diff --git a/policy-F16.patch b/policy-F16.patch
index 84a9a7a..3d81387 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1304,7 +1304,7 @@ index 4f7bd3c..a29af21 100644
- unconfined_domain(kudzu_t)
')
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..071d66e 100644
+index 7090dae..b8152bc 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -29,9 +29,9 @@ files_type(logrotate_var_lib_t)
@@ -1416,7 +1416,18 @@ index 7090dae..071d66e 100644
cups_domtrans(logrotate_t)
')
-@@ -200,9 +217,12 @@ optional_policy(`
+@@ -178,6 +195,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ chronyd_read_keys(logrotate_t)
++')
++
++optional_policy(`
+ icecast_signal(logrotate_t)
+ ')
+
+@@ -200,9 +221,12 @@ optional_policy(`
')
optional_policy(`
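Review bot: The added `chronyd_read_keys(logrotate_t)` block gives the log-rotation domain read access to chronyd's key material, and nothing in the hunk says why. Presumably a logrotate script calls chronyc and has to authenticate, but that is inferred, not shown here. I would put a comment above the call, e.g. `# chrony's logrotate script runs chronyc, which reads the command key`, adjusted to the denial that was actually seen. It is also worth confirming that direct read access to the key file is the narrowest grant that works. The surrounding optional_policy list continues outside the hunk.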
@@ -1430,7 +1441,7 @@ index 7090dae..071d66e 100644
optional_policy(`
samba_exec_log(logrotate_t)
-@@ -228,3 +248,14 @@ optional_policy(`
+@@ -228,3 +252,14 @@ optional_policy(`
optional_policy(`
varnishd_manage_log(logrotate_t)
')
@@ -4914,7 +4925,7 @@ index 0000000..a03aec4
+')
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
new file mode 100644
-index 0000000..9da72e0
+index 0000000..9a914b6
--- /dev/null
+++ b/policy/modules/apps/chrome.te
@@ -0,0 +1,187 @@
@@ -5063,7 +5074,7 @@ index 0000000..9da72e0
+# chrome_sandbox_nacl local policy
+#
+
-+allow chrome_sandbox_nacl_t self:process execmem;
++allow chrome_sandbox_nacl_t self:process { execmem setsched };
+allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
+allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
+allow chrome_sandbox_nacl_t self:shm create_shm_perms;
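Review bot: `setsched` is added next to `execmem` on the `chrome_sandbox_nacl_t self:process` rule without a stated reason, and the following hunk widens `chrome_sandbox_t`'s access to the NaCl process from `share` to `{ sigkill sigstop signull signal share }` the same way. In a sandbox domain each added process permission deserves a one-line comment naming the denial it answers, e.g. `# sandbox parent must be able to stop and kill NaCl helpers`. If the usual signal set is intended, say why `sigchld` is left out instead of using `signal_perms`, so that a later cleanup does not widen the rule by accident.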
@@ -5073,7 +5084,7 @@ index 0000000..9da72e0
+
+allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
+allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
-+allow chrome_sandbox_t chrome_sandbox_nacl_t:process share;
++allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal share };
+
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
+fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
@@ -25686,10 +25697,10 @@ index 6480167..e12bbc0 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..dd51579 100644
+index 3136c6a..7770367 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
-@@ -18,130 +18,218 @@ policy_module(apache, 2.2.1)
+@@ -18,130 +18,225 @@ policy_module(apache, 2.2.1)
# Declarations
#
@@ -25738,6 +25749,13 @@ index 3136c6a..dd51579 100644
+
+##
+##
++## Allow httpd processes to manage IPA content
++##
++##
++gen_tunable(httpd_manage_ipa, false)
++
++##
++##
+## Allow httpd daemon to change system limits
+##
+##
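Review bot: The description of `httpd_manage_ipa` says "manage IPA content", but the only rule this patch puts behind it (the later apache.te hunk) is `memcached_manage_pid_files(httpd_t)`. An administrator reading the boolean's text cannot tell that it grants httpd management access to memcached's run-time files. I would reword the description to name what is granted, e.g. `## Allow httpd to manage memcached run-time files, as needed by IPA`. Whether other rules use this tunable outside the visible hunks cannot be told from here.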
@@ -25964,7 +25982,7 @@ index 3136c6a..dd51579 100644
attribute httpdcontent;
attribute httpd_user_content_type;
-@@ -166,7 +254,7 @@ files_type(httpd_cache_t)
+@@ -166,7 +261,7 @@ files_type(httpd_cache_t)
# httpd_config_t is the type given to the configuration files
type httpd_config_t;
@@ -25973,7 +25991,7 @@ index 3136c6a..dd51579 100644
type httpd_helper_t;
type httpd_helper_exec_t;
-@@ -177,6 +265,9 @@ role system_r types httpd_helper_t;
+@@ -177,6 +272,9 @@ role system_r types httpd_helper_t;
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
@@ -25983,7 +26001,7 @@ index 3136c6a..dd51579 100644
type httpd_lock_t;
files_lock_file(httpd_lock_t)
-@@ -216,7 +307,17 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -216,7 +314,17 @@ files_tmp_file(httpd_suexec_tmp_t)
# setup the system domain for system CGI scripts
apache_content_template(sys)
@@ -26002,7 +26020,7 @@ index 3136c6a..dd51579 100644
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -226,6 +327,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -226,6 +334,10 @@ files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
@@ -26013,7 +26031,7 @@ index 3136c6a..dd51579 100644
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +338,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -233,6 +345,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
userdom_user_home_content(httpd_user_rw_content_t)
typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -26021,7 +26039,7 @@ index 3136c6a..dd51579 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -254,14 +360,23 @@ files_type(httpd_var_lib_t)
+@@ -254,14 +367,23 @@ files_type(httpd_var_lib_t)
type httpd_var_run_t;
files_pid_file(httpd_var_run_t)
@@ -26045,7 +26063,7 @@ index 3136c6a..dd51579 100644
########################################
#
# Apache server local policy
-@@ -281,11 +396,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -281,11 +403,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow httpd_t self:tcp_socket create_stream_socket_perms;
allow httpd_t self:udp_socket create_socket_perms;
@@ -26059,7 +26077,7 @@ index 3136c6a..dd51579 100644
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -329,8 +446,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -329,8 +453,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -26070,7 +26088,7 @@ index 3136c6a..dd51579 100644
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -355,6 +473,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +480,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -26080,7 +26098,7 @@ index 3136c6a..dd51579 100644
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +486,15 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +493,15 @@ corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
@@ -26097,7 +26115,7 @@ index 3136c6a..dd51579 100644
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
-@@ -378,12 +503,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +510,12 @@ dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -26113,7 +26131,7 @@ index 3136c6a..dd51579 100644
domain_use_interactive_fds(httpd_t)
-@@ -391,6 +516,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +523,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
@@ -26121,7 +26139,7 @@ index 3136c6a..dd51579 100644
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
-@@ -402,48 +528,101 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +535,101 @@ files_read_etc_files(httpd_t)
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -26225,7 +26243,7 @@ index 3136c6a..dd51579 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,25 +635,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,25 +642,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -26283,7 +26301,7 @@ index 3136c6a..dd51579 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +693,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +700,16 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -26300,7 +26318,7 @@ index 3136c6a..dd51579 100644
')
tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +717,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +724,19 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
@@ -26321,7 +26339,7 @@ index 3136c6a..dd51579 100644
')
optional_policy(`
-@@ -513,7 +741,13 @@ optional_policy(`
+@@ -513,7 +748,13 @@ optional_policy(`
')
optional_policy(`
@@ -26336,7 +26354,7 @@ index 3136c6a..dd51579 100644
')
optional_policy(`
-@@ -528,7 +762,19 @@ optional_policy(`
+@@ -528,7 +769,19 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -26357,7 +26375,7 @@ index 3136c6a..dd51579 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +783,13 @@ optional_policy(`
+@@ -537,8 +790,13 @@ optional_policy(`
')
optional_policy(`
@@ -26372,7 +26390,7 @@ index 3136c6a..dd51579 100644
')
')
-@@ -556,7 +807,13 @@ optional_policy(`
+@@ -556,7 +814,21 @@ optional_policy(`
')
optional_policy(`
@@ -26381,12 +26399,20 @@ index 3136c6a..dd51579 100644
+')
+
+optional_policy(`
++ memcached_stream_connect(httpd_t)
++
++ tunable_policy(`httpd_manage_ipa',`
++ memcached_manage_pid_files(httpd_t)
++ ')
++')
++
++optional_policy(`
# Allow httpd to work with mysql
+ mysql_read_config(httpd_t)
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +824,7 @@ optional_policy(`
+@@ -567,6 +839,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
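Review bot: `memcached_stream_connect(httpd_t)` is placed outside the `httpd_manage_ipa` tunable, so wherever the memcached module is present httpd_t may connect to memcached's unix socket regardless of the boolean. Only `memcached_manage_pid_files(httpd_t)` is gated. httpd_t handles untrusted requests, so access to a cache socket should be a deliberate choice. If it is needed only for the IPA setup, move the call inside the existing `tunable_policy` block. Otherwise add a comment above it, e.g. `# httpd talks to a local memcached over its unix socket`, saying which deployment needs it unconditionally.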
@@ -26394,7 +26420,7 @@ index 3136c6a..dd51579 100644
')
optional_policy(`
-@@ -577,6 +835,20 @@ optional_policy(`
+@@ -577,6 +850,20 @@ optional_policy(`
')
optional_policy(`
@@ -26415,7 +26441,7 @@ index 3136c6a..dd51579 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -591,6 +863,11 @@ optional_policy(`
+@@ -591,6 +878,11 @@ optional_policy(`
')
optional_policy(`
@@ -26427,7 +26453,7 @@ index 3136c6a..dd51579 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +880,12 @@ optional_policy(`
+@@ -603,6 +895,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -26440,7 +26466,7 @@ index 3136c6a..dd51579 100644
########################################
#
# Apache helper local policy
-@@ -616,7 +899,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +914,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -26453,7 +26479,7 @@ index 3136c6a..dd51579 100644
########################################
#
-@@ -654,28 +941,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +956,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -26497,7 +26523,7 @@ index 3136c6a..dd51579 100644
')
########################################
-@@ -685,6 +974,8 @@ optional_policy(`
+@@ -685,6 +989,8 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -26506,7 +26532,7 @@ index 3136c6a..dd51579 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +990,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1005,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -26532,7 +26558,7 @@ index 3136c6a..dd51579 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1036,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1051,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -26565,7 +26591,7 @@ index 3136c6a..dd51579 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1083,25 @@ optional_policy(`
+@@ -769,6 +1098,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -26591,7 +26617,7 @@ index 3136c6a..dd51579 100644
########################################
#
# Apache system script local policy
-@@ -789,12 +1122,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1137,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -26609,7 +26635,7 @@ index 3136c6a..dd51579 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,18 +1141,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1156,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -26666,7 +26692,7 @@ index 3136c6a..dd51579 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1192,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1207,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -26697,7 +26723,7 @@ index 3136c6a..dd51579 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1227,20 @@ optional_policy(`
+@@ -842,10 +1242,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -26718,7 +26744,7 @@ index 3136c6a..dd51579 100644
')
########################################
-@@ -891,11 +1286,49 @@ optional_policy(`
+@@ -891,11 +1301,49 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -33224,7 +33250,7 @@ index 305ddf4..173cd16 100644
admin_pattern($1, ptal_etc_t)
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..4082621 100644
+index 0f28095..50a94a4 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -33396,7 +33422,15 @@ index 0f28095..4082621 100644
policykit_dbus_chat(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
')
-@@ -587,13 +614,17 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -537,6 +564,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+ corenet_tcp_bind_generic_node(cupsd_lpd_t)
+ corenet_udp_bind_generic_node(cupsd_lpd_t)
+ corenet_tcp_connect_ipp_port(cupsd_lpd_t)
++corenet_tcp_connect_printer_port(cupsd_lpd_t)
+
+ dev_read_urand(cupsd_lpd_t)
+ dev_read_rand(cupsd_lpd_t)
+@@ -587,13 +615,17 @@ auth_use_nsswitch(cups_pdf_t)
miscfiles_read_localization(cups_pdf_t)
miscfiles_read_fonts(cups_pdf_t)
@@ -33416,7 +33450,7 @@ index 0f28095..4082621 100644
tunable_policy(`use_nfs_home_dirs',`
fs_search_auto_mountpoints(cups_pdf_t)
-@@ -606,6 +637,10 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -606,6 +638,10 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(cups_pdf_t)
')
@@ -33427,7 +33461,7 @@ index 0f28095..4082621 100644
########################################
#
# HPLIP local policy
-@@ -639,7 +674,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -639,7 +675,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
@@ -33436,7 +33470,7 @@ index 0f28095..4082621 100644
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +720,7 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +721,7 @@ domain_use_interactive_fds(hplip_t)
files_read_etc_files(hplip_t)
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
@@ -33444,7 +33478,7 @@ index 0f28095..4082621 100644
logging_send_syslog_msg(hplip_t)
-@@ -696,8 +732,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +733,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
@@ -34432,20 +34466,29 @@ index 567865f..9c9e65c 100644
admin_pattern($1, denyhosts_var_lock_t)
')
diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te
-index 8ba9425..b10da2c 100644
+index 8ba9425..5aaad2f 100644
--- a/policy/modules/services/denyhosts.te
+++ b/policy/modules/services/denyhosts.te
-@@ -25,7 +25,8 @@ logging_log_file(denyhosts_var_log_t)
+@@ -25,7 +25,9 @@ logging_log_file(denyhosts_var_log_t)
#
# DenyHosts personal policy.
#
-
+# Bug #588563
+allow denyhosts_t self:capability sys_tty_config;
++allow denyhosts_t self:fifo_file rw_fifo_file_perms;
allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
allow denyhosts_t self:tcp_socket create_socket_perms;
allow denyhosts_t self:udp_socket create_socket_perms;
-@@ -53,20 +54,28 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t)
+@@ -45,6 +47,7 @@ logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
+
+ kernel_read_system_state(denyhosts_t)
+
++corecmd_exec_shell(denyhosts_t)
+ corecmd_exec_bin(denyhosts_t)
+
+ corenet_all_recvfrom_unlabeled(denyhosts_t)
+@@ -53,20 +56,28 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t)
corenet_tcp_sendrecv_generic_node(denyhosts_t)
corenet_tcp_bind_generic_node(denyhosts_t)
corenet_tcp_connect_smtp_port(denyhosts_t)
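Review bot: The new `allow denyhosts_t self:fifo_file rw_fifo_file_perms;` line is inserted directly under the existing `# Bug #588563` comment, so it now reads as part of that report, and neither it nor `corecmd_exec_shell(denyhosts_t)` further down says which denial it fixes. Together the two rules let the daemon run shell commands through pipes. denyhosts parses authentication logs whose content remote clients can influence, so shell execution in this domain deserves its own comment, e.g. `# denyhosts runs helper commands through a shell pipe (bug: PLACEHOLDER)`. The fifo_file rule should also be separated from the sys_tty_config bug reference unless it belongs to the same report. As written the shell is executed without a transition, so it stays within denyhosts_t.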
@@ -43519,7 +43562,7 @@ index 98d28b4..1c1d012 100644
+ delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+')
diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if
-index db4fd6f..5008a6c 100644
+index db4fd6f..7fe8321 100644
--- a/policy/modules/services/memcached.if
+++ b/policy/modules/services/memcached.if
@@ -5,15 +5,14 @@
@@ -43541,7 +43584,52 @@ index db4fd6f..5008a6c 100644
')
domtrans_pattern($1, memcached_exec_t, memcached_t)
-@@ -57,8 +56,7 @@ interface(`memcached_read_pid_files',`
+@@ -40,6 +39,44 @@ interface(`memcached_read_pid_files',`
+
+ ########################################
+ ##
++## Manage memcached PID files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`memcached_manage_pid_files',`
++ gen_require(`
++ type memcached_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t, memcached_t)
++')
++
++########################################
++##
++## Connect to memcached over a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`memcached_stream_connect',`
++ gen_require(`
++ type memcached_t, memcached_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, memcached_var_run_t, memcached_var_run_t, memcached_t)
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an memcached environment
+ ##
+@@ -57,8 +94,7 @@ interface(`memcached_read_pid_files',`
#
interface(`memcached_admin',`
gen_require(`
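Review bot: In the new `memcached_manage_pid_files` interface, `manage_files_pattern` is called with four arguments, but that pattern takes three (domain, directory type, file type). The trailing `memcached_t` looks copied from the `stream_connect_pattern` call in the interface below, and it is not declared in this interface's `gen_require` either. The line should read `manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t)`. Separately, `memcached_stream_connect` passes `memcached_var_run_t` as the socket-file type; confirm that memcached's socket is actually labelled with that type, since the hunk does not show it.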
@@ -43551,7 +43639,7 @@ index db4fd6f..5008a6c 100644
')
allow $1 memcached_t:process { ptrace signal_perms };
-@@ -69,5 +67,6 @@ interface(`memcached_admin',`
+@@ -69,5 +105,6 @@ interface(`memcached_admin',`
role_transition $2 memcached_initrc_exec_t system_r;
allow $2 system_r;
@@ -50082,10 +50170,10 @@ index 0000000..b11f37a
+')
diff --git a/policy/modules/services/polipo.te b/policy/modules/services/polipo.te
new file mode 100644
-index 0000000..89ab1b6
+index 0000000..7750ace
--- /dev/null
+++ b/policy/modules/services/polipo.te
-@@ -0,0 +1,159 @@
+@@ -0,0 +1,170 @@
+policy_module(polipo, 1.0.0)
+
+########################################
@@ -50134,6 +50222,13 @@ index 0000000..89ab1b6
+##
+gen_tunable(polipo_session_send_syslog_msg, false)
+
++##
++##
++## Allow polipo to connect to all ports > 1023
++##
++##
++gen_tunable(polipo_connect_all_unreserved, false)
++
+attribute polipo_daemon;
+
+type polipo_t, polipo_daemon;
@@ -50205,6 +50300,10 @@ index 0000000..89ab1b6
+
+logging_send_syslog_msg(polipo_t)
+
++tunable_policy(`polipo_connect_all_unreserved',`
++ corenet_tcp_connect_all_unreserved_ports(polipo_t)
++')
++
+tunable_policy(`polipo_use_cifs',`
+ fs_manage_cifs_files(polipo_t)
+')
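Review bot: The `polipo_connect_all_unreserved` block calls only `corenet_tcp_connect_all_unreserved_ports(polipo_t)`, whereas the zabbix policy in this same patch pairs that call with `corenet_tcp_connect_all_ephemeral_ports` under `zabbix_can_network`. If ephemeral ports carry a separate label in this policy version, the tunable's description "all ports > 1023" overstates what is granted. Either add the ephemeral call or narrow the description to match. The hunk does not show which port types the unreserved attribute covers, so this needs checking against the corenetwork module.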
@@ -64094,7 +64193,7 @@ index 4966c94..cb2e1a3 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..351ed06 100644
+index 130ced9..69aedbf 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -64332,12 +64431,14 @@ index 130ced9..351ed06 100644
')
allow $2 self:shm create_shm_perms;
-@@ -456,11 +495,18 @@ template(`xserver_user_x_domain_template',`
+@@ -456,11 +495,20 @@ template(`xserver_user_x_domain_template',`
allow $2 xauth_home_t:file read_file_perms;
allow $2 iceauth_home_t:file read_file_perms;
+ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".DCOP")
+ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority")
++ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority-c")
++ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority-n")
+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority")
+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".xauth")
+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors")
@@ -64353,7 +64454,7 @@ index 130ced9..351ed06 100644
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -472,20 +518,26 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +520,26 @@ template(`xserver_user_x_domain_template',`
# for .xsession-errors
userdom_dontaudit_write_user_home_content_files($2)
@@ -64382,7 +64483,7 @@ index 130ced9..351ed06 100644
')
########################################
-@@ -517,6 +569,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +571,7 @@ interface(`xserver_use_user_fonts',`
# Read per user fonts
allow $1 user_fonts_t:dir list_dir_perms;
allow $1 user_fonts_t:file read_file_perms;
@@ -64390,7 +64491,7 @@ index 130ced9..351ed06 100644
# Manipulate the global font cache
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -549,6 +602,24 @@ interface(`xserver_domtrans_xauth',`
+@@ -549,6 +604,24 @@ interface(`xserver_domtrans_xauth',`
########################################
##
@@ -64415,7 +64516,7 @@ index 130ced9..351ed06 100644
## Create a Xauthority file in the user home directory.
##
##
-@@ -598,6 +669,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +671,7 @@ interface(`xserver_read_user_xauth',`
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -64423,7 +64524,7 @@ index 130ced9..351ed06 100644
')
########################################
-@@ -615,7 +687,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +689,7 @@ interface(`xserver_setattr_console_pipes',`
type xconsole_device_t;
')
@@ -64432,7 +64533,7 @@ index 130ced9..351ed06 100644
')
########################################
-@@ -638,6 +710,25 @@ interface(`xserver_rw_console',`
+@@ -638,6 +712,25 @@ interface(`xserver_rw_console',`
########################################
##
@@ -64458,7 +64559,7 @@ index 130ced9..351ed06 100644
## Use file descriptors for xdm.
##
##
-@@ -651,7 +742,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +744,7 @@ interface(`xserver_use_xdm_fds',`
type xdm_t;
')
@@ -64467,7 +64568,7 @@ index 130ced9..351ed06 100644
')
########################################
-@@ -670,7 +761,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +763,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
type xdm_t;
')
@@ -64476,7 +64577,7 @@ index 130ced9..351ed06 100644
')
########################################
-@@ -688,7 +779,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +781,7 @@ interface(`xserver_rw_xdm_pipes',`
type xdm_t;
')
@@ -64485,7 +64586,7 @@ index 130ced9..351ed06 100644
')
########################################
-@@ -703,12 +794,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +796,11 @@ interface(`xserver_rw_xdm_pipes',`
##
#
interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -64499,7 +64600,7 @@ index 130ced9..351ed06 100644
')
########################################
-@@ -724,11 +814,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -724,11 +816,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -64533,7 +64634,7 @@ index 130ced9..351ed06 100644
')
########################################
-@@ -752,6 +862,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -752,6 +864,25 @@ interface(`xserver_read_xdm_rw_config',`
########################################
##
@@ -64559,7 +64660,7 @@ index 130ced9..351ed06 100644
## Set the attributes of XDM temporary directories.
##
##
-@@ -765,7 +894,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +896,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@@ -64568,7 +64669,7 @@ index 130ced9..351ed06 100644
')
########################################
-@@ -805,7 +934,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +936,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -64596,7 +64697,7 @@ index 130ced9..351ed06 100644
')
########################################
-@@ -828,6 +976,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -828,6 +978,24 @@ interface(`xserver_read_xdm_lib_files',`
########################################
##
@@ -64621,7 +64722,7 @@ index 130ced9..351ed06 100644
## Make an X session script an entrypoint for the specified domain.
##
##
-@@ -897,7 +1063,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1065,7 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -64630,7 +64731,7 @@ index 130ced9..351ed06 100644
')
########################################
-@@ -916,7 +1082,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1084,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -64639,7 +64740,7 @@ index 130ced9..351ed06 100644
')
########################################
-@@ -963,6 +1129,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1131,45 @@ interface(`xserver_read_xkb_libs',`
########################################
##
@@ -64685,7 +64786,7 @@ index 130ced9..351ed06 100644
## Read xdm temporary files.
##
##
-@@ -976,7 +1181,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1183,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -64694,7 +64795,7 @@ index 130ced9..351ed06 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1038,6 +1243,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1245,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
##
@@ -64737,7 +64838,7 @@ index 130ced9..351ed06 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
##
-@@ -1052,7 +1293,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1295,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -64746,7 +64847,7 @@ index 130ced9..351ed06 100644
')
########################################
-@@ -1070,8 +1311,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1313,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -64758,7 +64859,7 @@ index 130ced9..351ed06 100644
')
########################################
-@@ -1185,6 +1428,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1430,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -64785,7 +64886,7 @@ index 130ced9..351ed06 100644
')
########################################
-@@ -1210,7 +1473,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1475,7 @@ interface(`xserver_read_tmp_files',`
##
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -64794,7 +64895,7 @@ index 130ced9..351ed06 100644
##
##
##
-@@ -1220,13 +1483,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1485,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -64819,7 +64920,7 @@ index 130ced9..351ed06 100644
')
########################################
-@@ -1243,10 +1516,458 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1518,458 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -66510,7 +66611,7 @@ index c9981d1..d0931f9 100644
corenet_sendrecv_zabbix_agent_client_packets($1)
diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
-index 7f88f5f..4d704e8 100644
+index 7f88f5f..7d8a06e 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
@@ -5,6 +5,13 @@ policy_module(zabbix, 1.3.1)
@@ -66568,7 +66669,7 @@ index 7f88f5f..4d704e8 100644
# shared memory
rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file)
-@@ -58,25 +75,53 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+@@ -58,25 +75,55 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
@@ -66580,8 +66681,10 @@ index 7f88f5f..4d704e8 100644
+
corenet_tcp_bind_generic_node(zabbix_t)
corenet_tcp_bind_zabbix_port(zabbix_t)
-+#needed by zabbix-server-mysql
++# needed by zabbix-server-mysql
+corenet_tcp_connect_http_port(zabbix_t)
++# to monitor ftp urls
++corenet_tcp_connect_ftp_port(zabbix_t)
+
+dev_read_urand(zabbix_t)
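Review bot: `corenet_tcp_connect_ftp_port(zabbix_t)` is granted unconditionally, but it covers only the FTP control port. A data connection to a high port would, as far as the visible rules show, still depend on the `zabbix_can_network` boolean in the next hunk. The comment should state that limit, e.g. `# to monitor ftp urls (control connection only; data connections need zabbix_can_network)`. Alternatively, move the call under the boolean if full FTP checks are the goal. Whether zabbix's FTP check opens a data channel at all is not visible here.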
@@ -66597,8 +66700,8 @@ index 7f88f5f..4d704e8 100644
zabbix_agent_tcp_connect(zabbix_t)
+tunable_policy(`zabbix_can_network',`
-+ corenet_tcp_connect_all_unreserved_ports(zabbix_t)
-+ corenet_tcp_connect_all_ephemeral_ports(zabbix_t)
++ corenet_tcp_connect_all_unreserved_ports(zabbix_t)
++ corenet_tcp_connect_all_ephemeral_ports(zabbix_t)
+')
+
optional_policy(`
@@ -66624,7 +66727,7 @@ index 7f88f5f..4d704e8 100644
########################################
#
# zabbix agent local policy
-@@ -134,3 +179,4 @@ sysnet_dns_name_resolve(zabbix_agent_t)
+@@ -134,3 +181,4 @@ sysnet_dns_name_resolve(zabbix_agent_t)
# Network access to zabbix server
zabbix_tcp_connect(zabbix_agent_t)
@@ -71469,10 +71572,10 @@ index 831b909..efe1038 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index b6ec597..8c7803a 100644
+index b6ec597..aea710e 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -5,6 +5,13 @@ policy_module(logging, 1.17.2)
+@@ -5,6 +5,20 @@ policy_module(logging, 1.17.2)
# Declarations
#
@@ -71483,10 +71586,17 @@ index b6ec597..8c7803a 100644
+##
+gen_tunable(logging_syslogd_can_sendmail, false)
+
++##
++##
++## Allow syslogd the ability to read/write terminals
++##
++##
++gen_tunable(logging_syslogd_use_tty, false)
++
attribute logfile;
type auditctl_t;
-@@ -20,6 +27,7 @@ files_security_file(auditd_log_t)
+@@ -20,6 +34,7 @@ files_security_file(auditd_log_t)
files_security_mountpoint(auditd_log_t)
type audit_spool_t;
@@ -71494,7 +71604,7 @@ index b6ec597..8c7803a 100644
files_security_file(audit_spool_t)
files_security_mountpoint(audit_spool_t)
-@@ -64,6 +72,7 @@ files_config_file(syslog_conf_t)
+@@ -64,6 +79,7 @@ files_config_file(syslog_conf_t)
type syslogd_t;
type syslogd_exec_t;
init_daemon_domain(syslogd_t, syslogd_exec_t)
@@ -71502,7 +71612,7 @@ index b6ec597..8c7803a 100644
type syslogd_initrc_exec_t;
init_script_file(syslogd_initrc_exec_t)
-@@ -111,7 +120,7 @@ domain_use_interactive_fds(auditctl_t)
+@@ -111,7 +127,7 @@ domain_use_interactive_fds(auditctl_t)
mls_file_read_all_levels(auditctl_t)
@@ -71511,7 +71621,7 @@ index b6ec597..8c7803a 100644
init_dontaudit_use_fds(auditctl_t)
-@@ -183,16 +192,19 @@ logging_send_syslog_msg(auditd_t)
+@@ -183,16 +199,19 @@ logging_send_syslog_msg(auditd_t)
logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t)
@@ -71532,7 +71642,7 @@ index b6ec597..8c7803a 100644
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_user_home_dirs(auditd_t)
-@@ -237,10 +249,17 @@ corecmd_exec_shell(audisp_t)
+@@ -237,10 +256,17 @@ corecmd_exec_shell(audisp_t)
domain_use_interactive_fds(audisp_t)
@@ -71550,7 +71660,7 @@ index b6ec597..8c7803a 100644
logging_send_syslog_msg(audisp_t)
-@@ -250,6 +269,10 @@ sysnet_dns_name_resolve(audisp_t)
+@@ -250,6 +276,10 @@ sysnet_dns_name_resolve(audisp_t)
optional_policy(`
dbus_system_bus_client(audisp_t)
@@ -71561,7 +71671,7 @@ index b6ec597..8c7803a 100644
')
########################################
-@@ -280,11 +303,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -280,11 +310,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
files_read_etc_files(audisp_remote_t)
@@ -71582,7 +71692,7 @@ index b6ec597..8c7803a 100644
sysnet_dns_name_resolve(audisp_remote_t)
########################################
-@@ -354,11 +386,12 @@ optional_policy(`
+@@ -354,11 +393,12 @@ optional_policy(`
# chown fsetid for syslog-ng
# sys_admin for the integrated klog of syslog-ng and metalog
# cjp: why net_admin!
@@ -71597,7 +71707,7 @@ index b6ec597..8c7803a 100644
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -376,6 +409,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+@@ -376,6 +416,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
# create/append log files.
manage_files_pattern(syslogd_t, var_log_t, var_log_t)
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
@@ -71605,7 +71715,7 @@ index b6ec597..8c7803a 100644
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
-@@ -385,9 +419,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -385,9 +426,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@@ -71621,10 +71731,15 @@ index b6ec597..8c7803a 100644
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -426,9 +466,18 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -426,9 +473,23 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
++tunable_policy(`logging_syslogd_use_tty',`
++ term_use_all_ttys(syslogd_t)
++ term_use_all_ptys(syslogd_t)
++')
++
+tunable_policy(`logging_syslogd_can_sendmail',`
+ # support for ommail module to send logs via mail
+ corenet_tcp_connect_smtp_port(syslogd_t)
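Review bot: `term_use_all_ttys(syslogd_t)` and `term_use_all_ptys(syslogd_t)` grant read as well as write on every tty and pty, including users' interactive sessions, which is more than a log daemon needs to print messages on a terminal. The surrounding policy already uses write-only interfaces for terminal output (`term_write_console`, `term_write_unallocated_ttys`), so I would check whether write-only access covers the use case before allowing read. Keeping the boolean off by default is the right choice. The description of `logging_syslogd_use_tty` in the Declarations hunk should say which syslog output needs it and that it covers all ttys and ptys, so an administrator knows what enabling it exposes.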
@@ -71640,7 +71755,7 @@ index b6ec597..8c7803a 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
-@@ -448,6 +497,7 @@ term_write_console(syslogd_t)
+@@ -448,6 +509,7 @@ term_write_console(syslogd_t)
# Allow syslog to a terminal
term_write_unallocated_ttys(syslogd_t)
@@ -71648,7 +71763,7 @@ index b6ec597..8c7803a 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -459,6 +509,7 @@ init_use_fds(syslogd_t)
+@@ -459,6 +521,7 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -71656,7 +71771,7 @@ index b6ec597..8c7803a 100644
miscfiles_read_localization(syslogd_t)
-@@ -496,11 +547,20 @@ optional_policy(`
+@@ -496,11 +559,20 @@ optional_policy(`
')
optional_policy(`
@@ -75356,7 +75471,7 @@ index 0000000..1688a39
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..9e08125
+index 0000000..567c78c
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,381 @@
@@ -75420,7 +75535,7 @@ index 0000000..9e08125
+#
+
+# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
-+allow systemd_logind_t self:capability { chown dac_override fowner };
++allow systemd_logind_t self:capability { chown dac_override fowner sys_tty_config };
+allow systemd_logind_t self:process getcap;
+allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
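Review bot: The comment above the capability rule still explains only `dac_override`, so the newly added `sys_tty_config` has no stated reason in the policy itself. The changelog entry in this commit says the change lets systemd-logind switch VTs, and I would record that next to the rule, e.g. `# sys_tty_config is for switching VTs`. Justifying each capability inline makes it easier to audit the domain later and to drop capabilities that are no longer needed.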
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3265b0a..433db05 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 74%{?dist}
+Release: 75%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,17 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Feb 1 2012 Miroslav Grepl 3.10.0-75
+- Add logging_syslogd_use_tty boolea
+- Add polipo_connect_all_unreserved bolean
+- Allow zabbix to connect to ftp port
+- Allow systemd-logind to be able to switch VTs
+- Allow apache to communicate with memcached through a sock_file
+- Allow denyhosts to use fifo files and exec shell
+- Allow sandbox_nacl to setsched on its process
+- Allow chrome_sandbox_t to send all signals to sandbox_nacl_t
+- Allow cupsd_lpd_t to connect to the printer port
+
* Thu Jan 26 2012 Miroslav Grepl 3.10.0-74
- Add httpd_can_connect_zabbix boolean
- apcupsd_t needs to use seriel ports connected to usb devices