diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 62b738f..544c986 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-f24-base.patch b/policy-f24-base.patch
index 30dd766..5bca7f4 100644
--- a/policy-f24-base.patch
+++ b/policy-f24-base.patch
@@ -37182,7 +37182,7 @@ index 79a45f6..d4f6066 100644
+ allow $1 init_var_lib_t:dir search_dir_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..3945e2c 100644
+index 17eda24..f1cc9e3 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -37408,9 +37408,12 @@ index 17eda24..3945e2c 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +258,64 @@ fs_list_inotifyfs(init_t)
+@@ -155,29 +257,67 @@ fs_list_inotifyfs(init_t)
+ # cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
++fstools_getattr_swap_files(init_t)
++
mcs_process_set_categories(init_t)
-mcs_killall(init_t)
@@ -37468,17 +37471,17 @@ index 17eda24..3945e2c 100644
+userdom_use_user_ttys(init_t)
+userdom_manage_tmp_dirs(init_t)
+userdom_manage_tmp_sockets(init_t)
-+
+
+-miscfiles_read_localization(init_t)
+userdom_transition_login_userdomain(init_t)
+userdom_noatsecure_login_userdomain(init_t)
+userdom_sigchld_login_userdomain(init_t)
-
--miscfiles_read_localization(init_t)
++
+allow init_t self:process setsched;
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +324,264 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +326,264 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -37514,15 +37517,14 @@ index 17eda24..3945e2c 100644
+
+optional_policy(`
+ journalctl_exec(init_t)
- ')
-
- optional_policy(`
-- auth_rw_login_records(init_t)
++')
++
++optional_policy(`
+ kdump_read_crash(init_t)
+ kdump_read_config(init_t)
- ')
-
- optional_policy(`
++')
++
++optional_policy(`
+ gnome_filetrans_home_content(init_t)
+ gnome_manage_data(init_t)
+ gnome_manage_config(init_t)
@@ -37706,14 +37708,15 @@ index 17eda24..3945e2c 100644
+ sysnet_relabelfrom_dhcpc_state(init_t)
+ sysnet_setattr_dhcp_state(init_t)
+ ')
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- auth_rw_login_records(init_t)
+ lvm_rw_pipes(init_t)
+ lvm_read_config(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+ consolekit_manage_log(init_t)
+')
+
@@ -37725,9 +37728,10 @@ index 17eda24..3945e2c 100644
+ optional_policy(`
+ devicekit_dbus_chat_power(init_t)
+ ')
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_use(init_t)
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
@@ -37744,15 +37748,14 @@ index 17eda24..3945e2c 100644
+ plymouthd_stream_connect(init_t)
+ plymouthd_exec_plymouth(init_t)
+ plymouthd_filetrans_named_content(init_t)
- ')
-
- optional_policy(`
-- nscd_use(init_t)
++')
++
++optional_policy(`
+ ssh_getattr_server_keys(init_t)
')
optional_policy(`
-@@ -216,7 +589,30 @@ optional_policy(`
+@@ -216,7 +591,30 @@ optional_policy(`
')
optional_policy(`
@@ -37784,7 +37787,7 @@ index 17eda24..3945e2c 100644
')
########################################
-@@ -225,9 +621,9 @@ optional_policy(`
+@@ -225,9 +623,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -37796,7 +37799,7 @@ index 17eda24..3945e2c 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +654,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +656,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -37813,7 +37816,7 @@ index 17eda24..3945e2c 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +679,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +681,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -37856,7 +37859,7 @@ index 17eda24..3945e2c 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +716,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +718,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -37868,7 +37871,7 @@ index 17eda24..3945e2c 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +728,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +730,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -37879,7 +37882,7 @@ index 17eda24..3945e2c 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +739,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +741,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -37889,7 +37892,7 @@ index 17eda24..3945e2c 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +748,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +750,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -37897,7 +37900,7 @@ index 17eda24..3945e2c 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +755,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +757,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -37905,7 +37908,7 @@ index 17eda24..3945e2c 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +763,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +765,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -37923,7 +37926,7 @@ index 17eda24..3945e2c 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +781,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +783,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -37937,7 +37940,7 @@ index 17eda24..3945e2c 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +796,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +798,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -37951,7 +37954,7 @@ index 17eda24..3945e2c 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,8 +809,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +811,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -37962,7 +37965,7 @@ index 17eda24..3945e2c 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +822,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +824,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -37970,7 +37973,7 @@ index 17eda24..3945e2c 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +841,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +843,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -37994,7 +37997,7 @@ index 17eda24..3945e2c 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +874,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +876,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -38002,7 +38005,7 @@ index 17eda24..3945e2c 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +908,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +910,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -38013,7 +38016,7 @@ index 17eda24..3945e2c 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +932,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +934,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -38022,7 +38025,7 @@ index 17eda24..3945e2c 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +947,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +949,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -38030,7 +38033,7 @@ index 17eda24..3945e2c 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +968,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +970,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -38038,7 +38041,7 @@ index 17eda24..3945e2c 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +978,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +980,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -38083,7 +38086,7 @@ index 17eda24..3945e2c 100644
')
optional_policy(`
-@@ -559,14 +1023,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1025,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -38115,7 +38118,7 @@ index 17eda24..3945e2c 100644
')
')
-@@ -577,6 +1058,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1060,39 @@ ifdef(`distro_suse',`
')
')
@@ -38155,7 +38158,7 @@ index 17eda24..3945e2c 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1103,8 @@ optional_policy(`
+@@ -589,6 +1105,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -38164,7 +38167,7 @@ index 17eda24..3945e2c 100644
')
optional_policy(`
-@@ -610,6 +1126,7 @@ optional_policy(`
+@@ -610,6 +1128,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -38172,7 +38175,7 @@ index 17eda24..3945e2c 100644
')
optional_policy(`
-@@ -626,6 +1143,17 @@ optional_policy(`
+@@ -626,6 +1145,17 @@ optional_policy(`
')
optional_policy(`
@@ -38190,7 +38193,7 @@ index 17eda24..3945e2c 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1170,13 @@ optional_policy(`
+@@ -642,9 +1172,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -38204,7 +38207,7 @@ index 17eda24..3945e2c 100644
')
optional_policy(`
-@@ -657,15 +1189,11 @@ optional_policy(`
+@@ -657,15 +1191,11 @@ optional_policy(`
')
optional_policy(`
@@ -38222,7 +38225,7 @@ index 17eda24..3945e2c 100644
')
optional_policy(`
-@@ -686,6 +1214,15 @@ optional_policy(`
+@@ -686,6 +1216,15 @@ optional_policy(`
')
optional_policy(`
@@ -38238,7 +38241,7 @@ index 17eda24..3945e2c 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1263,7 @@ optional_policy(`
+@@ -726,6 +1265,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -38246,7 +38249,7 @@ index 17eda24..3945e2c 100644
')
optional_policy(`
-@@ -743,7 +1281,13 @@ optional_policy(`
+@@ -743,7 +1283,13 @@ optional_policy(`
')
optional_policy(`
@@ -38261,7 +38264,7 @@ index 17eda24..3945e2c 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1310,10 @@ optional_policy(`
+@@ -766,6 +1312,10 @@ optional_policy(`
')
optional_policy(`
@@ -38272,7 +38275,7 @@ index 17eda24..3945e2c 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1323,20 @@ optional_policy(`
+@@ -775,10 +1325,20 @@ optional_policy(`
')
optional_policy(`
@@ -38293,7 +38296,7 @@ index 17eda24..3945e2c 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1345,10 @@ optional_policy(`
+@@ -787,6 +1347,10 @@ optional_policy(`
')
optional_policy(`
@@ -38304,7 +38307,7 @@ index 17eda24..3945e2c 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1370,6 @@ optional_policy(`
+@@ -808,8 +1372,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -38313,7 +38316,7 @@ index 17eda24..3945e2c 100644
')
optional_policy(`
-@@ -818,6 +1378,10 @@ optional_policy(`
+@@ -818,6 +1380,10 @@ optional_policy(`
')
optional_policy(`
@@ -38324,7 +38327,7 @@ index 17eda24..3945e2c 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1391,12 @@ optional_policy(`
+@@ -827,10 +1393,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -38337,7 +38340,7 @@ index 17eda24..3945e2c 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1423,60 @@ optional_policy(`
+@@ -857,21 +1425,60 @@ optional_policy(`
')
optional_policy(`
@@ -38399,7 +38402,7 @@ index 17eda24..3945e2c 100644
')
optional_policy(`
-@@ -887,6 +1492,10 @@ optional_policy(`
+@@ -887,6 +1494,10 @@ optional_policy(`
')
optional_policy(`
@@ -38410,7 +38413,7 @@ index 17eda24..3945e2c 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1506,218 @@ optional_policy(`
+@@ -897,3 +1508,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -39273,10 +39276,10 @@ index 312cd04..102b975 100644
+userdom_use_inherited_user_terminals(setkey_t)
+userdom_read_user_tmp_files(setkey_t)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 73a1c4e..a143623 100644
+index 73a1c4e..63c7fc0 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
-@@ -1,22 +1,45 @@
+@@ -1,22 +1,48 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
@@ -39290,6 +39293,7 @@ index 73a1c4e..a143623 100644
+/usr/lib/systemd/system/ip6tables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+/usr/lib/systemd/system/ipset.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
++/usr/libexec/iptables/iptables.init -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
+/usr/libexec/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
@@ -39337,6 +39341,8 @@ index 73a1c4e..a143623 100644
+
+/var/lib/ebtables(/.*)? gen_context(system_u:object_r:iptables_var_lib_t,s0)
+
++/var/lock/subsys/iptables -- gen_context(system_u:object_r:iptables_lock_t,s0)
++
+/var/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index c42fbc3..bf211db 100644
@@ -39407,10 +39413,10 @@ index c42fbc3..bf211db 100644
+ files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
+')
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index be8ed1e..e336bc1 100644
+index be8ed1e..ae70490 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
-@@ -16,15 +16,18 @@ role iptables_roles types iptables_t;
+@@ -16,15 +16,21 @@ role iptables_roles types iptables_t;
type iptables_initrc_exec_t;
init_script_file(iptables_initrc_exec_t)
@@ -39426,13 +39432,16 @@ index be8ed1e..e336bc1 100644
+type iptables_var_lib_t;
+files_pid_file(iptables_var_lib_t)
+
++type iptables_lock_t;
++files_lock_file(iptables_lock_t)
++
+type iptables_unit_file_t;
+systemd_unit_file(iptables_unit_file_t)
+
########################################
#
# Iptables local policy
-@@ -35,25 +38,32 @@ dontaudit iptables_t self:capability sys_tty_config;
+@@ -35,25 +41,35 @@ dontaudit iptables_t self:capability sys_tty_config;
allow iptables_t self:fifo_file rw_fifo_file_perms;
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t self:netlink_socket create_socket_perms;
@@ -39454,6 +39463,9 @@ index be8ed1e..e336bc1 100644
+
can_exec(iptables_t, iptables_exec_t)
++manage_files_pattern(iptables_t, iptables_lock_t, iptables_lock_t)
++files_lock_filetrans(iptables_t, iptables_lock_t, file)
++
allow iptables_t iptables_tmp_t:dir manage_dir_perms;
allow iptables_t iptables_tmp_t:file manage_file_perms;
files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
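Review bot: The new `files_lock_filetrans(iptables_t, iptables_lock_t, file)` carries no name filter, so every lock file iptables_t creates directly under the lock directory is labelled iptables_lock_t, while the .fc entry added in the same commit only describes `/var/lock/subsys/iptables`. If files_lock_filetrans takes the trailing name argument the way files_pid_filetrans does elsewhere in this patch (`files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")`), `files_lock_filetrans(iptables_t, iptables_lock_t, file, "iptables")` keeps the runtime transition and the file context in step and stops unrelated lock files from picking up the type. The same pairing appears in the ipmievd.te hunk, where an unfiltered `files_lock_filetrans(ipmievd_t, ipmievd_lock_t, file)` sits next to a context for `/var/lock/subsys/ipmi`. The iptables_t policy block continues outside the hunk.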
@@ -39468,7 +39480,7 @@ index be8ed1e..e336bc1 100644
kernel_use_fds(iptables_t)
# needed by ipvsadm
-@@ -64,19 +74,23 @@ corenet_relabelto_all_packets(iptables_t)
+@@ -64,19 +80,23 @@ corenet_relabelto_all_packets(iptables_t)
corenet_dontaudit_rw_tun_tap_dev(iptables_t)
dev_read_sysfs(iptables_t)
@@ -39494,7 +39506,7 @@ index be8ed1e..e336bc1 100644
auth_use_nsswitch(iptables_t)
-@@ -85,15 +99,14 @@ init_use_script_ptys(iptables_t)
+@@ -85,15 +105,14 @@ init_use_script_ptys(iptables_t)
# to allow rules to be saved on reboot:
init_rw_script_tmp_files(iptables_t)
init_rw_script_stream_sockets(iptables_t)
@@ -39512,7 +39524,7 @@ index be8ed1e..e336bc1 100644
userdom_use_all_users_fds(iptables_t)
ifdef(`hide_broken_symptoms',`
-@@ -102,6 +115,9 @@ ifdef(`hide_broken_symptoms',`
+@@ -102,6 +121,9 @@ ifdef(`hide_broken_symptoms',`
optional_policy(`
fail2ban_append_log(iptables_t)
@@ -39522,7 +39534,7 @@ index be8ed1e..e336bc1 100644
')
optional_policy(`
-@@ -110,6 +126,13 @@ optional_policy(`
+@@ -110,6 +132,13 @@ optional_policy(`
')
optional_policy(`
@@ -39536,7 +39548,7 @@ index be8ed1e..e336bc1 100644
modutils_run_insmod(iptables_t, iptables_roles)
')
-@@ -124,6 +147,16 @@ optional_policy(`
+@@ -124,6 +153,16 @@ optional_policy(`
optional_policy(`
psad_rw_tmp_files(iptables_t)
@@ -39553,7 +39565,7 @@ index be8ed1e..e336bc1 100644
')
optional_policy(`
-@@ -135,9 +168,9 @@ optional_policy(`
+@@ -135,9 +174,9 @@ optional_policy(`
')
optional_policy(`
@@ -48733,10 +48745,10 @@ index 0000000..16cd1ac
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..564202a
+index 0000000..3e6cbf1
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,959 @@
+@@ -0,0 +1,961 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -49064,6 +49076,8 @@ index 0000000..564202a
+
+init_dbus_chat(systemd_machined_t)
+init_status(systemd_machined_t)
++init_start(systemd_machined_t)
++init_stop(systemd_machined_t)
+
+userdom_dbus_send_all_users(systemd_machined_t)
+
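Review bot: The added `init_start(systemd_machined_t)` and `init_stop(systemd_machined_t)` make systemd_machined_t the subject of the start/stop permission, whereas the spec changelog in this commit describes the change as allowing systemd to stop the machined daemon; the rule and its description point in opposite directions and one of them should be corrected. A one-line comment above the pair would keep the intent recoverable without the changelog, e.g. `# machinectl start/stop of machine units goes through init` — confirm this against the denial that motivated the change before wording it. The systemd_machined_t block continues outside the hunk.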
diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch
index fbfcb53..a876cfd 100644
--- a/policy-f24-contrib.patch
+++ b/policy-f24-contrib.patch
@@ -22042,7 +22042,7 @@ index dda905b..5587295 100644
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
-index 62d22cb..f8ab4af 100644
+index 62d22cb..d578ac1 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
@@ -22077,7 +22077,7 @@ index 62d22cb..f8ab4af 100644
##
##
##
-@@ -41,59 +58,68 @@ interface(`dbus_stub',`
+@@ -41,59 +58,69 @@ interface(`dbus_stub',`
template(`dbus_role_template',`
gen_require(`
class dbus { send_msg acquire_svc };
@@ -22121,6 +22121,7 @@ index 62d22cb..f8ab4af 100644
- allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
+ # For connecting to the bus
+ allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms };
++ allow $1_dbusd_t $3:unix_stream_socket { accept getattr getopt };
- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms };
@@ -22168,7 +22169,7 @@ index 62d22cb..f8ab4af 100644
##
##
##
-@@ -103,91 +129,88 @@ template(`dbus_role_template',`
+@@ -103,91 +130,88 @@ template(`dbus_role_template',`
#
interface(`dbus_system_bus_client',`
gen_require(`
@@ -22298,7 +22299,7 @@ index 62d22cb..f8ab4af 100644
##
##
##
-@@ -195,15 +218,18 @@ interface(`dbus_connect_spec_session_bus',`
+@@ -195,15 +219,18 @@ interface(`dbus_connect_spec_session_bus',`
##
##
#
@@ -22323,7 +22324,7 @@ index 62d22cb..f8ab4af 100644
##
##
##
-@@ -211,57 +237,39 @@ interface(`dbus_session_bus_client',`
+@@ -211,57 +238,39 @@ interface(`dbus_session_bus_client',`
##
##
#
@@ -22395,7 +22396,7 @@ index 62d22cb..f8ab4af 100644
##
##
##
-@@ -269,15 +277,19 @@ interface(`dbus_spec_session_bus_client',`
+@@ -269,15 +278,19 @@ interface(`dbus_spec_session_bus_client',`
##
##
#
@@ -22421,7 +22422,7 @@ index 62d22cb..f8ab4af 100644
##
##
##
-@@ -285,44 +297,52 @@ interface(`dbus_send_session_bus',`
+@@ -285,44 +298,52 @@ interface(`dbus_send_session_bus',`
##
##
#
@@ -22488,7 +22489,7 @@ index 62d22cb..f8ab4af 100644
##
##
##
-@@ -330,18 +350,18 @@ interface(`dbus_send_spec_session_bus',`
+@@ -330,18 +351,18 @@ interface(`dbus_send_spec_session_bus',`
##
##
#
@@ -22512,7 +22513,7 @@ index 62d22cb..f8ab4af 100644
##
##
##
-@@ -349,20 +369,18 @@ interface(`dbus_read_config',`
+@@ -349,20 +370,18 @@ interface(`dbus_read_config',`
##
##
#
@@ -22538,7 +22539,7 @@ index 62d22cb..f8ab4af 100644
##
##
##
-@@ -370,26 +388,20 @@ interface(`dbus_read_lib_files',`
+@@ -370,26 +389,20 @@ interface(`dbus_read_lib_files',`
##
##
#
@@ -22571,7 +22572,7 @@ index 62d22cb..f8ab4af 100644
##
##
## Type to be used as a domain.
-@@ -397,81 +409,67 @@ interface(`dbus_manage_lib_files',`
+@@ -397,81 +410,67 @@ interface(`dbus_manage_lib_files',`
##
##
##
@@ -22681,7 +22682,7 @@ index 62d22cb..f8ab4af 100644
##
##
##
-@@ -479,18 +477,18 @@ interface(`dbus_spec_session_domain',`
+@@ -479,18 +478,18 @@ interface(`dbus_spec_session_domain',`
##
##
#
@@ -22705,7 +22706,7 @@ index 62d22cb..f8ab4af 100644
##
##
##
-@@ -498,98 +496,100 @@ interface(`dbus_connect_system_bus',`
+@@ -498,98 +497,100 @@ interface(`dbus_connect_system_bus',`
##
##
#
@@ -22849,7 +22850,7 @@ index 62d22cb..f8ab4af 100644
##
##
##
-@@ -597,28 +597,50 @@ interface(`dbus_use_system_bus_fds',`
+@@ -597,28 +598,50 @@ interface(`dbus_use_system_bus_fds',`
##
##
#
@@ -32726,7 +32727,7 @@ index e39de43..5edcb83 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index ab09d61..cfd00e3 100644
+index ab09d61..1a07290 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,52 +1,76 @@
@@ -32878,7 +32879,7 @@ index ab09d61..cfd00e3 100644
+ allow $3 $1_gkeyringd_t:fd use;
+ allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
+
-+ dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write };
++ dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write connectto};
+ stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
+
+ kernel_read_system_state($1_gkeyringd_t)
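Review bot: The rewritten line `dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write connectto};` drops the space before the closing brace that every other permission set in this template uses; it should read `{ getattr read write connectto }`. Beyond style, folding connectto into a dontaudit silences the access rather than deciding it: if the keyring daemon genuinely needs to connect back to the user domain's stream sockets the rule should be an allow, and if it does not, the dontaudit hides exactly the AVC that would reveal an unexpected connection attempt. The enclosing template starts outside the hunk.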
@@ -37473,10 +37474,10 @@ index 6517fad..f183748 100644
+ allow $1 hypervkvp_unit_file_t:service all_service_perms;
')
diff --git a/hypervkvp.te b/hypervkvp.te
-index 4eb7041..097bd50 100644
+index 4eb7041..99d8ddc 100644
--- a/hypervkvp.te
+++ b/hypervkvp.te
-@@ -5,24 +5,150 @@ policy_module(hypervkvp, 1.0.0)
+@@ -5,24 +5,151 @@ policy_module(hypervkvp, 1.0.0)
# Declarations
#
@@ -37562,6 +37563,7 @@ index 4eb7041..097bd50 100644
+dev_read_urand(hypervkvp_t)
+
+files_dontaudit_search_home(hypervkvp_t)
++files_dontaudit_getattr_non_security_files(hypervkvp_t)
+
+fs_getattr_all_fs(hypervkvp_t)
+fs_read_hugetlbfs_files(hypervkvp_t)
@@ -38811,10 +38813,10 @@ index 0000000..81f38fe
+')
diff --git a/ipmievd.fc b/ipmievd.fc
new file mode 100644
-index 0000000..afe4e83
+index 0000000..0f598ca
--- /dev/null
+++ b/ipmievd.fc
-@@ -0,0 +1,7 @@
+@@ -0,0 +1,9 @@
+/usr/lib/systemd/system/ipmievd\.service -- gen_context(system_u:object_r:ipmievd_unit_file_t,s0)
+
+/usr/sbin/ipmievd -- gen_context(system_u:object_r:ipmievd_exec_t,s0)
@@ -38822,6 +38824,8 @@ index 0000000..afe4e83
+/usr/libexec/openipmi-helper -- gen_context(system_u:object_r:ipmievd_exec_t,s0)
+
+/var/run/ipmievd\.pid -- gen_context(system_u:object_r:ipmievd_var_run_t,s0)
++
++/var/lock/subsys/ipmi -- gen_context(system_u:object_r:ipmievd_lock_t,s0)
diff --git a/ipmievd.if b/ipmievd.if
new file mode 100644
index 0000000..e86db54
@@ -38950,10 +38954,10 @@ index 0000000..e86db54
+')
diff --git a/ipmievd.te b/ipmievd.te
new file mode 100644
-index 0000000..32d7f6c
+index 0000000..a2c9648
--- /dev/null
+++ b/ipmievd.te
-@@ -0,0 +1,33 @@
+@@ -0,0 +1,51 @@
+policy_module(ipmievd, 1.0.0)
+
+########################################
@@ -38968,6 +38972,9 @@ index 0000000..32d7f6c
+type ipmievd_var_run_t;
+files_pid_file(ipmievd_var_run_t)
+
++type ipmievd_lock_t;
++files_lock_file(ipmievd_lock_t)
++
+type ipmievd_unit_file_t;
+systemd_unit_file(ipmievd_unit_file_t)
+
@@ -38982,11 +38989,26 @@ index 0000000..32d7f6c
+manage_files_pattern(ipmievd_t, ipmievd_var_run_t, ipmievd_var_run_t)
+files_pid_filetrans(ipmievd_t, ipmievd_var_run_t, { file })
+
++manage_files_pattern(ipmievd_t, ipmievd_lock_t, ipmievd_lock_t)
++files_lock_filetrans(ipmievd_t, ipmievd_lock_t, file)
++
++kernel_read_system_state(ipmievd_t)
++
++auth_read_passwd(ipmievd_t)
++
++corecmd_exec_bin(ipmievd_t)
++
+dev_manage_ipmi_dev(ipmievd_t)
+dev_filetrans_ipmi(ipmievd_t)
++dev_read_sysfs(ipmievd_t)
++
++files_read_kernel_modules(ipmievd_t)
+
+logging_send_syslog_msg(ipmievd_t)
+
++modutils_exec_insmod(ipmievd_t)
++modutils_read_module_config(ipmievd_t)
++
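Review bot: `modutils_exec_insmod(ipmievd_t)` executes the module tool inside ipmievd_t itself instead of transitioning to the modutils domain, so an actual module load would need ipmievd_t to hold the sys_module capability and the kernel-module access the hunk is already adding in support (`files_read_kernel_modules(ipmievd_t)`, `dev_read_sysfs(ipmievd_t)`); no such capability is visible in the hunk, and granting it would place kernel-module loading inside a long-running daemon's domain. The iptables.te part of this commit takes the confined route with `modutils_run_insmod(iptables_t, iptables_roles)`; the equivalent here is `modutils_domtrans_insmod(ipmievd_t)`, which keeps the load in insmod_t and leaves ipmievd_t with only the transition. Whether the daemon needs to load modules at runtime at all, rather than having the unit file do it, is worth confirming. The new ipmievd.te file continues outside the hunk.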
diff --git a/irc.fc b/irc.fc
index 48e7739..1bf0326 100644
--- a/irc.fc
@@ -42733,7 +42755,7 @@ index f6c00d8..e3cb4f1 100644
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
')
diff --git a/kerberos.te b/kerberos.te
-index 8833d59..a6356be 100644
+index 8833d59..3fde8ee 100644
--- a/kerberos.te
+++ b/kerberos.te
@@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0)
@@ -42910,7 +42932,7 @@ index 8833d59..a6356be 100644
')
optional_policy(`
-@@ -174,24 +205,27 @@ optional_policy(`
+@@ -174,24 +205,28 @@ optional_policy(`
# Krb5kdc local policy
#
@@ -42931,6 +42953,7 @@ index 8833d59..a6356be 100644
+can_exec(krb5kdc_t, krb5kdc_exec_t)
+
++list_dirs_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
-dontaudit krb5kdc_t krb5kdc_conf_t:file write_file_perms;
+dontaudit krb5kdc_t krb5kdc_conf_t:file write;
@@ -42942,7 +42965,7 @@ index 8833d59..a6356be 100644
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
-@@ -201,71 +235,79 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+@@ -201,71 +236,79 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
@@ -43036,7 +43059,7 @@ index 8833d59..a6356be 100644
')
optional_policy(`
-@@ -273,6 +315,10 @@ optional_policy(`
+@@ -273,6 +316,10 @@ optional_policy(`
')
optional_policy(`
@@ -43047,7 +43070,7 @@ index 8833d59..a6356be 100644
udev_read_db(krb5kdc_t)
')
-@@ -281,10 +327,12 @@ optional_policy(`
+@@ -281,10 +328,12 @@ optional_policy(`
# kpropd local policy
#
@@ -43063,7 +43086,7 @@ index 8833d59..a6356be 100644
allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
-@@ -301,27 +349,26 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+@@ -301,27 +350,26 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
@@ -58447,7 +58470,7 @@ index 94b9734..448a7e8 100644
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
-index 86dc29d..7380935 100644
+index 86dc29d..c7d9376 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -2,7 +2,7 @@
@@ -58779,7 +58802,7 @@ index 86dc29d..7380935 100644
##
##
## Role allowed access.
-@@ -287,33 +427,189 @@ interface(`networkmanager_stream_connect',`
+@@ -287,33 +427,190 @@ interface(`networkmanager_stream_connect',`
##
##
#
@@ -58982,6 +59005,7 @@ index 86dc29d..7380935 100644
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em6.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em7.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, dir, "teamd")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "wicd.pid")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf")
@@ -86225,10 +86249,10 @@ index c8a1e16..2d409bf 100644
xen_domtrans_xm(rgmanager_t)
')
diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..aa2272c 100644
+index 47de2d6..c2bc05a 100644
--- a/rhcs.fc
+++ b/rhcs.fc
-@@ -1,31 +1,101 @@
+@@ -1,31 +1,104 @@
-/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@@ -86346,6 +86370,9 @@ index 47de2d6..aa2272c 100644
+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/rsctmp(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/corosync-qdevice(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/corosync-qnetd(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
++
+
+/var/log/cluster/aisexec\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2f7c2ed..86f5f5f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 191.12%{?dist}
+Release: 191.13%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -645,6 +645,17 @@ exit 0
%endif
%changelog
+* Tue Aug 23 2016 Lukas Vrabec 3.13.1-191.13
+- Label /var/run/corosync-qnetd and /var/run/corosync-qdevice as cluster_var_run_t. Note: corosync policy is now par of rhcs module
+- Allow krb5kdc_t to read krb4kdc_conf_t dirs.
+- Update networkmanager_filetrans_named_content() interface to allow source domain to create also temad dir in /var/run.
+- Make confined users working again
+- Fix hypervkvp module
+- Allow ipmievd domain to create lock files in /var/lock/subsys/
+- Update policy for ipmievd daemon. Contain: Allowing reading sysfs, passwd,kernel modules Execuring bin_t,insmod_t
+- Allow systemd to stop systemd-machined daemon. This allows stop virtual machines.
+- Label /usr/libexec/iptables/iptables.init as iptables_exec_t Allow iptables creating lock file in /var/lock/subsys/
+
* Tue Aug 16 2016 Lukas Vrabec 3.13.1-191.12
- Fix lsm SELinux module
- Dontaudit firewalld to create dirs in /root/ BZ(1340611)