 +- Label /usr/bin/rpcbind as rpcbind_exec_t +- Dontaudit mozilla plugin rawip socket creation. BZ(1275961) +- Merge pull request #174 from rhatdan/netlink + * Wed Dec 07 2016 Lukas Vrabec - 3.13.1-229 - Label /usr/bin/rpcbind as rpcbind_exec_t. Label /usr/lib/systemd/systemd/rpcbind.service - Allot tlp domain to create unix_dgram sockets BZ(1401233)