diff --git a/policy-f20-base.patch b/policy-f20-base.patch index e01726d..9331692 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -2729,7 +2729,7 @@ index 99e3903..7270808 100644 ######################################## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index d555767..3053e39 100644 +index d555767..dd089fa 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1) @@ -3011,7 +3011,7 @@ index d555767..3053e39 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -349,9 +389,17 @@ userdom_read_user_tmp_files(passwd_t) +@@ -349,9 +389,18 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -3021,6 +3021,7 @@ index d555767..3053e39 100644 - nscd_run(passwd_t, passwd_roles) + gnome_exec_keyringd(passwd_t) + gnome_manage_cache_home_dir(passwd_t) ++ gnome_manage_generic_cache_sockets(passwd_t) + gnome_stream_connect_gkeyringd(passwd_t) +') + @@ -3030,7 +3031,7 @@ index d555767..3053e39 100644 ') ######################################## -@@ -398,9 +446,10 @@ dev_read_urand(sysadm_passwd_t) +@@ -398,9 +447,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -3043,7 +3044,7 @@ index d555767..3053e39 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) -@@ -413,7 +462,6 @@ files_read_usr_files(sysadm_passwd_t) +@@ -413,7 +463,6 @@ files_read_usr_files(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t) 
@@ -3051,7 +3052,7 @@ index d555767..3053e39 100644 files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups -@@ -423,19 +471,17 @@ files_dontaudit_search_pids(sysadm_passwd_t) +@@ -423,19 +472,17 @@ files_dontaudit_search_pids(sysadm_passwd_t) # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(sysadm_passwd_t) @@ -3073,7 +3074,7 @@ index d555767..3053e39 100644 ') ######################################## -@@ -443,7 +489,8 @@ optional_policy(` +@@ -443,7 +490,8 @@ optional_policy(` # Useradd local policy # @@ -3083,7 +3084,7 @@ index d555767..3053e39 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -458,6 +505,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; +@@ -458,6 +506,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; @@ -3094,7 +3095,7 @@ index d555767..3053e39 100644 # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -465,36 +516,36 @@ corecmd_exec_shell(useradd_t) +@@ -465,36 +517,36 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -3143,7 +3144,7 @@ index d555767..3053e39 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -505,33 +556,36 @@ init_rw_utmp(useradd_t) +@@ -505,33 +557,36 @@ init_rw_utmp(useradd_t) logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) @@ -3194,7 +3195,7 @@ index d555767..3053e39 100644 optional_policy(` apache_manage_all_user_content(useradd_t) ') -@@ -542,7 +596,12 @@ optional_policy(` +@@ -542,7 +597,12 @@ optional_policy(` ') optional_policy(` 
@@ -3208,7 +3209,7 @@ index d555767..3053e39 100644 ') optional_policy(` -@@ -550,6 +609,11 @@ optional_policy(` +@@ -550,6 +610,11 @@ optional_policy(` ') optional_policy(` @@ -3220,7 +3221,7 @@ index d555767..3053e39 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -559,3 +623,12 @@ optional_policy(` +@@ -559,3 +624,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -9583,7 +9584,7 @@ index c2c6e05..2282452 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..42ac33d 100644 +index 64ff4d7..32d36ba 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -12094,7 +12095,7 @@ index 64ff4d7..42ac33d 100644 ') ######################################## -@@ -6562,3 +7996,496 @@ interface(`files_unconfined',` +@@ -6562,3 +7996,514 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -12405,6 +12406,24 @@ index 64ff4d7..42ac33d 100644 + +######################################## +## ++## Allow domain to delete to all dirs ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_delete_all_non_security_dirs',` ++ gen_require(` ++ attribute non_security_file_type; ++ ') ++ ++ allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms }; ++') ++ ++######################################## ++## +## Transition named content in the var_run_t directory +## +## @@ -20827,10 +20846,10 @@ index fe0c682..c0413e8 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..692569b 100644 +index 5fc0391..3b3225a 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te -@@ -6,43 +6,61 @@ policy_module(ssh, 2.3.3) +@@ -6,43 +6,62 @@ policy_module(ssh, 2.3.3) # ## 
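Review bot: The parameter documentation of the new `files_delete_all_non_security_dirs` interface in the files.if hunk says `Domain to not audit.`, but the body is an `allow` rule, not a `dontaudit`; the `<param>` text should read `## Domain allowed access.` and the summary `## Allow domain to delete to all dirs` should be `## Delete all non-security directories.`. The rule grants `del_entry_dir_perms` and `delete_dir_perms` on every `non_security_file_type` directory, so the summary should state that scope plainly, since the only caller visible in this patch (`files_delete_all_non_security_dirs(systemd_tmpfiles_t)` in the systemd.te hunk) gives a privileged daemon that reach.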
@@ -20887,6 +20906,7 @@ index 5fc0391..692569b 100644 ssh_server_template(sshd) init_daemon_domain(sshd_t, sshd_exec_t) +mls_trusted_object(sshd_t) ++mls_process_write_all_levels(sshd_t) -type sshd_key_t; -files_type(sshd_key_t) @@ -20907,7 +20927,7 @@ index 5fc0391..692569b 100644 type ssh_t; type ssh_exec_t; -@@ -73,6 +91,11 @@ type ssh_home_t; +@@ -73,6 +92,11 @@ type ssh_home_t; typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; userdom_user_home_content(ssh_home_t) @@ -20919,7 +20939,7 @@ index 5fc0391..692569b 100644 ############################## # -@@ -83,6 +106,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; +@@ -83,6 +107,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms; @@ -20927,7 +20947,7 @@ index 5fc0391..692569b 100644 allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow ssh_t self:shm create_shm_perms; -@@ -90,15 +114,11 @@ allow ssh_t self:sem create_sem_perms; +@@ -90,15 +115,11 @@ allow ssh_t self:sem create_sem_perms; allow ssh_t self:msgq create_msgq_perms; allow ssh_t self:msg { send receive }; allow ssh_t self:tcp_socket create_stream_socket_perms; 
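Review bot: `mls_process_write_all_levels(sshd_t)` is added directly under `mls_trusted_object(sshd_t)` with no comment saying which sshd operation needs to write to processes at every MLS level; MLS exemptions are the rules an auditor reads first, so the line should carry its reason, e.g. `# MLS: sshd_t writes to processes at all levels (record the denial that required this)`. The same applies to `++mls_file_downgrade(updpwd_t)` in the authlogin.te hunk later in this patch: a downgrade exemption on a domain that already has `files_manage_etc_files(updpwd_t)` should say what it is for. Both lines widen the set of MLS-trusted domains and the commit gives no rationale for either.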
@@ -20944,7 +20964,7 @@ index 5fc0391..692569b 100644 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -@@ -107,33 +127,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } +@@ -107,33 +128,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) @@ -20992,7 +21012,7 @@ index 5fc0391..692569b 100644 dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) -@@ -154,40 +183,46 @@ files_read_var_files(ssh_t) +@@ -154,40 +184,46 @@ files_read_var_files(ssh_t) logging_send_syslog_msg(ssh_t) logging_read_generic_logs(ssh_t) @@ -21058,7 +21078,7 @@ index 5fc0391..692569b 100644 ') optional_policy(` -@@ -195,6 +230,7 @@ optional_policy(` +@@ -195,6 +231,7 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -21066,7 +21086,7 @@ index 5fc0391..692569b 100644 ############################## # # ssh_keysign_t local policy -@@ -206,6 +242,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; +@@ -206,6 +243,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; allow ssh_keysign_t sshd_key_t:file { getattr read }; dev_read_urand(ssh_keysign_t) @@ -21074,7 +21094,7 @@ index 5fc0391..692569b 100644 files_read_etc_files(ssh_keysign_t) -@@ -223,33 +260,54 @@ optional_policy(` +@@ -223,33 +261,54 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -21138,7 +21158,7 @@ index 5fc0391..692569b 100644 ') optional_policy(` -@@ -257,11 +315,28 @@ optional_policy(` +@@ -257,11 +316,28 @@ optional_policy(` ') optional_policy(` 
@@ -21168,7 +21188,7 @@ index 5fc0391..692569b 100644 ') optional_policy(` -@@ -269,6 +344,10 @@ optional_policy(` +@@ -269,6 +345,10 @@ optional_policy(` ') optional_policy(` @@ -21179,7 +21199,7 @@ index 5fc0391..692569b 100644 rpm_use_script_fds(sshd_t) ') -@@ -279,13 +358,93 @@ optional_policy(` +@@ -279,13 +359,93 @@ optional_policy(` ') optional_policy(` @@ -21273,7 +21293,7 @@ index 5fc0391..692569b 100644 ######################################## # # ssh_keygen local policy -@@ -294,19 +453,29 @@ optional_policy(` +@@ -294,19 +454,29 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -21304,7 +21324,7 @@ index 5fc0391..692569b 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -323,6 +492,12 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -323,6 +493,12 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -21317,7 +21337,7 @@ index 5fc0391..692569b 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -331,3 +506,140 @@ optional_policy(` +@@ -331,3 +507,140 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -25757,7 +25777,7 @@ index 3efd5b6..08c3e93 100644 + allow $1 login_pgm:process sigchld; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 104037e..98a441d 100644 +index 104037e..a2e2fcf 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2) @@ -25954,7 +25974,7 @@ index 104037e..98a441d 100644 miscfiles_read_generic_certs(pam_console_t) seutil_read_file_contexts(pam_console_t) -@@ -341,6 +362,10 @@ kernel_read_system_state(updpwd_t) +@@ -341,6 +362,11 @@ kernel_read_system_state(updpwd_t) dev_read_urand(updpwd_t) files_manage_etc_files(updpwd_t) 
@@ -25962,10 +25982,11 @@ index 104037e..98a441d 100644 + +mls_file_read_all_levels(updpwd_t) +mls_file_write_all_levels(updpwd_t) ++mls_file_downgrade(updpwd_t) term_dontaudit_use_console(updpwd_t) term_dontaudit_use_unallocated_ttys(updpwd_t) -@@ -350,9 +375,7 @@ auth_use_nsswitch(updpwd_t) +@@ -350,9 +376,7 @@ auth_use_nsswitch(updpwd_t) logging_send_syslog_msg(updpwd_t) @@ -25976,7 +25997,7 @@ index 104037e..98a441d 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -380,13 +403,15 @@ term_dontaudit_use_all_ttys(utempter_t) +@@ -380,13 +404,15 @@ term_dontaudit_use_all_ttys(utempter_t) term_dontaudit_use_all_ptys(utempter_t) term_dontaudit_use_ptmx(utempter_t) @@ -25993,7 +26014,7 @@ index 104037e..98a441d 100644 # Allow utemper to write to /tmp/.xses-* userdom_write_user_tmp_files(utempter_t) -@@ -397,19 +422,29 @@ ifdef(`distro_ubuntu',` +@@ -397,19 +423,29 @@ ifdef(`distro_ubuntu',` ') optional_policy(` @@ -26027,7 +26048,7 @@ index 104037e..98a441d 100644 files_list_var_lib(nsswitch_domain) # read /etc/nsswitch.conf -@@ -417,15 +452,21 @@ files_read_etc_files(nsswitch_domain) +@@ -417,15 +453,21 @@ files_read_etc_files(nsswitch_domain) sysnet_dns_name_resolve(nsswitch_domain) @@ -26051,7 +26072,7 @@ index 104037e..98a441d 100644 ldap_stream_connect(nsswitch_domain) ') ') -@@ -438,6 +479,7 @@ optional_policy(` +@@ -438,6 +480,7 @@ optional_policy(` likewise_stream_connect_lsassd(nsswitch_domain) ') @@ -26059,7 +26080,7 @@ index 104037e..98a441d 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -456,6 +498,8 @@ optional_policy(` +@@ -456,6 +499,8 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) @@ -26068,7 +26089,7 @@ index 104037e..98a441d 100644 ') optional_policy(` -@@ -463,3 +507,134 @@ optional_policy(` +@@ -463,3 +508,134 @@ optional_policy(` samba_read_var_files(nsswitch_domain) samba_dontaudit_write_var_files(nsswitch_domain) ') 
@@ -32915,7 +32936,7 @@ index 9933677..ca14c17 100644 + +/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0) diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if -index 7449974..6375786 100644 +index 7449974..28cb8a3 100644 --- a/policy/modules/system/modutils.if +++ b/policy/modules/system/modutils.if @@ -12,7 +12,7 @@ @@ -32972,7 +32993,32 @@ index 7449974..6375786 100644 ## Read the configuration options used when ## loading modules. ## -@@ -308,11 +346,18 @@ interface(`modutils_domtrans_update_mods',` +@@ -208,6 +246,24 @@ interface(`modutils_exec_insmod',` + can_exec($1, insmod_exec_t) + ') + ++####################################### ++## ++## Don't audit execute insmod in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`modutils_dontaudit_exec_insmod',` ++ gen_require(` ++ type insmod_exec_t; ++ ') ++ ++ dontaudit $1 insmod_exec_t:file exec_file_perms; ++') ++ + ######################################## + ## + ## Execute depmod in the depmod domain. +@@ -308,11 +364,18 @@ interface(`modutils_domtrans_update_mods',` # interface(`modutils_run_update_mods',` gen_require(` @@ -32993,7 +33039,7 @@ index 7449974..6375786 100644 ') ######################################## -@@ -333,3 +378,25 @@ interface(`modutils_exec_update_mods',` +@@ -333,3 +396,25 @@ interface(`modutils_exec_update_mods',` corecmd_search_bin($1) can_exec($1, update_modules_exec_t) ') @@ -35716,7 +35762,7 @@ index 346a7cc..42a48b6 100644 +/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0) +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 6944526..0bd8d93 100644 +index 6944526..c9ab542 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` 
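Review bot: The new `modutils_dontaudit_exec_insmod` interface in the modutils.if hunk documents its parameter as `Domain allowed access.`, which is the wording for an allow interface; since the body is `dontaudit $1 insmod_exec_t:file exec_file_perms;` the parameter text should be `## Domain to not audit.`. The summary `Don't audit execute insmod in the caller domain.` would also read better as `## Do not audit attempts to execute insmod in the caller domain.`, matching the phrasing used by the other dontaudit interfaces in this file.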
@@ -35750,6 +35796,15 @@ index 6944526..0bd8d93 100644 ') ######################################## +@@ -212,7 +231,7 @@ interface(`sysnet_rw_dhcp_config',` + ') + + files_search_etc($1) +- allow $1 dhcp_etc_t:file rw_file_perms; ++ rw_files_pattern($1, dhcp_etc_t, dhcp_etc_t) + ') + + ######################################## @@ -250,6 +269,7 @@ interface(`sysnet_read_dhcpc_state',` type dhcpc_state_t; ') @@ -36503,10 +36558,10 @@ index 0000000..e9f1096 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..35b4178 +index 0000000..1d9bdfd --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1400 @@ +@@ -0,0 +1,1419 @@ +## SELinux policy for systemd components + +###################################### @@ -37785,6 +37840,25 @@ index 0000000..35b4178 + allow $1 power_unit_file_t:service start; +') + ++######################################## ++## ++## Status power unit files domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`systemd_status_power_services',` ++ gen_require(` ++ type power_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 power_unit_file_t:service status; ++') ++ +####################################### +## +## Start power unit files domain. @@ -37909,10 +37983,10 @@ index 0000000..35b4178 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..c31945a +index 0000000..2109915 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,652 @@ +@@ -0,0 +1,653 @@ +policy_module(systemd, 1.0.0) + +####################################### 
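Review bot: The new `systemd_status_power_services` interface in the systemd.if hunk documents its parameter as `Domain allowed to transition.`, but the body grants only `power_unit_file_t:service status` plus `systemd_exec_systemctl($1)` and performs no domain transition; the text looks copied from the neighbouring start interface and should be `## Domain allowed access.`. The summary `Status power unit files domain.` would be clearer as `## Get the status of power unit files.`, so readers can distinguish it from the start interface that follows.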
@@ -38212,6 +38286,7 @@ index 0000000..c31945a +files_read_generic_tmp_symlinks(systemd_tmpfiles_t) +files_setattr_all_tmp_dirs(systemd_tmpfiles_t) +files_delete_boot_flag(systemd_tmpfiles_t) ++files_delete_all_non_security_dirs(systemd_tmpfiles_t) +files_delete_all_non_security_files(systemd_tmpfiles_t) +files_delete_all_pid_sockets(systemd_tmpfiles_t) +files_delete_all_pid_pipes(systemd_tmpfiles_t) @@ -38524,7 +38599,7 @@ index 0000000..c31945a +# +# systemd_sysctl domains local policy +# -+allow systemd_sysctl_t self:capability net_admin; ++allow systemd_sysctl_t self:capability { sys_admin net_admin }; +allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms; + +kernel_dgram_send(systemd_sysctl_t) @@ -38863,7 +38938,7 @@ index 0f64692..d7e8a01 100644 ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index a5ec88b..de9d585 100644 +index a5ec88b..f10561b 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -39054,7 +39129,7 @@ index a5ec88b..de9d585 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) -@@ -226,19 +248,34 @@ optional_policy(` +@@ -226,19 +248,38 @@ optional_policy(` optional_policy(` cups_domtrans_config(udev_t) @@ -39081,6 +39156,10 @@ index a5ec88b..de9d585 100644 + +optional_policy(` + gpsd_domtrans(udev_t) ++') ++ ++optional_policy(` ++ kdump_systemctl(udev_t) ') optional_policy(` @@ -39089,7 +39168,7 @@ index a5ec88b..de9d585 100644 ') optional_policy(` -@@ -264,6 +301,10 @@ optional_policy(` +@@ -264,6 +305,10 @@ optional_policy(` ') optional_policy(` @@ -39100,7 +39179,7 @@ index a5ec88b..de9d585 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -278,6 +319,15 @@ optional_policy(` +@@ -278,6 +323,15 @@ optional_policy(` ') optional_policy(` 
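Review bot: `allow systemd_sysctl_t self:capability { sys_admin net_admin };` in the systemd.te hunk adds CAP_SYS_ADMIN to the sysctl helper with no comment on which sysctl write requires it; sys_admin is the broadest capability in the policy and is normally granted in response to a specific denial, so the rule should record that, e.g. `# sys_admin: required by <the sysctl key that was denied>` with the real key filled in. If the triggering operation turns out to be narrower, a targeted permission for it would be preferable to the whole capability; that cannot be judged from the patch as written.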
@@ -39116,7 +39195,7 @@ index a5ec88b..de9d585 100644 unconfined_signal(udev_t) ') -@@ -290,6 +340,7 @@ optional_policy(` +@@ -290,6 +344,7 @@ optional_policy(` kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t) diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 9cb2d5a..206fded 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -3032,7 +3032,7 @@ index 0000000..8ba9c95 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 550a69e..a7b579a 100644 +index 550a69e..ecca81c 100644 --- a/apache.fc +++ b/apache.fc @@ -1,161 +1,205 @@ @@ -3354,7 +3354,7 @@ index 550a69e..a7b579a 100644 +/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + +/var/www/html(/.*)?/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+ ++/var/www/html(/.*)?/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + +/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) @@ -3380,7 +3380,7 @@ index 550a69e..a7b579a 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index 83e899c..fac6fe5 100644 +index 83e899c..64beed7 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ 
@@ -4027,131 +4027,166 @@ index 83e899c..fac6fe5 100644 -## Create, read, write, and delete -## httpd log files. +## Allow the specified domain to manage -+## to apache log files. ++## to apache var lib files. ## ## ## -@@ -698,47 +762,49 @@ interface(`apache_manage_log',` - read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) +@@ -687,20 +751,21 @@ interface(`apache_dontaudit_append_log',` + ## + ## + # +-interface(`apache_manage_log',` ++interface(`apache_manage_lib',` + gen_require(` +- type httpd_log_t; ++ type httpd_var_lib_t; + ') + +- logging_search_logs($1) +- manage_dirs_pattern($1, httpd_log_t, httpd_log_t) +- manage_files_pattern($1, httpd_log_t, httpd_log_t) +- read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, httpd_var_lib_t, httpd_var_lib_t) ++ manage_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t) ++ read_lnk_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t) ') -####################################### +######################################## ## -## Write apache log files. -+## Do not audit attempts to search Apache -+## module directories. ++## Allow the specified domain to manage ++## to apache log files. ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -708,19 +773,21 @@ interface(`apache_manage_log',` ## ## # -interface(`apache_write_log',` -+interface(`apache_dontaudit_search_modules',` ++interface(`apache_manage_log',` gen_require(` -- type httpd_log_t; -+ type httpd_modules_t; + type httpd_log_t; ') -- logging_search_logs($1) + logging_search_logs($1) - write_files_pattern($1, httpd_log_t, httpd_log_t) -+ dontaudit $1 httpd_modules_t:dir search_dir_perms; ++ manage_dirs_pattern($1, httpd_log_t, httpd_log_t) ++ manage_files_pattern($1, httpd_log_t, httpd_log_t) ++ read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) ') ######################################## ## -## Do not audit attempts to search -## httpd module directories. 
++## Do not audit attempts to search Apache ++## module directories. + ## + ## + ## +@@ -738,7 +805,8 @@ interface(`apache_dontaudit_search_modules',` + + ######################################## + ## +-## List httpd module directories. +## Allow the specified domain to read +## the apache module directories. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -746,17 +814,19 @@ interface(`apache_dontaudit_search_modules',` ## ## # --interface(`apache_dontaudit_search_modules',` +-interface(`apache_list_modules',` +interface(`apache_read_modules',` gen_require(` type httpd_modules_t; ') -- dontaudit $1 httpd_modules_t:dir search_dir_perms; +- allow $1 httpd_modules_t:dir list_dir_perms; + read_files_pattern($1, httpd_modules_t, httpd_modules_t) ') ######################################## ## --## List httpd module directories. +-## Execute httpd module files. +## Allow the specified domain to list +## the contents of the apache modules +## directory. ## ## ## -@@ -752,11 +818,13 @@ interface(`apache_list_modules',` +@@ -764,19 +834,19 @@ interface(`apache_list_modules',` + ## + ## + # +-interface(`apache_exec_modules',` ++interface(`apache_list_modules',` + gen_require(` + type httpd_modules_t; ') allow $1 httpd_modules_t:dir list_dir_perms; +- allow $1 httpd_modules_t:lnk_file read_lnk_file_perms; +- can_exec($1, httpd_modules_t) + read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t) ') ######################################## ## --## Execute httpd module files. +-## Read httpd module files. +## Allow the specified domain to execute +## apache modules. ## ## ## -@@ -776,46 +844,63 @@ interface(`apache_exec_modules',` - - ######################################## - ## --## Read httpd module files. -+## Execute a domain transition to run httpd_rotatelogs. - ## - ## - ## --## Domain allowed access. -+## Domain allowed to transition. 
+@@ -784,19 +854,19 @@ interface(`apache_exec_modules',` ## ## # -interface(`apache_read_module_files',` -+interface(`apache_domtrans_rotatelogs',` ++interface(`apache_exec_modules',` gen_require(` -- type httpd_modules_t; -+ type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; + type httpd_modules_t; ') - libs_search_lib($1) - read_files_pattern($1, httpd_modules_t, httpd_modules_t) -+ domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) ++ allow $1 httpd_modules_t:dir list_dir_perms; ++ allow $1 httpd_modules_t:lnk_file read_lnk_file_perms; ++ can_exec($1, httpd_modules_t) ') --######################################## -+####################################### + ######################################## ## -## Execute a domain transition to -## run httpd_rotatelogs. -+## Execute httpd_rotatelogs in the caller domain. ++## Execute a domain transition to run httpd_rotatelogs. ## ## --## --## Domain allowed to transition. --## + ## +@@ -809,13 +879,50 @@ interface(`apache_domtrans_rotatelogs',` + type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) + ') + ++####################################### ++## ++## Execute httpd_rotatelogs in the caller domain. ++## ++## +## +## Domain allowed to transition. +## - ## - # --interface(`apache_domtrans_rotatelogs',` ++## ++# +interface(`apache_exec_rotatelogs',` + gen_require(` + type httpd_rotatelogs_exec_t; 
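Review bot: The summaries of the new `apache_manage_lib` and renamed `apache_manage_log` interfaces in this apache.if hunk read `Allow the specified domain to manage` / `to apache var lib files.` and `to apache log files.`, which yields "manage to apache ..."; the second line of each should drop the leading `to`, i.e. `## apache var lib files.` and `## apache log files.`. The reordering of the module interfaces otherwise keeps each body paired with its documentation, so this is wording only.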
@@ -4171,17 +4206,14 @@ index 83e899c..fac6fe5 100644 +## +# +interface(`apache_exec_sys_script',` - gen_require(` -- type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; ++ gen_require(` + type httpd_sys_script_exec_t; - ') - -- corecmd_search_bin($1) -- domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) ++ ') ++ + allow $1 httpd_sys_script_exec_t:dir search_dir_perms; + can_exec($1, httpd_sys_script_exec_t) - ') - ++') ++ ######################################## ## -## List httpd system content directories. @@ -4190,7 +4222,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -829,13 +914,14 @@ interface(`apache_list_sys_content',` +@@ -829,13 +936,14 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -4207,7 +4239,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -844,6 +930,7 @@ interface(`apache_list_sys_content',` +@@ -844,6 +952,7 @@ interface(`apache_list_sys_content',` ## ## # @@ -4215,23 +4247,21 @@ index 83e899c..fac6fe5 100644 interface(`apache_manage_sys_content',` gen_require(` type httpd_sys_content_t; -@@ -855,32 +942,98 @@ interface(`apache_manage_sys_content',` +@@ -855,32 +964,98 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') -######################################## +###################################### - ## --## Create, read, write, and delete --## httpd system rw content. ++## +## Allow the specified domain to read +## apache system content rw files. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## +# +interface(`apache_read_sys_content_rw_files',` 
@@ -4243,22 +4273,26 @@ index 83e899c..fac6fe5 100644 +') + +###################################### -+## + ## +-## Create, read, write, and delete +-## httpd system rw content. +## Allow the specified domain to read +## apache system content rw dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`apache_manage_sys_rw_content',` +interface(`apache_read_sys_content_rw_dirs',` -+ gen_require(` -+ type httpd_sys_rw_content_t; -+ ') -+ + gen_require(` + type httpd_sys_rw_content_t; + ') + +- apache_search_sys_content($1) + list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +') + @@ -4273,14 +4307,12 @@ index 83e899c..fac6fe5 100644 +## +## +## - # --interface(`apache_manage_sys_rw_content',` ++# +interface(`apache_manage_sys_content_rw',` - gen_require(` - type httpd_sys_rw_content_t; - ') - -- apache_search_sys_content($1) ++ gen_require(` ++ type httpd_sys_rw_content_t; ++ ') ++ + files_search_var($1) manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) - manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t) @@ -4322,7 +4354,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -888,10 +1041,17 @@ interface(`apache_manage_sys_rw_content',` +@@ -888,10 +1063,17 @@ interface(`apache_manage_sys_rw_content',` ## ## # @@ -4341,7 +4373,7 @@ index 83e899c..fac6fe5 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -901,9 +1061,8 @@ interface(`apache_domtrans_sys_script',` +@@ -901,9 +1083,8 @@ interface(`apache_domtrans_sys_script',` ######################################## ## @@ -4353,7 +4385,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -941,7 +1100,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -941,7 +1122,7 @@ interface(`apache_domtrans_all_scripts',` ######################################## ## ## Execute all user scripts in the user 
@@ -4362,7 +4394,7 @@ index 83e899c..fac6fe5 100644 ## to the specified role. ## ## -@@ -954,6 +1113,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -954,6 +1135,7 @@ interface(`apache_domtrans_all_scripts',` ## Role allowed access. ## ## @@ -4370,7 +4402,7 @@ index 83e899c..fac6fe5 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -966,7 +1126,8 @@ interface(`apache_run_all_scripts',` +@@ -966,7 +1148,8 @@ interface(`apache_run_all_scripts',` ######################################## ## @@ -4380,7 +4412,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -979,12 +1140,13 @@ interface(`apache_read_squirrelmail_data',` +@@ -979,12 +1162,13 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -4396,7 +4428,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -1002,7 +1164,7 @@ interface(`apache_append_squirrelmail_data',` +@@ -1002,7 +1186,7 @@ interface(`apache_append_squirrelmail_data',` ######################################## ## @@ -4405,7 +4437,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -1015,13 +1177,12 @@ interface(`apache_search_sys_content',` +@@ -1015,13 +1199,12 @@ interface(`apache_search_sys_content',` type httpd_sys_content_t; ') @@ -4420,7 +4452,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -1041,7 +1202,7 @@ interface(`apache_read_sys_content',` +@@ -1041,7 +1224,7 @@ interface(`apache_read_sys_content',` ######################################## ## @@ -4429,7 +4461,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -1059,8 +1220,7 @@ interface(`apache_search_sys_scripts',` +@@ -1059,8 +1242,7 @@ interface(`apache_search_sys_scripts',` ######################################## ## @@ -4439,7 +4471,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -1070,13 +1230,22 @@ interface(`apache_search_sys_scripts',` +@@ -1070,13 +1252,22 @@ interface(`apache_search_sys_scripts',` ## # interface(`apache_manage_all_user_content',` 
@@ -4465,7 +4497,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -1094,7 +1263,8 @@ interface(`apache_search_sys_script_state',` +@@ -1094,7 +1285,8 @@ interface(`apache_search_sys_script_state',` ######################################## ## @@ -4475,7 +4507,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -1111,10 +1281,29 @@ interface(`apache_read_tmp_files',` +@@ -1111,10 +1303,29 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -4507,7 +4539,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -1127,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1127,7 +1338,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -4516,7 +4548,7 @@ index 83e899c..fac6fe5 100644 ') ######################################## -@@ -1136,6 +1325,9 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1136,6 +1347,9 @@ interface(`apache_dontaudit_write_tmp_files',` ## ## ##

@@ -4526,7 +4558,7 @@ index 83e899c..fac6fe5 100644 ## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. -@@ -1165,8 +1357,30 @@ interface(`apache_cgi_domain',` +@@ -1165,8 +1379,30 @@ interface(`apache_cgi_domain',` ######################################## ##

@@ -4559,7 +4591,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -1183,18 +1397,19 @@ interface(`apache_cgi_domain',` +@@ -1183,18 +1419,19 @@ interface(`apache_cgi_domain',` interface(`apache_admin',` gen_require(` attribute httpdcontent, httpd_script_exec_type; @@ -4588,7 +4620,7 @@ index 83e899c..fac6fe5 100644 init_labeled_script_domtrans($1, httpd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1204,10 +1419,10 @@ interface(`apache_admin',` +@@ -1204,10 +1441,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) @@ -4602,7 +4634,7 @@ index 83e899c..fac6fe5 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1218,9 +1433,129 @@ interface(`apache_admin',` +@@ -1218,9 +1455,141 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -4666,7 +4698,19 @@ index 83e899c..fac6fe5 100644 + + + apache_filetrans_home_content($1) ++ files_usr_filetrans($1, httpd_sys_content_t, dir, "gallery2") ++ files_usr_filetrans($1, httpd_sys_content_t, dir, "z-push") ++ files_etc_filetrans($1, httpd_sys_content_t, dir, "z-push") ++ files_etc_filetrans($1, httpd_sys_content_t, dir, "web") ++ files_etc_filetrans($1, httpd_sys_content_t, dir, "WebCalendar") ++ files_etc_filetrans($1, httpd_sys_content_t, dir, "htdig") ++ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "horde") ++ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "owncloud") + filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php") ++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "smarty") ++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "uploads") ++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "wp-content") ++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "upgrade") + userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache") +') + 
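Review bot: The new name-based `filetrans_pattern` rules for `smarty`, `uploads`, `wp-content` and `upgrade` in the `@@ -1218,9 +1455,141 @@` hunk of apache.if key only on the directory name and an httpd_sys_content_t parent, so a directory of that name created by an admin domain anywhere under httpd_sys_content_t comes out as httpd_sys_rw_content_t, not only inside the web application these names were presumably taken from. The `files_etc_filetrans` rules for `horde` and `owncloud` likewise label freshly created /etc directories as httpd-writable content. Both are probably intended, but a comment above the group, e.g. `# name-based transitions: match every httpd_sys_content_t parent, not just one app root`, would keep the widening visible to the next reader. The enclosing `apache_admin` interface begins outside this hunk.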
@@ -7090,7 +7134,7 @@ index f3c0aba..b6afc90 100644 + allow $1 apcupsd_unit_file_t:service all_service_perms; ') diff --git a/apcupsd.te b/apcupsd.te -index b236327..7b2142b 100644 +index b236327..11fcb66 100644 --- a/apcupsd.te +++ b/apcupsd.te @@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t) @@ -7131,7 +7175,7 @@ index b236327..7b2142b 100644 corenet_udp_bind_snmp_port(apcupsd_t) corenet_sendrecv_snmp_server_packets(apcupsd_t) -@@ -74,19 +76,25 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) +@@ -74,19 +76,23 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) dev_rw_generic_usb_dev(apcupsd_t) @@ -7146,22 +7190,32 @@ index b236327..7b2142b 100644 +#apcupsd runs shutdown, probably need a shutdown domain +init_rw_utmp(apcupsd_t) +init_telinit(apcupsd_t) ++ ++auth_use_nsswitch(apcupsd_t) -miscfiles_read_localization(apcupsd_t) -+auth_use_nsswitch(apcupsd_t) -+ +logging_send_syslog_msg(apcupsd_t) sysnet_dns_name_resolve(apcupsd_t) -userdom_use_user_ttys(apcupsd_t) -+systemd_start_power_services(apcupsd_t) -+ +userdom_use_inherited_user_ttys(apcupsd_t) optional_policy(` hostname_exec(apcupsd_t) -@@ -112,7 +120,6 @@ optional_policy(` +@@ -101,6 +107,11 @@ optional_policy(` + shutdown_domtrans(apcupsd_t) + ') + ++optional_policy(` ++ systemd_start_power_services(apcupsd_t) ++ systemd_status_power_services(apcupsd_t) ++') ++ + ######################################## + # + # CGI local policy +@@ -112,7 +123,6 @@ optional_policy(` allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms; @@ -10510,7 +10564,7 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 2354e21..fb8c9ed 100644 +index 2354e21..fb4590f 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t) 
@@ -10577,9 +10631,10 @@ index 2354e21..fb8c9ed 100644 -miscfiles_read_localization(certmonger_t) miscfiles_manage_generic_cert_files(certmonger_t) +-userdom_search_user_home_content(certmonger_t) +systemd_exec_systemctl(certmonger_t) + - userdom_search_user_home_content(certmonger_t) ++userdom_manage_home_certs(certmonger_t) optional_policy(` - apache_initrc_domtrans(certmonger_t) @@ -10612,7 +10667,7 @@ index 2354e21..fb8c9ed 100644 + +optional_policy(` + pki_rw_tomcat_cert(certmonger_t) -+ pki_read_tomcat_lib_files(certmonger_t) ++ pki_read_tomcat_lib_files(certmonger_t) +') + +######################################## @@ -10852,7 +10907,7 @@ index 85ca63f..1d1c99c 100644 admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) files_list_etc($1) diff --git a/cgroup.te b/cgroup.te -index fdee107..7a38b63 100644 +index fdee107..9bb9ad1 100644 --- a/cgroup.te +++ b/cgroup.te @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) @@ -10905,13 +10960,15 @@ index fdee107..7a38b63 100644 allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:unix_dgram_socket { write create connect }; -@@ -99,10 +102,10 @@ domain_setpriority_all_domains(cgred_t) +@@ -99,10 +102,11 @@ domain_setpriority_all_domains(cgred_t) files_getattr_all_files(cgred_t) files_getattr_all_sockets(cgred_t) files_read_all_symlinks(cgred_t) -files_read_etc_files(cgred_t) - fs_write_cgroup_files(cgred_t) +-fs_write_cgroup_files(cgred_t) ++fs_manage_cgroup_dirs(cgred_t) ++fs_manage_cgroup_files(cgred_t) +fs_list_inotifyfs(cgred_t) -logging_send_syslog_msg(cgred_t) @@ -12593,7 +12650,7 @@ index c223f81..8b567c1 100644 - admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) ') diff --git a/cobbler.te b/cobbler.te -index 2a71346..8c4ac39 100644 +index 2a71346..3a38b11 100644 --- a/cobbler.te +++ b/cobbler.te @@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) 
@@ -12642,23 +12699,42 @@ index 2a71346..8c4ac39 100644 ') optional_policy(` -+ apache_domtrans(cobblerd_t) ++ apache_domtrans(cobblerd_t) apache_search_sys_content(cobblerd_t) ') -@@ -188,17 +191,25 @@ optional_policy(` +@@ -170,6 +173,7 @@ optional_policy(` + bind_domtrans(cobblerd_t) + bind_initrc_domtrans(cobblerd_t) + bind_manage_zone(cobblerd_t) ++ bind_systemctl(cobblerd_t) ') optional_policy(` -+ libs_exec_ldconfig(cobblerd_t) +@@ -179,12 +183,22 @@ optional_policy(` + optional_policy(` + dhcpd_domtrans(cobblerd_t) + dhcpd_initrc_domtrans(cobblerd_t) ++ dhcpd_systemctl(cobblerd_t) + ') + + optional_policy(` + dnsmasq_domtrans(cobblerd_t) + dnsmasq_initrc_domtrans(cobblerd_t) + dnsmasq_write_config(cobblerd_t) ++ dnsmasq_systemctl(cobblerd_t) +') + +optional_policy(` -+ mysql_stream_connect(cobblerd_t) ++ libs_exec_ldconfig(cobblerd_t) +') + +optional_policy(` - rpm_exec(cobblerd_t) ++ mysql_stream_connect(cobblerd_t) + ') + + optional_policy(` +@@ -192,13 +206,13 @@ optional_policy(` ') optional_policy(` @@ -16119,7 +16195,7 @@ index 1303b30..058864e 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 28e1b86..f871609 100644 +index 28e1b86..0cf34ad 100644 --- a/cron.te +++ b/cron.te @@ -1,4 +1,4 @@ @@ -16769,7 +16845,7 @@ index 28e1b86..f871609 100644 selinux_validate_context(system_cronjob_t) selinux_compute_access_vector(system_cronjob_t) selinux_compute_create_context(system_cronjob_t) -@@ -534,10 +523,17 @@ tunable_policy(`cron_can_relabel',` +@@ -534,10 +523,18 @@ tunable_policy(`cron_can_relabel',` ') optional_policy(` @@ -16778,6 +16854,7 @@ index 28e1b86..f871609 100644 apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) ++ apache_manage_lib(system_cronjob_t) + apache_delete_cache_dirs(system_cronjob_t) + apache_delete_cache_files(system_cronjob_t) +') 
@@ -16787,7 +16864,7 @@ index 28e1b86..f871609 100644 ') optional_policy(` -@@ -546,10 +542,6 @@ optional_policy(` +@@ -546,10 +543,6 @@ optional_policy(` optional_policy(` dbus_system_bus_client(system_cronjob_t) @@ -16798,7 +16875,7 @@ index 28e1b86..f871609 100644 ') optional_policy(` -@@ -581,6 +573,7 @@ optional_policy(` +@@ -581,6 +574,7 @@ optional_policy(` optional_policy(` mta_read_config(system_cronjob_t) mta_send_mail(system_cronjob_t) @@ -16806,7 +16883,7 @@ index 28e1b86..f871609 100644 ') optional_policy(` -@@ -588,15 +581,19 @@ optional_policy(` +@@ -588,15 +582,19 @@ optional_policy(` ') optional_policy(` @@ -16828,7 +16905,7 @@ index 28e1b86..f871609 100644 ') optional_policy(` -@@ -606,6 +603,7 @@ optional_policy(` +@@ -606,6 +604,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -16836,7 +16913,7 @@ index 28e1b86..f871609 100644 ') optional_policy(` -@@ -613,12 +611,24 @@ optional_policy(` +@@ -613,12 +612,24 @@ optional_policy(` ') optional_policy(` @@ -16863,7 +16940,7 @@ index 28e1b86..f871609 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -626,12 +636,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -626,12 +637,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; @@ -16897,7 +16974,7 @@ index 28e1b86..f871609 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -639,84 +669,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -639,84 +670,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -25560,18 +25637,19 @@ index c12c067..a415012 100644 optional_policy(` 
diff --git a/fprintd.te b/fprintd.te -index c81b6e8..34e1f1c 100644 +index c81b6e8..6f2c7b8 100644 --- a/fprintd.te +++ b/fprintd.te -@@ -20,6 +20,7 @@ files_type(fprintd_var_lib_t) +@@ -20,6 +20,8 @@ files_type(fprintd_var_lib_t) allow fprintd_t self:capability sys_nice; allow fprintd_t self:process { getsched setsched signal sigkill }; allow fprintd_t self:fifo_file rw_fifo_file_perms; +allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms; ++allow fprintd_t self:unix_dgram_socket { create_socket_perms sendto }; manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) -@@ -28,16 +29,13 @@ kernel_read_system_state(fprintd_t) +@@ -28,15 +30,14 @@ kernel_read_system_state(fprintd_t) dev_list_usbfs(fprintd_t) dev_read_sysfs(fprintd_t) @@ -25585,11 +25663,11 @@ index c81b6e8..34e1f1c 100644 auth_use_nsswitch(fprintd_t) -miscfiles_read_localization(fprintd_t) -- ++logging_send_syslog_msg(fprintd_t) + userdom_use_user_ptys(fprintd_t) userdom_read_all_users_state(fprintd_t) - -@@ -54,8 +52,13 @@ optional_policy(` +@@ -54,8 +55,13 @@ optional_policy(` ') ') @@ -26939,10 +27017,10 @@ index 0000000..1ed97fe + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..3a71ad6 +index 0000000..ed9fdd0 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,199 @@ +@@ -0,0 +1,200 @@ +policy_module(glusterfs, 1.0.1) + +## 
@@ -27034,12 +27112,13 @@ index 0000000..3a71ad6 + +manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) +manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) -+#manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) ++manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) +files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir) +relabel_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) + +manage_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) +manage_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) ++manage_fifo_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) +manage_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) +relabel_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) +relabel_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) @@ -31039,10 +31118,10 @@ index 0000000..3ce0ac0 +') diff --git a/gssproxy.te b/gssproxy.te new file mode 100644 -index 0000000..5044e7b +index 0000000..bbd5979 --- /dev/null +++ b/gssproxy.te -@@ -0,0 +1,66 @@ +@@ -0,0 +1,68 @@ +policy_module(gssproxy, 1.0.0) + +######################################## @@ -31067,6 +31146,7 @@ index 0000000..5044e7b +# +# gssproxy local policy +# ++allow gssproxy_t self:capability { setuid setgid }; +allow gssproxy_t self:capability2 block_suspend; +allow gssproxy_t self:fifo_file rw_fifo_file_perms; +allow gssproxy_t self:unix_stream_socket create_stream_socket_perms; @@ -31097,6 +31177,7 @@ index 0000000..5044e7b + +miscfiles_read_localization(gssproxy_t) + ++userdom_read_all_users_keys(gssproxy_t) +userdom_manage_user_tmp_dirs(gssproxy_t) +userdom_manage_user_tmp_files(gssproxy_t) + @@ -31944,7 +32025,7 @@ index ac00fb0..36ef2e5 100644 + userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs") ') diff --git a/irc.te b/irc.te -index ecad9c7..e413e5a 100644 +index ecad9c7..abf0b2d 100644 --- a/irc.te 
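Review bot: `allow gssproxy_t self:capability { setuid setgid };` (hunk `@@ -31067,6 +31146,7 @@`) and `userdom_read_all_users_keys(gssproxy_t)` (hunk `@@ -31097,6 +31177,7 @@`) are the broadest grants added to gssproxy.te and carry no comment. Changing uid/gid plus reading every user's kernel keyring is a privilege boundary a reviewer will want justified; presumably gssproxy handles credentials on behalf of calling users, but that cannot be confirmed from the hunk. Suggest a comment above the capability line such as `# gssproxy switches uid/gid and reads user keyrings to serve credentials on users' behalf -- TODO confirm exact need`. Keeping the keyring access read-only, as the chosen interface does, is the right shape; anything wider should not be added without the same justification.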
+++ b/irc.te @@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t @@ -32002,23 +32083,27 @@ index ecad9c7..e413e5a 100644 manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t) manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) -@@ -70,7 +86,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) +@@ -70,7 +86,9 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) kernel_read_system_state(irc_t) -corenet_all_recvfrom_unlabeled(irc_t) ++corecmd_exec_shell(irc_t) ++corecmd_exec_bin(irc_t) ++ corenet_all_recvfrom_netlabel(irc_t) corenet_tcp_sendrecv_generic_if(irc_t) corenet_tcp_sendrecv_generic_node(irc_t) -@@ -93,7 +108,6 @@ dev_read_rand(irc_t) +@@ -93,8 +111,6 @@ dev_read_rand(irc_t) domain_use_interactive_fds(irc_t) -files_read_usr_files(irc_t) - +- fs_getattr_all_fs(irc_t) fs_search_auto_mountpoints(irc_t) -@@ -106,15 +120,18 @@ auth_use_nsswitch(irc_t) + +@@ -106,15 +122,18 @@ auth_use_nsswitch(irc_t) init_read_utmp(irc_t) init_dontaudit_lock_utmp(irc_t) @@ -32039,7 +32124,7 @@ index ecad9c7..e413e5a 100644 corenet_sendrecv_all_server_packets(irc_t) corenet_tcp_bind_all_unreserved_ports(irc_t) corenet_sendrecv_all_client_packets(irc_t) -@@ -122,18 +139,71 @@ tunable_policy(`irc_use_any_tcp_ports',` +@@ -122,18 +141,71 @@ tunable_policy(`irc_use_any_tcp_ports',` corenet_tcp_sendrecv_all_ports(irc_t) ') @@ -32076,7 +32161,7 @@ index ecad9c7..e413e5a 100644 + +kernel_read_system_state(irssi_t) + -+corecmd_search_bin(irssi_t) ++corecmd_exec_shell(irssi_t) +corecmd_read_bin_symlinks(irssi_t) + +corenet_tcp_connect_ircd_port(irssi_t) @@ -40275,16 +40360,16 @@ index 0000000..c713b27 +/var/run/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_run_t,s0) diff --git a/mirrormanager.if b/mirrormanager.if new file mode 100644 -index 0000000..7ba3eed +index 0000000..dd049c7 --- /dev/null 
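Review bot: `corecmd_exec_shell(irc_t)` and `corecmd_exec_bin(irc_t)` in the `@@ -70,7 +86,9 @@` hunk of irc.te let the IRC client domain run any shell and any generic binary in its own domain, and the `@@ -122,18 +141,71 @@` hunk makes the same move for irssi_t by replacing `corecmd_search_bin(irssi_t)` with `corecmd_exec_shell(irssi_t)`. Neither line says which client feature requires it (a script or external-command hook seems likely, but that is a guess). A short comment above each, e.g. `# client runs external commands/scripts through a shell -- TODO name the feature`, or a narrower exec rule if only one helper is involved, would make the widening reviewable later.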
+++ b/mirrormanager.if -@@ -0,0 +1,222 @@ +@@ -0,0 +1,224 @@ + +## policy for mirrormanager + +######################################## +## -+## Execute TEMPLATE in the mirrormanager domin. ++## Execute mirrormanager in the mirrormanager domin. +## +## +## @@ -40300,6 +40385,7 @@ index 0000000..7ba3eed + corecmd_search_bin($1) + domtrans_pattern($1, mirrormanager_exec_t, mirrormanager_t) +') ++ +######################################## +## +## Read mirrormanager's log files. @@ -40496,6 +40582,7 @@ index 0000000..7ba3eed + + files_search_pids($1) + admin_pattern($1, mirrormanager_var_run_t) ++ + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) @@ -40503,10 +40590,10 @@ index 0000000..7ba3eed +') diff --git a/mirrormanager.te b/mirrormanager.te new file mode 100644 -index 0000000..a19c096 +index 0000000..841b732 --- /dev/null +++ b/mirrormanager.te -@@ -0,0 +1,47 @@ +@@ -0,0 +1,43 @@ +policy_module(mirrormanager, 1.0.0) + +######################################## 
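Review bot: The rewritten summary in mirrormanager.if, `## Execute mirrormanager in the mirrormanager domin.`, replaces the TEMPLATE placeholder but keeps the typo `domin`. It should read `## Execute mirrormanager in the mirrormanager domain.`. The interface body this summary documents lies in the following hunk.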
@@ -40531,29 +40618,25 @@ index 0000000..a19c096 +# +# mirrormanager local policy +# ++ +allow mirrormanager_t self:fifo_file rw_fifo_file_perms; +allow mirrormanager_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t) +manage_files_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t) +manage_lnk_files_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t) -+logging_log_filetrans(mirrormanager_t, mirrormanager_log_t, { dir file lnk_file }) ++logging_log_filetrans(mirrormanager_t, mirrormanager_log_t, { dir }) + +manage_dirs_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t) +manage_files_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t) +manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t) -+files_var_lib_filetrans(mirrormanager_t, mirrormanager_var_lib_t, { dir file lnk_file }) ++files_var_lib_filetrans(mirrormanager_t, mirrormanager_var_lib_t, { dir }) + +manage_dirs_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t) +manage_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t) +manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t) -+files_pid_filetrans(mirrormanager_t, mirrormanager_var_run_t, { dir file lnk_file }) -+ -+domain_use_interactive_fds(mirrormanager_t) ++files_pid_filetrans(mirrormanager_t, mirrormanager_var_run_t, { dir }) + -+files_read_etc_files(mirrormanager_t) -+ -+miscfiles_read_localization(mirrormanager_t) diff --git a/mock.fc b/mock.fc new file mode 100644 index 0000000..8d0e473 @@ -41239,7 +41322,7 @@ index b1ac8b5..9b22bea 100644 + ') +') diff --git a/modemmanager.te b/modemmanager.te -index cb4c13d..ab6fb25 100644 +index cb4c13d..9342be3 100644 --- a/modemmanager.te +++ b/modemmanager.te 
@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t) @@ -41252,12 +41335,15 @@ index cb4c13d..ab6fb25 100644 ######################################## # # Local policy -@@ -27,12 +30,12 @@ kernel_read_system_state(modemmanager_t) +@@ -25,14 +28,14 @@ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; + kernel_read_system_state(modemmanager_t) + dev_read_sysfs(modemmanager_t) ++dev_read_urand(modemmanager_t) dev_rw_modem(modemmanager_t) -files_read_etc_files(modemmanager_t) - +- term_use_generic_ptys(modemmanager_t) term_use_unallocated_ttys(modemmanager_t) +term_use_usb_ttys(modemmanager_t) @@ -41796,7 +41882,7 @@ index 6ffaba2..cb1e8b0 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..7fbb9e7 100644 +index 6194b80..b8952a1 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -41928,7 +42014,8 @@ index 6194b80..7fbb9e7 100644 - mozilla_run_plugin($2, $1) - mozilla_run_plugin_config($2, $1) -- ++ mozilla_filetrans_home_content($2) + - allow $2 { mozilla_plugin_t mozilla_plugin_config_t }:process { ptrace signal_perms }; - ps_process_pattern($2, { mozilla_plugin_t mozilla_plugin_config_t }) - @@ -41950,8 +42037,7 @@ index 6194b80..7fbb9e7 100644 - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix") -+ mozilla_filetrans_home_content($2) - +- - allow $2 mozilla_plugin_tmp_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 mozilla_plugin_tmp_t:file { manage_file_perms relabel_file_perms }; - allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; 
@@ -42306,7 +42392,7 @@ index 6194b80..7fbb9e7 100644 ## ## ## -@@ -433,76 +353,126 @@ interface(`mozilla_dbus_chat',` +@@ -433,76 +353,144 @@ interface(`mozilla_dbus_chat',` ## ## # @@ -42409,7 +42495,25 @@ index 6194b80..7fbb9e7 100644 + type mozilla_plugin_t; + ') + -+ allow $1 mozilla_plugin_t:sem { unix_read unix_write }; ++ dontaudit $1 mozilla_plugin_t:sem { associate unix_read unix_write }; ++') ++ ++####################################### ++## ++## Allow generict ipc read/write to a mozilla_plugin ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`mozilla_plugin_rw_sem',` ++ gen_require(` ++ type mozilla_plugin_t; ++ ') ++ ++ allow $1 mozilla_plugin_t:sem { associate unix_read unix_write }; ') ######################################## @@ -42462,7 +42566,7 @@ index 6194b80..7fbb9e7 100644 ## ## ## -@@ -510,19 +480,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` +@@ -510,19 +498,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` ## ## # @@ -42487,7 +42591,7 @@ index 6194b80..7fbb9e7 100644 ## ## ## -@@ -530,45 +499,56 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +517,56 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -42569,7 +42673,7 @@ index 6194b80..7fbb9e7 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..32542a8 100644 +index 6a306ee..bf3015e 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -42843,12 +42947,12 @@ index 6a306ee..32542a8 100644 - -userdom_manage_user_tmp_dirs(mozilla_t) -userdom_manage_user_tmp_files(mozilla_t) -+userdom_use_inherited_user_ptys(mozilla_t) - +- -userdom_manage_user_home_content_dirs(mozilla_t) -userdom_manage_user_home_content_files(mozilla_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) -- ++userdom_use_inherited_user_ptys(mozilla_t) + -userdom_write_user_tmp_sockets(mozilla_t) - -mozilla_run_plugin(mozilla_t, mozilla_roles) 
@@ -43276,12 +43380,12 @@ index 6a306ee..32542a8 100644 -userdom_manage_user_tmp_dirs(mozilla_plugin_t) -userdom_manage_user_tmp_files(mozilla_plugin_t) -- ++systemd_read_logind_sessions_files(mozilla_plugin_t) + -userdom_manage_user_home_content_dirs(mozilla_plugin_t) -userdom_manage_user_home_content_files(mozilla_plugin_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file }) -+systemd_read_logind_sessions_files(mozilla_plugin_t) - +- -userdom_write_user_tmp_sockets(mozilla_plugin_t) +term_getattr_all_ttys(mozilla_plugin_t) +term_getattr_all_ptys(mozilla_plugin_t) @@ -43406,16 +43510,20 @@ index 6a306ee..32542a8 100644 ') optional_policy(` -@@ -560,7 +568,7 @@ optional_policy(` +@@ -560,7 +568,11 @@ optional_policy(` ') optional_policy(` - pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles) ++ policykit_dbus_chat(mozilla_plugin_t) ++') ++ ++optional_policy(` + rtkit_scheduled(mozilla_plugin_t) ') optional_policy(` -@@ -568,108 +576,130 @@ optional_policy(` +@@ -568,108 +580,130 @@ optional_policy(` ') optional_policy(` @@ -43448,7 +43556,8 @@ index 6a306ee..32542a8 100644 -allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms; -- ++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; + -manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t }) -manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) 
@@ -43457,7 +43566,8 @@ index 6a306ee..32542a8 100644 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix") -+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; ++allow mozilla_plugin_config_t self:fifo_file rw_file_perms; ++allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia") 
@@ -43467,22 +43577,20 @@ index 6a306ee..32542a8 100644 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata") -+allow mozilla_plugin_config_t self:fifo_file rw_file_perms; -+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; - --filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") +ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t) --can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t }) +-filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") +dev_read_sysfs(mozilla_plugin_config_t) +dev_read_urand(mozilla_plugin_config_t) +dev_dontaudit_read_rand(mozilla_plugin_config_t) +dev_dontaudit_rw_dri(mozilla_plugin_config_t) --ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t) +-can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t }) +fs_search_auto_mountpoints(mozilla_plugin_config_t) +fs_list_inotifyfs(mozilla_plugin_config_t) +-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t) +- -kernel_read_system_state(mozilla_plugin_config_t) -kernel_request_load_module(mozilla_plugin_config_t) +can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t) @@ -44009,7 +44117,7 @@ index f42896c..cb2791a 100644 -/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if -index ed81cac..566684a 100644 +index ed81cac..26c97cd 100644 --- a/mta.if +++ b/mta.if @@ -1,4 +1,4 @@ 
@@ -44060,7 +44168,7 @@ index ed81cac..566684a 100644 # type $1_mail_t, user_mail_domain; -@@ -43,17 +57,16 @@ template(`mta_base_mail_template',` +@@ -43,17 +57,18 @@ template(`mta_base_mail_template',` type $1_mail_tmp_t; files_tmp_file($1_mail_tmp_t) @@ -44075,6 +44183,8 @@ index ed81cac..566684a 100644 + kernel_read_system_state($1_mail_t) + ++ corenet_all_recvfrom_netlabel($1_mail_t) ++ auth_use_nsswitch($1_mail_t) + logging_send_syslog_msg($1_mail_t) @@ -44082,7 +44192,7 @@ index ed81cac..566684a 100644 optional_policy(` postfix_domtrans_user_mail_handler($1_mail_t) ') -@@ -61,61 +74,41 @@ template(`mta_base_mail_template',` +@@ -61,61 +76,41 @@ template(`mta_base_mail_template',` ######################################## ## @@ -44154,7 +44264,7 @@ index ed81cac..566684a 100644 ') ') -@@ -163,125 +156,23 @@ interface(`mta_agent_executable',` +@@ -163,125 +158,23 @@ interface(`mta_agent_executable',` application_executable_file($1) ') @@ -44287,7 +44397,7 @@ index ed81cac..566684a 100644 ') ######################################## -@@ -334,7 +225,6 @@ interface(`mta_sendmail_mailserver',` +@@ -334,7 +227,6 @@ interface(`mta_sendmail_mailserver',` ') init_system_domain($1, sendmail_exec_t) @@ -44295,7 +44405,7 @@ index ed81cac..566684a 100644 typeattribute $1 mailserver_domain; ') -@@ -374,6 +264,15 @@ interface(`mta_mailserver_delivery',` +@@ -374,6 +266,15 @@ interface(`mta_mailserver_delivery',` ') typeattribute $1 mailserver_delivery; @@ -44311,7 +44421,7 @@ index ed81cac..566684a 100644 ') ####################################### -@@ -394,6 +293,12 @@ interface(`mta_mailserver_user_agent',` +@@ -394,6 +295,12 @@ interface(`mta_mailserver_user_agent',` ') typeattribute $1 mta_user_agent; @@ -44324,7 +44434,7 @@ index ed81cac..566684a 100644 ') ######################################## -@@ -408,14 +313,19 @@ interface(`mta_mailserver_user_agent',` +@@ -408,14 +315,19 @@ interface(`mta_mailserver_user_agent',` # interface(`mta_send_mail',` gen_require(` 
@@ -44346,7 +44456,7 @@ index ed81cac..566684a 100644 ') ######################################## -@@ -445,18 +355,24 @@ interface(`mta_send_mail',` +@@ -445,18 +357,24 @@ interface(`mta_send_mail',` # interface(`mta_sendmail_domtrans',` gen_require(` @@ -44376,7 +44486,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -464,7 +380,6 @@ interface(`mta_sendmail_domtrans',` +@@ -464,7 +382,6 @@ interface(`mta_sendmail_domtrans',` ## ## # @@ -44384,7 +44494,7 @@ index ed81cac..566684a 100644 interface(`mta_signal_system_mail',` gen_require(` type system_mail_t; -@@ -475,7 +390,43 @@ interface(`mta_signal_system_mail',` +@@ -475,7 +392,43 @@ interface(`mta_signal_system_mail',` ######################################## ## @@ -44429,7 +44539,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -506,13 +457,32 @@ interface(`mta_sendmail_exec',` +@@ -506,13 +459,32 @@ interface(`mta_sendmail_exec',` type sendmail_exec_t; ') @@ -44464,7 +44574,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -528,13 +498,13 @@ interface(`mta_read_config',` +@@ -528,13 +500,13 @@ interface(`mta_read_config',` files_search_etc($1) allow $1 etc_mail_t:dir list_dir_perms; @@ -44481,7 +44591,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -548,33 +518,31 @@ interface(`mta_write_config',` +@@ -548,33 +520,31 @@ interface(`mta_write_config',` type etc_mail_t; ') @@ -44521,7 +44631,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -582,84 +550,66 @@ interface(`mta_read_aliases',` +@@ -582,84 +552,66 @@ interface(`mta_read_aliases',` ## ## # @@ -44622,7 +44732,7 @@ index ed81cac..566684a 100644 ##
## ## -@@ -674,14 +624,13 @@ interface(`mta_rw_aliases',` +@@ -674,14 +626,13 @@ interface(`mta_rw_aliases',` ') files_search_etc($1) @@ -44640,7 +44750,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -697,6 +646,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',` +@@ -697,6 +648,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',` dontaudit $1 mailserver_delivery:tcp_socket { read write }; ') @@ -44666,7 +44776,7 @@ index ed81cac..566684a 100644 ####################################### ## ## Connect to all mail servers over TCP. (Deprecated) -@@ -713,8 +681,8 @@ interface(`mta_tcp_connect_all_mailservers',` +@@ -713,8 +683,8 @@ interface(`mta_tcp_connect_all_mailservers',` ####################################### ## @@ -44677,7 +44787,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -732,7 +700,7 @@ interface(`mta_dontaudit_read_spool_symlinks',` +@@ -732,7 +702,7 @@ interface(`mta_dontaudit_read_spool_symlinks',` ######################################## ## @@ -44686,7 +44796,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -753,8 +721,8 @@ interface(`mta_getattr_spool',` +@@ -753,8 +723,8 @@ interface(`mta_getattr_spool',` ######################################## ## @@ -44697,7 +44807,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -775,9 +743,8 @@ interface(`mta_dontaudit_getattr_spool_files',` +@@ -775,9 +745,8 @@ interface(`mta_dontaudit_getattr_spool_files',` ####################################### ## @@ -44709,7 +44819,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -811,7 +778,7 @@ interface(`mta_spool_filetrans',` +@@ -811,7 +780,7 @@ interface(`mta_spool_filetrans',` ####################################### ## @@ -44718,7 +44828,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -819,10 +786,10 @@ interface(`mta_spool_filetrans',` +@@ -819,10 +788,10 @@ interface(`mta_spool_filetrans',` ## ## # 
@@ -44733,7 +44843,7 @@ index ed81cac..566684a 100644 files_search_spool($1) read_files_pattern($1, mail_spool_t, mail_spool_t) -@@ -830,7 +797,7 @@ interface(`mta_read_spool_files',` +@@ -830,7 +799,7 @@ interface(`mta_read_spool_files',` ######################################## ## @@ -44742,7 +44852,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -845,13 +812,14 @@ interface(`mta_rw_spool',` +@@ -845,13 +814,14 @@ interface(`mta_rw_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; @@ -44760,7 +44870,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -866,13 +834,14 @@ interface(`mta_append_spool',` +@@ -866,13 +836,14 @@ interface(`mta_append_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; @@ -44778,7 +44888,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -891,8 +860,7 @@ interface(`mta_delete_spool',` +@@ -891,8 +862,7 @@ interface(`mta_delete_spool',` ######################################## ## @@ -44788,7 +44898,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -911,45 +879,9 @@ interface(`mta_manage_spool',` +@@ -911,45 +881,9 @@ interface(`mta_manage_spool',` manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') @@ -44835,7 +44945,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -968,7 +900,7 @@ interface(`mta_search_queue',` +@@ -968,7 +902,7 @@ interface(`mta_search_queue',` ####################################### ## @@ -44844,7 +44954,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -981,13 +913,13 @@ interface(`mta_list_queue',` +@@ -981,13 +915,13 @@ interface(`mta_list_queue',` type mqueue_spool_t; ') @@ -44860,7 +44970,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -1000,14 +932,14 @@ interface(`mta_read_queue',` +@@ -1000,14 +934,14 @@ interface(`mta_read_queue',` type mqueue_spool_t; ') 
@@ -44877,7 +44987,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -1027,7 +959,7 @@ interface(`mta_dontaudit_rw_queue',` +@@ -1027,7 +961,7 @@ interface(`mta_dontaudit_rw_queue',` ######################################## ## ## Create, read, write, and delete @@ -44886,7 +44996,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -1047,6 +979,41 @@ interface(`mta_manage_queue',` +@@ -1047,6 +981,41 @@ interface(`mta_manage_queue',` ####################################### ## @@ -44928,7 +45038,7 @@ index ed81cac..566684a 100644 ## Read sendmail binary. ## ## -@@ -1055,6 +1022,7 @@ interface(`mta_manage_queue',` +@@ -1055,6 +1024,7 @@ interface(`mta_manage_queue',` ## ## # @@ -44936,7 +45046,7 @@ index ed81cac..566684a 100644 interface(`mta_read_sendmail_bin',` gen_require(` type sendmail_exec_t; -@@ -1065,8 +1033,8 @@ interface(`mta_read_sendmail_bin',` +@@ -1065,8 +1035,8 @@ interface(`mta_read_sendmail_bin',` ####################################### ## @@ -44947,7 +45057,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -1081,3 +1049,175 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -1081,3 +1051,175 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -45124,7 +45234,7 @@ index ed81cac..566684a 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index afd2fad..1943352 100644 +index afd2fad..17466ee 100644 --- a/mta.te +++ b/mta.te @@ -1,4 +1,4 @@ @@ -45321,7 +45431,8 @@ index afd2fad..1943352 100644 init_use_script_ptys(system_mail_t) +init_dontaudit_rw_stream_socket(system_mail_t) -+ + +-userdom_use_user_terminals(system_mail_t) +userdom_use_inherited_user_terminals(system_mail_t) +userdom_dontaudit_list_user_home_dirs(system_mail_t) +userdom_dontaudit_list_admin_dir(system_mail_t) 
@@ -45334,8 +45445,7 @@ index afd2fad..1943352 100644 + + +logging_append_all_logs(system_mail_t) - --userdom_use_user_terminals(system_mail_t) ++ +logging_send_syslog_msg(system_mail_t) optional_policy(` @@ -45423,7 +45533,7 @@ index afd2fad..1943352 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -278,6 +179,15 @@ optional_policy(` +@@ -278,6 +179,19 @@ optional_policy(` manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) @@ -45432,6 +45542,10 @@ index afd2fad..1943352 100644 +') + +optional_policy(` ++ postfix_domtrans_postdrop(system_mail_t) ++') ++ ++optional_policy(` + qmail_domtrans_inject(system_mail_t) + qmail_manage_spool_dirs(system_mail_t) + qmail_manage_spool_files(system_mail_t) @@ -45439,7 +45553,7 @@ index afd2fad..1943352 100644 ') optional_policy(` -@@ -293,42 +203,36 @@ optional_policy(` +@@ -293,42 +207,36 @@ optional_policy(` ') optional_policy(` @@ -45492,7 +45606,7 @@ index afd2fad..1943352 100644 allow mailserver_delivery mail_spool_t:dir list_dir_perms; create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -@@ -337,40 +241,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -337,40 +245,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -45541,7 +45655,7 @@ index afd2fad..1943352 100644 files_search_var_lib(mailserver_delivery) mailman_domtrans(mailserver_delivery) -@@ -387,24 +277,174 @@ optional_policy(` +@@ -387,24 +281,177 @@ optional_policy(` ######################################## # 
@@ -45659,6 +45773,9 @@ index afd2fad..1943352 100644 +# Check available space. +fs_getattr_xattr_fs(user_mail_domain) + ++mta_filetrans_admin_home_content(user_mail_domain) ++mta_filetrans_home_content(user_mail_domain) ++ +init_dontaudit_rw_utmp(user_mail_domain) + +optional_policy(` @@ -47353,10 +47470,10 @@ index 0000000..171f666 +') diff --git a/mythtv.te b/mythtv.te new file mode 100644 -index 0000000..90129ac +index 0000000..395c2fd --- /dev/null +++ b/mythtv.te -@@ -0,0 +1,41 @@ +@@ -0,0 +1,46 @@ +policy_module(mythtv, 1.0.0) + +######################################## @@ -47376,6 +47493,9 @@ index 0000000..90129ac +# +# httpd_mythtv_script local policy +# ++#============= httpd_mythtv_script_t ============== ++allow httpd_mythtv_script_t self:process setpgid; ++dev_list_sysfs(httpd_mythtv_script_t) + +manage_files_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t) +manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t) @@ -47391,6 +47511,8 @@ index 0000000..90129ac + +fs_read_nfs_files(httpd_mythtv_script_t) + ++auth_read_passwd(httpd_mythtv_script_t) ++ +miscfiles_read_localization(httpd_mythtv_script_t) + +optional_policy(` @@ -49594,7 +49716,7 @@ index 46e55c3..6e4e061 100644 + allow $1 nis_unit_file_t:service all_service_perms; ') diff --git a/nis.te b/nis.te -index 3e4a31c..eea788e 100644 +index 3e4a31c..6aeb9dd 100644 --- a/nis.te +++ b/nis.te @@ -1,12 +1,10 @@ @@ -49765,11 +49887,12 @@ index 3e4a31c..eea788e 100644 dev_read_sysfs(yppasswdd_t) fs_getattr_all_fs(yppasswdd_t) -@@ -203,11 +192,19 @@ selinux_get_fs_mount(yppasswdd_t) +@@ -202,12 +191,20 @@ fs_search_auto_mountpoints(yppasswdd_t) + selinux_get_fs_mount(yppasswdd_t) auth_manage_shadow(yppasswdd_t) ++auth_manage_passwd(yppasswdd_t) auth_relabel_shadow(yppasswdd_t) -+auth_read_passwd(yppasswdd_t) auth_etc_filetrans_shadow(yppasswdd_t) +corecmd_exec_bin(yppasswdd_t) 
@@ -60963,7 +61086,7 @@ index ae27bb7..d00f6ba 100644 + allow $1 polipo_unit_file_t:service all_service_perms; ') diff --git a/polipo.te b/polipo.te -index 316d53a..35d9018 100644 +index 316d53a..6646219 100644 --- a/polipo.te +++ b/polipo.te @@ -1,4 +1,4 @@ @@ -61039,7 +61162,7 @@ index 316d53a..35d9018 100644 type polipo_cache_t; files_type(polipo_cache_t) -@@ -56,112 +63,97 @@ files_type(polipo_cache_t) +@@ -56,112 +63,98 @@ files_type(polipo_cache_t) type polipo_log_t; logging_log_file(polipo_log_t) @@ -61092,6 +61215,7 @@ index 316d53a..35d9018 100644 +corenet_tcp_bind_http_cache_port(polipo_daemon) +corenet_sendrecv_http_cache_server_packets(polipo_daemon) +corenet_tcp_connect_http_port(polipo_daemon) ++corenet_tcp_connect_http_cache_port(polipo_daemon) +corenet_tcp_connect_tor_port(polipo_daemon) +corenet_tcp_connect_flash_port(polipo_daemon) @@ -70139,7 +70263,7 @@ index 769d1fd..0ef5efc 100644 + sudo_exec(neutron_t) ') diff --git a/quota.fc b/quota.fc -index cadabe3..0ee2489 100644 +index cadabe3..54ba01d 100644 --- a/quota.fc +++ b/quota.fc @@ -1,6 +1,5 @@ @@ -70150,7 +70274,7 @@ index cadabe3..0ee2489 100644 /a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) -@@ -8,24 +7,23 @@ HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +@@ -8,24 +7,24 @@ HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) /etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) @@ -70166,6 +70290,7 @@ index cadabe3..0ee2489 100644 /var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0) ++/var/spool/cron/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +/var/spool/(.*/)?a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) -/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0) @@ -71464,10 +71589,10 @@ index 0000000..a073efd +') 
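Review bot: The new quota.fc entry `/var/spool/cron/a?quota\.(user|group)` is already matched by the line directly below it, `/var/spool/(.*/)?a?quota\.(user|group)`, and both assign `quota_db_t`, so the addition changes no labeling result. Either drop the line, or, if it is meant to win over another entry for the cron spool, add a comment naming that entry so the overlap reads as intentional rather than accidental.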
diff --git a/rasdaemon.te b/rasdaemon.te new file mode 100644 -index 0000000..8651ca4 +index 0000000..7b1fa9e --- /dev/null +++ b/rasdaemon.te -@@ -0,0 +1,35 @@ +@@ -0,0 +1,45 @@ +policy_module(rasdaemon, 1.0.0) + +######################################## @@ -71499,10 +71624,20 @@ index 0000000..8651ca4 +kernel_read_system_state(rasdaemon_t) +kernel_manage_debugfs(rasdaemon_t) + ++auth_use_nsswitch(rasdaemon_t) ++ ++dev_read_raw_memory(rasdaemon_t) +dev_read_sysfs(rasdaemon_t) ++dev_read_urand(rasdaemon_t) + +logging_send_syslog_msg(rasdaemon_t) + ++modutils_dontaudit_exec_insmod(rasdaemon_t) # more info here #1030277 ++ ++optional_policy(` ++ dmidecode_exec(rasdaemon_t) ++') ++ diff --git a/razor.fc b/razor.fc index 6723f4d..6e26673 100644 --- a/razor.fc @@ -73714,7 +73849,7 @@ index 47de2d6..98a4280 100644 +/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0) diff --git a/rhcs.if b/rhcs.if -index 56bc01f..2e4d698 100644 +index 56bc01f..f1ee87e 100644 --- a/rhcs.if +++ b/rhcs.if @@ -1,19 +1,19 @@ @@ -73963,8 +74098,10 @@ index 56bc01f..2e4d698 100644 + manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) +') + -+######################################## -+## + ######################################## + ## +-## Read and write all cluster domains +-## shared memory. +## Read and write to group shared memory. +## +## @@ -73984,10 +74121,8 @@ index 56bc01f..2e4d698 100644 + manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) +') + - ######################################## - ## --## Read and write all cluster domains --## shared memory. ++######################################## ++## +## Read and write to group shared memory. ## ## @@ -74015,7 +74150,7 @@ index 56bc01f..2e4d698 100644 ## ## ## -@@ -393,36 +423,39 @@ interface(`rhcs_rw_cluster_semaphores',` +@@ -393,20 +423,44 @@ interface(`rhcs_rw_cluster_semaphores',` ## ## # 
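Review bot: `dev_read_raw_memory(rasdaemon_t)` is a broad grant and nothing in the new rasdaemon.te says what the daemon reads through the raw memory device. If that access is only needed by the dmidecode it spawns via `dmidecode_exec(rasdaemon_t)`, switching to `dmidecode_domtrans(rasdaemon_t)` would keep raw memory reads confined to dmidecode_t instead of widening rasdaemon_t; otherwise the line deserves a short comment in the same style as the `# more info here #1030277` remark on the insmod dontaudit. That bug reference would also be easier to follow with the tracker named, e.g. `# see bugzilla #1030277`.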
@@ -74027,49 +74162,65 @@ index 56bc01f..2e4d698 100644 ') - allow $1 groupd_t:sem { rw_sem_perms destroy }; -- -- fs_search_tmpfs($1) -- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) + files_search_pids($1) + stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain) - ') ++') --######################################## +- fs_search_tmpfs($1) +- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) +##################################### - ## --## Read and write groupd shared memory. ++## +## Connect to cluster domains over a unix domain +## stream socket. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## +## +## Domain allowed access. +## +## ++# ++interface(`rhcs_stream_connect_cluster_to',` ++ gen_require(` ++ attribute cluster_domain; ++ attribute cluster_pid; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, cluster_pid, cluster_pid, $2) + ') + + ######################################## + ## +-## Read and write groupd shared memory. ++## Send a null signal to cluster. + ## + ## + ## +@@ -414,15 +468,12 @@ interface(`rhcs_rw_groupd_semaphores',` + ## + ## # -interface(`rhcs_rw_groupd_shm',` -+interface(`rhcs_stream_connect_cluster_to',` ++interface(`rhcs_signull_cluster',` gen_require(` - type groupd_t, groupd_tmpfs_t; -+ attribute cluster_domain; -+ attribute cluster_pid; ++ type cluster_t; ') - allow $1 groupd_t:shm { rw_shm_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) -+ files_search_pids($1) -+ stream_connect_pattern($1, cluster_pid, cluster_pid, $2) ++ allow $1 cluster_t:process signull; ') ###################################### -@@ -446,52 +479,360 @@ interface(`rhcs_domtrans_qdiskd',` +@@ -446,52 +497,360 @@ interface(`rhcs_domtrans_qdiskd',` ######################################## ## 
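Review bot: In `rhcs_stream_connect_cluster_to` the second parameter block repeats `## Domain allowed access.`, but `$2` is the socket-owning domain handed to `stream_connect_pattern($1, cluster_pid, cluster_pid, $2)`, not a second subject. Document it as `## Domain that owns the cluster socket being connected to.` so callers know which side each argument is. The new `rhcs_signull_cluster` reads fine; the first interface rewritten in this hunk starts outside it, so its name is not visible here.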
@@ -74120,7 +74271,11 @@ index 56bc01f..2e4d698 100644 + files_search_var_lib($1) + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -+ + +- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) +- domain_system_change_exemption($1) +- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; +- allow $2 system_r; +##################################### +## +## Allow domain to manage cluster lib files @@ -74136,16 +74291,14 @@ index 56bc01f..2e4d698 100644 + type cluster_var_lib_t; + ') -- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) -- domain_system_change_exemption($1) -- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; -- allow $2 system_r; +- files_search_pids($1) +- admin_pattern($1, cluster_pid) + files_search_var_lib($1) + manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -- files_search_pids($1) -- admin_pattern($1, cluster_pid) +- files_search_locks($1) +- admin_pattern($1, fenced_lock_t) +#################################### +## +## Allow domain to relabel cluster lib files @@ -74166,8 +74319,8 @@ index 56bc01f..2e4d698 100644 + relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -- files_search_locks($1) -- admin_pattern($1, fenced_lock_t) +- files_search_tmp($1) +- admin_pattern($1, fenced_tmp_t) +###################################### +## +## Execute a domain transition to run cluster administrative domain. 
@@ -74183,14 +74336,14 @@ index 56bc01f..2e4d698 100644 + type cluster_t, cluster_exec_t; + ') -- files_search_tmp($1) -- admin_pattern($1, fenced_tmp_t) +- files_search_var_lib($1) +- admin_pattern($1, qdiskd_var_lib_t) + corecmd_search_bin($1) + domtrans_pattern($1, cluster_exec_t, cluster_t) +') -- files_search_var_lib($1) -- admin_pattern($1, qdiskd_var_lib_t) +- fs_search_tmpfs($1) +- admin_pattern($1, cluster_tmpfs) +####################################### +## +## Execute cluster init scripts in @@ -74206,9 +74359,7 @@ index 56bc01f..2e4d698 100644 + gen_require(` + type cluster_initrc_exec_t; + ') - -- fs_search_tmpfs($1) -- admin_pattern($1, cluster_tmpfs) ++ + init_labeled_script_domtrans($1, cluster_initrc_exec_t) +') + @@ -79143,7 +79294,7 @@ index f1140ef..8afe362 100644 + files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock") ') diff --git a/rsync.te b/rsync.te -index e3e7c96..ec50426 100644 +index e3e7c96..d7db2d9 100644 --- a/rsync.te +++ b/rsync.te @@ -1,4 +1,4 @@ @@ -79270,7 +79421,7 @@ index e3e7c96..ec50426 100644 logging_log_filetrans(rsync_t, rsync_log_t, file) manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -@@ -108,91 +96,80 @@ kernel_read_kernel_sysctls(rsync_t) +@@ -108,91 +96,78 @@ kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) @@ -79336,9 +79487,7 @@ index e3e7c96..ec50426 100644 + +tunable_policy(`rsync_full_access',` + allow rsync_t self:capability { dac_override dac_read_search }; -+ files_manage_non_security_dirs(rsync_t) -+ files_manage_non_security_files(rsync_t) -+ #files_relabel_non_security_files(rsync_t) ++ files_manage_non_auth_files(rsync_t) ') tunable_policy(`rsync_export_all_ro',` @@ -80662,7 +80811,7 @@ index aee75af..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 57c034b..5f13e3c 100644 +index 57c034b..e4ae518 100644 --- a/samba.te +++ b/samba.te @@ -1,4 +1,4 @@ 
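Review bot: Inside the `rsync_full_access` tunable, `files_manage_non_auth_files(rsync_t)` replaces the explicit pair `files_manage_non_security_dirs`/`files_manage_non_security_files`, which silently changes both the attribute in scope (`non_auth` vs `non_security`) and possibly the object classes covered. Confirm that the replacement interface also grants directory management, and that the tunable's description still matches what non_auth_file_type excludes; a comment such as `# full access: everything except auth-sensitive files, dirs included` would pin that down. The tunable block continues outside the hunk.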
@@ -81219,7 +81368,18 @@ index 57c034b..5f13e3c 100644 lpd_exec_lpr(smbd_t) ') -@@ -493,9 +486,33 @@ optional_policy(` +@@ -482,6 +475,10 @@ optional_policy(` + ') + + optional_policy(` ++ rhcs_signull_cluster(smbd_t) ++') ++ ++optional_policy(` + rpc_search_nfs_state_data(smbd_t) + ') + +@@ -493,9 +490,33 @@ optional_policy(` udev_read_db(smbd_t) ') @@ -81254,7 +81414,7 @@ index 57c034b..5f13e3c 100644 # dontaudit nmbd_t self:capability sys_tty_config; -@@ -506,9 +523,11 @@ allow nmbd_t self:msg { send receive }; +@@ -506,9 +527,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -81269,7 +81429,7 @@ index 57c034b..5f13e3c 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -520,20 +539,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -520,20 +543,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -81293,7 +81453,7 @@ index 57c034b..5f13e3c 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -542,52 +556,41 @@ kernel_read_network_state(nmbd_t) +@@ -542,52 +560,41 @@ kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) 
@@ -81342,14 +81502,14 @@ index 57c034b..5f13e3c 100644 - userdom_use_unpriv_users_fds(nmbd_t) -userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) -+userdom_dontaudit_search_user_home_dirs(nmbd_t) - +- -tunable_policy(`samba_export_all_ro',` - fs_read_noxattr_fs_files(nmbd_t) - files_list_non_auth_dirs(nmbd_t) - files_read_non_auth_files(nmbd_t) -') -- ++userdom_dontaudit_search_user_home_dirs(nmbd_t) + -tunable_policy(`samba_export_all_rw',` - fs_read_noxattr_fs_files(nmbd_t) - files_manage_non_auth_files(nmbd_t) @@ -81359,7 +81519,7 @@ index 57c034b..5f13e3c 100644 ') optional_policy(` -@@ -600,19 +603,26 @@ optional_policy(` +@@ -600,19 +607,26 @@ optional_policy(` ######################################## # @@ -81379,11 +81539,11 @@ index 57c034b..5f13e3c 100644 -read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t }) +allow smbcontrol_t nmbd_t:process { signal signull }; +read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t) -+ + +allow smbcontrol_t smbd_t:process { signal signull }; +read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t) +allow smbcontrol_t winbind_t:process { signal signull }; - ++ +files_search_var_lib(smbcontrol_t) samba_read_config(smbcontrol_t) -samba_rw_var_files(smbcontrol_t) @@ -81391,7 +81551,7 @@ index 57c034b..5f13e3c 100644 samba_search_var(smbcontrol_t) samba_read_winbind_pid(smbcontrol_t) -@@ -620,16 +630,12 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -620,16 +634,12 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -81409,7 +81569,7 @@ index 57c034b..5f13e3c 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -637,22 +643,23 @@ optional_policy(` +@@ -637,22 +647,23 @@ optional_policy(` ######################################## # 
@@ -81441,7 +81601,7 @@ index 57c034b..5f13e3c 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -661,26 +668,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -661,26 +672,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -81477,7 +81637,7 @@ index 57c034b..5f13e3c 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -692,58 +695,77 @@ fs_read_cifs_files(smbmount_t) +@@ -692,58 +699,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -81569,7 +81729,7 @@ index 57c034b..5f13e3c 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -752,17 +774,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -752,17 +778,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -81593,7 +81753,7 @@ index 57c034b..5f13e3c 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -770,36 +788,25 @@ kernel_read_network_state(swat_t) +@@ -770,36 +792,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -81636,7 +81796,7 @@ index 57c034b..5f13e3c 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -811,10 +818,11 @@ logging_send_syslog_msg(swat_t) +@@ -811,10 +822,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -81650,7 +81810,7 @@ index 57c034b..5f13e3c 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -834,16 +842,19 @@ optional_policy(` +@@ -834,16 +846,19 @@ optional_policy(` # allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; 
@@ -81674,7 +81834,7 @@ index 57c034b..5f13e3c 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -853,9 +864,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -853,9 +868,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -81685,7 +81845,7 @@ index 57c034b..5f13e3c 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -866,23 +875,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -866,23 +879,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -81715,7 +81875,7 @@ index 57c034b..5f13e3c 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -891,13 +898,17 @@ kernel_read_system_state(winbind_t) +@@ -891,13 +902,17 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) @@ -81736,7 +81896,7 @@ index 57c034b..5f13e3c 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -905,10 +916,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -905,10 +920,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -81747,7 +81907,7 @@ index 57c034b..5f13e3c 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -917,26 +924,39 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -917,26 +928,39 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) 
@@ -81789,7 +81949,7 @@ index 57c034b..5f13e3c 100644 ') optional_policy(` -@@ -952,31 +972,29 @@ optional_policy(` +@@ -952,31 +976,29 @@ optional_policy(` # Winbind helper local policy # @@ -81827,7 +81987,7 @@ index 57c034b..5f13e3c 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -990,25 +1008,38 @@ optional_policy(` +@@ -990,25 +1012,38 @@ optional_policy(` ######################################## # @@ -82090,10 +82250,10 @@ index 0000000..6caef63 +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) diff --git a/sandboxX.if b/sandboxX.if new file mode 100644 -index 0000000..5da5bff +index 0000000..e45c73a --- /dev/null +++ b/sandboxX.if -@@ -0,0 +1,392 @@ +@@ -0,0 +1,393 @@ + +## policy for sandboxX + @@ -82217,6 +82377,7 @@ index 0000000..5da5bff + + domtrans_pattern($1_t, sandbox_exec_t, $1_client_t) + domain_entry_file($1_client_t, sandbox_exec_t) ++ allow $1_client_t $1_t:shm { unix_read unix_write }; + + ps_process_pattern(sandbox_xserver_t, $1_client_t) + ps_process_pattern(sandbox_xserver_t, $1_t) @@ -82488,10 +82649,10 @@ index 0000000..5da5bff +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..710df6b +index 0000000..9ba5803 --- /dev/null +++ b/sandboxX.te -@@ -0,0 +1,483 @@ +@@ -0,0 +1,488 @@ +policy_module(sandboxX,1.0.0) + +dbus_stub() @@ -82616,7 +82777,7 @@ index 0000000..710df6b +# +# sandbox_x_domain local policy +# -+allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack }; ++allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack getcap setcap }; +tunable_policy(`deny_execmem',`',` + allow sandbox_x_domain self:process execmem; +') 
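Review bot: The new line `allow $1_client_t $1_t:shm { unix_read unix_write };` in the sandboxX.if template lets the client domain attach SysV shared memory owned by the launching domain, and it sits between the domtrans rules without explanation. Add a comment stating which component needs this sharing so the rule is not mistaken for leftover audit2allow output, e.g. `# client needs the launcher's SysV shm segments for <reason>`. The template body continues outside the hunk.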
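Review bot: Adding `getcap setcap` to `allow sandbox_x_domain self:process { ... }` lets every sandbox X domain change its own capability sets, and the change carries no rationale. The effective capabilities stay bounded by the domain's `self:capability` rules, so the risk is limited, but a one-line comment naming the program that calls capset() would make the widening reviewable.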
@@ -82917,6 +83078,14 @@ index 0000000..710df6b +') + +optional_policy(` ++ mozilla_plugin_rw_sem(sandbox_web_type) ++') ++ ++optional_policy(` ++ networkmanager_dontaudit_dbus_chat(sandbox_web_type) ++') ++ ++optional_policy(` + nsplugin_manage_rw(sandbox_web_type) + nsplugin_read_rw_files(sandbox_web_type) + nsplugin_rw_exec(sandbox_web_type) @@ -82938,10 +83107,6 @@ index 0000000..710df6b +') + +optional_policy(` -+ networkmanager_dontaudit_dbus_chat(sandbox_web_type) -+') -+ -+optional_policy(` + udev_read_state(sandbox_web_type) +') + @@ -82971,10 +83136,11 @@ index 0000000..710df6b + mozilla_dontaudit_rw_user_home_files(sandbox_x_t) + mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t) + mozilla_dontaudit_rw_user_home_files(sandbox_x_domain) -+ mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain) ++ mozilla_plugin_rw_sem(sandbox_x_domain) + mozilla_plugin_dontaudit_leaks(sandbox_x_domain) +') +userdom_dontaudit_open_user_ptys(sandbox_x_domain) ++ diff --git a/sanlock.fc b/sanlock.fc index 3df2a0f..9059165 100644 --- a/sanlock.fc @@ -85611,10 +85777,18 @@ index 1aeef8a..d5ce40a 100644 admin_pattern($1, shorewall_etc_t) diff --git a/shorewall.te b/shorewall.te -index ca03de6..c3b5559 100644 +index ca03de6..e0ebb61 100644 --- a/shorewall.te +++ b/shorewall.te -@@ -44,9 +44,7 @@ manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t) +@@ -34,6 +34,7 @@ logging_log_file(shorewall_log_t) + + allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_admin }; + dontaudit shorewall_t self:capability sys_tty_config; ++allow shorewall_t self:process signal_perms; + allow shorewall_t self:fifo_file rw_fifo_file_perms; + allow shorewall_t self:netlink_socket create_socket_perms; + +@@ -44,9 +45,7 @@ manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t) files_lock_filetrans(shorewall_t, shorewall_lock_t, file) manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) 
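Review bot: `mozilla_plugin_rw_sem(sandbox_x_domain)` turns the earlier `mozilla_plugin_dontaudit_rw_sem` into an allow, which is a real grant rather than log suppression and should say why the sandbox domains now need the plugin semaphores. If the web sandbox types are also members of sandbox_x_domain, the separate `mozilla_plugin_rw_sem(sandbox_web_type)` added in the first hunk of this file becomes redundant and one of the two can go. The trailing `+` blank line at the end of sandboxX.te is also new and should be dropped.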
@@ -85625,7 +85799,7 @@ index ca03de6..c3b5559 100644 logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir }) manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t) -@@ -57,6 +55,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) +@@ -57,6 +56,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file }) @@ -85635,7 +85809,7 @@ index ca03de6..c3b5559 100644 allow shorewall_t shorewall_initrc_exec_t:file read_file_perms; -@@ -74,7 +75,6 @@ dev_read_urand(shorewall_t) +@@ -74,7 +76,6 @@ dev_read_urand(shorewall_t) domain_read_all_domains_state(shorewall_t) files_getattr_kernel_modules(shorewall_t) @@ -85643,7 +85817,7 @@ index ca03de6..c3b5559 100644 files_search_kernel_modules(shorewall_t) fs_getattr_all_fs(shorewall_t) -@@ -86,12 +86,11 @@ init_rw_utmp(shorewall_t) +@@ -86,12 +87,11 @@ init_rw_utmp(shorewall_t) logging_read_generic_logs(shorewall_t) logging_send_syslog_msg(shorewall_t) 
@@ -88550,6 +88724,221 @@ index 4faa7e0..4babad1 100644 + gpg_manage_home_content(spamd_update_t) ') + +diff --git a/speech-dispatcher.fc b/speech-dispatcher.fc +new file mode 100644 +index 0000000..545f682 +--- /dev/null ++++ b/speech-dispatcher.fc +@@ -0,0 +1,5 @@ ++/usr/bin/speech-dispatcher -- gen_context(system_u:object_r:speech-dispatcher_exec_t,s0) ++ ++/usr/lib/systemd/system/speech-dispatcherd.service -- gen_context(system_u:object_r:speech-dispatcher_unit_file_t,s0) ++ ++/var/log/speech-dispatcher(/.*)? gen_context(system_u:object_r:speech-dispatcher_log_t,s0) +diff --git a/speech-dispatcher.if b/speech-dispatcher.if +new file mode 100644 +index 0000000..ddfed09 +--- /dev/null ++++ b/speech-dispatcher.if +@@ -0,0 +1,142 @@ ++ ++## speech-dispatcher - server process managing speech requests in Speech Dispatcher ++ ++######################################## ++## ++## Execute speech-dispatcher in the speech-dispatcher domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`speech-dispatcher_domtrans',` ++ gen_require(` ++ type speech-dispatcher_t, speech-dispatcher_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, speech-dispatcher_exec_t, speech-dispatcher_t) ++') ++######################################## ++## ++## Read speech-dispatcher's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`speech-dispatcher_read_log',` ++ gen_require(` ++ type speech-dispatcher_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t) ++') ++ ++######################################## ++## ++## Append to speech-dispatcher log files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`speech-dispatcher_append_log',` ++ gen_require(` ++ type speech-dispatcher_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t) ++') ++ ++######################################## ++## ++## Manage speech-dispatcher log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`speech-dispatcher_manage_log',` ++ gen_require(` ++ type speech-dispatcher_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t) ++ manage_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t) ++ manage_lnk_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t) ++') ++######################################## ++## ++## Execute speech-dispatcher server in the speech-dispatcher domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`speech-dispatcher_systemctl',` ++ gen_require(` ++ type speech-dispatcher_t; ++ type speech-dispatcher_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 speech-dispatcher_unit_file_t:file read_file_perms; ++ allow $1 speech-dispatcher_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, speech-dispatcher_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an speech-dispatcher environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`speech-dispatcher_admin',` ++ gen_require(` ++ type speech-dispatcher_t; ++ type speech-dispatcher_log_t; ++ type speech-dispatcher_unit_file_t; ++ ') ++ ++ allow $1 speech-dispatcher_t:process { signal_perms }; ++ ps_process_pattern($1, speech-dispatcher_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 speech-dispatcher_t:process ptrace; ++ ') ++ ++ logging_search_logs($1) ++ admin_pattern($1, speech-dispatcher_log_t) ++ ++ speech-dispatcher_systemctl($1) ++ admin_pattern($1, speech-dispatcher_unit_file_t) ++ allow $1 speech-dispatcher_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/speech-dispatcher.te b/speech-dispatcher.te +new file mode 100644 +index 0000000..57372d0 +--- /dev/null ++++ b/speech-dispatcher.te +@@ -0,0 +1,50 @@ ++policy_module(speech-dispatcher, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type speech-dispatcher_t; ++type speech-dispatcher_exec_t; ++init_daemon_domain(speech-dispatcher_t, speech-dispatcher_exec_t) ++ ++type speech-dispatcher_log_t; ++logging_log_file(speech-dispatcher_log_t) ++ ++type speech-dispatcher_unit_file_t; ++systemd_unit_file(speech-dispatcher_unit_file_t) ++ ++type speech-dispatcher_tmp_t; ++files_tmp_file(speech-dispatcher_tmp_t) ++ ++type speech-dispatcher_tmpfs_t; ++files_tmpfs_file(speech-dispatcher_tmpfs_t) ++ ++######################################## ++# ++# speech-dispatcher local policy ++# ++allow speech-dispatcher_t self:process { fork signal_perms }; ++allow speech-dispatcher_t self:fifo_file rw_fifo_file_perms; ++allow speech-dispatcher_t self:unix_stream_socket create_stream_socket_perms; ++allow speech-dispatcher_t self:tcp_socket create_socket_perms; ++ ++manage_dirs_pattern(speech-dispatcher_t, speech-dispatcher_log_t, speech-dispatcher_log_t) ++manage_files_pattern(speech-dispatcher_t, speech-dispatcher_log_t, 
speech-dispatcher_log_t) ++logging_log_filetrans(speech-dispatcher_t, speech-dispatcher_log_t, { dir }) ++ ++manage_files_pattern(speech-dispatcher_t, speech-dispatcher_tmp_t, speech-dispatcher_tmp_t) ++files_tmp_filetrans(speech-dispatcher_t, speech-dispatcher_tmp_t, { file }) ++ ++manage_files_pattern(speech-dispatcher_t, speech-dispatcher_tmpfs_t, speech-dispatcher_tmpfs_t) ++fs_tmpfs_filetrans(speech-dispatcher_t, speech-dispatcher_tmpfs_t, { file }) ++ ++kernel_read_system_state(speech-dispatcher_t) ++ ++auth_read_passwd(speech-dispatcher_t) ++ ++corenet_tcp_connect_pdps_port(speech-dispatcher_t) ++ ++dev_read_urand(speech-dispatcher_t) ++ diff --git a/speedtouch.te b/speedtouch.te index 9025dbd..388ce0a 100644 --- a/speedtouch.te @@ -89198,7 +89587,7 @@ index a240455..16a04bf 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 8b537aa..92ad8d0 100644 +index 8b537aa..fb39837 100644 --- a/sssd.te +++ b/sssd.te @@ -1,4 +1,4 @@ @@ -89289,7 +89678,7 @@ index 8b537aa..92ad8d0 100644 auth_domtrans_chk_passwd(sssd_t) auth_domtrans_upd_passwd(sssd_t) auth_manage_cache(sssd_t) -@@ -112,18 +106,32 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +106,34 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) @@ -89300,6 +89689,7 @@ index 8b537aa..92ad8d0 100644 +userdom_manage_tmp_role(system_r, sssd_t) +userdom_manage_all_users_keys(sssd_t) ++userdom_home_reader(sssd_t) + optional_policy(` dbus_system_bus_client(sssd_t) @@ -89316,15 +89706,16 @@ index 8b537aa..92ad8d0 100644 + +optional_policy(` + dirsrv_stream_connect(sssd_t) - ') ++') + +optional_policy(` + ldap_stream_connect(sssd_t) -+ ldap_read_certs(sssd_t) ++ ldap_read_certs(sssd_t) +') + -+userdom_home_reader(sssd_t) -+ ++optional_policy(` ++ systemd_login_read_pid_files(sssd_t) + ') diff --git a/stapserver.fc b/stapserver.fc new file mode 100644 index 0000000..0ccce59 
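Review bot: speech-dispatcher_t is declared as a daemon (`init_daemon_domain`, a `speech-dispatcherd.service` unit), yet its only network rule is `corenet_tcp_connect_pdps_port(speech-dispatcher_t)`; if the server accepts TCP clients on that port it also needs `corenet_tcp_bind_generic_node(speech-dispatcher_t)` and `corenet_tcp_bind_pdps_port(speech-dispatcher_t)`, and a comment saying whether it listens or only connects would settle it. In speech-dispatcher.if the summary of `speech-dispatcher_systemctl` reads `Execute speech-dispatcher server in the speech-dispatcher domain.`, which duplicates the domtrans interface; it should say something like `Execute systemctl to manage the speech-dispatcher service.`. The `.fc` part of this hunk looks fine.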
@@ -96981,7 +97372,7 @@ index 9dec06c..43128c6 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index 1f22fba..156d389 100644 +index 1f22fba..4f24986 100644 --- a/virt.te +++ b/virt.te @@ -1,147 +1,194 @@ @@ -97250,7 +97641,7 @@ index 1f22fba..156d389 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -150,295 +197,142 @@ ifdef(`enable_mls',` +@@ -150,295 +197,130 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) ') 
@@ -97443,80 +97834,60 @@ index 1f22fba..156d389 100644 - fs_manage_nfs_named_sockets(virt_domain) - fs_read_nfs_symlinks(virt_domain) -') -+type virtd_lxc_t, virt_system_domain; -+type virtd_lxc_exec_t, virt_file_type; -+init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) - +- -tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs(virt_domain) - fs_manage_cifs_files(virt_domain) - fs_manage_cifs_named_sockets(virt_domain) - fs_read_cifs_symlinks(virt_domain) -') -+type virt_lxc_var_run_t, virt_file_type; -+files_pid_file(virt_lxc_var_run_t) -+typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; - +- -tunable_policy(`virt_use_sysfs',` - dev_rw_sysfs(virt_domain) -') -+# virt lxc container files -+type svirt_sandbox_file_t alias svirt_lxc_file_t, svirt_file_type; -+files_mountpoint(svirt_sandbox_file_t) - +- -tunable_policy(`virt_use_usb',` - dev_rw_usbfs(virt_domain) - dev_read_sysfs(virt_domain) - fs_manage_dos_dirs(virt_domain) - fs_manage_dos_files(virt_domain) -') -+######################################## -+# -+# svirt local policy -+# - +- -optional_policy(` - tunable_policy(`virt_use_xserver',` - xserver_read_xdm_pid(virt_domain) - xserver_stream_connect(virt_domain) - ') -') -+# it was a part of auth_use_nsswitch -+allow svirt_t self:netlink_route_socket r_netlink_socket_perms; - +- -optional_policy(` - dbus_read_lib_files(virt_domain) -') -+corenet_udp_sendrecv_generic_if(svirt_t) -+corenet_udp_sendrecv_generic_node(svirt_t) -+corenet_udp_sendrecv_all_ports(svirt_t) -+corenet_udp_bind_generic_node(svirt_t) -+corenet_udp_bind_all_ports(svirt_t) -+corenet_tcp_bind_all_ports(svirt_t) -+corenet_tcp_connect_all_ports(svirt_t) - +- -optional_policy(` - nscd_use(virt_domain) -') -+miscfiles_read_generic_certs(svirt_t) ++type virtd_lxc_t, virt_system_domain; ++type virtd_lxc_exec_t, virt_file_type; ++init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) - optional_policy(` +-optional_policy(` - samba_domtrans_smbd(virt_domain) -+ 
nscd_dontaudit_write_sock_file(svirt_t) - ') +-') ++type virt_lxc_var_run_t, virt_file_type; ++files_pid_file(virt_lxc_var_run_t) ++typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; - optional_policy(` +-optional_policy(` - xen_rw_image_files(virt_domain) -+ sssd_dontaudit_stream_connect(svirt_t) -+ sssd_dontaudit_read_lib(svirt_t) -+ sssd_dontaudit_read_public_files(svirt_t) - ') +-') ++# virt lxc container files ++type svirt_sandbox_file_t alias svirt_lxc_file_t, svirt_file_type; ++files_mountpoint(svirt_sandbox_file_t) --######################################## -+####################################### + ######################################## # --# svirt local policy -+# svirt_prot_exec local policy + # svirt local policy # -list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) @@ -97531,7 +97902,9 @@ index 1f22fba..156d389 100644 -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) - -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") -- ++# it was a part of auth_use_nsswitch ++allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) - -corenet_udp_sendrecv_generic_if(svirt_t) 
@@ -97542,22 +97915,29 @@ index 1f22fba..156d389 100644 -corenet_all_recvfrom_unlabeled(svirt_t) -corenet_all_recvfrom_netlabel(svirt_t) -corenet_tcp_sendrecv_generic_if(svirt_t) --corenet_udp_sendrecv_generic_if(svirt_t) + corenet_udp_sendrecv_generic_if(svirt_t) -corenet_tcp_sendrecv_generic_node(svirt_t) --corenet_udp_sendrecv_generic_node(svirt_t) + corenet_udp_sendrecv_generic_node(svirt_t) -corenet_tcp_sendrecv_all_ports(svirt_t) --corenet_udp_sendrecv_all_ports(svirt_t) + corenet_udp_sendrecv_all_ports(svirt_t) -corenet_tcp_bind_generic_node(svirt_t) --corenet_udp_bind_generic_node(svirt_t) + corenet_udp_bind_generic_node(svirt_t) - -corenet_sendrecv_all_server_packets(svirt_t) --corenet_udp_bind_all_ports(svirt_t) --corenet_tcp_bind_all_ports(svirt_t) + corenet_udp_bind_all_ports(svirt_t) + corenet_tcp_bind_all_ports(svirt_t) +- +-corenet_sendrecv_all_client_packets(svirt_t) + corenet_tcp_connect_all_ports(svirt_t) + ++####################################### ++# ++# svirt_prot_exec local policy ++# ++ +allow svirt_tcg_t self:process { execmem execstack }; +allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; - --corenet_sendrecv_all_client_packets(svirt_t) --corenet_tcp_connect_all_ports(svirt_t) ++ +corenet_udp_sendrecv_generic_if(svirt_tcg_t) +corenet_udp_sendrecv_generic_node(svirt_tcg_t) +corenet_udp_sendrecv_all_ports(svirt_tcg_t) @@ -97565,7 +97945,7 @@ index 1f22fba..156d389 100644 +corenet_udp_bind_all_ports(svirt_tcg_t) +corenet_tcp_bind_all_ports(svirt_tcg_t) +corenet_tcp_connect_all_ports(svirt_tcg_t) - ++ ######################################## # # virtd local policy 
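Review bot: The section header added here, `# svirt_prot_exec local policy`, does not describe the rules under it: every line in the block is for `svirt_tcg_t` (`allow svirt_tcg_t self:process { execmem execstack };` and the `corenet_*(svirt_tcg_t)` calls), while the old `svirt_prot_exec_t` rule is being removed further down in this file. Rename the banner to `# svirt_tcg local policy` so the comment names the domain it covers. The separator line above it also appears one `#` shorter than the other banners in virt.te; worth matching for consistency.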
@@ -97632,7 +98012,7 @@ index 1f22fba..156d389 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -448,42 +342,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -448,42 +330,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) @@ -97679,7 +98059,7 @@ index 1f22fba..156d389 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -496,16 +377,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -496,16 +365,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -97689,19 +98069,19 @@ index 1f22fba..156d389 100644 - -stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +- +-can_exec(virtd_t, virt_tmp_t) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) --can_exec(virtd_t, virt_tmp_t) -- -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) -@@ -513,6 +390,7 @@ kernel_read_kernel_sysctls(virtd_t) +@@ -513,6 +378,7 @@ kernel_read_kernel_sysctls(virtd_t) kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) kernel_setsched(virtd_t) 
@@ -97709,7 +98089,7 @@ index 1f22fba..156d389 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -520,24 +398,16 @@ corecmd_exec_shell(virtd_t) +@@ -520,24 +386,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -97737,7 +98117,7 @@ index 1f22fba..156d389 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -548,22 +418,27 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +406,27 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -97770,7 +98150,7 @@ index 1f22fba..156d389 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +469,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +457,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -97790,7 +98170,7 @@ index 1f22fba..156d389 100644 selinux_validate_context(virtd_t) -@@ -613,18 +491,26 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +479,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -97827,7 +98207,7 @@ index 1f22fba..156d389 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +519,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +507,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -97836,7 +98216,7 @@ index 1f22fba..156d389 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -658,20 +544,12 @@ optional_policy(` +@@ -658,20 +532,12 @@ optional_policy(` ') optional_policy(` @@ -97857,7 +98237,7 @@ index 1f22fba..156d389 100644 ') optional_policy(` -@@ -684,14 +562,20 @@ optional_policy(` +@@ -684,14 +550,20 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) 
@@ -97880,7 +98260,7 @@ index 1f22fba..156d389 100644 iptables_manage_config(virtd_t) ') -@@ -704,11 +588,13 @@ optional_policy(` +@@ -704,11 +576,13 @@ optional_policy(` ') optional_policy(` @@ -97894,7 +98274,7 @@ index 1f22fba..156d389 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -719,10 +605,18 @@ optional_policy(` +@@ -719,10 +593,18 @@ optional_policy(` ') optional_policy(` @@ -97913,7 +98293,7 @@ index 1f22fba..156d389 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -737,44 +631,264 @@ optional_policy(` +@@ -737,44 +619,276 @@ optional_policy(` udev_read_db(virtd_t) ') 
@@ -97941,22 +98321,28 @@ index 1f22fba..156d389 100644 -allow virsh_t self:fifo_file rw_fifo_file_perms; -allow virsh_t self:unix_stream_socket { accept connectto listen }; -allow virsh_t self:tcp_socket { accept listen }; -+list_dirs_pattern(virt_domain, virt_content_t, virt_content_t) -+read_files_pattern(virt_domain, virt_content_t, virt_content_t) -+dontaudit virt_domain virt_content_t:file write_file_perms; -+dontaudit virt_domain virt_content_t:dir write; - +- -manage_files_pattern(virsh_t, virt_image_type, virt_image_type) -manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) -+kernel_read_net_sysctls(virt_domain) - +- -manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) ++list_dirs_pattern(virt_domain, virt_content_t, virt_content_t) ++read_files_pattern(virt_domain, virt_content_t, virt_content_t) ++dontaudit virt_domain virt_content_t:file write_file_perms; ++dontaudit virt_domain virt_content_t:dir write; + +-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") ++kernel_read_net_sysctls(virt_domain) + +-dontaudit virsh_t virt_var_lib_t:file read_file_perms; +userdom_search_user_home_content(virt_domain) +userdom_read_user_home_content_symlinks(virt_domain) +userdom_read_all_users_state(virt_domain) 
@@ -97966,14 +98352,13 @@ index 1f22fba..156d389 100644 +manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t) +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file }) +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t) -+ + +-allow virsh_t svirt_lxc_domain:process transition; +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) +files_var_filetrans(virt_domain, virt_cache_t, { file dir }) --manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +-can_exec(virsh_t, virsh_exec_t) +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t) + +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t) @@ -98004,14 +98389,11 @@ index 1f22fba..156d389 100644 +stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t) + +dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; - --dontaudit virsh_t virt_var_lib_t:file read_file_perms; ++ +dontaudit virt_domain virt_tmpfs_type:file { read write }; - --allow virsh_t svirt_lxc_domain:process transition; ++ +append_files_pattern(virt_domain, virt_log_t, virt_log_t) - --can_exec(virsh_t, virsh_exec_t) ++ +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) + +corecmd_exec_bin(virt_domain) @@ -98057,6 +98439,8 @@ index 1f22fba..156d389 100644 + +# I think we need these for now. +miscfiles_read_public_files(virt_domain) ++miscfiles_read_generic_certs(virt_domain) ++ +storage_raw_read_removable_device(virt_domain) + +sysnet_read_config(virt_domain) @@ -98075,6 +98459,10 @@ index 1f22fba..156d389 100644 +') + +optional_policy(` ++ nscd_dontaudit_write_sock_file(virt_domain) ++') ++ ++optional_policy(` + ptchown_domtrans(virt_domain) +') + 
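Review bot: `miscfiles_read_generic_certs(virt_domain)` is appended under the pre-existing `# I think we need these for now.` comment, so the new grant inherits a hedge instead of a reason. Earlier in this file the same interface is dropped for `svirt_t` alone, so the change widens certificate reading from one domain to every member of the `virt_domain` attribute; generic certs are public material, so the risk is low, but a comment naming the consumer would serve better than the inherited one, e.g. `# generic cert read needed by <virt_domain member/feature> — document`.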
@@ -98083,6 +98471,12 @@ index 1f22fba..156d389 100644 +') + +optional_policy(` ++ sssd_dontaudit_stream_connect(virt_domain) ++ sssd_dontaudit_read_lib(virt_domain) ++ sssd_dontaudit_read_public_files(virt_domain) ++') + ++optional_policy(` + virt_read_config(virt_domain) + virt_read_lib_files(virt_domain) + virt_read_content(virt_domain) @@ -98162,7 +98556,7 @@ index 1f22fba..156d389 100644 +allow virsh_t self:fifo_file rw_fifo_file_perms; +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow virsh_t self:tcp_socket create_stream_socket_perms; - ++ +ps_process_pattern(virsh_t, svirt_sandbox_domain) + +can_exec(virsh_t, virsh_exec_t) @@ -98439,8 +98833,7 @@ index 1f22fba..156d389 100644 +optional_policy(` + docker_exec_lib(virtd_lxc_t) +') - --sysnet_domtrans_ifconfig(virtd_lxc_t) ++ +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') @@ -98448,7 +98841,8 @@ index 1f22fba..156d389 100644 +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + unconfined_domain(virtd_lxc_t) +') @@ -98633,19 +99027,19 @@ index 1f22fba..156d389 100644 + docker_read_lib_files(svirt_sandbox_domain) + docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) +') ++ ++optional_policy(` ++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ++') optional_policy(` - udev_read_pid_files(svirt_lxc_domain) -+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ++ ssh_use_ptys(svirt_sandbox_domain) ') optional_policy(` - apache_exec_modules(svirt_lxc_domain) - apache_read_sys_content(svirt_lxc_domain) -+ ssh_use_ptys(svirt_sandbox_domain) -+') -+ -+optional_policy(` + udev_read_pid_files(svirt_sandbox_domain) +') + 
@@ -98773,13 +99167,13 @@ index 1f22fba..156d389 100644 +dev_rw_kvm(svirt_qemu_net_t) + +manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) + +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t) - --allow svirt_prot_exec_t self:process { execmem execstack }; ++ +kernel_read_irq_sysctls(svirt_qemu_net_t) + +dev_read_sysfs(svirt_qemu_net_t) @@ -101809,10 +102203,10 @@ index d837e88..910aeec 100644 userdom_search_user_home_dirs(yam_t) diff --git a/zabbix.fc b/zabbix.fc -index ce10cb1..3181728 100644 +index ce10cb1..38b143f 100644 --- a/zabbix.fc +++ b/zabbix.fc -@@ -4,11 +4,15 @@ +@@ -4,12 +4,17 @@ /usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) /usr/bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0) @@ -101827,8 +102221,10 @@ index ce10cb1..3181728 100644 +/usr/sbin/zabbix_proxy_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0) +/usr/sbin/zabbix_proxy_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0) ++/var/lib/zabbixsrv(/.*)? gen_context(system_u:object_r:zabbix_var_lib_t,s0) /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) + /var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0) diff --git a/zabbix.if b/zabbix.if index dd63de0..38ce620 100644 --- a/zabbix.if @@ -101992,10 +102388,10 @@ index dd63de0..38ce620 100644 - admin_pattern($1, zabbix_tmpfs_t) ') diff --git a/zabbix.te b/zabbix.te -index 46e4cd3..4b38bfa 100644 +index 46e4cd3..47847ad 100644 --- a/zabbix.te +++ b/zabbix.te -@@ -6,21 +6,23 @@ policy_module(zabbix, 1.5.3) +@@ -6,27 +6,32 @@ policy_module(zabbix, 1.5.3) # ## 
@@ -102022,7 +102418,24 @@ index 46e4cd3..4b38bfa 100644 type zabbix_agent_exec_t; init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t) -@@ -41,22 +43,40 @@ files_pid_file(zabbix_var_run_t) + type zabbix_agent_initrc_exec_t; + init_script_file(zabbix_agent_initrc_exec_t) + ++type zabbixd_var_lib_t; ++files_type(zabbixd_var_lib_t) ++ + type zabbix_log_t; + logging_log_file(zabbix_log_t) + +@@ -36,27 +41,53 @@ files_tmp_file(zabbix_tmp_t) + type zabbix_tmpfs_t; + files_tmpfs_file(zabbix_tmpfs_t) + ++type zabbix_var_lib_t; ++files_type(zabbix_var_lib_t) ++ + type zabbix_var_run_t; + files_pid_file(zabbix_var_run_t) ######################################## # @@ -102062,6 +102475,11 @@ index 46e4cd3..4b38bfa 100644 -allow zabbix_t self:shm create_shm_perms; -allow zabbix_t self:tcp_socket create_stream_socket_perms; +allow zabbix_t self:capability { dac_read_search dac_override }; ++ ++manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) ++manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) ++manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) ++files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv") -allow zabbix_t zabbix_log_t:dir setattr_dir_perms; -append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) @@ -102075,7 +102493,7 @@ index 46e4cd3..4b38bfa 100644 manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) -@@ -70,13 +90,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) +@@ -70,13 +101,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) kernel_read_system_state(zabbix_t) 
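Review bot: `type zabbixd_var_lib_t;` with `files_type(zabbixd_var_lib_t)` declares a second var-lib type that nothing in the visible hunks references: the file context for `/var/lib/zabbixsrv`, the `manage_*_pattern` rules and `files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")` all use `zabbix_var_lib_t`. This looks like a misspelled first attempt that survived next to the corrected `zabbix_var_lib_t` declaration; if so, drop the two `zabbixd_var_lib_t` lines, since an orphan type still carries the `files_type` attribute and so participates in any attribute-wide file rules elsewhere in the policy. If it is intentional, a comment stating what gets labelled with it is needed.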
@@ -102089,7 +102507,13 @@ index 46e4cd3..4b38bfa 100644 corenet_sendrecv_ftp_client_packets(zabbix_t) corenet_tcp_connect_ftp_port(zabbix_t) -@@ -90,17 +106,8 @@ corenet_sendrecv_zabbix_server_packets(zabbix_t) +@@ -85,22 +112,14 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t) + corenet_sendrecv_http_client_packets(zabbix_t) + corenet_tcp_connect_http_port(zabbix_t) + corenet_tcp_sendrecv_http_port(zabbix_t) ++corenet_tcp_connect_smtp_port(zabbix_t) + + corenet_sendrecv_zabbix_server_packets(zabbix_t) corenet_tcp_bind_zabbix_port(zabbix_t) corenet_tcp_sendrecv_zabbix_port(zabbix_t) @@ -102107,7 +102531,7 @@ index 46e4cd3..4b38bfa 100644 zabbix_agent_tcp_connect(zabbix_t) tunable_policy(`zabbix_can_network',` -@@ -110,12 +117,11 @@ tunable_policy(`zabbix_can_network',` +@@ -110,12 +129,11 @@ tunable_policy(`zabbix_can_network',` ') optional_policy(` @@ -102122,7 +102546,7 @@ index 46e4cd3..4b38bfa 100644 ') optional_policy(` -@@ -125,6 +131,7 @@ optional_policy(` +@@ -125,6 +143,7 @@ optional_policy(` optional_policy(` snmp_read_snmp_var_lib_files(zabbix_t) @@ -102130,7 +102554,7 @@ index 46e4cd3..4b38bfa 100644 ') ######################################## -@@ -132,18 +139,7 @@ optional_policy(` +@@ -132,18 +151,7 @@ optional_policy(` # Agent local policy # @@ -102150,7 +102574,7 @@ index 46e4cd3..4b38bfa 100644 rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t) fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) -@@ -151,16 +147,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) +@@ -151,16 +159,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file) 
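Review bot: `corenet_tcp_connect_smtp_port(zabbix_t)` is added without a comment, whereas the other outbound grants in this stretch are either narrowly named (ftp, http) or, in the next hunk, gated by the `zabbix_can_network` tunable. A one-line comment on the purpose, e.g. `# direct SMTP delivery of alert mail — confirm against zabbix_server config`, would make the widening reviewable, and if mail alerting is optional for most deployments the grant could live under that tunable instead of being unconditional.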
@@ -102169,7 +102593,7 @@ index 46e4cd3..4b38bfa 100644 corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t) corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) -@@ -177,12 +169,11 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) +@@ -177,12 +181,11 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) dev_getattr_all_blk_files(zabbix_agent_t) dev_getattr_all_chr_files(zabbix_agent_t) @@ -102183,7 +102607,7 @@ index 46e4cd3..4b38bfa 100644 fs_getattr_all_fs(zabbix_agent_t) -@@ -190,8 +181,14 @@ init_read_utmp(zabbix_agent_t) +@@ -190,8 +193,14 @@ init_read_utmp(zabbix_agent_t) logging_search_logs(zabbix_agent_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 10c984a..2dc3f77 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 111%{?dist} +Release: 112%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -576,6 +576,49 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Jan 6 2014 Miroslav Grepl 3.12.1-112 +- Allow sshd to write to all process levels in order to change passwd when running at a level +- Allow updpwd_t to downgrade /etc/passwd file to s0, if it is not running with this range +- Allow apcuspd_t to status and start the power unit file +- Allow udev to manage kdump unit file +- Added new interface modutils_dontaudit_exec_insmod +- Allow cobbler to search dhcp_etc_t directory +- systemd_systemctl needs sys_admin capability +- Allow sytemd_tmpfiles_t to delete all directories +- passwd to create gnome-keyring passwd socket +- Add missing zabbix_var_lib_t type +- Fix filename trans for zabbixsrv in zabbix.te +- Allow fprintd_t to send syslog messages +- Add zabbix_var_lib_t for /var/lib/zabbixsrv, also allow zabix to connect to smtp port +- Allow mozilla plugin to chat with policykit, needed for spice +- Allow gssprozy to change user and gid, as well as read user keyrings +- Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly +- Allow polipo to connect to http_cache_ports +- Allow cron jobs to manage apache var lib content +- Allow yppassword to manage the passwd_file_t +- Allow showall_t to send itself signals +- Allow cobbler to restart dhcpc, dnsmasq and bind services +- Allow certmonger to manage home cert files +- Add userdom filename trans for user mail domains +- Allow apcuspd_t to status and start the power unit file +- Allow cgroupdrulesengd to create content in cgoups directories +- Allow smbd_t to signull cluster +- Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t +- Add label for /var/spool/cron.aquota.user +- Allow sandbox_x domains to use work with the mozilla plugin semaphore +- Added new policy for speech-dispatcher +- Added dontaudit rule for insmod_exec_t in rasdaemon policy +- Updated rasdaemon policy 
+- Allow system_mail_t to transition to postfix_postdrop_t +- Clean up mirrormanager policy +- Allow virt_domains to read cert files, needs backport to RHEL7 +- Allow sssd to read systemd_login_var_run_t +- Allow irc_t to execute shell and bin-t files: +- Add new access for mythtv +- Allow rsync_t to manage all non auth files +- allow modemmanger to read /dev/urand +- Allow sandbox apps to attempt to set and get capabilties + * Thu Dec 19 2013 Miroslav Grepl 3.12.1-111 - Add labeling for /var/lib/servicelog/servicelog.db-journal - Add support for freeipmi port