diff --git a/policy-F16.patch b/policy-F16.patch index ca71a31..b1d4625 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1858,7 +1858,7 @@ index c6ca761..46e0767 100644 ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index e0791b9..373882d 100644 +index e0791b9..9f49d01 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -48,6 +48,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) @@ -1933,7 +1933,18 @@ index e0791b9..373882d 100644 pcmcia_use_cardmgr_fds(ping_t) ') -@@ -194,6 +213,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) +@@ -157,6 +176,10 @@ optional_policy(` + hotplug_use_fds(ping_t) + ') + ++optional_policy(` ++ zabbix_read_tmp(ping_t) ++') ++ + ######################################## + # + # Traceroute local policy +@@ -194,6 +217,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) @@ -1941,7 +1952,7 @@ index e0791b9..373882d 100644 files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) -@@ -204,9 +224,16 @@ logging_send_syslog_msg(traceroute_t) +@@ -204,9 +228,16 @@ logging_send_syslog_msg(traceroute_t) miscfiles_read_localization(traceroute_t) @@ -5134,10 +5145,10 @@ index 0000000..2bd5790 +') diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te new file mode 100644 -index 0000000..86b640d +index 0000000..175de9d --- /dev/null +++ b/policy/modules/apps/firewallgui.te -@@ -0,0 +1,72 @@ +@@ -0,0 +1,74 @@ +policy_module(firewallgui,1.0.0) + +######################################## @@ -5187,6 +5198,8 @@ index 0000000..86b640d + +miscfiles_read_localization(firewallgui_t) + ++seutil_read_config(firewallgui_t) ++ +userdom_dontaudit_search_user_home_dirs(firewallgui_t) + +optional_policy(` @@ -14134,7 +14147,7 @@ index 4f3b542..f4e36ee 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) 
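Review bot: `zabbix_read_tmp(ping_t)` in the netutils.te hunk of outer hunk `@@ -1933,7 +1933,18 @@` gives the ping domain read access to zabbix's temporary files with nothing in the hunk saying why, and ping_t is reachable from ordinary user domains through the ping binary, so the new rule is effectively a read path into zabbix_tmp_t for any caller that can run ping. Presumably the zabbix agent invokes ping and hands it a file under its tmp type — worth confirming against the actual denial. A one-line comment above the block, `# zabbix agent runs ping with a temp file argument — confirm`, would record the trigger for the next reader.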
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..9c48de6 100644 +index 99b71cb..630e5e2 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -11,11 +11,15 @@ attribute netif_type; @@ -14337,7 +14350,7 @@ index 99b71cb..9c48de6 100644 network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) -@@ -179,30 +238,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) +@@ -179,34 +238,40 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) network_port(radius, udp,1645,s0, udp,1812,s0) network_port(radsec, tcp,2083,s0) network_port(razor, tcp,2703,s0) @@ -14377,7 +14390,13 @@ index 99b71cb..9c48de6 100644 network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -@@ -215,9 +279,11 @@ network_port(uucpd, tcp,540,s0) +-network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0) ++network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9051,s0) ++network_port(tor_socks, tcp,9050,s0) + network_port(traceroute, udp,64000-64010,s0) + network_port(transproxy, tcp,8081,s0) + network_port(ups, tcp,3493,s0) +@@ -215,9 +280,11 @@ network_port(uucpd, tcp,540,s0) network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -14390,7 +14409,7 @@ index 99b71cb..9c48de6 100644 network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -229,6 +295,7 @@ network_port(zookeeper_client, tcp,2181,s0) +@@ -229,6 +296,7 @@ network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) 
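Review bot: Moving tcp/9050 out of `tor` into the new `tor_socks` port type (corenetwork.te.in lines in outer hunk `@@ -14377,7 +14390,13 @@`) silently changes the meaning of every existing `corenet_*_tor_port` interface call: any domain that relied on those interfaces to reach the SOCKS port will now be denied on 9050, and tor_t itself needs a matching bind rule for the new type. No tor.te change is visible in this chunk, so confirm that one exists elsewhere in the patch; the only consumer shown is `corenet_tcp_connect_tor_socks_port(openvpn_t)` in the openvpn.te hunk. A short comment on the new declaration, `# SOCKS listener split out so clients can be allowed 9050 without the relay and control ports`, would explain the split.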
@@ -14398,7 +14417,7 @@ index 99b71cb..9c48de6 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -238,6 +305,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) +@@ -238,6 +306,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) @@ -14411,7 +14430,7 @@ index 99b71cb..9c48de6 100644 ######################################## # -@@ -282,9 +355,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -282,9 +356,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -18456,7 +18475,7 @@ index ff006ea..b682bcf 100644 + dontaudit $1 file_type:dir_file_class_set write; +') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te -index 22821ff..4e8d594 100644 +index 22821ff..4486d80 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -10,7 +10,9 @@ attribute files_unconfined_type; @@ -18496,7 +18515,7 @@ index 22821ff..4e8d594 100644 # type system_map_t; files_type(system_map_t) -+procs_type(system_map_t) ++kernel_proc_type(system_map_t) genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0) # @@ -19095,10 +19114,18 @@ index 97fcdac..6342520 100644 +') + diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index f125dc2..3c6e827 100644 +index f125dc2..f5e522e 100644 --- a/policy/modules/kernel/filesystem.te 
+++ b/policy/modules/kernel/filesystem.te -@@ -52,6 +52,7 @@ type anon_inodefs_t; +@@ -33,6 +33,7 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0); ++fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0); + + # Use the allocating task SID to label inodes in the following filesystem + # types, and label the filesystem itself with the specified context. +@@ -52,6 +53,7 @@ type anon_inodefs_t; fs_type(anon_inodefs_t) files_mountpoint(anon_inodefs_t) genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0) @@ -19106,7 +19133,7 @@ index f125dc2..3c6e827 100644 type bdev_t; fs_type(bdev_t) -@@ -67,7 +68,7 @@ fs_type(capifs_t) +@@ -67,7 +69,7 @@ fs_type(capifs_t) files_mountpoint(capifs_t) genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) @@ -19115,7 +19142,7 @@ index f125dc2..3c6e827 100644 fs_type(cgroup_t) files_type(cgroup_t) files_mountpoint(cgroup_t) -@@ -96,6 +97,7 @@ type hugetlbfs_t; +@@ -96,6 +98,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); @@ -19123,7 +19150,19 @@ index f125dc2..3c6e827 100644 type ibmasmfs_t; fs_type(ibmasmfs_t) -@@ -175,6 +177,7 @@ fs_type(tmpfs_t) +@@ -144,11 +147,6 @@ fs_type(spufs_t) + genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) + files_mountpoint(spufs_t) + +-type squash_t; +-fs_type(squash_t) +-genfscon squash / gen_context(system_u:object_r:squash_t,s0) +-files_mountpoint(squash_t) +- + type sysv_t; + fs_noxattr_type(sysv_t) + files_mountpoint(sysv_t) +@@ -175,6 +173,7 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) 
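Review bot: `fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);` in the filesystem.te hunk at `@@ -33,6 +33,7 @@` is appended after `xfs`, breaking the alphabetical order the surrounding `fs_use_xattr` lines keep (jffs2, jfs, lustre, xfs); it belongs between `lustre` and `xfs`. The companion hunk at `@@ -144,11 +147,6 @@` removes `squash_t` and its `genfscon squash /` rule; the removed rule used the filesystem name `squash`, which as far as I know does not match the kernel's `squashfs`, so the old type was probably never applied, but any module that still requires `type squash_t` will now fail to build and should be grepped for before merging. Labelling squashfs by xattr also means a mounted image carries whatever labels were packed into it, so images from untrusted sources need a `context=` mount option; a comment noting that assumption next to the new line would help.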
@@ -19131,7 +19170,7 @@ index f125dc2..3c6e827 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -254,6 +257,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -254,6 +253,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -19140,7 +19179,7 @@ index f125dc2..3c6e827 100644 files_mountpoint(removable_t) # -@@ -273,6 +278,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -273,6 +274,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -19149,7 +19188,7 @@ index f125dc2..3c6e827 100644 ######################################## # diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 6346378..4845190 100644 +index 6346378..34c6897 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -345,13 +345,8 @@ interface(`kernel_load_module',` @@ -19364,9 +19403,9 @@ index 6346378..4845190 100644 +## +## +# -+interface(`procs_type',` ++interface(`kernel_proc_type',` + gen_require(` -+ attribute proc_type ++ attribute proc_type; + ') + + typeattribute $1 proc_type; @@ -29922,7 +29961,7 @@ index 1f11572..717fb8d 100644 init_labeled_script_domtrans($1, clamd_initrc_exec_t) diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te -index f758323..4c06224 100644 +index f758323..9f2a358 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -1,9 +1,16 @@ 
@@ -30016,7 +30055,7 @@ index f758323..4c06224 100644 + +optional_policy(` + spamd_stream_connect(clamd_t) -+ spamd_read_pid(clamd_t) ++ spamassassin_read_pid_files(clamd_t) +') + tunable_policy(`clamd_use_jit',` @@ -31266,24 +31305,10 @@ index 0000000..ca71d08 +') + diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te -index 74505cc..246bbf9 100644 +index 74505cc..be3683b 100644 --- a/policy/modules/services/colord.te +++ b/policy/modules/services/colord.te -@@ -5,6 +5,13 @@ policy_module(colord, 1.0.0) - # Declarations - # - -+## -+##

-+## Allow colord domain to connect to the network using TCP. -+##

-+##
-+gen_tunable(colord_can_network_connect, false) -+ - type colord_t; - type colord_exec_t; - dbus_system_domain(colord_t, colord_exec_t) -@@ -23,9 +30,11 @@ files_type(colord_var_lib_t) +@@ -23,9 +23,11 @@ files_type(colord_var_lib_t) # colord local policy # allow colord_t self:capability { dac_read_search dac_override }; @@ -31295,7 +31320,7 @@ index 74505cc..246bbf9 100644 allow colord_t self:udp_socket create_socket_perms; allow colord_t self:unix_dgram_socket create_socket_perms; -@@ -41,8 +50,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) +@@ -41,8 +43,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir }) @@ -31311,7 +31336,7 @@ index 74505cc..246bbf9 100644 corenet_all_recvfrom_unlabeled(colord_t) corenet_all_recvfrom_netlabel(colord_t) -@@ -50,6 +65,8 @@ corenet_udp_bind_generic_node(colord_t) +@@ -50,6 +58,8 @@ corenet_udp_bind_generic_node(colord_t) corenet_udp_bind_ipp_port(colord_t) corenet_tcp_connect_ipp_port(colord_t) @@ -31320,12 +31345,13 @@ index 74505cc..246bbf9 100644 dev_read_video_dev(colord_t) dev_write_video_dev(colord_t) dev_rw_printer(colord_t) -@@ -65,19 +82,36 @@ files_list_mnt(colord_t) +@@ -65,19 +75,33 @@ files_list_mnt(colord_t) files_read_etc_files(colord_t) files_read_usr_files(colord_t) +fs_search_all(colord_t) +fs_getattr_noxattr_fs(colord_t) ++fs_dontaudit_getattr_all_fs(colord_t) +fs_list_noxattr_fs(colord_t) fs_read_noxattr_fs_files(colord_t) @@ -31343,10 +31369,6 @@ index 74505cc..246bbf9 100644 +userdom_rw_user_tmpfs_files(colord_t) + +userdom_home_reader(colord_t) -+ -+tunable_policy(`colord_can_network_connect',` -+ corenet_tcp_connect_all_ports(colord_t) -+') tunable_policy(`use_nfs_home_dirs',` + fs_getattr_nfs(colord_t) 
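Review bot: Deleting `gen_tunable(colord_can_network_connect, false)` together with its `tunable_policy` block (colord.te, outer hunks `@@ -31266,24 +31305,10 @@` and `@@ -31343,10 +31369,6 @@`) removes a boolean rather than deprecating it; if a policy build with this boolean was ever shipped, a persisted `setsebool -P colord_can_network_connect` will break policy loads after the update. If the boolean was never released this is fine, but the commit should say so. The second hunk also adds `fs_dontaudit_getattr_all_fs(colord_t)` directly after `fs_getattr_noxattr_fs(colord_t)`; a dontaudit that wide hides genuine getattr denials on every filesystem type, so a comment naming the noise it silences (`# colord stats mountpoints while scanning — TODO confirm`) would justify keeping it.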
@@ -31358,7 +31380,7 @@ index 74505cc..246bbf9 100644 fs_read_cifs_files(colord_t) ') -@@ -89,6 +123,12 @@ optional_policy(` +@@ -89,6 +113,12 @@ optional_policy(` ') optional_policy(` @@ -31371,7 +31393,7 @@ index 74505cc..246bbf9 100644 policykit_dbus_chat(colord_t) policykit_domtrans_auth(colord_t) policykit_read_lib(colord_t) -@@ -96,5 +136,16 @@ optional_policy(` +@@ -96,5 +126,16 @@ optional_policy(` ') optional_policy(` @@ -32465,7 +32487,7 @@ index 35241ed..7a0913c 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f7583ab..230cbb2 100644 +index f7583ab..a4d25d9 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` @@ -32858,7 +32880,18 @@ index f7583ab..230cbb2 100644 ') optional_policy(` -@@ -480,7 +582,7 @@ optional_policy(` +@@ -472,6 +574,10 @@ optional_policy(` + ') + + optional_policy(` ++ networkmanager_dbus_chat(system_cronjob_t) ++') ++ ++optional_policy(` + postfix_read_config(system_cronjob_t) + ') + +@@ -480,7 +586,7 @@ optional_policy(` prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) @@ -32867,7 +32900,7 @@ index f7583ab..230cbb2 100644 ') optional_policy(` -@@ -495,6 +597,7 @@ optional_policy(` +@@ -495,6 +601,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -32875,7 +32908,7 @@ index f7583ab..230cbb2 100644 ') optional_policy(` -@@ -502,7 +605,13 @@ optional_policy(` +@@ -502,7 +609,13 @@ optional_policy(` ') optional_policy(` 
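Review bot: `networkmanager_dbus_chat(system_cronjob_t)` in the cron.te hunk at `@@ -472,6 +574,10 @@` lets every system cron job exchange D-Bus messages with NetworkManager, which is the SELinux half of being able to drive NetworkManager's API (PolicyKit still applies); granting it unconditionally to the whole system_cronjob_t domain is broader than any single job needs. The job that triggered this is not visible in the hunk; if it is one specific script, a tunable or a dedicated cron domain would keep the remaining jobs at their current privilege. At minimum, add a comment above the block naming the job that needs it.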
@@ -32889,7 +32922,7 @@ index f7583ab..230cbb2 100644 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -595,9 +704,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) +@@ -595,9 +708,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) @@ -34737,7 +34770,7 @@ index 418a5a0..c25fbdc 100644 /var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) /var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if -index f706b99..7cdc0f5 100644 +index f706b99..d41e4fe 100644 --- a/policy/modules/services/devicekit.if +++ b/policy/modules/services/devicekit.if @@ -5,9 +5,9 @@ @@ -34927,7 +34960,7 @@ index f706b99..7cdc0f5 100644 + ') + + files_search_pids($1) -+ rw_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t) ++ manage_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t) + manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t) +') + @@ -36635,7 +36668,7 @@ index e1d7dc5..0557be0 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te -index acf6d4f..194f170 100644 +index acf6d4f..47969fe 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; 
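Review bot: Replacing `rw_dirs_pattern` with `manage_dirs_pattern` on `devicekit_var_run_t` in the devicekit.if hunk (outer hunk `@@ -34927,7 +34960,7 @@`) widens the interface from listing and adding entries to creating and deleting the pid directories themselves, so the interface name and `<summary>` (both outside this hunk) must say "manage" or callers get more than they asked for. Confirm that every existing caller needs create/rmdir on the directory; if only one does, a separate manage-named interface keeps the others narrow.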
@@ -36689,7 +36722,7 @@ index acf6d4f..194f170 100644 files_search_etc(dovecot_t) can_exec(dovecot_t, dovecot_exec_t) -@@ -94,10 +99,11 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) +@@ -94,10 +99,12 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) @@ -36698,11 +36731,12 @@ index acf6d4f..194f170 100644 manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) -files_pid_filetrans(dovecot_t, dovecot_var_run_t, file) -+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file }) ++manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) ++files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file }) kernel_read_kernel_sysctls(dovecot_t) kernel_read_system_state(dovecot_t) -@@ -110,6 +116,7 @@ corenet_tcp_sendrecv_all_ports(dovecot_t) +@@ -110,6 +117,7 @@ corenet_tcp_sendrecv_all_ports(dovecot_t) corenet_tcp_bind_generic_node(dovecot_t) corenet_tcp_bind_mail_port(dovecot_t) corenet_tcp_bind_pop_port(dovecot_t) @@ -36710,7 +36744,7 @@ index acf6d4f..194f170 100644 corenet_tcp_bind_sieve_port(dovecot_t) corenet_tcp_connect_all_ports(dovecot_t) corenet_tcp_connect_postgresql_port(dovecot_t) -@@ -135,6 +142,7 @@ files_dontaudit_list_default(dovecot_t) +@@ -135,6 +143,7 @@ files_dontaudit_list_default(dovecot_t) # Dovecot now has quota support and it uses getmntent() to find the mountpoints. files_read_etc_runtime_files(dovecot_t) files_search_all_mountpoints(dovecot_t) @@ -36718,7 +36752,7 @@ index acf6d4f..194f170 100644 init_getattr_utmp(dovecot_t) -@@ -145,6 +153,7 @@ logging_send_syslog_msg(dovecot_t) +@@ -145,6 +154,7 @@ logging_send_syslog_msg(dovecot_t) miscfiles_read_generic_certs(dovecot_t) miscfiles_read_localization(dovecot_t) 
@@ -36726,7 +36760,7 @@ index acf6d4f..194f170 100644 userdom_dontaudit_use_unpriv_user_fds(dovecot_t) userdom_manage_user_home_content_dirs(dovecot_t) userdom_manage_user_home_content_files(dovecot_t) -@@ -160,6 +169,15 @@ optional_policy(` +@@ -160,6 +170,15 @@ optional_policy(` ') optional_policy(` @@ -36742,7 +36776,7 @@ index acf6d4f..194f170 100644 postgresql_stream_connect(dovecot_t) ') -@@ -180,8 +198,8 @@ optional_policy(` +@@ -180,8 +199,8 @@ optional_policy(` # dovecot auth local policy # @@ -36753,7 +36787,7 @@ index acf6d4f..194f170 100644 allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; -@@ -190,6 +208,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p +@@ -190,6 +209,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) @@ -36763,7 +36797,7 @@ index acf6d4f..194f170 100644 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) -@@ -201,9 +222,12 @@ dovecot_stream_connect_auth(dovecot_auth_t) +@@ -201,9 +223,12 @@ dovecot_stream_connect_auth(dovecot_auth_t) kernel_read_all_sysctls(dovecot_auth_t) kernel_read_system_state(dovecot_auth_t) @@ -36776,7 +36810,7 @@ index acf6d4f..194f170 100644 dev_read_urand(dovecot_auth_t) auth_domtrans_chk_passwd(dovecot_auth_t) -@@ -216,7 +240,8 @@ files_read_usr_files(dovecot_auth_t) +@@ -216,7 +241,8 @@ files_read_usr_files(dovecot_auth_t) files_read_usr_symlinks(dovecot_auth_t) files_read_var_lib_files(dovecot_auth_t) files_search_tmp(dovecot_auth_t) 
@@ -36786,7 +36820,7 @@ index acf6d4f..194f170 100644 init_rw_utmp(dovecot_auth_t) -@@ -236,6 +261,8 @@ optional_policy(` +@@ -236,6 +262,8 @@ optional_policy(` optional_policy(` mysql_search_db(dovecot_auth_t) mysql_stream_connect(dovecot_auth_t) @@ -36795,7 +36829,7 @@ index acf6d4f..194f170 100644 ') optional_policy(` -@@ -243,6 +270,8 @@ optional_policy(` +@@ -243,6 +271,8 @@ optional_policy(` ') optional_policy(` @@ -36804,7 +36838,7 @@ index acf6d4f..194f170 100644 postfix_search_spool(dovecot_auth_t) ') -@@ -250,23 +279,42 @@ optional_policy(` +@@ -250,23 +280,42 @@ optional_policy(` # # dovecot deliver local policy # @@ -36849,7 +36883,7 @@ index acf6d4f..194f170 100644 miscfiles_read_localization(dovecot_deliver_t) -@@ -283,24 +331,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t) +@@ -283,24 +332,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t) userdom_manage_user_home_content_sockets(dovecot_deliver_t) userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) @@ -38414,7 +38448,7 @@ index 0000000..8dcd6e4 + policykit_dbus_chat(firewalld_t) +') diff --git a/policy/modules/services/fprintd.if b/policy/modules/services/fprintd.if -index ebad8c4..c02062c 100644 +index ebad8c4..eeddf7b 100644 --- a/policy/modules/services/fprintd.if +++ b/policy/modules/services/fprintd.if @@ -5,9 +5,9 @@ @@ -38429,9 +38463,11 @@ index ebad8c4..c02062c 100644 ## # interface(`fprintd_domtrans',` -@@ -38,4 +38,3 @@ interface(`fprintd_dbus_chat',` +@@ -37,5 +37,5 @@ interface(`fprintd_dbus_chat',` + allow $1 fprintd_t:dbus send_msg; allow fprintd_t $1:dbus send_msg; ++ allow fprintd_t $1:file read; ') - diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te @@ -48777,7 +48813,7 @@ index d883214..d6afa87 100644 init_labeled_script_domtrans($1, openvpn_initrc_exec_t) domain_system_change_exemption($1) 
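Review bot: `allow fprintd_t $1:file read;` added to `fprintd_dbus_chat` in the fprintd.if hunk at `@@ -37,5 +37,5 @@` grants a file permission from an interface whose name and summary promise only D-Bus message exchange, so every caller of the chat interface now also lets fprintd read files labelled with the caller's domain type — in practice the caller's /proc/<pid> entries, presumably how fprintd identifies its D-Bus peer. Record the reason in a comment, `# fprintd reads /proc/<pid> of its D-Bus peer — TODO confirm`, and consider moving the rule into a separate interface so callers that only need the chat rule do not pick up the file read.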
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te -index 8b550f4..ed5aae9 100644 +index 8b550f4..6b73075 100644 --- a/policy/modules/services/openvpn.te +++ b/policy/modules/services/openvpn.te @@ -6,9 +6,9 @@ policy_module(openvpn, 1.10.0) @@ -48844,7 +48880,15 @@ index 8b550f4..ed5aae9 100644 corecmd_exec_bin(openvpn_t) corecmd_exec_shell(openvpn_t) -@@ -102,6 +109,8 @@ files_read_etc_runtime_files(openvpn_t) +@@ -87,6 +94,7 @@ corenet_udp_bind_openvpn_port(openvpn_t) + corenet_tcp_bind_http_port(openvpn_t) + corenet_tcp_connect_openvpn_port(openvpn_t) + corenet_tcp_connect_http_port(openvpn_t) ++corenet_tcp_connect_tor_socks_port(openvpn_t) + corenet_tcp_connect_http_cache_port(openvpn_t) + corenet_rw_tun_tap_dev(openvpn_t) + corenet_sendrecv_openvpn_server_packets(openvpn_t) +@@ -102,6 +110,8 @@ files_read_etc_runtime_files(openvpn_t) auth_use_pam(openvpn_t) @@ -48853,7 +48897,7 @@ index 8b550f4..ed5aae9 100644 logging_send_syslog_msg(openvpn_t) miscfiles_read_localization(openvpn_t) -@@ -112,21 +121,21 @@ sysnet_exec_ifconfig(openvpn_t) +@@ -112,21 +122,21 @@ sysnet_exec_ifconfig(openvpn_t) sysnet_manage_config(openvpn_t) sysnet_etc_filetrans_config(openvpn_t) @@ -48883,7 +48927,7 @@ index 8b550f4..ed5aae9 100644 optional_policy(` daemontools_service_domain(openvpn_t, openvpn_exec_t) -@@ -138,3 +147,7 @@ optional_policy(` +@@ -138,3 +148,7 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') @@ -51060,10 +51104,10 @@ index a3e85c9..c0e0959 100644 /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if -index 46bee12..2216f6a 100644 +index 46bee12..1fbe0fa 100644 --- a/policy/modules/services/postfix.if 
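Review bot: `corenet_tcp_connect_tor_socks_port(openvpn_t)` in the openvpn.te hunk at `@@ -87,6 +94,7 @@` is granted unconditionally, so every OpenVPN instance may open connections to the local Tor SOCKS port even though only a `socks-proxy` configuration needs it. A tunable would keep the default profile tight; at minimum add `# for socks-proxy configurations that point at tor` above the line. The interface only exists once the `tor_socks` port declaration in corenetwork.te.in from this same patch is applied, so the two must land together.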
+++ b/policy/modules/services/postfix.if -@@ -34,8 +34,9 @@ template(`postfix_domain_template',` +@@ -34,11 +34,13 @@ template(`postfix_domain_template',` domain_entry_file(postfix_$1_t, postfix_$1_exec_t) role system_r types postfix_$1_t; @@ -51074,7 +51118,11 @@ index 46bee12..2216f6a 100644 allow postfix_$1_t self:unix_dgram_socket create_socket_perms; allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms; allow postfix_$1_t self:unix_stream_socket connectto; -@@ -50,7 +51,7 @@ template(`postfix_domain_template',` ++ allow postfix_$1_t self:fifo_file rw_fifo_file_perms; + + allow postfix_master_t postfix_$1_t:process signal; + #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456 +@@ -50,7 +52,7 @@ template(`postfix_domain_template',` can_exec(postfix_$1_t, postfix_$1_exec_t) @@ -51083,7 +51131,7 @@ index 46bee12..2216f6a 100644 allow postfix_$1_t postfix_master_t:process sigchld; -@@ -77,6 +78,7 @@ template(`postfix_domain_template',` +@@ -77,6 +79,7 @@ template(`postfix_domain_template',` files_read_etc_files(postfix_$1_t) files_read_etc_runtime_files(postfix_$1_t) @@ -51091,7 +51139,7 @@ index 46bee12..2216f6a 100644 files_read_usr_symlinks(postfix_$1_t) files_search_spool(postfix_$1_t) files_getattr_tmp_dirs(postfix_$1_t) -@@ -115,7 +117,7 @@ template(`postfix_server_domain_template',` +@@ -115,7 +118,7 @@ template(`postfix_server_domain_template',` type postfix_$1_tmp_t; files_tmp_file(postfix_$1_tmp_t) @@ -51100,7 +51148,7 @@ index 46bee12..2216f6a 100644 allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; allow postfix_$1_t self:tcp_socket create_socket_perms; allow postfix_$1_t self:udp_socket create_socket_perms; -@@ -165,6 +167,8 @@ template(`postfix_user_domain_template',` +@@ -165,6 +168,8 @@ template(`postfix_user_domain_template',` domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t) domain_use_interactive_fds(postfix_$1_t) 
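Review bot: The `allow postfix_$1_t self:fifo_file rw_fifo_file_perms;` line added to `postfix_domain_template` in the postfix.if hunk at `@@ -34,11 +34,13 @@` makes the per-domain fifo_file rules dropped later in the patch (postfix.te hunks `@@ -264,7 +294,6 @@` and `@@ -379,18 +432,24 @@`) redundant, which is the right consolidation, but it only covers domains instantiated through the template. The master hunk at `@@ -94,23 +106,24 @@` also appears to drop `allow postfix_master_t self:fifo_file rw_fifo_file_perms;`; if postfix_master_t is declared directly rather than through `postfix_domain_template` (its declaration is outside these hunks), it loses FIFO access and that rule must stay. Also, the surrounding modules list `fifo_file` before the socket classes, so the new line would read better placed before the `unix_dgram_socket` rule.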
@@ -51109,7 +51157,7 @@ index 46bee12..2216f6a 100644 ') ######################################## -@@ -215,7 +219,7 @@ interface(`postfix_config_filetrans',` +@@ -215,7 +220,7 @@ interface(`postfix_config_filetrans',` ') files_search_etc($1) @@ -51118,7 +51166,7 @@ index 46bee12..2216f6a 100644 ') ######################################## -@@ -272,7 +276,8 @@ interface(`postfix_read_local_state',` +@@ -272,7 +277,8 @@ interface(`postfix_read_local_state',` type postfix_local_t; ') @@ -51128,7 +51176,7 @@ index 46bee12..2216f6a 100644 ') ######################################## -@@ -290,7 +295,27 @@ interface(`postfix_read_master_state',` +@@ -290,7 +296,27 @@ interface(`postfix_read_master_state',` type postfix_master_t; ') @@ -51157,7 +51205,7 @@ index 46bee12..2216f6a 100644 ') ######################################## -@@ -376,6 +401,25 @@ interface(`postfix_domtrans_master',` +@@ -376,6 +402,25 @@ interface(`postfix_domtrans_master',` domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) ') @@ -51183,7 +51231,7 @@ index 46bee12..2216f6a 100644 ######################################## ## ## Execute the master postfix program in the -@@ -404,7 +448,6 @@ interface(`postfix_exec_master',` +@@ -404,7 +449,6 @@ interface(`postfix_exec_master',` ## Domain allowed access. ## ## @@ -51191,7 +51239,7 @@ index 46bee12..2216f6a 100644 # interface(`postfix_stream_connect_master',` gen_require(` -@@ -416,6 +459,24 @@ interface(`postfix_stream_connect_master',` +@@ -416,6 +460,24 @@ interface(`postfix_stream_connect_master',` ######################################## ## @@ -51216,7 +51264,7 @@ index 46bee12..2216f6a 100644 ## Execute the master postdrop in the ## postfix_postdrop domain. ## -@@ -462,7 +523,7 @@ interface(`postfix_domtrans_postqueue',` +@@ -462,7 +524,7 @@ interface(`postfix_domtrans_postqueue',` ## ## # 
@@ -51225,7 +51273,7 @@ index 46bee12..2216f6a 100644 gen_require(` type postfix_postqueue_exec_t; ') -@@ -529,6 +590,25 @@ interface(`postfix_domtrans_smtp',` +@@ -529,6 +591,25 @@ interface(`postfix_domtrans_smtp',` ######################################## ## @@ -51251,7 +51299,7 @@ index 46bee12..2216f6a 100644 ## Search postfix mail spool directories. ## ## -@@ -539,10 +619,10 @@ interface(`postfix_domtrans_smtp',` +@@ -539,10 +620,10 @@ interface(`postfix_domtrans_smtp',` # interface(`postfix_search_spool',` gen_require(` @@ -51264,7 +51312,7 @@ index 46bee12..2216f6a 100644 files_search_spool($1) ') -@@ -558,10 +638,10 @@ interface(`postfix_search_spool',` +@@ -558,10 +639,10 @@ interface(`postfix_search_spool',` # interface(`postfix_list_spool',` gen_require(` @@ -51277,7 +51325,7 @@ index 46bee12..2216f6a 100644 files_search_spool($1) ') -@@ -577,11 +657,11 @@ interface(`postfix_list_spool',` +@@ -577,11 +658,11 @@ interface(`postfix_list_spool',` # interface(`postfix_read_spool_files',` gen_require(` @@ -51291,7 +51339,7 @@ index 46bee12..2216f6a 100644 ') ######################################## -@@ -596,11 +676,11 @@ interface(`postfix_read_spool_files',` +@@ -596,11 +677,11 @@ interface(`postfix_read_spool_files',` # interface(`postfix_manage_spool_files',` gen_require(` @@ -51305,7 +51353,7 @@ index 46bee12..2216f6a 100644 ') ######################################## -@@ -621,3 +701,154 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -621,3 +702,154 @@ interface(`postfix_domtrans_user_mail_handler',` typeattribute $1 postfix_user_domtrans; ') @@ -51461,7 +51509,7 @@ index 46bee12..2216f6a 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index a32c4b3..94e68b2 100644 +index a32c4b3..149da7a 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1) 
@@ -51529,12 +51577,12 @@ index a32c4b3..94e68b2 100644 type postfix_public_t; files_type(postfix_public_t) -@@ -94,23 +106,25 @@ mta_mailserver_delivery(postfix_virtual_t) +@@ -94,23 +106,24 @@ mta_mailserver_delivery(postfix_virtual_t) # chown is to set the correct ownership of queue dirs allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; +-allow postfix_master_t self:fifo_file rw_fifo_file_perms; +allow postfix_master_t self:process setrlimit; - allow postfix_master_t self:fifo_file rw_fifo_file_perms; allow postfix_master_t self:tcp_socket create_stream_socket_perms; allow postfix_master_t self:udp_socket create_socket_perms; -allow postfix_master_t self:process setrlimit; @@ -51559,7 +51607,7 @@ index a32c4b3..94e68b2 100644 manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) -@@ -130,7 +144,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) +@@ -130,7 +143,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) files_spool_filetrans(postfix_master_t, postfix_spool_t, dir) allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms; @@ -51568,7 +51616,7 @@ index a32c4b3..94e68b2 100644 manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) -@@ -138,6 +152,7 @@ manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_ +@@ -138,6 +151,7 @@ manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_ delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) 
@@ -51576,7 +51624,7 @@ index a32c4b3..94e68b2 100644 setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) kernel_read_all_sysctls(postfix_master_t) -@@ -150,6 +165,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) +@@ -150,6 +164,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) corenet_udp_sendrecv_generic_node(postfix_master_t) corenet_tcp_sendrecv_all_ports(postfix_master_t) corenet_udp_sendrecv_all_ports(postfix_master_t) @@ -51586,7 +51634,7 @@ index a32c4b3..94e68b2 100644 corenet_tcp_bind_generic_node(postfix_master_t) corenet_tcp_bind_amavisd_send_port(postfix_master_t) corenet_tcp_bind_smtp_port(postfix_master_t) -@@ -167,6 +185,10 @@ corecmd_exec_bin(postfix_master_t) +@@ -167,6 +184,10 @@ corecmd_exec_bin(postfix_master_t) domain_use_interactive_fds(postfix_master_t) files_read_usr_files(postfix_master_t) @@ -51597,7 +51645,7 @@ index a32c4b3..94e68b2 100644 term_dontaudit_search_ptys(postfix_master_t) -@@ -220,13 +242,17 @@ allow postfix_bounce_t self:capability dac_read_search; +@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search; allow postfix_bounce_t self:tcp_socket create_socket_perms; allow postfix_bounce_t postfix_public_t:sock_file write; @@ -51616,7 +51664,7 @@ index a32c4b3..94e68b2 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) -@@ -243,12 +269,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, +@@ -243,12 +268,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) 
@@ -51634,17 +51682,15 @@ index a32c4b3..94e68b2 100644 allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms; corecmd_exec_bin(postfix_cleanup_t) -@@ -264,8 +295,8 @@ optional_policy(` +@@ -264,7 +294,6 @@ optional_policy(` # Postfix local local policy # -allow postfix_local_t self:fifo_file rw_fifo_file_perms; allow postfix_local_t self:process { setsched setrlimit }; -+allow postfix_local_t self:fifo_file rw_fifo_file_perms; # connect to master process - stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) -@@ -273,6 +304,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post +@@ -273,6 +302,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post # for .forward - maybe we need a new type for it? rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) @@ -51653,7 +51699,7 @@ index a32c4b3..94e68b2 100644 allow postfix_local_t postfix_spool_t:file rw_file_perms; corecmd_exec_shell(postfix_local_t) -@@ -286,10 +319,15 @@ mta_read_aliases(postfix_local_t) +@@ -286,10 +317,15 @@ mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin mta_read_config(postfix_local_t) @@ -51672,7 +51718,7 @@ index a32c4b3..94e68b2 100644 optional_policy(` clamav_search_lib(postfix_local_t) -@@ -297,6 +335,10 @@ optional_policy(` +@@ -297,6 +333,10 @@ optional_policy(` ') optional_policy(` @@ -51683,7 +51729,7 @@ index a32c4b3..94e68b2 100644 # for postalias mailman_manage_data_files(postfix_local_t) mailman_append_log(postfix_local_t) -@@ -304,9 +346,22 @@ optional_policy(` +@@ -304,9 +344,22 @@ optional_policy(` ') optional_policy(` 
@@ -51706,15 +51752,7 @@ index a32c4b3..94e68b2 100644 ######################################## # # Postfix map local policy -@@ -372,6 +427,7 @@ optional_policy(` - # Postfix pickup local policy - # - -+allow postfix_pickup_t self:fifo_file rw_fifo_file_perms; - allow postfix_pickup_t self:tcp_socket create_socket_perms; - - stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) -@@ -379,19 +435,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p +@@ -379,18 +432,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) @@ -51738,11 +51776,9 @@ index a32c4b3..94e68b2 100644 -allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; allow postfix_pipe_t self:process setrlimit; -+allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) - -@@ -401,6 +464,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +@@ -401,6 +460,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) @@ -51751,7 +51787,7 @@ index a32c4b3..94e68b2 100644 optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +485,7 @@ optional_policy(` +@@ -420,6 +481,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) @@ -51759,7 +51795,7 @@ index a32c4b3..94e68b2 100644 ') optional_policy(` -@@ -436,11 +502,17 @@ allow postfix_postdrop_t self:capability sys_resource; +@@ -436,11 +498,17 @@ allow postfix_postdrop_t self:capability sys_resource; allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:udp_socket create_socket_perms; 
@@ -51777,7 +51813,7 @@ index a32c4b3..94e68b2 100644 corenet_udp_sendrecv_generic_if(postfix_postdrop_t) corenet_udp_sendrecv_generic_node(postfix_postdrop_t) -@@ -487,8 +559,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t +@@ -487,8 +555,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) # to write the mailq output, it really should not need read access! @@ -51788,16 +51824,7 @@ index a32c4b3..94e68b2 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -507,6 +579,8 @@ optional_policy(` - # Postfix qmgr local policy - # - -+allow postfix_qmgr_t self:fifo_file rw_fifo_file_perms; -+ - stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - - rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) -@@ -519,7 +593,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +587,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; @@ -51810,7 +51837,7 @@ index a32c4b3..94e68b2 100644 corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +617,9 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +611,9 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -51821,7 +51848,7 @@ index a32c4b3..94e68b2 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -558,6 +638,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; +@@ -558,6 +632,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; allow postfix_smtp_t postfix_spool_t:file rw_file_perms; 
@@ -51830,7 +51857,7 @@ index a32c4b3..94e68b2 100644 files_search_all_mountpoints(postfix_smtp_t) optional_policy(` -@@ -565,6 +647,14 @@ optional_policy(` +@@ -565,6 +641,14 @@ optional_policy(` ') optional_policy(` @@ -51845,7 +51872,7 @@ index a32c4b3..94e68b2 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -588,10 +678,16 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -588,10 +672,16 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -51862,7 +51889,7 @@ index a32c4b3..94e68b2 100644 ') optional_policy(` -@@ -599,6 +695,10 @@ optional_policy(` +@@ -599,6 +689,10 @@ optional_policy(` ') optional_policy(` @@ -51873,17 +51900,15 @@ index a32c4b3..94e68b2 100644 postgrey_stream_connect(postfix_smtpd_t) ') -@@ -611,8 +711,8 @@ optional_policy(` +@@ -611,7 +705,6 @@ optional_policy(` # Postfix virtual local policy # -allow postfix_virtual_t self:fifo_file rw_fifo_file_perms; allow postfix_virtual_t self:process { setsched setrlimit }; -+allow postfix_virtual_t self:fifo_file rw_fifo_file_perms; allow postfix_virtual_t postfix_spool_t:file rw_file_perms; - -@@ -630,3 +730,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +723,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -52707,7 +52732,7 @@ index afd1751..5aff531 100644 init_labeled_script_domtrans($1, privoxy_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te -index 2dbf4d4..28d7fe5 100644 +index 2dbf4d4..8323004 100644 --- a/policy/modules/services/privoxy.te +++ b/policy/modules/services/privoxy.te @@ -6,10 +6,10 @@ policy_module(privoxy, 1.11.0) 
@@ -52736,7 +52761,15 @@ index 2dbf4d4..28d7fe5 100644 corenet_all_recvfrom_unlabeled(privoxy_t) corenet_all_recvfrom_netlabel(privoxy_t) -@@ -87,7 +88,7 @@ miscfiles_read_localization(privoxy_t) +@@ -62,6 +63,7 @@ corenet_tcp_connect_squid_port(privoxy_t) + corenet_tcp_connect_ftp_port(privoxy_t) + corenet_tcp_connect_pgpkeyserver_port(privoxy_t) + corenet_tcp_connect_tor_port(privoxy_t) ++corenet_tcp_connect_tor_socks_port(privoxy_t) + corenet_sendrecv_http_cache_client_packets(privoxy_t) + corenet_sendrecv_squid_client_packets(privoxy_t) + corenet_sendrecv_http_cache_server_packets(privoxy_t) +@@ -87,7 +89,7 @@ miscfiles_read_localization(privoxy_t) userdom_dontaudit_use_unpriv_user_fds(privoxy_t) userdom_dontaudit_search_user_home_dirs(privoxy_t) # cjp: this should really not be needed @@ -53233,7 +53266,7 @@ index 2855a44..58bb459 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; +') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te -index 64c5f95..fa3c113 100644 +index 64c5f95..39d23dc 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te @@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0) @@ -53357,7 +53390,7 @@ index 64c5f95..fa3c113 100644 files_rw_var_files(puppet_t) rpm_domtrans(puppet_t) -@@ -156,13 +188,68 @@ optional_policy(` +@@ -156,13 +188,136 @@ optional_policy(` ') optional_policy(` 
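Review bot: `corenet_tcp_connect_tor_socks_port(privoxy_t)` is added without a comment explaining why a domain that already has `corenet_tcp_connect_tor_port(privoxy_t)` on the line above now needs a second tor port type. The reason is the split of 9050 into tor_socks_port_t (the tor.te hunk at L34 binds it, and the changelog at L40 describes the move), which also means any other domain that reached 9050 through `corenet_tcp_connect_tor_port` silently loses it; openvpn is named in the changelog but its hunk is not in this chunk, so that deserves a check. Suggest `# 9050 moved from tor_port_t to tor_socks_port_t; both connect rules are needed` above the new line so the pair is not "cleaned up" later.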
@@ -53368,8 +53401,77 @@ index 64c5f95..fa3c113 100644 + usermanage_access_check_useradd(puppet_t) +') + -+######################################## -+# ++optional_policy(` ++ auth_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ alsa_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ bootloader_filetrans_config(puppet_t) ++') ++ ++optional_policy(` ++ devicekit_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ dnsmasq_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ kerberos_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ libs_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ miscfiles_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ mta_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ modules_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ networkmanager_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ nx_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ postfix_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ quota_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ sysnet_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ virt_filetrans_home_content(puppet_t) ++') ++ ++optional_policy(` ++ ssh_filetrans_admin_home_content(puppet_t) + ') + + ######################################## + # +-# Pupper master personal policy +# PuppetCA personal policy +# + 
@@ -53420,16 +53522,15 @@ index 64c5f95..fa3c113 100644 + usermanage_access_check_groupadd(puppet_t) + usermanage_access_check_passwd(puppet_t) + usermanage_access_check_useradd(puppet_t) - ') - - ######################################## - # --# Pupper master personal policy ++') ++ ++######################################## ++# +# Puppet master personal policy # allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; -@@ -171,29 +258,36 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms; +@@ -171,29 +326,36 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms; allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms; allow puppetmaster_t self:socket create; allow puppetmaster_t self:tcp_socket create_stream_socket_perms; @@ -53469,7 +53570,7 @@ index 64c5f95..fa3c113 100644 corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) -@@ -206,21 +300,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t) +@@ -206,21 +368,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t) corenet_tcp_bind_puppet_port(puppetmaster_t) corenet_sendrecv_puppet_server_packets(puppetmaster_t) @@ -53483,11 +53584,11 @@ index 64c5f95..fa3c113 100644 domain_read_all_domains_state(puppetmaster_t) +domain_obj_id_change_exemption(puppetmaster_t) -+ -+files_read_usr_files(puppetmaster_t) -files_read_etc_files(puppetmaster_t) -files_search_var_lib(puppetmaster_t) ++files_read_usr_files(puppetmaster_t) ++ +selinux_validate_context(puppetmaster_t) + +auth_use_nsswitch(puppetmaster_t) @@ -53519,7 +53620,7 @@ index 64c5f95..fa3c113 100644 optional_policy(` hostname_exec(puppetmaster_t) ') -@@ -231,3 +350,9 @@ optional_policy(` +@@ -231,3 +418,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') 
@@ -59424,7 +59525,7 @@ index 623c8fa..0a802f7 100644 /var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if -index 275f9fb..ad10bef 100644 +index 275f9fb..f1343b7 100644 --- a/policy/modules/services/snmp.if +++ b/policy/modules/services/snmp.if @@ -11,12 +11,12 @@ @@ -59444,7 +59545,7 @@ index 275f9fb..ad10bef 100644 ') ######################################## -@@ -62,6 +62,7 @@ interface(`snmp_read_snmp_var_lib_files',` +@@ -62,11 +62,70 @@ interface(`snmp_read_snmp_var_lib_files',` type snmpd_var_lib_t; ') @@ -59452,10 +59553,29 @@ index 275f9fb..ad10bef 100644 allow $1 snmpd_var_lib_t:dir list_dir_perms; read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) -@@ -69,6 +70,45 @@ interface(`snmp_read_snmp_var_lib_files',` + ') - ######################################## - ## ++####################################### ++## ++## Read snmpd libraries directories ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`snmp_read_snmp_var_lib_dirs',` ++ gen_require(` ++ type snmpd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 snmpd_var_lib_t:dir list_dir_perms; ++') ++ ++######################################## ++## +## Manage snmpd libraries directories +## +## @@ -59493,12 +59613,10 @@ index 275f9fb..ad10bef 100644 + manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) +') + -+######################################## -+## + ######################################## + ## ## dontaudit Read snmpd libraries. - ## - ## -@@ -81,9 +121,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',` +@@ -81,9 +140,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',` gen_require(` type snmpd_var_lib_t; ') 
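Review bot: The header of the new `snmp_read_snmp_var_lib_dirs` interface uses 39 `#` characters (`#######################################`) while the `snmp_manage_*` headers added right after it and the rest of snmp.if use 40; the spamassassin.if hunk at L32 fixes exactly this inconsistency, so it should be fixed here as well. The interface body itself follows the `snmp_read_snmp_var_lib_files` pattern above it (`files_search_var_lib($1)` then `allow $1 snmpd_var_lib_t:dir list_dir_perms;`) and is what `zabbix_t` picks up at L37, so the change is only cosmetic.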
@@ -59510,7 +59628,7 @@ index 275f9fb..ad10bef 100644 ') ######################################## -@@ -123,13 +164,15 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',` +@@ -123,13 +183,15 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',` # interface(`snmp_admin',` gen_require(` @@ -59730,7 +59848,7 @@ index 6b3abf9..a785741 100644 +/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if -index c954f31..4aac595 100644 +index c954f31..82fc7f6 100644 --- a/policy/modules/services/spamassassin.if +++ b/policy/modules/services/spamassassin.if @@ -14,6 +14,7 @@ 
@@ -59857,42 +59975,42 @@ index c954f31..4aac595 100644 + dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms; +') + -+####################################### ++######################################## +## -+## Read spamd pid file. ++## Connect to run spamd. +## +## -+## -+## Domain allowed to connect. -+## ++## ++## Domain allowed to connect. ++## +## +# -+interface(`spamd_read_pid',` -+ gen_require(` -+ type spamd_t, spamd_var_run_t; -+ ') ++interface(`spamd_stream_connect',` ++ gen_require(` ++ type spamd_t, spamd_var_run_t; ++ ') + -+ files_search_pids($1) -+ read_files_pattern($1, spamd_var_run_t, spamd_var_run_t) ++ files_search_pids($1) ++ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) +') + +######################################## +## -+## Connect to run spamd. ++## Read spamd pid files. +## +## +## -+## Domain allowed to connect. ++## Domain allowed access. +## +## +# -+interface(`spamd_stream_connect',` ++interface(`spamassassin_read_pid_files',` + gen_require(` -+ type spamd_t, spamd_var_run_t; ++ type spamd_var_run_t; + ') + + files_search_pids($1) -+ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) ++ read_files_pattern($1, spamd_var_run_t, spamd_var_run_t) +') + +######################################## @@ -60478,7 +60596,7 @@ index d2496bd..c7614d7 100644 init_labeled_script_domtrans($1, squid_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te -index 4b2230e..950e65a 100644 +index 4b2230e..7b3d2db 100644 --- a/policy/modules/services/squid.te +++ b/policy/modules/services/squid.te @@ -6,17 +6,17 @@ policy_module(squid, 1.10.0) 
@@ -60515,7 +60633,15 @@ index 4b2230e..950e65a 100644 type squid_initrc_exec_t; init_script_file(squid_initrc_exec_t) -@@ -169,7 +169,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t) +@@ -90,6 +90,7 @@ files_pid_filetrans(squid_t, squid_var_run_t, file) + + kernel_read_kernel_sysctls(squid_t) + kernel_read_system_state(squid_t) ++kernel_read_network_state(squid_t) + + files_dontaudit_getattr_boot_dirs(squid_t) + +@@ -169,7 +170,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t) tunable_policy(`squid_connect_any',` corenet_tcp_connect_all_ports(squid_t) corenet_tcp_bind_all_ports(squid_t) @@ -60525,7 +60651,7 @@ index 4b2230e..950e65a 100644 ') tunable_policy(`squid_use_tproxy',` -@@ -185,6 +186,7 @@ optional_policy(` +@@ -185,6 +187,7 @@ optional_policy(` corenet_all_recvfrom_unlabeled(httpd_squid_script_t) corenet_all_recvfrom_netlabel(httpd_squid_script_t) corenet_tcp_connect_http_cache_port(httpd_squid_script_t) @@ -60533,7 +60659,7 @@ index 4b2230e..950e65a 100644 sysnet_dns_name_resolve(httpd_squid_script_t) -@@ -206,3 +208,7 @@ optional_policy(` +@@ -206,3 +209,7 @@ optional_policy(` optional_policy(` udev_read_db(squid_t) ') @@ -60566,7 +60692,7 @@ index 078bcd7..84d29ee 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 22adaca..d6a4b77 100644 +index 22adaca..e494f5c 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,10 @@ @@ -60697,7 +60823,7 @@ index 22adaca..d6a4b77 100644 corenet_all_recvfrom_unlabeled($1_t) corenet_all_recvfrom_netlabel($1_t) -@@ -220,8 +244,11 @@ template(`ssh_server_template', ` +@@ -220,10 +244,13 @@ template(`ssh_server_template', ` corenet_tcp_bind_generic_node($1_t) corenet_udp_bind_generic_node($1_t) corenet_tcp_bind_ssh_port($1_t) 
@@ -60708,8 +60834,11 @@ index 22adaca..d6a4b77 100644 + # tunnel feature and -w (net_admin capability also) + corenet_rw_tun_tap_dev($1_t) - fs_dontaudit_getattr_all_fs($1_t) +- fs_dontaudit_getattr_all_fs($1_t) ++ fs_getattr_all_fs($1_t) + auth_rw_login_records($1_t) + auth_rw_faillog($1_t) @@ -234,6 +261,7 @@ template(`ssh_server_template', ` corecmd_getattr_bin_files($1_t) @@ -62280,7 +62409,7 @@ index 904f13e..f9d007b 100644 init_labeled_script_domtrans($1, tor_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te -index c842cad..1136b10 100644 +index c842cad..037dd90 100644 --- a/policy/modules/services/tor.te +++ b/policy/modules/services/tor.te @@ -42,6 +42,7 @@ files_pid_file(tor_var_run_t) @@ -62291,7 +62420,15 @@ index c842cad..1136b10 100644 allow tor_t self:fifo_file rw_fifo_file_perms; allow tor_t self:unix_stream_socket create_stream_socket_perms; allow tor_t self:netlink_route_socket r_netlink_socket_perms; -@@ -95,9 +96,11 @@ corenet_tcp_connect_all_ports(tor_t) +@@ -87,6 +88,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t) + corenet_tcp_bind_generic_node(tor_t) + corenet_udp_bind_generic_node(tor_t) + corenet_tcp_bind_tor_port(tor_t) ++corenet_tcp_bind_tor_socks_port(tor_t) + corenet_udp_bind_dns_port(tor_t) + corenet_sendrecv_tor_server_packets(tor_t) + corenet_sendrecv_dns_server_packets(tor_t) +@@ -95,9 +97,11 @@ corenet_tcp_connect_all_ports(tor_t) corenet_sendrecv_all_client_packets(tor_t) # ... especially including port 80 and other privileged ports corenet_tcp_connect_all_reserved_ports(tor_t) @@ -63865,7 +64002,7 @@ index 7c5d8d8..3fd8f12 100644 +') + diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..30c47b0 100644 +index 3eca020..59444ba 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,84 @@ policy_module(virt, 1.4.0) 
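Review bot: Replacing `fs_dontaudit_getattr_all_fs($1_t)` with `fs_getattr_all_fs($1_t)` happens inside `ssh_server_template`, so every server domain built from the template — not only the sshd_t named in the changelog — gains getattr on all filesystem types, and the policy itself records no reason. The changelog motivation ("in order to generate avc on nfs_t") reads as a diagnostic measure, which is the kind of widening that gets forgotten once the nfs_t problem is solved; a why-comment such as `# getattr on all filesystems (was dontaudit): lets the daemon get past statfs so the real denial on nfs_t is audited` would let a later reviewer decide whether the dontaudit can be restored. The template body continues outside this hunk.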
@@ -64422,7 +64559,7 @@ index 3eca020..30c47b0 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,25 +626,358 @@ files_search_all(virt_domain) +@@ -440,25 +626,359 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -64758,6 +64895,7 @@ index 3eca020..30c47b0 100644 + +domain_entry_file(svirt_lxc_net_t, svirt_lxc_file_t) +domtrans_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_net_t) ++corecmd_shell_domtrans(virtd_lxc_t, svirt_lxc_net_t) +fs_noxattr_type(svirt_lxc_file_t) +term_pty(svirt_lxc_file_t) + @@ -67561,7 +67699,7 @@ index 664cd7a..e3eaec5 100644 /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if -index c9981d1..0629472 100644 +index c9981d1..75a7d17 100644 --- a/policy/modules/services/zabbix.if +++ b/policy/modules/services/zabbix.if @@ -5,9 +5,9 @@ @@ -67576,7 +67714,31 @@ index c9981d1..0629472 100644 ## # interface(`zabbix_domtrans',` -@@ -65,9 +65,9 @@ interface(`zabbix_read_log',` +@@ -61,13 +61,33 @@ interface(`zabbix_read_log',` + + ######################################## + ## ++## Allow the specified domain to read zabbix's tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`zabbix_read_tmp',` ++ gen_require(` ++ type zabbix_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ read_files_pattern($1, zabbix_tmp_t, zabbix_tmp_t) ++') ++ ++######################################## ++## + ## Allow the specified domain to append ## zabbix log files. ## ## @@ -67588,7 +67750,7 @@ index c9981d1..0629472 100644 ## # interface(`zabbix_append_log',` -@@ -110,7 +110,7 @@ interface(`zabbix_read_pid_files',` +@@ -110,7 +130,7 @@ interface(`zabbix_read_pid_files',` # interface(`zabbix_agent_tcp_connect',` gen_require(` 
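Review bot: `corecmd_shell_domtrans(virtd_lxc_t, svirt_lxc_net_t)` makes every shell executed by virtd_lxc_t transition into the container domain, and there is no comment saying why; next to the `domtrans_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_net_t)` line just above it, presumably it covers a container whose init is a shell (shell_exec_t) rather than an svirt_lxc_file_t binary. Because the transition is unconditional, any helper shell script virtd_lxc_t itself runs would also end up confined as svirt_lxc_net_t; that is probably the desired direction of confinement, but it should be stated, e.g. `# container init may be a shell (shell_exec_t); shells exec'd by virtd_lxc_t are confined as svirt_lxc_net_t`. The svirt_lxc section continues outside this hunk.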
@@ -67597,7 +67759,7 @@ index c9981d1..0629472 100644 ') corenet_sendrecv_zabbix_agent_client_packets($1) -@@ -142,8 +142,11 @@ interface(`zabbix_admin',` +@@ -142,8 +162,11 @@ interface(`zabbix_admin',` type zabbix_initrc_exec_t; ') @@ -67611,10 +67773,21 @@ index c9981d1..0629472 100644 init_labeled_script_domtrans($1, zabbix_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te -index 7f88f5f..bd6493d 100644 +index 7f88f5f..5f1e19c 100644 --- a/policy/modules/services/zabbix.te +++ b/policy/modules/services/zabbix.te -@@ -36,16 +36,17 @@ files_pid_file(zabbix_var_run_t) +@@ -23,6 +23,10 @@ init_script_file(zabbix_agent_initrc_exec_t) + type zabbix_log_t; + logging_log_file(zabbix_log_t) + ++# tmp files ++type zabbix_tmp_t; ++files_tmp_file(zabbix_tmp_t) ++ + # shared memory + type zabbix_tmpfs_t; + files_tmpfs_file(zabbix_tmpfs_t) +@@ -36,19 +40,25 @@ files_pid_file(zabbix_var_run_t) # zabbix local policy # 
@@ -67636,22 +67809,64 @@ index 7f88f5f..bd6493d 100644 manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) logging_log_filetrans(zabbix_t, zabbix_log_t, file) -@@ -58,11 +59,15 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) ++# tmp files ++manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) ++manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) ++files_tmp_filetrans(zabbix_t, zabbix_tmp_t, { dir file }) ++ + # shared memory + rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t) + fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file) +@@ -58,14 +68,25 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) ++kernel_read_system_state(zabbix_t) +kernel_read_kernel_sysctls(zabbix_t) + ++corecmd_exec_bin(zabbix_t) ++corecmd_exec_shell(zabbix_t) ++ corenet_tcp_bind_generic_node(zabbix_t) corenet_tcp_bind_zabbix_port(zabbix_t) ++#needed by zabbix-server-mysql ++corenet_tcp_connect_http_port(zabbix_t) ++ ++dev_read_urand(zabbix_t) files_read_etc_files(zabbix_t) ++files_read_usr_files(zabbix_t) +-miscfiles_read_localization(zabbix_t) +auth_use_nsswitch(zabbix_t) + +-sysnet_dns_name_resolve(zabbix_t) ++miscfiles_read_localization(zabbix_t) + + zabbix_agent_tcp_connect(zabbix_t) + +@@ -74,9 +95,21 @@ optional_policy(` + ') + + optional_policy(` ++ netutils_domtrans_ping(zabbix_t) ++') + - miscfiles_read_localization(zabbix_t) ++optional_policy(` + postgresql_stream_connect(zabbix_t) + ') - sysnet_dns_name_resolve(zabbix_t) ++optional_policy(` ++ snmp_read_snmp_var_lib_dirs(zabbix_t) ++') ++ ++optional_policy(` ++ sysnet_dns_name_resolve(zabbix_t) ++') ++ + ######################################## + # + # zabbix agent local policy diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc index 3defaa1..2ad2488 100644 --- a/policy/modules/services/zarafa.fc 
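Review bot: The relocated `sysnet_dns_name_resolve(zabbix_t)` is now wrapped in `optional_policy(`…')` while `auth_use_nsswitch(zabbix_t)` is added unconditionally a few lines above; if `auth_use_nsswitch` already covers DNS resolution (I believe it does in refpolicy), the block is redundant, and sysnetwork is not normally an optional module, so the wrapper is unusual either way. Separately, `corecmd_exec_bin(zabbix_t)` and `corecmd_exec_shell(zabbix_t)` widen the server domain noticeably and carry no comment, whereas the new `corenet_tcp_connect_http_port` line does have one (`#needed by zabbix-server-mysql`, which should read `# needed by zabbix-server-mysql` to match the file's comment style); something like `# presumably for admin-configured external/alert scripts — confirm` above the corecmd pair would record the reason. The `netutils_domtrans_ping(zabbix_t)` block pairs with the `zabbix_read_tmp(ping_t)` interface added at L35.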
@@ -74092,7 +74307,7 @@ index 8b5c196..da41726 100644 + role $2 types showmount_t; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 15832c7..a50ceba 100644 +index 15832c7..aa18423 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -17,17 +17,29 @@ type mount_exec_t; @@ -74363,7 +74578,7 @@ index 15832c7..a50ceba 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -188,21 +280,87 @@ optional_policy(` +@@ -188,21 +280,88 @@ optional_policy(` ') ') @@ -74378,6 +74593,7 @@ index 15832c7..a50ceba 100644 + +optional_policy(` + modutils_domtrans_insmod(mount_t) ++ modutils_read_module_deps(mount_t) +') + +optional_policy(` @@ -76741,10 +76957,10 @@ index 0000000..5571350 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..ff3ce3f +index 0000000..b7da774 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,377 @@ +@@ -0,0 +1,378 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -77010,6 +77226,7 @@ index 0000000..ff3ce3f + userdom_delete_all_user_home_content_files(systemd_tmpfiles_t) + userdom_delete_all_user_home_content_sock_files(systemd_tmpfiles_t) + userdom_delete_all_user_home_content_symlinks(systemd_tmpfiles_t) ++ userdom_delete_admin_home_files(systemd_tmpfiles_t) +') + +optional_policy(` @@ -78367,7 +78584,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..290f54e 100644 +index 4b2878a..b7ed01c 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
@@ -80691,7 +80908,7 @@ index 4b2878a..290f54e 100644 ## Create keys for all user domains. ## ## -@@ -3194,3 +3912,1186 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3912,1205 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -80955,6 +81172,25 @@ index 4b2878a..290f54e 100644 + +######################################## +## ++## Delete admin home files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_delete_admin_home_files',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ allow $1 admin_home_t:file delete_file_perms; ++') ++ ++######################################## ++## +## Execute admin home files. +## +## diff --git a/selinux-policy.spec b/selinux-policy.spec index ec365e3..2c7dc94 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 61%{?dist} +Release: 64%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -470,6 +470,27 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Dec 1 2011 Miroslav Grepl 3.10.0-64 +- Use fs_use_xattr for squashf +- Fix procs_type interface +- Dovecot has a new fifo_file /var/run/dovecot/stats-mail +- Dovecot has a new fifo_file /var/run/stats-mail +- Colord does not need to connect to network +- Allow system_cronjob to dbus chat with NetworkManager +- Puppet manages content, want to make sure it labels everything correctly + +* Tue Nov 29 2011 Miroslav Grepl 3.10.0-63 +- Change port 9050 to tor_socks_port_t and then allow openvpn to connect to it +- Allow all postfix domains to use the fifo_file +- Allow sshd_t to getattr on all file systems in order to generate avc on nfs_t +- Allow apmd_t to read grub.cfg +- Let firewallgui read the selinux config +- Allow systemd-tmpfiles to delete content in /root that has been moved to /tmp +- Fix devicekit_manage_pid_files() interface +- Allow squid to check the network state +- Dontaudit colord getattr on file systems +- Allow ping domains to read zabbix_tmp_t files + * Wed Nov 23 2011 Miroslav Grepl 3.10.0-59 - Allow mcelog_t to create dir and file in /var/run and label it correctly - Allow dbus to manage fusefs