diff --git a/modules-targeted.conf b/modules-targeted.conf index 2d12a6b..aceefbb 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -2368,3 +2368,10 @@ namespace = module # policy for l2tpd # l2tpd = module + +# Layer: services +# Module: collectd +# +# policy for collectd +# +collectd = module diff --git a/policy-F15.patch b/policy-F15.patch index 651fdc7..a703605 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -5781,7 +5781,7 @@ index 93ac529..aafece7 100644 /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib(64)?/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if -index 9a6d67d..8668188 100644 +index 9a6d67d..45c5566 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -29,6 +29,8 @@ interface(`mozilla_role',` @@ -5840,7 +5840,7 @@ index 9a6d67d..8668188 100644 ## Execmod mozilla home directory content. ## ## -@@ -168,6 +194,77 @@ interface(`mozilla_domtrans',` +@@ -168,6 +194,80 @@ interface(`mozilla_domtrans',` ######################################## ## @@ -5892,6 +5892,9 @@ index 9a6d67d..8668188 100644 + allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms }; + allow $1 mozilla_plugin_t:process { signal sigkill }; + ++ allow mozilla_plugin_t $1:shm rw_shm_perms; ++ allow mozilla_plugin_t $1:sem create_sem_perms; ++ + allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms; +') + @@ -5918,7 +5921,7 @@ index 9a6d67d..8668188 100644 ## Send and receive messages from ## mozilla over dbus. ## -@@ -204,3 +301,57 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -204,3 +304,57 @@ interface(`mozilla_rw_tcp_sockets',` allow $1 mozilla_t:tcp_socket rw_socket_perms; ') @@ -11371,7 +11374,7 @@ index 5a07a43..096bc60 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) 
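Review bot: The added `allow mozilla_plugin_t $1:sem create_sem_perms;` in the mozilla.if hunk lets the plugin domain create, destroy and setattr the caller's semaphores, which is wider than the `rw_shm_perms` granted on shared memory one line above it. If the plugin only needs to use semaphores the caller already set up, `allow mozilla_plugin_t $1:sem rw_sem_perms;` keeps the two IPC grants symmetrical. That need is inferred, so it should be checked against the denials that motivated the change. The enclosing interface starts outside this hunk, so its name and the callers affected are not visible here.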
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 0757523..c0ccec7 100644 +index 0757523..7652d34 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -16,6 +16,7 @@ attribute rpc_port_type; @@ -11521,7 +11524,7 @@ index 0757523..c0ccec7 100644 network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pingd, tcp,9125,s0) +network_port(piranha, tcp,3636,s0) -+network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9444, s0, tcp, 9445, s0) ++network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9446, s0) +network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0) +network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0) +network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443, s0, tcp, 13444, s0, tcp, 13445, s0) @@ -19102,7 +19105,7 @@ index 9e39aa5..0119d45 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if -index 6480167..2d45594 100644 +index 6480167..04f38b8 100644 --- a/policy/modules/services/apache.if +++ b/policy/modules/services/apache.if @@ -13,17 +13,13 @@ @@ -19644,7 +19647,7 @@ index 6480167..2d45594 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1205,14 +1389,43 @@ interface(`apache_admin',` +@@ -1205,14 +1389,61 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) 
@@ -19692,6 +19695,24 @@ index 6480167..2d45594 100644 + dontaudit $1 httpd_t:unix_dgram_socket { read write }; + dontaudit $1 httpd_t:unix_stream_socket { read write }; + dontaudit $1 httpd_tmp_t:file { read write }; ++') ++ ++###################################### ++## ++## Get the attributes of httpd unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`httpd_getattr_stream_socket',` ++ gen_require(` ++ type httpd_t; ++ ') ++ ++ allow $1 httpd_t:unix_stream_socket { getattr ioctl }; ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index 3136c6a..f6d4bab 100644 
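Review bot: The new interface `httpd_getattr_stream_socket` does not follow the `apache_` prefix used by the other interfaces in apache.if (the hunk header shows `apache_admin`), and its summary does not match its rule. The summary says it gets the attributes of the socket, while the rule is `allow $1 httpd_t:unix_stream_socket { getattr ioctl };`. I would rename it to `apache_getattr_stream_socket`, updating the caller added in dirsrv-admin.te in the same commit. Then either drop `ioctl` or change the summary to `Get the attributes of and ioctl httpd unix stream sockets.`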
@@ -23656,6 +23677,252 @@ index 0258b48..3bd47ee 100644 +list_dirs_pattern(cobblerd_t, httpd_cobbler_content_t, httpd_cobbler_content_t) manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) +diff --git a/policy/modules/services/collectd.fc b/policy/modules/services/collectd.fc +new file mode 100644 +index 0000000..9d06a27 +--- /dev/null ++++ b/policy/modules/services/collectd.fc +@@ -0,0 +1,11 @@ ++ ++/etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0) ++ ++/usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0) ++ ++/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0) ++ ++/var/run/collectd\.pid gen_context(system_u:object_r:collectd_var_run_t,s0) ++ ++/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0) ++ +diff --git a/policy/modules/services/collectd.if b/policy/modules/services/collectd.if +new file mode 100644 +index 0000000..ed13d1e +--- /dev/null ++++ b/policy/modules/services/collectd.if +@@ -0,0 +1,157 @@ ++ ++## policy for collectd ++ ++ ++######################################## ++## ++## Transition to collectd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`collectd_domtrans',` ++ gen_require(` ++ type collectd_t, collectd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, collectd_exec_t, collectd_t) ++') ++ ++ ++######################################## ++## ++## Execute collectd server in the collectd domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`collectd_initrc_domtrans',` ++ gen_require(` ++ type collectd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, collectd_initrc_exec_t) ++') ++ ++ ++######################################## ++## ++## Search collectd lib directories. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`collectd_search_lib',` ++ gen_require(` ++ type collectd_var_lib_t; ++ ') ++ ++ allow $1 collectd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read collectd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`collectd_read_lib_files',` ++ gen_require(` ++ type collectd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t) ++') ++ ++######################################## ++## ++## Manage collectd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`collectd_manage_lib_files',` ++ gen_require(` ++ type collectd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t) ++') ++ ++######################################## ++## ++## Manage collectd lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`collectd_manage_lib_dirs',` ++ gen_require(` ++ type collectd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an collectd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`collectd_admin',` ++ gen_require(` ++ type collectd_t; ++ type collectd_initrc_exec_t; ++ type collectd_var_lib_t; ++ ') ++ ++ allow $1 collectd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, collectd_t) ++ ++ collectd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 collectd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_search_var_lib($1) ++ admin_pattern($1, collectd_var_lib_t) ++ ++') ++ +diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te +new file mode 100644 +index 0000000..2dfd363 +--- /dev/null ++++ b/policy/modules/services/collectd.te +@@ -0,0 +1,60 @@ ++policy_module(collectd, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type collectd_t; ++type collectd_exec_t; ++init_daemon_domain(collectd_t, collectd_exec_t) ++ ++permissive collectd_t; ++ ++type collectd_initrc_exec_t; ++init_script_file(collectd_initrc_exec_t) ++ ++type collectd_var_lib_t; ++files_type(collectd_var_lib_t) ++ ++type collectd_var_run_t; ++files_pid_file(collectd_var_run_t) ++ ++######################################## ++# ++# collectd local policy ++# ++allow collectd_t self:process { fork }; ++ ++allow collectd_t self:fifo_file rw_fifo_file_perms; ++allow collectd_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) ++manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) ++files_var_lib_filetrans(collectd_t, collectd_var_lib_t, { dir file }) ++ ++manage_dirs_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) ++manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) ++files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file }) ++ ++domain_use_interactive_fds(collectd_t) ++ ++kernel_read_network_state(collectd_t) ++kernel_read_system_state(collectd_t) ++ ++files_read_etc_files(collectd_t) 
++files_read_usr_files(collectd_t) ++ ++miscfiles_read_localization(collectd_t) ++ ++logging_send_syslog_msg(collectd_t) ++ ++sysnet_dns_name_resolve(collectd_t) ++ ++optional_policy(` ++ apache_content_template(collectd) ++ permissive httpd_collectd_script_t; ++ ++ miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t) ++') ++ diff --git a/policy/modules/services/colord.fc b/policy/modules/services/colord.fc new file mode 100644 index 0000000..0a83e88 @@ -26432,10 +26699,10 @@ index d4424ad..2e09383 100644 ') diff --git a/policy/modules/services/dirsrv-admin.fc b/policy/modules/services/dirsrv-admin.fc new file mode 100644 -index 0000000..2ce40a0 +index 0000000..00a91b0 --- /dev/null +++ b/policy/modules/services/dirsrv-admin.fc -@@ -0,0 +1,11 @@ +@@ -0,0 +1,13 @@ +/etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0) + +/etc/dirsrv/dsgw(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0) @@ -26447,12 +26714,14 @@ index 0000000..2ce40a0 +/usr/lib64/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0) +/usr/lib64/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0) + ++/usr/lib64/dirsrv/cgi-bin/ds_create -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0) ++/usr/lib64/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0) diff --git a/policy/modules/services/dirsrv-admin.if b/policy/modules/services/dirsrv-admin.if new file mode 100644 -index 0000000..60c81d6 +index 0000000..a951202 --- /dev/null +++ b/policy/modules/services/dirsrv-admin.if -@@ -0,0 +1,95 @@ +@@ -0,0 +1,134 @@ +## Administration Server for Directory Server, dirsrv-admin. + +######################################## 
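Review bot: collectd.te declares both new domains permissive (`permissive collectd_t;` and `permissive httpd_collectd_script_t;`), so denials for the daemon and its CGI scripts are logged but not enforced, and the allow rules in the module confine nothing until those lines are removed. A comment next to each, for example `# permissive while the policy is new; remove once denials have been reviewed`, would make the intent and the follow-up explicit. Separately, `collectd_admin` requires and administers only `collectd_var_lib_t`, although the module also defines `collectd_var_run_t`. Adding `type collectd_var_run_t;` to its gen_require, plus `files_search_pids($1)` and `admin_pattern($1, collectd_var_run_t)`, would cover the pid file. Its summary also reads "an collectd environment", which should be "a collectd environment".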
@@ -26530,6 +26799,24 @@ index 0000000..60c81d6 + allow $1 dirsrvadmin_config_t:file manage_file_perms; +') + ++####################################### ++## ++## Read dirsrv-adminserver tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrvadmin_read_tmp',` ++ gen_require(` ++ type dirsrvadmin_tmp_t; ++ ') ++ ++ read_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++') ++ +######################################## +## +## Manage dirsrv-adminserver tmp files. @@ -26548,12 +26835,33 @@ index 0000000..60c81d6 + manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) + manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) +') ++ ++####################################### ++## ++## Execute admin cgi programs in caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrvadmin_domtrans_unconfined_script_t',` ++ gen_require(` ++ type dirsrvadmin_unconfined_script_t; ++ type dirsrvadmin_unconfined_script_exec_t; ++ ') ++ ++ domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t) ++ allow httpd_t dirsrvadmin_unconfined_script_t:process signal_perms; ++ ++') diff --git a/policy/modules/services/dirsrv-admin.te b/policy/modules/services/dirsrv-admin.te new file mode 100644 -index 0000000..5214120 +index 0000000..583bdbe --- /dev/null +++ b/policy/modules/services/dirsrv-admin.te -@@ -0,0 +1,101 @@ +@@ -0,0 +1,133 @@ +policy_module(dirsrv-admin,1.0.0) + +######################################## 
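Review bot: In `dirsrvadmin_domtrans_unconfined_script_t`, the rule `allow httpd_t dirsrvadmin_unconfined_script_t:process signal_perms;` uses `httpd_t` without listing it in `gen_require`, and it hard-codes the source type instead of using the interface argument. As written, every caller re-emits a rule about httpd_t, and the interface depends on the apache module having declared that type. Either write `allow $1 dirsrvadmin_unconfined_script_t:process signal_perms;`, or move the httpd_t rule into dirsrv-admin.te where the apache dependency is handled. The summary says "Execute admin cgi programs in caller domain", but `domtrans_pattern` transitions to `dirsrvadmin_unconfined_script_t`, so it should read `Execute admin cgi programs in the dirsrvadmin unconfined script domain.`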
@@ -26572,13 +26880,19 @@ index 0000000..5214120 +type dirsrvadmin_tmp_t; +files_tmp_file(dirsrvadmin_tmp_t) + ++type dirsrvadmin_unconfined_script_t; ++type dirsrvadmin_unconfined_script_exec_t; ++domain_type(dirsrvadmin_unconfined_script_t) ++domain_entry_file(dirsrvadmin_unconfined_script_t, dirsrvadmin_unconfined_script_exec_t) ++corecmd_shell_entry_type(dirsrvadmin_unconfined_script_t) ++role system_r types dirsrvadmin_unconfined_script_t; ++ +######################################## +# +# Local policy for the daemon +# +allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms; -+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource }; -+allow dirsrvadmin_t self:process setrlimit; ++allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config }; + +manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) +manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) @@ -26593,8 +26907,6 @@ index 0000000..5214120 + +files_exec_etc_files(dirsrvadmin_t) + -+libs_exec_ld_so(dirsrvadmin_t) -+ +logging_search_logs(dirsrvadmin_t) + +miscfiles_read_localization(dirsrvadmin_t) @@ -26602,10 +26914,8 @@ index 0000000..5214120 +# Needed for stop and restart scripts +dirsrv_read_var_run(dirsrvadmin_t) + -+optional_policy(` -+ apache_domtrans(dirsrvadmin_t) -+ apache_signal(dirsrvadmin_t) -+') ++apache_domtrans(dirsrvadmin_t) ++apache_signal(dirsrvadmin_t) + +######################################## +# @@ -26628,8 +26938,7 @@ index 0000000..5214120 + + kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t) + -+ corenet_all_recvfrom_unlabeled(httpd_dirsrvadmin_script_t) -+ corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t) ++ corenet_sendrecv_unlabeled_packets(httpd_dirsrvadmin_script_t) + corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t) + corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t) + corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t) 
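Review bot: `apache_domtrans(dirsrvadmin_t)` and `apache_signal(dirsrvadmin_t)` are now called outside `optional_policy`, which makes the dirsrv-admin module depend unconditionally on the apache module. If that hard dependency is intended, a comment such as `# dirsrv-admin always runs under apache; apache module is required` should say so. Otherwise the ``optional_policy(` ... ')`` wrapper removed in this hunk should stay. The rest of the file continues outside the hunk, so whether other apache interfaces are also called unconditionally cannot be checked from here.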
@@ -26654,6 +26963,37 @@ index 0000000..5214120 + dirsrv_manage_var_run(httpd_dirsrvadmin_script_t) + dirsrv_manage_config(httpd_dirsrvadmin_script_t) + dirsrv_read_share(httpd_dirsrvadmin_script_t) ++ ++ optional_policy(` ++ httpd_getattr_stream_socket(httpd_dirsrvadmin_script_t) ++ ') ++') ++ ++###################################### ++# ++# Local policy for the admin CGIs ++# ++# ++ ++manage_files_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++manage_dirs_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++files_tmp_filetrans(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, { file dir }) ++ ++# needed because of filetrans rules ++dirsrvadmin_run_exec(dirsrvadmin_unconfined_script_t) ++dirsrvadmin_manage_config(dirsrvadmin_unconfined_script_t) ++dirsrv_domtrans(dirsrvadmin_unconfined_script_t) ++dirsrv_signal(dirsrvadmin_unconfined_script_t) ++dirsrv_signull(dirsrvadmin_unconfined_script_t) ++dirsrv_manage_log(dirsrvadmin_unconfined_script_t) ++dirsrv_manage_var_lib(dirsrvadmin_unconfined_script_t) ++dirsrv_pid_filetrans(dirsrvadmin_unconfined_script_t) ++dirsrv_manage_var_run(dirsrvadmin_unconfined_script_t) ++dirsrv_manage_config(dirsrvadmin_unconfined_script_t) ++dirsrv_read_share(dirsrvadmin_unconfined_script_t) ++ ++optional_policy(` ++ unconfined_domain(dirsrvadmin_unconfined_script_t) +') diff --git a/policy/modules/services/dirsrv.fc b/policy/modules/services/dirsrv.fc new file mode 100644 @@ -27182,10 +27522,10 @@ index 9bd812b..c808b31 100644 ') diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te -index fdaeeba..bdbd777 100644 +index fdaeeba..06021d4 100644 --- a/policy/modules/services/dnsmasq.te 
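Review bot: `unconfined_domain(dirsrvadmin_unconfined_script_t)` at the end of this hunk removes confinement from the ds_create and ds_remove CGI programs. Judging by the .fc entries and the httpd_t signal rule elsewhere in this commit, the web server starts those programs, so a flaw in either script would not be contained by policy. The explicit `dirsrv_*` and `dirsrvadmin_*` calls just above already list what the scripts are expected to touch. Because the unconfined call sits in `optional_policy`, the domain is confined to that list when the unconfined module is absent and is unrestricted otherwise. A comment above the block should record why a confined domain was not sufficient, for example `# ds_create/ds_remove: unconfined because <reason>; see <bug reference>`. I would also consider putting the grant behind a boolean so it can be turned off.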
+++ b/policy/modules/services/dnsmasq.te -@@ -48,8 +48,9 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) +@@ -48,11 +48,13 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t) logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file) @@ -27196,7 +27536,11 @@ index fdaeeba..bdbd777 100644 kernel_read_kernel_sysctls(dnsmasq_t) kernel_read_system_state(dnsmasq_t) -@@ -88,6 +89,8 @@ logging_send_syslog_msg(dnsmasq_t) ++kernel_request_load_module(dnsmasq_t) + + corenet_all_recvfrom_unlabeled(dnsmasq_t) + corenet_all_recvfrom_netlabel(dnsmasq_t) +@@ -88,6 +90,8 @@ logging_send_syslog_msg(dnsmasq_t) miscfiles_read_localization(dnsmasq_t) @@ -27205,7 +27549,7 @@ index fdaeeba..bdbd777 100644 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) userdom_dontaudit_search_user_home_dirs(dnsmasq_t) -@@ -96,7 +99,20 @@ optional_policy(` +@@ -96,7 +100,20 @@ optional_policy(` ') optional_policy(` @@ -27226,7 +27570,7 @@ index fdaeeba..bdbd777 100644 ') optional_policy(` -@@ -114,4 +130,5 @@ optional_policy(` +@@ -114,4 +131,5 @@ optional_policy(` optional_policy(` virt_manage_lib_files(dnsmasq_t) virt_read_pid_files(dnsmasq_t) @@ -28144,6 +28488,21 @@ index 6537214..7d64c0a 100644 ps_process_pattern($1, fetchmail_t) files_list_etc($1) +diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te +index 3459d93..c39305a 100644 +--- a/policy/modules/services/fetchmail.te ++++ b/policy/modules/services/fetchmail.te +@@ -88,6 +88,10 @@ userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) + userdom_dontaudit_search_user_home_dirs(fetchmail_t) + + optional_policy(` ++ kerberos_use(fetchmail_t) ++') ++ ++optional_policy(` + procmail_domtrans(fetchmail_t) + ') + diff --git a/policy/modules/services/firewalld.fc b/policy/modules/services/firewalld.fc new file mode 100644 index 0000000..ba9a7a9 
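Review bot: `kernel_request_load_module(dnsmasq_t)` lets a network-facing daemon trigger kernel module autoloading, and the hunk has no comment saying which module dnsmasq asks for. A line above it, such as `# dnsmasq triggers autoload of <module name> (see <bug reference>)`, would let a later reviewer judge whether the grant is still needed. If the request is harmless and the module is always loaded by other means, `kernel_dontaudit_request_load_module(dnsmasq_t)` would silence the denial without granting the permission. Whether that applies here cannot be told from the hunk.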
@@ -31535,7 +31894,7 @@ index 49e04e5..69db026 100644 /usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0) diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te -index 6a78de1..ae8af5b 100644 +index 6a78de1..fc04753 100644 --- a/policy/modules/services/lircd.te +++ b/policy/modules/services/lircd.te @@ -13,7 +13,7 @@ type lircd_initrc_exec_t; @@ -31547,7 +31906,16 @@ index 6a78de1..ae8af5b 100644 type lircd_var_run_t alias lircd_sock_t; files_pid_file(lircd_var_run_t) -@@ -44,13 +44,13 @@ corenet_tcp_bind_lirc_port(lircd_t) +@@ -24,6 +24,8 @@ files_pid_file(lircd_var_run_t) + # + + allow lircd_t self:capability { chown kill sys_admin }; ++allow lircd_t self:process signal; ++ + allow lircd_t self:fifo_file rw_fifo_file_perms; + allow lircd_t self:unix_dgram_socket create_socket_perms; + allow lircd_t self:tcp_socket create_stream_socket_perms; +@@ -44,13 +46,14 @@ corenet_tcp_bind_lirc_port(lircd_t) corenet_tcp_sendrecv_all_ports(lircd_t) corenet_tcp_connect_lirc_port(lircd_t) @@ -31557,6 +31925,7 @@ index 6a78de1..ae8af5b 100644 dev_filetrans_lirc(lircd_t) dev_rw_lirc(lircd_t) dev_rw_input_dev(lircd_t) ++dev_read_sysfs(lircd_t) -files_read_etc_files(lircd_t) +files_read_config_files(lircd_t) @@ -37542,7 +37911,7 @@ index 152af92..1594066 100644 type portreserve_var_run_t; files_pid_file(portreserve_var_run_t) diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc -index 55e62d2..f2674e8 100644 +index 55e62d2..c0e0959 100644 --- a/policy/modules/services/postfix.fc +++ b/policy/modules/services/postfix.fc @@ -1,5 +1,6 @@ 
@@ -37553,7 +37922,7 @@ index 55e62d2..f2674e8 100644 ifdef(`distro_redhat', ` /usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) /usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) -@@ -29,12 +30,10 @@ ifdef(`distro_redhat', ` +@@ -29,7 +30,6 @@ ifdef(`distro_redhat', ` /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) /usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) @@ -37561,12 +37930,7 @@ index 55e62d2..f2674e8 100644 ') /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) - /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0) --/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0) - /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) - /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) - /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -@@ -44,9 +43,10 @@ ifdef(`distro_redhat', ` +@@ -44,9 +44,11 @@ ifdef(`distro_redhat', ` /usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0) /usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0) 
@@ -37576,11 +37940,12 @@ index 55e62d2..f2674e8 100644 -/var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) +/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0) +/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) ++/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if -index 46bee12..fc18bf2 100644 +index 46bee12..c22af86 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -34,8 +34,9 @@ template(`postfix_domain_template',` @@ -37639,17 +38004,36 @@ index 46bee12..fc18bf2 100644 ') ######################################## -@@ -290,7 +295,8 @@ interface(`postfix_read_master_state',` +@@ -290,7 +295,27 @@ interface(`postfix_read_master_state',` type postfix_master_t; ') - read_files_pattern($1, postfix_master_t, postfix_master_t) + kernel_search_proc($1) + ps_process_pattern($1, postfix_master_t) ++') ++ ++######################################## ++## ++## Use postfix master process file ++## file descriptors. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`postfix_use_fds_master',` ++ gen_require(` ++ type postfix_master_t; ++ ') ++ ++ allow $1 postfix_master_t:fd use; ') ######################################## -@@ -376,6 +382,25 @@ interface(`postfix_domtrans_master',` +@@ -376,6 +401,25 @@ interface(`postfix_domtrans_master',` domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) ') 
@@ -37675,7 +38059,7 @@ index 46bee12..fc18bf2 100644 ######################################## ## ## Execute the master postfix program in the -@@ -404,7 +429,6 @@ interface(`postfix_exec_master',` +@@ -404,7 +448,6 @@ interface(`postfix_exec_master',` ## Domain allowed access. ## ## @@ -37683,7 +38067,7 @@ index 46bee12..fc18bf2 100644 # interface(`postfix_stream_connect_master',` gen_require(` -@@ -416,6 +440,24 @@ interface(`postfix_stream_connect_master',` +@@ -416,6 +459,24 @@ interface(`postfix_stream_connect_master',` ######################################## ## @@ -37708,7 +38092,7 @@ index 46bee12..fc18bf2 100644 ## Execute the master postdrop in the ## postfix_postdrop domain. ## -@@ -462,7 +504,7 @@ interface(`postfix_domtrans_postqueue',` +@@ -462,7 +523,7 @@ interface(`postfix_domtrans_postqueue',` ## ## # @@ -37717,7 +38101,7 @@ index 46bee12..fc18bf2 100644 gen_require(` type postfix_postqueue_exec_t; ') -@@ -529,6 +571,25 @@ interface(`postfix_domtrans_smtp',` +@@ -529,6 +590,25 @@ interface(`postfix_domtrans_smtp',` ######################################## ## @@ -37743,7 +38127,7 @@ index 46bee12..fc18bf2 100644 ## Search postfix mail spool directories. ## ## -@@ -539,10 +600,10 @@ interface(`postfix_domtrans_smtp',` +@@ -539,10 +619,10 @@ interface(`postfix_domtrans_smtp',` # interface(`postfix_search_spool',` gen_require(` @@ -37756,7 +38140,7 @@ index 46bee12..fc18bf2 100644 files_search_spool($1) ') -@@ -558,10 +619,10 @@ interface(`postfix_search_spool',` +@@ -558,10 +638,10 @@ interface(`postfix_search_spool',` # interface(`postfix_list_spool',` gen_require(` @@ -37769,7 +38153,7 @@ index 46bee12..fc18bf2 100644 files_search_spool($1) ') -@@ -577,11 +638,11 @@ interface(`postfix_list_spool',` +@@ -577,11 +657,11 @@ interface(`postfix_list_spool',` # interface(`postfix_read_spool_files',` gen_require(` 
@@ -37783,7 +38167,7 @@ index 46bee12..fc18bf2 100644 ') ######################################## -@@ -596,11 +657,11 @@ interface(`postfix_read_spool_files',` +@@ -596,11 +676,11 @@ interface(`postfix_read_spool_files',` # interface(`postfix_manage_spool_files',` gen_require(` @@ -37797,7 +38181,7 @@ index 46bee12..fc18bf2 100644 ') ######################################## -@@ -621,3 +682,108 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -621,3 +701,103 @@ interface(`postfix_domtrans_user_mail_handler',` typeattribute $1 postfix_user_domtrans; ') @@ -37900,17 +38284,17 @@ index 46bee12..fc18bf2 100644 + + postfix_domtrans_postdrop($1) + role $2 types postfix_postdrop_t; -+ -+ ifdef(`hide_broken_symptoms', ` -+ dontaudit postfix_postdrop_t $1:socket_class_set { getattr read write }; -+ ') -+ +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index 06e37d4..b4d7354 100644 +index 06e37d4..c28b1b3 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te -@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0) +@@ -1,10 +1,18 @@ +-policy_module(postfix, 1.12.0) ++policy_module(postfix, 1.12.1) + + ######################################## + # # Declarations # 
@@ -38018,16 +38402,18 @@ index 06e37d4..b4d7354 100644 corenet_tcp_bind_generic_node(postfix_master_t) corenet_tcp_bind_amavisd_send_port(postfix_master_t) corenet_tcp_bind_smtp_port(postfix_master_t) -@@ -167,6 +184,8 @@ corecmd_exec_bin(postfix_master_t) +@@ -167,6 +184,10 @@ corecmd_exec_bin(postfix_master_t) domain_use_interactive_fds(postfix_master_t) files_read_usr_files(postfix_master_t) +files_search_var_lib(postfix_master_t) +files_search_tmp(postfix_master_t) ++ ++mcs_file_read_all(postfix_master_t) term_dontaudit_search_ptys(postfix_master_t) -@@ -220,13 +239,17 @@ allow postfix_bounce_t self:capability dac_read_search; +@@ -220,7 +241,7 @@ allow postfix_bounce_t self:capability dac_read_search; allow postfix_bounce_t self:tcp_socket create_socket_perms; allow postfix_bounce_t postfix_public_t:sock_file write; 
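Review bot: `mcs_file_read_all(postfix_master_t)` exempts the postfix master from MCS category checks on file reads. Later hunks in postfix.te add `mcs_file_read_all` and `mcs_file_write_all` for postfix_pickup_t and postfix_postdrop_t, and `mcs_file_read_all` for postfix_showq_t, all without a comment. These calls override category separation for every file the domains can already reach by type, which matters most for postdrop and pickup because they handle content submitted by users. Each call should carry a comment stating the case it fixes, for example `# queue files are created by users running with MCS categories: <bug reference>`. That purpose is inferred and should be confirmed. The write exemption should be dropped wherever only reads were denied.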
@@ -38036,17 +38422,18 @@ index 06e37d4..b4d7354 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) - manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) - files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir) +@@ -249,6 +270,10 @@ manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) + manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) + files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir) -+manage_files_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -+manage_dirs_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -+allow postfix_bounce_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; ++allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms; ++allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms; ++allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; + - manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) - manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) - manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) -@@ -264,8 +287,8 @@ optional_policy(` + allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms; + + corecmd_exec_bin(postfix_cleanup_t) +@@ -264,8 +289,8 @@ optional_policy(` # Postfix local local policy # 
@@ -38056,7 +38443,7 @@ index 06e37d4..b4d7354 100644 # connect to master process stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) -@@ -273,6 +296,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post +@@ -273,6 +298,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post # for .forward - maybe we need a new type for it? rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) @@ -38065,7 +38452,7 @@ index 06e37d4..b4d7354 100644 allow postfix_local_t postfix_spool_t:file rw_file_perms; corecmd_exec_shell(postfix_local_t) -@@ -286,10 +311,15 @@ mta_read_aliases(postfix_local_t) +@@ -286,10 +313,15 @@ mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin mta_read_config(postfix_local_t) @@ -38084,7 +38471,7 @@ index 06e37d4..b4d7354 100644 optional_policy(` clamav_search_lib(postfix_local_t) -@@ -304,9 +334,22 @@ optional_policy(` +@@ -304,9 +336,22 @@ optional_policy(` ') optional_policy(` @@ -38100,14 +38487,14 @@ index 06e37d4..b4d7354 100644 +') + +optional_policy(` -+ zarafa_deliver_domtrans(postfix_local_t) ++ zarafa_domtrans_deliver(postfix_local_t) + zarafa_stream_connect_server(postfix_local_t) +') + ######################################## # # Postfix map local policy -@@ -372,6 +415,7 @@ optional_policy(` +@@ -372,6 +417,7 @@ optional_policy(` # Postfix pickup local policy # 
@@ -38115,18 +38502,25 @@ index 06e37d4..b4d7354 100644 allow postfix_pickup_t self:tcp_socket create_socket_perms; stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) -@@ -381,6 +425,10 @@ rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) - - postfix_list_spool(postfix_pickup_t) +@@ -379,19 +425,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p + rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) + rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) +allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; +read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) +delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) + + postfix_list_spool(postfix_pickup_t) + allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -@@ -390,8 +438,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m + ++mcs_file_read_all(postfix_pickup_t) ++mcs_file_write_all(postfix_pickup_t) ++ + ######################################## + # # Postfix pipe local policy # @@ -38136,7 +38530,7 @@ index 06e37d4..b4d7354 100644 write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -401,6 +449,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +@@ -401,6 +454,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) 
@@ -38145,7 +38539,7 @@ index 06e37d4..b4d7354 100644 optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +470,7 @@ optional_policy(` +@@ -420,6 +475,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) @@ -38153,7 +38547,7 @@ index 06e37d4..b4d7354 100644 ') optional_policy(` -@@ -436,6 +487,9 @@ allow postfix_postdrop_t self:capability sys_resource; +@@ -436,11 +492,17 @@ allow postfix_postdrop_t self:capability sys_resource; allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:udp_socket create_socket_perms; @@ -38163,7 +38557,15 @@ index 06e37d4..b4d7354 100644 rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) postfix_list_spool(postfix_postdrop_t) -@@ -507,6 +561,8 @@ optional_policy(` + manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + ++mcs_file_read_all(postfix_postdrop_t) ++mcs_file_write_all(postfix_postdrop_t) ++ + corenet_udp_sendrecv_generic_if(postfix_postdrop_t) + corenet_udp_sendrecv_generic_node(postfix_postdrop_t) + +@@ -507,6 +569,8 @@ optional_policy(` # Postfix qmgr local policy # @@ -38172,7 +38574,7 @@ index 06e37d4..b4d7354 100644 stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) -@@ -519,7 +575,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +583,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; 
@@ -38185,16 +38587,18 @@ index 06e37d4..b4d7354 100644 corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +599,7 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +607,9 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; -allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read }; +allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; ++ ++mcs_file_read_all(postfix_showq_t) # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -588,10 +648,16 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -588,10 +658,16 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -38211,18 +38615,7 @@ index 06e37d4..b4d7354 100644 ') optional_policy(` -@@ -599,6 +665,10 @@ optional_policy(` - ') - - optional_policy(` -+ mysql_stream_connect(postfix_smtpd_t) -+') -+ -+optional_policy(` - postgrey_stream_connect(postfix_smtpd_t) - ') - -@@ -611,8 +681,8 @@ optional_policy(` +@@ -611,8 +687,8 @@ optional_policy(` # Postfix virtual local policy # @@ -38232,7 +38625,7 @@ index 06e37d4..b4d7354 100644 allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +700,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +706,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -43235,9 +43628,18 @@ index adea9f9..d5b2d93 100644 init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te -index 606a098..7cff55a 100644 +index 606a098..13ffcc1 100644 --- a/policy/modules/services/smartmon.te 
+++ b/policy/modules/services/smartmon.te +@@ -35,7 +35,7 @@ ifdef(`enable_mls',` + # Local policy + # + +-allow fsdaemon_t self:capability { setpcap setgid sys_rawio sys_admin }; ++allow fsdaemon_t self:capability { kill setpcap setgid sys_rawio sys_admin }; + dontaudit fsdaemon_t self:capability sys_tty_config; + allow fsdaemon_t self:process { getcap setcap signal_perms }; + allow fsdaemon_t self:fifo_file rw_fifo_file_perms; @@ -73,19 +73,26 @@ files_read_etc_runtime_files(fsdaemon_t) files_read_usr_files(fsdaemon_t) # for config @@ -47569,7 +47971,7 @@ index 6f1e3c7..ecfe665 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 130ced9..33c8170 100644 +index 130ced9..dc521f4 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -47817,7 +48219,7 @@ index 130ced9..33c8170 100644 dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. -@@ -472,20 +509,25 @@ template(`xserver_user_x_domain_template',` +@@ -472,20 +509,26 @@ template(`xserver_user_x_domain_template',` # for .xsession-errors userdom_dontaudit_write_user_home_content_files($2) @@ -47827,6 +48229,7 @@ index 130ced9..33c8170 100644 xserver_read_xdm_tmp_files($2) + xserver_read_xdm_pid($2) ++ xserver_xdm_append_log($2) # X object manager xserver_object_types_template($1) @@ -47845,7 +48248,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -517,6 +559,7 @@ interface(`xserver_use_user_fonts',` +@@ -517,6 +560,7 @@ interface(`xserver_use_user_fonts',` # Read per user fonts allow $1 user_fonts_t:dir list_dir_perms; allow $1 user_fonts_t:file read_file_perms; 
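Review bot: Adding `kill` to `allow fsdaemon_t self:capability { kill setpcap setgid sys_rawio sys_admin };` in smartmon.te lets the daemon bypass the ownership check when sending signals, and nothing in the hunk says which signal delivery needed it. The only process rule visible next to it is `allow fsdaemon_t self:process { getcap setcap signal_perms };`, so the capability looks broader than what the domain is otherwise allowed to signal. A comment such as `# CAP_KILL needed for <what smartd signals> (bug <BUG-ID>)` would make the grant auditable. If the denial was harmless, `dontaudit fsdaemon_t self:capability kill;` next to the existing `sys_tty_config` dontaudit would be the narrower choice.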
@@ -47853,7 +48256,7 @@ index 130ced9..33c8170 100644 # Manipulate the global font cache manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) -@@ -545,6 +588,28 @@ interface(`xserver_domtrans_xauth',` +@@ -545,6 +589,28 @@ interface(`xserver_domtrans_xauth',` ') domtrans_pattern($1, xauth_exec_t, xauth_t) @@ -47882,7 +48285,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -598,6 +663,7 @@ interface(`xserver_read_user_xauth',` +@@ -598,6 +664,7 @@ interface(`xserver_read_user_xauth',` allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -47890,7 +48293,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -615,7 +681,7 @@ interface(`xserver_setattr_console_pipes',` +@@ -615,7 +682,7 @@ interface(`xserver_setattr_console_pipes',` type xconsole_device_t; ') @@ -47899,7 +48302,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -651,7 +717,7 @@ interface(`xserver_use_xdm_fds',` +@@ -651,7 +718,7 @@ interface(`xserver_use_xdm_fds',` type xdm_t; ') @@ -47908,7 +48311,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -670,7 +736,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` +@@ -670,7 +737,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` type xdm_t; ') @@ -47917,7 +48320,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -688,7 +754,7 @@ interface(`xserver_rw_xdm_pipes',` +@@ -688,7 +755,7 @@ interface(`xserver_rw_xdm_pipes',` type xdm_t; ') @@ -47926,7 +48329,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -703,12 +769,11 @@ interface(`xserver_rw_xdm_pipes',` +@@ -703,12 +770,11 @@ interface(`xserver_rw_xdm_pipes',` ## # interface(`xserver_dontaudit_rw_xdm_pipes',` 
@@ -47940,7 +48343,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -724,11 +789,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` +@@ -724,11 +790,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` # interface(`xserver_stream_connect_xdm',` gen_require(` @@ -47974,7 +48377,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -765,7 +850,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` +@@ -765,7 +851,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` type xdm_tmp_t; ') @@ -47983,7 +48386,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -805,7 +890,26 @@ interface(`xserver_read_xdm_pid',` +@@ -805,7 +891,26 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -48011,7 +48414,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -897,7 +1001,7 @@ interface(`xserver_getattr_log',` +@@ -897,7 +1002,7 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) @@ -48020,7 +48423,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -916,7 +1020,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -916,7 +1021,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -48029,7 +48432,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -963,6 +1067,45 @@ interface(`xserver_read_xkb_libs',` +@@ -963,6 +1068,45 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -48075,7 +48478,7 @@ index 130ced9..33c8170 100644 ## Read xdm temporary files. ## ## -@@ -976,7 +1119,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -976,7 +1120,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') 
@@ -48084,7 +48487,7 @@ index 130ced9..33c8170 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1038,6 +1181,42 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1038,6 +1182,42 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## @@ -48127,7 +48530,7 @@ index 130ced9..33c8170 100644 ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## -@@ -1052,7 +1231,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1052,7 +1232,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -48136,7 +48539,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -1070,8 +1249,10 @@ interface(`xserver_domtrans',` +@@ -1070,8 +1250,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') @@ -48148,7 +48551,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -1185,6 +1366,26 @@ interface(`xserver_stream_connect',` +@@ -1185,6 +1367,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -48175,7 +48578,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -1210,7 +1411,7 @@ interface(`xserver_read_tmp_files',` +@@ -1210,7 +1412,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -48184,7 +48587,7 @@ index 130ced9..33c8170 100644 ## ## ## -@@ -1220,13 +1421,23 @@ interface(`xserver_read_tmp_files',` +@@ -1220,13 +1422,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` 
@@ -48209,7 +48612,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -1243,10 +1454,392 @@ interface(`xserver_manage_core_devices',` +@@ -1243,10 +1455,392 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -49809,50 +50212,44 @@ index c26ecf5..ad41551 100644 optional_policy(` diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc new file mode 100644 -index 0000000..ac33ce2 +index 0000000..2ad2488 --- /dev/null 
+++ b/policy/modules/services/zarafa.fc -@@ -0,0 +1,33 @@ -+ +@@ -0,0 +1,27 @@ +/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0) + -+/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0) -+ -+/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0) -+ -+/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0) -+ -+/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0) ++/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0) ++/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0) ++/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0) ++/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0) ++/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0) ++/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0) ++/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0) + -+/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0) ++/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) ++/var/lib/zarafa-webaccess(/.*)? 
gen_context(system_u:object_r:zarafa_var_lib_t,s0) + -+/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0) -+ -+/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0) -+ -+/var/lib/zarafa.* gen_context(system_u:object_r:zarafa_var_lib_t,s0) -+ -+/var/log/zarafa/server\.log -- gen_context(system_u:object_r:zarafa_server_log_t,s0) -+/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) +/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) +/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) +/var/log/zarafa/indexer\.log -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0) +/var/log/zarafa/monitor\.log -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0) ++/var/log/zarafa/server\.log -- gen_context(system_u:object_r:zarafa_server_log_t,s0) ++/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) + -+/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0) ++/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0) +/var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0) -+/var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0) -+/var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0) -+/var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0) -+/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0) -+/var/run/zarafa-indexer.* gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) ++/var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0) ++/var/run/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) ++/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0) 
++/var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0) ++/var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0) diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if new file mode 100644 -index 0000000..7ee5092 +index 0000000..3e448dd --- /dev/null +++ b/policy/modules/services/zarafa.if -@@ -0,0 +1,141 @@ -+## policy for zarafa services +@@ -0,0 +1,143 @@ ++## Zarafa collaboration platform. + +###################################### +## @@ -49894,26 +50291,30 @@ index 0000000..7ee5092 + manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) + files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file }) + -+ manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t,zarafa_$1_log_t) -+ logging_log_filetrans(zarafa_$1_t,zarafa_$1_log_t,{ file }) ++ manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) ++ logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file }) ++ ++ auth_use_nsswitch(zarafa_$1_t) +') + -+######################################## ++###################################### +## -+## Execute a domain transition to run zarafa_server. ++## Allow the specified domain to search ++## zarafa configuration dirs. +## +## +## -+## Domain allowed to transition. ++## Domain allowed access. +## +## +# -+interface(`zarafa_server_domtrans',` ++interface(`zarafa_search_config',` + gen_require(` -+ type zarafa_server_t, zarafa_server_exec_t; ++ type zarafa_etc_t; + ') + -+ domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t) ++ files_search_etc($1) ++ allow $1 zarafa_etc_t:dir search_dir_perms; +') + +######################################## @@ -49926,7 +50327,7 @@ index 0000000..7ee5092 +## +## +# -+interface(`zarafa_deliver_domtrans',` ++interface(`zarafa_domtrans_deliver',` + gen_require(` + type zarafa_deliver_t, zarafa_deliver_exec_t; + ') 
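Review bot: The new zarafa.fc entry for `/var/run/zarafa-indexer` uses the `--` class specifier, which matches regular files only, whereas the `/var/run/zarafa-indexer.*` pattern it replaces matched any object class. zarafa.te has zarafa_server_t connect to the indexer through a socket labelled zarafa_indexer_var_run_t, so if that path is the indexer's socket a relabel would no longer restore its type. Using `-s` as on the `/var/run/zarafa` entry, or separate pid and socket entries, would cover it. Likewise `/var/lib/zarafa(/.*)?` plus `/var/lib/zarafa-webaccess(/.*)?` no longer label other `/var/lib/zarafa*` paths that the old `/var/lib/zarafa.*` caught; that is probably intended but worth confirming.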
@@ -49934,46 +50335,44 @@ index 0000000..7ee5092 + domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t) +') + -+####################################### ++######################################## +## -+## Connect to zarafa-server unix domain stream socket. ++## Execute a domain transition to run zarafa_server. +## +## +## -+## Domain allowed access. ++## Domain allowed to transition. +## +## +# -+interface(`zarafa_stream_connect_server',` ++interface(`zarafa_domtrans_server',` + gen_require(` -+ type zarafa_server_t, zarafa_server_var_run_t; ++ type zarafa_server_t, zarafa_server_exec_t; + ') + -+ files_search_var_lib($1) -+ stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) ++ domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t) +') + -+###################################### ++####################################### +## -+## Allow the specified domain to search -+## zarafa configuration dirs. ++## Connect to zarafa-server unix domain stream socket. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`zarafa_search_config',` -+ gen_require(` -+ type zarafa_etc_t; -+ ') ++interface(`zarafa_stream_connect_server',` ++ gen_require(` ++ type zarafa_server_t, zarafa_server_var_run_t; ++ ') + -+ files_search_etc($1) -+ allow $1 zarafa_etc_t:dir search_dir_perms; ++ files_search_var_lib($1) ++ stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) +') + -+##################################### ++#################################### +## +## Allow the specified domain to manage +## zarafa /var/lib files. 
@@ -49988,17 +50387,17 @@ index 0000000..7ee5092 + gen_require(` + type zarafa_var_lib_t; + ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) -+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) ++ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) +') diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te new file mode 100644 -index 0000000..0b1d997 +index 0000000..a59cfc2 --- /dev/null +++ b/policy/modules/services/zarafa.te -@@ -0,0 +1,153 @@ +@@ -0,0 +1,209 @@ +policy_module(zarafa, 1.0.0) + +######################################## 
@@ -50008,39 +50407,69 @@ index 0000000..0b1d997 + +attribute zarafa_domain; + -+zarafa_domain_template(monitor) -+zarafa_domain_template(indexer) -+zarafa_domain_template(ical) -+zarafa_domain_template(server) -+zarafa_domain_template(spooler) -+zarafa_domain_template(gateway) +zarafa_domain_template(deliver) + +type zarafa_deliver_tmp_t; +files_tmp_file(zarafa_deliver_tmp_t) + ++type zarafa_etc_t; ++files_config_file(zarafa_etc_t) ++ ++zarafa_domain_template(gateway) ++zarafa_domain_template(ical) ++zarafa_domain_template(indexer) ++ +type zarafa_indexer_tmp_t; +files_tmp_file(zarafa_indexer_tmp_t) + ++zarafa_domain_template(monitor) ++zarafa_domain_template(server) ++ +type zarafa_server_tmp_t; +files_tmp_file(zarafa_server_tmp_t) + ++type zarafa_share_t; ++files_type(zarafa_share_t) ++ ++zarafa_domain_template(spooler) ++ +type zarafa_var_lib_t; +files_tmp_file(zarafa_var_lib_t) + -+type zarafa_etc_t; -+files_config_file(zarafa_etc_t) ++permissive zarafa_indexer_t; + -+type zarafa_share_t; -+files_type(zarafa_share_t) ++######################################## ++# ++# zarafa-deliver local policy ++# + -+permissive zarafa_indexer_t; ++manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) ++manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) ++files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir }) + -+####################################### ++######################################## ++# ++# zarafa_gateway local policy ++# ++ ++allow zarafa_gateway_t self:capability { chown kill }; ++allow zarafa_gateway_t self:process setrlimit; ++ ++corenet_all_recvfrom_unlabeled(zarafa_gateway_t) ++corenet_all_recvfrom_netlabel(zarafa_gateway_t) ++corenet_tcp_sendrecv_generic_if(zarafa_gateway_t) ++corenet_tcp_sendrecv_generic_node(zarafa_gateway_t) ++corenet_tcp_sendrecv_all_ports(zarafa_gateway_t) ++corenet_tcp_bind_generic_node(zarafa_gateway_t) ++corenet_tcp_bind_pop_port(zarafa_gateway_t) ++ 
++###################################### +# +# zarafa-indexer local policy +# + ++allow zarafa_indexer_t self:capability chown; ++ +manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t) +manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t) +files_tmp_filetrans(zarafa_indexer_t, zarafa_indexer_tmp_t, { file dir }) @@ -50048,15 +50477,27 @@ index 0000000..0b1d997 +manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) +manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) + -+######################################## ++####################################### +# -+# zarafa-deliver local policy ++# zarafa-ical local policy +# + -+manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) -+manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) -+files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir }) ++allow zarafa_ical_t self:capability chown; + ++corenet_all_recvfrom_unlabeled(zarafa_ical_t) ++corenet_all_recvfrom_netlabel(zarafa_ical_t) ++corenet_tcp_sendrecv_generic_if(zarafa_ical_t) ++corenet_tcp_sendrecv_generic_node(zarafa_ical_t) ++corenet_tcp_sendrecv_all_ports(zarafa_ical_t) ++corenet_tcp_bind_generic_node(zarafa_ical_t) ++corenet_tcp_bind_http_cache_port(zarafa_ical_t) ++ ++###################################### ++# ++# zarafa-monitor local policy ++# ++ ++allow zarafa_monitor_t self:capability chown; + +######################################## +# 
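Review bot: `files_tmp_file(zarafa_var_lib_t)` in the declarations block marks the /var/lib/zarafa type as a temporary-file type, so any domain granted access to all tmp files would also reach the data stored there. This hunk reorders the declarations but keeps that line. `files_type(zarafa_var_lib_t)`, as already used for zarafa_share_t, looks like the intended declaration. The block also keeps `permissive zarafa_indexer_t;`, which leaves the indexer unenforced, so the added `allow zarafa_indexer_t self:capability chown;` has no restricting effect until that line is dropped. A comment saying when the permissive statement will be removed would help.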
@@ -50072,9 +50513,16 @@ index 0000000..0b1d997 + +manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) +manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) ++files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir }) + +stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t) + ++corenet_all_recvfrom_unlabeled(zarafa_server_t) ++corenet_all_recvfrom_netlabel(zarafa_server_t) ++corenet_tcp_sendrecv_generic_if(zarafa_server_t) ++corenet_tcp_sendrecv_generic_node(zarafa_server_t) ++corenet_tcp_sendrecv_all_ports(zarafa_server_t) ++corenet_tcp_bind_generic_node(zarafa_server_t) +corenet_tcp_bind_zarafa_port(zarafa_server_t) + +files_read_usr_files(zarafa_server_t) @@ -50085,11 +50533,11 @@ index 0000000..0b1d997 +sysnet_dns_name_resolve(zarafa_server_t) + +optional_policy(` -+ mysql_stream_connect(zarafa_server_t) ++ kerberos_use(zarafa_server_t) +') + +optional_policy(` -+ kerberos_use(zarafa_server_t) ++ mysql_stream_connect(zarafa_server_t) +') + +######################################## @@ -50101,8 +50549,15 @@ index 0000000..0b1d997 + +can_exec(zarafa_spooler_t, zarafa_spooler_exec_t) + ++corenet_all_recvfrom_unlabeled(zarafa_spooler_t) ++corenet_all_recvfrom_netlabel(zarafa_spooler_t) ++corenet_tcp_sendrecv_generic_if(zarafa_spooler_t) ++corenet_tcp_sendrecv_generic_node(zarafa_spooler_t) ++corenet_tcp_sendrecv_all_ports(zarafa_spooler_t) +corenet_tcp_connect_smtp_port(zarafa_spooler_t) + ++dev_read_rand(zarafa_spooler_t) ++ +######################################## +# +# zarafa_gateway local policy @@ -50111,6 +50566,8 @@ index 0000000..0b1d997 +allow zarafa_gateway_t self:capability { chown kill }; +allow zarafa_gateway_t self:process setrlimit; + ++dev_read_rand(zarafa_gateway_t) ++ +corenet_tcp_bind_pop_port(zarafa_gateway_t) + +####################################### 
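Review bot: The `zarafa_gateway local policy` section now appears twice in zarafa.te. An earlier hunk inserts a full copy after the deliver section, while this hunk keeps the original block and adds `dev_read_rand(zarafa_gateway_t)` to it. Both copies contain `allow zarafa_gateway_t self:capability { chown kill };`, `allow zarafa_gateway_t self:process setrlimit;` and `corenet_tcp_bind_pop_port(zarafa_gateway_t)`. Keeping a single block, with `dev_read_rand(zarafa_gateway_t)` moved into it, would leave one place to audit what the gateway domain may do. The section continues past the end of the hunk.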
@@ -50149,8 +50606,6 @@ index 0000000..0b1d997 + +files_read_etc_files(zarafa_domain) + -+auth_use_nsswitch(zarafa_domain) -+ +miscfiles_read_localization(zarafa_domain) diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if index 6b87605..347f754 100644 @@ -56986,7 +57441,7 @@ index ff80d0a..7f1a21c 100644 + role_transition $1 dhcpc_exec_t system_r; +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index df32316..773c572 100644 +index df32316..0f71f92 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.1) @@ -57155,7 +57610,7 @@ index df32316..773c572 100644 +') +optional_policy(` + systemd_passwd_agent_domtrans(dhcpc_t) -+ systemd_exec_systemctl(dhcpc_t) ++ systemd_signal_passwd_agent(dhcpc_t) ') optional_policy(` @@ -57264,10 +57719,10 @@ index 0000000..c7476cb + diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..4dfe28c +index 0000000..de940a5 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,246 @@ +@@ -0,0 +1,263 @@ +## SELinux policy for systemd components + +####################################### @@ -57483,6 +57938,23 @@ index 0000000..4dfe28c + allow $2 systemd_passwd_agent_t:process signal; +') + ++######################################## ++## ++## Send generic signals to systemd_passwd_agent processes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_signal_passwd_agent',` ++ gen_require(` ++ type systemd_passwd_agent_t; ++ ') ++ ++ allow $1 systemd_passwd_agent_t:process signal; ++') + +###################################### +## diff --git a/selinux-policy.spec b/selinux-policy.spec index 458b848..df9f83b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 36%{?dist} +Release: 37%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,10 @@ exit 0 %endif %changelog +* Fri Aug 5 2011 Miroslav Grepl 3.9.16-37 +- Fixes for zarafa, postfix policy +- Backport collect policy + * Wed Jul 27 2011 Miroslav Grepl 3.9.16-36 - Backport ABRT changes - Make tmux working with scree policy