--##
--## Receive TCP packets from an unlabeled connection.
--##
--##
--## The corenetwork interface corenet_tcp_recv_unlabeled() should
--## be used instead of this one.
--##
++##
+##
+##
+## Domain allowed access.
@@ -22171,20 +22248,10 @@ index e100d88..1428581 100644
+
+########################################
+##
-+## Receive TCP packets from an unlabeled connection.
-+##
-+##
-+##
-+## Receive TCP packets from an unlabeled connection.
-+##
-+##
-+## The corenetwork interface corenet_tcp_recv_unlabeled() should
-+## be used instead of this one.
-+##
- ##
- ##
- ##
-@@ -2694,6 +2942,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+ ## Receive TCP packets from an unlabeled connection.
+ ##
+ ##
+@@ -2694,6 +2970,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
##
@@ -22210,7 +22277,7 @@ index e100d88..1428581 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
##
-@@ -2803,6 +3070,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2803,6 +3098,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@@ -22244,7 +22311,7 @@ index e100d88..1428581 100644
########################################
##
-@@ -2958,6 +3252,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2958,6 +3280,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
##
@@ -22269,7 +22336,7 @@ index e100d88..1428581 100644
## Unconfined access to kernel module resources.
##
##
-@@ -2972,5 +3284,649 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3312,649 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -22491,7 +22558,7 @@ index e100d88..1428581 100644
+ read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
+
+ list_dirs_pattern($1, proc_t, proc_numa_t)
-+')
+ ')
+
+########################################
+##
@@ -22510,7 +22577,7 @@ index e100d88..1428581 100644
+ ')
+
+ write_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
- ')
++')
+
+########################################
+##
@@ -37725,7 +37792,7 @@ index 79a45f6..6126f21 100644
+ allow $1 init_var_lib_t:dir search_dir_perms;
')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..25e49cf 100644
+index 17eda24..9f2c792 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -37905,11 +37972,12 @@ index 17eda24..25e49cf 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +212,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +212,24 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
+kernel_stream_connect(init_t)
++kernel_mounton_systemd_ProtectKernelTunables(init_t)
corecmd_exec_chroot(init_t)
corecmd_exec_bin(init_t)
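Review bot: `kernel_mounton_systemd_ProtectKernelTunables(init_t)` breaks the all-lowercase snake_case naming that every other interface call in this hunk follows (`kernel_stream_connect`, `corecmd_exec_chroot`, `corecmd_exec_bin`); the conventional spelling would be lowercase, ideally naming the kernel objects mounted on rather than the systemd option. The interface definition is not in this chunk, so what it actually grants init_t cannot be checked here; the changelog on this page ties the call to BZ(1392161). A why-comment next to the call would save the next reader the lookup: `# needed for systemd ProtectKernelTunables= (BZ 1392161)`. The init_t rule block starts and ends outside the hunk.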
@@ -37930,15 +37998,17 @@ index 17eda24..25e49cf 100644
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
-@@ -139,14 +236,25 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +237,26 @@ domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)
+-
+-files_read_etc_files(init_t)
+domain_read_all_domains_state(init_t)
+domain_getattr_all_domains(init_t)
+domain_setrlimit_all_domains(init_t)
-
--files_read_etc_files(init_t)
++domain_rlimitinh_all_domains(init_t)
++
+files_read_config_files(init_t)
+files_read_all_pids(init_t)
+files_read_system_conf_files(init_t)
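Review bot: `domain_rlimitinh_all_domains(init_t)` is the only new grant in this hunk and arrives with no comment, while the surrounding lines merely move the `files_read_etc_files` removal, so it is easy to miss on review. As defined in refpolicy that interface allows init_t `process rlimitinh` towards every domain, i.e. resource limits set in init carry into each service on domain transition; the changelog on this page attributes it to enabling coredumps by default (BZ 1341829). Put that reasoning beside the call: `# F26: coredumps on by default; services inherit init's rlimits (BZ 1341829)`. Since the grant is attribute-wide rather than per-service, it is worth confirming that propagating all of init's limits, not only the core size, is intended. The init_t rule block continues outside the hunk.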
@@ -37957,7 +38027,7 @@ index 17eda24..25e49cf 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -155,29 +263,73 @@ fs_list_inotifyfs(init_t)
+@@ -155,29 +265,73 @@ fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
@@ -38020,10 +38090,10 @@ index 17eda24..25e49cf 100644
+
+miscfiles_manage_localization(init_t)
+miscfiles_filetrans_named_content(init_t)
-+
-+udev_manage_rules_files(init_t)
-miscfiles_read_localization(init_t)
++udev_manage_rules_files(init_t)
++
+userdom_use_user_ttys(init_t)
+userdom_manage_tmp_dirs(init_t)
+userdom_manage_tmp_sockets(init_t)
@@ -38036,7 +38106,7 @@ index 17eda24..25e49cf 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +338,275 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +340,275 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -38275,18 +38345,18 @@ index 17eda24..25e49cf 100644
+optional_policy(`
+ lvm_rw_pipes(init_t)
+ lvm_read_config(init_t)
++')
++
++optional_policy(`
++ lldpad_relabel_tmpfs(init_t)
')
optional_policy(`
- auth_rw_login_records(init_t)
-+ lldpad_relabel_tmpfs(init_t)
++ consolekit_manage_log(init_t)
')
optional_policy(`
-+ consolekit_manage_log(init_t)
-+')
-+
-+optional_policy(`
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
@@ -38307,21 +38377,21 @@ index 17eda24..25e49cf 100644
+optional_policy(`
+ networkmanager_stream_connect(init_t)
+ networkmanager_stream_connect(initrc_t)
-+')
-+
-+optional_policy(`
-+ plymouthd_stream_connect(init_t)
-+ plymouthd_exec_plymouth(init_t)
-+ plymouthd_filetrans_named_content(init_t)
')
optional_policy(`
- nscd_use(init_t)
++ plymouthd_stream_connect(init_t)
++ plymouthd_exec_plymouth(init_t)
++ plymouthd_filetrans_named_content(init_t)
++')
++
++optional_policy(`
+ ssh_getattr_server_keys(init_t)
')
optional_policy(`
-@@ -216,7 +614,30 @@ optional_policy(`
+@@ -216,7 +616,30 @@ optional_policy(`
')
optional_policy(`
@@ -38353,7 +38423,7 @@ index 17eda24..25e49cf 100644
')
########################################
-@@ -225,9 +646,9 @@ optional_policy(`
+@@ -225,9 +648,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -38365,7 +38435,7 @@ index 17eda24..25e49cf 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +679,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +681,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -38382,7 +38452,7 @@ index 17eda24..25e49cf 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +704,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +706,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -38425,7 +38495,7 @@ index 17eda24..25e49cf 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +741,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +743,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -38437,7 +38507,7 @@ index 17eda24..25e49cf 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +753,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +755,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -38448,7 +38518,7 @@ index 17eda24..25e49cf 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +764,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +766,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -38458,7 +38528,7 @@ index 17eda24..25e49cf 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +773,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +775,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -38466,7 +38536,7 @@ index 17eda24..25e49cf 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +780,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +782,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -38474,7 +38544,7 @@ index 17eda24..25e49cf 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +788,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +790,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -38492,7 +38562,7 @@ index 17eda24..25e49cf 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +806,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +808,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -38506,7 +38576,7 @@ index 17eda24..25e49cf 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +821,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +823,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -38520,7 +38590,7 @@ index 17eda24..25e49cf 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,8 +834,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +836,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -38531,7 +38601,7 @@ index 17eda24..25e49cf 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +847,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +849,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -38539,7 +38609,7 @@ index 17eda24..25e49cf 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +866,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +868,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -38563,7 +38633,7 @@ index 17eda24..25e49cf 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +899,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +901,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -38571,7 +38641,7 @@ index 17eda24..25e49cf 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +933,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +935,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -38582,7 +38652,7 @@ index 17eda24..25e49cf 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +957,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +959,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -38591,7 +38661,7 @@ index 17eda24..25e49cf 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +972,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +974,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -38599,7 +38669,7 @@ index 17eda24..25e49cf 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +993,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +995,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -38607,7 +38677,7 @@ index 17eda24..25e49cf 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +1003,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +1005,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -38652,7 +38722,7 @@ index 17eda24..25e49cf 100644
')
optional_policy(`
-@@ -559,14 +1048,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1050,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -38684,7 +38754,7 @@ index 17eda24..25e49cf 100644
')
')
-@@ -577,6 +1083,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1085,39 @@ ifdef(`distro_suse',`
')
')
@@ -38724,7 +38794,7 @@ index 17eda24..25e49cf 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1128,8 @@ optional_policy(`
+@@ -589,6 +1130,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -38733,7 +38803,7 @@ index 17eda24..25e49cf 100644
')
optional_policy(`
-@@ -610,6 +1151,7 @@ optional_policy(`
+@@ -610,6 +1153,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -38741,7 +38811,7 @@ index 17eda24..25e49cf 100644
')
optional_policy(`
-@@ -626,6 +1168,17 @@ optional_policy(`
+@@ -626,6 +1170,17 @@ optional_policy(`
')
optional_policy(`
@@ -38759,7 +38829,7 @@ index 17eda24..25e49cf 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1195,13 @@ optional_policy(`
+@@ -642,9 +1197,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -38773,7 +38843,7 @@ index 17eda24..25e49cf 100644
')
optional_policy(`
-@@ -657,15 +1214,11 @@ optional_policy(`
+@@ -657,15 +1216,11 @@ optional_policy(`
')
optional_policy(`
@@ -38791,7 +38861,7 @@ index 17eda24..25e49cf 100644
')
optional_policy(`
-@@ -686,6 +1239,15 @@ optional_policy(`
+@@ -686,6 +1241,15 @@ optional_policy(`
')
optional_policy(`
@@ -38807,7 +38877,7 @@ index 17eda24..25e49cf 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1288,7 @@ optional_policy(`
+@@ -726,6 +1290,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -38815,7 +38885,7 @@ index 17eda24..25e49cf 100644
')
optional_policy(`
-@@ -743,7 +1306,13 @@ optional_policy(`
+@@ -743,7 +1308,13 @@ optional_policy(`
')
optional_policy(`
@@ -38830,7 +38900,7 @@ index 17eda24..25e49cf 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1335,10 @@ optional_policy(`
+@@ -766,6 +1337,10 @@ optional_policy(`
')
optional_policy(`
@@ -38841,7 +38911,7 @@ index 17eda24..25e49cf 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1348,20 @@ optional_policy(`
+@@ -775,10 +1350,20 @@ optional_policy(`
')
optional_policy(`
@@ -38862,7 +38932,7 @@ index 17eda24..25e49cf 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1370,10 @@ optional_policy(`
+@@ -787,6 +1372,10 @@ optional_policy(`
')
optional_policy(`
@@ -38873,7 +38943,7 @@ index 17eda24..25e49cf 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1395,6 @@ optional_policy(`
+@@ -808,8 +1397,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -38882,7 +38952,7 @@ index 17eda24..25e49cf 100644
')
optional_policy(`
-@@ -818,6 +1403,10 @@ optional_policy(`
+@@ -818,6 +1405,10 @@ optional_policy(`
')
optional_policy(`
@@ -38893,7 +38963,7 @@ index 17eda24..25e49cf 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1416,12 @@ optional_policy(`
+@@ -827,10 +1418,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -38906,7 +38976,7 @@ index 17eda24..25e49cf 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1448,62 @@ optional_policy(`
+@@ -857,21 +1450,62 @@ optional_policy(`
')
optional_policy(`
@@ -38970,7 +39040,7 @@ index 17eda24..25e49cf 100644
')
optional_policy(`
-@@ -887,6 +1519,10 @@ optional_policy(`
+@@ -887,6 +1521,10 @@ optional_policy(`
')
optional_policy(`
@@ -38981,7 +39051,7 @@ index 17eda24..25e49cf 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1533,218 @@ optional_policy(`
+@@ -897,3 +1535,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index a8c9dfc..c20e916 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -114657,10 +114657,10 @@ index facdee8..2cff369 100644
+ domtrans_pattern($1,container_file_t, $2)
')
diff --git a/virt.te b/virt.te
-index f03dcf5..8036117 100644
+index f03dcf5..d7dc78b 100644
--- a/virt.te
+++ b/virt.te
-@@ -1,451 +1,410 @@
+@@ -1,451 +1,411 @@
-policy_module(virt, 1.7.4)
+policy_module(virt, 1.5.0)
@@ -115350,6 +115350,7 @@ index f03dcf5..8036117 100644
manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t)
manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t)
++files_var_filetrans(virtd_t, virt_cache_t, dir)
manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
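Review bot: `files_var_filetrans(virtd_t, virt_cache_t, dir)` carries no name argument, so every directory virtd_t creates directly inside a var_t directory is labelled virt_cache_t, not only the `/var/cache/libvirt` directory the changelog on this page describes. refpolicy's `files_var_filetrans` takes an optional fourth parameter for a named transition; `files_var_filetrans(virtd_t, virt_cache_t, dir, "libvirt")` would narrow it to that name if that is the intent (assuming `/var/cache` is var_t in this policy, which the hunk does not show). A one-line comment stating the purpose would also help, e.g. `# libvirtd creates /var/cache/libvirt itself; label it virt_cache_t`. The virtd_t rule block starts and ends outside the hunk.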
@@ -115381,7 +115382,7 @@ index f03dcf5..8036117 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +414,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +415,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -115428,7 +115429,7 @@ index f03dcf5..8036117 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,23 +449,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,23 +450,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -115462,7 +115463,7 @@ index f03dcf5..8036117 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -527,24 +474,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +475,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -115490,7 +115491,7 @@ index f03dcf5..8036117 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -555,20 +494,26 @@ dev_rw_vhost(virtd_t)
+@@ -555,20 +495,26 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -115521,7 +115522,7 @@ index f03dcf5..8036117 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_all_fs(virtd_t)
fs_rw_anon_inodefs_files(virtd_t)
-@@ -601,15 +546,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +547,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -115541,7 +115542,7 @@ index f03dcf5..8036117 100644
selinux_validate_context(virtd_t)
-@@ -620,18 +568,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +569,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -115578,7 +115579,7 @@ index f03dcf5..8036117 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -640,7 +596,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -640,7 +597,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -115587,7 +115588,7 @@ index f03dcf5..8036117 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -665,20 +621,12 @@ optional_policy(`
+@@ -665,20 +622,12 @@ optional_policy(`
')
optional_policy(`
@@ -115608,7 +115609,7 @@ index f03dcf5..8036117 100644
')
optional_policy(`
-@@ -691,20 +639,26 @@ optional_policy(`
+@@ -691,20 +640,26 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -115639,7 +115640,7 @@ index f03dcf5..8036117 100644
')
optional_policy(`
-@@ -712,11 +666,18 @@ optional_policy(`
+@@ -712,11 +667,18 @@ optional_policy(`
')
optional_policy(`
@@ -115658,7 +115659,7 @@ index f03dcf5..8036117 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
-@@ -727,10 +688,18 @@ optional_policy(`
+@@ -727,10 +689,18 @@ optional_policy(`
')
optional_policy(`
@@ -115677,7 +115678,7 @@ index f03dcf5..8036117 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -746,44 +715,336 @@ optional_policy(`
+@@ -746,44 +716,336 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@@ -116036,7 +116037,7 @@ index f03dcf5..8036117 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1055,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1056,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -116063,7 +116064,7 @@ index f03dcf5..8036117 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1075,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1076,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -116097,7 +116098,7 @@ index f03dcf5..8036117 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1112,20 @@ optional_policy(`
+@@ -856,14 +1113,20 @@ optional_policy(`
')
optional_policy(`
@@ -116119,7 +116120,7 @@ index f03dcf5..8036117 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1150,66 @@ optional_policy(`
+@@ -888,49 +1151,66 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -116204,7 +116205,7 @@ index f03dcf5..8036117 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1221,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1222,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -116224,7 +116225,7 @@ index f03dcf5..8036117 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1242,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1243,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -116248,7 +116249,7 @@ index f03dcf5..8036117 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1267,370 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1268,370 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -116764,7 +116765,7 @@ index f03dcf5..8036117 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1643,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1644,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -116779,7 +116780,7 @@ index f03dcf5..8036117 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,7 +1661,7 @@ optional_policy(`
+@@ -1192,7 +1662,7 @@ optional_policy(`
########################################
#
@@ -116788,7 +116789,7 @@ index f03dcf5..8036117 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1670,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1671,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 85fbc1e..24b4aa6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 234%{?dist}
+Release: 235%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -675,6 +675,11 @@ exit 0
%endif
%changelog
+* Tue Jan 17 2017 Lukas Vrabec - 3.13.1-235
+- Allow libvirt daemon to create /var/chace/libvirt dir.
+- Allow systemd using ProtectKernelTunables securit feature. BZ(1392161)
+- F26 Wide change: Coredumps enabled by default. Allowing inherits process limits to enable coredumps.BZ(1341829)
+
* Tue Jan 17 2017 Lukas Vrabec - 3.13.1-234
- After the latest changes in nfsd. We should allow nfsd_t to read raw fixed disk. For more info see: BZ(1403017)
- Tighten security on containe types