diff --git a/container-selinux.tgz b/container-selinux.tgz
index 9ddea9c..81f0bba 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-f26-base.patch b/policy-f26-base.patch
index dd78d08..efb6180 100644
--- a/policy-f26-base.patch
+++ b/policy-f26-base.patch
@@ -3098,7 +3098,7 @@ index 99e3903ea..fa68362ea 100644
##
##
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1d732f1e7..121ace88e 100644
+index 1d732f1e7..d698fdd02 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t;
@@ -3418,7 +3418,7 @@ index 1d732f1e7..121ace88e 100644
userdom_use_unpriv_users_fds(sysadm_passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
-@@ -446,8 +492,9 @@ optional_policy(`
+@@ -446,8 +492,10 @@ optional_policy(`
# Useradd local policy
#
@@ -3427,10 +3427,11 @@ index 1d732f1e7..121ace88e 100644
+allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };
+
+dontaudit useradd_t self:capability { net_admin sys_tty_config };
++dontaudit useradd_t self:cap_userns { sys_ptrace };
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
allow useradd_t self:fd use;
-@@ -461,6 +508,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -461,6 +509,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
@@ -3441,7 +3442,7 @@ index 1d732f1e7..121ace88e 100644
# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)
-@@ -468,29 +519,28 @@ corecmd_exec_shell(useradd_t)
+@@ -468,29 +520,28 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -3481,7 +3482,7 @@ index 1d732f1e7..121ace88e 100644
auth_run_chk_passwd(useradd_t, useradd_roles)
auth_rw_lastlog(useradd_t)
-@@ -498,6 +548,7 @@ auth_rw_faillog(useradd_t)
+@@ -498,6 +549,7 @@ auth_rw_faillog(useradd_t)
auth_use_nsswitch(useradd_t)
# these may be unnecessary due to the above
# domtrans_chk_passwd() call.
@@ -3489,7 +3490,7 @@ index 1d732f1e7..121ace88e 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
-@@ -508,35 +559,38 @@ init_rw_utmp(useradd_t)
+@@ -508,35 +560,38 @@ init_rw_utmp(useradd_t)
logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t)
@@ -3539,7 +3540,7 @@ index 1d732f1e7..121ace88e 100644
')
optional_policy(`
-@@ -545,14 +599,27 @@ optional_policy(`
+@@ -545,14 +600,27 @@ optional_policy(`
')
optional_policy(`
@@ -3567,7 +3568,7 @@ index 1d732f1e7..121ace88e 100644
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)
')
-@@ -562,3 +629,12 @@ optional_policy(`
+@@ -562,3 +630,12 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
@@ -38059,7 +38060,7 @@ index 0d4c8d35e..537aa4274 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 312cd0417..102b975de 100644
+index 312cd0417..56961b493 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -38121,7 +38122,15 @@ index 312cd0417..102b975de 100644
manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
-@@ -110,10 +127,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
+@@ -101,6 +118,7 @@ manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
+ files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file })
+
+ can_exec(ipsec_t, ipsec_mgmt_exec_t)
++can_exec(ipsec_t, ipsec_exec_t)
+
+ # pluto runs an updown script (by calling popen()!) as this is by default
+ # a shell script, we need to find a way to make things work without
+@@ -110,10 +128,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
allow ipsec_mgmt_t ipsec_t:fd use;
allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
@@ -38134,7 +38143,7 @@ index 312cd0417..102b975de 100644
kernel_list_proc(ipsec_t)
kernel_read_proc_symlinks(ipsec_t)
# allow pluto to access /proc/net/ipsec_eroute;
-@@ -128,20 +145,24 @@ corecmd_exec_shell(ipsec_t)
+@@ -128,20 +146,24 @@ corecmd_exec_shell(ipsec_t)
corecmd_exec_bin(ipsec_t)
# Pluto needs network access
@@ -38166,7 +38175,7 @@ index 312cd0417..102b975de 100644
dev_read_sysfs(ipsec_t)
dev_read_rand(ipsec_t)
-@@ -157,22 +178,32 @@ files_dontaudit_search_home(ipsec_t)
+@@ -157,22 +179,32 @@ files_dontaudit_search_home(ipsec_t)
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
@@ -38201,7 +38210,7 @@ index 312cd0417..102b975de 100644
optional_policy(`
seutil_sigchld_newrole(ipsec_t)
-@@ -182,19 +213,30 @@ optional_policy(`
+@@ -182,19 +214,30 @@ optional_policy(`
udev_read_db(ipsec_t)
')
@@ -38236,7 +38245,7 @@ index 312cd0417..102b975de 100644
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
-@@ -208,12 +250,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+@@ -208,12 +251,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@@ -38252,7 +38261,7 @@ index 312cd0417..102b975de 100644
# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
-@@ -246,6 +290,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +291,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@@ -38269,7 +38278,7 @@ index 312cd0417..102b975de 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -255,6 +309,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +310,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t)
@@ -38278,7 +38287,7 @@ index 312cd0417..102b975de 100644
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
-@@ -269,6 +325,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+@@ -269,6 +326,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
files_read_etc_files(ipsec_mgmt_t)
files_exec_etc_files(ipsec_mgmt_t)
files_read_etc_runtime_files(ipsec_mgmt_t)
@@ -38286,7 +38295,7 @@ index 312cd0417..102b975de 100644
files_read_usr_files(ipsec_mgmt_t)
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
-@@ -278,9 +335,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +336,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@@ -38298,7 +38307,7 @@ index 312cd0417..102b975de 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
-@@ -288,17 +346,28 @@ init_exec_script_files(ipsec_mgmt_t)
+@@ -288,17 +347,28 @@ init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
@@ -38332,7 +38341,7 @@ index 312cd0417..102b975de 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +391,10 @@ optional_policy(`
+@@ -322,6 +392,10 @@ optional_policy(`
')
optional_policy(`
@@ -38343,7 +38352,7 @@ index 312cd0417..102b975de 100644
modutils_domtrans_insmod(ipsec_mgmt_t)
')
-@@ -335,7 +408,7 @@ optional_policy(`
+@@ -335,7 +409,7 @@ optional_policy(`
#
allow racoon_t self:capability { net_admin net_bind_service };
@@ -38352,7 +38361,7 @@ index 312cd0417..102b975de 100644
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +443,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +444,12 @@ kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
@@ -38372,7 +38381,7 @@ index 312cd0417..102b975de 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -401,10 +473,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +474,10 @@ locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t)
@@ -38385,7 +38394,7 @@ index 312cd0417..102b975de 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +510,8 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +511,8 @@ corenet_setcontext_all_spds(setkey_t)
locallogin_use_fds(setkey_t)
@@ -48192,10 +48201,10 @@ index 000000000..d1356af89
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 000000000..35fc2b865
+index 000000000..e7c2cc70b
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,1020 @@
+@@ -0,0 +1,1021 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -48486,6 +48495,7 @@ index 000000000..35fc2b865
+optional_policy(`
+ dbus_connect_system_bus(systemd_logind_t)
+ dbus_system_bus_client(systemd_logind_t)
++ dbus_manage_session_tmp_dirs(systemd_logind_t)
+')
+
+optional_policy(`
diff --git a/policy-f26-contrib.patch b/policy-f26-contrib.patch
index 356e8c3..d2f7f58 100644
--- a/policy-f26-contrib.patch
+++ b/policy-f26-contrib.patch
@@ -22515,7 +22515,7 @@ index dda905b9c..558729530 100644
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
-index 62d22cb46..77afd180d 100644
+index 62d22cb46..c0c2ed47d 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
@@ -22664,9 +22664,9 @@ index 62d22cb46..77afd180d 100644
- files_search_var_lib($1)
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ files_search_var_lib($1)
-
-+ dev_read_urand($1)
+
++ dev_read_urand($1)
+
+ # For connecting to the bus
files_search_pids($1)
stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
@@ -23376,7 +23376,7 @@ index 62d22cb46..77afd180d 100644
##
##
##
-@@ -597,28 +661,50 @@ interface(`dbus_use_system_bus_fds',`
+@@ -597,28 +661,68 @@ interface(`dbus_use_system_bus_fds',`
##
##
#
@@ -23434,6 +23434,24 @@ index 62d22cb46..77afd180d 100644
- typeattribute $1 dbusd_unconfined;
+ allow $1 system_dbusd_t:dbus acquire_svc;
+
++')
++
++########################################
++##
++## Manage session_dbusd tmp dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dbus_manage_session_tmp_dirs',`
++ gen_require(`
++ type session_dbusd_tmp_t;
++ ')
++
++ manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
')
diff --git a/dbus.te b/dbus.te
index c9998c80d..d8ef03416 100644
@@ -24039,7 +24057,7 @@ index 5606b4069..cd18cf2a7 100644
domain_system_change_exemption($1)
role_transition $2 ddclient_initrc_exec_t system_r;
diff --git a/ddclient.te b/ddclient.te
-index a4caa1b5b..42f30662d 100644
+index a4caa1b5b..f244f9a63 100644
--- a/ddclient.te
+++ b/ddclient.te
@@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t)
@@ -24084,7 +24102,7 @@ index a4caa1b5b..42f30662d 100644
fs_getattr_all_fs(ddclient_t)
fs_search_auto_mountpoints(ddclient_t)
-+auth_read_passwd(ddclient_t)
++auth_use_nsswitch(ddclient_t)
+
logging_send_syslog_msg(ddclient_t)
@@ -93305,7 +93323,7 @@ index ebe91fc70..6ba4338cb 100644
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
diff --git a/rpm.if b/rpm.if
-index ef3b22507..b15d901a4 100644
+index ef3b22507..a33cae9d6 100644
--- a/rpm.if
+++ b/rpm.if
@@ -1,8 +1,8 @@
@@ -93406,16 +93424,34 @@ index ef3b22507..b15d901a4 100644
##
##
##
-@@ -109,7 +116,7 @@ interface(`rpm_exec',`
+@@ -109,7 +116,25 @@ interface(`rpm_exec',`
########################################
##
-## Send null signals to rpm.
++## Do not audit to execute a rpm.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`rpm_dontaudit_exec',`
++ gen_require(`
++ type rpm_exec_t;
++ ')
++
++ dontaudit $1 rpm_exec_t:file exec_file_perms;
++')
++
++########################################
++##
+## Send a null signal to rpm.
##
##
##
-@@ -127,7 +134,7 @@ interface(`rpm_signull',`
+@@ -127,7 +152,7 @@ interface(`rpm_signull',`
########################################
##
@@ -93424,7 +93460,7 @@ index ef3b22507..b15d901a4 100644
##
##
##
-@@ -145,7 +152,7 @@ interface(`rpm_use_fds',`
+@@ -145,7 +170,7 @@ interface(`rpm_use_fds',`
########################################
##
@@ -93433,7 +93469,7 @@ index ef3b22507..b15d901a4 100644
##
##
##
-@@ -163,7 +170,7 @@ interface(`rpm_read_pipes',`
+@@ -163,7 +188,7 @@ interface(`rpm_read_pipes',`
########################################
##
@@ -93442,7 +93478,7 @@ index ef3b22507..b15d901a4 100644
##
##
##
-@@ -181,6 +188,60 @@ interface(`rpm_rw_pipes',`
+@@ -181,6 +206,60 @@ interface(`rpm_rw_pipes',`
########################################
##
@@ -93503,7 +93539,7 @@ index ef3b22507..b15d901a4 100644
## Send and receive messages from
## rpm over dbus.
##
-@@ -224,7 +285,7 @@ interface(`rpm_dontaudit_dbus_chat',`
+@@ -224,7 +303,7 @@ interface(`rpm_dontaudit_dbus_chat',`
########################################
##
## Send and receive messages from
@@ -93512,7 +93548,7 @@ index ef3b22507..b15d901a4 100644
##
##
##
-@@ -244,7 +305,7 @@ interface(`rpm_script_dbus_chat',`
+@@ -244,7 +323,7 @@ interface(`rpm_script_dbus_chat',`
########################################
##
@@ -93521,7 +93557,7 @@ index ef3b22507..b15d901a4 100644
##
##
##
-@@ -263,7 +324,8 @@ interface(`rpm_search_log',`
+@@ -263,7 +342,8 @@ interface(`rpm_search_log',`
#####################################
##
@@ -93531,19 +93567,17 @@ index ef3b22507..b15d901a4 100644
##
##
##
-@@ -276,14 +338,30 @@ interface(`rpm_append_log',`
+@@ -276,14 +356,30 @@ interface(`rpm_append_log',`
type rpm_log_t;
')
- logging_search_logs($1)
- append_files_pattern($1, rpm_log_t, rpm_log_t)
+ allow $1 rpm_log_t:file append_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete
--## rpm log files.
++')
++
++########################################
++##
+## Create, read, write, and delete the RPM log.
+##
+##
@@ -93558,15 +93592,17 @@ index ef3b22507..b15d901a4 100644
+ ')
+
+ read_files_pattern($1, rpm_log_t, rpm_log_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## rpm log files.
+## Create, read, write, and delete the RPM log.
##
##
##
-@@ -302,7 +380,32 @@ interface(`rpm_manage_log',`
+@@ -302,7 +398,32 @@ interface(`rpm_manage_log',`
########################################
##
@@ -93600,7 +93636,7 @@ index ef3b22507..b15d901a4 100644
##
##
##
-@@ -320,8 +423,8 @@ interface(`rpm_use_script_fds',`
+@@ -320,8 +441,8 @@ interface(`rpm_use_script_fds',`
########################################
##
@@ -93611,7 +93647,7 @@ index ef3b22507..b15d901a4 100644
##
##
##
-@@ -335,12 +438,15 @@ interface(`rpm_manage_script_tmp_files',`
+@@ -335,12 +456,15 @@ interface(`rpm_manage_script_tmp_files',`
')
files_search_tmp($1)
@@ -93628,7 +93664,7 @@ index ef3b22507..b15d901a4 100644
##
##
##
-@@ -353,14 +459,13 @@ interface(`rpm_append_tmp_files',`
+@@ -353,14 +477,13 @@ interface(`rpm_append_tmp_files',`
type rpm_tmp_t;
')
@@ -93646,7 +93682,7 @@ index ef3b22507..b15d901a4 100644
##
##
##
-@@ -374,12 +479,34 @@ interface(`rpm_manage_tmp_files',`
+@@ -374,12 +497,34 @@ interface(`rpm_manage_tmp_files',`
')
files_search_tmp($1)
@@ -93682,7 +93718,7 @@ index ef3b22507..b15d901a4 100644
##
##
##
-@@ -399,7 +526,7 @@ interface(`rpm_read_script_tmp_files',`
+@@ -399,7 +544,7 @@ interface(`rpm_read_script_tmp_files',`
########################################
##
@@ -93691,7 +93727,7 @@ index ef3b22507..b15d901a4 100644
##
##
##
-@@ -420,8 +547,7 @@ interface(`rpm_read_cache',`
+@@ -420,8 +565,7 @@ interface(`rpm_read_cache',`
########################################
##
@@ -93701,7 +93737,7 @@ index ef3b22507..b15d901a4 100644
##
##
##
-@@ -442,7 +568,7 @@ interface(`rpm_manage_cache',`
+@@ -442,7 +586,7 @@ interface(`rpm_manage_cache',`
########################################
##
@@ -93710,7 +93746,7 @@ index ef3b22507..b15d901a4 100644
##
##
##
-@@ -459,11 +585,12 @@ interface(`rpm_read_db',`
+@@ -459,11 +603,12 @@ interface(`rpm_read_db',`
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -93724,7 +93760,7 @@ index ef3b22507..b15d901a4 100644
##
##
##
-@@ -482,8 +609,7 @@ interface(`rpm_delete_db',`
+@@ -482,8 +627,7 @@ interface(`rpm_delete_db',`
########################################
##
@@ -93734,7 +93770,7 @@ index ef3b22507..b15d901a4 100644
##
##
##
-@@ -503,8 +629,28 @@ interface(`rpm_manage_db',`
+@@ -503,8 +647,28 @@ interface(`rpm_manage_db',`
########################################
##
@@ -93764,7 +93800,7 @@ index ef3b22507..b15d901a4 100644
##
##
##
-@@ -517,7 +663,7 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -517,7 +681,7 @@ interface(`rpm_dontaudit_manage_db',`
type rpm_var_lib_t;
')
@@ -93773,7 +93809,7 @@ index ef3b22507..b15d901a4 100644
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
-@@ -543,8 +689,7 @@ interface(`rpm_read_pid_files',`
+@@ -543,8 +707,7 @@ interface(`rpm_read_pid_files',`
#####################################
##
@@ -93783,7 +93819,7 @@ index ef3b22507..b15d901a4 100644
##
##
##
-@@ -563,8 +708,7 @@ interface(`rpm_manage_pid_files',`
+@@ -563,8 +726,7 @@ interface(`rpm_manage_pid_files',`
######################################
##
@@ -93793,7 +93829,7 @@ index ef3b22507..b15d901a4 100644
##
##
##
-@@ -573,43 +717,54 @@ interface(`rpm_manage_pid_files',`
+@@ -573,43 +735,54 @@ interface(`rpm_manage_pid_files',`
##
#
interface(`rpm_pid_filetrans',`
@@ -93865,7 +93901,7 @@ index ef3b22507..b15d901a4 100644
##
##
##
-@@ -617,22 +772,57 @@ interface(`rpm_pid_filetrans_rpm_pid',`
+@@ -617,22 +790,57 @@ interface(`rpm_pid_filetrans_rpm_pid',`
##
##
##
@@ -93934,7 +93970,7 @@ index ef3b22507..b15d901a4 100644
init_labeled_script_domtrans($1, rpm_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -641,9 +831,6 @@ interface(`rpm_admin',`
+@@ -641,9 +849,6 @@ interface(`rpm_admin',`
admin_pattern($1, rpm_file_t)
@@ -108361,10 +108397,10 @@ index 000000000..a6e216c73
+
diff --git a/targetd.te b/targetd.te
new file mode 100644
-index 000000000..681ec9f67
+index 000000000..acdccbb18
--- /dev/null
+++ b/targetd.te
-@@ -0,0 +1,101 @@
+@@ -0,0 +1,109 @@
+policy_module(targetd, 1.0.0)
+
+########################################
@@ -108382,6 +108418,9 @@ index 000000000..681ec9f67
+type targetd_unit_file_t;
+systemd_unit_file(targetd_unit_file_t)
+
++type targetd_tmp_t;
++files_tmp_file(targetd_tmp_t)
++
+########################################
+#
+# targetd local policy
@@ -108399,6 +108438,10 @@ index 000000000..681ec9f67
+manage_files_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t)
+files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file })
+
++manage_dirs_pattern(targetd_t, targetd_tmp_t, targetd_tmp_t)
++manage_files_pattern(targetd_t, targetd_tmp_t, targetd_tmp_t)
++files_tmp_filetrans(targetd_t, targetd_tmp_t, { file dir })
++
+files_rw_isid_type_dirs(targetd_t)
+
+fs_getattr_xattr_fs(targetd_t)
@@ -108460,6 +108503,7 @@ index 000000000..681ec9f67
+
+optional_policy(`
+ rpm_dontaudit_read_db(targetd_t)
++ rpm_dontaudit_exec(targetd_t)
+')
+
+optional_policy(`
@@ -110582,10 +110626,10 @@ index 000000000..9524b50aa
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 000000000..d366c8b37
+index 000000000..2b15dca23
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,168 @@
+@@ -0,0 +1,172 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -110754,6 +110798,10 @@ index 000000000..d366c8b37
+ corenet_dontaudit_udp_bind_all_ports(thumb_t)
+ corenet_dontaudit_udp_bind_generic_node(thumb_t)
+')
++
++optional_policy(`
++ storage_getattr_fixed_disk_dev(thumb_t)
++')
diff --git a/thunderbird.te b/thunderbird.te
index 5e867da56..b25ea6e08 100644
--- a/thunderbird.te
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a6aa4f4..e85178d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 260.7%{?dist}
+Release: 260.8%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -681,6 +681,15 @@ exit 0
%endif
%changelog
+* Thu Aug 31 2017 Lukas Vrabec - 3.13.1-260.8
+- Allow ddclient use nsswitch BZ(1456241)
+- Allow thumb_t domain getattr fixed_disk device. BZ(1379137)
+- Add interface dbus_manage_session_tmp_dirs()
+- Allow targetd_t to create own tmp files. Dontaudit targetd_t to exec rpm binary file.
+- Dontaudit useradd_t sys_ptrace BZ(1480121)
+- Allow ipsec_t can exec ipsec_exec_t
+- Allow systemd_logind_t to mamange session_dbusd_tmp_t dirs
+
* Mon Aug 28 2017 Lukas Vrabec - 3.13.1-260.7
- Allow cupsd_t to execute ld_so_cache
- Add few rules to make working targetd daemon with SELinux