diff --git a/container-selinux.tgz b/container-selinux.tgz index 8e1c934..36bc4df 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-f25-base.patch b/policy-f25-base.patch index a2c939a..51b2655 100644 --- a/policy-f25-base.patch +++ b/policy-f25-base.patch @@ -15424,7 +15424,7 @@ index d7c11a0..f521a50 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..f1ebb1b 100644 +index 8416beb..b5e6d68 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -15777,10 +15777,31 @@ index 8416beb..f1ebb1b 100644 ####################################### ## ## Create, read, write, and delete dirs -@@ -1582,6 +1800,24 @@ interface(`fs_manage_configfs_files',` +@@ -1580,6 +1798,43 @@ interface(`fs_manage_configfs_files',` + manage_files_pattern($1, configfs_t, configfs_t) + ') - ######################################## - ## ++####################################### ++## ++## Create, read, write, and delete files ++## on a configfs filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_manage_configfs_lnk_files',` ++ gen_require(` ++ type configfs_t; ++ ') ++ ++ manage_lnk_files_pattern($1, configfs_t, configfs_t) ++') ++ ++######################################## ++## +## Unmount a configfs filesystem +## +## @@ -15797,12 +15818,10 @@ index 8416beb..f1ebb1b 100644 + allow $1 configfs_t:filesystem unmount; +') + -+######################################## -+## + ######################################## + ## ## Mount a DOS filesystem, such as - ## FAT32 or NTFS. - ## -@@ -1793,63 +2029,70 @@ interface(`fs_read_eventpollfs',` +@@ -1793,63 +2048,70 @@ interface(`fs_read_eventpollfs',` refpolicywarn(`$0($*) has been deprecated.') ') 
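Review bot: The summary on the new `fs_manage_configfs_lnk_files` interface still reads `## Create, read, write, and delete files` / `## on a configfs filesystem.`, copied from `fs_manage_configfs_files`, while the only rule it wraps is `manage_lnk_files_pattern($1, configfs_t, configfs_t)`. Policy authors choose interfaces by their summary, and this one will be mistaken for a second file-manage interface. It should say `## Create, read, write, and delete symbolic links` / `## on a configfs filesystem.`; the new `fs_unmount_configfs` in the same hunk is documented correctly.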
@@ -15898,7 +15917,7 @@ index 8416beb..f1ebb1b 100644 ## on a FUSEFS filesystem. ## ## -@@ -1859,18 +2102,19 @@ interface(`fs_mounton_fusefs',` +@@ -1859,18 +2121,19 @@ interface(`fs_mounton_fusefs',` ## ## # @@ -15923,7 +15942,7 @@ index 8416beb..f1ebb1b 100644 ## ## ## -@@ -1878,135 +2122,835 @@ interface(`fs_search_fusefs',` +@@ -1878,49 +2141,240 @@ interface(`fs_search_fusefs',` ## ## # @@ -15985,50 +16004,33 @@ index 8416beb..f1ebb1b 100644 gen_require(` - type fusefs_t; + type ecryptfs_t; - ') -- -- dontaudit $1 fusefs_t:dir manage_dir_perms; ++ ') + dontaudit $1 ecryptfs_t:file append; - ') - - ######################################## - ## --## Read, a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Manage symbolic links on a FUSEFS filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`fs_read_fusefs_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_manage_ecryptfs_symlinks',` - gen_require(` -- type fusefs_t; ++ gen_require(` + type ecryptfs_t; - ') - -- read_files_pattern($1, fusefs_t, fusefs_t) ++ ') ++ + manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t) - ') - - ######################################## - ## --## Execute files on a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Execute a file on a FUSE filesystem +## in the specified domain. - ## --## --## --## Domain allowed access. --## --## --## --# --interface(`fs_exec_fusefs_files',` -- gen_require(` ++## +## +##

+## Execute a file on a FUSE filesystem @@ -16196,13 +16198,14 @@ index 8416beb..f1ebb1b 100644 +interface(`fs_dontaudit_manage_fusefs_dirs',` + gen_require(` + type fusefs_t; -+ ') -+ -+ dontaudit $1 fusefs_t:dir manage_dir_perms; -+') -+ -+######################################## -+##

+ ') + + dontaudit $1 fusefs_t:dir manage_dir_perms; +@@ -1928,105 +2382,652 @@ interface(`fs_dontaudit_manage_fusefs_dirs',` + + ######################################## + ## +-## Read, a FUSEFS filesystem. +## Read, a FUSEFS filesystem. +## +## @@ -16291,10 +16294,9 @@ index 8416beb..f1ebb1b 100644 +# +interface(`fs_manage_fusefs_files',` + gen_require(` - type fusefs_t; - ') - -- exec_files_pattern($1, fusefs_t, fusefs_t) ++ type fusefs_t; ++ ') ++ + manage_files_pattern($1, fusefs_t, fusefs_t) +') + @@ -16731,12 +16733,10 @@ index 8416beb..f1ebb1b 100644 + ') + + dontaudit $1 inotifyfs_t:dir list_dir_perms; - ') - - ######################################## - ## --## Create, read, write, and delete files --## on a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Create an object in a hugetlbfs filesystem, with a private +## type using a type transition. ## 
@@ -16762,96 +16762,97 @@ index 8416beb..f1ebb1b 100644 +## +## # --interface(`fs_manage_fusefs_files',` +-interface(`fs_read_fusefs_files',` +interface(`fs_hugetlbfs_filetrans',` gen_require(` - type fusefs_t; + type hugetlbfs_t; ') -- manage_files_pattern($1, fusefs_t, fusefs_t) +- read_files_pattern($1, fusefs_t, fusefs_t) + allow $2 hugetlbfs_t:filesystem associate; + filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) ') ######################################## ## --## Do not audit attempts to create, --## read, write, and delete files --## on a FUSEFS filesystem. +-## Execute files on a FUSEFS filesystem. +## Mount an iso9660 filesystem, which +## is usually used on CDs. ## ## ## --## Domain to not audit. -+## Domain allowed access. + ## Domain allowed access. ## ## +-## # --interface(`fs_dontaudit_manage_fusefs_files',` +-interface(`fs_exec_fusefs_files',` +interface(`fs_mount_iso9660_fs',` gen_require(` - type fusefs_t; + type iso9660_t; ') -- dontaudit $1 fusefs_t:file manage_file_perms; +- exec_files_pattern($1, fusefs_t, fusefs_t) + allow $1 iso9660_t:filesystem mount; ') ######################################## ## --## Read symbolic links on a FUSEFS filesystem. +-## Create, read, write, and delete files +-## on a FUSEFS filesystem. +## Remount an iso9660 filesystem, which +## is usually used on CDs. This allows +## some mount options to be changed. ## ## ## -@@ -2014,19 +2958,18 @@ interface(`fs_dontaudit_manage_fusefs_files',` + ## Domain allowed access. ## ## +-## # --interface(`fs_read_fusefs_symlinks',` +-interface(`fs_manage_fusefs_files',` +interface(`fs_remount_iso9660_fs',` gen_require(` - type fusefs_t; + type iso9660_t; ') -- allow $1 fusefs_t:dir list_dir_perms; -- read_lnk_files_pattern($1, fusefs_t, fusefs_t) +- manage_files_pattern($1, fusefs_t, fusefs_t) + allow $1 iso9660_t:filesystem remount; ') ######################################## ## --## Get the attributes of an hugetlbfs --## filesystem. 
+-## Do not audit attempts to create, +-## read, write, and delete files +-## on a FUSEFS filesystem. +## Unmount an iso9660 filesystem, which +## is usually used on CDs. ## ## ## -@@ -2034,35 +2977,38 @@ interface(`fs_read_fusefs_symlinks',` +-## Domain to not audit. ++## Domain allowed access. ## ## # --interface(`fs_getattr_hugetlbfs',` +-interface(`fs_dontaudit_manage_fusefs_files',` +interface(`fs_unmount_iso9660_fs',` gen_require(` -- type hugetlbfs_t; +- type fusefs_t; + type iso9660_t; ') -- allow $1 hugetlbfs_t:filesystem getattr; +- dontaudit $1 fusefs_t:file manage_file_perms; + allow $1 iso9660_t:filesystem unmount; ') ######################################## ## --## List hugetlbfs. +-## Read symbolic links on a FUSEFS filesystem. +## Get the attributes of an iso9660 +## filesystem, which is usually used on CDs. ## 
@@ -16862,61 +16863,63 @@ index 8416beb..f1ebb1b 100644 ## +## # --interface(`fs_list_hugetlbfs',` +-interface(`fs_read_fusefs_symlinks',` +interface(`fs_getattr_iso9660_fs',` gen_require(` -- type hugetlbfs_t; +- type fusefs_t; + type iso9660_t; ') -- allow $1 hugetlbfs_t:dir list_dir_perms; +- allow $1 fusefs_t:dir list_dir_perms; +- read_lnk_files_pattern($1, fusefs_t, fusefs_t) + allow $1 iso9660_t:filesystem getattr; ') ######################################## ## --## Manage hugetlbfs dirs. +-## Get the attributes of an hugetlbfs +-## filesystem. +## Read files on an iso9660 filesystem, which +## is usually used on CDs. ## ## ## -@@ -2070,17 +3016,19 @@ interface(`fs_list_hugetlbfs',` +@@ -2034,17 +3035,19 @@ interface(`fs_read_fusefs_symlinks',` ## ## # --interface(`fs_manage_hugetlbfs_dirs',` +-interface(`fs_getattr_hugetlbfs',` +interface(`fs_getattr_iso9660_files',` gen_require(` - type hugetlbfs_t; + type iso9660_t; ') -- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) +- allow $1 hugetlbfs_t:filesystem getattr; + allow $1 iso9660_t:dir list_dir_perms; + allow $1 iso9660_t:file getattr; ') ######################################## ## --## Read and write hugetlbfs files. +-## List hugetlbfs. +## Read files on an iso9660 filesystem, which +## is usually used on CDs. ## ## ## -@@ -2088,35 +3036,38 @@ interface(`fs_manage_hugetlbfs_dirs',` +@@ -2052,17 +3055,20 @@ interface(`fs_getattr_hugetlbfs',` ## ## # --interface(`fs_rw_hugetlbfs_files',` +-interface(`fs_list_hugetlbfs',` +interface(`fs_read_iso9660_files',` gen_require(` - type hugetlbfs_t; + type iso9660_t; ') -- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) +- allow $1 hugetlbfs_t:dir list_dir_perms; + allow $1 iso9660_t:dir list_dir_perms; + read_files_pattern($1, iso9660_t, iso9660_t) + read_lnk_files_pattern($1, iso9660_t, iso9660_t) 
@@ -16925,151 +16928,158 @@ index 8416beb..f1ebb1b 100644 + ######################################## ## --## Allow the type to associate to hugetlbfs filesystems. +-## Manage hugetlbfs dirs. +## Mount kdbus filesystems. ## --## -+## + ## ## --## The type of the object to be associated. -+## Domain allowed access. +@@ -2070,17 +3076,17 @@ interface(`fs_list_hugetlbfs',` ## ## # --interface(`fs_associate_hugetlbfs',` +-interface(`fs_manage_hugetlbfs_dirs',` +interface(`fs_mount_kdbus', ` gen_require(` - type hugetlbfs_t; + type kdbusfs_t; ') -- allow $1 hugetlbfs_t:filesystem associate; +- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) + allow $1 kdbusfs_t:filesystem mount; ') ######################################## ## --## Search inotifyfs filesystem. +-## Read and write hugetlbfs files. +## Remount kdbus filesystems. ## ## ## -@@ -2124,17 +3075,17 @@ interface(`fs_associate_hugetlbfs',` +@@ -2088,35 +3094,35 @@ interface(`fs_manage_hugetlbfs_dirs',` ## ## # --interface(`fs_search_inotifyfs',` +-interface(`fs_rw_hugetlbfs_files',` +interface(`fs_remount_kdbus', ` gen_require(` -- type inotifyfs_t; +- type hugetlbfs_t; + type kdbusfs_t; ') -- allow $1 inotifyfs_t:dir search_dir_perms; +- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) + allow $1 kdbusfs_t:filesystem remount; ') ######################################## ## --## List inotifyfs filesystem. +-## Allow the type to associate to hugetlbfs filesystems. +## Unmount kdbus filesystems. ## - ## +-## ++## ## -@@ -2142,71 +3093,134 @@ interface(`fs_search_inotifyfs',` +-## The type of the object to be associated. ++## Domain allowed access. 
## ## # --interface(`fs_list_inotifyfs',` +-interface(`fs_associate_hugetlbfs',` +interface(`fs_unmount_kdbus', ` gen_require(` -- type inotifyfs_t; +- type hugetlbfs_t; + type kdbusfs_t; ') -- allow $1 inotifyfs_t:dir list_dir_perms; +- allow $1 hugetlbfs_t:filesystem associate; + allow $1 kdbusfs_t:filesystem unmount; ') ######################################## ## --## Dontaudit List inotifyfs filesystem. +-## Search inotifyfs filesystem. +## Get attributes of kdbus filesystems. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -2124,17 +3130,17 @@ interface(`fs_associate_hugetlbfs',` ## ## # --interface(`fs_dontaudit_list_inotifyfs',` +-interface(`fs_search_inotifyfs',` +interface(`fs_getattr_kdbus',` gen_require(` - type inotifyfs_t; + type kdbusfs_t; ') -- dontaudit $1 inotifyfs_t:dir list_dir_perms; +- allow $1 inotifyfs_t:dir search_dir_perms; + allow $1 kdbusfs_t:filesystem getattr; ') ######################################## ## --## Create an object in a hugetlbfs filesystem, with a private --## type using a type transition. +-## List inotifyfs filesystem. +## Search kdbusfs directories. ## ## ## - ## Domain allowed access. +@@ -2142,71 +3148,118 @@ interface(`fs_search_inotifyfs',` ## ## --## -+# + # +-interface(`fs_list_inotifyfs',` +interface(`fs_search_kdbus_dirs',` -+ gen_require(` + gen_require(` +- type inotifyfs_t; + type kdbusfs_t; + -+ ') -+ + ') + +- allow $1 inotifyfs_t:dir list_dir_perms; + search_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Dontaudit List inotifyfs filesystem. +## Relabel kdbusfs directories. -+## -+## + ## + ## ## --## The type of the object to be created. +-## Domain to not audit. +## Domain allowed access. 
## ## --## -+# + # +-interface(`fs_dontaudit_list_inotifyfs',` +interface(`fs_relabel_kdbus_dirs',` -+ gen_require(` + gen_require(` +- type inotifyfs_t; + type cgroup_t; + -+ ') -+ + ') + +- dontaudit $1 inotifyfs_t:dir list_dir_perms; + relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create an object in a hugetlbfs filesystem, with a private +-## type using a type transition. +## List kdbusfs directories. -+## -+## + ## + ## ## --## The object class of the object being created. -+## Domain allowed access. + ## Domain allowed access. ## ## --## +-## +-## +-## The type of the object to be created. +-## +# +interface(`fs_list_kdbus_dirs',` + gen_require(` @@ -17089,7 +17099,8 @@ index 8416beb..f1ebb1b 100644 +## +## Domain to not audit. +## -+## + ## +-## +# +interface(`fs_dontaudit_search_kdbus_dirs', ` + gen_require(` @@ -17106,21 +17117,44 @@ index 8416beb..f1ebb1b 100644 +## +## ## +-## The object class of the object being created. ++## Domain allowed access. + ## + ## +-## ++# ++interface(`fs_delete_kdbus_dirs', ` ++ gen_require(` ++ type kdbusfs_t; ++ ') ++ ++ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ++') ++ ++######################################## ++## ++## Manage kdbusfs directories. ++## ++## + ## -## The name of the object being created. +## Domain allowed access. ## ## # -interface(`fs_hugetlbfs_filetrans',` -+interface(`fs_delete_kdbus_dirs', ` ++interface(`fs_manage_kdbus_dirs',` gen_require(` - type hugetlbfs_t; +- ') + type kdbusfs_t; - ') - allow $2 hugetlbfs_t:filesystem associate; - filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) -+ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ ') ++ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') 
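Review bot: `fs_relabel_kdbus_dirs` declares `type cgroup_t;` in its `gen_require` block, but its only rule is `relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t)`, so the type it uses is never required and an unrelated one is. These lines appear as unchanged context in this hunk, so the mismatch looks pre-existing rather than introduced here, but it now sits beside the new `fs_delete_kdbus_dirs` and `fs_manage_kdbus_dirs`, both of which require `kdbusfs_t` correctly. The require block should read `type kdbusfs_t;`.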
@@ -17129,24 +17163,25 @@ index 8416beb..f1ebb1b 100644 ## -## Mount an iso9660 filesystem, which -## is usually used on CDs. -+## Manage kdbusfs directories. ++## Read kdbusfs files. ## ## ## -@@ -2214,19 +3228,19 @@ interface(`fs_hugetlbfs_filetrans',` +@@ -2214,19 +3267,21 @@ interface(`fs_hugetlbfs_filetrans',` ## ## # -interface(`fs_mount_iso9660_fs',` -+interface(`fs_manage_kdbus_dirs',` ++interface(`fs_read_kdbus_files',` gen_require(` - type iso9660_t; -- ') -+ type kdbusfs_t; ++ type cgroup_t; ++ + ') - allow $1 iso9660_t:filesystem mount; -+ ') -+ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ read_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') @@ -17156,25 +17191,23 @@ index 8416beb..f1ebb1b 100644 -## Remount an iso9660 filesystem, which -## is usually used on CDs. This allows -## some mount options to be changed. -+## Read kdbusfs files. ++## Write kdbusfs files. ##
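Review bot: The new `fs_read_kdbus_files` interface requires `type cgroup_t;` while its rules are `read_files_pattern($1, kdbusfs_t, kdbusfs_t)` and `read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)`, so `kdbusfs_t` is never brought into scope and `cgroup_t` is an unused dependency. In a modular policy build an interface body that references an unrequired type fails to compile in every caller, so this is a defect in the new side, not a cosmetic one. The `gen_require` should read `type kdbusfs_t;`, matching `fs_write_kdbus_files` and `fs_rw_kdbus_files` introduced right after it.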
## ## -@@ -2234,18 +3248,21 @@ interface(`fs_mount_iso9660_fs',` +@@ -2234,18 +3289,19 @@ interface(`fs_mount_iso9660_fs',` ## ## # -interface(`fs_remount_iso9660_fs',` -+interface(`fs_read_kdbus_files',` ++interface(`fs_write_kdbus_files', ` gen_require(` - type iso9660_t; -+ type cgroup_t; -+ ++ type kdbusfs_t; ') - allow $1 iso9660_t:filesystem remount; -+ read_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ write_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') @@ -17183,23 +17216,25 @@ index 8416beb..f1ebb1b 100644 ## -## Unmount an iso9660 filesystem, which -## is usually used on CDs. -+## Write kdbusfs files. ++## Read and write kdbusfs files. ## ## ## -@@ -2253,38 +3270,61 @@ interface(`fs_remount_iso9660_fs',` +@@ -2253,38 +3309,41 @@ interface(`fs_remount_iso9660_fs',` ## ## # -interface(`fs_unmount_iso9660_fs',` -+interface(`fs_write_kdbus_files', ` ++interface(`fs_rw_kdbus_files',` gen_require(` - type iso9660_t; + type kdbusfs_t; ++ ') - allow $1 iso9660_t:filesystem unmount; -+ write_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ rw_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') 
@@ -17208,59 +17243,38 @@ index 8416beb..f1ebb1b 100644 ## -## Get the attributes of an iso9660 -## filesystem, which is usually used on CDs. -+## Read and write kdbusfs files. ++## Do not audit attempts to open, ++## get attributes, read and write ++## cgroup files. ## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## Domain to not audit. ## ## -## # -interface(`fs_getattr_iso9660_fs',` -+interface(`fs_rw_kdbus_files',` ++interface(`fs_dontaudit_rw_kdbus_files',` gen_require(` - type iso9660_t; + type kdbusfs_t; -+ ') - allow $1 iso9660_t:filesystem getattr; -+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ rw_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) ++ dontaudit $1 kdbusfs_t:file rw_file_perms; ') ######################################## ## -## Read files on an iso9660 filesystem, which -## is usually used on CDs. -+## Do not audit attempts to open, -+## get attributes, read and write -+## cgroup files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_rw_kdbus_files',` -+ gen_require(` -+ type kdbusfs_t; -+ ') -+ -+ dontaudit $1 kdbusfs_t:file rw_file_perms; -+') -+ -+######################################## -+## +## Manage kdbusfs files. ## ## ## -@@ -2292,19 +3332,21 @@ interface(`fs_getattr_iso9660_fs',` +@@ -2292,19 +3351,21 @@ interface(`fs_getattr_iso9660_fs',` ## ## # @@ -17288,7 +17302,7 @@ index 8416beb..f1ebb1b 100644 ## ## ## -@@ -2312,16 +3354,15 @@ interface(`fs_getattr_iso9660_files',` +@@ -2312,16 +3373,15 @@ interface(`fs_getattr_iso9660_files',` ## ## # @@ -17309,7 +17323,7 @@ index 8416beb..f1ebb1b 100644 ######################################## ## ## Mount a NFS filesystem. -@@ -2398,6 +3439,24 @@ interface(`fs_getattr_nfs',` +@@ -2398,6 +3458,24 @@ interface(`fs_getattr_nfs',` ######################################## ## 
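Review bot: The summary of `fs_dontaudit_rw_kdbus_files` ends with `## cgroup files.` although the rule is `dontaudit $1 kdbusfs_t:file rw_file_perms;`; the wording was carried over from the equivalent cgroup interface. Change the last summary line to `## kdbusfs files.` so a reader searching for a kdbus dontaudit interface is not misled into thinking this silences cgroup access.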
@@ -17334,7 +17348,7 @@ index 8416beb..f1ebb1b 100644 ## Search directories on a NFS filesystem. ## ## -@@ -2485,6 +3544,7 @@ interface(`fs_read_nfs_files',` +@@ -2485,6 +3563,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -17342,7 +17356,7 @@ index 8416beb..f1ebb1b 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2523,6 +3583,7 @@ interface(`fs_write_nfs_files',` +@@ -2523,6 +3602,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -17350,7 +17364,7 @@ index 8416beb..f1ebb1b 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2549,6 +3610,44 @@ interface(`fs_exec_nfs_files',` +@@ -2549,6 +3629,44 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -17395,7 +17409,7 @@ index 8416beb..f1ebb1b 100644 ## Append files ## on a NFS filesystem. ## -@@ -2569,7 +3668,7 @@ interface(`fs_append_nfs_files',` +@@ -2569,7 +3687,7 @@ interface(`fs_append_nfs_files',` ######################################## ## @@ -17404,7 +17418,7 @@ index 8416beb..f1ebb1b 100644 ## on a NFS filesystem. ## ## -@@ -2589,6 +3688,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2589,6 +3707,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -17447,7 +17461,7 @@ index 8416beb..f1ebb1b 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2603,7 +3738,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3757,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -17456,7 +17470,7 @@ index 8416beb..f1ebb1b 100644 ') ######################################## -@@ -2627,7 +3762,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3781,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## 
@@ -17465,7 +17479,7 @@ index 8416beb..f1ebb1b 100644 ## ## ## -@@ -2719,6 +3854,65 @@ interface(`fs_search_rpc',` +@@ -2719,6 +3873,65 @@ interface(`fs_search_rpc',` ######################################## ## @@ -17531,7 +17545,7 @@ index 8416beb..f1ebb1b 100644 ## Search removable storage directories. ## ## -@@ -2741,7 +3935,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +3954,7 @@ interface(`fs_search_removable',` ## ## ## @@ -17540,7 +17554,7 @@ index 8416beb..f1ebb1b 100644 ## ## # -@@ -2777,7 +3971,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +3990,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -17549,7 +17563,7 @@ index 8416beb..f1ebb1b 100644 ## ## # -@@ -2970,6 +4164,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +4183,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -17557,7 +17571,7 @@ index 8416beb..f1ebb1b 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +4205,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +4224,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -17565,7 +17579,7 @@ index 8416beb..f1ebb1b 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +4246,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +4265,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -17573,7 +17587,7 @@ index 8416beb..f1ebb1b 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3137,6 +4334,24 @@ interface(`fs_nfs_domtrans',` +@@ -3137,6 +4353,24 @@ interface(`fs_nfs_domtrans',` ######################################## ## @@ -17598,7 +17612,7 @@ index 8416beb..f1ebb1b 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3255,17 +4470,182 @@ interface(`fs_list_nfsd_fs',` +@@ -3255,17 +4489,182 @@ interface(`fs_list_nfsd_fs',` ## ## # @@ -17785,7 +17799,7 @@ index 8416beb..f1ebb1b 100644 ## ## ## -@@ -3273,12 +4653,12 @@ interface(`fs_getattr_nfsd_files',` +@@ -3273,12 +4672,12 @@ interface(`fs_getattr_nfsd_files',` ## ## # 
@@ -17800,7 +17814,7 @@ index 8416beb..f1ebb1b 100644 ') ######################################## -@@ -3301,6 +4681,24 @@ interface(`fs_associate_ramfs',` +@@ -3301,6 +4700,24 @@ interface(`fs_associate_ramfs',` ######################################## ## @@ -17825,7 +17839,7 @@ index 8416beb..f1ebb1b 100644 ## Mount a RAM filesystem. ## ## -@@ -3392,7 +4790,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4809,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -17834,7 +17848,7 @@ index 8416beb..f1ebb1b 100644 ## ## ## -@@ -3429,7 +4827,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4846,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -17843,7 +17857,7 @@ index 8416beb..f1ebb1b 100644 ## ## ## -@@ -3447,7 +4845,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4864,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -17852,7 +17866,7 @@ index 8416beb..f1ebb1b 100644 ## ## ## -@@ -3779,6 +5177,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +5196,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## @@ -17877,7 +17891,7 @@ index 8416beb..f1ebb1b 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +5231,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +5250,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -17902,7 +17916,7 @@ index 8416beb..f1ebb1b 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +5342,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +5361,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -17911,7 +17925,7 @@ index 8416beb..f1ebb1b 100644 ## ## ## -@@ -3916,17 +5350,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +5369,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # 
@@ -17932,7 +17946,7 @@ index 8416beb..f1ebb1b 100644 ## ## ## -@@ -3934,17 +5368,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +5387,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -17953,7 +17967,7 @@ index 8416beb..f1ebb1b 100644 ## ## ## -@@ -3952,17 +5386,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5405,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -17993,7 +18007,7 @@ index 8416beb..f1ebb1b 100644 ## ## ## -@@ -3970,31 +5423,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5442,48 @@ interface(`fs_search_tmpfs',` ## ## # @@ -18049,7 +18063,7 @@ index 8416beb..f1ebb1b 100644 ') ######################################## -@@ -4057,23 +5527,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` +@@ -4057,23 +5546,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` ## ## ## @@ -18226,7 +18240,7 @@ index 8416beb..f1ebb1b 100644 ## ## ## -@@ -4081,18 +5698,18 @@ interface(`fs_tmpfs_filetrans',` +@@ -4081,18 +5717,18 @@ interface(`fs_tmpfs_filetrans',` ## ## # @@ -18249,7 +18263,7 @@ index 8416beb..f1ebb1b 100644 ## ## ## -@@ -4100,54 +5717,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` +@@ -4100,54 +5736,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` ## ## # @@ -18316,7 +18330,7 @@ index 8416beb..f1ebb1b 100644 ## ## ## -@@ -4155,17 +5771,18 @@ interface(`fs_read_tmpfs_files',` +@@ -4155,17 +5790,18 @@ interface(`fs_read_tmpfs_files',` ## ## # @@ -18338,7 +18352,7 @@ index 8416beb..f1ebb1b 100644 ## ## ## -@@ -4173,17 +5790,18 @@ interface(`fs_rw_tmpfs_files',` +@@ -4173,17 +5809,18 @@ interface(`fs_rw_tmpfs_files',` ## ## # @@ -18360,7 +18374,7 @@ index 8416beb..f1ebb1b 100644 ## ## ## -@@ -4191,37 +5809,36 @@ interface(`fs_read_tmpfs_symlinks',` +@@ -4191,37 +5828,36 @@ interface(`fs_read_tmpfs_symlinks',` ## ## # @@ -18406,7 +18420,7 @@ index 8416beb..f1ebb1b 100644 ## ## ## -@@ -4229,18 +5846,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4229,18 +5865,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ## ## # 
@@ -18428,7 +18442,7 @@ index 8416beb..f1ebb1b 100644 ## ## ## -@@ -4248,18 +5865,19 @@ interface(`fs_relabel_tmpfs_chr_file',` +@@ -4248,18 +5884,19 @@ interface(`fs_relabel_tmpfs_chr_file',` ## ## # @@ -18452,7 +18466,7 @@ index 8416beb..f1ebb1b 100644 ## ## ## -@@ -4267,32 +5885,31 @@ interface(`fs_rw_tmpfs_blk_files',` +@@ -4267,32 +5904,31 @@ interface(`fs_rw_tmpfs_blk_files',` ## ## # @@ -18491,7 +18505,7 @@ index 8416beb..f1ebb1b 100644 ') ######################################## -@@ -4407,6 +6024,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +6043,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -18517,7 +18531,7 @@ index 8416beb..f1ebb1b 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +6139,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +6158,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -18526,7 +18540,7 @@ index 8416beb..f1ebb1b 100644 ') ######################################## -@@ -4549,7 +6187,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +6206,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -18535,7 +18549,7 @@ index 8416beb..f1ebb1b 100644 ## Example attributes: ##

##
    -@@ -4596,6 +6234,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +6253,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -18562,7 +18576,7 @@ index 8416beb..f1ebb1b 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6329,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6348,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -18588,7 +18602,7 @@ index 8416beb..f1ebb1b 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6589,175 @@ interface(`fs_unconfined',` +@@ -4912,3 +6608,175 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') diff --git a/policy-f25-contrib.patch b/policy-f25-contrib.patch index 888a1ea..1ff0209 100644 --- a/policy-f25-contrib.patch +++ b/policy-f25-contrib.patch @@ -84153,7 +84153,7 @@ index 4460582..4c66c25 100644 + ') diff --git a/radius.te b/radius.te -index 403a4fe..0958dc1 100644 +index 403a4fe..07b9baf 100644 --- a/radius.te +++ b/radius.te @@ -5,6 +5,13 @@ policy_module(radius, 1.13.0) @@ -84275,10 +84275,11 @@ index 403a4fe..0958dc1 100644 logrotate_exec(radiusd_t) ') -@@ -132,6 +159,10 @@ optional_policy(` +@@ -132,6 +159,11 @@ optional_policy(` ') optional_policy(` ++ postgresql_stream_connect(radiusd_t) + postgresql_tcp_connect(radiusd_t) +') + @@ -84286,7 +84287,7 @@ index 403a4fe..0958dc1 100644 samba_domtrans_winbind_helper(radiusd_t) ') -@@ -140,5 +171,10 @@ optional_policy(` +@@ -140,5 +172,10 @@ optional_policy(` ') optional_policy(` @@ -107041,10 +107042,10 @@ index 0000000..a6e216c + diff --git a/targetd.te b/targetd.te new file mode 100644 -index 0000000..e187320 +index 0000000..0315421 --- /dev/null +++ b/targetd.te -@@ -0,0 +1,68 @@ +@@ -0,0 +1,81 @@ +policy_module(targetd, 1.0.0) + +######################################## 
@@ -107067,21 +107068,33 @@ index 0000000..e187320 +# targetd local policy +# + -+allow targetd_t self:capability { sys_admin }; ++allow targetd_t self:capability { ipc_lock sys_admin sys_nice }; +allow targetd_t self:fifo_file rw_fifo_file_perms; +allow targetd_t self:unix_stream_socket create_stream_socket_perms; +allow targetd_t self:unix_dgram_socket create_socket_perms; +allow targetd_t self:tcp_socket listen; +allow targetd_t self:netlink_route_socket r_netlink_socket_perms; -+allow targetd_t self:process setfscreate; ++allow targetd_t self:process { setfscreate setsched }; + +manage_dirs_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t) +manage_files_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t) +files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file }) + ++fs_getattr_xattr_fs(targetd_t) ++fs_manage_configfs_files(targetd_t) ++fs_manage_configfs_lnk_files(targetd_t) ++fs_manage_configfs_dirs(targetd_t) ++fs_read_nfsd_files(targetd_t) ++ ++kernel_rw_rpc_sysctls(targetd_t) ++kernel_get_sysvipc_info(targetd_t) +kernel_read_system_state(targetd_t) +kernel_read_network_state(targetd_t) + ++rpc_read_exports(targetd_t) ++ ++storage_raw_rw_fixed_disk(targetd_t) ++ +auth_use_nsswitch(targetd_t) + +corecmd_exec_shell(targetd_t) @@ -107090,7 +107103,7 @@ index 0000000..e187320 +corenet_tcp_bind_generic_node(targetd_t) +corenet_tcp_bind_lsm_plugin_port(targetd_t) + -+dev_read_sysfs(targetd_t) ++dev_rw_sysfs(targetd_t) +dev_read_urand(targetd_t) +dev_rw_lvm_control(targetd_t) +dev_getattr_loop_control(targetd_t) @@ -107104,8 +107117,9 @@ index 0000000..e187320 + +optional_policy(` + lvm_read_config(targetd_t) -+ lvm_read_metadata(targetd_t) ++ lvm_write_metadata(targetd_t) + lvm_manage_lock(targetd_t) ++ lvm_rw_pipes(targetd_t) + lvm_stream_connect(targetd_t) +') + @@ -114990,10 +115004,10 @@ index facdee8..487857a 100644 + dontaudit $1 virtd_t:lnk_file read_lnk_file_perms; ') 
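Review bot: This hunk makes targetd_t able to rewrite arbitrary host storage without saying why: `storage_raw_rw_fixed_disk(targetd_t)` grants raw read/write on fixed-disk device nodes, alongside `sys_admin` and `ipc_lock` in the capability set, `dev_rw_sysfs(targetd_t)` widened from read-only, and `lvm_write_metadata(targetd_t)` replacing the read variant. Raw block write bypasses every file-level label on the system, so it deserves at least a one-line justification and, if only specific backstore devices are meant, a narrower device type. I would add above the storage line `# NOTE(review): raw rw on fixed disks lets targetd rewrite any host block device; confirm this is required for exporting block backstores and cannot be scoped to a dedicated device type.` The remainder of targetd.te lies outside this hunk.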
diff --git a/virt.te b/virt.te -index f03dcf5..975501d 100644 +index f03dcf5..2ed3d3a 100644 --- a/virt.te +++ b/virt.te -@@ -1,451 +1,412 @@ +@@ -1,451 +1,414 @@ -policy_module(virt, 1.7.4) +policy_module(virt, 1.5.0) @@ -115631,6 +115645,8 @@ index f03dcf5..975501d 100644 + +virt_dontaudit_read_state(svirt_t) + ++storage_raw_read_fixed_disk(svirt_t) ++ +####################################### +# +# svirt_prot_exec local policy @@ -115716,7 +115732,7 @@ index f03dcf5..975501d 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -455,42 +416,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -455,42 +418,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) 
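Review bot: `storage_raw_read_fixed_disk(svirt_t)` is added unconditionally to the guest domain, so every svirt_t guest process that can reach a fixed-disk device node may read it; presumably the sVirt model depends on libvirt relabeling only the devices assigned to a given guest, and a blanket allow on the generic disk type sidesteps that per-VM labeling. This file already gates comparable storage access behind tunables (`virt_use_nfs` and `virt_use_samba` appear later in this diff), so this rule should either be wrapped in a boolean or carry a comment explaining why all guests need it. At minimum add `# NOTE(review): grants every guest raw read of host fixed disks; confirm MCS categories constrain this, otherwise gate it behind a tunable.` The svirt_t policy block continues outside this hunk.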
@@ -115763,27 +115779,27 @@ index f03dcf5..975501d 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -503,23 +451,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -503,23 +453,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -- --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) --can_exec(virtd_t, virt_tmp_t) +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +# libvirtd is permitted to talk to virtlogd +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t) +allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; +-can_exec(virtd_t, virt_tmp_t) +- -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) 
@@ -115797,7 +115813,7 @@ index f03dcf5..975501d 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -527,24 +476,16 @@ corecmd_exec_shell(virtd_t) +@@ -527,24 +478,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -115825,7 +115841,7 @@ index f03dcf5..975501d 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -555,20 +496,26 @@ dev_rw_vhost(virtd_t) +@@ -555,20 +498,26 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -115856,7 +115872,7 @@ index f03dcf5..975501d 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_all_fs(virtd_t) fs_rw_anon_inodefs_files(virtd_t) -@@ -601,15 +548,18 @@ term_use_ptmx(virtd_t) +@@ -601,15 +550,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -115876,7 +115892,7 @@ index f03dcf5..975501d 100644 selinux_validate_context(virtd_t) -@@ -620,18 +570,26 @@ seutil_read_file_contexts(virtd_t) +@@ -620,18 +572,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -115913,7 +115929,7 @@ index f03dcf5..975501d 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -640,7 +598,7 @@ tunable_policy(`virt_use_nfs',` +@@ -640,7 +600,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -115922,7 +115938,7 @@ index f03dcf5..975501d 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -665,20 +623,12 @@ optional_policy(` +@@ -665,20 +625,12 @@ optional_policy(` ') optional_policy(` @@ -115944,7 +115960,7 @@ index f03dcf5..975501d 100644 ') optional_policy(` -@@ -691,20 +641,26 @@ optional_policy(` +@@ -691,20 +643,26 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) 
@@ -115975,7 +115991,7 @@ index f03dcf5..975501d 100644 ') optional_policy(` -@@ -712,11 +668,18 @@ optional_policy(` +@@ -712,11 +670,18 @@ optional_policy(` ') optional_policy(` @@ -115994,7 +116010,7 @@ index f03dcf5..975501d 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -727,10 +690,18 @@ optional_policy(` +@@ -727,10 +692,18 @@ optional_policy(` ') optional_policy(` @@ -116013,7 +116029,7 @@ index f03dcf5..975501d 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +717,344 @@ optional_policy(` +@@ -746,44 +719,344 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -116180,7 +116196,7 @@ index f03dcf5..975501d 100644 +corenet_tcp_bind_virt_migration_port(virt_domain) +corenet_tcp_connect_virt_migration_port(virt_domain) +corenet_rw_inherited_tun_tap_dev(virt_domain) - ++ +dev_list_sysfs(virt_domain) +dev_getattr_fs(virt_domain) +dev_dontaudit_getattr_all(virt_domain) @@ -116224,7 +116240,7 @@ index f03dcf5..975501d 100644 +term_getattr_pty_fs(virt_domain) +term_use_generic_ptys(virt_domain) +term_use_ptmx(virt_domain) -+ + +tunable_policy(`virt_use_execmem',` + allow virt_domain self:process { execmem execstack }; +') @@ -116380,7 +116396,7 @@ index f03dcf5..975501d 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1065,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1067,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -116407,7 +116423,7 @@ index f03dcf5..975501d 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1085,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1087,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) 
@@ -116424,10 +116440,10 @@ index f03dcf5..975501d 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) -+ -+auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) ++auth_read_passwd(virsh_t) ++ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) @@ -116441,7 +116457,7 @@ index f03dcf5..975501d 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1122,20 @@ optional_policy(` +@@ -856,14 +1124,20 @@ optional_policy(` ') optional_policy(` @@ -116463,7 +116479,7 @@ index f03dcf5..975501d 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1160,66 @@ optional_policy(` +@@ -888,49 +1162,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -116548,7 +116564,7 @@ index f03dcf5..975501d 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1231,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1233,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -116568,7 +116584,7 @@ index f03dcf5..975501d 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1252,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1254,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -116592,7 +116608,7 @@ index f03dcf5..975501d 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1277,355 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1279,355 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) 
@@ -116766,6 +116782,10 @@ index f03dcf5..975501d 100644 +optional_policy(` + mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') ++ ++optional_policy(` ++ ssh_use_ptys(svirt_sandbox_domain) ++') -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; @@ -116850,17 +116870,11 @@ index f03dcf5..975501d 100644 - -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +optional_policy(` -+ ssh_use_ptys(svirt_sandbox_domain) ++ udev_read_pid_files(svirt_sandbox_domain) +') optional_policy(` - udev_read_pid_files(svirt_lxc_domain) -+ udev_read_pid_files(svirt_sandbox_domain) - ') - - optional_policy(` -- apache_exec_modules(svirt_lxc_domain) -- apache_read_sys_content(svirt_lxc_domain) + userhelper_dontaudit_write_config(svirt_sandbox_domain) +') + @@ -116890,9 +116904,11 @@ index f03dcf5..975501d 100644 + fs_mount_fusefs(svirt_sandbox_domain) + fs_unmount_fusefs(svirt_sandbox_domain) + fs_exec_fusefs_files(svirt_sandbox_domain) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- apache_exec_modules(svirt_lxc_domain) +- apache_read_sys_content(svirt_lxc_domain) + container_read_share_files(svirt_sandbox_domain) + container_exec_share_files(svirt_sandbox_domain) + container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file) @@ -117093,7 +117109,7 @@ index f03dcf5..975501d 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1638,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1640,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -117108,7 +117124,7 @@ index f03dcf5..975501d 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1656,7 @@ optional_policy(` +@@ -1192,7 +1658,7 @@ optional_policy(` ######################################## # 
@@ -117117,7 +117133,7 @@ index f03dcf5..975501d 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1665,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1667,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 95121be..b481727 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 225.15%{?dist} +Release: 225.16%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -682,6 +682,13 @@ exit 0 %endif %changelog +* Mon May 15 2017 Lukas Vrabec - 3.13.1-225.16 +- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit +- Update targetd policy to accommodate changes in the service +- Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit +- Allow radius domain stream connec to postgresql +- Add fs_manage_configfs_lnk_files() interface + * Sun May 14 2017 Lukas Vrabec - 3.13.1-225.15 - auth_use_nsswitch can call only domain not attribute - Fix broken cermonger module