* Mon Oct 09 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-294

- Allow cloud-init to create content in /var/run/cloud-init - Dontaudit VM to read gnome-boxes process data BZ(1415975) - Allow winbind_t domain mmap samba_var_t files - Allow cupsd_t to execute ld_so_cache_t BZ(1478602) - Update dev_rw_xserver_misc() interface to allo source domains to mmap xserver devices BZ(1334035) - Add dac_override capability to groupadd_t domain BZ(1497091) - Allow unconfined_service_t to start containers
2017-10-09 10:09:01 +02:00 · 2017-10-09 10:09:01 +02:00 · f2424e7390
parent 918bddec38
commit f2424e7390
4 changed files with 103 additions and 66 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -3190,7 +3190,7 @@ index 99e3903ea..fa68362ea 100644
 ## </summary>
 ## <param name="domain">
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1d732f1e7..fc127e1d7 100644
+index 1d732f1e7..d3c0b2d97 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t;
@ -3317,7 +3317,7 @@ index 1d732f1e7..fc127e1d7 100644
 #
 -allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
-+allow groupadd_t self:capability { dac_read_search  chown kill setuid sys_resource audit_write };
+allow groupadd_t self:capability { dac_read_search dac_override chown kill setuid sys_resource audit_write };
 dontaudit groupadd_t self:capability { fsetid sys_tty_config };
 allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow groupadd_t self:process { setrlimit setfscreate };
@ -6872,7 +6872,7 @@ index b31c05491..b15a7aa05 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285ea6..8c3bbb82c 100644
+index 76f285ea6..f0bb3da0c 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@ -9910,7 +9910,7 @@ index 76f285ea6..8c3bbb82c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4511,35 +5938,35 @@ interface(`dev_dontaudit_setattr_video_dev',`
+@@ -4511,35 +5938,36 @@ interface(`dev_dontaudit_setattr_video_dev',`
 ##	</summary>
 ## </param>
 #
@ -9923,6 +9923,7 @@ index 76f285ea6..8c3bbb82c 100644
 -	read_chr_files_pattern($1, device_t, v4l_device_t)
 +	rw_chr_files_pattern($1, device_t, xserver_misc_device_t)
 +	allow $1 xserver_misc_device_t:chr_file map;
 ')
 ########################################
@ -9955,7 +9956,7 @@ index 76f285ea6..8c3bbb82c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4547,17 +5974,19 @@ interface(`dev_write_video_dev',`
+@@ -4547,17 +5975,19 @@ interface(`dev_write_video_dev',`
 ##	</summary>
 ## </param>
 #
@ -9979,7 +9980,7 @@ index 76f285ea6..8c3bbb82c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4565,17 +5994,17 @@ interface(`dev_rw_vhost',`
+@@ -4565,17 +5995,17 @@ interface(`dev_rw_vhost',`
 ##	</summary>
 ## </param>
 #
@ -10001,7 +10002,7 @@ index 76f285ea6..8c3bbb82c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4583,18 +6012,18 @@ interface(`dev_rw_vmware',`
+@@ -4583,18 +6013,18 @@ interface(`dev_rw_vmware',`
 ##	</summary>
 ## </param>
 #
@ -10025,7 +10026,7 @@ index 76f285ea6..8c3bbb82c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4602,17 +6031,18 @@ interface(`dev_rwx_vmware',`
+@@ -4602,17 +6032,18 @@ interface(`dev_rwx_vmware',`
 ##	</summary>
 ## </param>
 #
@ -10048,7 +10049,7 @@ index 76f285ea6..8c3bbb82c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4620,17 +6050,17 @@ interface(`dev_read_watchdog',`
+@@ -4620,17 +6051,17 @@ interface(`dev_read_watchdog',`
 ##	</summary>
 ## </param>
 #
@ -10070,7 +10071,7 @@ index 76f285ea6..8c3bbb82c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4638,35 +6068,36 @@ interface(`dev_write_watchdog',`
+@@ -4638,35 +6069,36 @@ interface(`dev_write_watchdog',`
 ##	</summary>
 ## </param>
 #
@ -10116,7 +10117,7 @@ index 76f285ea6..8c3bbb82c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4674,41 +6105,35 @@ interface(`dev_rw_xen',`
+@@ -4674,41 +6106,35 @@ interface(`dev_rw_xen',`
 ##	</summary>
 ## </param>
 #
@ -10166,7 +10167,7 @@ index 76f285ea6..8c3bbb82c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4716,17 +6141,17 @@ interface(`dev_filetrans_xen',`
+@@ -4716,17 +6142,17 @@ interface(`dev_filetrans_xen',`
 ##	</summary>
 ## </param>
 #
@ -10188,7 +10189,7 @@ index 76f285ea6..8c3bbb82c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4734,17 +6159,18 @@ interface(`dev_getattr_xserver_misc_dev',`
+@@ -4734,17 +6160,18 @@ interface(`dev_getattr_xserver_misc_dev',`
 ##	</summary>
 ## </param>
 #
@ -10211,7 +10212,7 @@ index 76f285ea6..8c3bbb82c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4752,17 +6178,17 @@ interface(`dev_setattr_xserver_misc_dev',`
+@@ -4752,17 +6179,17 @@ interface(`dev_setattr_xserver_misc_dev',`
 ##	</summary>
 ## </param>
 #
@ -10233,7 +10234,7 @@ index 76f285ea6..8c3bbb82c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4770,17 +6196,17 @@ interface(`dev_rw_xserver_misc',`
+@@ -4770,17 +6197,17 @@ interface(`dev_rw_xserver_misc',`
 ##	</summary>
 ## </param>
 #
@ -10255,7 +10256,7 @@ index 76f285ea6..8c3bbb82c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4788,18 +6214,17 @@ interface(`dev_rw_zero',`
+@@ -4788,18 +6215,17 @@ interface(`dev_rw_zero',`
 ##	</summary>
 ## </param>
 #
@ -10278,7 +10279,7 @@ index 76f285ea6..8c3bbb82c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4807,47 +6232,911 @@ interface(`dev_rwx_zero',`
+@@ -4807,47 +6233,911 @@ interface(`dev_rwx_zero',`
 ##	</summary>
 ## </param>
 #
@ -26637,10 +26638,10 @@ index 000000000..d9efb902a
 +#/usr/sbin/xrdp-sesman   --  gen_context(system_u:object_r:unconfined_exec_t,s0)
 diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
 new file mode 100644
-index 000000000..f73028658
+index 000000000..bb9082586
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.if
-@@ -0,0 +1,745 @@
+@@ -0,0 +1,763 @@
 +## <summary>Unconfined user role</summary>
 +
 +########################################
@ -27102,6 +27103,24 @@ index 000000000..f73028658
 +
 +########################################
 +## <summary>
 +##	Dontaudit read process information for unconfined process.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`unconfined_dontaudit_read_state',`
 +	gen_require(`
 +		type unconfined_t;
 +	')
 +
 +	dontaudit $1 unconfined_t:dir list_dir_perms;
 +')
 +
 +########################################
 +## <summary>
 +##	Write keys for the unconfined domain.
 +## </summary>
 +## <param name="domain">
@ -52298,10 +52317,10 @@ index 5ca20a97d..5454d1668 100644
 +	allow $1 unconfined_service_t:process signull;
 ')
 diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 5fe902db3..b31eeba97 100644
+index 5fe902db3..0a7c3bb00 100644
 --- a/policy/modules/system/unconfined.te
 +++ b/policy/modules/system/unconfined.te
-@@ -1,207 +1,32 @@
+@@ -1,207 +1,33 @@
 -policy_module(unconfined, 3.5.1)
 +policy_module(unconfined, 3.5.0)
@ -52521,6 +52540,7 @@ index 5fe902db3..b31eeba97 100644
 -optional_policy(`
 -	unconfined_dbus_chat(unconfined_execmem_t)
 +	virt_transition_svirt(unconfined_service_t, system_r)
 +	virt_transition_svirt_sandbox(unconfined_service_t, system_r)
 ')
 diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
 index db7597682..c54480a1d 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -14708,10 +14708,10 @@ index 4a5b3d1a5..cd146bd5a 100644
 ')
 diff --git a/cloudform.fc b/cloudform.fc
 new file mode 100644
-index 000000000..3849f134a
+index 000000000..e07f85124
 --- /dev/null
 +++ b/cloudform.fc
-@@ -0,0 +1,21 @@
+@@ -0,0 +1,22 @@
 +/etc/rc\.d/init\.d/iwhd --      gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
 +
 +/usr/bin/cloud-init     --      gen_context(system_u:object_r:cloud_init_exec_t,s0)
@ -14719,6 +14719,7 @@ index 000000000..3849f134a
 +/usr/libexec/min-cloud-agent    --  gen_context(system_u:object_r:cloud_init_exec_t,s0)
 +/usr/bin/deltacloudd    --	gen_context(system_u:object_r:deltacloudd_exec_t,s0)
 +/usr/bin/iwhd           --      gen_context(system_u:object_r:iwhd_exec_t,s0)
 +/usr/lib/systemd/system-generators/cloud-init.* gen_context(system_u:object_r:cloud_init_exec_t,s0)
 +
 +/usr/lib/systemd/system/cloud-config.* --  gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
 +
@ -14857,10 +14858,10 @@ index 000000000..55fe0d668
 +')
 diff --git a/cloudform.te b/cloudform.te
 new file mode 100644
-index 000000000..0763656a0
+index 000000000..2f19544f0
 --- /dev/null
 +++ b/cloudform.te
-@@ -0,0 +1,250 @@
+@@ -0,0 +1,251 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@ -15021,6 +15022,7 @@ index 000000000..0763656a0
 +    sysnet_domtrans_ifconfig(cloud_init_t)
 +    sysnet_read_dhcpc_state(cloud_init_t)
 +    sysnet_dns_name_resolve(cloud_init_t)
 +    sysnet_filetrans_cloud_net_conf(cloud_init_t)
 +')
 +
 +optional_policy(`
@ -97227,7 +97229,7 @@ index 50d07fb2e..a34db489c 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
 ')
 diff --git a/samba.te b/samba.te
-index 2b7c441e7..6d5786b06 100644
+index 2b7c441e7..0ad80a509 100644
 --- a/samba.te
 +++ b/samba.te
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@ -98368,9 +98370,11 @@ index 2b7c441e7..6d5786b06 100644
 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
 manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -871,40 +971,44 @@ manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
+@@ -870,41 +970,46 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
 manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t)
 files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
 +allow winbind_t samba_var_t:file { map } ;
 -rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
 +manage_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@ -98425,7 +98429,7 @@ index 2b7c441e7..6d5786b06 100644
 corenet_tcp_connect_smbd_port(winbind_t)
 corenet_tcp_connect_epmap_port(winbind_t)
 corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,38 +1016,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,38 +1017,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
 dev_read_sysfs(winbind_t)
 dev_read_urand(winbind_t)
@ -98484,7 +98488,7 @@ index 2b7c441e7..6d5786b06 100644
 ')
 optional_policy(`
-@@ -959,31 +1077,36 @@ optional_policy(`
+@@ -959,31 +1078,36 @@ optional_policy(`
 # Winbind helper local policy
 #
@ -98528,7 +98532,7 @@ index 2b7c441e7..6d5786b06 100644
 optional_policy(`
 	apache_append_log(winbind_helper_t)
-@@ -997,25 +1120,38 @@ optional_policy(`
+@@ -997,25 +1121,38 @@ optional_policy(`
 ########################################
 #
@ -117249,7 +117253,7 @@ index facdee8b3..2a619ba9e 100644
 +	dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf567..844aa6e9e 100644
+index f03dcf567..c7a95a908 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,451 +1,424 @@
@ -117418,30 +117422,36 @@ index f03dcf567..844aa6e9e 100644
 +## </p>
 +## </desc>
 +gen_tunable(virt_use_usb, true)
- 
+
 -attribute svirt_lxc_domain;
 +## <desc>
 +## <p>
 +## Allow confined virtual guests to use smartcards
 +## </p>
 +## </desc>
 +gen_tunable(virt_use_pcscd, false)
-+
+ 
 -attribute svirt_lxc_domain;
 +## <desc>
 +## <p>
 +## Allow sandbox containers to send audit messages
-+
+ 
 -attribute_role virt_domain_roles;
 -roleattribute system_r virt_domain_roles;
 +## </p>
 +## </desc>
 +gen_tunable(virt_sandbox_use_audit, true)
-+
+ 
 -attribute_role virt_bridgehelper_roles;
 -roleattribute system_r virt_bridgehelper_roles;
 +## <desc>
 +## <p>
 +## Allow sandbox containers to use netlink system calls
 +## </p>
 +## </desc>
 +gen_tunable(virt_sandbox_use_netlink, false)
-+
+ 
 -attribute_role svirt_lxc_domain_roles;
 -roleattribute system_r svirt_lxc_domain_roles;
 +## <desc>
 +## <p>
 +## Allow sandbox containers to use sys_admin system calls, for example mount
@ -117455,27 +117465,21 @@ index f03dcf567..844aa6e9e 100644
 +## </p>
 +## </desc>
 +gen_tunable(virt_sandbox_use_mknod, false)
- 
+
 -attribute_role virt_domain_roles;
 -roleattribute system_r virt_domain_roles;
 +## <desc>
 +## <p>
 +## Allow sandbox containers to use all capabilities
 +## </p>
 +## </desc>
 +gen_tunable(virt_sandbox_use_all_caps, true)
- 
+
 -attribute_role virt_bridgehelper_roles;
 -roleattribute system_r virt_bridgehelper_roles;
 +## <desc>
 +## <p>
 +## Allow qemu-ga to read qemu-ga date.
 +## </p>
 +## </desc>
 +gen_tunable(virt_read_qemu_ga_data, false)
- 
+
 -attribute_role svirt_lxc_domain_roles;
 -roleattribute system_r svirt_lxc_domain_roles;
 +## <desc>
 +## <p>
 +## Allow qemu-ga to manage qemu-ga date.
@ -117490,10 +117494,10 @@ index f03dcf567..844aa6e9e 100644
 +
 +virt_domain_template(svirt_tcg)
 +role system_r types svirt_tcg_t;
 +
 +type qemu_exec_t, virt_file_type;
 -type virt_cache_t alias svirt_cache_t;
 +type qemu_exec_t, virt_file_type;
 +
 +type virt_cache_t alias svirt_cache_t, virt_file_type;
 files_type(virt_cache_t)
@ -117862,10 +117866,10 @@ index f03dcf567..844aa6e9e 100644
 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
 -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
 -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
 -
 -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
 +allow svirt_t self:process ptrace;
 -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
 -
 -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
 +# it was a part of auth_use_nsswitch
 +allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
@ -118041,20 +118045,20 @@ index f03dcf567..844aa6e9e 100644
 -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 -
 -stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
 -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
 +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
 +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
-can_exec(virtd_t, virt_tmp_t)
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
 -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 +# libvirtd is permitted to talk to virtlogd
 +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t)
 +allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;
 -can_exec(virtd_t, virt_tmp_t)
 -
 -kernel_read_crypto_sysctls(virtd_t)
 kernel_read_system_state(virtd_t)
 kernel_read_network_state(virtd_t)
@ -118214,7 +118218,7 @@ index f03dcf567..844aa6e9e 100644
 ')
 optional_policy(`
-@@ -691,99 +653,441 @@ optional_policy(`
+@@ -691,99 +653,445 @@ optional_policy(`
 	dnsmasq_kill(virtd_t)
 	dnsmasq_signull(virtd_t)
 	dnsmasq_create_pid_dirs(virtd_t)
@ -118540,6 +118544,10 @@ index f03dcf567..844aa6e9e 100644
 +')
 +
 +optional_policy(`
 +    unconfined_dontaudit_read_state(virt_domain)
 +')
 +
 +optional_policy(`
 +	xserver_rw_shm(virt_domain)
 +')
 +
@ -118707,7 +118715,7 @@ index f03dcf567..844aa6e9e 100644
 kernel_read_system_state(virsh_t)
 kernel_read_network_state(virsh_t)
 kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1098,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1102,18 @@ kernel_write_xen_state(virsh_t)
 corecmd_exec_bin(virsh_t)
 corecmd_exec_shell(virsh_t)
@ -118734,7 +118742,7 @@ index f03dcf567..844aa6e9e 100644
 fs_getattr_all_fs(virsh_t)
 fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1118,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1122,25 @@ fs_search_auto_mountpoints(virsh_t)
 storage_raw_read_fixed_disk(virsh_t)
@ -118768,7 +118776,7 @@ index f03dcf567..844aa6e9e 100644
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1155,20 @@ optional_policy(`
+@@ -856,14 +1159,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -118790,7 +118798,7 @@ index f03dcf567..844aa6e9e 100644
 	xen_stream_connect(virsh_t)
 	xen_stream_connect_xenstore(virsh_t)
 ')
-@@ -888,49 +1193,66 @@ optional_policy(`
+@@ -888,49 +1197,66 @@ optional_policy(`
 	kernel_read_xen_state(virsh_ssh_t)
 	kernel_write_xen_state(virsh_ssh_t)
@ -118875,7 +118883,7 @@ index f03dcf567..844aa6e9e 100644
 corecmd_exec_bin(virtd_lxc_t)
 corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1264,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1268,16 @@ dev_read_urand(virtd_lxc_t)
 domain_use_interactive_fds(virtd_lxc_t)
@ -118895,7 +118903,7 @@ index f03dcf567..844aa6e9e 100644
 fs_getattr_all_fs(virtd_lxc_t)
 fs_manage_tmpfs_dirs(virtd_lxc_t)
 fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,15 +1285,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,15 +1289,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
 fs_unmount_all_fs(virtd_lxc_t)
 fs_relabelfrom_tmpfs(virtd_lxc_t)
@ -118914,7 +118922,7 @@ index f03dcf567..844aa6e9e 100644
 term_use_generic_ptys(virtd_lxc_t)
 term_use_ptmx(virtd_lxc_t)
-@@ -982,186 +1299,307 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -982,186 +1303,307 @@ auth_use_nsswitch(virtd_lxc_t)
 logging_send_syslog_msg(virtd_lxc_t)
@ -119351,7 +119359,7 @@ index f03dcf567..844aa6e9e 100644
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1612,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1616,12 @@ dev_read_sysfs(virt_qmf_t)
 dev_read_rand(virt_qmf_t)
 dev_read_urand(virt_qmf_t)
@ -119366,7 +119374,7 @@ index f03dcf567..844aa6e9e 100644
 sysnet_read_config(virt_qmf_t)
 optional_policy(`
-@@ -1192,7 +1630,7 @@ optional_policy(`
+@@ -1192,7 +1634,7 @@ optional_policy(`
 ########################################
 #
@ -119375,7 +119383,7 @@ index f03dcf567..844aa6e9e 100644
 #
 allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1639,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1643,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
 allow virt_bridgehelper_t self:tun_socket create_socket_perms;
 allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 293%{?dist}
+Release: 294%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -678,6 +678,15 @@ exit 0
 %endif
 %changelog
 * Mon Oct 09 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-294
 - Allow cloud-init to create content in /var/run/cloud-init
 - Dontaudit VM to read gnome-boxes process data BZ(1415975)
 - Allow winbind_t domain mmap samba_var_t files
 - Allow cupsd_t to execute ld_so_cache_t BZ(1478602)
 - Update dev_rw_xserver_misc() interface to allo source domains to mmap xserver devices BZ(1334035)
 - Add dac_override capability to groupadd_t domain BZ(1497091)
 - Allow unconfined_service_t to start containers
 * Sun Oct 08 2017 Petr Lautrbach <plautrba@redhat.com> - 3.13.1-293
 - Drop policyhelp utility BZ(1498429)