From cb674ac32fefdbdf71eeb480d6042cd2633e79cd Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Sun, 8 Jan 2017 22:35:48 +0100 Subject: [PATCH] * Sun Jan 08 2017 Lukas Vrabec - 3.13.1-233 -Allow thumb domain sendto via dgram sockets. BZ(1398813) - Add condor_procd_t domain sys_ptrace cap_userns BZ(1411077) - Allow cobbler domain to create netlink_audit sockets BZ(1384600) - Allow networkmanager to manage networkmanager_var_lib_t lnk files BZ(1408626) - Add dhcpd_t domain fowner capability BZ(1409963) - Allow thumb to create netlink_kobject_uevent sockets. BZ(1410942) - Fix broken interfaces - Allow setfiles_t domain rw inherited kdumpctl tmp pipes BZ(1356456) - Allow user_t run systemctl --user BZ(1401625) --- container-selinux.tgz | Bin 5426 -> 5425 bytes policy-rawhide-base.patch | 53 ++++++++++++--------- policy-rawhide-contrib.patch | 90 +++++++++++++++++++++-------------- selinux-policy.spec | 13 ++++- 4 files changed, 97 insertions(+), 59 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index efca37650e008069cc699157b4a6c8d0cfc98ce6..dfc4dfddfca1b37d2db01a56ef03caed2d1319bb 100644 GIT binary patch delta 4632 zcmV+z66fu*DzPemABzY8+plt100Zq^TW{Prmd>l|R|s(fu^Wl)IOz`H^vqz+TX;G7E6UF50ch#D( zYKl6|NeJ~ZoL8@ZU!8185mw~SCar*Wb#hWa?zJAMGWBc2LjoKK>yN9GSLdtMNnBPW z&XbUmsET*tIxWt=dwae*k=2F!sD@VIQ#+XHO?|#7!U~QsP{7$IJ4(opDI?@J7;#iE zO6MRP$nSr#IyH7@={iWD`EgxVlcWJ5f31n;2KpHYeE1sfNtIJ5xJffYWyOM;jmW|? z`>C;-O{lNQXv+jwlXUN7&XT|Mo1pfga4EMjWRge2K-IF-of21%# zd?0aeB?FPi>P+~A!14!f?njh^hfNfVWShZq1JnN_Dxz(FBY7HYEN4wSnrsvBhe$Vx zF}7fiDkY60_>@!uZ5&ak9cLIF;_|56{~07ENTqW92k@Jsfe~p#0kw37;}MJ8r}Zv~ zfUv27!*v=5toN<)0OAhmB25nNf2;Hk>p{w|IG{ab(TWgTVZcXIoOPw#FiFgrg2Fpy zT$)l9FB`^LM5(1J_HJ0$nuzL>DfQw1FN1QA{ExD~ysWFn)vGuCfyhNmo z^ES_o3&dq@Ym4B!YxwsL{=HvTKl|n1KRuD1gK07QG?}(W_e<;KZ$oOz^ zvyYPMZV?BRb07w;jj49`Bdtju*V!b`)5qbvrbuhX{&t`^b|MrlSrH$t6v-=+m8h%( zr&5?t>`fp(valG|P07LcAXx4bYzfCP*rQrYZtzE-W`?pzM@oqX1!4mezsl09lRZqa zs>BsA;y_!(%!-O6xUW)^e}bKp9Cog6zo_qlNBPtlWb-E|8W@K>;MkJ)6S&!DW)Sqa z*fBqyCt;A9A9|mpv zw@@e>65sU~NLFqgMYX-qLa{4z(w_rjQxuyn>!E#XM3UFROZDyo%Dp_Fjgyq|?R*dl zrNcps@aY^hQ1x}3H*uE2@Xkl#eOsU>1E${=^kp^;Z76JtN`&ko z?o=NCqz|2H`D+S$KJw-=04OdM z?Al?JoB+`X?0cZ!he#)Yd{tcycVCRDzAL~3g}ZFxqXvw1tkG;la&P@f0ac(N#Q@v zaItnC>gljLt>uWiT_Zz{A9P&vi>>iFR|PyxXyK;_K7)Z<0XG7gZi^`6re5&n<1}Xm zRK_H`nNT*&9TjjPXs&cJe`!p&)0)$J?Lac-WA)nNhh$7oYLWV{6_OiDWylzj@U5ds!!!a- zYaDnO`*{Esws+&`J*KOdj#hP}zc!`STviWKX+`B@SFOXn!{!Tdp_ol?mu-G{b~g(l zqW&Z8Dq6D~qYWD1n#%;H1c_Sl(V37q*aDFU6jn^xrINbO zPOiRp*~p&_IIp`KhV)*%cN+A1zckaP8=XDtydBOXf8_}4Hc?A1;CPH(X8)NnF`x@4 zlLchh27mI0SPrztvwry@u5|i!ky{@nZ>RX3b=~MNG&)7Qn9@ zeY3g?e?Bzwt#$NChgE3~&~7aq7rXRis)uJrgdx1ljOt>yiB&vFs(w5h78!zxIB6G4 z<^FIcJ-ZX7@ zlw_M5FngnQnx*w)@HvQg<$V#{rm)>^;2VH#Kq#rxB*<@zG6}G;%o)zUtlKmO1cLhx-Heo;waC#-p%F4=kx@bhPl9>v_{m^vCC6l9#!T{~J&E%NHC zMEi_=W$8e{7nRgEud`djgMYbQbz)6kBsM&A&Z8fg#yHuY;LEv}U}Fe3axwDbRImls zfGPH{O;zUYeui7mFkx$?nZ{fN(e{2`?VCSnSzN%&nPcBkZ>=xp&4r2Bljnvnepk2m 
znkhYK%ZxdY;i&IBULDMIU;IND@81WZQysGsc{bvhb*!@^GRsE<^<)aM`#Ut*^U>|t zan-)jP1LE&g!fI~lje0too``gR#|+UwaQ#qD$JcM9+;CShX>};c#~JV3)5$W1@XjP z({~oDrYy6~nv=tig573{9~1t1d3@99hT~MBolH1h1$dZXb=s3k3ycH{Qs0-8+6ze? zyh}xQB+DFd$T4&ivsl6wey!3tEXu^v1ic6)MUy}b9tqxiRw0YTWuEVoXAC`mve`S^ zB`CS!OdsY*ln0vRK&zsK`l5Z!PpJ#Dnswp!7bi zu6-coSBLd;rqtcqxR4cP90W#PPZ274l#&&bjt#@%{WMD ztW7o+m`(pTvM1%NnAbxcRI!bJ0cq+~Y!C_AL`_z6E9Jp9<@FML%G;nHDK4c%SU({@ z$8F)QAZCI--8gX#hnuQ>Znf~w`D@<8wS&SA@XB241}1Qs(GeC~3a9%T^UG$I#%tB@ z_#*HMda|U~)oGAD#QgXsrqfM{<|k1cq8p$}6M{O}Hcjxy9^>=yv%y~pAE}7wIoOWa6qo%uuBEp)24Y zC2>=wW-H!=+wHGiBj!qxODzSWrtl)GhzFT32h=zSb=@(g`lOBlIK^hdu0};D&PEpe z`j1cl2>z4m4onsIb^hQWk%9=2tes|rqTAzya^5uslS>a;VEcA{!FN2`H^tsa)(w@e zQT)oU&a)U({OklH+eJ|3V>XR&=n!*F&{r=XHw0*bQr6K1{>1* zd3w@GhqyiEZmji$%~Wx$PfgU8GH#Fe$$NKA&hZh4uwJa|r;hlwU8AKsF@llWrk!O5 zH4jfI8-LGquyb|j5*QlP!<>iU%kW+S*I~WE9X2Djyh^PQ2LY#+*P_(|!7<_3#c8d- z$?8!uoQ^iHLBAS>x5W^&uggvd6#Xv-`RdrpL<{V@V|$|8y4N%EcEeYg+DqUBiY4u> z@2&$D9`nnzsQfYa59%?*5o96rn{`(>a(Q(=CVxWZg?z2hw8<0M&c1MR1kJUE&pUg? 
zuK^l4fF;ho&Nz6amz;R&Ncq()aGK*-o$~6O)v@m9@)n+vWRmf#gk0}N^GX(icV>bt zREH}mzME8=0d%MpP$vM=ar-*Uo~6pysf&br};u!m2)5RSmJ2=kS(Jgtc z|BaB*MvBmyy(d-=Hh^}=?pkX~NjHZUHjCK7h77A1dcgETz4(FGq1llX*3SOfkOYQ(=#T2|sF z1wHO#h&w2ke>byK2^!bVjPK1UD1UW7XULca!e_efe|9*J?*VPZt_kVqj&n4#iT>f^!*A%;R4yOcp02`W{+0BiR zu+>dF)5I+U6mJN-Y-n|vrE63zE;-KS#rG#~-gu))6<%D6jHo71@u!Ivfq!17MT@r- zAgH2m5N;_vco#2;r>Oqxe=h&~du|6U%S`cybQWu|K#jRou{3N^-j!LClQ+{@p}!&c!Y;kFe$?vU%wryzWA9Nt7pBt@xIb}!Hc*j+6hek2dc!*e4$F7i4`b5fnB zn-@p=T*BwaAK&B8s}Db1>ObN0?&`z4A75O(yL|Wl^78tB>WAwWmsjtuFE3vNm&a<5 z{%L3(RYC9~yQ`u#iLG>F@Bg2ER_ z5AtYF{_>K4Q@#A_poUNEMG$3KaZi$a++eNOrRGG6~3?1ye8EqiplBksx@KN zNkdm1UL}ZA6F-@&sM9GxTr|H zPeMwfD&B?bG(Y|B>TGo)s|(AhhF0NIJDBNBeYV0A3XU*Pz}Y7|O305XBjh(2ag;NY zkpU9{RFkCvA%Dt5a|8Vh1U`HXOH%DA6x^g4p|WB@%|>M5nf=sQ%_h{>WVB_1t8xc& z{GTLBdhBLH`^_0$LBm)NS#xHw+d4;27&w1z7UBx)EAX7|qKZ5vuCoUD^PQ7>a6L` zoBI*v;9(QRBH3oJ+`#nzi1KLL-$JcMbpE z!N2#*>Sw?F`==+eb1*HYOp|H*2H3(Dfdf!tx+yq# z34-N5!Ip3wgFULXlbflDMP#`ui@vAJoIw@g_RRykq5eM2LW>%CZ!F`pQ z6o2eJ*~8BD?HBbu@Mu4E2HE@xiU!7EA8>5R`w86aGcyQ!-0UvPvVNSpg$F%+D?5XU z{>FyFWUC*Uc*M2PWvW~uJ=P}VuB<6?7GENx@TY;llJF+pRUuy>_aU@m87AY0n~SZ1 z$ai0j+4zm*^%Pd)XIPVi<*dLYwznHK)_P*j3S=L*F;WSP~a_aY1g*_IFA ztR&L8dI4w$x_*j0m;Mc(9J3sBd7aXXgO;TFTw( zW?9R}Fm|*-``0f&w-wN*JaT1|a0Mj+Vw08yAAc43ev-m}oZ({aJk--+by~|2b-PA} z8b9c`<`-MzbFK<_n$W^e5qt&%w*qbiG~MP=#!bE8%g1TX45*Arb~B-Dm^&)qLeO0Q z)-^F!UU>6*<&n!C0DLg8wA6%E`K?!R(S3u1ZM?KLPsTl4(np12Vc?*W&hoGYwG(#1D1S7-i#>z$0#r`e(5lC>fbMcl zHKl^vUvI_0_o~Q99F-TNoNt>uH>cR8`f)lQ0BdXFqoFm6JFL1np)HtvtkPnKC4Y_S zc3N|KuN_Fne5_tu{E&?4Ni9pdF#&X*pxZ^S1dWx2%?WHgL#D+-hJ9DO|g91NMe?(BW4*KGK?J6`OFwS!JH3X3uI5wQp8;!GDKFzO{}%>98uz z0otvl<6@VdO!e^8h%khgnNeNrHnEB)N!5?1!y-d45hv|psoWpVggsc!H8adk2L%m` zh8=6bUiR$c3O!gksoC$R{UTHM-FE+k6%}Ox-__w2w>M4O9VOZ32F%`Qon~qM7<>-m zU2&fWw<&D58~6rb8$e3xGzs>%d65LzSmq38-_~ia@<7>xD!K>EdIOLcr5LFgHftI0 zsz?TkRfh4dkwR@~WJ^FxuB&cr1ZuCcbf1&T2_Jvu0w_%~K$%j!ofOx>nn`Hd(30ed zt7Lx$>s>(;icJ_$1Dsw-v$C=>o-P_utYoIba6dF1ayb-icxY)h;%G*OC$cF;V@B8I 
zj&BYd&KVguB8MV%?BC-Su$Q1Vv&&p5F$Edtbk~m7Q;WR%D$zb;Us*a(@I@u{&Fk#e z@L+##SDjds7l{qeob%`hrZG;oC-`#aCD<6kja-cUI2CMxHDHQ8Y*Q8cc0a?dXPB@x z(oAEnf@pg`ulDU9w8+ol<;=0~sJGS^^X9@t?8$S(7r(39d(D&{v}MK|$Z*v69j^{% zx-b4AjQ8(@(5a4Di98!|%sSTD5t-#9f_h|y*!>-v?D^<+?6_**=qBpaWy1TW?@9Bz zqt3T5Gpooy&RS)zD;4HW77xtHlfwgZX}rm+-G%8h!h(3>uIW3ARa2JPX3fdrN5O70 z#g7Spy*$3@bi;9~&`u^CuL3+wuzJ;#OACwyb5h?IliLeP9jr@5cO=UkaL6%q6SG*t z7JjYLILwR0(geK-C3%xU3?2zCJ*$vK;$puqlV}V*f1)X!?GlvSaHfy@EX{B2v?4P* zvaLoS>9o<-Kw1|S?rc?bAF^241E|PJN^dRnEX0HIDW~*4t>c}UPMpu^vkUa~q`0?0 zi|c4)!kn3k5#jsB)}!{&5KbLd{hn?u)E#0F_2`xbYMXJ8(pZ~pEHIn?Z)8u(SuwAN zI;dhBe*@Cgsn{SAvWc3k=2pssZOZE<_>{LnKT=#uiLib`evaG1TS3eOeY$bt8V)yA z<=$%HpYhkchieCg9pJUO)(uSHBBLWLwiHgw8uQC$md0z<@Ax9{3VO1n*VU^adx-h* zO-!eo63tJdI7Bx#e_wE zK!H&uaZqAJD>D~TKDtSzln2gLitp4^9WrrMAZ931`_Sd^kCM2lQnM9r!tM6gt`T#k z$fcG7QImU-Rm6kLmjh}Xgu3pSQhid#0KCFx!mdU|D9%O}{Q8ei{|Nq*>kdp6%XAFSLa!bDSmc>k?kTU z5uXP9HU_+o0;i9qPtH3nRArdkl-iUL6a7AlcR*(=@!D4N2ISs7%#>ubqpz(@MFnM+ z_17r1%4X2o3g*nR&e4+w5I29Xf=yAOnJxg@n@U2;duZ>{8+BMp9S!f45o2yL#%?wV zUf%Xmc2n#ddb4d)g%tp~5}_+X&|^M+%Fd*kd+9J%4GlJ=_w)3mlMZov%H3G&37e_n zSf84xEoIyu@00iLnw;Y!4q?4m*H0bsYr95Ebz%e~wM{$A3~C;pQZ|2{>0syT&?PW5 zsE0WZ!I$B^0)QCsu{!0|Ijdvc&*d#VBgrJ=R|&b^jpmgs1n^h(zHVUA(m|R?1F@BfQ$QH!ktH`R9jA>^`fM=bujL&`hj8Ckgj339X8`aQb9|0M~wf;9kMjI(YpRP7`qod{n z#$#o{VoK6z>lJq$!@3oJ-K-&Z=#X+X>-C%9_x7GxJ=lL}Oa2i0pf2#!>Q95fue+Ih zhM=L0=gFMKP4A_82RdqHdDRQsxk7rqeMN;HG49!K)&@3+g1hc}*OSO)`6~ES1otF> zeX)V@KsAxDYqco(TN|X|(Ty(nSeV2oJi;3ApHL(Ih0>xDH!0|GA4A+hx%|7CrApAa zc4mBUPCwErkc~;wAAE z)qnlZ#eaX#?Vx3uDgKboVl5V^F}Es~hRut+B5U^K?Q~Y?*LZiJ@y{A9HD*)?TxLCW z*V5t~&}vw2jq}2q@tpTe*XP$c*TW36ZvHsj4K6M_s@Wj#JiIczs@%jMB7PIB!GSgHW7ygH@mgqQ&FP>#WHe0;x8-?B<$i+p$B}pZ~(nv<|f?+ z0aQB?OcBgk$_6~%xZm(Er%uvGM&Qte1$cBBJn<(~7h<8<0JxGzr-BY*G@2X(U`_3r zAOYC*Xgbh#9*&eG-`YNZ{ycx4KhK}%&-3T`^Za@KJb#`)&!43}{|EiM9>xHm000}L B9?Sp$ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index a9c04b39..148e1caa 100644 --- a/policy-rawhide-base.patch 
+++ b/policy-rawhide-base.patch @@ -27823,7 +27823,7 @@ index 3835596..fbca2be 100644 ######################################## ## diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index 6d77e81..656a8c4 100644 +index 6d77e81..20657b8 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -1,5 +1,12 @@ @@ -27839,7 +27839,7 @@ index 6d77e81..656a8c4 100644 # this module should be named user, but that is # a compile error since user is a keyword. -@@ -12,12 +19,98 @@ role user_r; +@@ -12,12 +19,103 @@ role user_r; userdom_unpriv_user_template(user) @@ -27927,6 +27927,11 @@ index 6d77e81..656a8c4 100644 +') + +optional_policy(` ++ systemd_read_unit_files(user_t) ++ systemd_exec_systemctl(user_t) ++') ++ ++optional_policy(` + sandbox_transition(user_t, user_r) +') + @@ -27939,29 +27944,29 @@ index 6d77e81..656a8c4 100644 ') optional_policy(` -@@ -25,11 +118,19 @@ optional_policy(` +@@ -25,11 +123,19 @@ optional_policy(` ') optional_policy(` - vlock_run(user_t, user_r) + setroubleshoot_dontaudit_stream_connect(user_t) -+') -+ + ') + +#optional_policy(` +# telepathy_dbus_session_role(user_r, user_t) +#') + -+optional_policy(` -+ usbmuxd_stream_connect(user_t) - ') - optional_policy(` - xserver_role(user_r, user_t) ++ usbmuxd_stream_connect(user_t) ++') ++ ++optional_policy(` + vlock_run(user_t, user_r) ') ifndef(`distro_redhat',` -@@ -102,10 +203,6 @@ ifndef(`distro_redhat',` +@@ -102,10 +208,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -27972,7 +27977,7 @@ index 6d77e81..656a8c4 100644 postgresql_role(user_r, user_t) ') -@@ -128,7 +225,6 @@ ifndef(`distro_redhat',` +@@ -128,7 +230,6 @@ ifndef(`distro_redhat',` optional_policy(` ssh_role_template(user, user_r, user_t) ') 
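Review bot: The new `optional_policy` block granting `systemd_read_unit_files(user_t)` and `systemd_exec_systemctl(user_t)` (inner hunk `@@ -12,12 +19,103 @@` of unprivuser.te) carries no comment, and the `systemctl --user` scope given in the changelog cannot be expressed by these rules: execute permission on the systemctl binary and read access to unit files cover system-wide invocations just as well, so whatever still keeps an unprivileged user from controlling system units lives outside this policy. A one-line why-comment would keep that visible, e.g. `# BZ(1401625): let users run systemctl --user; these rules do not narrow it to the user instance`. The same missing rationale applies to the rule additions for cobblerd, condor_procd, dhcpd, NetworkManager and thumb in policy-rawhide-contrib.patch, where the Bugzilla ids appear only in the spec changelog. The reshuffle of the `vlock_run`/`usbmuxd_stream_connect` blocks in the following hunk (`@@ -25,11 +123,19 @@`) is hard to verify in the collapsed text; the regenerated nested hunk is worth eyeballing for balanced `optional_policy(`/`')` pairs.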
@@ -27980,7 +27985,7 @@ index 6d77e81..656a8c4 100644 optional_policy(` su_role_template(user, user_r, user_t) ') -@@ -160,4 +256,24 @@ ifndef(`distro_redhat',` +@@ -160,4 +261,24 @@ ifndef(`distro_redhat',` optional_policy(` wireshark_role(user_r, user_t) ') @@ -45583,7 +45588,7 @@ index 3822072..d358162 100644 + allow semanage_t $1:dbus send_msg; +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index dc46420..9edcb69 100644 +index dc46420..8d4ed0f 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,16 @@ gen_require(` @@ -46001,9 +46006,9 @@ index dc46420..9edcb69 100644 -corecmd_exec_bin(semanage_t) - -dev_read_urand(semanage_t) - --domain_use_interactive_fds(semanage_t) - +-domain_use_interactive_fds(semanage_t) + -files_read_etc_files(semanage_t) -files_read_etc_runtime_files(semanage_t) -files_read_usr_files(semanage_t) @@ -46026,11 +46031,11 @@ index dc46420..9edcb69 100644 -auth_use_nsswitch(semanage_t) - -locallogin_use_fds(semanage_t) +- +-logging_send_syslog_msg(semanage_t) +# Admins are creating pp files in random locations +files_read_non_security_files(semanage_t) --logging_send_syslog_msg(semanage_t) -- -miscfiles_read_localization(semanage_t) - -seutil_libselinux_linked(semanage_t) @@ -46118,7 +46123,7 @@ index dc46420..9edcb69 100644 ') ######################################## -@@ -522,111 +597,197 @@ ifdef(`distro_ubuntu',` +@@ -522,111 +597,201 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # 
@@ -46197,23 +46202,27 @@ index dc46420..9edcb69 100644 +optional_policy(` + cloudform_dontaudit_write_cloud_log(setfiles_t) +') -+ + +-seutil_libselinux_linked(setfiles_t) +optional_policy(` + devicekit_dontaudit_read_pid_files(setfiles_t) + devicekit_dontaudit_rw_log(setfiles_t) +') --seutil_libselinux_linked(setfiles_t) +-userdom_use_all_users_fds(setfiles_t) +optional_policy(` + # pki is leaking + pki_dontaudit_write_log(setfiles_t) +') + +optional_policy(` ++ kdump_rw_inherited_kdumpctl_tmp_pipes(setfiles_t) ++') ++ ++optional_policy(` + xserver_append_xdm_tmp_files(setfiles_t) +') - --userdom_use_all_users_fds(setfiles_t) ++ +ifdef(`hide_broken_symptoms',` + + optional_policy(` diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 77d05001..924f8626 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -14958,10 +14958,18 @@ index c223f81..8b567c1 100644 - admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) ') diff --git a/cobbler.te b/cobbler.te -index 5f306dd..578b615 100644 +index 5f306dd..cf347c6 100644 --- a/cobbler.te +++ b/cobbler.te -@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) +@@ -67,6 +67,7 @@ dontaudit cobblerd_t self:capability sys_tty_config; + allow cobblerd_t self:process { getsched setsched signal }; + allow cobblerd_t self:fifo_file rw_fifo_file_perms; + allow cobblerd_t self:tcp_socket { accept listen }; ++allow cobblerd_t self:netlink_audit_socket create_socket_perms; + + allow cobblerd_t cobbler_etc_t:dir list_dir_perms; + allow cobblerd_t cobbler_etc_t:file read_file_perms; +@@ -81,6 +82,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir) 
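Review bot: `++allow cobblerd_t self:netlink_audit_socket create_socket_perms;` (inner hunk `@@ -67,6 +67,7 @@` of cobbler.te) grants the full create/bind/read/write set on the audit netlink socket without saying which cobblerd code path needs it. Sending user-space audit records over that socket is additionally gated by CAP_AUDIT_WRITE (the SELinux `audit_write` capability), which this hunk does not add to the domain's `self:capability` line, so if cobblerd really emits audit messages the next denial is already queued; if it only opens the socket during library initialisation, a narrower permission set or a dontaudit would be the least-privilege choice. A why-comment tied to the bug would settle which case applies, e.g. `# BZ(1384600): <why cobblerd needs an audit netlink socket>`.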
@@ -14969,7 +14977,7 @@ index 5f306dd..578b615 100644 append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) -@@ -89,7 +90,7 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) +@@ -89,7 +91,7 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) kernel_read_system_state(cobblerd_t) @@ -14978,7 +14986,7 @@ index 5f306dd..578b615 100644 corecmd_exec_bin(cobblerd_t) corecmd_exec_shell(cobblerd_t) -@@ -112,14 +113,13 @@ corenet_tcp_sendrecv_http_port(cobblerd_t) +@@ -112,14 +114,13 @@ corenet_tcp_sendrecv_http_port(cobblerd_t) corenet_tcp_connect_http_port(cobblerd_t) corenet_sendrecv_http_client_packets(cobblerd_t) @@ -14994,7 +15002,7 @@ index 5f306dd..578b615 100644 fs_getattr_all_fs(cobblerd_t) fs_read_iso9660_files(cobblerd_t) -@@ -128,6 +128,8 @@ selinux_get_enforce_mode(cobblerd_t) +@@ -128,6 +129,8 @@ selinux_get_enforce_mode(cobblerd_t) term_use_console(cobblerd_t) @@ -15003,7 +15011,7 @@ index 5f306dd..578b615 100644 logging_send_syslog_msg(cobblerd_t) miscfiles_read_localization(cobblerd_t) -@@ -160,6 +162,7 @@ tunable_policy(`cobbler_use_nfs',` +@@ -160,6 +163,7 @@ tunable_policy(`cobbler_use_nfs',` ') optional_policy(` @@ -15011,7 +15019,7 @@ index 5f306dd..578b615 100644 apache_search_sys_content(cobblerd_t) ') -@@ -170,6 +173,7 @@ optional_policy(` +@@ -170,6 +174,7 @@ optional_policy(` bind_domtrans(cobblerd_t) bind_initrc_domtrans(cobblerd_t) bind_manage_zone(cobblerd_t) @@ -15019,7 +15027,7 @@ index 5f306dd..578b615 100644 ') optional_policy(` -@@ -179,12 +183,22 @@ optional_policy(` +@@ -179,12 +184,22 @@ optional_policy(` optional_policy(` dhcpd_domtrans(cobblerd_t) dhcpd_initrc_domtrans(cobblerd_t) 
@@ -15042,7 +15050,7 @@ index 5f306dd..578b615 100644 ') optional_policy(` -@@ -192,13 +206,14 @@ optional_policy(` +@@ -192,13 +207,14 @@ optional_policy(` ') optional_policy(` @@ -16417,7 +16425,7 @@ index 881d92f..a2d588a 100644 + ') ') diff --git a/condor.te b/condor.te -index ce9f040..dc29445 100644 +index ce9f040..320d6e8 100644 --- a/condor.te +++ b/condor.te @@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t) @@ -16528,7 +16536,7 @@ index ce9f040..dc29445 100644 ##################################### # # Negotiator local policy -@@ -183,6 +200,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; +@@ -183,12 +200,15 @@ allow condor_negotiator_t self:capability { setuid setgid }; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:udp_socket getattr; @@ -16537,7 +16545,14 @@ index ce9f040..dc29445 100644 ###################################### # # Procd local policy -@@ -206,6 +225,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; + # + + allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace }; ++allow condor_procd_t self:cap_userns { sys_ptrace }; + + allow condor_procd_t condor_domain:process sigkill; + +@@ -206,6 +226,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; @@ -16546,7 +16561,7 @@ index ce9f040..dc29445 100644 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) -@@ -214,6 +235,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) +@@ -214,6 +236,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) 
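Review bot: `++allow condor_procd_t self:cap_userns { sys_ptrace };` (inner hunk `@@ -183,12 +200,15 @@` of condor.te) widens the ptrace capability the domain already holds on `self:capability` to user namespaces, and nothing in the hunk records which workload needed it. `cap_userns` is the class SELinux checks when a capability check is made against a non-initial user namespace, so this is the existing sys_ptrace grant extended to namespaced (typically containerised) jobs rather than a new kind of access; that is worth stating next to the rule, e.g. `# BZ(1411077): procd also ptraces jobs running inside user namespaces`. The rest of the rewritten nested hunk only adds context lines around the procd block; no other rule changes there.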
@@ -16555,7 +16570,7 @@ index ce9f040..dc29445 100644 ##################################### # # Startd local policy -@@ -238,11 +261,10 @@ domain_read_all_domains_state(condor_startd_t) +@@ -238,11 +262,10 @@ domain_read_all_domains_state(condor_startd_t) mcs_process_set_categories(condor_startd_t) init_domtrans_script(condor_startd_t) @@ -16568,7 +16583,7 @@ index ce9f040..dc29445 100644 optional_policy(` ssh_basic_client_template(condor_startd, condor_startd_t, system_r) ssh_domtrans(condor_startd_t) -@@ -254,3 +276,7 @@ optional_policy(` +@@ -254,3 +277,7 @@ optional_policy(` kerberos_use(condor_startd_ssh_t) ') ') @@ -24621,7 +24636,7 @@ index c697edb..954c090 100644 + allow $1 dhcpd_unit_file_t:service all_service_perms; ') diff --git a/dhcp.te b/dhcp.te -index 98a24b9..cb5795e 100644 +index 98a24b9..02c58ea 100644 --- a/dhcp.te +++ b/dhcp.te @@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t) @@ -24639,7 +24654,7 @@ index 98a24b9..cb5795e 100644 # -allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource }; -+allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw kill setgid setuid setpcap sys_resource }; ++allow dhcpd_t self:capability { chown dac_override fowner sys_chroot net_raw kill setgid setuid setpcap sys_resource }; dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; allow dhcpd_t self:process { getcap setcap signal_perms }; allow dhcpd_t self:fifo_file rw_fifo_file_perms; @@ -59439,7 +59454,7 @@ index 86dc29d..c7d9376 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..debb78b 100644 +index 55f2009..b073836 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -9,15 +9,18 @@ type NetworkManager_t; 
@@ -59530,7 +59545,7 @@ index 55f2009..debb78b 100644 manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file }) -@@ -68,30 +102,29 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ +@@ -68,30 +102,30 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) @@ -59542,7 +59557,8 @@ index 55f2009..debb78b 100644 manage_dirs_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) -files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, dir) -+files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, { dir file }) ++manage_lnk_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) ++files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, { dir file lnk_file }) manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) @@ -59565,7 +59581,7 @@ index 55f2009..debb78b 100644 corenet_all_recvfrom_netlabel(NetworkManager_t) corenet_tcp_sendrecv_generic_if(NetworkManager_t) corenet_udp_sendrecv_generic_if(NetworkManager_t) -@@ -102,36 +135,24 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) +@@ -102,36 +136,24 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) corenet_tcp_sendrecv_all_ports(NetworkManager_t) corenet_udp_sendrecv_all_ports(NetworkManager_t) corenet_udp_bind_generic_node(NetworkManager_t) 
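Review bot: `++files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, { dir file lnk_file })` together with the new `manage_lnk_files_pattern` line (inner hunk `@@ -68,30 +102,30 @@` of networkmanager.te) makes every symlink NetworkManager creates directly under /var/lib land in NetworkManager_var_lib_t, which the domain may then fully manage. If the symlink behind BZ(1408626) has a fixed name, the optional name argument of `files_var_lib_filetrans` (the same named form this patch already uses for `"wpa_supplicant.log"`) would scope the transition to that one entry instead of all lnk_file creation. A short why-comment naming the link would also help, e.g. `# BZ(1408626): NM creates <link name> under /var/lib`.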
@@ -59607,7 +59623,7 @@ index 55f2009..debb78b 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,18 +161,36 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,18 +162,36 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) @@ -59645,7 +59661,7 @@ index 55f2009..debb78b 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +205,37 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +206,37 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -59687,7 +59703,7 @@ index 55f2009..debb78b 100644 ') optional_policy(` -@@ -196,10 +251,6 @@ optional_policy(` +@@ -196,10 +252,6 @@ optional_policy(` ') optional_policy(` @@ -59698,7 +59714,7 @@ index 55f2009..debb78b 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,31 +261,34 @@ optional_policy(` +@@ -210,31 +262,34 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -59741,7 +59757,7 @@ index 55f2009..debb78b 100644 ') optional_policy(` -@@ -246,10 +300,26 @@ optional_policy(` +@@ -246,10 +301,26 @@ optional_policy(` ') optional_policy(` @@ -59768,7 +59784,7 @@ index 55f2009..debb78b 100644 ') optional_policy(` -@@ -257,15 +327,19 @@ optional_policy(` +@@ -257,15 +328,19 @@ optional_policy(` ') optional_policy(` @@ -59790,7 +59806,7 @@ index 55f2009..debb78b 100644 ') optional_policy(` -@@ -274,10 +348,17 @@ optional_policy(` +@@ -274,10 +349,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -59808,7 +59824,7 @@ index 55f2009..debb78b 100644 ') optional_policy(` -@@ -286,9 +367,12 @@ optional_policy(` +@@ -286,9 +368,12 @@ optional_policy(` openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) openvpn_signull(NetworkManager_t) 
@@ -59821,7 +59837,7 @@ index 55f2009..debb78b 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +380,7 @@ optional_policy(` +@@ -296,7 +381,7 @@ optional_policy(` ') optional_policy(` @@ -59830,7 +59846,7 @@ index 55f2009..debb78b 100644 ') optional_policy(` -@@ -307,6 +391,7 @@ optional_policy(` +@@ -307,6 +392,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -59838,7 +59854,7 @@ index 55f2009..debb78b 100644 ') optional_policy(` -@@ -320,14 +405,21 @@ optional_policy(` +@@ -320,14 +406,21 @@ optional_policy(` ') optional_policy(` @@ -59865,7 +59881,7 @@ index 55f2009..debb78b 100644 ') optional_policy(` -@@ -338,6 +430,13 @@ optional_policy(` +@@ -338,6 +431,13 @@ optional_policy(` vpn_relabelfrom_tun_socket(NetworkManager_t) ') @@ -59879,7 +59895,7 @@ index 55f2009..debb78b 100644 ######################################## # # wpa_cli local policy -@@ -357,6 +456,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -357,6 +457,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -108897,10 +108913,10 @@ index 0000000..9524b50 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..3f3a239 +index 0000000..ab916b7 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,165 @@ +@@ -0,0 +1,167 @@ +policy_module(thumb, 1.0.0) + +######################################## 
@@ -108940,6 +108956,7 @@ index 0000000..3f3a239 +allow thumb_t self:fifo_file manage_fifo_file_perms; +allow thumb_t self:unix_stream_socket create_stream_socket_perms; +allow thumb_t self:netlink_route_socket r_netlink_socket_perms; ++allow thumb_t self:netlink_kobject_uevent_socket create_socket_perms; +allow thumb_t self:udp_socket create_socket_perms; +allow thumb_t self:tcp_socket create_socket_perms; +allow thumb_t self:shm create_shm_perms; @@ -108967,6 +108984,7 @@ index 0000000..3f3a239 +can_exec(thumb_t, thumb_exec_t) + +kernel_read_system_state(thumb_t) ++kernel_dgram_send(thumb_t) + +corecmd_exec_bin(thumb_t) +corecmd_exec_shell(thumb_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 569f257d..88f81d60 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 232%{?dist} +Release: 233%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -675,6 +675,17 @@ exit 0 %endif %changelog +* Sun Jan 08 2017 Lukas Vrabec - 3.13.1-233 +-Allow thumb domain sendto via dgram sockets. BZ(1398813) +- Add condor_procd_t domain sys_ptrace cap_userns BZ(1411077) +- Allow cobbler domain to create netlink_audit sockets BZ(1384600) +- Allow networkmanager to manage networkmanager_var_lib_t lnk files BZ(1408626) +- Add dhcpd_t domain fowner capability BZ(1409963) +- Allow thumb to create netlink_kobject_uevent sockets. BZ(1410942) +- Fix broken interfaces +- Allow setfiles_t domain rw inherited kdumpctl tmp pipes BZ(1356456) +- Allow user_t run systemctl --user BZ(1401625) + * Fri Jan 06 2017 Lukas Vrabec - 3.13.1-232 - Add tlp_var_lib_t label for /var/lib/tlp directory BZ(1409977) - Allow tlp_t domain to read proc_net_t BZ(1403487)
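Review bot: `++allow thumb_t self:netlink_kobject_uevent_socket create_socket_perms;` (inner hunk at `@@ -108940`) grants the full socket permission set, including `write`, on a uevent socket; if thumb_t only listens for device events, the AVC from BZ(1410942) should show the exact permissions and the rule can be trimmed to them. `++kernel_dgram_send(thumb_t)` in the next hunk (`@@ -108967`) likewise widens what the thumbnailer may send to kernel_t without a comment, so each of these two rules deserves a why-comment, e.g. `# BZ(1398813): <what thumb_t sends to kernel_t over a unix dgram socket>`. Both lines sit inside the new-file hunk of thumb.te, whose start and end are outside these two hunks.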