diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index da94e3a..4068580 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -8291,7 +8291,7 @@ index 6529bd9..831344c 100644
+allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
allow devices_unconfined_type mtrr_device_t:file *;
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..c691385 100644
+index 6a1e4d1..acdd919 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -76,33 +76,8 @@ interface(`domain_type',`
@@ -8409,7 +8409,7 @@ index 6a1e4d1..c691385 100644
## Relabel to and from all entry point
## file types.
##
-@@ -1530,4 +1543,27 @@ interface(`domain_unconfined',`
+@@ -1530,4 +1543,63 @@ interface(`domain_unconfined',`
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
typeattribute $1 process_uncond_exempt;
@@ -8436,6 +8436,42 @@ index 6a1e4d1..c691385 100644
+ ')
+
+ dontaudit $1 domain:socket_class_set { read write };
++')
++
++########################################
++##
++## Allow caller to transition to any domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`domain_transition_all',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ allow $1 domain:process transition;
++')
++
++########################################
++##
++## Do not audit attempts to access check /proc
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`domain_dontaudit_access_check',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index cf04cb5..602ad63 100644
@@ -17097,7 +17133,7 @@ index ff92430..36740ea 100644
##
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..0459d20 100644
+index 88d0028..3cfc3dd 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1)
@@ -17535,7 +17571,7 @@ index 88d0028..0459d20 100644
virt_stream_connect(sysadm_t)
+ virt_filetrans_home_content(sysadm_t)
+ virt_manage_pid_dirs(sysadm_t)
-+ virt_transition_svirt_lxc(sysadm_t, sysadm_r)
++ virt_transition_svirt_sandbox(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -18350,7 +18386,7 @@ index 0000000..cf6582f
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..a52f369
+index 0000000..f312edf
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,330 @@
@@ -18675,7 +18711,7 @@ index 0000000..a52f369
+
+optional_policy(`
+ virt_transition_svirt(unconfined_t, unconfined_r)
-+ virt_transition_svirt_lxc(unconfined_t, unconfined_r)
++ virt_transition_svirt_sandbox(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
@@ -20175,7 +20211,7 @@ index fe0c682..225aaa7 100644
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..2d08ed2 100644
+index 5fc0391..7931fba 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3)
@@ -20554,8 +20590,8 @@ index 5fc0391..2d08ed2 100644
optional_policy(`
+ kernel_write_proc_files(sshd_t)
-+ virt_transition_svirt_lxc(sshd_t, system_r)
-+ virt_stream_connect_lxc(sshd_t)
++ virt_transition_svirt_sandbox(sshd_t, system_r)
++ virt_stream_connect_sandbox(sshd_t)
+ virt_stream_connect(sshd_t)
+')
+
@@ -25859,10 +25895,10 @@ index 9dfecf7..6d00f5c 100644
+
+/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
-index f6cbda9..8c37105 100644
+index f6cbda9..51e9aef 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
-@@ -23,39 +23,47 @@ dontaudit hostname_t self:capability sys_tty_config;
+@@ -23,39 +23,46 @@ dontaudit hostname_t self:capability sys_tty_config;
kernel_list_proc(hostname_t)
kernel_read_proc_symlinks(hostname_t)
@@ -25889,8 +25925,7 @@ index f6cbda9..8c37105 100644
term_dontaudit_use_console(hostname_t)
-term_use_all_ttys(hostname_t)
-term_use_all_ptys(hostname_t)
-+term_use_all_inherited_ttys(hostname_t)
-+term_use_all_inherited_ptys(hostname_t)
++term_use_all_inherited_terms(hostname_t)
init_use_fds(hostname_t)
init_use_script_fds(hostname_t)
@@ -28809,7 +28844,7 @@ index 0d4c8d3..a89c4a2 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..4bf2a53 100644
+index 9e54bf9..18ef725 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -28891,7 +28926,7 @@ index 9e54bf9..4bf2a53 100644
term_use_console(ipsec_t)
term_dontaudit_use_all_ttys(ipsec_t)
-@@ -165,11 +176,13 @@ auth_use_nsswitch(ipsec_t)
+@@ -165,16 +176,22 @@ auth_use_nsswitch(ipsec_t)
init_use_fds(ipsec_t)
init_use_script_ptys(ipsec_t)
@@ -28906,7 +28941,16 @@ index 9e54bf9..4bf2a53 100644
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -187,10 +200,10 @@ optional_policy(`
+
+ optional_policy(`
++ iptables_domtrans(ipsec_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(ipsec_t)
+ ')
+
+@@ -187,10 +204,10 @@ optional_policy(`
# ipsec_mgmt Local policy
#
@@ -28921,7 +28965,7 @@ index 9e54bf9..4bf2a53 100644
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
allow ipsec_mgmt_t self:key_socket create_socket_perms;
-@@ -206,14 +219,15 @@ files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file })
+@@ -206,14 +223,15 @@ files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file })
manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
@@ -28940,7 +28984,7 @@ index 9e54bf9..4bf2a53 100644
# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
-@@ -246,6 +260,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +264,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@@ -28957,7 +29001,7 @@ index 9e54bf9..4bf2a53 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -255,6 +279,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +283,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t)
@@ -28966,7 +29010,7 @@ index 9e54bf9..4bf2a53 100644
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
-@@ -278,9 +304,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +308,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@@ -28978,7 +29022,7 @@ index 9e54bf9..4bf2a53 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
-@@ -290,15 +317,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
+@@ -290,15 +321,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
logging_send_syslog_msg(ipsec_mgmt_t)
@@ -29002,7 +29046,7 @@ index 9e54bf9..4bf2a53 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +352,10 @@ optional_policy(`
+@@ -322,6 +356,10 @@ optional_policy(`
')
optional_policy(`
@@ -29013,7 +29057,7 @@ index 9e54bf9..4bf2a53 100644
modutils_domtrans_insmod(ipsec_mgmt_t)
')
-@@ -335,7 +369,7 @@ optional_policy(`
+@@ -335,7 +373,7 @@ optional_policy(`
#
allow racoon_t self:capability { net_admin net_bind_service };
@@ -29022,7 +29066,7 @@ index 9e54bf9..4bf2a53 100644
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +404,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +408,12 @@ kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
@@ -29042,7 +29086,7 @@ index 9e54bf9..4bf2a53 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -401,10 +434,11 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +438,11 @@ locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t)
@@ -29055,7 +29099,7 @@ index 9e54bf9..4bf2a53 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +472,9 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +476,9 @@ corenet_setcontext_all_spds(setkey_t)
locallogin_use_fds(setkey_t)
@@ -42897,7 +42941,7 @@ index 3c5dba7..fbcee33 100644
+ dontaudit $1 user_home_type:dir_file_class_set audit_access;
')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index e2b538b..211263f 100644
+index e2b538b..3a775a7 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5)
@@ -42985,7 +43029,7 @@ index e2b538b..211263f 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -70,26 +82,226 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +82,227 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -43043,6 +43087,7 @@ index e2b538b..211263f 100644
+allow userdomain userdomain:fifo_file rw_inherited_fifo_file_perms;
+
+# Nautilus causes this avc
++domain_dontaudit_access_check(unpriv_userdomain)
+dontaudit unpriv_userdomain self:dir setattr;
+allow unpriv_userdomain self:key manage_key_perms;
+
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index a49f171..4f23182 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -51238,7 +51238,7 @@ index 0000000..fdc4a03
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..c1eed44
+index 0000000..9724884
--- /dev/null
+++ b/openshift.te
@@ -0,0 +1,549 @@
@@ -51340,7 +51340,7 @@ index 0000000..c1eed44
+unconfined_domain_noaudit(openshift_initrc_t)
+mcs_process_set_categories(openshift_initrc_t)
+
-+virt_lxc_domain(openshift_initrc_t)
++virt_sandbox_domain(openshift_initrc_t)
+
+systemd_dbus_chat_logind(openshift_initrc_t)
+
@@ -86704,10 +86704,10 @@ index 0000000..8b2dfff
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..07820b6
+index 0000000..17c737d
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,145 @@
+@@ -0,0 +1,146 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -86781,6 +86781,7 @@ index 0000000..07820b6
+dev_rw_xserver_misc(thumb_t)
+
+domain_use_interactive_fds(thumb_t)
++domain_dontaudit_read_all_domains_state(thumb_t)
+
+files_read_non_security_files(thumb_t)
+
@@ -89505,7 +89506,7 @@ index c30da4c..b81eaa0 100644
+/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 9dec06c..bdba959 100644
+index 9dec06c..4e31afe 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -90647,17 +90648,17 @@ index 9dec06c..bdba959 100644
-##
#
-interface(`virt_pid_filetrans',`
-+interface(`virt_stream_connect_lxc',`
++interface(`virt_stream_connect_sandbox',`
gen_require(`
- type virt_var_run_t;
-+ attribute svirt_lxc_domain;
-+ type svirt_lxc_file_t;
++ attribute svirt_sandbox_domain;
++ type svirt_sandbox_file_t;
')
files_search_pids($1)
- filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
-+ stream_connect_pattern($1, svirt_lxc_file_t, svirt_lxc_file_t, svirt_lxc_domain)
-+ ps_process_pattern(svirt_lxc_domain, $1)
++ stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain)
++ ps_process_pattern(svirt_sandbox_domain, $1)
')
+
@@ -90981,16 +90982,16 @@ index 9dec06c..bdba959 100644
- manage_files_pattern($1, virt_image_type, virt_image_type)
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
- rw_blk_files_pattern($1, virt_image_type, virt_image_type)
--
++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
++ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
+
- tunable_policy(`virt_use_nfs',`
- fs_manage_nfs_dirs($1)
- fs_manage_nfs_files($1)
- fs_read_nfs_symlinks($1)
- ')
-+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
-+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
-+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
-
+-
- tunable_policy(`virt_use_samba',`
- fs_manage_cifs_files($1)
- fs_manage_cifs_files($1)
@@ -91039,7 +91040,7 @@ index 9dec06c..bdba959 100644
-##
#
-interface(`virt_admin',`
-+template(`virt_lxc_domain_template',`
++template(`virt_sandbox_domain_template',`
gen_require(`
- attribute virt_domain, virt_image_type, virt_tmpfs_type;
- attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type;
@@ -91049,14 +91050,14 @@ index 9dec06c..bdba959 100644
- type virt_var_run_t, virt_tmp_t, virt_log_t;
- type virt_lock_t, svirt_var_run_t, virt_etc_rw_t;
- type virt_etc_t, svirt_cache_t;
-+ attribute svirt_lxc_domain;
++ attribute svirt_sandbox_domain;
')
- allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms };
- allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t })
- ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t })
-+ type $1_t, svirt_lxc_domain;
++ type $1_t, svirt_sandbox_domain;
+ domain_type($1_t)
+ domain_user_exemption_target($1_t)
+ mls_rangetrans_target($1_t)
@@ -91082,14 +91083,14 @@ index 9dec06c..bdba959 100644
+##
+##
+#
-+template(`virt_lxc_domain',`
++template(`virt_sandbox_domain',`
+ gen_require(`
-+ attribute svirt_lxc_domain;
++ attribute svirt_sandbox_domain;
+ ')
- files_search_tmp($1)
- admin_pattern($1, { virt_tmp_type virt_tmp_t })
-+ typeattribute $1 svirt_lxc_domain;
++ typeattribute $1 svirt_sandbox_domain;
+')
- files_search_etc($1)
@@ -91158,16 +91159,16 @@ index 9dec06c..bdba959 100644
+##
+##
+#
-+interface(`virt_transition_svirt_lxc',`
++interface(`virt_transition_svirt_sandbox',`
+ gen_require(`
-+ attribute svirt_lxc_domain;
++ attribute svirt_sandbox_domain;
+ ')
+
-+ allow $1 svirt_lxc_domain:process transition;
-+ role $2 types svirt_lxc_domain;
-+ allow $1 svirt_lxc_domain:unix_dgram_socket sendto;
++ allow $1 svirt_sandbox_domain:process transition;
++ role $2 types svirt_sandbox_domain;
++ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto;
+
-+ allow svirt_lxc_domain $1:process sigchld;
++ allow svirt_sandbox_domain $1:process sigchld;
+')
- files_search_locks($1)
@@ -91192,7 +91193,7 @@ index 9dec06c..bdba959 100644
+ allow $1 svirt_image_t:chr_file rw_file_perms;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..4ed8171 100644
+index 1f22fba..8757277 100644
--- a/virt.te
+++ b/virt.te
@@ -1,94 +1,104 @@
@@ -91453,7 +91454,7 @@ index 1f22fba..4ed8171 100644
-# Common virt domain local policy
+# Declarations
#
-+attribute svirt_lxc_domain;
++attribute svirt_sandbox_domain;
-allow virt_domain self:process { signal getsched signull };
-allow virt_domain self:fifo_file rw_fifo_file_perms;
@@ -91581,19 +91582,16 @@ index 1f22fba..4ed8171 100644
- fs_manage_fusefs_files(virt_domain)
- fs_read_fusefs_symlinks(virt_domain)
-')
-+type virtd_lxc_t;
-+type virtd_lxc_exec_t;
-+init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
-
+-
-tunable_policy(`virt_use_nfs',`
- fs_manage_nfs_dirs(virt_domain)
- fs_manage_nfs_files(virt_domain)
- fs_manage_nfs_named_sockets(virt_domain)
- fs_read_nfs_symlinks(virt_domain)
-')
-+type virt_lxc_var_run_t;
-+files_pid_file(virt_lxc_var_run_t)
-+typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
++type virtd_lxc_t;
++type virtd_lxc_exec_t;
++init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
-tunable_policy(`virt_use_samba',`
- fs_manage_cifs_dirs(virt_domain)
@@ -91601,13 +91599,16 @@ index 1f22fba..4ed8171 100644
- fs_manage_cifs_named_sockets(virt_domain)
- fs_read_cifs_symlinks(virt_domain)
-')
--
++type virt_lxc_var_run_t;
++files_pid_file(virt_lxc_var_run_t)
++typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
+
-tunable_policy(`virt_use_sysfs',`
- dev_rw_sysfs(virt_domain)
-')
+# virt lxc container files
-+type svirt_lxc_file_t;
-+files_mountpoint(svirt_lxc_file_t)
++type svirt_sandbox_file_t alias svirt_lxc_file_t;
++files_mountpoint(svirt_sandbox_file_t)
-tunable_policy(`virt_use_usb',`
- dev_rw_usbfs(virt_domain)
@@ -91667,9 +91668,7 @@ index 1f22fba..4ed8171 100644
-
-dontaudit svirt_t virt_content_t:file write_file_perms;
-dontaudit svirt_t virt_content_t:dir rw_dir_perms;
-+allow svirt_tcg_t self:process { execmem execstack };
-+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-append_files_pattern(svirt_t, virt_home_t, virt_home_t)
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
@@ -91678,7 +91677,9 @@ index 1f22fba..4ed8171 100644
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
-
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
--
++allow svirt_tcg_t self:process { execmem execstack };
++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
+
-corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_udp_sendrecv_all_ports(svirt_t)
@@ -91972,7 +91973,7 @@ index 1f22fba..4ed8171 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -658,95 +504,326 @@ optional_policy(`
+@@ -658,20 +504,12 @@ optional_policy(`
')
optional_policy(`
@@ -91986,95 +91987,82 @@ index 1f22fba..4ed8171 100644
optional_policy(`
networkmanager_dbus_chat(virtd_t)
')
-+')
-+
-+optional_policy(`
-+ dmidecode_domtrans(virtd_t)
-+')
-+
-+optional_policy(`
-+ dnsmasq_domtrans(virtd_t)
-+ dnsmasq_signal(virtd_t)
-+ dnsmasq_kill(virtd_t)
-+ dnsmasq_signull(virtd_t)
-+ dnsmasq_create_pid_dirs(virtd_t)
+-
+- optional_policy(`
+- policykit_dbus_chat(virtd_t)
+- ')
+ ')
+
+ optional_policy(`
+@@ -684,14 +522,20 @@ optional_policy(`
+ dnsmasq_kill(virtd_t)
+ dnsmasq_signull(virtd_t)
+ dnsmasq_create_pid_dirs(virtd_t)
+- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, dir, "network")
+- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, file, "dnsmasq.pid")
+ dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t);
-+ dnsmasq_manage_pid_files(virtd_t)
-+')
-+
-+optional_policy(`
+ dnsmasq_manage_pid_files(virtd_t)
+ ')
+
+ optional_policy(`
+ firewalld_dbus_chat(virtd_t)
+')
+
+optional_policy(`
-+ iptables_domtrans(virtd_t)
-+ iptables_initrc_domtrans(virtd_t)
+ iptables_domtrans(virtd_t)
+ iptables_initrc_domtrans(virtd_t)
+ iptables_systemctl(virtd_t)
+
+ # Manages /etc/sysconfig/system-config-firewall
-+ iptables_manage_config(virtd_t)
-+')
-+
-+optional_policy(`
-+ kerberos_keytab_template(virtd, virtd_t)
-+')
-+
-+optional_policy(`
-+ lvm_domtrans(virtd_t)
-+')
-+
-+optional_policy(`
+ iptables_manage_config(virtd_t)
+ ')
+
+@@ -704,11 +548,13 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+ # Run mount in the mount_t domain.
-+ mount_domtrans(virtd_t)
-+ mount_signal(virtd_t)
-+')
-+
-+optional_policy(`
+ mount_domtrans(virtd_t)
+ mount_signal(virtd_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(virtd_t)
-+ policykit_domtrans_auth(virtd_t)
-+ policykit_domtrans_resolve(virtd_t)
-+ policykit_read_lib(virtd_t)
-+')
-+
-+optional_policy(`
-+ qemu_exec(virtd_t)
-+')
-+
-+optional_policy(`
+ policykit_domtrans_auth(virtd_t)
+ policykit_domtrans_resolve(virtd_t)
+ policykit_read_lib(virtd_t)
+@@ -719,10 +565,18 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+ sanlock_stream_connect(virtd_t)
+')
+
+optional_policy(`
-+ sasl_connect(virtd_t)
-+')
-+
-+optional_policy(`
+ sasl_connect(virtd_t)
+ ')
+
+ optional_policy(`
+ setrans_manage_pid_files(virtd_t)
+')
+
+optional_policy(`
-+ kernel_read_xen_state(virtd_t)
-+ kernel_write_xen_state(virtd_t)
-+
-+ xen_exec(virtd_t)
-+ xen_stream_connect(virtd_t)
-+ xen_stream_connect_xenstore(virtd_t)
-+ xen_read_image_files(virtd_t)
-+')
-+
-+optional_policy(`
-+ udev_domtrans(virtd_t)
-+ udev_read_db(virtd_t)
-+')
-+
+ kernel_read_xen_state(virtd_t)
+ kernel_write_xen_state(virtd_t)
+
+@@ -737,44 +591,261 @@ optional_policy(`
+ udev_read_db(virtd_t)
+ ')
+
+optional_policy(`
+ unconfined_domain(virtd_t)
+')
+
-+########################################
-+#
+ ########################################
+ #
+-# Virsh local policy
+# virtual domains common policy
-+#
+ #
+allow virt_domain self:capability2 compromise_kernel;
+allow virt_domain self:process { setrlimit signal_perms getsched setsched };
+allow virt_domain self:fifo_file rw_fifo_file_perms;
@@ -92083,7 +92071,16 @@ index 1f22fba..4ed8171 100644
+allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
+allow virt_domain self:tcp_socket create_stream_socket_perms;
+allow virt_domain self:udp_socket create_socket_perms;
-+
+
+-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
+-allow virsh_t self:process { getcap getsched setsched setcap signal };
+-allow virsh_t self:fifo_file rw_fifo_file_perms;
+-allow virsh_t self:unix_stream_socket { accept connectto listen };
+-allow virsh_t self:tcp_socket { accept listen };
+-
+-manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
+-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+list_dirs_pattern(virt_domain, virt_content_t, virt_content_t)
+read_files_pattern(virt_domain, virt_content_t, virt_content_t)
+dontaudit virt_domain virt_content_t:file write_file_perms;
@@ -92102,7 +92099,13 @@ index 1f22fba..4ed8171 100644
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
-+
+
+-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
+
+manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@@ -92133,13 +92136,19 @@ index 1f22fba..4ed8171 100644
+stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t)
+
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
-+
+
+-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+dontaudit virt_domain virt_tmpfs_type:file { read write };
-+
+
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
-+
+
+-allow virsh_t svirt_lxc_domain:process transition;
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-+
+
+-can_exec(virsh_t, virsh_exec_t)
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
+
@@ -92186,10 +92195,7 @@ index 1f22fba..4ed8171 100644
+storage_raw_read_removable_device(virt_domain)
+
+sysnet_read_config(virt_domain)
-
-- optional_policy(`
-- policykit_dbus_chat(virtd_t)
-- ')
++
+term_use_all_inherited_terms(virt_domain)
+term_getattr_pty_fs(virt_domain)
+term_use_generic_ptys(virt_domain)
@@ -92197,78 +92203,53 @@ index 1f22fba..4ed8171 100644
+
+tunable_policy(`virt_use_execmem',`
+ allow virt_domain self:process { execmem execstack };
- ')
-
- optional_policy(`
-- dmidecode_domtrans(virtd_t)
++')
++
++optional_policy(`
+ alsa_read_rw_config(virt_domain)
- ')
-
- optional_policy(`
-- dnsmasq_domtrans(virtd_t)
-- dnsmasq_signal(virtd_t)
-- dnsmasq_kill(virtd_t)
-- dnsmasq_signull(virtd_t)
-- dnsmasq_create_pid_dirs(virtd_t)
-- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, dir, "network")
-- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, file, "dnsmasq.pid")
-- dnsmasq_manage_pid_files(virtd_t)
++')
++
++optional_policy(`
+ ptchown_domtrans(virt_domain)
- ')
-
- optional_policy(`
-- iptables_domtrans(virtd_t)
-- iptables_initrc_domtrans(virtd_t)
-- iptables_manage_config(virtd_t)
++')
++
++optional_policy(`
+ pulseaudio_dontaudit_exec(virt_domain)
- ')
-
- optional_policy(`
-- kerberos_keytab_template(virtd, virtd_t)
++')
++
++optional_policy(`
+ virt_read_config(virt_domain)
+ virt_read_lib_files(virt_domain)
+ virt_read_content(virt_domain)
+ virt_stream_connect(virt_domain)
+ virt_read_pid_symlinks(virt_domain)
+ virt_domtrans_bridgehelper(virt_domain)
- ')
++')
- optional_policy(`
-- lvm_domtrans(virtd_t)
++optional_policy(`
+ xserver_rw_shm(virt_domain)
- ')
-
--optional_policy(`
-- mount_domtrans(virtd_t)
-- mount_signal(virtd_t)
++')
++
+tunable_policy(`virt_use_comm',`
+ term_use_unallocated_ttys(virt_domain)
+ dev_rw_printer(virt_domain)
- ')
-
--optional_policy(`
-- policykit_domtrans_auth(virtd_t)
-- policykit_domtrans_resolve(virtd_t)
-- policykit_read_lib(virtd_t)
++')
++
+tunable_policy(`virt_use_fusefs',`
+ fs_manage_fusefs_dirs(virt_domain)
+ fs_manage_fusefs_files(virt_domain)
+ fs_read_fusefs_symlinks(virt_domain)
+ fs_getattr_fusefs(virt_domain)
- ')
-
--optional_policy(`
-- qemu_exec(virtd_t)
++')
++
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virt_domain)
+ fs_manage_nfs_files(virt_domain)
+ fs_manage_nfs_named_sockets(virt_domain)
+ fs_read_nfs_symlinks(virt_domain)
+ fs_getattr_nfs(virt_domain)
- ')
-
--optional_policy(`
-- sasl_connect(virtd_t)
++')
++
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_dirs(virt_domain)
+ fs_manage_cifs_files(virt_domain)
@@ -92280,102 +92261,81 @@ index 1f22fba..4ed8171 100644
+tunable_policy(`virt_use_usb',`
+ dev_rw_usbfs(virt_domain)
+ dev_read_sysfs(virt_domain)
++ fs_getattr_dos_fs(virt_domain)
+ fs_manage_dos_dirs(virt_domain)
+ fs_manage_dos_files(virt_domain)
- ')
-
- optional_policy(`
-- kernel_read_xen_state(virtd_t)
-- kernel_write_xen_state(virtd_t)
++')
++
++optional_policy(`
+ tunable_policy(`virt_use_sanlock',`
+ sanlock_stream_connect(virt_domain)
+ ')
+')
-
-- xen_exec(virtd_t)
-- xen_stream_connect(virtd_t)
-- xen_stream_connect_xenstore(virtd_t)
-- xen_read_image_files(virtd_t)
++
+tunable_policy(`virt_use_rawip',`
+ allow virt_domain self:rawip_socket create_socket_perms;
- ')
-
- optional_policy(`
-- udev_domtrans(virtd_t)
-- udev_read_db(virtd_t)
++')
++
++optional_policy(`
+ tunable_policy(`virt_use_xserver',`
+ xserver_stream_connect(virt_domain)
+ ')
- ')
-
- ########################################
- #
--# Virsh local policy
++')
++
++########################################
++#
+# xm local policy
- #
++#
+type virsh_t;
+type virsh_exec_t;
+init_system_domain(virsh_t, virsh_exec_t)
+typealias virsh_t alias xm_t;
+typealias virsh_exec_t alias xm_exec_t;
-
--allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
--allow virsh_t self:process { getcap getsched setsched setcap signal };
++
+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
+allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
- allow virsh_t self:fifo_file rw_fifo_file_perms;
--allow virsh_t self:unix_stream_socket { accept connectto listen };
--allow virsh_t self:tcp_socket { accept listen };
++allow virsh_t self:fifo_file rw_fifo_file_perms;
+allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow virsh_t self:tcp_socket create_stream_socket_perms;
+
-+ps_process_pattern(virsh_t, svirt_lxc_domain)
++ps_process_pattern(virsh_t, svirt_sandbox_domain)
+
+can_exec(virsh_t, virsh_exec_t)
-+virt_domtrans(virsh_t)
-+virt_manage_images(virsh_t)
-+virt_manage_config(virsh_t)
-+virt_stream_connect(virsh_t)
-+
+ virt_domtrans(virsh_t)
+ virt_manage_images(virsh_t)
+ virt_manage_config(virsh_t)
+ virt_stream_connect(virsh_t)
+
+-kernel_read_crypto_sysctls(virsh_t)
+manage_dirs_pattern(virsh_t, virt_lock_t, virt_lock_t)
+manage_files_pattern(virsh_t, virt_lock_t, virt_lock_t)
+manage_lnk_files_pattern(virsh_t, virt_lock_t, virt_lock_t)
+files_lock_filetrans(virsh_t, virt_lock_t, { dir file lnk_file })
-
- manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
- manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +835,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
- manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
- manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
- manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+virt_transition_svirt_lxc(virsh_t, system_r)
-
--manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
--
--dontaudit virsh_t virt_var_lib_t:file read_file_perms;
++
++manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
++manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
++manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
++
++manage_dirs_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_chr_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_lnk_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_sock_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_fifo_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++virt_transition_svirt_sandbox(virsh_t, system_r)
++
+manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+virt_filetrans_named_content(virsh_t)
+filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
-
--allow virsh_t svirt_lxc_domain:process transition;
++
+dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
-
--can_exec(virsh_t, virsh_exec_t)
--
--virt_domtrans(virsh_t)
--virt_manage_images(virsh_t)
--virt_manage_config(virsh_t)
--virt_stream_connect(virsh_t)
--
--kernel_read_crypto_sysctls(virsh_t)
++
+kernel_write_proc_files(virsh_t)
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +855,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +856,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -92402,7 +92362,7 @@ index 1f22fba..4ed8171 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +875,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +876,22 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -92434,7 +92394,7 @@ index 1f22fba..4ed8171 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
fs_manage_nfs_files(virsh_t)
-@@ -847,14 +908,20 @@ optional_policy(`
+@@ -847,14 +909,20 @@ optional_policy(`
')
optional_policy(`
@@ -92456,7 +92416,7 @@ index 1f22fba..4ed8171 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,34 +946,45 @@ optional_policy(`
+@@ -879,49 +947,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -92486,7 +92446,7 @@ index 1f22fba..4ed8171 100644
+allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
+allow virtd_lxc_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow virtd_lxc_t self:packet_socket create_socket_perms;
-+ps_process_pattern(virtd_lxc_t, svirt_lxc_domain)
++ps_process_pattern(virtd_lxc_t, svirt_sandbox_domain)
+allow virtd_t virtd_lxc_t:unix_stream_socket create_stream_socket_perms;
-allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
@@ -92503,19 +92463,30 @@ index 1f22fba..4ed8171 100644
-manage_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-files_pid_filetrans(virtd_lxc_t, virtd_lxc_var_run_t, { file dir })
+-
+-manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
+-allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
+manage_dirs_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir })
+filetrans_pattern(virtd_lxc_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
-
- manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
- manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +994,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
- manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
- allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
- allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
-+files_associate_rootfs(svirt_lxc_file_t)
++
++manage_dirs_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_chr_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_lnk_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_sock_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_fifo_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++allow virtd_lxc_t svirt_sandbox_file_t:dir_file_class_set { relabelto relabelfrom };
++allow virtd_lxc_t svirt_sandbox_file_t:filesystem { relabelto relabelfrom };
++files_associate_rootfs(svirt_sandbox_file_t)
+
+seutil_read_file_contexts(virtd_lxc_t)
@@ -92529,7 +92500,7 @@ index 1f22fba..4ed8171 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +1016,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,17 +1017,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -92540,15 +92511,16 @@ index 1f22fba..4ed8171 100644
files_relabel_rootfs(virtd_lxc_t)
files_mounton_non_security(virtd_lxc_t)
files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +1025,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+ files_unmount_all_file_type_fs(virtd_lxc_t)
files_list_isid_type_dirs(virtd_lxc_t)
- files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
+-files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
++files_root_filetrans(virtd_lxc_t, svirt_sandbox_file_t, dir_file_class_set)
+fs_read_fusefs_files(virtd_lxc_t)
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,8 +1037,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,8 +1038,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -92572,7 +92544,7 @@ index 1f22fba..4ed8171 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -965,29 +1062,33 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1063,247 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -92610,135 +92582,202 @@ index 1f22fba..4ed8171 100644
########################################
#
-# Common virt lxc domain local policy
-+# virt_lxc_domain local policy
- #
--
++# svirt_sandbox_domain local policy
+ #
++allow svirt_sandbox_domain self:key manage_key_perms;
++allow svirt_sandbox_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
++allow svirt_sandbox_domain self:fifo_file manage_file_perms;
++allow svirt_sandbox_domain self:sem create_sem_perms;
++allow svirt_sandbox_domain self:shm create_shm_perms;
++allow svirt_sandbox_domain self:msgq create_msgq_perms;
++allow svirt_sandbox_domain self:unix_stream_socket { create_stream_socket_perms connectto };
++allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
++
++
++allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
++allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
++allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
++
++allow svirt_sandbox_domain virtd_lxc_t:process sigchld;
++allow svirt_sandbox_domain virtd_lxc_t:fd use;
++allow svirt_sandbox_domain virt_lxc_var_run_t:dir list_dir_perms;
++allow svirt_sandbox_domain virt_lxc_var_run_t:file read_file_perms;
++allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
++
++manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++rw_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++can_exec(svirt_sandbox_domain, svirt_sandbox_file_t)
++allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton;
++allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr;
++
++kernel_getattr_proc(svirt_sandbox_domain)
++kernel_list_all_proc(svirt_sandbox_domain)
++kernel_read_all_sysctls(svirt_sandbox_domain)
++kernel_rw_net_sysctls(svirt_sandbox_domain)
++kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
++
++corecmd_exec_all_executables(svirt_sandbox_domain)
++
++files_dontaudit_getattr_all_dirs(svirt_sandbox_domain)
++files_dontaudit_getattr_all_files(svirt_sandbox_domain)
++files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
++files_dontaudit_getattr_all_pipes(svirt_sandbox_domain)
++files_dontaudit_getattr_all_sockets(svirt_sandbox_domain)
++files_dontaudit_list_all_mountpoints(svirt_sandbox_domain)
++files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain)
++files_entrypoint_all_files(svirt_sandbox_domain)
++files_list_var(svirt_sandbox_domain)
++files_list_var_lib(svirt_sandbox_domain)
++files_search_all(svirt_sandbox_domain)
++files_read_config_files(svirt_sandbox_domain)
++files_read_usr_symlinks(svirt_sandbox_domain)
++files_search_locks(svirt_sandbox_domain)
++
++fs_getattr_all_fs(svirt_sandbox_domain)
++fs_list_inotifyfs(svirt_sandbox_domain)
++fs_rw_inherited_tmpfs_files(svirt_sandbox_domain)
++fs_read_fusefs_files(svirt_sandbox_domain)
++
++auth_dontaudit_read_passwd(svirt_sandbox_domain)
++auth_dontaudit_read_login_records(svirt_sandbox_domain)
++auth_dontaudit_write_login_records(svirt_sandbox_domain)
++auth_search_pam_console_data(svirt_sandbox_domain)
++
++clock_read_adjtime(svirt_sandbox_domain)
++
++init_read_utmp(svirt_sandbox_domain)
++init_dontaudit_write_utmp(svirt_sandbox_domain)
++
++libs_dontaudit_setattr_lib_files(svirt_sandbox_domain)
++
++miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain)
++miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain)
++miscfiles_read_fonts(svirt_sandbox_domain)
++miscfiles_read_hwdata(svirt_sandbox_domain)
++
++systemd_read_unit_files(svirt_sandbox_domain)
++
++userdom_use_inherited_user_terminals(svirt_sandbox_domain)
++userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
++userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
++
++optional_policy(`
++ apache_exec_modules(svirt_sandbox_domain)
++ apache_read_sys_content(svirt_sandbox_domain)
++')
+
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
-+allow svirt_lxc_domain self:key manage_key_perms;
-+allow svirt_lxc_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
- allow svirt_lxc_domain self:fifo_file manage_file_perms;
- allow svirt_lxc_domain self:sem create_sem_perms;
- allow svirt_lxc_domain self:shm create_shm_perms;
-@@ -995,18 +1096,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
- allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
- allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
-
+-allow svirt_lxc_domain self:fifo_file manage_file_perms;
+-allow svirt_lxc_domain self:sem create_sem_perms;
+-allow svirt_lxc_domain self:shm create_shm_perms;
+-allow svirt_lxc_domain self:msgq create_msgq_perms;
+-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
+-
-allow svirt_lxc_domain virtd_lxc_t:fd use;
-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
-
-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
-
+-
-allow svirt_lxc_domain virsh_t:fd use;
-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
-allow svirt_lxc_domain virsh_t:process sigchld;
-+allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto };
-+allow virtd_t svirt_lxc_domain:process { signal_perms getattr };
-+allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched setrlimit transition signal_perms };
-
+-
-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
-+allow svirt_lxc_domain virtd_lxc_t:process sigchld;
-+allow svirt_lxc_domain virtd_lxc_t:fd use;
-+allow svirt_lxc_domain virt_lxc_var_run_t:dir list_dir_perms;
-+allow svirt_lxc_domain virt_lxc_var_run_t:file read_file_perms;
-+allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
-
- manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
- manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1114,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
- manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
- rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
- rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--
-+can_exec(svirt_lxc_domain, svirt_lxc_file_t)
- allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
- allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
-
+-
+-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-
+-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
+-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
+-
-can_exec(svirt_lxc_domain, svirt_lxc_file_t)
-
- kernel_getattr_proc(svirt_lxc_domain)
- kernel_list_all_proc(svirt_lxc_domain)
+-kernel_getattr_proc(svirt_lxc_domain)
+-kernel_list_all_proc(svirt_lxc_domain)
-kernel_read_kernel_sysctls(svirt_lxc_domain)
-+kernel_read_all_sysctls(svirt_lxc_domain)
- kernel_rw_net_sysctls(svirt_lxc_domain)
+-kernel_rw_net_sysctls(svirt_lxc_domain)
-kernel_read_system_state(svirt_lxc_domain)
- kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
-
- corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1133,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
- files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
- files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
- files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
+-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
+-
+-corecmd_exec_all_executables(svirt_lxc_domain)
+-
+-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
+-files_dontaudit_getattr_all_files(svirt_lxc_domain)
+-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
+-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
+-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
+-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
-# files_entrypoint_all_files(svirt_lxc_domain)
-+files_entrypoint_all_files(svirt_lxc_domain)
- files_list_var(svirt_lxc_domain)
- files_list_var_lib(svirt_lxc_domain)
- files_search_all(svirt_lxc_domain)
- files_read_config_files(svirt_lxc_domain)
+-files_list_var(svirt_lxc_domain)
+-files_list_var_lib(svirt_lxc_domain)
+-files_search_all(svirt_lxc_domain)
+-files_read_config_files(svirt_lxc_domain)
-files_read_usr_files(svirt_lxc_domain)
- files_read_usr_symlinks(svirt_lxc_domain)
-+files_search_locks(svirt_lxc_domain)
-
- fs_getattr_all_fs(svirt_lxc_domain)
- fs_list_inotifyfs(svirt_lxc_domain)
-+fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
-+fs_read_fusefs_files(svirt_lxc_net_t)
-
+-files_read_usr_symlinks(svirt_lxc_domain)
+-
+-fs_getattr_all_fs(svirt_lxc_domain)
+-fs_list_inotifyfs(svirt_lxc_domain)
+-
-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
-# fs_rw_inherited_cifs_files(svirt_lxc_domain)
-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
-
-+auth_dontaudit_read_passwd(svirt_lxc_domain)
- auth_dontaudit_read_login_records(svirt_lxc_domain)
- auth_dontaudit_write_login_records(svirt_lxc_domain)
- auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1158,94 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
-
- libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
-
+-auth_dontaudit_read_login_records(svirt_lxc_domain)
+-auth_dontaudit_write_login_records(svirt_lxc_domain)
+-auth_search_pam_console_data(svirt_lxc_domain)
+-
+-clock_read_adjtime(svirt_lxc_domain)
+-
+-init_read_utmp(svirt_lxc_domain)
+-init_dontaudit_write_utmp(svirt_lxc_domain)
+-
+-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
+-
-miscfiles_read_localization(svirt_lxc_domain)
-+miscfiles_dontaudit_access_check_cert(svirt_lxc_domain)
- miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
- miscfiles_read_fonts(svirt_lxc_domain)
-+miscfiles_read_hwdata(svirt_lxc_domain)
-+
-+systemd_read_unit_files(svirt_lxc_domain)
-+
-+userdom_use_inherited_user_terminals(svirt_lxc_domain)
-+userdom_dontaudit_append_inherited_admin_home_file(svirt_lxc_domain)
-+userdom_dontaudit_read_inherited_admin_home_files(svirt_lxc_domain)
-+
+-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
+-miscfiles_read_fonts(svirt_lxc_domain)
+-
+-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
-+ apache_exec_modules(svirt_lxc_domain)
-+ apache_read_sys_content(svirt_lxc_domain)
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+')
+
+optional_policy(`
-+ mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
-+')
-
--mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
-+optional_policy(`
-+ ssh_use_ptys(svirt_lxc_net_t)
++ ssh_use_ptys(svirt_sandbox_domain)
+')
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
+- udev_read_pid_files(svirt_lxc_domain)
++ udev_read_pid_files(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
-+ userhelper_dontaudit_write_config(svirt_lxc_domain)
++ userhelper_dontaudit_write_config(svirt_sandbox_domain)
')
--########################################
--#
+ ########################################
+ #
-# Lxc net local policy
--#
-+virt_lxc_domain_template(svirt_lxc_net)
++# svirt_lxc_net_t local policy
+ #
++virt_sandbox_domain_template(svirt_lxc_net)
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
+allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
@@ -92794,13 +92833,13 @@ index 1f22fba..4ed8171 100644
-
files_read_kernel_modules(svirt_lxc_net_t)
-+fs_noxattr_type(svirt_lxc_file_t)
++fs_noxattr_type(svirt_sandbox_file_t)
fs_mount_cgroup(svirt_lxc_net_t)
fs_manage_cgroup_dirs(svirt_lxc_net_t)
-fs_rw_cgroup_files(svirt_lxc_net_t)
+fs_manage_cgroup_files(svirt_lxc_net_t)
+
-+term_pty(svirt_lxc_file_t)
++term_pty(svirt_sandbox_file_t)
auth_use_nsswitch(svirt_lxc_net_t)
@@ -92813,14 +92852,62 @@ index 1f22fba..4ed8171 100644
-optional_policy(`
- rpm_read_db(svirt_lxc_net_t)
-')
--
+
-#######################################
--#
++########################################
+ #
-# Prot exec local policy
--#
--
++# svirt_lxc_net_t local policy
+ #
++virt_sandbox_domain_template(svirt_qemu_net)
++
++allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
++dontaudit svirt_qemu_net_t self:capability2 block_suspend;
++allow svirt_qemu_net_t self:process { execstack execmem };
++allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
++allow svirt_qemu_net_t self:udp_socket create_socket_perms;
++allow svirt_qemu_net_t self:tcp_socket create_stream_socket_perms;
++allow svirt_qemu_net_t self:netlink_route_socket create_netlink_socket_perms;
++allow svirt_qemu_net_t self:packet_socket create_socket_perms;
++allow svirt_qemu_net_t self:socket create_socket_perms;
++allow svirt_qemu_net_t self:rawip_socket create_socket_perms;
++allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
++allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
+
-allow svirt_prot_exec_t self:process { execmem execstack };
--
++kernel_read_network_state(svirt_qemu_net_t)
++kernel_read_irq_sysctls(svirt_qemu_net_t)
++
++dev_read_sysfs(svirt_qemu_net_t)
++dev_getattr_mtrr_dev(svirt_qemu_net_t)
++dev_read_rand(svirt_qemu_net_t)
++dev_read_urand(svirt_qemu_net_t)
++
++corenet_tcp_bind_generic_node(svirt_qemu_net_t)
++corenet_udp_bind_generic_node(svirt_qemu_net_t)
++corenet_tcp_sendrecv_all_ports(svirt_qemu_net_t)
++corenet_udp_sendrecv_all_ports(svirt_qemu_net_t)
++corenet_udp_bind_all_ports(svirt_qemu_net_t)
++corenet_tcp_bind_all_ports(svirt_qemu_net_t)
++corenet_tcp_connect_all_ports(svirt_qemu_net_t)
++
++files_read_kernel_modules(svirt_qemu_net_t)
++
++fs_noxattr_type(svirt_sandbox_file_t)
++fs_mount_cgroup(svirt_qemu_net_t)
++fs_manage_cgroup_dirs(svirt_qemu_net_t)
++fs_manage_cgroup_files(svirt_qemu_net_t)
++
++term_pty(svirt_sandbox_file_t)
++
++auth_use_nsswitch(svirt_qemu_net_t)
++
++rpm_read_db(svirt_qemu_net_t)
++
++logging_send_audit_msgs(svirt_qemu_net_t)
++
++userdom_use_user_ptys(svirt_qemu_net_t)
+
########################################
#
-# Qmf local policy
@@ -92835,7 +92922,7 @@ index 1f22fba..4ed8171 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1258,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1316,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -92850,7 +92937,7 @@ index 1f22fba..4ed8171 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1276,8 @@ optional_policy(`
+@@ -1183,9 +1334,8 @@ optional_policy(`
########################################
#
@@ -92861,7 +92948,7 @@ index 1f22fba..4ed8171 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1290,120 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1348,120 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index db685ad..9dbb61c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -539,7 +539,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
-* Wed Aug 28 2013 Lukas Vrabec 3.12.1-74
+* Thu Aug 29 2013 Lukas Vrabec 3.12.1-74
+- Rename svirt_lxc_file_t to svirt_sandbox_file_t
+- Allow virt_domain with USB devices to look at dos file systems
+- Dontaudit thumb_t trying to look in /proc
+- Change svirt_lxc_domain to svirt_sandbox_domain, and add svirt_qemu_net_t type
+- Rename interface virt_transition_svirt_lxc to virt_transition_svirt_sanbox
+- Allow ipsec_t to domtrans to iptables_t
+- dontaudit users running nautilus on /proc
+- Dontaudit hostname inheriting any terminal
- Label polgengui as a bin_t
- Allow semanage to create /.autorelabel file
- Label systemd unit files under dracut correctly