diff --git a/container-selinux.tgz b/container-selinux.tgz
index a013fe7..8018518 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-f25-base.patch b/policy-f25-base.patch
index 0e4c203..24f8fdc 100644
--- a/policy-f25-base.patch
+++ b/policy-f25-base.patch
@@ -3089,7 +3089,7 @@ index 99e3903ea..fa68362ea 100644
##
##
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1d732f1e7..84225b490 100644
+index 1d732f1e7..7a132d600 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t;
@@ -3409,7 +3409,7 @@ index 1d732f1e7..84225b490 100644
userdom_use_unpriv_users_fds(sysadm_passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
-@@ -446,7 +492,8 @@ optional_policy(`
+@@ -446,8 +492,10 @@ optional_policy(`
# Useradd local policy
#
@@ -3417,9 +3417,11 @@ index 1d732f1e7..84225b490 100644
+allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };
+
dontaudit useradd_t self:capability sys_tty_config;
++dontaudit useradd_t self:cap_userns { sys_ptrace };
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -461,6 +508,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+ allow useradd_t self:fd use;
+@@ -461,6 +509,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
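Review bot: The new `dontaudit useradd_t self:cap_userns { sys_ptrace };` silences a denial but records nothing about why the access is not needed, while the capability line at the top of the hunk still grants `sys_ptrace` in the initial namespace, so a later reader has to guess whether the two are consistent. A comment above the dontaudit tying it to the bug the changelog cites, e.g. `# BZ(1480121): sys_ptrace from a user namespace is not required, silence only`, would make that explicit. The useradd_t rule block this sits in starts and ends outside the hunk.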
@@ -3430,7 +3432,7 @@ index 1d732f1e7..84225b490 100644
# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)
-@@ -468,29 +519,28 @@ corecmd_exec_shell(useradd_t)
+@@ -468,29 +520,28 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -3470,7 +3472,7 @@ index 1d732f1e7..84225b490 100644
auth_run_chk_passwd(useradd_t, useradd_roles)
auth_rw_lastlog(useradd_t)
-@@ -498,6 +548,7 @@ auth_rw_faillog(useradd_t)
+@@ -498,6 +549,7 @@ auth_rw_faillog(useradd_t)
auth_use_nsswitch(useradd_t)
# these may be unnecessary due to the above
# domtrans_chk_passwd() call.
@@ -3478,7 +3480,7 @@ index 1d732f1e7..84225b490 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
-@@ -508,35 +559,38 @@ init_rw_utmp(useradd_t)
+@@ -508,35 +560,38 @@ init_rw_utmp(useradd_t)
logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t)
@@ -3528,7 +3530,7 @@ index 1d732f1e7..84225b490 100644
')
optional_policy(`
-@@ -545,14 +599,27 @@ optional_policy(`
+@@ -545,14 +600,27 @@ optional_policy(`
')
optional_policy(`
@@ -3556,7 +3558,7 @@ index 1d732f1e7..84225b490 100644
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)
')
-@@ -562,3 +629,12 @@ optional_policy(`
+@@ -562,3 +630,12 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
@@ -26937,7 +26939,7 @@ index 76d9f66ec..7528851ad 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c68272..92e8e489b 100644
+index fe0c68272..a1954d8cd 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,11 @@
@@ -27064,7 +27066,7 @@ index fe0c68272..92e8e489b 100644
files_pid_file($1_var_run_t)
- allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
-+ allow $1_t self:capability { setpcap kill sys_admin sys_chroot sys_nice sys_resource chown dac_read_search dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
++ allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_override chown dac_read fowner fsetid net_admin setgid setuid sys_tty_config };;
allow $1_t self:fifo_file rw_fifo_file_perms;
- allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
+ allow $1_t self:process { setcap getcap signal getsched setsched setrlimit setexec };
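Review bot: The rewritten capability line (the `++ allow $1_t self:capability { ... };;` line) is not a valid policy statement: `dac_read` is not a capability permission (the permission, and what the changelog's dac_override/dac_read_search swap refers to, is `dac_read_search`), `chown` is listed twice, and the trailing `;;` leaves an empty statement that checkmodule will most likely reject. The line also silently drops `setpcap`, which the previous version of this patch granted and which the next context line still pairs with `self:process { setcap getcap ... }`; if dropping it is intended the changelog should say so. The intended line is presumably `allow $1_t self:capability { setpcap kill sys_admin sys_chroot sys_nice sys_resource chown dac_read_search dac_override fowner fsetid net_admin setgid setuid sys_tty_config };`. The ssh.if template body this line belongs to starts and ends outside the hunk.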
@@ -37822,7 +37824,7 @@ index 0d4c8d35e..537aa4274 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 312cd0417..102b975de 100644
+index 312cd0417..56961b493 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -37884,7 +37886,15 @@ index 312cd0417..102b975de 100644
manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
-@@ -110,10 +127,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
+@@ -101,6 +118,7 @@ manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
+ files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file })
+
+ can_exec(ipsec_t, ipsec_mgmt_exec_t)
++can_exec(ipsec_t, ipsec_exec_t)
+
+ # pluto runs an updown script (by calling popen()!) as this is by default
+ # a shell script, we need to find a way to make things work without
+@@ -110,10 +128,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
allow ipsec_mgmt_t ipsec_t:fd use;
allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
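Review bot: `can_exec(ipsec_t, ipsec_exec_t)` is added without a comment and its changelog entry ("Allow ipsec_t can exec ipsec_exec_t") carries no bug reference, unlike the rule below it, which explains why pluto needs shell access. Executing a domain's own entrypoint without a transition is a common allowance, but nothing here records which component or denial triggered it, so a later cleanup cannot tell whether it is still needed; suggest `# <PLACEHOLDER: which ipsec helper execs an ipsec_exec_t binary, and the BZ/denial>` above the line. The ipsec_t rule block continues outside the hunk.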
@@ -37897,7 +37907,7 @@ index 312cd0417..102b975de 100644
kernel_list_proc(ipsec_t)
kernel_read_proc_symlinks(ipsec_t)
# allow pluto to access /proc/net/ipsec_eroute;
-@@ -128,20 +145,24 @@ corecmd_exec_shell(ipsec_t)
+@@ -128,20 +146,24 @@ corecmd_exec_shell(ipsec_t)
corecmd_exec_bin(ipsec_t)
# Pluto needs network access
@@ -37929,7 +37939,7 @@ index 312cd0417..102b975de 100644
dev_read_sysfs(ipsec_t)
dev_read_rand(ipsec_t)
-@@ -157,22 +178,32 @@ files_dontaudit_search_home(ipsec_t)
+@@ -157,22 +179,32 @@ files_dontaudit_search_home(ipsec_t)
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
@@ -37964,7 +37974,7 @@ index 312cd0417..102b975de 100644
optional_policy(`
seutil_sigchld_newrole(ipsec_t)
-@@ -182,19 +213,30 @@ optional_policy(`
+@@ -182,19 +214,30 @@ optional_policy(`
udev_read_db(ipsec_t)
')
@@ -37999,7 +38009,7 @@ index 312cd0417..102b975de 100644
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
-@@ -208,12 +250,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+@@ -208,12 +251,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@@ -38015,7 +38025,7 @@ index 312cd0417..102b975de 100644
# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
-@@ -246,6 +290,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +291,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@@ -38032,7 +38042,7 @@ index 312cd0417..102b975de 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -255,6 +309,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +310,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t)
@@ -38041,7 +38051,7 @@ index 312cd0417..102b975de 100644
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
-@@ -269,6 +325,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+@@ -269,6 +326,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
files_read_etc_files(ipsec_mgmt_t)
files_exec_etc_files(ipsec_mgmt_t)
files_read_etc_runtime_files(ipsec_mgmt_t)
@@ -38049,7 +38059,7 @@ index 312cd0417..102b975de 100644
files_read_usr_files(ipsec_mgmt_t)
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
-@@ -278,9 +335,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +336,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@@ -38061,7 +38071,7 @@ index 312cd0417..102b975de 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
-@@ -288,17 +346,28 @@ init_exec_script_files(ipsec_mgmt_t)
+@@ -288,17 +347,28 @@ init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
@@ -38095,7 +38105,7 @@ index 312cd0417..102b975de 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +391,10 @@ optional_policy(`
+@@ -322,6 +392,10 @@ optional_policy(`
')
optional_policy(`
@@ -38106,7 +38116,7 @@ index 312cd0417..102b975de 100644
modutils_domtrans_insmod(ipsec_mgmt_t)
')
-@@ -335,7 +408,7 @@ optional_policy(`
+@@ -335,7 +409,7 @@ optional_policy(`
#
allow racoon_t self:capability { net_admin net_bind_service };
@@ -38115,7 +38125,7 @@ index 312cd0417..102b975de 100644
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +443,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +444,12 @@ kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
@@ -38135,7 +38145,7 @@ index 312cd0417..102b975de 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -401,10 +473,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +474,10 @@ locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t)
@@ -38148,7 +38158,7 @@ index 312cd0417..102b975de 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +510,8 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +511,8 @@ corenet_setcontext_all_spds(setkey_t)
locallogin_use_fds(setkey_t)
@@ -45536,7 +45546,7 @@ index 2cea692c0..e3cb4f2ef 100644
+ files_etc_filetrans($1, net_conf_t, file)
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index a392fc4bc..41a5b082f 100644
+index a392fc4bc..95c64150b 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@@ -45781,7 +45791,7 @@ index a392fc4bc..41a5b082f 100644
vmware_append_log(dhcpc_t)
')
-@@ -264,32 +322,72 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -264,32 +322,73 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -45847,6 +45857,7 @@ index a392fc4bc..41a5b082f 100644
+files_read_usr_files(ifconfig_t)
fs_getattr_xattr_fs(ifconfig_t)
++fs_unmount_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
+fs_read_nsfs_files(ifconfig_t)
+fs_mount_nsfs(ifconfig_t)
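Review bot: `fs_unmount_xattr_fs(ifconfig_t)` lets the ifconfig domain unmount any filesystem labelled fs_t, which is considerably broader than the nsfs mount/read access granted on the neighbouring lines, and the changelog only says "Allow ifconfig_t domain unmount fs_t" without the use case. Presumably this is network-namespace teardown removing a bind-mounted namespace reference (unverified from the hunk); if so the rule should say that, e.g. `# namespace teardown unmounts the bind-mounted nsfs reference (<PLACEHOLDER: BZ>)`, and a narrower unmount interface, if one exists in this tree, would be the tighter choice. The ifconfig_t rule block continues outside the hunk.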
@@ -45854,7 +45865,7 @@ index a392fc4bc..41a5b082f 100644
selinux_dontaudit_getattr_fs(ifconfig_t)
-@@ -299,33 +397,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -299,33 +398,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@@ -45912,7 +45923,7 @@ index a392fc4bc..41a5b082f 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -336,7 +452,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -336,7 +453,11 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -45925,7 +45936,7 @@ index a392fc4bc..41a5b082f 100644
')
optional_policy(`
-@@ -350,7 +470,16 @@ optional_policy(`
+@@ -350,7 +471,16 @@ optional_policy(`
')
optional_policy(`
@@ -45943,7 +45954,7 @@ index a392fc4bc..41a5b082f 100644
')
optional_policy(`
-@@ -371,3 +500,17 @@ optional_policy(`
+@@ -371,3 +501,17 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
diff --git a/policy-f25-contrib.patch b/policy-f25-contrib.patch
index 8052b47..ba80bfb 100644
--- a/policy-f25-contrib.patch
+++ b/policy-f25-contrib.patch
@@ -21231,7 +21231,7 @@ index 3023be7f6..5afde8039 100644
+ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
')
diff --git a/cups.te b/cups.te
-index c91813ccb..1585454d9 100644
+index c91813ccb..3e21f0ca7 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
@@ -21508,7 +21508,7 @@ index c91813ccb..1585454d9 100644
selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t)
-@@ -244,22 +289,28 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -244,22 +289,29 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
@@ -21516,6 +21516,7 @@ index c91813ccb..1585454d9 100644
libs_exec_lib_files(cupsd_t)
+libs_exec_ldconfig(cupsd_t)
+libs_exec_ld_so(cupsd_t)
++libs_use_ld_so(cupsd_t)
logging_send_audit_msgs(cupsd_t)
logging_send_syslog_msg(cupsd_t)
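Review bot: The added `libs_use_ld_so(cupsd_t)` does not match its changelog entry ("Allow cupsd_t to execute ld_so_cache"), and it sits next to `libs_exec_ld_so` and `libs_exec_ldconfig` that the earlier version of this patch already adds, so three ld.so-related grants now appear with no note about which denial each answers. The changelog line should name the interface actually used, and a one-line comment above the three, e.g. `# <PLACEHOLDER: denial/BZ that requires ld.so and ld.so cache access>`, would let a later maintainer drop the ones no longer needed. The cupsd_t rule block continues outside the hunk.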
@@ -21542,7 +21543,7 @@ index c91813ccb..1585454d9 100644
optional_policy(`
apm_domtrans_client(cupsd_t)
-@@ -272,6 +323,8 @@ optional_policy(`
+@@ -272,6 +324,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
@@ -21551,7 +21552,7 @@ index c91813ccb..1585454d9 100644
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
-@@ -279,11 +332,17 @@ optional_policy(`
+@@ -279,11 +333,17 @@ optional_policy(`
')
optional_policy(`
@@ -21569,7 +21570,7 @@ index c91813ccb..1585454d9 100644
')
')
-@@ -296,8 +355,8 @@ optional_policy(`
+@@ -296,8 +356,8 @@ optional_policy(`
')
optional_policy(`
@@ -21579,7 +21580,7 @@ index c91813ccb..1585454d9 100644
')
optional_policy(`
-@@ -306,7 +365,6 @@ optional_policy(`
+@@ -306,7 +366,6 @@ optional_policy(`
optional_policy(`
lpd_exec_lpr(cupsd_t)
@@ -21587,7 +21588,7 @@ index c91813ccb..1585454d9 100644
lpd_read_config(cupsd_t)
lpd_relabel_spool(cupsd_t)
')
-@@ -316,6 +374,10 @@ optional_policy(`
+@@ -316,6 +375,10 @@ optional_policy(`
')
optional_policy(`
@@ -21598,7 +21599,7 @@ index c91813ccb..1585454d9 100644
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
samba_stream_connect_nmbd(cupsd_t)
-@@ -326,7 +388,7 @@ optional_policy(`
+@@ -326,7 +389,7 @@ optional_policy(`
')
optional_policy(`
@@ -21607,7 +21608,7 @@ index c91813ccb..1585454d9 100644
')
optional_policy(`
-@@ -334,7 +396,11 @@ optional_policy(`
+@@ -334,7 +397,11 @@ optional_policy(`
')
optional_policy(`
@@ -21620,7 +21621,7 @@ index c91813ccb..1585454d9 100644
')
########################################
-@@ -342,12 +408,11 @@ optional_policy(`
+@@ -342,12 +409,11 @@ optional_policy(`
# Configuration daemon local policy
#
@@ -21636,7 +21637,7 @@ index c91813ccb..1585454d9 100644
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -367,23 +432,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
+@@ -367,23 +433,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
@@ -21664,7 +21665,7 @@ index c91813ccb..1585454d9 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -392,20 +457,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -392,20 +458,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
@@ -21685,7 +21686,7 @@ index c91813ccb..1585454d9 100644
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
-@@ -417,11 +474,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -417,11 +475,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@@ -21697,7 +21698,7 @@ index c91813ccb..1585454d9 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
-@@ -449,9 +501,12 @@ optional_policy(`
+@@ -449,9 +502,12 @@ optional_policy(`
')
optional_policy(`
@@ -21711,7 +21712,7 @@ index c91813ccb..1585454d9 100644
')
optional_policy(`
-@@ -467,6 +522,10 @@ optional_policy(`
+@@ -467,6 +523,10 @@ optional_policy(`
')
optional_policy(`
@@ -21722,7 +21723,7 @@ index c91813ccb..1585454d9 100644
rpm_read_db(cupsd_config_t)
')
-@@ -487,10 +546,6 @@ optional_policy(`
+@@ -487,10 +547,6 @@ optional_policy(`
# Lpd local policy
#
@@ -21733,7 +21734,7 @@ index c91813ccb..1585454d9 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -508,15 +563,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -508,15 +564,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
@@ -21751,7 +21752,7 @@ index c91813ccb..1585454d9 100644
corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
-@@ -537,9 +592,6 @@ auth_use_nsswitch(cupsd_lpd_t)
+@@ -537,9 +593,6 @@ auth_use_nsswitch(cupsd_lpd_t)
logging_send_syslog_msg(cupsd_lpd_t)
@@ -21761,7 +21762,7 @@ index c91813ccb..1585454d9 100644
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
-@@ -549,8 +601,7 @@ optional_policy(`
+@@ -549,8 +602,7 @@ optional_policy(`
# Pdf local policy
#
@@ -21771,7 +21772,7 @@ index c91813ccb..1585454d9 100644
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -566,148 +617,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -566,148 +618,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@@ -21923,7 +21924,7 @@ index c91813ccb..1585454d9 100644
########################################
#
-@@ -735,7 +661,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -735,7 +662,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -21931,7 +21932,7 @@ index c91813ccb..1585454d9 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -745,13 +670,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -745,13 +671,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
@@ -21945,7 +21946,7 @@ index c91813ccb..1585454d9 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
-@@ -759,8 +682,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -759,8 +683,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@@ -21954,7 +21955,7 @@ index c91813ccb..1585454d9 100644
sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -773,3 +694,4 @@ optional_policy(`
+@@ -773,3 +695,4 @@ optional_policy(`
optional_policy(`
udev_read_db(ptal_t)
')
@@ -24002,7 +24003,7 @@ index 5606b4069..cd18cf2a7 100644
domain_system_change_exemption($1)
role_transition $2 ddclient_initrc_exec_t system_r;
diff --git a/ddclient.te b/ddclient.te
-index a4caa1b5b..42f30662d 100644
+index a4caa1b5b..f244f9a63 100644
--- a/ddclient.te
+++ b/ddclient.te
@@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t)
@@ -24047,7 +24048,7 @@ index a4caa1b5b..42f30662d 100644
fs_getattr_all_fs(ddclient_t)
fs_search_auto_mountpoints(ddclient_t)
-+auth_read_passwd(ddclient_t)
++auth_use_nsswitch(ddclient_t)
+
logging_send_syslog_msg(ddclient_t)
@@ -40350,7 +40351,7 @@ index 1a354203e..8101022be 100644
logging_search_logs($1)
admin_pattern($1, iscsi_log_t)
diff --git a/iscsi.te b/iscsi.te
-index ca020faa9..9c628b22e 100644
+index ca020faa9..c53375b3b 100644
--- a/iscsi.te
+++ b/iscsi.te
@@ -5,12 +5,15 @@ policy_module(iscsi, 1.9.0)
@@ -40415,7 +40416,7 @@ index ca020faa9..9c628b22e 100644
corenet_all_recvfrom_netlabel(iscsid_t)
corenet_tcp_sendrecv_generic_if(iscsid_t)
corenet_tcp_sendrecv_generic_node(iscsid_t)
-@@ -85,22 +90,38 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
+@@ -85,22 +90,40 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
corenet_tcp_connect_isns_port(iscsid_t)
corenet_tcp_sendrecv_isns_port(iscsid_t)
@@ -40446,6 +40447,8 @@ index ca020faa9..9c628b22e 100644
-miscfiles_read_localization(iscsid_t)
+modutils_read_module_config(iscsid_t)
+
++mount_read_pid_files(iscsid_t)
++
+optional_policy(`
+ iscsi_systemctl(iscsid_t)
+')
@@ -44751,7 +44754,7 @@ index 93a64bc50..af6d741d6 100644
+ allow $1 ksmtuned_unit_file_t:service all_service_perms;
')
diff --git a/ksmtuned.te b/ksmtuned.te
-index 8eef134ac..a2ca1a009 100644
+index 8eef134ac..9636a5343 100644
--- a/ksmtuned.te
+++ b/ksmtuned.te
@@ -5,10 +5,27 @@ policy_module(ksmtuned, 1.1.1)
@@ -44782,8 +44785,12 @@ index 8eef134ac..a2ca1a009 100644
type ksmtuned_initrc_exec_t;
init_script_file(ksmtuned_initrc_exec_t)
-@@ -43,6 +60,7 @@ corecmd_exec_shell(ksmtuned_t)
- dev_rw_sysfs(ksmtuned_t)
+@@ -40,9 +57,10 @@ kernel_read_system_state(ksmtuned_t)
+ corecmd_exec_bin(ksmtuned_t)
+ corecmd_exec_shell(ksmtuned_t)
+
+-dev_rw_sysfs(ksmtuned_t)
++dev_manage_sysfs(ksmtuned_t)
domain_read_all_domains_state(ksmtuned_t)
+domain_dontaudit_read_all_domains_state(ksmtuned_t)
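Review bot: `dev_manage_sysfs(ksmtuned_t)` replaces `dev_rw_sysfs` and therefore grants create, unlink and rename on every sysfs_t file and directory, not only the read/write the daemon previously had, and neither the hunk nor the changelog says which permission rw was missing. If the denial was on a single permission under the ksm sysfs directory, an allow for just that permission would be the narrower fix; either way the change deserves a comment such as `# rw on sysfs_t was not enough: <PLACEHOLDER: denied permission / BZ>` above the line. The ksmtuned_t rule block continues outside the hunk.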
@@ -61928,7 +61935,7 @@ index 8f2ab09f5..a29819859 100644
+ allow $1 nscd_unit_file_t:service all_service_perms;
')
diff --git a/nscd.te b/nscd.te
-index bcd7d0a7d..0188086f9 100644
+index bcd7d0a7d..9b397fdd7 100644
--- a/nscd.te
+++ b/nscd.te
@@ -4,33 +4,34 @@ gen_require(`
@@ -61976,7 +61983,7 @@ index bcd7d0a7d..0188086f9 100644
type nscd_log_t;
logging_log_file(nscd_log_t)
-@@ -40,56 +41,58 @@ logging_log_file(nscd_log_t)
+@@ -40,56 +41,59 @@ logging_log_file(nscd_log_t)
#
allow nscd_t self:capability { kill setgid setuid };
@@ -62012,6 +62019,7 @@ index bcd7d0a7d..0188086f9 100644
-kernel_read_kernel_sysctls(nscd_t)
kernel_read_network_state(nscd_t)
+kernel_read_kernel_sysctls(nscd_t)
++kernel_search_network_sysctl(nscd_t)
+kernel_list_proc(nscd_t)
kernel_read_proc_symlinks(nscd_t)
@@ -62053,7 +62061,7 @@ index bcd7d0a7d..0188086f9 100644
corenet_rw_tun_tap_dev(nscd_t)
selinux_get_fs_mount(nscd_t)
-@@ -98,16 +101,23 @@ selinux_compute_access_vector(nscd_t)
+@@ -98,16 +102,23 @@ selinux_compute_access_vector(nscd_t)
selinux_compute_create_context(nscd_t)
selinux_compute_relabel_context(nscd_t)
selinux_compute_user_contexts(nscd_t)
@@ -62078,7 +62086,7 @@ index bcd7d0a7d..0188086f9 100644
userdom_dontaudit_use_user_terminals(nscd_t)
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
userdom_dontaudit_search_user_home_dirs(nscd_t)
-@@ -121,13 +131,11 @@ optional_policy(`
+@@ -121,13 +132,11 @@ optional_policy(`
')
optional_policy(`
@@ -62096,7 +62104,7 @@ index bcd7d0a7d..0188086f9 100644
')
optional_policy(`
-@@ -138,3 +146,20 @@ optional_policy(`
+@@ -138,3 +147,20 @@ optional_policy(`
xen_dontaudit_rw_unix_stream_sockets(nscd_t)
xen_append_log(nscd_t)
')
@@ -76785,7 +76793,7 @@ index b9e71b537..a7502cd0e 100644
domain_system_change_exemption($1)
role_transition $2 postgrey_initrc_exec_t system_r;
diff --git a/postgrey.te b/postgrey.te
-index fd58805e5..2ff8a1e4c 100644
+index fd58805e5..248d22985 100644
--- a/postgrey.te
+++ b/postgrey.te
@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
@@ -76806,15 +76814,20 @@ index fd58805e5..2ff8a1e4c 100644
dontaudit postgrey_t self:capability sys_tty_config;
allow postgrey_t self:process signal_perms;
allow postgrey_t self:fifo_file create_fifo_file_perms;
-@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(postgrey_t)
+@@ -55,9 +55,10 @@ files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file })
+ kernel_read_system_state(postgrey_t)
+ kernel_read_kernel_sysctls(postgrey_t)
- corecmd_search_bin(postgrey_t)
+-corecmd_search_bin(postgrey_t)
++auth_use_nsswitch(postgrey_t)
++
++corecmd_exec_bin(postgrey_t)
-corenet_all_recvfrom_unlabeled(postgrey_t)
corenet_all_recvfrom_netlabel(postgrey_t)
corenet_tcp_sendrecv_generic_if(postgrey_t)
corenet_tcp_sendrecv_generic_node(postgrey_t)
-@@ -72,17 +71,15 @@ dev_read_sysfs(postgrey_t)
+@@ -72,17 +73,15 @@ dev_read_sysfs(postgrey_t)
domain_use_interactive_fds(postgrey_t)
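Review bot: Replacing `corecmd_search_bin(postgrey_t)` with `corecmd_exec_bin(postgrey_t)` lets postgrey run any bin_t program inside its own domain, and the hunk does not say which helper it needs; a comment naming it, e.g. `# postgrey runs <PLACEHOLDER: helper> (<PLACEHOLDER: BZ>)`, would bound the grant for later review. As a matter of style, the new `auth_use_nsswitch(postgrey_t)` is inserted between the kernel_ and corecmd_ lines, whereas the rest of this file groups auth_ calls after the corenet/dev/domain block; moving it there keeps the module ordering consistent. The postgrey_t rule block continues outside the hunk.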
@@ -84720,7 +84733,7 @@ index 44605825c..4c66c2502 100644
+
')
diff --git a/radius.te b/radius.te
-index 403a4fed1..482046ace 100644
+index 403a4fed1..193195e3c 100644
--- a/radius.te
+++ b/radius.te
@@ -5,6 +5,13 @@ policy_module(radius, 1.13.0)
@@ -84750,7 +84763,7 @@ index 403a4fed1..482046ace 100644
#
-allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
-+allow radiusd_t self:capability { chown dac_read_search dac_override fsetid kill setgid setuid sys_resource sys_tty_config};
++allow radiusd_t self:capability { chown dac_read_search dac_override fsetid kill setgid setuid sys_resource sys_tty_config sys_ptrace };
dontaudit radiusd_t self:capability sys_tty_config;
-allow radiusd_t self:process { getsched setrlimit setsched sigkill signal };
+allow radiusd_t self:process { getsched setrlimit setsched sigkill signal ptrace};
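Review bot: The new capability line and the process line below it grant radiusd_t `sys_ptrace` and `self:process ptrace`, which the changelog does not mention (its only radius-relevant entry is the dac_override/dac_read_search swap) and no comment explains. Self-ptrace is typically requested when a program reads another process's /proc entries or its own memory maps; if the access was only observed as an AVC denial and is not functionally required, a `dontaudit` for both permissions is the safer change, otherwise add `# radiusd needs ptrace for <PLACEHOLDER: code path / BZ>` above the rule. Also, `sys_tty_config };` and `ptrace};` lack the space before the closing brace used by the other permission sets in this file. The radiusd_t rule block continues outside the hunk.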
@@ -99266,7 +99279,7 @@ index 000000000..7a058a82a
+')
diff --git a/sbd.te b/sbd.te
new file mode 100644
-index 000000000..b86f200a7
+index 000000000..7e35f83f6
--- /dev/null
+++ b/sbd.te
@@ -0,0 +1,54 @@
@@ -99291,7 +99304,7 @@ index 000000000..b86f200a7
+#
+# sbd local policy
+#
-+allow sbd_t self:capability { dac_read_search dac_override ipc_lock sys_nice sys_admin};
++allow sbd_t self:capability { dac_read_search dac_override ipc_lock sys_boot sys_nice sys_admin};
+allow sbd_t self:process { fork setsched signal_perms };
+allow sbd_t self:fifo_file rw_fifo_file_perms;
+allow sbd_t self:unix_stream_socket create_stream_socket_perms;
@@ -109910,10 +109923,10 @@ index 000000000..9524b50aa
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 000000000..d366c8b37
+index 000000000..2b15dca23
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,168 @@
+@@ -0,0 +1,172 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -110082,6 +110095,10 @@ index 000000000..d366c8b37
+ corenet_dontaudit_udp_bind_all_ports(thumb_t)
+ corenet_dontaudit_udp_bind_generic_node(thumb_t)
+')
++
++optional_policy(`
++ storage_getattr_fixed_disk_dev(thumb_t)
++')
diff --git a/thunderbird.te b/thunderbird.te
index 5e867da56..b25ea6e08 100644
--- a/thunderbird.te
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7bd7c76..13d2777 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 225.21%{?dist}
+Release: 225.22%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -681,6 +681,20 @@ exit 0
%endif
%changelog
+* Thu Aug 31 2017 Lukas Vrabec - 3.13.1-225.22
+- Allow ddclient use nsswitch BZ(1456241)
+- Allow thumb_t domain getattr fixed_disk device. BZ(1379137)
+- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy
+- Allow cupsd_t to execute ld_so_cache
+- Allow postgrey to execute bin_t files and add postgrey into nsswitch_domain
+- Allow nscd_t domain to search network sysctls
+- Allow iscsid_t domain to read mount pid files
+- Allow ksmtuned_t domain manage sysfs_t files/dirs
+- Dontaudit useradd_t sys_ptrace BZ(1480121)
+- Allow ipsec_t can exec ipsec_exec_t
+- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy
+- Allow ifconfig_t domain unmount fs_t
+
* Mon Aug 14 2017 Lukas Vrabec - 3.13.1-225.21
- Allow osad make executable an anonymous mapping or private file mapping that is writable BZ(1425524)
- Fix ntp SELinux module