diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 2e0c333..4bda657 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 3f64d8e..5c5030c 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -9551,7 +9551,7 @@ index 531a8f2..0b86f2f 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 1241123..5336071 100644 +index 1241123..dcaf16b 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -9607,11 +9607,12 @@ index 1241123..5336071 100644 corenet_all_recvfrom_netlabel(named_t) corenet_tcp_sendrecv_generic_if(named_t) corenet_udp_sendrecv_generic_if(named_t) -@@ -141,9 +143,12 @@ corenet_sendrecv_all_client_packets(named_t) +@@ -141,9 +143,13 @@ corenet_sendrecv_all_client_packets(named_t) corenet_tcp_connect_all_ports(named_t) corenet_tcp_sendrecv_all_ports(named_t) +corenet_tcp_bind_all_ephemeral_ports(named_t) ++corenet_udp_bind_all_ephemeral_ports(named_t) + dev_read_sysfs(named_t) dev_read_rand(named_t) @@ -9620,7 +9621,7 @@ index 1241123..5336071 100644 domain_use_interactive_fds(named_t) -@@ -175,6 +180,19 @@ tunable_policy(`named_write_master_zones',` +@@ -175,6 +181,19 @@ tunable_policy(`named_write_master_zones',` ') optional_policy(` @@ -9640,7 +9641,7 @@ index 1241123..5336071 100644 dbus_system_domain(named_t, named_exec_t) init_dbus_chat_script(named_t) -@@ -187,7 +205,13 @@ optional_policy(` +@@ -187,7 +206,13 @@ optional_policy(` ') optional_policy(` @@ -9654,7 +9655,7 @@ index 1241123..5336071 100644 kerberos_use(named_t) ') -@@ -215,7 +239,8 @@ optional_policy(` +@@ -215,7 +240,8 @@ optional_policy(` # allow ndc_t self:capability { dac_override net_admin }; 
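Review bot: The added `++corenet_udp_bind_all_ephemeral_ports(named_t)` grants the BIND domain (`named_t`) a UDP bind on every ephemeral port, while the spec changelog on this page attributes the change to unbound; if the changelog line is meant to describe this hunk, either the domain or the changelog text is off and should be reconciled. The grant itself is broad for a resolver that normally binds a fixed port, so a one-line comment above it naming the behaviour that needs it would help later audits, e.g. `# randomized source ports for outgoing queries`. The enclosing `bind.te` policy block continues outside the hunk.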
@@ -9664,7 +9665,7 @@ index 1241123..5336071 100644 allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; -@@ -229,10 +254,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; +@@ -229,10 +255,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; allow ndc_t named_zone_t:dir search_dir_perms; @@ -9676,7 +9677,7 @@ index 1241123..5336071 100644 corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -242,6 +266,9 @@ corenet_tcp_bind_generic_node(ndc_t) +@@ -242,6 +267,9 @@ corenet_tcp_bind_generic_node(ndc_t) corenet_tcp_connect_rndc_port(ndc_t) corenet_sendrecv_rndc_client_packets(ndc_t) @@ -9686,7 +9687,7 @@ index 1241123..5336071 100644 domain_use_interactive_fds(ndc_t) files_search_pids(ndc_t) -@@ -257,7 +284,7 @@ init_use_script_ptys(ndc_t) +@@ -257,7 +285,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) @@ -44261,7 +44262,7 @@ index dff21a7..b6981c8 100644 init_labeled_script_domtrans($1, lircd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/lircd.te b/lircd.te -index 483c87b..62ca3e4 100644 +index 483c87b..0a54c6d 100644 --- a/lircd.te +++ b/lircd.te @@ -13,7 +13,7 @@ type lircd_initrc_exec_t; @@ -44273,7 +44274,12 @@ index 483c87b..62ca3e4 100644 type lircd_var_run_t alias lircd_sock_t; files_pid_file(lircd_var_run_t) -@@ -27,6 +27,7 @@ allow lircd_t self:capability { chown kill sys_admin }; +@@ -23,10 +23,11 @@ files_pid_file(lircd_var_run_t) + # Local policy + # + +-allow lircd_t self:capability { chown kill sys_admin }; ++allow lircd_t self:capability { setuid setgid dac_override chown kill sys_admin }; allow lircd_t self:process signal; allow lircd_t self:fifo_file rw_fifo_file_perms; allow lircd_t self:tcp_socket { accept listen }; 
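Review bot: The rewritten capability line `++allow lircd_t self:capability { setuid setgid dac_override chown kill sys_admin };` adds `dac_override` with no comment saying which access triggered it; `dac_override` bypasses all DAC file checks and frequently masks a mislabeled file or a missing read interface rather than a genuine need. Please document the concrete denial behind it, or replace it with the specific file-access interface if one exists. `setuid`/`setgid` pair naturally with the `auth_read_passwd` added in the next hunk (privilege drop), and a short comment such as `# drops privileges to the lircd user` would make that intent explicit.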
@@ -44281,17 +44287,27 @@ index 483c87b..62ca3e4 100644 read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) -@@ -64,9 +65,9 @@ files_manage_generic_locks(lircd_t) +@@ -39,6 +40,7 @@ dev_filetrans(lircd_t, lircd_var_run_t, sock_file) + + kernel_request_load_module(lircd_t) + ++ + corenet_all_recvfrom_unlabeled(lircd_t) + corenet_all_recvfrom_netlabel(lircd_t) + corenet_tcp_sendrecv_generic_if(lircd_t) +@@ -64,9 +66,11 @@ files_manage_generic_locks(lircd_t) files_read_all_locks(lircd_t) term_use_ptmx(lircd_t) +term_use_usb_ttys(lircd_t) +term_use_unallocated_ttys(lircd_t) - logging_send_syslog_msg(lircd_t) +-logging_send_syslog_msg(lircd_t) ++auth_read_passwd(lircd_t) -miscfiles_read_localization(lircd_t) -- ++logging_send_syslog_msg(lircd_t) + sysnet_dns_name_resolve(lircd_t) diff --git a/livecd.if b/livecd.if index e354181..fc614ba 100644 @@ -57389,7 +57405,7 @@ index 86dc29d..7380935 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..d63018d 100644 +index 55f2009..2646460 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -9,15 +9,18 @@ type NetworkManager_t; @@ -57607,10 +57623,10 @@ index 55f2009..d63018d 100644 -# certificates in user home directories (cert_home_t in ~/\.pki) -userdom_read_user_home_content_files(NetworkManager_t) +systemd_machined_read_pid_files(NetworkManager_t) ++ ++term_use_unallocated_ttys(NetworkManager_t) -userdom_write_user_tmp_sockets(NetworkManager_t) -+term_use_unallocated_ttys(NetworkManager_t) -+ +userdom_stream_connect(NetworkManager_t) userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) userdom_dontaudit_use_user_ttys(NetworkManager_t) 
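Review bot: The lircd hunk inserts a second consecutive blank line (`++` directly after `kernel_request_load_module(lircd_t)` and the existing blank), which is pure whitespace churn and departs from the single-blank-line layout used elsewhere in the file; drop that added line. The `logging_send_syslog_msg(lircd_t)` removal and re-add only moves the call below `auth_read_passwd(lircd_t)`, which inflates the diff without changing policy; adding `auth_read_passwd(lircd_t)` on its own line above would be a smaller change. The `lircd.te` local-policy section continues outside the hunk.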
@@ -57809,7 +57825,21 @@ index 55f2009..d63018d 100644 ') optional_policy(` -@@ -357,6 +447,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -338,6 +428,13 @@ optional_policy(` + vpn_relabelfrom_tun_socket(NetworkManager_t) + ') + ++optional_policy(` ++ openfortivpn_domtrans(NetworkManager_t) ++ openfortivpn_sigkill(NetworkManager_t) ++ openfortivpn_signal(NetworkManager_t) ++ openfortivpn_signull(NetworkManager_t) ++') ++ + ######################################## + # + # wpa_cli local policy +@@ -357,6 +454,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) 
@@ -62271,6 +62301,210 @@ index 3b6920e..3e9b17f 100644 userdom_dontaudit_use_unpriv_user_fds(openct_t) userdom_dontaudit_search_user_home_dirs(openct_t) +diff --git a/openfortivpn.fc b/openfortivpn.fc +new file mode 100644 +index 0000000..2e4dd3f +--- /dev/null ++++ b/openfortivpn.fc +@@ -0,0 +1,4 @@ ++/usr/bin/openfortivpn -- gen_context(system_u:object_r:openfortivpn_exec_t,s0) ++/usr/libexec/nm-fortisslvpn-service -- gen_context(system_u:object_r:openfortivpn_exec_t,s0) ++ ++/var/lib/NetworkManager-fortisslvpn(/.*)? gen_context(system_u:object_r:openfortivpn_var_lib_t,s0) +diff --git a/openfortivpn.if b/openfortivpn.if +new file mode 100644 +index 0000000..7581b52 +--- /dev/null ++++ b/openfortivpn.if +@@ -0,0 +1,113 @@ ++## Fortinet compatible SSL VPN daemons. ++ ++######################################## ++## ++## Transition to openfortivpn. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`openfortivpn_domtrans',` ++ gen_require(` ++ type openfortivpn_t, openfortivpn_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, openfortivpn_exec_t, openfortivpn_t) ++') ++ ++######################################## ++## ++## Allow send a signal to openfortivpn. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openfortivpn_signal',` ++ gen_require(` ++ type openfortivpn_t; ++ ') ++ ++ allow $1 openfortivpn_t:process signal; ++') ++ ++######################################## ++## ++## Allow send signull to openfortivpn. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openfortivpn_signull',` ++ gen_require(` ++ type openfortivpn_t; ++ ') ++ ++ allow $1 openfortivpn_t:process signull; ++') ++ ++######################################## ++## ++## Allow send sigkill to openfortivpn. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`openfortivpn_sigkill',` ++ gen_require(` ++ type openfortivpn_t; ++ ') ++ ++ allow $1 openfortivpn_t:process sigkill; ++') ++ ++######################################## ++## ++## Send and receive messages from ++## openfortivpn over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openfortivpn_dbus_chat',` ++ gen_require(` ++ type openfortivpn_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 openfortivpn_t:dbus send_msg; ++ allow openfortivpn_t $1:dbus send_msg; ++') ++ ++######################################## ++## ++## Read from and write to the openfortivpn devpts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openfortivpn_use_ptys',` ++ gen_require(` ++ type openfortivpn_devpts_t; ++ ') ++ ++ allow $1 openfortivpn_devpts_t:chr_file rw_term_perms; ++') +diff --git a/openfortivpn.te b/openfortivpn.te +new file mode 100644 +index 0000000..0d22f83 +--- /dev/null ++++ b/openfortivpn.te +@@ -0,0 +1,69 @@ ++policy_module(openfortivpn, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type openfortivpn_t; ++domain_type(openfortivpn_t); ++role system_r types openfortivpn_t; ++ ++type openfortivpn_exec_t; ++domain_entry_file(openfortivpn_t, openfortivpn_exec_t) ++ ++type openfortivpn_var_lib_t; ++files_type(openfortivpn_var_lib_t) ++ ++type openfortivpn_devpts_t; ++term_pty(openfortivpn_devpts_t) ++ ++######################################## ++# ++# Local policy ++# ++ ++# User certificates are typically not world-readable and are owned by the user ++allow openfortivpn_t self:capability dac_override; ++ ++# Talking to pppd via the PTY ++allow openfortivpn_t openfortivpn_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; ++ ++manage_dirs_pattern(openfortivpn_t, openfortivpn_var_lib_t, openfortivpn_var_lib_t) ++manage_files_pattern(openfortivpn_t, openfortivpn_var_lib_t, openfortivpn_var_lib_t) ++ ++can_exec(openfortivpn_t, openfortivpn_exec_t) ++ ++# 
No standard port for SSLVPN ++corenet_all_recvfrom_unlabeled(openfortivpn_t) ++corenet_tcp_connect_all_ports(openfortivpn_t) ++corenet_tcp_sendrecv_all_ports(openfortivpn_t) ++corenet_tcp_sendrecv_generic_if(openfortivpn_t) ++corenet_tcp_sendrecv_generic_node(openfortivpn_t) ++ ++fs_dontaudit_getattr_xattr_fs(openfortivpn_t) ++ ++# PTY to pppd ++term_create_pty(openfortivpn_t, openfortivpn_devpts_t) ++ ++auth_dontaudit_read_passwd(openfortivpn_t) ++auth_use_nsswitch(openfortivpn_t) ++ ++logging_send_syslog_msg(openfortivpn_t) ++ ++userdom_read_home_certs(openfortivpn_t) ++ ++optional_policy(` ++ dbus_system_bus_client(openfortivpn_t) ++ dbus_connect_system_bus(openfortivpn_t) ++ ++ optional_policy(` ++ networkmanager_dbus_chat(openfortivpn_t) ++ ') ++') ++ ++optional_policy(` ++ ppp_domtrans(openfortivpn_t) ++ ppp_signal(openfortivpn_t) ++ ppp_kill(openfortivpn_t) ++') diff --git a/openhpi.te b/openhpi.te index 8de6191..1a01e99 100644 --- a/openhpi.te @@ -73802,7 +74036,7 @@ index cd8b8b9..2cfa88a 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index d616ca3..6b73bbd 100644 +index d616ca3..8ccefd5 100644 --- a/ppp.te +++ b/ppp.te @@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0) @@ -73991,14 +74225,14 @@ index d616ca3..6b73bbd 100644 -fs_getattr_all_fs(pppd_t) -fs_search_auto_mountpoints(pppd_t) -+# for scripts - +- -term_use_unallocated_ttys(pppd_t) -term_setattr_unallocated_ttys(pppd_t) -term_ioctl_generic_ptys(pppd_t) -term_create_pty(pppd_t, pppd_devpts_t) -term_use_generic_ptys(pppd_t) -- ++# for scripts + -init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t) init_read_utmp(pppd_t) -init_signal_script(pppd_t) 
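Review bot: In the new `openfortivpn.te`, `domain_type(openfortivpn_t);` carries a trailing semicolon while every other declaration and interface call in the file (and on the rest of this page) omits it; the m4 expansion will pass that stray `;` through to the policy source, so it should read `domain_type(openfortivpn_t)` for consistency and to avoid a possible parse issue. The network section grants `corenet_tcp_connect_all_ports` plus `corenet_all_recvfrom_unlabeled` with only the "No standard port for SSLVPN" comment; a sentence noting that this deliberately allows the daemon to reach any TCP port on any host would help reviewers judge the scope. `can_exec(openfortivpn_t, openfortivpn_exec_t)` has no why-comment; if the daemon re-executes itself (for example to spawn a helper), say so, e.g. `# re-executes its own binary`. The `.if` documentation lines appear to have lost their summary/param markup in rendering, so I have not commented on them.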
@@ -74046,8 +74280,15 @@ index d616ca3..6b73bbd 100644 ') ') -@@ -218,16 +240,19 @@ optional_policy(` +@@ -216,18 +238,26 @@ optional_policy(` + udev_read_db(pppd_t) + ') ++optional_policy(` ++ openfortivpn_dbus_chat(pppd_t) ++ openfortivpn_use_ptys(pppd_t) ++') ++ ######################################## # -# PPTP local policy @@ -74069,7 +74310,7 @@ index d616ca3..6b73bbd 100644 allow pptp_t pppd_etc_t:dir list_dir_perms; allow pptp_t pppd_etc_t:file read_file_perms; -@@ -236,45 +261,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; +@@ -236,45 +266,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; allow pptp_t pppd_etc_rw_t:dir list_dir_perms; allow pptp_t pppd_etc_rw_t:file read_file_perms; allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; @@ -74126,7 +74367,7 @@ index d616ca3..6b73bbd 100644 fs_getattr_all_fs(pptp_t) fs_search_auto_mountpoints(pptp_t) -@@ -282,12 +305,12 @@ term_ioctl_generic_ptys(pptp_t) +@@ -282,12 +310,12 @@ term_ioctl_generic_ptys(pptp_t) term_search_ptys(pptp_t) term_use_ptmx(pptp_t) @@ -74141,7 +74382,7 @@ index d616ca3..6b73bbd 100644 sysnet_exec_ifconfig(pptp_t) userdom_dontaudit_use_unpriv_user_fds(pptp_t) -@@ -299,6 +322,10 @@ optional_policy(` +@@ -299,6 +327,10 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 1d52333..fc59b8b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 157%{?dist} +Release: 158%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -661,6 +661,10 @@ exit 0 %endif %changelog +* Tue Nov 10 2015 Miroslav Grepl 3.13.1-158 +- Merge pull request #48 from lkundrak/contrib-openfortivpn +- unbound wants to use ephemeral ports as a default configuration. Allow to use also udp sockets. + * Mon Nov 09 2015 Miroslav Grepl 3.13.1-157 - The ABRT coredump handler has code to emulate default core file creation The handler runs in a separate process with abrt_dump_oops_t SELinux process type. abrt-hook-ccpp also saves the core dump file in the very same way as kernel does and a user can specify CWD location for a coredump. abrt-hook-ccpp has been made as a SELinux aware apps to create this coredumps with correct labeling and with this commit the policy rules have been updated to allow access all non security files on a system. - Since /dev/log is a symlink, we need to allow relabelto also symlink. This commit update logging_relabel_devlog_dev() interface to allow it.