From 68b689158d8c3a6cdd6ddb8de3c7076fb1f6faf4 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Wed, 7 Dec 2016 12:46:00 +0100
Subject: [PATCH] * Wed Dec 07 2016 Lukas Vrabec - 3.13.1-229 - Label /usr/bin/rpcbind as rpcbind_exec_t. Label /usr/lib/systemd/systemd/rpcbind.service - Allot tlp domain to create unix_dgram sockets BZ(1401233) - Allow antivirus domain to create lnk_files in /tmp - Allow cupsd_t to create lnk_files in /tmp. BZ(1401634) - Allow svnserve_t domain to read /dev/random BZ(1401827) - Allow lircd to use nsswitch. BZ(1401375) - Allow hostname_t domain to manage cluster_tmp_t files
---
 container-selinux.tgz | Bin 4955 -> 4955 bytes
 policy-rawhide-base.patch | 12 ++++++--
 policy-rawhide-contrib.patch | 56 +++++++++++++++++++++++++----------
 selinux-policy.spec | 11 ++++++-
 4 files changed, 61 insertions(+), 18 deletions(-)
diff --git a/container-selinux.tgz b/container-selinux.tgz index e0774ec5573d95debf9fba420a7f284615ad56d4..237e40c227d326205f01397c725bd33770cf8577 100644 GIT binary patch literal 4955 zcmV-h6Qt}PiwFSd^+#9$1MOYikK8tr&+GJGA=m*t6WBB3aW)3*>>duuJ>0`#gWbGc z?zC!&-K|((D@yZmhX41g;+H6iq$ssIo&{Qf-Q7~vk7SW7RuzkyxGb6|El7Qx?!GzE zbqm)IKYWj$Z{PpvR{wu5`2E8W!df6;66@@4QNZSy>;pZ@aefdpkmiZ`@u>zD*lRb^=$HECG{u^cD?DfaMr z{o{>f+W?5))hi8tT>Qr)iQ9%~=xGr&2mMA;=J4g3vEFFB!H-o`M|n_0Ir;MoPW9q1 zqY{2*4}vJm$_J7JO&K(GRL~R~WdglnsPKK077eL)QA{rXp=uM>ZPBDT386fO^Xm0K zHWzzRgf;nRo7OIr+IC-Nk9T&^KoT0vOh|8M9c@k0*)$t+Rrp4vA zZ?85NvbeB{8mJZCwS$?SG*=re-~=57l6|(lgz}ivLw=nRM+KvFcEXYJ{yQsE6L*$w zg9NG{H)Wj?Iz!SIE=fmmOejOUm?vT(6sVSufbXLkNjurH@`G>RnrJ>iI|G3aU&D&j zIR(aDnh`1s7SyaqRvy{UP1I~a{gHyU3~Js<(?e8~=OlGjA%D4Zau2CzDQ$3U+k`HF47Yr`Y??bOJ}pM@@9y9U6c}SZ>5CLJ^fP|Yg4p{3u=K<6m(nXpctm^b0%R$ONutNvPq81_6!hnyi zIBQC|W15%?1(kQqq%@}}&Kt&AM5(1H_H10%mWbk#IpyL1FM_f{`A6BGUo>@VYa)^k zirtd5*n1Ugo+47mdAsMv3F7j$wMp>p9sGL-|Gr<>KKtcAe|{z_2eV?TG?}+Xw7{m<7cyo2PkCOU+l>n5pBSxW(xqkN(ZAczB*{sOZ$MLhaNE;^puA?}1A`C5A z5bv!N$!n68Xsm;zQW#I{NgyuCEV^}9a_|Zi%R_=S;W!3=RIAAc{0P*@P#)<7m#9!6 z7BKNsa&Imw7-DsaGhiZswu+k-6-n?=rzQhCCpoNKUw=|RfQ<6FBghs{P&CjFdBCxy z>}N=GD9j)jNV7jJtLAC$5*`fjt>O%3#v5A-gROaD>JjHcU#N113`Cod`>LTRS$v3s z!cT*ICE-q%TGd4 zOY8;zZqSy03x)C_@!4>KWaZw$s;z|4o5Y@yGzi()Yoy|#90d6yBvwPZH1ah*+A#-!CGa5z=pyGh(yR9<6iM{ z@VTlWOwB8a3$EuS@g6%;@ygnQB&rroNcf`*RVQ;QIe+x*SWaiVH@gPDNCel z^#IV03~`i2A^mu@xMJgjC;)@@F`x}By*bmPr1|Q0BCidut61yBd)>YsVZXRVUg0T> zdacv`{>x8Y0rWZdTorrw9@6644IjQe#cwmSJcPQkWt6v^4%|Ej{sAQ<>%-{+QLUz& zWxpD?I%EW?ZlP9zXdiR6*?do-U|6GA9I&6ra-Y^^kXMV6Z-sj7iLZ@!&H!ay3XJpy|GdGVam@Up~%r+MzI}+0BHqV(#d-3qcEU zTj#_Szld55_)*Fp0K7AhTiTq8fA7UEnr{dsO>=AGWIBQ)V=<@}Mu8X^6b`F0OXDXt z!e!t{M2aGq0gc?GyV9Od1eRW{9S{towmFDwo>5egJ$zZhuN=5k9lr9#?&+>C+mb(xVks%|DF-&J>M?ySr7<8*wZrz?r~hE^>e zTl8q>I@z`kc@dpgSz-38Pjk&q~T+QZsCqyIivx zN72CHez!&J{r%#B(A7gnt@^v1Hlx+dt8d0=tn#+2)bZM3i-ovQ%&xb~H$Og$nQfJ! 
z{UiM<+OS-j9XjAz$l`0S(b#rA^{{>uF$t;5EuJ8wVRHN0r)d6luWpm3A*U+Ceg5nF z+jsA8N9Vup?#}1G{)mhF;bC4TZALEDXm}mGy}rG^ou!dBFN2>+oWb-*{}nXNhAD)E z&{%A~S7O_p;N~?H6FeLU=&V}bXpWdsB%^~YhL>f*uRr|~RAt?$-T6vr8;*`Dq-l$2 ztG7WJC1!P z8;MYlr;O>ngy@V|=DK&VJxzlvIx0LNqEG6x8aJN$h(x$7_YrSOyA zjCl^j<&b}jE2ElynVP-rW+%o#;9)}Q$~V0VkY+emP)r zOx3&^O;^07dIo+B5PPgn$`&cT8hYKMuq05-( zc{yS<2pX22k$Bm?j~fip6{KOmFNZ917tn4Ygc%iO0bics5qGFf>lP*1?gRMs(KgM} z<|+6b#E0^s2tK8-Ztmb4fbA%0(j>?~6=f1&Wm&YJecPsmO6X)a>gWM5n;k&nHq1o9 zu4nD=EDTD zX@`;(+`s9G*2L8cC~Y!AnZw=}nog@63pPG|v>0(R<-`-&l!LOM>2k$4?~5+!88;$_B2Dby;tp_->$b4T z+$b^aqAqE!9c^G1d9_udea5!3e5c@x$`4%D*uCM#(xy7GW=|3uo;iKe4@?uBtWWUe z%1f~^gb#8u@^ewJ1U7&v*05b&=G}UROV2nXZK9gSWDHUFVS?LIa1(g?>inHEp%V}V+8Nt24Pd3vJiR5;gn@;vl9x- zM+FU-*o!zc-2+~Q+~A*AF_=Ir;AV0WqTr-Z*-AK!G;;xt8Q$0SZy03Phv zyzFQ!N5kBX=^W)W^(KTR6W5XmCBKMy_nj{k$A$-4)C5D*wv`$@+=Ao=V`I572^d}lOnNido z@dF}zk%ByEd?1Nm;TZF_tUh7`788_M&P)_H={-!8#8SSXPw-iru-7t(LiiKv63RxV z6tg|kt$B<3s!v4^B+DFdC@~BZv%Q2p{H)VBEXu@E1)YVGB7u_b6iqcHTrdA;^^*;dYa2}S(JVZOR%~wmNzU*I$6n21D=2CYsfXj?dh}goMRt+YKE#$`cqu=vM;I-+=vU)c!gX}Tp=Tk8+ zZq9Cg62&2g0qQg%XoKz31V1X=pNG#De?C#MqmSRVW!bPVV5rHj;*2HOYP0s{MH%7) zyNMMos=%zD(Yej30${MAk_$mKstxUcn_cXFZ;N|!k6Uu_Dc|2LHzIoF0VMmnO9S|9 z+I$aCcW}pUeqzCAM^Zo#%X85a!nAm#UC4DF>o{cV8@$s~--OlMtpQ#}@}67V_h|(x zsMwVg7WF?{LYt7iiENm+YM>YG33C|Lu;#gKdP(fI*bT%^hhYOAkG?Ql%zBLo;4p-5 za{z#nY1J0gmqoOSCc9@Es;Nsyx%kp9EYeAlm1X4xHCd#vtYm9b3a&7wTus_y!XrO| zVbVw(aZFfcW+oM*o5iIfa4s&sQd4z`##MkAp-AmRSHM3?;Df~sD2RUx?@NUNgW;V5~~TT8Wme{HnQN?zyAE!;BU~NdlLMLM*~@^ zmOX87GdM59QWaS-{16?p=O=?zoI!pHp{nRl_{ip^vj;k2=De)p->|o}A6n20+1Bd3 zuxJxHBg&1(Q(Z<{MOroaqk}{$B0#b>nh}a-PZP><*A}=8$M`PWu(8&2gXmY@jb_1W~*>abNO#_u)YjYktmbwYmFZm`h%U->)mEY1`^JHf~fk&}oI z1OB=ReBTBRA4{8@FYQo;VQy1uGe%7Gc@!Uj&c^Y|R`L$?-UE!3WU`^JtU^TtWs&#S zDznPw(ApRa=2;gQXR)3Pg5^Lb?2fR{D(XJ1o9Q3{Cv&*&?77dxH&KQZ4AX6C(YamO zlFl^`Iknv6@uiouw#UE*p@r*Zuq$hH(*;2HDwdG)7TTNiS{;^BXWx4~qR&mv*oR$$ zZ>Rexn<>@}z1p^+!WclWL>P(?^q7yIvO~A#Ryv$jLxm0L{X9MCqDR~v<2ROi!A7b$ 
zpQi?DM;UkL^yCY4O~LVrfUwTik5fndy=0SIy*+}7(&io31~U(jVH?kMuyb`75*Rzw zPU@-;&f$t2V7N^(7$%qv+5-kAxqQW>tKkYkH*=ZE;9Pv?ku zB^{_yG040yggX_fYp+ldY5QsNh>#J?Z|_Z!Pj7rl(y#sAh39f9$z1PF_HGOJ`#)}f z_|x0>=fD5_m987yBE0$SnjdOr@8V(cnnzfA`Rd$$5Pv_a{?JV$aX69U8$xbcTHk=t zhyL6R$GN%w?&8fGZ#21hi`PXWstHv5X@XUtw`tMgtpy0rVuV`@Pf`8%|K9x1cU;S_ z+j#Nv{`IOXVB@w1pK5*FqP#D&HYaa{Fy_GPZzR=+SbunpideCP^}4Zx7OsZ)TsEe) zS2GB7Sd<0SCCufkf4lI;isd0*CV&n{jI^WRHaB46Xab!J)_JF_a(ytsy5Xh$hQ}ei zL8Z%Vf>cx#(XYSz4G($x*Owm`od%XCEc}uEE6om9tOJaJ=eb?x!V`yM1muc{cSk^W zn4KJF!dZr?)-U{TTdY#cqh_abLJ7?CLXb z0DSxegf;VsMS^?Ls-6g@2$BV}*?`9@_Z$A9tyydJ1ROf~fJfKC6Mu1QB@qfG%MBnp z7jzWl(DWDp-(-*RTuAW}4jpK}3`c5`ukFsAuk&@j&e!=mU+3$5ov-tCzRuVAI$!7O Ze4VfJb-vEm`8r?h`hSg~9*6*-000)z$O`}f literal 4955 zcmV-h6Qt}PiwFSii$z!f1MOW|kK8sA_UrVo5bOY+3G6w1#K1VoViE7dJ}eR>ep~M< zYKh&gSXV@8jy3$>w~B{ENhC$7)%FBv0d{vwRUgSBS*$7+HDR7rL7b8DJl;Gy&~*vd zci+9j&#O1DFV#=DUS7St{O%F__X7UCe)IbEqsyz8FD_p_@-7cmA@!;o20u>zaYw?sA_{t(dDTw65#=d-IcKaF3a|Hl5tKpdWkE`Qc+9CD|2Qb& z9edyfNs`}^$g6U%Duay1*eD(71w)1Jt2nDjxd}pY`g>CwzpS$=PKgiYF`TE*eqWtz zN#>X2&pIxFc6D-6-4{v=8lLKz<|Y9N_|@Ch$Lkod5~h()Nl=D6e;sG1-&~!o zPGoU@5mZnsylV#2J*m!CSik`~3MBhrdkN(+rH9-)BMdS|Y3+nP<^3BgQxSI(ue}JW zA69u86FNcCCpJk3VMr)LJDDb8Arz>Vi-2!}5=mRxvhuxeu5>il&`wX_!&ko`WlDi@ z6DNeqf(13}k%dS0LlZR{P+wBeh5_F2?J4nJNf7nK&ARrh3%Z1gu@}xNbGi#k@{pv?D&#JAPVOM}B&HRPZIjRikmi<4myL5L*~i%k?j1hp?!U8H zkLxonNEmNo=pf#axVDmk%420ld_W-oo{Red_27O3#h}?{h+HG|e+5~v?Jpz`V~(Y) zY6sJ80)8LuCNah)%t5uJwg(@QDWLQtDz(FOqeWdFRQf-G#ssaDum1pfQ*`p~qU^IuD@kkSOKlbthT{Cl;mefG;g-#w6(gIO^}98Fs{z!x?s9Dt$| z3}ObPy}7vCM@f0JNC3*(5rfdiRKNS4RwNCpWK!hm?eJNh#T65O+ff`l5{8y6i1${E z)m#B~@7BKNs za<5Jb7-D6PGhifuwuqY*WRZ7U#ySH#B`K_2Uw=~Hf{fCsBghm_XlS4xQjcRx*-wyW zUzncPlV*2X7S;XKCEV-b8^!5Oj5pR423vK{)FaM?u2AI+>4`QXH$_EJviJ}Mg`XPv zO2X@KSNeQ{-1<<9WrU0ucNbd+k*~gru<;woswtwzYgm#+Tj!Dp+2 zFg1Hsp!?xyL@^WNc>=0}s=eZ9J8Obq?a0~0+jElLEQz|yX+@U?WWLUVm?fcka&wLn zSOk{$6dG>}!sTEmC&B&lh%Xj|45~bhK17C;|z&lRC_?;$O&-SFYsQ~WkF%YCRTTSj@yY0u4L;MXW2Ssza4iE35(B>Ppn 
z)gdEDWev6RMEjVl&E|Uy1;ZM};(*;mmYcZDvviVSdzkKG_1xE^HwI^AkJ>{3L(3Ly zIsJpJ_C8;>9bHA?k9(iMkt;zO9*wtIkZ_mA`}}sA(+-6(&8{bu6|+abZ3s$;+c+o2 z_(jyJ$B$BW0N|a0+|uT3__t2%qWPLY(m1y=PR1iRG8ThsVGxLsL1DkhlQ_I*BU}cK zM5HKy8Bobhx-;eZNMPyd(g8s~sH>gG<{3l<*~15x^~CBsB{7XLbhL%iY72){uzc-rcETzcWcM0)v1V{t zfXN99T6tgO&|Ge*##BiA%gq@0Ugil2gW_UT@@;kJ=FZwoKTgLtdfJkBZz$E`!KH5Q zV+$s4H|d{4PHkG5Qk~vo3z9bPs8<&^ByAc_i`0MIAladsOb{&+KDAV7xLvMTje}@l zf4|!x_U?XhPw34S#VTy&=Q1q_1%{SjaivhNQ;|cJVL$)%>hk5A z%fb1tt2f83JQJs*}W;8tWuFfydFDGfF)f4X>2@{z9=)Z!dSuuqW5gLlk z_d;yD6WqLpV!YcO0i9K<8_fYTiez+<#qg5Ed;ilfUXhnovpZi1ZNt$~g;aGGtkpI& z200jM&%8~LPy+2S*^N+49H3psbU3IUtC`cKmZlHOk%8Yk9+nFKG<*pLFHH?+rw# z##4s$PC~RsEYx->zFT*r_q6kLI3SuxU$=@%mH@|N;?f5QwLAP>IJxUD_oeWY-wb&U z!)c#?h%2L-UF0?h%j+qAv!-h!qS~l$7gI)pIbtIB_)q&>Im(6Rr*n?4;}YV`*DLV_%MoLETd04 zEJ}&+c1!8(A;?f|bMsV-Foc&WPF?IaLyBiRRrjYumLZtf2<~DvNjzK#X%1b+JkQes zqejrM^bEwy?!8@Mh%O@)`+eGHnYw_s3n9#?Ao2L}43D@&ty{M!NjBHu*9Yr3iK~0> zlNavt+sykI!@9YFZveKTq>3Xi{g~yEhm~c~e)er0XH7yUyHN(WfLUz-61QPS3Wilz zZs?UH0ShU?4ZRVjcJF6PzzwL%?&c4aUM6uGSF9dXB%_VjrP&+6{5WN!fNwsGFza?G zS;5_#j%Za_EPzr+1C%N3?Vxz!t(k_VH7!UM**NfTR~ef|f{vvYVjv+q0Rt?|LU zu`m&P^4M_2@7nfGBc%sz7%_Va9PNF}qrHXhiocKG-P<5+szVkc4>=sNjCFEAVY#TF z9us>JhoXDHtB@P~(<%n@M0HW8P7~fXbxoSroaUekbF=d7?W|d5dpE+|!Qy~9d2l#j zE{!*Nw%agWdRP!oTs2)saZ{CLmRWuF`$4eVRQN-}zgQk$churAMJUH44p#sk>{vZ% zX$(ih?2hRaW&_|L+XY>({?r>T!!)RP;qbU-Zpxs4a;Jz zwtxGxh|Y@$Wj9E#ZHp4Q{|M3~iO2}y`;9CyM6ah+>WoykdHKERU_bDAEpgRaH0^Az8vaO^bxw`K*J-dD#ZRR0(RC#wFNca})>iOdJ#q%SaJI ziL#*|wtL(LYEInF7_slfCk-Y@PUf-{hCVp2*S5^-!dfpu$sK2UpC)nk(M&5+&jZtJ z1d>i2O%|Ig05=13lZ~LH(3bdK*{aPERKep!CHB_Ii}x8lc5{ zWn@O6o{ACS^V-y+_EZ!O9aelww+8ACF{pYB%L28@If!Yf3^ukg8~-n`WY@5$M{^R# z)CZ)lVzEF(WE0d$#l4g}(~ws=_>eb2-&34Qk??+eeyH3aTS3eeeY~;aYEEyJMQZf$ z&-i2B!nK9M4DeK6>IMdIp3o5y8<^vw!bGu|-1vU<8$Jn~Ha%HZ@9K${+=cvnD(1ya z+0BoF(8n-98Ak+dux%XSM}hnE@LA)}dn$JH@!LAjEA|BpHThMXu>@Of(%!r%LwsO2 zv7$v4nDsL_w>ee-3^r79KB&fKL)+tK7rWot;vU`OmRx+wcQ?zmh)#I`(Y9>U06yt9 
z-#yeF+_9UUSn$b`6ySyOT=a-A4IXJ5a-GIH4B5H{@6^;cVfD6afRmBDezO)OAv{EE_UN}LG7AY(%+1i+bD~u^uqqdmv$oF6v zH4+CLBUYK7sfp1|;%XvrHZHzW)8-V7tpG7Xk=lhWgMXBSbs6iucpYxHy=IG;8$~v= z6o~4~iL4|JWUdlu`aziMmLb(AwRFG}tR}2#RBXkW$h`MIzx&zy6&iFyy!UuCkfmyw z(*{?)^D-<|krl%a(J^~|G+4zMCY2t~8U3FWw}GhBv4e3z|X8SA;ibqs9#)+U8@ zkit!~fzR@6xl6>RL6cr@=c!la%2vhi=o@lav#-}(XQcYLRfgi8o+8f zcvrLqSz51UlF1}fdCUqz=P+!Gc6`BiJi9o>--y;Vm7!7m%HM%!aHja#2}ZUHtVDbm z@YhY?`!;a+7}{igX-88S<~GG9V?;-v2H_6qOdL;5C2v6Q-NHzTMjQInC{#31W_f>g zV^*0QS`%Z&JnIbOEXI>TupFp_?Gg4#Mcu?@H6A43WER(*J$IS-I!d2{VYo0fr(3J?7)b?9i>gl@@1JQ(;YdKTl6O=@7Ta__d{;u#qax z=QRVhr3~A1dh!Ljy5RUoKv-q##;F7TUb0cH&K|)?Y10mCgPDiNu(fA8*tt3k2@DaM4!V^nqAi+D z`zr5jfnxkcqhBpcnW%wzb!?BU8`pY9-Y)nJrt%OZfoe&4>bmNHhsWYFEh@jw<-pLh0(zvpP=0G2rSI^*Dx$~p1W zQ4?1)z$t;_=9E|Gtd4O#m#-NbNhTS8SCZ}7XkN)e@YYO_h03rch3s2|JwL<+eLP3R zDe0gY6}`+0O}Mimwe1x)M9O}eJR+n8bK84s$j3LnB?gRdztx0S32pl^3fJc|X6Mu1QArT5C%MBnp z6?72fQ1lo8UnF4i#uS4@YW}ukFqquj6&Rj@R)zUdQWr9k1hcypGrLI$p=? Zcpb0fb-a$(@j71Y`aef%?2rJU006)Eq#pnP diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 3a502cbb..c2288f89 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -35720,7 +35720,7 @@ index 187f04f..cf0af09 100644 interface(`hostname_exec',` gen_require(` diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te -index 24a7889..a3d8f1a 100644 +index 24a7889..619b32e 100644 --- a/policy/modules/system/hostname.te +++ b/policy/modules/system/hostname.te @@ -23,33 +23,36 @@ dontaudit hostname_t self:capability sys_tty_config; @@ -35763,7 +35763,7 @@ index 24a7889..a3d8f1a 100644 sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t) sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t) -@@ -57,6 +60,14 @@ sysnet_read_config(hostname_t) +@@ -57,10 +60,22 @@ sysnet_read_config(hostname_t) sysnet_dns_name_resolve(hostname_t) optional_policy(` 
@@ -35778,6 +35778,14 @@ index 24a7889..a3d8f1a 100644 nis_use_ypbind(hostname_t) ') + optional_policy(` ++ rhcs_manage_cluster_tmp_files(hostname_t) ++') ++ ++optional_policy(` + xen_append_log(hostname_t) + xen_dontaudit_use_fds(hostname_t) + ') diff --git a/policy/modules/system/hotplug.fc b/policy/modules/system/hotplug.fc index caf736b..91c4c6f 100644 --- a/policy/modules/system/hotplug.fc diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index b1004d02..15d2d0bb 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -3203,10 +3203,10 @@ index 0000000..36251b9 +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..6bd2eb9 +index 0000000..c679dd3 --- /dev/null +++ b/antivirus.te -@@ -0,0 +1,273 @@ +@@ -0,0 +1,274 @@ +policy_module(antivirus, 1.0.0) + +######################################## @@ -3298,7 +3298,8 @@ index 0000000..6bd2eb9 +manage_dirs_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t) +manage_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t) +manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t) -+files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir sock_file } ) ++manage_lnk_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t) ++files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir lnk_file sock_file } ) + +manage_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t) +manage_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t) @@ -20913,7 +20914,7 @@ index 3023be7..5afde80 100644 + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") ') diff --git a/cups.te b/cups.te -index c91813c..c3820a5 100644 +index c91813c..6f66ea4 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) 
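Review bot: The new `rhcs_manage_cluster_tmp_files(hostname_t)` block gives hostname_t the full manage set on cluster_tmp_t files, and neither the rule nor its changelog entry records which access was denied; the entry carries no bug reference. If the denial was only hostname writing to a file a cluster script had already opened and redirected (an inference, the audit record is not on the page), then create and unlink are more than the domain needs. I would put the reason above the call, along the lines of `# <what runs hostname and why it touches cluster_tmp_t> (bug <bug-id>)`, and check the audit record to see whether a narrower grant would do.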
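Review bot: `manage_lnk_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)` and the `lnk_file` added to `files_tmp_filetrans` are granted to `antivirus_domain`, which by its name looks like an attribute shared by every scanner domain rather than the one that hit the denial. Scanners handle untrusted files and /tmp is shared, so symlink creation there deserves a stated reason, and the changelog entry gives no bug number. Suggest a comment above the two lines such as `# <domain>: <why it creates symlinks in /tmp> (bug <bug-id>)`, or scoping the rule to the single domain if only one needs it. The cups.te hunk makes the same pair of additions, but it is scoped to cupsd_t and cites BZ(1401634).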
@@ -21095,7 +21096,8 @@ index c91813c..c3820a5 100644 manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) +manage_lnk_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) - files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file }) +-files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file }) ++files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file lnk_file }) +allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms; manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) @@ -45951,7 +45953,7 @@ index dff21a7..b6981c8 100644 init_labeled_script_domtrans($1, lircd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/lircd.te b/lircd.te -index 483c87b..0a54c6d 100644 +index 483c87b..f68ee3a 100644 --- a/lircd.te +++ b/lircd.te @@ -13,7 +13,7 @@ type lircd_initrc_exec_t; @@ -45992,7 +45994,7 @@ index 483c87b..0a54c6d 100644 +term_use_unallocated_ttys(lircd_t) -logging_send_syslog_msg(lircd_t) -+auth_read_passwd(lircd_t) ++auth_use_nsswitch(lircd_t) -miscfiles_read_localization(lircd_t) +logging_send_syslog_msg(lircd_t) @@ -91366,6 +91368,20 @@ index 2da9fca..6935f5c 100644 kerberos_use(gssd_t) ') +diff --git a/rpcbind.fc b/rpcbind.fc +index d31220e..c84a461 100644 +--- a/rpcbind.fc ++++ b/rpcbind.fc +@@ -1,6 +1,9 @@ + /etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0) + ++/usr/lib/systemd/system/rpcbind\.service -- gen_context(system_u:object_r:rpcbind_unit_file_t,s0) ++ + /sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) ++/bin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) + + /usr/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) + diff --git a/rpcbind.if b/rpcbind.if index 3b5e9ee..ff1163f 100644 --- a/rpcbind.if @@ -91521,7 +91537,7 @@ index 3b5e9ee..ff1163f 100644 + admin_pattern($1, rpcbind_var_run_t) ') 
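Review bot: Replacing `auth_read_passwd(lircd_t)` with `auth_use_nsswitch(lircd_t)` widens the domain rather than fixing it like for like. The nsswitch interface is the broad one, meant for domains that resolve names through any configured backend, network ones included. If the denial behind BZ(1401375) was only a user or group lookup against local files, the narrower call it replaces may have been close to sufficient. I would record the denied access next to the new line, e.g. `# needs <lookup> through <backend>, bug 1401375`, so the broader grant can be revisited later.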
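Review bot: The added file-context entry in rpcbind.fc is for `/bin/rpcbind`, while the changelog says `/usr/bin/rpcbind`. Likewise, the unit-file entry uses `/usr/lib/systemd/system/rpcbind\.service` where the changelog writes `/usr/lib/systemd/systemd/`. Unless the policy build or a path-equivalence rule maps /bin onto /usr/bin (not visible here), a binary installed under /usr/bin will not match the new entry and would likely keep a generic label instead of `rpcbind_exec_t`. I would add `/usr/bin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)` next to the existing `/usr/sbin/rpcbind` entry, or confirm the label with `matchpathcon /usr/bin/rpcbind` on a built policy, and correct the changelog paths.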
diff --git a/rpcbind.te b/rpcbind.te -index 54de77c..0ee4cc1 100644 +index 54de77c..4ce4fb9 100644 --- a/rpcbind.te +++ b/rpcbind.te @@ -12,6 +12,9 @@ init_daemon_domain(rpcbind_t, rpcbind_exec_t) @@ -91534,7 +91550,15 @@ index 54de77c..0ee4cc1 100644 type rpcbind_var_run_t; files_pid_file(rpcbind_var_run_t) init_daemon_run_dir(rpcbind_var_run_t, "rpcbind") -@@ -24,11 +27,15 @@ files_type(rpcbind_var_lib_t) +@@ -19,16 +22,23 @@ init_daemon_run_dir(rpcbind_var_run_t, "rpcbind") + type rpcbind_var_lib_t; + files_type(rpcbind_var_lib_t) + ++type rpcbind_unit_file_t; ++systemd_unit_file(rpcbind_unit_file_t) ++ + ######################################## + # # Local policy # @@ -91551,7 +91575,7 @@ index 54de77c..0ee4cc1 100644 manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t) manage_sock_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t) files_pid_filetrans(rpcbind_t, rpcbind_var_run_t, { file sock_file }) -@@ -42,7 +49,6 @@ kernel_read_system_state(rpcbind_t) +@@ -42,7 +52,6 @@ kernel_read_system_state(rpcbind_t) kernel_read_network_state(rpcbind_t) kernel_request_load_module(rpcbind_t) @@ -91559,7 +91583,7 @@ index 54de77c..0ee4cc1 100644 corenet_all_recvfrom_netlabel(rpcbind_t) corenet_tcp_sendrecv_generic_if(rpcbind_t) corenet_udp_sendrecv_generic_if(rpcbind_t) -@@ -68,7 +74,11 @@ auth_use_nsswitch(rpcbind_t) +@@ -68,7 +77,11 @@ auth_use_nsswitch(rpcbind_t) logging_send_syslog_msg(rpcbind_t) @@ -105766,7 +105790,7 @@ index 2ac91b6..a97033d 100644 ') + diff --git a/svnserve.te b/svnserve.te -index 49d688d..f07cc80 100644 +index 49d688d..451a647 100644 --- a/svnserve.te +++ b/svnserve.te @@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t) 
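Review bot: `type rpcbind_unit_file_t;` is declared here after `rpcbind_var_lib_t`, but the inner hunk just above (`@@ -12,6 +12,9 @@`) already adds three lines ahead of `type rpcbind_var_run_t;`, and their content is outside this hunk. If those lines are an earlier declaration of the same type, this one is a duplicate and the module will not compile, so the full rpcbind.te section of the patch should be checked before merging. If it is not a duplicate, a one-line comment such as `# systemd unit file for rpcbind` above the declaration would match how the other file types are introduced.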
@@ -105810,11 +105834,12 @@ index 49d688d..f07cc80 100644 corenet_all_recvfrom_unlabeled(svnserve_t) corenet_all_recvfrom_netlabel(svnserve_t) corenet_tcp_sendrecv_generic_if(svnserve_t) -@@ -52,8 +60,8 @@ corenet_tcp_sendrecv_svn_port(svnserve_t) +@@ -52,8 +60,9 @@ corenet_tcp_sendrecv_svn_port(svnserve_t) corenet_udp_bind_svn_port(svnserve_t) corenet_udp_sendrecv_svn_port(svnserve_t) -logging_send_syslog_msg(svnserve_t) ++dev_read_rand(svnserve_t) +dev_read_urand(svnserve_t) -miscfiles_read_localization(svnserve_t) @@ -109267,10 +109292,10 @@ index 0000000..46f12a4 +') diff --git a/tlp.te b/tlp.te new file mode 100644 -index 0000000..7c81c68 +index 0000000..98e708a --- /dev/null +++ b/tlp.te -@@ -0,0 +1,54 @@ +@@ -0,0 +1,55 @@ +policy_module(tlp, 1.0.0) + +######################################## @@ -109295,6 +109320,7 @@ index 0000000..7c81c68 +allow tlp_t self:capability { net_admin sys_rawio }; +allow tlp_t self:unix_stream_socket create_stream_socket_perms; +allow tlp_t self:udp_socket create_socket_perms; ++allow tlp_t self:unix_dgram_socket create_socket_perms; + +manage_dirs_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t) +manage_files_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 13322fc6..05fb6c45 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 228%{?dist} +Release: 229%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -675,6 +675,15 @@ exit 0
 %endif
 %changelog
+* Wed Dec 07 2016 Lukas Vrabec - 3.13.1-229
+- Label /usr/bin/rpcbind as rpcbind_exec_t. Label /usr/lib/systemd/systemd/rpcbind.service
+- Allot tlp domain to create unix_dgram sockets BZ(1401233)
+- Allow antivirus domain to create lnk_files in /tmp
+- Allow cupsd_t to create lnk_files in /tmp. BZ(1401634)
+- Allow svnserve_t domain to read /dev/random BZ(1401827)
+- Allow lircd to use nsswitch. BZ(1401375)
+- Allow hostname_t domain to manage cluster_tmp_t files
+
 * Mon Dec 05 2016 Lukas Vrabec - 3.13.1-228
 - Fix some boolean descriptions.
 - Add fwupd_dbus_chat() interface