diff --git a/policy-rawhide.patch b/policy-rawhide.patch index 20183a8..2da01b6 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -120816,7 +120816,7 @@ index 7be4ddf..f7021a0 100644 + +/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 4bf45cb..dc7f313 100644 +index 4bf45cb..9f81200 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -267,7 +267,7 @@ interface(`kernel_rw_unix_dgram_sockets',` @@ -121107,7 +121107,7 @@ index 4bf45cb..dc7f313 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2956,5 +3126,315 @@ interface(`kernel_unconfined',` +@@ -2956,5 +3126,318 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -121380,10 +121380,11 @@ index 4bf45cb..dc7f313 100644 +# +interface(`kernel_search_vm_overcommit_sysctl',` + gen_require(` -+ type proc_t, sysctl_t, sysctl_vm_overcommit_t; ++ type sysctl_vm_overcommit_t; + ') + -+ search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t) ++ kernel_search_vm_sysctl($1) ++ search_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) +') + +######################################## @@ -121399,10 +121400,11 @@ index 4bf45cb..dc7f313 100644 +# +interface(`kernel_read_vm_overcommit_sysctls',` + gen_require(` -+ type proc_t, sysctl_t, sysctl_vm_overcommit_t; ++ type sysctl_vm_overcommit_t; + ') + -+ read_files_pattern($1, { proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t) ++ kernel_search_vm_sysctl($1) ++ read_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) +') + +######################################## 
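Review bot: `search_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)` in kernel_search_vm_overcommit_sysctl only grants search on directories that themselves carry sysctl_vm_overcommit_t; if that type is applied only to the overcommit_* files under /proc/sys/vm (which the name and the read/rw siblings suggest, though the genfscon lines are not in this hunk) the rule is a no-op and the effective grant is the added `kernel_search_vm_sysctl($1)` alone. The same applies to `list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)` in the kernel_rw_vm_overcommit_sysctls hunk that follows. Either drop the directory rules or, if a directory is labeled with that type, say so in the interface header so the next reader does not remove them. The header comment of kernel_search_vm_overcommit_sysctl starts before this hunk.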
@@ -121418,11 +121420,12 @@ index 4bf45cb..dc7f313 100644 +# +interface(`kernel_rw_vm_overcommit_sysctls',` + gen_require(` -+ type proc_t, sysctl_t, sysctl_vm_overcommit_t; ++ type sysctl_vm_overcommit_t; + ') + -+ rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t) -+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t) ++ kernel_search_vm_sysctl($1) ++ rw_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) ++ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) ') diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index ab9b6cd..ccffb0f 100644 @@ -123407,7 +123410,7 @@ index 01dd2f1..3541088 100644 + dev_filetrans($1, tty_device_t, chr_file, "xvc9") +') diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te -index 9d64659..31b2165 100644 +index 9d64659..f85e86f 100644 --- a/policy/modules/kernel/terminal.te +++ b/policy/modules/kernel/terminal.te @@ -29,6 +29,7 @@ files_mountpoint(devpts_t) @@ -123418,10 +123421,14 @@ index 9d64659..31b2165 100644 # # devtty_t is the type of /dev/tty. -@@ -56,3 +57,9 @@ dev_node(tty_device_t) +@@ -54,5 +55,11 @@ dev_node(tty_device_t) # - type usbtty_device_t, serial_device; - dev_node(usbtty_device_t) + # usbtty_device_t is the type of /dev/usr/tty* + # +-type usbtty_device_t, serial_device; +-dev_node(usbtty_device_t) ++type usbtty_device_t; ++term_tty(usbtty_device_t) + +# +# virtio_device_t is the type of /dev/vport[0-9]p[0-9] diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index 6fe1a6b..f243357 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -2072,10 +2072,10 @@ index 0000000..feabdf3 + files_getattr_all_sockets(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index fd9fa07..ff0883d 100644 +index fd9fa07..3a26b0f 100644 --- a/apache.fc 
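Review bot: `++type usbtty_device_t;` drops the serial_device attribute that the replaced `type usbtty_device_t, serial_device;` carried, so any interface that grants access through that attribute no longer covers the /dev/usb/tty* nodes; `term_tty(usbtty_device_t)` presumably adds the tty attribute and the dev_node call, but it does not put serial_device back. If usbtty should stay reachable both as a tty and as a serial device, keep `typeattribute usbtty_device_t serial_device;` next to the term_tty call; if the narrowing is deliberate, a one-line comment `# usbtty is a tty node and intentionally no longer a serial_device` at that spot would record it. The carried-along context line `# usbtty_device_t is the type of /dev/usr/tty*` also looks like a typo for /dev/usb/tty*, though it is upstream text this patch does not change.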
+++ b/apache.fc -@@ -1,41 +1,61 @@ +@@ -1,20 +1,36 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) +HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0) @@ -2101,7 +2101,8 @@ index fd9fa07..ff0883d 100644 /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) +/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) - ++/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++ +/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/usr/lib/systemd/system/httpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) @@ -2109,10 +2110,10 @@ index fd9fa07..ff0883d 100644 +/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) + +/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0) -+ + /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - +@@ -22,20 +38,25 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u /usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0) /usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) @@ -2145,7 +2146,7 @@ index fd9fa07..ff0883d 100644 /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) -@@ -43,8 +63,9 @@ ifdef(`distro_suse', ` +@@ -43,8 +64,9 @@ ifdef(`distro_suse', ` /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') 
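Review bot: `++/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)` labels a configuration tree under /etc as content httpd_t may write, which lets a compromised web process rewrite the application's own configuration (where backend credentials usually live); the sibling entries in later hunks put /usr/share/z-push on read-only httpd_sys_content_t and /var/lib/z-push on httpd_var_lib_t, which is the tighter shape. If only a state or settings file inside /etc/z-push actually needs to be writable, narrow the regex to that file and label the rest httpd_sys_content_t or httpd_config_t; if the whole tree really is written at runtime, a comment such as `# z-push rewrites its own config tree at runtime` would justify the rw label. The entry follows the existing /etc/zabbix/web line above it, so it is at least consistent with the file's current practice.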
@@ -2157,7 +2158,7 @@ index fd9fa07..ff0883d 100644 /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -54,9 +75,12 @@ ifdef(`distro_suse', ` +@@ -54,9 +76,13 @@ ifdef(`distro_suse', ` /usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -2167,10 +2168,11 @@ index fd9fa07..ff0883d 100644 /usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) ++/usr/share/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -73,31 +97,48 @@ ifdef(`distro_suse', ` +@@ -73,31 +99,50 @@ ifdef(`distro_suse', ` /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) 
@@ -2185,10 +2187,12 @@ index fd9fa07..ff0883d 100644 +/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) -+/var/lib/openshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -+/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) ++/var/lib/openshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) ++/var/lib/openshift/\.log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++/var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) @@ -2197,13 +2201,14 @@ index fd9fa07..ff0883d 100644 -/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +- +/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/php-fpm(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) - ++/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ifdef(`distro_debian', ` /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ') 
@@ -2223,7 +2228,7 @@ index fd9fa07..ff0883d 100644 /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) -@@ -109,3 +150,26 @@ ifdef(`distro_debian', ` +@@ -109,3 +154,26 @@ ifdef(`distro_debian', ` /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) @@ -4462,7 +4467,7 @@ index d052bf0..48f0ce4 100644 corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t) corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t) diff --git a/apm.fc b/apm.fc -index 0123777..f2f0c35 100644 +index 0123777..5bfd421 100644 --- a/apm.fc +++ b/apm.fc @@ -1,3 +1,4 @@ @@ -4470,6 +4475,14 @@ index 0123777..f2f0c35 100644 # # /usr +@@ -14,6 +15,7 @@ + /var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0) + + /var/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0) ++/var/run/acpid\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0) + /var/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0) + /var/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0) + /var/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0) diff --git a/apm.if b/apm.if index 1ea99b2..0b668ae 100644 --- a/apm.if @@ -25023,7 +25036,7 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/gnomeclock.te b/gnomeclock.te -index 4fde46b..1aa73d8 100644 +index 4fde46b..540e180 100644 --- a/gnomeclock.te +++ b/gnomeclock.te @@ -7,38 +7,84 @@ policy_module(gnomeclock, 1.0.0) 
@@ -25054,7 +25067,7 @@ index 4fde46b..1aa73d8 100644 + +corenet_tcp_connect_time_port(gnomeclock_t) + -+dev_read_realtime_clock(gnomeclock_t) ++dev_rw_realtime_clock(gnomeclock_t) +dev_read_urand(gnomeclock_t) +dev_write_kmsg(gnomeclock_t) +dev_read_sysfs(gnomeclock_t) @@ -26887,10 +26900,10 @@ index 9aeeaf9..a91de65 100644 userdom_dontaudit_search_user_home_dirs(irqbalance_t) diff --git a/iscsi.fc b/iscsi.fc -index 14d9670..6825edc 100644 +index 14d9670..e94b352 100644 --- a/iscsi.fc +++ b/iscsi.fc -@@ -1,7 +1,16 @@ +@@ -1,7 +1,17 @@ /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) /sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) +/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) @@ -26904,6 +26917,7 @@ index 14d9670..6825edc 100644 +/var/log/iscsiuio\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0) + /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) ++/var/run/iscsiuio\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) + +/usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) +/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) @@ -34995,7 +35009,7 @@ index afa18c8..2f102b2 100644 +/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if -index 4e2a5ba..ef40577 100644 +index 4e2a5ba..def7747 100644 --- a/mta.if +++ b/mta.if @@ -37,6 +37,7 @@ interface(`mta_stub',` @@ -35111,7 +35125,8 @@ index 4e2a5ba..ef40577 100644 allow mta_user_agent $2:fd use; allow mta_user_agent $2:process sigchld; - allow mta_user_agent $2:fifo_file { read write }; +- allow mta_user_agent $2:fifo_file { read write }; ++ allow mta_user_agent $2:fifo_file rw_inherited_fifo_file_perms; + + optional_policy(` + exim_run($2, $1) 
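Review bot: `++ allow mta_user_agent $2:fifo_file rw_inherited_fifo_file_perms;` replaces a bare `{ read write }` with a permission-set macro that this diff does not define and that, as far as I know, is not part of upstream refpolicy's obj_perm_sets; the mta_send_mail and mta_sendmail_domtrans hunks that follow do the same. An undefined m4 macro expands to its own name and checkpolicy then rejects the unknown permission, so this contrib change depends on the base policy patch (policy-rawhide.patch) defining rw_inherited_fifo_file_perms — worth confirming before the two patches are applied together. The narrowing itself (no `open`, so only a pipe inherited from the caller can be used) is the right direction for a mail user agent. The enclosing interface of this hunk starts before it.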
@@ -35166,7 +35181,17 @@ index 4e2a5ba..ef40577 100644 ') ####################################### -@@ -393,12 +353,19 @@ interface(`mta_send_mail',` +@@ -361,8 +321,7 @@ interface(`mta_send_mail',` + + allow mta_user_agent $1:fd use; + allow mta_user_agent $1:process sigchld; +- allow mta_user_agent $1:fifo_file rw_fifo_file_perms; +- ++ allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms; + dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms; + ') + +@@ -393,12 +352,19 @@ interface(`mta_send_mail',` # interface(`mta_sendmail_domtrans',` gen_require(` @@ -35184,11 +35209,11 @@ index 4e2a5ba..ef40577 100644 + domtrans_pattern($1, mta_exec_type, $2) + allow mta_user_agent $1:fd use; + allow mta_user_agent $1:process sigchld; -+ allow mta_user_agent $1:fifo_file { read write }; ++ allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms; ') ######################################## -@@ -411,7 +378,6 @@ interface(`mta_sendmail_domtrans',` +@@ -411,7 +377,6 @@ interface(`mta_sendmail_domtrans',` ## ## # @@ -35196,7 +35221,7 @@ index 4e2a5ba..ef40577 100644 interface(`mta_signal_system_mail',` gen_require(` type system_mail_t; -@@ -422,6 +388,60 @@ interface(`mta_signal_system_mail',` +@@ -422,6 +387,60 @@ interface(`mta_signal_system_mail',` ######################################## ## @@ -35257,7 +35282,7 @@ index 4e2a5ba..ef40577 100644 ## Execute sendmail in the caller domain. ## ## -@@ -440,6 +460,26 @@ interface(`mta_sendmail_exec',` +@@ -440,6 +459,26 @@ interface(`mta_sendmail_exec',` ######################################## ## @@ -35284,7 +35309,7 @@ index 4e2a5ba..ef40577 100644 ## Read mail server configuration. ## ## -@@ -481,6 +521,25 @@ interface(`mta_write_config',` +@@ -481,6 +520,25 @@ interface(`mta_write_config',` ######################################## ## 
@@ -35310,7 +35335,7 @@ index 4e2a5ba..ef40577 100644 ## Read mail address aliases. ## ## -@@ -496,6 +555,7 @@ interface(`mta_read_aliases',` +@@ -496,6 +554,7 @@ interface(`mta_read_aliases',` files_search_etc($1) allow $1 etc_aliases_t:file read_file_perms; @@ -35318,7 +35343,7 @@ index 4e2a5ba..ef40577 100644 ') ######################################## -@@ -516,6 +576,9 @@ interface(`mta_manage_aliases',` +@@ -516,6 +575,9 @@ interface(`mta_manage_aliases',` files_search_etc($1) manage_files_pattern($1, etc_aliases_t, etc_aliases_t) manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t) @@ -35328,7 +35353,7 @@ index 4e2a5ba..ef40577 100644 ') ######################################## -@@ -534,7 +597,7 @@ interface(`mta_etc_filetrans_aliases',` +@@ -534,7 +596,7 @@ interface(`mta_etc_filetrans_aliases',` type etc_aliases_t; ') @@ -35337,7 +35362,7 @@ index 4e2a5ba..ef40577 100644 ') ######################################## -@@ -554,7 +617,7 @@ interface(`mta_rw_aliases',` +@@ -554,7 +616,7 @@ interface(`mta_rw_aliases',` ') files_search_etc($1) @@ -35346,7 +35371,7 @@ index 4e2a5ba..ef40577 100644 ') ####################################### -@@ -576,6 +639,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',` +@@ -576,6 +638,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',` dontaudit $1 mailserver_delivery:tcp_socket { read write }; ') @@ -35372,7 +35397,7 @@ index 4e2a5ba..ef40577 100644 ####################################### ## ## Connect to all mail servers over TCP. (Deprecated) -@@ -648,8 +730,8 @@ interface(`mta_dontaudit_getattr_spool_files',` +@@ -648,8 +729,8 @@ interface(`mta_dontaudit_getattr_spool_files',` files_dontaudit_search_spool($1) dontaudit $1 mail_spool_t:dir search_dir_perms; @@ -35383,7 +35408,7 @@ index 4e2a5ba..ef40577 100644 ') ####################################### -@@ -679,7 +761,26 @@ interface(`mta_spool_filetrans',` +@@ -679,7 +760,26 @@ interface(`mta_spool_filetrans',` ') files_search_spool($1) 
@@ -35411,7 +35436,7 @@ index 4e2a5ba..ef40577 100644 ') ######################################## -@@ -699,8 +800,8 @@ interface(`mta_rw_spool',` +@@ -699,8 +799,8 @@ interface(`mta_rw_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; @@ -35422,7 +35447,7 @@ index 4e2a5ba..ef40577 100644 read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -840,7 +941,7 @@ interface(`mta_dontaudit_rw_queue',` +@@ -840,7 +940,7 @@ interface(`mta_dontaudit_rw_queue',` ') dontaudit $1 mqueue_spool_t:dir search_dir_perms; @@ -35431,7 +35456,7 @@ index 4e2a5ba..ef40577 100644 ') ######################################## -@@ -866,6 +967,36 @@ interface(`mta_manage_queue',` +@@ -866,6 +966,36 @@ interface(`mta_manage_queue',` ####################################### ## @@ -35468,7 +35493,7 @@ index 4e2a5ba..ef40577 100644 ## Read sendmail binary. ## ## -@@ -901,3 +1032,172 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -901,3 +1031,172 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -43606,7 +43631,7 @@ index ceafba6..47b690d 100644 + udev_read_db(pcscd_t) +') diff --git a/pegasus.te b/pegasus.te -index 3185114..5a51349 100644 +index 3185114..713423f 100644 --- a/pegasus.te +++ b/pegasus.te @@ -9,6 +9,9 @@ type pegasus_t; @@ -43699,12 +43724,16 @@ index 3185114..5a51349 100644 sysnet_read_config(pegasus_t) sysnet_domtrans_ifconfig(pegasus_t) -@@ -121,12 +130,44 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t) +@@ -121,12 +130,48 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t) userdom_dontaudit_search_user_home_dirs(pegasus_t) optional_policy(` + dbus_system_bus_client(pegasus_t) + dbus_connect_system_bus(pegasus_t) ++ ++ optional_policy(` ++ networkmanager_dbus_chat(pegasus_t) ++ ') +') + +optional_policy(` 
@@ -43745,7 +43774,7 @@ index 3185114..5a51349 100644 ') optional_policy(` -@@ -136,3 +177,14 @@ optional_policy(` +@@ -136,3 +181,14 @@ optional_policy(` optional_policy(` unconfined_signull(pegasus_t) ') @@ -48630,10 +48659,18 @@ index ec0e76a..62af9a4 100644 /var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) diff --git a/prelink.te b/prelink.te -index af55369..13dcbea 100644 +index af55369..9f1d1b5 100644 --- a/prelink.te +++ b/prelink.te -@@ -36,7 +36,7 @@ files_type(prelink_var_lib_t) +@@ -18,6 +18,7 @@ type prelink_cron_system_t; + type prelink_cron_system_exec_t; + domain_type(prelink_cron_system_t) + domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t) ++domain_obj_id_change_exemption(prelink_cron_system_t) + + type prelink_log_t; + logging_log_file(prelink_log_t) +@@ -36,7 +37,7 @@ files_type(prelink_var_lib_t) # Local policy # @@ -48642,7 +48679,7 @@ index af55369..13dcbea 100644 allow prelink_t self:process { execheap execmem execstack signal }; allow prelink_t self:fifo_file rw_fifo_file_perms; -@@ -59,10 +59,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) +@@ -59,10 +60,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file }) @@ -48655,7 +48692,7 @@ index af55369..13dcbea 100644 kernel_read_system_state(prelink_t) kernel_read_kernel_sysctls(prelink_t) -@@ -73,6 +74,7 @@ corecmd_mmap_all_executables(prelink_t) +@@ -73,6 +75,7 @@ corecmd_mmap_all_executables(prelink_t) corecmd_read_bin_symlinks(prelink_t) dev_read_urand(prelink_t) 
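Review bot: `++domain_obj_id_change_exemption(prelink_cron_system_t)` exempts the cron domain from the constraint that stops a process from creating or relabeling objects with a SELinux user or role other than its own, which is a broad exemption for the narrow need stated in the changelog (keeping the user component when cp runs). If the copy is of prelink's own cache or log files, consider whether the user component needs preserving at all (plain `cp` without context preservation, letting the new file carry system_u) before granting the exemption; if it stays, a comment on the line such as `# cp preserves the source file's user component when the cron job copies prelink files` records why. The declaration block this hunk touches starts before it.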
@@ -48663,7 +48700,7 @@ index af55369..13dcbea 100644 files_list_all(prelink_t) files_getattr_all_files(prelink_t) -@@ -86,6 +88,8 @@ files_relabelfrom_usr_files(prelink_t) +@@ -86,6 +89,8 @@ files_relabelfrom_usr_files(prelink_t) fs_getattr_xattr_fs(prelink_t) @@ -48672,7 +48709,7 @@ index af55369..13dcbea 100644 selinux_get_enforce_mode(prelink_t) libs_exec_ld_so(prelink_t) -@@ -96,9 +100,16 @@ libs_manage_shared_libs(prelink_t) +@@ -96,9 +101,16 @@ libs_manage_shared_libs(prelink_t) libs_relabel_shared_libs(prelink_t) libs_delete_lib_symlinks(prelink_t) @@ -48691,7 +48728,7 @@ index af55369..13dcbea 100644 optional_policy(` amanda_manage_lib(prelink_t) -@@ -109,6 +120,15 @@ optional_policy(` +@@ -109,6 +121,15 @@ optional_policy(` ') optional_policy(` @@ -48707,7 +48744,7 @@ index af55369..13dcbea 100644 rpm_manage_tmp_files(prelink_t) ') -@@ -129,6 +149,7 @@ optional_policy(` +@@ -129,6 +150,7 @@ optional_policy(` read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) allow prelink_cron_system_t prelink_cache_t:file unlink; @@ -48715,7 +48752,7 @@ index af55369..13dcbea 100644 domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) allow prelink_cron_system_t prelink_t:process noatsecure; -@@ -144,21 +165,38 @@ optional_policy(` +@@ -144,21 +166,38 @@ optional_policy(` corecmd_exec_bin(prelink_cron_system_t) corecmd_exec_shell(prelink_cron_system_t) @@ -64634,10 +64671,10 @@ index 0000000..dd2ac36 + diff --git a/svnserve.te b/svnserve.te new file mode 100644 -index 0000000..f66149f +index 0000000..ba40a17 --- /dev/null +++ b/svnserve.te -@@ -0,0 +1,52 @@ +@@ -0,0 +1,53 @@ +policy_module(svnserve, 1.0.0) + +######################################## 
@@ -64667,6 +64704,7 @@ index 0000000..f66149f +# + +allow svnserve_t self:fifo_file rw_fifo_file_perms; ++allow svnserve_t self:tcp_socket create_stream_socket_perms; +allow svnserve_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t) @@ -68620,7 +68658,7 @@ index 32a3c13..0cbca75 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index 2124b6a..40b350a 100644 +index 2124b6a..e55e393 100644 --- a/virt.fc +++ b/virt.fc @@ -1,6 +1,14 @@ @@ -68640,7 +68678,7 @@ index 2124b6a..40b350a 100644 /etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) /etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) -@@ -12,18 +20,58 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t +@@ -12,18 +20,59 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) @@ -68666,6 +68704,7 @@ index 2124b6a..40b350a 100644 +/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0) ++/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0) /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) @@ -68703,7 +68742,7 @@ index 2124b6a..40b350a 100644 +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 6f0736b..cebdb3e 100644 +index 6f0736b..be0e5a5 100644 --- a/virt.if +++ b/virt.if @@ -13,64 +13,61 @@ 
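Review bot: `++allow svnserve_t self:tcp_socket create_stream_socket_perms;` lets the daemon create and listen on a TCP socket, but binding it to a node and a port still needs the corresponding corenet rules (a generic-node bind and a bind on the port type svnserve uses), which are not in this hunk; if they are not elsewhere in the new svnserve.te either, the "accept a connection" case from the changelog is still denied at bind time. The rest of the file is outside this hunk, so this is a check rather than a defect claim. A short comment `# svnserve listens on its own TCP socket in daemon mode` next to the rule would tie it to the network rules wherever they end up.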
@@ -69120,7 +69159,7 @@ index 6f0736b..cebdb3e 100644 ') ######################################## -@@ -468,18 +647,30 @@ interface(`virt_manage_images',` +@@ -468,18 +647,52 @@ interface(`virt_manage_images',` manage_files_pattern($1, virt_image_type, virt_image_type) read_lnk_files_pattern($1, virt_image_type, virt_image_type) rw_blk_files_pattern($1, virt_image_type, virt_image_type) @@ -69131,6 +69170,33 @@ index 6f0736b..cebdb3e 100644 - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_read_nfs_symlinks($1) +- ') ++####################################### ++## ++## Allow domain to manage virt image files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_manage_default_image_type',` ++ gen_require(` ++ type virt_var_lib_t; ++ type virt_image_t; ++ ') ++ ++ virt_search_lib($1) ++ manage_dirs_pattern($1, virt_image_t, virt_image_t) ++ manage_files_pattern($1, virt_image_t, virt_image_t) ++ read_lnk_files_pattern($1, virt_image_t, virt_image_t) ++') + +- tunable_policy(`virt_use_samba',` +- fs_manage_cifs_files($1) +- fs_manage_cifs_files($1) +- fs_read_cifs_symlinks($1) +######################################## +## +## Execute virt server in the virt domain. @@ -69146,12 +69212,7 @@ index 6f0736b..cebdb3e 100644 + type virtd_unit_file_t; + type virtd_t; ') - -- tunable_policy(`virt_use_samba',` -- fs_manage_cifs_files($1) -- fs_manage_cifs_files($1) -- fs_read_cifs_symlinks($1) -- ') ++ + systemd_exec_systemctl($1) + allow $1 virtd_unit_file_t:file read_file_perms; + allow $1 virtd_unit_file_t:service manage_service_perms; @@ -69160,7 +69221,7 @@ index 6f0736b..cebdb3e 100644 ') ######################################## -@@ -502,10 +693,20 @@ interface(`virt_manage_images',` +@@ -502,10 +715,20 @@ interface(`virt_manage_images',` interface(`virt_admin',` gen_require(` type virtd_t, virtd_initrc_exec_t; 
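Review bot: The new virt_manage_default_image_type requires `type virt_var_lib_t;` but never references it — the directory search is delegated to `virt_search_lib($1)` — so the require block should shrink to `type virt_image_t;`. Its summary `Allow domain to manage virt image files` reads the same as virt_manage_images above it, yet this interface covers only the default virt_image_t type rather than the whole virt_image_type attribute; say so, e.g. `Manage files and directories labeled virt_image_t (the default image type only, not every virt_image_type)`. The interface is complete within the hunk; virt_manage_images, whose tail the hunk cuts through, starts before it.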
@@ -69182,7 +69243,7 @@ index 6f0736b..cebdb3e 100644 init_labeled_script_domtrans($1, virtd_initrc_exec_t) domain_system_change_exemption($1) -@@ -517,4 +718,299 @@ interface(`virt_admin',` +@@ -517,4 +740,299 @@ interface(`virt_admin',` virt_manage_lib_files($1) virt_manage_log($1) @@ -69483,7 +69544,7 @@ index 6f0736b..cebdb3e 100644 + allow svirt_lxc_domain $1:process sigchld; ') diff --git a/virt.te b/virt.te -index 947bbc6..ea2746e 100644 +index 947bbc6..8bca6b2 100644 --- a/virt.te +++ b/virt.te @@ -5,56 +5,94 @@ policy_module(virt, 1.5.0) @@ -70151,7 +70212,7 @@ index 947bbc6..ea2746e 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -449,23 +694,519 @@ files_search_all(virt_domain) +@@ -449,23 +694,521 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -70489,7 +70550,6 @@ index 947bbc6..ea2746e 100644 + +corecmd_exec_all_executables(svirt_lxc_domain) + -+files_read_kernel_modules(svirt_lxc_net_t) +files_dontaudit_getattr_all_dirs(svirt_lxc_domain) +files_dontaudit_getattr_all_files(svirt_lxc_domain) +files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) @@ -70542,7 +70602,7 @@ index 947bbc6..ea2746e 100644 + +allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_admin sys_nice sys_ptrace sys_resource setpcap }; +dontaudit svirt_lxc_net_t self:capability2 block_suspend; -+ ++allow svirt_lxc_net_t self:netlink_socket create_socket_perms; +allow svirt_lxc_net_t self:process setrlimit; + +allow svirt_lxc_net_t self:udp_socket create_socket_perms; @@ -70559,6 +70619,8 @@ index 947bbc6..ea2746e 100644 + +dev_read_sysfs(svirt_lxc_net_t) +dev_getattr_mtrr_dev(svirt_lxc_net_t) ++dev_read_rand(svirt_lxc_net_t) ++dev_read_urand(svirt_lxc_net_t) + +corenet_tcp_bind_generic_node(svirt_lxc_net_t) +corenet_udp_bind_generic_node(svirt_lxc_net_t) 
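Review bot: `++allow svirt_lxc_net_t self:netlink_socket create_socket_perms;` grants the generic netlink class, which is the catch-all for netlink families without a dedicated object class, so the rule alone does not say what the container actually needed; a comment naming the trigger, e.g. `# generic netlink socket: <family or tool seen in the AVC>`, would keep the grant auditable later. The domain already holds net_admin in the capability line just above, so the addition is consistent with the container's privilege level. The dev_read_rand/dev_read_urand hunk that follows is routine, and the files_read_kernel_modules removal in the preceding hunk is only a move to a later hunk.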
@@ -70568,7 +70630,13 @@ index 947bbc6..ea2746e 100644 +corenet_tcp_bind_all_ports(svirt_lxc_net_t) +corenet_tcp_connect_all_ports(svirt_lxc_net_t) + ++files_read_kernel_modules(svirt_lxc_net_t) ++ +fs_noxattr_type(svirt_lxc_file_t) ++fs_mount_cgroup(svirt_lxc_net_t) ++fs_manage_cgroup_dirs(svirt_lxc_net_t) ++fs_manage_cgroup_files(svirt_lxc_net_t) ++ +term_pty(svirt_lxc_file_t) + +auth_use_nsswitch(svirt_lxc_net_t) @@ -70579,11 +70647,6 @@ index 947bbc6..ea2746e 100644 + +userdom_use_inherited_user_ptys(svirt_lxc_net_t) + -+fs_mount_cgroup(svirt_lxc_net_t) -+fs_manage_cgroup_dirs(svirt_lxc_net_t) -+fs_manage_cgroup_files(svirt_lxc_net_t) -+ -+ +####################################### +# +# svirt_prot_exec local policy @@ -71684,7 +71747,7 @@ index 77d41b6..cc73c96 100644 files_search_pids($1) diff --git a/xen.te b/xen.te -index 07033bb..203e2f8 100644 +index 07033bb..08d37ba 100644 --- a/xen.te +++ b/xen.te @@ -4,6 +4,7 @@ policy_module(xen, 1.12.0) @@ -71849,7 +71912,7 @@ index 07033bb..203e2f8 100644 optional_policy(` brctl_domtrans(xend_t) ') -@@ -349,6 +349,27 @@ optional_policy(` +@@ -349,6 +349,28 @@ optional_policy(` consoletype_exec(xend_t) ') @@ -71870,6 +71933,7 @@ index 07033bb..203e2f8 100644 +') + +optional_policy(` ++ virt_manage_default_image_type(xend_t) + virt_search_images(xend_t) + virt_read_config(xend_t) +') @@ -71877,7 +71941,7 @@ index 07033bb..203e2f8 100644 ######################################## # # Xen console local policy -@@ -374,8 +395,6 @@ dev_rw_xen(xenconsoled_t) +@@ -374,8 +396,6 @@ dev_rw_xen(xenconsoled_t) dev_filetrans_xen(xenconsoled_t) dev_rw_sysfs(xenconsoled_t) @@ -71886,7 +71950,7 @@ index 07033bb..203e2f8 100644 files_read_etc_files(xenconsoled_t) files_read_usr_files(xenconsoled_t) -@@ -390,7 +409,6 @@ term_use_console(xenconsoled_t) +@@ -390,7 +410,6 @@ term_use_console(xenconsoled_t) init_use_fds(xenconsoled_t) init_use_script_ptys(xenconsoled_t) 
@@ -71894,7 +71958,7 @@ index 07033bb..203e2f8 100644 xen_manage_log(xenconsoled_t) xen_stream_connect_xenstore(xenconsoled_t) -@@ -413,9 +431,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) +@@ -413,9 +432,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) # pid file @@ -71906,7 +71970,7 @@ index 07033bb..203e2f8 100644 # log files manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -@@ -442,111 +461,24 @@ files_read_etc_files(xenstored_t) +@@ -442,111 +462,24 @@ files_read_etc_files(xenstored_t) files_read_usr_files(xenstored_t) @@ -72020,7 +72084,7 @@ index 07033bb..203e2f8 100644 #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) -@@ -559,8 +491,4 @@ optional_policy(` +@@ -559,8 +492,4 @@ optional_policy(` fs_manage_nfs_files(xend_t) fs_read_nfs_symlinks(xend_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index d28d998..2bcee44 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 51%{?dist} +Release: 52%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -523,6 +523,16 @@ SELinux Reference policy mls base module. %endif %changelog + Thu Nov 8 2012 Miroslav Grepl 3.11.1-52 +- Define usbtty_device_t as a term_tty +- Allow svnserve to accept a connection +- Allow xend manage default virt_image_t type +- Allow prelink_cron_system_t to overide user componant when executing cp +- Add labeling for z-push +- Gnomeclock sets the realtime clock +- Openshift seems to be storing apache logs in /var/lib/openshift/.log/httpd +- Allow lxc domains to use /dev/random and /dev/urandom + * Wed Nov 7 2012 Miroslav Grepl 3.11.1-51 - Add port defintion for tcp/9000 - Fix labeling for /usr/share/cluster/checkquorum to label also checkquorum.wdmd