diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index c0669db..794c40f 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -24505,7 +24505,7 @@ index 5fc0391..d6519a1 100644
+ xserver_rw_xdm_pipes(ssh_agent_type)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index d1f64a0..2ef633d 100644
+index d1f64a0..7acda6c 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@@ -24611,12 +24611,13 @@ index d1f64a0..2ef633d 100644
/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -92,25 +130,49 @@ ifndef(`distro_debian',`
+@@ -92,25 +130,50 @@ ifndef(`distro_debian',`
/var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/lib/lightdm-data(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
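Review bot: The new `/var/lib/lightdm-data(/.*)?` entry labels the whole tree xdm_var_lib_t, the same type as the display manager's own state, so every domain that already manages xdm_var_lib_t content gains identical access to whatever lightdm keeps there. If this directory holds per-user data, as the name suggests, a short comment above the entry stating why it is treated as display-manager state (or a dedicated type) would make the choice reviewable; the hunk itself does not show what the directory contains. The neighbouring `/var/lib/lightdm(/.*)?` pattern does not match this path because `(/.*)?` requires a slash or end of string, so a separate entry is indeed needed for labeling.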
@@ -26298,7 +26299,7 @@ index 6bf0ecc..0d55916 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..173a535 100644
+index 2696452..8834d25 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@@ -26549,7 +26550,7 @@ index 2696452..173a535 100644
')
########################################
-@@ -247,48 +321,89 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -247,48 +321,90 @@ tunable_policy(`use_samba_home_dirs',`
# Xauth local policy
#
@@ -26612,6 +26613,7 @@ index 2696452..173a535 100644
+userdom_use_inherited_user_terminals(xauth_t)
userdom_read_user_tmp_files(xauth_t)
+userdom_read_all_users_state(xauth_t)
++userdom_search_user_home_dirs(xauth_t)
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority")
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-l")
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-c")
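Review bot: The rule added at `++userdom_search_user_home_dirs(xauth_t)` grants search on user home directories, while the 3.12.1-149 changelog entry in this same commit says xauth_t is allowed to read user_home_dir_t lnk_file; unless this tree's userdom_search_user_home_dirs() also carries the lnk_file read rule, the rule and its description do not match. Please either confirm the interface covers lnk_file reads or use the interface that does, and adjust the changelog wording so the granted access is documented accurately. The xauth local policy block continues outside this hunk.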
@@ -26650,7 +26652,7 @@ index 2696452..173a535 100644
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -299,64 +414,109 @@ optional_policy(`
+@@ -299,64 +415,109 @@ optional_policy(`
# XDM Local policy
#
@@ -26770,7 +26772,7 @@ index 2696452..173a535 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +525,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +526,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -26803,7 +26805,7 @@ index 2696452..173a535 100644
corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +558,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +559,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -26857,7 +26859,7 @@ index 2696452..173a535 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -430,9 +611,28 @@ files_list_mnt(xdm_t)
+@@ -430,9 +612,28 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -26886,7 +26888,7 @@ index 2696452..173a535 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +641,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +642,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -26935,7 +26937,7 @@ index 2696452..173a535 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +688,149 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +689,149 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -27091,7 +27093,7 @@ index 2696452..173a535 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,11 +844,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +845,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -27118,7 +27120,7 @@ index 2696452..173a535 100644
')
optional_policy(`
-@@ -514,12 +871,57 @@ optional_policy(`
+@@ -514,12 +872,57 @@ optional_policy(`
')
optional_policy(`
@@ -27176,7 +27178,7 @@ index 2696452..173a535 100644
hostname_exec(xdm_t)
')
-@@ -537,28 +939,78 @@ optional_policy(`
+@@ -537,28 +940,78 @@ optional_policy(`
')
optional_policy(`
@@ -27264,7 +27266,7 @@ index 2696452..173a535 100644
')
optional_policy(`
-@@ -570,6 +1022,14 @@ optional_policy(`
+@@ -570,6 +1023,14 @@ optional_policy(`
')
optional_policy(`
@@ -27279,7 +27281,7 @@ index 2696452..173a535 100644
xfs_stream_connect(xdm_t)
')
-@@ -584,7 +1044,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -584,7 +1045,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -27288,7 +27290,7 @@ index 2696452..173a535 100644
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -594,8 +1054,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +1055,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -27301,7 +27303,7 @@ index 2696452..173a535 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +1071,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +1072,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -27317,7 +27319,7 @@ index 2696452..173a535 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +1087,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +1088,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -27328,7 +27330,7 @@ index 2696452..173a535 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +1102,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +1103,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -27350,7 +27352,7 @@ index 2696452..173a535 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1122,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1123,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -27364,7 +27366,7 @@ index 2696452..173a535 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1148,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1149,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -27396,7 +27398,7 @@ index 2696452..173a535 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,7 +1180,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1181,16 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -27414,7 +27416,7 @@ index 2696452..173a535 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -708,20 +1203,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1204,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -27438,7 +27440,7 @@ index 2696452..173a535 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1222,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1223,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -27447,7 +27449,7 @@ index 2696452..173a535 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1266,44 @@ optional_policy(`
+@@ -775,16 +1267,44 @@ optional_policy(`
')
optional_policy(`
@@ -27493,7 +27495,7 @@ index 2696452..173a535 100644
unconfined_domtrans(xserver_t)
')
-@@ -793,6 +1312,10 @@ optional_policy(`
+@@ -793,6 +1313,10 @@ optional_policy(`
')
optional_policy(`
@@ -27504,7 +27506,7 @@ index 2696452..173a535 100644
xfs_stream_connect(xserver_t)
')
-@@ -808,10 +1331,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1332,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -27518,7 +27520,7 @@ index 2696452..173a535 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1342,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1343,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -27527,7 +27529,7 @@ index 2696452..173a535 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -832,26 +1355,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1356,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -27562,7 +27564,7 @@ index 2696452..173a535 100644
')
optional_policy(`
-@@ -902,7 +1420,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1421,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -27571,7 +27573,7 @@ index 2696452..173a535 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1474,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1475,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -27603,7 +27605,7 @@ index 2696452..173a535 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -982,18 +1520,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1521,150 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index e95d9b2..0e66a58 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -1,8 +1,8 @@
diff --git a/abrt.fc b/abrt.fc
-index e4f84de..439ee6d 100644
+index e4f84de..6098f52 100644
--- a/abrt.fc
+++ b/abrt.fc
-@@ -1,30 +1,44 @@
+@@ -1,30 +1,46 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
@@ -40,27 +40,29 @@ index e4f84de..439ee6d 100644
+/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
-
--/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
--/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
--/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
--/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
++
+/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/spool/debug(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/spool/rhsm/debug(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/tmp/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
--/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
+-/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+-/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+-/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+-/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+# ABRT retrace server
+/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
+-/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
++/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
++/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
++/var/spool/faf(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+
-/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
-+/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-+/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
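Review bot: `/var/spool/faf(/.*)?` at the new `++/var/spool/faf` line reuses abrt_retrace_spool_t, so every caller of abrt_manage_spool_retrace() — which this same commit widens to sock_files — also gets manage access to FAF's spool. If FAF runs as a service distinct from the retrace server, a dedicated spool type would keep the two privilege sets separable; if sharing the type is intentional, a comment next to the entry saying so would make that explicit. The remaining movement of the `/var/cache/abrt-retrace` and `/var/spool/abrt-retrace` lines under the `# ABRT retrace server` heading is cosmetic reordering only.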
@@ -70,7 +72,7 @@ index e4f84de..439ee6d 100644
+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/abrt.if b/abrt.if
-index 058d908..a65b9d7 100644
+index 058d908..cf17e67 100644
--- a/abrt.if
+++ b/abrt.if
@@ -1,4 +1,26 @@
@@ -375,7 +377,7 @@ index 058d908..a65b9d7 100644
##
##
##
-@@ -288,39 +425,173 @@ interface(`abrt_manage_pid_files',`
+@@ -288,39 +425,174 @@ interface(`abrt_manage_pid_files',`
##
##
##
@@ -475,6 +477,7 @@ index 058d908..a65b9d7 100644
+ manage_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ manage_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ manage_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
++ manage_sock_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+')
+
+#####################################
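Review bot: The interface that the new `manage_sock_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)` line extends starts outside this hunk, so its XML summary cannot be checked here; if that summary enumerates files, dirs and lnk_files, it should now also mention sock_files so the documented contract matches the granted access. abrt.fc in this commit has no `-s` entries for abrt_retrace_spool_t, so socket files only receive this type when created under an already-labeled spool directory, which is fine if the server creates them at runtime but is worth confirming.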
@@ -10850,7 +10853,7 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index 2354e21..5d02854 100644
+index 2354e21..b2b0a2f 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -10935,7 +10938,7 @@ index 2354e21..5d02854 100644
')
optional_policy(`
-@@ -92,11 +108,47 @@ optional_policy(`
+@@ -92,11 +108,51 @@ optional_policy(`
')
optional_policy(`
@@ -10946,6 +10949,10 @@ index 2354e21..5d02854 100644
+')
+
+optional_policy(`
++ ipa_manage_lib(certmonger_t)
++')
++
++optional_policy(`
kerberos_use(certmonger_t)
+ kerberos_read_keytab(certmonger_t)
')
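Review bot: `ipa_manage_lib(certmonger_t)` grants create, rename, unlink and write on every file and directory labeled ipa_var_lib_t, which is wider than a certificate renewal helper usually needs. If certmonger only reads or rewrites specific files under /var/lib/ipa, a read or rw-files interface would be the least-privilege choice; if full manage is really required, a comment stating which helper needs it, e.g. `# <helper> writes <which files> under /var/lib/ipa`, keeps the grant auditable. The optional_policy wrapper is consistent with the kerberos block that follows.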
@@ -11430,10 +11437,10 @@ index 0000000..23407b8
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..748f5d5
+index 0000000..fb60ffc
--- /dev/null
+++ b/chrome.te
-@@ -0,0 +1,247 @@
+@@ -0,0 +1,248 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -11562,6 +11569,7 @@ index 0000000..748f5d5
+userdom_manage_home_certs(chrome_sandbox_t)
+
+optional_policy(`
++ gnome_exec_config_home_files(chrome_sandbox_t)
+ gnome_read_generic_cache_files(chrome_sandbox_t)
+ gnome_rw_inherited_config(chrome_sandbox_t)
+ gnome_read_home_config(chrome_sandbox_t)
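Review bot: `gnome_exec_config_home_files(chrome_sandbox_t)` lets the sandbox domain execute files labeled config_home_t, which is user-writable ~/.config content, so it loosens the containment the sandbox type exists to provide. Add a comment naming the component that must be executed from there so the exception is auditable, e.g. `# <component> is executed from ~/.config by the sandbox`; the changelog entry only restates the rule without the reason. The enclosing optional_policy block begins before this hunk.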
@@ -28754,7 +28762,7 @@ index e39de43..6a6db28 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index d03fd43..a41306b 100644
+index d03fd43..af9415c 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,123 +1,157 @@
@@ -29817,7 +29825,7 @@ index d03fd43..a41306b 100644
##
##
##
-@@ -704,12 +778,948 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -704,12 +778,966 @@ interface(`gnome_stream_connect_gkeyringd',`
##
##
#
@@ -30374,6 +30382,24 @@ index d03fd43..a41306b 100644
+ can_exec($1, gstreamer_home_t)
+')
+
++######################################
++##
++## Allow to execute config home content files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_exec_config_home_files',`
++ gen_require(`
++ type config_home_t;
++ ')
++
++ can_exec($1, config_home_t)
++')
++
+#######################################
+##
+## file name transition gstreamer home content files.
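Review bot: The new interface's summary `## Allow to execute config home content files.` is ungrammatical and does not name whose config home is meant; refpolicy summaries state the subject, e.g. `## Execute gnome config home content files.` Because config_home_t is user-writable content, the description could also note that can_exec on it should be granted sparingly. The body otherwise mirrors the gstreamer interface directly above it.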
@@ -33326,20 +33352,22 @@ index 94ec5f8..6cbbf7d 100644
diff --git a/ipa.fc b/ipa.fc
new file mode 100644
-index 0000000..9278f85
+index 0000000..48d7322
--- /dev/null
+++ b/ipa.fc
-@@ -0,0 +1,4 @@
+@@ -0,0 +1,6 @@
+/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
+
+/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
+
++/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0)
++
diff --git a/ipa.if b/ipa.if
new file mode 100644
-index 0000000..70c67d3
+index 0000000..d028154
--- /dev/null
+++ b/ipa.if
-@@ -0,0 +1,38 @@
+@@ -0,0 +1,57 @@
+## Policy for IPA services.
+
+########################################
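Review bot: Labeling `/var/lib/ipa(/.*)?` as ipa_var_lib_t changes what every domain that previously reached this tree as generic var_lib_t may do; only certmonger receives the new type in this commit, so any other IPA component that touches /var/lib/ipa would be denied until its policy gains an ipa_* interface. Worth confirming which domains use that directory on an installed server before the relabel ships, and noting the answer in the ipa.te header. The ipa.if portion of this hunk only updates the blob id and line count.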
@@ -33378,12 +33406,31 @@ index 0000000..70c67d3
+ allow $1 ipa_otpd_t:unix_stream_socket connectto;
+')
+
++########################################
++##
++## Allow domain to manage ipa lib files/dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipa_manage_lib',`
++ gen_require(`
++ type ipa_var_lib_t;
++ ')
++
++ manage_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
++ manage_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
++')
++
diff --git a/ipa.te b/ipa.te
new file mode 100644
-index 0000000..0fd2678
+index 0000000..b60bc5f
--- /dev/null
+++ b/ipa.te
-@@ -0,0 +1,40 @@
+@@ -0,0 +1,43 @@
+policy_module(ipa, 1.0.0)
+
+########################################
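Review bot: `ipa_manage_lib` grants manage on ipa_var_lib_t files and dirs but never calls `files_search_var_lib($1)`, so a caller that lacks search on /var/lib cannot reach the objects it was just given access to; the usual refpolicy shape for a manage-lib interface adds that line after the patterns. Suggest appending `files_search_var_lib($1)` and listing the dirs pattern before the files pattern to match convention. The interface is complete within this hunk.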
@@ -33400,6 +33447,9 @@ index 0000000..0fd2678
+type ipa_otpd_unit_file_t;
+systemd_unit_file(ipa_otpd_unit_file_t)
+
++type ipa_var_lib_t;
++files_type(ipa_var_lib_t)
++
+########################################
+#
+# ipa_otpd local policy
@@ -44471,7 +44521,7 @@ index 6194b80..cafb2b0 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..f238761 100644
+index 6a306ee..e76899c 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -44917,7 +44967,7 @@ index 6a306ee..f238761 100644
')
optional_policy(`
-@@ -300,259 +326,247 @@ optional_policy(`
+@@ -300,259 +326,250 @@ optional_policy(`
########################################
#
@@ -45198,8 +45248,11 @@ index 6a306ee..f238761 100644
userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
+userdom_manage_user_tmp_sockets(mozilla_plugin_t)
+userdom_manage_user_tmp_dirs(mozilla_plugin_t)
++userdom_manage_tmpfs_files(mozilla_plugin_t)
+userdom_rw_inherited_user_tmp_files(mozilla_plugin_t)
++userdom_rw_inherited_user_tmpfs_files(mozilla_plugin_t)
+userdom_delete_user_tmp_files(mozilla_plugin_t)
++userdom_delete_user_tmpfs_files(mozilla_plugin_t)
+userdom_rw_inherited_user_home_sock_files(mozilla_plugin_t)
+userdom_manage_home_certs(mozilla_plugin_t)
+userdom_read_user_tmp_symlinks(mozilla_plugin_t)
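Review bot: `++userdom_manage_tmpfs_files(mozilla_plugin_t)` already grants read, write and unlink on the tmpfs files it covers, so if it targets the same type as the two other added lines, `userdom_rw_inherited_user_tmpfs_files` and `userdom_delete_user_tmpfs_files` are redundant with it; if the types differ, the name without `_user_` is inconsistent with its neighbours and worth a second look. This mozilla_plugin change is also absent from the 3.12.1-149 changelog entry, which lists every other functional change in the commit. The enclosing block continues outside the hunk.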
@@ -45312,7 +45365,7 @@ index 6a306ee..f238761 100644
')
optional_policy(`
-@@ -560,7 +574,11 @@ optional_policy(`
+@@ -560,7 +577,11 @@ optional_policy(`
')
optional_policy(`
@@ -45325,7 +45378,7 @@ index 6a306ee..f238761 100644
')
optional_policy(`
-@@ -568,108 +586,131 @@ optional_policy(`
+@@ -568,108 +589,131 @@ optional_policy(`
')
optional_policy(`
@@ -59657,10 +59710,10 @@ index 0000000..ba24b40
+
diff --git a/pcp.te b/pcp.te
new file mode 100644
-index 0000000..d3152d5
+index 0000000..b756da3
--- /dev/null
+++ b/pcp.te
-@@ -0,0 +1,254 @@
+@@ -0,0 +1,277 @@
+policy_module(pcp, 1.0.0)
+
+########################################
@@ -59761,11 +59814,14 @@ index 0000000..d3152d5
+kernel_read_state(pcp_pmcd_t)
+kernel_read_fs_sysctls(pcp_pmcd_t)
+kernel_read_rpc_sysctls(pcp_pmcd_t)
++kernel_read_debugfs(pcp_pmcd_t)
+
+corecmd_exec_bin(pcp_pmcd_t)
+
+corenet_tcp_bind_amqp_port(pcp_pmcd_t)
+corenet_tcp_connect_amqp_port(pcp_pmcd_t)
++corenet_tcp_connect_http_port(pcp_pmcd_t)
++corenet_tcp_connect_all_ephemeral_ports(pcp_pmcd_t)
+
+domain_read_all_domains_state(pcp_pmcd_t)
+domain_getattr_all_domains(pcp_pmcd_t)
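Review bot: `corenet_tcp_connect_all_ephemeral_ports(pcp_pmcd_t)` lets the collector initiate TCP connections to any ephemeral port on any host, and `kernel_read_debugfs(pcp_pmcd_t)` exposes kernel debug interfaces; neither line says which PMDA or metric source needs it. A one-line why-comment on each, e.g. `# <PMDA> connects to <service> on ephemeral ports`, or a tunable guarding the network rule would keep pcp_pmcd_t from becoming a general-purpose client domain. The http_port connect raises the same question but is at least bounded to one port.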
@@ -59780,10 +59836,14 @@ index 0000000..d3152d5
+fs_list_cgroup_dirs(pcp_pmcd_t)
+fs_read_cgroup_files(pcp_pmcd_t)
+
++hostname_exec(pcp_pmcd_t)
++
+init_read_utmp(pcp_pmcd_t)
+
+logging_send_syslog_msg(pcp_pmcd_t)
+
++sendmail_read_log(pcp_pmcd_t)
++
+storage_getattr_fixed_disk_dev(pcp_pmcd_t)
+
+userdom_read_user_tmp_files(pcp_pmcd_t)
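Review bot: `sendmail_read_log(pcp_pmcd_t)` and `hostname_exec(pcp_pmcd_t)` are called unconditionally, while the mta, rpm and rpcbind calls added in the next hunk are wrapped in optional_policy; sendmail is a separate contrib module, so an unconditional call fails the build when that module is not present. Wrap each in its own optional_policy block, as xserver.te does for `hostname_exec(xdm_t)` earlier in this diff. The pcp_pmcd local policy block extends beyond this hunk.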
@@ -59805,6 +59865,22 @@ index 0000000..d3152d5
+ unconfined_domain(pcp_pmcd_t)
+')
+
++optional_policy(`
++ rpm_read_db(pcp_pmcd_t)
++')
++
++optional_policy(`
++ rpcbind_stream_connect(pcp_pmcd_t)
++')
++
++optional_policy(`
++ pcp_pmie_exec(pcp_pmcd_t)
++')
++
++optional_policy(`
++ mta_read_config(pcp_pmcd_t)
++')
++
+########################################
+#
+# pcp_pmproxy local policy
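Review bot: `pcp_pmie_exec(pcp_pmcd_t)` is wrapped in optional_policy although, if it is defined in this module's pcp.if, it is always available and the wrapper is unnecessary; the rpm, rpcbind and mta blocks are correctly conditional. Drop the optional_policy around the pcp_pmie_exec call, or add a comment if the wrapper is deliberate. `rpm_read_db(pcp_pmcd_t)` exposes installed-package metadata and would benefit from a why-comment naming the PMDA that reads it.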
@@ -60149,7 +60225,7 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..4461b33 100644
+index 7bcf327..6c3afa0 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,17 +1,16 @@
@@ -60648,11 +60724,12 @@ index 7bcf327..4461b33 100644
')
optional_policy(`
-@@ -180,6 +493,7 @@ optional_policy(`
+@@ -180,6 +493,8 @@ optional_policy(`
')
optional_policy(`
+ virt_getattr_images(pegasus_t)
++ virt_getattr_content(pegasus_t)
virt_domtrans(pegasus_t)
virt_stream_connect(pegasus_t)
virt_manage_config(pegasus_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 291ab2f..9478949 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 148%{?dist}
+Release: 149%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,17 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Mar 31 2014 Lukas Vrabec 3.12.1-149
+- Allow xauth_t to read user_home_dir_t lnk_file
+- Add labeling for lightdm-data
+- Allow certmonger to manage ipa lib files
+- Add support for /var/lib/ipa
+- Allow pegasus to getattr virt_content
+- Added some new rules to pcp policy
+- Fix abrt_manage_spool_retrace()
+- Allow chrome_sandbox to execute config_home_t
+- Add support for ABRT FAF
+
* Fri Mar 28 2014 Miroslav Grepl 3.12.1-148
- Allow kdm to send signull to remote_login_t process
- Add gear policy