diff --git a/docker-selinux.tgz b/docker-selinux.tgz index e1394dc..b5f593d 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index b0588bc..dfc836d 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -25403,10 +25403,10 @@ index 234a940..a92415a 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 0fef1fc..008545e 100644 +index 0fef1fc..59d8b87 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te -@@ -8,12 +8,72 @@ policy_module(staff, 2.4.0) +@@ -8,12 +8,73 @@ policy_module(staff, 2.4.0) role staff_r; userdom_unpriv_user_template(staff) @@ -25434,6 +25434,7 @@ index 0fef1fc..008545e 100644 + +fs_read_hugetlbfs_files(staff_t) +files_dontaudit_read_all_symlinks(staff_t) ++fs_read_tmpfs_files(staff_t) + +dev_read_cpuid(staff_t) +dev_read_kmsg(staff_t) @@ -25479,7 +25480,7 @@ index 0fef1fc..008545e 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +83,115 @@ optional_policy(` +@@ -23,11 +84,115 @@ optional_policy(` ') optional_policy(` @@ -25596,7 +25597,7 @@ index 0fef1fc..008545e 100644 ') optional_policy(` -@@ -35,15 +199,31 @@ optional_policy(` +@@ -35,15 +200,31 @@ optional_policy(` ') optional_policy(` @@ -25630,7 +25631,7 @@ index 0fef1fc..008545e 100644 ') optional_policy(` -@@ -52,11 +232,61 @@ optional_policy(` +@@ -52,11 +233,61 @@ optional_policy(` ') optional_policy(` @@ -25693,7 +25694,7 @@ index 0fef1fc..008545e 100644 ') ifndef(`distro_redhat',` -@@ -65,10 +295,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +296,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25704,7 +25705,7 @@ index 0fef1fc..008545e 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +304,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +305,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) 
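Review bot: `fs_read_tmpfs_files(staff_t)` (the `++` line in the `@@ -25434` hunk) grants the unprivileged staff domain read access to the generic tmpfs type as a whole, and nothing in the policy text records why; the only trace is the spec changelog's BZ(1378446). A one-line comment next to the call, e.g. `# read access to tmpfs_t content for staff (BZ 1378446)`, keeps the rationale with the rule when the patch is next rebased. The line also lands between `files_dontaudit_read_all_symlinks` and the `dev_read_*` calls rather than next to the `fs_read_hugetlbfs_files` call just above it; keeping the `fs_` calls adjacent matches the grouping used elsewhere in the block. The staff_t rule block starts and ends outside this hunk.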
@@ -25715,7 +25716,7 @@ index 0fef1fc..008545e 100644 ') optional_policy(` -@@ -101,10 +323,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +324,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25726,7 +25727,7 @@ index 0fef1fc..008545e 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +343,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +344,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25737,7 +25738,7 @@ index 0fef1fc..008545e 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +355,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +356,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25748,7 +25749,7 @@ index 0fef1fc..008545e 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +386,22 @@ ifndef(`distro_redhat',` +@@ -176,3 +387,23 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -25768,6 +25769,7 @@ index 0fef1fc..008545e 100644 + dev_rw_kvm(staff_t) + virt_manage_images(staff_t) + virt_stream_connect_svirt(staff_t) ++ virt_rw_stream_sockets_svirt(staff_t) + virt_exec(staff_t) + ') +') @@ -31789,7 +31791,7 @@ index 6bf0ecc..e6be63a 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..a1eab03 100644 +index 8b40377..010654c 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -32353,7 +32355,7 @@ index 8b40377..a1eab03 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +612,29 @@ files_list_mnt(xdm_t) +@@ -431,9 +612,30 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) 
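Review bot: `virt_rw_stream_sockets_svirt(staff_t)` in the `@@ -25768` hunk lets staff_t read and write unix stream sockets owned by svirt_t, which goes beyond the `connectto` that the neighbouring `virt_stream_connect_svirt` call already grants — read/write on the peer's socket only matters when an svirt_t socket descriptor is handed to the staff process. The enclosing `optional_policy` block begins outside the hunk, so whether this sits under a tunable cannot be seen here; it should stay behind the same condition as the `dev_rw_kvm`/`virt_manage_images` lines it joins. A short comment such as `# staff may use svirt_t stream sockets passed to it (BZ 1379314)` would document the intent in the policy rather than only in the spec changelog.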
@@ -32377,13 +32379,14 @@ index 8b40377..a1eab03 100644 +fs_dontaudit_read_noxattr_fs_files(xdm_t) +fs_manage_cgroup_dirs(xdm_t) +fs_manage_cgroup_files(xdm_t) ++mount_read_pid_files(xdm_t) + +mls_socket_write_to_clearance(xdm_t) +mls_trusted_object(xdm_t) storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,28 +643,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -442,28 +644,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -32434,7 +32437,7 @@ index 8b40377..a1eab03 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +691,163 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +692,163 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -32604,7 +32607,7 @@ index 8b40377..a1eab03 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +860,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +861,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') @@ -32636,7 +32639,7 @@ index 8b40377..a1eab03 100644 ') optional_policy(` -@@ -518,8 +895,36 @@ optional_policy(` +@@ -518,8 +896,36 @@ optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -32674,7 +32677,7 @@ index 8b40377..a1eab03 100644 ') ') -@@ -530,6 +935,20 @@ optional_policy(` +@@ -530,6 +936,20 @@ optional_policy(` ') optional_policy(` @@ -32695,7 +32698,7 @@ index 8b40377..a1eab03 100644 hostname_exec(xdm_t) ') -@@ -547,28 +966,78 @@ optional_policy(` +@@ -547,28 +967,78 @@ optional_policy(` ') optional_policy(` 
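Review bot: `mount_read_pid_files(xdm_t)` in the `@@ -32377` hunk is dropped between the `fs_manage_cgroup_*` calls and the `mls_*` calls, so a `mount_` interface now interrupts the kernel-layer `fs_`/`mls_` run; the rest of this section keeps interfaces grouped by module, and the call would read more naturally after `mls_trusted_object(xdm_t)` or alongside the other system-layer calls. The spec changelog credits this change to BZ(1377113), the same number it gives the unrelated devicekit/policykit change, which looks like a copy-paste slip worth checking before the build is tagged. The xdm_t rule block continues outside the hunk.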
@@ -32783,7 +32786,7 @@ index 8b40377..a1eab03 100644 ') optional_policy(` -@@ -580,6 +1049,14 @@ optional_policy(` +@@ -580,6 +1050,14 @@ optional_policy(` ') optional_policy(` @@ -32798,7 +32801,7 @@ index 8b40377..a1eab03 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1071,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1072,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -32807,7 +32810,7 @@ index 8b40377..a1eab03 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1081,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1082,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -32820,7 +32823,7 @@ index 8b40377..a1eab03 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1098,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1099,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
@@ -32836,7 +32839,7 @@ index 8b40377..a1eab03 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1114,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1115,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -32847,7 +32850,7 @@ index 8b40377..a1eab03 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1129,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1130,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -32889,7 +32892,7 @@ index 8b40377..a1eab03 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1180,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1181,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -32921,7 +32924,7 @@ index 8b40377..a1eab03 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1213,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1214,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -32936,7 +32939,7 @@ index 8b40377..a1eab03 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1234,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1235,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) 
@@ -32960,7 +32963,7 @@ index 8b40377..a1eab03 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1253,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1254,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -32969,7 +32972,7 @@ index 8b40377..a1eab03 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1297,54 @@ optional_policy(` +@@ -785,17 +1298,54 @@ optional_policy(` ') optional_policy(` @@ -33026,7 +33029,7 @@ index 8b40377..a1eab03 100644 ') optional_policy(` -@@ -803,6 +1352,10 @@ optional_policy(` +@@ -803,6 +1353,10 @@ optional_policy(` ') optional_policy(` @@ -33037,7 +33040,7 @@ index 8b40377..a1eab03 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1371,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1372,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -33062,7 +33065,7 @@ index 8b40377..a1eab03 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1394,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1395,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -33097,7 +33100,7 @@ index 8b40377..a1eab03 100644 ') optional_policy(` -@@ -912,7 +1459,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1460,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -33106,7 +33109,7 @@ index 8b40377..a1eab03 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1513,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1514,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -33138,7 +33141,7 @@ index 8b40377..a1eab03 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1559,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1560,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 9253e17..ada0925 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -589,7 +589,7 @@ index 058d908..ee0c559 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..5f57515 100644 +index eb50f07..1377e9e 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) 
@@ -1070,7 +1070,7 @@ index eb50f07..5f57515 100644 -allow abrt_dump_oops_t self:capability dac_override; +allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override setuid setgid }; -+allow abrt_dump_oops_t self:cap_userns { kill }; ++allow abrt_dump_oops_t self:cap_userns { kill sys_ptrace }; +allow abrt_dump_oops_t self:process setfscreate; allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms; -allow abrt_dump_oops_t self:unix_stream_socket { accept listen }; @@ -72864,7 +72864,7 @@ index 032a84d..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policykit.te b/policykit.te -index ee91778..5fd133f 100644 +index ee91778..fb9b69a 100644 --- a/policykit.te +++ b/policykit.te @@ -7,9 +7,6 @@ policy_module(policykit, 1.3.0) @@ -72890,7 +72890,7 @@ index ee91778..5fd133f 100644 type policykit_resolve_t, policykit_domain; type policykit_resolve_exec_t; -@@ -42,63 +37,70 @@ files_pid_file(policykit_var_run_t) +@@ -42,96 +37,121 @@ files_pid_file(policykit_var_run_t) ####################################### # @@ -72980,7 +72980,14 @@ index ee91778..5fd133f 100644 optional_policy(` consolekit_dbus_chat(policykit_t) ') -@@ -109,29 +111,43 @@ optional_policy(` + + optional_policy(` ++ devicekit_dbus_chat(policykit_t) ++ ') ++ ++ optional_policy(` + rpm_dbus_chat(policykit_t) + ') ') optional_policy(` 
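Review bot: Widening `abrt_dump_oops_t self:cap_userns` from `{ kill }` to `{ kill sys_ptrace }` in the `@@ -1070` hunk is not mentioned anywhere in this commit's changelog entry, which lists only the policykit, virt, xdm and staff changes; a further bullet such as `- Allow abrt_dump_oops_t sys_ptrace in user namespaces` should be added so the grant is traceable. The `self:capability` line directly above already gives the domain `sys_ptrace` in the initial namespace, so the new permission is consistent with it, but ptrace inside user namespaces is a capability a reviewer will want a stated reason for; a `#` comment naming the denial or bug that motivated it would help. The abrt_dump_oops_t block starts and ends outside the hunk.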
@@ -73018,11 +73025,11 @@ index ee91778..5fd133f 100644 -allow policykit_auth_t self:process { getsched setsched signal }; -allow policykit_auth_t self:unix_stream_socket { accept listen }; +allow policykit_auth_t self:process { setsched getsched signal }; -+ -+allow policykit_auth_t self:unix_dgram_socket create_socket_perms; -+allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms; -ps_process_pattern(policykit_auth_t, policykit_domain) ++allow policykit_auth_t self:unix_dgram_socket create_socket_perms; ++allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms; ++ +policykit_dbus_chat(policykit_auth_t) + +kernel_read_system_state(policykit_auth_t) @@ -73032,7 +73039,7 @@ index ee91778..5fd133f 100644 rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) -@@ -145,65 +161,80 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) +@@ -145,65 +165,80 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) @@ -73125,7 +73132,7 @@ index ee91778..5fd133f 100644 rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t) -@@ -211,23 +242,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t +@@ -211,23 +246,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t) @@ -73152,7 +73159,7 @@ index ee91778..5fd133f 100644 optional_policy(` consolekit_dbus_chat(policykit_grant_t) ') -@@ -235,26 +263,28 @@ optional_policy(` +@@ -235,26 +267,28 @@ optional_policy(` ######################################## # 
@@ -73187,7 +73194,7 @@ index ee91778..5fd133f 100644 userdom_read_all_users_state(policykit_resolve_t) optional_policy(` -@@ -266,6 +296,6 @@ optional_policy(` +@@ -266,6 +300,6 @@ optional_policy(` ') optional_policy(` @@ -90344,10 +90351,10 @@ index ccb5991..189ac01 100644 userdom_dontaudit_use_unpriv_user_fds(roundup_t) diff --git a/rpc.fc b/rpc.fc -index a6fb30c..38a2f09 100644 +index a6fb30c..3148280 100644 --- a/rpc.fc +++ b/rpc.fc -@@ -1,12 +1,23 @@ +@@ -1,12 +1,25 @@ -/etc/exports -- gen_context(system_u:object_r:exports_t,s0) +# +# /etc @@ -90365,19 +90372,21 @@ index a6fb30c..38a2f09 100644 -/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) -/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) ++/usr/lib/systemd/system-generators/nfs.* -- gen_context(system_u:object_r:nfsd_exec_t,s0) + +# +# /sbin +# +/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) +/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) - ++ +# +# /usr +# /usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) /usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0) /usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0) -@@ -16,7 +27,12 @@ +@@ -16,7 +29,12 @@ /usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0) /usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) @@ -111896,10 +111905,10 @@ index a4f20bc..d8b1fd1 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..12e74f1 100644 +index facdee8..58c4c51 100644 --- a/virt.if +++ b/virt.if -@@ -1,318 +1,231 @@ +@@ -1,120 +1,104 @@ -## Libvirt virtualization API. +## Libvirt virtualization API 
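Review bot: The new `/usr/lib/systemd/system-generators/nfs.*` entry in the `@@ -90365` hunk is inserted above the `# /sbin` header, so a /usr path now sits between the /etc and /sbin groups of the restructured file; the same hunk introduces the `# /usr` section a few lines further down, which is where this line belongs. The pattern `nfs.*` also matches any generator whose name merely starts with `nfs`, which is only safe if no unrelated generator shares that prefix; a tighter name would keep `nfsd_exec_t` from being applied to other files. Labelling a generator with the daemon's exec type presumably means init will run it as nfsd_t — worth confirming that transition is the intended one rather than a dedicated generator type.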
@@ -111949,8 +111958,10 @@ index facdee8..12e74f1 100644 - - optional_policy(` - pulseaudio_tmpfs_content($1_tmpfs_t) -- ') -- ++ type virtd_lxc_t; + ') ++') + - type $1_image_t, virt_image_type; - files_type($1_image_t) - dev_node($1_image_t) 
@@ -111985,87 +111996,60 @@ index facdee8..12e74f1 100644 - - optional_policy(` - pulseaudio_run($1_t, virt_domain_roles) -- ') -- -- optional_policy(` -- xserver_rw_shm($1_t) -+ type virtd_lxc_t; - ') - ') - --####################################### +######################################## - ## --## The template to define a virt lxc domain. ++## +## svirt_sandbox_domain attribute stub interface. No access allowed. - ## --## ++## +## - ## --## Domain prefix to be used. ++## +## Domain allowed access. - ## - ## - # --template(`virt_lxc_domain_template',` ++## ++## ++# +interface(`virt_stub_svirt_sandbox_domain',` - gen_require(` -- attribute_role svirt_lxc_domain_roles; -- attribute svirt_lxc_domain; ++ gen_require(` + attribute svirt_sandbox_domain; ') -- -- type $1_t, svirt_lxc_domain; -- domain_type($1_t) -- domain_user_exemption_target($1_t) -- mls_rangetrans_target($1_t) -- mcs_constrained($1_t) -- role svirt_lxc_domain_roles types $1_t; - ') ++') - ######################################## - ## --## Make the specified type virt image type. +- optional_policy(` +- xserver_rw_shm($1_t) ++######################################## ++## +## svirt_sandbox_file_t stub interface. No access allowed. - ## --## ++## +## - ## --## Type to be used as a virtual image. ++## +## Domain allowed access. - ## - ## - # --interface(`virt_image',` ++## ++## ++# +interface(`virt_stub_svirt_sandbox_file',` - gen_require(` -- attribute virt_image_type; ++ gen_require(` + type svirt_sandbox_file_t; ') -- -- typeattribute $1 virt_image_type; -- files_type($1) -- dev_node($1) ') - ######################################## +-####################################### ++######################################## ## --## Execute a domain transition to run virtd. +-## The template to define a virt lxc domain. +## Creates types and rules for a basic +## qemu process domain. ## --## +-## +## ## --## Domain allowed to transition. +-## Domain prefix to be used. +## Prefix for the domain. 
## ## # --interface(`virt_domtrans',` +-template(`virt_lxc_domain_template',` +template(`virt_domain_template',` gen_require(` -- type virtd_t, virtd_exec_t; +- attribute_role svirt_lxc_domain_roles; +- attribute svirt_lxc_domain; + attribute virt_image_type, virt_domain; + attribute virt_tmpfs_type; + attribute virt_ptynode; @@ -112073,13 +112057,14 @@ index facdee8..12e74f1 100644 + type virtlogd_t; ') -- corecmd_search_bin($1) -- domtrans_pattern($1, virtd_exec_t, virtd_t) +- type $1_t, svirt_lxc_domain; +- domain_type($1_t) + type $1_t, virt_domain; + application_domain($1_t, qemu_exec_t) -+ domain_user_exemption_target($1_t) -+ mls_rangetrans_target($1_t) -+ mcs_constrained($1_t) + domain_user_exemption_target($1_t) + mls_rangetrans_target($1_t) + mcs_constrained($1_t) +- role svirt_lxc_domain_roles types $1_t; + role system_r types $1_t; + + type $1_devpts_t, virt_ptynode; @@ -112101,38 +112086,29 @@ index facdee8..12e74f1 100644 ######################################## ## --## Execute a domain transition to run virt qmf. +-## Make the specified type virt image type. +## Make the specified type usable as a virt image ## --## -+## + ## ## --## Domain allowed to transition. +-## Type to be used as a virtual image. +## Type to be used as a virtual image ## ## # --interface(`virt_domtrans_qmf',` -+interface(`virt_image',` - gen_require(` -- type virt_qmf_t, virt_qmf_exec_t; -+ attribute virt_image_type; - ') +@@ -125,31 +109,32 @@ interface(`virt_image',` -- corecmd_search_bin($1) -- domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t) -+ typeattribute $1 virt_image_type; -+ files_type($1) + typeattribute $1 virt_image_type; + files_type($1) + + # virt images can be assigned to blk devices -+ dev_node($1) + dev_node($1) ') -######################################## +####################################### ## --## Execute a domain transition to --## run virt bridgehelper. +-## Execute a domain transition to run virtd. +## Getattr on virt executable. ## ## 
@@ -112144,9 +112120,9 @@ index facdee8..12e74f1 100644 +## ## # --interface(`virt_domtrans_bridgehelper',` +-interface(`virt_domtrans',` - gen_require(` -- type virt_bridgehelper_t, virt_bridgehelper_exec_t; +- type virtd_t, virtd_exec_t; - ') +interface(`virt_getattr_exec',` + gen_require(` 
@@ -112154,134 +112130,183 @@ index facdee8..12e74f1 100644 + ') - corecmd_search_bin($1) -- domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) +- domtrans_pattern($1, virtd_exec_t, virtd_t) + allow $1 virtd_exec_t:file getattr; ') ######################################## ## --## Execute bridgehelper in the bridgehelper --## domain, and allow the specified role --## the bridgehelper domain. +-## Execute a domain transition to run virt qmf. +## Execute a domain transition to run virt. ## ## ## - ## Domain allowed to transition. +@@ -157,95 +142,71 @@ interface(`virt_domtrans',` ## ## --## --## --## Role allowed access. --## --## # --interface(`virt_run_bridgehelper',` +-interface(`virt_domtrans_qmf',` +interface(`virt_domtrans',` gen_require(` -- attribute_role virt_bridgehelper_roles; +- type virt_qmf_t, virt_qmf_exec_t; + type virtd_t, virtd_exec_t; ') -- virt_domtrans_bridgehelper($1) -- roleattribute $2 virt_bridgehelper_roles; +- corecmd_search_bin($1) +- domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t) + domtrans_pattern($1, virtd_exec_t, virtd_t) ') ######################################## ## --## Execute virt domain in the their --## domain, and allow the specified --## role that virt domain. +-## Execute a domain transition to +-## run virt bridgehelper. +## Execute virtd in the caller domain. ## ## ## -## Domain allowed to transition. --## --## --## --## --## Role allowed access. +## Domain allowed access. 
## ## # --interface(`virt_run_virt_domain',` +-interface(`virt_domtrans_bridgehelper',` +interface(`virt_exec',` gen_require(` -- attribute virt_domain; -- attribute_role virt_domain_roles; +- type virt_bridgehelper_t, virt_bridgehelper_exec_t; + type virtd_exec_t; ') -- allow $1 virt_domain:process { signal transition }; -- roleattribute $2 virt_domain_roles; -- -- allow virt_domain $1:fd use; -- allow virt_domain $1:fifo_file rw_fifo_file_perms; -- allow virt_domain $1:process sigchld; +- corecmd_search_bin($1) +- domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) + can_exec($1, virtd_exec_t) ') ######################################## ## --## Send generic signals to all virt domains. +-## Execute bridgehelper in the bridgehelper +-## domain, and allow the specified role +-## the bridgehelper domain. +## Transition to virt_qmf. ## ## -## --## Domain allowed access. --## +## -+## Domain allowed to transition. + ## Domain allowed to transition. +-## +-## +-## +-## +-## Role allowed access. +-## +## ## # --interface(`virt_signal_all_virt_domains',` +-interface(`virt_run_bridgehelper',` +interface(`virt_domtrans_qmf',` gen_require(` -- attribute virt_domain; +- attribute_role virt_bridgehelper_roles; + type virt_qmf_t, virt_qmf_exec_t; ') -- allow $1 virt_domain:process signal; +- virt_domtrans_bridgehelper($1) +- roleattribute $2 virt_bridgehelper_roles; + corecmd_search_bin($1) + domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t) ') ######################################## ## --## Send kill signals to all virt domains. +-## Execute virt domain in the their +-## domain, and allow the specified +-## role that virt domain. +## Transition to virt_bridgehelper. ## ## -## --## Domain allowed access. +-## Domain allowed to transition. +-## +-## +-## +-## +-## Role allowed access. -## +## +## Domain allowed to transition. 
+## ## -# --interface(`virt_kill_all_virt_domains',` +-interface(`virt_run_virt_domain',` +interface(`virt_domtrans_bridgehelper',` gen_require(` - attribute virt_domain; +- attribute_role virt_domain_roles; + type virt_bridgehelper_t, virt_bridgehelper_exec_t; ') -- allow $1 virt_domain:process sigkill; +- allow $1 virt_domain:process { signal transition }; +- roleattribute $2 virt_domain_roles; +- +- allow virt_domain $1:fd use; +- allow virt_domain $1:fifo_file rw_fifo_file_perms; +- allow virt_domain $1:process sigchld; + domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) ') -######################################## +####################################### ## +-## Send generic signals to all virt domains. ++## Connect to virt over a unix domain stream socket. + ## + ## + ## +@@ -253,17 +214,18 @@ interface(`virt_run_virt_domain',` + ## + ## + # +-interface(`virt_signal_all_virt_domains',` ++interface(`virt_stream_connect',` + gen_require(` +- attribute virt_domain; ++ type virtd_t, virt_var_run_t; + ') + +- allow $1 virt_domain:process signal; ++ files_search_pids($1) ++ stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) + ') + +-######################################## ++####################################### + ## +-## Send kill signals to all virt domains. ++## Connect to svirt process over a unix domain stream socket. + ## + ## + ## +@@ -271,48 +233,36 @@ interface(`virt_signal_all_virt_domains',` + ## + ## + # +-interface(`virt_kill_all_virt_domains',` ++interface(`virt_stream_connect_svirt',` + gen_require(` +- attribute virt_domain; ++ type svirt_t; + ') + +- allow $1 virt_domain:process sigkill; ++ allow $1 svirt_t:unix_stream_socket connectto; + ') + + ######################################## + ## -## Execute svirt lxc domains in their -## domain, and allow the specified -## role that svirt lxc domain. -+## Connect to virt over a unix domain stream socket. ++## Read and write to apmd unix ++## stream sockets. ## ## ## 
@@ -112296,11 +112321,11 @@ index facdee8..12e74f1 100644 ## # -interface(`virt_run_svirt_lxc_domain',` -+interface(`virt_stream_connect',` ++interface(`virt_rw_stream_sockets_svirt',` gen_require(` - attribute svirt_lxc_domain; - attribute_role svirt_lxc_domain_roles; -+ type virtd_t, virt_var_run_t; ++ type svirt_t; ') - allow $1 svirt_lxc_domain:process { signal transition }; @@ -112309,30 +112334,31 @@ index facdee8..12e74f1 100644 - allow svirt_lxc_domain $1:fd use; - allow svirt_lxc_domain $1:fifo_file rw_fifo_file_perms; - allow svirt_lxc_domain $1:process sigchld; -+ files_search_pids($1) -+ stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) ++ allow $1 svirt_t:unix_stream_socket { read write }; ') - ####################################### +-####################################### ++######################################## ## -## Get attributes of virtd executable files. -+## Connect to svirt process over a unix domain stream socket. ++## Allow domain to attach to virt TUN devices ## ## ## -@@ -320,18 +233,17 @@ interface(`virt_run_svirt_lxc_domain',` +@@ -320,18 +270,18 @@ interface(`virt_run_svirt_lxc_domain',` ## ## # -interface(`virt_getattr_virtd_exec_files',` -+interface(`virt_stream_connect_svirt',` ++interface(`virt_attach_tun_iface',` gen_require(` - type virtd_exec_t; -+ type svirt_t; ++ type virtd_t; ') - allow $1 virtd_exec_t:file getattr_file_perms; -+ allow $1 svirt_t:unix_stream_socket connectto; ++ allow $1 virtd_t:tun_socket relabelfrom; ++ allow $1 self:tun_socket relabelto; ') -####################################### 
@@ -112340,112 +112366,116 @@ index facdee8..12e74f1 100644 ## -## Connect to virt with a unix -## domain stream socket. -+## Allow domain to attach to virt TUN devices ++## Allow domain to attach to virt sandbox TUN devices ## ## ## -@@ -339,18 +251,18 @@ interface(`virt_getattr_virtd_exec_files',` +@@ -339,18 +289,18 @@ interface(`virt_getattr_virtd_exec_files',` ## ## # -interface(`virt_stream_connect',` -+interface(`virt_attach_tun_iface',` ++interface(`virt_attach_sandbox_tun_iface',` gen_require(` - type virtd_t, virt_var_run_t; -+ type virtd_t; ++ attribute svirt_sandbox_domain; ') - files_search_pids($1) - stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) -+ allow $1 virtd_t:tun_socket relabelfrom; ++ allow $1 svirt_sandbox_domain:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; ') ######################################## ## -## Attach to virt tun devices. -+## Allow domain to attach to virt sandbox TUN devices ++## Read virt config files. ## ## ## -@@ -358,18 +270,18 @@ interface(`virt_stream_connect',` +@@ -358,18 +308,20 @@ interface(`virt_stream_connect',` ## ## # -interface(`virt_attach_tun_iface',` -+interface(`virt_attach_sandbox_tun_iface',` ++interface(`virt_read_config',` gen_require(` - type virtd_t; -+ attribute svirt_sandbox_domain; ++ type virt_etc_t, virt_etc_rw_t; ') - allow $1 virtd_t:tun_socket relabelfrom; -+ allow $1 svirt_sandbox_domain:tun_socket relabelfrom; - allow $1 self:tun_socket relabelto; +- allow $1 self:tun_socket relabelto; ++ files_search_etc($1) ++ read_files_pattern($1, virt_etc_t, virt_etc_t) ++ read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) ++ read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) ') ######################################## ## -## Read virt configuration content. -+## Read virt config files. ++## manage virt config files. 
## ## ## -@@ -383,7 +295,6 @@ interface(`virt_read_config',` +@@ -377,22 +329,20 @@ interface(`virt_attach_tun_iface',` + ## + ## + # +-interface(`virt_read_config',` ++interface(`virt_manage_config',` + gen_require(` + type virt_etc_t, virt_etc_rw_t; ') files_search_etc($1) - allow $1 { virt_etc_t virt_etc_rw_t }:dir list_dir_perms; - read_files_pattern($1, virt_etc_t, virt_etc_t) - read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) - read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -@@ -391,8 +302,7 @@ interface(`virt_read_config',` +- read_files_pattern($1, virt_etc_t, virt_etc_t) +- read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) +- read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) ++ manage_files_pattern($1, virt_etc_t, virt_etc_t) ++ manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) ++ manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + ') ######################################## ## -## Create, read, write, and delete -## virt configuration content. -+## manage virt config files. 
++## Allow domain to manage virt image files ## ## ## -@@ -406,7 +316,6 @@ interface(`virt_manage_config',` +@@ -400,22 +350,17 @@ interface(`virt_read_config',` + ## + ## + # +-interface(`virt_manage_config',` ++interface(`virt_getattr_content',` + gen_require(` +- type virt_etc_t, virt_etc_rw_t; ++ type virt_content_t; ') - files_search_etc($1) +- files_search_etc($1) - allow $1 { virt_etc_t virt_etc_rw_t }:dir manage_dir_perms; - manage_files_pattern($1, virt_etc_t, virt_etc_t) - manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) - manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -@@ -414,8 +323,25 @@ interface(`virt_manage_config',` +- manage_files_pattern($1, virt_etc_t, virt_etc_t) +- manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) +- manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) ++ allow $1 virt_content_t:file getattr_file_perms; + ') ######################################## ## -## Create, read, write, and delete -## virt image files. +## Allow domain to manage virt image files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`virt_getattr_content',` -+ gen_require(` -+ type virt_content_t; -+ ') -+ -+ allow $1 virt_content_t:file getattr_file_perms; -+') -+ -+######################################## -+## -+## Allow domain to manage virt image files ## ## ## -@@ -434,6 +360,7 @@ interface(`virt_read_content',` +@@ -434,6 +379,7 @@ interface(`virt_read_content',` read_files_pattern($1, virt_content_t, virt_content_t) read_lnk_files_pattern($1, virt_content_t, virt_content_t) read_blk_files_pattern($1, virt_content_t, virt_content_t) @@ -112453,7 +112483,7 @@ index facdee8..12e74f1 100644 tunable_policy(`virt_use_nfs',` fs_list_nfs($1) -@@ -450,8 +377,7 @@ interface(`virt_read_content',` +@@ -450,8 +396,7 @@ interface(`virt_read_content',` ######################################## ## 
@@ -112463,7 +112493,7 @@ index facdee8..12e74f1 100644
##
##
##
-@@ -459,35 +385,17 @@ interface(`virt_read_content',`
+@@ -459,35 +404,17 @@ interface(`virt_read_content',`
##
##
#
@@ -112502,7 +112532,7 @@ index facdee8..12e74f1 100644
##
##
##
-@@ -495,53 +403,38 @@ interface(`virt_manage_virt_content',`
+@@ -495,53 +422,38 @@ interface(`virt_manage_virt_content',`
##
##
#
@@ -112567,7 +112597,7 @@ index facdee8..12e74f1 100644
##
##
##
-@@ -549,34 +442,21 @@ interface(`virt_home_filetrans_virt_content',`
+@@ -549,34 +461,21 @@ interface(`virt_home_filetrans_virt_content',`
##
##
#
@@ -112610,7 +112640,7 @@ index facdee8..12e74f1 100644
##
##
##
-@@ -584,32 +464,36 @@ interface(`virt_manage_svirt_home_content',`
+@@ -584,32 +483,36 @@ interface(`virt_manage_svirt_home_content',`
##
##
#
@@ -112659,7 +112689,7 @@ index facdee8..12e74f1 100644
##
##
##
-@@ -618,54 +502,36 @@ interface(`virt_relabel_svirt_home_content',`
+@@ -618,54 +521,36 @@ interface(`virt_relabel_svirt_home_content',`
##
##
#
@@ -112723,7 +112753,7 @@ index facdee8..12e74f1 100644
##
##
##
-@@ -673,107 +539,607 @@ interface(`virt_home_filetrans',`
+@@ -673,107 +558,607 @@ interface(`virt_home_filetrans',`
##
##
#
@@ -113376,7 +113406,7 @@ index facdee8..12e74f1 100644
##
##
##
-@@ -781,19 +1147,17 @@ interface(`virt_home_filetrans_virt_home',`
+@@ -781,19 +1166,17 @@ interface(`virt_home_filetrans_virt_home',`
##
##
#
@@ -113400,7 +113430,7 @@ index facdee8..12e74f1 100644
##
##
##
-@@ -801,18 +1165,17 @@ interface(`virt_read_pid_files',`
+@@ -801,18 +1184,17 @@ interface(`virt_read_pid_files',`
##
##
#
@@ -113423,7 +113453,7 @@ index facdee8..12e74f1 100644
##
##
##
-@@ -820,18 +1183,17 @@ interface(`virt_manage_pid_files',`
+@@ -820,18 +1202,17 @@ interface(`virt_manage_pid_files',`
##
##
#
@@ -113446,7 +113476,7 @@ index facdee8..12e74f1 100644
##
##
##
-@@ -839,192 +1201,243 @@ interface(`virt_search_lib',`
+@@ -839,192 +1220,243 @@ interface(`virt_search_lib',`
##
##
#
@@ -113770,7 +113800,7 @@ index facdee8..12e74f1 100644
##
##
##
-@@ -1032,20 +1445,17 @@ interface(`virt_read_images',`
+@@ -1032,20 +1464,17 @@ interface(`virt_read_images',`
##
##
#
@@ -113795,7 +113825,7 @@ index facdee8..12e74f1 100644
##
##
##
-@@ -1053,15 +1463,17 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,15 +1482,17 @@ interface(`virt_rw_all_image_chr_files',`
##
##
#
@@ -113818,7 +113848,7 @@ index facdee8..12e74f1 100644
##
##
##
-@@ -1069,21 +1481,17 @@ interface(`virt_manage_svirt_cache',`
+@@ -1069,21 +1500,17 @@ interface(`virt_manage_svirt_cache',`
##
##
#
@@ -113844,7 +113874,7 @@ index facdee8..12e74f1 100644
##
##
##
-@@ -1091,36 +1499,18 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1518,18 @@ interface(`virt_manage_virt_cache',`
##
##
#
@@ -113886,7 +113916,7 @@ index facdee8..12e74f1 100644
##
##
##
-@@ -1136,50 +1526,76 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1545,76 @@ interface(`virt_manage_images',`
#
interface(`virt_admin',`
gen_require(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2e90b47..ed5c4bf 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 215%{?dist}
+Release: 216%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -675,6 +675,13 @@ exit 0
%endif
%changelog
+* Fri Sep 30 2016 Lukas Vrabec 3.13.1-216
+- Allow devicekit to chat with policykit via DBUS. BZ(1377113)
+- Add interface virt_rw_stream_sockets_svirt() BZ(1379314)
+- Allow xdm_t to read mount pid files. BZ(1377113)
+- Allow staff to rw svirt unix stream sockets. BZ(1379314)
+- Allow staff_t to read tmpfs files BZ(1378446)
+
* Fri Sep 23 2016 Lukas Vrabec 3.13.1-215
- Make tor_var_run_t as mountpoint. BZ(1368621)
- Fix typo in ftpd SELinux module.
