* Thu Jun 08 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-257

- Merge pull request #10 from mscherer/fix_tor_dac - Merge pull request #9 from rhatdan/rawhide - Merge pull request #13 from vinzent/allow_zabbix_t_to_kill_zabbix_script_t - Allow kdumpgui to read removable disk device - Allow systemd_dbusd_t domain read/write to nvme devices - Allow udisks2 domain to read removable devices BZ(1443981) - Allow virtlogd_t to execute itself - Allow keepalived to read/write usermodehelper state - Allow named_t to bind on udp 4321 port - Fix interface tlp_manage_pid_files() - Allow collectd domain read lvm config files. BZ(1459097) - Merge branch 'rawhide' of github.com:wrabcak/selinux-policy-contrib into rawhide - Allow samba_manage_home_dirs boolean to manage user content - Merge pull request #14 from lemenkov/rabbitmq_systemd_notify - Allow pki_tomcat_t execute ldconfig. - Merge pull request #191 from rhatdan/udev - Allow systemd_modules_load_t to load modules
2017-06-08 12:25:29 +02:00 · 2017-06-08 12:25:29 +02:00 · 7ac1cbb003
parent 941d5af493
commit 7ac1cbb003
4 changed files with 214 additions and 156 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -47930,10 +47930,10 @@ index 0000000..3303edd
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..746fc9d
+index 0000000..54d6359
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,1018 @@
+@@ -0,0 +1,1020 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -48916,6 +48916,8 @@ index 0000000..746fc9d
 +# systemd_modules_load domain
 +#
 +
 +allow systemd_modules_load_t self:system module_load;
 +
 +kernel_dgram_send(systemd_modules_load_t)
 +kernel_load_module(systemd_modules_load_t)
 +
@ -49250,7 +49252,7 @@ index 9a1650d..d7e8a01 100644
 ########################################
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 39f185f..b41b341 100644
+index 39f185f..a313a7d 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
@ -49280,7 +49282,7 @@ index 39f185f..b41b341 100644
 -allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
 +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
-+allow udev_t self:capability2 { block_suspend };
+allow udev_t self:capability2 { block_suspend wake_alarm };
 dontaudit udev_t self:capability sys_tty_config;
 -allow udev_t self:capability2 block_suspend;
 -allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -9823,7 +9823,7 @@ index 531a8f2..3fcf187 100644
 +	allow $1 named_unit_file_t:service all_service_perms;
 ')
 diff --git a/bind.te b/bind.te
-index 1241123..4ec3437 100644
+index 1241123..fc5eb99 100644
 --- a/bind.te
 +++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@ -9885,7 +9885,7 @@ index 1241123..4ec3437 100644
 corenet_all_recvfrom_netlabel(named_t)
 corenet_tcp_sendrecv_generic_if(named_t)
 corenet_udp_sendrecv_generic_if(named_t)
-@@ -127,6 +130,12 @@ corenet_udp_bind_generic_node(named_t)
+@@ -127,9 +130,15 @@ corenet_udp_bind_generic_node(named_t)
 corenet_sendrecv_all_server_packets(named_t)
 corenet_tcp_bind_dns_port(named_t)
 corenet_udp_bind_dns_port(named_t)
@ -9897,6 +9897,10 @@ index 1241123..4ec3437 100644
 +corenet_udp_bind_bgp_port(named_t)
 corenet_tcp_sendrecv_dns_port(named_t)
 corenet_udp_sendrecv_dns_port(named_t)
 -
 +corenet_udp_bind_whois_port(named_t)
 corenet_tcp_bind_rndc_port(named_t)
 corenet_tcp_sendrecv_rndc_port(named_t)
@@ -141,9 +150,13 @@ corenet_sendrecv_all_client_packets(named_t)
 corenet_tcp_connect_all_ports(named_t)
@ -15713,7 +15717,7 @@ index 954309e..6780142 100644
 ')
 +
 diff --git a/collectd.te b/collectd.te
-index 6471fa8..cb6a356 100644
+index 6471fa8..228b603 100644
 --- a/collectd.te
 +++ b/collectd.te
@@ -26,43 +26,61 @@ files_type(collectd_var_lib_t)
@ -15788,10 +15792,12 @@ index 6471fa8..cb6a356 100644
 logging_send_syslog_msg(collectd_t)
-@@ -74,17 +92,45 @@ tunable_policy(`collectd_tcp_network_connect',`
+@@ -75,16 +93,47 @@ tunable_policy(`collectd_tcp_network_connect',`
 	corenet_tcp_sendrecv_all_ports(collectd_t)
 ')
 optional_policy(`
 +    lvm_read_config(collectd_t)
 +')
 +
 +optional_policy(`
 +	pdns_stream_connect(collectd_t)
@ -15813,7 +15819,7 @@ index 6471fa8..cb6a356 100644
 +    snmp_read_snmp_var_lib_dirs(collectd_t)
 +')
 +
- optional_policy(`
+optional_policy(`
 	virt_read_config(collectd_t)
 +	virt_stream_connect(collectd_t)
 ')
@ -23240,7 +23246,7 @@ index 62d22cb..1287d08 100644
 +
 ')
 diff --git a/dbus.te b/dbus.te
-index c9998c8..8b447a3 100644
+index c9998c8..27182fd 100644
 --- a/dbus.te
 +++ b/dbus.te
@@ -4,17 +4,15 @@ gen_require(`
@ -23284,7 +23290,7 @@ index c9998c8..8b447a3 100644
 ifdef(`enable_mcs',`
 	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
-@@ -51,59 +47,62 @@ ifdef(`enable_mls',`
+@@ -51,59 +47,64 @@ ifdef(`enable_mls',`
 	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
 ')
@ -23349,6 +23355,8 @@ index c9998c8..8b447a3 100644
 -files_list_home(system_dbusd_t)
 -files_read_usr_files(system_dbusd_t)
 +dev_rw_nvme(system_dbusd_t)
 +
 +files_rw_inherited_non_security_files(system_dbusd_t)
 fs_getattr_all_fs(system_dbusd_t)
@ -23364,7 +23372,7 @@ index c9998c8..8b447a3 100644
 mls_fd_use_all_levels(system_dbusd_t)
 mls_rangetrans_target(system_dbusd_t)
 mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +122,174 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +124,174 @@ term_dontaudit_use_console(system_dbusd_t)
 auth_use_nsswitch(system_dbusd_t)
 auth_read_pam_console_data(system_dbusd_t)
@ -23413,10 +23421,9 @@ index c9998c8..8b447a3 100644
 optional_policy(`
 -	policykit_read_lib(system_dbusd_t)
 +	cpufreqselector_dbus_chat(system_dbusd_t)
- ')
+')
- 
+
- optional_policy(`
+optional_policy(`
 -	seutil_sigchld_newrole(system_dbusd_t)
 +	getty_start_services(system_dbusd_t)
 +')
 +
@ -23442,9 +23449,10 @@ index c9998c8..8b447a3 100644
 +
 +optional_policy(`
 +    snapper_read_inherited_pipe(system_dbusd_t)
-+')
+ ')
-+
+ 
-+optional_policy(`
+ optional_policy(`
 -	seutil_sigchld_newrole(system_dbusd_t)
 +	sysnet_domtrans_dhcpc(system_dbusd_t)
 +')
 +
@ -23486,7 +23494,7 @@ index c9998c8..8b447a3 100644
 +allow system_bus_type system_dbusd_t:unix_stream_socket rw_socket_perms;
 +
 +fs_search_all(system_bus_type)
- 
+
 +dbus_system_bus_client(system_bus_type)
 +dbus_connect_system_bus(system_bus_type)
 +
@ -23516,7 +23524,7 @@ index c9998c8..8b447a3 100644
 +ifdef(`hide_broken_symptoms',`
 +	dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
 +')
-+
+ 
 +########################################
 +#
 +# session_bus_type rules
@ -23553,7 +23561,7 @@ index c9998c8..8b447a3 100644
 kernel_read_kernel_sysctls(session_bus_type)
 corecmd_list_bin(session_bus_type)
-@@ -191,23 +298,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +300,18 @@ corecmd_read_bin_files(session_bus_type)
 corecmd_read_bin_pipes(session_bus_type)
 corecmd_read_bin_sockets(session_bus_type)
@ -23578,7 +23586,7 @@ index c9998c8..8b447a3 100644
 files_dontaudit_search_var(session_bus_type)
 fs_getattr_romfs(session_bus_type)
-@@ -215,7 +317,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +319,6 @@ fs_getattr_xattr_fs(session_bus_type)
 fs_list_inotifyfs(session_bus_type)
 fs_dontaudit_list_nfs(session_bus_type)
@ -23586,7 +23594,7 @@ index c9998c8..8b447a3 100644
 selinux_validate_context(session_bus_type)
 selinux_compute_access_vector(session_bus_type)
 selinux_compute_create_context(session_bus_type)
-@@ -225,18 +326,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +328,36 @@ selinux_compute_user_contexts(session_bus_type)
 auth_read_pam_console_data(session_bus_type)
 logging_send_audit_msgs(session_bus_type)
@ -23628,7 +23636,7 @@ index c9998c8..8b447a3 100644
 ')
 ########################################
-@@ -244,5 +363,9 @@ optional_policy(`
+@@ -244,5 +365,9 @@ optional_policy(`
 # Unconfined access to this module
 #
@ -42717,10 +42725,10 @@ index 182ab8b..8b1d9c2 100644
 +')
 +
 diff --git a/kdumpgui.te b/kdumpgui.te
-index 2990962..abd217f 100644
+index 2990962..6629aaf 100644
 --- a/kdumpgui.te
 +++ b/kdumpgui.te
-@@ -5,79 +5,89 @@ policy_module(kdumpgui, 1.2.0)
+@@ -5,79 +5,90 @@ policy_module(kdumpgui, 1.2.0)
 # Declarations
 #
@ -42784,8 +42792,10 @@ index 2990962..abd217f 100644
 fs_list_hugetlbfs(kdumpgui_t)
 -fs_read_dos_files(kdumpgui_t)
- storage_raw_read_fixed_disk(kdumpgui_t)
+-storage_raw_read_fixed_disk(kdumpgui_t)
 storage_raw_write_fixed_disk(kdumpgui_t)
 +storage_raw_read_removable_device(kdumpgui_t)
 +storage_raw_read_fixed_disk(kdumpgui_t)
 +storage_getattr_removable_dev(kdumpgui_t)
 auth_use_nsswitch(kdumpgui_t)
@ -42829,7 +42839,7 @@ index 2990962..abd217f 100644
 ')
 optional_policy(`
-@@ -87,4 +97,10 @@ optional_policy(`
+@@ -87,4 +98,10 @@ optional_policy(`
 optional_policy(`
 	kdump_manage_config(kdumpgui_t)
 	kdump_initrc_domtrans(kdumpgui_t)
@ -42941,7 +42951,7 @@ index 0000000..bd7e7fa
 +')
 diff --git a/keepalived.te b/keepalived.te
 new file mode 100644
-index 0000000..c4f0c32
+index 0000000..04c46e7
 --- /dev/null
 +++ b/keepalived.te
@@ -0,0 +1,95 @@
@ -42985,7 +42995,7 @@ index 0000000..c4f0c32
 +kernel_read_system_state(keepalived_t)
 +kernel_read_network_state(keepalived_t)
 +kernel_request_load_module(keepalived_t)
-+kernel_read_usermodehelper_state(keepalived_t)
+kernel_rw_usermodehelper_state(keepalived_t)
 +
 +auth_use_nsswitch(keepalived_t)
 +
@ -72991,10 +73001,10 @@ index 0000000..f18fcc6
 +')
 diff --git a/pki.te b/pki.te
 new file mode 100644
-index 0000000..555b44a
+index 0000000..94da39a
 --- /dev/null
 +++ b/pki.te
-@@ -0,0 +1,283 @@
+@@ -0,0 +1,285 @@
 +policy_module(pki,10.0.11)
 +
 +########################################
@ -73121,6 +73131,8 @@ index 0000000..555b44a
 +
 +selinux_get_enforce_mode(pki_tomcat_t)
 +
 +libs_exec_ldconfig(pki_tomcat_t)
 +
 +logging_send_audit_msgs(pki_tomcat_t)
 +
 +miscfiles_read_hwdata(pki_tomcat_t)
@ -84656,7 +84668,7 @@ index 2c3d338..7d49554 100644
 	init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
 	domain_system_change_exemption($1)
 diff --git a/rabbitmq.te b/rabbitmq.te
-index dc3b0ed..b0ae2c6 100644
+index dc3b0ed..37aa9a7 100644
 --- a/rabbitmq.te
 +++ b/rabbitmq.te
@@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.2)
@ -84690,7 +84702,7 @@ index dc3b0ed..b0ae2c6 100644
 type rabbitmq_var_log_t;
 logging_log_file(rabbitmq_var_log_t)
-@@ -27,98 +31,93 @@ files_pid_file(rabbitmq_var_run_t)
+@@ -27,98 +31,96 @@ files_pid_file(rabbitmq_var_run_t)
 ######################################
 #
@ -84793,6 +84805,7 @@ index dc3b0ed..b0ae2c6 100644
 +allow rabbitmq_t self:process { setsched signal signull };
 +allow rabbitmq_t self:fifo_file rw_fifo_file_perms;
 +allow rabbitmq_t self:tcp_socket { accept listen };
 +allow rabbitmq_t self:unix_dgram_socket { connect create getopt setopt write };
 +
 +manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
 +manage_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
@ -84813,6 +84826,8 @@ index dc3b0ed..b0ae2c6 100644
 +manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
 +files_pid_filetrans(rabbitmq_t, rabbitmq_var_run_t, { dir file })
 +
 +kernel_dgram_send(rabbitmq_t)
 +
 +kernel_read_system_state(rabbitmq_t)
 +kernel_read_fs_sysctls(rabbitmq_t)
 +
@ -96185,7 +96200,7 @@ index 50d07fb..a34db48 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
 ')
 diff --git a/samba.te b/samba.te
-index 2b7c441..0aaed65 100644
+index 2b7c441..09e193b 100644
 --- a/samba.te
 +++ b/samba.te
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@ -96717,7 +96732,7 @@ index 2b7c441..0aaed65 100644
 ')
 tunable_policy(`samba_domain_controller',`
-@@ -419,20 +459,10 @@ tunable_policy(`samba_domain_controller',`
+@@ -419,20 +459,16 @@ tunable_policy(`samba_domain_controller',`
 ')
 tunable_policy(`samba_enable_home_dirs',`
@ -96726,21 +96741,25 @@ index 2b7c441..0aaed65 100644
 -	userdom_manage_user_home_content_symlinks(smbd_t)
 -	userdom_manage_user_home_content_sockets(smbd_t)
 -	userdom_manage_user_home_content_pipes(smbd_t)
-')
+	userdom_manage_user_home_content(smbd_t)
-
+ ')
 -tunable_policy(`samba_portmapper',`
 -	corenet_sendrecv_all_server_packets(smbd_t)
 -	corenet_tcp_bind_epmap_port(smbd_t)
 -	corenet_tcp_bind_all_unreserved_ports(smbd_t)
 -	corenet_tcp_sendrecv_all_ports(smbd_t)
-+	userdom_manage_user_home_content(smbd_t)
+optional_policy(`
 +    tunable_policy(`samba_enable_home_dirs',`
 +        apache_manage_user_content(smbd_t)
 +    ')
 ')
 +# Support Samba sharing of NFS mount points
 tunable_policy(`samba_share_nfs',`
 	fs_manage_nfs_dirs(smbd_t)
 	fs_manage_nfs_files(smbd_t)
-@@ -441,6 +471,7 @@ tunable_policy(`samba_share_nfs',`
+@@ -441,6 +477,7 @@ tunable_policy(`samba_share_nfs',`
 	fs_manage_nfs_named_sockets(smbd_t)
 ')
@ -96748,7 +96767,7 @@ index 2b7c441..0aaed65 100644
 tunable_policy(`samba_share_fusefs',`
 	fs_manage_fusefs_dirs(smbd_t)
 	fs_manage_fusefs_files(smbd_t)
-@@ -448,15 +479,10 @@ tunable_policy(`samba_share_fusefs',`
+@@ -448,15 +485,10 @@ tunable_policy(`samba_share_fusefs',`
 	fs_search_fusefs(smbd_t)
 ')
@ -96768,7 +96787,7 @@ index 2b7c441..0aaed65 100644
 ')
 optional_policy(`
-@@ -466,6 +492,7 @@ optional_policy(`
+@@ -466,6 +498,7 @@ optional_policy(`
 optional_policy(`
 	ctdbd_stream_connect(smbd_t)
 	ctdbd_manage_lib_files(smbd_t)
@ -96776,7 +96795,7 @@ index 2b7c441..0aaed65 100644
 ')
 optional_policy(`
-@@ -474,11 +501,31 @@ optional_policy(`
+@@ -474,11 +507,31 @@ optional_policy(`
 ')
 optional_policy(`
@ -96808,7 +96827,7 @@ index 2b7c441..0aaed65 100644
 	lpd_exec_lpr(smbd_t)
 ')
-@@ -488,6 +535,10 @@ optional_policy(`
+@@ -488,6 +541,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -96819,7 +96838,7 @@ index 2b7c441..0aaed65 100644
 	rpc_search_nfs_state_data(smbd_t)
 ')
-@@ -499,12 +550,53 @@ optional_policy(`
+@@ -499,12 +556,53 @@ optional_policy(`
 	udev_read_db(smbd_t)
 ')
@ -96874,7 +96893,7 @@ index 2b7c441..0aaed65 100644
 allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow nmbd_t self:fd use;
 allow nmbd_t self:fifo_file rw_fifo_file_perms;
-@@ -512,9 +604,11 @@ allow nmbd_t self:msg { send receive };
+@@ -512,9 +610,11 @@ allow nmbd_t self:msg { send receive };
 allow nmbd_t self:msgq create_msgq_perms;
 allow nmbd_t self:sem create_sem_perms;
 allow nmbd_t self:shm create_shm_perms;
@ -96889,7 +96908,7 @@ index 2b7c441..0aaed65 100644
 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
 manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +620,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +626,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
 read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
 manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@ -96914,7 +96933,7 @@ index 2b7c441..0aaed65 100644
 kernel_getattr_core_if(nmbd_t)
 kernel_getattr_message_if(nmbd_t)
-@@ -547,53 +637,44 @@ kernel_read_kernel_sysctls(nmbd_t)
+@@ -547,53 +643,44 @@ kernel_read_kernel_sysctls(nmbd_t)
 kernel_read_network_state(nmbd_t)
 kernel_read_software_raid_state(nmbd_t)
 kernel_read_system_state(nmbd_t)
@ -96983,7 +97002,7 @@ index 2b7c441..0aaed65 100644
 ')
 optional_policy(`
-@@ -606,18 +687,29 @@ optional_policy(`
+@@ -606,18 +693,29 @@ optional_policy(`
 ########################################
 #
@ -97019,7 +97038,7 @@ index 2b7c441..0aaed65 100644
 samba_read_config(smbcontrol_t)
 samba_search_var(smbcontrol_t)
-@@ -627,39 +719,38 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,39 +725,38 @@ domain_use_interactive_fds(smbcontrol_t)
 dev_read_urand(smbcontrol_t)
@ -97071,7 +97090,7 @@ index 2b7c441..0aaed65 100644
 allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -668,26 +759,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +765,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
 files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@ -97107,7 +97126,7 @@ index 2b7c441..0aaed65 100644
 fs_getattr_cifs(smbmount_t)
 fs_mount_cifs(smbmount_t)
-@@ -699,58 +786,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +792,77 @@ fs_read_cifs_files(smbmount_t)
 storage_raw_read_fixed_disk(smbmount_t)
 storage_raw_write_fixed_disk(smbmount_t)
@ -97199,7 +97218,7 @@ index 2b7c441..0aaed65 100644
 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
 manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +865,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +871,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
 manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
 files_pid_filetrans(swat_t, swat_var_run_t, file)
@ -97223,7 +97242,7 @@ index 2b7c441..0aaed65 100644
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
-@@ -777,36 +879,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +885,25 @@ kernel_read_network_state(swat_t)
 corecmd_search_bin(swat_t)
@ -97266,7 +97285,7 @@ index 2b7c441..0aaed65 100644
 auth_domtrans_chk_passwd(swat_t)
 auth_use_nsswitch(swat_t)
-@@ -818,10 +909,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +915,11 @@ logging_send_syslog_msg(swat_t)
 logging_send_audit_msgs(swat_t)
 logging_search_logs(swat_t)
@ -97280,7 +97299,7 @@ index 2b7c441..0aaed65 100644
 optional_policy(`
 	cups_read_rw_config(swat_t)
 	cups_stream_connect(swat_t)
-@@ -840,17 +932,20 @@ optional_policy(`
+@@ -840,17 +938,20 @@ optional_policy(`
 # Winbind local policy
 #
@ -97307,7 +97326,7 @@ index 2b7c441..0aaed65 100644
 allow winbind_t samba_etc_t:dir list_dir_perms;
 read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +955,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +961,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
 filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
 manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@ -97318,7 +97337,7 @@ index 2b7c441..0aaed65 100644
 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
 manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,38 +966,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,38 +972,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
 rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@ -97372,7 +97391,7 @@ index 2b7c441..0aaed65 100644
 corenet_tcp_connect_smbd_port(winbind_t)
 corenet_tcp_connect_epmap_port(winbind_t)
 corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,38 +1009,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,38 +1015,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
 dev_read_sysfs(winbind_t)
 dev_read_urand(winbind_t)
@ -97431,7 +97450,7 @@ index 2b7c441..0aaed65 100644
 ')
 optional_policy(`
-@@ -959,31 +1070,36 @@ optional_policy(`
+@@ -959,31 +1076,36 @@ optional_policy(`
 # Winbind helper local policy
 #
@ -97475,7 +97494,7 @@ index 2b7c441..0aaed65 100644
 optional_policy(`
 	apache_append_log(winbind_helper_t)
-@@ -997,25 +1113,38 @@ optional_policy(`
+@@ -997,25 +1119,38 @@ optional_policy(`
 ########################################
 #
@ -110367,7 +110386,7 @@ index 0000000..eef708d
 +/var/run/tlp(/.*)?		gen_context(system_u:object_r:tlp_var_run_t,s0)
 diff --git a/tlp.if b/tlp.if
 new file mode 100644
-index 0000000..46f12a4
+index 0000000..368e188
 --- /dev/null
 +++ b/tlp.if
@@ -0,0 +1,184 @@
@ -110510,7 +110529,7 @@ index 0000000..46f12a4
 +	')
 +
 +	files_search_pids($1)
-+	read_files_pattern($1, tlp_var_run_t, tlp_var_run_t)
+	manage_files_pattern($1, tlp_var_run_t, tlp_var_run_t)
 +')
 +
 +########################################
@ -111401,10 +111420,10 @@ index 61c2e07..3b86095 100644
 +	')
 ')
 diff --git a/tor.te b/tor.te
-index 5ceacde..c919a2d 100644
+index 5ceacde..a395940 100644
 --- a/tor.te
 +++ b/tor.te
-@@ -13,6 +13,13 @@ policy_module(tor, 1.9.0)
+@@ -13,6 +13,20 @@ policy_module(tor, 1.9.0)
 ## </desc>
 gen_tunable(tor_bind_all_unreserved_ports, false)
@ -111414,11 +111433,18 @@ index 5ceacde..c919a2d 100644
 +## </p>
 +## </desc>
 +gen_tunable(tor_can_network_relay, false)
 +
 +## <desc>
 +## <p>
 +## Allow tor to run onion services
 +## </p>
 +## </desc>
 +gen_tunable(tor_can_onion_services, false)
 +
 type tor_t;
 type tor_exec_t;
 init_daemon_domain(tor_t, tor_exec_t)
-@@ -25,13 +32,19 @@ init_script_file(tor_initrc_exec_t)
+@@ -25,13 +39,19 @@ init_script_file(tor_initrc_exec_t)
 type tor_var_lib_t;
 files_type(tor_var_lib_t)
@ -111438,7 +111464,7 @@ index 5ceacde..c919a2d 100644
 ########################################
 #
-@@ -48,6 +61,8 @@ allow tor_t tor_etc_t:dir list_dir_perms;
+@@ -48,6 +68,8 @@ allow tor_t tor_etc_t:dir list_dir_perms;
 allow tor_t tor_etc_t:file read_file_perms;
 allow tor_t tor_etc_t:lnk_file read_lnk_file_perms;
@ -111447,7 +111473,7 @@ index 5ceacde..c919a2d 100644
 manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
 manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
 manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
-@@ -77,7 +92,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
+@@ -77,7 +99,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
 corenet_udp_sendrecv_generic_node(tor_t)
 corenet_tcp_bind_generic_node(tor_t)
 corenet_udp_bind_generic_node(tor_t)
@ -111455,7 +111481,7 @@ index 5ceacde..c919a2d 100644
 corenet_sendrecv_dns_server_packets(tor_t)
 corenet_udp_bind_dns_port(tor_t)
 corenet_udp_sendrecv_dns_port(tor_t)
-@@ -85,6 +99,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
+@@ -85,6 +106,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
 corenet_sendrecv_tor_server_packets(tor_t)
 corenet_tcp_bind_tor_port(tor_t)
 corenet_tcp_sendrecv_tor_port(tor_t)
@ -111463,7 +111489,7 @@ index 5ceacde..c919a2d 100644
 corenet_sendrecv_all_client_packets(tor_t)
 corenet_tcp_connect_all_ports(tor_t)
-@@ -98,19 +113,22 @@ dev_read_urand(tor_t)
+@@ -98,19 +120,26 @@ dev_read_urand(tor_t)
 domain_use_interactive_fds(tor_t)
 files_read_etc_runtime_files(tor_t)
@ -111485,6 +111511,10 @@ index 5ceacde..c919a2d 100644
 +	corenet_tcp_connect_all_ephemeral_ports(tor_t)
 +	corenet_tcp_bind_http_port(tor_t)
 +')
 +
 +tunable_policy(`tor_can_onion_services',`
 +    allow tor_t self:capability { dac_read_search dac_override };
 +')
 +
 optional_policy(`
 	seutil_sigchld_newrole(tor_t)
@ -112061,10 +112091,10 @@ index 0000000..45304ea
 +')
 diff --git a/udisks2.te b/udisks2.te
 new file mode 100644
-index 0000000..5312470
+index 0000000..617ee56
 --- /dev/null
 +++ b/udisks2.te
-@@ -0,0 +1,57 @@
+@@ -0,0 +1,58 @@
 +policy_module(udisks2, 1.0.0)
 +
 +########################################
@ -112112,6 +112142,7 @@ index 0000000..5312470
 +logging_send_syslog_msg(udisks2_t)
 +
 +storage_raw_read_fixed_disk(udisks2_t)
 +storage_raw_read_removable_device(udisks2_t)
 +
 +udev_read_db(udisks2_t)
 +
@ -115918,7 +115949,7 @@ index facdee8..b5a815a 100644
 +	dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..066b1c3 100644
+index f03dcf5..ac277da 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,451 +1,422 @@
@ -116955,7 +116986,7 @@ index f03dcf5..066b1c3 100644
 	kernel_read_xen_state(virtd_t)
 	kernel_write_xen_state(virtd_t)
-@@ -746,44 +727,350 @@ optional_policy(`
+@@ -746,44 +727,353 @@ optional_policy(`
 	udev_read_pid_files(virtd_t)
 ')
@ -117016,6 +117047,9 @@ index f03dcf5..066b1c3 100644
 -can_exec(virsh_t, virsh_exec_t)
 +allow virtlogd_t self:unix_stream_socket create_stream_socket_perms;
 +
 +# Allow virtlogd_t to execute itself.
 +allow virtlogd_t virtlogd_exec_t:file execute_no_trans;
 +
 +dev_read_sysfs(virtlogd_t)
 +
 +logging_send_syslog_msg(virtlogd_t)
@ -117104,7 +117138,7 @@ index f03dcf5..066b1c3 100644
 +stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t)
 +
 +dontaudit virtd_t virt_domain:process  { siginh noatsecure rlimitinh };
- 
+
 +dontaudit virt_domain virt_tmpfs_type:file { read write };
 +
 +append_files_pattern(virt_domain, virt_log_t, virt_log_t)
@ -117153,7 +117187,7 @@ index f03dcf5..066b1c3 100644
 +fs_rw_inherited_nfs_files(virt_domain)
 +fs_rw_inherited_cifs_files(virt_domain)
 +fs_rw_inherited_noxattr_fs_files(virt_domain)
-+
+ 
 +# I think we need these for now.
 +miscfiles_read_public_files(virt_domain)
 +miscfiles_read_generic_certs(virt_domain)
@ -117328,7 +117362,7 @@ index f03dcf5..066b1c3 100644
 kernel_read_system_state(virsh_t)
 kernel_read_network_state(virsh_t)
 kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1081,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1084,18 @@ kernel_write_xen_state(virsh_t)
 corecmd_exec_bin(virsh_t)
 corecmd_exec_shell(virsh_t)
@ -117355,7 +117389,7 @@ index f03dcf5..066b1c3 100644
 fs_getattr_all_fs(virsh_t)
 fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1101,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1104,25 @@ fs_search_auto_mountpoints(virsh_t)
 storage_raw_read_fixed_disk(virsh_t)
@ -117389,7 +117423,7 @@ index f03dcf5..066b1c3 100644
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1138,20 @@ optional_policy(`
+@@ -856,14 +1141,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -117411,7 +117445,7 @@ index f03dcf5..066b1c3 100644
 	xen_stream_connect(virsh_t)
 	xen_stream_connect_xenstore(virsh_t)
 ')
-@@ -888,49 +1176,66 @@ optional_policy(`
+@@ -888,49 +1179,66 @@ optional_policy(`
 	kernel_read_xen_state(virsh_ssh_t)
 	kernel_write_xen_state(virsh_ssh_t)
@ -117496,7 +117530,7 @@ index f03dcf5..066b1c3 100644
 corecmd_exec_bin(virtd_lxc_t)
 corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1247,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1250,16 @@ dev_read_urand(virtd_lxc_t)
 domain_use_interactive_fds(virtd_lxc_t)
@ -117516,7 +117550,7 @@ index f03dcf5..066b1c3 100644
 fs_getattr_all_fs(virtd_lxc_t)
 fs_manage_tmpfs_dirs(virtd_lxc_t)
 fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1268,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1271,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
 fs_unmount_all_fs(virtd_lxc_t)
 fs_relabelfrom_tmpfs(virtd_lxc_t)
@ -117540,7 +117574,7 @@ index f03dcf5..066b1c3 100644
 selinux_get_enforce_mode(virtd_lxc_t)
 selinux_get_fs_mount(virtd_lxc_t)
 selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1293,296 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1296,296 @@ selinux_compute_create_context(virtd_lxc_t)
 selinux_compute_relabel_context(virtd_lxc_t)
 selinux_compute_user_contexts(virtd_lxc_t)
@ -117571,8 +117605,7 @@ index f03dcf5..066b1c3 100644
 +optional_policy(`
 +    container_exec_lib(virtd_lxc_t)
 +')
- 
+
 -sysnet_domtrans_ifconfig(virtd_lxc_t)
 +optional_policy(`
 +	gnome_read_generic_cache_files(virtd_lxc_t)
 +')
@ -117580,7 +117613,8 @@ index f03dcf5..066b1c3 100644
 +optional_policy(`
 +	setrans_manage_pid_files(virtd_lxc_t)
 +')
-+
+ 
 -sysnet_domtrans_ifconfig(virtd_lxc_t)
 +optional_policy(`
 +	unconfined_domain(virtd_lxc_t)
 +')
@ -117703,6 +117737,21 @@ index f03dcf5..066b1c3 100644
 +userdom_use_inherited_user_terminals(svirt_sandbox_domain)
 +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
 +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
 +
 +optional_policy(`
 +tunable_policy(`virt_sandbox_share_apache_content',`
 +		apache_exec_modules(svirt_sandbox_domain)
 +		apache_read_sys_content(svirt_sandbox_domain)
 +	')
 +')
 +
 +optional_policy(`
 +	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
 +')
 +
 +optional_policy(`
 +	ssh_use_ptys(svirt_sandbox_domain)
 +')
 -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
 -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@ -117787,31 +117836,14 @@ index f03dcf5..066b1c3 100644
 -
 -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +optional_policy(`
-+tunable_policy(`virt_sandbox_share_apache_content',`
+	udev_read_pid_files(svirt_sandbox_domain)
 +		apache_exec_modules(svirt_sandbox_domain)
 +		apache_read_sys_content(svirt_sandbox_domain)
 +	')
 +')
 +
 +optional_policy(`
 +	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
 +')
 +
 +optional_policy(`
 +	ssh_use_ptys(svirt_sandbox_domain)
 +')
 optional_policy(`
 -	udev_read_pid_files(svirt_lxc_domain)
 +	udev_read_pid_files(svirt_sandbox_domain)
 ')
 optional_policy(`
 -	apache_exec_modules(svirt_lxc_domain)
 -	apache_read_sys_content(svirt_lxc_domain)
 +	userhelper_dontaudit_write_config(svirt_sandbox_domain)
- ')
+')
- 
+
 +tunable_policy(`virt_use_nfs',`
 +	fs_manage_nfs_dirs(svirt_sandbox_domain)
 +	fs_manage_nfs_files(svirt_sandbox_domain)
@ -117838,9 +117870,11 @@ index f03dcf5..066b1c3 100644
 +    fs_mount_fusefs(svirt_sandbox_domain)
 +    fs_unmount_fusefs(svirt_sandbox_domain)
 +    fs_exec_fusefs_files(svirt_sandbox_domain)
-+')
+ ')
-+
+ 
-+optional_policy(`
+ optional_policy(`
 -	apache_exec_modules(svirt_lxc_domain)
 -	apache_read_sys_content(svirt_lxc_domain)
 +    container_read_share_files(svirt_sandbox_domain)
 +    container_exec_share_files(svirt_sandbox_domain)
 +    container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file)
@ -117848,23 +117882,16 @@ index f03dcf5..066b1c3 100644
 +    container_spc_stream_connect(svirt_sandbox_domain)
 +    fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
 +    dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)
-+')
+ ')
-+
+ 
 +########################################
 +#
 +# container_t local policy
 +#
 +virt_sandbox_domain_template(container)
 +typealias container_t alias svirt_lxc_net_t;
 +# Policy moved to container-selinux policy package
 +
 ########################################
 #
 -# Lxc net local policy
 +# container_t local policy
 #
-+virt_sandbox_domain_template(svirt_qemu_net)
+virt_sandbox_domain_template(container)
-+typeattribute svirt_qemu_net_t sandbox_net_domain;
+typealias container_t alias svirt_lxc_net_t;
 +# Policy moved to container-selinux policy package
 -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
 -dontaudit svirt_lxc_net_t self:capability2 block_suspend;
@ -117877,17 +117904,18 @@ index f03dcf5..066b1c3 100644
 -allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
 -allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
 -allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
+########################################
-+dontaudit svirt_qemu_net_t self:capability2 block_suspend;
+#
-+allow svirt_qemu_net_t self:process { execstack execmem };
+# container_t local policy
 +#
 +virt_sandbox_domain_template(svirt_qemu_net)
 +typeattribute svirt_qemu_net_t sandbox_net_domain;
 -kernel_read_network_state(svirt_lxc_net_t)
 -kernel_read_irq_sysctls(svirt_lxc_net_t)
-+tunable_policy(`virt_sandbox_use_netlink',`
+allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
-+	allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
+dontaudit svirt_qemu_net_t self:capability2 block_suspend;
-+	allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+allow svirt_qemu_net_t self:process { execstack execmem };
 +	allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
 +')
 -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
 -corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
@ -117899,6 +117927,15 @@ index f03dcf5..066b1c3 100644
 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
 -corenet_tcp_bind_generic_node(svirt_lxc_net_t)
 -corenet_udp_bind_generic_node(svirt_lxc_net_t)
 +tunable_policy(`virt_sandbox_use_netlink',`
 +	allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
 +	allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
 +	allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
 +')
 -corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
 -corenet_udp_bind_all_ports(svirt_lxc_net_t)
 -corenet_tcp_bind_all_ports(svirt_lxc_net_t)
 +manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
 +manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
 +manage_fifo_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
@ -117906,55 +117943,52 @@ index f03dcf5..066b1c3 100644
 +manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
 +filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file })
 -corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
 -corenet_udp_bind_all_ports(svirt_lxc_net_t)
 -corenet_tcp_bind_all_ports(svirt_lxc_net_t)
 +term_use_generic_ptys(svirt_qemu_net_t)
 +term_use_ptmx(svirt_qemu_net_t)
 -corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
 -corenet_tcp_connect_all_ports(svirt_lxc_net_t)
-+dev_rw_kvm(svirt_qemu_net_t)
+term_use_generic_ptys(svirt_qemu_net_t)
 +term_use_ptmx(svirt_qemu_net_t)
 -dev_getattr_mtrr_dev(svirt_lxc_net_t)
 -dev_read_rand(svirt_lxc_net_t)
 -dev_read_sysfs(svirt_lxc_net_t)
 -dev_read_urand(svirt_lxc_net_t)
-+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
+dev_rw_kvm(svirt_qemu_net_t)
 -files_read_kernel_modules(svirt_lxc_net_t)
-+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
 +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
 -fs_mount_cgroup(svirt_lxc_net_t)
 -fs_manage_cgroup_dirs(svirt_lxc_net_t)
 -fs_rw_cgroup_files(svirt_lxc_net_t)
-+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
 +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
 -auth_use_nsswitch(svirt_lxc_net_t)
-+kernel_read_irq_sysctls(svirt_qemu_net_t)
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
 -logging_send_audit_msgs(svirt_lxc_net_t)
 +kernel_read_irq_sysctls(svirt_qemu_net_t)
 -userdom_use_user_ptys(svirt_lxc_net_t)
 +dev_read_sysfs(svirt_qemu_net_t)
 +dev_getattr_mtrr_dev(svirt_qemu_net_t)
 +dev_read_rand(svirt_qemu_net_t)
 +dev_read_urand(svirt_qemu_net_t)
 -userdom_use_user_ptys(svirt_lxc_net_t)
 +files_read_kernel_modules(svirt_qemu_net_t)
 -optional_policy(`
 -	rpm_read_db(svirt_lxc_net_t)
 -')
-+fs_noxattr_type(container_file_t)
+files_read_kernel_modules(svirt_qemu_net_t)
 +fs_mount_cgroup(svirt_qemu_net_t)
 +fs_manage_cgroup_dirs(svirt_qemu_net_t)
 +fs_manage_cgroup_files(svirt_qemu_net_t)
 -#######################################
 -#
 -# Prot exec local policy
 -#
 +fs_noxattr_type(container_file_t)
 +fs_mount_cgroup(svirt_qemu_net_t)
 +fs_manage_cgroup_dirs(svirt_qemu_net_t)
 +fs_manage_cgroup_files(svirt_qemu_net_t)
 +
 +term_pty(container_file_t)
 +
 +auth_use_nsswitch(svirt_qemu_net_t)
@ -117984,7 +118018,7 @@ index f03dcf5..066b1c3 100644
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1595,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1598,12 @@ dev_read_sysfs(virt_qmf_t)
 dev_read_rand(virt_qmf_t)
 dev_read_urand(virt_qmf_t)
@ -117999,7 +118033,7 @@ index f03dcf5..066b1c3 100644
 sysnet_read_config(virt_qmf_t)
 optional_policy(`
-@@ -1192,7 +1613,7 @@ optional_policy(`
+@@ -1192,7 +1616,7 @@ optional_policy(`
 ########################################
 #
@ -118008,7 +118042,7 @@ index f03dcf5..066b1c3 100644
 #
 allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1622,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1625,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
 allow virt_bridgehelper_t self:tun_socket create_socket_perms;
 allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
@ -118240,6 +118274,7 @@ index f03dcf5..066b1c3 100644
 +kernel_read_network_state(sandbox_net_domain)
 +
 +allow sandbox_net_domain self:capability { net_raw net_admin net_bind_service };
 +allow sandbox_net_domain self:cap_userns { net_raw net_admin net_bind_service };
 +
 +allow sandbox_net_domain self:udp_socket create_socket_perms;
 +allow sandbox_net_domain self:tcp_socket create_stream_socket_perms;
@ -118267,6 +118302,7 @@ index f03dcf5..066b1c3 100644
 +')
 +
 +allow sandbox_caps_domain self:capability { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
 +allow sandbox_caps_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
 +
 +list_dirs_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t)
 +read_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t)
@ -121629,7 +121665,7 @@ index dd63de0..38ce620 100644
 -	admin_pattern($1, zabbix_tmpfs_t)
 ')
 diff --git a/zabbix.te b/zabbix.te
-index 7f496c6..aab4f86 100644
+index 7f496c6..bf2ae51 100644
 --- a/zabbix.te
 +++ b/zabbix.te
@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
@ -121879,7 +121915,7 @@ index 7f496c6..aab4f86 100644
 corenet_sendrecv_zabbix_client_packets(zabbix_agent_t)
 corenet_tcp_connect_zabbix_port(zabbix_agent_t)
 corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
-@@ -177,21 +218,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
+@@ -177,21 +218,50 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
 dev_getattr_all_blk_files(zabbix_agent_t)
 dev_getattr_all_chr_files(zabbix_agent_t)
@ -121923,6 +121959,7 @@ index 7f496c6..aab4f86 100644
 +allow zabbix_t zabbix_script_exec_t:dir search_dir_perms;
 +allow zabbix_t zabbix_script_exec_t:dir read_file_perms;
 +allow zabbix_t zabbix_script_exec_t:file ioctl;
 +allow zabbix_t zabbix_script_t:process signal;
 +
 +init_domtrans_script(zabbix_script_t)
 +
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 256%{?dist}
+Release: 258%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -689,6 +689,25 @@ exit 0
 %endif
 %changelog
 * Thu Jun 08 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-257
 - Merge pull request #10 from mscherer/fix_tor_dac
 - Merge pull request #9 from rhatdan/rawhide
 - Merge pull request #13 from vinzent/allow_zabbix_t_to_kill_zabbix_script_t
 - Allow kdumpgui to read removable disk device
 - Allow systemd_dbusd_t domain read/write to nvme devices
 - Allow udisks2 domain to read removable devices BZ(1443981)
 - Allow virtlogd_t to execute itself
 - Allow keepalived to read/write usermodehelper state
 - Allow named_t to bind on udp 4321 port
 - Fix interface tlp_manage_pid_files()
 - Allow collectd domain read lvm config files. BZ(1459097)
 - Merge branch 'rawhide' of github.com:wrabcak/selinux-policy-contrib into rawhide
 - Allow samba_manage_home_dirs boolean to manage user content
 - Merge pull request #14 from lemenkov/rabbitmq_systemd_notify
 - Allow pki_tomcat_t execute ldconfig.
 - Merge pull request #191 from rhatdan/udev
 - Allow systemd_modules_load_t to load modules
 * Mon Jun 05 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-256
 - Allow keepalived domain connect to squid tcp port
 - Allow krb5kdc_t domain read realmd lib files.