diff --git a/container-selinux.tgz b/container-selinux.tgz
index b2f25d3..ebb3ecc 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-f25-base.patch b/policy-f25-base.patch
index 5b5070b..cfee1da 100644
--- a/policy-f25-base.patch
+++ b/policy-f25-base.patch
@@ -11237,7 +11237,7 @@ index b876c48..03f9342 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..e06a46c 100644
+index f962f76..12c026e 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -13188,20 +13188,15 @@ index f962f76..e06a46c 100644
')
########################################
-@@ -4012,6 +4908,12 @@ interface(`files_read_kernel_modules',`
+@@ -4012,6 +4908,7 @@ interface(`files_read_kernel_modules',`
allow $1 modules_object_t:dir list_dir_perms;
read_files_pattern($1, modules_object_t, modules_object_t)
read_lnk_files_pattern($1, modules_object_t, modules_object_t)
+
-+ # FIXME:
-+ # needed for already labeled module deps by modules_dep_t
-+ optional_policy(`
-+ modutils_read_module_deps_files($1)
-+ ')
')
########################################
-@@ -4217,174 +5119,218 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,174 +5114,218 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
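Review bot: Dropping the `optional_policy(` … `modutils_read_module_deps_files($1)` … `')` block from `files_read_kernel_modules` (the removed lines after `read_lnk_files_pattern`) narrows what every caller of that interface may read, yet neither this hunk nor the new changelog entry in selinux-policy.spec records the removal. If the module-dependency access is now meant to come from another path (presumably the `files_load_kernel_modules(can_load_kernmodule)` call added to kernel.te in this same commit), a changelog line such as `- Drop modutils_read_module_deps_files() from files_read_kernel_modules()` would make the permission change auditable. Callers that relied on this interface only to reach the modules.dep files may start producing AVC denials, which is worth confirming with an audit run before release.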
@@ -13506,7 +13501,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -4392,53 +5338,56 @@ interface(`files_read_generic_tmp_files',`
+@@ -4392,53 +5333,56 @@ interface(`files_read_generic_tmp_files',`
##
##
#
@@ -13575,7 +13570,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -4446,35 +5395,37 @@ interface(`files_read_generic_tmp_symlinks',`
+@@ -4446,35 +5390,37 @@ interface(`files_read_generic_tmp_symlinks',`
##
##
#
@@ -13621,7 +13616,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -4482,59 +5433,55 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4482,59 +5428,55 @@ interface(`files_setattr_all_tmp_dirs',`
##
##
#
@@ -13702,7 +13697,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -4542,110 +5489,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+@@ -4542,110 +5484,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
##
##
#
@@ -13841,7 +13836,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -4653,22 +5588,17 @@ interface(`files_tmp_filetrans',`
+@@ -4653,22 +5583,17 @@ interface(`files_tmp_filetrans',`
##
##
#
@@ -13868,7 +13863,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -4676,17 +5606,17 @@ interface(`files_purge_tmp',`
+@@ -4676,17 +5601,17 @@ interface(`files_purge_tmp',`
##
##
#
@@ -13890,7 +13885,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -4694,18 +5624,17 @@ interface(`files_setattr_usr_dirs',`
+@@ -4694,18 +5619,17 @@ interface(`files_setattr_usr_dirs',`
##
##
#
@@ -13913,7 +13908,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -4713,35 +5642,35 @@ interface(`files_search_usr',`
+@@ -4713,35 +5637,35 @@ interface(`files_search_usr',`
##
##
#
@@ -13958,7 +13953,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -4749,36 +5678,35 @@ interface(`files_dontaudit_write_usr_dirs',`
+@@ -4749,36 +5673,35 @@ interface(`files_dontaudit_write_usr_dirs',`
##
##
#
@@ -14004,7 +13999,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -4786,17 +5714,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
+@@ -4786,17 +5709,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
##
##
#
@@ -14026,7 +14021,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -4804,73 +5732,59 @@ interface(`files_delete_usr_dirs',`
+@@ -4804,73 +5727,59 @@ interface(`files_delete_usr_dirs',`
##
##
#
@@ -14119,7 +14114,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -4878,55 +5792,58 @@ interface(`files_read_usr_files',`
+@@ -4878,55 +5787,58 @@ interface(`files_read_usr_files',`
##
##
#
@@ -14194,7 +14189,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -4934,67 +5851,70 @@ interface(`files_manage_usr_files',`
+@@ -4934,67 +5846,70 @@ interface(`files_manage_usr_files',`
##
##
#
@@ -14283,7 +14278,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5003,35 +5923,50 @@ interface(`files_read_usr_symlinks',`
+@@ -5003,35 +5918,50 @@ interface(`files_read_usr_symlinks',`
##
##
#
@@ -14343,7 +14338,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5039,20 +5974,17 @@ interface(`files_dontaudit_search_src',`
+@@ -5039,20 +5969,17 @@ interface(`files_dontaudit_search_src',`
##
##
#
@@ -14368,7 +14363,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5060,20 +5992,18 @@ interface(`files_getattr_usr_src_files',`
+@@ -5060,20 +5987,18 @@ interface(`files_getattr_usr_src_files',`
##
##
#
@@ -14393,7 +14388,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5081,38 +6011,35 @@ interface(`files_read_usr_src_files',`
+@@ -5081,38 +6006,35 @@ interface(`files_read_usr_src_files',`
##
##
#
@@ -14441,7 +14436,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5120,37 +6047,36 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5120,37 +6042,36 @@ interface(`files_create_kernel_symbol_table',`
##
##
#
@@ -14489,7 +14484,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5158,35 +6084,35 @@ interface(`files_delete_kernel_symbol_table',`
+@@ -5158,35 +6079,35 @@ interface(`files_delete_kernel_symbol_table',`
##
##
#
@@ -14534,7 +14529,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5194,36 +6120,55 @@ interface(`files_dontaudit_write_var_dirs',`
+@@ -5194,36 +6115,55 @@ interface(`files_dontaudit_write_var_dirs',`
##
##
#
@@ -14600,7 +14595,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5231,36 +6176,37 @@ interface(`files_dontaudit_search_var',`
+@@ -5231,36 +6171,37 @@ interface(`files_dontaudit_search_var',`
##
##
#
@@ -14648,7 +14643,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5268,17 +6214,17 @@ interface(`files_manage_var_dirs',`
+@@ -5268,17 +6209,17 @@ interface(`files_manage_var_dirs',`
##
##
#
@@ -14670,7 +14665,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5286,17 +6232,17 @@ interface(`files_read_var_files',`
+@@ -5286,17 +6227,17 @@ interface(`files_read_var_files',`
##
##
#
@@ -14692,7 +14687,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5304,73 +6250,86 @@ interface(`files_append_var_files',`
+@@ -5304,73 +6245,86 @@ interface(`files_append_var_files',`
##
##
#
@@ -14799,7 +14794,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5378,50 +6337,41 @@ interface(`files_read_var_symlinks',`
+@@ -5378,50 +6332,41 @@ interface(`files_read_var_symlinks',`
##
##
#
@@ -14864,7 +14859,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5429,69 +6379,56 @@ interface(`files_var_filetrans',`
+@@ -5429,69 +6374,56 @@ interface(`files_var_filetrans',`
##
##
#
@@ -14949,7 +14944,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5499,17 +6436,18 @@ interface(`files_dontaudit_search_var_lib',`
+@@ -5499,17 +6431,18 @@ interface(`files_dontaudit_search_var_lib',`
##
##
#
@@ -14973,7 +14968,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5517,70 +6455,54 @@ interface(`files_list_var_lib',`
+@@ -5517,70 +6450,54 @@ interface(`files_list_var_lib',`
##
##
#
@@ -15057,7 +15052,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5588,41 +6510,36 @@ interface(`files_read_var_lib_files',`
+@@ -5588,41 +6505,36 @@ interface(`files_read_var_lib_files',`
##
##
#
@@ -15109,7 +15104,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5630,36 +6547,36 @@ interface(`files_manage_urandom_seed',`
+@@ -5630,36 +6542,36 @@ interface(`files_manage_urandom_seed',`
##
##
#
@@ -15156,7 +15151,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5667,38 +6584,35 @@ interface(`files_setattr_lock_dirs',`
+@@ -5667,38 +6579,35 @@ interface(`files_setattr_lock_dirs',`
##
##
#
@@ -15204,7 +15199,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5706,19 +6620,17 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,19 +6615,17 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -15228,7 +15223,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5726,60 +6638,54 @@ interface(`files_list_locks',`
+@@ -5726,60 +6633,54 @@ interface(`files_list_locks',`
##
##
#
@@ -15304,7 +15299,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5787,20 +6693,18 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,20 +6688,18 @@ interface(`files_relabel_all_lock_dirs',`
##
##
#
@@ -15330,7 +15325,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5808,63 +6712,68 @@ interface(`files_getattr_generic_locks',`
+@@ -5808,63 +6707,68 @@ interface(`files_getattr_generic_locks',`
##
##
#
@@ -15422,7 +15417,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5872,101 +6781,87 @@ interface(`files_delete_all_locks',`
+@@ -5872,101 +6776,87 @@ interface(`files_delete_all_locks',`
##
##
#
@@ -15559,7 +15554,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5974,19 +6869,17 @@ interface(`files_dontaudit_getattr_pid_dirs',`
+@@ -5974,19 +6864,17 @@ interface(`files_dontaudit_getattr_pid_dirs',`
##
##
#
@@ -15583,7 +15578,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -5994,39 +6887,52 @@ interface(`files_setattr_pid_dirs',`
+@@ -5994,39 +6882,52 @@ interface(`files_setattr_pid_dirs',`
##
##
#
@@ -15649,7 +15644,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -6034,18 +6940,1302 @@ interface(`files_dontaudit_search_pids',`
+@@ -6034,18 +6935,1302 @@ interface(`files_dontaudit_search_pids',`
##
##
#
@@ -16956,7 +16951,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -6053,19 +8243,18 @@ interface(`files_list_pids',`
+@@ -6053,19 +8238,18 @@ interface(`files_list_pids',`
##
##
#
@@ -16981,7 +16976,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -6073,43 +8262,151 @@ interface(`files_read_generic_pids',`
+@@ -6073,43 +8257,151 @@ interface(`files_read_generic_pids',`
##
##
#
@@ -17160,7 +17155,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -6117,80 +8414,157 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6117,80 +8409,157 @@ interface(`files_write_generic_pid_pipes',`
## Domain allowed access.
##
##
@@ -17347,7 +17342,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -6198,19 +8572,17 @@ interface(`files_rw_generic_pids',`
+@@ -6198,19 +8567,17 @@ interface(`files_rw_generic_pids',`
##
##
#
@@ -17371,7 +17366,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -6218,18 +8590,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+@@ -6218,18 +8585,17 @@ interface(`files_dontaudit_getattr_all_pids',`
##
##
#
@@ -17394,7 +17389,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -6237,129 +8608,119 @@ interface(`files_dontaudit_write_all_pids',`
+@@ -6237,129 +8603,119 @@ interface(`files_dontaudit_write_all_pids',`
##
##
#
@@ -17564,7 +17559,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -6367,18 +8728,19 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,18 +8723,19 @@ interface(`files_mounton_all_poly_members',`
##
##
#
@@ -17589,7 +17584,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -6386,132 +8748,227 @@ interface(`files_search_spool',`
+@@ -6386,132 +8743,227 @@ interface(`files_search_spool',`
##
##
#
@@ -17863,7 +17858,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -6519,53 +8976,17 @@ interface(`files_spool_filetrans',`
+@@ -6519,53 +8971,17 @@ interface(`files_spool_filetrans',`
##
##
#
@@ -17921,7 +17916,7 @@ index f962f76..e06a46c 100644
##
##
##
-@@ -6573,10 +8994,10 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +8989,10 @@ interface(`files_polyinstantiate_all',`
##
##
#
@@ -21724,7 +21719,7 @@ index 7be4ddf..9710b33 100644
+/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0)
+/sys/kernel/debug/.* <>
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..9ccf724 100644
+index e100d88..7a08793 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@@ -22147,7 +22142,34 @@ index e100d88..9ccf724 100644
########################################
##
## Read and write RPC sysctls.
-@@ -2085,9 +2261,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2071,6 +2247,26 @@ interface(`kernel_rw_rpc_sysctls',`
+
+ ########################################
+ ##
++## Read and write RPC sysctls.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`kernel_create_rpc_sysctls',`
++ gen_require(`
++ type proc_t, proc_net_t, sysctl_rpc_t;
++ ')
++
++ create_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
++
++')
++
++########################################
++##
+ ## Do not audit attempts to list all sysctl directories.
+ ##
+ ##
+@@ -2085,9 +2281,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
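Review bot: The summary line for the new `kernel_create_rpc_sysctls` interface (`## Read and write RPC sysctls.`) is a copy of the one on `kernel_rw_rpc_sysctls` above it and describes the wrong permission; the body only grants `create_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)`, so it should read `## Create RPC sysctls.`. The blank line between the `create_files_pattern` call and the closing `')` is not used by the neighbouring interfaces and can be dropped. The changelog entry in selinux-policy.spec names the type `sysctls_rpc_t`, while the interface requires `sysctl_rpc_t`; one of the two is a typo and the changelog is the likely one.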
@@ -22177,7 +22199,7 @@ index e100d88..9ccf724 100644
########################################
##
## Allow caller to read all sysctls.
-@@ -2282,6 +2477,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2497,25 @@ interface(`kernel_list_unlabeled',`
########################################
##
@@ -22203,7 +22225,7 @@ index e100d88..9ccf724 100644
## Read the process state (/proc/pid) of all unlabeled_t.
##
##
-@@ -2306,7 +2520,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2540,7 @@ interface(`kernel_read_unlabeled_state',`
##
##
##
@@ -22212,14 +22234,17 @@ index e100d88..9ccf724 100644
##
##
#
-@@ -2488,6 +2702,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,12 +2722,30 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
##
+-## Do not audit attempts by caller to get attributes for
+-## unlabeled character devices.
+## Read and write unlabeled sockets.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
+##
+##
@@ -22234,37 +22259,20 @@ index e100d88..9ccf724 100644
+
+########################################
+##
- ## Do not audit attempts by caller to get attributes for
- ## unlabeled character devices.
- ##
-@@ -2525,7 +2757,7 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
-
- ########################################
- ##
--## Allow caller to relabel unlabeled files.
-+## Allow caller to relabel unlabeled filesystems.
- ##
- ##
- ##
-@@ -2533,18 +2765,36 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
++## Do not audit attempts by caller to get attributes for
++## unlabeled character devices.
++##
++##
++##
++## Domain to not audit.
##
##
#
--interface(`kernel_relabelfrom_unlabeled_files',`
-+interface(`kernel_relabelfrom_unlabeled_fs',`
- gen_require(`
- type unlabeled_t;
- ')
-
-- kernel_list_unlabeled($1)
-- allow $1 unlabeled_t:file { getattr relabelfrom };
-+ allow $1 unlabeled_t:filesystem relabelfrom;
- ')
+@@ -2525,6 +2777,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
########################################
##
--## Allow caller to relabel unlabeled symbolic links.
-+## Allow caller to relabel unlabeled files.
++## Allow caller to relabel unlabeled filesystems.
+##
+##
+##
@@ -22272,22 +22280,20 @@ index e100d88..9ccf724 100644
+##
+##
+#
-+interface(`kernel_relabelfrom_unlabeled_files',`
++interface(`kernel_relabelfrom_unlabeled_fs',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
-+ kernel_list_unlabeled($1)
-+ allow $1 unlabeled_t:file { getattr relabelfrom };
++ allow $1 unlabeled_t:filesystem relabelfrom;
+')
+
+########################################
+##
-+## Allow caller to relabel unlabeled symbolic links.
+ ## Allow caller to relabel unlabeled files.
##
##
- ##
-@@ -2667,6 +2917,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2667,6 +2937,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
##
@@ -22312,7 +22318,7 @@ index e100d88..9ccf724 100644
## Receive TCP packets from an unlabeled connection.
##
##
-@@ -2694,6 +2962,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2694,6 +2982,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
##
@@ -22338,7 +22344,7 @@ index e100d88..9ccf724 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
##
-@@ -2803,6 +3090,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2803,6 +3110,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@@ -22372,7 +22378,7 @@ index e100d88..9ccf724 100644
########################################
##
-@@ -2958,6 +3272,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2958,6 +3292,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
##
@@ -22397,7 +22403,7 @@ index e100d88..9ccf724 100644
## Unconfined access to kernel module resources.
##
##
-@@ -2972,5 +3304,649 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3324,649 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -22537,7 +22543,7 @@ index e100d88..9ccf724 100644
+ dontaudit $1 kernel_t:dir search_dir_perms;
+ dontaudit $1 kernel_t:file read_file_perms;
+ dontaudit $1 kernel_t:lnk_file read_lnk_file_perms;
-+')
+ ')
+
+########################################
+##
@@ -22638,7 +22644,7 @@ index e100d88..9ccf724 100644
+ ')
+
+ write_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
- ')
++')
+
+########################################
+##
@@ -23049,7 +23055,7 @@ index e100d88..9ccf724 100644
+')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..5deb336 100644
+index 8dbab4c..88c7112 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -23344,7 +23350,16 @@ index 8dbab4c..5deb336 100644
########################################
#
# Unlabeled process local policy
-@@ -399,14 +491,38 @@ if( ! secure_mode_insmod ) {
+@@ -388,6 +480,8 @@ optional_policy(`
+ if( ! secure_mode_insmod ) {
+ allow can_load_kernmodule self:capability sys_module;
+
++ files_load_kernel_modules(can_load_kernmodule)
++
+ # load_module() calls stop_machine() which
+ # calls sched_setscheduler()
+ allow can_load_kernmodule self:capability sys_nice;
+@@ -399,14 +493,38 @@ if( ! secure_mode_insmod ) {
# Rules for unconfined acccess to this module
#
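Review bot: `files_load_kernel_modules(can_load_kernmodule)` is dropped into the `if( ! secure_mode_insmod )` block without a comment, whereas the adjacent `sys_nice` rule explains why it is needed; the only rationale is the BZ number in the spec changelog. A one-line comment above the call, `# BZ(1426741): domains with can_load_kernmodule need the module files themselves`, keeps that reasoning next to the rule. Since the rule applies to every domain carrying the `can_load_kernmodule` attribute, stating the intended scope in the comment also helps later reviewers judge additions to that attribute. The `files_load_kernel_modules` interface is not defined anywhere in this chunk; presumably the same base patch introduces it, otherwise the policy build will fail on the unknown interface.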
diff --git a/policy-f25-contrib.patch b/policy-f25-contrib.patch
index 94c1d52..f484928 100644
--- a/policy-f25-contrib.patch
+++ b/policy-f25-contrib.patch
@@ -3503,10 +3503,10 @@ index 0000000..c679dd3
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index 7caefc3..2029082 100644
+index 7caefc3..dac9ad5 100644
--- a/apache.fc
+++ b/apache.fc
-@@ -1,162 +1,215 @@
+@@ -1,162 +1,217 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3535,6 +3535,7 @@ index 7caefc3..2029082 100644
+/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/nextcloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/rt(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -3751,6 +3752,7 @@ index 7caefc3..2029082 100644
+/var/lib/openshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/openshift/\.log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/lib/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/nextcloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/rt(3|4)/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -3862,7 +3864,7 @@ index 7caefc3..2029082 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
-index f6eb485..757b864 100644
+index f6eb485..fe461a3 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
@@ -5327,7 +5329,7 @@ index f6eb485..757b864 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1224,9 +1625,182 @@ interface(`apache_admin',`
+@@ -1224,9 +1625,183 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -5399,6 +5401,7 @@ index f6eb485..757b864 100644
+ files_etc_filetrans($1, httpd_sys_content_t, dir, "htdig")
+ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "horde")
+ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "owncloud")
++ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "nextcloud")
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "smarty")
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "uploads")
@@ -83981,10 +83984,24 @@ index 4460582..4c66c25 100644
+
')
diff --git a/radius.te b/radius.te
-index 403a4fe..0ff0178 100644
+index 403a4fe..159f21e 100644
--- a/radius.te
+++ b/radius.te
-@@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t)
+@@ -5,6 +5,13 @@ policy_module(radius, 1.13.0)
+ # Declarations
+ #
+
++##
++##
++## Determine whether radius can use JIT compiler.
++##
++##
++gen_tunable(radius_use_jit, false)
++
+ type radiusd_t;
+ type radiusd_exec_t;
+ init_daemon_domain(radiusd_t, radiusd_exec_t)
+@@ -27,6 +34,9 @@ files_type(radiusd_var_lib_t)
type radiusd_var_run_t;
files_pid_file(radiusd_var_run_t)
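Review bot: The description of the new `radius_use_jit` tunable (`## Determine whether radius can use JIT compiler.`) does not say what enabling it actually grants; the `tunable_policy` added later in radius.te gives `allow radiusd_t self:process execmem;`, i.e. the right to map anonymous memory both writable and executable, which is the W^X relaxation an administrator is weighing when flipping the boolean. Suggest `## Determine whether radius can use a JIT compiler (grants execmem to radiusd_t).`. The `false` default with a `dontaudit` in the else branch is the conservative choice, but note that the dontaudit also hides the execmem denial, so a JIT that fails with the boolean off will leave no trace in the audit log unless dontaudit rules are temporarily disabled.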
@@ -83994,7 +84011,7 @@ index 403a4fe..0ff0178 100644
########################################
#
# Local policy
-@@ -49,9 +52,7 @@ manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
+@@ -49,9 +59,7 @@ manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
filetrans_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_rw_t, { dir file lnk_file })
manage_dirs_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
@@ -84005,7 +84022,7 @@ index 403a4fe..0ff0178 100644
logging_log_filetrans(radiusd_t, radiusd_log_t, { file dir })
manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t)
-@@ -60,11 +61,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+@@ -60,11 +68,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir })
@@ -84018,7 +84035,7 @@ index 403a4fe..0ff0178 100644
corenet_all_recvfrom_netlabel(radiusd_t)
corenet_tcp_sendrecv_generic_if(radiusd_t)
corenet_udp_sendrecv_generic_if(radiusd_t)
-@@ -74,12 +75,22 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
+@@ -74,12 +82,22 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
corenet_udp_sendrecv_all_ports(radiusd_t)
corenet_udp_bind_generic_node(radiusd_t)
@@ -84041,7 +84058,7 @@ index 403a4fe..0ff0178 100644
corenet_sendrecv_snmp_client_packets(radiusd_t)
corenet_tcp_connect_snmp_port(radiusd_t)
-@@ -97,7 +108,6 @@ domain_use_interactive_fds(radiusd_t)
+@@ -97,7 +115,6 @@ domain_use_interactive_fds(radiusd_t)
fs_getattr_all_fs(radiusd_t)
fs_search_auto_mountpoints(radiusd_t)
@@ -84049,7 +84066,7 @@ index 403a4fe..0ff0178 100644
files_read_etc_runtime_files(radiusd_t)
files_dontaudit_list_tmp(radiusd_t)
-@@ -109,7 +119,6 @@ libs_exec_lib_files(radiusd_t)
+@@ -109,7 +126,6 @@ libs_exec_lib_files(radiusd_t)
logging_send_syslog_msg(radiusd_t)
@@ -84057,7 +84074,18 @@ index 403a4fe..0ff0178 100644
miscfiles_read_generic_certs(radiusd_t)
sysnet_use_ldap(radiusd_t)
-@@ -122,6 +131,11 @@ optional_policy(`
+@@ -117,11 +133,22 @@ sysnet_use_ldap(radiusd_t)
+ userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
+ userdom_dontaudit_search_user_home_dirs(radiusd_t)
+
++tunable_policy(`radius_use_jit',`
++ allow radiusd_t self:process execmem;
++',`
++ dontaudit radiusd_t self:process execmem;
++')
++
+ optional_policy(`
+ cron_system_entry(radiusd_t, radiusd_exec_t)
')
optional_policy(`
@@ -84069,7 +84097,7 @@ index 403a4fe..0ff0178 100644
logrotate_exec(radiusd_t)
')
-@@ -140,5 +154,10 @@ optional_policy(`
+@@ -140,5 +167,10 @@ optional_policy(`
')
optional_policy(`
@@ -91118,7 +91146,7 @@ index 0bf13c2..ed393a0 100644
files_list_tmp($1)
admin_pattern($1, gssd_tmp_t)
diff --git a/rpc.te b/rpc.te
-index 2da9fca..be1fab2 100644
+index 2da9fca..f97a61a 100644
--- a/rpc.te
+++ b/rpc.te
@@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
@@ -91322,7 +91350,7 @@ index 2da9fca..be1fab2 100644
')
########################################
-@@ -202,41 +232,62 @@ optional_policy(`
+@@ -202,41 +232,63 @@ optional_policy(`
#
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
@@ -91341,6 +91369,7 @@ index 2da9fca..be1fab2 100644
-# kernel_mounton_proc(nfsd_t)
+kernel_mounton_proc(nfsd_t)
+kernel_rw_rpc_sysctls_dirs(nfsd_t)
++kernel_create_rpc_sysctls(nfsd_t)
-corenet_sendrecv_nfs_server_packets(nfsd_t)
+corecmd_exec_shell(nfsd_t)
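Review bot: `kernel_create_rpc_sysctls(nfsd_t)` is added beside `kernel_rw_rpc_sysctls_dirs(nfsd_t)` with no comment, so the reason nfsd must create entries under the rpc sysctl tree is only recoverable from the spec changelog. A why-comment above the call, such as `# nfsd creates its own entries under the rpc sysctl directory`, would keep the rationale with the rule; the denial or BZ that motivated it is the right source for the exact wording. This call relies on the interface introduced by the policy-f25-base.patch change in the same commit, so the two patch files have to land together or the contrib policy will not build.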
@@ -91395,7 +91424,7 @@ index 2da9fca..be1fab2 100644
miscfiles_manage_public_files(nfsd_t)
')
-@@ -245,7 +296,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -245,7 +297,6 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
@@ -91403,7 +91432,7 @@ index 2da9fca..be1fab2 100644
')
tunable_policy(`nfs_export_all_ro',`
-@@ -257,12 +307,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -257,12 +308,12 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
@@ -91418,7 +91447,7 @@ index 2da9fca..be1fab2 100644
')
########################################
-@@ -270,7 +320,7 @@ optional_policy(`
+@@ -270,7 +321,7 @@ optional_policy(`
# GSSD local policy
#
@@ -91427,7 +91456,7 @@ index 2da9fca..be1fab2 100644
allow gssd_t self:process { getsched setsched };
allow gssd_t self:fifo_file rw_fifo_file_perms;
-@@ -280,6 +330,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -280,6 +331,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@@ -91435,7 +91464,7 @@ index 2da9fca..be1fab2 100644
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_request_load_module(gssd_t)
-@@ -288,25 +339,31 @@ kernel_signal(gssd_t)
+@@ -288,25 +340,31 @@ kernel_signal(gssd_t)
corecmd_exec_bin(gssd_t)
@@ -91470,7 +91499,7 @@ index 2da9fca..be1fab2 100644
')
optional_policy(`
-@@ -314,9 +371,12 @@ optional_policy(`
+@@ -314,9 +372,12 @@ optional_policy(`
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2a503dc..8b2f2ae 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 225.10%{?dist}
+Release: 225.11%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -675,6 +675,13 @@ exit 0
%endif
%changelog
+* Mon Feb 27 2017 Lukas Vrabec - 3.13.1-225.11
+- Add radius_use_jit boolean
+- Allow nfsd_t domain to create sysctls_rpc_t files
+- add the policy required for nextcloud
+- Allow can_load_kernmodule to load kernel modules. BZ(1426741)
+- Create kernel_create_rpc_sysctls() interface
+
* Tue Feb 21 2017 Lukas Vrabec - 3.13.1-225.10
- FIx label for /usr/lib/libGLdispatch.so.0.0.0