From 9855c65aebf051e8351d4b6d2d0a4a885391cc56 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Apr 18 2014 09:47:35 +0000 Subject: * Fri Apr 18 2014 Lukas Vrabec 3.12.1-156 - Allow init_t to setattr/relabelfrom dhcp state files - Dontaudit antivirus domains read access on all security files by default - Add missing alias for old amavis_etc_t type - Allow block_suspend cap for haproxy - Additional fixes for instack overcloud - Allow OpenStack to read mysqld_db links and connect to MySQL - Remove dup filename rules in gnome.te - Allow sys_chroot cap for httpd_t and setattr on httpd_log_t - Allow iscsid to handle own unit files - Add iscsi_systemctl() - Allow mongod to create also sock_files in /run with correct labeling --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index f0ed2b3..0e82369 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -31438,7 +31438,7 @@ index 24e7804..2863546 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..c983546 100644 +index dd3be8d..6d72189 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -31700,7 +31700,7 @@ index dd3be8d..c983546 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +300,226 @@ ifdef(`distro_gentoo',` +@@ -186,29 +300,231 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -31895,6 +31895,11 @@ index dd3be8d..c983546 100644 + optional_policy(` + rpc_manage_nfs_state_data(init_t) + ') ++ ++ optional_policy(` ++ sysnet_relabelfrom_dhcpc_state(init_t) ++ sysnet_setattr_dhcp_state(init_t) ++ ') +') + +optional_policy(` @@ -31935,7 +31940,7 @@ index dd3be8d..c983546 100644 ') optional_policy(` -@@ -216,7 +527,30 @@ optional_policy(` +@@ -216,7 +532,30 @@ optional_policy(` ') optional_policy(` 
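Review bot: The new `optional_policy` block in the `distro_redhat` section grants init_t `relabelfrom` on DHCP client state files without a comment saying what on a Red Hat boot relabels them, and `relabelfrom` only covers the source half of a relabel — whatever type the files end up as needs a matching `relabelto` that is not in this hunk, so confirm it exists elsewhere. The two interface names also disagree (`sysnet_relabelfrom_dhcpc_state` vs `sysnet_setattr_dhcp_state`) although both presumably act on the same `dhcp_state_t` files, which makes the pair hard to find later. A one-line comment above the block such as `# systemd fixes up labels/ownership of stale DHCP lease files under /var/lib at boot` would record the rationale. The enclosing `ifdef(`distro_redhat',` block begins before this hunk.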
@@ -31966,7 +31971,7 @@ index dd3be8d..c983546 100644 ') ######################################## -@@ -225,8 +559,9 @@ optional_policy(` +@@ -225,8 +564,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -31978,7 +31983,7 @@ index dd3be8d..c983546 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +592,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +597,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -31995,7 +32000,7 @@ index dd3be8d..c983546 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +617,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +622,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -32038,7 +32043,7 @@ index dd3be8d..c983546 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +654,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +659,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -32050,7 +32055,7 @@ index dd3be8d..c983546 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +666,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +671,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) 
@@ -32061,7 +32066,7 @@ index dd3be8d..c983546 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +677,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +682,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -32071,7 +32076,7 @@ index dd3be8d..c983546 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +686,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +691,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -32079,7 +32084,7 @@ index dd3be8d..c983546 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +693,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +698,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -32087,7 +32092,7 @@ index dd3be8d..c983546 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +701,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +706,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -32105,7 +32110,7 @@ index dd3be8d..c983546 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +719,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +724,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -32119,7 +32124,7 @@ index dd3be8d..c983546 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +734,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +739,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -32133,7 +32138,7 @@ index dd3be8d..c983546 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +747,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +752,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -32141,7 +32146,7 @@ index dd3be8d..c983546 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +759,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +764,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -32149,7 +32154,7 @@ index dd3be8d..c983546 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +778,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +783,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -32173,7 +32178,7 @@ index dd3be8d..c983546 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +811,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +816,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -32181,7 +32186,7 @@ index dd3be8d..c983546 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +845,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +850,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -32192,7 +32197,7 @@ index dd3be8d..c983546 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +869,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +874,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -32201,7 +32206,7 @@ index dd3be8d..c983546 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +884,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +889,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -32209,7 +32214,7 @@ index dd3be8d..c983546 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +905,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +910,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -32217,7 +32222,7 @@ index dd3be8d..c983546 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +915,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +920,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -32262,7 +32267,7 @@ index dd3be8d..c983546 100644 ') optional_policy(` -@@ -558,14 +960,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +965,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -32294,7 +32299,7 @@ index dd3be8d..c983546 100644 ') ') -@@ -576,6 +995,39 @@ ifdef(`distro_suse',` +@@ -576,6 +1000,39 @@ ifdef(`distro_suse',` ') ') @@ -32334,7 +32339,7 @@ index dd3be8d..c983546 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +1040,8 @@ optional_policy(` +@@ -588,6 +1045,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) 
@@ -32343,7 +32348,7 @@ index dd3be8d..c983546 100644 ') optional_policy(` -@@ -609,6 +1063,7 @@ optional_policy(` +@@ -609,6 +1068,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -32351,7 +32356,7 @@ index dd3be8d..c983546 100644 ') optional_policy(` -@@ -625,6 +1080,17 @@ optional_policy(` +@@ -625,6 +1085,17 @@ optional_policy(` ') optional_policy(` @@ -32369,7 +32374,7 @@ index dd3be8d..c983546 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1107,13 @@ optional_policy(` +@@ -641,9 +1112,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -32383,7 +32388,7 @@ index dd3be8d..c983546 100644 ') optional_policy(` -@@ -656,15 +1126,11 @@ optional_policy(` +@@ -656,15 +1131,11 @@ optional_policy(` ') optional_policy(` @@ -32401,7 +32406,7 @@ index dd3be8d..c983546 100644 ') optional_policy(` -@@ -685,6 +1151,15 @@ optional_policy(` +@@ -685,6 +1156,15 @@ optional_policy(` ') optional_policy(` @@ -32417,7 +32422,7 @@ index dd3be8d..c983546 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1200,7 @@ optional_policy(` +@@ -725,6 +1205,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -32425,7 +32430,7 @@ index dd3be8d..c983546 100644 ') optional_policy(` -@@ -742,7 +1218,13 @@ optional_policy(` +@@ -742,7 +1223,13 @@ optional_policy(` ') optional_policy(` @@ -32440,7 +32445,7 @@ index dd3be8d..c983546 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1247,10 @@ optional_policy(` +@@ -765,6 +1252,10 @@ optional_policy(` ') optional_policy(` @@ -32451,7 +32456,7 @@ index dd3be8d..c983546 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1260,20 @@ optional_policy(` +@@ -774,10 +1265,20 @@ optional_policy(` ') optional_policy(` 
@@ -32472,7 +32477,7 @@ index dd3be8d..c983546 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1282,10 @@ optional_policy(` +@@ -786,6 +1287,10 @@ optional_policy(` ') optional_policy(` @@ -32483,7 +32488,7 @@ index dd3be8d..c983546 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1307,6 @@ optional_policy(` +@@ -807,8 +1312,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -32492,7 +32497,7 @@ index dd3be8d..c983546 100644 ') optional_policy(` -@@ -817,6 +1315,10 @@ optional_policy(` +@@ -817,6 +1320,10 @@ optional_policy(` ') optional_policy(` @@ -32503,7 +32508,7 @@ index dd3be8d..c983546 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1328,12 @@ optional_policy(` +@@ -826,10 +1333,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -32516,7 +32521,7 @@ index dd3be8d..c983546 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1360,35 @@ optional_policy(` +@@ -856,12 +1365,35 @@ optional_policy(` ') optional_policy(` @@ -32553,7 +32558,7 @@ index dd3be8d..c983546 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1398,18 @@ optional_policy(` +@@ -871,6 +1403,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -32572,7 +32577,7 @@ index dd3be8d..c983546 100644 ') optional_policy(` -@@ -886,6 +1425,10 @@ optional_policy(` +@@ -886,6 +1430,10 @@ optional_policy(` ') optional_policy(` @@ -32583,7 +32588,7 @@ index dd3be8d..c983546 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1439,218 @@ optional_policy(` +@@ -896,3 +1444,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') 
@@ -39242,7 +39247,7 @@ index 346a7cc..42a48b6 100644 +/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0) +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 6944526..821e74c 100644 +index 6944526..98ac8bf 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -39481,7 +39486,34 @@ index 6944526..821e74c 100644 ') ######################################## -@@ -681,8 +833,6 @@ interface(`sysnet_dns_name_resolve',` +@@ -617,6 +769,26 @@ interface(`sysnet_search_dhcp_state',` + allow $1 dhcp_state_t:dir search_dir_perms; + ') + ++####################################### ++## ++## Set the attributes of network config files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sysnet_setattr_dhcp_state',` ++ gen_require(` ++ type dhcp_state_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 dhcp_state_t:file setattr_file_perms; ++') ++ ++ + ######################################## + ## + ## Create DHCP state data. +@@ -681,8 +853,6 @@ interface(`sysnet_dns_name_resolve',` allow $1 self:udp_socket create_socket_perms; allow $1 self:netlink_route_socket r_netlink_socket_perms; @@ -39490,7 +39522,7 @@ index 6944526..821e74c 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -690,8 +840,11 @@ interface(`sysnet_dns_name_resolve',` +@@ -690,8 +860,11 @@ interface(`sysnet_dns_name_resolve',` corenet_tcp_sendrecv_dns_port($1) corenet_udp_sendrecv_dns_port($1) corenet_tcp_connect_dns_port($1) @@ -39502,7 +39534,7 @@ index 6944526..821e74c 100644 sysnet_read_config($1) optional_policy(` -@@ -720,8 +873,6 @@ interface(`sysnet_use_ldap',` +@@ -720,8 +893,6 @@ interface(`sysnet_use_ldap',` allow $1 self:tcp_socket create_socket_perms; 
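Review bot: The doc block of the new `sysnet_setattr_dhcp_state` interface says it sets attributes of "network config files", but its only rule is `allow $1 dhcp_state_t:file setattr_file_perms;` — DHCP state (lease) files, not configuration — so the summary should read `## Set the attributes of DHCP state files.` to match what `sepolicy interface` will report. The interface grants `files_search_var_lib($1)` but not search on the `dhcp_state_t` directory itself; a caller that cannot already search that directory (the existing `sysnet_search_dhcp_state` above does that) will still be denied, so consider adding `sysnet_search_dhcp_state($1)` or stating the expectation in the doc. There are two blank lines after the closing `')` where the rest of the file uses one.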
@@ -39511,7 +39543,7 @@ index 6944526..821e74c 100644 corenet_tcp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_tcp_sendrecv_ldap_port($1) -@@ -733,6 +884,9 @@ interface(`sysnet_use_ldap',` +@@ -733,6 +904,9 @@ interface(`sysnet_use_ldap',` dev_read_urand($1) sysnet_read_config($1) @@ -39521,7 +39553,7 @@ index 6944526..821e74c 100644 ') ######################################## -@@ -754,7 +908,6 @@ interface(`sysnet_use_portmap',` +@@ -754,7 +928,6 @@ interface(`sysnet_use_portmap',` allow $1 self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled($1) @@ -39529,7 +39561,7 @@ index 6944526..821e74c 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -766,3 +919,114 @@ interface(`sysnet_use_portmap',` +@@ -766,3 +939,114 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index a0314fc..e06bda9 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -2929,10 +2929,10 @@ index 0000000..df5b3be +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..8ba9c95 +index 0000000..83590aa --- /dev/null +++ b/antivirus.te -@@ -0,0 +1,274 @@ +@@ -0,0 +1,273 @@ +policy_module(antivirus, 1.0.0) + +######################################## @@ -2972,7 +2972,7 @@ index 0000000..8ba9c95 +systemd_unit_file(antivirus_unit_file_t) + +type antivirus_conf_t; -+typealias antivirus_conf_t alias { clamd_etc_t }; ++typealias antivirus_conf_t alias { clamd_etc_t amavis_etc_t }; +files_config_file(antivirus_conf_t) + +type antivirus_var_run_t; @@ -3101,6 +3101,7 @@ index 0000000..8ba9c95 + +domain_dontaudit_read_all_domains_state(antivirus_domain) + ++files_dontaudit_read_security_files(antivirus_domain) +files_read_etc_runtime_files(antivirus_domain) +files_search_spool(antivirus_domain) + 
@@ -3125,8 +3126,6 @@ index 0000000..8ba9c95 + +tunable_policy(`antivirus_can_scan_system',` + files_read_non_security_files(antivirus_domain) -+ #files_dontaudit_read_all_non_security_files(antivirus_domain) -+ files_dontaudit_read_security_files(antivirus_domain) + files_getattr_all_pipes(antivirus_domain) + files_getattr_all_sockets(antivirus_domain) + dev_getattr_all_blk_files(antivirus_domain) @@ -4964,7 +4963,7 @@ index 83e899c..64beed7 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..15e3e0b 100644 +index 1a82e29..0dbb289 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,381 @@ @@ -5598,13 +5597,14 @@ index 1a82e29..15e3e0b 100644 +# Apache server local policy # - allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; +-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; -dontaudit httpd_t self:capability net_admin; ++allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot }; +dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; allow httpd_t self:sock_file read_sock_file_perms; -@@ -378,28 +484,36 @@ allow httpd_t self:shm create_shm_perms; +@@ -378,28 +484,37 @@ allow httpd_t self:shm create_shm_perms; allow httpd_t self:sem create_sem_perms; allow httpd_t self:msgq create_msgq_perms; allow httpd_t self:msg { send receive }; 
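Review bot: `sys_chroot` is added unconditionally to httpd_t's self capability set on the `++allow httpd_t self:capability { ... sys_chroot };` line with no comment saying which Apache feature needs it; for a network-facing daemon that already holds `dac_override` and `chown`, a capability that lets it call chroot() is worth recording and ideally gating. If this is for Apache's `ChrootDir` directive (the hunk does not say), a comment such as `# sys_chroot: httpd.conf ChrootDir` above the line, or a boolean so administrators who never chroot Apache can leave it denied, keeps the default surface smaller. Separately, `sys_tty_config` now appears both in that allow set and in `dontaudit httpd_t self:capability { net_admin sys_tty_config };` immediately below; the dontaudit entry is dead once the permission is allowed and can be dropped.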
@@ -5639,6 +5639,7 @@ index 1a82e29..15e3e0b 100644 create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) ++setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) +# cjp: need to refine create interfaces to @@ -5646,7 +5647,7 @@ index 1a82e29..15e3e0b 100644 logging_log_filetrans(httpd_t, httpd_log_t, file) allow httpd_t httpd_modules_t:dir list_dir_perms; -@@ -407,14 +521,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +@@ -407,14 +522,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -5668,7 +5669,7 @@ index 1a82e29..15e3e0b 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -445,140 +566,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -445,140 +567,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -5906,7 +5907,7 @@ index 1a82e29..15e3e0b 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -589,28 +742,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -589,28 +743,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') 
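Review bot: `setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)` lets the web server chmod/chown/utime its own log files, weakening the create/append-only arrangement the surrounding lines keep (no write or unlink on `httpd_log_t`); together with the `chown` capability httpd_t already holds, a compromised worker could make logs world-readable or alter their timestamps. The commit message gives no reason; if a specific use case needs it, a comment above the line such as `# setattr: httpd adjusts log ownership/mode at startup` would let the next reviewer judge whether it still applies. Otherwise consider granting only the narrower permission actually observed rather than the full `setattr_file_perms`.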
@@ -5966,7 +5967,7 @@ index 1a82e29..15e3e0b 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -619,68 +794,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -619,68 +795,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -6057,7 +6058,7 @@ index 1a82e29..15e3e0b 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -690,49 +841,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -690,49 +842,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -6138,7 +6139,7 @@ index 1a82e29..15e3e0b 100644 ') optional_policy(` -@@ -744,24 +894,32 @@ optional_policy(` +@@ -744,24 +895,32 @@ optional_policy(` ') optional_policy(` @@ -6177,7 +6178,7 @@ index 1a82e29..15e3e0b 100644 ') optional_policy(` -@@ -770,6 +928,10 @@ optional_policy(` +@@ -770,6 +929,10 @@ optional_policy(` tunable_policy(`httpd_dbus_avahi',` avahi_dbus_chat(httpd_t) ') @@ -6188,7 +6189,7 @@ index 1a82e29..15e3e0b 100644 ') optional_policy(` -@@ -781,34 +943,53 @@ optional_policy(` +@@ -781,34 +944,53 @@ optional_policy(` ') optional_policy(` @@ -6253,7 +6254,7 @@ index 1a82e29..15e3e0b 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -816,8 +997,18 @@ optional_policy(` +@@ -816,8 +998,18 @@ optional_policy(` ') optional_policy(` @@ -6272,7 +6273,7 @@ index 1a82e29..15e3e0b 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -826,6 +1017,7 @@ optional_policy(` +@@ -826,6 +1018,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6280,7 +6281,7 @@ index 1a82e29..15e3e0b 100644 ') optional_policy(` -@@ -836,20 +1028,39 @@ optional_policy(` +@@ -836,20 +1029,39 @@ optional_policy(` ') optional_policy(` 
@@ -6326,7 +6327,7 @@ index 1a82e29..15e3e0b 100644 ') optional_policy(` -@@ -857,19 +1068,35 @@ optional_policy(` +@@ -857,19 +1069,35 @@ optional_policy(` ') optional_policy(` @@ -6362,7 +6363,7 @@ index 1a82e29..15e3e0b 100644 udev_read_db(httpd_t) ') -@@ -877,65 +1104,173 @@ optional_policy(` +@@ -877,65 +1105,173 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6558,7 +6559,7 @@ index 1a82e29..15e3e0b 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1279,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1280,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6713,7 +6714,7 @@ index 1a82e29..15e3e0b 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1363,106 @@ optional_policy(` +@@ -1077,172 +1364,106 @@ optional_policy(` ') ') @@ -6950,7 +6951,7 @@ index 1a82e29..15e3e0b 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1470,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1471,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7047,7 +7048,7 @@ index 1a82e29..15e3e0b 100644 ######################################## # -@@ -1315,8 +1545,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1546,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7064,7 +7065,7 @@ index 1a82e29..15e3e0b 100644 ') ######################################## -@@ -1324,49 +1561,38 @@ optional_policy(` +@@ -1324,49 +1562,38 @@ optional_policy(` # User content local policy # @@ -7129,7 +7130,7 @@ index 1a82e29..15e3e0b 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1602,100 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1603,100 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) 
@@ -12541,10 +12542,10 @@ index 0000000..8ac848b +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 0000000..786d623 +index 0000000..496ce03 --- /dev/null +++ b/cloudform.te -@@ -0,0 +1,299 @@ +@@ -0,0 +1,300 @@ +policy_module(cloudform, 1.0) +######################################## +# @@ -12817,8 +12818,9 @@ index 0000000..786d623 + +manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) +manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) ++manage_sock_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) +#needed by dbomatic -+files_pid_filetrans(mongod_t, mongod_var_run_t, { file }) ++files_pid_filetrans(mongod_t, mongod_var_run_t, { file sock_file dir }) + +corecmd_exec_bin(mongod_t) +corecmd_exec_shell(mongod_t) @@ -28084,7 +28086,7 @@ index 9eacb2c..229782f 100644 init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) domain_system_change_exemption($1) diff --git a/glance.te b/glance.te -index e0a4f46..16dcb5b 100644 +index e0a4f46..6838221 100644 --- a/glance.te +++ b/glance.te @@ -7,8 +7,7 @@ policy_module(glance, 1.0.2) @@ -28118,7 +28120,7 @@ index e0a4f46..16dcb5b 100644 allow glance_domain self:fifo_file rw_fifo_file_perms; allow glance_domain self:unix_stream_socket create_stream_socket_perms; allow glance_domain self:tcp_socket { accept listen }; -@@ -56,27 +58,23 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) +@@ -56,29 +58,29 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t) manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t) 
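Review bot: `files_pid_filetrans(mongod_t, mongod_var_run_t, { file sock_file dir })` now also transitions directories, but the commit message only mentions sock_files and the comment above it (`#needed by dbomatic`) describes the original file-only case, so the `dir` addition is unexplained; without a name qualifier every directory mongod creates directly under /run becomes `mongod_var_run_t`. If the intent is a `/run/mongodb` directory (not visible here), a named transition such as `files_pid_filetrans(mongod_t, mongod_var_run_t, dir, "mongodb")` is more precise, and the file-context file should carry a matching entry for the socket path so a restorecon does not relabel it. Update the comment so it covers all three object classes.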
@@ -28149,8 +28151,14 @@ index e0a4f46..16dcb5b 100644 - sysnet_dns_name_resolve(glance_domain) ++optional_policy(` ++ mysql_read_db_lnk_files(glance_domain) ++') ++ ######################################## -@@ -88,8 +86,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm + # + # Registry local policy +@@ -88,8 +90,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file }) @@ -28165,7 +28173,7 @@ index e0a4f46..16dcb5b 100644 logging_send_syslog_msg(glance_registry_t) -@@ -108,13 +112,22 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) +@@ -108,13 +116,24 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) can_exec(glance_api_t, glance_tmp_t) @@ -28184,6 +28192,8 @@ index e0a4f46..16dcb5b 100644 +corenet_tcp_connect_http_port(glance_api_t) + +corenet_tcp_connect_all_ephemeral_ports(glance_api_t) ++corenet_tcp_connect_commplex_main_port(glance_api_t) ++corenet_tcp_connect_http_cache_port(glance_api_t) + +corenet_sendrecv_hplip_server_packets(glance_api_t) +corenet_tcp_bind_hplip_port(glance_api_t) @@ -30896,7 +30906,7 @@ index d03fd43..af9415c 100644 + type_transition $1 gkeyringd_exec_t:process $2; ') diff --git a/gnome.te b/gnome.te -index 20f726b..5314f96 100644 +index 20f726b..ea1115c 100644 --- a/gnome.te +++ b/gnome.te @@ -1,18 +1,36 @@ 
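Review bot: The two new connects `corenet_tcp_connect_commplex_main_port(glance_api_t)` and `corenet_tcp_connect_http_cache_port(glance_api_t)` carry no comment about which OpenStack endpoint they reach, and since `corenet_tcp_connect_all_ephemeral_ports(glance_api_t)` on the line above already opens a wide range it is not obvious what they add. If `commplex_main` is here because Keystone's public API listens on 5000 (presumably, the hunk does not say), a comment such as `# keystone public API (commplex_main = 5000)` keeps the rationale next to the rule, and the same for the http_cache port. Once the specific ports are enumerated, consider whether the ephemeral-port connect is still required.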
@@ -30940,7 +30950,7 @@ index 20f726b..5314f96 100644 typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; typealias gconf_home_t alias unconfined_gconf_home_t; -@@ -29,107 +47,227 @@ type gconfd_exec_t; +@@ -29,107 +47,226 @@ type gconfd_exec_t; typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t }; typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; userdom_user_application_domain(gconfd_t, gconfd_exec_t) @@ -31162,7 +31172,6 @@ index 20f726b..5314f96 100644 +filetrans_pattern(gkeyringd_domain, gconf_home_t, data_home_t, dir, "share") +filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings") +filetrans_pattern(gkeyringd_domain, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings") -+filetrans_pattern(gkeyringd_domain, gnome_home_t, data_home_t, dir, "keyrings") -manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t) -manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t) @@ -33945,7 +33954,7 @@ index 08b7560..417e630 100644 +/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service -- gen_context(system_u:object_r:iscsi_unit_file_t,s0) +/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket -- gen_context(system_u:object_r:iscsi_unit_file_t,s0) diff --git a/iscsi.if b/iscsi.if -index 1a35420..2ea1241 100644 +index 1a35420..a7e1562 100644 --- a/iscsi.if +++ b/iscsi.if @@ -22,6 +22,27 @@ interface(`iscsid_domtrans',` @@ -33976,7 +33985,7 @@ index 1a35420..2ea1241 100644 ## iscsid sempaphores. ## ## -@@ -80,17 +101,31 @@ interface(`iscsi_read_lib_files',` +@@ -80,17 +101,53 @@ interface(`iscsi_read_lib_files',` ######################################## ## 
@@ -34000,6 +34009,28 @@ index 1a35420..2ea1241 100644 + files_lock_filetrans($1, iscsi_lock_t, dir, "iscsi") +') + ++######################################## ++## ++## Execute iscsi server in the iscsi domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`iscsi_systemctl',` ++ gen_require(` ++ type iscsid_t; ++ type iscsi_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 iscsi_unit_file_t:file read_file_perms; ++ allow $1 iscsi_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, iscsid_t) ++') + +######################################## +## @@ -34013,7 +34044,7 @@ index 1a35420..2ea1241 100644 ## ## ## -@@ -99,16 +134,15 @@ interface(`iscsi_admin',` +@@ -99,16 +156,15 @@ interface(`iscsi_admin',` gen_require(` type iscsid_t, iscsi_lock_t, iscsi_log_t; type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t; @@ -34035,7 +34066,7 @@ index 1a35420..2ea1241 100644 logging_search_logs($1) admin_pattern($1, iscsi_log_t) diff --git a/iscsi.te b/iscsi.te -index 57304e4..56d45ec 100644 +index 57304e4..b25cfd0 100644 --- a/iscsi.te +++ b/iscsi.te @@ -9,8 +9,8 @@ type iscsid_t; @@ -34086,7 +34117,7 @@ index 57304e4..56d45ec 100644 corenet_all_recvfrom_netlabel(iscsid_t) corenet_tcp_sendrecv_generic_if(iscsid_t) corenet_tcp_sendrecv_generic_node(iscsid_t) -@@ -85,21 +86,26 @@ corenet_sendrecv_isns_client_packets(iscsid_t) +@@ -85,21 +86,33 @@ corenet_sendrecv_isns_client_packets(iscsid_t) corenet_tcp_connect_isns_port(iscsid_t) corenet_tcp_sendrecv_isns_port(iscsid_t) @@ -34095,6 +34126,9 @@ index 57304e4..56d45ec 100644 +corenet_tcp_connect_winshadow_port(iscsid_t) +corenet_tcp_sendrecv_winshadow_port(iscsid_t) + ++corecmd_exec_bin(iscsid_t) ++corecmd_exec_shell(iscsid_t) ++ +dev_read_urand(iscsid_t) dev_rw_sysfs(iscsid_t) dev_rw_userio_dev(iscsid_t) 
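Review bot: The doc block of the new `iscsi_systemctl` interface is copied from a domtrans interface: the summary says "Execute iscsi server in the iscsi domain" and the parameter is described as "Domain allowed to transition", but the body grants `systemd_exec_systemctl`, `read_file_perms` on `iscsi_unit_file_t`, `manage_service_perms` on its service class and `ps_process_pattern` on `iscsid_t` — no domain transition occurs. Change the summary to `## Start, stop and check the iscsi services via systemctl.` and the parameter text to `## Domain allowed access.` so callers and `sepolicy interface` describe it correctly. `manage_service_perms` is the broad set (start/stop/enable and more, presumably); if callers only need start/stop, say so in the doc.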
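Review bot: `corecmd_exec_shell(iscsid_t)` and `corecmd_exec_bin(iscsid_t)` let the iSCSI daemon run any shell or `bin_t` program in its own domain with no comment naming the helper it spawns; since iscsid also has network access (isns, iscsi, winshadow ports above), this widens what a bug in iscsid can reach. If this is for iscsiadm/iscsi-iname style helpers or a systemctl call-out (the hunk does not say), a one-line comment such as `# iscsid execs iscsiadm and shell helpers when logging into targets` above the pair would document it, and a dedicated helper domain would be the least-privilege alternative if shell access is only needed for one script. The rest of iscsid_t's policy continues outside this hunk.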
@@ -34113,6 +34147,10 @@ index 57304e4..56d45ec 100644 -miscfiles_read_localization(iscsid_t) +modutils_read_module_config(iscsid_t) ++ ++optional_policy(` ++ iscsi_systemctl(iscsid_t) ++') optional_policy(` tgtd_manage_semaphores(iscsid_t) @@ -37622,7 +37660,7 @@ index d3e7fc9..f20248c 100644 + ') ') diff --git a/keystone.te b/keystone.te -index 3494d9b..a82637c 100644 +index 3494d9b..c21beab 100644 --- a/keystone.te +++ b/keystone.te @@ -21,10 +21,14 @@ files_type(keystone_var_lib_t) @@ -37640,7 +37678,7 @@ index 3494d9b..a82637c 100644 allow keystone_t self:fifo_file rw_fifo_file_perms; allow keystone_t self:unix_stream_socket { accept listen }; -@@ -57,20 +61,29 @@ corenet_all_recvfrom_netlabel(keystone_t) +@@ -57,20 +61,30 @@ corenet_all_recvfrom_netlabel(keystone_t) corenet_tcp_sendrecv_generic_if(keystone_t) corenet_tcp_sendrecv_generic_node(keystone_t) corenet_tcp_bind_generic_node(keystone_t) @@ -37664,7 +37702,8 @@ index 3494d9b..a82637c 100644 optional_policy(` mysql_stream_connect(keystone_t) mysql_tcp_connect(keystone_t) - ') ++ mysql_read_db_lnk_files(keystone_t) ++') + +optional_policy(` + postgresql_stream_connect(keystone_t) @@ -37672,7 +37711,7 @@ index 3494d9b..a82637c 100644 + +optional_policy(` + rpm_exec(keystone_t) -+') + ') diff --git a/kismet.if b/kismet.if index aa2a337..7ff229f 100644 --- a/kismet.if @@ -48519,7 +48558,7 @@ index c48dc17..297f831 100644 +/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0) +/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) diff --git a/mysql.if b/mysql.if -index 687af38..404ed6d 100644 +index 687af38..a77dc09 100644 --- a/mysql.if +++ b/mysql.if @@ -1,23 +1,4 @@ 
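Review bot: The new `optional_policy(` wrapper around `iscsi_systemctl(iscsid_t)` is redundant: `iscsi_systemctl` is defined in this same module (iscsi.if), so it is always available when iscsi.te compiles, and `optional_policy` exists to guard calls into modules that may be absent. Calling it bare, `iscsi_systemctl(iscsid_t)`, matches how other same-module interfaces are used and avoids implying the call is droppable. The call also gives iscsid `manage_service_perms` on its own unit plus systemctl execution; a comment stating why the daemon starts/reloads its own services would help a reviewer judge that.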
@@ -48723,7 +48762,28 @@ index 687af38..404ed6d 100644 ## ## ## -@@ -224,7 +236,7 @@ interface(`mysql_append_db_files',` +@@ -221,10 +233,28 @@ interface(`mysql_append_db_files',` + files_search_var_lib($1) + append_files_pattern($1, mysqld_db_t, mysqld_db_t) + ') ++####################################### ++## ++## Read and write to the MySQL database directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mysql_read_db_lnk_files',` ++ gen_require(` ++ type mysqld_db_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_lnk_files_pattern($1, mysqld_db_t, mysqld_db_t) ++') ####################################### ## @@ -48732,7 +48792,7 @@ index 687af38..404ed6d 100644 ## ## ## -@@ -243,8 +255,7 @@ interface(`mysql_rw_db_files',` +@@ -243,8 +273,7 @@ interface(`mysql_rw_db_files',` ####################################### ## @@ -48742,7 +48802,7 @@ index 687af38..404ed6d 100644 ## ## ## -@@ -263,7 +274,7 @@ interface(`mysql_manage_db_files',` +@@ -263,7 +292,7 @@ interface(`mysql_manage_db_files',` ######################################## ## @@ -48751,7 +48811,7 @@ index 687af38..404ed6d 100644 ## named socket. ## ## -@@ -273,13 +284,18 @@ interface(`mysql_manage_db_files',` +@@ -273,13 +302,18 @@ interface(`mysql_manage_db_files',` ## # interface(`mysql_rw_db_sockets',` @@ -48773,7 +48833,7 @@ index 687af38..404ed6d 100644 ## ## ## -@@ -287,86 +303,92 @@ interface(`mysql_rw_db_sockets',` +@@ -287,86 +321,92 @@ interface(`mysql_rw_db_sockets',` ## ## # @@ -48899,7 +48959,7 @@ index 687af38..404ed6d 100644 ## ## ## -@@ -374,18 +396,22 @@ interface(`mysql_write_log',` +@@ -374,18 +414,22 @@ interface(`mysql_write_log',` ## ## # @@ -48928,7 +48988,7 @@ index 687af38..404ed6d 100644 ## ## ## -@@ -393,39 +419,37 @@ interface(`mysql_domtrans_mysql_safe',` +@@ -393,39 +437,37 @@ interface(`mysql_domtrans_mysql_safe',` ## ## # 
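Review bot: The new `mysql_read_db_lnk_files` interface is documented as `Read and write to the MySQL database directory.` but its body only grants `read_lnk_files_pattern($1, mysqld_db_t, mysqld_db_t)` after `files_search_var_lib($1)`, so the generated interface docs overstate the access handed out to keystone, nova and neutron elsewhere in this patch. Change the summary to `## Read symbolic links in the MySQL database directory.`. Also restore the blank line that the rest of mysql.if keeps between the closing `')` of `mysql_append_db_files` and the `#######` banner of the new interface, so the file stays one interface per block. The other outer hunks on this line only renumber inner hunk headers.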
@@ -48980,7 +49040,7 @@ index 687af38..404ed6d 100644 ## ## ## -@@ -434,41 +458,52 @@ interface(`mysql_search_pid_files',` +@@ -434,41 +476,52 @@ interface(`mysql_search_pid_files',` ## ## ## @@ -52258,10 +52318,10 @@ index 0000000..28936b4 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..d5b54e5 +index 0000000..bd2f08f --- /dev/null +++ b/nova.te -@@ -0,0 +1,320 @@ +@@ -0,0 +1,318 @@ +policy_module(nova, 1.0.0) + +######################################## @@ -52310,6 +52370,7 @@ index 0000000..d5b54e5 +# nova general domain local policy +# + ++allow nova_domain self:process signal_perms; +allow nova_domain self:fifo_file rw_fifo_file_perms; +allow nova_domain self:tcp_socket create_stream_socket_perms; +allow nova_domain self:unix_stream_socket create_stream_socket_perms; @@ -52340,6 +52401,11 @@ index 0000000..d5b54e5 +libs_exec_ldconfig(nova_domain) + +optional_policy(` ++ mysql_stream_connect(nova_domain) ++ mysql_read_db_lnk_files(nova_domain) ++') ++ ++optional_policy(` + sysnet_read_config(nova_domain) + sysnet_exec_ifconfig(nova_domain) +') @@ -52406,10 +52472,6 @@ index 0000000..d5b54e5 +miscfiles_read_certs(nova_cert_t) + +optional_policy(` -+ mysql_stream_connect(nova_cert_t) -+') -+ -+optional_policy(` + postgresql_stream_connect(nova_cert_t) +') + @@ -52440,10 +52502,6 @@ index 0000000..d5b54e5 + +auth_use_nsswitch(nova_console_t) + -+optional_policy(` -+ mysql_stream_connect(nova_console_t) -+') -+ +####################################### +# +# nova direct local policy @@ -73165,10 +73223,10 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 769d1fd..52bad99 100644 +index 769d1fd..8c49752 100644 --- a/quantum.te +++ b/quantum.te -@@ -1,96 +1,132 @@ +@@ -1,96 +1,134 @@ -policy_module(quantum, 1.0.2) +policy_module(quantum, 1.0.3) 
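Review bot: Moving `mysql_stream_connect` from `nova_cert_t` and `nova_console_t` up to the `nova_domain` attribute, together with the new `mysql_read_db_lnk_files(nova_domain)`, lets every domain carrying the attribute reach the MySQL socket and database symlinks, while keystone in this same patch pairs its socket rule with `mysql_tcp_connect`. If the point of the "instack overcloud" fixes is a multi-node deployment where nova services reach MySQL over TCP, the stream-socket rule alone will not satisfy it and `mysql_tcp_connect(nova_domain)` belongs in the same optional block; if only the API/scheduler-style services talk to the database, the rule is better kept on those domains than on the attribute. A one-line comment such as `# nova services share the local DB socket (overcloud deployments)` above the block would record whichever was intended. The domains that carry nova_domain are declared outside this hunk.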
@@ -73218,8 +73276,9 @@ index 769d1fd..52bad99 100644 -allow quantum_t self:key manage_key_perms; -allow quantum_t self:tcp_socket { accept listen }; -allow quantum_t self:unix_stream_socket { accept listen }; -+allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw }; -+allow neutron_t self:process { setsched setrlimit }; ++allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin }; ++allow neutron_t self:capability2 block_suspend; ++allow neutron_t self:process { setsched setrlimit signal_perms }; +allow neutron_t self:fifo_file rw_fifo_file_perms; +allow neutron_t self:key manage_key_perms; +allow neutron_t self:tcp_socket { accept listen }; @@ -73252,7 +73311,7 @@ index 769d1fd..52bad99 100644 +can_exec(neutron_t, neutron_tmp_t) -can_exec(quantum_t, quantum_tmp_t) -+kernel_read_kernel_sysctls(neutron_t) ++kernel_rw_kernel_sysctl(neutron_t) +kernel_read_system_state(neutron_t) +kernel_read_network_state(neutron_t) +kernel_request_load_module(neutron_t) @@ -73281,9 +73340,11 @@ index 769d1fd..52bad99 100644 +corenet_tcp_connect_keystone_port(neutron_t) +corenet_tcp_connect_amqp_port(neutron_t) +corenet_tcp_connect_mysqld_port(neutron_t) ++corenet_tcp_connect_osapi_compute_port(neutron_t) -dev_list_sysfs(quantum_t) -dev_read_urand(quantum_t) ++domain_read_all_domains_state(neutron_t) +domain_named_filetrans(neutron_t) -files_read_usr_files(quantum_t) 
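Review bot: `kernel_rw_kernel_sysctl(neutron_t)` replaces `kernel_read_kernel_sysctls(neutron_t)` and grants write access to the kernel.* sysctl tree, which is a larger grant than a network agent should need; as far as I know the sysctls neutron's agents toggle (ip_forward, rp_filter and similar) live under net.* and are covered by `kernel_rw_net_sysctls(neutron_t)` — confirm the interface name against kernel.if. Writable kernel.* entries such as modprobe and core_pattern can be used to get a binary run by the kernel's usermode helper outside the confined domain, so if a kernel.* key really is needed the rule deserves a comment naming it, e.g. `# neutron writes kernel.<key>; see bz#…`. The marker column in this nested hunk is inconsistent, so I am reading the new side from the hunk counts, and the neutron_t rules continue past this hunk.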
@@ -73335,18 +73396,17 @@ index 769d1fd..52bad99 100644 - postgresql_stream_connect(quantum_t) - postgresql_unpriv_client(quantum_t) + mysql_stream_connect(neutron_t) ++ mysql_read_db_lnk_files(neutron_t) + mysql_read_config(neutron_t) ++ mysql_tcp_connect(neutron_t) ++') - postgresql_tcp_connect(quantum_t) -+ mysql_tcp_connect(neutron_t) - ') -+ +optional_policy(` + postgresql_stream_connect(neutron_t) + postgresql_unpriv_client(neutron_t) -+ + postgresql_tcp_connect(neutron_t) -+') + ') + +optional_policy(` + openvswitch_domtrans(neutron_t) @@ -77736,7 +77796,7 @@ index 56bc01f..1337d42 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 2c2de9a..4fd3b77 100644 +index 2c2de9a..503838b 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) @@ -78220,7 +78280,7 @@ index 2c2de9a..4fd3b77 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +580,53 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +580,54 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -78239,6 +78299,7 @@ index 2c2de9a..4fd3b77 100644 +allow haproxy_t self:capability { dac_override kill }; + +allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource }; ++allow haproxy_t self:capability2 block_suspend; +allow haproxy_t self:process { fork setrlimit signal_perms }; +allow haproxy_t self:fifo_file rw_fifo_file_perms; +allow haproxy_t self:unix_stream_socket create_stream_socket_perms; @@ -78276,7 +78337,7 @@ index 2c2de9a..4fd3b77 100644 ###################################### # # qdiskd local policy -@@ -321,6 +669,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +670,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -94004,10 +94065,10 @@ index 0000000..df82c36 +') 
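Review bot: `mysql_tcp_connect(neutron_t)` is added inside the mysql `optional_policy` block while `corenet_tcp_connect_mysqld_port(neutron_t)` remains an unconditional rule earlier in neutron.te (visible in the preceding hunk), so the same port permission is now expressed twice and only one copy is gated on the mysql module being present. If the intent is to allow the port only when mysql policy is loaded, drop the bare corenet line; otherwise the `mysql_tcp_connect` call adds little beyond the client-packet rule, assuming it wraps the same corenet mysqld-port rules as in the reference policy. The postgresql and openvswitch optional blocks that follow are unchanged apart from the relocated `')`.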
diff --git a/swift.te b/swift.te new file mode 100644 -index 0000000..7bef550 +index 0000000..3faae22 --- /dev/null +++ b/swift.te -@@ -0,0 +1,80 @@ +@@ -0,0 +1,87 @@ +policy_module(swift, 1.0.0) + +######################################## @@ -94020,7 +94081,10 @@ index 0000000..7bef550 +init_daemon_domain(swift_t, swift_exec_t) + +type swift_tmp_t; -+files_tmpfs_file(swift_tmp_t) ++files_tmp_file(swift_tmp_t) ++ ++type swift_tmpfs_t; ++files_tmpfs_file(swift_tmpfs_t) + +type swift_var_cache_t; +files_type(swift_var_cache_t) @@ -94050,6 +94114,10 @@ index 0000000..7bef550 +manage_files_pattern(swift_t, swift_tmp_t, swift_tmp_t) +files_tmp_filetrans(swift_t, swift_tmp_t, { dir file }) + ++manage_dirs_pattern(swift_t, swift_tmpfs_t, swift_tmpfs_t) ++manage_files_pattern(swift_t, swift_tmpfs_t, swift_tmpfs_t) ++fs_tmpfs_filetrans(swift_t, swift_tmpfs_t, { dir file }) ++ +manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) +manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) +manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index d0d2a48..32d10d7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 155%{?dist} +Release: 156%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -579,6 +579,19 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Apr 18 2014 Lukas Vrabec 3.12.1-156 +- Allow init_t to setattr/relabelfrom dhcp state files +- Dontaudit antivirus domains read access on all security files by default +- Add missing alias for old amavis_etc_t type +- Allow block_suspend cap for haproxy +- Additional fixes for instack overcloud +- Allow OpenStack to read mysqld_db links and connect to MySQL +- Remove dup filename rules in gnome.te +- Allow sys_chroot cap for httpd_t and setattr on httpd_log_t +- Allow iscsid to handle own unit files +- Add iscsi_systemctl() +- Allow mongod to create also sock_files in /run with correct labeling + * Mon Apr 14 2014 Lukas Vrabec 3.12.1-155 - Allow httpd to send signull to apache script domains and don't audit leaks - Allow rabbitmq_beam to connect to httpd port