From 9fc76d9ab8710961f55f50599bf7ed27c6b4dc3c Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Thu, 3 Mar 2016 16:00:03 +0100 Subject: [PATCH] * Thu Mar 03 2016 Lukas Vrabec 3.13.1-176 - Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba. - Merge pull request #105 from rhatdan/NO_NEW_PRIV - Fix new rkt policy - Remove some redundant rules. - Fix cosmetic issues in interface file. - Merge pull request #100 from rhatdan/rawhide-contrib - Add interface fs_setattr_cifs_dirs(). - Merge pull request #106 from rhatdan/NO_NEW_PRIV_BASE - Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS) -Build file_contexts.bin file_context.local.bin file_context.homedir.bin during build phase. This fix issue in Fedora live images when selinux-policy-targeted is not installed but just unpackaged, since there's no .bin files, file_contexts is parsed in selabel_open(). Resolves: rhbz#1314372 --- docker-selinux.tgz | Bin 4355 -> 4318 bytes policy-rawhide-base.patch | 607 +++++++++++++++++++---------------- policy-rawhide-contrib.patch | 81 +++-- selinux-policy.spec | 17 +- 4 files changed, 405 insertions(+), 300 deletions(-) 
diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 5cb9828d90c1117d7bb1d2ae8e84d2fa6b629258..1799d9e63029cd065cd3385a3b65c395b28f095f 100644 GIT binary patch literal 4318 zcmV<45Fzg$iwFQRQP@@h1MOVvkJ~m9&sY1e5RwAfJtVuE&7;7k?cvbghx>3qaqY(f zsw~mAx_X^Rt=AXif4>>NL{X$3Yj3i>vw+05IP)Vp91UlNqfN^Amed#N`q|@MS8#p! z@D4xUeEa^&{DkZJ{oA*1pS`*M@ZrPN`>S^!uAg1Kxqg3j{Vce8#4+isp)9I{;8}K8 zM=KJ0>Bidsq}TGri{Lxjlozov}BFb9+mSn>BdpPDf?1AP?o>&j+7{~bQL5p%9xdP zO6UwJE{3ES#WA5AZ81Z9QU)-lQ6b(%HPW?mlG zfgV-JbQ{&=$%vVcW}=`4?F2DrDP^d@PAN+i`}gSTjPPZ}?E`qHuWD~i|HhwU+&O7Q z;&h#oL~fqA>yfVI;vFVp)sgwYJ@>K9*#X+%vQZBZvqRATjEZPOo|uiw`Jf)hN=fX8 z*(t?6_&hwGrRy)&li9G1B}3cv2rK3@d53VD5i6fcx#pHtNCYi$ z%tbV(E5RGaSwyL)E8f=cYei&t$(;W1|K|{Iqx_@n`{%4~d{abHtJ@Vxi_N5N9nXZa zU(;e*=M&+LS`DrL<{JLJg@5mk=t%wikDs2xPQbm7DotkW19ek)tP0@JsjezV>EAhS z$VEwgcX&Q#Q0%=N!K@&6PZ`N$mW?N5K3X@LB4u2{?OF)5L^?wXS}aJ4_U2jA7j1N1#_;$A3dCawvh^g5*!dx?EJCKXr+U z?b4&81U6BT1iL!zdAm8uVcYr2Pv;Iql21|&XKaoF&I5s>ggQfFw!nhGl9=&SRct?Z zj}0tvugHQqdAEjw{;)l_WvJL)!6|h&#g~w~icypzwxE3Q)0U;8x{0@SC{%qHLg&X3 zEM6ieYojo+D=GnF=9(02j(G9vcQYVn&M;ln?FNdSC!ri7N`9i~jXl}btfMq+=%{>F zZn)aJ0Obbd0^F84u@_oyQ*saF^YLs}*#0VbE*dU?1gSRay zqsN2dUhYxQYC_BG?gHm~AfQ+T+}R}%n7$eeKo})?S_oaoM67c$#gm{wF7#3!7SNSN zA%h8NwMz8Aq5$^%`+zbqXgPld2>Z&X3w$VOuyDLHj>D!pz}*gJI>ASCaE$f%<>w#U z!%zBT*QJUluMN_oNrjK8t0Hc5-z9{Ba#Jg&O)dA9gWsTd)OZA4Acw`uSsT7H0jomc zx`9yza(+Cb;16&L9mD?56B>njp1?k)by?)IJb_18C_cjZQHwj5q?T?Vz_B)e*hL+8 zH~pJpTN(0@Wqc8Q0vEQ1DF!s%6j3I;y5RH22|)F=gUm9h zwwO_XW86Z>$f{fl&Ab`sl~cCk+z~!w%|~KQ6*%Hk+>07jGAgXfERFYEEmeFg16qhS z3#L;3=SKTT{QL5#35qak*j66pce50{urj^kK!aZsb- z=i2dhT+`Ev##~erY|Do`z_7bV#a>~`ZBWb)JYLwK>wQ(i6ojLkQYpbNr||H-E;ABG z)upHIK#y@&sb9~v5se~)-ePhIf9=xRKgA_;X^cE#A0zeO-(EZFzu&w+)qj79OE~&r zUM3Jrp9yVv6}-8)y11HUqn0m%pGcg+>kwMpZ308|D1Y;z_HzubEQ#RD)XBqHr@6<&yRr`v&dg?84fD#72mCM@cw?Vo zO*<^`(_%sbhwR-e=16y#jD7#o&2Q6LFr9pq$`lJD-8IJI@$pyTLUC!(_FoQhq5+Fk9Cx%UB~NS z#h-ZE(25iZ*js-DXBu>8IcIM}(WgmWOXjL9oXOj-1f2>ndK%^jvd+Y&%|n@CNA7o; 
z5C;GRCt>l>@D2X%@$9tmiw&Wd|D85=53{xRcm}SRKjFanacJ;aA5Kpl{Koz@edvDH z3EJmmcb~%hc#V0h4uj9<_5*G5+$c>Jb)H~w8K6kxxvtB+HKb_%rpb_R*4`qrnEN36wE2&WK<-WlV5qXC10Yt}!)M}FX4%YN9W%7| z<5DN4eLaAFn7*T5J;ZQK(=s*~UEr0MO~J}y>ht4$PiLAQjj>PABQJz|!m@d;G4ZdB z?(c=X;i(XFI2gmC9ef92x`I!EnV{rTV2%JWVZjGs+>73MUvtK?`wGN{#&nQb9;_0d zF6A)@U6OYo&cxO7!nlh6h7eq`)pOxecCUZGj@4T9oqm$qs0u?Z`}SuU$;x2F2x!~! z8lf%xEJ!Ag+C&D3pST&ez$AgtaaY#2gEai`e@|nUQ3u5iG5qZ?D;jS}GJuWIrfI5V zLJKR5`B6X=v-A#>FfrjJQG%zNO~R}0C7fuXy(ul#=`2rEt&D`-dAEsfNtW4+I7y5u zdEmW)pLH6C5SJ4RMbS}+{s8k%)28dGlyguq+3BI>BjxhNgs6u|r9ZcfRYPEkE-v%D z%E*1lrSD3F z9+&8LQeXXNi$P+d9;724Wy)}t= z5(A&hg3?{e;;qprD_86pg0GU4I}=2{Bcn08@m) z8<2GTpOnVNlJewS`k%;7taD#f7vOXRL>iV#tCf&-)MQNfS@#{iG0BA9bU^kLH7}8# zS}3ZNO&LfEZiv!#AHh*{Rabe}Q9Kv-#86lEZHx4!8*~i{QD)R73J*tGF+5nA!-9W4 z=uT*oKR3pYzn3q9>^>GXoOoO`noUijIK*O(I!y>}t(!E#j|%gn@Y&$cJ(U?%{I)7f z#=pS+tG>!oMfAo;)1(quexQ(ff3jb`2li?nov5(<_(X^B@ayDbAhub4zmtx1=OY!V zcv!mGOec3VZ2HVym9l@bl`sT0oY#BA=Tfuw9(`Rfvp%eijj$1&o5#OaT*%ws0$ zu(Za_@6>FBFLaky@c0(%(&hI2yCIZ?{2js0Nvc642N>p{USO3SewCtdI8Y7>uY1-M z+$9BD&+8#Nr-(h0-h-`6v6kS0nwyL1s2MFV3``_YtC<_B29Oh1Lw3il0;@|K7T>r- z#QyE9EGs{g8&Pi3YOE=R7y-rM-pge;GMCEjL-fd8ySkfFhvVagtt`G^g;=bu1JQ~29z;%gfmzZQ~owd^&t+nuhMj_JaC zt~mX%wG`ZEo9WB(Ka{g=KrgdZ*JtB#A-ZEa8en^qK(|*czqjuzJqModka?>dw5L_c zvnkNz#`s4CLe}kjiKY!aq1GJ$dr0A?Tf=;%i<|Ulq(w42 zGP-ynsNkW9Fw~GlSP+r&LQ`WfwhwC#KrXJMl0qD(EIPz(g=vew;Hxcb(DY)$p zE>RdcyY|Usn^^#*<5CxvkrdGtWNlTFd$&;UX$&18jl5mrZ5TdNIvCY|%yclc_vGo} z$ODH_qoCslQ{(3-dZBN-M?!YKK+|~>z?#Cyv8p<%KFowBM6A=4St$8QwDcgOFI!m$X>#?;+zu_Oqnyxb=Sm;0i z7(D`*{Cio)o9U&{TRID|=QkNT2NajteLM?K)=--$n+JgSwEq&bX|u3Y9OqKo_SJtt zyySnX>rqhAFFOJ-pb69P8~%N=`FLM@cRXFE>vWy2({;K|*XcT4r|Wc`uG4k8{x`1w M0$!?CbO3k&0N?$OOaK4? 
literal 4355 zcmV+e5&Z5SiwFRyfY4R|1MOT{kK;BHo>%)<5HkU$dok0;TmgELEEdT=?85@VCXWFW zS)y&Fbw#Aw?H$a2-zr|BDC%mv)4hO&>9HkNeI$!iv8q^fTtv6Dx=7Y99`Cw>>(i$X z_<8;9$1D32u6G}+C<)6lO`?z|MNXn3=V6l5iqL!mpBLXB*_Win!C8jpvDWqbZK#s@5-Tx@6_RP@g}seoX) zSnz$R+Z^yW`WuC=1^n}J@%ntZTtr1hqbv>>4XbDytdjifo9pxCLIVe7$e~hv>L8d~ ze!fJgBg;Ah`8+RKW4A};JWaY$mA?+B7P}yRbsKMvkIp^38RJ;0C%!6f%4bN?K(MxYkKZnXXb%3(+5Qramk2 zis|#$2-i1z4by=l{tpdfTfSl-pH{LJG)eSLv}L}0d*|XpAj@Kpnl(U=DrB||EBb82 zELt;B(2{n7nA3!DoWNcwD-`#BbaY1e(){)TywgXuGp7F#Z!xZ%tfW!0PH3zaPh9nA zTXTsDV>#-`eBhe<%%9!E3oWHqR>>V!f|P&Z2s+5B6#=%wgO47o=t{8`npH{!HE|?FG^Z-b8$@Zy zSWi`=tXtQLs_No7_2K_7!QV#thw1k(c~$py5lNkDS2W2tldAQ+6Iy>w^J%?rM6cIs z&H8WN!QXrM`*1`<>gRv`^c+?KVSSWIJYyZG>bys*01lgKstT0uljFKvj8=Dt$72S? z-iZ;+a&q^K(=6iYctGZ}^PtWXE+pKHg+z;$F{Gj8fFwv>(X>FT8KjcHWDzAqU7A^q z+`5q9C1{FWjAJ8lT<_0n#tnWDGxEm&8)8vSA!-Ryx0-diC}I9o1x{?=JUWVF6Xr45 zRY}L%&1eS8&J(|#I}k}WX>xdda};n!B#IX542ih{BgB!I^;VU9KX;8K4tTG~$eg%a z&0zlUz0hSivD<>v)7=(dOz%q0P>NWB^1)A6mYV7&+E#&_>bn3cKaODWl0I4Eg~?S> z3m7BUH0N`~i&wXr0Wk}P>7s5HP^>%-R1;D16Gd;W$-ZLarC~v9%BRIfOnV=oTA+M@ z+ajaxK&xd+t%0IHJ&P5VzacMW!3A)H6FkG{A08E$)4@Fl+om| zL0VL)@G*5%XW8Mnz8x)UjkEA22S-hCF;ClnG+7+&9XcbZY6CQUp~9K9tMKkcF)L z3-Sd_*b2HxShC5(R9bc9>*onh2*3)B>nYXs4@cm7*{w)h@1!1NR!+6Ui~=0vmO@5W zZBiKK%{Z^>vg_xL@L6L%;%jQh5#QpD*QkS0L0P0pv=`G-`?t!W1#dIwI^=(Dm5=zp zuaDt!;!Cfm9pfSdx<-v-Dd;EH!g7BN8#khX^_$i6mI#`oMs7ery|B%J!KWY@**Y zt!ZbTmuU^l%MmSW7jV45dLN!Tlks#t*oJ{y!vp;|NSd2 zY3K!65rZ#vCTGJNa(!`iaWzX9FJFNfrW)C8 zDJ*)G3DbtTAcz_@4jPvH`s2@}EGll|*`?C05*pPduk&zaT5l9wnD5_^b(k^=J#m~X zUn;5C>4`&{6?q_azeaSEde4`#JYekzZ{!1(k@*GEKegE)k!*&&GS%Z$;V7vsRmS)b*@Y>WJJ5S4%F@H;=F8i#hA) z9Dd4&DqeopB6PSL2Ugao?nP6(KBmu0mVBv>JfF3SJ3OK)H;8;@7rWCiD=m4zjm;nm zy9{gAVu4$S2?;#1_m7yz-L)CJ_JyC{rE_3f@d)iLnuljyDu=(>Ws;jle1GPYI1Fa< zqdV11YT7*2rc@M+e3%lcGU0iswwCZNXF@C^{w zjPfKV*==6LB&S@4gTyzmlFbgYcu<8qz~pOy#Au4IHqd-JyjIZ^)~6K1Yd*>*ShJzv zoARn1t$})~G|3V!YGi5yt*2Jwb$nPoG1yP1Gf0Y-O2`hlE1k!k(VYS4ORq?(-$FS|M++F7@a}inK!BNs?gPPAAePzta3&y 
zhqh_2<=Vn+PE)n7C?h~(d(qMbHVL?nyP~=sq!F9HdlvDOc_?;>(O(X|V$qhy1K8+o z+Nw$gv@pX|?1Y37Pwrq6#x}enig7Eqjz!kBf|Dhz)1{@}XcA$nl@+i%Zx^vGO;eW< zJBePUaJ)BgTP0BdemQkeG#vx)4>0cxZL*$9IR_PkojtUor9!?K5bYt-;mGv=Q7kX0vy_7xuZ_y6*3kjzTlcDp0DMcY>l@$!MNhC!x168afIw76uoo2sbGZndgd+EHwurAdD45UB0Eur-h2d8^)5rHmI9>enjV1tL&$4|YVH zuv?o*1TpZv%o*DyJla}?Y7^e=A=oN$v9m$c83~>DU=@iHd|0=d)+EN@SPAruZETVj z1*jr)-hiZK|0FE3hExRSlK+NoU|ravCYPWkAX@W8X|0&9!#d^C&bn{S8=Fkdn-<8P z;mnJbr54C6Ra*v%LMWnS-9_*u-Be}PHWbh0GuhOY``96U?FU`MgeX$x6Gab4QgYl_ znZtrVA9E*XQh#hrZ1XQ)k@P;2IefTXG#X8f!zjSb{3?klF0Gp+#*Y%?qwrbd?VhQK zDt=oP1s7jn{ncMpsv273qhV47tUgf4qCQoxSOYsbZ(dXwete??c==86k;r9MJa2^~ z{qaamDqog%G}8;yABT-MRTGB&;tPoqeCwp~Ix(92WgsZqWPbVtv8t` zSoSuPGFTer)^F5oq%Cxpl<@lI>%wRD{8>}R193*IwUcTQsRjlaOfS&N9=l3Ycnl~H zMXz~Q=fWffT@U_ZwQubrc1Suew#hqNf(2?XF1Dd&l|VBvkieW`p{Qy=j(r8`ozM!r zDqL7RafOK8$7xZN{Y-vDwMgr>CJcN86o-E;SMJDMD!&cUA@i;3eoEtxkCPggyF)5h z8>Y{vcA?Z%LXzIX9R3)M>MF5Z6dyvn;g01a7vPS40ws0cUsln+vcdKnAt_VK9YeR= zYl<14F1QyHr`xuMLfC9GZ8`BnDcc(6Wx8tHY{D-@bIf=Hd~Xw&@{(uw?sGlQfv4SM zQK}lx`z=csZcJX9X=cHK)%f~Fa**ZDB&|h2rYQQD*GWZp zFetIVRj+&dTAPKXWg7QT-z63AG3I5NYj}%?y|d3(957h;R>i#+S{HVvh$PX$wLv01 zi&|7d_BQD&vMwq#vK3d8jvX-BYNwfROoowZjZzDCMOGEBBo)le5bb?MgjorRNOrXv z;~J8715|*=lg=RbG;kzUl9w4sg=8gr>2u4zAcrp=VAHmv5Md+^Hu*_gK^q_Lyd-9D zgYW=@H?>5VV(9re2CTDdK)%Xf5D@lWStL3CJeV)mNqX;?%4R!68H3{-R_t2wxC1WE zg*EOa%q=iG%hcMcQTi6q7v-Y2l{}ZQ3gFIU3H&<9>9jUuLGGx>RbD~$7d9nhLES% z zB}%qmz2xJ`Y{i-44?nGdjJ08$J6is zKhbrGtKsEuDrHxgTWSkTt%X5-qkb5%x=}BY%JyY=Lg=z))#WP5FBQOI@%HUB6m_x| zQ5=xBd2v^ybw=MxJvJTFKC)|o!H8GDefSTBZ}64fpgvVS7b=`Jz5Ui9h<5wE_-;Q; zeGjc}c?n8bfuCJo{O$bji)lb6fm))#x?@Rw7EzBdTd!aN zJz~S|)@)Lv+V*fu^oR(H^+Saw*Ll;n2I)8ay{+j}a0Cl&1^{D608>A|b-bQl%GZF+ zLhP7I))WSc%k(~)g{M;TZIsOeK>A*$OAOA=!t%ZV3at6r3_!dTzx?$msA!5E0T|Gv xruhwj?rc8ZQ!los>vWy2({;K|*XcT4r|Wc`uG4k8PS+D%{{#1mqCo(70038@Y6}1W diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 8bb1cc6b..9112bf0c 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch 
@@ -15455,7 +15455,7 @@ index d7c11a0..6b3331d 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..f3dd0f6 100644 +index 8416beb..99002ca 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -15607,7 +15607,32 @@ index 8416beb..f3dd0f6 100644 dev_search_sysfs($1) ') -@@ -1107,6 +1177,24 @@ interface(`fs_read_noxattr_fs_files',` +@@ -920,6 +990,24 @@ interface(`fs_getattr_cifs',` + + ######################################## + ## ++## Set the attributes of cifs directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_setattr_cifs_dirs',` ++ gen_require(` ++ type cifs_t; ++ ') ++ ++ allow $1 cifs_t:dir setattr; ++') ++ ++######################################## ++## + ## Search directories on a CIFS or SMB filesystem. + ## + ## +@@ -1107,6 +1195,24 @@ interface(`fs_read_noxattr_fs_files',` ######################################## ## @@ -15632,7 +15657,7 @@ index 8416beb..f3dd0f6 100644 ## Do not audit attempts to read all ## noxattrfs files. ## -@@ -1245,7 +1333,7 @@ interface(`fs_append_cifs_files',` +@@ -1245,7 +1351,7 @@ interface(`fs_append_cifs_files',` ######################################## ## @@ -15641,7 +15666,7 @@ index 8416beb..f3dd0f6 100644 ## on a CIFS filesystem. ## ## -@@ -1265,6 +1353,42 @@ interface(`fs_dontaudit_append_cifs_files',` +@@ -1265,6 +1371,42 @@ interface(`fs_dontaudit_append_cifs_files',` ######################################## ## @@ -15684,7 +15709,7 @@ index 8416beb..f3dd0f6 100644 ## Do not audit attempts to read or ## write files on a CIFS or SMB filesystem. ## -@@ -1279,7 +1403,7 @@ interface(`fs_dontaudit_rw_cifs_files',` +@@ -1279,7 +1421,7 @@ interface(`fs_dontaudit_rw_cifs_files',` type cifs_t; ') 
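Review bot: The new fs_setattr_cifs_dirs() interface in the hunk at @@ -15607 grants `setattr` on `cifs_t:dir`, and cifs_t is the one generic type shared by every CIFS/SMB mount, so a domain that calls it (per the commit message, tmpreaper through the new tmpreaper_use_cifs boolean) gets the setattr permission — the one the kernel checks for chmod/chown/utime-style changes — on directories of every mounted share, not only on the "local directories being shared with Samba" the changelog describes. That breadth is inherent to how the existing fs_*_cifs_* interfaces are built, so the rule itself is consistent with its neighbours, but the summary should state it so that boolean authors do not assume a narrower effect: `## Set the attributes of directories on any mounted CIFS or SMB filesystem (cifs_t is not per-share).`. The interface is complete within the hunk.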
@@ -15693,7 +15718,7 @@ index 8416beb..f3dd0f6 100644 ') ######################################## -@@ -1542,6 +1666,63 @@ interface(`fs_cifs_domtrans',` +@@ -1542,6 +1684,63 @@ interface(`fs_cifs_domtrans',` domain_auto_transition_pattern($1, cifs_t, $2) ') @@ -15757,7 +15782,7 @@ index 8416beb..f3dd0f6 100644 ####################################### ## ## Create, read, write, and delete dirs -@@ -1582,6 +1763,24 @@ interface(`fs_manage_configfs_files',` +@@ -1582,6 +1781,24 @@ interface(`fs_manage_configfs_files',` ######################################## ## @@ -15782,7 +15807,7 @@ index 8416beb..f3dd0f6 100644 ## Mount a DOS filesystem, such as ## FAT32 or NTFS. ## -@@ -1793,63 +1992,70 @@ interface(`fs_read_eventpollfs',` +@@ -1793,63 +2010,70 @@ interface(`fs_read_eventpollfs',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -15878,7 +15903,7 @@ index 8416beb..f3dd0f6 100644 ## on a FUSEFS filesystem. ## ## -@@ -1859,18 +2065,19 @@ interface(`fs_mounton_fusefs',` +@@ -1859,18 +2083,19 @@ interface(`fs_mounton_fusefs',` ## ## # @@ -15903,7 +15928,7 @@ index 8416beb..f3dd0f6 100644 ## ## ## -@@ -1878,135 +2085,721 @@ interface(`fs_search_fusefs',` +@@ -1878,135 +2103,740 @@ interface(`fs_search_fusefs',` ## ## # 
@@ -16023,55 +16048,48 @@ index 8416beb..f3dd0f6 100644 ## -## Domain allowed access. +## Domain allowed to transition. -+## -+## + ## + ## +-## +-# +-interface(`fs_exec_fusefs_files',` +- gen_require(` +- type fusefs_t; +## +## +## The type of the new process. - ## - ## --## - # --interface(`fs_exec_fusefs_files',` ++## ++## ++# +interface(`fs_ecryptfs_domtrans',` - gen_require(` -- type fusefs_t; ++ gen_require(` + type ecryptfs_t; - ') - -- exec_files_pattern($1, fusefs_t, fusefs_t) ++ ') ++ + allow $1 ecryptfs_t:dir search_dir_perms; + domain_auto_transition_pattern($1, ecryptfs_t, $2) - ') - - ######################################## - ## --## Create, read, write, and delete files --## on a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Mount a FUSE filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`fs_manage_fusefs_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_mount_fusefs',` - gen_require(` - type fusefs_t; - ') - -- manage_files_pattern($1, fusefs_t, fusefs_t) ++ gen_require(` ++ type fusefs_t; ++ ') ++ + allow $1 fusefs_t:filesystem mount; - ') - - ######################################## - ## --## Do not audit attempts to create, --## read, write, and delete files --## on a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Unmount a FUSE filesystem. +## +## 
@@ -16631,50 +16649,79 @@ index 8416beb..f3dd0f6 100644 +interface(`fs_hugetlbfs_filetrans',` + gen_require(` + type hugetlbfs_t; -+ ') -+ + ') + +- exec_files_pattern($1, fusefs_t, fusefs_t) + allow $2 hugetlbfs_t:filesystem associate; + filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete files +-## on a FUSEFS filesystem. +## Mount an iso9660 filesystem, which +## is usually used on CDs. ## ## ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`fs_manage_fusefs_files',` ++interface(`fs_mount_iso9660_fs',` + gen_require(` +- type fusefs_t; ++ type iso9660_t; + ') + +- manage_files_pattern($1, fusefs_t, fusefs_t) ++ allow $1 iso9660_t:filesystem mount; + ') + + ######################################## + ## +-## Do not audit attempts to create, +-## read, write, and delete files +-## on a FUSEFS filesystem. ++## Remount an iso9660 filesystem, which ++## is usually used on CDs. This allows ++## some mount options to be changed. + ## + ## + ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`fs_dontaudit_manage_fusefs_files',` -+interface(`fs_mount_iso9660_fs',` ++interface(`fs_remount_iso9660_fs',` gen_require(` - type fusefs_t; + type iso9660_t; ') - dontaudit $1 fusefs_t:file manage_file_perms; -+ allow $1 iso9660_t:filesystem mount; ++ allow $1 iso9660_t:filesystem remount; ') ######################################## ## -## Read symbolic links on a FUSEFS filesystem. -+## Remount an iso9660 filesystem, which -+## is usually used on CDs. This allows -+## some mount options to be changed. ++## Unmount an iso9660 filesystem, which ++## is usually used on CDs. 
## ## ## -@@ -2014,19 +2807,18 @@ interface(`fs_dontaudit_manage_fusefs_files',` +@@ -2014,37 +2844,38 @@ interface(`fs_dontaudit_manage_fusefs_files',` ## ## # -interface(`fs_read_fusefs_symlinks',` -+interface(`fs_remount_iso9660_fs',` ++interface(`fs_unmount_iso9660_fs',` gen_require(` - type fusefs_t; + type iso9660_t; @@ -16682,36 +16729,13 @@ index 8416beb..f3dd0f6 100644 - allow $1 fusefs_t:dir list_dir_perms; - read_lnk_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 iso9660_t:filesystem remount; ++ allow $1 iso9660_t:filesystem unmount; ') ######################################## ## -## Get the attributes of an hugetlbfs -## filesystem. -+## Unmount an iso9660 filesystem, which -+## is usually used on CDs. - ## - ## - ## -@@ -2034,35 +2826,38 @@ interface(`fs_read_fusefs_symlinks',` - ## - ## - # --interface(`fs_getattr_hugetlbfs',` -+interface(`fs_unmount_iso9660_fs',` - gen_require(` -- type hugetlbfs_t; -+ type iso9660_t; - ') - -- allow $1 hugetlbfs_t:filesystem getattr; -+ allow $1 iso9660_t:filesystem unmount; - ') - - ######################################## - ## --## List hugetlbfs. +## Get the attributes of an iso9660 +## filesystem, which is usually used on CDs. ## 
@@ -16722,17 +16746,41 @@ index 8416beb..f3dd0f6 100644 ## +## # --interface(`fs_list_hugetlbfs',` +-interface(`fs_getattr_hugetlbfs',` +interface(`fs_getattr_iso9660_fs',` gen_require(` - type hugetlbfs_t; + type iso9660_t; ') -- allow $1 hugetlbfs_t:dir list_dir_perms; +- allow $1 hugetlbfs_t:filesystem getattr; + allow $1 iso9660_t:filesystem getattr; ') + ######################################## + ## +-## List hugetlbfs. ++## Read files on an iso9660 filesystem, which ++## is usually used on CDs. + ## + ## + ## +@@ -2052,17 +2883,19 @@ interface(`fs_getattr_hugetlbfs',` + ## + ## + # +-interface(`fs_list_hugetlbfs',` ++interface(`fs_getattr_iso9660_files',` + gen_require(` +- type hugetlbfs_t; ++ type iso9660_t; + ') + +- allow $1 hugetlbfs_t:dir list_dir_perms; ++ allow $1 iso9660_t:dir list_dir_perms; ++ allow $1 iso9660_t:file getattr; + ') + ######################################## ## -## Manage hugetlbfs dirs. 
@@ -16741,42 +16789,18 @@ index 8416beb..f3dd0f6 100644 ## ## ## -@@ -2070,17 +2865,19 @@ interface(`fs_list_hugetlbfs',` +@@ -2070,17 +2903,20 @@ interface(`fs_list_hugetlbfs',` ## ## # -interface(`fs_manage_hugetlbfs_dirs',` -+interface(`fs_getattr_iso9660_files',` - gen_require(` -- type hugetlbfs_t; -+ type iso9660_t; - ') - -- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) -+ allow $1 iso9660_t:dir list_dir_perms; -+ allow $1 iso9660_t:file getattr; - ') - - ######################################## - ## --## Read and write hugetlbfs files. -+## Read files on an iso9660 filesystem, which -+## is usually used on CDs. - ## - ## - ## -@@ -2088,35 +2885,38 @@ interface(`fs_manage_hugetlbfs_dirs',` - ## - ## - # --interface(`fs_rw_hugetlbfs_files',` +interface(`fs_read_iso9660_files',` gen_require(` - type hugetlbfs_t; + type iso9660_t; ') -- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) +- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) + allow $1 iso9660_t:dir list_dir_perms; + read_files_pattern($1, iso9660_t, iso9660_t) + read_lnk_files_pattern($1, iso9660_t, iso9660_t) @@ -16785,9 +16809,31 @@ index 8416beb..f3dd0f6 100644 + ######################################## ## --## Allow the type to associate to hugetlbfs filesystems. +-## Read and write hugetlbfs files. +## Mount kdbus filesystems. ## + ## + ## +@@ -2088,35 +2924,35 @@ interface(`fs_manage_hugetlbfs_dirs',` + ## + ## + # +-interface(`fs_rw_hugetlbfs_files',` ++interface(`fs_mount_kdbus', ` + gen_require(` +- type hugetlbfs_t; ++ type kdbusfs_t; + ') + +- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ++ allow $1 kdbusfs_t:filesystem mount; + ') + + ######################################## + ## +-## Allow the type to associate to hugetlbfs filesystems. ++## Remount kdbus filesystems. + ## -## +## ## 
@@ -16797,88 +16843,91 @@ index 8416beb..f3dd0f6 100644 ## # -interface(`fs_associate_hugetlbfs',` -+interface(`fs_mount_kdbus', ` ++interface(`fs_remount_kdbus', ` gen_require(` - type hugetlbfs_t; + type kdbusfs_t; ') - allow $1 hugetlbfs_t:filesystem associate; -+ allow $1 kdbusfs_t:filesystem mount; - ') - - ######################################## - ## --## Search inotifyfs filesystem. -+## Remount kdbus filesystems. - ## - ## - ## -@@ -2124,17 +2924,17 @@ interface(`fs_associate_hugetlbfs',` - ## - ## - # --interface(`fs_search_inotifyfs',` -+interface(`fs_remount_kdbus', ` - gen_require(` -- type inotifyfs_t; -+ type kdbusfs_t; - ') - -- allow $1 inotifyfs_t:dir search_dir_perms; + allow $1 kdbusfs_t:filesystem remount; ') ######################################## ## --## List inotifyfs filesystem. +-## Search inotifyfs filesystem. +## Unmount kdbus filesystems. ## ## ## -@@ -2142,71 +2942,134 @@ interface(`fs_search_inotifyfs',` +@@ -2124,17 +2960,17 @@ interface(`fs_associate_hugetlbfs',` ## ## # --interface(`fs_list_inotifyfs',` +-interface(`fs_search_inotifyfs',` +interface(`fs_unmount_kdbus', ` gen_require(` - type inotifyfs_t; + type kdbusfs_t; ') -- allow $1 inotifyfs_t:dir list_dir_perms; +- allow $1 inotifyfs_t:dir search_dir_perms; + allow $1 kdbusfs_t:filesystem unmount; ') ######################################## ## --## Dontaudit List inotifyfs filesystem. +-## List inotifyfs filesystem. +## Get attributes of kdbus filesystems. ## ## ## +@@ -2142,71 +2978,136 @@ interface(`fs_search_inotifyfs',` + ## + ## + # +-interface(`fs_list_inotifyfs',` ++interface(`fs_getattr_kdbus',` + gen_require(` +- type inotifyfs_t; ++ type kdbusfs_t; + ') + +- allow $1 inotifyfs_t:dir list_dir_perms; ++ allow $1 kdbusfs_t:filesystem getattr; + ') + + ######################################## + ## +-## Dontaudit List inotifyfs filesystem. ++## Search kdbusfs directories. + ## + ## + ## -## Domain to not audit. +## Domain allowed access. 
## ## # -interface(`fs_dontaudit_list_inotifyfs',` -+interface(`fs_getattr_kdbus',` ++interface(`fs_search_kdbus_dirs',` gen_require(` - type inotifyfs_t; + type kdbusfs_t; ++ ') - dontaudit $1 inotifyfs_t:dir list_dir_perms; -+ allow $1 kdbusfs_t:filesystem getattr; ++ search_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ') ######################################## ## -## Create an object in a hugetlbfs filesystem, with a private -## type using a type transition. -+## Search kdbusfs directories. ++## Relabel kdbusfs directories. ## ## ## @@ -16887,29 +16936,6 @@ index 8416beb..f3dd0f6 100644 ## -## +# -+interface(`fs_search_kdbus_dirs',` -+ gen_require(` -+ type kdbusfs_t; -+ -+ ') -+ -+ search_dirs_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) -+') -+ -+######################################## -+## -+## Relabel kdbusfs directories. -+## -+## - ## --## The type of the object to be created. -+## Domain allowed access. - ## - ## --## -+# +interface(`fs_relabel_kdbus_dirs',` + gen_require(` + type cgroup_t; @@ -16925,11 +16951,11 @@ index 8416beb..f3dd0f6 100644 +## +## ## --## The object class of the object being created. +-## The type of the object to be created. +## Domain allowed access. ## ## --## +-## +# +interface(`fs_list_kdbus_dirs',` + gen_require(` @@ -16964,6 +16990,28 @@ index 8416beb..f3dd0f6 100644 +## +## Delete kdbusfs directories. +## ++## + ## +-## The object class of the object being created. ++## Domain allowed access. + ## + ## +-## ++# ++interface(`fs_delete_kdbus_dirs', ` ++ gen_require(` ++ type kdbusfs_t; ++ ') ++ ++ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ++') ++ ++######################################## ++## ++## Manage kdbusfs directories. ++## +## ## -## The name of the object being created. 
@@ -16972,15 +17020,16 @@ index 8416beb..f3dd0f6 100644 ## # -interface(`fs_hugetlbfs_filetrans',` -+interface(`fs_delete_kdbus_dirs', ` ++interface(`fs_manage_kdbus_dirs',` gen_require(` - type hugetlbfs_t; +- ') + type kdbusfs_t; - ') - allow $2 hugetlbfs_t:filesystem associate; - filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) -+ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ ') ++ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') @@ -16989,24 +17038,25 @@ index 8416beb..f3dd0f6 100644 ## -## Mount an iso9660 filesystem, which -## is usually used on CDs. -+## Manage kdbusfs directories. ++## Read kdbusfs files. ## ## ## -@@ -2214,19 +3077,19 @@ interface(`fs_hugetlbfs_filetrans',` +@@ -2214,19 +3115,21 @@ interface(`fs_hugetlbfs_filetrans',` ## ## # -interface(`fs_mount_iso9660_fs',` -+interface(`fs_manage_kdbus_dirs',` ++interface(`fs_read_kdbus_files',` gen_require(` - type iso9660_t; -- ') -+ type kdbusfs_t; ++ type cgroup_t; ++ + ') - allow $1 iso9660_t:filesystem mount; -+ ') -+ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ read_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') 
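Review bot: On the new side of the hunk at @@ -16989, fs_read_kdbus_files() declares `type cgroup_t;` in its gen_require block but never references cgroup_t, while the body's read_files_pattern() and read_lnk_files_pattern() use kdbusfs_t, which is not required; the adjacent fs_write_kdbus_files() in the next hunk requires kdbusfs_t as expected, so this looks like a copy-paste leftover from the cgroup interfaces. For a caller compiled as a loadable module I would expect this to surface as an undeclared-type error for kdbusfs_t, or to silently rely on some other interface in the same module having required it. The commit only relocates the interface — the same require block is visible on the old side in the following hunk — so the defect predates it, but since the lines are being rewritten anyway the fix is one line: `type kdbusfs_t;` in place of `type cgroup_t;`. fs_relabel_kdbus_dirs(), shown as context in an earlier hunk, appears to carry the same stray `type cgroup_t;` and is worth checking at the same time.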
@@ -17016,25 +17066,23 @@ index 8416beb..f3dd0f6 100644 -## Remount an iso9660 filesystem, which -## is usually used on CDs. This allows -## some mount options to be changed. -+## Read kdbusfs files. ++## Write kdbusfs files. ## ## ## -@@ -2234,18 +3097,21 @@ interface(`fs_mount_iso9660_fs',` +@@ -2234,18 +3137,19 @@ interface(`fs_mount_iso9660_fs',` ## ## # -interface(`fs_remount_iso9660_fs',` -+interface(`fs_read_kdbus_files',` ++interface(`fs_write_kdbus_files', ` gen_require(` - type iso9660_t; -+ type cgroup_t; -+ ++ type kdbusfs_t; ') - allow $1 iso9660_t:filesystem remount; -+ read_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ write_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') @@ -17043,41 +17091,15 @@ index 8416beb..f3dd0f6 100644 ## -## Unmount an iso9660 filesystem, which -## is usually used on CDs. -+## Write kdbusfs files. - ## - ## - ## -@@ -2253,38 +3119,61 @@ interface(`fs_remount_iso9660_fs',` - ## - ## - # --interface(`fs_unmount_iso9660_fs',` -+interface(`fs_write_kdbus_files', ` - gen_require(` -- type iso9660_t; -+ type kdbusfs_t; - ') - -- allow $1 iso9660_t:filesystem unmount; -+ write_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) - ') - - ######################################## - ## --## Get the attributes of an iso9660 --## filesystem, which is usually used on CDs. +## Read and write kdbusfs files. ## ## ## - ## Domain allowed access. +@@ -2253,38 +3157,41 @@ interface(`fs_remount_iso9660_fs',` ## ## --## # --interface(`fs_getattr_iso9660_fs',` +-interface(`fs_unmount_iso9660_fs',` +interface(`fs_rw_kdbus_files',` gen_require(` - type iso9660_t; @@ -17085,7 +17107,7 @@ index 8416beb..f3dd0f6 100644 + ') -- allow $1 iso9660_t:filesystem getattr; +- allow $1 iso9660_t:filesystem unmount; + read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) + rw_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) 
@@ -17094,33 +17116,40 @@ index 8416beb..f3dd0f6 100644 ######################################## ## --## Read files on an iso9660 filesystem, which --## is usually used on CDs. +-## Get the attributes of an iso9660 +-## filesystem, which is usually used on CDs. +## Do not audit attempts to open, +## get attributes, read and write +## cgroup files. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## +-## + # +-interface(`fs_getattr_iso9660_fs',` +interface(`fs_dontaudit_rw_kdbus_files',` -+ gen_require(` + gen_require(` +- type iso9660_t; + type kdbusfs_t; -+ ') -+ + ') + +- allow $1 iso9660_t:filesystem getattr; + dontaudit $1 kdbusfs_t:file rw_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read files on an iso9660 filesystem, which +-## is usually used on CDs. +## Manage kdbusfs files. ## ## ## -@@ -2292,19 +3181,21 @@ interface(`fs_getattr_iso9660_fs',` +@@ -2292,19 +3199,21 @@ interface(`fs_getattr_iso9660_fs',` ## ## # @@ -17148,7 +17177,7 @@ index 8416beb..f3dd0f6 100644 ## ## ## -@@ -2312,16 +3203,15 @@ interface(`fs_getattr_iso9660_files',` +@@ -2312,16 +3221,15 @@ interface(`fs_getattr_iso9660_files',` ## ## # @@ -17169,7 +17198,7 @@ index 8416beb..f3dd0f6 100644 ######################################## ## ## Mount a NFS filesystem. -@@ -2356,44 +3246,62 @@ interface(`fs_remount_nfs',` +@@ -2356,44 +3264,62 @@ interface(`fs_remount_nfs',` type nfs_t; ') @@ -17240,7 +17269,7 @@ index 8416beb..f3dd0f6 100644 ') ######################################## -@@ -2485,6 +3393,7 @@ interface(`fs_read_nfs_files',` +@@ -2485,6 +3411,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -17248,7 +17277,7 @@ index 8416beb..f3dd0f6 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2523,6 +3432,7 @@ interface(`fs_write_nfs_files',` +@@ -2523,6 +3450,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') 
@@ -17256,7 +17285,7 @@ index 8416beb..f3dd0f6 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2549,6 +3459,44 @@ interface(`fs_exec_nfs_files',` +@@ -2549,6 +3477,44 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -17301,7 +17330,7 @@ index 8416beb..f3dd0f6 100644 ## Append files ## on a NFS filesystem. ## -@@ -2569,7 +3517,7 @@ interface(`fs_append_nfs_files',` +@@ -2569,7 +3535,7 @@ interface(`fs_append_nfs_files',` ######################################## ## @@ -17310,7 +17339,7 @@ index 8416beb..f3dd0f6 100644 ## on a NFS filesystem. ## ## -@@ -2589,6 +3537,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2589,6 +3555,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -17353,7 +17382,7 @@ index 8416beb..f3dd0f6 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2603,7 +3587,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3605,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -17362,7 +17391,7 @@ index 8416beb..f3dd0f6 100644 ') ######################################## -@@ -2627,7 +3611,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3629,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## @@ -17371,7 +17400,7 @@ index 8416beb..f3dd0f6 100644 ## ## ## -@@ -2719,6 +3703,65 @@ interface(`fs_search_rpc',` +@@ -2719,6 +3721,65 @@ interface(`fs_search_rpc',` ######################################## ## @@ -17437,7 +17466,7 @@ index 8416beb..f3dd0f6 100644 ## Search removable storage directories. ## ## -@@ -2741,7 +3784,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +3802,7 @@ interface(`fs_search_removable',` ## ## ## @@ -17446,7 +17475,7 @@ index 8416beb..f3dd0f6 100644 ## ## # -@@ -2777,7 +3820,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +3838,7 @@ interface(`fs_read_removable_files',` ## ## ## 
@@ -17455,7 +17484,7 @@ index 8416beb..f3dd0f6 100644 ## ## # -@@ -2970,6 +4013,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +4031,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -17463,7 +17492,7 @@ index 8416beb..f3dd0f6 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +4054,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +4072,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -17471,7 +17500,7 @@ index 8416beb..f3dd0f6 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +4095,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +4113,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -17479,7 +17508,7 @@ index 8416beb..f3dd0f6 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3137,6 +4183,24 @@ interface(`fs_nfs_domtrans',` +@@ -3137,6 +4201,24 @@ interface(`fs_nfs_domtrans',` ######################################## ## @@ -17504,7 +17533,7 @@ index 8416beb..f3dd0f6 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3263,7 +4327,25 @@ interface(`fs_getattr_nfsd_files',` +@@ -3263,7 +4345,25 @@ interface(`fs_getattr_nfsd_files',` getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') @@ -17531,7 +17560,7 @@ index 8416beb..f3dd0f6 100644 ## ## Read and write NFS server files. ## -@@ -3283,6 +4365,59 @@ interface(`fs_rw_nfsd_fs',` +@@ -3283,6 +4383,59 @@ interface(`fs_rw_nfsd_fs',` ######################################## ## @@ -17591,7 +17620,7 @@ index 8416beb..f3dd0f6 100644 ## Allow the type to associate to ramfs filesystems. ## ## -@@ -3392,7 +4527,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4545,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -17600,7 +17629,7 @@ index 8416beb..f3dd0f6 100644 ## ## ## -@@ -3429,7 +4564,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4582,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## 
@@ -17609,7 +17638,7 @@ index 8416beb..f3dd0f6 100644 ## ## ## -@@ -3447,7 +4582,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4600,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -17618,7 +17647,7 @@ index 8416beb..f3dd0f6 100644 ## ## ## -@@ -3779,6 +4914,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +4932,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## @@ -17643,7 +17672,7 @@ index 8416beb..f3dd0f6 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +4968,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +4986,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -17668,7 +17697,7 @@ index 8416beb..f3dd0f6 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3839,39 +5010,76 @@ interface(`fs_getattr_tmpfs',` +@@ -3839,39 +5028,76 @@ interface(`fs_getattr_tmpfs',` ## ## ## @@ -17754,7 +17783,7 @@ index 8416beb..f3dd0f6 100644 ## ## ## -@@ -3879,36 +5087,35 @@ interface(`fs_relabelfrom_tmpfs',` +@@ -3879,36 +5105,35 @@ interface(`fs_relabelfrom_tmpfs',` ## ## # @@ -17798,7 +17827,7 @@ index 8416beb..f3dd0f6 100644 ## ## ## -@@ -3916,35 +5123,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,35 +5141,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -17842,7 +17871,7 @@ index 8416beb..f3dd0f6 100644 ## ## ## -@@ -3952,17 +5160,17 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5178,17 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -17863,7 +17892,7 @@ index 8416beb..f3dd0f6 100644 ## ## ## -@@ -3970,31 +5178,30 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5196,30 @@ interface(`fs_search_tmpfs',` ## ## # @@ -17901,7 +17930,7 @@ index 8416beb..f3dd0f6 100644 ') ######################################## -@@ -4105,7 +5312,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` +@@ -4105,7 +5330,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` type tmpfs_t; ') 
@@ -17910,7 +17939,7 @@ index 8416beb..f3dd0f6 100644 ') ######################################## -@@ -4165,6 +5372,24 @@ interface(`fs_rw_tmpfs_files',` +@@ -4165,6 +5390,24 @@ interface(`fs_rw_tmpfs_files',` ######################################## ## @@ -17935,7 +17964,7 @@ index 8416beb..f3dd0f6 100644 ## Read tmpfs link files. ## ## -@@ -4202,7 +5427,7 @@ interface(`fs_rw_tmpfs_chr_files',` +@@ -4202,7 +5445,7 @@ interface(`fs_rw_tmpfs_chr_files',` ######################################## ## @@ -17944,7 +17973,7 @@ index 8416beb..f3dd0f6 100644 ## ## ## -@@ -4221,6 +5446,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4221,6 +5464,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -18005,7 +18034,7 @@ index 8416beb..f3dd0f6 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4278,6 +5557,44 @@ interface(`fs_relabel_tmpfs_blk_file',` +@@ -4278,6 +5575,44 @@ interface(`fs_relabel_tmpfs_blk_file',` ######################################## ## @@ -18050,7 +18079,7 @@ index 8416beb..f3dd0f6 100644 ## Read and write, create and delete generic ## files on tmpfs filesystems. ## -@@ -4297,6 +5614,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4297,6 +5632,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -18076,7 +18105,7 @@ index 8416beb..f3dd0f6 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4407,6 +5743,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +5761,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -18102,7 +18131,7 @@ index 8416beb..f3dd0f6 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +5858,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +5876,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; 
@@ -18111,7 +18140,7 @@ index 8416beb..f3dd0f6 100644 ') ######################################## -@@ -4549,7 +5906,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +5924,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -18120,7 +18149,7 @@ index 8416beb..f3dd0f6 100644 ## Example attributes: ##

##
    -@@ -4596,6 +5953,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +5971,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -18147,7 +18176,7 @@ index 8416beb..f3dd0f6 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6048,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6066,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -18173,7 +18202,7 @@ index 8416beb..f3dd0f6 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6308,63 @@ interface(`fs_unconfined',` +@@ -4912,3 +6326,63 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -23386,10 +23415,10 @@ index 0000000..b680867 +/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if new file mode 100644 -index 0000000..4165608 +index 0000000..03faeac --- /dev/null +++ b/policy/modules/roles/unconfineduser.if -@@ -0,0 +1,689 @@ +@@ -0,0 +1,708 @@ +## Unconfined user role + +######################################## @@ -24079,12 +24108,31 @@ index 0000000..4165608 + allow unconfined_t $2:file entrypoint; + allow $1 unconfined_t:process signal_perms; +') ++ ++######################################## ++## ++## unconfined_t domain typebounds calling domain. ++## ++## ++## ++## Domain to be typebound. ++## ++## ++# ++interface(`unconfined_typebounds',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ typebounds unconfined_t $1; ++') ++ diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..c0d61f3 +index 0000000..31076d7 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,340 @@ +@@ -0,0 +1,345 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## 
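Review bot: The new `unconfined_typebounds` interface never says why a typebounds is wanted, and the reason is exactly the prctl(NO_NEW_PRIVS) fix named in the changelog: the kernel refuses a domain transition from a NO_NEW_PRIVS process unless the target type is bounded by the caller's type, so this rule is what keeps transitions out of unconfined_t working under that flag. Suggest widening the summary to `## Bound the calling domain by unconfined_t so that a transition from unconfined_t into it stays permitted under prctl(NO_NEW_PRIVS).` The description should also state the other effect of the bound, that a domain passed here can hold no permission unconfined_t lacks; as far as I can tell that is checked when the policy is expanded, which is a weak constraint while unconfined_t is fully unconfined but would bite every caller of this interface if unconfined_t were ever narrowed. The surrounding unconfineduser.if file header is outside this hunk.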
@@ -24280,6 +24328,10 @@ index 0000000..c0d61f3 +') + +optional_policy(` ++ docker_entrypoint(unconfined_t) ++') ++ ++optional_policy(` + dbus_role_template(unconfined, unconfined_r, unconfined_t) + role system_r types unconfined_dbusd_t; + @@ -24415,6 +24467,7 @@ index 0000000..c0d61f3 +optional_policy(` + virt_transition_svirt(unconfined_t, unconfined_r) + virt_transition_svirt_sandbox(unconfined_t, unconfined_r) ++ virt_sandbox_entrypoint(unconfined_t) +') + +optional_policy(` diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index e61fc878..b30f2509 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -106682,10 +106682,10 @@ index 97cd155..49321a5 100644 fs_search_auto_mountpoints(timidity_t) diff --git a/tmpreaper.te b/tmpreaper.te -index 585a77f..9b0ab2b 100644 +index 585a77f..948bc5b 100644 --- a/tmpreaper.te +++ b/tmpreaper.te -@@ -5,9 +5,25 @@ policy_module(tmpreaper, 1.7.1) +@@ -5,9 +5,34 @@ policy_module(tmpreaper, 1.7.1) # Declarations # @@ -106697,6 +106697,15 @@ index 585a77f..9b0ab2b 100644 +## +gen_tunable(tmpreaper_use_nfs, false) + ++ ++## ++##

    ++## Determine whether tmpreaper can use ++## cifs file systems. ++##

    ++##
    ++gen_tunable(tmpreaper_use_cifs, false) ++ +## +##

    +## Determine whether tmpreaper can use samba_share files @@ -106711,7 +106720,7 @@ index 585a77f..9b0ab2b 100644 ######################################## # -@@ -19,6 +35,7 @@ allow tmpreaper_t self:fifo_file rw_fifo_file_perms; +@@ -19,6 +44,7 @@ allow tmpreaper_t self:fifo_file rw_fifo_file_perms; kernel_list_unlabeled(tmpreaper_t) kernel_read_system_state(tmpreaper_t) @@ -106719,7 +106728,7 @@ index 585a77f..9b0ab2b 100644 dev_read_urand(tmpreaper_t) -@@ -27,15 +44,19 @@ corecmd_exec_shell(tmpreaper_t) +@@ -27,15 +53,19 @@ corecmd_exec_shell(tmpreaper_t) fs_getattr_xattr_fs(tmpreaper_t) fs_list_all(tmpreaper_t) @@ -106743,7 +106752,7 @@ index 585a77f..9b0ab2b 100644 mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) -@@ -45,7 +66,6 @@ init_use_inherited_script_ptys(tmpreaper_t) +@@ -45,7 +75,6 @@ init_use_inherited_script_ptys(tmpreaper_t) logging_send_syslog_msg(tmpreaper_t) @@ -106751,7 +106760,7 @@ index 585a77f..9b0ab2b 100644 miscfiles_delete_man_pages(tmpreaper_t) ifdef(`distro_debian',` -@@ -53,10 +73,23 @@ ifdef(`distro_debian',` +@@ -53,10 +82,33 @@ ifdef(`distro_debian',` ') ifdef(`distro_redhat',` @@ -106772,11 +106781,21 @@ index 585a77f..9b0ab2b 100644 + optional_policy(` + tunable_policy(`tmpreaper_use_samba',` + samba_setattr_samba_share_dirs(tmpreaper_t) ++ ') ++') ++ ++tunable_policy(`tmpreaper_use_cifs',` ++ fs_setattr_cifs_dirs(tmpreaper_t) ++') ++ ++ optional_policy(` ++ tunable_policy(`tmpreaper_use_samba',` ++ samba_setattr_samba_share_dirs(tmpreaper_t) + ') ') optional_policy(` -@@ -64,6 +97,7 @@ optional_policy(` +@@ -64,6 +116,7 @@ optional_policy(` ') optional_policy(` @@ -106784,7 +106803,7 @@ index 585a77f..9b0ab2b 100644 apache_list_cache(tmpreaper_t) apache_delete_cache_dirs(tmpreaper_t) apache_delete_cache_files(tmpreaper_t) -@@ -79,7 +113,19 @@ optional_policy(` +@@ -79,7 +132,19 @@ optional_policy(` ') optional_policy(` 
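Review bot: The `tmpreaper_use_samba` block ends up duplicated in tmpreaper.te: after the added `++ ')`/`++')` closers and the new `tmpreaper_use_cifs` block, the hunk re-opens `optional_policy(`/`tunable_policy(`tmpreaper_use_samba'` with a second `samba_setattr_samba_share_dirs(tmpreaper_t)` so that the original closers still match, leaving the same tunable rule twice. The policy compiler accepts the repeat, but it is dead text that will mislead the next edit of this block. The `tmpreaper_use_cifs` block also appears to sit inside the enclosing `ifdef(`distro_redhat'` section (it is written at column 0 while the lines around it are indented), which would leave the boolean declared for every build in the hunk above yet only effective on Red Hat builds; if that is not intended, drop the re-opened samba lines and place `tunable_policy(`tmpreaper_use_cifs',` / `	fs_setattr_cifs_dirs(tmpreaper_t)` / `')` after the section's closing `')`. The opening line of that ifdef is outside this hunk, so the nesting is inferred from indentation.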
@@ -106805,7 +106824,7 @@ index 585a77f..9b0ab2b 100644 ') optional_policy(` -@@ -89,3 +135,8 @@ optional_policy(` +@@ -89,3 +154,8 @@ optional_policy(` optional_policy(` rpm_manage_cache(tmpreaper_t) ') @@ -109388,7 +109407,7 @@ index a4f20bc..58f9c69 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..65b5a0d 100644 +index facdee8..52ece13 100644 --- a/virt.if +++ b/virt.if @@ -1,318 +1,226 @@ @@ -110210,7 +110229,7 @@ index facdee8..65b5a0d 100644 ##

## ## -@@ -673,54 +534,454 @@ interface(`virt_home_filetrans',` +@@ -673,54 +534,472 @@ interface(`virt_home_filetrans',` ## ## # @@ -110580,6 +110599,24 @@ index facdee8..65b5a0d 100644 + can_exec($1, svirt_sandbox_file_t) +') + ++######################################## ++## ++## Allow any svirt_sandbox_file_t to be an entrypoint of this domain ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`virt_sandbox_entrypoint',` ++ gen_require(` ++ type svirt_sandbox_file_t; ++ ') ++ allow $1 svirt_sandbox_file_t:file entrypoint; ++') ++ +####################################### +## +## Read Sandbox Files @@ -110690,7 +110727,7 @@ index facdee8..65b5a0d 100644 ## ## ## -@@ -728,52 +989,80 @@ interface(`virt_manage_generic_virt_home_content',` +@@ -728,52 +1007,80 @@ interface(`virt_manage_generic_virt_home_content',` ## ## # @@ -110791,7 +110828,7 @@ index facdee8..65b5a0d 100644 ##
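Review bot: In `virt_sandbox_entrypoint` the `allow $1 svirt_sandbox_file_t:file entrypoint;` line follows the `gen_require` closer with no separating blank line, unlike the refpolicy layout used by `unconfined_typebounds` earlier in this commit; add the blank line. The summary should also say what the rule does and does not grant, because `entrypoint` alone never lets a process enter $1 — the caller still needs a process `transition` into $1 and `execute` on the file — so a second line such as `## Marks svirt_sandbox_file_t files as valid entry points only; the transition rule itself must be granted separately.` stops readers from reading it as an exec-into-domain grant. Since the unconfineduser.te hunk applies this to unconfined_t, naming that use in the description would help reviewers judge the rule.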
## ## -@@ -781,19 +1070,17 @@ interface(`virt_home_filetrans_virt_home',` +@@ -781,19 +1088,17 @@ interface(`virt_home_filetrans_virt_home',` ## ## # @@ -110815,7 +110852,7 @@ index facdee8..65b5a0d 100644 ##
## ## -@@ -801,18 +1088,17 @@ interface(`virt_read_pid_files',` +@@ -801,18 +1106,17 @@ interface(`virt_read_pid_files',` ## ## # @@ -110838,7 +110875,7 @@ index facdee8..65b5a0d 100644 ## ## ## -@@ -820,18 +1106,17 @@ interface(`virt_manage_pid_files',` +@@ -820,18 +1124,17 @@ interface(`virt_manage_pid_files',` ## ## # @@ -110861,7 +110898,7 @@ index facdee8..65b5a0d 100644 ## ## ## -@@ -839,20 +1124,17 @@ interface(`virt_search_lib',` +@@ -839,20 +1142,17 @@ interface(`virt_search_lib',` ## ## # @@ -110886,7 +110923,7 @@ index facdee8..65b5a0d 100644 ## ## ## -@@ -860,74 +1142,123 @@ interface(`virt_read_lib_files',` +@@ -860,74 +1160,123 @@ interface(`virt_read_lib_files',` ## ## # @@ -111034,7 +111071,7 @@ index facdee8..65b5a0d 100644 ## ## ## -@@ -935,117 +1266,134 @@ interface(`virt_read_log',` +@@ -935,117 +1284,134 @@ interface(`virt_read_log',` ## ## # @@ -111221,7 +111258,7 @@ index facdee8..65b5a0d 100644 ## ## ## -@@ -1053,15 +1401,17 @@ interface(`virt_rw_all_image_chr_files',` +@@ -1053,15 +1419,17 @@ interface(`virt_rw_all_image_chr_files',` ## ## # @@ -111244,7 +111281,7 @@ index facdee8..65b5a0d 100644 ## ## ## -@@ -1069,21 +1419,17 @@ interface(`virt_manage_svirt_cache',` +@@ -1069,21 +1437,17 @@ interface(`virt_manage_svirt_cache',` ## ## # @@ -111270,7 +111307,7 @@ index facdee8..65b5a0d 100644 ## ## ## -@@ -1091,36 +1437,36 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1455,36 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -111327,7 +111364,7 @@ index facdee8..65b5a0d 100644 ## ## ## -@@ -1136,50 +1482,76 @@ interface(`virt_manage_images',` +@@ -1136,50 +1500,76 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` diff --git a/selinux-policy.spec b/selinux-policy.spec index ee49a62e..17cfb8a1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 175%{?dist} +Release: 176%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -670,6 +670,21 @@ exit 0 %endif %changelog +* Thu Mar 03 2016 Lukas Vrabec 3.13.1-176 +- Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba. +- Merge pull request #105 from rhatdan/NO_NEW_PRIV +- Fix new rkt policy +- Remove some redundant rules. +- Fix cosmetic issues in interface file. +- Merge pull request #100 from rhatdan/rawhide-contrib +- Add interface fs_setattr_cifs_dirs(). +- Merge pull request #106 from rhatdan/NO_NEW_PRIV_BASE +- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS) +-Build file_contexts.bin file_context.local.bin file_context.homedir.bin during build phase. + This fix issue in Fedora live images when selinux-policy-targeted is not installed but just unpackaged, since there's no .bin files, + file_contexts is parsed in selabel_open(). +Resolves: rhbz#1314372 + * Fri Feb 26 2016 Lukas Vrabec 3.13.1-175 - Fix new rkt policy (Remove some redundant rules, Fix cosmetic issues in interface file) - Add policy for rkt services