diff --git a/container-selinux.tgz b/container-selinux.tgz
index dacf9c7..5589848 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-f27-base.patch b/policy-f27-base.patch
index d707438..5a6303e 100644
--- a/policy-f27-base.patch
+++ b/policy-f27-base.patch
@@ -26631,10 +26631,10 @@ index 000000000..d9efb902a
+#/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
new file mode 100644
-index 000000000..bb9082586
+index 000000000..ecc53819c
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.if
-@@ -0,0 +1,763 @@
+@@ -0,0 +1,764 @@
+## Unconfined user role
+
+########################################
@@ -27110,6 +27110,7 @@ index 000000000..bb9082586
+ ')
+
+ dontaudit $1 unconfined_t:dir list_dir_perms;
++ dontaudit $1 unconfined_t:file read_file_perms;
+')
+
+########################################
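Review bot: The added `dontaudit $1 unconfined_t:file read_file_perms;` makes every caller of this interface silently fail when it reads the process-state files of unconfined_t, and nothing next to the rule records that loss of audit visibility. I would put a comment above it such as `# Silences denied reads of unconfined_t /proc/<pid> files; visible again only with dontaudit rules disabled (semodule -DB)`. The interface's `## <summary>` block should also say that files are now covered as well as directories. The interface header and its summary are outside this hunk, so its name is inferred from the changelog entry (`unconfined_dontaudit_read_state()`). The rule pair covers `dir` and `file` but not `lnk_file`, so if callers also resolve the symlinks under /proc/<pid>, those denials would presumably still be logged; it is worth confirming that this is intended.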
diff --git a/policy-f27-contrib.patch b/policy-f27-contrib.patch
index bfd045d..8b4161e 100644
--- a/policy-f27-contrib.patch
+++ b/policy-f27-contrib.patch
@@ -97198,7 +97198,7 @@ index 50d07fb2e..a34db489c 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 2b7c441e7..c9e72f196 100644
+index 2b7c441e7..adf980ca1 100644
--- a/samba.te
+++ b/samba.te
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@@ -97908,7 +97908,7 @@ index 2b7c441e7..c9e72f196 100644
manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +627,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +627,17 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -97924,6 +97924,7 @@ index 2b7c441e7..c9e72f196 100644
manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
files_var_filetrans(nmbd_t, samba_var_t, dir, "samba")
++allow nmbd_t samba_var_t:file map;
-allow nmbd_t { swat_t smbcontrol_t }:process signal;
-
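Review bot: The new `allow nmbd_t samba_var_t:file map;` has no comment explaining why nmbd needs to memory-map these files, and it sits after the `files_var_filetrans` lines rather than beside the other `samba_var_t` access rules for nmbd_t. I would add `# nmbd_t mmaps files labeled samba_var_t, BZ(1505877)` directly above it, so the grant can be traced back to the denial that motivated it. The permission applies to every file of that type, so confirm that the file in the bug report is one nmbd legitimately maps rather than a mislabeled one. The other Samba domains in this module that manage `samba_var_t` (smbmount_t and winbind_t appear in later hunk headers) get no matching rule here; if they map the same files, they will presumably hit the same denial. The rest of the nmbd_t local policy lies outside this hunk.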
@@ -97933,7 +97934,7 @@ index 2b7c441e7..c9e72f196 100644
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
-@@ -547,53 +644,44 @@ kernel_read_kernel_sysctls(nmbd_t)
+@@ -547,53 +645,44 @@ kernel_read_kernel_sysctls(nmbd_t)
kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
@@ -98002,7 +98003,7 @@ index 2b7c441e7..c9e72f196 100644
')
optional_policy(`
-@@ -606,18 +694,29 @@ optional_policy(`
+@@ -606,18 +695,29 @@ optional_policy(`
########################################
#
@@ -98038,7 +98039,7 @@ index 2b7c441e7..c9e72f196 100644
samba_read_config(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -627,39 +726,38 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,39 +727,38 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
@@ -98090,7 +98091,7 @@ index 2b7c441e7..c9e72f196 100644
allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -668,26 +766,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +767,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@@ -98126,7 +98127,7 @@ index 2b7c441e7..c9e72f196 100644
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
-@@ -699,58 +793,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +794,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
@@ -98219,7 +98220,7 @@ index 2b7c441e7..c9e72f196 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +872,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +873,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
@@ -98243,7 +98244,7 @@ index 2b7c441e7..c9e72f196 100644
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -777,36 +886,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +887,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
@@ -98286,7 +98287,7 @@ index 2b7c441e7..c9e72f196 100644
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -818,10 +916,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +917,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@@ -98300,7 +98301,7 @@ index 2b7c441e7..c9e72f196 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -840,17 +939,20 @@ optional_policy(`
+@@ -840,17 +940,20 @@ optional_policy(`
# Winbind local policy
#
@@ -98327,7 +98328,7 @@ index 2b7c441e7..c9e72f196 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +962,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +963,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -98338,7 +98339,7 @@ index 2b7c441e7..c9e72f196 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -870,41 +970,46 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
+@@ -870,41 +971,46 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t)
files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
@@ -98397,7 +98398,7 @@ index 2b7c441e7..c9e72f196 100644
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,38 +1017,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,38 +1018,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
@@ -98456,7 +98457,7 @@ index 2b7c441e7..c9e72f196 100644
')
optional_policy(`
-@@ -959,31 +1078,36 @@ optional_policy(`
+@@ -959,31 +1079,36 @@ optional_policy(`
# Winbind helper local policy
#
@@ -98500,7 +98501,7 @@ index 2b7c441e7..c9e72f196 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -997,25 +1121,38 @@ optional_policy(`
+@@ -997,25 +1122,38 @@ optional_policy(`
########################################
#
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 96db5f2..9837173 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 283.12%{?dist}
+Release: 283.13%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -722,6 +722,10 @@ exit 0
%endif
%changelog
+* Wed Oct 25 2017 Lukas Vrabec - 3.13.1-283.13
+- Allow nmbd_t domain to mmap files labeled as samba_var_t. BZ(1505877)
+- Updatre unconfined_dontaudit_read_state() interface to dontaudit also acess to files. BZ(1503466)
+
* Tue Oct 24 2017 Lukas Vrabec - 3.13.1-283.12
- Allow chronyd_t do request kernel module and block_suspend capability
- Allow system_cronjob_t to create /var/lib/letsencrypt dir with right label