From be9b0d1f26cd2db765adcbacf70f56e748311e26 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mon, 13 Jun 2016 16:38:21 +0200 Subject: [PATCH] * Mon Jun 13 2016 Lukas Vrabec 3.13.1-196 - Allow svirt_sandbox_domains to r/w onload sockets - Add filetrans rule that NetworkManager_t can create net_conf_t files in /etc. - Add interface sysnet_filetrans_named_net_conf() - Rawhide fails to boot, systemd-logind needs to config transient config files - User namespaces require create on process domains --- docker-selinux.tgz | Bin 4317 -> 4317 bytes policy-rawhide-base.patch | 185 +++++++++++++++++++++++++---------- policy-rawhide-contrib.patch | 38 +++---- selinux-policy.spec | 9 +- 4 files changed, 164 insertions(+), 68 deletions(-) 
diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 251805a4cd8272c1a31abed006e5fd8bb6103ba5..3a4a27210c62a25c7fd10d25b0c01b32639c4221 100644 GIT binary patch literal 4317 zcmV<35F+m%iwFR!#9mhb1MOVvkJ~m9&sY1e5RwAfJtX@|(f~=@!=b$o_u+uz+K&ZP zS)y%q^*WJSuP?~|elvWDqDVc~-eh}c0f}vK=0|ck8qN$yo0Rb_sV~y?v&Xxx;QIF4 zxA=Me{@s=N3D?cLH*elNyS{mU^Zwo2o11sn&#ta--d){13$7kMMt9@YCFe%+FwtVr>imQ5X#AgZb?jU$$pMG%(-i_(JB0Vy`{ zdGXz)Vp{^pw5!t_{8;?`p2Q6!LBiEANQ;1N^{=GNp~nl(bZKw}-&Ii^ z>iG{n?4Ni;5M^1pBT2x@fYnh!Q=EU8N}@X6hO4wV`{w$5xlq7i z6*1@(?^+1@Cp%vv)RAQ!gM6NrtZ~|-a-JsLI4U@0U#bVn@)zEb5@nXIf&@kxv$9SJ zogu}=kQAdhCX}NsW{6M90LC;b#Ji|Qx>k<7=ir;`9>E8gULcX-Ygmywr@*yNGeT9D zlA4SDn40>e#LLy^%Lvz{y_)Gj5&w%si78*ckY87_H4KT*jgMu%e7(B3;K-ucVP-YZ zqY9aBqnbP!G4s((6ttk7Am%Kk3>DZZWrH%VQ2>PE<5pBp5vr#!8)Zub&&Ldky_X}H73A(IBYDiS@r2Ar>qb+gj7zv(3xSqMXGlSd1xb;-CRvGIGe{)` zW#KJ>ycDxsxpgVPE3g#11lLC3*wLRcj1Tw`=#|&;-w=x&N+7o&`BSkj7ZvDFU7}*U z^ynyoO;jYou1#M?R)s=f=M^Wz8> zFAEqypFRJ zq%JW)FdJ~GxPY7}TyhE_yN^44tM%~quL1$1e*<8OH)SU^q%=Tx*6HSg6nDqL+m@8k z<3VvR_b6yJp=EY=f%82OP%HxO>=Fn}UkwHzjFLPpgsx*E*14GCNl+jcdMOVJ=*psy z!GyG0CHh}c0DJy@Kp7acoIeAEedW^yJ`^-qINlk@VN)I8ZU-}+;G;P>#(Mnn^N;P} zCw;Q(QpJ&@kfk#*2d=Y#C7q*5e1~lCiQ6{{);Pb}`K?uNdi|c4r{SRm0yzEA%&8yUd%rdC9 zm{EXZ+(O96s$2@qycy?}Q?}#W5k6zhM`BGCIO0>>iyBojDy+&ZjrUwFReUQ0T8K6a zrc(arM*B$o`|_v>iZE)}RvzVdvlP7LDU~zukxs53;neLzZcOu#N)iL6d+)HbFvpr4 zT2}HH7FSJvn(!Z9Sz@psBfo-TR5q3}p6_4d_G)+|U)|*phsij&5qCq$)3YUTnq&LW zLLr~1!^V|mrZ;UFhbn7edpV+KZ3B)s%r_#Ah3ll3dDdZ7Hbp|Y5y4ZA<5+WXP^01J z+VOT=)6jUt2IVsZ(8?b6ym#U*oTj67l=BlX|!ZyfdC*Y8gC-(TVqj((Vz z3B=N8LK|KM*B4h8SF>!?@9?e6j|Lc!G2US@!eV$QCQzM|!aImI`R(kY$g98isDp*GuB`_1qJiF`* zKj}*%l9xp&Orb)wi@ML3qCKR|>W?r@!gw1M8-lGlkDxT8rbKHvM7A_tCCP)g&ZK9A z{PL(VtobHJ74@?3B7E%M8=s{=^e~5KcpKfU`&p;e61j0)A-MS59I?9V%t2*m@l)KC z=Ot$yLW{diV2B>&Z$8w1j=_~B5qz0Cc{uAd_jq_$_94QV*=(y}UK#R$A0`8D>@%!s zhXsCGOi196y?ezR=?;^z?_aw4Z8{64laEr_0)6wWPi679r;OszknPW`7K=e2e)UyN zmnP0LZPG-+%12osOeWlq?q0BAHd^@R%w>9eefxWx8<$~Zc{L0Yxo8TYf4y} 
z1o>@ICP6`%NC)z75L)UA1Ae29c7Vy&0EyW&S8rhXRC={08SGCPrdM5*ZL)4dAY5a0 zH(Lk&)LELRjQ2?80jj50o#erTTqENnvPdotS2~z?(Y-kY!Q$$ntWDBm9p!1)@g`XD zC!RL6B1HoB)*r!{2HjcC+1pU`X;Rmcxhe~1^7bo1rvi+ghWUZ4GqGv&P-fVX`<*7l z0RX{CSUfa*gTH$`J8k@8L+Isyr;XjiZ0$Xsfh*=uIB>rW8SL6;PbitK$|=tlqQQhPcXO)P^9r(*Ja)sQZ#?lWXLz`?yspb9Acdy zLnnLJqwq*ja(W~n_}51F z_d?$ARERkojA79ZzJoAb!Kc7XQ1U4-M}U~H;Da#kMen??Ib+#<1!6;EI>;;!R*6rS z@)(3J$vY5d;%a$eT*ZGw2rk*`xo|1F*S}xKYAyOsKS^y=g`t*x`?HK>WiVm{wC#9} z&=!6cB$G#NA_K%v+zeY_l0fLVE9=`q8h-e{r!mW@gJOpm{&tuZjkhEjz{Y6PG*vR8 zg%!s9C?JYidIw6FnDCM)!PCtq;Z^q%PPEY8l$PprmZzy!M#ApA+eEh{%WOuRBu14y z@ZP}BI*mh!%ZY`e=qN;gfO)5B)Adx!IjETI^w9E=a`|FH)I+4wpIgSNAuvT3mw8@g zMl*C`Y)uj!KZ`>hb z|8`cEm7mFtC^u;})|5hwfZ}lP(@o`cea`#BZZbQ}k$$coP zN=V{uEZ`p{aZ{&8h~h%%4&3s5#0K2+PoSkK{B1SywGED63rV_K_8QvlPFGCFbm2W$ zoc`Ea3huMb^yT;;%Goxcm)WZ8v+=kP-7y^vu)Rs3+bfpe+xL~815bCzyj2d`)2igz z6lii|{G$RP>-N1w(*~YU>kfcDq;S)6hxqxf@cH=a>66`#Q`OSdEY!c$3)TjrI*syr z6PiGH$lfXegH%VBc%vUzwq!zNEu=jSC#A}~Pa?Dw)a6rcs&;MRJH8Dt>W3w(hN^4< zeig4envSC=1mSJlsNW(MMwGo{#Xqj1InKd%1vD%kx}=>=z(tft@ir|wo3E&!boH@L zYqEp2OWcEh=@m(%_n(dj?V~QZr(TFnGV0_O%*M9Fa~$(7t(hl|5N)>4&u@Aa-_;ya z*mGCqy%SnB_Ow%wsJz}Fky79e6<<-4^hK~PYxM6WSNr-zNX4kFVZPGEO?ouaBAFc- zUAz!f@K8h;YDgk1h)8*%sWBMahcyQv7uQiqA&yfP9pbjaw8dZW)s{7Ada-4*QH!Qt zt9RvKTnp~ zi!41)UZ2)TUv-?rNUcjATPgT!i*5Ml4e%T6ub+EP2#5!Z&O=)LX3DY|K_{DL4L>$WUpQ zD2$w4`((1sEP&E+sSC?Uis%ZmwkpZJTd4Omh7OQM-Y)Sr44)|-jOssTIvCn}^7L@z zfy1a#(D8$*@pBZt(6`+qAv<57>AVSGO=09%RUK6yWA2 zkNIN5@cSQEZ*JavYrp^T_WkMa|9_F|5;NnMzsZtK{vMV*0y&dAYx6<=VZ{1_d_ZNj zC&f2JE*n~3uF~RC0xTAG$Ics3>k|eMX|Do_L zzI3PLr|joKrZc9G-zb9bj^BxI&qMe3(C(I(VBjVA+2zGw&i}fY2BZsU1q$qGhSX;v zwQen+ze2igAh=@3K$4npx26(p7_1vCc4UQ!uya3jmSWS_V{4Iq!#|KUU1vtH(18Fj zdIT`}_p**R(@UYZbQWUIZ!&ZaC@!=6cov?lp*B%A4*>CL|0QPAW?`u~&ZV~PtN(y_ z$^TT>qoAT+b_8HR6QvWy2({;K|*XcT4r|We6Z(RQc L)-oW=0C)fZMIw0x literal 4317 zcmV<35F+m%iwFQ~fLT`n1MOVhkJ~m9&#V1c2uXqL9+KV7Zj%5>+ry!~hkH1nxc0Gt zDoeDjuD(vB*6R!MzuyeML{X$Z*4|`$X90Vh zB=*vcwf{-4<%<`=ceKg#sNVnZ>y`v%MT*z7Z0eW=4g19VLloq58NU?#> 
zi|;NK+Y&&gU7g~}Gg5IW(^FJJw>Tx>`Y z*5uz!S_8pyv0(d3jX7km)HecC3)#oz;^p~rxrob}#CZ}@64miGT&2a?H*e0D3k4ij z5racRrFx(&f8iY|QD*5XNMMvPE9;cd z8B$yfNim9JLOI%EhWMlmU`(Szyo+k2Yvss$4!(KQBlrN*3nVgp4J%UT6u8!DMyTpi zQghKCQ&XRmc)9v~8R5FLS2GSwurs&E?O7_r2NB(=H-=%CD zL_pOr5GhOJfX}$~(ZO~hU1S)ws!s2)6QultD`+9hQG_@O2R=rud@ALdTUH?vw8SwN z(VVUXZy0A0rJk;MTfeUrk=-S8`osU9L%fahkFxKdv%2w35lO9XS0pVqle%?06Uu%~ zi)o!tgg0t6wEmlG_;&;UzCEHN_47Y|dI~!M_dcpLnXwPlP2sUBfJ3LcsvM<%=eQvk zCH39m`Item_i_ZYg4{i2B#&7(o{;%y-DrxGaS69;Aa};nM2oxpM84|Mv76g{WjHjw%`?-5; zV1au@7R<@JH5BxR?YS*O#qJ7Dska^O2dYZ%4g+< ztGx?QZcr}3ZJ85$q2)Fu_dq@$&t`?~uY%{I;Q~0GpU*^~a3}1-;H}v>;1+9y*KwAD z)FlQ8W&^pWtHA(-QIe;H&~;42Iu}zs2@2#wFXdqYU0D<| zn2=VhME@%aV9&n~C)8d^88gSdU+R{;@s$ zq)&ETs(A9+AT63y_?WsX;x_kPLKrAFwPM=Ta&I~K2NaJQkDv?Wuvj^3!*?cNRVZ9H zFseY#k4F^z0ZyS~*#CJ#qfpNi*vGUki+q+R@CXaVM>s!fap#iM(hUSS*5(hpsN?RY ze^YELLmsk>FM?0t!qzawfTo)w%7j-JeEv8g2mx4baUHFy|KSXrm)*#;d6jyQSq9Y> zGYW8wTL>9hl}n+SH{-l=%66PP!e^}cNUW&>M|_HVQKL#mg;klQ@t&)tif?5=3(;o5 zRLcL{Xdj7xUmi6<5k?K$%A@>lmV&oDrE&&7(#iEBoVtC;jcFcINn*fs?;Um)=2(+M z%Ss-@;;P9{6aK?1OAPj7$x_fQDo3tOfKQCU0VC6xMVJkkw@%fr2hN;b-(`m?bX{;{r8u+grgtk zWdgDEnb3w;!JCV#i>p~SYWX7giNqN^{^%ovW3uE%AR#oCCl-}Ft00*A2k#}=Z3(zI zwNBGV+&-y10gvV()c^IzpM$EbnLf{`q^S|mXgF9?L@Pady}^Nnd=;#tj1riMWu9I3 zg`e~#5y{IU6sAxi+C|;xOVJ+EX7xvyCSkmdiVeZmoJUZaQB$Hd93oqqu9D=zTW8WU zLVkJF7}k6fql$XjcM(4J?~TvWA9|R>GrWy%*8Qy0YKh!9t`J;&ZjM;pb>^V5v-l}) z%JY)54xz=}CNM;g@;4u9KgZz8k_f&`ojja%ntMFFEBg@P%xt#RFs}@Gzz>swH})CU zw8H{FEhZ#z$lkqTj&z5~*!M5p{5G8h)5%AvY=ORc)~B-g+fznyXvp?wR*S`;55M}V zrb`p&nKo&nVCADM5GE7uNAlQFI(C#~>kr`ZM5{DQ**^Fb#M^RL1h*-eu{C@Hgf%5B zO@jQkD3hQdOr!((HwZ0tg#o`&M?1h|Ykv$ck z_!CbXT9G0Fd+U$jOoQ$$=j?4L`ZTF)$y}9%GkN=!pi==xPs98`)|uF}c_=gN$o)k>rr?lC^26mw2Tc#7kK4mQ?Rm_`uup`)0w76W9$?3$P3|~uxy@dO#Ex3 z`+Fg8cq+sk4#u!(2j4-MuHaK(CMfw7m?J<;Snxp@_o8>+*POBJz5=nKF&$)<2dl)V zOL+`Jm*gFYGjX-NFs|aiAq1Cf^<21=-Rs}4W3?82r=O%Ys=`pqzWrH7vN9Mk0@`-G zMraE^3zEsBHjx41CvJu(CY`=)exAXi_1K( zGIAes>3bM>2t8^3PD;=GJG4XdLc%G_r0HB>(ok@%GLnHNiJ)jTQ07X65`xX0NNU5P 
z$0fSm)MZokyOqttkD~iLON(2JKpy8t9X*Eooqju=QdZVzU+ZWW@)aRB1vni6k%pzxY9(YHH5n6r)_q5BOfsQ29gsam%}b=G z7K$omQwEZP8=`dGM{pEf)m7eg6wk#yG1QfP+ai7G23>b?W4zZY{P7{J#>n2U`qr&_sd^Y%VPi00GzpcuW z@h`Cds;{zC5xw!zG^qrZA1GwrpX`_KfxVhXCn_vIKG7jO{5tsV)$;F`N5oASv5c{<;L@a<1F>ag4Yhar$E{^O#9G zEUj_#J2e~O3*Ds^Jif)cbh$nMZU|)|e@C!$l4=mi0fsrK7g%M7U!^D<4wQq!>z*|Q zcS*t4^LmKRDPoVL_h9Q%tR;A$=H_BLYDNnT0}~0MwFYh8f!`+MnG}6_i`DI%%yVs5Ir*2uI{GP;rKYI4!L`zVz;5{{p3EB zR3#+wHWu)YlDMf;BSdi_bO&yEK4Jsz`6tlQ6#llF_}T`?uZ1LCEqe{^cBd<*W4iF3 zD^7oGEd}@4X8Lmc59Mqd(93Mq_1Sn_i0+t<2H4&t(Crn=@9q0a&w-~qWZo(V?P*o= zYzj2FG5%43kahcBqGIG{9QJqG4 zy$MYqJY;W`fI+GwOT5vKD_b%lvKG>whLcid-X{@S3hMHyHdVW}@EzX<81=)FRYO&_ z0KbY?9Zknk6oT-!ZPafO3nR+jvEm(4_(sECg38aCK+{d3ua?m;yI3am)6V^M~F7t=jS)QitlO; zDeSqc^4x>8sQtZ9O^ArZ8l~rwv-!xOJu0D zOB6=Vu6;7uW)?u{xYUJZBt>)uSzDFl-YwL78bb$2BX5^@8-~x64o3AKGaU@=J$ZUK z^1xx#DCqdX)c84yUg+EIk&vA)&~)Aeu%<9_tg4Qx4>KVdt7%74ri$)sm&X5JTtem- z>&JYtVfg)ztDEbacfG&=|L*kn|G&s}iJ9@s-(<-qe-BF@ft<;mwfP|bFk<~dKA^JN zlj0j9mkq5iS7~u60Tzqbucx8N*O3v$0(o7OcV*V(7~$HIt#JqHyJty6qnh3JPS|OP@5>52Y~pr{}Qulv#?Yg=Th7D)qg;| zjbe*o#b-GU1={jAf>vWy2({;N3H?IEz La8}YN0C)fZB*kw4 diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 337540a5..23edb1df 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -10226,7 +10226,7 @@ index 6a1e4d1..26e5558 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..7b76b77 100644 +index cf04cb5..b5fe8e5 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0) 
@@ -10379,7 +10379,14 @@ index cf04cb5..7b76b77 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +242,373 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -160,11 +236,379 @@ allow unconfined_domain_type domain:msg { send receive }; + + # For /proc/pid + allow unconfined_domain_type domain:dir list_dir_perms; +-allow unconfined_domain_type domain:file rw_file_perms; ++allow unconfined_domain_type domain:file manage_file_perms; + allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; + # act on all domains keys allow unconfined_domain_type domain:key *; @@ -35025,7 +35032,7 @@ index bc0ffc8..37b8ea5 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f6..e69fa39 100644 +index 79a45f6..cf6add7 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -35740,7 +35747,7 @@ index 79a45f6..e69fa39 100644 ## ## ## -@@ -1133,7 +1382,83 @@ interface(`init_getattr_all_script_files',` +@@ -1133,7 +1382,102 @@ interface(`init_getattr_all_script_files',` ## ## # @@ -35813,6 +35820,25 @@ index 79a45f6..e69fa39 100644 + +######################################## +## ++## Allow the specified domain to modify the systemd configuration of ++## transient scripts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_config_transient_files',` ++ gen_require(` ++ attribute init_var_run_t; ++ ') ++ ++ allow $1 init_var_run_t:service all_service_perms; ++') ++ ++######################################## ++## +## Read all init script files. +## +## 
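Review bot: The rewritten domain.te rule widens `allow unconfined_domain_type domain:file` from `rw_file_perms` to `manage_file_perms`, which adds create, unlink, link, rename and setattr, while the commit message names only `create` as what user namespaces need. If creation of /proc/pid entries is the only missing permission, `allow unconfined_domain_type domain:file { rw_file_perms create };` keeps the grant to what is stated; otherwise a comment such as `# user namespaces need create on process domains` next to the rule would record why the full set is used. The same rw-to-manage change appears in the later unconfined.if hunk (`allow $1 self:file manage_file_perms;`) and the userdomain.te hunk (`allow unpriv_userdomain self:file manage_file_perms;`), so the same narrowing or comment applies there.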
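Review bot: `init_config_transient_files` requires `attribute init_var_run_t;`, while the other interfaces added to init.if in this patch (init_pid_filetrans, init_named_pid_filetrans) require `type init_var_run_t;` and init.fc labels /var/run/systemd with it as a type; unless init_var_run_t is also declared as an attribute somewhere not shown, the gen_require should read `type init_var_run_t;`. The rule `allow $1 init_var_run_t:service all_service_perms;` also gives the caller (systemd_logind_t, per the systemd.te hunk) every service permission on all init_var_run_t units, which is broader than the "modify the configuration of transient scripts" the docstring describes; if logind only needs a subset, listing those permissions explicitly would be narrower. A comment in the interface body such as `# systemd-logind manages transient units under /run/systemd; required for rawhide to boot` would tie the grant to the failure it fixes.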
@@ -35825,7 +35851,7 @@ index 79a45f6..e69fa39 100644 gen_require(` attribute init_script_file_type; ') -@@ -1144,6 +1469,24 @@ interface(`init_read_all_script_files',` +@@ -1144,6 +1488,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -35850,7 +35876,7 @@ index 79a45f6..e69fa39 100644 ## Dontaudit read all init script files. ## ## -@@ -1195,12 +1538,7 @@ interface(`init_read_script_state',` +@@ -1195,12 +1557,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -35864,7 +35890,7 @@ index 79a45f6..e69fa39 100644 ') ######################################## -@@ -1314,6 +1652,24 @@ interface(`init_signal_script',` +@@ -1314,6 +1671,24 @@ interface(`init_signal_script',` ######################################## ## @@ -35889,7 +35915,7 @@ index 79a45f6..e69fa39 100644 ## Send null signals to init scripts. ## ## -@@ -1440,6 +1796,27 @@ interface(`init_dbus_send_script',` +@@ -1440,6 +1815,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -35917,7 +35943,7 @@ index 79a45f6..e69fa39 100644 ## init scripts over dbus. ## ## -@@ -1547,6 +1924,25 @@ interface(`init_getattr_script_status_files',` +@@ -1547,6 +1943,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -35943,7 +35969,7 @@ index 79a45f6..e69fa39 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1605,6 +2001,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1605,6 +2020,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -35968,7 +35994,7 @@ index 79a45f6..e69fa39 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1677,6 +2091,43 @@ interface(`init_read_utmp',` +@@ -1677,6 +2110,43 @@ interface(`init_read_utmp',` ######################################## ## 
@@ -36012,7 +36038,7 @@ index 79a45f6..e69fa39 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1765,7 +2216,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1765,7 +2235,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -36021,12 +36047,14 @@ index 79a45f6..e69fa39 100644 ') ######################################## -@@ -1806,6 +2257,133 @@ interface(`init_pid_filetrans_utmp',` +@@ -1806,37 +2276,672 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') +-######################################## +###################################### -+## + ## +-## Allow the specified domain to connect to daemon with a tcp socket +## Allow search directory in the /run/systemd directory. +## +## @@ -36085,8 +36113,8 @@ index 79a45f6..e69fa39 100644 +## Create objects in /run/systemd directory +## with an automatic type transition to +## a specified private type. -+## -+## + ## + ## +## +## Domain allowed access. +## @@ -36102,31 +36130,39 @@ index 79a45f6..e69fa39 100644 +## +## +## -+## + ## +-## Domain allowed access. +## The name of the object being created. -+## -+## -+# + ## + ## + # +-interface(`init_tcp_recvfrom_all_daemons',` +- gen_require(` +- attribute daemon; +- ') +interface(`init_pid_filetrans',` + gen_require(` + type init_var_run_t; + ') -+ + +- corenet_tcp_recvfrom_labeled($1, daemon) + files_search_pids($1) + filetrans_pattern($1, init_var_run_t, $2, $3, $4) -+') -+ + ') + +-######################################## +####################################### -+## + ## +-## Allow the specified domain to connect to daemon with a udp socket +## Create objects in /run/systemd directory +## with an automatic type transition to +## a specified private type. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## +## +## The type of the object to create. 
@@ -36142,23 +36178,53 @@ index 79a45f6..e69fa39 100644 +## The name of the object being created. +## +## -+# + # +-interface(`init_udp_recvfrom_all_daemons',` +interface(`init_named_pid_filetrans',` -+ gen_require(` + gen_require(` +- attribute daemon; + type init_var_run_t; -+ ') + ') +- corenet_udp_recvfrom_labeled($1, daemon) + + files_search_pids($1) + filetrans_pattern($1, init_var_run_t, $2, $3, $4) +') + - ######################################## - ## - ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1840,3 +2418,511 @@ interface(`init_udp_recvfrom_all_daemons',` - ') - corenet_udp_recvfrom_labeled($1, daemon) - ') ++######################################## ++## ++## Allow the specified domain to connect to daemon with a tcp socket ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_tcp_recvfrom_all_daemons',` ++ gen_require(` ++ attribute daemon; ++ ') ++ ++ corenet_tcp_recvfrom_labeled($1, daemon) ++') ++ ++######################################## ++## ++## Allow the specified domain to connect to daemon with a udp socket ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_udp_recvfrom_all_daemons',` ++ gen_require(` ++ attribute daemon; ++ ') ++ corenet_udp_recvfrom_labeled($1, daemon) ++') + +######################################## +## @@ -36666,7 +36732,7 @@ index 79a45f6..e69fa39 100644 + + files_search_var_lib($1) + allow $1 init_var_lib_t:dir search_dir_perms; -+') + ') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 17eda24..f09c5ae 100644 --- a/policy/modules/system/init.te @@ -45402,7 +45468,7 @@ index 40edc18..95f4458 100644 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) + diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 2cea692..bf86a31 100644 +index 2cea692..8edb742 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if 
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -45819,7 +45885,7 @@ index 2cea692..bf86a31 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -796,3 +1053,125 @@ interface(`sysnet_use_portmap',` +@@ -796,3 +1053,143 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -45945,6 +46011,24 @@ index 2cea692..bf86a31 100644 + + files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns") +') ++ ++######################################## ++## ++## Transition to sysnet ifconfig named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sysnet_filetrans_net_conf',` ++ gen_require(` ++ type net_conf_t; ++ ') ++ ++ files_etc_filetrans($1, net_conf_t, file) ++') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index a392fc4..155d5ce 100644 --- a/policy/modules/system/sysnetwork.te @@ -48142,10 +48226,10 @@ index 0000000..ebd6cc8 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..0be65c0 +index 0000000..8c07053 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,930 @@ +@@ -0,0 +1,931 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -48375,6 +48459,7 @@ index 0000000..0be65c0 +init_signal_script(systemd_logind_t) +init_getattr_script_status_files(systemd_logind_t) +init_read_utmp(systemd_logind_t) ++init_config_transient_files(systemd_logind_t) + +getty_systemctl(systemd_logind_t) + @@ -49674,7 +49759,7 @@ index 0abaf84..8b34dbc 100644 -/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if -index 5ca20a9..99a38b0 100644 +index 5ca20a9..5454d16 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -12,53 +12,57 @@ 
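Review bot: The docstring of the new `sysnet_filetrans_net_conf` interface says "Transition to sysnet ifconfig named content", but its body is `files_etc_filetrans($1, net_conf_t, file)`, an unnamed file transition in /etc to net_conf_t; a summary such as `## Create net_conf_t files in /etc with an automatic type transition.` matches what it grants. The commit message and the spec changelog refer to the interface as `sysnet_filetrans_named_net_conf()`, which is not the name added here, so one of the two should be aligned. Because no file name is passed, the transition applies to every file the caller creates directly in /etc; it is worth confirming that NetworkManager_t (the caller added in the networkmanager.te hunk) does not create other /etc files that should keep a different label.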
@@ -49701,7 +49786,8 @@ index 5ca20a9..99a38b0 100644 + allow $1 self:process { dyntransition transition }; # Write access is for setting attributes under /proc/self/attr. - allow $1 self:file rw_file_perms; +- allow $1 self:file rw_file_perms; ++ allow $1 self:file manage_file_perms; + allow $1 self:dir rw_dir_perms; # Userland object managers @@ -55573,7 +55659,7 @@ index 9dc60c6..595ad40 100644 + ') ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index f4ac38d..d7cbcec 100644 +index f4ac38d..1589d60 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1) @@ -55662,7 +55748,7 @@ index f4ac38d..d7cbcec 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +83,395 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +83,396 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -55729,6 +55815,7 @@ index f4ac38d..d7cbcec 100644 +# Nautilus causes this avc +domain_dontaudit_access_check(unpriv_userdomain) +dontaudit unpriv_userdomain self:dir setattr; ++allow unpriv_userdomain self:file manage_file_perms; +allow unpriv_userdomain self:key manage_key_perms; + +mount_dontaudit_write_mount_pid(unpriv_userdomain) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 0203074c..ff0837a3 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -58759,7 +58759,7 @@ index 86dc29d..7380935 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') 
diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..ab2d757 100644 +index 55f2009..debb78b 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -9,15 +9,18 @@ type NetworkManager_t; @@ -58965,7 +58965,7 @@ index 55f2009..ab2d757 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +205,36 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +205,37 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -58973,6 +58973,7 @@ index 55f2009..ab2d757 100644 sysnet_manage_config(NetworkManager_t) -sysnet_etc_filetrans_config(NetworkManager_t) +sysnet_filetrans_named_content(NetworkManager_t) ++sysnet_filetrans_net_conf(NetworkManager_t) -# certificates in user home directories (cert_home_t in ~/\.pki) -userdom_read_user_home_content_files(NetworkManager_t) @@ -59006,7 +59007,7 @@ index 55f2009..ab2d757 100644 ') optional_policy(` -@@ -196,10 +250,6 @@ optional_policy(` +@@ -196,10 +251,6 @@ optional_policy(` ') optional_policy(` @@ -59017,7 +59018,7 @@ index 55f2009..ab2d757 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,31 +260,34 @@ optional_policy(` +@@ -210,31 +261,34 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -59060,7 +59061,7 @@ index 55f2009..ab2d757 100644 ') optional_policy(` -@@ -246,10 +299,26 @@ optional_policy(` +@@ -246,10 +300,26 @@ optional_policy(` ') optional_policy(` @@ -59087,7 +59088,7 @@ index 55f2009..ab2d757 100644 ') optional_policy(` -@@ -257,15 +326,19 @@ optional_policy(` +@@ -257,15 +327,19 @@ optional_policy(` ') optional_policy(` @@ -59109,7 +59110,7 @@ index 55f2009..ab2d757 100644 ') optional_policy(` -@@ -274,10 +347,17 @@ optional_policy(` +@@ -274,10 +348,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) 
@@ -59127,7 +59128,7 @@ index 55f2009..ab2d757 100644 ') optional_policy(` -@@ -286,9 +366,12 @@ optional_policy(` +@@ -286,9 +367,12 @@ optional_policy(` openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) openvpn_signull(NetworkManager_t) @@ -59140,7 +59141,7 @@ index 55f2009..ab2d757 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +379,7 @@ optional_policy(` +@@ -296,7 +380,7 @@ optional_policy(` ') optional_policy(` @@ -59149,7 +59150,7 @@ index 55f2009..ab2d757 100644 ') optional_policy(` -@@ -307,6 +390,7 @@ optional_policy(` +@@ -307,6 +391,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -59157,7 +59158,7 @@ index 55f2009..ab2d757 100644 ') optional_policy(` -@@ -320,14 +404,21 @@ optional_policy(` +@@ -320,14 +405,21 @@ optional_policy(` ') optional_policy(` @@ -59184,7 +59185,7 @@ index 55f2009..ab2d757 100644 ') optional_policy(` -@@ -338,6 +429,13 @@ optional_policy(` +@@ -338,6 +430,13 @@ optional_policy(` vpn_relabelfrom_tun_socket(NetworkManager_t) ') @@ -59198,7 +59199,7 @@ index 55f2009..ab2d757 100644 ######################################## # # wpa_cli local policy -@@ -357,6 +455,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -357,6 +456,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -112661,7 +112662,7 @@ index facdee8..816d860 100644 + ps_process_pattern(virtd_t, $1) ') diff --git a/virt.te b/virt.te -index f03dcf5..5b78d90 100644 +index f03dcf5..8d090ad 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,402 @@ 
@@ -114235,7 +114236,7 @@ index f03dcf5..5b78d90 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1250,354 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1250,355 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -114300,6 +114301,7 @@ index f03dcf5..5b78d90 100644 +dev_dontaudit_mounton_sysfs(svirt_sandbox_domain) + +fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) ++fs_rw_onload_sockets(svirt_sandbox_domain) + +tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; @@ -114731,7 +114733,7 @@ index f03dcf5..5b78d90 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1610,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1611,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -114746,7 +114748,7 @@ index f03dcf5..5b78d90 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1628,7 @@ optional_policy(` +@@ -1192,7 +1629,7 @@ optional_policy(` ######################################## # @@ -114755,7 +114757,7 @@ index f03dcf5..5b78d90 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1637,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1638,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 12b56724..945fe287 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
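Review bot: `fs_rw_onload_sockets(svirt_sandbox_domain)` is granted unconditionally to every sandbox domain, and nothing in the hunk records why container domains need read/write on onload sockets or which workload requested it. A comment above the line, for example `# containers using onload-accelerated networking need r/w on onload sockets (see <bug id>)`, would document the reason, and if only some deployments need it, wrapping the call in a `tunable_policy` block would keep the default sandbox policy narrower. The enclosing svirt_sandbox_domain rule block continues outside the hunk.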
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 195%{?dist}
+Release: 196%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -647,6 +647,13 @@ exit 0
 %endif
 
 %changelog
+* Mon Jun 13 2016 Lukas Vrabec 3.13.1-196
+- Allow svirt_sandbox_domains to r/w onload sockets
+- Add filetrans rule that NetworkManager_t can create net_conf_t files in /etc.
+- Add interface sysnet_filetrans_named_net_conf()
+- Rawhide fails to boot, systemd-logind needs to config transient config files
+- User Namespace is requires create on process domains
+
 * Thu Jun 08 2016 Lukas Vrabec 3.13.1-195
 - Add hwloc-dump-hwdata SELinux policy
 - Add labels for mediawiki123