diff --git a/container-selinux.tgz b/container-selinux.tgz index f64ff4a..6551eec 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-f25-base.patch b/policy-f25-base.patch index 62b762d..42d53ff 100644 --- a/policy-f25-base.patch +++ b/policy-f25-base.patch @@ -25669,10 +25669,10 @@ index 0000000..15b42ae + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..89f4076 +index 0000000..883d9ea --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,360 @@ +@@ -0,0 +1,362 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -25737,6 +25737,8 @@ index 0000000..89f4076 + +allow unconfined_t file_type:system module_load; + ++allow unconfined_t self:cap_userns all_cap_userns_perms; ++ +kernel_rw_unlabeled_socket(unconfined_t) +kernel_rw_unlabeled_rawip_socket(unconfined_t) + @@ -30232,7 +30234,7 @@ index 6bf0ecc..e6be63a 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..a55ca15 100644 +index 8b40377..00a15e8 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -30832,7 +30834,7 @@ index 8b40377..a55ca15 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,28 +649,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -442,28 +649,47 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -30864,6 +30866,7 @@ index 8b40377..a55ca15 100644 libs_exec_lib_files(xdm_t) +libs_exec_ldconfig(xdm_t) ++libs_dontaudit_setattr_lib_files(xdm_t) logging_read_generic_logs(xdm_t) 
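Review bot: `allow unconfined_t self:cap_userns all_cap_userns_perms;` is an unconditional grant of the entire capability set inside user namespaces, added with no tunable around it. For unconfined_t that is arguably consistent with the domain's purpose, but cap_userns is precisely the class that gates the attack surface of unprivileged user namespaces, so the rule should record why the full set is needed rather than the specific capabilities that were being denied. A comment such as `# full userns capability set; unconfined_t is already unrestricted outside namespaces` above the rule would make the intent auditable, and if a boolean already controls user-namespace use elsewhere in this policy it may be preferable to place the rule under it. The unconfineduser.te block this lands in begins and ends outside the hunk.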
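Review bot: `libs_dontaudit_setattr_lib_files(xdm_t)` silences setattr on lib_t files, while the spec changelog for this release says the intent was to dontaudit xdm_t setattr on lib_t directories, and the interface this diff newly introduces in libraries.if is `libs_dontaudit_setattr_lib_dirs`, which nothing in the diff calls. If the denial being hidden was on a directory the call should be `libs_dontaudit_setattr_lib_dirs(xdm_t)`; if it really was on files, the changelog entry (and the "Add interface libs_dontaudit_setattr_lib_files()" line, which is actually a relocation of an existing interface) is wrong. Please check the original AVC so the dontaudit covers only the object class that was denied: a dontaudit on the wrong class hides nothing, and a broader one hides genuine tampering attempts on library files from audit.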
@@ -30883,7 +30886,7 @@ index 8b40377..a55ca15 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +697,163 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +698,163 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -31053,7 +31056,7 @@ index 8b40377..a55ca15 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +866,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +867,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') @@ -31085,7 +31088,7 @@ index 8b40377..a55ca15 100644 ') optional_policy(` -@@ -518,8 +901,36 @@ optional_policy(` +@@ -518,8 +902,36 @@ optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -31123,7 +31126,7 @@ index 8b40377..a55ca15 100644 ') ') -@@ -530,6 +941,20 @@ optional_policy(` +@@ -530,6 +942,20 @@ optional_policy(` ') optional_policy(` @@ -31144,7 +31147,7 @@ index 8b40377..a55ca15 100644 hostname_exec(xdm_t) ') -@@ -547,28 +972,78 @@ optional_policy(` +@@ -547,28 +973,78 @@ optional_policy(` ') optional_policy(` @@ -31232,7 +31235,7 @@ index 8b40377..a55ca15 100644 ') optional_policy(` -@@ -580,6 +1055,14 @@ optional_policy(` +@@ -580,6 +1056,14 @@ optional_policy(` ') optional_policy(` @@ -31247,7 +31250,7 @@ index 8b40377..a55ca15 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1077,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1078,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; 
@@ -31256,7 +31259,7 @@ index 8b40377..a55ca15 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1087,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1088,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -31269,7 +31272,7 @@ index 8b40377..a55ca15 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1104,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1105,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -31285,7 +31288,7 @@ index 8b40377..a55ca15 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1120,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1121,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) 
@@ -31296,7 +31299,7 @@ index 8b40377..a55ca15 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1135,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1136,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -31338,7 +31341,7 @@ index 8b40377..a55ca15 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1186,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1187,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -31370,7 +31373,7 @@ index 8b40377..a55ca15 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1219,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1220,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -31385,7 +31388,7 @@ index 8b40377..a55ca15 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1240,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1241,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -31409,7 +31412,7 @@ index 8b40377..a55ca15 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1259,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1260,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) 
@@ -31418,7 +31421,7 @@ index 8b40377..a55ca15 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1303,54 @@ optional_policy(` +@@ -785,17 +1304,54 @@ optional_policy(` ') optional_policy(` @@ -31475,7 +31478,7 @@ index 8b40377..a55ca15 100644 ') optional_policy(` -@@ -803,6 +1358,10 @@ optional_policy(` +@@ -803,6 +1359,10 @@ optional_policy(` ') optional_policy(` @@ -31486,7 +31489,7 @@ index 8b40377..a55ca15 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1377,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1378,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -31511,7 +31514,7 @@ index 8b40377..a55ca15 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1400,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1401,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -31546,7 +31549,7 @@ index 8b40377..a55ca15 100644 ') optional_policy(` -@@ -912,7 +1465,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1466,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -31555,7 +31558,7 @@ index 8b40377..a55ca15 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1519,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1520,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -31587,7 +31590,7 @@ index 8b40377..a55ca15 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1565,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1566,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -38775,7 +38778,7 @@ index 73bb3c0..a70bee5 100644 + +/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if -index 808ba93..57a68da 100644 +index 808ba93..baca326 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if @@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',` @@ -38812,65 +38815,113 @@ index 808ba93..57a68da 100644 manage_files_pattern($1, lib_t, ld_so_t) ') -@@ -205,8 +225,26 @@ interface(`libs_search_lib',` +@@ -205,68 +225,87 @@ interface(`libs_search_lib',` type lib_t; ') + read_lnk_files_pattern($1, lib_t, lib_t) allow $1 lib_t:dir search_dir_perms; ') -+######################################## -+## +- + ######################################## + ## +-## Do not audit attempts to write to library directories. +## dontaudit attempts to setattr on library files -+## -+## -+## -+## Domain to not audit. -+## -+## -+# + ## +-## +-##

+-## Do not audit attempts to write to library directories. +-## Typically this is used to quiet attempts to recompile +-## python byte code. +-##

+-##
+ ## + ## + ## Domain to not audit. + ## + ## + # +-interface(`libs_dontaudit_write_lib_dirs',` +interface(`libs_dontaudit_setattr_lib_files',` -+ gen_require(` -+ type lib_t; -+ ') -+ + gen_require(` + type lib_t; + ') + +- dontaudit $1 lib_t:dir write; + dontaudit $1 lib_t:file setattr; -+') + ') ######################################## ## -@@ -248,29 +286,12 @@ interface(`libs_manage_lib_dirs',` +-## Create, read, write, and delete library directories. ++## dontaudit attempts to setattr on library dirs + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`libs_manage_lib_dirs',` ++interface(`libs_dontaudit_setattr_lib_dirs',` + gen_require(` type lib_t; ') -+ read_lnk_files_pattern($1, lib_t, lib_t) - allow $1 lib_t:dir manage_dir_perms; +- allow $1 lib_t:dir manage_dir_perms; ++ dontaudit $1 lib_t:dir setattr; ') ######################################## ## -## dontaudit attempts to setattr on library files --## --## --## --## Domain to not audit. --## --## --# ++## Do not audit attempts to write to library directories. + ## ++## ++##

++## Do not audit attempts to write to library directories. ++## Typically this is used to quiet attempts to recompile ++## python byte code. ++##

++##
+ ## + ## + ## Domain to not audit. + ## + ## + # -interface(`libs_dontaudit_setattr_lib_files',` -- gen_require(` -- type lib_t; -- ') -- ++interface(`libs_dontaudit_write_lib_dirs',` + gen_require(` + type lib_t; + ') + - dontaudit $1 lib_t:file setattr; --') -- --######################################## --## - ## Read files in the library directories, such - ## as static libraries. - ## -@@ -345,6 +366,7 @@ interface(`libs_manage_lib_files',` ++ dontaudit $1 lib_t:dir write; ++') ++ ++######################################## ++## ++## Create, read, write, and delete library directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`libs_manage_lib_dirs',` ++ gen_require(` ++ type lib_t; ++ ') ++ ++ read_lnk_files_pattern($1, lib_t, lib_t) ++ allow $1 lib_t:dir manage_dir_perms; + ') + + ######################################## +@@ -345,6 +384,7 @@ interface(`libs_manage_lib_files',` type lib_t; ') @@ -38878,7 +38929,7 @@ index 808ba93..57a68da 100644 manage_files_pattern($1, lib_t, lib_t) ') -@@ -421,7 +443,8 @@ interface(`libs_manage_shared_libs',` +@@ -421,7 +461,8 @@ interface(`libs_manage_shared_libs',` type lib_t, textrel_shlib_t; ') @@ -38888,7 +38939,7 @@ index 808ba93..57a68da 100644 ') ######################################## -@@ -440,9 +463,10 @@ interface(`libs_use_shared_libs',` +@@ -440,9 +481,10 @@ interface(`libs_use_shared_libs',` ') files_search_usr($1) @@ -38902,7 +38953,7 @@ index 808ba93..57a68da 100644 allow $1 textrel_shlib_t:file execmod; ') -@@ -483,7 +507,7 @@ interface(`libs_relabel_shared_libs',` +@@ -483,7 +525,7 @@ interface(`libs_relabel_shared_libs',` type lib_t, textrel_shlib_t; ') @@ -38911,7 +38962,7 @@ index 808ba93..57a68da 100644 ') ######################################## -@@ -534,3 +558,28 @@ interface(`lib_filetrans_shared_lib',` +@@ -534,3 +576,28 @@ interface(`lib_filetrans_shared_lib',` interface(`files_lib_filetrans_shared_lib',` refpolicywarn(`$0($*) has been deprecated.') ') 
@@ -45880,10 +45931,10 @@ index 0000000..21963a2 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..3303edd +index 0000000..d1356af --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1823 @@ +@@ -0,0 +1,1842 @@ +## SELinux policy for systemd components + +###################################### @@ -46394,6 +46445,25 @@ index 0000000..3303edd + +####################################### +## ++## Allow a domain to execute systemd-sysctl in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_tmpfiles_exec',` ++ gen_require(` ++ type systemd_tmpfiles_exec_t; ++ ') ++ ++ can_exec($1,systemd_tmpfiles_exec_t) ++ ++') ++ ++####################################### ++## +## Execute a domain transition to run systemd-tmpfiles. +## +## diff --git a/policy-f25-contrib.patch b/policy-f25-contrib.patch index 01537b3..93708cc 100644 --- a/policy-f25-contrib.patch +++ b/policy-f25-contrib.patch @@ -10896,7 +10896,7 @@ index 02fefaa..308616e 100644 + ') ') diff --git a/boinc.te b/boinc.te -index 687d4c4..bce6267 100644 +index 687d4c4..ff57137 100644 --- a/boinc.te +++ b/boinc.te @@ -1,4 +1,4 @@ @@ -11091,7 +11091,7 @@ index 687d4c4..bce6267 100644 -files_read_usr_files(boinc_t) -fs_getattr_all_fs(boinc_t) -+auth_read_passwd(boinc_t) ++auth_use_nsswitch(boinc_t) term_getattr_all_ptys(boinc_t) term_getattr_unallocated_ttys(boinc_t) @@ -29208,7 +29208,7 @@ index c62c567..a74f123 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3..0235724 100644 +index 98072a3..e6904e2 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t) 
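Review bot: The description of the new `systemd_tmpfiles_exec` interface reads `Allow a domain to execute systemd-sysctl in the caller domain.` but the body executes `systemd_tmpfiles_exec_t`; it should read `Allow a domain to execute systemd-tmpfiles in the caller domain.` Because there is no domain transition, tmpfiles runs with the caller's permissions rather than the tmpfiles domain's, which is the least-privilege choice but also means any tmpfiles.d entry the caller cannot satisfy surfaces as an AVC denial in the caller's domain; a short sentence saying so in the interface doc would save the next reader a trip to the audit log. Also `can_exec($1,systemd_tmpfiles_exec_t)` should get a space after the comma to match the surrounding interfaces.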
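Review bot: Replacing `auth_read_passwd(boinc_t)` with `auth_use_nsswitch(boinc_t)` grants considerably more than the passwd read it replaces; in refpolicy that interface typically brings in DNS resolution and optional nscd/sssd/ldap client access, so the network-facing boinc daemon gains name-service network paths rather than a single file read. If the motivating denial was user lookups going through sssd or nscd this is still the conventional fix, but a why-comment next to the call would justify the widening, e.g. `# user lookups go through nsswitch (sssd/nscd), not only /etc/passwd`. The boinc_t rule block continues outside the hunk.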
@@ -29259,7 +29259,7 @@ index 98072a3..0235724 100644 corecmd_exec_bin(firewalld_t) corecmd_exec_shell(firewalld_t) -@@ -63,20 +79,26 @@ dev_search_sysfs(firewalld_t) +@@ -63,20 +79,27 @@ dev_search_sysfs(firewalld_t) domain_use_interactive_fds(firewalld_t) @@ -29276,6 +29276,7 @@ index 98072a3..0235724 100644 -miscfiles_read_localization(firewalld_t) +libs_exec_ldconfig(firewalld_t) ++libs_dontaudit_write_lib_dirs(firewalld_t) -seutil_exec_setfiles(firewalld_t) -seutil_read_file_contexts(firewalld_t) @@ -29293,7 +29294,7 @@ index 98072a3..0235724 100644 optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -91,10 +113,15 @@ optional_policy(` +@@ -91,10 +114,15 @@ optional_policy(` optional_policy(` networkmanager_dbus_chat(firewalld_t) @@ -50930,7 +50931,7 @@ index b1ac8b5..24782b3 100644 + ') +') diff --git a/modemmanager.te b/modemmanager.te -index d15eb5b..2055876 100644 +index d15eb5b..ad481ce 100644 --- a/modemmanager.te +++ b/modemmanager.te @@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t) @@ -50953,16 +50954,17 @@ index d15eb5b..2055876 100644 kernel_read_system_state(modemmanager_t) +-dev_read_sysfs(modemmanager_t) +-dev_rw_modem(modemmanager_t) +auth_read_passwd(modemmanager_t) -+ + +-files_read_etc_files(modemmanager_t) +corecmd_exec_bin(modemmanager_t) + - dev_read_sysfs(modemmanager_t) ++dev_rw_sysfs(modemmanager_t) +dev_read_urand(modemmanager_t) - dev_rw_modem(modemmanager_t) ++dev_rw_modem(modemmanager_t) --files_read_etc_files(modemmanager_t) -- term_use_generic_ptys(modemmanager_t) term_use_unallocated_ttys(modemmanager_t) +term_use_usb_ttys(modemmanager_t) @@ -91985,7 +91987,7 @@ index 3b5e9ee..ff1163f 100644 + admin_pattern($1, rpcbind_var_run_t) ') diff --git a/rpcbind.te b/rpcbind.te -index 54de77c..4ce4fb9 100644 +index 54de77c..8891c9d 100644 --- a/rpcbind.te +++ b/rpcbind.te @@ -12,6 +12,9 @@ init_daemon_domain(rpcbind_t, rpcbind_exec_t) 
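Review bot: `libs_dontaudit_write_lib_dirs(firewalld_t)` stops logging denied writes by firewalld to lib_t directories; the interface's own description says it exists to quiet python byte-code recompilation, which fits a python daemon, but it also means a compromised firewalld trying to drop files into the library tree is still denied yet no longer visible in audit. A comment naming the cause, e.g. `# python tries to rewrite .pyc files in lib_t dirs; denied and not worth auditing`, would let a later reader decide whether the dontaudit is still warranted. If the writes are really to a firewalld-specific subdirectory, labeling that directory with a firewalld type and allowing it explicitly would be the better fix.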
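Review bot: `dev_rw_sysfs(modemmanager_t)` replaces `dev_read_sysfs` and grants write to every file labeled sysfs_t, while the changelog says the need was to write a single `raw_ip` attribute of the modem; sysfs writes can alter device, power and kernel tunables far beyond modems. Prefer a narrower grant, either a more specific sysfs interface if one covers the attribute or a dedicated type for the modem's sysfs attributes, and keep `dev_read_sysfs(modemmanager_t)` for the rest. At minimum the line deserves a comment such as `# write is for the modem raw_ip sysfs attribute; sysfs_t is broader than wanted`.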
@@ -92031,7 +92033,7 @@ index 54de77c..4ce4fb9 100644 corenet_all_recvfrom_netlabel(rpcbind_t) corenet_tcp_sendrecv_generic_if(rpcbind_t) corenet_udp_sendrecv_generic_if(rpcbind_t) -@@ -68,7 +77,11 @@ auth_use_nsswitch(rpcbind_t) +@@ -68,7 +77,15 @@ auth_use_nsswitch(rpcbind_t) logging_send_syslog_msg(rpcbind_t) @@ -92041,6 +92043,10 @@ index 54de77c..4ce4fb9 100644 +optional_policy(` + nis_use_ypbind(rpcbind_t) +') ++ ++optional_policy(` ++ systemd_tmpfiles_exec(rpcbind_t) ++') ifdef(`distro_debian',` term_dontaudit_use_unallocated_ttys(rpcbind_t) @@ -109299,10 +109305,10 @@ index 0000000..9524b50 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..ab916b7 +index 0000000..d366c8b --- /dev/null +++ b/thumb.te -@@ -0,0 +1,167 @@ +@@ -0,0 +1,168 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -109341,6 +109347,7 @@ index 0000000..ab916b7 + +allow thumb_t self:fifo_file manage_fifo_file_perms; +allow thumb_t self:unix_stream_socket create_stream_socket_perms; ++allow thumb_t self:unix_dgram_socket create_socket_perms; +allow thumb_t self:netlink_route_socket r_netlink_socket_perms; +allow thumb_t self:netlink_kobject_uevent_socket create_socket_perms; +allow thumb_t self:udp_socket create_socket_perms; @@ -115084,7 +115091,7 @@ index facdee8..487857a 100644 + dontaudit $1 virtd_t:lnk_file read_lnk_file_perms; ') diff --git a/virt.te b/virt.te -index f03dcf5..71afe45 100644 +index f03dcf5..39524ae 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,414 @@ @@ -116109,7 +116116,7 @@ index f03dcf5..71afe45 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +719,347 @@ optional_policy(` +@@ -746,44 +719,350 @@ optional_policy(` udev_read_pid_files(virtd_t) ') 
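Review bot: `systemd_tmpfiles_exec(rpcbind_t)` runs systemd-tmpfiles inside rpcbind_t instead of transitioning to the tmpfiles domain, so whatever it creates is limited to what rpcbind_t can already create; that is the least-privilege choice, but it is also why tmpfiles entries outside rpcbind's own runtime types will fail with denials attributed to rpcbind_t. A one-line comment naming the tmpfiles.d entry rpcbind invokes this for, e.g. `# rpcbind runs systemd-tmpfiles for its own runtime dir; no transition wanted`, would help whoever next sees such an AVC. Note the interface it depends on is new in this same release (systemd.if in the base patch), so this contrib change must ship together with the base policy change.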
@@ -116323,7 +116330,7 @@ index f03dcf5..71afe45 100644 +term_getattr_pty_fs(virt_domain) +term_use_generic_ptys(virt_domain) +term_use_ptmx(virt_domain) -+ + +tunable_policy(`virt_use_execmem',` + allow virt_domain self:process { execmem execstack }; +') @@ -116351,7 +116358,10 @@ index f03dcf5..71afe45 100644 +optional_policy(` + sssd_dontaudit_stream_connect(virt_domain) + sssd_dontaudit_read_lib(virt_domain) -+ sssd_dontaudit_read_public_files(virt_domain) ++') ++ ++optional_policy(` ++ sssd_read_public_files(virt_domain) +') + +optional_policy(` @@ -116415,7 +116425,7 @@ index f03dcf5..71afe45 100644 + sanlock_stream_connect(virt_domain) + ') +') - ++ +tunable_policy(`virt_use_rawip',` + allow virt_domain self:rawip_socket create_socket_perms; +') @@ -116479,7 +116489,7 @@ index f03dcf5..71afe45 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1070,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1073,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -116506,7 +116516,7 @@ index f03dcf5..71afe45 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1090,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1093,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -116523,10 +116533,10 @@ index f03dcf5..71afe45 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) ++ ++auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) -+auth_read_passwd(virsh_t) -+ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) @@ -116540,7 +116550,7 @@ index f03dcf5..71afe45 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1127,20 @@ optional_policy(` +@@ -856,14 +1130,20 @@ optional_policy(` ') optional_policy(` 
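Review bot: The sssd change leaves two adjacent `optional_policy(` blocks for the same module, one holding `sssd_dontaudit_stream_connect`/`sssd_dontaudit_read_lib` and a new one holding only `sssd_read_public_files(virt_domain)`, which could be a single block. More importantly it turns a dontaudit into an allow for every virt_domain, not only the SPICE/SASL GSSAPI case the changelog names; since the other optional virt_domain features in this file (`virt_use_execmem`, `virt_use_rawip`) are gated by tunables, consider gating this one the same way or adding a comment stating why it is unconditional, e.g. `# qemu needs sssd public files for SASL/GSSAPI SPICE authentication`.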
@@ -116562,7 +116572,7 @@ index f03dcf5..71afe45 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1165,66 @@ optional_policy(` +@@ -888,49 +1168,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -116647,7 +116657,7 @@ index f03dcf5..71afe45 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1236,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1239,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -116667,7 +116677,7 @@ index f03dcf5..71afe45 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1257,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1260,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -116691,7 +116701,7 @@ index f03dcf5..71afe45 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1282,355 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1285,355 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -116705,21 +116715,20 @@ index f03dcf5..71afe45 100644 -logging_send_syslog_msg(virtd_lxc_t) +userdom_read_admin_home_files(virtd_lxc_t) - --miscfiles_read_localization(virtd_lxc_t) ++ +optional_policy(` + dbus_system_bus_client(virtd_lxc_t) + init_dbus_chat(virtd_lxc_t) --seutil_domtrans_setfiles(virtd_lxc_t) --seutil_read_config(virtd_lxc_t) --seutil_read_default_contexts(virtd_lxc_t) +-miscfiles_read_localization(virtd_lxc_t) + optional_policy(` + hal_dbus_chat(virtd_lxc_t) + ') +') --sysnet_domtrans_ifconfig(virtd_lxc_t) +-seutil_domtrans_setfiles(virtd_lxc_t) +-seutil_read_config(virtd_lxc_t) +-seutil_read_default_contexts(virtd_lxc_t) +optional_policy(` + container_exec_lib(virtd_lxc_t) +') 
@@ -116731,7 +116740,8 @@ index f03dcf5..71afe45 100644 +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + unconfined_domain(virtd_lxc_t) +') 
@@ -116764,7 +116774,89 @@ index f03dcf5..71afe45 100644 +tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; +') -+ + +-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; +-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; +-allow svirt_lxc_domain self:fifo_file manage_file_perms; +-allow svirt_lxc_domain self:sem create_sem_perms; +-allow svirt_lxc_domain self:shm create_shm_perms; +-allow svirt_lxc_domain self:msgq create_msgq_perms; +-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; +-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; +- +-allow svirt_lxc_domain virtd_lxc_t:fd use; +-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; +-allow svirt_lxc_domain virtd_lxc_t:process sigchld; +- +-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; +- +-allow svirt_lxc_domain virsh_t:fd use; +-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; +-allow svirt_lxc_domain virsh_t:process sigchld; +- +-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; +-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; +- +-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +- +-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; +-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; +- +-can_exec(svirt_lxc_domain, 
svirt_lxc_file_t) +- +-kernel_getattr_proc(svirt_lxc_domain) +-kernel_list_all_proc(svirt_lxc_domain) +-kernel_read_kernel_sysctls(svirt_lxc_domain) +-kernel_rw_net_sysctls(svirt_lxc_domain) +-kernel_read_system_state(svirt_lxc_domain) +-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) +- +-corecmd_exec_all_executables(svirt_lxc_domain) +- +-files_dontaudit_getattr_all_dirs(svirt_lxc_domain) +-files_dontaudit_getattr_all_files(svirt_lxc_domain) +-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) +-files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +-files_dontaudit_getattr_all_sockets(svirt_lxc_domain) +-files_dontaudit_list_all_mountpoints(svirt_lxc_domain) +-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) +-# files_entrypoint_all_files(svirt_lxc_domain) +-files_list_var(svirt_lxc_domain) +-files_list_var_lib(svirt_lxc_domain) +-files_search_all(svirt_lxc_domain) +-files_read_config_files(svirt_lxc_domain) +-files_read_usr_files(svirt_lxc_domain) +-files_read_usr_symlinks(svirt_lxc_domain) +- +-fs_getattr_all_fs(svirt_lxc_domain) +-fs_list_inotifyfs(svirt_lxc_domain) +- +-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) +-# fs_rw_inherited_cifs_files(svirt_lxc_domain) +-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) +- +-auth_dontaudit_read_login_records(svirt_lxc_domain) +-auth_dontaudit_write_login_records(svirt_lxc_domain) +-auth_search_pam_console_data(svirt_lxc_domain) +- +-clock_read_adjtime(svirt_lxc_domain) +- +-init_read_utmp(svirt_lxc_domain) +-init_dontaudit_write_utmp(svirt_lxc_domain) +- +-libs_dontaudit_setattr_lib_files(svirt_lxc_domain) +- +-miscfiles_read_localization(svirt_lxc_domain) +-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) +-miscfiles_read_fonts(svirt_lxc_domain) +- +-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; +allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; +allow 
virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; 
@@ -116854,110 +116946,30 @@ index f03dcf5..71afe45 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) -+ -+optional_policy(` + + optional_policy(` +- udev_read_pid_files(svirt_lxc_domain) +tunable_policy(`virt_sandbox_share_apache_content',` + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) + ') -+') -+ -+optional_policy(` + ') + + optional_policy(` +- apache_exec_modules(svirt_lxc_domain) +- apache_read_sys_content(svirt_lxc_domain) + mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') + +optional_policy(` + ssh_use_ptys(svirt_sandbox_domain) +') - --allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; --allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; --allow svirt_lxc_domain self:fifo_file manage_file_perms; --allow svirt_lxc_domain self:sem create_sem_perms; --allow svirt_lxc_domain self:shm create_shm_perms; --allow svirt_lxc_domain self:msgq create_msgq_perms; --allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; --allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; -- --allow svirt_lxc_domain virtd_lxc_t:fd use; --allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; --allow svirt_lxc_domain virtd_lxc_t:process sigchld; -- --allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; -- --allow svirt_lxc_domain virsh_t:fd use; --allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; --allow svirt_lxc_domain virsh_t:process sigchld; -- --allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; --allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; -- --manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) 
--manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -- --allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; --allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; -- --can_exec(svirt_lxc_domain, svirt_lxc_file_t) -- --kernel_getattr_proc(svirt_lxc_domain) --kernel_list_all_proc(svirt_lxc_domain) --kernel_read_kernel_sysctls(svirt_lxc_domain) --kernel_rw_net_sysctls(svirt_lxc_domain) --kernel_read_system_state(svirt_lxc_domain) --kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) -- --corecmd_exec_all_executables(svirt_lxc_domain) -- --files_dontaudit_getattr_all_dirs(svirt_lxc_domain) --files_dontaudit_getattr_all_files(svirt_lxc_domain) --files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) --files_dontaudit_getattr_all_pipes(svirt_lxc_domain) --files_dontaudit_getattr_all_sockets(svirt_lxc_domain) --files_dontaudit_list_all_mountpoints(svirt_lxc_domain) --files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) --# files_entrypoint_all_files(svirt_lxc_domain) --files_list_var(svirt_lxc_domain) --files_list_var_lib(svirt_lxc_domain) --files_search_all(svirt_lxc_domain) --files_read_config_files(svirt_lxc_domain) --files_read_usr_files(svirt_lxc_domain) --files_read_usr_symlinks(svirt_lxc_domain) -- --fs_getattr_all_fs(svirt_lxc_domain) --fs_list_inotifyfs(svirt_lxc_domain) -- --# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) --# fs_rw_inherited_cifs_files(svirt_lxc_domain) --# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) -- --auth_dontaudit_read_login_records(svirt_lxc_domain) 
--auth_dontaudit_write_login_records(svirt_lxc_domain) --auth_search_pam_console_data(svirt_lxc_domain) -- --clock_read_adjtime(svirt_lxc_domain) -- --init_read_utmp(svirt_lxc_domain) --init_dontaudit_write_utmp(svirt_lxc_domain) -- --libs_dontaudit_setattr_lib_files(svirt_lxc_domain) -- --miscfiles_read_localization(svirt_lxc_domain) --miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) --miscfiles_read_fonts(svirt_lxc_domain) -- --mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) ++ +optional_policy(` + udev_read_pid_files(svirt_sandbox_domain) +') - - optional_policy(` -- udev_read_pid_files(svirt_lxc_domain) ++ ++optional_policy(` + userhelper_dontaudit_write_config(svirt_sandbox_domain) +') + @@ -116987,11 +116999,9 @@ index f03dcf5..71afe45 100644 + fs_mount_fusefs(svirt_sandbox_domain) + fs_unmount_fusefs(svirt_sandbox_domain) + fs_exec_fusefs_files(svirt_sandbox_domain) - ') - - optional_policy(` -- apache_exec_modules(svirt_lxc_domain) -- apache_read_sys_content(svirt_lxc_domain) ++') ++ ++optional_policy(` + container_read_share_files(svirt_sandbox_domain) + container_exec_share_files(svirt_sandbox_domain) + container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file) @@ -117136,11 +117146,11 @@ index f03dcf5..71afe45 100644 +manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file }) -+ -+term_use_generic_ptys(svirt_qemu_net_t) -+term_use_ptmx(svirt_qemu_net_t) -allow svirt_prot_exec_t self:process { execmem execstack }; ++term_use_generic_ptys(svirt_qemu_net_t) ++term_use_ptmx(svirt_qemu_net_t) ++ +dev_rw_kvm(svirt_qemu_net_t) + +manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) 
@@ -117192,7 +117202,7 @@ index f03dcf5..71afe45 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1643,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1646,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -117207,7 +117217,7 @@ index f03dcf5..71afe45 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1661,7 @@ optional_policy(` +@@ -1192,7 +1664,7 @@ optional_policy(` ######################################## # @@ -117216,7 +117226,7 @@ index f03dcf5..71afe45 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1670,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1673,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 5d8a6a7..e369745 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 225.18%{?dist} +Release: 225.19%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -683,6 +683,18 @@ exit 0 %endif %changelog +* Fri Jun 23 2017 Lukas Vrabec - 3.13.1-225.19 +- Allow boinc_t nsswitch +- Dontaudit firewalld to write to lib_t dirs +- Allow modemmanager_t domain to write to raw_ip file labeled as sysfs_t +- Allow thumb_t domain to allow create dgram sockets +- Allow rpcbind_t to execute systemd_tmpfiles_exec_t binary files. +- Allow qemu to authenticate SPICE connections with SASL GSSAPI when SSSD is in use +- Allow unconfined_t user all user namespace capabilties. +- Add interface systemd_tmpfiles_exec() +- Dontaudit xdm_t domain to setattr on lib_t dirs +- Add interface libs_dontaudit_setattr_lib_files() + * Thu Jun 08 2017 Lukas Vrabec - 3.13.1-225.18 - Add a boolean to enable the use of dac_override - Add support for userns for sandbox domains