diff --git a/container-selinux.tgz b/container-selinux.tgz index 01fb9111..9960e8d5 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 766abd1f..e70cd11b 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -22769,7 +22769,7 @@ index e100d886b..355a67b18 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c5e..af9ee60b6 100644 +index 8dbab4c5e..2d283007a 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; @@ -22832,7 +22832,12 @@ index 8dbab4c5e..af9ee60b6 100644 type proc_xen_t, proc_type; files_mountpoint(proc_xen_t) genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0) -@@ -118,6 +147,7 @@ genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0) +@@ -114,10 +143,12 @@ genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0) + + # /proc/irq directory and files + type sysctl_irq_t, sysctl_type; ++fs_associate_proc(sysctl_irq_t) + genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0) # /proc/net/rpc directory and files type sysctl_rpc_t, sysctl_type; @@ -22840,7 +22845,7 @@ index 8dbab4c5e..af9ee60b6 100644 genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0) # /proc/sys/crypto directory and files -@@ -133,14 +163,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0) +@@ -133,14 +164,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0) type sysctl_kernel_t, sysctl_type; genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0) 
@@ -22855,7 +22860,7 @@ index 8dbab4c5e..af9ee60b6 100644 # /proc/sys/net directory and files type sysctl_net_t, sysctl_type; genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0) -@@ -153,6 +175,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) +@@ -153,6 +176,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) type sysctl_vm_t, sysctl_type; genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0) @@ -22866,7 +22871,7 @@ index 8dbab4c5e..af9ee60b6 100644 # /proc/sys/dev directory and files type sysctl_dev_t, sysctl_type; genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) -@@ -165,6 +191,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) +@@ -165,6 +192,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) type unlabeled_t; fs_associate(unlabeled_t) sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) @@ -22881,7 +22886,7 @@ index 8dbab4c5e..af9ee60b6 100644 # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -189,6 +223,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +@@ -189,6 +224,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) # kernel local policy # @@ -22889,7 +22894,7 @@ index 8dbab4c5e..af9ee60b6 100644 allow kernel_t self:capability ~sys_module; allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow kernel_t self:shm create_shm_perms; -@@ -233,7 +268,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; +@@ -233,7 +269,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; corenet_in_generic_if(unlabeled_t) corenet_in_generic_node(unlabeled_t) 
@@ -22897,7 +22902,7 @@ index 8dbab4c5e..af9ee60b6 100644 corenet_all_recvfrom_netlabel(kernel_t) # Kernel-generated traffic e.g., ICMP replies: corenet_raw_sendrecv_all_if(kernel_t) -@@ -244,17 +278,26 @@ corenet_tcp_sendrecv_all_if(kernel_t) +@@ -244,17 +279,26 @@ corenet_tcp_sendrecv_all_if(kernel_t) corenet_tcp_sendrecv_all_nodes(kernel_t) corenet_raw_send_generic_node(kernel_t) corenet_send_all_packets(kernel_t) @@ -22928,7 +22933,7 @@ index 8dbab4c5e..af9ee60b6 100644 # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem -@@ -263,7 +306,8 @@ fs_unmount_all_fs(kernel_t) +@@ -263,7 +307,8 @@ fs_unmount_all_fs(kernel_t) selinux_load_policy(kernel_t) @@ -22938,7 +22943,7 @@ index 8dbab4c5e..af9ee60b6 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -277,13 +321,23 @@ files_list_root(kernel_t) +@@ -277,13 +322,23 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -22962,7 +22967,7 @@ index 8dbab4c5e..af9ee60b6 100644 ifdef(`distro_redhat',` # Bugzilla 222337 -@@ -291,11 +345,29 @@ ifdef(`distro_redhat',` +@@ -291,11 +346,29 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -22992,7 +22997,7 @@ index 8dbab4c5e..af9ee60b6 100644 ') optional_policy(` -@@ -305,6 +377,19 @@ optional_policy(` +@@ -305,6 +378,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) @@ -23012,7 +23017,7 @@ index 8dbab4c5e..af9ee60b6 100644 ') optional_policy(` -@@ -312,6 +397,11 @@ optional_policy(` +@@ -312,6 +398,11 @@ optional_policy(` ') optional_policy(` @@ -23024,7 +23029,7 @@ index 8dbab4c5e..af9ee60b6 100644 # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. allow kernel_t self:tcp_socket create_stream_socket_perms; -@@ -332,9 +422,6 @@ optional_policy(` +@@ -332,9 +423,6 @@ optional_policy(` sysnet_read_config(kernel_t) 
@@ -23034,7 +23039,7 @@ index 8dbab4c5e..af9ee60b6 100644 rpc_udp_rw_nfs_sockets(kernel_t) tunable_policy(`nfs_export_all_ro',` -@@ -343,9 +430,7 @@ optional_policy(` +@@ -343,9 +431,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -23045,7 +23050,7 @@ index 8dbab4c5e..af9ee60b6 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -354,7 +439,7 @@ optional_policy(` +@@ -354,7 +440,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -23054,7 +23059,7 @@ index 8dbab4c5e..af9ee60b6 100644 ') ') -@@ -364,9 +449,22 @@ optional_policy(` +@@ -364,9 +450,22 @@ optional_policy(` ') optional_policy(` @@ -23077,7 +23082,7 @@ index 8dbab4c5e..af9ee60b6 100644 ######################################## # # Unlabeled process local policy -@@ -388,6 +486,8 @@ optional_policy(` +@@ -388,6 +487,8 @@ optional_policy(` if( ! secure_mode_insmod ) { allow can_load_kernmodule self:capability sys_module; @@ -23086,7 +23091,7 @@ index 8dbab4c5e..af9ee60b6 100644 # load_module() calls stop_machine() which # calls sched_setscheduler() allow can_load_kernmodule self:capability sys_nice; -@@ -399,14 +499,38 @@ if( ! secure_mode_insmod ) { +@@ -399,14 +500,38 @@ if( ! secure_mode_insmod ) { # Rules for unconfined acccess to this module # @@ -29351,7 +29356,7 @@ index fe0c68272..79d568a54 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index cc877c7b0..3038b0862 100644 +index cc877c7b0..b14a28d5c 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2) @@ -29734,7 +29739,7 @@ index cc877c7b0..3038b0862 100644 rpm_use_script_fds(sshd_t) ') -@@ -289,13 +379,93 @@ optional_policy(` +@@ -289,13 +379,94 @@ optional_policy(` ') optional_policy(` 
@@ -29776,6 +29781,7 @@ index cc877c7b0..3038b0862 100644 + +optional_policy(` xserver_domtrans_xauth(sshd_t) ++ xserver_xdm_signull(sshd_t) ') +ifdef(`TODO',` @@ -29828,7 +29834,7 @@ index cc877c7b0..3038b0862 100644 ######################################## # # ssh_keygen local policy -@@ -304,19 +474,33 @@ optional_policy(` +@@ -304,19 +475,33 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -29863,7 +29869,7 @@ index cc877c7b0..3038b0862 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -332,7 +516,9 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -332,7 +517,9 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) @@ -29873,7 +29879,7 @@ index cc877c7b0..3038b0862 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -341,3 +527,150 @@ optional_policy(` +@@ -341,3 +528,150 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -30194,7 +30200,7 @@ index 8274418c6..a47fd0b4d 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc2d..29db5fd25 100644 +index 6bf0ecc2d..75b2f31f9 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -18,100 +18,36 @@ 
@@ -31197,7 +31203,32 @@ index 6bf0ecc2d..29db5fd25 100644 ') ######################################## -@@ -1210,6 +1531,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` +@@ -1135,6 +1456,24 @@ interface(`xserver_signal',` + + ######################################## + ## ++## Send a null signal to xdm processes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_xdm_signull',` ++ gen_require(` ++ type xdm_t; ++ ') ++ ++ allow $1 xdm_t:process signull; ++') ++ ++######################################## ++## + ## Kill X servers + ## + ## +@@ -1210,6 +1549,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` ######################################## ## @@ -31223,7 +31254,7 @@ index 6bf0ecc2d..29db5fd25 100644 ## Connect to the X server over a unix domain ## stream socket. ## -@@ -1226,6 +1566,26 @@ interface(`xserver_stream_connect',` +@@ -1226,6 +1584,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -31250,7 +31281,7 @@ index 6bf0ecc2d..29db5fd25 100644 ') ######################################## -@@ -1251,7 +1611,7 @@ interface(`xserver_read_tmp_files',` +@@ -1251,7 +1629,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -31259,7 +31290,7 @@ index 6bf0ecc2d..29db5fd25 100644 ## ## ## -@@ -1261,13 +1621,27 @@ interface(`xserver_read_tmp_files',` +@@ -1261,13 +1639,27 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -31288,7 +31319,7 @@ index 6bf0ecc2d..29db5fd25 100644 ') ######################################## -@@ -1284,10 +1658,662 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1676,662 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` 
@@ -34703,7 +34734,7 @@ index 3efd5b669..190c29841 100644 + allow $1 login_pgm:key manage_key_perms; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 09b791dcc..2d255df93 100644 +index 09b791dcc..385cd6d79 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) @@ -34918,11 +34949,12 @@ index 09b791dcc..2d255df93 100644 allow updpwd_t self:process setfscreate; allow updpwd_t self:fifo_file rw_fifo_file_perms; allow updpwd_t self:unix_stream_socket create_stream_socket_perms; -@@ -341,6 +362,11 @@ kernel_read_system_state(updpwd_t) +@@ -341,6 +362,12 @@ kernel_read_system_state(updpwd_t) dev_read_urand(updpwd_t) files_manage_etc_files(updpwd_t) +auth_manage_passwd(updpwd_t) ++auth_filetrans_named_content(updpwd_t) + +mls_file_read_all_levels(updpwd_t) +mls_file_write_all_levels(updpwd_t) @@ -34930,7 +34962,7 @@ index 09b791dcc..2d255df93 100644 term_dontaudit_use_console(updpwd_t) term_dontaudit_use_unallocated_ttys(updpwd_t) -@@ -350,9 +376,7 @@ auth_use_nsswitch(updpwd_t) +@@ -350,9 +377,7 @@ auth_use_nsswitch(updpwd_t) logging_send_syslog_msg(updpwd_t) @@ -34941,7 +34973,7 @@ index 09b791dcc..2d255df93 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -380,13 +404,15 @@ term_dontaudit_use_all_ttys(utempter_t) +@@ -380,13 +405,15 @@ term_dontaudit_use_all_ttys(utempter_t) term_dontaudit_use_all_ptys(utempter_t) term_dontaudit_use_ptmx(utempter_t) @@ -34958,7 +34990,7 @@ index 09b791dcc..2d255df93 100644 # Allow utemper to write to /tmp/.xses-* userdom_write_user_tmp_files(utempter_t) -@@ -397,19 +423,29 @@ ifdef(`distro_ubuntu',` +@@ -397,19 +424,29 @@ ifdef(`distro_ubuntu',` ') optional_policy(` 
@@ -34992,7 +35024,7 @@ index 09b791dcc..2d255df93 100644 files_list_var_lib(nsswitch_domain) # read /etc/nsswitch.conf -@@ -417,15 +453,42 @@ files_read_etc_files(nsswitch_domain) +@@ -417,15 +454,42 @@ files_read_etc_files(nsswitch_domain) sysnet_dns_name_resolve(nsswitch_domain) @@ -35037,7 +35069,7 @@ index 09b791dcc..2d255df93 100644 ldap_stream_connect(nsswitch_domain) ') ') -@@ -438,6 +501,7 @@ optional_policy(` +@@ -438,6 +502,7 @@ optional_policy(` likewise_stream_connect_lsassd(nsswitch_domain) ') @@ -35045,7 +35077,7 @@ index 09b791dcc..2d255df93 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -456,10 +520,159 @@ optional_policy(` +@@ -456,10 +521,159 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) @@ -58088,7 +58120,7 @@ index f4ac38dc7..1589d6065 100644 + ssh_signal(confined_admindomain) +') diff --git a/policy/policy_capabilities b/policy/policy_capabilities -index db3cbca45..0728639e8 100644 +index db3cbca45..40fd5a518 100644 --- a/policy/policy_capabilities +++ b/policy/policy_capabilities @@ -31,3 +31,21 @@ policycap network_peer_controls; @@ -58102,7 +58134,7 @@ index db3cbca45..0728639e8 100644 +# +# Added checks: +# (none) -+#policycap cgroup_seclabel; ++policycap cgroup_seclabel; + +# Enable NoNewPrivileges support. Requires libsepol 2.7+ +# and kernel 4.14 (estimated). diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 8e51ee1b..cffbeb56 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -5579,7 +5579,7 @@ index f6eb4851f..fe461a3fc 100644 + ps_process_pattern(httpd_t, $1) ') diff --git a/apache.te b/apache.te -index 6649962b6..a6b4312e6 100644 +index 6649962b6..1a0189a44 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) 
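Review bot: Uncommenting `policycap cgroup_seclabel;` switches on kernel behaviour for cgroupfs (as I understand it, userspace can then set the SELinux label of cgroup files through setxattr and those labels are used in access checks), yet the surrounding context still reads `# Added checks:` / `# (none)`, so the comment no longer tells a reader what the capability changes or which kernel baseline is assumed. Suggest extending the comment in the same style as the NoNewPrivileges block right below it, e.g. `# Enables userspace labeling of cgroupfs via setxattr; requires a kernel that supports cgroup_seclabel.` The hunk is nested inside policy-rawhide-base.patch, so the change lands on the single `+policycap` line of the inner diff.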
@@ -6828,7 +6828,7 @@ index 6649962b6..a6b4312e6 100644 avahi_dbus_chat(httpd_t) ') + -+ tunable_policy(`httpd_dbus_sssd', ++ tunable_policy(`httpd_dbus_sssd',` + sssd_dbus_chat(httpd_t) + ') ') @@ -9010,7 +9010,7 @@ index f24e36960..4484a98da 100644 + allow $1 automount_unit_file_t:service all_service_perms; ') diff --git a/automount.te b/automount.te -index 27d2f400b..1297f5bbe 100644 +index 27d2f400b..f74f75f1b 100644 --- a/automount.te +++ b/automount.te @@ -22,6 +22,9 @@ type automount_tmp_t; @@ -9065,7 +9065,7 @@ index 27d2f400b..1297f5bbe 100644 fs_search_all(automount_t) fs_search_auto_mountpoints(automount_t) fs_unmount_all_fs(automount_t) -@@ -135,15 +139,18 @@ auth_use_nsswitch(automount_t) +@@ -135,15 +139,19 @@ auth_use_nsswitch(automount_t) logging_send_syslog_msg(automount_t) logging_search_logs(automount_t) @@ -9082,13 +9082,14 @@ index 27d2f400b..1297f5bbe 100644 + mount_domtrans(automount_t) + mount_domtrans_showmount(automount_t) + mount_signal(automount_t) ++ mount_rw_pid_files(automount_t) +') + +optional_policy(` fstools_domtrans(automount_t) ') -@@ -166,3 +173,8 @@ optional_policy(` +@@ -166,3 +174,8 @@ optional_policy(` optional_policy(` udev_read_db(automount_t) ') @@ -22522,10 +22523,10 @@ index f55c42082..e9d64ab5f 100644 - -miscfiles_read_localization(dbskkd_t) diff --git a/dbus.fc b/dbus.fc -index dda905b9c..558729530 100644 +index dda905b9c..60806a524 100644 --- a/dbus.fc +++ b/dbus.fc -@@ -1,20 +1,29 @@ +@@ -1,20 +1,31 @@ -HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0) +/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0) 
@@ -22541,6 +22542,8 @@ index dda905b9c..558729530 100644 -/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++/usr/bin/dbus-broker -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++/usr/bin/dbus-broker-launch -- gen_context(system_u:object_r:dbusd_exec_t,s0) -/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) @@ -23505,7 +23508,7 @@ index 62d22cb46..c0c2ed47d 100644 + manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t) ') diff --git a/dbus.te b/dbus.te -index c9998c80d..d8ef03416 100644 +index c9998c80d..131d809ae 100644 --- a/dbus.te +++ b/dbus.te @@ -4,17 +4,15 @@ gen_require(` @@ -23632,7 +23635,7 @@ index c9998c80d..d8ef03416 100644 mls_fd_use_all_levels(system_dbusd_t) mls_rangetrans_target(system_dbusd_t) mls_file_read_all_levels(system_dbusd_t) -@@ -123,66 +124,176 @@ term_dontaudit_use_console(system_dbusd_t) +@@ -123,66 +124,177 @@ term_dontaudit_use_console(system_dbusd_t) auth_use_nsswitch(system_dbusd_t) auth_read_pam_console_data(system_dbusd_t) @@ -23654,6 +23657,7 @@ index c9998c80d..d8ef03416 100644 +init_domtrans_script(system_dbusd_t) +init_rw_stream_sockets(system_dbusd_t) +init_status(system_dbusd_t) ++init_start_system(system_dbusd_t) # needed by dbus-broker logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) @@ -23823,7 +23827,7 @@ index c9998c80d..d8ef03416 100644 kernel_read_kernel_sysctls(session_bus_type) corecmd_list_bin(session_bus_type) -@@ -191,23 +302,18 @@ corecmd_read_bin_files(session_bus_type) +@@ -191,23 +303,18 @@ corecmd_read_bin_files(session_bus_type) corecmd_read_bin_pipes(session_bus_type) corecmd_read_bin_sockets(session_bus_type) 
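Review bot: `init_start_system(system_dbusd_t)` in the dbus.te hunk lets the system bus domain start any service through init, which widens what a compromise of the bus daemon can reach, and the dbus.fc hunk on this line now routes both `dbus-broker` and `dbus-broker-launch` into that same domain via `dbusd_exec_t`. The inline `# needed by dbus-broker` does not say which operation needs the rule; if, as the comment suggests, it is the launcher asking systemd to start activatable services, a comment such as `# dbus-broker-launch requests service activation from systemd` would let a later reviewer judge whether a narrower interface could replace it. The `system_dbusd_t` policy block continues outside the hunk.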
@@ -23848,7 +23852,7 @@ index c9998c80d..d8ef03416 100644 files_dontaudit_search_var(session_bus_type) fs_getattr_romfs(session_bus_type) -@@ -215,7 +321,6 @@ fs_getattr_xattr_fs(session_bus_type) +@@ -215,7 +322,6 @@ fs_getattr_xattr_fs(session_bus_type) fs_list_inotifyfs(session_bus_type) fs_dontaudit_list_nfs(session_bus_type) @@ -23856,7 +23860,7 @@ index c9998c80d..d8ef03416 100644 selinux_validate_context(session_bus_type) selinux_compute_access_vector(session_bus_type) selinux_compute_create_context(session_bus_type) -@@ -225,18 +330,36 @@ selinux_compute_user_contexts(session_bus_type) +@@ -225,18 +331,36 @@ selinux_compute_user_contexts(session_bus_type) auth_read_pam_console_data(session_bus_type) logging_send_audit_msgs(session_bus_type) @@ -23898,7 +23902,7 @@ index c9998c80d..d8ef03416 100644 ') ######################################## -@@ -244,5 +367,9 @@ optional_policy(` +@@ -244,5 +368,9 @@ optional_policy(` # Unconfined access to this module # @@ -25814,10 +25818,10 @@ index 000000000..b3784d85d +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 000000000..86c5021d6 +index 000000000..22cafcd43 --- /dev/null +++ b/dirsrv.te -@@ -0,0 +1,211 @@ +@@ -0,0 +1,207 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -25982,10 +25986,6 @@ index 000000000..86c5021d6 + systemd_manage_passwd_run(dirsrv_t) +') + -+optional_policy(` -+ rolekit_read_tmp(dirsrv_t) -+') -+ +######################################## +# +# dirsrv-snmp local policy @@ -43317,7 +43317,7 @@ index 000000000..bd7e7fa17 +') diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 000000000..923edd01e +index 000000000..7395ac19a --- /dev/null +++ b/keepalived.te @@ -0,0 +1,100 @@ 
@@ -43346,7 +43346,7 @@ index 000000000..923edd01e +# keepalived local policy +# + -+allow keepalived_t self:capability { net_admin net_raw kill dac_read_search sys_ptrace }; ++allow keepalived_t self:capability { net_admin net_raw kill dac_read_search setpgid sys_ptrace }; +allow keepalived_t self:process { signal_perms }; +allow keepalived_t self:netlink_socket create_socket_perms; +allow keepalived_t self:netlink_generic_socket create_socket_perms; @@ -53630,7 +53630,7 @@ index 6194b806b..e27c53d6e 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4fc..3c24a12ef 100644 +index 11ac8e4fc..94822ad40 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0) @@ -53911,15 +53911,15 @@ index 11ac8e4fc..3c24a12ef 100644 miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) -userdom_use_user_ptys(mozilla_t) -- ++userdom_use_inherited_user_ptys(mozilla_t) + -userdom_manage_user_tmp_dirs(mozilla_t) -userdom_manage_user_tmp_files(mozilla_t) - -userdom_manage_user_home_content_dirs(mozilla_t) -userdom_manage_user_home_content_files(mozilla_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) -+userdom_use_inherited_user_ptys(mozilla_t) - +- -userdom_write_user_tmp_sockets(mozilla_t) - -mozilla_run_plugin(mozilla_t, mozilla_roles) 
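Review bot: `setpgid` is not a permission of the `capability` object class, so the new line `allow keepalived_t self:capability { net_admin net_raw kill dac_read_search setpgid sys_ptrace };` will be rejected when the module is compiled; `setpgid` belongs to the `process` class. The changelog entry for 3.13.1-284 says the intent is to let keepalived call setpgid(), which the very next line already partly covers and should be extended instead: `allow keepalived_t self:process { setpgid signal_perms };`, with the capability line restored to its previous set. This is a nested patch, so the fix goes on the `+` line of the inner keepalived.te hunk.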
@@ -54049,34 +54049,34 @@ index 11ac8e4fc..3c24a12ef 100644 - gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private") + gnome_manage_config(mozilla_t) + gnome_manage_gconf_home_files(mozilla_t) -+') -+ -+optional_policy(` -+ java_domtrans(mozilla_t) ') optional_policy(` - java_exec(mozilla_t) - java_manage_generic_home_content(mozilla_t) - java_home_filetrans_java_home(mozilla_t, dir, ".java") -+ lpd_domtrans_lpr(mozilla_t) ++ java_domtrans(mozilla_t) ') optional_policy(` - lpd_run_lpr(mozilla_t, mozilla_roles) -+ mplayer_domtrans(mozilla_t) -+ mplayer_read_user_home_files(mozilla_t) ++ lpd_domtrans_lpr(mozilla_t) ') optional_policy(` - mplayer_exec(mozilla_t) - mplayer_manage_generic_home_content(mozilla_t) - mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer") -+ nscd_socket_use(mozilla_t) ++ mplayer_domtrans(mozilla_t) ++ mplayer_read_user_home_files(mozilla_t) ') optional_policy(` - pulseaudio_run(mozilla_t, mozilla_roles) ++ nscd_socket_use(mozilla_t) ++') ++ ++optional_policy(` + #pulseaudio_role(mozilla_roles, mozilla_t) + pulseaudio_exec(mozilla_t) + pulseaudio_stream_connect(mozilla_t) @@ -54084,7 +54084,7 @@ index 11ac8e4fc..3c24a12ef 100644 ') optional_policy(` -@@ -300,259 +340,258 @@ optional_policy(` +@@ -300,259 +340,260 @@ optional_policy(` ######################################## # 
@@ -54168,13 +54168,15 @@ index 11ac8e4fc..3c24a12ef 100644 -fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) +fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file dir lnk_file sock_file fifo_file }) +userdom_manage_home_texlive(mozilla_plugin_t) ++allow mozilla_plugin_t mozilla_plugin_tmpfs_t:file map; - allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; +-allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; -- + -dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) -stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) ++allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) @@ -54489,7 +54491,7 @@ index 11ac8e4fc..3c24a12ef 100644 ') optional_policy(` -@@ -560,7 +599,11 @@ optional_policy(` +@@ -560,7 +601,11 @@ optional_policy(` ') optional_policy(` @@ -54502,7 +54504,7 @@ index 11ac8e4fc..3c24a12ef 100644 ') optional_policy(` -@@ -568,108 +611,144 @@ optional_policy(` +@@ -568,108 +613,144 @@ optional_policy(` ') optional_policy(` @@ -56308,7 +56310,7 @@ index ed81cac5a..cd52baf59 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index ff1d68c6a..94b1dfca7 100644 +index ff1d68c6a..3f662fbef 100644 --- a/mta.te +++ b/mta.te @@ -14,8 +14,6 @@ attribute mailserver_sender; @@ -56408,7 +56410,7 @@ index ff1d68c6a..94b1dfca7 100644 procmail_exec(user_mail_domain) ') -@@ -166,57 +166,76 @@ optional_policy(` +@@ -166,57 +166,77 @@ optional_policy(` uucp_manage_spool(user_mail_domain) ') 
@@ -56461,6 +56463,7 @@ index ff1d68c6a..94b1dfca7 100644 +userdom_dontaudit_list_user_home_dirs(system_mail_t) +userdom_dontaudit_list_admin_dir(system_mail_t) +userdom_dontaudit_list_user_tmp(system_mail_t) ++userdom_dontaudit_read_inherited_admin_home_files(system_mail_t) + +manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) +manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) @@ -56504,7 +56507,7 @@ index ff1d68c6a..94b1dfca7 100644 ') optional_policy(` -@@ -225,17 +244,21 @@ optional_policy(` +@@ -225,17 +245,21 @@ optional_policy(` ') optional_policy(` @@ -56528,7 +56531,7 @@ index ff1d68c6a..94b1dfca7 100644 courier_stream_connect_authdaemon(system_mail_t) ') -@@ -244,9 +267,10 @@ optional_policy(` +@@ -244,9 +268,10 @@ optional_policy(` ') optional_policy(` @@ -56542,7 +56545,7 @@ index ff1d68c6a..94b1dfca7 100644 ') optional_policy(` -@@ -258,10 +282,17 @@ optional_policy(` +@@ -258,10 +283,17 @@ optional_policy(` ') optional_policy(` @@ -56560,7 +56563,7 @@ index ff1d68c6a..94b1dfca7 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -272,6 +303,19 @@ optional_policy(` +@@ -272,6 +304,19 @@ optional_policy(` manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) @@ -56580,7 +56583,7 @@ index ff1d68c6a..94b1dfca7 100644 ') optional_policy(` -@@ -279,6 +323,10 @@ optional_policy(` +@@ -279,6 +324,10 @@ optional_policy(` ') optional_policy(` @@ -56591,7 +56594,7 @@ index ff1d68c6a..94b1dfca7 100644 userdom_dontaudit_use_user_ptys(system_mail_t) optional_policy(` -@@ -287,42 +335,36 @@ optional_policy(` +@@ -287,42 +336,36 @@ optional_policy(` ') optional_policy(` 
@@ -56644,7 +56647,7 @@ index ff1d68c6a..94b1dfca7 100644 allow mailserver_delivery mail_spool_t:dir list_dir_perms; create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -@@ -331,44 +373,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -331,44 +374,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -56714,7 +56717,7 @@ index ff1d68c6a..94b1dfca7 100644 ') optional_policy(` -@@ -381,24 +427,49 @@ optional_policy(` +@@ -381,24 +428,49 @@ optional_policy(` ######################################## # @@ -92198,10 +92201,10 @@ index 000000000..504b6e13e +/usr/sbin/roled -- gen_context(system_u:object_r:rolekit_exec_t,s0) diff --git a/rolekit.if b/rolekit.if new file mode 100644 -index 000000000..df5e3338c +index 000000000..b11fb8f6d --- /dev/null +++ b/rolekit.if -@@ -0,0 +1,138 @@ +@@ -0,0 +1,120 @@ +## Daemon for Linux systems providing a stable D-BUS interface to manage the deployment of Server Roles. + +######################################## @@ -92322,24 +92325,6 @@ index 000000000..df5e3338c + systemd_read_fifo_file_passwd_run($1) + ') +') -+ -+######################################## -+## -+## Allow domain to read rolekit tmp files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rolekit_read_tmp',` -+ gen_require(` -+ type rolekit_tmp_t; -+ ') -+ -+ read_files_pattern($1, rolekit_tmp_t, rolekit_tmp_t) -+') diff --git a/rolekit.te b/rolekit.te new file mode 100644 index 000000000..da944537b @@ -107829,7 +107814,7 @@ index 49dd63ca1..ae2e798f5 100644 + +/var/log/stunnel.* -- gen_context(system_u:object_r:stunnel_log_t,s0) diff --git a/stunnel.te b/stunnel.te -index 27a8480bc..5482c7549 100644 +index 27a8480bc..fc3fca520 100644 --- a/stunnel.te +++ b/stunnel.te @@ -12,6 +12,9 @@ init_daemon_domain(stunnel_t, stunnel_exec_t) 
@@ -107842,15 +107827,18 @@ index 27a8480bc..5482c7549 100644 type stunnel_tmp_t; files_tmp_file(stunnel_tmp_t) -@@ -23,7 +26,7 @@ files_pid_file(stunnel_var_run_t) +@@ -23,9 +26,9 @@ files_pid_file(stunnel_var_run_t) # Local policy # -allow stunnel_t self:capability { setgid setuid sys_chroot }; +allow stunnel_t self:capability { setgid setuid sys_chroot sys_nice }; dontaudit stunnel_t self:capability sys_tty_config; - allow stunnel_t self:process signal_perms; +-allow stunnel_t self:process signal_perms; ++allow stunnel_t self:process { setsched signal_perms }; allow stunnel_t self:fifo_file rw_fifo_file_perms; + allow stunnel_t self:tcp_socket { accept listen }; + allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms; @@ -34,6 +37,9 @@ allow stunnel_t stunnel_etc_t:dir list_dir_perms; allow stunnel_t stunnel_etc_t:file read_file_perms; allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms; @@ -112168,10 +112156,10 @@ index 000000000..e5cec8fda +') diff --git a/tomcat.te b/tomcat.te new file mode 100644 -index 000000000..bc54338c2 +index 000000000..7726f7594 --- /dev/null +++ b/tomcat.te -@@ -0,0 +1,108 @@ +@@ -0,0 +1,109 @@ +policy_module(tomcat, 1.0.0) + +######################################## @@ -112256,6 +112244,7 @@ index 000000000..bc54338c2 +corenet_tcp_connect_oracle_port(tomcat_domain) +corenet_tcp_connect_ibm_dt_2_port(tomcat_domain) +corenet_tcp_connect_unreserved_ports(tomcat_domain) ++corenet_tcp_connect_mssql_port(tomcat_domain) + +dev_read_rand(tomcat_domain) +dev_read_urand(tomcat_domain) @@ -114588,10 +114577,10 @@ index 3d11c6a3d..c5d84287e 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index a4f20bcfc..9777de289 100644 +index a4f20bcfc..58d0a33f2 100644 --- a/virt.fc 
+++ b/virt.fc -@@ -1,51 +1,109 @@ +@@ -1,51 +1,111 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) @@ -114726,6 +114715,8 @@ index a4f20bcfc..9777de289 100644 + +/usr/libexec/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) + ++/usr/lib/virt-sysprep/firstboot.sh -- gen_context(system_u:object_r:virtd_exec_t,s0) ++ +/usr/lib/systemd/system/*virtlogd.* gen_context(system_u:object_r:virtlogd_unit_file_t,s0) + +/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index 1bb2c757..7509df1f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 283%{?dist} +Release: 284%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -682,6 +682,17 @@ exit 0 %endif %changelog +* Thu Sep 14 2017 Lukas Vrabec - 3.13.1-284 +- Allow mozilla_plugins_t domain mmap mozilla_plugin_tmpfs_t files +- Allow automount domain to manage mount pid files +- Allow stunnel_t domain setsched +- Add keepalived domain setpgid capability +- Merge pull request #24 from teg/rawhide +- Merge pull request #28 from lslebodn/revert_1e8403055 +- Allow sysctl_irq_t assciate with proc_t +- Enable cgourp sec labeling +- Allow sshd_t domain to send signull to xdm_t processes + * Tue Sep 12 2017 Lukas Vrabec - 3.13.1-283 - Allow passwd_t domain mmap /etc/shadow and /etc/passwd - Allow pulseaudio_t domain to map user tmp files
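Review bot: `/usr/lib/virt-sysprep/firstboot.sh -- gen_context(system_u:object_r:virtd_exec_t,s0)` gives a shell script the entry-point type of the libvirt daemon, so whatever executes it (presumably a systemd unit, given that `virtd_exec_t` is an init daemon entry point) runs with the full privilege set of `virtd_t`. If, as the name suggests, the script's job is to run guest first-boot scripts that virt-sysprep installs, a dedicated domain, or at minimum a comment above the fc line stating why `virtd_t` is the intended domain, would make the choice reviewable; as written the line carries no justification. The fc hunk is nested inside policy-rawhide-contrib.patch and ends with this line.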